2015 Cyber Security Awareness Month

What is Cybersecurity?

According to US-CERT, “The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.”

In other words, it is the people, processes and technology that manage or maintain the Integrity, Availability, and Confidentiality of the systems and data with which an organization functions.  Many times these roles are shared with IT, which in turn can come with its own challenges.  Oftentimes, IT focuses solely on availability, or up-time and ease of use, and both confidentiality and integrity can be counterproductive to maintaining availability.

We want to help organizations become aware of ways they can protect this data and still maintain user effectiveness.

Why should organizations be concerned with cybersecurity?

Organizations today face an ever-increasing risk of cybersecurity attack.  This can come in many forms, including phishing, insider threats, zero-day attacks, DDoS, and malware.  The risks can be high and can include down-time, loss of revenue, litigation, fines and lost customer information.  Oftentimes, organizations do not have the in-house expertise to address these threats.  The media and marketing also try to convince everyone that more products will improve security, but this isn’t always true.  Security is a process and not a product.  We continue to advise and train our clients on the top things to consider when securing an organization:

  1. Patch Management – Network devices, servers and workstations must stay up to date with patches, and not only OS patches, but also third-party applications like Adobe and Java.
  2. Risk Assessments – How do you know what you are missing if you don’t look?  How do you know what to protect if you don’t know where it is?
  3. Data Classification – If all of the data is mixed together, how can you protect it?
  4. Network Monitoring and Testing – Understand your network.  Know where it is vulnerable, and check regularly.
  5. Data Encryption – If it’s encrypted, and it’s lost, it can’t be used.  This is also shown to decrease the cost per record in a breach.
  6. User Training – Users are accessing data every day and are the largest attack surface in an organization.  Security needs to be at the top of their minds too.
  7. Authentication – Password management is often the first line of defense for an organization.
  8. Separation of Duties – If your account isn’t allowed to do everything, then, if you are compromised, you can protect some things.
  9. Centralized Logging – If you aren’t storing logs and correlating them, you may be missing key indicators of compromise.
  10. Physical Security – What good is a high priced network infrastructure if someone can walk in the front door and plug into it?
  11. Auditing – Sometimes, it’s hard to see the forest for the trees.  Auditing can help you keep the trees in view and make sure you aren’t missing something.

Cyber-security: A Year In Review

What are the threats, by the numbers?

ISACA’s 2015 Global Cybersecurity Status Report asked over 3000 respondents questions about cyber security.  83% said cyberattacks are among the three largest threats to their organizations, and 46% expect a cyber attack to strike their organization in 2015.

Symantec’s Internet Security Threat Report for 2015 reported that the top 5 zero-day vulnerabilities in 2014 were actively exploited by attackers for a combined 295 days before patches were available.  In other words, patching and AV alone aren’t going to protect anyone from zero-day attacks.

Ransomware attacks grew 113% in 2014 along with 45 times more crypto-ransomware attacks.

IBM’s 2015 Cost of a Data Breach Study surveyed 350 companies in 11 countries.  They found the average total cost of a data breach to be $3.79 million.

The average cost per lost or stolen record was $154/record, but increased to $363/record in healthcare, $300/record in education and $215/record in financial institutions.

According to the 2015 Verizon Breach Report, 60% of attackers were able to compromise an organization within minutes.

23% of recipients now open phishing messages and 11% click on attachments, and nearly 50% open and click within the first 4 hours.  We can also agree with this number based on our social engineering tests on organizations.

Nearly 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Only 0.03% out of tens of millions of mobile devices were infected with truly malicious exploits.  They don’t seem to be a preferred attack vector for malware.

Why is this a problem?

According to Raytheon’s 2015 Global Megatrends in Cybersecurity, only 34% of over 1000 respondents said that they thought their organizations were prepared and keeping up with technologies and the “Internet of Things.”

Over 67% of the respondents said that their organizations need more knowledgeable and experienced security professionals.

How can we prepare?

Respondents saw the following security technologies having the biggest increase in importance over the next 3 years:

  1. Encryption of Data at Rest
  2. Big Data Analytics
  3. SIEM – Security Information and Event Management
  4. Forensics
  5. Encryption of Data in Transit

They also see the following top factors providing the most improvement in their overall security posture over the next 3 years:

Improving Cybersecurity Posture

The IBM study found the following factors that can influence the cost per record of a data breach:

Figure: factors that can increase or decrease the cost per record of a data breach.

Third Party Apps: Consider The Risks

What are 3rd party tools?

Everyone, from individuals to enterprises, uses third party tools and applications on their workstations, servers and mobile devices.  Some examples are Adobe Reader, Java, WinRAR, and many more.  They are applications that are run or installed, but are typically not centrally managed by your organization.

Why are they important to an organization?

Many times these tools are required to carry out critical job functions.  These can be running applications that require Java applets, fax services, custom written applications and so on.

What risks can they introduce?

Since these applications are usually not centrally managed, their patches and updates may not be applied as quickly.  Just like all software/hardware, vulnerabilities are found every day in third party applications, such as a recently exposed flaw in WinRAR.  According to Apigee, new attack techniques are emerging as well, including:

  • Exploitation of mobile and app vulnerabilities with insecure API access
  • Stealing of sensitive data cached by apps that don’t follow security best practices
  • Social engineering of developers to gain unauthorized access of developer keys and credentials.

So what can you do?

While this is an accepted risk when choosing these tools, there are several things you need to remember in order to make the tools as secure as possible:

  • Ensure you stay up-to-date on zero-day vulnerabilities
  • Always be aware of any updates available
  • Use strict authentication methods to secure your systems
  • Consistent monitoring & reporting

In summary, third party tools are an unlocked window into your network and have the potential to cause great damage to your organization when not properly secured.  Organizations should consider adopting policies and procedures around approving specific applications and maintaining an inventory of where they are used.  This, in addition to a patch management process for these applications, can significantly improve the security posture of your organization.