Putting Process Over Product to Secure Your Network: Lessons from the Equifax Breach
by Steve Forti
Network security is like a chess game: You have an opponent you must outsmart. When you’re a programmer or a system administrator, you’re configuring systems and dealing with objects. IT security people face intelligent adversaries.
IT security people have to think five steps ahead. Our chessboard comprises all the systems connected through the internet. I’m talking private corporations, government networks, and even the power grid. I’m not exaggerating when I say that IT security teams keep the lights on.
Like a chess player, I have to be creative. As Agilant’s Chief Security Officer, I need to bring strategy to the board. The key is understanding the many technologies that comprise an IT installation. I must know a little bit about email, networking, virtualization, and operating systems. Essentially, it takes an IT village to raise a safe environment.
Playing Chess for a New York Bank
In IT, I’ve worked on both sides of the fence. I started as a consultant with Agilant in the 1990s. I spent about three years here as a senior security solutions architect, working on worldwide hubs and firewalls. But then, I decided I wanted to focus on a single organization instead of jumping from client to client. So, after the birth of my first son, and with a second child on the way, I joined Astoria Bank.
Working in-house gave me a whole new perspective on IT security. As a consultant, I wanted to offer my clients the best solution money could buy. As an in-house security specialist, I learned things weren’t always that simple. There are lots of politics involved in securing a company’s IT infrastructure. Competing interests often win out over what’s best for security.
Everyone has an online presence now. Ecommerce is a significant source of revenue. But, as a result, security can often take a back seat to profit. A member of the executive team will come in and say, “This will triple our bottom line for this division.” The security team will explain that it’s not secure. However, businesses exist to make money. Sometimes, caution gets thrown to the wind as companies seek greater profit.
IT security teams often fight losing battles against senior management. A lot of it comes from a disconnect. Managers think things work one way—security folks know that they don’t. This is especially true in banking.
The financial collapse of 2008 resulted in a new wave of banking regulations. From a financial perspective, they make sense and are helping prevent another crash. At the same time, the FFIEC enacted new cybersecurity rules that I think miss the point.
Bureaucrats wrote these regulations, not security professionals. In my experience, they have led to extra work and worse security. Do you remember the Equifax breach? Hackers stole the personal data of 247 million consumers. I’m sure the company had audits, year after year after year. I can tell you they probably passed with flying colors, but they still got hacked. That’s what happens when you focus on regulations instead of day-to-day security.
The same thing happened with Target in 2013. Target is PCI compliant. That is a tough certification to get, and follow-up is very strict. PCI-compliant companies undergo a security audit every three months, yet Target still got hacked. This is the result of what I like to call trickle-down security.
It should never start at the top. The best way to secure your network is to ask your frontline personnel what they need. There is often miscommunication. Managers, regulators, and IT security people don’t speak the same language. Therefore, it’s hard for an IT person to ask for another $300,000 to secure a network that is 100% FFIEC compliant.
I had this exact conversation with a regulator recently. Hackers don’t care about compliance. This is a game of chess. An attacker has the time—and the leisure—to think five moves ahead of me. If I’m too busy filling out checklists for regulators, I won’t see the move, and I won’t react. How can I beat my opponent if I’m focused on regulations from a decade ago? Cybersecurity is a moving target.
The biggest lesson I learned in my 14 years at Astoria Bank is this: There is never enough product. You can never get enough hardware and software to protect your network. It’s not just a matter of budget. There is never enough money to configure systems and networks in the most secure manner. Hackers are always finding new vulnerabilities.
Network security is about process, not product. Your equipment is not as important as the way you use it.
This is what I try to explain to our customers now that I’m back at Agilant. There is no magic bullet, only a lot of hard work. One client will rave about Palo Alto, and another will tell me it’s not the best. I hear the same conflicting reviews about Cisco, Fortinet, and Check Point. They’re not wrong, but they’re not right, either.
This industry is a game of catch-me-if-you-can. The hackers are always one step ahead, writing viruses and other malicious code. They’re poking holes into firewalls and finding ports to exploit. We are all in this game together. It doesn’t matter who spots the breach and writes the signature or the patch to close it. One day, it’s Cisco; the next it’s Fortinet. You get the picture. Best in class does not mean invulnerable.
I’m very honest with customers. I’m not peddling snake oil here. Agilant’s approach to IT security is not about pushing products—it’s about keeping our customers safe. I will never present a web appliance or a firewall and say, “This will solve all your problems.” That’s not how things work. Before I can recommend a solution, I have to understand how a client uses their IT infrastructure.
I don’t say, “These are the products that are going to save you.” I ask, “How are you using your network and your devices? What can you change to increase security?”
I ask about simple things like macros. I’ll walk into a company that has 250 employees and discover only two are using macros. “Fine,” I’ll say. “Let’s disable macros for everybody except those two people.” Macros are a vector for malware transmitted by email. Hackers will embed malicious code in macros. It’s one of the oldest tricks in the book and you’d best hope your antivirus software can catch it.
This is called process change. I look at what my client is doing and measure the impact it can have on security. Disabling macros for most of the company reduced that particular threat by 98%. Now, we have to figure out how to close a security hole that affects only 2% of the workforce. It’s a lot easier than addressing a gaping vulnerability that affects everyone.
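One way to put the macro change described above into practice, as an added example that is not the article’s own code: a per-user logon script that turns Office macros off for everyone except a short exemption list. It assumes Office 2016/2019/365 (policy hive version 16.0); the user names are constructed placeholders.

```powershell
# Added example (not from the article). Run as a per-user logon script.
# Assumes Office 2016/2019/365, whose policy keys live under the 16.0 hive.
$ExemptUsers = @('jdoe', 'asmith')          # constructed placeholders: the two users who need macros
$Apps        = @('Word', 'Excel', 'PowerPoint')

# VBAWarnings policy values: 1 = enable all, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
$Level = if ($ExemptUsers -contains $env:USERNAME) { 3 } else { 4 }

foreach ($App in $Apps) {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name 'VBAWarnings' -Value $Level -Type DWord
    # Even the exempt users get no macros from files carrying the Mark of the Web
    # (email attachments, downloads), which is exactly the vector the article describes.
    Set-ItemProperty -Path $Key -Name 'blockcontentexecutionfromInternet' -Value 1 -Type DWord
}

# Audit line so the remaining 2% stays visible: report the effective level for this user.
foreach ($App in $Apps) {
    $v = (Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security").VBAWarnings
    Write-Output ("{0,-10} {1,-12} VBAWarnings={2}" -f $App, $env:USERNAME, $v)
}
```

In a domain, the same two values are normally pushed through Group Policy with the exempt users in a security-filtered GPO; the script shows the registry the policy lands on.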
Process Over Product
It’s your approach—not the product—that safeguards security. When you put in a new system, you have to monitor and maintain it. It’s sitting on a rack in your data center, or it’s somewhere on the cloud. Someone in your organization has to know where it is and what it does—and that costs money.
Instead of peddling product, I help customers change their security philosophy. Selling a solution is easy. If you ask me, it’s low-hanging fruit. I can walk into a room and walk out with a deal for an anti-virus system worth tens of thousands of dollars. Two years from now, that company will get hit with five or six ransomware attacks. The managers will wonder what happened.
The answer is simple: They put product first. This is wrong. Product is always the last line of defense. It is there to protect you when everything else you’ve done to defend your network has failed. It’s not your hardware and software that keeps you five steps ahead of the hackers—it’s your IT policies.
A lot of our customers ask me to configure firewalls. They want every workstation on their network to have access to the entire internet. But the problem isn’t staff who violate IT policy and use services they shouldn’t. The issue is hackers who know exactly how corporate firewalls are set up. They know the rules and understand the legitimate ways your staff use the internet.
Hacking your everyday connections is the easiest way to infect your network with malware. I ask my clients to pare down the number of services employees can access on the internet. The fewer connections and services you use, the fewer the vectors for malware. If you configure your firewall—and all your IT—on a need-to-use basis, you will shut down most security holes. You can reduce your security threat level by 80% and it won’t cost a penny.
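The need-to-use firewall configuration described above, as an added example that is not the article’s own code, applied to the Windows host firewall: everything outbound is denied by default, and only the handful of services staff actually use is allowed back. The proxy, resolver and domain-controller addresses and ports are constructed placeholders.

```powershell
# Added example (not from the article). Run elevated on a workstation.
$Proxy  = '10.0.0.10'          # placeholder: corporate web proxy
$DnsSrv = '10.0.0.53'          # placeholder: internal resolver
$DcNet  = '10.0.0.0/24'        # placeholder: domain controller subnet
$Group  = 'Need-to-use egress'

# 1. Anything not explicitly allowed is blocked, on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Drop any earlier rules from this policy so re-runs are idempotent.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Allow only the connections staff legitimately use. Web traffic goes through the
#    proxy, so direct 80/443 to arbitrary hosts is no longer a path out of the network.
New-NetFirewallRule -DisplayName 'DNS to internal resolver' -Group $Group -Direction Outbound `
    -Protocol UDP -RemoteAddress $DnsSrv -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName 'Web via proxy only' -Group $Group -Direction Outbound `
    -Protocol TCP -RemoteAddress $Proxy -RemotePort 8080 -Action Allow
New-NetFirewallRule -DisplayName 'Domain controllers (Kerberos/LDAP/SMB)' -Group $Group -Direction Outbound `
    -Protocol TCP -RemoteAddress $DcNet -RemotePort 88,389,445 -Action Allow

# 4. Audit: everything still allowed out is the whole "everyday connections" surface.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Group, Profile |
    Sort-Object DisplayName
```

Built-in outbound allow rules (core networking, DHCP) remain enabled, so review the audit output and add explicit rules for anything else the workstation genuinely needs, such as the update server, before rolling this out.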
Building a Winning Security Strategy
I’m not saying you don’t need product. I’m not asking you to give up your firewalls, your routers, and your anti-virus software. I want my customers to understand that strategy comes first. Think of it this way: The board and the pieces don’t win chess games—players do.
Equifax learned this the hard way. The company had the latest hardware and software, it complied with all regulations, and it passed year after year of audits. The failure was not in its setup, but in its strategy. Hackers used a six-month-old vulnerability to steal millions of users’ personal information.
If Equifax had followed a strict patching policy, none of this would have happened. The company’s IT supplier failed. It didn’t patch the server when the exploit was first discovered. Equifax’s reputation is now in tatters and millions of American consumers are at an increased risk of identity theft.
In chess, the easiest way to lose is to forfeit the game. If you don’t show up or make your move in the allotted time, you’re history. The same is true of IT security: Your opponent is counting on your absence or a moment of inattention. If you want to win, you can never take your eyes off the board.
As Agilant’s CSO, I want to help you win. I can sell you the chessboard—that’s the easy part—but I’m also going to teach you how to play. The pieces are all set up. It’s your move.