By Dan Tremeer, NET Reply
- What are the top one or two cyber risks to companies right now?
Ransomware and the damage it causes is rightly making a lot of headlines right now and is the leading cyber risk to companies. Digging deeper, the exploitable risks that require addressing are as follows:
- There are many security products which do an excellent job when they are fully configured and wrapped within high quality security operations. A high percentage of attacks are preventable with existing security controls, given the right configuration and training of cyber staff. A worrying statistic is that on average it takes a business over 200 days to identify a breach, meaning controls are not effectively identifying bad actors’ presence. The initial access and reconnaissance activity of skilled attackers is tough to spot.
- Security improvements over the past decade have mainly focused on technology and tooling. Without security awareness training for staff, who often have access to sensitive data, servers or social media systems, many businesses put themselves at risk, and these staff are seen by attackers as the weak link for getting into organisations.
- Organisational resilience in the face of a major incident is a weakness for many businesses. If attackers were to take a major digital supplier offline for a significant period, how many companies could confidently and efficiently activate their disaster recovery (DR) plans? The recent Facebook disruption showed how many small businesses were totally dependent on it, and that is nothing compared to those relying on Azure or AWS.
- How do bad actors exploit the risk(s)? What techniques do they use?
There are highly organised crime syndicates with numerous roles of varied sophistication. Gaining legitimate account credentials is the first step, so phishing and credential stuffing are two initial techniques which bear fruit; the resulting credentials are sold or passed up the food chain. Bad actors with evasive hacking capabilities gain a foothold into target businesses they expect either to hold highly sensitive data or to be unable to operate without their digital infrastructure (health services being one example). With companies offering so many access points for attackers to probe and analyse for weaknesses from the outside, businesses have to assume an attacker will have at least low level credentials. This makes the typical "outside equals bad, inside equals good" mindset an unviable strategy, if it ever was one in the first place! Another consideration is how capable a business is of defending against a major attack; this makes smaller organisations a tastier target for attackers than you might think, since larger organisations are more likely to be able to activate DR, or to have better controls to detect and respond.
- How can organisations protect against the risk(s), both with technology and staff education?
With adversaries becoming increasingly sophisticated and prevalent, modern security services are necessary for businesses to have a chance of successfully defending against persistent attacks across changing and complex infrastructures. To identify bad actors earlier, Net Reply recommends businesses move to automated, machine learning solutions that leverage real time behavioural analysis and threat intelligence feeds, wrapped with effective controls, processes and staff training. Businesses should develop a data driven approach to understanding the effectiveness of their security controls by continuously testing their infrastructure and their people. For the former, continuous security testing is a new service offering which solves many limitations of vulnerability scanning and manual penetration testing. It goes by a few different names (Threat Modelling, Breach & Attack Simulation (BAS) and Automated Penetration Testing); these services provide consistent, constant testing, and many provide clear reporting and remediation support. For the latter, developing a layered security awareness campaign using various formal and informal training techniques creates a culture of good security inside the organisation, which has far reaching business value such as reduced overheads on service-desk and security staff.
Businesses also need to test their DR plans and carry out yearly incident preparedness exercises. Table-top walk-throughs are a minimum level of preparation, but practical testing is more likely to reveal problems. No-one wants to activate an untested procedure for the first time during a real, live attack.
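The answers above name credential stuffing as a common first step and real time behavioural analysis as the way to identify bad actors earlier. As an added example (not from the article or NET Reply), the detector below applies the behavioural signature of credential stuffing to a constructed, hypothetical auth log format: one source address failing against many distinct accounts in a short window (a normal user who mistypes a password fails against one account), followed by a success from that same source, which is the moment the attacker holds the "low level credentials" the article warns about. The log format, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article). Hypothetical format:
# timestamp, result, username, source address. One source cycles through
# many accounts with one attempt each and then succeeds; the other is a
# user mistyping once and then logging in normally.
SAMPLE_LOG = """\
2021-10-05T09:00:01Z FAIL user=alice src=203.0.113.7
2021-10-05T09:00:02Z FAIL user=bob src=203.0.113.7
2021-10-05T09:00:03Z FAIL user=carol src=203.0.113.7
2021-10-05T09:00:04Z FAIL user=dave src=203.0.113.7
2021-10-05T09:00:05Z FAIL user=erin src=203.0.113.7
2021-10-05T09:00:06Z OK user=frank src=203.0.113.7
2021-10-05T09:05:00Z FAIL user=alice src=198.51.100.9
2021-10-05T09:05:30Z OK user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """One source failing against MANY DISTINCT accounts inside the window is the
    stuffing signature (brute force is many attempts on ONE account). Emits one
    'stuffing' alert per source, then 'success_after_stuffing' if it later logs in."""
    alerts = []
    recent = defaultdict(list)   # src -> [(ts, user)] failures still inside the window
    flagged = set()
    for ts, result, user, src in sorted(events):
        if result == "FAIL":
            recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window]
            recent[src].append((ts, user))
            distinct = {u for _, u in recent[src]}
            if len(distinct) >= min_users and src not in flagged:
                flagged.add(src)
                alerts.append(("stuffing", src, len(distinct)))
        elif src in flagged:     # an OK result from a source already flagged
            alerts.append(("success_after_stuffing", src, user))
    return alerts
```

Tune `min_users` and `window` to the real login volume behind a shared NAT or proxy, otherwise a large office will trip the threshold.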
- How do you see the risk(s) evolving in the coming years?
Over many years it has been demonstrated that crime does pay, and ransomware is likely to continue to be a major risk for businesses and agencies. We are seeing a trend of security vendors working more collaboratively to help reduce the impact of bad actors, and it is now on government leadership agendas, so there are some signs it is getting more attention. Relying upon effective state level support is not a recommended strategy, however, as their chances of eradicating the problem are slim to none. We will see an unprecedented level of technology advancement in many fields which will have an impact on security, such as AI and quantum computing, which will of course be leveraged by bad actors as well. With everything becoming connected, how long will it be until threat actors figure out ways to disable medical devices such as pacemakers, automatic blood sugar patches or insulin delivery, or gain access to a water facility? All could have drastic and harmful consequences.
Businesses are becoming more aware of the areas of risk they carry and are doing more about it, such as putting assurance and governance processes in place to cover supply chain risk, cyber risk, insider threats, and disaster recovery planning. Staff are having to become more security savvy in their home and digital lives and will welcome more advice from the business, which will go a long way to help businesses be more resilient to attackers.