2014 cyberattack victims in the crosshairs again, warns SANS' Eric Cole
The big news in IT security in 2015 will not be the newest Fortune 1000 cyberattack victim. Instead, expect the cybercriminals to return to the scene of the crime, and re-attack one of last year's top victims.

That is the prediction of Dr. Eric Cole, cyberdefense curriculum lead at the SANS Institute, who sat down this week with FierceCIO to discuss what CIOs can and should be doing to minimize security risks to their organization.

By everyone's reckoning, 2014 was a total horror show for cyberattacks and data breaches, and we should expect more of the same in 2015. But the biggest warning goes out to those organizations already maimed by cybercriminals.

"I think one of the big things that is going to occur is that you're going to have one of these big organizations from last year be re-infected. I think that will be the huge event," Cole explains. "Everyone is talking about cyberattacks on critical infrastructure, electricity or utilities. I don't think that's going to happen. I think that one of the companies from last year, despite all of the money, despite all of the effort they put into it, is going to be broken into again."

Cole says there are two reasons for this. One is vanity on the part of the attackers, and the second is naivety on the part of victims.

"It's one thing to say that you've broken into an organization once, but the ultimate in terms of bragging rights is to do it again," Cole explains.

"The other important reason is that some of the folks that they broke into still have information that [attackers] want. To me, a lot of these organizations are not testing their fundamental security areas. A lot of these organizations that got breached last year have since spent $20, $30, $40 million on buying new devices, buying new technology and buying new firewalls. The problem is they still haven't fixed the fundamental reason why they got broken into."

So what's wrong with the picture? For some organizations, the wrong people are in charge of security. Others are trying to cast too wide a defensive net, leaving actual security measures spread thin around the entire perimeter, Cole says.

"In a lot of organizations, the person who is in charge of security really doesn't have a security background. This is a very specialized skill. They could be the smartest person on the planet, but if they don't understand those fundamentals they're not going to be successful," Cole argues.

Effective security on the cheap

Ironically, effective IT security doesn't have to cost a lot, Cole says. It is more a matter of mindset than of spending: deciding what the end goal is and working toward it.

"The three biggest security shortfalls, and the things they need to focus in on, are what I call the foundation of security--asset identification, configuration management and damage control," Cole says. "Many organizations assume that they already have a foundation in place; but they're forgetting that they're not covering basic components of controlling the environment and understanding what's on the environment."

The problem isn't just at organizations that haven't experienced a security incident. Companies that have been breached are just as guilty.

Cole offers the following advice to CIOs on how to best secure the organization, and minimize damage in the event of an incident.

"The first thing they need to do is data discovery, and then perform what I call de-scoping the environment," Cole explains.

"If you look at any of these large organizations that have been breached, their networks are gigantic. So if you go in and you try to secure that entire environment it's not going to happen--it's too large, it's too difficult, it's too easy to overlook an area. But if you can go in and identify your categorized information--I hate to use the word data classification--but essentially that is what you're doing: determining what information is on your network, what is the sensitivity and then create network segments that are isolated from each other, and then control the flow of who is entering and who is exiting that information," Cole says.
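The three steps Cole describes here (find out what information is on the network, tag its sensitivity, put it in isolated segments and control what crosses between them) and the "asset identification" foundation from his earlier list can be turned into a simple audit. The following is an added example, not code from the article, from SANS or from Dr. Cole. Everything in it is constructed: the asset names, the RFC 1918 addresses, the segment policy and the flow records. It assigns each inventoried asset to a segment by sensitivity tier, then checks flow records against a policy of which ports may cross between tiers, and flags two kinds of findings: a cross-segment connection the policy does not allow, and a flow involving an address that is not in the inventory at all (an asset-identification gap, the "you don't know what's on your network" problem).

```python
"""Toy de-scoping audit: segment by data sensitivity, then check flows.

Added example, not from the article. All inputs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# One network segment per sensitivity tier; an asset's segment is the tier
# of the most sensitive data it holds.  Order matters for in_scope().
TIERS = ("public", "internal", "confidential", "restricted")


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    sensitivity: str  # one of TIERS


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed inventory (hypothetical hosts and addresses).
INVENTORY: List[Asset] = [
    Asset("www-1", "10.0.0.10", "public"),
    Asset("crm-app", "10.0.1.20", "internal"),
    Asset("hr-db", "10.0.2.30", "confidential"),
    Asset("card-vault", "10.0.3.40", "restricted"),
]

# Constructed policy: (source tier, destination tier) -> ports allowed to
# cross.  Any cross-tier flow not listed is a violation; traffic that stays
# inside one tier is allowed by this toy model.
POLICY: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("public", "internal"): frozenset({8443}),
    ("internal", "confidential"): frozenset({5432}),
    ("internal", "restricted"): frozenset({8443}),
}

# Constructed flow records, as a NetFlow-style export might summarize them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.10", "10.0.1.20", 8443),  # web tier -> app tier, allowed
    Flow("10.0.1.20", "10.0.2.30", 5432),  # app -> HR database, allowed
    Flow("10.0.0.10", "10.0.3.40", 443),   # web tier straight to card data
    Flow("10.0.9.99", "10.0.2.30", 5432),  # source host not in inventory
    Flow("10.0.2.30", "10.0.3.40", 22),    # HR db -> card vault, no such rule
]


def build_index(inventory: List[Asset]) -> Dict[str, Asset]:
    """Map IP -> asset, refusing inventory entries with an unknown tier."""
    index: Dict[str, Asset] = {}
    for asset in inventory:
        if asset.sensitivity not in TIERS:
            raise ValueError(f"{asset.name}: unknown tier {asset.sensitivity!r}")
        index[asset.ip] = asset
    return index


def in_scope(inventory: List[Asset], minimum_tier: str) -> List[Asset]:
    """De-scoping: the assets whose data is at or above a sensitivity tier.

    These segments are where controls and monitoring effort go first.
    """
    threshold = TIERS.index(minimum_tier)
    return [a for a in inventory if TIERS.index(a.sensitivity) >= threshold]


def classify_flow(flow: Flow, index: Dict[str, Asset],
                  policy: Dict[Tuple[str, str], FrozenSet[int]]) -> str:
    """Return 'allowed', 'violation' or 'unknown-asset' for one flow."""
    src, dst = index.get(flow.src_ip), index.get(flow.dst_ip)
    if src is None or dst is None:
        # Something is talking on the network that nobody inventoried.
        return "unknown-asset"
    if src.sensitivity == dst.sensitivity:
        return "allowed"
    permitted = policy.get((src.sensitivity, dst.sensitivity), frozenset())
    return "allowed" if flow.dst_port in permitted else "violation"


def audit(flows: List[Flow], inventory: List[Asset],
          policy: Dict[Tuple[str, str], FrozenSet[int]]) -> dict:
    """Count verdicts and collect the flows that need a human to look."""
    index = build_index(inventory)
    report: dict = {"allowed": 0, "violation": 0, "unknown-asset": 0,
                    "findings": []}
    for flow in flows:
        verdict = classify_flow(flow, index, policy)
        report[verdict] += 1
        if verdict != "allowed":
            report["findings"].append(
                (verdict, flow.src_ip, flow.dst_ip, flow.dst_port))
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, INVENTORY, POLICY)["findings"]:
        print(*finding)
```

The point of the toy is the order of operations Cole describes: the inventory and its sensitivity tags come first, the segment policy is derived from them, and only then do flow records become checkable. Run against the constructed flows it reports two policy violations and one unknown source host; the unknown host is the finding that matters most, because it shows the data-discovery step is incomplete.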

Bottom line: "To me, one of the big focus areas of 2015 is, do not focus on preventing an attack, focus on controlling the damage of an attack," Cole stresses.

"I think that is a huge mind shift, because if you're trying to stop attacks, you're basically putting up a lot of perimeter-based components, and we've seen that an adversary can easily bypass and get around those areas. You need to approach security differently: How do we control the damage? How do we limit the exposure?"

In this view, Cole says, if the damage at the companies breached last year had been 5 percent of what it actually was, it would not have been news.

"The fact that Home Depot got broken into wasn't the news. What was news was the amount of damage that was done," Cole says.
