How to design systems that help prevent breaches ? Let’s explore Innovative technologies are affecting and reshaping all market industries and not just the healthcare industry. Some organizations believe, not embracing or implementing such technologies can limit their competitive edge. Buzz words and acronyms of today like, cloud, IoT, BYOD, DRaaS, and Data Lakes are part of the growing number of businesses and households utilizing these technologies. With all this technology comes the ever flowing exchange of information in the form of sensitive personal or corporate information. Are you concerned about this type of exchange of information?
Technology is exploding with new innovations faster than businesses can evaluate them into their security postures. Businesses are throwing tremendous amounts of finances into preventive measures such as firewalls and intrusion prevention systems to keep the bad guys out. The latest data breaches in the news concerning stolen personally identifiable information (PII), credit cards or payment card industry data (PCI) and protected healthcare information (PHI) makes you wonder if preventive measures truly are working or sufficient enough to keep out the bad guys.
Cyber criminals who breach corporate infrastructures (i.e. cyber crime) may setup shop to deploy, in some cases, similar technologies used in protecting that very same data. For example, once cyber thieves breach an internal network, they may hide and extract the data by using the same technology (encryption or VPN) which could result in an event going undetected by the IT staff.
Let’s focus on two measures of our discussion “Designing with Breaches in Mind”– preventive and detective measures. Think about your home, built with windows and doors (preventive measures). My question to you is – if a burglar circumvents a home’s preventive measures by breaking in, how do you know your privacy had a breach? Hopefully an alarm system was installed (detective measure) with a monitoring service notifying authorities and the home owner of an intrusion. The motivation behind installing an alarm system possibly was the homeowner taken into account the possibility of a burglar breaking into his/her home. The concept of how to design our homes with breaches in mind, businesses need to follow similar thinking.
Here’s even a worst scenario, imagine no alarm system in your home then an intruder breaks in concealing himself inside undetected. The intruder may inconspicuously move around from room to room perhaps even while your home. This is scary thought, we hope will never happen, but does this seem unfeasible? You may not even conceive anything is happening or out of place in your home.
This very scenario is similar to a hacker who pivots from one network device to another undetected in a corporate environment. Many businesses and government agencies today face similar threatening situations called Advanced Persistent Threat (APT). Intruders hiding inside their network going undetected for days, months and often times years! This is just one of the many reasons why millions of sensitive data in the form of PII, PCI and PHI are stolen in tremendously large quantities! This involves true proactive monitoring of all parts of the network and every device inside and out that makes contact with the organization’s network infrastructure. A company’s cloud enabled resources should also be included in such monitoring, which can also be a challenge.
A business network design isn’t just limited to detective or preventive measures. Companies that experience serious breaches have to take a more holistic view by looking at all business unit functions, processes and resources as to how data is handled and protected; including the types of processes in place for monitoring data and key performance indicators or metrics, gaging their effectiveness. Corporations need behavior changes towards effective cyber security development life cycles.
I challenge today’s businesses to look into correlating their security logs, making sure dates and times are synchronized and fed into a centralized repository system known as Security Information Event Management or SIEM. In today’s excessive information sharing technology of credit card transactions, smart phones, cloud enabled point of sales systems (POS), even providing your physician’s staff social security information can be compromised. Organizations need to consider on how to design with breaches in mind. This minds set has to start from C-level management and translate to the data users or handlers. Designing with breaches in mind is taking a step beyond the normal due care practices and taking an onerous approach to due diligence! We may then start to see a downward curve in massive breaches and thefts of sensitive and classified information.