Well, it's a bit complex. Some businesses, such as Home Depot, decided "We sell hammers" and, out of ignorance, fell prey to criminals.
Other businesses calculate, with business rationale, their risks, exposure, loss expectancy per year, value of the information and other values to determine how much to spend to protect their data.
Occasionally, the estimate of a specific risk is wrong and a breach occurs with data loss. Moderately often, the risk is properly judged, a breach occurs anyway and it comes down to incident response efficiency. Efficient incident response is key to halting the breach before significant harm has occurred.
This is largely science, still partially art. Way back in 1995, I told small- to mid-sized businesses, "You can't keep them out; they're 24/7/365 and your office is not. You can only hope to slow them down enough to prevent major damage to your business." That is as true today as it was then.
To add fun to the mixture, the threats are varied. They range from the disgruntled employee, through the script kiddie and the more knowledgeable hacker, to the Voldemort of adversaries, the "Advanced Persistent Threat" (APT in the profession). Those range from well-funded, experienced cyber-criminals to nation states that use the information for economic or potential military advantage.
Yeah, it gets thick quickly. I started my career in information assurance/information security after retiring from the military. As a reservist, I held down a full-time job plus my military duties. I've re-invented my career five times in my life outside of the military and several times within the military: as injuries limited operational capabilities and, earlier on, when a specific missile system was eliminated by a welcome treaty, which gave me the opportunity to experience new fields of operation.
On the civilian side, I've repaired consumer electronics to component level (TVs, VCRs, CD players, DVD players, CD/DVD recorders, etc.). When those became essentially disposable, I moved into an area of interest, computing. I still retain an enterprise-level network in my home. As I relocate, I intend to turn a relatively basic internet network that can "see" the internet into a multi-tiered TLA stack to protect my network as well as I've protected both DoD clients and corporate clients.
I entered information assurance during my DoD contracting time after retiring. I had lower-level experience, wanted to advance, had a clearance and a DoD contractor wanted a body. They got a body that instinctively knows how to troubleshoot and learns very fast. I became the LAN/WAN shop's "Shell Answer Man", for those who recall that commercial of my youth. Over time, I assumed control of the antivirus server, patch server, web filter and e-mail filter. Shortly after that, an IA position was created (finally, as DoD had had that requirement for three years previous). I became the installation IASO (Information Assurance Security Officer), amusingly a Major's slot in an Army-centric environment. My career was exclusively enlisted; although I was offered a narrower Warrant Officer position, I declined due to disinterest. Besides, I made more on the civilian side. I still do. I'd continue, but I'd fear for my team: with so many injuries and osteoarthritis advancing, I retired out of fear that the team would try to protect me.
So, what does it take to fully protect a computer? A network is always at risk, period. If one point sees another, there is risk.
Encase it in concrete after severing or removing all wires, put a depleted uranium case around the concrete, then immerse the lot in a volcano.
If it can be touched at any time, it is at risk.
Networks that cannot see or "talk" to the internet are still at risk, as PFC Manning showed. Oh wait, Manning is in prison, rightfully so. The Private First Class should've been joined by his company commander, his S2 officer and NCOIC, at a minimum, per US Army regulations. When a service member (or DoD civilian, contractor or government employee) is facing deleterious personnel action, access to classified information is to be immediately curtailed.
Yeah, a lot of people should be in cells next to Manning. But, the Army moves in self-protective ways and protects idiots under the Peter Principle.
Consider what Manning and his command staff, by refusing to do their jobs, put at risk: NIPRnet (the unclassified network, which is FOUO (For Official Use Only)), SIPRnet (Secret data only; you can't find anything that looks like the internet there, let alone the internet itself) and JWICS (suffice it to say, Top Secret and Special Compartmentalized Information, the shit of nightmares. Want to know how to build a modern thermonuclear device? There. How to find the POTUS during WWIII? There. Information that would start both WWIII and WWIV? There.) More common is really, really boring shit.
Like programming information about an APT malware program that tried to find out how many men's shirts were laundered, or something equally boring but interesting to an intelligence agency.
I'm going to use the term risk many, many times. What are risks? Hackers?
Only in part.
There is insider risk, where an employee intentionally or unintentionally creates a vulnerability, steals information or even steals assets.
There are external risks, the "hackers", of which there are several varieties: the "script kiddie" of rather limited skills, who uses tools that they download; the regular hacker type, who typically goes for the low-hanging fruit, information left easily obtainable, well-known vulnerabilities, lousy passwords, etc.; then the "Advanced Persistent Threat", typically well-funded criminal organizations and nation state actors, to really simplify things.
All capitalize upon vulnerabilities: an unpatched server with known vulnerabilities in its software, loose permissions on files and services; injecting specially crafted traffic into a vulnerable software platform can result in privileged access to the server. Phishing attacks are e-mails crafted to trick a user into clicking a malicious link, opening a malicious file that appears valid, etc. Spear phishing attacks, rather than widely spread attacks, are personalized attacks on key personnel; Facebook is a goldmine for those actors. Watering hole attacks use a compromised website that is utilized heavily by those in the targeted industry or group.
As mentioned before, an inside user can also be a disgruntled employee or one soon to be departing the organization. Think PFC Manning, who knew discharge was pending and sought vengeance. It's an ancient motivation that is well known in the security community, and US Army regulations were ignored: when there is a pending deleterious personnel action, access to classified information is to be withdrawn. In that instance, around a half dozen enlisted and commissioned officers refused to do their jobs and, bluntly, they should be in the cells around PFC Manning.
Vendors and contractors are a risk vector: Home Depot had a contractor in to work on equipment unrelated to the POS system, but the network was shared with the POS system. When the contractor's infected computer plugged into the network, the malware scanned, found and installed itself into the POS system. It is believed that the contractor received the malware via a spear phish attack.
Follow me below for a "goobered down" version that would likely get you to pass a Security Plus exam. The formulae are not required for the Security Plus exam, but key concepts are all included.
In information security, there are a few key concepts. Chief is...
The CIA triad. No, not the Central Intelligence Agency, although the agency does follow the triad.
Confidentiality. Private things remain private, not public. For private things, private going out is bad. Want your Social Security Number to go out on the internet? No, I don't want it either, although OPM (the US government's Office of Personnel Management, the people who track all US government employees, contractors, military personnel, etc. and their clearances) managed to lose that and far more intimate information. Yeah, intimate bad shit beyond any Home Depot breach.
Been there, done that. Got exposed at Michaels, Home Depot, OPM and a few others. OPM is the worst.
Integrity. It's intact, nobody screwed with it.
Availability.
So, private things remain private, intact and able to be accessed as needed. Way cool, right?
If you said no, I'm hoping that you're joking. We need to access our data, insurance companies need to bill when we're ill and the doctor takes care of us; the reasons things are cool when it works are endless.
When it's broken, things go massively sideways.
Integrity.
Data is intact, unaltered by unauthorized personnel and accessible only by authorized personnel.
Availability.
Data is available to authorized personnel when they need to access it.
We also have multiple ways to handle risk, which will be calculated a bit further down in this diary.
Risk acceptance.
See Home Depot's "We sell hammers". Simply accepting the risk, ignoring the potential cost of a breach. That said, some risks have to be accepted, such as having an online presence and workstations able to access the internet.
Risk avoidance.
The most expensive option: all risks are mitigated. See the US DoD and most other organizations. Networks may be fully segregated; some will never have internet access. Needless to say, it is quite secure.
Risk limitation.
The most common manner of handling risk: some risks are accepted (such as operating a website, employee access to the internet, or disk drives that may fail, where backups prevent protracted outages, etc.) and the rest are mitigated.
Risk transference.
Have vendors help with risk mitigation, provide external services (such as cloud presence), even insurance against loss from risks.
So, how do you protect your client or customers information?
That gets complicated, on a business term.
Businesses are all about making money; publicly held companies (i.e., on the stock market) have to return value on the money invested in the stock purchase.
Sarbanes-Oxley ensures a CEO/CIO goes to prison if they're lacking due care and due diligence over the data under their trust.
Observed a few of those since I've departed the DoD.
Corporate suddenly gets interested!
So, let's get into the equations used by business and how they were disrupted by the Sarbanes-Oxley Act adding criminal penalties if financial information goes astray or is deleted by unauthorized personnel. Few CEOs want to go to prison, which made information security of greater import to the top corporate officers, so risk management was prodded up from the basement of considerations and now gets greater attention.
First, data is collected on the monetary value of the data used by employees. Managers are then pressed on what would be lost if all of that data were lost, now and over the past year.
The value of the data comes from the employees who use it (in a software development program, the developers); the cost of losing it comes from management, then later from employees to fill out the picture.
One then judges the exposure factor (EF), the portion of the asset's value that would be lost if the risk occurred. This is subjective in nature, but it does help gauge the risk and the cost of mitigating risks to the asset.
For the purpose of this discussion, we'll use 25% as the EF. We'll plug in a low asset value (AV) of $100,000. So, to determine the single loss expectancy (SLE), one multiplies AV by EF to find, in this example, that the SLE is $25,000.
But we're not done yet. We now get with the insurance company to find out the annualized rate of occurrence (ARO) for the risks we're trying to protect against (or decide not to, if the risk is so low that the cost of mitigating it would be more than the asset value).
Let's say it has been a bad string of years and we're examining a web server. ARO is thrice per year.
We now multiply ARO times SLE to get the annualized loss expectancy (ALE).
We now know that the ALE is $75000 per year.
So, we can expect to lose everything three times per year. We have a software filter that costs $4,500 per year, a smart filter that costs $10,000 per year and man-hours of $30,000 for that asset, totaling $44,500. If that eliminates the risk, that is excellent; it's under the ALE. We can go as high as the ALE, but no higher, or we're overspending and will end up bankrupt.
We do this for every major asset, then massage the expenses, spending over the ALE for one higher-risk asset with the savings on other mitigations.
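The arithmetic above (SLE = AV × EF, ALE = SLE × ARO, then spend no more than the ALE on controls) is small enough to script, and scripting it is how you do it "for every major asset" without losing track. The block below is an added example, not part of this diary: it carries the diary's web server numbers through and adds one constructed asset whose control costs more than its ALE, so the portfolio view shows whether savings on one asset really cover overspending on another. The asset names, the second asset and its figures are made up for illustration.

```python
"""Quantitative risk math from the diary: SLE = AV * EF, ALE = SLE * ARO,
then compare the annual cost of countermeasures against the ALE.
Added example; asset names, the second asset and its figures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    asset_value: float        # AV, in dollars
    exposure_factor: float    # EF, fraction of AV lost when the risk occurs (0.0 to 1.0)
    aro: float                # annualized rate of occurrence, events per year
    controls: dict = field(default_factory=dict)  # control name -> annual cost in dollars

    def sle(self) -> float:
        """Single loss expectancy: what one occurrence costs."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year before controls."""
        return self.sle() * self.aro

    def control_cost(self) -> float:
        """Total annual spend on controls for this asset."""
        return sum(self.controls.values())

    def verdict(self) -> str:
        """Spend up to the ALE, never more: over the ALE we are overspending."""
        return "within ALE" if self.control_cost() <= self.ale() else "overspending"


def assess(assets):
    """One summary row per asset plus a portfolio line: total ALE vs total control spend.
    The portfolio view is what tells you whether savings on one asset cover overspending
    on another, which is the "massage the expenses" step."""
    rows = [{"asset": a.name, "SLE": a.sle(), "ALE": a.ale(),
             "controls": a.control_cost(), "verdict": a.verdict()} for a in assets]
    total_ale = sum(r["ALE"] for r in rows)
    total_cost = sum(r["controls"] for r in rows)
    portfolio = {"ALE": total_ale, "controls": total_cost,
                 "verdict": "within ALE" if total_cost <= total_ale else "overspending"}
    return {"rows": rows, "portfolio": portfolio}


# The diary's web server example: AV $100,000, EF 25%, ARO 3, controls totaling $44,500.
WEB_SERVER = Asset("web server", asset_value=100_000, exposure_factor=0.25, aro=3,
                   controls={"software filter": 4_500, "smart filter": 10_000, "man-hours": 30_000})
# Constructed second asset: a $6,000 control against a $5,000 ALE is overspending on its own.
FILE_SERVER = Asset("file server (constructed)", asset_value=20_000, exposure_factor=0.5, aro=0.5,
                    controls={"backup service (constructed)": 6_000})

if __name__ == "__main__":
    report = assess([WEB_SERVER, FILE_SERVER])
    for r in report["rows"]:
        print(f'{r["asset"]:28} SLE ${r["SLE"]:>9,.0f}  ALE ${r["ALE"]:>9,.0f}  '
              f'controls ${r["controls"]:>9,.0f}  {r["verdict"]}')
    p = report["portfolio"]
    print(f'portfolio ALE ${p["ALE"]:,.0f} vs controls ${p["controls"]:,.0f}: {p["verdict"]}')
```

Run it and the web server comes out at SLE $25,000 and ALE $75,000 against $44,500 of controls, the constructed file server is over its own ALE, and the portfolio as a whole is still under budget. The EF is a judgement call, so the check on it is only that it is a fraction; the numbers are only as good as the ARO the insurer gives you.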
To say that this is exhaustive and exhausting is to understate it, but it must be done or we join Home Depot and oh so many others in being breached.
So, did we eliminate the risk of a breach?
Nope. We didn't encase the assets in concrete, severing all wires first, then encasing it in depleted uranium and drop the lot of it into an active volcano. We can't do that and conduct business.
So, we do the next best thing: log aggregation and monitoring. When an incident occurs, be it a virus infection on a workstation or odd logons from a user in Chicago logging in from Hong Kong, the monitors note the incident, investigate and pass things to incident handlers, who complete mitigation of the incident. Computer emergency response departments get involved, the equivalent of the famous Apollo 13 line, "Time to wake up ten thousand people". Of course, scaled down, depending upon the size of the enterprise.
When I was contracting for the DoD, monitoring was done at the theater level in one GCC nation, which monitored all of the networks under its domain, meaning Iraq, Qatar, Kuwait and Afghanistan. Response was much more rapid than if it were monitored stateside.
Other organizations are also global, but monitoring is done near company headquarters. Things get interesting when one isn't only dealing with time zones, but the international date line! Response is slowed, as responders have to locate the manager responsible for that branch of the network and leave a message if they're in a meeting or sleeping.
Larger organizations will also build threat intelligence services and acquire intelligence from US government agencies (which creates information sharing problems if the business is international), plus multiple computer emergency response units, which overlap with the threat intelligence organization. Threat intelligence and the computer emergency response teams gather intelligence on the threats the organization faces: dissecting malware that was targeted against the company, discovering its behavior, where it tries to report to, where it gains instructions from and where it tries to deliver its data (exfiltration), then presenting that to antivirus and other protective technology companies in order to block the behavior, block illicit traffic and delete the malware.
Other mitigations are essentially costless: network segmentation, distribution of duties and responsibilities, patch management (may or may not be costless, depending upon what method is used) and antivirus (managed antivirus isn't extremely expensive for large organizations) all play a part in keeping the enterprise out of trouble. It's far easier to "bake in" security when a network is being designed than to add it in as an afterthought.
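The "user in Chicago logging in from Hong Kong" case is the classic thing a monitoring shop pulls out of aggregated logon logs: two logons for the same account, farther apart than anyone could have travelled in the time between them. The block below is an added example, not the diary's or any vendor's code, of that detection run over a constructed log sample. The log format (timestamp, user, city, latitude, longitude), the sample lines, the coordinates and the 1,000 km/h cut-off are all assumptions for illustration; a real deployment would take the geolocation from its own source and tune the threshold.

```python
"""Flag 'impossible travel' logons: the same account logging in from two places
farther apart than it could have travelled in the time between the logons.
Added example; the log format, sample lines, coordinates and speed cut-off are constructed."""
import math
from datetime import datetime, timezone

# Constructed sample of an aggregated logon log: ISO-8601 UTC timestamp, user, city, lat, lon.
SAMPLE_LOG = """\
2015-09-01T08:02:11Z jdoe Chicago 41.8781 -87.6298
2015-09-01T08:45:30Z jdoe Chicago 41.8781 -87.6298
2015-09-01T10:15:05Z jdoe HongKong 22.3193 114.1694
2015-09-01T09:00:00Z asmith NewYork 40.7128 -74.0060
2015-09-02T09:30:00Z asmith London 51.5074 -0.1278
"""

MAX_SPEED_KMH = 1000.0  # assumed cut-off: faster than an airliner means the same person cannot have done both logons


def parse_log(text):
    """Parse the constructed log format into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, city, lat, lon = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "city": city, "lat": float(lat), "lon": float(lon),
        })
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in km."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per pair of consecutive logons (per user, in time order)
    whose implied travel speed exceeds max_speed_kmh. Two logons from the same place
    are never an alert; a nonzero distance in zero elapsed time always is."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0.0:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            if hours <= 0.0 or km / hours > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "hours": round(hours, 2)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_log(SAMPLE_LOG)):
        print(f'{alert["user"]}: {alert["from"]} -> {alert["to"]}, '
              f'{alert["km"]} km in {alert["hours"]} h, hand to incident handlers')
```

On the sample, jdoe's Chicago to Hong Kong hop (roughly 12,500 km in under an hour and a half) is flagged and asmith's New York to London logons a day apart are not. The alert is a lead for the monitors to investigate, not proof of compromise on its own: VPN egress points and shared accounts produce the same pattern, which is why the threshold and the geolocation source need tuning per environment.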
Regrettably, baking it in isn't very common, as many, many networks were stood up before any concept of information security was found to be important. So, security ends up being retrofitted in, which can create gaps.
To avoid those gaps, organizations create an accreditation system, where specific baseline configurations must be instituted to permit the subnet to remain connected to the corporate network and specific protections must be in place (it's more than firewalls, folks: e-mail filtering, web filtering, intrusion protection systems, host-based IPS/antivirus/firewall and more are part of a comprehensive defense in depth).
Some years back, I took a seven-year interim authority to operate a DoD network (which was as illegal as can be; an IATO is only permitted for one year) into a full authority to operate the network.
We documented, documented and, when done, documented some more. We explored where each of our fiber optic cables went. We drew network maps, defined our network, server and system baselines and got all pirated software off of the computers. Yeah, pirated software is a grave risk, either from malware or from civil penalties for stealing a company's software.
Some other changes in baseline were performed and after several months of hectic, hard work, our network was blessed by DISA and we were awarded our authority to operate.
For fun, we changed accreditation methods in the midst of this, from DITSCAP to DIACAP processes and documentation. Fortunately, steep learning curves are one of my fortes.
Fun days. Well, at least I got them to institute change management. Before that, changes could occur randomly, with no stakeholder input.
An example of the lack of change management was when one day, I was working on a script for all of the computers on the base to use when the computer itself logged into the network.
Suddenly, my DOS prompt disappeared. I checked and couldn't even find the icon in my start bar or quicklinks bar. I turned and said (names obfuscated to protect the guilty), "Q, where did my DOS prompt go?" I heard the reply, "Hehe, woo-hoo, I'm working on a change here." I inquired, "What change and why?" "Oh, an IAVA came in, we need to remove the DOS prompt from non-privileged users." "Q, I am a privileged user and I can't access my elevated access DOS prompt to do my job. I'm now going to admire this pretty wall, not finish the other tasker we have to have done today, and my shift report will reflect that the tools necessary to do my job were withheld by management." "Oh, I'll fix that right away." "Thanks, Q."
Change management would have had the change discussed in the change management committee and implementation planned in advance, then the change conducted properly. Worse changes occurred before change management was implemented. One was a loop in a computer login script, which prevented the computer from ever reaching its login script, introduced while I was implementing the DoD ordered change. When I was checking why the loop occurred, my changes were missing and a loop had been introduced. I slapped a tail program on the file to see if it was being changed; sure enough it was, and the loop was reintroduced differently.
I picked up the phone and called Q. "Q, are you working on the login script?" "Woo-hoo, yes. I'm working on the ordered change." I stated, "Stop it! You're a manager now, manage and leave the script to those who are supposed to work on the script! Oh, and I fixed your screw-up and implemented the change the right way."
Hey, I never said that I was a diplomat.