In the first half of 2017 there were 918 reported data breaches, exposing 1.9 billion data records worldwide, according to recent research. We've also seen a plethora of high-profile hacks at major organisations, plus the weaponisation of ransomware and other malware in the form of WannaCry and NotPetya. And now, according to an announcement from the technical director of the NCSC, an even worse “category one” attack is set to hit the UK. This attack, Levy argued, will be entirely preventable; for this reason, the NCSC is working to demystify cyber-security in the UK.
October is Cyber Security Month, so it is the perfect time to make changes and set some “cyber-security resolutions” within your organisation. I'd recommend getting back to basics with your security strategy to ensure you build a strong defence from the ground up. Many organisations spend too much money and time on a wide array of solutions that don't function well as a whole and don't provide a complete, integrated view of the risks to the environment. That's compounded by the well-publicised cyber-security skills shortage. Juggling solutions and platforms from many vendors also creates gaps through which attacks can be launched. The key is a layered approach to security, one founded on a handful of security controls that are globally accepted as the foundation for a high degree of security in any organisation.
Let's look at the root of the problem we're all facing. It's not very challenging in this day and age to take up the mantle of a cyber-attacker. Exploit kits are available online that simplify the cyber-attack process for even the most inexperienced of hackers. These kits include pre-written exploit code, and criminals will often even have access to support and updates, just like legal commercial software. Combine that with the online availability of sophisticated tools that were originally intended for cyber-espionage, and you've got a lethal petri dish of weapons in play.
Now, if patching were a solved problem and everyone's security ducks were in a row, there would at least be a chance to stem the tide. But as it is…
Software is inherently vulnerable: Think about it. Hundreds of thousands of lines of code, all written by humans. Humans make mistakes; nobody writes software completely free of errors and immune to potential attackers.
Older software means more vulnerabilities get exposed, and legacy software doesn't get patched: The longer software is out in the world, the more its inherent vulnerabilities get uncovered, exposed and exploited. Then this older software doesn't get patched. This isn't a hard-and-fast rule but, by and large, vulnerable legacy software doesn't receive the updates it needs.
Newer software isn't patched properly: Patches were available for supported Windows operating systems prior to WannaCry, and for unsupported systems after that attack. Yet post WannaCry—even with those patches available—organisations still fell victim to NotPetya a month later. Maybe they didn't have the tools in place to comprehensively patch their environments, or they had limited resources. Whatever the reason, patches being available doesn't mean they're being implemented properly.
This is why it's so important to protect yourself with a layered approach, and one that has you selecting fewer products as well, to save time and money while rapidly improving your security posture. Patching won't protect you against everything, but it's still the most important step in your cyber-security defence plan. If you can't patch (because you're running legacy systems, for example, or you're concerned that patching will break something in your environment), you need to block the applications that don't get patched with tools like application whitelisting and privilege management.
Regardless of how or where a user accesses their desktop, it's essential they receive only the authorised apps they need to be productive, and that they can't introduce unauthorised apps that could reduce desktop stability, impact security, breach licensing compliance, lead to user downtime, and increase desktop management costs. Some argue that application control is cumbersome and can cause disruption to users, but there are more granular, dynamic and automatic approaches available that provide adequate security without major drawbacks.
There are other layers to your cyber-security defences to consider. User education is vital to preventing those initial, potentially malware-laden phishing emails from getting in, while regular backups (including off-network copies, to protect against ransomware) will mitigate the risk of data loss. Correctly configuring Windows firewalls can also help to halt the spread of ransomware within the organisation. However, patching and application control should be first on the list for all organisations looking to fortify their defences against attack. They go a long way toward reducing your attack surface, enabling you to more easily take on the attacks that do get through, even with limited resources in place.
Major attacks make a global impact, and then organisations go back to the status quo. They probably patch the vulnerabilities that were the culprits, but they still don't take a hard look at how they patch going forward, or put in place a proactive security and incident response plan that can simplify and speed up the return to business as usual after an attack and make it far less likely that one will get through at all. The bedrock of a “back to basics” approach is that you should be building your security programme strategically rather than reactively or tactically.
Contributed by Amber Boehm, security evangelist at Ivanti
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.