Mitigate Security Risk: In an ideal scenario, organizations would be able to avoid hacking or cyber risk altogether. Because of the many routes into any given corporation, coupled with social engineering tactics, it is impossible to completely prevent hacking. Corporations can, however, reduce their attack surface to make themselves a less likely target.
First, let’s differentiate between opportunistic attacks and targeted attacks. Opportunistic attacks are largely automated, low-complexity exploits against known vulnerable conditions and configurations. Ever wonder why a small business with a small geographic footprint and almost no online presence gets compromised?
Chances are good they had just the right combination of issues that an automated attack bot was looking to exploit. These kinds of events can potentially be detrimental to a small-to-medium-sized business, while costing the attacker practically nothing.
Targeted attacks are a different story. These attacks are generally low, slow and persistent, targeting an organization’s technical defenses as well as its employees, partners and supply chain.
While targeted attacks may use some of the same exploitable conditions that opportunistic attacks use, they tend to be less automated in order to avoid detection for as long as possible. They may also rely on previously unknown exploit vectors, i.e. zero-days, far more often.
Ultimately, it doesn’t matter which of these two kinds of attacks results in a breach event, but it is important to consider both when aligning people, processes and technology to reduce that security risk.
While there have been many articles written regarding best practices for minimizing the security risk of a cybersecurity incident, the technical controls to minimize security risk have been largely under-reported. Provided all “table stakes” items are in place (i.e. a firewall, etc.), I believe these are the top six technical controls to deploy.
Patch and Update Consistently: Ultimately, the most hacker-resistant environment is the one that is best administered. Organizations are short-cutting system and network administration activities through budget/staff reductions and lack of training. This practice often makes it necessary to prioritize and choose which tasks will be done sooner, later or not at all.
Over time, this creates a large, persistent baseline of low-to-medium security risk issues in the environment that can contribute to a wildfire event under the right conditions. Lack of a complete asset inventory – both hardware and software – contributes to this security risk as applications and devices become unmanaged.
Keeping track of patching, end of support/life platform migrations, system/application updates, user administration and configuration management is cumbersome, time consuming, and typically undervalued; but this discipline, more than any other specific task, will minimize the risk of a company suffering a cyber event and substantially reduce its exposure to opportunistic attacks.
Email Security Risk: Email is the number one entry point for malware into the enterprise. Given all the data pointing to this as the root cause of many breach events, it should be the next place where organizations double down on reducing security risk.
It is important to take the time to be informed in this regard and understand what threats the email controls are preventing and what the remaining exposures are, so that a layered control model can be put into place.
Endpoint Detection and Response: Hackers know that eventually someone is bound to click on a link and infect themselves, under the right conditions or with the right scare tactics. The second most common malware infection vector is malicious web content, which is also triggered by an end-user action.
As a result, it makes sense to have a thorough suite of controls on the endpoints and servers in the environment to identify and shut down viruses, malware, and other potentially unwanted programs.
Making sure that all endpoints are under management and kept current will help prevent the whack-a-mole malware infections that persist in environments where controls are applied inconsistently.
Segmentation and Egress Filtering: Just because a hacker or a piece of malware makes its way into your environment, it doesn’t mean it should be able to spread to adjacent network nodes or obtain mission critical, regulated data.
Restricting the ability to move laterally within the network and to reach out of it, through controls such as firewall policies and mandatory use of proxy servers, is a frequently overlooked opportunity for enterprises to reduce their security risk, mitigate the effects of an incident and keep a network incident from becoming a public data breach.
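As an added illustration (not code from the article), the following Python audits firewall flow records against a constructed egress and segmentation policy of the kind described above: internal hosts may reach the Internet only through the proxy, may use only sanctioned DNS resolvers, and may reach the regulated segment only from an approved tier. Every address, range and flow is hypothetical.

```python
import ipaddress

# Constructed policy for a hypothetical network (not from the article):
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
PROXIES = {ipaddress.ip_address("10.0.1.10")}        # the only sanctioned path to the Internet
RESOLVERS = {ipaddress.ip_address("10.0.1.53")}      # the only DNS resolvers clients may query
REGULATED = ipaddress.ip_network("10.0.50.0/24")     # segment holding regulated data
ALLOWED_INTO_REGULATED = [ipaddress.ip_network("10.0.20.0/24")]  # application tier only

# Constructed flow records (src, dst, dst_port) as a firewall would log them;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the Internet.
SAMPLE_FLOWS = [
    ("10.0.5.12", "10.0.1.10", 3128),     # workstation -> proxy: compliant
    ("10.0.5.12", "203.0.113.80", 443),   # workstation straight to the Internet: violation
    ("10.0.5.12", "10.0.1.53", 53),       # DNS to the internal resolver: compliant
    ("10.0.5.13", "198.51.100.53", 53),   # DNS to an outside resolver: violation
    ("10.0.1.10", "203.0.113.80", 443),   # the proxy itself reaching the Internet: compliant
    ("10.0.20.4", "10.0.50.7", 1433),     # app tier -> regulated database: compliant
    ("10.0.5.12", "10.0.50.7", 1433),     # workstation -> regulated database: violation
]

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def check_flow(src, dst, dport):
    """Return None if the flow complies with the policy, otherwise the reason it does not."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not is_internal(s) or s in PROXIES:
        return None  # inbound traffic and the proxy's own egress are judged elsewhere
    if dport == 53 and d not in RESOLVERS:
        return "DNS to unsanctioned resolver"  # a common way data and malware beacons leak out
    if not is_internal(d):
        return "direct egress bypassing proxy"  # anything leaving without the proxy is a bypass
    if d in REGULATED and not any(s in net for net in ALLOWED_INTO_REGULATED):
        return "unauthorized access to regulated segment"
    return None

def audit(flows):
    """Return the non-compliant flows as (src, dst, dport, reason) tuples."""
    findings = []
    for src, dst, dport in flows:
        reason = check_flow(src, dst, dport)
        if reason:
            findings.append((src, dst, dport, reason))
    return findings
```

Run over real flow or NetFlow exports, a non-empty result means the written policy and the enforced policy disagree.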
Robust Detection Control Infrastructure: History has taught us that prevention-centered strategies will fail, and therefore that detective controls must be combined with them to minimize detection and remediation time.
Organizations should make certain they have a well-tuned SIEM/SOAPA/SOAR infrastructure as part of their security architecture, and that it is receiving logs that cover the internal network and applications as well as the perimeter. This includes tuning endpoint, network device and application logs so that the environment can detect and respond early.
Multi-factor Authentication: The majority of breaches involve the use of cracked, intercepted or otherwise disclosed authentication credentials at some point. Use strong multi-factor authentication methods by default wherever possible. Combined with the ability to detect and alert on failed login attempts, this practice can provide clues about which users may be the focus of targeted attacks.
Since many implementations of multi-factor/multi-step authentication involve cell phones for calls or SMS messages, this does require that users take steps to secure their mobile phones, particularly in an enterprise environment. Make sure that devices are fully patched, running only trusted/signed applications from reputable app stores and protected by a PIN or other access control.
Also use app-based authentication methods whenever possible, as opposed to SMS-based or phone call methods, to further protect against number port-out schemes. Such steps can help reduce the risk of business email compromise and maintain the authentication security of corporate social media accounts.
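As an added example that is not from the article, this Python scans constructed authentication log lines for the failed-login bursts mentioned above, reporting users who may be the focus of a targeted attack and whether a successful login followed the burst (a sign the credential was guessed). The log format, users and addresses are all made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real logs); one junk line shows the parser skipping it.
SAMPLE_LOG = """\
2024-03-01T08:00:01 login user=alice src=10.0.5.12 result=FAIL
2024-03-01T08:00:04 login user=alice src=10.0.5.12 result=FAIL
2024-03-01T08:00:09 login user=alice src=10.0.5.12 result=FAIL
2024-03-01T08:00:15 login user=alice src=10.0.5.12 result=FAIL
2024-03-01T08:00:40 login user=alice src=10.0.5.12 result=OK
2024-03-01T08:01:00 login user=bob src=10.0.7.3 result=FAIL
2024-03-01T09:30:00 login user=bob src=10.0.7.3 result=OK
2024-03-01T10:00:00 login user=carol src=203.0.113.9 result=FAIL
2024-03-01T10:00:01 login user=carol src=203.0.113.9 result=FAIL
2024-03-01T10:00:02 login user=carol src=203.0.113.9 result=FAIL
2024-03-01T10:00:03 login user=carol src=203.0.113.9 result=FAIL
this line is not an auth event and must be ignored
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Turn raw lines into (timestamp, user, src, result) tuples, skipping anything malformed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def find_targeted_users(events, threshold=4, window=timedelta(minutes=5)):
    """Users with >= threshold failures in a sliding window; a success right after suggests a guessed credential."""
    by_user = defaultdict(list)
    for ts, user, _src, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        fails = [ts for ts, r in evs if r == "FAIL"]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:
                j += 1  # extend the window forward from failure i
            if j - i >= threshold:
                last_fail = fails[j - 1]
                success_after = any(r == "OK" and last_fail < ts <= last_fail + window for ts, r in evs)
                alerts[user] = {"failures": j - i, "success_after_failures": success_after}
                break
    return alerts
```

In a SIEM the same logic becomes a correlation rule keyed on user and source; the users it surfaces are the ones to prioritize for app-based MFA and a credential reset.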
Cybersecurity has always been something of a race between attackers and defenders. Organizations that steadily and consistently execute on timely, data-driven decisions focused on risk reduction are more likely to succeed.