It would be nice if there were a risk-free way for organizations to publish the lessons they (hopefully) learned from data breaches, because we could all benefit. But the good news is that things eventually leak out, details are shared with responsible reporters, and if you do your research you can learn a lot from data breaches in the months after they fade from the headlines.
And that's exactly what we're doing with the breaches that have occurred over the last year or so, in both the commercial and federal space. Rather than play Monday morning quarterback, we want to take a constructive approach to analyzing what we know about these incidents and look for opportunities that the rest of us can exploit (in a good way :)!) to prevent or at least limit the impact of similar breaches on our networks.
Here's a sampling of what we are finding. As you will note, some of them are definitely the basics, but that makes them all the more important to consider.
- Having policies but not following them; ineffective controls
- Weak passwords
- Incomplete patching
- Vulnerability scanning without a purpose
- Segment network and people
- If your pentest doesn't find anything, get another tester
- PCI certification doesn't mean much
- Insulate yourself against vendor/contractor risks/breaches
Something to think about is the fact that many of these organizations are reputable, successful institutions that weren’t new to cyber security. Yet some of the failures are really basic. These organizations had policies and controls in place, yet some of the very risks they were supposed to mitigate were exploited by the attackers. Why?
That may be the most important lesson of all. Dell Software is our sponsor for this event and Alvaro Vitta will briefly show how their array of security solutions can help you implement the lessons learned – especially the most important one.
And it is important because the damage from breaches is big. For many organizations the long-term consequences have yet to be assessed, but people lose jobs, there are hard costs to the business just cleaning up from the incident, customers leave, and the list goes on.
Don't miss this real training for free™ event. Please register now.