How to set yourself up so that a data breach doesn’t mean bad actors have a chance to recover data.
Password disclosures are bad, and they will happen to you — count on it.
Instead of being fearful or looking for blame after the fact, accept that your systems will be penetrated; it’s just a matter of time.
There is no vendor you should trust to protect your data for you, and no matter how perfectly your contract is worded, no piece of paper will change human nature. Expecting someone else to solve your security concerns for you is your own dysfunction; it is ignorant of you, and futile to try.
Like you, they too will be compromised. It is a matter of time.
When they are compromised, it is insurance that will be used to settle the contractual obligations or legal actions arising from the breach. In any case, they were stupid enough to presume themselves invulnerable and to sign a contract that leaves no room for an inevitable data breach.
So when there is a data breach, the sad reality is that vendors reuse the same techniques across all of their customers (that is what a product is), which means that before you had the vendor your threat landscape was contained to your own business operations, whereas now it covers the vendor and all of their customers too. If an employee of the third-party company is compromised, it is highly likely that the same compromise extends to your business.
If you had taken ownership of your own data security in the first place, you’d read about the vendor’s problems in the news while your business stayed isolated from the issue.
Don’t increase your threat landscape — it only works against you, not for you.
Each of your security decisions must reduce the threat landscape without compromise; otherwise you are deciding to be less secure, which is simply immature and can only mean disaster when bad actors find you.
Know your threat vectors, the routes that malicious attackers may take to compromise you. Look at your physical vectors, such as the network, servers, devices, and hardware, which can be compromised internally or remotely, but don’t ignore the human vectors such as user password habits, unvetted personal devices, and social engineering.
Education is more valuable than technology
Educate people that their own attention to security matters: a compromised person can be more impactful than any of the technology used by the company.
Devise a strategy around threat vectors, with consideration of your attack surfaces, using the following techniques:
Principle of least privilege: ensure users and applications do not have privileges to do more than they are designed or permitted to do. Create RACI reports to identify where you can improve on this.
Operate with the minimums needed: reduce the attack surface area. For example, if your admin area is only used by employees, consider blocking every IP other than the office one, which might mean you need VPN access when not working from the office.
Establish a default secure posture: start with no risk, and let risk increase only as features are added that are acceptable compromises by design, not by mistake. The best example is AWS S3 buckets: the default policy allows only the owner access, and you need to deliberately make S3 less secure to provide certain functionality.
Avoid security by obscurity, which is universally accepted as weak security. The security of systems and data should not rely on keeping a secret hidden. For example, encryption is by design intended to be decrypted, so if the key is stolen there is zero security remaining. A better technique is to apply the same kind of techniques used to protect passwords, which result in a resilient SHA1; but SHA1 has a recognisable set of characters, so XOR those characters and encrypt that rather than encrypting the raw data.
Defense in depth is another common name for the technique described above. It makes vulnerabilities extensively difficult to exploit and therefore less likely to occur.
We’re pretty familiar with who attackers might be: drive-bys, state actors, ex-employees, organised crime, youngsters, etc., but more important than who is how.
You can read about common methods such as Advanced Persistent Threat (APT), Distributed Denial of Service (DDoS), Cross-Platform Malware (CPM), Phishing, or the more unpredictable ones that come under Metamorphic and Polymorphic Malware, which may include a Command and Control component. Most security software will protect you from these known methods and therefore from the actors that utilise them.
What I’d like to bring to your attention is the unknown methods and the opportunist actors that security software cannot protect you from at all, because these are the known unknowns that will eventually penetrate your defenses.
Let the threat actors take your data
If your security strategy diligently follows all of these principles, it’s likely that you are in a position not to care that your data is exposed: let the threat take the data, because it is rendered useless to them. But be careful to still prevent the threat actors from causing you harm after they’ve established a beachhead.
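As an added example (not code from the original post) of storing data so that a stolen copy is useless, the credential store below salts and stretches each password with PBKDF2-HMAC-SHA256 instead of the bare SHA1 the earlier paragraph mentions, and then keys the result with an HMAC "pepper" that lives outside the database. The pepper handling, the iteration count and the record layout are assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as your hardware allows.
ITERATIONS = 600_000


def make_record(password: str, pepper: bytes) -> dict:
    """Salt and stretch the password, then key the result with the pepper.
    The pepper never enters the database, so a leaked row carries only a
    keyed tag that cannot be checked or brute-forced without it."""
    salt = os.urandom(16)
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    tag = hmac.new(pepper, stretched, hashlib.sha256).digest()
    return {"salt": salt.hex(), "iterations": ITERATIONS, "tag": tag.hex()}


def verify(record: dict, password: str, pepper: bytes) -> bool:
    """Recompute the keyed tag for a login attempt and compare in constant time."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    tag = hmac.new(pepper, stretched, hashlib.sha256).digest()
    return hmac.compare_digest(tag, bytes.fromhex(record["tag"]))


def leaked_row_confirms_guess(record: dict, guess: str) -> bool:
    """What someone holding only the stolen table can do: run PBKDF2 over a guess
    and compare. Without the pepper the stored tag cannot be reproduced, so even
    the correct password is not confirmable offline."""
    stretched = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    unkeyed = hashlib.sha256(stretched).digest()
    return hmac.compare_digest(unkeyed, bytes.fromhex(record["tag"]))


if __name__ == "__main__":
    # In practice the pepper is loaded from a secrets manager or HSM, never stored with the rows.
    pepper = os.urandom(32)
    row = make_record("correct horse battery staple", pepper)
    print(verify(row, "correct horse battery staple", pepper))           # True
    print(leaked_row_confirms_guess(row, "correct horse battery staple"))  # False
```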
Monitor, Monitor, Monitor
Make sure you are set up to constantly monitor your normal activity, because without knowing the normal you cannot detect the anomalous.
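As an added example (not from the original post) of learning the normal before looking for the anomalous, the script below builds a per-user baseline from a constructed week of login records and then checks a later window against it. The log format, the users and addresses, and the three-sigma threshold are all assumptions of this example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline: a quiet week for alice, every login from the office address.
BASELINE = [
    "2024-01-01T09:02 alice 203.0.113.10 ok",
    "2024-01-02T08:55 alice 203.0.113.10 ok",
    "2024-01-03T09:10 alice 203.0.113.10 ok",
    "2024-01-03T13:40 alice 203.0.113.10 ok",
    "2024-01-04T09:05 alice 203.0.113.10 ok",
]
# Constructed window to inspect: a 3am burst from an unfamiliar address, plus a user we have no history for.
WINDOW = ["2024-01-08T03:%02d alice 198.51.100.7 ok" % m for m in range(10, 15)] + [
    "2024-01-08T09:01 bob 203.0.113.10 ok",
]


def parse(lines):
    """Assumed line format: '<ISO timestamp> <user> <source ip> <result>'."""
    for line in lines:
        ts, user, ip, result = line.split()
        yield {"day": ts[:10], "user": user, "ip": ip, "result": result}


def build_baseline(lines):
    """Per user: the source addresses seen and the mean/stddev of logins per day."""
    per_day, ips = defaultdict(Counter), defaultdict(set)
    for e in parse(lines):
        per_day[e["user"]][e["day"]] += 1
        ips[e["user"]].add(e["ip"])
    return {u: {"ips": ips[u], "mean": mean(c.values()), "std": pstdev(c.values())}
            for u, c in per_day.items()}


def detect(profile, lines, sigma=3.0):
    """Return (user, reason) alerts for anything that falls outside the learned baseline."""
    alerts, per_day = [], defaultdict(Counter)
    for e in parse(lines):
        per_day[e["user"]][e["day"]] += 1
        known = profile.get(e["user"])
        if known is None:
            reason = "no baseline for this user"
        elif e["ip"] not in known["ips"]:
            reason = "new source " + e["ip"]
        else:
            continue
        if (e["user"], reason) not in alerts:  # one alert per user and reason, not per event
            alerts.append((e["user"], reason))
    for user, days in per_day.items():
        if user in profile:
            p = profile[user]
            limit = p["mean"] + sigma * max(p["std"], 1.0)  # floor the spread so a flat week still tolerates a little variance
            alerts += [(user, f"{n} logins on {day}, baseline {p['mean']:.1f}/day")
                       for day, n in days.items() if n > limit]
    return alerts
```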