[BreachExchange] Five best practices for countering cyber breaches and attacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 4 18:46:48 EDT 2016


http://opensources.info/five-best-practices-for-countering-cyber-breaches-and-attacks/

The escalation in cybercrime today is driven by the lucrative proceeds of
hacking activity, the increasing availability on the Dark Web of stolen
authentication credentials, and the growth of off-the-shelf malware, which has
enabled greater participation in cybercrime. Here are five best practices
for organisations to follow to harden their defences against a cyberattack
and mitigate the consequences in the event a breach occurs.

Best Practice 1: Know your adversary
Specific industry sectors are being targeted by cybercriminals, nation
states or hacktivists, each with different motivations and capabilities.
Hackers are able to scan organisations for system vulnerabilities in order
to identify potential targets. Since the details of computer operating
systems used by specific organisations can be purchased on the Dark Web,
hackers are then able to attack organisations through customised malware
designed to exploit vulnerabilities and bypass security. This year’s SWIFT
compromise is a perfect example of that strategy. The malware was written
specifically for that company to circumvent internal controls.

Proactive management of cyber security relies on an intelligence-led
approach uncovering the probable source and motives of external threats,
with the aim of preventing a breach before it happens or at least putting
mechanisms in place to ensure it is quickly detected and remediated.

Best Practice 2: Think of employees as security vulnerabilities
It has long been a practice of hackers to trick their victims into clicking
on email attachments or links in order to download malware. Since details
of employee names, their contact details and colleagues are readily
accessible via company websites or social media sites, fraudulent emails
may appear to originate from a known person in a plausible business
context. Security awareness training teaches employees what procedure to
follow when they witness suspicious activity by co-workers or receive a
suspicious email themselves.

Best Practice 3: Don’t assume all employees are on your side
Hackers do not rely solely on employees who unwittingly enable their
attacks. They also obtain the cooperation of insiders who
intentionally steal data or help deliver the malware. In the case of the
theft of DuPont trade secrets, details of the intellectual property were
stolen by a number of insiders acting on behalf of an external party. The
collaborators were not disgruntled employees; they were scientists open to
bribery.

Network data traffic can also be analysed by experts to detect employees or
contractors who may be under the influence of external parties. Suspicious activity
includes data transfers to unusual IP addresses, and data traffic of
abnormally high volume or outside normal office hours.

To increase the likelihood of detecting malicious insider behaviour
quickly, it is important to monitor the activity of employees with access
to sensitive data. This can be accomplished by setting up alerts for any
data sent via unauthorised means (for example, file transfer, email or
instant messaging, or copied to CDs or USB sticks).
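The two paragraphs above describe insider-risk heuristics in prose: transfers to unusual IP addresses, abnormally high volume, activity outside office hours, and data leaving through unauthorised channels. The following script is an added example, not code from the original article or the BreachExchange list; it applies those four checks to a handful of constructed egress-log records. The network ranges, thresholds, channel names, user names and log lines are all assumptions chosen for illustration, and a real deployment would read them from a policy store and a log pipeline instead.

```python
"""Added example: score constructed egress-log records against the insider-risk
heuristics described above (unusual destination, high volume, off-hours,
unauthorised channel).  Every constant and record here is a hypothetical
assumption for illustration, not data taken from the article."""

from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Hypothetical policy.  Internal ranges are never "unusual"; external ranges
# must be explicitly approved (partner SFTP site, offsite backup, etc.).
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]
APPROVED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
AUTHORISED_CHANNELS = {"sftp-gateway", "backup-agent"}  # sanctioned transfer paths
OFFICE_HOURS = (8, 18)            # 08:00 to 18:00 local time, Monday to Friday
HIGH_VOLUME_BYTES = 500_000_000   # a single transfer of 500 MB or more is notable

# Constructed sample records (assumed format: user, timestamp, destination
# IP, bytes sent, channel).  2016-11-04 is a Friday.
SAMPLE_RECORDS = [
    {"user": "alice", "ts": "2016-11-04 10:15:00", "dst": "203.0.113.40",
     "bytes": 2_000_000, "channel": "sftp-gateway"},
    {"user": "bob", "ts": "2016-11-04 02:30:00", "dst": "192.0.2.77",
     "bytes": 750_000_000, "channel": "https"},
    {"user": "carol", "ts": "2016-11-04 14:05:00", "dst": "10.0.5.12",
     "bytes": 120_000, "channel": "usb-mass-storage"},
    {"user": "dave", "ts": "2016-11-04 11:45:00", "dst": "198.51.100.9",
     "bytes": 900_000_000, "channel": "backup-agent"},
]


def assess(record: Dict) -> List[str]:
    """Return the list of heuristic reasons a single record is suspicious."""
    reasons: List[str] = []
    dst = ip_address(record["dst"])
    ts = datetime.strptime(record["ts"], "%Y-%m-%d %H:%M:%S")

    # 1. Unusual destination: neither internal nor an approved external range.
    internal = any(dst in net for net in INTERNAL_NETWORKS)
    approved = any(dst in net for net in APPROVED_NETWORKS)
    if not (internal or approved):
        reasons.append("unusual_destination")

    # 2. Abnormally high volume in one transfer.
    if record["bytes"] >= HIGH_VOLUME_BYTES:
        reasons.append("high_volume")

    # 3. Outside normal office hours (weekend, or before/after the window).
    start, end = OFFICE_HOURS
    if ts.weekday() >= 5 or not (start <= ts.hour < end):
        reasons.append("off_hours")

    # 4. Data leaving via a channel that is not a sanctioned transfer path.
    if record["channel"] not in AUTHORISED_CHANNELS:
        reasons.append("unauthorised_channel")

    return reasons


def triage(records: List[Dict]) -> Dict[str, List[str]]:
    """Aggregate reasons per user and order users by how many fired, so the
    analyst looks at the most anomalous account first."""
    findings: Dict[str, set] = {}
    for record in records:
        reasons = assess(record)
        if reasons:
            findings.setdefault(record["user"], set()).update(reasons)
    ordered = sorted(findings.items(), key=lambda kv: -len(kv[1]))
    return {user: sorted(reasons) for user, reasons in ordered}


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_RECORDS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Note that "dave" is flagged for volume even though his transfer uses an authorised channel to an approved range: the heuristics are deliberately independent so that a large sanctioned backup still gets a second look rather than being silently whitelisted, and the per-user ordering puts the account with several concurrent signals ("bob") at the top of the queue.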

Best Practice 4: Fear what you don’t know
In recent years, we have seen major data breaches against TalkTalk, Sony,
Vodafone and JP Morgan. These are only the most publicised cases; in many
circumstances, companies are simply not aware that they have been breached
because those responsible have evaded detection and continue to operate.

Here are some processes to help you detect ongoing compromises: a thorough
assessment of cyber resilience that identifies undetected ongoing
compromises; stress testing of the organisation’s cyber defences; using
scanning software to rapidly identify malware or a virus so that it can be
investigated and neutralised in real time; focusing resources on real and
active threats by eliminating false positives in alerts; and performing
readiness testing to identify the security strengths and weaknesses of your
organisation.

Best Practice 5: Act quickly in the event of a compromise and don’t delay
notification
When a breach occurs, an incident response management plan is vital. This
should set out the pre-determined actions to be undertaken by the team
coordinating the response, including notification of relevant stakeholders,
including the government regulators. Organisations in EU member states must
notify regulators within 72 hours from the time they discover the breach.
The notification must include the nature of the breach, who has been
affected, the potential implications of the breach, and the steps the
organisation has taken to address it.

It’s also important to preserve forensic evidence, including all
electronically stored information (ESI), devices and logs. Guidance from a
digital forensic expert early in the investigation would be well worth the
cost.