Walk around the exhibition floor at most security trade shows and you’d think that every vendor has the answer to stopping cyber-attacks.
Marketing hyperbole with phrases such as “advanced threat protection” and “next-generation” can be seen plastered across vendor stands. Buy these products and we’ll all be safe, right?
There is nothing wrong with software companies trying to sell their wares by showcasing what their products can do. It’s something we do at Avecto too, and some may say that people in glass houses really shouldn’t throw stones. But claims that oversell and clearly cannot be substantiated are harming the credibility of the security industry.
CISOs and heads of IT security will understandably always be looking for some sort of silver bullet. They understand that attacks are inevitable – and it’s highly likely some will be successful – but it can be difficult to explain that to demanding company executives. Promises of perfect security can seem very attractive, and are always a help when trying to secure additional budget.
The problem is that the adoption of these supposedly ground-breaking technologies often comes at the expense of basic, foundational security measures. We are seeing fewer companies putting time and resources into getting the foundations of their security right, and we believe this is directly linked to why so many companies are falling victim to cyber-criminals and hitting the headlines for all the wrong reasons.
The Australian Signals Directorate (part of the Department of Defence), for instance, names application whitelisting and restricting administrative privileges as two of its “Top 4” mitigation strategies, alongside patching operating system vulnerabilities and patching applications. ASD’s analysis of the targeted intrusions it responded to found that implementing these four quick wins would have stopped at least 85% of them.
Our own analysis of the Microsoft vulnerabilities published in 2016 found that 94% of critical vulnerabilities could be mitigated by removing administrative rights alone. On top of this, 100% of the vulnerabilities affecting Internet Explorer, and 100% of those affecting Edge, Microsoft’s newest browser, could be mitigated the same way. “Mitigated” here means that a successful exploit runs with a standard user’s permissions rather than owning the whole machine; it does not mean the bug has gone away, which is why patching still matters alongside privilege removal.
These are all simple changes that make the job of the attacker a lot more difficult. They can actually prevent attacks from either taking place, or at the very least significantly minimize their impact.
How many of the high-profile hacks in the last year could have been prevented by getting these basics right? A large share of them, including the recent WannaCry and NotPetya ransomware outbreaks. Both spread through the SMBv1 vulnerability that Microsoft had patched in March 2017 (MS17-010), so timely patching would have stopped the worm component dead. Removing local admin rights would not have blocked that particular exploit, which runs at SYSTEM level regardless of who is logged on, but it would have blunted NotPetya’s second propagation path: harvesting credentials from memory and pushing itself to other machines with PsExec and WMIC, which only works when the stolen credentials carry administrative rights. Instead, the attacks spread across thousands of systems and succeeded en masse.
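As an added example (this is not Avecto’s code or tooling), the following PowerShell checks the basics discussed above on a single Windows host: who holds local administrator rights, whether the current session is running elevated, whether SMBv1 is still enabled, and how long it has been since an update was recorded. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or newer, an elevated prompt for the SMB query, and an allow-list of expected administrators that is a placeholder to be edited for your own estate.

```powershell
# Added example, not Avecto's code: a quick audit of the "foundational" controls
# discussed above on one Windows host. Assumes PowerShell 5.1+ on Windows 10 /
# Server 2016 or later, run from an elevated prompt (Get-SmbServerConfiguration
# needs it). The $allowedAdmins list is an assumption: edit it for your estate.

# 1. Who holds local admin rights? Anything not on the allow-list is a candidate
#    for removal under a least-privilege policy.
$allowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local Administrator
    "$env:USERDOMAIN\Domain Admins"      # assumed domain admin group
)

$unexpectedAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $allowedAdmins -notcontains $_.Name } |
    Select-Object Name, ObjectClass, PrincipalSource

if ($unexpectedAdmins) {
    Write-Warning 'Unexpected members of the local Administrators group:'
    $unexpectedAdmins | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host 'Local Administrators contains only allow-listed principals.'
}

# 2. Is this session itself elevated? With UAC on, IsInRole returns $true only
#    for a full (elevated) administrator token, which day-to-day accounts should
#    never have.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if ($principal.IsInRole($adminRole)) {
    Write-Warning "$($identity.Name) is running with an elevated administrator token."
}

# 3. SMBv1 still enabled? WannaCry and NotPetya spread through the SMBv1 flaw
#    fixed by MS17-010; disabling the protocol removes that attack surface even
#    on a host that has fallen behind on patches.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is enabled. Fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
} else {
    Write-Host 'SMBv1 server is disabled.'
}

# 4. How stale is patching? Get-HotFix reads Win32_QuickFixEngineering, which
#    records only some update types, so treat this as a rough indicator rather
#    than a full compliance check.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($lastPatch) {
    $ageDays = (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
    Write-Host "Most recent recorded hotfix: $($lastPatch.HotFixID), installed $ageDays day(s) ago."
    if ($ageDays -gt 30) { Write-Warning 'No update recorded in the last 30 days.' }
} else {
    Write-Warning 'No hotfix install dates recorded; check Windows Update history instead.'
}
```

Run it as a scheduled task or through your management tooling and treat every warning as a backlog item: each one is exactly the kind of low-hanging fruit the rest of this post argues opportunistic attackers rely on.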
Earlier this year, the National Crime Agency (NCA) found that the average age of cyber criminals arrested or cautioned for carrying out computer-based crimes was just 17. In the same week, it was reported that two men, aged 20 and 22, admitted their part in the 2015 TalkTalk hack. If a group of teenagers and young twenty-somethings can carry out a hack that costs a corporate giant £42 million, it shows that there is a serious imbalance somewhere along the line.
Most of the time, the people who are carrying out these headline-grabbing data breaches and hacks aren’t professionals with a financial agenda. While sophisticated organized hacking groups with economic clout and back-office systems do exist, many incidents are started by teenagers in bedrooms taking advantage of the low-hanging fruit.
If we imagine a perfect world where all these low-hanging opportunities were removed, we would see a significant drop in successful breaches. Instead, businesses are leaving the door wide open for opportunists to exploit, and much of this is down to companies opting for ‘next generation’ solutions rather than focusing resources on building strong security foundations.
Coming up with a solution to this issue is not straightforward, and a rallying cry in a blog won’t change the marketing strategy of global vendors or the buying habits of CISOs. However, if organizations start to build their security strategy around foundational measures – and only add the ‘bells and whistles’ once these are in place – then we’ll be in a much stronger position, with criminals having to work much, much harder to be successful.