Chances are your latest data breach could have been prevented. Hackers typically exploit well-known vulnerabilities. Zero-day attacks are actually quite rare, especially for commercial enterprise targets. Companies still struggle to have a realistic picture of their defenses; to know where the gaps are you must better understand your risks. The best defenses are built on how well companies connect the dots and do all of the little things to fortify their infrastructure. Back-to-basics measures and consistent follow-through combine to create a more powerful defense than some of the latest next-generation technologies. It’s remarkable how many companies still don’t line up their security risks with their efforts and investments.
If you’re counting solely on signature-based solutions to protect your company from ransomware, Trojan horses, and malware, you should also count on falling prey to a data breach. These endpoint attacks can be repackaged just enough to evade anti-virus signatures. Threat actors and their exploits are constantly evolving; they perfect specific mechanisms and tactics in order to catch systems and people off guard. However, the overarching strategies remain similar from year to year. Cyber defenses should address core vulnerabilities and threat vectors, no matter the packaging.
Most Data Breaches Are Preventable
State-sponsored hackers wielding intricate cyber kill chains and zero-day attacks against critical targets are making headlines recently, and are a growing concern for governments, utilities, and manufacturing enterprises. But as Gartner points out, outside of these specific scenarios, zero-day vulnerabilities account for less than 0.1% of attacks. Unless your organisation has unlimited resources, zero days should not be a top concern. It’s much cheaper for hackers to create variants of existing exploits than to build new ones, especially as they continue to be effective after they are widely publicised. According to Gartner, 99 percent of exploits leverage vulnerabilities that IT and security professionals have known about for at least a year.
The most common malware of the last few years, Conficker, was first identified in 2008, yet still shows up in approximately 15 percent of recognised attacks. Lapses in basic cyber hygiene are maddeningly common: Verizon’s 2017 DBIR found that 66% of malware is installed through malicious email attachments, and 81% of hacking-related breaches exploited stolen or weak passwords. While these statistics (and the fact that Verizon’s investigations have highlighted the same trends for several years in a row) must be frustrating to security professionals, they should also be encouraging. Security awareness training and back-to-basics cyber defenses like patching, encryption, access privilege and application management, multi-factor authentication, and integrity monitoring will go a long way toward addressing the core vulnerabilities that hackers target.
A Risk-Based Approach to Closing the Gaps
Of course, it’s much easier to list the “security basics” than to execute on them. It isn’t practical, for example, to patch everything all the time. The complexity of most businesses (e.g., supply chains, mobile workers, IoT, and big data management) makes it difficult to see gaps in defenses.
Even when gaps are identified, there are competing interests to weigh, like usability versus security. You have to figure out what you can fix (given resources and control) and what fixes will make the most impact (hint: it’s not zero-day defense).
The answer is to employ a risk-based approach. Focus on vulnerabilities currently being exploited in the wild (e.g., Conficker, Zeus, Locky, and other Top Ten regulars). Pay attention to trends specific to your industry or business model: ransomware is hitting hospitals hard; universities and manufacturers are seeing a rise in espionage; hotel POS systems are popular targets. Hackers target widely installed products (e.g., Microsoft Windows) and lucrative data (POS systems, intellectual property, insider trading intel, and health records). Most attacks are financially motivated (73%) or related to espionage (21%), so consider which of your data assets make the juiciest prize and defend them from multiple angles (including incident response and recovery).
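As an added illustration of the risk-based triage described above (example code written for this page, not the author's or Promisec's), the following Python ranks a constructed set of findings: known-exploited, internet-exposed, high-value assets rise to the top, and flaws on systems the organisation cannot patch itself are routed to a compensating-controls list instead of the patch queue. The weights, host names and advisory identifiers are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    advisory: str            # placeholder identifier, not a real CVE
    exploited_in_wild: bool  # appears on an in-the-wild / "Top Ten" exploit list
    internet_exposed: bool
    asset_value: int         # 1 (low) .. 5 (crown jewels, e.g. POS, health records)
    years_known: float       # age of the public advisory
    under_our_control: bool  # False for vendor-managed or locked-down appliances

def risk_score(f: Finding) -> float:
    """Weight known-exploited, exposed, high-value, long-public flaws highest.
    The weights are assumptions chosen for illustration."""
    score = f.asset_value * 10.0
    if f.exploited_in_wild:
        score *= 3            # active exploitation dominates every other factor
    if f.internet_exposed:
        score *= 1.5
    score += min(f.years_known, 3.0) * 5   # old public bugs are cheap to weaponise
    return score

def prioritise(findings):
    """Return (patch_now, compensate) lists, each ordered by descending risk.
    Findings outside our control need compensating controls, not a patch ticket."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    patch_now = [f for f in ranked if f.under_our_control]
    compensate = [f for f in ranked if not f.under_our_control]
    return patch_now, compensate

# Constructed sample inventory for illustration only.
SAMPLE = [
    Finding("pos-terminal-01", "ADV-0001", True, False, 5, 1.5, True),
    Finding("web-fe-02", "ADV-0002", False, True, 3, 0.2, True),
    Finding("file-srv-03", "ADV-0003", True, False, 2, 8.0, True),
    Finding("vendor-hvac-04", "ADV-0004", True, True, 4, 2.0, False),
    Finding("dev-laptop-05", "ADV-0005", False, False, 1, 0.1, True),
]

if __name__ == "__main__":
    patch, comp = prioritise(SAMPLE)
    for f in patch:
        print(f"PATCH      {f.host:16} {f.advisory} score={risk_score(f):.1f}")
    for f in comp:
        print(f"COMPENSATE {f.host:16} {f.advisory} score={risk_score(f):.1f}")
```

Swapping the constructed inventory for a real vulnerability-scanner export and an actual known-exploited list is the only change needed to use this on live data.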
Defense in the Details
There’s a lot of threat intelligence available to IT security teams, but it’s woefully underutilized. Understanding which trends are most relevant to and risky for your business, tracking exploits in the wild, learning from others’ mistakes, and evaluating emerging approaches helps direct efforts and resources to greater effect. While new solutions that make big promises are appealing, they are often not the best fit. They may be too expensive to staff, impractical to deploy across the enterprise, or too focused on one end of the prevention-detection spectrum. Penetration testing, for example, requires significant staff time, is often limited in duration and scope, and isn’t performed frequently enough.
In the meantime, there are many proven endpoint protections that can be implemented in combination to provide a customized range of prevention and detection capabilities. In addition to signature-based solutions, patching, and threat intelligence, companies should consider: application control (whitelisting); memory protection against scripted attacks delivered through websites and apps; isolation (sandboxing); activity and behavior monitoring; bug bounties; and algorithmic file monitoring (training endpoints to recognize suspicious elements).
Hardening the Target
In general, hackers are looking for soft targets and low-hanging fruit by testing for commonly known configuration issues and vulnerabilities. Upon finding no simple attack vectors, the bad actor will often move on to weaker prey before wasting time and resources on a business that looks like it knows what it’s doing. For this reason, small-to-medium-sized businesses should make sure they do everything within their means to strengthen their security posture and wrap protection around their most valuable assets. Hoping to fly under the radar has never been a viable cyber security plan, but the more big business cyber security practices mature, the more vulnerable smaller organizations become. In this year’s Verizon DBIR, 61% of breach victims employ fewer than 1,000 people.
For larger companies, falling prey to preventable data breaches is increasingly damaging, especially if security failures are perceived as negligence. Brand reputation, customer trust, partner and supply chain relationships, legal and compliance status, and stock values are all on the line – not to mention operations downtime, data loss, and intellectual property theft.
In the end, many data breaches can be prevented through better basic cyber hygiene, procedural discipline, and enterprise-wide accountability. Train employees to spot warning signs and social engineering ploys. Allow access to data on a strict as-needed basis. Use multi-factor authentication and encryption to protect valuable data and systems. Enhance physical security and prepare for device loss and theft. Thoroughly assess third-party vendors and hold them to security requirements. And deploy high priority patches quickly.
Your next data breach is preventable. What security basics need your attention? Where would some consistent follow-through make a significant difference? What vulnerabilities do you hold that are being exploited in the wild? Probing with these questions and acting on the answers is a manageable way for organizations of all kinds to mature their endpoint security and stand ready to protect their assets and customers.
Simo Kamppari is CEO of Promisec, a pioneer in endpoint agentless visibility and remediation.