The Backbone

The Backbone

Security fundamentals form a line of protection

For many years, the sage advice for cybersecurity leaders has been to take a layered approach to security, and those words have served the industry well. Unfortunately, cracks in those layers continue to leave organizations vulnerable to security attacks.

In SecureWorks’ 2017 Cybersecurity Threat Insights Report, we found those cracks are often the result of failing to implement basic— the effective combination of people, processes and technologies to protect systems and data. Strong security hygiene requires knowing your assets, your data, and the controls protecting them. Yet in the report, our examination of 163 incident response engagements during the first half of 2016 uncovered failures ranging from poor patch management to a failure to protect the extended enterprise to ineffective preparation for incident response.

To understand what organizations need to do to prioritize the right areas for security spending and what can be done to more effectively prevent, remediate and respond to threats, cybersecurity leaders need to start with the fundamentals.

While much of the media focus is often on sophisticated, targeted attacks, the vast majority of the incidents for which Secure- Works was engaged in the first half of 2016 (88 percent) were opportunistic attacks that did not target a specific organization. Among the incidents in the report in which the initial access vector was known, phishing was used 38 percent of the time, making it the most common attack methodology used by attackers. Scan and exploit was the second most common at 22 percent, while strategic web compromises and credential abuse comprised 21 percent and 15 percent, respectively.

Removable media was involved in four percent of the incidents.

In terms of defense, the implication here is clear: organizations need to put an emphasis on addressing the challenge posed by phishing. Part of that requires educating and training employees to spot phishing emails when they hit their inboxes. Often, there are telltale signs—misspellings, requests for the recipient to do something out of the norm, etc.—but sometimes there are not. In targeted attacks, spear-phishing emails can be even more sneaky than most. It is common for advanced threat groups to perform extensive reconnaissance on their targets before launching an attack, allowing them to create convincing emails that take into account details such as the recipient’s job duties and what IT assets and data they have access to. With that kind of information at an attacker’s disposal, it is likely that someone in the organization will fall victim, making anti-phishing technologies like email filtering critical.

Phishing can often lead to credential theft. Once a phisher has a victim’s username, password or authentication information, they can abuse it to gain access to an account, service or network and take other actions—including data theft. In one incident noted in the report, a threat actor compromised a third-party organization providing help desk services to its true target. After compromising the third-party environment, the threat actor accessed their actual target. Once inside, the adversary gained access to administrator accounts, used them to access Citrix servers, and stole credentials from those servers for other systems. Protecting user credentials and enforcing best practices in regards to passwords/passphrases is a critical part of security. Another critical part is controlling user access and privileges. To prevent potential abuse by attackers or insider threats, user privileges should be limited to the lowest level necessary— a strategy that could cause culture clashes between the organization and users accustomed to not being limited, but also one that could impair an attack from spreading if a machine is compromised.

Strategic web compromises involve attackers infecting legitimate websites their targets are likely to visit in hopes of infecting their computers when they do. These types of drive-by download attacks are particularly sneaky because they take advantage of the trust the visitor has in the site. Although they sometimes use zerodays, the vulnerabilities are likely known issues the attacker is hoping the target has not yet patched. As a result, protecting against these types of attacks starts with an effective patch management strategy that identifies the vulnerabilities affecting your IT environment and rolls out the appropriate updates as promptly as possible.

Organizations should scan their networks and develop an inventory of their software and devices, then prioritize their patching according to the risk of an attack and the damage it could do if successful. In addition, vulnerability management extends to weaving security into the app development process and ensuring the safety of non-commodity code developed internally or by a third-party partner.

Of course, corporate security teams are hardly the only ones doing vulnerability scans. In the case of the recent Wanna- Cry ransomware attacks for example, the threat actors scanned Internet IP addresses for machines vulnerable to a Microsoft Windows vulnerability. This type of highvolume scanning of Internet-facing systems is a common way for threat actors to find systems they can exploit, and as noted above, was observed in nearly a quarter of the incidents examined in the report. One of the reasons the ransomware spread so quickly was that many organizations did not promptly apply Microsoft’s update despite it having been available since March. Buying the latest technology will not solve the problem posed by an unsecure Web server left accessible via the Internet.

Building a Solid Base

The bottom line is that organizations need to take a risk-based approach to security that goes beyond regulatory compliance. Our Threat Insights Report outlines a number of recommendations.

Understand the extended enterprise. Take a data-centric approach. Define your key assets, know where they reside and who has access to them, including third parties.

Increase visibility. By collecting and monitoring security events, you will be able to reduce the time it takes to detect and respond to incidents as well as identify trends within the infrastructure. At a minimum, maintain logs on the following systems for 13 months: firewall, IDS/IPS, DNS, VPN, Active Directory, Web Services and critical servers and systems.

Build a culture of security. Everyone within the organization must take responsibility for protecting information. This involves getting buy-in from C-level leaders as well as other parts of the business outside IT in order to sell the importance of smart security behaviors.

Train your users. Employees unfortunately remain the weakest link. Phishing and social engineering remain popular for attackers seeing to infect enterprises and SMBs alike. Training employees to spot suspicious behavior can significantly improve your ability to block malicious activity.

Too often, the answer for these challenges is to buy the latest technology. However, to truly improve their security, chief information security officers need to focus more on people and processes. One of the mistakes many CISOs make is to take a compliance-first approach to security. Taking that type of checkbox approach does not best serve the organization. When it comes to cybersecurity, compliance should be thought of as a floor as opposed to a ceiling. For example, Secure- Works has talked to security teams at financial institutions who spent as much as 40 percent of their time on compliance initiatives rather than security initiatives that matter to their organizations. Ironically, putting a strong emphasis on security will address most compliance requirements.

Cybersecurity is not a problem that can be solved with technology alone. Developing an effective security strategy means understanding your needs, where your critical data and assets are, and what the risk levels are to that information and those devices. It means training employees, building an effective patch management program, and operationalizing threat intelligence to harden your defenses. It means implementing strategies like strong passwords and multi-factor authentication to control access to critical systems. Whether sophisticated attackers are at your doorstep or not, it won’t take any sophistication to break in if the door is unlocked.

This article originally appeared in the August 2017 issue of Security Today.

If you like what you see, get more delivered to your inbox weekly.
Click here to subscribe to our free premium content.

comments powered by Disqus
  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • School Planning & Managmenet
  • College Planning & Management
  • Campus Security & Life Safety