The cyberthreat landscape is changing faster than ever for data center managers. Cybercriminals pulled in record hauls last year from ransomware, business email compromise, and other nefarious schemes, and they’re expected to be investing some of that money in new attack methods and platforms.
Nation-states aren't sitting things out, either, with Russian state attackers going after political targets, China going after trade secrets, and North Koreans busily stealing cryptocurrency.
Attackers are getting smarter about getting around existing controls, said Marty Puranik, CEO at Atlantic.Net, a Florida-based data center and cloud provider. For example, half of all phishing sites now show a "padlock" in the address bar, he said, to trick people into thinking that they're secure.
According to anti-phishing company PhishMe, in 2016, less than 3 percent of malicious websites used SSL certificates. The number went up to 31 percent in 2017 and is now at over 49 percent, according to a report the company released in December.
Criminals can also use dumps of leaked passwords to write more convincing, personalized phishing emails, Puranik said. "It's all just becoming better and more sophisticated."
Unfortunately, data center cybersecurity is too often reactive and, as a result, fails to meet actual security needs.
Follow a Framework
Several organizations offer cybersecurity frameworks that can help data centers establish a solid base for their cybersecurity planning.
In addition to specific regulatory regimes for particular industry verticals, like PCI for the payments industry and HIPAA for health care, there are general-purpose frameworks.
The most popular is the National Institute of Standards and Technology’s Cybersecurity Framework, which recently celebrated its fifth anniversary and is used not only in the government sector (where it’s mandatory) but throughout private industry. As of the end of January, the framework has been downloaded more than half a million times. Most recently, it was one of the recognized frameworks in Ohio's new Data Protection Act, which offers companies a "safe harbor" against data breach lawsuits.
The NIST Cybersecurity Framework breaks security down into five key functions: Identify, Protect, Detect, Respond, and Recover.
1: Identify
It's tempting to spend too much time focusing on things that are easy to do. There's pressure to respond to the latest headlines, and, of course, everyone wants you to go around shutting barn doors after the horses have escaped. That can create an imbalance between what a data center actually needs and what it gets in terms of security.
So, the first stage of the NIST cybersecurity framework is to identify an organization's cybersecurity risks and to prioritize those risks based on an organization’s risk management strategy and business needs.
This is a decision for senior management, and it should take into account the different security requirements for different systems and different kinds of data. Tomorrow's lunch menu doesn't need the same kind of security as customers’ financial information.
Many organizations don't have a solid grasp of where all their valuable assets are located and how they are secured. Many don't know all the cloud services their employees have access to or all the devices that connect to their networks.
For every key area of risk, a data center needs to have corresponding controls in place. If one of the biggest worries is of unauthorized users accessing critical systems, for example, then those controls could include multi-factor authentication, least-privilege key management systems, and behavioral analytics.
If ransomware attacks are a major risk, and infected employee desktops are the main vector, then email filters, endpoint protection systems, and employee security training programs would be warranted.
In the case of the Equifax breach, the risk was in the use of open source software without a comprehensive patch management strategy.
"With a commercial software solution, the vendor is in a position to push security information to consumers," Tim Mackey, senior technical evangelist at Synopsys, a cybersecurity firm based in Mountain View, California, said.
There's nobody around to do that pushing for open source tools and libraries, so data centers need a way to stay on top of the situation by having an up-to-date inventory of the open source components they use. Scanning an environment once in a while is not an adequate strategy, since criminals can act quickly when new vulnerabilities are discovered.
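One way to keep such an inventory checkable against newly published advisories, as an added example that is not the article's or Synopsys' code (the inventory export format, component names and advisory ids are constructed placeholders):

```python
"""Match an open source component inventory against an advisory feed.
Added example, not the article's code; inventory, names and ids are constructed."""
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '2.3.10' into (2, 3, 10); assumes plain dotted numeric versions."""
    return tuple(int(p) for p in v.split("."))

def parse_inventory(text: str) -> dict:
    """Parse 'name==version' lines (pip freeze style) into {name: version}."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        inventory[name.lower()] = version
    return inventory

@dataclass
class Advisory:
    id: str
    component: str
    introduced: str  # first affected version
    fixed: str       # first version containing the fix

def affected(inventory: dict, advisories: list) -> list:
    """Return (advisory id, component, version) for each vulnerable entry."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.component.lower())
        if installed is None:
            continue  # component not in use here, nothing to do
        v = parse_version(installed)
        if parse_version(adv.introduced) <= v < parse_version(adv.fixed):
            hits.append((adv.id, adv.component, installed))
    return hits

# Constructed nightly export from one host; component names are hypothetical.
INVENTORY = """
# web tier, exported nightly
webframework==2.3.10
imagelib==2.6
"""

# Constructed advisory feed; ids and version ranges are placeholders.
ADVISORIES = [
    Advisory("ADV-0001", "webframework", "2.3.5", "2.3.32"),
    Advisory("ADV-0002", "imagelib", "2.0", "2.4"),
]
```

Re-running `affected()` every time the inventory export or the advisory feed changes is what turns an occasional scan into continuous coverage; here only the web framework is flagged, since the image library is already past its fixed version.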
2: Protect
This is the area where organizations tend to spend the bulk of their efforts – and most of their money.
Fortunately, cybersecurity budgets are going up. According to a recent Data Center Knowledge survey, 65 percent of data center IT managers expected cybersecurity budgets to increase this year – and none of them expected those budgets to go down.
While attackers are getting smarter, security vendors are also evolving to make their products easier to use, more comprehensive, and smarter, said Atlantic.net's Puranik. Some new vendors offer security as a service, he said. And commercial cybersecurity solutions can offer advantages over home-built ones because they are easier to use, and the vendors are constantly upgrading their vulnerability databases.
"Plus, many have adaptive artificial intelligence capabilities that may detect newer threats that aren't fully known yet," he said.
But organizations can't just spend their way out of trouble, said Tim Steinkopf, president at Centrify, a Santa Clara, California-based cybersecurity vendor. It's not so much about buying every single security tool on the market as finding the right ones.
3, 4, 5: Detect, Respond, Recover
The last three areas of the NIST framework cover what to do in case a breach does occur.
First, the organization needs to be able to detect that there's a problem.
Next, it needs to be able to react in a way that contains the damage. In the event of a major disaster, one with significant downtime or data loss, the emergency response plan may also include a public relations team, legal advisers, forensic professionals, and other key experts.
Finally, an organization needs to be able to recover from the attack.
So, for example, if a phishing email infects an employee’s desktop with malware, the detection could come from an antivirus or endpoint protection system. If that fails, a network monitoring system might be able to detect suspicious traffic. The next step could be to isolate the infected system and to check whether the infection spread anywhere else. Finally, the recovery stage may involve wiping the system and reinstalling a golden image of the desktop, then retrieving the user's files from a backup system.
Test, Test, Test
One area that doesn't have its own function category under the NIST framework is that of testing. But testing should be a vital part of any cybersecurity plan.
"The best way for a data center manager to understand what is vulnerable to a cyberattack is to test their data center," Laurence Pitt, security strategy director at Juniper Networks, said. "Run the cybersecurity breach process as a live exercise and see what happens."
There are third-party firms that will attempt to break through an organization's perimeter, look for unsecured cloud storage buckets, or scan for leaked passwords. There are even companies that will run simulated phishing attacks on employees.
There's a temptation to create a list of cybersecurity controls and just check off the boxes, said Pitt. "But it won't be known how they perform together or what gaps exist unless a drill is run, and run regularly," he said.