Like burglars looking for the soft target in the neighborhood, such as the house without cameras or newspapers piled up indicating a family on vacation, cyber criminals are constantly probing for vulnerabilities.
Whether or not you avoid a breach sometimes comes down to “luck.” Maybe attackers won’t notice that you haven’t patched the Heartbleed vulnerability in OpenSSL. More likely, that’s just wishful thinking.
Few, if any, organizations have all the security resources necessary to absolutely prevent a successful attack. But by analyzing the trends from many of the top industry surveys and reports, we can prioritize the security investments needed to harden our environments against the opportunistic attackers and perhaps make a bit of our own luck.
If there are only five controls that a security organization can reasonably tackle this year, what should they be?
Harden credentials used to access sensitive information and beyond
The latest Verizon Data Breach Investigation Report indicated that in the previous year, “63 percent of confirmed data breaches involved weak, default or stolen passwords.” While phishing and other social engineering attacks are typically the vector, the goal is to obtain insider credentials that can then be used to circumvent data loss prevention and detection.
Safeguarding credentials is increasingly important as more and more sensitive information is becoming toxic. Here the solution is twofold. First, consider expanding two-factor authentication to a broader set of services, accessed via single sign-on to reduce user frustration and blunt the instinct to work around authentication. Once that is in place, establish a comprehensive policy for classifying data to determine which information needs additional security layers. Without that ranking, you have no reliable way of knowing where two-factor authentication is required.
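One way to tie the two halves together, as an added example that is not from the original article: a step-up policy evaluated on the single-sign-on session, so one second-factor prompt covers every service, with the data classification ranking deciding when that prompt is required. The tier names, threshold, session fields and MFA lifetime are assumptions for illustration.

```python
# Added example, not from the original article: a step-up authentication
# policy that reads the data-classification ranking to decide when a
# single-sign-on session must have completed a second factor. The tier
# names, threshold and session fields are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

# Classification tiers, least to most sensitive; the value is the rank.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Resources at or above this rank need a second factor. The check runs on
# the SSO session, so one MFA prompt covers every service the session
# reaches rather than prompting separately in each application.
MFA_REQUIRED_FROM = CLASSIFICATION_RANK["confidential"]

# Assumed lifetime of an MFA proof before the user is prompted again.
MFA_MAX_AGE_SECONDS = 8 * 3600


@dataclass
class SsoSession:
    user: str
    mfa_completed_at: Optional[int]  # epoch seconds of the last second factor


def required_rank(classification: str) -> int:
    """Rank for a tier; unknown or missing tiers fail closed to the top."""
    return CLASSIFICATION_RANK.get(classification, max(CLASSIFICATION_RANK.values()))


def authorize(session: SsoSession, classification: str, now: int) -> str:
    """Return 'allow' or 'step_up' (second factor needed before access)."""
    if required_rank(classification) < MFA_REQUIRED_FROM:
        return "allow"
    if session.mfa_completed_at is None:
        return "step_up"                      # never did MFA this session
    if now - session.mfa_completed_at > MFA_MAX_AGE_SECONDS:
        return "step_up"                      # stale proof: prompt again
    return "allow"
```

Data that has not yet been classified is treated as the most sensitive tier, so gaps in the inventory fail closed rather than open.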
Reduce the attack surface of credentials
One of the basic tenets of security is to reduce the attack surface. This has traditionally been accomplished by reducing the entry points on a network or turning off unused software features, but consider credential reduction as well.
As uncovered in the Ponemon Global Trends in Identity Governance & Access Management report, 57 percent of respondents acknowledge that end users have more access than is required to do their jobs. While identity governance is typically seen as fulfilling a compliance requirement, given the way attackers exploit stolen credentials, it makes sense to put identity governance policies to better use in reducing the threat from attacks originating both inside and outside the organization. That means getting past the rubber-stamping problem, where access reviews approve everything by default.
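A usage-based access review is one way past rubber-stamping, shown here as an added example that is not from the article or the Ponemon report: each user's granted entitlements are compared both with a role baseline and with what was actually exercised during the review window, so the reviewer receives a concrete revocation list rather than a "keep everything" form. The roles, entitlement names and access log are constructed sample data.

```python
# Added example, not from the original article or the Ponemon report: a
# usage-based access review that compares each user's granted entitlements
# with the role baseline and with what was actually exercised in the review
# window. Roles, entitlement names and the access log are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

ROLE_BASELINE = {
    "accountant": {"erp:ledger:read", "erp:ledger:write"},
    "helpdesk": {"ad:password:reset", "ticketing:read"},
}
# user -> (role, entitlements currently granted)
GRANTS = {
    "alice": ("accountant", {"erp:ledger:read", "erp:ledger:write", "hr:salary:read"}),
    "bob": ("helpdesk", {"ad:password:reset", "ticketing:read", "ad:group:admin"}),
}
# (user, entitlement, ISO timestamp of use); constructed sample records
ACCESS_LOG = [
    ("alice", "erp:ledger:read", "2016-03-01T09:00:00"),
    ("alice", "hr:salary:read", "2015-11-20T10:15:00"),
    ("bob", "ad:password:reset", "2016-03-02T08:30:00"),
    ("bob", "ad:group:admin", "2016-02-28T17:45:00"),
]


def review(grants, access_log, baseline, as_of: str, window_days: int = 90):
    """Return {user: {"unused": set, "beyond_role": set}} for the review."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=window_days)
    last_used = defaultdict(dict)
    for user, ent, ts in access_log:
        t = datetime.fromisoformat(ts)
        if t > last_used[user].get(ent, datetime.min):
            last_used[user][ent] = t
    findings = {}
    for user, (role, granted) in grants.items():
        recent = {e for e, t in last_used[user].items() if t >= cutoff}
        findings[user] = {
            # Granted but not exercised in the window: dormant privilege.
            "unused": granted - recent,
            # Granted beyond the role baseline: excess privilege. bob's
            # group-admin right is in active use, so usage alone would
            # never flag it; both views are needed.
            "beyond_role": granted - baseline.get(role, set()),
        }
    return findings
```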
Isolate – and monitor – the problem children
There’s a reason why teachers put misbehaving kids out in the hall – they can’t allow the one to disrupt the education of the many. While vulnerability scanning and remediation form a key pillar of any good security program, there will always be those problem systems that cannot be patched or updated, leaving them exposed to a known vulnerability. These vulnerable systems, as well as BYOD systems, deserve to be isolated from the rest of the network.
The Verizon Data Breach Digest tells the story of a financial company whose customers started reporting that the company’s customer website was being blocked due to security concerns. This was the result of a data breach involving an employee’s personal laptop, which was infected with malware. While the organization had isolated BYOD from the corporate network, the BYOD network was not monitored and had minimal controls. Worse, the BYOD network was sharing the same network equipment and the same Network Address Translation (NAT) as the corporate traffic, so the malware traffic appeared to come from the corporate network’s public address and dragged down its reputation. The moral is, isolate those systems, but don’t assume that isolation is enough on its own.
Concentrate encryption on the crown jewels – and everything else
Your organization’s jewels are most likely data. As stated in the HPE Cyber Risk Report, “if surveillance manages time and again to seem like a white knight after terrorist incidents, encryption is often the dragon.” The implication is that even terrorists know how to protect their data with encryption.
Most organizations encrypt sensitive data, but if encryption is applied sparingly, it acts as a beacon for attackers. It is better to encrypt all data so that nothing signals which data matters most, which slows down or even dissuades attackers, who must then spend resources differentiating between the information they want and that which is useless to them.
Trust, but verify
The US Army, in preparing an operations plan, prepares for two courses of enemy action: the most likely and the most dangerous. While the most likely attacks are effectively confidence attacks against gullible users, the most dangerous is the malicious administrator. While we would all like to believe our employees are honest and follow company policies, the old Russian proverb made famous by Ronald Reagan while negotiating strategic arms limitations, “trust, but verify,” applies here as well.
For security leaders, that means leveraging privileged account management to limit, monitor and record what administrators can do or are doing. The Cyberthreat Defense Report showed that “only 30 percent of respondents are confident that their organization has made adequate investments to monitor the activities of privileged users.” That number is too low for what can be the most devastating of attacks. Consider how leaks by Edward Snowden or the anonymous administrator at Mossack Fonseca have impacted those organizations.
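As an added example that is not from the article or the Cyberthreat Defense Report, the monitoring half of privileged account management can start with the sudo log itself: the checker below flags sudo use by accounts outside the approved admin set, interactive root shells (which defeat command-level recording) and privileged commands outside the change window. The approved admin list, change window and sample log lines are constructed assumptions.

```python
# Added example, not from the original article or the Cyberthreat Defense
# Report: a small monitor over sudo log lines that flags privileged activity
# a security lead would want to review. The approved admin list, change
# window and sample log lines are constructed assumptions.
import re

APPROVED_ADMINS = {"carol"}
CHANGE_WINDOW = (8, 18)                 # local hours in which changes are expected
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/su"}

# Standard sudo syslog format: "<ts> <host> sudo: <user> : TTY=... ; PWD=... ;
# USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample log (not real events).
SAMPLE_LOG = [
    "Mar  3 14:02:11 db01 sudo:    carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "Mar  3 23:41:09 db01 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash",
    "Mar  4 02:15:40 db01 sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/cat /var/log/auth.log",
    "Mar  4 09:30:00 db01 sshd[2201]: Accepted publickey for carol from 10.0.0.5 port 51234 ssh2",
]


def analyze(lines, approved_admins=APPROVED_ADMINS):
    """Return (user, reason, command) findings for privileged activity."""
    findings = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:                       # not a sudo record; out of scope here
            continue
        user, cmd = m["user"], m["cmd"]
        hour = int(m["ts"][-8:-6])
        reasons = []
        if user not in approved_admins:
            reasons.append("sudo by an account outside the approved admin set")
        if cmd.split()[0] in INTERACTIVE_SHELLS:
            # A root shell defeats command-level recording: whatever runs
            # inside it never reaches the sudo log.
            reasons.append("interactive root shell; inner commands are not recorded")
        if not CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]:
            reasons.append("privileged command outside the change window")
        findings.extend((user, r, cmd) for r in reasons)
    return findings
```

The approved, in-window service restart produces no finding, which is the point: the monitor surfaces the exceptions a reviewer should look at, not the routine work.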
Priorities will vary by organization, depending on the types of threats they are facing and where investments have already been made. But if you’ve fallen behind in any of these five categories, consider what can be done to raise visibility before your luck runs out.