Technical Controls to Mitigate Security Risk

In an ideal world, organizations would be able to prevent hacking entirely. Given the many routes into any given business, coupled with social engineering tactics, it’s impossible to prevent hacking altogether. However, companies can reduce their attack surfaces to make themselves less likely to be the subject of attacks.

First, let’s differentiate between opportunistic attacks and targeted attacks. Opportunistic attacks are largely automated, low-complexity exploits against known vulnerable conditions and configurations. Ever wonder why a small business with a small geographic footprint and almost no online presence gets compromised? Chances are good they had just the right combination of issues that an automated attack bot was looking to exploit. These kinds of events can be detrimental to a small-to-medium-sized business, while costing the attacker practically nothing.

Targeted attacks are a different story. These attacks are generally low, slow and persistent, targeting an organization’s technical defenses as well as its employees, partners and supply chain.

While targeted attacks may use some of the same exploitable conditions that opportunistic attacks use, they tend to be less automated in order to avoid detection for as long as possible. In addition, they may make more frequent use of previously unknown exploit vectors (zero days). Ultimately, it doesn’t matter which of these two kinds of attack results in a breach event, but it is important to think of both when aligning people, processes and technology to mitigate that risk.

While many articles have been written about best practices for minimizing the risk of a cybersecurity incident, the technical controls that minimize risk have been largely under-reported. Provided all “table stakes” items are in place (e.g. a firewall), I believe these are the top six technical controls to deploy.

Patch and Update Consistently: Ultimately, the most hacker-resistant environment is the one that is best administered. Organizations are short-cutting system and network administration activities through budget/staff reductions and lack of training. This practice often forces prioritization and choice about what tasks get done sooner, later or at all.

Over time, this creates a large, persistent baseline of low-to-medium risk issues in the environment that can contribute to a wildfire event under the right conditions. Lack of a complete asset inventory – both hardware and software – contributes to this risk as applications and devices become unmanaged.

Staying on top of patching, system/application updates, end-of-support/end-of-life platform migrations, user administration and configuration management is tedious, time-consuming and generally underappreciated; but this activity, more than any other single task, will reduce the risk of cyber events in an organization and dramatically reduce the risk of opportunistic attacks.
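The patching section above describes a baseline of low-to-medium issues that builds up when version drift, end-of-life platforms and unmanaged assets go untracked. The following is an added example, not code from the article, of how a small inventory check can turn that into a prioritized worklist: it compares deployed versions against an approved minimum, checks platform support-end dates, and flags assets whose platform is not in the support table at all (a sign they are unmanaged). The inventory, product names, version baselines, support dates and the reference date are all constructed for illustration.

```python
"""Prioritise patch and end-of-life work from an asset inventory.

Added example, not from the article. The inventory, baseline versions,
support-end dates and REFERENCE_DAY are constructed for illustration.
"""
from datetime import date

# Constructed baseline: minimum approved version per product.
APPROVED_MIN_VERSION = {
    "webserver": "2.4.58",
    "dbserver": "15.6",
    "agent": "7.1.0",
}

# Constructed vendor support-end dates per platform family.
SUPPORT_ENDS = {
    "legacy-os-1": date(2023, 1, 10),
    "current-os-2": date(2028, 6, 30),
}

# Constructed "today" so results are reproducible.
REFERENCE_DAY = date(2024, 3, 1)

# Constructed inventory of what is actually deployed.
INVENTORY = [
    {"host": "web01", "platform": "current-os-2", "product": "webserver", "version": "2.4.52", "exposed": True},
    {"host": "db01", "platform": "current-os-2", "product": "dbserver", "version": "15.6", "exposed": False},
    {"host": "kiosk7", "platform": "legacy-os-1", "product": "agent", "version": "6.9.12", "exposed": False},
    {"host": "bastion", "platform": "current-os-2", "product": "agent", "version": "7.1.0", "exposed": True},
    {"host": "printer3", "platform": "unknown-vendor-os", "product": "agent", "version": "7.1.0", "exposed": False},
]


def parse_version(text):
    """Turn '2.4.52' into (2, 4, 52) so comparisons are numeric, not lexical ('2.4.9' < '2.4.10')."""
    return tuple(int(part) for part in text.split("."))


def assess(asset, today):
    """Return the findings for one asset: outdated software, EOL platform, or platform not tracked."""
    findings = []
    approved = APPROVED_MIN_VERSION.get(asset["product"])
    if approved and parse_version(asset["version"]) < parse_version(approved):
        findings.append(f"{asset['product']} {asset['version']} below approved {approved}")
    end = SUPPORT_ENDS.get(asset["platform"])
    if end is None:
        # No support record at all usually means nobody owns this device.
        findings.append(f"platform {asset['platform']} missing from support table (unmanaged?)")
    elif end <= today:
        findings.append(f"platform {asset['platform']} unsupported since {end.isoformat()}")
    return findings


def prioritise(inventory, today):
    """Rank assets that have findings: internet-exposed first, then by number of findings."""
    report = []
    for asset in inventory:
        findings = assess(asset, today)
        if findings:
            report.append({"host": asset["host"], "exposed": asset["exposed"], "findings": findings})
    report.sort(key=lambda r: (not r["exposed"], -len(r["findings"]), r["host"]))
    return report


if __name__ == "__main__":
    for row in prioritise(INVENTORY, REFERENCE_DAY):
        tag = "EXPOSED" if row["exposed"] else "internal"
        print(f"{row['host']:<9} {tag:<8} " + "; ".join(row["findings"]))
```

The ordering is the point: an exposed host one patch behind comes before an internal kiosk with two findings, and the "missing from support table" case surfaces the devices that an incomplete asset inventory would otherwise hide.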

Email Security: Email is the number one entry point for malware into the enterprise. Given all the data pointing to this as the root cause of many breach events, it should be the next place where organizations double-down on security. It is important to take the time to be informed in this regard and understand what threats the email controls are preventing and what the remaining exposures are, so that a layered control model can be put into place. 

Endpoint Detection and Response: Hackers know that eventually someone is bound to click on a link and infect themselves, under the right conditions or with the right scare tactics. The second most common malware infection vector is malicious web content, which is also triggered by an end-user action. As a result, it makes sense to have a thorough suite of controls on the endpoints and servers in the environment to identify and shut down viruses, malware and other potentially unwanted programs.

Making sure that all endpoints are under management and kept current will help prevent whack-a-mole malware infections that can persist in environments where there are inconsistently applied controls.

Segmentation and Egress Filtering: Just because a hacker or piece of malware makes its way into your environment, that doesn’t mean it should be able to spread to adjacent network nodes or obtain mission-critical, regulated data. Limiting the ability to communicate both across and outside the network, through a combination of controls such as firewall policies and mandatory use of proxy servers, is an often-overlooked opportunity for organizations to increase their security, limit the impact of an incident and help prevent a network incident from becoming a public data breach.
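To make the segmentation and egress points concrete, here is an added example (not from the article) that models a deny-by-default zone policy and runs sample flow records through it. Workstations may reach the server zone on a few ports and the web proxy on its listening port; only the proxy may reach external addresses; only servers may reach the regulated zone. Everything else, including direct outbound connections that bypass the proxy and lateral workstation-to-workstation traffic, is denied. The zone ranges, port numbers, rules and flow records are all constructed for illustration.

```python
"""Evaluate sample flow records against a deny-by-default segmentation policy.

Added example, not from the article. Zones, ports, rules and flows are constructed.
"""
import ipaddress

# Constructed zone map. The proxy range sits inside the server range, so it is matched first.
ZONES = {
    "proxy": ipaddress.ip_network("10.20.5.0/24"),
    "regulated": ipaddress.ip_network("10.30.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
}
PROXY_PORT = 3128

# Constructed allow-list: (source zone, destination zone, permitted destination ports).
# Anything that matches no rule is denied.
ALLOW = [
    ("workstations", "servers", {443, 445}),
    ("workstations", "proxy", {PROXY_PORT}),
    ("servers", "regulated", {5432}),
    ("proxy", "external", {80, 443}),
]


def zone_of(ip_text):
    """Map an address to its zone; anything outside the defined zones is 'external'."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():  # dict order is most-specific first (see ZONES)
        if ip in net:
            return name
    return "external"


def evaluate(flow):
    """Return ('allow'|'deny', 'srczone->dstzone:port') for one flow record."""
    src_zone, dst_zone, port = zone_of(flow["src"]), zone_of(flow["dst"]), flow["dport"]
    label = f"{src_zone}->{dst_zone}:{port}"
    for rule_src, rule_dst, ports in ALLOW:
        if src_zone == rule_src and dst_zone == rule_dst and port in ports:
            return "allow", label
    return "deny", label


# Constructed flow records, roughly what a firewall or NetFlow export would provide.
FLOWS = [
    {"src": "10.10.4.20", "dst": "10.20.1.10", "dport": 443},    # workstation to intranet app
    {"src": "10.10.4.20", "dst": "10.20.5.2", "dport": 3128},    # workstation to web proxy
    {"src": "10.10.4.20", "dst": "203.0.113.9", "dport": 443},   # direct egress, bypasses proxy
    {"src": "10.10.4.20", "dst": "10.30.0.15", "dport": 5432},   # workstation straight to regulated DB
    {"src": "10.10.4.20", "dst": "10.10.7.3", "dport": 445},     # lateral workstation-to-workstation SMB
    {"src": "10.20.5.2", "dst": "203.0.113.9", "dport": 443},    # proxy to external site
    {"src": "10.20.1.10", "dst": "10.30.0.15", "dport": 5432},   # app server to regulated DB
]


def denied_flows(flows):
    """Return the flows the policy would block, each with the zone/port label explaining why."""
    out = []
    for flow in flows:
        verdict, label = evaluate(flow)
        if verdict == "deny":
            out.append((flow, label))
    return out


if __name__ == "__main__":
    for flow, label in denied_flows(FLOWS):
        print(f"DENY {flow['src']} -> {flow['dst']}:{flow['dport']}  ({label})")
```

Running the same evaluation over historical flow logs before enforcing a policy is a practical way to find the legitimate paths the allow-list is missing, and the three denied records here are exactly the ones the section is concerned with: proxy bypass, direct access to regulated data and lateral movement.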

Robust Detection Control Infrastructure: History teaches us that prevention-centric strategies will fail and should be paired with detective controls to minimize time to detection and remediation. Organizations should make certain they have a well-tuned SIEM/SOAPA/SOAR infrastructure as part of their security architecture and that it is receiving logs that cover the internal network and applications as well as the perimeter. This includes tuning of endpoint, application and network device logs to enable an early detection and response capability in the environment.

Multi-factor Authentication: The majority of breaches involve the use of cracked, intercepted or otherwise disclosed authentication credentials at some point. Use strong, multi-factor authentication methods by default wherever possible. Combined with the ability to detect and alert on failed login attempts, this practice can provide clues to users that may be the focus of targeted attacks.
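The detection section asks for tuned logs feeding early detection, and the paragraph above adds that alerting on failed logins can reveal which users are being targeted. As an added example that is not part of the article, the following runs three such rules over constructed authentication log lines: repeated failures against one account (brute force), failures from one source against many accounts (password spraying), and a success that follows several failures from the same source, which is the case MFA is meant to stop. The log format, thresholds, user names, addresses and timestamps are all constructed for illustration.

```python
"""Flag suspicious failed-login patterns in sample authentication log lines.

Added example, not from the article. Log format, thresholds and lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) auth: (FAILED|SUCCESS) user=(\S+) src=(\S+)$")
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILURES = 5     # failures against one account inside WINDOW
SPRAY_DISTINCT_USERS = 5     # distinct accounts failed from one source inside WINDOW
FAILURES_BEFORE_SUCCESS = 3  # failures from a source shortly before it succeeds

# Constructed log lines: a brute-force run that eventually succeeds, a spray, a benign typo,
# and one unrelated line that the parser must skip.
SAMPLE_LOG = [
    "2024-03-01T08:00:00Z auth: FAILED user=bob src=198.51.100.7",
    "2024-03-01T08:00:10Z auth: FAILED user=bob src=198.51.100.7",
    "2024-03-01T08:00:20Z auth: FAILED user=bob src=198.51.100.7",
    "2024-03-01T08:00:30Z auth: FAILED user=bob src=198.51.100.7",
    "2024-03-01T08:00:40Z auth: FAILED user=bob src=198.51.100.7",
    "2024-03-01T08:01:00Z auth: SUCCESS user=bob src=198.51.100.7",
    "2024-03-01T09:00:00Z auth: FAILED user=alice src=203.0.113.5",
    "2024-03-01T09:00:30Z auth: FAILED user=carol src=203.0.113.5",
    "2024-03-01T09:01:00Z auth: FAILED user=dave src=203.0.113.5",
    "2024-03-01T09:01:30Z auth: FAILED user=erin src=203.0.113.5",
    "2024-03-01T09:02:00Z auth: FAILED user=frank src=203.0.113.5",
    "2024-03-01T10:00:00Z auth: FAILED user=alice src=10.10.4.20",
    "2024-03-01T10:00:30Z auth: SUCCESS user=alice src=10.10.4.20",
    "2024-03-01T10:05:00Z cron: nightly job done",
]


def parse(lines):
    """Parse matching lines into events sorted by time; unrelated lines are ignored."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "ok": m.group(2) == "SUCCESS", "user": m.group(3), "src": m.group(4)})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return (rule, user, src) alerts; each brute-force user and spray source is reported once."""
    alerts = []
    fails_by_user = defaultdict(list)  # user -> failure timestamps
    fails_by_src = defaultdict(list)   # src  -> (timestamp, user) of failures
    reported = set()
    for e in events:
        now = e["ts"]
        if e["ok"]:
            recent_src = [t for t, _ in fails_by_src[e["src"]] if now - t <= WINDOW]
            if len(recent_src) >= FAILURES_BEFORE_SUCCESS:
                alerts.append(("success_after_failures", e["user"], e["src"]))
            continue
        fails_by_user[e["user"]].append(now)
        fails_by_src[e["src"]].append((now, e["user"]))
        recent_user = [t for t in fails_by_user[e["user"]] if now - t <= WINDOW]
        if len(recent_user) >= BRUTE_FORCE_FAILURES and ("brute", e["user"]) not in reported:
            reported.add(("brute", e["user"]))
            alerts.append(("brute_force", e["user"], e["src"]))
        recent_users = {u for t, u in fails_by_src[e["src"]] if now - t <= WINDOW}
        if len(recent_users) >= SPRAY_DISTINCT_USERS and ("spray", e["src"]) not in reported:
            reported.add(("spray", e["src"]))
            alerts.append(("password_spray", "*", e["src"]))
    return alerts


if __name__ == "__main__":
    for rule, user, src in detect(parse(SAMPLE_LOG)):
        print(f"{rule:<24} user={user:<6} src={src}")
```

The per-user and per-source counters are kept separately on purpose: a spray stays under the per-account threshold by design, so a rule that only counts failures per user would miss it, while the success-after-failures rule is the one most worth routing to the account owner.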

Since many implementations of multi-factor/multi-step authentication involve cell phones for calls or SMS messages, this does require that users take steps to secure their mobile phones, particularly in an enterprise environment. Make sure that devices are fully patched, running only trusted/signed applications from reputable app stores and protected by a PIN or other access control.

Also use app-based authentication methods whenever possible, as opposed to SMS-based or phone-call methods, to further protect against number port-out schemes. Such steps can help reduce the risk of business email compromise and maintain the authentication security of corporate social media accounts.

Cybersecurity has always been something of a race between attackers and the defenders. Organizations that steadily and consistently execute on timely, data-driven decisions that are focused on risk-reduction are more likely to succeed.
