2014 Mega breaches: 5 key takeaways

This is the first in a series of blog posts concerning IT security and trends for 2015.

A new study by the Ponemon Institute outlines how the mega security breaches of 2014 are changing attitudes towards IT security.

The breaches affected the personal records and credit card information of more than 350 million people. The financial toll is estimated to be billions of dollars in cleanup expenses, fraud response costs, lost market valuation, reputation damage, lawsuits, and related expenses. IT managers face mega challenges as they try to protect data containing credit card information, financial transactions, and other personal information.

In this January 2015 study, 735 IT security practitioners were surveyed about the impact of the mega breaches on their budgets and compliance practices. Here are five key takeaways from the results.

1. More resources are allocated to preventing, detecting, and resolving data breaches.
61% of respondents say their budget for security increased by an average of 34%. 65% of respondents say the increased budget enabled investment in security technology to prevent and/or detect breaches.

The top five technology investments are:

  1. Security Incident & Event Management (SIEM) (50%).
  2. Endpoint security (48%).
  3. Intrusion detection and prevention (44%).
  4. Encryption and tokenization (38%).*
  5. Web application firewalls (37%).

Source: Ponemon Institute

2. Senior management level of concern about cyber defense has risen dramatically to 7.8.
Before the Target breach, the level was 5.7 out of ten. In addition, 55% of respondents rate senior management’s concern as extremely high. Prior to the Target breach, only 13% of respondents believed senior management was extremely concerned. Overall concern among C-level executives was up by about 37%.



3. Senior management realizes the need for a stronger cyber defense posture.
The majority of respondents (72%) reported that after the breaches, their companies provided tools and personnel to contain and minimize breaches. 67% say their organization made sure IT had the budget necessary to defend against breaches.

4. Companies have changed their operations and compliance processes.
60% of respondents say they made changes to operations and compliance processes to improve their ability to prevent and detect breaches.

5. Many companies fail to prevent the breach with the technology they currently have.
65% of respondents say that attacks evaded existing preventive security controls. 46% say the breach was discovered by accident.

*If you are considering solutions that ensure PCI compliance, the Black Box EncrypTight™ system provides multi-site WAN encryption at speeds up to 10-Gbps and across Layers 2-4. It also eliminates the hassles of creating and managing numerous VPN tunnels.


Simplify data protection with WAN encryption

A number of forces drive the need for increased data security, including protecting corporate information and trade secrets, government regulation, trade partner privacy agreements, and customer expectations. For example, in banking and finance, the payment card industry has very strict digital security standards to prevent credit card information from being stolen from the network. The healthcare industry has regulations, including HIPAA and HITECH, to ensure that sensitive personal health information is secure.

Current solution: the VPN tunnel
Many organizations don’t encrypt their data over the WAN because it’s traveling on a “safe” multiprotocol label switching (MPLS) network. Although MPLS networks provide more reliable connections than the Internet and aren’t as public, they cannot be counted upon to be private — they’re still vulnerable to attack. It is important to understand that VPNs and technologies such as MPLS are not encrypted by default, and so require additional security measures to protect data. Even if the network is “private” or “virtually private,” it is still subject to attacks. Data sent on MPLS networks is kept separate from other traffic, but it is not encrypted. What’s more interesting is that over the past few years, many MPLS carriers have merged their private WANs and Internet backbones, further reducing security in the process.

Breaking out of the tunnel
IPsec VPN tunnels are fairly simple to set up between only two points. However, when remote sites multiply, the number of tunnels increases exponentially. A tunnel is needed between each pair of sites (Fig. 1), leading to administrative hassles every time a remote site is added. EncrypTight™ eliminates the need to establish point-to-point tunnels between each pair of remote sites, freeing network administrators for other tasks. With EncrypTight, every site on your WAN can establish an instant encrypted connection to every other site equipped with an EncrypTight appliance.

Figure 1

How is EncrypTight different than a VPN?
The EncrypTight solution is based on group encryption in which the encryption keys are centrally generated and securely sent to the EncrypTight appliances. This enables you to manage policy and key distribution centrally instead of on a time-consuming, site-by-site basis, as is the case with VPNs. EncrypTight enables you to secure “data in motion” in a way that is transparent to network architectures and protocols. And, if you decide to migrate to the Internet from MPLS networks using EncrypTight, you don’t experience any service interruptions.

The truth about MPLS security

Organizations often use private networks such as MPLS service for data transfer because they offer clear advantages in speed, delay/jitter, and availability compared to the Internet.  As convenient as these networks are, however, they leave data vulnerable. Here are two myths of MPLS security:

Myth #1: “We use a private network” is often stated as the reason for not protecting data as it travels over third party networks.
Truth #1: MPLS isn’t really private. Organizations using a Multiprotocol Label Switching (MPLS) network may believe that encryption is not needed because the network is marketed as “private.” Because MPLS is really a shared network that mimics privacy by logically separating data with labels, the logical separation offered by MPLS isn’t secure and isn’t adequate for data protection. A “private” MPLS link actually traverses a network that also carries traffic from thousands of other users, including traffic from other carriers.

Myth #2: MPLS provides some level of security.
Truth #2: The truth is that MPLS offers no protection against misconfigurations. Human and machine errors as well as OS bugs can result in MPLS traffic being misrouted. It also doesn’t protect against attacks within the core. MPLS is vulnerable to all traditional WAN attack vectors. Additionally, there is no detection of sniffing/snooping. Think an alarm will go off when a high-tech hit man is stealing your data? Think again. This data is left in the clear and can be accessed, replicated, or used by anyone who gains access to it.
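To make the "labels are not encryption" point concrete, here is an added example (not from the original post or from any vendor) that parses the MPLS label stack of a packet and checks whether the IPv4 packet behind it is carried in IPsec ESP or in the clear, the kind of check you could run on a capture taken at your WAN edge. The packets, label values, addresses, payload and function names are all constructed for illustration.

```python
import struct

ESP = 50  # IP protocol number of IPsec ESP

def parse_mpls(frame: bytes):
    """Split an MPLS packet into its label stack and the payload behind it."""
    labels, off = [], 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated label stack")
        (entry,) = struct.unpack_from("!I", frame, off)
        off += 4
        # Entry layout: 20-bit label | 3-bit traffic class | 1-bit S | 8-bit TTL
        labels.append(entry >> 12)
        if (entry >> 8) & 1:  # S (bottom of stack) set: the payload starts here
            return labels, frame[off:]

def classify(frame: bytes):
    """Return (labels, verdict, bytes after the IPv4 header) for one packet."""
    labels, ip = parse_mpls(frame)
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return labels, "not-ipv4", b""
    header_len = (ip[0] & 0x0F) * 4
    # Protocol 50 only says ESP is present; the cipher is negotiated out of band.
    verdict = "esp" if ip[9] == ESP else "cleartext"
    return labels, verdict, ip[header_len:]

# --- constructed sample packets (not captured traffic) ---
def lse(label, s, ttl=254):
    """Build one 4-byte label stack entry (traffic class left at 0)."""
    return struct.pack("!I", (label << 12) | (s << 8) | ttl)

def ipv4(proto, body):
    # Minimal 20-byte header; checksum left at 0 because nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto,
                       0, bytes([10, 1, 0, 5]), bytes([10, 2, 0, 9])) + body

STACK = lse(16004, 0) + lse(301, 1)               # two-entry label stack
CLEAR = STACK + ipv4(6, b"cardholder=TEST-ONLY")  # stand-in for an unencrypted segment
ESP_PKT = STACK + ipv4(ESP, struct.pack("!II", 0x1001, 1) + bytes(range(16)))

if __name__ == "__main__":
    for name, pkt in (("cleartext site", CLEAR), ("ESP site", ESP_PKT)):
        labels, verdict, body = classify(pkt)
        print(name, labels, verdict, body[:24])
```

Both sample packets carry the same label stack; only the one wrapped in ESP hides its contents, which is why the labels alone say nothing about confidentiality.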


In the news: (more) security breaches

The ThreatStats section of the April 2012 issue of SC Magazine lists the top data breaches of the month. At the top of the list is Piedmont Behavioral Healthcare in Concord, NC with 50,000 records breached. The reason? An Alamance County employee mistakenly changed a lock on the facility that housed data servers with personal health information. Amazing how one simple mistake put the records of all those people at risk.

Next is the St. Joseph Health System in California with 31,800 records breached. It seems that protected patient information from several hospitals may have been available on the Internet for one year. Again, unbelievable!

The last one is Central Connecticut State University with 18,763 records breached. The reason listed is that a malware infestation exposed the information of current and former faculty, staff, and student workers.

Another staggering statistic is the total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005: 544,669,041!

SC Magazine lists the source of this information as the Privacy Rights Clearinghouse (data from a service provided by DataLossDB.org hosted by the Open Security Foundation).

Don’t add yourself to this list. To learn how you can prevent network breaches from unauthorized network connections and out-of-compliance devices, take a look at Black Box’s Veri-NAC®.

For easy WAN encryption with no VPN tunnels, take a look at EncrypTight®.

Why should I encrypt my data?

When news about e-mail marketer Epsilon’s data breach hit the streets, people were both surprised and concerned. How many other businesses out there have been using third-party sites to handle their customer information? The reality is that… it’s a lot. Given the global size of networks out there today, companies are forced to utilize third-party carriers. In doing so, these third-party service vendors introduce additional vulnerabilities.

Even if third party vendors aren’t used, more and more organizations are using the Internet to send data to branch offices. Authentication is critical, but many companies don’t encrypt their data because it’s traveling on a “safe” MPLS network. Although MPLS networks provide more reliable connections than the Internet and aren’t as public, you can’t put all your eggs in the MPLS basket.

When vendors say MPLS is secure, what they mean is that the traffic is kept separate from other traffic. Separate data is not the same as data security, and separate traffic is even easier for hackers to attack. The vendor might have processes in place to prevent unauthorized data snooping, and tell you that their employees probably aren’t going to snoop either. In fact, your data probably won’t be stolen on an MPLS network, but you have no way of being sure and no way to tell if your data has been breached.

The only way to ensure data security over an MPLS network is by encrypting data as it travels across the WAN. This is accomplished through a traditional IPsec VPN. Although this approach is fairly simple to set up between only two points, when remote sites multiply, the number of tunnels increases exponentially. A tunnel is needed between each pair of sites, leading to administrative hassles every time a remote site is added. With growth comes the addition of personnel, router, and restructuring costs, not to mention a lag in network performance.
