The 2015 Verizon Data Breach Investigation Report (DBIR) has been published. If you are at all interested in information security and the current state of data breaches, you should give it a quick read. Over the next few postings, we’ll point out some of the highlights from the report.

First up, system patching. The DBIR report shows that 99% of all exploits used to compromise systems were greater than 1 year old and had patches available. Sorry folks, there is simply no excuse for allowing systems to go more than a year without patching them against critical vulnerabilities. I’m not advocating for the “patch it within 48 hours” camp here, but how about 48 days? Given the report, even 48 weeks would work.

Let’s face it, cyber attacks are not going away. Think of it like this. Patching is to information security what vaccinations are to public health. By being vaccinated, not only do you reduce the chance you’ll contract a specific disease, you ensure you’re not a carrier and will not pass it along to others. When we patch our systems, we ensure they will not be compromised by a particular threat and used to compromise others in the process.

We need to implement strong patch management policies and procedures. The best of intentions are just that, intentions. If we truly care about information security, a defined and repeatable process must be used to identify vulnerabilities and implement the appropriate patch. Only then can we say we are serious about information security and working to eliminate data breaches.

Breach investigations are by their nature somewhat chaotic. There is a flurry of activity by the HR, IT, Legal, Communications and line of business departments. The ability to quickly determine what happened, who or what was impacted and what the next steps are can be thwarted by a lack of information. Logs are critical in helping understand all aspects of a breach.

In the past we have talked about the importance of logs from firewalls, routers and layer 3 switches, server or workstation event logs and intrusion detection logs. Two logs which are commonly overlooked are DNS and DHCP logs.

At 2am it is much easier to simply pull up a DHCP log and determine that machine HQ5678A was assigned 10.1.25.163 on 03/03/2015 at 9:53am than to query registry entries or sift through event logs hoping to find a trace. It is also helpful if systems hold their DHCP leases for 30 days or longer. It keeps the logs shorter and helps investigators more easily spot trends of activity, whether that be normal or abnormal activity.

It is also easier to have firewalls record DNS entries, so that each log line contains both an IP address and the matching DNS name. That way you can quickly tell that a user on computer HQ5678A was using ebay on port 443, rather than a virus on that same port communicating with hackme dot com. Much time is spent tracking an IP address to a hostname simply to discover that the communication is to or from a known and approved host.
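The two lookups described above (which host held an IP at a given moment, and enriching firewall lines with the DHCP hostname and the DNS name so approved destinations can be separated from suspect ones) as an added example, not code from the original post. The log formats, the sample lines and the approved-destination list are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the original post); the line formats are assumed:
# DHCP:     "YYYY-MM-DD HH:MM:SS <ip> <hostname> <lease_seconds>"
# Firewall: "YYYY-MM-DD HH:MM:SS <src_ip> <dst_ip> <dst_port> <dst_dns_name>"
DHCP_LOG = """\
2015-02-01 08:00:00 10.1.25.163 HQ1111Z 86400
2015-03-03 09:53:00 10.1.25.163 HQ5678A 2592000
2015-03-03 10:15:00 10.1.25.164 HQ9012B 2592000
"""
FW_LOG = """\
2015-03-03 14:02:11 10.1.25.163 198.51.100.20 443 ebay.com
2015-03-03 14:05:30 10.1.25.163 203.0.113.7 443 hackme.com
"""
APPROVED = {"ebay.com"}  # constructed allow-list of known, approved destinations

def parse_time(date, clock):
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")

def parse_dhcp(text):
    """Return (start, end, ip, host) tuples, one per lease line."""
    leases = []
    for line in text.splitlines():
        date, clock, ip, host, secs = line.split()
        start = parse_time(date, clock)
        leases.append((start, start + timedelta(seconds=int(secs)), ip, host))
    return leases

def host_for_ip(leases, ip, at):
    """Hostname holding `ip` at time `at`; an expired lease does not count,
    and if leases overlap the most recently issued one wins."""
    active = [l for l in leases if l[2] == ip and l[0] <= at < l[1]]
    return max(active, key=lambda l: l[0])[3] if active else None

def enrich_firewall(leases, text, approved):
    """Attach the DHCP hostname to each firewall line and flag destinations
    whose DNS name is not on the approved list."""
    rows = []
    for line in text.splitlines():
        date, clock, src, dst, port, name = line.split()
        at = parse_time(date, clock)
        rows.append({"time": at, "host": host_for_ip(leases, src, at), "src": src,
                     "dst": dst, "port": int(port), "name": name,
                     "flag": name not in approved})
    return rows

LEASES = parse_dhcp(DHCP_LOG)

if __name__ == "__main__":
    for row in enrich_firewall(LEASES, FW_LOG, APPROVED):
        print(row)
```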

Time is something you have precious little of during a cyber-security or breach investigation. Taking action before the security investigation begins can save you a lot of time and keep you from running down rabbit trails during your investigation.

If you are a small community bank and someone is offering to do network level penetration testing for 1 or 2 firewalls for $1,500, that’s a reasonable bid. If, however, you have a load balanced web application running on 3 or 4 front end servers, 4 application servers and a database cluster with multiple user roles, the costs should be much, much higher.

The first thing to remember is that vulnerability scanning is all automated. Don’t let someone sell you a vulnerability scan as a penetration test.  Ethical hacking or penetration testing, is largely a manual process.  If during your vendor evaluation a vendor says a penetration test is going to take 5 days but only charges $2,000, a red flag should go up.  How is that possible?  That’s not much more than Geek Squad rates.  Nothing against Geek Squad but they are hardly business class IT support, much less information security experts.

Read more: Penetration Testing, You Get What You Pay For

I’m going to state this very bluntly.  No server needs internet access.  Do I have your attention?  Good.  Now let me clarify.  The vast majority of servers should never be allowed to make a connection to the internet.  This goes double for database servers.  If you want to ensure information security and protect against a data breach keep reading.

Now, I’m not talking about servers in your DMZ which are used to provide public facing services or provide DNS or email. I’m talking about your internal file and print, Active Directory domain controllers, CRM, ERP, etc. If these servers need an update, get it from a single purpose update server in a different security zone.

One of the common problems we see during a data breach investigation is that a server is compromised and then used to funnel information back out.  If this server was in a security zone with egress filtering, alarms would trigger the instant any outbound communication attempt was made giving the information security team a chance to detect the anomaly and respond accordingly.  A serious data breach may have been prevented.

Read more: Why? Why Does That Server Need Internet Access? Why?

One of the common phrases to describe an organization’s information security posture is the “hard crusty shell, with a soft gooey center”. Does this describe your organization? If so, you need to rethink the idea of creating internal security zones. It’s a given that you’re going to have a lapse in information security. Someone is going to penetrate through that hard candy coating and start nibbling on the succulent candy in the center of it all. The question is, how do you stop them once they are in?

Internal security zones are essential to every information security architecture discussion. Multifunction devices, little Linux servers with no anti-malware, lots of services, no access controls, lots of storage…little hacker hideouts. Why would you ever need an MFD to communicate with the vast majority of your servers? Especially a database or ERP system? Maybe a file server or an email gateway, but not the entire server farm. Why should a customer service PC which only uses the web frontend to your CRM ever need SQL access to your database cluster? Why would your VoIP or voicemail server need to communicate with your terminal servers?

Read more: Internal Security Zones Are Critical To Information Security

Your company spends hundreds of thousands of dollars each year on new or upgraded information security systems and software to combat a data breach.  Technical teams spend their entire careers staying one step ahead of the hackers to ensure information security in your organization.  Yet it all comes down to one bagel.

One Monday morning, a guy parks next to you and walks to the building with you.  He has a bag over his shoulder, a bag of bagels in each hand and a security badge on his belt.  You get to the door and badge in.  What happens next?  In most cases, you hold the door and invite him in hoping the new guy will offer you a bagel.  You hate Monday mornings.  Oh…and your company just suffered the beginning of a massive data breach.  You were the victim of social engineering.

Physical security is one of the three primary control families used to protect against a data breach.  Take extra care in forcing everyone in your party to badge in when you enter a building.  I know it feels weird.  In today’s world though, it is one of the only ways to stop targeted attacks.  Social engineering is a common occurrence in the data breach landscape we face today.  If you take information security seriously, you should also take physical security seriously.

The role of the board of directors for any company is to help a CEO with his blind spots and provide oversight.  As a board member, do you want to suffer through a data breach because of an information security blind spot?

Information security is a blind spot for most corporate executives.  It’s even a blind spot for many CIOs and CTOs.  The smart and humble ones will admit it.  How many humble CEOs and CIOs do you know?  How many are willing to readily admit they are severely incapable of identifying the risks in an area so vital to your organization?

Read more: Why a Board of Directors Should Require External Security Assessments
