With organizations embracing cloud and open-source technology, there is growing concern about the security of those applications. Attackers use systematic approaches to find patterns that let them pierce companies’ systems.
Surprisingly, 95% of breaches and data exposures stem from human error. Breaches are also instigated by disgruntled ex-employees who still retain access to their former company’s systems.
In 2020 there was a cybersecurity threat every 20 seconds; in 2021 that rate is projected to reach one every 11 seconds. Yet 77 percent of companies report that they do not have an incident response plan for a cybersecurity breach.
Nonetheless, there are ways companies can reduce cybersecurity threats. These measures can be broken down into five key areas: organizational considerations, compliance and standards, cloud service providers, people and processes, and technology.
A company’s Chief Technology Officer or Chief Information Officer needs a clear vision of how to build the company’s security structure: what data the company owns, where it is located, how the data flows and how often applications access it, what the usual access patterns are, who has access, and what privileges they hold.
Once these parameters have been established, the company should make sure it knows its “blast radius”: the applications and data that are exposed when a specific access entity is compromised. Keeping the blast radius to a minimum should be the company’s primary goal.
It is also important for companies to allocate a sufficient budget each year for defense. Reducing cybersecurity threats also requires companies to make sound hiring decisions and to make retaining staff with the right skill set a top priority.
Compliance and standards
It is crucial for companies to remain compliant with industry standards in order to reduce their executive and organizational liabilities regarding data security.
HIPAA (health information privacy), PCI DSS (credit card security standards), GDPR (the European Union’s law on data protection and privacy) and FHIR (a standard for exchanging electronic health records) are just some of the applicable regulations and standards. Equally important is performing compliance auditing as part of meeting the regulatory requirements.
One of the 12 requirements of PCI DSS is: “Do not use vendor-supplied defaults for system passwords and other security parameters.” Suppose an organization stores cardholder information in a PostgreSQL database. A default PostgreSQL installation listens for client connections on port 5432. The organization should override that default and configure the database to listen on a custom port other than 5432. This practice is often referred to as “database hardening.”
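As an added example (not part of the original article), the following checker reads a postgresql.conf in the format PostgreSQL uses and reports security parameters still sitting at their vendor defaults, including ones that are merely commented out. The port is the article’s case; the ssl and password_encryption checks are this example’s additions, and both configuration texts are constructed for the demo.

```python
# Added example, not from the article: flag vendor-default security parameters
# in a PostgreSQL postgresql.conf (PCI DSS requirement 2). Config text is constructed.
import re

# Defaults a hardening review should override. The article's own case is the
# port; ssl and password_encryption are this example's additions.
VENDOR_DEFAULTS = {
    "port": "5432",                 # default client port
    "ssl": "off",                   # client connections unencrypted by default
    "password_encryption": "md5",   # default before PostgreSQL 14
}
# name = value, optional trailing comment; a '#' first character fails \w+
CONF_LINE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*(#.*)?$")

def parse_postgresql_conf(text):
    """Return {name: value} for active settings, quotes and trailing comments
    stripped. Commented-out lines do not match and are dropped, which matters:
    a commented setting is still at its vendor default."""
    settings = {}
    for line in text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip("'")
    return settings

def audit(settings):
    """List settings still at a vendor default; absent settings count too."""
    return [f"{name} = {default} (vendor default; override it)"
            for name, default in VENDOR_DEFAULTS.items()
            if settings.get(name, default) == default]

SAMPLE_CONF = """\
# constructed sample: a near-default installation
#port = 5432                  # commented out, so the default still applies
listen_addresses = 'localhost'
ssl = on
password_encryption = md5     # vendor default before PostgreSQL 14
"""
HARDENED_CONF = """\
port = 5433
listen_addresses = '10.0.5.12'
ssl = on
password_encryption = scram-sha-256
"""

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_postgresql_conf(conf)) or ["no vendor defaults"])
```

Moving the port does not hide the service from a port scan; the point of the requirement is the habit of reviewing and overriding every shipped default, which is why the checker also covers ssl and password_encryption.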
Cloud Service Providers
Cloud Service Providers (CSPs) operate under a shared responsibility model. The CSP is responsible only for the security of the cloud itself, while the company is responsible for controlling access within the cloud: only the entities the company permits can gain access, and once access is granted, what an entity can do within the cloud is determined by the access policies the company sets.
CSPs also provide comprehensive tools and services, such as Amazon Web Services (AWS) Organizations, Identity and Access Management (IAM), guardrails, and the AWS Web Application Firewall (WAF), to combat common threats such as Distributed Denial of Service (DDoS) attacks.
People and Processes
People are the weakest link in the security guardrail. In the process of developing, testing, and deploying an application, companies need a robust process that runs security scans as one of the quality gates before production deployment. Another approach is to apply the principle of least privilege: give employees, contractors, and vendors only the access they need, for example “read only” access to files, or access only to the specific files they need.
Companies should also use a continuous auditing system that learns employees’ access patterns, including where and when each employee normally works. If an employee suddenly starts working from a different city, that should be flagged and sent to the security specialists. Companies should also ensure that when an employee or contractor is terminated, their access to the system is terminated immediately.
All technology is subject to threats.
Artificial intelligence (AI) systems have a useful role to play in addressing these threats and can help identify unusual access patterns. Most IT applications today are containerized, so security scans of container images should be an integral step in change approval and deployment.
AI systems can be used effectively to detect behavioral patterns of users and of applications’ inter-system communication, such as time of access, location, and frequency. Such systems usually learn from past behavior and can also predict fraudulent access that was not previously known.
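The access-pattern signal described in the continuous-auditing paragraph above and again here (location, time of access, frequency) can be built without any machine learning. The following added example (not from the article) learns a per-user baseline from a training window of login records and flags logins that break it; the log lines and their one-line format are constructed for the demo.

```python
# Added example, not from the article: rule-based baseline of where, when and how
# often each user logs in (the article's auditing/AI signal). Logs are constructed.
from collections import Counter, defaultdict
from datetime import datetime

BASELINE_LOG = """\
2021-03-01T09:02:11Z alice Austin
2021-03-01T17:10:44Z alice Austin
2021-03-01T10:20:00Z bob Denver
"""
NEW_LOG = """\
2021-03-03T09:05:00Z alice Austin
2021-03-03T03:12:41Z alice Lisbon
2021-03-03T10:00:00Z bob Denver
2021-03-03T10:00:05Z bob Denver
2021-03-03T10:00:09Z bob Denver
2021-03-03T10:00:12Z carol Boston
"""

def parse(log):
    """Each line is 'ISO-timestamp user city' (constructed format)."""
    return [(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), u, c)
            for t, u, c in (line.split() for line in log.splitlines())]

def build_baseline(events):
    """Per user: cities seen, span of login hours, peak logins in one day."""
    cities, hours, per_day = defaultdict(set), defaultdict(list), Counter()
    for ts, user, city in events:
        cities[user].add(city)
        hours[user].append(ts.hour)
        per_day[(user, ts.date())] += 1
    return {u: {"cities": cities[u], "hours": (min(hours[u]), max(hours[u])),
                "peak": max(n for (v, _), n in per_day.items() if v == u)}
            for u in cities}

def flag_anomalies(events, baseline):
    """Return (timestamp, user, reason) for logins that break the baseline."""
    findings, per_day = [], Counter()
    for ts, user, city in events:
        b = baseline.get(user)
        if b is None:                       # never seen before: always review
            findings.append((ts, user, "no baseline for user"))
            continue
        if city not in b["cities"]:
            findings.append((ts, user, f"new location {city}"))
        if not b["hours"][0] <= ts.hour <= b["hours"][1]:
            findings.append((ts, user, f"off-hours login at {ts.hour:02d}:00"))
        per_day[(user, ts.date())] += 1
        if per_day[(user, ts.date())] == 2 * b["peak"] + 1:  # flag a spike once
            findings.append((ts, user, "login frequency spike"))
    return findings
```

Each finding is the kind of event the article says should reach the security specialists; a real deployment would feed a longer training window and tune the 2x frequency threshold to the user population.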
Following a security breach
One of the major issues a company faces once a breach has occurred is that it often does not realize what it has lost for several months. Target faced this problem in the aftermath of its security breach in December 2013.
That is why, immediately following a breach, a company must establish how the attacker gained access and what information they were able to reach. To do this, companies should embrace a comprehensive cybersecurity system called SMART. Its official definition stands for Specific, Measurable, Achievable, Relevant, Time; in this context the acronym could equally be read as Security Management and Awareness to Reduce Threats.
At the center of the SMART system would be a visualization or blueprint of an organization’s data centers, virtual machines, regions, availability centers, applications, web servers, data servers, and the roles and privileges with access to the applications. It would show what level of access specific roles have on servers and applications, a geographical plot of where access requests come from, and access hotspots in real time. The system would also reconcile people, applications, access, and access patterns.
Companies should also create a two-fold plan: implement Level-10 security procedures based on the five areas above, and design an incident response plan to be executed by a Swift Action Team (SWAT) once a breach has occurred. Finally, regular security drills should be conducted to measure recovery time.
With foresight and preparation, companies can (and should) find effective ways to reduce the risk of cybersecurity attacks as well as minimize the fallout in the event of a breach.