The Top 5 Myths of Data Breaches

TABLE OF CONTENTS
01 Executive Summary
02 Who and What Is at Risk?
03 The 5 Myths
04 Conclusion

01 Executive Summary

We live in the age of the data breach. From every newspaper and on every newscast we hear about yet another breach of a computer network resulting in the theft of confidential or sensitive information. Even the media outlets themselves have become targets of these attacks and data breaches.

Within the security industry, and in society in general, we are in a constant search for a solution to this problem. However, many in the security industry have become so disillusioned by failure that they have adopted the opinion that a breach is inevitable and that the primary focus should be on detection and response rather than prevention. In truth, there is no single, simple answer, and giving up is not a viable alternative. The fact that there are no easy answers does not mean we have to accept defeat. One of the first steps is to recognize that many widely promoted opinions about the causes of breaches and the failures of technology are actually myths. These myths obscure a clear path to increased security and better risk management. Debunking them is an important step toward improving the effectiveness of our defenses against future breach attempts. This paper exposes five of the biggest myths about data breaches and explains how and why breaches actually occur.

02 Who and What Is at Risk?

Who is a target of all of these attacks? In a word, you. Targets can literally be anyone and everyone. Some breaches have nation-state strategic motivations. Others may be politically or financially motivated. Other targets are just low-hanging fruit.
As more than one attacker has said when asked why they attacked a particular target: "because they could." These attacks are like a thief walking down a hotel hallway checking doorknobs; he is looking for the open one, and the room with the open door becomes his next victim. According to the Verizon Data Breach Investigations Report, breach victims were overwhelmingly targets of opportunity. They were not targeted because of who they were or what they had; they were just easy to break into.

Depending on your industry vertical, it is more likely than not that you have already been the victim of a data breach. The costs are staggering as well. In many cases the cost of a breach is enough to put the victim out of business. Large public companies have lost tens to hundreds of millions of dollars. But large companies are not the only targets. Midsize and small businesses are often targeted precisely because they are a "softer target." No organization is immune from attack.

For many organizations the question should not be "what is the cost of securing my network?" but rather "what is the cost of not securing it?" A first step in that direction is understanding the real risk involved and peeling the fiction away from the facts. This paper begins that process by exposing what we believe are the five biggest myths of data breaches.

03 The Top 5 Myths of Data Breaches

MYTH #1: Most threats and attacks are very sophisticated.

With today's advanced persistent threats, zero-day exploits and sophisticated targeted attacks, it has become fashionable to throw up our hands and feel helpless against these new classes of attack. Some security professionals argue that we will not be able to stop such attacks and should plan for what to do when they happen rather than trying to stop them.
While there is no doubt that stopping these attacks is very difficult, the fact is that the breaches themselves are usually not all that difficult. For all of our talk about threat sophistication, most breaches could have been stopped with simple, readily available controls. The numbers are overwhelming: for every genuine zero-day attack there are 80 or more attacks and breaches that used a known vulnerability and a known attack vector. The idea that we lack the technology or technique to stop most attacks is a myth. Again, according to the most recent Verizon Data Breach Investigations Report, most victims were targets because they were available, not because of who they were or what they had to offer the attackers.

Even in the new advanced, sophisticated attacks, it is usually a low-level vector that lets the attackers deliver their sophisticated payloads. In most Advanced Persistent Threat (APT) cases we see spear phishing or some other form of social engineering used to gain an initial foothold in the network. Once inside, the attackers probe for how and where they can extend their access, sometimes with more advanced techniques, but again they are looking for misconfigurations, unpatched systems and the like. Even vaunted custom malware such as Stuxnet was introduced via a USB drive, and delivering malware on a USB drive is hardly sophisticated or new. It is believed that the US Department of Defense suffered a breach years ago through USB thumb drives that carried malware onto its systems.

The lesson of this myth is: do not become an easy victim of opportunity. Most data breaches succeed not because of some new, highly sophisticated form of attack, but because the attackers found an easy, simple point of entry that let them deliver their payloads and complete the breach.
And even if step one succeeds, basic access controls in the network can often prevent further damage and raise visibility of the breach. Hiding behind new sophisticated threats as an excuse not to remain vigilant and implement best practices is a losing proposition. While there are new forms of hacking and attack, sophistication is not the reason for a breach in most cases. Most breach attempts are thwarted fairly easily by simple and mid-level controls.

MYTH #2: Network controls are useless since all attacks now are layer 7 attacks.

Oh, how the web application security vendors would love us to believe this one. However, it is another myth. While many attack attempts arrive over port 80 (or 443), that does not mean existing network security technologies cannot be used to block them. A firewall, for example, can still stop attacks even with port 80 and other common ports open to the world: blocking by IP, whitelisting source IPs for administrative and back-end services, and other firewall configuration management tactics block many application-layer attacks despite the popular myth to the contrary. The caveat is that a public web server must accept connections from anyone, so source-IP filtering does little for the front door itself; where network controls bite is on everything behind it. A web exploit is only the first step, and the attacker's next moves (reaching the database, pivoting to other hosts, calling back out to a command-and-control server) are ordinary network flows that a tight rule base can deny.

Another method of stopping layer 7 attacks is to understand the path an attack would take to reach critical assets. A tool such as FireMon Risk Analyzer can help you visualize these potential attack paths and which controls would block them. The important thing to remember about layer 7 attacks is that the traffic still traverses your network, so network-based controls and defenses can still affect them. Yes, application-specific defenses such as NGFWs, WAFs and other layer 7 defenses are effective against these attacks (assuming they are properly configured), but if you do not have the budget for these luxuries there is no need to throw in the towel; there is still much you can do.
Tightening your network controls and doing all you can to avoid misconfigurations is a viable and surprisingly effective strategy.

MYTH #3: My technology is slow, old and obsolete (or all of the above).

This may be the single biggest myth in IT, let alone in security and risk. How many times have we heard "my computer did not function properly"? Other flavors of this myth include "my technology was too slow, too old and out of date." In security specifically, we live in a world of "next gen." If there is a next-gen tool in a particular category, it is obviously better and makes the previous generation obsolete, or so the myth goes. We hear about a successful attack and immediately think we need a new tool or a new technology to stop it.

We do not think much about why our present technology did not prevent or stop this new attack. Was it really a case of the technology being incapable of thwarting it? More often than not, an examination of the facts shows that the technology deployed could have protected you but was misconfigured. Misconfiguration is far more likely to be the reason for a data breach than obsolete technology. A misconfiguration could be a firewall rule allowing traffic to or from a specific IP, or over a port that should have been closed; misconfigured network settings are a major source of data breaches. It could be a permissions problem: who has permission to access which files and assets on the network? It could be a setting on a server, such as file permissions set incorrectly. Or it could be a setting on an endpoint that kept a patch or remediation from being applied, something as simple as automatic updates not being turned on, so a new patch never arrived.
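A concrete way to act on Myth #2 and Myth #3 together, as an added example written for this edit (it is not FireMon code; the rule base, hosts and addresses are constructed from TEST-NET-3 and RFC 1918 ranges, and the first-match model and path search are simplified versions of what a commercial rule analyser does): audit a rule base for the misconfigurations just described, then search for a path from an outside address to the database, before and after tightening the rules.

```python
# Audit a firewall rule base and search for an attack path to a critical asset.
# Added example, not FireMon code: the rules, hosts and addresses are constructed
# (TEST-NET-3 and RFC 1918 ranges) and the first-match model is simplified.
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str         # "tcp", "udp" or "any"
    dport: int | None  # None means every port
    action: str        # "allow" or "deny"

def rule(name, src, dst, proto, dport, action="allow") -> Rule:
    return Rule(name, ip_network(src), ip_network(dst), proto, dport, action)

def first_match(rules, src_ip, dst_ip, proto, dport) -> Rule | None:
    """First rule whose fields cover the flow decides it; no match is the implicit deny."""
    for r in rules:
        if (src_ip in r.src and dst_ip in r.dst
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r
    return None

def is_allowed(rules, src_ip, dst_ip, proto, dport) -> bool:
    r = first_match(rules, ip_address(src_ip), ip_address(dst_ip), proto, dport)
    return r is not None and r.action == "allow"

def shadows(earlier: Rule, later: Rule) -> bool:
    """True when every flow `later` could match is already decided by `earlier`."""
    return (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
            and earlier.proto in ("any", later.proto)
            and earlier.dport in (None, later.dport))

def find_misconfigurations(rules, internal_nets) -> list[str]:
    """Flag allow rules for every protocol and port, "any" sources allowed into an
    internal zone, and rules that never fire because an earlier rule covers them."""
    internal = [ip_network(n) for n in internal_nets]
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.proto == "any" and r.dport is None:
            findings.append(f"{r.name}: every protocol and port from {r.src} to {r.dst}")
        if r.action == "allow" and r.src == ANY and any(r.dst.overlaps(n) for n in internal):
            findings.append(f"{r.name}: any source may reach internal {r.dst} on "
                            f"{r.proto}/{'any' if r.dport is None else r.dport}")
        for earlier in rules[:i]:
            if shadows(earlier, r):
                findings.append(f"{r.name}: shadowed by {earlier.name}, never matches")
                break
    return findings

def attack_path(rules, services, attacker_ip, target_ip) -> list[str] | None:
    """Breadth-first search over hosts: a hop exists when the rule base lets the
    current host (assumed compromised) reach a service listening on the next one."""
    start, target = str(ip_address(attacker_ip)), str(ip_address(target_ip))
    queue, seen = deque([(start, [start])]), {start}
    while queue:
        cur, hops = queue.popleft()
        for nxt, listening in services.items():
            if nxt in seen:
                continue
            for proto, port in listening:
                if is_allowed(rules, cur, nxt, proto, port):
                    path = hops + [f"{nxt} {proto}/{port}"]
                    if nxt == target:
                        return path
                    seen.add(nxt)
                    queue.append((nxt, path))
                    break
    return None

# Constructed network: a DMZ web server and an internal database server.
SERVICES = {"10.0.10.5": [("tcp", 80)], "10.0.20.5": [("tcp", 3306), ("tcp", 22)]}
INTERNAL = ["10.0.20.0/24"]

# Before: a "temporary" DMZ-to-internal any/any rule that was never removed, the
# narrower database rule it shadows, and SSH management open to the world.
WEAK = [
    rule("allow-web", "0.0.0.0/0", "10.0.10.0/24", "tcp", 80),
    rule("dmz-to-internal", "10.0.10.0/24", "10.0.20.0/24", "any", None),
    rule("db-from-app", "10.0.10.5/32", "10.0.20.5/32", "tcp", 3306),
    rule("mgmt-ssh", "0.0.0.0/0", "10.0.20.0/24", "tcp", 22),
    rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]
# After: only the app host reaches the database, only on its port; SSH only from management.
HARDENED = [
    rule("allow-web", "0.0.0.0/0", "10.0.10.0/24", "tcp", 80),
    rule("db-from-app", "10.0.10.5/32", "10.0.20.5/32", "tcp", 3306),
    rule("mgmt-ssh", "10.0.99.0/24", "10.0.20.0/24", "tcp", 22),
    rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]
```

On the weak rule base the audit reports three findings and the outside address reaches the database directly over tcp/22. On the hardened one the audit is clean and the only remaining path runs through the web server on tcp/80 and then to the database on tcp/3306, which is exactly the path that the application and its layer 7 defenses must cover. That residual path is the point of the exercise: network controls do not remove the need for application-layer defenses, but they shrink the set of paths those defenses have to win on.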
Again, the Verizon Data Breach Investigations Report and other breach studies show that sensible low- and mid-level controls, together with proper configuration of existing security technology, are adequate to stop the overwhelming majority of attacks. Human error is responsible for many times more data breaches than older technology. That is not to say technology never becomes obsolete. Of course it does, and sometimes that is the cause. For instance, trying to keep Windows XP systems running after Microsoft discontinued support leaves you exposed to vulnerabilities that will never be patched. But that situation is far rarer than a simple misconfiguration. Before blaming the technology, take a good look in the mirror and make sure that your perimeter devices, network, servers and endpoints are all configured correctly.

MYTH #4: It's impossible to prevent breaches; I should just concentrate on response.

There is a very prevalent trend in the security industry that says data breaches and security incidents are unstoppable. Instead of putting resources into preventing a data breach, the tendency is to put them into incident discovery and breach response. As the American general at the Battle of the Bulge replied when asked to surrender: "Nuts!" Giving up on stopping data breaches is not, and never will be, a successful strategy. One hundred percent prevention may not be possible, but that does not mean it is not a worthy goal or that you should not try. The consequence of redirecting significant resources away from prevention toward response is that more breaches will occur, which in turn demands even more time and effort on detection and response.

Risk management means managing to an acceptable level of risk. That may mean not spending more on prevention than the risk warrants, but it does not mean full-scale surrender. There is obviously a balance to be struck. We do need to discover security breaches as fast as possible.
We do need a well-thought-out plan to respond to data breaches. But let us be very clear: the balance must tip in favor of stopping data breaches wherever it is possible and reasonable to do so. If you take some basic steps to harden your systems, you can greatly reduce your risk of a breach. According to the latest Verizon Data Breach Investigations Report, attacks are overwhelmingly opportunistic, meaning they were carried out because the target was easy and available, not because of some strategic initiative. So taking reasonable measures to avoid becoming the victim of an opportunistic attack, and thwarting low-difficulty attacks, can decrease your likelihood of becoming a data breach victim considerably. Given that, it seems ludicrous to throw up your hands in defeat.

MYTH #5: If I keep my systems patched, I can prevent all breaches.

If only this were true, what a simpler world it would be. The "I can patch everything, can't I?" approach fails on several fronts. First, just staying on top of all the patches released for the software you run is a daunting task. In most organizations you do not simply apply a patch the moment it comes out. There is a quality assurance process in which the patch is tested to make sure it does not break something else. By the time a new patch is tested and ready to roll out system-wide, there is already another patch that must be tested and rolled out as well. While this may be a great form of job security, it is also like living on a hamster wheel: no matter how fast you run, the sheer volume of patches keeps you spinning.

The other side of this dilemma is that all of these patches are driven by the discovery of vulnerabilities. So while a good chunk of your resources is tasked with testing and rolling out patches, another part of the team is out scanning and testing for vulnerabilities. And scanning for vulnerabilities is not as easy as it used to be either.
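One reason scanning is harder than it used to be is that a scan only tells you about the assets it could reach on the day it ran. As an added illustration (example code written for this edit, not FireMon's; the asset names, dates, the "vpn-client" product and its version numbers are all constructed), the script below reconciles an asset inventory against the latest scan results and separates three different gaps: assets the scanner never saw and why, assets whose last scan is too old to say anything about recent patches, and assets that were scanned and are still behind the baseline.

```python
# Reconcile an asset inventory with vulnerability-scan results to find what the
# scan missed.  Added example, not from this paper or any scanner product: the
# assets, dates, product name and version numbers below are constructed.
from __future__ import annotations

from datetime import date, timedelta

# Asset inventory (CMDB, VPN or NAC logs): when each asset was last seen on the
# network.  Laptops come and go; servers are always there.
INVENTORY = [
    {"asset": "web-01", "kind": "server", "last_seen": date(2024, 3, 12)},
    {"asset": "db-01", "kind": "server", "last_seen": date(2024, 3, 12)},
    {"asset": "lt-alice", "kind": "laptop", "last_seen": date(2024, 3, 5)},
    {"asset": "lt-bob", "kind": "laptop", "last_seen": date(2024, 3, 11)},
    {"asset": "app-02", "kind": "server", "last_seen": date(2024, 3, 12)},
]

# Latest scan record per asset: when it was scanned and what versions it reported.
SCANS = [
    {"asset": "web-01", "scanned": date(2024, 3, 11), "software": {"vpn-client": "2.4.1"}},
    {"asset": "db-01", "scanned": date(2024, 3, 11), "software": {"vpn-client": "2.3.9"}},
    {"asset": "lt-bob", "scanned": date(2024, 2, 10), "software": {"vpn-client": "2.3.0"}},
]

# Patch baseline: product -> (minimum acceptable version, date that fix shipped).
BASELINE = {"vpn-client": ("2.4.1", date(2024, 3, 1))}

SCAN_RUN = date(2024, 3, 11)  # when the latest sweep ran
TODAY = date(2024, 3, 13)

def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; tuples compare correctly, so 2.10.0 > 2.9.7."""
    return tuple(int(part) for part in v.split("."))

def reconcile(inventory, scans, baseline, scan_run, today, max_scan_age_days=30):
    """Classify every inventoried asset: never scanned (and why), scanned too long
    ago to say anything about recent patches, or scanned and still behind."""
    latest = {s["asset"]: s for s in scans}
    newest_fix = max(shipped for _, shipped in baseline.values())
    report = {"never_scanned": [], "stale_scan": [], "behind": []}
    for a in inventory:
        s = latest.get(a["asset"])
        if s is None:
            # Off-network assets are a coverage problem; on-network ones a scope problem.
            why = (f"off network since {a['last_seen']}" if a["last_seen"] < scan_run
                   else "on network but not scanned")
            report["never_scanned"].append((a["asset"], why))
            continue
        # A scan older than the window, or older than the newest fix you care
        # about, cannot tell you whether that fix was applied.
        if (today - s["scanned"] > timedelta(days=max_scan_age_days)
                or s["scanned"] < newest_fix):
            report["stale_scan"].append(a["asset"])
        for product, (min_ver, _) in baseline.items():
            have = s["software"].get(product)
            if have is not None and parse_version(have) < parse_version(min_ver):
                report["behind"].append((a["asset"], product, have, min_ver))
    return report

def example_report():
    return reconcile(INVENTORY, SCANS, BASELINE, SCAN_RUN, TODAY)
```

Run on the constructed data, the laptop that left the network before the sweep shows up as never scanned, the server that was on the network but outside the scanner's scope shows up separately, and the laptop last scanned in February is flagged as stale even though it also appears in the behind list: its old version may or may not still be installed, and only a fresh scan can tell you.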
With so many mobile and remote devices, assets are not always on the network when you run your vulnerability scan. Tracking, scanning and testing for vulnerabilities can be a bigger job than patching. Between the two, you can rest assured that a substantial amount of your budget and resources will be sunk.

The news only gets worse. Even if you dedicate the necessary resources and run a tight vulnerability management and patching operation, it offers no protection against a zero-day attack for which no patch yet exists. So even doing all of the above does not guarantee immunity from a data breach. Finally, remember that even without a zero-day, and even if you stay on top of vulnerability management and patching, the weakest link in your defense still sits behind the keyboard. An employee socially engineered into giving up a password or installing malware on a device can make all of your hard work and effort count for naught. So while patching and scanning are a form of job security for some, and at the very least will keep you busy, they are not a cure for data breaches.

04 Conclusion

Stopping data breaches entirely, while a worthy goal, is probably not possible. However, data breaches are by and large acts of opportunity. Understanding how they occur, and separating the truth from the myths, makes your chances of being the next victim much lower. Insight into the state of your network, and implementing even basic controls and management, can decrease the likelihood that your network will be breached. Using security management to manage firewall rules and network security policies, along with a risk management solution, are some of the best precautions you can take to thwart would-be intruders. Implementing a comprehensive security strategy, with policy, process and technology in place, gives you a better chance not only to stop breaches but to be aware of attempted breaches as well.
Following these best practices, and doing everything you can to make sure your network and device settings are configured properly, will go a long way toward reducing your risk. After spending huge sums of money on defensive technologies, it makes economic and security sense to ensure they are configured effectively. A regular security awareness training program for your employees is a big help as well.

One of the best things you can do is adopt a better attitude toward preventing a data breach. You can make a difference. Do not blame the technology you have. Do not assume the threat and the enemy are so advanced that it is useless even to try. Work smarter, if not harder. You cannot stop data breaches entirely, but by cutting through some of the myths surrounding them you can harden your defenses and make your organization much less likely to be the next victim.

For more information on FireMon's complete product portfolio, please visit the company's website at www.firemon.com or email FireMon at [email protected].

Learn more about our solutions: www.firemon.com
8400 W. 110th Street, Suite 500, Overland Park, KS 66210 USA