“It's still a draw in the cyber-security war – the attackers get better resources as quickly as the corporate security team do.”
That was how Mark Kerrison, NNT CEO, opened a recent NNT panel discussion covering a range of cyber-security issues.
Recent reports show the majority of breaches only need to be active for a period measured in days. One third of these take what they want within minutes, e.g. user credentials. The rest remain active to steal data such as payment card data. By contrast, only 25 percent of breaches are discovered within a comparable period.
So breaches happen fast with damage done long before anybody knows anything about it. Better defences are needed, but faster/real-time breach detection is vital.
Why do we seem to be stuck in first gear when it comes to the cyber-security race?”
Why are hackers still able to exploit existing known vulnerabilities?
“Because too many of us make it easy for them!” said Mark Kedgley, CTO, New Net Technologies.
“The most successfully exploited vulnerabilities exist on older abandoned platforms such as Windows XP, with these still widely in use on some of the most lucratively rewarding systems such as Retail POS and banking ATMs.
The only conclusion is that change and cost-averse organisations are hanging on to outdated platforms. Unable to move from a legacy platform? The need for hardening and breach detection is even more acute as the only path available to increase security.
Adam Montville from CIS summarised the inequality of the struggle between defender and attacker: “The problem is that you, as the defender, need to be right all the time – the attacker only needs to be right once.”
Why do you need to understand the configuration of your IT estate?
David Froud, Principal Trainer, Core Concept Security adds: “An inventory of authorised devices is the number one Control in the CIS/SANS Top 20. You can't defend what you don't know you have – you are blind to what your security needs are.”
Kedgley responded: “Your knowledge needs to go beyond the platform, further than the software and versions installed, right through to the actual settings at a security policy-level where configuration vulnerability mitigation is enabled. Changes here could weaken hardened defences leaving you prone to attack – you need visibility at this level.”
Why do organisations tend to prioritise focus on perimeter defences at the expense of the actual systems that store sensitive data?
Montville suggested: “Most struggle to identify what the sensitive data is, where it is, and where it goes, whereas working with perimeter security is a relatively known quantity.”
Froud agreed with this, adding “It's easier, better understood, and usually manageable in-house. Network security is easier than end-system security and the skill-sets more prevalent.”
“Whilst it makes sense to focus on perimeter defences it also misses the point - ultimately the servers and desktops holding the data need to be protected.
“Buy extra bolts for your front door, sure, but get a safe for your valuables as urgently.”
What is the latest guidance with respect to Ransomware?
Froud suggests that defenders, “Follow the advice in frameworks like the CIS Controls which will have you doing things like whitelisting, training folks to see phishing attempts, and having good backups at the ready. Ransomware is not a dramatically new attack, just a monetised one.”
Kedgley comments: “We're back to the earlier question of Perimeter vs Endpoint. Ransomware targets the desktop through phishing emails with toxic web-links or malicious attachments. Our Ransomware Mitigation Kits first audit the desktop applications for vulnerabilities, then automatically harden the browser, office apps and email.”
Eliminating vulnerabilities by hardening comes with a health warning - what is the safest way to do it?
Kedgley and Froud agreed, with Froud saying: “There are three cooperative ways to mitigate this risk: Simplify, provide advanced information, and test.”
“Provide security requirements to your development team as early as possible. Better yet, have security personnel contributing to every development team. There needs to be as much early-stage consideration to security planning as there is to the sizing of hardware and network design.”
Froud concluded, “Get informed: Use resources like the learn.cisecurity.org website that provides free to use CIS Benchmark content.
“Beware buying security products too early and before you have properly understood what you are trying to secure, so make sure you get help. My pet phrase as a South African is ‘Build your fence higher than your neighbours’ – Cyber-attackers are lazy and will attack the easiest targets so make sure you are doing the basics well.”
Kedgley added: “With so much ground to cover and security best practices to implement, use automation to assess vulnerabilities and to remediate them. Use the untapped security measures you have at hand: implement CIS hardening measures - of course! - but make sure you leverage freely available extras such as Microsoft EMET, AppLocker and BitLocker which provide phenomenal added protection.”
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.