Every day seems to bring news of another data breach and another type of malware entering the wild. While truly determined hackers may be able to break through any defense, it’s perhaps worth remembering that most are easily deterred and will prioritize the easier targets.
“Regardless of the popular image of the average hacker as being a computer whiz, most hackers are just average people and as such are fundamentally lazy,” says Patrick Grillo, senior director, solutions marketing, Fortinet. “As such, they will always look for the path of least resistance into a network.”
That’s why, he continues, e-mail remains a popular entry point for attackers. “Whether phishing, spear phishing and whaling targeted at senior executives, e-mail is a preferred tool to gain initial entry into a network,” he says. “By using valid but compromised login credentials obtained from a phishing campaign, the hacker can easily gain entry into the network.”
Thomas Fischer, principal security researcher, Digital Guardian, says users are still the most actively targeted parts of an organization’s IT security infrastructure. As well as being a point of weakness, however, he points out that they could also prove to be an asset.
“They not only provide a vector for compromise but are also potentially the best threat intelligence that an organization can have,” Fischer says. “They may ultimately be aware of bad e-mails or compromised sites beforehand as they could have been hit at home or heard it from a friend.”
In terms of specific ‘bits’ of the infrastructure, attackers will target, “the most visible parts of the organization like internet-facing application servers or looking at how the perimeter can be bypassed either via direct attacks on the user or infiltration through remote offices”.
According to Nicolai Solling, director of technology services at Help AG, the insider threat may have even grown. He cites a study by Crowd Research Partners that says 62% of surveyed professionals found insider threats have become more frequent. “Despite this, fewer than 50% of organizations have appropriate controls to mitigate this threat,” he says. Among the reasons are growing complexity of ICT, social media, the presence of data on unauthorized third-party applications and, of course, BYOD.
When reviewing security strategy, Grillo emphasizes looking at, “the entire network”. IT security managers should be asking if all potential points of weakness are protected and whether or not the solutions in place are adequate. Look at the level of complexity of infrastructure and whether or not that complexity can be reduced.
One aspect of complexity could the the number of vendor solutions involved. Is this proving difficult to manage and can the number of vendors be rationalized? Vendors are unanimous that one key aspect of your approach to IT security must be internal education programs.
Employees, despite all the publicity the subject has received, continue to do things they shouldn’t, a point made by all vendors, especially when it comes to opening mails. Education and vigilance must also be extended to the suppliers, consultants, contractors and remote employees plugged into your network.
The rise of the cloud also creates potential problems. Ask about your cloud partners’ security systems and insist on details. ‘Yes, we have very secure systems in place’ isn’t an adequate answer. Also, find out when the last audit on your security infrastructure was carried out.
Digital Guardian’s Fischer puts user awareness and enablement at the top of his IT security checklist. He also emphasizes the need to identify critical assets and ensure they are adequately protected and that access to them is controlled; having a data loss prevention and recovery (DRP) strategy; and working with tested patch and software management solutions.
Much is made of the insider threat, but what exactly does it mean? From one side there is the disgruntled or departing employee who may deliberately leak or steak data. “There are technologies that can help to prevent this sort of insider from stealing sensitive information,” says Grillo.
From the other side, and far more likely to be a problem, is the employee who inadvertently opens a phishing email and has their login credentials compromised. “Technology is not the solution here,” asserts Grillo. “Employees can either be your first line of defense or the hole in the security strategy. Investing in ongoing cyber threat awareness campaigns and training is one of the most effective measures that can be taken by an organization.
Rabih Dabboussi, general manager, Cisco UAE, adds: “The latest UAE workplace security research findings, conducted by Cisco and GBM, showed employee behavior is a genuine weak link in cyber security and is becoming an increasing source of risk – more through complacency and ignorance than malice. This is because companies have so insulated employees from the scale of daily threats that people expect the company’s security settings to take care of everything for them.”
Roland Daccache, senior systems engineer, Fidelis Cybersecurity, points out that insiders constitute a threat simply because of where they are. “The insider is already past the enterprise firewall and what I like to call ‘perimeter hygiene layers’ and with the most dangerous tool of them all, admin credentials,” he says.
Jim Daniel, director of sales, eSentire, adds that users continue to click on links they shouldn’t touch, use unapproved devices, visit dodgy websites and install banned software. Social engineering, whereby individuals are talked into giving away information, also continues. “It’s critical to train and test employees,” Daniel asserts. “Moreover, it’s critical to perform friendly social engineering attacks to test your employee readiness.”
Not everyone, of course, has a massive budget for ICT security. As a basic and inexpensive step, Fischer returns to the issue of user awareness and enablement, describing it as, “the best way an organization can fight against attacks.” There are two reasons for this, he says. “For one, the user is the best source of information to alert IT that something is going wrong in the environment and secondly, the user is the most likely target of an attack,” Fischer explains. “Enabling them to make the best decisions in the face of suspicious actions, attachments or links will ultimately help reduce the organisation’s threat posture.
Daccache says prioritization and maximizing your investment are key. “It might be worth enlisting the services of a consulting company to help with this,” he suggests.
Solling at Help AG recognizes budget constraints as “an unfortunate reality” and says strategic security investments are the best response. “My advice to organizations is to invest in services such as vulnerability assessment and penetration testing,” he says.
“These help uncover flaws not only in the technology, but also take into account factors like policy, configuration, management and user behavior. With this information, the organization can then invest into either the technologies or the frameworks that optimize their IT security infrastructure and best utilize the limited budget.”
Daniel at eSentire says that, if you do nothing else, encrypt data, lock devices with a strong password and use a VPN when on a public cellular or wi-fi hotspot. Passwords should not be basic and should not correspond with important dates, as these can be socially engineered out of the individual user.
“Unfortunately, password credentials are routinely acquired by unauthorized users,” explains Daniel. “For this reason, you should encrypt the hard drive or device. Encryption offers an additional layer of security.”
If budgets allow, organizations should have a mobile device management strategy, with parameters such as minimum password strength, forced encryption and the ability to perform a remote device wipe to remove all data. Continuing with the theme of BYOD and mobility, data in motion on public networks can be intercepted and stolen. This can include e-mails containing client information and user credentials. Putting a VPN on these devices creates a secure and encrypted connection through which data travels from the device user to the intended recipient.
As to who is likely to be attacked, absolutely anyone can be, though motives differ depending on the sector. ‘Hacktivists’ will target high profile companies and government entities in order to make a statement, whereas smaller organizations will be attacked because they are perceived as a ‘soft target’. Hackers looking for financial gain will target financial services, healthcare, retail and manufacturing.
“Except in the case of an advanced targeted attack (ATA) against a specific target, most hackers operate on a non-discriminatory basis,” says Fortinet’s Grillo. “All companies, large or small, are potential targets to them and by throwing enough malware at enough potential targets, eventually they will penetrate one or more networks.”
Digital Guardian’s Fischer adds: “In general…, it’s the organizations that are visibly deficient and have weak security that will be targeted. Malicious parties will use reconnaissance and open source intelligence (OSINT) on organizations to find the low hanging fruit; those areas that are easier to compromise.”
Ray Rothrock, CEO, Redseal, says that lower-profile enterprises protecting high-value assets are increasingly targeted. “Examples of utilities and transaction brokers are among those who have been recently targeted,” he says.
In terms of the most basic ICT security mistakes, Grillo says organizations often fail to understand whether or not their time and money is going on products that can adequately protect their network. “Assuming that there is an adequate security solution in place, some of the other errors include not having a strong authentication system in place, having a wireless network that is not integrated into the security infrastructure, giving all employees unrestricted access to network resources, not conducting periodic reviews of access rights and believing that your organization is too small or to remote or too anything to be attacked,” he says.
Cisco’s Dabboussi cites unauthorized application use, failing to lock computers and careless password handling as key security mistakes. “One in five employees store system login information and passwords on their computer or write them down and leave them on their desk, in unlocked cabinets, or pasted on their computers,” he says.
Digital Guardian’s Fischer says the most basic errors are relying on one technology and not having an incident response strategy in place. “A good security posture requires an organization to use all of its process, procedures and tools in a coordinated and coherent manner,” Fischer comments.
Roland Daccache, senior systems engineer, Fidelis Cybersecurity, says organizations fall into the trap of, “locking down the doors and keeping the windows open.” A window to your network, he adds can be unprotected wi-fi, leased lines and contractor or employee laptops. He also believes that organizations should avoid a one stop shop approach. “No single vendor knows it all, and the more you diversify your intelligence sources the better shape you are in,” Daccache says.
Rothrock at Redseal cautions that the most common avenues for breaches are through common errors and older, unpatched vulnerabilities. “It is typical for organizations to have human errors in network device configurations, for example, which make the network vulnerable to directed attack,” he says. “Similarly, the lack of automated prioritization for vulnerability patching leaves enterprises struggling to be sure patching efforts are focused where they can be most effective.”
Since hackers tend to prioritize the easier and most obvious targets, the bulk of today’s malware is mainly targeted at Windows-based systems, due to its prevalence. The perception that Apple and Linux operating systems are more secure is more down to the lack of malware developed specifically for these systems, says Grillo.
“Compared to Windows-based systems, their presence is statistically so much lower that there isn’t much of an incentive to spend the time or effort in attacking them,” he explains. “However, no operating system can be considered a 100% safe and there has been a dramatic rise in malware for OS X environments due to their increase presence in the typical office environment.”
The recent revelation that back doors had been placed in a certain Linux distribution serves as a reminder that any OS is vulnerable. Fischer also says that recent examples show no particular operating system is safe. “Malicious parties will tend to attack what will give them a larger footprint so they tend to follow trends in technology. For example, now that more companies are using MacOS-based systems, we are seeing attacks, including ransomware, for that platform,” he says.
Daccache at Fidelis throws Android into the mix. “As we are past the PC era and into the mobile era today, there is a general view that Android holds more malware than could have been anticipated,” he says. This has particular implications for organizations with BYOD strategies.
Rothrock at Redseal cautions that, ultimately, the operating systems is less important than the overall setup. “Attackers are more willing to take the time and make the effort to wait for the necessary weaknesses to align before launching each step of the attack,” he says. “It is much less about individual operating systems than it is about the set of weaknesses an attacker can combine to reach the ultimate objective.”
