The top three causes of security breaches: Part 2 of 2

If you can harden your business so it is more secure than the next one, you're ahead of the game

In a previous article I introduced the three top causes of security breaches in 2011: SQL Injection, Weak Passwords and Social Engineering Attacks.

No mitigation strategy for these would be complete without first establishing success criteria. The objective is, therefore, to delay, hinder or otherwise deter an attacker from targeting your business.

This might mean setting up enough detection countermeasures so an attacker cannot make a move without being alerted, or hindering the attacker enough to buy you time to investigate and take appropriate action. Or you might make the whole operation too time consuming and complex to be worth the bother when there are other, softer, targets out there. To paraphrase an old Lord of the Rings joke - you don't have to be able to outrun the dragon, just the Halfling.

SQL injection is well over a decade old now, so thankfully our methods of addressing this vulnerability are relatively mature. The most obvious method is to prevent it in the first place. Teaching developers secure coding practices, and using development frameworks with embedded security controls (.NET) or secure APIs (OWASP's ESAPI), are probably the best preventative measures.

Validate the data going into your applications, and escape the data going out to the database. Use parameterised queries and stored procedures on your database, and configure it so that the application's access is limited to only the data it requires. Reactive measures could include the use of source code analysis tools (a relatively mature market offering now) and web application firewalls that integrate database monitoring.
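The difference between a concatenated query and a parameterised one, as an added illustration that is not from the original article: the constructed in-memory SQLite table, the user names and the `lookup_*` helpers are assumptions made for the demonstration, and the allowlist check stands in for the input validation the text recommends.

```python
import re
import sqlite3

# Constructed sample data for the demonstration only.
SAMPLE_USERS = [("alice", "admin"), ("bob", "staff"), ("carol", "staff")]
TAUTOLOGY = "x' OR '1'='1"  # classic input that alters an unparameterised query


def make_db():
    """Build an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable form: the value is spliced into the SQL text, so the input
    # can change the structure of the statement rather than just its data.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    # Hardened form: the driver sends the value separately from the statement,
    # so whatever the input contains is only ever compared as a string.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allowlist validation at the application boundary (assumed username policy):
# lowercase letter first, then letters, digits or underscore, 3 to 32 chars.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def lookup_hardened(conn, username):
    # Validate first, then use the parameterised query: both layers together.
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_parameterised(conn, username)


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, TAUTOLOGY))         # every row comes back
    print(lookup_parameterised(db, TAUTOLOGY))  # [] - treated as a literal name
```

Restricting the application's database account to the tables and operations it needs, as the text also recommends, is a database configuration step and is not shown here.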

Weak passwords - much like social engineering - are a more difficult problem because they contend with human nature. The war against weak passwords is largely lost. In line with recommendations, password length has been moving beyond 12 characters, but this is well beyond most people's ability to remember. It means people often resort to predictable passwords, and this has been exacerbated even further by password aging and the inability to reuse previous passwords.

Despite this, password lengths under 12 characters can generally be defeated. If your environment or application is sensitive, you'll also want something more than a password. Separate access to critical infrastructure and applications by using trusted networks and DMZs. Use bastion hosts where all users must authenticate at least once, preferably using a form of 'step-up' authorisation - such as two factor authentication.

Smartcards are becoming more trusted than hard or soft tokens, but even these can be defeated. Password aging ensures that if passwords become known, there is a time limit on how long they can be used. Greater password length and complexity also increase the time required for brute force attacks. However, applying any of these unilaterally across your entire enterprise is costly and inefficient, and typically raises the ire of users, so prioritise your targets and, to paraphrase Seraph from The Matrix, "Protect that which matters most."

Social engineering is by far the most challenging security risk. Educating your users should be done - not opening attachments from strangers, watching for strangers tailgating through secure areas - there is a long list of areas to consider. I might be alone here, but generally, I don't think it really works. I still agree it's a useful exercise to require staff to undergo some form of security awareness training, but the reality is, someone won't stick to it, while still others will be blissfully ignorant. I really wouldn't put too much effort into it. Try to make it a standardised training program that all new staff go through, and must complete at least once every year or so. I would put a far greater emphasis on exploring the probable results of a compromise and how to prevent it.

Staying up to date with incident reports and following attack trends is crucial to building defences that actually work. File attachments must be scanned, preferably using tools that offer a sandbox environment; don't rely on pure signature detection. Restrict administrator access to desktops, except for key staff. Harden all desktops and ensure all internet access is via proxies, logged and monitored regularly. Set up intrusion prevention systems at key internal nodes to monitor (and prevent) 'abnormal' connections.

Some of these approaches will become far more common as enterprises increasingly permit employee-owned assets on the network. You are unlikely to prevent everyone from opening up malicious attachments, but you can diminish the ability of any one user to compromise the network.

As mentioned, nobody can build a bullet-proof network, any more than it is possible to design an unbreakable safe. But if you can harden your business so it is more secure than the next one, you're ahead of the game.

Stories by Jarrod Loidl