Hope for the best, plan for the worst

The world of systems and data security is changing, and some basic assumptions need to change with it. It's no longer safe to assume that your network is protected and that cybercriminals can't get inside the perimeter. Given the right resources and opportunities they can and will. In fact they might already have done so. Instead of focusing solely on safeguarding the network, IT and security teams need to plan for the event that it's compromised. As well as hoping for the best that no attacks will penetrate systems and infrastructure businesses need to plan for the worst.

This is a crucial thing to understand. Many cybertattacks are now designed to introduce malware, allowing hackers to syphon off data or launch a larger attack at a later date. This malware may lie undetected, for months or even years, the hackers waiting for their moment or stealing data unobtrusively. In December 2016 Yahoo discovered that the user data of some 500 million users had been stolen. What was even more galling was that the breach had actually happened two years before.

This isn't as unusual as you might hope. The Ponemon Institute's 2017 Cost of Data Breach study found that, on average, organisations took more than six months to identify a breach, rising to 214 days for malicious or criminal attacks. That's why many security experts are switching mindsets from one that assumes their organisation's systems are fully secured to one that works from the proposition that those systems may already have been compromised.

In the words of Simon Shiu, Director of the Security Lab and HP Labs Bristol, and Boris Balacheff, Chief Technologist for System Security Research and Innovation at HP Labs, the security profession is finally accepting that given enough resources, an attack will eventually be successful. This means designing not only security protections, but also mechanisms that detect when protections fail and help recover devices or infrastructure to a good state, at both machine speed and at scale.' It's this thinking that has led HP Labs to develop technologies like HP SureStart, that not only detect unauthorised changes to a PC or printer's firmware, but enable automatic recovery before serious damage can be done. Resilience is the key.

This hope for the best, plan for the worst mentality is one worth adopting. In a world where hackers can pose a targeted, persistent threat, every organisation needs to be prepared.

Prepare to be breached

It might seem strange to prepare for something you work hard to ensure won't happen, but it's no different to taking contents insurance on your home, even though you'll take adequate measures to protect your possessions against flood, fire and theft.

Just as you wouldn't leave the doors unlocked, so you still need to put proper security in place. Managed access to sensitive data and clear security policies remain crucial, as is educating staff on why. Adopting two-factor authentication systems is also a smart idea, with a password backed up by fingerprint or face recognition, or by authentication through a smartphone app. The latest HP ProBook and EliteBook laptops support one or both forms of biometric sign-in along with Microsoft's Windows Hello authentication framework. That's going to go a long way to keeping your endpoints secure.

Having secure hardware in place can also boost your resilience. HP Printers with Intrusion Detection and SureStart technology can't be taken hostage by malware and used as a staging post for further attacks. HP PCs and laptops with a new generation of SureStart can't be infected at the firmware level and used to sniff for credentials or spread the infection across the network. When SureStart detects the firmware has been altered, it simply shrugs off the attack and reverts to a last known good state. The more technology you have in place to contain a potential breach, the less damage such a breach can do and the faster that breach will be to fix. That's resilience at work.

Beyond that, however, organisations need a whole lot of data. Only by making the most of their SIEM (Security Information and Event Management) tools and logging as much activity as possible, can organisations build a clear baseline view of what normal behaviour on the network looks like, so that they can then spot deviations from that norm. The more activity you log and monitor, the more your SIEM tools can report on and analyse. The more chance you then have of detecting a breach and dealing with it quickly.

Finally, and perhaps most importantly, every organisation needs a breach response plan. This clearly describes what should happen in the event of a breach, laying out clear roles and responsibilities with no ambiguiity in terms of who needs to do what, and when. It helps to define benchmarks you can use to gauge a breach's severity, then an appropriate and proportional responses for each one, which takes your business' security, your customer's data security and any legal or compliance requirements into account. Your plan needs to be realistic in terms of timing and your in-house expertise, and it needs support from senior leaders in the organisation; if a line-of-business system needs to be shut down to secure valuable data, you need someone at the highest level to support the case. It also needs to cover who needs to be identified and when; in the UK and Europe, notification of authorities and in some cases customers will soon be mandatory under General Data Protection Regulation (GDPR).

Detecting a breach

Once you have a baseline view of normal network behaviour, it's easier to spot discrepancies and separate the false alerts from the ones that need investigating. Is there a mismatch between the ports being used and the application traffic moving through them? Is data being accessed from unusual locations at peculiar times?

Are custom tunnels, unauthorised proxies, Remote Desktop Protocol, development tools or file transfer applications being used by teams and workers who have no business case to do so? Are user credentials being used by 9 to 5 workers out of hours? There are often giveaways around stolen credentials, for instance if a user is logging in much more than usual, in shorter bursts, or concurrently from more than one device.

Flows of data might also be suspicious. Look at where it's being accessed, who is accessing it, how much is being transferred and where. All this logging, monitoring and analysis can be hard work which is why it's best to automate as much as possible but it's a whole lot easier than hearing of a breach from a customer or third party. Sadly, this is how some 27% of data breaches are discovered.

Containing and repairing

The main reason to have a plan is that when you discover a breach you need to act fast. You can work to restrict access to at-risk data, log requests and gauge the extent of the breach. You can notify the relevant authorities or if necessary customers and end-users, and put any safeguards required into place. Most importantly, you can check that the attack is actually over. Is there still any suspicious activity? Have any mechanisms used to access data been left in place? Are there any signs that device firmware may have been tampered with, or devices on the network been infected?

You're going to need all that data you've been logging too. This is the evidence that can help you trace activity back to the point of entry, isolate the accounts or software vulnerabilities being used, then take remediate action. IP addresses, account data, login activity, security data and a range of artefacts can be used to backtrack from one event to the preceding event and work out where any attack took place and where it spread. This is what you'll need to fix the breach, then ensure that it isn't repeated. It's just as important to log your remediate activities as well. After all, you may be called to show that you did everything in your power at a later date.

By moving fast, fixing your vulnerabilities, cleaning and patching your systems and making sure that everyone who needs to know is notified, companies affected by a breach can minimise the damage, safeguard their reputation and avoid any regulatory penalties. You can't necessarily prevent a breach from happening, but you can manage what happens if it does. By building resilience into your systems and security policies, you'll ensure that you're prepared for the worst, while still hoping for the best.

Find out how to keep your business safe from hackers like The Wolf...


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.