These days it seems that every time you open your favorite news source there is another data breach related headline. Victimized companies of all sizes, cities, counties, and even government agencies have all been the subject of the “headline of shame” over the past several months or years. With all this publicity and the increasing awareness of the general public about how data breaches can impact their personal privacy and financial wellbeing, it is no surprise that there is a lot of interest in preventing hacking. The trouble is that there is no way to prevent others from attempting to hack into any target they chose. Since there is a practically limitless number of targets to choose from, the attacker need only be lucky or skilled enough to succeed once. In addition, the risk of successful prosecution of perpetrators remains low. However, while you can’t prevent hacking, you can help to reduce your attack surface to make your organization less likely to be the subject of attacks.
At this point, lets differentiate between opportunistic attacks and targeted attacks. Opportunistic attacks are largely automated, low-complexity exploits against known vulnerable conditions and configurations. Ever wonder why a small business with a small geographic footprint and almost no online presence gets compromised? Chances are good they just had the right combination of issues that an automated attack bot was looking to exploit. These kinds of events can potentially end a small to medium business as a going concern while costing the attacker practically nothing.
Targeted attacks are a different story all together. These attacks are generally low, slow and persistent; targeting your organizations technical footprint as well as your employees, partners and supply chain. While targeted attacks may utilize some of the same exploitable conditions that opportunistic attacks use, they tend to be less automated in nature so as to avoid possible detection for as long as possible. In addition, they may involve a more frequent use of previously unknown exploit vectors (“zero day’s”) to reach their goals or abuse trusted connections with third parties to gain access to your organization. Ultimately it doesn’t matter which of these kinds of attacks results in a breach event, but it is important to think of both when aligning your people, processes and technology for maximum effect to mitigate that risk.
There have been many articles written regarding best practices for minimizing the risk of a cyber-security incident. Rather than recount a list of commonly cited controls, I would like to approach the topic from a slightly different perspective and focus on the top six technical controls that I feel are likely to help mitigate the most risk, provided that all the “table stakes” items are in place (i.e. you have a firewall, etc.).
- Patch and Update Constantly: Ultimately the most hacker-resistant environment is the one that is best administered. Organizations are short cutting system and network administration activities through budget / staff reductions and lack of training. This practice often forces prioritization and choice about what tasks get done sooner, later or at all. Over time this creates a large, persistent baseline of low to medium risk issues in the environment that can contribute to a wildfire event under the right conditions. Lack of a complete asset inventory – both hardware and software – contributes to this risk as applications and devices become unmanaged. Staying on top of patching, system/application updates, end of support/life platform migrations, user administration and configuration management is tedious, time consuming, and generally underappreciated; but this activity - more than any other single task, will reduce the risk of cyber events in an organization and dramatically reduce the risk of opportunistic attacks.
- Email Security: Email is the number one entry point for malware into the enterprise. No surprise really. Given all the data that has pointed to this as the root cause of many breach events, it should be the next place where organizations double-down on security. It is very important that organizations take the time to be informed consumers in this regard and understand what threats the email controls are preventing and what the remaining exposures are so that a layered control model can be put in place.
- Endpoint Detection and Response: Most of that email is destined for a user that will click on attachments and potentially infect themselves with malware of some kind. The second most common malware infection vector is through malicious web content; also, an end-user action. As a result, it makes sense to have a thorough suite of controls on the endpoints and servers in the environment to identify and shutdown viruses, malware, and other potentially unwanted programs. Making sure that all endpoints are under management and kept current will help prevent whack-a-mole malware infections that can persist in environments with inconsistently applied controls.
- Segmentation and Egress Filtering: Just because a hacker or piece of malware makes its way into your environment, doesn’t mean they should be able to spread adjacent network nodes or waltz back out with your mission critical, regulated data. Limiting the ability to communicate both across and outside the network through a combination of controls such as firewall policies and requiring the use of proxy servers is an often-overlooked opportunity for organizations to increase their security, limit the impact of an incident and help prevent a network incident from becoming a public data breach.
- Robust Detection Control Infrastructure: History teaches us that prevention-centric strategies will fail and should be paired with detective controls to minimize time to detection and remediation. Make certain you have a well-tuned SIEM/SOAPA/SOAR infrastructure as part of your security architecture and that that is receiving logs that cover the internal network and applications as well as through the perimeter. This includes tuning of endpoint, application, and network device logs to enable an early detection and response capability in the environment.
- Multi-factor / Multi-step Authentication: The majority of breaches involve the use of cracked, intercepted or otherwise disclosed authentication credentials at some point. Use strong, multi-factor authentication methods by default wherever possible. Combined with the ability to detect and alert on failed login attempts, this practice can provide clues to users that may be the focus of targeted attacks.
Since many implementations of multi-factor/multi-step authentication involve an individual utilizing their cell phone for calls or SMS messages, this does require that users take steps to secure their mobile phones. Entire articles have been written about this topic alone, but in short make sure that the device is fully patched, running only trusted/signed applications from reputable app stores and is protected by a pin or other security access control. Make sure that you check with your mobile provider to take steps to prevent a malicious user from porting your phone number to another device/carrier. Lastly, use app-based authentication methods whenever possible as opposed to SMS-based or phone call methods to further protect yourself from number port out schemes. Such steps can help reduce the risk of business email comprise schemes and maintain the authentication security of corporate social media accounts such as Facebook™, Twitter, and Instagram™.
Cybersecurity has always been something of a race between attackers and the defenders. Organizations that steadily and consistently execute on timely, data-driven decisions that are focused on risk-reduction are more likely to win the day. Every organization, regardless of size, faces difficult choices about where to allocate their limited resources; and you can never eliminate the risk of a cybersecurity incident entirely. So, huddle up and decide how your organization is going to run the next phase of this race. After all, like the eponymous characters in “The Tortoise and the Hare” all we can do is run the race in whatever way we feel maximizes our chance of coming out on top.