The recent spate of high-profile spear-phishing attacks has put paid to any illusion that large organisations and their imposing defences are impenetrable.
The New York Times and The Washington Post in particular have come forward and described the trouble they faced, as the new tactics adopted by cyber-criminals prove more and more difficult to defend against.
As the success rate of blanket phishing attacks has declined, hackers are turning to more targeted and time-consuming spear-phishing campaigns. The ubiquity of social media, and the ease with which it lets strangers gather personal detail, means that cyber-criminals can target individuals with far more credible and sophisticated lures. Having failed to scale the ramparts, hackers are ditching their grappling hooks in favour of a silver tongue that gets them in through the main gates.
Since the major defences have proved fallible, organisations must now attend to the smaller elements of their business, mirroring the approach the hackers take. A combination of education and technology is required to gain the upper hand over spear-phishing.
It is imperative that organisations take every reasonable measure to safeguard every element of their business. The good news is that the simple, intermediate controls are the ones with the biggest impact, yet they are routinely overlooked in favour of expensive security projects.
One of the key ways for companies to improve their defences is to create, and closely adhere to, a checklist of basic security hygiene. Mine includes:
- Promptly apply security patches to keep software up to date
- Harden software configurations
- Curtail admin privileges for users
- Use 2-factor authentication for remote access services
- Change default admin passwords
- Prohibit web browsing from admin accounts
Similarly, the Centre for the Protection of National Infrastructure (CPNI) in the UK and the Center for Strategic & International Studies (CSIS) in the US have released a list of 20 critical security controls for defending against the most common types of attack. The first controls on the list are inventories of authorised and unauthorised devices and software, secure configurations for hardware and software, and continuous vulnerability assessment and remediation.
The U.S. Department of State, NASA, Goldman Sachs, OfficeMax and others have been using that Top 20 list and seeing results. For example, the State Department applied the guidelines to 40,000 computers at 280 sites around the world, and its figures showed that within the first nine months measured risk fell by 90 per cent for the computers affected.
In Australia, the Department of Industry, Innovation, Science, Research and Tertiary Education, applying the equivalent guidance from the country's defence agency, reported that it had eliminated 85 per cent of the incident types it had previously suffered and blocked malware it would have missed before, without buying additional software or tightening restrictions on end users.
The hardest part of these efforts is getting IT administrators enthused enough to participate and drive the initiatives. IT admins are already overworked, so presenting the work as strengthening existing security measures, rather than as additional responsibilities, makes it more attractive. There are also ways to motivate users beyond reminding them that cleaning up after an attack is much harder than preventing one. Here are some ideas:
Make it fun. One engineer at NASA has boosted participation by awarding badges, points and other merits as if it were a game, giving employees incentive to compete for the highest score.
Grade it. The Department of State assigns each of its sites a letter grade for various aspects of security and compliance, weighted by the risk each represents. For instance, a site with software missing critical patches, or with infrequent vulnerability scanning, earns a lower grade.
Show them the money. The biggest incentive of all would be offering bonuses or time off for quantifiable improvements in security and reduced risk.
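To make the hygiene checklist above and the "grade it" idea concrete, here is an added example (my own illustration, not code from the article, from the State Department or from Qualys) that audits a constructed host inventory against the checklist items and turns the findings into a letter grade. The patch and scan SLAs, the default-password list, the finding weights and the grade boundaries are all assumptions chosen for illustration; a real programme would set them from its own risk appetite.

```python
"""Audit hosts against a basic hygiene checklist and assign letter grades.

Constructed example: the inventory, thresholds and weights are assumptions,
not data or policy from any real organisation.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds (illustrative, not from the article).
PATCH_SLA_DAYS = 30      # a host must have been patched within this window
SCAN_SLA_DAYS = 7        # and vulnerability-scanned within this window
DEFAULT_PASSWORDS = {"", "admin", "password", "changeme", "letmein"}

# Assumed weights: how many points each failed checklist item costs.
SEVERITY = {
    "default-password": 40,   # unchanged default admin password
    "remote-no-mfa": 30,      # remote access service without 2-factor auth
    "patching": 20,           # overdue or missing critical patches
    "admin-browsing": 15,     # admin account seen browsing the web
    "vuln-scan": 10,          # vulnerability scan older than the SLA
}


@dataclass
class Host:
    """One row of a (constructed) inventory. Storing a password like this is
    only for the sake of the example; an audit would test the credential,
    not keep it."""
    name: str
    last_patched: date
    last_vuln_scan: date
    missing_critical_patches: int
    admin_password: str
    admin_accounts: list[str]
    browsing_accounts: list[str]        # accounts seen in web-proxy logs
    remote_services: dict[str, bool]    # service name -> MFA enforced?


def audit(host: Host, today: date) -> list[str]:
    """Return the checklist items the host fails, in a fixed order."""
    findings: list[str] = []
    overdue = (today - host.last_patched).days > PATCH_SLA_DAYS
    if host.missing_critical_patches > 0 or overdue:
        findings.append("patching")
    if (today - host.last_vuln_scan).days > SCAN_SLA_DAYS:
        findings.append("vuln-scan")
    if host.admin_password.lower() in DEFAULT_PASSWORDS:
        findings.append("default-password")
    if set(host.admin_accounts) & set(host.browsing_accounts):
        findings.append("admin-browsing")
    if any(not mfa for mfa in host.remote_services.values()):
        findings.append("remote-no-mfa")
    return findings


def grade(findings: list[str]) -> tuple[str, int]:
    """Map findings to a (letter, score) pair; 100 is a clean host."""
    score = max(0, 100 - sum(SEVERITY[f] for f in findings))
    for letter, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if score >= floor:
            return letter, score
    return "F", score


def report(hosts: list[Host], today: date) -> dict[str, tuple[str, int, list[str]]]:
    """Grade every host; the result is what a scoreboard would display."""
    out = {}
    for host in hosts:
        findings = audit(host, today)
        letter, score = grade(findings)
        out[host.name] = (letter, score, findings)
    return out


# Constructed inventory for the example.
TODAY = date(2013, 3, 1)
SAMPLE_HOSTS = [
    Host("web01", date(2013, 2, 20), date(2013, 2, 27), 0, "Tr0ub4dor&3",
         ["root"], ["alice"], {"ssh": True, "vpn": True}),
    Host("hr-fileserver", date(2013, 1, 10), date(2013, 2, 26), 0, "admin",
         ["Administrator"], ["Administrator", "bob"], {"rdp": False}),
    Host("jumpbox", date(2013, 2, 25), date(2013, 2, 10), 0, "c0rrect-horse",
         ["ops"], ["ops"], {"ssh": True}),
]

if __name__ == "__main__":
    for name, (letter, score, findings) in report(SAMPLE_HOSTS, TODAY).items():
        print(f"{name:14} {letter} ({score:3d})  {', '.join(findings) or 'clean'}")
```

The ordering of weights is the point worth arguing over in practice: an unchanged default password or an unauthenticated remote service is an open door, so they cost more than a stale scan, and a host with both drops straight to an F regardless of how well it is patched.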
The natural reaction of an organisation faced with a new security threat is often to procure new and expensive software. A marquee purchase may well win points with a board of directors, but it will not discourage a hacker. Organisations need to put more obstacles in the hackers' way until launching an attack becomes too great a drain on their resources to be worthwhile.
Bear in mind that the whole is only as strong as its parts. By ensuring that each individual cog of an organisation is secure, the body as a whole is made stronger. Taking smaller, more targeted measures counters the very tactics the hackers are using to infiltrate organisations.
Wolfgang Kandek is CTO of Qualys