Ideally, your product or company has staff dedicated full-time to security. Their day-to-day could be a combination of research, audits, documentation / compliance, and building internal tools to monitor, alert, and mitigate risk. But it’s pretty clear that many companies don’t prioritize this. Oftentimes the processes to prevent and respond to threats are not in place.
Here are two quick procedures that could be implemented in any system, within a reasonable amount of time (and pain?).
I heard a great analogy at a conference comparing cyber security to an office building’s front desk security. The security guards at the front can require ID badges and use metal detectors, RFID chips, video recordings, and even biometric scanners to grant access. But you cannot protect every last little corner, even if you had triple the number of guards. Also, the threat could use a disguise to bypass most checkpoints, or the threat might even be a malicious actor who already has full access.
In the analogy, security guards are the access control systems. Instead of relying solely on the systems to determine who is allowed to go where, a fairly simple notification system is an easy win. Send a quick email to the actor’s boss and another manager when a user touches the most harm-inducing data tables. The alert might say:
Hey – we detected user ‘Slippery Sam’ accessing the following tables: ‘bank_accounts, credit_cards, addresses, phone_numbers’. The user read 50,000 records from these tables. You can ignore this alert if this is business as usual.
The onus is then on the manager to say “yes that seems right, no issue here.” Configuring some thresholds to the level of warning by type of data helps limit the burden on the managers. Spreading out the responsibility beyond just the security team will help build up trust everywhere.
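The threshold-and-notify procedure above, as an added example that is not code from the original post. It takes per-user read counts against a set of sensitive tables, groups them by a data classification with its own threshold, and produces the alert text a manager would receive. The table list, the classification, the threshold values and the audit events are all constructed for the example; in practice the events would come from the database's audit log or query logger.

```python
"""Threshold-based manager alert for reads against sensitive tables.

Added example, not code from the original post. Table names, data
classes, thresholds and audit events are constructed for illustration.
"""
from collections import defaultdict

# Data classification -> rows a single user may read in the alert window
# before a manager is notified. Assumed values; tune per data type.
THRESHOLDS = {
    "financial": 1_000,   # bank_accounts, credit_cards
    "pii": 10_000,        # addresses, phone_numbers
}

# Which tables are "harm-inducing" and which class they belong to.
SENSITIVE_TABLES = {
    "bank_accounts": "financial",
    "credit_cards": "financial",
    "addresses": "pii",
    "phone_numbers": "pii",
}

# Constructed audit events: (user, table, rows_read) for one window.
AUDIT_EVENTS = [
    ("slippery_sam", "bank_accounts", 20_000),
    ("slippery_sam", "credit_cards", 15_000),
    ("slippery_sam", "addresses", 10_000),
    ("slippery_sam", "phone_numbers", 5_000),
    ("slippery_sam", "product_catalog", 300_000),  # not sensitive, ignored
    ("careful_carol", "addresses", 40),
    ("careful_carol", "bank_accounts", 999),        # just under the limit
]


def summarize(events):
    """Aggregate rows read per user, per sensitive table; drop other tables."""
    per_user = defaultdict(lambda: defaultdict(int))
    for user, table, rows in events:
        if table in SENSITIVE_TABLES:
            per_user[user][table] += rows
    return per_user


def users_over_threshold(events):
    """Return {user: {table: rows}} for every user whose total reads in
    any data class exceed that class's threshold."""
    flagged = {}
    for user, tables in summarize(events).items():
        by_class = defaultdict(int)
        for table, rows in tables.items():
            by_class[SENSITIVE_TABLES[table]] += rows
        if any(by_class[cls] > limit for cls, limit in THRESHOLDS.items()):
            flagged[user] = dict(tables)
    return flagged


def alert_message(user, tables):
    """Render the notification sent to the user's manager."""
    names = ", ".join(sorted(tables))
    total = sum(tables.values())
    return (f"Hey - we detected user '{user}' accessing the following tables: "
            f"'{names}'. The user read {total:,} records from these tables. "
            "You can ignore this alert if this is business as usual.")


def build_alerts(events):
    """Map each flagged user to the alert text to e-mail to their manager."""
    return {u: alert_message(u, t) for u, t in users_over_threshold(events).items()}


if __name__ == "__main__":
    for user, msg in build_alerts(AUDIT_EVENTS).items():
        # Hook your mail sender in here; the example only prints.
        print(f"[to: manager of {user}] {msg}")
```

Only users whose reads in a class exceed that class's limit are flagged, so `careful_carol` (999 financial rows, 40 PII rows) stays quiet while `slippery_sam` triggers one alert covering all four tables. Running the alert window over the database's own audit trail, rather than application code, keeps it independent of the access-control path it is meant to back up.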
Logging – Respond to a Hack
So it’s clear that hacks can and will happen to almost any system. But how damaging it becomes is really up to the response team. Firms that specialize in cybersecurity will likely be brought in and ask the following three questions right away:
- Who accessed the system?
- Did they get anything, yes or no?
- What things did they get?
Being able to quickly answer these questions helps immensely. Make sure you’re logging requests, database transactions, etc. For guidance on logging best practices, I highly recommend the OWASP Cheat Sheet Series.
The logs should be detailed and easily accessible, as every hour counts with this kind of stuff. Train a few members of the team on how to answer these three questions and put the details in your Operations Security playbook.
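What answering the three questions looks like once request and database-transaction logs are in place, as an added example that is not from the original post. The log lines are constructed, and the field names (`request_id`, `actor`, `src_ip`, `rows_returned`) are assumptions about what your own logging records; the point is that a request id shared between the HTTP log and the transaction log lets each question be answered with a simple join.

```python
"""Answer 'who accessed, did they get anything, what did they get' from logs.

Added example, not code from the original post. Log lines and field
names are constructed; adapt them to what your system actually logs.
"""
import json
from collections import defaultdict

# Constructed log lines: one per HTTP request and one per DB transaction,
# joined by request_id. Real lines would be read from your log store.
LOG_LINES = """
{"kind":"request","ts":"2024-05-01T02:13:04Z","request_id":"r1","actor":"api_key_7f3","src_ip":"203.0.113.9","path":"/export","status":200}
{"kind":"db","ts":"2024-05-01T02:13:05Z","request_id":"r1","op":"SELECT","table":"credit_cards","rows_returned":48210}
{"kind":"request","ts":"2024-05-01T02:14:10Z","request_id":"r2","actor":"api_key_7f3","src_ip":"203.0.113.9","path":"/export","status":200}
{"kind":"db","ts":"2024-05-01T02:14:11Z","request_id":"r2","op":"SELECT","table":"addresses","rows_returned":1790}
{"kind":"request","ts":"2024-05-01T02:15:00Z","request_id":"r3","actor":"api_key_7f3","src_ip":"203.0.113.9","path":"/admin","status":403}
{"kind":"request","ts":"2024-05-01T09:00:00Z","request_id":"r4","actor":"alice","src_ip":"10.0.0.5","path":"/profile","status":200}
{"kind":"db","ts":"2024-05-01T09:00:01Z","request_id":"r4","op":"SELECT","table":"addresses","rows_returned":1}
""".strip().splitlines()


def parse(lines):
    """Parse JSON-per-line log records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def who_accessed(records, start, end):
    """Q1: actors and their source IPs with requests inside [start, end].
    Timestamps are ISO-8601 UTC strings, so string comparison orders them."""
    actors = defaultdict(set)
    for r in records:
        if r["kind"] == "request" and start <= r["ts"] <= end:
            actors[r["actor"]].add(r["src_ip"])
    return {actor: sorted(ips) for actor, ips in actors.items()}


def what_they_got(records, actor):
    """Q3: rows returned per table to the actor's successful requests.
    A 403 request has no matching transaction, so it contributes nothing."""
    ok_requests = {r["request_id"] for r in records
                   if r["kind"] == "request" and r["actor"] == actor
                   and r["status"] < 400}
    got = defaultdict(int)
    for r in records:
        if (r["kind"] == "db" and r["request_id"] in ok_requests
                and r["op"] == "SELECT"):
            got[r["table"]] += r["rows_returned"]
    return dict(got)


def did_they_get_anything(records, actor):
    """Q2: a plain yes/no, derived from Q3."""
    return sum(what_they_got(records, actor).values()) > 0


if __name__ == "__main__":
    recs = parse(LOG_LINES)
    suspects = who_accessed(recs, "2024-05-01T02:00:00Z", "2024-05-01T03:00:00Z")
    for actor, ips in suspects.items():
        print(f"{actor} from {ips}: got anything? {did_they_get_anything(recs, actor)}")
        print(f"  what: {what_they_got(recs, actor)}")
```

The three functions map one-to-one onto the three questions, which is what the playbook entry should capture: the incident window for Q1, the actor id for Q2 and Q3, and where each field comes from. If your request log lacks a correlation id that the transaction log also carries, Q3 cannot be answered reliably, and adding that id is the first logging fix to make.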
Sending some emails and logging some actions can go a long way to helping make any software system more secure. It’s never too late to prioritize security in your systems.