Are You Protecting Your Biggest Security Threat – Your End Users? Stuart Reed, Senior Director at Ntt Com Security

The security perimeter has been changing. Businesses can no longer count on well-defined network security perimeters to protect themselves from external cyber attacks. Data is now distributed across users who operate in mobile, dispersed work environments. This way of working does not lend itself to a centralised enforcement of consistent controls.

The 2015 Global Threat Intelligence Report (GTIR), which combines analysis from over six billion attacks, threats and trends around the world, supports the concept of the dissolving perimeter. More specifically, it shows that end users (in other words, employees)are the perimeter and that businesses must take preventative measures to tackle these threats.

Is end user security really that important? Yes, because business-minded attackers are optimising their time by placing greater emphasis on spotting employee weaknesses. Digital business is all about making effective use of available data and, likewise, cyber criminals are in a constant race with their targets to capitalise on the value of that data.

The finance sector is no exception to this rule. Comparisons between the 2014 GTIR and 2015 GTIR show that finance has remained the number one sector targeted by hackers. It heavily relies on data, much of this is highly sensitive and therefore highly valuable, which makes it more susceptible to an attack. And, as end users become accustomed to always-on, real-time access to corporate data, they become targets of criminals who want those same data sources. Worse yet, that user too often becomes an attacker’s entry point to the business. Look at recent highest profile breaches, for example. Many are said to be the result of human error.

What’s interesting is the 2015 GTIR observed that seven of the top 10 vulnerabilities were on end-user systems, as opposed to servers. These vulnerabilities included outdated versions of Java, Flash Player, Adobe Reader, Adobe Acrobat and Internet Explorer as well as missing Microsoft Windows security updates. The ultimate consequence is that the end user becomes a major liability because their systems are often full of unpatched vulnerabilities.

In fact, an alarming 76% of identified vulnerabilities throughout all systems in the enterprise were from 2012 or earlier, making them more than two years old. Almost 9% of them were over 10 years old. Many are also rapidly incorporated into common and simple-to-use exploit kits so that attackers can more readily use them as part of their attack suite.

The end user is therefore an area of data security that financial firms should work hard to protect. Attacks do not have to be complicated to succeed so they should put in place good practice for patching, which can help reduce the impact of any attack suffered. Unfortunately, most organisations and their employees would find that patching and keeping systems updated is a tedious job. It can also be very difficult, especially for companies with several geographical locations and those with a highly mobile, diverse hardware and software environment. These challenges are, on the other hand, seen as opportunities to hackers – making patching a necessary ingredient for optimal protection.

Stuart Reed

Fortunately, there are a number of steps businesses can take to improve their vulnerability management programs and, more specifically, ensure that all end-user client systems are included in their patch management process.

Vulnerability Management Recommendations:

• Define a set of approved configurations to harden and operate end user machines. This should include approved operating systems, applications and utilities, and even browsers. The smaller and more consistent the organisation can make its ‘gold standard’, the easier it is to maintain systems using that standard.
• Inform users what those standards are and, crucially, make it clear that any unapproved software is not only unapproved, but unauthorized too. Ensure that all users understand that the use of unauthorised software can result in disciplinary action.
• Ensure the right level of user permissions and system access rights are managed and reviewed to monitor and control the use of admin or other accounts that are allowed to change system configurations, which include the installation of new, potentially unauthorised software.
• Actively apply the latest software patches to end user systems to help close vulnerabilities and maintain current anti-virus and anti-malware solutions on all end user devices, which have access to company networks or data. Although a simple control, properly maintained anti-virus does detect 40-50% of malware.
• Conduct regular internal and external authenticated vulnerability scans to help identify systems that are out of policy. Once identified, put in place a process to update the systems in a timely manner, and for the systems agreed to be out of policy, manage and review an exceptions list along with the users who have access to such systems.

It is also recommended that vulnerability management is complemented with other basic security measures such as defining processes and best practice, and implementing training programs. Everyone in a financial organisation has a role to play in keeping data secure from an attack, so invest in generating awareness and creating a sense of collective responsibility. The end user will continue to be a constant concern, but these basic principles will make a difference to the security of data.

Finally, it’s worth noting that information security and risk management needn’t be complex or burdensome for businesses. Working with a Managed Security Services Provider (MSSP) can help businesses combat any potential security skills shortages but also to take the vast amounts of threat data and put that in context for the customer. Such providers can provide visibility and control to manage information security risk – and are therefore able to actively notify customers about potential threats and proactively mitigate them. Most companies have applications that they don’t want to touch and can’t lockdown roles and responsibilities. Finding a third party that has industry knowledge of the finance sector along with threat intelligence is a powerful combination although not all providers are the same. Choosing one that can work alongside the business’ goals means that actionable information is available to the customer to enable them to make risk based decisions that is both timely and relevant to their business.