NEW YORK—Chief information Security Officers (CISOs) and technology professionals gathered for Gigamon's Cybersecurity Summit here Nov. 8 to get some sobering news from researcher Brian Krebs on the current state of the enterprise IT security.
One of his key observations is that today's big breaches are likely yesterday's news for seasoned cyber-attackers. The recently-disclosed Equifax breach may have grabbed headlines and led to some hasty executive departures at the company, but it came as no surprise to Krebs.
The millions of names, addresses and other personally identifiable information pilfered from the credit bureau's servers have "been out there for years," he said.
"These identifiers—name, date of birth, social security numbers, mother's maiden name, address, previous address, phone number—all of this stuff has been compromised a hundred times over in the last decade. More importantly, it's broadly for sale in the cyber-crime underground," Krebs said during a keynote address.
To illustrate his point, he showed a screenshot of his own personal information as it appears in a dark web marketplace, with some strategic blurring of especially sensitive information, of course.
It's cold comfort for the millions of consumers affected by the Equifax breach and others like it, but businesses can help prevent future incidents with a change of perspective. Rather than reflexively seek out new-and-improved security systems, Krebs suggested that enterprises assume they have already been compromised and let that mindset guide their IT strategies.
As it turns out, companies with a good track record of keeping a tight lid on sensitive information explore a world beyond periodic penetration testing and routinely hack themselves.
They have "red teams," IT security personnel who seek out and essentially attack their own networks, on both sides of the firewall. "Blue teams," meanwhile, monitor their networks and IT services, mounting defenses in an attempt to thwart their colleagues. At the end of the day, they compare notes, take the appropriate steps to harden their networks based on their findings and do it all over again the following day.
Preventing another Equifax-scale breach may also require that businesses reexamine how they configure their networks, according to Edward Amoroso, CEO of cyber-security advisory and training firm TAG Cyber.
"If you're running a perimeter [security] architecture, then you're a sitting duck," warned Amoroso during a CISO panel, stressing that what befell Equifax can happen to any organization relying solely on firewalls and other perimeter security solutions. "Perimeter architecture is not going to stop a determined hacker."
One way to stop hackers or at least slow them down is to "completely explode the network and redistribute defenses," said Amoroso. Using micro-segmentation, virtual servers, containers and other technologies, "exploded" networks make it tough, not to mention time-consuming, to mount an effective attack compared to monolithic approaches.
Krebs also recommended that CISOs think beyond compliance. If a company's cyber-security efforts don't extend beyond the requirements set by HIPAA, Payment Card Industry and other standards, it's only a matter of time until attackers exploit the blind spots created by a narrow view of data security.