Rebels hacked the Death Star: Is your organization next?
A long time ago in a galaxy far, far away, the Empire made one critical and fatal mistake that would lead to their eventual downfall. They never believed that the rebels would be able to breach their defenses at Scarif and steal the plans for their most prized weapon: The Death Star.
Plans were placed in a vault, in a tall tower, surrounded by thousands of heavily armed troops and Imperial Walkers, on a planet completely surrounded by an impenetrable force field, defended by hundreds of spaceships.
Yet it only took a group of highly motivated and determined individuals to get through their defenses, and the consequences were dire.
Where was the Empire’s incident plan? Why weren’t the Death Star plans encrypted? Why didn’t they use two-factor authentication?
Every day brings news of another data breach. Some are huge data breaches like eBay, Equifax, or Yahoo, while others are much smaller. However, they all have one thing in common: Once in, hackers were able to get a lot of data.
Often, hacks are limited to users’ personal data, but sometimes customers’ credit card details are also stolen. Many companies that suffer a breach already have security measures in place: they patch their servers and run firewalls, wide-area file services, and intrusion detection systems. Many have an information security policy and carry out penetration tests, but the hackers get through anyway.
Plan for the breach
No matter how high you build your walls, someone with enough skill, determination, and resources can get in. Nation states are now engaging in corporate espionage, and if North Korea really wants your data files, you are going to find it very difficult to keep them out.
Humans are often the biggest attack vector in any system, and highly sophisticated security systems can be breached through clever social engineering. In an effort to keep their data safe, organizations are spending more and more to build taller walls with increasingly sophisticated technology, but, time and again, these are breached and data is exposed – sometimes through very sophisticated attacks, and sometimes through human error.
While it is extremely important to focus on strong information security, what the Empire forgot to study was how to mitigate the damage if and when rebels managed to breach their security. They didn’t plan for a breach because they never thought it would happen. This is the same mistake that many organizations on this planet are making, too.
Create an incident plan
Every organization should have a data-breach incident plan. When the proverbial item hits the fan, the last thing needed is employees running around like headless chickens, desperately trying to manage the situation, and making things up as they go along.
The moments after a breach is discovered are extremely stressful for all involved, but they are also the most crucial. Without a plan, matters can be made much, much worse.
Forensic evidence can be destroyed, further data exposed, and misinformation can be disseminated. During this time, everyone should know what they need to do so that the crisis can be managed.
Audit your data
One of the great features of the forthcoming GDPR is that organizations that handle EU residents’ personal data are being forced to audit that data. Many organizations don’t know what data they hold, how much of it they have, or where it is located.
Organizations that have grown organically over time are likely to have many legacy systems with different data residing in each. Companies should consider what personal data they actually need and ensure that the rest is removed, or at least fully encrypted. Is it really necessary to keep the personal details of someone who bought from you five years ago?
Separation of systems to avoid cross-contamination
A chain is only as strong as its weakest link. Many secure systems have been breached because of a weak entry point. It is important to ensure that systems are separated. That way if one is breached, the breach is contained to that system rather than across all systems, thus limiting your exposure.
Implemented correctly, an e-commerce site built on a hardened platform is going to be very difficult to breach. But you may also have a WordPress blog sitting within the same environment. WordPress is by far the most-hacked web platform in the world, partly because it is also the most widely deployed: data released by Sucuri showed that 74% of a sample of hacked websites in 2016 ran WordPress.
While some of that blame lies with WordPress users not keeping their software and plugins up to date, this number should concern you if you run a WordPress site. Your concern should be magnified if that WordPress site is hosted in the same environment as your e-commerce store.
If your WordPress platform is breached, it can be used as an entry point into your e-commerce website, where the most valuable data resides. Host the WordPress site in an entirely separate environment (separate servers, credentials, and network) from your e-commerce platform, so that a compromise of one cannot spread to the other.
Encrypt your data
Data encryption is more complex than it may first appear. In theory, it makes complete sense to encrypt all personal data held within your e-commerce platform’s database: if the data is stolen without the key, it is meaningless.
The biggest problem is that your application generally needs to decrypt data on the fly, which means the key has to be within the application’s reach: in its code, in a configuration file, or in a key service it can call. If an attacker compromises the application itself, rather than just dumping the database, they may be able to decrypt the data with that same access. Keeping the key outside both the application and the database, in a dedicated key-management service or hardware security module, at least means that a stolen database dump, even together with the source code, is useless on its own.
Another encryption challenge is performance. If your application needs to decrypt data in real time, this can add significant overhead, and encrypting every field is often just not practical; a common compromise is to encrypt the sensitive fields and keep the fields you search on as keyed hashes. Encryption is a great way to protect your data, but it comes with its own set of challenges.
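The points above, as an added example in Go that is not part of the original article: envelope encryption, where each customer row is sealed under its own data key, that data key is wrapped by a key-encryption key that lives only in an external key service, and a keyed hash of the email gives a searchable column without decrypting anything. The `KMS` type, `NewKMS`, `EncryptRecord`, `DecryptRecord`, `BlindIndex` and the `"dek-wrap"` label are names chosen for this example, and the in-memory `KMS` is a stand-in for a real cloud KMS or HSM; the customer data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// KMS stands in for an external key service (cloud KMS or HSM): the KEK never
// leaves it, so a stolen copy of the application plus its database does not
// carry the key. This in-memory type is a hypothetical stand-in for the example.
type KMS struct {
	kek      []byte // 32-byte AES-256 key-encryption key
	indexKey []byte // HMAC key for blind indexes (lookups without decrypting)
}

// random returns n random bytes; the example panics on a failed entropy source.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKMS() *KMS { return &KMS{kek: random(32), indexKey: random(32)} }

// gcm builds AES-GCM; every key here is 32 bytes, so a failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce || AES-256-GCM ciphertext under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on a wrong key, a wrong AAD or any tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], aad)
}

// BlindIndex is a keyed hash of the email, so a customer can be found by an
// equality lookup without decrypting every row (the answer to on-the-fly cost).
func (k *KMS) BlindIndex(email string) string {
	m := hmac.New(sha256.New, k.indexKey)
	m.Write([]byte(email))
	return hex.EncodeToString(m.Sum(nil))
}

// StoredRecord is what lands in the database; without the KEK it is noise.
type StoredRecord struct {
	ID         string
	EmailIndex string
	Ciphertext []byte // PII sealed under a per-record data key (DEK)
	WrappedDEK []byte // that DEK sealed under the KEK
}

// EncryptRecord makes a fresh DEK per row and wraps it under the KEK; the row
// ID is bound as associated data so a ciphertext cannot be moved to another row.
func EncryptRecord(k *KMS, id, email, pii string) StoredRecord {
	dek := random(32)
	return StoredRecord{ID: id, EmailIndex: k.BlindIndex(email),
		Ciphertext: seal(dek, []byte(pii), []byte(id)), WrappedDEK: seal(k.kek, dek, []byte("dek-wrap"))}
}

// DecryptRecord is the on-the-fly path the application uses. With a foreign
// KEK (an attacker holding only the dump) unwrapping fails first.
func DecryptRecord(k *KMS, r StoredRecord) (string, error) {
	dek, err := open(k.kek, r.WrappedDEK, []byte("dek-wrap"))
	if err != nil {
		return "", errors.New("cannot unwrap data key: wrong KEK or tampered record")
	}
	pt, err := open(dek, r.Ciphertext, []byte(r.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

The design choice worth noting: the application never holds the KEK, only the wrapped data keys, so the only way to turn a database dump into plaintext is to be able to call the key service, and that call is exactly where access control, rate limiting and audit logging belong.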
Deception-based security
Deception-based security presents attackers with fake vulnerabilities, decoy systems, or even fake data (often called honeypots and honeytokens) that obscure the real thing.
Hackers generally look for the most basic vulnerabilities, such as known exploits, before deploying more advanced techniques. Once they find a weakness, they are likely to focus on it. If what they then reach is data that appears sensitive and real but is in fact fake, you have a chance of throwing them off the scent.
Because no legitimate user or process ever touches the decoys, any access to them is a high-confidence signal, so that activity is far easier to monitor, which increases your odds of identifying and then blocking the attacker. By deploying decoy systems and data, you give the attacker the illusion of a successful breach while buying yourself time to respond.
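The monitoring half of that approach, as an added example in Go that is not from the original article: a scanner that walks access-log and database audit-log lines looking for planted decoys (a fake customer row, an API key that nothing legitimate uses, and a "forgotten backup" path that is really bait) and turns every hit into an alert plus a block list of the source addresses. The decoy values, the `Decoy`, `Alert`, `ScanLogs` and `SourcesToBlock` names, and the sample log lines are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Decoy is a value that exists only in a fake record or a fake endpoint and
// is never used by a legitimate user or process, so any sighting is a
// high-confidence signal. All values below are constructed for the example.
type Decoy struct {
	Name  string // label reported in the alert
	Token string // literal that must never appear in genuine traffic
}

var Decoys = []Decoy{
	{"canary-customer-email", "j.doe.7731@example-mail.test"}, // fake row in the customers table
	{"canary-api-key", "sk_live_CANARY_4f9d2e1a"},            // key planted in a config file, never used
	{"decoy-admin-path", "/backup/admin-2016.zip"},            // "forgotten backup" that is really bait
}

type Alert struct {
	Line   int
	Decoy  string
	Source string // client IP when the log line carries one, else empty
	Raw    string
}

var ipRe = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)

// ScanLogs walks web access-log or database audit-log lines and reports
// every decoy hit. Matching is a plain substring test: the decoy tokens are
// chosen to be unique, so no parsing of the log format is needed.
func ScanLogs(lines []string, decoys []Decoy) []Alert {
	var alerts []Alert
	for i, line := range lines {
		for _, d := range decoys {
			if strings.Contains(line, d.Token) {
				alerts = append(alerts, Alert{Line: i + 1, Decoy: d.Name, Source: ipRe.FindString(line), Raw: line})
			}
		}
	}
	return alerts
}

// SourcesToBlock returns the distinct client IPs that touched any decoy, in
// first-seen order, ready to hand to a firewall or WAF block list.
func SourcesToBlock(alerts []Alert) []string {
	seen := map[string]bool{}
	var out []string
	for _, a := range alerts {
		if a.Source != "" && !seen[a.Source] {
			seen[a.Source] = true
			out = append(out, a.Source)
		}
	}
	return out
}

// SampleLogs are constructed for this example: a normal login and page view,
// a probe of the decoy path, an audit entry for a query that read the canary
// row, and an API call made with the canary key.
var SampleLogs = []string{
	`203.0.113.10 - - [12/Jun/2017:10:02:11 +0000] "POST /login HTTP/1.1" 200 512`,
	`203.0.113.10 - - [12/Jun/2017:10:02:40 +0000] "GET /account HTTP/1.1" 200 2048`,
	`198.51.100.23 - - [12/Jun/2017:10:15:03 +0000] "GET /backup/admin-2016.zip HTTP/1.1" 200 4096`,
	`db-audit user=shop_app query="SELECT * FROM customers WHERE email='j.doe.7731@example-mail.test'"`,
	`198.51.100.23 - - [12/Jun/2017:10:16:30 +0000] "GET /api/orders HTTP/1.1" 200 8192 key=sk_live_CANARY_4f9d2e1a`,
}

func main() {
	alerts := ScanLogs(SampleLogs, Decoys)
	for _, a := range alerts {
		fmt.Printf("ALERT line %d: %s hit from %q\n", a.Line, a.Decoy, a.Source)
	}
	fmt.Println("block:", SourcesToBlock(alerts))
}
```

Run against the sample lines this raises three alerts (the decoy path, the canary row, the canary key) and a block list containing the single probing address; the two legitimate lines raise nothing, which is the property that makes decoys cheap to monitor.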
Best cybersecurity practices for the future
Organizations should not solely focus on keeping hackers out, as this alone will not protect their data from everyone. A determined, experienced, and well-resourced team could probably hack almost any e-commerce platform if they tried hard enough.
Building a bigger wall will only deter them for so long. A greater focus on mitigating breaches rather than just trying to prevent them is needed to ensure that all of your data is as protected as it can be.
If the Empire had tasked someone with auditing their data and creating a robust and tested incident plan, things could have turned out very differently.
Do. Or do not. There is no try.
The first step in breach remediation is knowing you’ve been hacked. See The Future of Cybersecurity: Trust as Competitive Advantage.