Similar to burglars looking for the soft target in the neighborhood, such as a house without cameras or newspapers piled up indicating a family on vacation, cyber criminals are constantly probing for vulnerabilities. Sometimes people think that avoiding breaches comes down to “luck”. Its possible that attackers won’t notice you haven’t patched OpenSSL with the Heartbleed vulnerability. More likely, that’s just wishful thinking.
Few, if any, organizations have all the security resources necessary to absolutely prevent a successful attack. But by analyzing the trends from many of the top industry surveys and reports, we can prioritize the security investments needed to harden our environments against the opportunistic attackers.
Here are the recommended top five controls that a security organization can reasonably tackle to improve “luck”.
- Harden credentials used to access sensitive information and beyond
In 2016 the Verizon Data Breach Investigation Report indicated that in the previous year, “63 percent of confirmed data breaches involved weak, default or stolen passwords.” While phishing and other social engineering attacks are typically the vector, the goal is to obtain insider credentials that can then be used to circumvent data loss prevention and detection.
Safeguarding credentials is increasingly important as more and more sensitive information is becoming toxic. In this case, the solution is two-fold. First, consider expanding two-factor authentication to a broader set of services, accessed via single-sign on to reduce user frustration and avoid their instinct for working around authentication. Once that is in place, establish a comprehensive policy for classifying data to determine what information needs additional security layers. Without this ranking in place, you may not be aware of when to implement two-factor authentication.
- Reduce the attack surface of credentials
One of the basic tenets of security is to reduce the attack surface. This has traditionally been accomplished by reducing the entry points on a network or turning off unused software features, but consider credential reduction as well.
As uncovered in the Ponemon Global Trends in Identity Governance & Access Management report, 57 percent of respondents acknowledge that end users have more access than is required to do their jobs. While identity governance is typically seen as fulfilling a compliance requirement, given the way attackers exploit stolen credentials, it makes sense to better use identity governance policies to reduce the threat from attacks originating both inside and outside the organization. That means getting past the rubber-stamping problem.
- Isolate – and monitor – the problem children
There’s a reason why teachers put misbehaving kids out in the hall – they can’t allow the one to disrupt the education of the many. While vulnerability scanning and remediation is a key pillar of any good security program, there will always be those problem systems that cannot be patched or updated, leaving them exposed to a known vulnerability. These vulnerable systems, as well as BYOD systems, deserve to be isolated from the rest of the network.
The Verizon Data Breach Digest tells the story of a financial company whose customers started reporting that their customer website was blocked due to security concerns. This was the result of a data breach involving an employee’s personal laptop, which was infected with malware. While the organization had isolated BYOD from the corporate network, the BYOD network was not monitored and had minimal controls. Worse, the BYOD network was sharing the same network equipment and using the same Network Address Translation (NAT) as the corporate traffic, causing the corporate network’s reputation to fall. The moral is, isolate those systems, but don’t assume it is enough on its own.
- Concentrate encryption on the crown jewels – and everything else
Your organization’s jewels are most likely data. As stated in the HPE Cyber Risk Report, “if surveillance manages time and again to seem like a white knight after terrorist incidents, encryption is often the dragon.” The implication being that even terrorists know how to protect their data with encryption.
Most organizations encrypt sensitive data, but if encryption is applied sparingly, then it can act as an attractant to attackers. Better to encrypt all data to avoid tipping off the importance of it, and slow down or even dissuade attackers who will have to spend resources differentiating between information they want and that which is useless to them.
- Trust, but verify
The US Army, in preparing an operations plan, looks at preparing for two courses of enemy action – the most likely and the most dangerous. While the most likely attacks are effectively confidence attacks against gullible users, the most dangerous is the malicious administrator. While we would all like to believe our employees are honest and follow company policies, the old Russian proverb, made famous by Ronald Reagan while negotiating strategic arms limitations, “trust, but verify” is applicable here as well.
For security leaders, that means leveraging privileged account management to limit, monitor and record what administrators can do or are doing. Priorities will vary by organization, depending on the types of threats they are facing and where investments have already been made. But if you’ve fallen behind in any of these five categories, consider what can be done to raise visibility before your luck runs out.
What am I doing to not leave it to luck?
There are so many passwords in our life, multiple passwords from our workplace, multiple passwords for personal, and even family members that may need assistance. Its almost impossible to remember it all and its also not recommended to have the same passwords or write it down.
I like to use a password manager, there are lots of them out in the market some free and some have monthly fees. Below are a list of a few password managers. But the problem is that password managers could also be compromised and someone malicious could then get access to ALL your accounts in one central location. To minimize this risk, I never put in the full password in the password manager, so this would minimize your account from getting into the wrong hands. For example if your password is “J0hn$Mith!”, in the password manager I would write “JohnSmith!”, which should remind me of my actual password. This same practice could be used for writing
password down also because the actual password isn’t actually being written down, just remember to safely secure the password.
Clipperz online password manager
Keeper Security | Best Personal and Business Password Manager
#1 Password Manager & Vault App, Enterprise SSO & MFA | LastPass
– Tommy, vCISO –
For more information on HI Tech Hui and the tips above, contact us.