Oxon Hill, MD— It should be no surprise when marketing executives for security vendors say that whatever it is their company sells is the best way to bolster data security. That is, after all, their job.
That view certainly prevailed at the Gartner Security and Risk Management Summit held at Gaylord Convention Center just outside the Capitol Beltway that encircles Washington, DC.
And as you’d also expect, the topic that came up in every conversation even vaguely related to security was the recent data breach disclosed by the Office of Personnel Management. On June 4, the OPM disclosed that hackers had made off with millions of personnel records of government employees and others, including contractors with security clearances. Since no solid details about what happened have been made public, speculation ran rampant.
Fortunately, I was able to find some serious security researchers at the event, people who were quietly advising some of those three-letter agencies in the capital that we expect to be able to keep confidential data from being leaked or stolen. Their views were quite different.
“This is why we need a new paradigm,” Jasper Graham said as we talked in his hotel suite, far from the crazed goings-on at the Gartner event. Graham, who is senior vice president of cyber-technologies and analytics for Darktrace and formerly a National Security Agency cyber-security expert, said that the industry needs to abandon the idea that perimeter defense of the enterprise is enough.
“You might be able to keep out 90 percent,” he said, referring to the share of people trying to break into an enterprise network, but he said that the remaining 10 percent are smart and motivated, so inevitably they will find a way to get into your network.
Because keeping hackers out of your network is essentially impossible, what enterprises must do is find ways to make their valuable data inaccessible or useless, or preferably, both. This is the reason that hackers were able to penetrate OPM, as well as Target, Sony and Anthem, he said. Those networks, he pointed out, were not segmented and their critical data wasn’t encrypted.
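One way to make stolen records useless, in the sense Graham describes, is to encrypt the sensitive fields with a key that never sits in the database. The following is an added example written for this page, not code from Darktrace, Graham or any of the breached organizations. It uses Go's standard-library AES-256-GCM to store a personnel record under envelope encryption: each record gets its own data-encryption key (DEK), which is in turn wrapped under a key-encryption key (KEK) that is assumed to live in a separately segmented key-management service. The KEK, the employee ID and the SSN value are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a constructed stand-in for one row of a personnel table.
// The identifier stays in the clear so the row can be looked up; the
// sensitive field is stored only as ciphertext, next to its own wrapped key.
type Record struct {
	EmployeeID string
	SSN        []byte // AES-256-GCM: nonce || ciphertext || tag
	WrappedDEK []byte // per-record data key, encrypted under the KEK
}

// gcmFor builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, binding aad to the result.
// A fresh random nonce is prefixed to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, ciphertext, tag or aad
// differ from what was sealed.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Store generates a DEK for one record, encrypts the SSN under it with the
// employee ID as associated data (so rows cannot be swapped), and wraps the
// DEK under the KEK. Each DEK encrypts exactly one value, so a random
// 96-bit nonce per DEK carries no nonce-reuse risk.
func Store(kek []byte, employeeID, ssn string) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, []byte(ssn), []byte(employeeID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(employeeID))
	if err != nil {
		return Record{}, err
	}
	return Record{EmployeeID: employeeID, SSN: ct, WrappedDEK: wrapped}, nil
}

// Load unwraps the record's DEK with the KEK and decrypts the field. Anyone
// holding only the database contents, without the KEK, gets an error.
func Load(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(r.EmployeeID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, r.SSN, []byte(r.EmployeeID))
	if err != nil {
		return "", fmt.Errorf("decrypt field: %w", err)
	}
	return string(pt), nil
}

func main() {
	// Hypothetical KEK: in production it lives in an HSM/KMS on a separate
	// network segment from the database and only wraps and unwraps DEKs.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Store(kek, "E-1001", "123-45-6789") // constructed sample data
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: id=%s ssn=%x\n", rec.EmployeeID, rec.SSN)

	// An attacker who dumps the table has the row but not the KEK.
	if _, err := Load(make([]byte, 32), rec); err != nil {
		fmt.Println("dump without KEK:", err)
	}
	// The application, which can reach the KMS, still reads the field.
	ssn, err := Load(kek, rec)
	fmt.Println("application read:", ssn, err)
}
```

The point of keeping the KEK off the database host is segmentation applied to keys: a dump of the table, or of the whole database server, yields ciphertext and wrapped keys only. The design still has to limit which application identities may ask the KMS to unwrap, and how often, or an attacker who compromises the application tier simply decrypts rows one at a time.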
Sadly, there are worse problems than limiting security to perimeter defense. Torsten George, vice president of marketing for Agiliance, shook his head in dismay as he told me about a company that asserted it didn’t need any sort of cyber-security protection.
“They said they had cyber-insurance, and that was enough,” he said. I asked him if that company’s cyber-insurance was going to cover its drop in valuation or the firing of its CIO and CSO when the board found out why any hacker was certain to be successful.
Enterprises Must Encrypt Data, Segment Networks to Thwart Hackers
Equally interesting was that none of the experts I spoke with at the event were willing to point their fingers at OPM itself. Revising a records management system as huge as OPM’s personnel records is daunting and expensive in the extreme.
Agencies are caught in a continuous battle to get the budgets necessary to do their jobs. Complicating matters, the hardware and software in use at many agencies is antiquated, and updating it under the existing federal procurement rules can be nearly impossible.
Add to this the tendency in Congress to simply cut the federal budget by some arbitrary percentage, and you have a situation in which adequate security is at best a wish glimpsed in a fevered nightmare. Instead, federal IT staffers are forced to make do with long-outdated equipment that is frequently incompatible with anything else in the data center.
When federal IT managers find that some action, such as greater security, is mandated, they often have to choose which other functions they’re going to shut down because they don’t have the funding to do everything they’re required to do.
The OPM breach is a good example. The Department of Homeland Security has announced that it will ask Congress for the money necessary to find the cause of the recent attack and then fix it.
What this means, if you are familiar with federal procurement, is that Congress has currently appropriated no money for security upgrades and none for the forensic analysis that would let managers figure out how the attack happened.
Fortunately, private industry doesn’t have to depend on Congress to behave responsibly. But it does have to depend on boards and top managers believing that bolstering data security should be a priority.
Some companies are, in fact, doing this. As a result, for every Anthem Blue Cross that doesn’t segment its network and encrypt sensitive data because it isn’t legally required to, there is a company such as Carefirst Blue Cross that does it anyway.
This is why, when Carefirst Blue Cross was hacked, little was lost, unlike at Anthem, where everything was taken. Both companies still had to tell their customers about the hack, but only Carefirst was able to tell its customers that there was little chance of identity theft.
Now, when those security experts talk about how security can be done right, they have a good example and a bad example. One wonders how the company with cyber-insurance might feel if it were routinely called out by its peers as the bad example.