Neil Daswani, Co-director of the Stanford Advanced Security Certification Program, and former CISO of Symantec’s consumer division (LifeLock & Norton), recently presented his lessons learned from big name breaches to 4iQ investor BGV’s Technology Advisory Council. Neil is an expert in information security, and the co-founder of Dasient, an Internet security company that protects websites from web-based malware attacks (acquired by Twitter in 2012). Prior to Dasient, Neil was a product manager at Google where he led the authoring of “The Anatomy of Clickbot.A”—a detailed analysis of a 100,000-machine botnet constructed to conduct click fraud—and a book chapter on “Online Advertising Fraud.” I took notes and chatted with Neil after his talk.
In just the last few years, the number of breaches and exposed identity records has risen. Companies like Target, Yahoo, Marriott, Equifax, and just recently Capital One, have made headlines because they have suffered massive breaches. As a result, lawsuits have been filed, companies have been fined, and CEOs have been fired.
Although a single breach may have multiple causes, Neil noted some common attack vectors and root causes:
There are defenses companies can employ to prevent or react to these types of attacks. For example, defenses against phishing include anti-phishing awareness training and testing, fast exposed credential detection and password resets, email authentication (DKIM/DMARC) and multi-factor authentication. Malware risks can be reduced with techniques such as endpoint protection, sandboxing and intrusion detection, and software security can be improved with strong key management and cookie generation algorithms.
The key, of course, is a holistic, defense in depth approach that focuses on preventing, detecting, containing, and recovering from security incidents.
The problem, however, is that a holistic approach to information security requires more than just technology; it also needs people to address human error and process issues. There is an immense skills gap and shortage in trained professionals – according to cyberseek.org, while 715,715 people are employed in cybersecurity today, there are 313,735 job openings. Further, CyberSecurity Ventures predicts that there will be 3.5 million unfilled positions worldwide by 2021.
Given the massive skills shortage, Neil recommends investing heavily in automation. With new privacy laws like GDPR and CCPA coming into effect, and to avoid becoming the next headline-grabbing breached company, he also recommends that CISOs focus on addressing the root causes of breaches, in turn achieving compliance as a side effect.
Finally, CISOs should also take a defense in depth approach to account takeover prevention, investing not only in detecting web-based credential stuffing attacks, but also subscribing to identity threat intel that detects usernames, passwords and other exfiltrated PII that is found circulating on the internet for any breached company. CISOs can use these alerts to automate password resets before exposed passwords can be weaponized. This process also allows for the system to check usernames and passwords at account creation, login, and password reset events to make sure users are not reusing passwords and leaving their accounts, as well as the company, open to hacking attempts.
Don’t wait until it’s too late. Just as you would conduct a post-mortem to reflect upon and improve your company’s security practices in the wake of a breach, learn from other case studies as well. Errors committed by other breached companies may actually benefit yours in the long run.