Cyber-attacks have moved to the front page of the news. The attack on Colonial Pipeline and JBS Foods went to the heart of the US energy and food supply systems. Hospitals and health organizations were hit in 2020 impacting over 18 million patient records and costing $ 21 Billion. No one is immune as 43% of attacks are against small businesses. So being big or small does not escape the attack. The criminals behind these attacks are building more sophisticated profit-oriented organizations, even investing in AI (Artificial Intelligence) and talent to keep a few steps ahead of the defense.
We are all part of the defense and it’s challenging to keep up with the bad guys. Assuming some level of IPS, firewall and antivirus are in place within your company here are 6 steps to take that many companies either do not do at all or neglect doing consistently or correctly. By no means are these steps a comprehensive approach to cybersecurity. Think of it more as a milestone or a further marker on the journey from your current location to a more secure one.
1. Security Awareness Training
According to the 2021 Verizon Data Breach Report, breaches from phishing attacks have increased from 25% to 36% of all breaches over the past year. This makes sense as the increase in remote workers has created an opportunity to capture or steal credentials from remote devices allowing criminals the ability to get into the cloud or company premise assets leading to 6 or 7 figure ransom demands.
Recent figures from Terranova state that 20% of all employees are likely to click on phishing email links and 67.5 % of these employees go on to enter their credentials on the phishing website. It’s getting much more difficult to identify phishing vs. legitimate emails.
Security Awareness doesn’t remove the element of human judgment, but it does help make human judgment better thereby giving you better odds against the bad guys. Security Awareness Training providers provide training materials, online training programs, baseline testing, simulated phishing attacks, and reporting results. A leader in this area, KnowBe4, has reduced the phishing-prone percentage from a baseline of 37% to 4.7 % over 12 months. Costs range from $ 4 to $ 30 per user for the year based on the program details and the total number of users involved.
2. Email Gateway Security
Ninety percent of cyber-attacks are delivered by email. Security awareness training, as mentioned, is a key step to take but combining it with the power of email security technology will decrease the probability of attack further.
Email gateways servers act as a gateway through which every incoming and outgoing email passes. The purpose is to monitor all emails and only let the good ones go in our out. Incoming emails are monitored for spam, phishing attacks, malware, or fraudulent content. Outgoing email can be monitored to ensure sensitive data is not leaving the organization or that it is encrypted. Email gateway security providers are needed for both on-premises and cloud email solutions. Office 365 email on its own does not provide this. It needs to be combined with Microsoft Defender for Office 365 or a third-party product like Mimecast, Proofpoint, or Darktrace
These solutions range from traditional rule-based programming to using AI to protect against a variety of threats. Some common features include:
- URL defense – unknown URLs can lead to malware or credential phishing. This protection sandboxes suspicious URLs and performs analysis when the user clicks on these links.
- Attachment defense – provides protection against known and unknown threats delivered by attachments.
- Impersonation defense – protects against email attacks that use sender and domain spoofing and social engineering to coerce users to take an action.
3. Operating System Patching
Statistics show known vulnerabilities that have not been patched can be the source of more than 60 % of security breaches. Some are vulnerabilities that have had patches available for years. Vulnerabilities in total will be discussed further down but one part of vulnerability patching and one that is quite common is Operating System Patching for Microsoft, Linux, and other OS. We are used to doing this on the personal side as many of us have our laptop or PC set to automatically download and apply patches as they become available. These patches add features, fix software bugs, and eliminate security vulnerabilities.
Automated patching on enterprise servers can be more difficult than on our laptops. This can present some barriers especially to small IT teams such as:
- The servers contain business-critical apps where any change requires testing on non-production servers followed by promotion to production servers.
- Many patches require restarting the server and they can only be restarted within scheduled windows to avoid disrupting the business.
- There is a low probability but not zero probability of the patch causing a new issue.
- There may be integrated systems that need to have services stopped and started as part of the patching process in specific order requiring some domain expertise.
- There may be a lot of enterprise servers that require patching which may require an all-day outage.
As a result, there may be an inconsistent approach to OS patching where even large companies may miss or ignore some parts of their enterprise. Smaller businesses may not have the staff to keep up to date with patching and may not see the value of patching. That is until they experience a cyber-attack.
Adding the discipline, scheduled, and consistent approach to apply, test, and promote OS patches is a critical and valuable method to reduce the probability of cyber-attacks.
4. Vulnerability Management
Almost 18,000 new software vulnerabilities were reported in 2020 which set a record. Everything is becoming software so beating this record will be the norm going forward. As stated earlier, unpatched vulnerabilities play a significant role in allowing cyber attackers easier access to entry. Software providers work hard to develop patches for these vulnerabilities but for customers patching in such large numbers is challenging. Enterprise software needs to have a patch/change management cycle to safely move tested patches into production. Most of the time this still involves scheduled downtime so having a quarterly or monthly patch cycle is as fast as it gets. This includes applications, middleware, and databases. Much more than just the Operating System. Applying them usually involves domain expertise and detailed planning. All of this makes vulnerability management more likely to be skipped by most organizations.
Another reason for skipping is that it is too difficult to execute a vulnerability assessment manually. It requires a solution like Qualys, Tenable, or Nexpose that smaller businesses may not feel is justified. These tools automatically inventory assets, determine current patch level, unpatched vulnerabilities, and provide the solution to eliminate the vulnerability. The solutions may include patching, configuration, or upgrading versions.
Cyber-attacks are increasing and both large and small enterprises are victims daily. The average downtime for a cyber attack has increased to 23 days and the average ransom cost has increased to over $ 300,000 USD. The cost of implementing a vulnerability management program is much less. Putting in at a minimum, a quarterly program to patch level 4 and level 5 (Critical) vulnerabilities should not be skipped.
5. Incident Detection and Response
The 4 steps presented above are related to the Identify and Protect segments of the Cybersecurity Framework. The reality is that a well-executed prevention plan does not guarantee that an attack or breach does not happen. Some level of detection and response is required for any enterprise - even smaller ones.
Building this capability in-house is challenging for small to mid-size enterprises. Currently, Cybersecurity is a high demand/low supply skillset. The number of open positions is growing faster than the number of available resources. Cyber-attacks are becoming more sophisticated using top-notch talent, money, and advanced technology. Even with a team of cybersecurity analysts, it is impossible to detect a breach within minutes that is needed to minimize impact. It usually takes hours, days, or weeks even with a team.
The AI cybersecurity company, Darktrace, has created a solution for both small and large enterprises that face this challenge. The Darktrace platform (Enterprise Immune System, Antigena, and Cyber AI Analyst) mimics the resilient approach that the human body takes when faced with a known or unknown threat. The Enterprise Immune System learns the “normal” patterns of network activities using unsupervised machine learning. When an anomaly is detected, it immediately provides an alert, and/or Antigena automatically cuts off the infected (breached) device in seconds. This turns a disaster into one that requires manageable remediation with negligible impact on the business. Their approach does not rely on known attack signatures or vulnerabilities and does not rely on predicting. It may be the best approach currently for zero-day vulnerabilities.
Cyber AI Analyst executes an investigation using a cycle of hypothesis and gathering data at machine speed and provide an incident report in narrative form that is easily understood. A process that could take days or even weeks with several human cyber analysts can happen in seconds. The Cyber AI analyst can then hand it off to a human analyst to begin recovery processes. Smaller businesses cannot build a team of cyber analysts due to financial and supply constraints. The team may not be fast enough to stop an attack from spreading anyway. But software like Darktrace teamed up with one or a few analysts is an option that is attractive. They can even combine Darktrace with an MDR (Managed Detection and Response) as-a-service option that would save even more.
6. MFA (Multi-Factor Authentication)
The most efficient security control for Account Takeover (ATO) attacks and social engineering attacks is MFA. With MFA, users must combine two or more verification technologies (something you know, something you have, or something you are) to access their personal information. Something that the user knows is considered the first level of verification (the password), then if we can add something that the user has (a smartphone) and/or something that the user is (biometric control), it can be said that the platform is protected by multi-factor authentication.
As of today, practically all digital services related to finance use MFA to protect the personal data and transactions of their users. From this industry, many others have opted for the implementation of MFA to protect unintentional access to personal data, including social networks (now Facebook, Instagram, and WhatsApp allow activating this security service for free). Some digital platforms already have it defined as a mandatory standard for access by their users.
If your business has a digital platform for your customers to access your services or personal information, consider implementing MFA on a mandatory basis as soon as possible. The implementation of MFA will improve the security of your platform, help you to comply with current regulations in your productive sector, and will improve the user experience by promoting the use of your platform as a secure platform. There are SaaS solutions on the market from the main cloud manufacturers that are available for integration with your digital platforms (Google Authenticator, Microsoft Authenticator, etc.). Integration is simple and prices are defined based on the number of users who are going to use this technology.
A disciplined, continuous, and thoughtful approach to protecting your enterprise systems is a requirement. The steps outlined above are a good baseline to build or enhance. Email and vulnerabilities play a significant role in cyber-attacks. In addition, every organization must assume they will be attacked so detection and recovery need to be implemented. These steps primarily focus on these two areas of exposure and the need to be ready when attacks are successful. For businesses with smaller IT teams finding a partner that can provide expertise and execution without having to build their own team is a good starting point.