The start of the new year presents the ideal opportunity for us to look back and learn from the security threats organizations faced in 2018. If anything, last year proved that every organization, large or small, is now at risk of cyber-attack and it’s simply a question of “when” rather than “if” one will be attacked. Adversaries have become more sophisticated and have the potential to cause widespread havoc. They have also proved capable of inflicting more damage by being focused on an organization, industry, country or a region.
As a result, organizations have become increasingly security conscious, and Gartner estimated that security spending in 2018 was up 8% over the previous year. It is evident that companies are investing in a myriad of security controls such as next-generation firewalls, IPS, WAF, proxies, AV, EDR, email security, and sandboxing solutions from a wide range of vendors. However, many assume that merely having all these solutions is enough to immunize them against cyber-attacks, and that is not always the case. So, what ensures an organization is secure?
In a bid to answer this question, I’ve outlined what I believe are the top three threat vectors and provided advice on how to combat them.
Social engineering was used as the initial attack vector in over 65% of threat advisories sent out by Help AG’s Managed Security Services (MSS) team last year. As an example, in late September 2018, an email spam campaign was observed targeting organizations in the Middle East.
Threat actors are employing various techniques to trick users into clicking malicious links, providing credentials on fake websites, or in some cases simply opening email attachments. Often, this is the initial entry point from which attackers progress their intended malicious activity. Various security controls can be put in place to detect spam and malicious mail, attachments, or links. However, a well-crafted phishing mail, link, or download can bypass these controls, making user awareness the key to mitigating this threat.
End users should be able to spot whether the mail in their inbox is authentic. There are warning flags that can be identified by asking the right questions. Does the email attachment look suspicious, have an unusual extension, or pop up an alert asking for more permissions? Is that call from an unknown person claiming to be a government or bank official genuine? Is the link where information is being supplied, or a file is being downloaded, really the trusted source it claims to be? If adequate and continual user awareness training is carried out internally in an organization, it helps a great deal in tightening defenses against attackers, making your organization a hard target.
Any threat originating from within an organization, whether it results knowingly or unknowingly from the actions of current or former employees, contractors, or associates, is an insider threat. Insider threats are among the toughest for organizations to defend against. Security controls like PAM or DLP solutions can be put in place to detect and limit malicious activity by insiders. However, the threat is not limited to insiders with malicious intentions. A compromised account is also an insider threat, because it has the same characteristics as a malicious insider: for example, if a password was shared or fully compromised, the insider's account can be used to carry out malicious actions within the organization.
Tesla, Punjab National Bank (PNB), and Facebook-Cambridge Analytica were some high profile and widely discussed cases where an insider caused widespread havoc by leaking information, breaching privacy/trust, and/or causing financial losses.
In our view, disorganization, a lack of communication or miscommunication among business functions, and gaps in PPT (people, process and technology) also increase the risk of insider threats. It is important for an organization to understand the relevance of cybersecurity as a critical business function. Adequate budgets should be allocated to analyzing and enhancing cybersecurity, to developing processes that involve CISO approval where applicable, and to incorporating security features and controls during the design phase of a project as applicable.
As the name suggests, gaps in security controls can be expertly exploited by adversaries. An organization might have several security controls and devices in place, but are they configured effectively? Are there enough security controls? Do those security controls complement each other, or do they simply exist for the sake of being there? Misconfiguration of security solutions, unpatched vulnerabilities, insecure or missing controls, and the lack of testing of security controls are what create undefended gaps.
For example, the popular and commonly used protocol SMB (Server Message Block) is widely abused by attackers (Hidden COBRA, Shamoon 3, etc.) to spread malware across the network. It is important to restrict SMB from external IPs, to allow access only where required within a network, and to use non-vulnerable SMB versions.
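The three SMB recommendations above can be checked against observed traffic. The following script is an added example, not code from the article or from Help AG: it audits constructed SMB session records (source, destination, port, negotiated dialect) for external sources, destinations outside an assumed allow list of approved file servers, and legacy SMB1 dialects. The internal address ranges, the allow list, and the record format are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of SMB session records (not real telemetry).
# Fields: source IP, destination IP, destination port, negotiated SMB dialect.
SAMPLE_RECORDS = """\
203.0.113.45,10.0.5.20,445,SMB 2.1
10.0.7.33,10.0.5.20,445,NT LM 0.12
10.0.8.14,10.0.5.20,445,SMB 3.1.1
10.0.8.14,10.0.9.91,445,SMB 3.1.1
10.0.2.2,10.0.5.20,139,SMB 2.0.2
"""

# Assumed internal ranges of the organization; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allow list: only these hosts are meant to serve SMB within the network.
APPROVED_SMB_SERVERS = {"10.0.5.20"}
SMB_PORTS = {139, 445}
# Dialect strings advertised by SMB1 clients; any of these means SMB1 was negotiated.
SMB1_DIALECTS = {"NT LM 0.12", "LANMAN1.0", "PC NETWORK PROGRAM 1.0"}


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_smb(records: str) -> list:
    """Flag SMB sessions that violate the three recommendations:
    external source, unapproved internal server, or SMB1 dialect."""
    findings = []
    for line in records.splitlines():
        if not line.strip():
            continue
        src, dst, port, dialect = (f.strip() for f in line.split(","))
        if int(port) not in SMB_PORTS:
            continue  # not SMB traffic, ignore
        if not is_internal(src):
            findings.append(Finding(src, dst, "SMB reachable from external IP"))
        if dst not in APPROVED_SMB_SERVERS:
            findings.append(Finding(src, dst, "SMB to host not approved to serve SMB"))
        if dialect in SMB1_DIALECTS:
            findings.append(Finding(src, dst, f"legacy SMB1 dialect negotiated: {dialect}"))
    return findings
```

Running `audit_smb(SAMPLE_RECORDS)` on the sample yields three findings: the external source, the SMB1 session, and the unapproved server.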
Also, as many zero-day and known vulnerabilities are exploited in various attacks, it is important to have published zero-days and CVEs patched, or remediation actions and compensating controls applied, to avoid being vulnerable to such attacks. Help AG MSS sends out relevant customer-specific advisories on zero-day vulnerabilities, such as those in Adobe Flash, Cisco products, MOXA routers, and Windows and Linux, to name a few.
With an increase in the use of IoT and cloud-based services, the attack surface also widens. Questions should be asked around whether data is being stored and accessed securely. Are web/mobile applications secure against web-based attacks? Is there a vulnerability and patch management process being followed in the organization? Is there adequate visibility and monitoring of the holistic network environment?
In conclusion, through 2019, organizations should ensure that the cyber defense strategies they formulate address all the above-discussed points so that they’re best prepared to defend against cyber-attacks.