Many security breaches over the last year have taught us new lessons (or clarified ones we should have already learned). This paper reviews these key issues and focuses attention on 10 responses that we all need to adopt in our approach to security in 2015.
The security breaches of 2014 were more numerous than in any previous year. They ranged from nuisance hacks to identity theft to the attempt to extort a major motion picture organization. Many of these attacks were preventable, mostly because prior security breaches have demonstrated flaws, misconfigurations, and design mistakes that many other organizations continue to have. Too many fail to learn from the mistakes and losses of others. If we hope to get ahead of the onslaught of hacks and attacks in the future, we have to learn from others. Here are ten key lessons we need to learn (or learn again) from compromises.
1. Email Is Not Private
Email has always been a plain text communication medium. However, many have forgotten that or have become confused about its security over time. Those who use a web browser to access their email often see https as the prefix of the URL, meaning their connection to the webmail server is secure. But that SSL/TLS-encrypted connection only protects the link between your browser and the webmail server while you access and read your messages; it says nothing about how those messages travel beyond that server. Likewise, email client users may have configured SSL/TLS connections to their email server at their ISP or office. This type of connection protects the sending and receiving of messages, but only between the client and your local email server. Messages sent to other recipients across the Internet, and received from others, are often relayed in plain text.
Email messages sent and received across a public Internet link are likely sent in their original plain text form. Several email service providers, such as Google, Microsoft, and Yahoo, have announced that they are in the process of setting up encrypted email transmissions for messages between their own members and others that join in their initiative. However, it may be years before a majority of messages are encrypted for transit. And I would not ever make the assumption that all messages will be encrypted for the foreseeable future.
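The hop-by-hop nature of that transit encryption can be checked on a received message: each relay prepends a Received: header, and the RFC 3848 "with" keyword in it records whether that hop used STARTTLS (ESMTPS, ESMTPSA) or plain ESMTP/SMTP. The script below is an added example, not code from the original paper; the message it parses is constructed for the example, and the hostnames and ids in it are made up.

```python
import email
import re

# Constructed sample message for this example (not a real capture): three
# Received: hops. Mail servers prepend Received: headers, so the first header
# in the message is the last hop the message took.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
        by mail.example.com with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
        Mon, 05 Jan 2015 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
        by mx.example.org with ESMTP id def456;
        Mon, 05 Jan 2015 10:00:01 +0000
Received: from [10.0.0.5] (user-laptop.example.net [203.0.113.9])
        by relay.example.net with ESMTPSA id ghi789;
        Mon, 05 Jan 2015 10:00:00 +0000
From: alice@example.net
To: bob@example.com
Subject: quarterly numbers

The body travels exactly as the headers above say it did.
"""

# RFC 3848 "with" keywords: an S after SMTP means the hop used STARTTLS,
# a trailing A means the sender authenticated. Anything else was a plaintext hop.
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_TLS_RE = re.compile(r"version=([A-Za-z0-9_.]+)")


def parse_hop(received_value):
    """Turn one Received: header value into a dict describing that hop."""
    # Collapse header folding (newlines plus indentation) into single spaces.
    text = re.sub(r"\s+", " ", received_value).strip()
    from_m = _FROM_RE.search(text)
    by_m = _BY_RE.search(text)
    with_m = _WITH_RE.search(text)
    keyword = with_m.group(1).upper() if with_m else ""
    tls_m = _TLS_RE.search(text)
    return {
        "from": from_m.group(1) if from_m else "?",
        "by": by_m.group(1) if by_m else "?",
        "with": keyword,
        "encrypted": "SMTPS" in keyword,
        "authenticated": keyword.endswith("A"),
        "tls_version": tls_m.group(1) if tls_m else None,
    }


def trace_hops(raw_message):
    """Return the hops in chronological order (sender's side first).

    Only the 'with' keyword is used as evidence of TLS. A Received: header is
    written by the receiving server, and any hop can forge the headers that
    came before it, so this is evidence of what each relay claims, not proof.
    """
    msg = email.message_from_string(raw_message)
    values = msg.get_all("Received") or []
    return [parse_hop(v) for v in reversed(values)]


def plaintext_hops(raw_message):
    """Names of the relays that accepted this message over an unencrypted link."""
    return [hop["by"] for hop in trace_hops(raw_message) if not hop["encrypted"]]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_MESSAGE):
        state = "TLS " + (hop["tls_version"] or "") if hop["encrypted"] else "PLAINTEXT"
        print(f"{hop['from']:>28} -> {hop['by']:<18} {hop['with']:<8} {state}")
    print("unencrypted at:", plaintext_hops(SAMPLE_MESSAGE))
```

In the constructed message the user's laptop submitted over TLS and the final delivery used TLS, but the middle hop between relay.example.net and mx.example.org was plain ESMTP, which is exactly the gap the paragraph above describes: encryption on the first and last leg says nothing about the legs in between, and the only way to close that gap end to end is to encrypt the message content itself.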
There are two approaches I want you to consider when dealing with email. First, minimize the transmission of information across email that could cause you problems (or heartache) if it was intercepted in transit, whether by your employer, family, government, or hackers. Seek out a more secure form of information transfer, such as encrypted file exchange, text chat, or video conferencing, for those items of importance or value. Second, start using an email encryption utility yourself. This is currently a mechanism available mostly to users of standalone email clients, such as Thunderbird and Outlook, but may be available to web-based email through the use of browser plug-ins. S/MIME is an email encryption and digital signature solution that you might already be using at work, as it is a standard and integrates well with smart cards, Common Access Card (CAC), and Personal Identity Verification (PIV) devices. Another encryption mechanism to consider is that of PGP (commercial), GPG (GNU licensed), or OpenPGP (open source). The primary drawback to client-based email encryption solutions is that your recipient must have a corresponding solution installed in order to decrypt your messages or verify your digitally signed messages.
If you fail to encrypt your emails, there are others who are more than willing to read them without your knowledge or consent.
2. No Network Is Fully Secure
If you have attended any security training, I'm sure you were informed of the fact that security is never a completed project; it is always a journey whose destination changes often. There is no perfectly secure network, and it is impossible to construct one. There are always means to breach security, whether through technical exploits, physical breaches, or social engineering. However, many organizations seem to act as if their security is complete, their network is unbreachable, and their environment can be fully trusted. In 2014, hundreds of organizations realized that their networks were not perfect when hackers broke in to cause damage and steal confidential information.