Last year, 2019, saw 12,174 new publicly announced vulnerabilities according to CVEdetails. If that sounds like a high number, it's a lot less than in the previous two years: 16,556 in 2018 and 14,714 the year before. And that's on top of the several hundred million unique malware programs and all the conniving human adversaries trying to break into your organization, including nation-states, financial criminals, data and IP thieves, hacktivists, and script kiddies. All in all, we've got a lot to worry about.
Cybersecurity defense is all about decreasing risk from the most likely attacks. The sheer number of new threats definitely complicates the job, but you can significantly improve your defense and it likely won’t cost you much. It’s more of a re-focusing on what should matter the most.
Here are five eye-opening strategies to improve your IT defenses and keep the bad guys out of your network.
1. Understand Risk Better
The number one challenge for most computer security defenders, the one that impacts everything else, is that they don't understand which risks and threats they really should be concentrating on the most. There is a fundamental misalignment between what most defenders focus on the most and how they are successfully attacked the most.
That’s not hard to believe because of the avalanche of different attacks they are being told to fear and all the computer vendors trying to sell them new software and hardware. But here is something you should learn and understand, “There is a gulf of difference between what you are being told you should fear and what you should prepare to fight the most.” And if you concentrate on the right things you’ll have a far more effective defense.
Let me give you an example. There is a billion-dollar industry of vendors who sell RFID-shielding products supposedly to protect RFID-enabled credit card information from being wirelessly stolen and re-used to make fraudulent transactions. You can buy credit card sleeves that block RFID wireless eavesdropping signals, wallets, purses, and even clothing.
My friends are always happy to tell me they bought one of those products and the Internet abounds with buying opportunities. But the fact is that there isn’t publicly known evidence of a single real-world crime where an RFID credit card shield product would have prevented the crime. Not one!
Or here's another example that is closer to IT security. Two years ago, the world learned about the chip flaws known as Meltdown and Spectre. These are arguably the most potentially damaging vulnerabilities announced in my 32-year career. They impacted most personal computer chips made since the 1990s, including those used with Windows, Linux, and Mac systems.
If you didn’t apply the patches, there was literally nothing you could do to stop an attack focusing on those vulnerabilities from successfully exploiting an unpatched system. None of the operating system defenses could stop them. Antivirus detection software couldn’t prevent them. And a successful attack would not be detected or end up in your logs. The only thing you could do to stop them was to apply the vendor patches. And the world rushed to apply the patches.
Sadly, most of the original patches caused fatal computer errors or significant processor slowdowns (40% to 60%). And yet, over 2 years later, there hasn't been a single publicly known real-world attack using either of those two vulnerabilities. So, the patches caused all sorts of problems and no real-world attacks. Who could have predicted it?
Turns out a lot of people. Almost all known exploited vulnerabilities have public exploit code known and used in the real world. Not all exploits, but the vast majority by far. If you want to know if you should patch something, one of the first things you should ask is if the vulnerability is associated with public exploit code being used in the wild. Because if not, maybe you can wait a few days (or weeks) before deploying to make sure the patch vendors have all the bugs worked out.
There are lots of ways you and your organization can be successfully attacked. The two largest root causes of exploits have been social engineering (involved in 70% to 90% of all successful data breaches) and unpatched software (involved in 20% to 40%), and it's been this way for the entirety of computer history. Nothing else is close. Every other type of root exploit cause, added up all together, equates to 1% to 10% of the risk in most environments.
You don’t have to believe me. I could be lying to you. I work for a popular computer security services vendor who is trying to sell everyone anti-social engineering education and services. But ask yourself, when you’ve learned of a computer malware program that got loose on a computer or a hacker who made it by all the installed defenses, what was the root cause that allowed them to get past the defenses? When you read about some company that has suffered a hacker attack, how did they get exploited? I can bet that it was either social engineering or unpatched software.
Sure, sometimes it is some other cause, say insider attack, wireless eavesdropping, misconfiguration, data malformation, etc. Social engineering and unpatched software aren't the cause of every successful attack. Just most successful attacks…by far! In my over 30 years of computer security experience, consulting to hundreds of compromised companies each year, only two were compromised because of something else.
Heck, I can only remember a handful of companies I've read about in 30 years that were hacked because of something other than social engineering and unpatched software. But do your own analysis. What root causes were responsible for most of the hacking or infections in your company? And then ask yourself, are you and your organization spending as much focus on those two root causes as you should be?
Everyone should be using their company's own local experience of how malware and hackers got by the deployed defenses to decide how to best defend their organization. Instead, most people end up concentrating on too many things…too many threats…and end up not devoting enough time and resources to the biggest threats most likely to compromise their company.
So, my advice is focus more on your local experience and less on global press reports telling you all about the world and nothing about what is happening to you. And focus on the top two or three biggest root causes of cybersecurity events in your organization first and best. And when you do that, there’s a strong chance you’ll want to focus more on anti-social engineering defenses and better patching.
If you’re interested in more on computer security risk management, you can check out my KnowBe4 webinar (https://info.knowbe4.com/webinar-grimes-computer-security-defenses) on the subject or read my best selling book, A Data-Driven Computer Security Defense (https://www.amazon.com/Data-Driven-Computer-Defense-Way-Improve/dp/1092500847).
2. Concentrate on Defeating Phishing
Social engineering and phishing are involved in 70% to 90% of all successful malicious data breaches. It's easily the biggest root cause for most hacking events. Sadly, most organizations spend less than 5% of their resources and less than 1% of their time on preventing it. To prevent social engineering and phishing you're going to have to focus on the best technical and training defenses you can muster.
I don’t have time to mention everything you could do, although I do cover as many of them as I can in a webinar (https://info.knowbe4.com/webinar-stay-out-of-the-net). But in short, you need to try your hardest to prevent social engineering attacks from making it to your end user (using technical defenses) and train your employees how to recognize when they still make it through and what to do. You want to create a culture of healthy skepticism from employees when they see certain types of emails.
I think everyone now universally agrees that doing simulated “fake” phishing “campaigns” is a great way to test, identify, and train your employees against phishing attacks. KnowBe4 has over 30,000 customers and over 7 years of experience and data to see what does and doesn’t work. What does work is doing frequent security awareness training – at least once a month.
Every employee should receive a longer (15 to 30 minutes) security awareness training when hired and at least once a year. Thereafter, they should receive shorter training (3 to 5 minutes) at least once a month, using a mix of different methods, including in-person, training videos, reading material, emails, games, etc. Intermix that training with simulated phishing campaigns which reinforce the lessons being taught. Employees failing a simulated phish should be given immediate training about the subject they failed and how to improve their future recognition of the threat.
Companies that follow this type of strategy consistently and significantly reduce the risk of successful social engineering and phishing attacks. KnowBe4's customers often go from a 30+% employee "phish prone" rate to 2-3% in a year. Not some companies. Not the best companies. Nearly every company that follows a monthly education and phishing plan achieves a 2-3%, or similar very low, click rate. I challenge anyone to find another computer security control that reduces risk as well and as fast.
All employees should be given a way to report suspected phishing emails. At KnowBe4, we offer the free Phish Alert Button (https://www.knowbe4.com/free-phish-alert). You can deploy that add-in to Outlook, Gmail, and other email clients. When a user sees a potential email phish, they can select the email and click on the Phish Alert Button to send it to a pre-configured email address and the tool also deletes the message.
It's important that users don't just delete the message and go on with their lives. Reporting every potential phish lets computer security personnel keep track of how much phishing is going on at any one time and note and respond to particularly notable events. If a nation-state adversary is sending phishing emails to all your top employees, you'd want to know about it, right?
3. Better Patch – Focus on the Right Things
After social engineering and phishing, unpatched software is responsible for the most malicious intrusions (20% to 40% of all successful data breaches). But as I covered earlier, there are literally over 12,000 different publicly announced vulnerabilities that we have to be aware of and patch against if we have that software in our environment. But no one can patch everything quickly and perfectly all the time.
So, we need to focus on better patching what is attacked the most. Here are three recommendations: First, if the vulnerability does not have public exploit code released with it, then it's very, very unlikely to be exploited against your company. You still have to patch it, but perhaps not as aggressively as the vulnerabilities that do have exploit code in the public domain.
Second, the software you have to make sure is patched first and best are, on workstations:
- Internet browsers
- Internet browser add-ins
- Operating systems
- “Listening” services reachable from the Internet, like Remote Desktop Protocol (RDP) services
On servers, the top most exploited type of programs are:
- Web server software
- Database software
- Operating systems
- “Listening” services reachable from the Internet, like RDP
- Remote management products, reachable from the Internet
Note: Web sites and retailers need to make sure their point-of-sale (POS) systems are up to date, as well.
Most companies will only be attacked by a handful or so of different exploits. Out of the over 12,000 vulnerabilities, your organization may see 5 to 12 of them in any given year tried by malware or a human attacker. Which ones? Likely the ones against the software types listed above. So, do your best job at patching those types of software programs above all others. You don't have to get 12,000 programs perfectly patched, but you do have to patch those programs listed above. More than likely the attackers aren't attacking your human resources software or cafeteria menu program.
Patch what is most likely to be exploited first. There is a huge gulf between your most unpatched program and the most likely to be attacked unpatched program. For example, the most unpatched program in history was Microsoft’s Visual C++ runtime distributable library. It was almost on every Windows computer, often several times, and almost always unpatched.
But I’ve never read of a single instance where an attacker used an exploit against it. Why? Because it isn’t a “listening” service, it wasn’t easily reachable from the Internet, and it was never installed in a consistent place that attackers could look for it. Focus on patching the most likely to be exploited stuff and do it fast and with 100% efficiency.
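The two triage rules from section 1 and this section (does public exploit code exist in the wild, and is the software one of the most-attacked types on that kind of host) can be turned into a simple patch-ordering script. This is an added example and not the author's or KnowBe4's tooling; the findings, host names and category labels are constructed sample data.

```python
"""Rank vulnerability findings by the article's two criteria: in-the-wild
exploit code, and membership in the most-attacked software types per host role.
Added example with constructed data; no real CVEs, hosts or products."""
from dataclasses import dataclass

# Software types the article names as patched-first-and-best, by host role.
HOT_CATEGORIES = {
    "workstation": {"browser", "browser_addin", "os", "listening_service"},
    "server": {"web_server", "database", "os", "listening_service", "remote_mgmt"},
}

@dataclass
class Finding:
    host: str
    role: str                  # "workstation" or "server"
    software: str
    category: str
    exploited_in_wild: bool    # public exploit code seen in real attacks
    internet_reachable: bool   # listening service reachable from the Internet

def priority(f: Finding) -> int:
    """Lower number = patch sooner.
    0: exploited in the wild AND a most-attacked type (patch now)
    1: exploited in the wild, or an Internet-reachable listening service
    2: most-attacked type with no known in-the-wild exploit yet
    3: everything else (can wait for the patch vendor to shake out bugs)"""
    hot = f.category in HOT_CATEGORIES.get(f.role, set())
    if f.exploited_in_wild and hot:
        return 0
    if f.exploited_in_wild or (f.internet_reachable and f.category == "listening_service"):
        return 1
    if hot:
        return 2
    return 3

def triage(findings):
    """Return findings in patch order, most urgent first (ties by host, software)."""
    return sorted(findings, key=lambda f: (priority(f), f.host, f.software))

# Constructed sample findings (hypothetical hosts and products).
SAMPLE = [
    Finding("hr-app-01", "server", "hr-payroll-suite", "business_app", False, False),
    Finding("ws-042", "workstation", "vc-runtime", "runtime_library", False, False),
    Finding("ws-042", "workstation", "web-browser", "browser", True, False),
    Finding("edge-rdp-01", "server", "rdp-gateway", "listening_service", False, True),
    Finding("db-01", "server", "sql-server", "database", False, False),
    Finding("cafeteria-01", "server", "menu-app", "business_app", True, False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(priority(f), f.host, f.software)
```

The unpatched C++ runtime on the workstation lands in the last tier, matching the article's point that the most unpatched program is not the most attacked one.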
4. Tested Restore
Every company claims to have great backups, and if anything, ransomware has shown that most of the world does not have good, tested backups. There isn't a computer security compliance guideline, recommendation, or regulatory law that doesn't require that all entities have good, tested backups. Every audit any organization has undergone has asked the question, "Do you have good, tested backups of critical information systems?" And every audited company answers, "Yes", when it usually isn't true.
What the auditor is asking is if you can restore all your critical systems from backup. What the organization involved usually means when it says, “Yes”, is that they’ve tested restoring a few files or one server, once a long time ago, and it worked. Almost never has the respondent actually tested restoring all the resources and infrastructure needed to recover even one major critical system (which not only includes all the involved servers, but other involved infrastructure services like DNS, Active Directory, etc.).
For anyone to truthfully say they have tested restoring all their critical systems, the tester needs time, space, and resources to do the testing. Regular, thorough backup/restore testing is expensive and time consuming. It takes lots of money, people, and time to do. What most organizations do is ask the already overtaxed backup person/team to do some test restores, or rely on a data restoration/VM service that they have never really completely tested, especially at any significant scale.
One of the most popular attack methods these days is ransomware. The ransomware breaks in and then notifies the ransomware owners. The owners look around the now compromised environment, figure out what the victim's "crown jewels" data and services are, and then create a malicious strategic encryption plan that locks up as much valuable data and creates as much downtime as is humanly possible. Then they set off the ransomware, encrypting all the targeted servers and services. Ransomware routinely encrypts dozens to hundreds of servers nearly all at the same time. It can take months before the attackers make their move.
When a defender learns of the ransomware attack, they find nearly every critical server and service in their environment taken down and held as hostage. To do a full recovery from a ransomware attack, a defender has to simultaneously restore dozens to hundreds of servers and services. They have to figure out what to restore first, what relies on what, and what can be restored and turned on and not be out of sync with all the other later restored servers and services.
Realistically, any server or service that was maliciously encrypted has to be "unit tested", meaning that the programs must be put through all the possible options they can be involved in, all possible inputs, and all possible outputs, before the restore can be determined to be a success.
Almost no company has tested a global ransomware takedown of their most critical servers and services and tried to see what would happen, or how long it would take to restore from a bad ransomware attack. Almost no company is prepared to do unit testing. You have to prepare ahead of time how to test all possible inputs, all the various computational scenarios, and what to expect (ahead of time) for all the tested scenarios.
One of the single best defenses you can do is to ensure that you have not only great backups of all critical servers, programs, and services, but also of all supporting infrastructure. And then do regular testing of restores of complete systems if not all critical systems. Can you do it? How long did it take? What were the problems? Until you can answer these questions you really don’t have a good, reliable backup. In the end, only a good, reliable restore is the ultimate defense against nearly any destructive attack. Don’t let a major ransomware attack be the first test of what you think is a solid, reliable, backup.
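Working out "what to restore first, what relies on what" ahead of time is itself something you can script and keep with the recovery plan. The planner below is an added example, not the author's procedure or any product's feature; the service names and dependency map are constructed, and it groups services into restore waves with a topological sort so that infrastructure like DNS and Active Directory comes back before everything that depends on it.

```python
"""Restore-order planner: group services into waves where every service in a wave
depends only on services restored in earlier waves.  Added example with a
constructed dependency map; service names are hypothetical."""

# Constructed: service -> services that must already be up before it is restored
# and brought online, so the restored system is not out of sync with its peers.
DEPENDENCIES = {
    "dns": set(),
    "active_directory": {"dns"},
    "file_server": {"active_directory"},
    "sql_cluster": {"active_directory", "dns"},
    "erp_app": {"sql_cluster", "file_server"},
    "web_portal": {"erp_app", "active_directory"},
}

def restore_waves(deps):
    """Return a list of waves (each a sorted list of services) using Kahn's
    algorithm.  Services within one wave can be restored in parallel.
    Raises ValueError on a dependency cycle: a plan with a cycle cannot be
    executed and must be fixed before an incident, not during one."""
    remaining = {s: set(d) for s, d in deps.items()}
    # A dependency that is not listed as a service is still something that
    # must be restored, so give it an entry with no prerequisites.
    for dep in {d for ds in remaining.values() for d in ds}:
        remaining.setdefault(dep, set())
    waves = []
    while remaining:
        ready = sorted(s for s, d in remaining.items() if not d)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(ready)
        for s in ready:
            del remaining[s]
        for d in remaining.values():
            d.difference_update(ready)
    return waves

if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(DEPENDENCIES), 1):
        print(f"wave {i}: {', '.join(wave)}")
```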
5. Early Detection
I don't think there is any computer security professional who thinks they can stop every possible attack and attacker, except for perhaps those specially locked down environments with computers without access to the Internet, in a bunker, whose hard drives get locked in cabinets at the end of each day. The rest of us probably have an "assume breach" mentality. Assume breach means you believe that you either already have a bad guy in your environment or easily could have one in your environment if they decide to concentrate on your network, and you prepare and control accordingly.
So, assuming you don’t think you can perfectly defend 100% of the time, that means you believe you could get successfully hacked. If you think that, the next best thing after prevention is early warning. All great computer defenses focus more than most on early detection, whether it is by intrusion detection devices, event logs, or any of the myriad of software and hardware devices which can alert you that something malicious is going on.
Personally, one of my favorite early warning technologies is deception technologies (i.e. honeypots). I’m a big fan of taking a workstation or server you’re getting ready to discontinue (for any reason) and turning it into a honeypot. Simply clean it up and monitor it to see if anyone or anything tries to connect to it. It’s an unused/inactive asset.
Nobody should be connecting to it (other than broadcast traffic and the normal brood of management services, like antivirus signature updating and patch management servers). Once you fine-tune the list of legitimate, allowed connecting computers, you alert on anything else. If a hacker tries to log on to it or port map it, you'll get early warning. If a malware program is running around your network trying to break into computers, you'll get early detection.
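The alerting rule for such a honeypot is small enough to show in full: allow the known management servers and broadcast traffic, alert on every other connection attempt, and raise a separate alert when one source touches many ports (the "port map it" case). This is an added example, not the author's tool; the log format, IP addresses and log lines are constructed.

```python
"""Honeypot connection alerting: anything that is not an allowlisted management
server or broadcast traffic is an alert; many ports from one source is a scan.
Added example; addresses, format and log lines below are constructed."""
import re
from collections import defaultdict

# Constructed allowlist: the management services that legitimately touch the box.
ALLOWED_SOURCES = {"10.0.0.5": "av-update-server", "10.0.0.6": "patch-mgmt-server"}
BROADCAST_DESTS = {"255.255.255.255", "10.0.0.255"}
SCAN_THRESHOLD = 5  # distinct destination ports from one source

# Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")

def parse_line(line):
    """Return a dict for a well-formed line, None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def analyze(lines):
    """Return (alerts, noise).  noise = allowlisted/broadcast records kept for
    tuning; alerts = unexpected connections plus one port_scan alert per
    source that reached SCAN_THRESHOLD or more distinct ports."""
    alerts, noise = [], []
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in BROADCAST_DESTS or rec["src"] in ALLOWED_SOURCES:
            noise.append(rec)
            continue
        ports_by_src[rec["src"]].add(rec["dport"])
        alerts.append({"kind": "unexpected_connection", "ts": rec["ts"],
                       "src": rec["src"], "dport": rec["dport"]})
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append({"kind": "port_scan", "src": src, "ports": sorted(ports)})
    return alerts, noise

# Constructed sample log: the honeypot is 10.0.0.77.
SAMPLE_LOG = """\
2020-03-01T08:00:01 10.0.0.5:49152 -> 10.0.0.77:445 tcp
2020-03-01T08:00:03 10.0.0.9:68 -> 255.255.255.255:67 udp
2020-03-01T08:05:00 10.0.0.33:50001 -> 10.0.0.77:3389 tcp
2020-03-01T08:05:01 10.0.0.33:50002 -> 10.0.0.77:445 tcp
2020-03-01T08:05:02 10.0.0.33:50003 -> 10.0.0.77:22 tcp
2020-03-01T08:05:03 10.0.0.33:50004 -> 10.0.0.77:80 tcp
2020-03-01T08:05:04 10.0.0.33:50005 -> 10.0.0.77:443 tcp
2020-03-01T09:00:00 10.0.0.41:51000 -> 10.0.0.77:3389 tcp
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)[0]:
        print(alert)
```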
That’s it! If you want to significantly improve your computer defenses, follow these five above recommendations. Most are no-cost to low-cost, and you’ll get more bang-for-the-buck defense out of them than if you bought some expensive shiny security appliance or expensive new software program. Good computer security…real computer security…isn’t about buying the latest expensive gizmo. It’s about recognizing the right risks, concentrating on the right threats, and simply doing a better job at what you’re probably already doing.
Keep Fighting the Good Fight!