Analysis

Enterprise post-breach mantra must be 'how' not 'who'

Hack me once, shame on you! Hack me twice, shame on me!

There should be no doubting the fact that the US Office of Personnel Management (OPM) has been subject to a breach of quite dramatic proportions. The reports that details of up to four million past and present government employees have been compromised are big news.

The OPM is the agency responsible for both the screening and the hiring of the vast majority, and we are talking something in the region of 90 per cent, of federal government staff. This includes the approval of security clearances. Once you realise that, the importance of the news is frankly a given.

That this is the second serious breach within the same department in less than the space of a year makes the story even bigger. So why is the world's media, including most of the specialist security and tech press as far as I can see, obsessing over the wrong headline?

Everywhere I look, I see stories covering the attribution angle. The who and not the how. Everyone, it would appear, is salivating over the 'spy movie in the making' notion that the Chinese were behind this 'Nation State Sponsored' attack.

This could, of course, well be the case. The who is ultimately part of the story. What it isn't, at least from the enterprise security perspective, is the most important part of it. If business is to learn from breaches such as this, and business must because the same techniques and exploits will almost inevitably filter down the threat food chain and strike eventually, it must focus on how the perpetrators managed to do what they did and stop them from being able to repeat it.

Attribution is nothing but a distraction at this stage in the game, and one that We The Media seem to have an unhealthy, and certainly unhelpful, obsession with.

For one thing, attribution for such attacks is almost always difficult in the extreme to establish successfully, at least for a very long time after the event. The same is true whether we are talking about nation states or hacktivist collectives: there will always be speculation, finger pointing and kudos collecting.

What there will be precious little of is proof beyond reasonable doubt. In the absence of that, you have to ask yourself why bother expending so much energy on attribution when that energy could be so much better spent looking at what went wrong and how to prevent it going wrong again.

Reports are suggesting, for example, that at least some of the data at the centre of the OPM breach was apparently unencrypted. There's important lesson number one right there. At least make the prize as unattractive as possible if the bad guys manage to navigate through the defences to get at it rather than handing it to them on a plate.

Not that encryption is the key, if you will pardon the pun, but it does add another layer of difficulty into the mix. A determined attacker could always steal the keys as well as the database, or engineer authorised access to grab the unencrypted data, for example. It has to be seen as part of a solution. All too often, unfortunately, encryption is seen as part of a problem and therefore isn't implemented in any form. Big mistake!

Now that the initial hysteria has started to die down, we can get back on track and start looking at the how rather than the who. Hopefully, by so doing, we can learn what vulnerabilities were exploited and where the attack surface was weakest.

Hopefully, if your organisation is subject to a breach, you will get straight to the nitty gritty of how it happened, and once you've worked that out and secured the defences, then and only then start pointing the finger of blame...
