[BreachExchange] How to address the 6 most overlooked causes of data breaches

Inga Goddijn inga at riskbasedsecurity.com
Wed Dec 7 18:06:48 EST 2016


https://gcn.com/articles/2016/12/07/cybersecurity-human-factors.aspx

Cybersecurity experts repeatedly warn about the growing number of
sophisticated malware and hacker attacks against IT infrastructure and
data. Organizations can’t control the bad guys, and the criminals are
getting better. However, rudimentary attention to security threats can go a
long way toward protecting systems and data.

The human factor plays a critical role in how strong or weak an
organization’s security defenses are. Be alert to the six most common
human-factor mistakes that can lead to deadly security breaches.

*1. Awareness*

It’s not just rogue employees who compromise agency defenses with insider
information. Out of ignorance, even the most loyal, hard-working employees
can make mistakes that cost the agency dearly. For example, simple phishing
attacks succeed when a user opens an email from an unknown sender, clicks on
a link or downloads an attachment, after which the attacker delivers malware
onto the computer or convinces the user to give up passwords. About a quarter
of recipients open phishing emails, and 11 percent click on attachments. How
can we keep this from happening?

The first lesson to convey to employees is the extreme importance of
security. Are employees aware of the criticality of the data they deal with
every day? Do they understand the necessity to comply with data-privacy
regulations and what it might cost the agency if they don’t?

Once employees are aware of the requirement for security and their critical
role, they must be warned about using unauthorized websites and shadow IT
tools and shown how their daily activities can lead to undesired endpoint
or network penetration. And these lessons must be reinforced periodically
to ensure that they are not forgotten.

*2. Time constraints*

Often lacking sufficient budget and headcount, security staff are
overburdened. Given all the pressure to “get everything done,” sometimes
things just don’t get done correctly.

Misconfiguration of a tool and neglecting to follow security policies to
the letter are regular mistakes. So is spinning up a certain service, such
as a container, a proxy or monitoring tool, but forgetting to secure it.

Still another consequence of time pressures can be forgetting to update
security patches or not updating them on time. About half of IT
professionals see outdated security patches as a problem and cite human
error and patch management as stumbling blocks to making web apps totally
secure.

Cutting corners may sometimes be a good way to get the job done quickly,
but it also makes way for poor security. Security managers must keep their
teams on their toes. And when they undertake to respond to an incident,
they must see it through to its final resolution.

*3. Passwords*

While hacking and malicious attacks are often the top concern for
protecting an organization’s data, often it’s the weak or lost password
that proves to be the Achilles’ heel that leads to disaster.

Protected only by weak passwords, laptops, tablets, cell phones, computers
and email systems offer up little defense against the committed hacker who
can easily obtain subscription information, personal, financial and health
information as well as sensitive business data. IT departments will go a
long way to enhancing security by implementing policies that enforce use of
strong passwords on all devices.

Another password vulnerability is employees’ tendency to use the same
password (or even the same set of passwords) for both work and home. If a
home network is breached, there may be little damage that an attacker can
do, but if the attacker can extract passwords from a home computer (or
personal smartphone) and use them as a springboard to launch attacks
against the enterprise, devastation can ensue.

*4. Friendly outsourcers, vendors and partners*

As technology becomes more complex, companies increasingly rely on
outsourcers, vendors and partners to support and maintain systems. These
third parties typically use remote access tools to connect to the agency’s
network, but they don’t always follow security best practices.

Organizations must trust their contractors and vendors. However, even
partners with benevolent intent can leave their customers open to attack.
Third-party threats increase exponentially if unvetted partners are allowed
to access an organization’s network.

Agencies must be certain that their trusted partners and vendors follow
best security practices, such as enforcing multifactor authentication,
requiring unique credentials for each customer and creating a comprehensive
audit trail of all remote-access activity. Third-party accounts should be
disabled as soon as they are no longer required, and login attempts using
these accounts should be monitored.
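As an added example (not from the article), the two controls above, disabling third-party accounts that are no longer required and monitoring login attempts using them, can be checked mechanically against an authentication log. The log format, the account names and the vendor register below are constructed for illustration.

```python
# Added example: monitor vendor/third-party accounts in an auth log.
# The log line format and the account register are hypothetical.
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2016-12-01T08:15:02Z auth user=vendor_acme src=203.0.113.10 result=success
2016-12-03T22:41:17Z auth user=vendor_acme src=203.0.113.10 result=success
2016-12-05T02:03:44Z auth user=vendor_bkup src=198.51.100.7 result=failure
2016-12-06T11:20:09Z auth user=vendor_bkup src=198.51.100.7 result=success
2016-12-07T09:00:00Z auth user=vendor_old src=192.0.2.55 result=failure
2016-12-07T09:00:05Z auth user=vendor_old src=192.0.2.55 result=failure
"""

# Hypothetical register: vendor account -> engagement end date (None = ongoing).
VENDOR_ACCOUNTS = {
    "vendor_acme": None,
    "vendor_bkup": None,
    "vendor_old": datetime(2016, 11, 30),
}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(\w+)$")

def parse_log(text):
    """Yield (timestamp, user, src, result) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3), m.group(4)

def find_expired_logins(text):
    """Any login attempt (success or failure) by an account past its end date."""
    hits = []
    for ts, user, src, result in parse_log(text):
        end = VENDOR_ACCOUNTS.get(user)
        if end is not None and ts > end:
            hits.append((user, ts, src, result))
    return hits

def find_idle_accounts(text, now_iso, max_idle_days=30):
    """Vendor accounts with no successful login in the last max_idle_days."""
    last = {}
    for ts, user, _, result in parse_log(text):
        if result == "success" and user in VENDOR_ACCOUNTS:
            last[user] = max(last.get(user, ts), ts)
    cutoff = datetime.strptime(now_iso, TS_FMT) - timedelta(days=max_idle_days)
    # Accounts never seen logging in successfully are idle by definition.
    return sorted(u for u in VENDOR_ACCOUNTS if last.get(u, cutoff) <= cutoff)
```

The expired-login list is the alert feed (any hit means an account that should already have been disabled is still being tried), and the idle list is the candidate set for disablement at the next review.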

*5. Alert fatigue*

Alerts signal a potential problem that might require immediate attention,
but if alerts are frequent and coupled with a high false-positive rate,
they lose their power. About a third of cybersecurity professionals face
more than 10,000 alerts every month, and more than half of the alerts are
false positives.

Alert fatigue occurs when security personnel are exposed to a large number
of security alerts and become numb to them, which can cause increased
response times and missed alerts.

For the security team, the number of false alarms belies the actual
problem. Alert fatigue leads to a loss of confidence in security tools.
Over time, the sensitivity threshold falls to a point where all alerts are
suspect, and actual security becomes almost non-existent. When the real
thing happens, nobody recognizes it.

Cybersecurity incident response teams are dealing with their own version of
alert fatigue. Even after an agency invests in state-of-the-art systems that
detect potential attacks and sound alerts, the extremely high rate of false
positives undermines the value of those detection systems.

Hiring more personnel is not the answer. Attacks are increasing
exponentially and agencies cannot keep up just by throwing more people into
the fray. Arming staff with the best technology, one that provides
accurate alerts with no false positives, is a much better approach.
Deception-based solutions, for example, fall into this category.

*6. Routine*

Most organizations are very good at preparing for a targeted event.
Security teams will be on high alert when the latest advanced persistent
threat is published or a new zero-day attack is discovered. But once the
danger has passed, teams tend to fall back into a routine, let down their
guard and can miss a new attack.

Be on guard against routine. Re-allocate tasks. Give your security team
training in the latest technologies and tools. Keep the environment fresh
and dynamic.

Everywhere, networks and data are under attack. This is war! In order to
defend their agency assets, cybersecurity professionals must rely on every
means at their disposal. These days, while we tend to focus on technology
and expertise to spearhead our defenses, we must not overlook the simple,
internal steps we can take to reduce our attack surface and to make every
employee a soldier in our battle against cyberattacks.