Contributed by Ken Mafli, Data Security Evangelist at Townsend Security
On April 1, 2018, Gemini Advisory presented its findings after investigating the notorious JokerStash hacking syndicate in which over 5 million customer records had been exfiltrated from Lord & Taylor’s and Saks Fifth Avenue’s network. By the time Gemini Advisory announced the discovery, approximately 125,000 records had already been released for sale by the hacking collective. It was expected that the entire cache would become available shortly.
And while this is an embarrassing chapter in Hudson Bay’s customer service history (the parent company of both luxury retail chains), the breach itself is not the end of the story. Bernadette Beekman, a customer affected by the breach, has already filed a class action lawsuit. Beekman claims that “the security breach was caused and enabled by Lord & Taylor’s knowing violation of its obligations to abide by best practices and … by cutting corners on security measures that could have prevented or mitigated the security breach that occurred.”
The Blindspot of Hindsight
After a breach occurs, we tend to look back at how a malicious actor gained access to the sensitive data and wonder why the organizations didn’t see the obvious flaws in their defenses. After all, it seems like common sense actions would have prevented the breach.
The truth of the matter is that common sense defenses could have prevented it.
But if bst practices could eliminate or minimize most breaches, why do they continue to happen? Often, organizations get caught up in current initiatives laid down by executives, get mired in internal politics, or suffer from existing policy inertia—so much so that it creates blind spots to the weaknesses in its own cybersecurity defenses.
But there is another reason: hindsight bias. With hindsight bias, after learning about a breach, we have the tendency to think that we could have foreseen it. Let’s be honest. We tend to look at breaches from a bird’s eye view without any of the surrounding circumstances to set it in context. With this vantage point, we see the path the hackers took to get to the data. And since it seems so plain to us, it can lull us into a sense of false security, thinking we would have done better.
And yet breaches continue to happen on the watch of some very capable people. Organizations need a way to envision likely attack vectors and work to close the gaps in their cyberdefenses. Enter, the pre-mortem.
Dissect Before Your Demise
The idea of a pre-mortem originally comes from project management and it works in the sense of a post-mortem, but in reverse. In its original context, you would gather the plan, resources, and timeline for your project. Then, you would gather the project stakeholders and imagine a scenario wherein 6 months after launch of the project, it is deemed a complete failure. Then you ask “how” and “why.” By imagining the death of a project before it gets launched and take steps to mitigate that death, you increase its odds of survival.
In a similar vein, with your overall cybersecurity posture, you should be doing the same thing. Once you have your cybersecurity policies and procedures outlined and in place, you should invite the stakeholders to conduct a pre-mortem in which you game out potential data breach scenarios. As you do, you should:
- Use as many real world examples of data breaches to inform your scenarios.
- Work forwards and backwards in attack scenarios (i.e. what is the last step someone would need to take to access the data and work backward to the first step, and visa versa).
- Gather as many scenarios as possible.
Shore Up Your Defenses
Once you have gamed out the likely ways your cyber defenses could be breached in a pre-mortem session, it is time to get to work. Steve Brown from Rutter Networking Technologies has this advice:
“Your client data and intellectual property are some of your business’s most valuable assets. If you are to truly defend it, you must go beyond just perimeter security and extend your cybersecurity strategy throughout your whole network. A vulnerability assessment can be a great help in starting to the discovery process to determine where your best capital can be invested and what areas are in highest need of budget allocation. Those areas may include encryption, endpoint protection, multi-factor authentication, log management and more. Only then can you begin to bridge the gap between known weaknesses and greater security.”
To that end, if you do not have these items in place, your analysis should include how these items (plus much more) would help you avoid the breach scenarios you uncovered:
- Encryption and proper key management: For data-at-rest, encryption and centralized key management is typically a last line of defense in case someone gains unwanted access to your sensitive data. But since an attack is likely unavoidable, this will ensure the data is useless.
- SIEM: Monitoring access and activity in your network is vital to mitigating an attack. Your SIEM should be as much of a multi-purpose tool as possible, ensuring that you don’t suffer from tool sprawl and fatigue.
- Permissions management: Ensuring that you have a policy of least privileges in place and then monitor to make sure everyone is playing by the rules is an effective way to spot anomalies and detect any inside/outside threats.
- Patch management: Simply put, patch management is having a systematic way of updating software. This ensures a timely way to address vulnerabilities.
- Social engineering training: Frequent training of employees is one of the best ways to minimize the threat that social engineering poses. The more you can train everyone in the organization to guard their personal data, the more secure your organization will be.
It’s better to conduct a pre-mortem than a post-mortem. If you can imagine the worst and use it to plan ahead, you will be one step closer to overcoming hindsight bias avoid becoming just another breach statistic.
The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.