By Nolan Garrett – CEO, Consulting Services – Intrinium
The media is quick to point out the rise in cyberattacks and data theft, and just as quick to create a state of panic by reporting that hundreds of millions of records were lost in a ransomware attack. In response to these viral media stories, far too many CISOs are falling victim to the “shiny box” or “silver bullet” solution. While adding security controls that protect against niche vulnerabilities is a step in the right direction, it is meaningless when the basics of best-practice information security are forgotten.
The 2017 Data Breach Investigations Report (DBIR) revealed the following statistics:
- 51 percent of breaches included the use of malware. In 66 percent of those cases the malware was installed accidentally by employees through a malicious email attachment.
- 62 percent of breaches featured either internal or external hacking.
- 81 percent of these hacking-related breaches used either weak or stolen passwords.
The results of the 2017 report invite a potential conclusion, though not one with much popularity: We aren’t “doing” information security correctly.
InfoSec is Broken: Foundational Security Hygiene Is The Solution
When 81 percent of breaches are related to password exploits, you would think that around 81 percent of the budget would be focused on resolving risks related to credential exploitation. Unfortunately, this is not the case. One potential explanation is that many Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) come from technical roots and place a high value on new and interesting technologies. This is reinforced by industry marketing that uses Fear, Uncertainty and Doubt (FUD) to advance the case for niche-focused security solutions, and by non-technical executives who perceive information security to be more in line with what they see in the movies or on TV. The continuous reinforcement of the idea that information security is at its core a technical problem, and therefore one for technical staff to address, explains why we in information security have struggled to address the core risks described in the latest DBIR results: we forget about the people side of security.
It may be boring, but properly implemented risk management is the most critical foundation to an effective information security program – without risk assessment and management, security becomes a technical game of whack-a-mole instead of an intentional, continuous mechanism of risk reduction (and communication!). Your information security program will be far more successful when the foundation is built upon these three critical areas of risk management.
- Asset Management — If you are to protect your vital business data, then you must first know what is in your environment to protect, what its function is, and where it is located. As part of this knowledge, you must know its vulnerabilities. Next, you must actively respond to these potential vulnerabilities (see below!). Automation is one of the ways that you can rapidly respond to future threats. From patching to reporting to application deployment and auditing, there are many opportunities for you to not only manage but properly secure your assets. Finally, you might discover that the best approach is to reduce the number of applications that you are using. However, you can only reduce when you know what you have; and chances are that when you take a closer look you will discover multiple redundancies, which actually heighten your security risk.
- Vulnerability Management — Many organizations oversimplify vulnerability management, reducing it to a quarterly or annual process of scanning the environment for vulnerabilities and pushing Microsoft patches to their endpoints. An effective vulnerability management program is much broader: it should include continuous asset identification and vulnerability assessment of those assets, frequent remediation (e.g. patch application or reconfiguration), and an exception process that guarantees compensating controls are considered when vendor-provided solutions aren’t available or applicable.
- Credential Protection — We are all familiar with password-based authentication. Unfortunately, when 81 percent of data breaches occur due to credential weakness or theft, it becomes clear that information security professionals have not achieved the level of success in this area that we should expect. Without strong passwords, effective authentication systems that provide for risk-based evaluation of authentication attempts, and effective monitoring of those systems, even the most elaborate security systems won’t keep hackers out. Restricting network access, limiting the number of login attempts, analyzing logging records, eliminating the use of default passwords, and leveraging the power of real-time monitoring are just a few of the steps that you can take to shore up your password defenses.
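As an added illustration of the “limit login attempts, analyze logging records, monitor in real time” advice above (example code written for this article, not Intrinium’s tooling), the following script runs simple credential-abuse detection over a constructed sample of sshd-style authentication log lines. It flags three patterns a monitoring team would want to see: repeated failures against one account from one source, one source trying many accounts (password spraying), and a success that follows a burst of failures. The thresholds and log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of sshd-style auth log lines (not taken from the article).
SAMPLE_LOG = """\
Jan 10 08:00:01 host sshd[101]: Failed password for admin from 203.0.113.7 port 5001 ssh2
Jan 10 08:00:02 host sshd[101]: Failed password for admin from 203.0.113.7 port 5002 ssh2
Jan 10 08:00:03 host sshd[101]: Failed password for admin from 203.0.113.7 port 5003 ssh2
Jan 10 08:00:04 host sshd[101]: Failed password for admin from 203.0.113.7 port 5004 ssh2
Jan 10 08:00:05 host sshd[101]: Failed password for admin from 203.0.113.7 port 5005 ssh2
Jan 10 08:00:06 host sshd[101]: Accepted password for admin from 203.0.113.7 port 5006 ssh2
Jan 10 08:01:00 host sshd[102]: Failed password for alice from 198.51.100.9 port 6001 ssh2
Jan 10 08:01:01 host sshd[102]: Failed password for bob from 198.51.100.9 port 6002 ssh2
Jan 10 08:01:02 host sshd[102]: Failed password for carol from 198.51.100.9 port 6003 ssh2
Jan 10 08:01:03 host sshd[102]: Failed password for dave from 198.51.100.9 port 6004 ssh2
Jan 10 08:02:00 host sshd[103]: Failed password for alice from 192.0.2.5 port 7001 ssh2
Jan 10 08:02:30 host sshd[103]: Accepted password for alice from 192.0.2.5 port 7002 ssh2
"""

# Matches both "Failed password for user" and "Failed password for invalid user X".
LINE_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def analyze(log_text, max_failures=5, spray_accounts=3):
    """Return a list of (alert_type, source_ip, account) tuples in log order.

    max_failures: failures from one IP on one account before a brute_force alert
                  (and the threshold a later success is judged against).
    spray_accounts: distinct accounts tried from one IP before a password_spray alert.
    """
    fails_by_ip_user = defaultdict(int)
    users_by_ip = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication outcome line
        outcome, user, ip = m.groups()
        key = (ip, user)
        if outcome == "Failed":
            fails_by_ip_user[key] += 1
            users_by_ip[ip].add(user)
            if fails_by_ip_user[key] == max_failures:   # alert once, at the threshold
                alerts.append(("brute_force", ip, user))
            if len(users_by_ip[ip]) == spray_accounts:  # alert once, at the threshold
                alerts.append(("password_spray", ip, None))
        elif fails_by_ip_user[key] >= max_failures:
            # A success after a burst of failures is the event most worth a human look.
            alerts.append(("success_after_lockout_threshold", ip, user))
    return alerts
```

In a real deployment the same logic would run on streamed log events with a time window rather than on a whole file, and a brute_force alert would normally also trigger the account lockout or rate limit the article recommends.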
The Bottom Line: Shiny Box Solutions Can’t Work When The Basics Are Forgotten
All too often, niche vulnerability attacks are highlighted in the media. These cases are then referenced by the companies that would sell you an “all in one,” aka a “shiny box solution.” Unfortunately, these solutions are much like a multi-million dollar house built on quicksand — they don’t stand a chance when the basics of IT security are forgotten. While CISOs might not appreciate the lack of glory that comes from saying, “information security starts with credential protection,” it is a truth that must be heard.
Only when you have conducted a thorough strategic assessment of your security environment can you truly protect against possible vulnerabilities and future hacks. Intrinium has designed its services not as “shiny boxes,” but rather as customized approaches that examine the intricacies of your security from the most basic to the most advanced stages. Only when you know what you have and when you understand your strengths and weaknesses, can you properly secure your vital business data.