[BreachExchange] Don’t forget the basics in the battle against cybercrime

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 21 20:21:51 EDT 2018


https://www.itproportal.com/features/dont-forget-the-basics-in-the-battle-against-cybercrime/

It’s possible to be too clever. Sometimes, in our efforts to combat
increasingly sophisticated cyberattacks perpetrated by well-resourced
hackers, we can become mesmerised by potential threats and pour all our
resources into the latest security technologies – all the while neglecting
the basics. By doing so, we are providing an open door for opportunistic
attackers.

It’s easy to scoff at measures such as password hygiene and staff training
when organisations face so many other challenges they must keep on top of,
such as disruptive tech, software changes, cloud migrations and data
analytics. New security technologies and techniques such as AI and
advanced behavioural analytics are important weapons in the fight against
cybercrime, but on their own they won’t prevent opportunistic attacks by
low-skilled criminals. It’s like investing in a top-of-the-range,
IoT-enabled home security system, only to leave the front door wide open
every day you leave for work.

This isn’t to denigrate advances being made in areas such as
behavioural-based analytics or various identity access management (IAM)
solutions and other useful tools in our security armoury. These are crucial
weapons in the fight against hacks and other forms of cybercrime, but they
shouldn’t distract us from the more mundane, less-celebrated and
more-neglected tasks needed to keep our systems and networks secure.

Take patch management, for example. You don’t have to be a security expert
to appreciate how delaying patching and other security updates is
practically an invitation to hackers to try their luck against your
corporate network. Yet recent research has shown that more than four in
five breaches are the result of poor patch management.

It’s often said that cybersecurity breaches are inevitable, and it’s true
that the skilled and determined hacker will always get through. That’s no
excuse, however, not to take the basic precautions that will prevent many –
perhaps most – attacks.

Because for all the talk about hacking collectives and state-sponsored
cybercrime groups, casual and unskilled attackers represent just as big a
threat. In fact, according to security researcher Mikko Hypponen, one of the
biggest attacks of recent times – the DDoS attack in 2016 that disrupted
corporate giants like Amazon, Netflix, PayPal and Reddit – was most likely
perpetrated by “script kiddies”. His reasoning was that the attackers used
code that was so basic, anyone with a passing interest in cybersecurity
could have written it.

New technologies and approaches are key to combating the rise in
cybercrime, and new techniques such as behavioural analysis are much better
at identifying suspicious activity than older, signature-based methods. But
just as it’s fatal to underestimate one’s enemies, so it’s dangerous to
overestimate their capabilities to the extent of becoming lax with the
basics of information security.

Remember, attackers don’t have any incentive to work harder than they need
to; they are looking for any vulnerability in the network – a
badly-configured firewall, for example, or a poorly-patched system. They
also target human weakness, which is why phishing / spear-phishing attacks
continue to be such a lucrative tactic for criminals.

Dangerous misconceptions

If organisations overlook these basic areas of security, then no amount of
security software solutions, advanced behavioural analytics or AI is going
to prevent these intrusions from occurring. New security technologies and
methodologies must not be allowed to obscure the continued need for
practices that are proven to have a significant effect on cyberattacks.
These include conducting rigorous and periodic assessments of security
processes and effectiveness of controls, and fundamental practices such as
the immediate removal of privileged accounts, rapid and thorough patch
installation and updates, and training to prevent attempts at social
engineering.

Moreover, there’s a dangerous misconception that the majority of IT workers
are somehow more immune from phishing attacks; that their skill and
experience in technology means they’ll be able to spot spoof emails more
easily. That’s simply not true, especially as these attacks are growing
ever-more sophisticated, for example through spoofing HR emails, or by
clever facsimiles of HMRC / IRS tax enquiry emails. All it takes is one
click out of the hundreds of emails these scammers send, and then the
organisation has a major potential breach on its hands. Let’s not ascribe
godlike omniscience to our colleagues in IT, who can be just as fallible as
the rest of us.

No-one looks forward to the prospect of conducting a security maturity
assessment with glee, but this is nonetheless a critical undertaking for
any organisation that values its (and its customers’) safety. Similarly,
reviewing disaster recovery and business continuity plans is crucial for
minimising the impact of any breach that does occur.

By all means invest in the latest generation of security tools, but don’t
think that these technologies free you from the fundamental work of
reviewing your entire security estate, patching quickly, managing
identities and permissions, and training all employees – even IT workers –
in how to spot and report phishing attempts.

There will be no end to the eternal war against cybercrime, but there can
be victories for those prepared to fight it. Every breach defeated is a
battle won, forcing cybercriminals to expend more time and resources on
developing new tools and techniques to infiltrate their targets.
Conversely, if we make things easy for the hackers it will free them to
launch even more attacks, and encourage others to pursue such a lucrative
and risk-free activity.

By following the basics of cybersecurity – while continuing to deploy the
latest advanced technologies – we can not only help to protect our own
organisations, but the whole business ecosystem too. That, surely, is the
cleverest way to wage the war.