My research made it clear that if CISOs focused on these three items, it would take care of 99% of the vulnerabilities.
One:
There are three top root hacking causes, and together they account for almost all of the cybersecurity risk most organizations face:
- 70-90% of successful hacking involves social engineering
- 33% of it involves unpatched software/firmware, according to Mandiant
- 30% involves weak logins
- And 79% of that last category is due to social engineering
These three most popular root hacking causes are often commingled to bring about the desired effect. For example, a phisher uses social engineering to trick users into clicking on a link, which runs malware that takes advantage of an unpatched software vulnerability.
These three root causes are 99% of the reason why hacking is so successful. Everything else a cybersecurity defender has to do, even if required, even if still important, even if still a good thing to do, is a distraction from the most efficient way to make your organization immediately far more resilient to cybersecurity attacks.
Ask yourself: How much of your day is spent focusing on mitigating these three root hacking causes versus everything else?
Two:
No AV/EDR solution can detect 100% of malware (at least without causing undue operational interruption). I know this because if one AV/EDR product actually did, we would all buy that product, at a premium, and malware and ransomware would be no more. When AV/EDR vendors tell you they can detect 100% of malware, they are ALL lying. Every one of them. And most of us keep believing in some sort of hopeful mass delusion as we keep getting exploited.
Firewalls, VPNs, and AV/EDR are less protective than most people think. Almost all exploited victims had these things and were still successfully exploited. These things are not bad, but they are absolutely not going to save you in most instances of exploitation.
Three:
Most multi-factor authentication (MFA) used today, including Google Authenticator, Microsoft Authenticator, and Duo, is as easy to hack, steal, and socially engineer around as a password. It takes a hacker or their malware no greater effort to get around most of today's MFA than to get around the passwords the MFA replaced. And everyone selling that MFA knows it.
Defenses
In light of these absolute facts, what defenses will work best and most efficiently?
Three things:
- Focus far more effort and resources on mitigating social engineering and phishing however you can do it
- Have aggressive, perfect patching on the things that are being actively exploited
- Use phishing-resistant MFA
Yes, you can be exploited by other things (e.g., zero-days, insider attacks, SQL injection, etc.), but the vast majority of successful hacking attacks are related to just three root causes, and mitigating those would get rid of almost all of your cybersecurity risk.
These three main problems and the needed defenses have not changed in over three decades. But one day they might, so create a flexible mental and operational framework that can respond when they do.
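Why the code-based MFA criticized under Three is no stronger than a password against social engineering, while the phishing-resistant MFA recommended under Defenses is, comes down to what the server actually verifies. The following Python is an added illustration, not code from the original post or from any of the products named above. It implements RFC 6238 TOTP for the code-based side; for the origin-bound side it uses an HMAC keyed with a constructed authenticator key as a simplified stand-in for a WebAuthn-style signature. The secrets, the challenge, and the origins `login.example.com` and `login.example-lookalike.com` are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo material; none of these values come from the original post.
TOTP_SECRET = b"constructed-shared-secret"
AUTHENTICATOR_KEY = b"constructed-authenticator-key"  # stand-in for a per-site signing key
LEGIT_ORIGIN = "https://login.example.com"             # hypothetical relying party origin


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(submitted_code: str, unix_time: int) -> bool:
    """Server-side TOTP check. Note what is NOT an input: where the user typed the code.
    The server cannot tell a code relayed through a look-alike site from one typed
    directly into the real site, which is why a phished TOTP is as good as a phished password."""
    return hmac.compare_digest(submitted_code, totp(TOTP_SECRET, unix_time))


def sign_assertion(challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """Authenticator side (simplified): the response is computed over the server's
    challenge AND the origin the browser reports it is actually on."""
    return hmac.new(AUTHENTICATOR_KEY,
                    challenge + origin_seen_by_browser.encode(),
                    hashlib.sha256).digest()


def verify_assertion(challenge: bytes, assertion: bytes) -> bool:
    """Relying party recomputes over its OWN origin. A response produced on any other
    origin fails, even if it was relayed to the real server in real time."""
    expected = hmac.new(AUTHENTICATOR_KEY,
                        challenge + LEGIT_ORIGIN.encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(assertion, expected)


def compare_methods(unix_time: int, origin_user_visited: str) -> dict:
    """The user completes both factors from `origin_user_visited`; the real server verifies each.
    Returns which factor the real server would accept."""
    # Code-based MFA: the six digits are the same string wherever the user types them.
    code = totp(TOTP_SECRET, unix_time)
    # Origin-bound MFA: the browser hands the authenticator the origin it is really on.
    challenge = b"constructed-server-challenge"
    assertion = sign_assertion(challenge, origin_user_visited)
    return {
        "totp_accepted": verify_totp(code, unix_time),
        "origin_bound_accepted": verify_assertion(challenge, assertion),
    }


if __name__ == "__main__":
    now = 1_000_000  # constructed timestamp
    print("user on the real site:     ", compare_methods(now, LEGIT_ORIGIN))
    print("user on a look-alike site: ", compare_methods(now, "https://login.example-lookalike.com"))
```

The first call accepts both factors. The second accepts the TOTP code but rejects the origin-bound assertion: the only thing that changed was the origin the browser was on, which the TOTP verifier never sees and the origin-bound verifier checks by construction. That property, not the number of factors, is what "phishing-resistant" means in the Defenses list.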