Practical IT: Key Takeaways from the New York Times Breach
Last week, we all woke to the New York Times announcing that it had been the victim of an ongoing attack by Chinese hackers, resulting in the accounts of several reporters being compromised. The article described details of the breach, including four months of network intrusion, inappropriate access to key reporters' emails, and the hackers obtaining the login and password credentials of every single NYT employee. It then recounted details of the investigation in what has evolved into a very public case study on the challenge of protecting an enterprise given the inherent limitations of antivirus technology.
The question has loomed for some time about the real-world effectiveness of antivirus-based endpoint technologies and their complementary "next generation" adaptations. But in this case, it may finally be decided beyond a shadow of a doubt: antivirus is simply not equipped to address today's attacks against businesses.
Is your business safe from malware with this dated approach to systems and data security?
Relying on solutions like antivirus, which is generally 30-50 percent effective, is simply not acceptable. Instead, as security professionals we need to say that "enough is enough," and proactively seek out solutions that are more sophisticated.
Few businesses will actually be a victim of the advanced persistent threat (APT) bogeyman, but there is overwhelming evidence that their chances of becoming a victim of a targeted attack are growing with each day. This incident illustrates with a degree of certainty that antivirus is ineffective at protecting users, data, and the cloud. Without real-time detection and analytics, we cannot reach true, consistent security effectiveness. We need to continue to work to expose this truth that still seems hidden to many of our peers.
What are the next steps? What do we take away from this that makes our jobs less risky? As a fellow security professional, if you are charged with protecting your company's systems and data, I would examine the following:
Evaluate the effectiveness of the solutions in place
Test your policies, practices and solutions in your environment to get an understanding of how effective they really are. Use red team exercises with your brightest minds donning the blackest hats to crack your network. Penetration testing, social engineering and application testing should be combined with a thorough internal/external policy and practice review to maximize the test's effectiveness, and the findings should drive countermeasures and remedies that mitigate any exposed risk. Remember, like an Olympic athlete, it's practice, practice, execute. Just because the Olympics are held every four years doesn't mean those athletes aren't honing their skills in preparation every day prior.
Take a look at the percentage of budget you currently have allocated to dated technologies. If you have a large investment dedicated to ineffective solutions, it may be time to integrate or replace them with more sophisticated tools geared toward today's evolving threat landscape. This seems like a given, right? Except you may have inherited this budget line and solution when you moved into the position. Oftentimes these things are passed along to successors, and too infrequently do we stop to scrutinize them.
Assess your risk and investigate inbound email sandboxing
Checking the safety of an emailed link not just as it enters the mailbox, but also at the moment a user clicks on it, will pay off in the end. This protects against a newer phishing tactic created by cybercriminals to evade the delivery-time URL lookup built into some email security solutions. The bad guys send their targets an email containing a brand new URL, or a clean but compromised one. Once the lure is sitting in the inbox, they inject malicious code into the website after delivery, so the link that scanned clean on arrival is dangerous by the time it is clicked. No one said the bad guys weren't ingenious. Many of them know security solutions as well as, if not better than, we do.
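As an added example (not code from the article), here is the time-of-click check in Python: links are rewritten at delivery to pass through a hypothetical redirector, and the reputation verdict is recomputed when the user actually clicks. The reputation feed and the URLs are constructed to model the tactic above: clean at delivery, poisoned afterwards.

```python
"""Time-of-click URL checking (illustration; not the article's or any vendor's code).

Assumes a constructed reputation feed, REPUTATION_AT, whose verdict for a URL
changes between delivery (t=0) and the click (t=1), as in the tactic above."""
import re
from urllib.parse import quote, urlparse, parse_qs

# Constructed feed: time step -> set of URLs known to be malicious at that time.
REPUTATION_AT = {0: set(), 1: {"http://example.invalid/newsletter"}}

REDIRECTOR = "https://clickcheck.example.invalid/?u="  # hypothetical endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_malicious(url: str, t: int) -> bool:
    return url in REPUTATION_AT.get(t, set())

def scan_at_delivery(body: str, t: int = 0) -> list[str]:
    """Delivery-time scan: URLs flagged as the mail arrives (misses later poisoning)."""
    return [u for u in URL_RE.findall(body) if is_malicious(u, t)]

def rewrite_links(body: str) -> str:
    """Wrap every link so that a click goes through the redirector first."""
    return URL_RE.sub(lambda m: REDIRECTOR + quote(m.group(0), safe=""), body)

def handle_click(wrapped: str, t: int) -> tuple[str, str]:
    """Click-time check: re-evaluate the original URL at the moment of the click."""
    original = parse_qs(urlparse(wrapped).query)["u"][0]  # parse_qs percent-decodes
    return ("block" if is_malicious(original, t) else "allow", original)

def demo() -> dict:
    """Constructed mail: clean at delivery, poisoned by the time the user clicks."""
    body = "Read this: http://example.invalid/newsletter today"
    flagged_at_delivery = scan_at_delivery(body, t=0)   # nothing flagged, mail delivered
    wrapped = URL_RE.findall(rewrite_links(body))[0]    # link now points at redirector
    verdict, _ = handle_click(wrapped, t=1)             # re-check at click time
    return {"flagged_at_delivery": flagged_at_delivery, "click_verdict": verdict}
```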
Inspect your web traffic in real-time
You need to protect users in multiple ways. Even if you have inbound email sandboxing for your corporate email, some users might click on a malicious link through their personal Gmail account and be directed to a malicious site. In that case, your corporate email spear-phishing protection never sees the traffic, and the end result is that your network is compromised. We must stop malicious URLs from even reaching users by catching them at the gateway. Email and web security must work in unison. The bottom line is that your web security gateway needs to be intelligent, analyze content in real time, and be effective at stopping both inbound and outbound malware.
It's not just about technology
You are only as strong as your weakest link. The human element is incredibly important to your security posture. Many CSOs I've spoken with are adopting employee testing programs and conducting this training on an ongoing basis. The result isn't really just employee education or security awareness - it's behavior modification. By doing this, we are both reducing the likelihood of employees creating a risk incident and using technology to reduce or eliminate employees' and users' risk profiles.