In BakerHostetler’s 2017 Data Security Incident Response Report, we analyzed 104 network intrusion attacks that we helped our clients respond to last year. Such incidents typically occur when criminals find a weakness in a company’s internet-facing network, penetrate the network, conduct reconnaissance to locate valuable data, and exfiltrate that data before they are detected and stopped. Our clients were required to notify potentially affected customers or patients in 62 percent of the network intrusion attacks. Forensic investigation costs for the attacks averaged $93,322 and ranged as high as $750,000.
Basic data security measures can make it more difficult for many criminals to succeed with these attacks. Companies should consider taking the following steps:
- Implement multifactor authentication to remotely access any part of the company’s network or data.
- Disable remote desktop protocol on internet-facing systems.
- Segregate subnetworks that contain valuable data from other parts of the network, and require users who need to access such data to use multifactor authentication or one-time passwords to do so.
- Implement and monitor a software patch management system that requires critical patches to be installed promptly.
- Require users to use complex passwords and to change them at least every 90 days.
- Remove administrative rights from normal users and limit the number of accounts with administrative privileges.
- Implement a web proxy that can block access to untrusted websites.
- Utilize threat intelligence and endpoint protection tools that use reputational searches and behavioral patterns.
- Deploy an intrusion detection and prevention system (IDPS) that aggregates logs to a SIEM tool that sends real-time alerts.
- Hire qualified staff or engage a vendor to monitor SIEM and endpoint protection alerts.
- Ensure that all internet-facing and core infrastructure systems, as well as systems that store or have access to sensitive data, have logging enabled.
- Retain the logs for at least a year but preferably longer.
- Do not allow employees to access personal email accounts from the company’s network.
- Use security firms to conduct periodic, credentialed vulnerability scans; to help correct vulnerabilities discovered; and to conduct periodic penetration tests on internet-facing applications that contain sensitive data or provide access to internal networks.
These basic security measures may not prevent sophisticated attackers, such as state-supported groups and highly capable cyber criminals, from stealing valuable data. There are increasing numbers of such attackers. As Mandiant’s 2017 M-Trends report states on page 9: “The line between the level of sophistication of certain financial attackers and advanced state-sponsored attackers … no longer exists.” In other words, businesses are being targeted by attackers with skills equivalent to those of attackers employed by Chinese and Russian intelligence agencies. Those skills are extremely advanced, according to a February 2017 report by the Department of Defense (DoD), Defense Science Board, Task Force on Cyber Deterrence (page 4): “[F]or at least the coming five to ten years, the offensive cyber capabilities of our most capable potential adversaries are likely to far exceed the United States’ ability to defend and adequately strengthen the resilience of its critical infrastructures.”
Such advanced attackers were responsible for several of the most serious incidents our clients faced last year. The same Russia-based criminal group, designated by Mandiant as “FIN5,” was responsible for five of the 10 largest network intrusion attacks.
Some basic security measures will help even when highly sophisticated attackers target a company. For example, an IDPS can identify an attack early and help security staff prevent the attackers from stealing data over an extended period. If logs have been retained, a forensic investigation can determine which systems were accessed and which were not. A company can save millions of dollars in notification costs, PCI fines and assessments, regulatory fines, and class action defense and settlement costs by using such logs to prove that only some of the personal information stored by the company – not all of it – was accessed or stolen. Failing to invest in basic security measures will prove to be an expensive choice when either low-skilled or highly capable attackers target a business’s network.