6 things we learned from this year's security breaches

According to the Open Security Foundation, three of the four largest security breaches of all time had happened this year as of October. They include 173 million records from the New York City Taxi and Limousine Commission, 145 million records at eBay, and 104 million records from the Korea Credit Bureau. And that doesn't count the 1.2 billion usernames and passwords reportedly stolen by Russian hackers, or the 220 million records recently discovered to have been stolen from gaming websites in South Korea.

2014 is on track to replace 2013 as the record year for the most exposed records, according to the Open Security Foundation and Richmond, Va.-based Risk Based Security.

If we learn from our mistakes, this should be a landmark year for security education.

Here are some lessons.

1. It's time to take staffing seriously

The biggest security hole in information security might not be technical at all.

“About 40 percent of security roles were vacant in 2014,” said Jacob West, CTO of HP's Enterprise Security Products. “When you look at senior security roles, the vacancy rate is nearly 49 percent. No matter what technology we use, no matter how hard we work to secure our systems, if we go into this war with almost half of our army unmanned, we are going to see our adversaries succeed.”

West was referring to a study published this spring by the Ponemon Institute and sponsored by HP, which also showed that 70 percent of respondents said that their security organizations were understaffed. The chief reason? According to 43 percent of respondents, the organizations weren't offering competitive salaries.


Companies may want to reconsider their security staffing budgets in the wake of another Ponemon study, sponsored by IBM and published in May, which showed that the average total cost of a data breach increased 15 percent to $3.5 million, and the average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent, from $136 in 2013 to $145 in this year’s study.

2. Know your code

Over the past 10 years, many organizations have adopted software security best practices, building in security at a fundamental level.

However, that only applies to code they write themselves.

“One of the big points that was really brought to light this year -- and vulnerabilities like Shellshock and Heartbleed really made this point -- is that enterprises don't write the majority of software themselves,” said HP's West. “Software is in fact composed rather than written. We take commercial components and open source components and build a little bit of proprietary on top of that.”

As a result, some enterprises spent weeks -- even months -- trying to inventory their systems and figure out where they were using vulnerable versions of SSL.

Organizations need to start with a thorough understanding of what applications they're using, where and how they're using them, and their relative importance. Automated scanning systems might help with some of this, but at the end of the day, “the rubber has to hit the road,” West said. “It takes human effort.”
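The inventory problem West describes is concrete enough to script. The following is an added example, not code from the article or from HP: it takes the kind of per-host `openssl version` output you might collect across a fleet (the inventory lines below are constructed, not real hosts) and flags the builds affected by Heartbleed (CVE-2014-0160), which is present in OpenSSL 1.0.1 through 1.0.1f and in the 1.0.2-beta1 pre-release. Anything it cannot parse is reported as unknown rather than silently passed, because that is exactly where the human effort has to go.

```python
import re
from typing import Optional, List, Tuple

# Constructed sample inventory: "<host> <library version string>" per line,
# as gathered by running `openssl version` on each host. Not real systems.
SAMPLE_INVENTORY = """\
web01   OpenSSL 1.0.1e 11 Feb 2013
web02   OpenSSL 1.0.1g 7 Apr 2014
db01    OpenSSL 0.9.8y 5 Feb 2013
lb01    OpenSSL 1.0.2-beta1 24 Feb 2014
vpn01   OpenSSL 1.0.1f 6 Jan 2014
build01 LibreSSL 2.0.0
"""

# OpenSSL version strings look like "1.0.1e" (base + patch letter) or
# "1.0.2-beta1" (base + pre-release tag).
VERSION_RE = re.compile(
    r"OpenSSL\s+(?P<ver>\d+\.\d+\.\d+)(?P<patch>[a-z]*)(?P<pre>-(?:beta|pre)\d+)?"
)


def heartbleed_affected(version: str, patch: str, pre: Optional[str]) -> bool:
    """True if this OpenSSL build ships the Heartbleed bug.

    Affected: 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1.
    Fixed in 1.0.1g and 1.0.2-beta2. The 0.9.8 and 1.0.0 branches never
    contained the TLS heartbeat extension, so they are not affected.
    """
    if version == "1.0.1":
        return patch == "" or (len(patch) == 1 and patch <= "f")
    if version == "1.0.2":
        return pre == "-beta1"
    return False


def classify_line(line: str) -> Tuple[str, str, str]:
    """Return (host, version_seen, status) for one inventory line.

    status is 'vulnerable', 'ok', or 'unknown' (unparsable: a person has to
    look at this host, it must not be treated as clean).
    """
    parts = line.split(None, 1)
    host = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    m = VERSION_RE.match(rest)
    if not m:
        return host, rest.strip(), "unknown"
    seen = m.group("ver") + m.group("patch") + (m.group("pre") or "")
    vulnerable = heartbleed_affected(m.group("ver"), m.group("patch"), m.group("pre"))
    return host, seen, "vulnerable" if vulnerable else "ok"


def audit(inventory_text: str) -> List[Tuple[str, str, str]]:
    """Classify every non-empty line of the inventory."""
    return [classify_line(line) for line in inventory_text.splitlines() if line.strip()]


def hosts_needing_action(inventory_text: str) -> List[str]:
    """Hosts that are either confirmed vulnerable or could not be classified."""
    return [host for host, _, status in audit(inventory_text) if status != "ok"]


if __name__ == "__main__":
    for host, seen, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {seen:14} {status}")
    print("needs action:", ", ".join(hosts_needing_action(SAMPLE_INVENTORY)))
```

Note that the version string alone is not the whole story: distributions backport fixes without bumping the upstream version, so a "vulnerable" hit from this script is a lead to confirm against the package changelog or with a heartbeat probe, not a verdict. The "unknown" bucket (here the LibreSSL host) is the list the scanner cannot close for you.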

3. Pen tests are lies

Penetration tests are a common part of security audits. In fact, they're required under the Payment Card Industry Data Security Standard.

“Every company that has been breached had a penetration test report saying that people couldn't get in -- or that if they could get in, it didn't matter,” said J.J. Thompson, CEO of Rook Security, a penetration testing firm in Indianapolis.

So why aren't penetration tests exposing potential security holes so that companies can fix them?

“It's simple,” Thompson said. “Penetration test reports are generally lies.”

Or, to put it less bluntly, penetration testers are far more constrained in what they can and cannot do than actual hackers are.

“You can't impersonate someone, because that's not how we do things here,” Thompson said. “You can't build a Facebook profile, because that's too outrageous for the related phishing site.”

Actual hackers – who are already breaking the law anyway, by hacking into a company – might not be averse to breaking other laws, as well. A white hat security firm might be less willing to, say, get into a company by going after the systems of its customers or vendors. Or impersonate government officials, or damage equipment, or hijack actual social media accounts owned by friends or family members of company employees.

4. Physical security, meet cybersecurity

Agents of a foreign group recently went after an organization on the East Coast, circumventing firewalls, extracting data on its leadership, and getting information about upcoming events – and the facilities where those events would be taking place.

“Authorities believed it was part of the pre-operational planning of the group,” said John Cohen, who until recently was the anti-terrorism coordinator and acting undersecretary for intelligence and analysis at the Department of Homeland Security.

“There's a blending together of physical security and cybersecurity,” said Cohen, who is now the chief strategy adviser at Frisco, Texas-based security vendor Encryptics LLC.

It can go the other way, too, with a physical break-in opening the way to digital theft via compromised equipment.

Enterprise security has to become more holistic. The thief who broke into a field office may have been looking for electronics that are easy to fence, or they may have planted a keylogger.

5. Plan for failure, Part 1

If you knew for certain that hackers were going to get into your systems, what would you do differently?

After this year's high-profile breaches, a lot of people are asking themselves that question, and starting to look at security differently.


“The way I look at it, and the way the people I talk to day to day look at it, there has been a switch in mindset,” said Scott Barlow, chair of CompTIA's IT Security Community and vice president of product management at Boston-based Reflexion Networks, Inc. “Enterprises are assuming their data will be exposed, or has already been exposed, and they are taking steps.”


Those steps include encrypting data on employee desktops, in file servers, even email.

And a process called tokenization replaces card numbers with randomly generated codes, or tokens, before they even leave the point-of-sale device. Only the payment processor knows the real number; the retailer gets the token, which is completely worthless to any hacker who breaks into their systems.
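The following is an added example, not code from the article or from any processor named in it, showing the split the paragraph describes: the processor side holds the only mapping from token to card number (PAN), and the merchant side stores nothing but the token and the last four digits. The class and method names are assumptions for illustration, and the card numbers used are the well-known Luhn-valid test numbers, not real accounts. The property worth checking is that a dump of everything the merchant stores never contains a PAN, and that a token is random rather than derived from the PAN (a hash of a 16-digit number with a known prefix is cheap to brute-force, so it would not be worthless to an attacker).

```python
import json
import secrets
from typing import Dict, List


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used by card numbers; rejects typos before tokenizing."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PaymentProcessor:
    """Processor side (assumed design): the only component that ever stores a PAN."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}   # token -> PAN; never leaves the processor

    def tokenize(self, pan: str) -> str:
        """Issue a fresh random token for a PAN. The token carries no information
        about the PAN: it is 128 random bits, not a hash or an encryption of it."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._vault:       # vanishingly unlikely, but never reuse
                break
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Authorize against the card behind a token. The PAN is resolved here
        and is not returned to the caller."""
        pan = self._vault.get(token)
        if pan is None or amount_cents <= 0:
            return False
        # In a real processor the authorization request to the card network goes
        # here; this example treats every known token as approved.
        return True


class Merchant:
    """Merchant side: keeps tokens and last-four digits only, enough for
    receipts, refunds and repeat charges through the processor."""

    def __init__(self, processor: PaymentProcessor) -> None:
        self.processor = processor
        self.orders: List[dict] = []

    def checkout(self, pan: str, amount_cents: int) -> str:
        # The PAN is handed straight to the processor and not retained.
        token = self.processor.tokenize(pan)
        approved = self.processor.charge(token, amount_cents)
        self.orders.append({"token": token, "last4": pan[-4:],
                            "amount": amount_cents, "approved": approved})
        return token

    def recharge(self, order_index: int, amount_cents: int) -> bool:
        """A later charge on the same card needs only the stored token."""
        return self.processor.charge(self.orders[order_index]["token"], amount_cents)

    def stored_data(self) -> str:
        """Everything an attacker would get from this merchant's database."""
        return json.dumps(self.orders)


if __name__ == "__main__":
    proc = PaymentProcessor()
    shop = Merchant(proc)
    tok = shop.checkout("4111111111111111", 2599)   # Luhn-valid test number
    print("merchant stores:", shop.stored_data())
    print("repeat charge via token:", shop.recharge(0, 1000))
    print("bogus token accepted:", proc.charge("tok_" + "0" * 32, 100))
```

The merchant's dump shows why a breach of the retailer yields nothing usable: the attacker gets `tok_…` strings and last-four digits, and the token is only meaningful to the processor that issued it. What this does, as the article's next sentence says, is move the target to the processor, whose vault now needs the controls (HSM-backed storage, strict access, audit) that the merchant no longer has to provide.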

That could make payment processors a target -- but they always have been.

“People have been coming after us already,” said Paul Kleinschnitz, senior vice president and general manager of cyber security solutions at First Data, which accounts for about 40 percent of payment processing in the U.S.

Meanwhile, merchants like Target and Home Depot are insulated from the risk of losing payment data.

“We are pulling that burden away from the merchants and managing it,” Kleinschnitz said.

6. Plan for failure, Part 2

If JP Morgan can be breached, every company is vulnerable.

“Even if you have the best security in place, there’s still a chance that you may be breached,” said Peter Toren, an attorney specializing in computer crimes at Washington D.C. law firm Weisbrod Matteis & Copley. Toren was also a federal prosecutor for eight years, in the Justice Department's computer crimes division.


How a company reacts to that breach can make a big difference.

Both Target's CEO and its CIO lost their jobs this spring as a result of problems with the company's handling of the aftermath of its breach of 40 million payment card accounts late last year.

“It came out in drips,” said Toren. “It was the death of a thousand cuts.”

Companies need to be prepared to deal with a breach transparently and promptly – and preparations have to start long before a breach ever happens.

“They need to have a plan in place and be working with a PR firm ahead of time,” he said. “Not just bringing one in after the horse is out of the barn.”

This story, “6 things we learned from this year's security breaches,” was originally published by CSO.
