[BreachExchange] Five Things Enterprises Need to Know About Threat Landscape

Destry Winant destry at riskbasedsecurity.com
Thu Feb 21 08:14:30 EST 2019


https://www.eweek.com/security/five-things-enterprises-need-to-know-about-threat-landscape

It would be easy to say that 2019 is going to be the year of the
state-sponsored hacker, but it would also be easy to say that this
year is going to be the year of the cryptojacker. Or I could say that
this is the year when cross-site scripting is going to be a major
threat. But the reality is that 2019 promises to be all three.

The reality is that 2019 is going to be a year of unprecedented risk
for cyber-attacks, and to even narrow it down to three types would be
a mistake, because attacks are getting significantly more
sophisticated, and the attackers are getting better and more numerous.
Better because the skills of the state-sponsored cyber warriors are
being transferred to cyber-criminals. More numerous because hacking
kits are widely available on the internet, and so is the information
needed to use them.

The true breadth of state-sponsored cyber-attacks is only now
beginning to become known. For example, it now appears that the
Equifax attack of 2017 was probably carried out by a state-run
organization such as the Russian Internet Research Agency, although
there’s no indication that it was the Russians who did it. There’s a
belief by several researchers that the Equifax data was taken so that
it could be paired with data from other sources, such as the Office of
Personnel Management breach, to identify susceptible individuals who
can be turned into spies.

'Script Kiddies' as Dangerous as Veteran Hackers

On the other hand, the number of attackers who can make use of the
resources on the internet to launch their own, relatively
unsophisticated, attacks is growing rapidly. While these so-called
“script kiddies” aren’t experienced hackers, there are so many of them
that the likelihood of their finding a vulnerable target is fairly
good. And from your point of view, it doesn’t matter whether a
successful attack comes from an experienced hacker or one that’s just
lucky.

With this new level of threat in mind, here are some things to keep
in mind about today's security threats:

While anti-virus and anti-malware software are still important,
they’re not enough to protect you against today’s attacks. You also
need secure network design and defense in depth. A secure network
design means, among other things, a properly segmented network so that
a single breach doesn’t provide an attacker with unfettered access to
everything in your organization. Defense in depth means that perimeter
protection isn’t enough; you also need intrusion detection, network
monitoring, solid authentication and encryption.

Size doesn’t matter. While you may think that your organization is too
small to be of interest to a state-sponsored hacking organization or a
cyber-criminal, you’re wrong. Even though you may not have any
important secrets, the state-sponsored attackers are after information
that they can use for a greater purpose. For example, the computerized
health records in a medical office or a mental-health facility may
provide details that those hackers want to use to blackmail a
susceptible individual.

Except for some very specific organizations, you probably can’t do
this alone. This means that you will need to engage professional help
to make sure your computing facilities are secure. You also need to
ensure that your testing is comprehensive. This means more than just a
security review, although that’s important. It means penetration
testing, it means help with network architecture to ensure your
network is properly segmented, and it means making sure that all data
is encrypted, so that even a successful breach won’t yield useful
data.

Handled properly, the cloud can be a secure refuge for your
organization. Any of the major cloud providers will almost certainly
have better security than you can afford in your data center, but
that’s not the end of cloud security. You must also make sure that you
make use of the security features that are offered by your cloud
provider, that your cloud access is also secure and that you train
your employees to manage their access to the cloud securely.

You owe it to your customers to provide for their security. This means
that your organization’s website must be kept free from malware, and
that you must make sure that your website cannot host cross-site
scripting, malware payloads or any other means of extracting
information from visitors, or to provide a platform for attacking
them. This means that your web pages must be programmed so that
external inputs can’t be placed there, that external software can’t be
implanted onto them, and that you monitor activity on those pages.
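The paragraph above says web pages must be written so that external inputs can't be placed into them as markup. The following is an added example, not code from the eWeek article: it shows the vulnerable pattern (a visitor-supplied string concatenated straight into HTML) beside the hardened pattern (the string is HTML-escaped first so it renders as text), plus a small check a site owner can run over rendered fragments to spot markup that did not come from the template. The function names, the one-tag template and the sample input are all constructed for this example.

```javascript
// Added example (not from the article): placing untrusted input into a page.

// Minimal escaper for text going into element content or a quoted attribute.
// It neutralises the five characters that let text be read as markup.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the visitor-supplied name is interpolated into markup,
// so any tags it contains become part of the page (cross-site scripting).
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "</p>";
}

// Hardened pattern: escape first, so the same input is shown as literal text.
function renderGreetingSafe(name) {
  return "<p>Hello, " + escapeHtml(name) + "</p>";
}

// Defender-side check: does a rendered fragment contain any tag other than the
// ones the template is known to emit? Here the template emits exactly <p> and </p>.
function containsUnexpectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const allowed = new Set(["<p>", "</p>"]);
  return tags.some((t) => !allowed.has(t.toLowerCase()));
}

// Constructed sample input: a "name" that carries a script tag.
const SAMPLE_INPUT = "Bob<script>notTrusted()</script>";

// Stand-alone demonstration: the unsafe render smuggles the tag through,
// the safe render does not.
console.log(containsUnexpectedMarkup(renderGreetingUnsafe(SAMPLE_INPUT))); // true
console.log(containsUnexpectedMarkup(renderGreetingSafe(SAMPLE_INPUT)));   // false
console.log(renderGreetingSafe(SAMPLE_INPUT));
```

Escaping on output is the general rule: the page's template decides what is markup, and anything that arrives from outside is encoded for the context it lands in (element text here; attribute, URL and script contexts each need their own encoder). The check function is only a sanity test for a fixed template, not a substitute for escaping.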

It’s also important to take steps to ensure that your single biggest
vulnerability, your employees, are trained to protect your company.
This means actively and repeatedly training them not to click on links
in email or on websites, not to respond to phishing emails and not to
respond to social engineering attacks that may appear through a
variety of means, including the telephone. And it means that you need
to examine your organization’s website to make sure that you’re not
supplying the information needed to enable social engineering or
phishing attacks.

So you’re going to have to make sure that the email addresses for your
corporate management aren’t available to website visitors, and you
have to protect information such as cell phone numbers, since mobile
devices can provide a pathway for attackers.
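The two paragraphs above ask you to check your own website for contact details that feed phishing and social-engineering attempts. As an added example (not from the article), the following scans a page's HTML for e-mail addresses and phone numbers and reports the ones you did not intend to publish. The sample page, the allow-list of addresses you deliberately publish, and the North-American phone pattern are constructed for this example; adjust the phone pattern for your region.

```javascript
// Added example (not from the article): find contact details exposed on a page.

// Plain e-mail address pattern.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Numbers such as 555-123-4567 or (555) 123 4567 (assumed regional format).
const PHONE_RE = /\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/g;

// Returns the addresses and numbers found in `html`, minus any address you
// intentionally publish (e.g. a shared support mailbox). Results are
// de-duplicated, and addresses are lower-cased for comparison.
function findExposedContacts(html, allowedEmails = []) {
  const allowed = new Set(allowedEmails.map((e) => e.toLowerCase()));
  const emails = [...new Set((html.match(EMAIL_RE) || []).map((e) => e.toLowerCase()))]
    .filter((e) => !allowed.has(e));
  const phones = [...new Set(html.match(PHONE_RE) || [])];
  return { emails, phones };
}

// Constructed sample page: a leadership listing with a personal address and a mobile number.
const SAMPLE_PAGE = `
<html><body>
<h1>Leadership</h1>
<p>Jane Doe, CEO: <a href="mailto:jane.doe@example.com">jane.doe@example.com</a></p>
<p>Mobile: (555) 123-4567</p>
<p>General inquiries: support@example.com</p>
</body></html>`;

// Stand-alone run: the support mailbox is allowed, the CEO's address and
// mobile number are reported.
console.log(findExposedContacts(SAMPLE_PAGE, ["support@example.com"]));
```

Run this over your public pages (or the HTML your CMS renders) and review the findings against what you actually intend to publish; the allow-list keeps the output focused on the personal addresses and numbers the article warns about.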

Yes, it’s a lot of work, but the nature and level of the attacks have
changed to the point where there’s more risk than ever before. Sadly,
that risk isn’t going down any time soon, so it’s critical that you be
prepared for it now, and then get ready for next year when it gets
even worse.

