We have seen more instances recently of “security own goals” – i.e. security failures from companies who either should know better (probably overly harsh criticism when faced with a determined, targeted attack) or who are founded on the basis of providing greater security, but then found to be fallible like other businesses.
Past examples would be the well-publicised incidents at the US National Security Agency or at security firms Symantec and RSA. In the last few weeks we have seen:
- News of an attack on Russian security firm Kaspersky that ended up providing them with a good excuse to show off their forensic and investigatory skills;
- Password management service LastPass, which suffered an attack that, in post-event analysis, seems to have been a lot less frightening than it could have been; and
- The US OPM (Office of Personnel Management) breach, which exposed personnel records and security clearance details.
Without trying to be critical, these examples show a number of things.
One is that even a well-funded or expert security team can find itself the target of a successful attack if the prize for the attacker is worthwhile – faced with a sufficiently attractive goal the assailant will try as many ways as it can find and use any and all resources available to be successful. This is very hard to defend against.
The second is that detection is vital; and doing this early means the response can be more effective. This should form a fundamental KPI for all security teams.
Lastly, the response and publicity handling will have a big impact on the reputational damage and coverage received after a breach – get this right and you can certainly be painted more positively than if you get it wrong.
In both the Kaspersky and LastPass cases, the analysis of the issue and level of understanding of what had happened, how it had happened and the implications (including for users) were promptly published and showed a high degree of technical and business understanding – this is a welcome change from some past breaches where delays, denials, obfuscation and vagueness have been more the order of the day.
The challenge, of course, for many organisations without the security focus or technical expertise of these industry players, is their ability to detect, diagnose and understand how a breach is affecting them.
This problem is part technology (the right solutions with the right capabilities that are configured to do the right things), part business case (the right levels of investment in prevention, detection and response), part people (both number and skills) and also the recognition that breaches are unavoidable. It’s the way they are handled that matters – this is a mindset change.