Jan 15, 2014

Security in the Year of the Mega Breach:
How to Protect Yourself and Your Organization from the Most Common Attacks

In today's Whiteboard Wednesday, Jay Roxe, Director of Products at Rapid7, will discuss the topic, "Security in the Year of the Mega Breach".

Jay discusses the most common threat vector used to acquire both personal and organizational data: deception-based attacks. Deception-based attacks are among the toughest attacks to control. Security professionals are getting much better at locking down a network; however, it is very hard for them to stop somebody from gaining access to a network through a user on that network. This is why we are seeing such a large rise in deception-based attacks through social engineering tactics such as phishing emails.

Watch this video to come away with actionable ways to avoid deception-based attacks both in the workplace as well as outside the workplace.


Welcome to Whiteboard Wednesday. My name is Jay Roxe. I'm one of the Directors of Products here at Rapid7. We're here today to talk about security in the era of the mega-breach.

A couple of years ago, we had seen reports that the number of records compromised in any given year was actually declining. You don't have to read the headlines very far to see that got completely reversed around the end of last year, when we saw a mega breach at Target, Neiman Marcus and a number of others that don't rise to the point of being 18-point font above the fold.

The thing that unifies the risks for both the consumers and for organizations is the idea of deception-based attacks. We don't know how Target got breached, Neiman Marcus, any of these others. But we can look at what we see as the most common trends in terms of attacks we're seeing in the world today. And that's going after the consumer, going after the user of the corporations' data.

A lot of things haven't changed. We see that proper password hygiene is something that really threatens consumers and it's hard for them to follow. The Cupid Media breach that occurred at the end of last year exposed 42 million passwords. That's one of the largest troves of passwords ever uncovered, but 42 million passwords that had been stored in plain text. And some of the most common passwords are ones that would not pass even the lightest password requirement check, things like '123456'.

Consumers can protect themselves in the era of the mega-breach. There are a couple of simple techniques. Make sure they've got the proper password hygiene in place so that if their password is one of the ones leaked, it's not going to be something that can be reused or can easily be guessed or cracked.

If you think you may have been exposed through one of these breaches, make sure that you're checking your bank accounts regularly, and be wary of phishing attacks: people that may be trying to get more information from you using things that they may have gained through one of these mega-breaches.

For organizations, there are a lot of challenges that can be similar. You need to monitor for deception-based attacks.

Over the past years, we've seen companies get a lot better at securing their firewall, at securing their servers, and even at securing the endpoints in the organization. When I presented with John Kindervag from Forrester a couple of weeks ago on one of our webcasts, John made a great point about how we've spent 20 years teaching people to go click on a link in an email to get their job done. But with the rise in deception-based attacks, that becomes a dangerous activity for people to pursue.

Organizations need to look at helping their users understand what could be a phishing attack, what could be an attack that enables the attacker to just log in through the front door, log in through the VPN, directly into the network and then go access any of the information.

They need to implement some tools that do this, and there's a variety of different tools that can make sense. Anything that helps you understand what user behaviors are and identify and remove anything that's an anomalous behavior is something that corporations need to be investigating.

You also need to go test your security controls. It's great to say that you have an appropriate control in place, but just like you check to make sure people know how to evacuate from the building in the event of a fire, you need to check to make sure that the compensating controls you have in place on your network are actually making you as secure as you need to be.

The era of the mega-breach isn't ending. We're going to continue to see people go after large corporations, go after credit cards, because it's far easier to capture some of that information by deceiving a user than it is to break into a bank.

Deception-based attacks will continue to be something that organizations and consumers need to be concerned about. But there are certain basic principles that people can put in place, which we've discussed here, that help to defend the organization.

Thanks very much for attending this Whiteboard Wednesday and we'll hope to see you next week.
