I read an interesting article from Bruce Schneier today that was basically a commentary on an equally interesting article from Brian Krebs about the recently disclosed Marriott breach. I’ve linked both articles below but wanted to highlight a couple of key points.
- Accept that you are vulnerable. Your data has been, and will continue to be, leaked, stolen, hacked and sold. Between the Target breach, the OPM breach, the Equifax breach and now the Marriott / Starwood breach, it’s safe to just assume that your data is ‘out there’. Operating on an ‘assume breach’ footing is no longer an optional luxury; it is simply a description of reality, and pretending otherwise does not make it so.
- Understand your risk. Identity theft, insurance fraud, corporate sabotage, and so on: depending on your circumstances and the data that is (or will be) compromised, work out the risk that you and your organization are now exposed to. Document your assets, the vulnerabilities that expose them, and the impact on each asset if an attacker successfully exploits one of those vulnerabilities.
- Plan. Once you know where you’re vulnerable and the risk that each vulnerability poses, plan additional security controls that are proportionate to that risk.
- Test. Once you have the new locks and cameras guarding the perimeter, the updated password policies, access controls and multi-factor authentication guarding access to your sensitive information, and the logging and alerting that tells you when those controls have been challenged, test them. Find out what an attacker sees when doing reconnaissance on your organization and compare it with what you see: can they pick the locks, bypass the cameras, circumvent the multi-factor authentication, or operate without setting off alerts or leaving traces in the logs?
- Brian Krebs – https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/
- Bruce Schneier – https://www.schneier.com/blog/archives/2018/12/your_personal_d.html
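The ‘test’ step is the one most teams skip. As an added example (my own, not from either linked article and not a description of Marriott’s environment), here is a small Python harness that replays a constructed authentication log through three detection rules and reports two things: which rules fired, and which attacker actions no rule ever referenced. The log format, the rule names and thresholds, the baseline source addresses and the list of sensitive resources are all assumptions chosen for illustration; the attacker flag on each event is the red team’s ground truth, which is exactly what lets you measure the gap between what the attacker did and what you saw.

```python
"""Replay attacker-style activity through detection rules and report blind spots.

Added example, not code from the original post. Log fields, rule names,
thresholds, baseline IPs and sensitive-resource names are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: resources whose access should always sit behind MFA.
SENSITIVE_RESOURCES = {"hr-db", "guest-reservations"}

# Assumed baseline of known-good source addresses per user (constructed).
BASELINE_IPS = {"alice": {"10.1.1.5"}, "bob": {"10.1.1.9"}}


def ev(ts, user, src_ip, event, mfa, resource, attacker):
    """Build one constructed log event; 'attacker' is red-team ground truth."""
    return {"ts": ts, "user": user, "src_ip": src_ip, "event": event,
            "mfa": mfa, "resource": resource, "attacker": attacker}


# Constructed sample log (not real data), deliberately out of time order.
SAMPLE_LOG = [
    # Legitimate activity from a known address, MFA satisfied.
    ev("2018-12-03T08:00:00", "alice", "10.1.1.5", "login_success", True, "vpn", False),
    ev("2018-12-03T08:05:00", "alice", "10.1.1.5", "login_success", True, "hr-db", False),
    # Attacker holding bob's leaked password fails MFA three times in ten minutes...
    ev("2018-12-03T02:10:00", "bob", "203.0.113.7", "mfa_failure", False, "vpn", True),
    ev("2018-12-03T02:11:00", "bob", "203.0.113.7", "mfa_failure", False, "vpn", True),
    ev("2018-12-03T02:13:00", "bob", "203.0.113.7", "mfa_failure", False, "vpn", True),
    # ...then finds a legacy endpoint that never asks for MFA.
    ev("2018-12-03T02:20:00", "bob", "203.0.113.7", "login_success", False, "guest-reservations", True),
    # Insider-style abuse: known address, MFA passed, wrong resource. Nothing below sees this.
    ev("2018-12-03T09:30:00", "alice", "10.1.1.5", "login_success", True, "guest-reservations", True),
]


def rule_mfa_failure_burst(log, threshold=3, window=timedelta(minutes=10)):
    """Fire when one user accumulates `threshold` MFA failures inside `window`."""
    alerts, failures = [], defaultdict(list)  # user -> [(ts, index)]
    for idx, e in enumerate(log):
        if e["event"] != "mfa_failure":
            continue
        ts = datetime.fromisoformat(e["ts"])
        recent = [(t, i) for t, i in failures[e["user"]] if ts - t <= window]
        recent.append((ts, idx))
        failures[e["user"]] = recent
        if len(recent) >= threshold:
            alerts.append(("mfa_failure_burst", [i for _, i in recent]))
            failures[e["user"]] = []  # one burst produces one alert
    return alerts


def rule_sensitive_without_mfa(log):
    """Fire on a successful login to a sensitive resource that skipped MFA."""
    return [("sensitive_without_mfa", [i]) for i, e in enumerate(log)
            if e["event"] == "login_success" and not e["mfa"]
            and e["resource"] in SENSITIVE_RESOURCES]


def rule_unknown_source(log, baseline=BASELINE_IPS):
    """Fire on any authentication event from an address outside the user's baseline."""
    return [("unknown_source_ip", [i]) for i, e in enumerate(log)
            if e["src_ip"] not in baseline.get(e["user"], set())]


RULES = [rule_mfa_failure_burst, rule_sensitive_without_mfa, rule_unknown_source]


def evaluate(log, rules=RULES):
    """Sort by time, run every rule, return (alerts, blind_spots).

    alerts: list of (rule_name, [indices into the sorted log]).
    blind_spots: attacker-flagged events that no alert referenced.
    """
    ordered = sorted(log, key=lambda e: e["ts"])
    alerts = [a for rule in rules for a in rule(ordered)]
    seen = {i for _, idxs in alerts for i in idxs}
    blind_spots = [e for i, e in enumerate(ordered) if e["attacker"] and i not in seen]
    return alerts, blind_spots


if __name__ == "__main__":
    fired, missed = evaluate(SAMPLE_LOG)
    for name, idxs in fired:
        print(f"ALERT {name}: events {idxs}")
    for e in missed:
        print(f"BLIND SPOT: {e['user']} -> {e['resource']} at {e['ts']} (no rule fired)")
```

Run against the constructed log, the burst rule fires once, the no-MFA rule fires once, and the unknown-source rule fires on all four of the attacker’s events from 203.0.113.7, so the external attacker is loud. The event that survives untouched is the one from a trusted address with MFA satisfied, which is the point of the exercise: the test tells you which control to plan next (in this case, a rule about which users have any business in a given data store), rather than letting you assume the alerts you have are the alerts you need.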