Threat Model
Hardly a day passes without news of major hacking incidents, data breaches, denial-of-service attacks, technology espionage, and other sorts of cyber mischief. Sometimes particular companies are the targets. Hackers breached Yahoo (Kan) and stole data on some 500 million users. Dropbox (Rogers) had the passwords of 68 million users stolen and posted on the darknet.
On other occasions, attacks target the shared infrastructure of the internet itself and affect many companies at once. The actors behind such attacks range from foreign states to hostile groups such as ISIS, sometimes working in coordination. A recent example was the Distributed Denial-of-Service (DDoS) attack against Dyn, a major DNS provider (Turton, Today's Brutal DDoS Attack Is the Beginning of a Bleak Future). It brought down a number of popular services, including Netflix, GitHub, and others that depend on Dyn's infrastructure (Turton, This Is Why Half the Internet Shut Down Today). Healthcare companies are particularly exposed because of their voluminous and rich patient data, which combine personally identifying, financial, and health information in one place. Further, the healthcare industry lags in adopting current technology. One database, built from Department of Health and Human Services reports, shows that as of 2015, 41 million people had their data compromised in HIPAA privacy and security breaches at HIT companies, hospitals, and other healthcare entities (McCann). The real numbers are likely much higher, since many incidents go unreported, whether through concealment or because the victim never noticed.
Security is a State of Mind, Not an End State
Your threat model is unique to your systems and your users. Do you have systems that store customer data such as birthdates, social-security numbers, credit card information, or personal healthcare information? Perhaps your systems need to store only a minimal amount of user information. The answers to these questions determine your security posture. What can you do to protect your business and your users? It is tempting to think one can implement a checklist of security best practices and consider the job done. Sadly, no such hope can be found in checklists. Rather, you must foster a culture of security in your organization and among your users. The first step in building a security mindset is knowing your enemy.
Danger Always Strikes When Everything Seems Fine
In Seven Samurai (Kurosawa), a village of farmers is under imminent threat from a band of roving outlaws. These outlaws intend to have their way with the villagers, taking their crops (and whatever else they desire) for themselves. The villagers recruit seven samurai to protect them. The samurai agree to do this, but in doing so they provide an even greater service: they teach the villagers how to defend themselves and show them that they are not powerless in the face of the enemy.
Security Mindset
We can apply the lessons of the samurai to create a powerful security mindset within our organizations:
- Keep Training and Educating. The security mindset is not just for system administrators or the chief security officer. It must be adopted by everyone involved in designing, building, and maintaining your software systems, and by their users. If you handle healthcare data, are your people and vendors taking regular HIPAA training courses? Are they certified? Do your employees know not to open email attachments from untrusted sources? Do you train them on security issues? Do they understand virtual private networking and encryption? Do you have an escalation procedure in place for when a breach occurs? Do your UX designers and system architects build security into the DNA of your systems?
- Vet Your Partners. Perhaps you have designed the next disruptive product that will revolutionize healthcare. The prototypes have been built, and the initial field tests are a raging success. Now it is time to focus on manufacturing. Can you rely on your offshore manufacturing partner in China to deliver a clean, secure product? It turns out that the sustained DDoS attack against Dyn in October 2016 was launched from a botnet of hacked "Internet of Things" (IoT) devices such as video cameras and DVRs (Krebs). Don't assume that IoT just works and is secure. It is your responsibility to trust but verify.
- Beware of the Cloud. It is very easy in IT to get caught up in buzz. This is natural; the field changes quickly and the herd is always chasing the next gold rush. The cloud is a recent example. Cloud computing is an entrenched movement and adoption is clearly ubiquitous. Nevertheless, are these facts alone enough to give us confidence that the cloud raises no security issues worthy of our concern? A wise position is one of healthy skepticism. All marketing stripped away, the cloud essentially means hosting your data on someone else's hardware. For encryption, that often means your private keys live on that hardware too. Are you storing your private keys in virtual machines (VMs) hosted by cloud providers? Are those private keys unlocked (decrypted into memory) on those VMs? If so, they are only as secure as the provider: whoever controls the hypervisor or the VM's disk image can read them (Leek). Once a private key is stolen, all bets are off; every effort you made to encrypt data at rest or in motion is for naught.
- Never Quit Learning and Adapting. Remember, the security mindset doesn’t stop with a checklist (including this one). Technology is always changing. Your enemy is adapting to exploit new weaknesses. Your basic response is to never quit learning about security. You must continuously enhance the security of your systems, procedures, and behaviors of your people and users.
- Hire Your Own Samurai. It is difficult to specialize in every aspect of technology. You need experts who have experience with technologies unique to your situation. Are you building a healthcare application? Are you deploying mobile apps? Will you be relying on cloud technologies? If so, you need a team that understands the unique security demands associated with designing, building, and maintaining products and systems. You need a team that will help you create systems and products that will protect your data, engender confidence and loyalty with your users, and give you a powerful advantage over your competitors.
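The "Beware of the Cloud" point above has a concrete first step: know which private keys on each VM are stored in the clear and which are readable beyond their owner. The Python script below is an added example written for this article; it is not the author's code or any product's. The sample PEM blocks are constructed placeholders (not real keys), and the directories in the usage comment are assumptions. It recognises PKCS#8, legacy OpenSSL (Proc-Type header) and OpenSSH formats, reads the cipher name out of the OpenSSH blob to tell "none" from a real cipher, and reports keys that have no passphrase or loose file modes. It audits only the at-rest state: a passphrase-protected key that is decrypted into a process on the VM is still exposed to whoever controls that VM, which is exactly the warning above.

```python
"""Inventory private keys on a host and flag those stored without a passphrase
or with loose permissions.  Added example for this article, not the author's
code.  Sample keys, directories and issue wording are assumptions."""
import base64
import os
import re
import stat
import struct
import sys
from pathlib import Path

# One PEM block; the END label must match the BEGIN label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
_OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Labels that denote private material; public keys and certificates are ignored.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",            # PKCS#8, no passphrase
    "ENCRYPTED PRIVATE KEY",  # PKCS#8, passphrase-protected
    "RSA PRIVATE KEY",        # legacy OpenSSL; encrypted only if a Proc-Type header says so
    "EC PRIVATE KEY",
    "DSA PRIVATE KEY",
    "OPENSSH PRIVATE KEY",    # cipher name lives inside the base64 blob
}


def _openssh_is_encrypted(body):
    """OpenSSH keys start with a magic string followed by a length-prefixed
    cipher name; the name 'none' means the key material is in the clear."""
    blob = base64.b64decode("".join(body.split()))
    if not blob.startswith(_OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(_OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    cipher = blob[off + 4:off + 4 + n].decode("ascii")
    return cipher != "none"


def classify_pem(text):
    """Return [(label, encrypted)] for every private-key block found in text."""
    findings = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        if label not in PRIVATE_KEY_LABELS:
            continue
        if label == "ENCRYPTED PRIVATE KEY":
            encrypted = True
        elif label == "OPENSSH PRIVATE KEY":
            encrypted = _openssh_is_encrypted(body)
        else:
            # PKCS#1 / SEC1: OpenSSL marks passphrase protection with a header line.
            encrypted = "Proc-Type: 4,ENCRYPTED" in body
        findings.append((label, encrypted))
    return findings


def file_issues(mode, text):
    """Issues for one file given its st_mode bits and contents; files that
    contain no private key produce no issues at all."""
    keys = classify_pem(text)
    if not keys:
        return []
    issues = [f"{label}: stored without a passphrase" for label, enc in keys if not enc]
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append(f"readable by group or others (mode {mode & 0o777:o})")
    return issues


def audit_key_file(path):
    st = os.stat(path)
    return file_issues(st.st_mode, Path(path).read_text(errors="replace"))


# --- constructed samples (not real keys): the key bytes are placeholders ---
SAMPLE_PKCS8_CLEAR = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
SAMPLE_PKCS1_ENC = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "AAAA\n-----END RSA PRIVATE KEY-----\n"
)


def _fake_openssh(cipher, kdf):
    """Build just the header of an openssh-key-v1 blob (magic, cipher, kdf)."""
    blob = _OPENSSH_MAGIC
    for s in (cipher, kdf):
        blob += struct.pack(">I", len(s)) + s.encode("ascii")
    b64 = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_OPENSSH_CLEAR = _fake_openssh("none", "none")
SAMPLE_OPENSSH_ENC = _fake_openssh("aes256-ctr", "bcrypt")

if __name__ == "__main__":
    # Usage: python audit_keys.py /etc/ssl/private ~/.ssh   (directories are assumptions)
    for root in sys.argv[1:] or ["."]:
        for p in Path(root).rglob("*"):
            if p.is_file():
                for issue in audit_key_file(p):
                    print(f"{p}: {issue}")
```

Run it on each VM as part of provisioning, and treat every line of output as a key the provider (or anyone who images the disk) can use directly. A clean report still does not make the keys safe from the host: it only tells you which ones are exposed without any further effort.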
"Darknet." 6 November 2016. Wikipedia: The Free Encyclopedia. Wikimedia Foundation, Inc. 7 November 2016. <https://en.wikipedia.org/wiki/Darknet>.
Kan, Michael. "Yahoo data breach affects at least 500 million users, company says." 22 September 2016. PC World from IDG. 7 November 2016. <http://www.pcworld.com/article/3123426/security/yahoo-data-breach-affects-at-least-500-million-users.html>.
Krebs, Brian. "Hacked Cameras, DVRs Powered Today’s Massive Internet Outage." 21 October 2016. Krebs on Security. 7 November 2016. <https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/>.
Leek, Tom. "Will my hosting provider be able to see my SSL private keys?" 9 September 2015. Information Security Stack Exchange. 7 November 2016. <http://security.stackexchange.com/questions/99886/will-my-hosting-provider-be-able-to-see-my-ssl-private-keys>.
McCann, Erin. "HIPAA breaches: The list keeps growing." 12 March 2015. Healthcare IT News. 7 November 2016. <http://www.healthcareitnews.com/news/list-biggest-hipaa-data-breaches-2009-2015>.
Rogers, James. "Dropbox data breach: 68 million user account details leaked." 31 August 2016. Fox News Tech. 7 November 2016. <http://www.foxnews.com/tech/2016/08/31/dropbox-data-breach-68-million-user-account-details-leaked.html>.
Seven Samurai. Dir. Akira Kurosawa. Perf. Toshiro Mifune, Takashi Shimura, Keiko Tsushima, and Isao Kimura. Toho, 1954.
Turton, William. "This Is Why Half the Internet Shut Down Today." 21 October 2016. Gizmodo. 7 November 2016. <http://gizmodo.com/this-is-probably-why-half-the-internet-shut-down-today-1788062835>.
—. "Today's Brutal DDoS Attack Is the Beginning of a Bleak Future." 21 October 2016. Gizmodo. 7 November 2016. <http://gizmodo.com/todays-brutal-ddos-attack-is-the-beginning-of-a-bleak-f-1788071976>.