For anyone who reads the newspaper or follows the news online, reports of data breaches, ransomware, and other attacks have become far too frequent. My non-technical friends ask whether this is the result of the "work from anywhere" arrangements so many of us now have thanks to COVID. Personally, I don't think so. Why not? Because we were seeing these things before COVID. I do agree that COVID accelerated the work-from-anywhere initiative for many companies, yet it hasn't changed the threat, just expanded the attack surface.
So, what does it take to keep an organization from falling victim to cyber criminals? Just how hard can it be? Quite difficult, actually. As an attacker, I only need to find one way in. As a defender, I must close every hole a would-be attacker could use, I must do it without negatively impacting my user community, and I will never have enough people or budget to do everything I'd like to do.
In that kind of environment, how do you give assurance that there are adequate controls to protect the organization? The key is to identify and manage risk. What are the threats? What controls or protections do you need to put in place to minimize the impact of a threat, or reduce the risk to an acceptable degree? For instance, if an organization is concerned about stolen credentials being used for unauthorized access, it can employ multifactor authentication (MFA, or 2FA in the two-factor case). This requires a user to know the username and password for an account and to possess an additional factor, such as an SMS code, a code from an authenticator app, or a biometric. Not all factors are equal: an SMS code is the weakest of these, since it can be intercepted or phished more easily than a code generated on the user's own device, so pick the factor based on the threat you're defending against. MFA doesn't fully mitigate the risk, but it greatly reduces it. By doing a proper risk assessment, an organization can identify its key risks, likely threat actors, and typical threats, and put the right controls in place.
Many attacks are opportunistic. The attacker didn't specifically target you or your organization; they were simply scanning for easy targets, and if they find an entry point they will try it. Against these attackers, you want your organization to be just a little better protected than the others, so the criminals spend their effort on the easier targets. To be clear, this doesn't mean a determined, focused attacker won't persist against you; the point applies to the opportunistic ones.
For the opportunistic attackers, the key is proper cyber hygiene, or focusing on the basics. If you do the basics and do them consistently, you are much less likely to end up in the news as the next victim of a breach.
There are many things that can be added to the term hygiene, yet I'll simplify and go with five:
- Vulnerability management - patch your systems. Fix your known bads. These are weaknesses an attacker can leverage to gain entry to your environment. They are not unknown zero-days; they are well-known and usually fixable. Apply patches or configuration changes in a timely manner, prioritizing anything internet-facing or known to be actively exploited.
- Enable MFA or 2FA - multifactor or two-factor authentication. This can prevent unauthorized logins when credentials are lost or stolen in a data breach. Yes, this has end-user impact. Do it anyway.
- Remove local admin rights from systems. A normal user cannot install software system-wide. If a user clicks a link that tries to install malware, it shouldn't be able to install under a normal user account; if the user is running as a local admin, the malware gets full control of the system. This does not stop everything (malware can still run inside the user's own profile), but it blocks the most damaging outcomes. This too may impact users, yet they'll adapt quickly.
- Back up your systems - if it's important, back it up. Make sure the account that creates backups cannot delete or overwrite them, and keep the backups off the same network as your systems so an attacker who compromises the network cannot reach them. Test a restore periodically; a backup you have never restored is only a hope. This is vital in a ransomware situation.
- Train your users. Technology will fail and something will get past your defenses; at that point people have to make a decision. At the very least, train users how to recognize and report suspicious activity.
There are a lot of other things I want to add to the list above, but I'll keep it simple. The one thing I would add to #1 is asset management: I need to know what I have in order to know what to patch, so those two go hand in hand.
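As an added example of why #1 and asset management go hand in hand (written for this page, not code from the original post), here is a small Python check that reconciles an asset inventory against the results of a vulnerability scan so the gaps between the two surface as findings: hosts on the network that nobody owns, owned hosts that the scan never saw, software below your patch baseline, and inventory records that no longer match reality. The inventory, scan results and version baseline are constructed sample data, and version comparison is deliberately simplified to numeric components; for real package versions use the distribution's own comparator.

```python
import re
from dataclasses import dataclass


def version_key(version: str) -> tuple:
    """Compare by numeric components only: "9.6p1" -> (9, 6, 1). Enough for this demo;
    real package strings (epochs, -N revisions) need the distro's comparator."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    ip: str
    issue: str
    detail: str


def reconcile(inventory: list, scan: list, baseline: dict) -> list:
    """Cross-check what we think we own (inventory) against what is actually on the
    network (scan). Returns findings sorted by severity, then IP."""
    known = {asset["ip"]: asset for asset in inventory}
    seen = {result["ip"]: result for result in scan}
    findings = []

    for ip, result in seen.items():
        asset = known.get(ip)
        if asset is None:
            # You cannot patch what you do not know you have, and nobody owns this box.
            findings.append(Finding("high", ip, "unknown_host",
                                    "seen on the network but not in inventory; no owner to patch it"))
        for pkg, found in result["software"].items():
            required = baseline.get(pkg)
            if required and version_key(found) < version_key(required):
                # An unowned host below baseline is the classic opportunistic entry point.
                severity = "high" if asset is None else "medium"
                findings.append(Finding(severity, ip, "below_baseline", f"{pkg} {found} < {required}"))
            if asset is not None and asset["software"].get(pkg) != found:
                findings.append(Finding("low", ip, "inventory_drift",
                                        f"inventory says {pkg} {asset['software'].get(pkg)}, scan saw {found}"))

    for ip in known.keys() - seen.keys():
        # Either a stale record or a machine that is offline and silently missing patches.
        findings.append(Finding("medium", ip, "not_seen",
                                "in inventory but not on the network; stale record or offline and unpatched"))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.ip))


# Constructed sample data (assumptions for this example, not real systems).
INVENTORY = [
    {"host": "web-01", "ip": "10.0.1.10", "owner": "web-team", "software": {"openssh": "9.6p1"}},
    {"host": "web-02", "ip": "10.0.1.11", "owner": "web-team", "software": {"openssh": "9.6p1"}},
    {"host": "db-01", "ip": "10.0.2.20", "owner": "dba-team", "software": {"postgresql": "16.2"}},
]
SCAN = [
    {"ip": "10.0.1.10", "software": {"openssh": "9.6p1"}},
    {"ip": "10.0.1.11", "software": {"openssh": "8.2p1"}},   # never got the patch
    {"ip": "10.0.9.77", "software": {"openssh": "7.4p1"}},   # not in inventory at all
]
# The minimum versions you have decided are acceptable in your environment.
BASELINE = {"openssh": "9.3p1", "postgresql": "16.2"}


if __name__ == "__main__":
    for f in reconcile(INVENTORY, SCAN, BASELINE):
        print(f"[{f.severity:6}] {f.ip:12} {f.issue:16} {f.detail}")
```

Run on the sample data, the unowned host at 10.0.9.77 sorts to the top twice (nobody owns it and it is the most out of date), which is exactly the machine an opportunistic scanner would find first; the inventory drift on web-02 is the quieter signal that the patch process is not reaching every system it thinks it reaches.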
To defend your organization, you need to take a risk-based approach. This means conducting a risk assessment and using it to determine the proper controls. Then you need to implement those controls and roll them out consistently to every system in your environment; a control applied to most systems leaves the rest as the easy way in. By focusing on the basics, you can better defend your organization and reduce the chances of being the next victim mentioned in the nightly news.
Small improvements have a large impact on the overall security of your organization. This was true before COVID and it will remain true long after COVID is forgotten. Security is a journey, and we need to keep focusing on the basics if we expect to stay safe and secure.