This week we had yet another massive government breach, and many are finally concluding that these breaches are the result of incompetence and thus are inexcusable. China, Russia, and a host of others are actively attacking these government services, and there is still a robust criminal element looking to get any piece of valuable information it can in order to steal our identities and run up our credit. This is all largely happening because these large agencies and firms are still mostly relying on outdated perimeter security technology that has proven inadequate for over a decade now.
We have had, for some time, the technology to fix the problem.
I used to be a security auditor, and it became clear to me that the typical approach to security simply wasn’t working. That doesn’t mean perimeter defenses should be removed, any more than you should remove your door locks because people breached you by climbing over your walls or breaking your windows. But security is applied in layers, and if folks were regularly going over your walls and through your windows, or in this case using your keys, you’d need a way to secure the inside of your building, because securing the perimeter wasn’t effective enough.
This eventually got me to Varonis, a very specialized security firm which focuses on securing the information itself and reporting immediately if there is any unauthorized, or unusual authorized, access. In another government agency (which doesn’t want to be mentioned) there was a suspicion that a breach similar to the one that leads this column (though far smaller) was in progress. Varonis came in and installed their solution, and after 3 days of scanning they identified that an authorized user, on a different internal network from the one being breached, was pulling files they didn’t have clearance for. After the user was identified, an investigation discovered they were selling this information to third parties.
They not only stopped the breach, they were also able to put in safeguards to ensure the same approach would not be successful again and that others trying a different approach would either be blocked or immediately flagged for investigation, massively reducing the exposure.
Varonis scans at other government agencies routinely find that up to 90% of the people that have access to sensitive information aren’t authorized to see it. This isn’t just at government organizations, though; a scan at a large casino discovered that almost every employee had unauthorized access to customer credit card data. This is an error that undoubtedly caused the CIO to see his or her life pass before their eyes, and it did result in massive operations and policy changes.
Breaches like this are potentially company killers. We saw a far smaller breach at Target, and that firm is still on life support because customers don’t trust them. But a breach at a military organization could be an entirely different beast, because it could be a prelude to an attack resulting in huge numbers of avoidable deaths. We are currently sweating broad attacks on infrastructure which could drop us all into a Mad Max kind of world pretty quickly or, at the very least, open us up to blackmail from a hostile government. (We do what they say or they shut the country down.)
This isn’t an area where we can close our eyes and pretend the bad men will go away. Whether Varonis or some other technology is used (and we do need to think layers here), if the government doesn’t get its act together we could be talking about a far different and likely far less comfortable future.