[BreachExchange] Don’t Make Perfect Security the Enemy of Good Security

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 27 18:33:56 EST 2017


https://dzone.com/articles/dont-make-perfect-security-the-enemy-of-good-secur

We’ve written before about what it means to meet compliance standards
without going completely overboard. Today, we want to talk about how that
applies to cloud security as well. Some teams mistakenly believe that their
security posture needs to be absolutely perfect. That’s not only
overwhelming — it’s impossible.

More to the point, the reality of today’s security landscape is that
cybercriminals are always looking for the path of least resistance. If
company A has reasonably good security safeguards in place and company B
does not, criminals aren’t going to waste resources poking at company A
until they find a weakness. They’ll go after company B.

This is why we tell organizations that, when it comes to security, perfect
can often be the enemy of good. Rather than trying to make your
organization perfectly airtight, it’s time to focus on making your company
as unappealing an attack target as possible. Here’s how.

Understand How Hackers Think

Criminals want the best returns with the least amount of effort. You can
see this in the rise of ransomware-as-a-service. RaaS is basically a
franchise model for ransomware, such that criminals with little technical
expertise (or those who just don’t feel like DIYing) can run ransomware
attacks without having to build anything from scratch. This has led to a
sharp increase in ransomware attacks, as you might imagine.

The best thing about ransomware attacks, from a criminal’s perspective, is
that it often costs less for a company to pony up than it does for them to
clean up an attack. Even better, criminals can often hit the same company
multiple times. If the company paid up once, they may very well pay up
again.

Another common low-effort tactic from cybercriminals is the use of exploit
kits, which essentially scan the internet for known vulnerabilities and
then target organizations that have not addressed them. These are automated
and relatively easy to use, so they too have proliferated. Exploit kits
generally don’t focus on new, rare, or hard-to-find vulnerabilities. They
go after the obvious ones, because those require the least amount of
resources to target.

You might be sensing a trend here: Cybercriminals like to take the path of
least resistance. There’s plenty of money to be made going after
organizations with major gaps in their security postures, so why bother
with reasonably well-secured infrastructure? The harder it is to crack a
company, the more expensive it is for criminals. Their ROI goes down every
time they have to work around a barrier.

So, unless attackers have a very specific end-goal in mind (say,
cyberespionage between nation states), odds are they will simply troll
around until they find an easy target. Your mission? Don’t be that easy
target.

Ignore the Headlines

“But what about the Target attacks and the Anthem attacks?” you might be
wondering. Here’s a good reminder: The headlines are just that. They are
the biggest stories of the day. What rarely makes headlines are the common,
low-level attacks that are directed at the average organization. Those are
the ones you actually want to be concerned about, and the ones that you
should focus on building a defense against.

In other words, while zero-day threats seem like a scary problem that
requires a solution, the reality is that very few organizations actually
need to worry about them. It’s a lot more likely that a criminal will go
after your Windows OS because you didn’t install a patch that’s been out
for several months… Oops. By focusing your security defenses inward, not
outward, you can cover a lot more ground. (We covered this topic in an
earlier post, if you’d like to get into more detail.)

Prioritize and Address Vulnerabilities

So, where should you start?

Each company has its own security issues based, in part, on factors such as
size, industry, compliance requirements, data, infrastructure, assets, etc.
And you should take these into account when you analyze your needs.

However, before you go too much further, consider the fact that most
companies that run in the cloud today are using AWS, and therefore, a
logical way to start improving your security is to assess how well your AWS
environment is configured.

Once you have accomplished this, you can go on to identify and prioritize
other areas where you can improve your security and then strategically
tackle these over time. This is a realistic approach that takes into
account the realities of limited organizational resources and criminals’
inherent laziness while you improve your security posture.

Crawl Before You Run

To plan your cloud security program, remember that you must crawl before
you walk and walk before you run. Your goal should always be to focus on
security measures that will demonstrably improve your security posture and
thus make you an unappealing target for cybercriminals. It’s not possible
to address every security concern at once — because no organization has
unlimited time, talent, or resources. But you can focus on the security
issues that most directly impact you, and take the steps that will make
hackers take one look at you and say, “Next, please.”