
Why Change Selling Blog

 


Experian - T-Mobile hack #databreach gets personal

By Mark Gibson on Mar 10, 2015 12:00:00 AM

Topics: security


I read with great irritation this morning of the Experian T-Mobile hack.

I just bought a new iPhone from T-Mobile and, as part of the lease process, they ran credit with Experian.

Immediate thoughts were of unauthorized credit card transactions, canceled cards. Identity theft. Inconvenience and the sense of violation from a “trusted” 3rd party, Experian.

Relief when I checked my email receipt from T-Mobile, dated 18th of September, as the compromised data window ended on 16th September. But it could have been a couple of days earlier as I’d been thinking about switching from Android for a while.

I'm aware of vulnerability in most companies as a result of my current work in security software.

I track #databreach on Twitter and today, yet another brand-name company announced a breach and data loss.

I try to imagine what it would be like to be a board member, CXO or senior security executive in a public company and wake up in the morning to a voicemail from a 3rd party to learn of a breach.

There is nowhere to hide once a breach occurs. Compliance with regulatory authorities provides no insurance from #databreach.

Lessons from Home Depot

The Home Depot data breach, outlined in this Krebs on Security article, is insightful and instructive for senior executives.

A quick refresher: in 2014, retail hardware giant Home Depot exposed 56 million customer debit and credit cards in the breach.

The source of the Home Depot breach was malware, delivered via a partner's PC after landing a phish. The attackers then used a Trojan to steal the VPN password.

On the inside, hackers had easy access to internal systems, exploiting a weakness in MS Windows that was discovered after the hack.

Hackers gained unauthenticated access and, eventually, full access to the Home Depot network. They were undetected for months inside Home Depot, watching, learning and waiting for the opportunity to exfiltrate data.

I have empathy for security professionals working in large and small companies. Cyber crime is big business; the perpetrators organized, determined, professional and patient.

From a security practitioner perspective, managing security is complex.  The security vendor landscape is fragmented and noisy. Hundreds of vendors pitch solutions for their piece of the puzzle.

Meanwhile, every company is at risk from insider threat, even though they may be in compliance. Security consulting firm Mandiant noted that 100% of recent data breaches investigated involved stolen credentials.

But it doesn’t have to be this way.

Business owners and executives can reduce the risk of data loss from internal breach by protecting user identity.

12 Simple Rules to Protect Identity and Reduce Risk of #databreach

  1. Adopt a continuous compliance policy.
  2. Enforce security best-practices.
  3. Segment networks and restrict access to sensitive information on a need-to-know basis.
  4. Restrict privilege; executives and administrators only get credentials for the systems they maintain.
  5. Enforce a single source of identity; everyone logs in as themselves and is unable to change identity.
  6. Enforce strong password policies.
  7. Install single-sign-on systems and processes to prevent stale, unused and re-used password vulnerabilities.
  8. Adopt multi-factor authentication, with a user’s mobile phone as the second factor.
  9. Protect data on mobile devices using MDM policies that enable remote lock and wipe.
  10. Secure remote access for 3rd parties and business partners without using a VPN.
  11. Record, watch, audit and alert on privileged user sessions.
  12. Prevent shared-account administrator access to root and corporate systems, except in break-glass situations.

Determined professional hackers are innovative, sophisticated and patient.

Former hacker turned celebrity consultant Frank Abagnale notes: “There’s no master hacker. They’re waiting for doors to open because someone didn’t do something, or they did something they shouldn’t have.”

“Banks spend upwards of $250 million on software to keep me out. But they have 200,000 employees, so I just wait for them to do something wrong and let me in.”

Upgrading identity and access management to handle all user types and access points will reduce risks caused by less-than-stellar administrators and careless end-users in suppliers, partners and customers.