The Backbone

Security fundamentals form a line of protection

For many years, the sage advice for cybersecurity leaders has been to take a layered approach to security, and those words have served the industry well. Unfortunately, cracks in those layers continue to leave organizations vulnerable to security attacks.

In SecureWorks’ 2017 Cybersecurity Threat Insights Report, we found those cracks are often the result of failing to implement basic security hygiene—the effective combination of people, processes and technologies to protect systems and data. Strong security hygiene requires knowing your assets, your data, and the controls protecting them. Yet in the report, our examination of 163 incident response engagements during the first half of 2016 uncovered failures ranging from poor patch management to a failure to protect the extended enterprise to ineffective preparation for incident response.

To understand what organizations need to do to prioritize the right areas for security spending and what can be done to more effectively prevent, remediate and respond to threats, cybersecurity leaders need to start with the fundamentals.

While much of the media focus is often on sophisticated, targeted attacks, the vast majority of the incidents for which SecureWorks was engaged in the first half of 2016 (88 percent) were opportunistic attacks that did not target a specific organization. Among the incidents in the report in which the initial access vector was known, phishing was used 38 percent of the time, making it the most common attack methodology used by attackers. Scan and exploit was the second most common at 22 percent, while strategic web compromises and credential abuse comprised 21 percent and 15 percent, respectively. Removable media was involved in four percent of the incidents.

In terms of defense, the implication here is clear: organizations need to put an emphasis on addressing the challenge posed by phishing. Part of that requires educating and training employees to spot phishing emails when they hit their inboxes. Often, there are telltale signs—misspellings, requests for the recipient to do something out of the norm, etc.—but sometimes there are not. In targeted attacks, spear-phishing emails can be even sneakier than most. It is common for advanced threat groups to perform extensive reconnaissance on their targets before launching an attack, allowing them to create convincing emails that take into account details such as the recipient’s job duties and what IT assets and data they have access to. With that kind of information at an attacker’s disposal, it is likely that someone in the organization will fall victim, making anti-phishing technologies like email filtering critical.

Phishing can often lead to credential theft. Once a phisher has a victim’s username, password or authentication information, they can abuse it to gain access to an account, service or network and take other actions—including data theft. In one incident noted in the report, a threat actor compromised a third-party organization providing help desk services to its true target. After compromising the third-party environment, the threat actor accessed their actual target. Once inside, the adversary gained access to administrator accounts, used them to access Citrix servers, and stole credentials from those servers for other systems. Protecting user credentials and enforcing best practices regarding passwords and passphrases is a critical part of security. Another critical part is controlling user access and privileges. To prevent potential abuse by attackers or insider threats, user privileges should be limited to the lowest level necessary—a strategy that could cause culture clashes between the organization and users accustomed to not being limited, but also one that could keep an attack from spreading if a machine is compromised.

Strategic web compromises involve attackers infecting legitimate websites their targets are likely to visit in hopes of infecting their computers when they do. These types of drive-by download attacks are particularly sneaky because they take advantage of the trust the visitor has in the site. Although they sometimes use zero-days, the vulnerabilities they exploit are more often known issues the attacker is hoping the target has not yet patched. As a result, protecting against these types of attacks starts with an effective patch management strategy that identifies the vulnerabilities affecting your IT environment and rolls out the appropriate updates as promptly as possible.

Organizations should scan their networks and develop an inventory of their software and devices, then prioritize their patching according to the risk of an attack and the damage it could do if successful. In addition, vulnerability management extends to weaving security into the app development process and ensuring the safety of non-commodity code developed internally or by a third-party partner.
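The risk-based prioritization described above can be made concrete. The following is an added example, not code from SecureWorks or the report: it takes a constructed software inventory and a constructed list of open findings and orders the patch queue by a score that combines severity with Internet exposure, known exploitation and asset criticality. The weight tables, hostnames, software names and `VULN-PLACEHOLDER-n` identifiers are all assumptions chosen for illustration. It also surfaces two failure modes a scan-driven program runs into: findings for hosts missing from the inventory, and findings that do not match what is actually installed.

```python
"""Risk-based patch prioritization over a constructed asset inventory.

Added example (not SecureWorks' code). Weights and sample data are
assumptions for illustration; finding identifiers are placeholders.
"""
from dataclasses import dataclass

# Assumed weights: exposure and active exploitation raise urgency,
# low-criticality assets lower it. Tune these to your own risk model.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}
INTERNET_FACING_MULTIPLIER = 1.5
EXPLOITED_MULTIPLIER = 2.0


@dataclass
class Asset:
    hostname: str
    software: dict           # name -> installed version, from the inventory scan
    internet_facing: bool    # reachable from the Internet (scan-and-exploit target)
    criticality: str         # "high", "medium" or "low"


@dataclass
class Finding:
    asset: str               # hostname the finding applies to
    vuln_id: str             # placeholder identifier (not a real CVE)
    software: str            # affected software name
    cvss: float              # 0.0 - 10.0 base severity score
    exploited_in_wild: bool
    patch_available: bool


def risk_score(asset: Asset, finding: Finding) -> float:
    """Severity scaled by how likely exploitation is and how much it would hurt."""
    score = finding.cvss
    if asset.internet_facing:
        score *= INTERNET_FACING_MULTIPLIER
    if finding.exploited_in_wild:
        score *= EXPLOITED_MULTIPLIER
    score *= CRITICALITY_WEIGHT[asset.criticality]
    return round(score, 2)


def prioritize(assets, findings):
    """Return (queue, gaps): queue is highest risk first with a recommended
    action; gaps lists findings on hosts absent from the inventory."""
    by_host = {a.hostname: a for a in assets}
    queue, gaps = [], []
    for f in findings:
        asset = by_host.get(f.asset)
        if asset is None:
            # The scanner saw a host the inventory does not know about:
            # that is an inventory failure to fix, not a finding to drop.
            gaps.append((f.asset, f.vuln_id))
            continue
        if f.software not in asset.software:
            # Finding references software not installed here: stale scan data.
            continue
        action = "patch" if f.patch_available else "mitigate"
        queue.append((asset.hostname, f.vuln_id, risk_score(asset, f), action))
    # Highest score first; hostname as tie-breaker for stable output
    queue.sort(key=lambda row: (-row[2], row[0]))
    return queue, gaps


# Constructed sample inventory and findings (not real hosts or vulnerabilities)
ASSETS = [
    Asset("web-01", {"nginx": "1.14.0", "openssl": "1.1.0"}, True, "high"),
    Asset("hr-db-01", {"postgres": "9.6"}, False, "high"),
    Asset("kiosk-07", {"browser": "58.0"}, False, "low"),
]
FINDINGS = [
    Finding("web-01", "VULN-PLACEHOLDER-1", "openssl", 7.5, True, True),
    Finding("hr-db-01", "VULN-PLACEHOLDER-2", "postgres", 9.8, False, True),
    Finding("kiosk-07", "VULN-PLACEHOLDER-3", "browser", 8.8, True, False),
    Finding("web-01", "VULN-PLACEHOLDER-4", "apache", 9.0, False, True),   # stale
    Finding("ghost-99", "VULN-PLACEHOLDER-5", "smb", 8.1, True, True),     # unknown host
]

if __name__ == "__main__":
    queue, gaps = prioritize(ASSETS, FINDINGS)
    for host, vuln, score, action in queue:
        print(f"{score:6.2f}  {host:10s} {vuln:22s} {action}")
    for host, vuln in gaps:
        print(f"INVENTORY GAP: {host} has finding {vuln} but is not in the asset list")
```

Note that the Internet-facing, actively exploited medium-severity issue on `web-01` outranks the critical-severity but internal database finding, which is the point of weighting by exposure rather than by severity alone. The unmatched `ghost-99` host is reported separately because an inventory gap is itself one of the hygiene failures the report describes.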

Of course, corporate security teams are hardly the only ones doing vulnerability scans. In the case of the recent WannaCry ransomware attacks, for example, the threat actors scanned Internet IP addresses for machines vulnerable to a Microsoft Windows vulnerability. This type of high-volume scanning of Internet-facing systems is a common way for threat actors to find systems they can exploit, and as noted above, was observed in nearly a quarter of the incidents examined in the report. One of the reasons the ransomware spread so quickly was that many organizations did not promptly apply Microsoft’s update despite it having been available since March. Buying the latest technology will not solve the problem posed by an insecure Web server left accessible via the Internet.

Building a Solid Base

The bottom line is that organizations need to take a risk-based approach to security that goes beyond regulatory compliance. Our Threat Insights Report outlines a number of recommendations.

Understand the extended enterprise. Take a data-centric approach. Define your key assets, know where they reside and who has access to them, including third parties.

Increase visibility. By collecting and monitoring security events, you will be able to reduce the time it takes to detect and respond to incidents as well as identify trends within the infrastructure. At a minimum, maintain logs on the following systems for 13 months: firewall, IDS/IPS, DNS, VPN, Active Directory, Web Services and critical servers and systems.

Build a culture of security. Everyone within the organization must take responsibility for protecting information. This involves getting buy-in from C-level leaders as well as other parts of the business outside IT in order to sell the importance of smart security behaviors.

Train your users. Employees unfortunately remain the weakest link. Phishing and social engineering remain popular for attackers seeking to infect enterprises and SMBs alike. Training employees to spot suspicious behavior can significantly improve your ability to block malicious activity.

Too often, the answer for these challenges is to buy the latest technology. However, to truly improve their security, chief information security officers need to focus more on people and processes. One of the mistakes many CISOs make is to take a compliance-first approach to security. Taking that type of checkbox approach does not best serve the organization. When it comes to cybersecurity, compliance should be thought of as a floor as opposed to a ceiling. For example, SecureWorks has talked to security teams at financial institutions who spent as much as 40 percent of their time on compliance initiatives rather than security initiatives that matter to their organizations. Ironically, putting a strong emphasis on security will address most compliance requirements.

Cybersecurity is not a problem that can be solved with technology alone. Developing an effective security strategy means understanding your needs, where your critical data and assets are, and what the risk levels are to that information and those devices. It means training employees, building an effective patch management program, and operationalizing threat intelligence to harden your defenses. It means implementing strategies like strong passwords and multi-factor authentication to control access to critical systems. Whether sophisticated attackers are at your doorstep or not, it won’t take any sophistication to break in if the door is unlocked.

This article originally appeared in the August 2017 issue of Security Today.
