Pratum Blog

Time is Money When It Comes to Data Breaches

If you worry that you’re too pessimistic, wait until a warning sign pops up on your dashboard—whether it’s in your car or on the company network. Those moments make reckless optimists of us all, convinced that the problem will fade away like last night’s heartburn. Even though that approach may not actually work, it’s usually more convenient in the short term than wading into a vague problem with invisible tentacles. But the next time unusual network activity sets your Spidey Sense atinglin’, remember this: Most data breaches get more expensive with each passing day.

Despite that, most companies take days to send up the infosec distress flare. That’s why Pratum’s incident response team keeps its calendar open on Friday afternoons. Nearly every week, we get a distress call as IT teams realize they’d better not let things stretch into the weekend. A typical call to our breach hotline (515-212-6634) sounds like this:

“I saw this suspicious login activity on Tuesday, but I took care of it. Then it happened again on Wednesday, so I fixed it again. But it seems like it’s still going on, so can you take a look at it? Before 5:00 today?”

Hackers Favor Delayed Strikes

Pratum’s team stands by 24/7, but, for your sake, they’d rather you make the call sooner. “The problem is a lot less severe if it hasn’t grown for several days,” says Pratum’s Director of Security Operations Megan Soat.

Hopefully, this fact comes to mind the next time you discover a breach “as soon as it happened”: By the time you notice a breach, the hacker has already been at work on your system for some time—probably a long time. An IBM study shows that, on average, American companies take 186 days to detect a data breach and another 51 days to fully contain it. (As you would expect, breaches caused by malicious attackers covering their tracks take longer to detect than glitches or user errors.) A massive breach of Starwood Hotels discovered in 2018 had gone undetected for four years.

And hours count on data breaches like minutes count on ambulance calls. IBM’s study shows that organizations that keep the detection/containment window under 200 days save an average of $1.2 million.

The Price of Waiting

Some of a breach’s costs are clearly measurable (such as the price to restore data), and others may be harder to spot (such as the average 5% stock price drop among breached public companies). Costs that can pile up during a delay include:

  • Lost business operations time – Obviously, the longer you take to fix a problem, the longer it takes for everyone to get back to their day jobs.
  • Ongoing damage – Many attacks spread in clever ways even after you block the original problem. Megan points to attacks involving an Office 365 system. “A lot of teams don’t look at the e-mail forwarding rules,” she says. “So malware may have automatically sent itself all over your system, which means the bad guys still have access after you think you’ve fixed the issue. An IT team may think they’ve solved it but lack the expertise to verify that.” Similarly, irony-loving hackers may exploit your automated backup system to spread their work via the very tool you use to protect your data.
    One of a cybersecurity pro’s biggest services is verifying that the problem is truly eliminated. “Even if you think you have it solved, it could be weeks or months before something else pops up if you don’t have it verified by someone who knows what they’re doing,” Megan says.
  • Fines – Breach notification laws typically specify the timeframe in which you must notify affected parties that their information has been compromised. That window is frequently as short as 72 hours. So taking most of a work week to sort things out could use up your allotted time and incur fines.
  • Breach of contracts – In time-sensitive industries such as logistics, a compromised system could mean you miss critical deadlines and break contracts, costing you revenue in the short term and entire contracts in the long term.
  • Lost customer trust – Here’s a case where the cover-up can look worse than the crime. If word gets out (either through a legally required notification or simple industry gossip) that you dragged your feet in dealing with a breach, many customers will lose confidence in your security process and overall decision making and transparency. That’s why 71% of Chief Marketing Officers say loss of brand value is a breach’s biggest cost. “If it’s something they have to notify on,” Megan says, “it looks a lot better if they’ve involved someone from the beginning. How do you show clients that you took it seriously? Call in a security firm right away.” (Pratum Breach Hotline: 515-212-6634)

What To Do Next Time

Before you face the next suspected breach, consider taking these steps so you’re ready to extinguish problems as soon as you know about them:

  • Create a business continuity/disaster recovery plan – You’ll be way ahead if you’ve developed a response plan in a clear, calm mindset so that you don’t have to scramble for next steps when a stressful event drops on you. Reach out to us for a template you can use to get started.
  • Consider an information security retainer – Signing a contract in advance makes it easy to bring a consultant into the situation. You won’t have to explain your system under the pressure of a breach, and the consultant can let you know in advance what data you should be tracking so they can help you when the time comes. Plus, if you establish a retainer with a set number of hours per year, you’ll have the service built into your budget, which means your boss won’t worry about using the service you’ve already paid for.
  • Call our hotline for a quick opinion – Even if you’ve never worked with us before, we’ll provide an initial read on what you’re facing. “We don’t charge for the first call to find out what’s going on,” Megan says. “And we’re willing to tell people if they don’t need our help.”

To learn more about how Pratum can help minimize the damage and costs the next time a hacker comes calling, contact us today.

Get Serious about Mobile Security

Pull up a copy of any security framework published in the last 20 years, and you’ll almost certainly find some mention of asset management. Tracking the hardware and software in your environment is the fundamental step to securing your organization—and that includes planning for mobile device security. You can’t effectively secure what you can’t see, and you can’t patch software on a system that you don’t know is there. That’s why one top standard, the Center for Internet Security Critical Security Controls (CIS CSC or CIS Top 20), gives the top two spots on its priority list to “Inventory and Control of Hardware Assets” and “Inventory and Control of Software Assets.”

Despite the absolutely fundamental nature of asset management, many organizations neglect it. IT managers especially tend to overlook mobile devices and software, even though these assets are some of the most important elements in risk management. The four factors below make mobile devices and software especially likely to get involved in security incidents:

1. Mobile devices are easily physically lost or stolen.

2. They often contain sensitive data.

3. They frequently connect to networks outside the corporate network perimeter.

4. Users' normal impatience with security safeguards is even more limited in mobile settings.

Add all that up, and you have a recipe for security incidents involving mobile devices. And that’s a problem that can spread quickly. It is critical that your organization manage, control, and monitor mobile devices in order to protect them from becoming a beachhead for hackers looking to pivot and access internal organization systems.

There’s no doubt that managing mobile devices properly adds complexity to your security strategy. But you don’t have the option of ignoring the issue. If a breach occurs, your customers and industry partners won’t care about all the reasons you found it too hard to manage and secure your mobile hardware and software assets. If you think it’s too costly or difficult to implement a mobile device or software control, you should reevaluate whether you should use mobile devices as part of your computing environment.

Review Your Mobile Security Posture

When you do get serious about mobile security, you’ll quickly discover a host of different solution categories (plus a long list of vendors) that could come into play, including Mobile Device Management (MDM), Mobile Application Management (MAM), End Point Protection (EPP) and Data Loss Prevention (DLP). (Plus many others if we bring mobile device network security into scope.)

Most organizations will need to consider a mixture of approaches and solutions to manage mobile device and software risks. One thing you shouldn’t do is determine the best solution first. Before you get to the point of solutioning, you should:

1. Understand all of the risks introduced to your organization by mobile devices and software. (Pratum can assist with thorough risk assessments that include evaluating your mobile posture.)

2. Determine the specific functions or features necessary for your organization to sufficiently manage mobile device and software risk.

3. Evaluate/document whether the solutions your organization already has in place are fully capable of managing your mobile device and software risks.

Below, we summarize first steps toward solutions for the top three mobile device risks listed at the beginning of this post.

Physical Loss/Theft

When a device physically leaves a legitimate user’s control, it is likely to face several potential threats. Anyone in control of a device can either attempt to access what’s on the device, or they may use it to access restricted networks or applications through the credentials of the device’s approved user. Even if a device doesn’t make it into the hands of a malicious attacker, it could be used in a way that exposes the organization to compliance or reputation risk. (A huge community of enthusiasts on the Internet revolves around rooting/jailbreaking devices). Finally, you must be ready to deal with devices that terminated employees never return.

To deal with each of the threats above, consider the following security controls:

Policy/Process/Standards
  • Require users to immediately report lost devices and report security incidents involving mobile devices.
  • Require users to sign an acceptable use agreement for mobile devices or Bring Your Own Device (BYOD).
Technology
  • Keep devices updated with minimum OS (iOS or Android) level standards.
  • Monitor for devices being rooted or jailbroken.
  • Monitor for failed login attempts and enable the ability to lock out or wipe devices when there are too many attempts.
  • Establish adequate device access control configurations:

– Enforce password/pin length/complexity standards.

– Enforce password/pin rotation, reset, and history standards.

– Enforce screen lock/timeout policies for devices.

– Use login banners and warnings.

Sensitive Data Control

Ultimately, data is what most organizations really want to secure on their mobile devices. Before you go down the path of choosing a security approach, consider whether the best approach is simply keeping sensitive data off the mobile device in the first place.

If you do need to allow data to go mobile, you can secure it with a combination of encryption and remote wipe capabilities:

  • Remote wipe – Tools that let you reach out and remove all data on the device (essentially a factory reset).
  • Selective remote wipe – Tools that reach out and remove specific data or apps on the device (more common in BYOD scenarios).
  • Device encryption – Encrypting the device’s hard drive to protect all the data. Be sure your strategy includes plans for managing the device’s encryption keys.
  • Selective encryption – Encrypting certain applications or data on the device. (More common in BYOD scenarios.)

Outside Network Connections

Taking devices outside the traditional security perimeter usually strips them of several layers of network security controls that come along with an organization’s firewall and Internet traffic filtering infrastructure. While endpoint network controls enabled by DNS are not strictly an asset management function, you should strongly consider using them. As mentioned above, a compromised mobile device often becomes a doorway that hackers use to breach broader company systems.

Here are some best practices for managing devices using outside networks:

Device software installation/usage restrictions
  • If users are allowed to install software/apps, they can install malware, whether accidentally or intentionally. So you should strongly consider app whitelisting or category-based whitelisting.
  • If a mobile device user without software restrictions implemented falls victim to a phishing attack, the device is much more easily compromised and can be used to pivot to internal systems.
Elevated security requirements for mobile device access to production systems and data
  • If your risky mobile devices don’t need to be on the same network as your servers when they come into the office, Network Access Control (NAC) can help keep them separated.
  • Consider requiring multifactor authentication (MFA) for any system that can be accessed by a mobile device.
App communication security
  • Ensure that communication channels for all apps on your mobile devices use the latest encryption capabilities such as TLS 1.2 or 1.3 to ensure that traffic transmitted over public networks is properly secured.
End Point Protection
  • Consider implementing an End Point Protection agent to monitor for and respond to malware infections or other security incidents on the device.

If you are an IT or security practitioner, remember that deciding whether to accept a risk or to manage it by implementing a control in any given scenario is ultimately a business decision enabled by your expert opinion. Pratum specializes in helping leaders assess risk in light of their specific business needs and develop appropriate solutions. Contact us to learn more about how we can work together to secure your organization.

The Internet of Things

In 1990, the world contained exactly one Internet of Things (IoT) device: a toaster connected to the Internet by a guy named John Romkey acting on a trade-show dare. Now, experts predict we’re on track to have 41 billion IoT devices in the world by 2027.

That means the security risks of IoT devices must be a key part of the security plan in every business and home-office setting. These devices make us smarter and more efficient by disseminating a staggering amount of data from every corner of our daily experience. One popular statistic estimates the daily data stream adds up to 2.5 quintillion bytes (that’s 18 zeroes). The nationwide arrival of 5G wireless technology will only increase that number.

All that data collection introduces an entirely new realm of risk where the key concept is “attack surface.” A few years ago, “only” computers and servers presented exposure to the internet, but modern hackers can now find doorways into networks through watches; cars; smart thermostats; medical devices; wearable safety devices; Programmable Logic Controllers (PLCs) in valves and switches; and more. Even your kid’s adorable electronic teddy bear could go all Chucky on you if it has an Internet connection and spy-ready features like a camera and speakers. With exponentially more devices connected to the Internet, the attack surface now looks like the Pacific Ocean.

An obvious solution is to keep all these devices offline. In other words, reduce the attack surface. But as we’ll see below, IoT’s tremendous business advantages require you to find a way to safely implement these devices in a way consist with your business’ risk tolerance.

IoT's Advantages

Along with the obvious convenience of having data wherever you need it (remember that your smart phone once seemed like a revolutionary IoT device), the technology lets businesses monitor equipment and personnel in real-time, even in remote settings. A continuous data stream, whether it’s from a weather station in a far-off location or a machine across the shop floor, allows more current, informed decisions. It also produces efficiencies, as information can flow back to a central location for tracking and administration.

Cell towers provide one common use case. In that space, effective monitoring is fundamental to proper maintenance, tower uptime, energy consumption tracking, adherence to stringent service level agreements (SLAs), etc. However, monitoring cell sites remotely keeps getting more challenging because of expanding networks, rising operational costs and security issues. IoT solutions enable 24/7 monitoring of passive assets across multiple remote locations. These devices can now communicate and feed data into a cloud-analytics engine, leading to increased tower uptime and better power management.

IoT's Risks

Routine patches help keep computers secure, but the core design of IoT devices allows for minimal, if any, software and firmware updates. Because this space is growing at a rapid pace, devices are only supported for short periods of time before manufacturers allocate more time and resources to the development and support of new products. In a related challenge, many vendors are rushing products into this seeming gold rush of a market, giving security less attention than it deserves.

Plus, many IoT devices suffer from basic security flaws that are routinely addressed on servers and endpoint computers in organizations that have solid security policies. For example, many IoT devices use unencrypted communications, use default passwords and don’t implement multifactor authentication.

You should be particularly wary of certain high-risk IoT devices, such as off-brand devices (which rarely have the same security protection as higher-priced versions) and Internet-enabled toys, which often lack sufficient security features. These devices can sometimes be used in second-order attacks on a home network, which could quickly lead back to business data in today’s work-from-home environment.

Your unique situation will determine which threats you should focus on. For example, a Department of Defense employee who frequently deals with information requiring certain levels of security clearance probably won’t have a Google or Amazon virtual assistant in the office or use remotely controlled security systems. Your business needs may not require quite that level of security.

Common IoT Attack Vectors

The following list covers some of the most common ways hackers go after IoT devices:

  • Web application attacks – Attackers compromise the application that monitors and controls IoT devices and then uses trusted credentials to remotely control devices. Once they have access, hackers can use the devices to install rogue software or use unsecured operating systems to pivot within the environment.
  • Pivoting – Bad actors can use unsecure but trusted IoT devices as a pivot point into more critical systems.
  • Wireless intercepts – Unsecured wireless communications can be intercepted, and unauthenticated communications can be used to inject commands.
  • Credential or information stealing – Unsecure devices have credentials used to communicate with backend systems, and hackers can use stolen credentials to pivot into more critical systems. Sensitive information can be stolen as the target or used in additional attacks.

How to Protect IoT Devices

In late 2020, the National Institute of Standards and Technology (NIST) issued four new publications that offer recommendations to the government and manufacturers for effective IoT security. These publications fulfill requirements outlined in the IoT Cybersecurity Improvement Act of 2020, which became law in December 2020. For a business, NIST’s new documents provide insight on what you should consider when purchasing and integrating IoT devices. You can read the guidelines here.

We also recommend implementing the following best practices as part of your IoT strategy:

  • Network isolation – Segment IoT devices in separate logical or physical networks. Implement ingress and egress filtering to restrict data flow.
  • Device isolation – Isolate functions or services within the device. Require authentication to the device or service. Restrict communications to or from the device or service.
  • Review security event logs – This includes watching firewall events, intrusion prevention system events, application events and device events. Use a SIEM tool to analyze log data and detect suspicious activity.
  • Penetration testing – Test devices for vulnerabilities and retain a team of white hat hackers to attempt to compromise the device. Use the device to cause mechanical or physical impacts and learn from what happens.
  • Product development activities – Set up devices to eliminate as many problems as you can. Remove unnecessary services, require authentication, encrypt storage and communications, patch systems and apply updates.

For a full assessment of your IoT risks and consulting on how to control the risks for your organization, contact us.

Editor's Note: This post was originally published in November 2020 and has been updated to reflect new legal developments.
Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.