Here we go again.
Just last week there have been more major data breaches and hacks. Those organizations include Marriott, the nation's largest hotel chain, Amazon, the nation's largest ecommerce company, Zoom, the nation's favorite web conferencing tool, and USPS, the nation's perennially-reliable* delivery agency.
Your inbox and the news is full of the steps you should take as an individual user in response to a data breach to ensure you limit your own blast radius. But what checks make sense for a business to take now that the awareness is sky-high? Even if you weren't immediately impacted, the ripple effects of news coverage are going to bleed their way onto your desk in the form of providing proof for your own assurance or at the request of a superior (who doesn't understand security or the time involved).
So what can you do? Here are 4 actions you should take right now, even if you weren't impacted:
*Tongue planted firmly in cheek
1 – Get a handle on your data and assets
You can only be confident in your data management if you have accounted for each bit – see what I did there? Assumptions are just vulnerabilities in disguise. You remember what happens when you assume? You have to know where all of your data is. Track it down. When it comes to malicious activities, hackers target those seemingly minor vulnerabilities.
It is also critical to understand your data lifecycle end to end. After you've collected your data, create a set of data flow maps. Focus initially on your critical data. Why data flow maps? Visualizing the relationships and flow can be a lightbulb for potential problems that would otherwise go unnoticed.
When it comes to digital resources, it's time you refresh your asset inventory. Ideally this is an automated process and you can just go in an do a fetch now to be certain everything seems in its place.
If you are thinking to yourself "an asset inventory would be a good idea," please give me a minute while I recover from a self-inflicted facepalm. An up-to-date asset inventory is critical to knowing the makeup of your digital environment. It is a very good idea. Don't have one? Go ahead and kiss your weekend goodbye.
2 – Do a gut check on your existing security controls
There is a good gut check for evaluating your security controls. It's not an exact science, but it is close. We'll take a personal security angle. Think about that Amazon data breach. What if someone had access to your recent search history or purchases? What if they share it with all of your friends? Is your skin beginning to crawl? Did your stomach lurch? If that's the case, then chances are your controls are weak. The same exercise works for your organization's controls.
Think about alerts. Do you ignore most of them? Maybe even all of them from one of your tools. Are there just so many false positives? If your alerts aren't configured properly or delivered to the right person, chances are strong that you suffer from alert fatigue. But when you hear about a breach, do you immediately jump into that unread pile [of alerts]? Do you sweat a little at the thought that you may have been notified earlier, but just ignored it? Fix your security controls, because in that slew of non-sense there is probably something legitimate that you need to resolve. If they are never valuable, save yourself the time and rethink that tool.
Security controls should leave you confident in your ability to quickly track down and remediate issues that occur. But even if you didn't get the sweats during our above exercise, avoid getting too comfortable. Just because you went through your HITRUST re-certification last month, it doesn't mean you should feel good now. If you had to cram to pass that means your day to day operation are full of holes and you are likely exposed to risk. It's best to be a skeptic.
3 – Implement MFA. Now.
Something as simple as enabling multi-factor authentication can shore up your security defensives. If someone on your team manages to enter their username and password to a mysterious "company sweepstakes" phishing attempt, MFA can bail them out with the extra step needed to successfully log into their account. It can be an extremely impactful, preventative measure when properly utilized – properly means don't send one-time access codes to your email. Ever.
MFA also isn't complex, making it an easy addition and a fundamental control every organization, even if it is just you, should put in place. It's your first line of defense and can be rolled out without busting the budget.
4 – Sign up for a bug bounty program. Today.
A public bug bounty program could be a job-saver when it comes to security operation. Unfortunately, most attackers don't publicly announce their successful breach. With a bug bounty program, you can pay a much smaller ransom to learn what they found. Maybe not the best word choice there.
These white hat hackers can proactively and responsibly inform you of any security findings before they become a breach. As an organization, we have found this is almost more valuable than typical once-a-year external penetration testing. If a bug bounty program isn't your cup of tea, at minimum include a responsible disclosure process.
Sorry we ruined your week's plans
Overwhelmed? Why does it take so much effort just to feel ok about what your operations are supposed to be doing every day? Why does it take so much time to provide evidence to someone who doesn't understand it anyway?
It's moments like these that help you realize that security operations are almost useless unless you can achieve security assurance. Security assurance is that confidence in knowing you could identify an intrusion or anomaly in your digital environment and take swift action. That ability to know what is going on. It's not going to help you now but there is an approach you can take next week that will.
So next week, after walking into the shower of applause that won't happen from all of those on your team that had no idea what you had to do this week, focus on these core themes for your security operations.
You'll thank us later.
Happy Security from JupiterOne