By Guest Blogger Brad Mathis, Senior Consultant, Information Security
It is mid-2015. By now, we have all seen incoming emails claiming we have been bequeathed a huge sum of money from a Nigerian Prince, or we have won a foreign lottery we never entered. Most employees have seen these scam emails long enough to know they are not real.
- What about the seemingly benign email coming in from a recognizable sender?
- What if this legitimate looking email has an attached PDF or Word document?
- What if it contains a seemingly real link to a web site?
- How many of your employees would open the attachment or click on the link?
- How many employees will assume it is safe since it made it unscathed through all of your layers of security, including email and web content filters?
- Do your users understand the ramifications of introducing undetected malware into your environment? Do they know this malware can capture their keystrokes, turn on their web camera and microphone, and capture screen shots or data from their system and transmit this data to cyber-criminals completely undetected?
If you can answer these questions with a high degree of certainty, you are either a one-user environment, you are sitting at each user’s desk approving their every keystroke, OR, you have already identified and implemented the requirement for measurable security awareness training and the importance of recurring testing of your staff to see how Phish prone they are.
This would be a good time to stress the importance of continuing to maintain an effective defense-in-depth strategy. What does this mean? Defense-in-depth all comes down to remembering not one single defense mechanism will protect your environment. It takes several layers to lower risk. Examples of necessary defense-in-depth layers are:
- Continuous Vulnerability Management
- Continuous Patch Management of Applications and Operating Systems
- System Hardening and Configuration Standards
- Effective Next Generation Firewall Strategy
- Intrusion Detection and Prevention
- Malware Defenses and Content Filtering
- Secure Perimeter and Network Security Architecture
- Complete elimination of obsolete operating systems and applications, as well as the elimination of technologies no longer supported or considered best practice, such as RIP and WINS
- Strengthened Controls such as Password Requirements and Rights Management
- Policies, Procedures, and Standards
Won’t a strong defense-in-depth strategy prevent the introduction of cyberattacks into my network? Unfortunately, no amount of technical defenses can completely prevent the actions of a user lacking security awareness from clicking or opening something they should not. The danger point is the window of opportunity the cyber-criminal are all too familiar with. Cyber-criminals know there is a time lag between the time vulnerabilities are discovered and the time organizations get around to correcting the vulnerability. The criminals know to attack swiftly while defenses are down and the chance of detection is low.
According to a recent information security study, it takes organizations an average of 176 days to remediate known vulnerabilities. However, it only takes cyber criminals an average of 7 days to exploit known vulnerabilities. During the 169-day delta between vulnerability remediation and cyber-criminal exploitation, your defense in depth layers may be at the mercy of your end user’s level of security awareness education. On top of this, we have been seeing a window of several days before anti-malware providers can detect the newest malware strains.
Of the 150+ Million phishing emails being sent every single day, over 10% are making it through SPAM filters. Of those, over 8 million are opened, and over 800,000 users are clicking on phishing links. An average of 80,000 users a day are phished and actually provide sensitive information to cyber-criminals because they believe the email or web link to be legitimate. Every Day! Are your users among the 80,000 daily victims?
If you haven’t figured it by now, Security Awareness Training and Effectiveness Testing is now a required layer to an effective Defense-In-Depth strategy. Knowing this is critical, Keller Schroeder has partnered with KnowBe4 to offer effective and measurable Information Security Awareness Training, as well as perform ‘safe’ simulated phishing attacks to help determine what your current Phish-Prone percentage is and how to lower it. For years, law enforcement learned their best crime prevention techniques from Criminals. KnowBe4 has taken this approach, as well, with Security Awareness Training. The training was co-developed with reformed cyber-criminal Kevin Mitnick, the Most Wanted Hacker in the World during the mid-nineties.