It's no secret that data breaches are an ugly reality for businesses today, and despite ever increasing investments, organizations seem unable to stem the tide of successful attacks. Granted, information security is fundamentally complex, and there are many contributing factors behind breaches such as resource limitations, lack of accountability, compliance distractions, cloud complexity and escalating speed of business. However, I posit that the biggest issue organizations face today is a lack of focus on building and maintaining a basic security foundation.
So, what should the foundation provide? The Verizon Data Breach Investigations Report (DBIR) offers a well-informed guide based on the analysis of thousands of information security incidents and data breaches. Here are several key takeaways from 2017:
- 88 percent of the breaches identified fall into one of nine basic patterns. The top three: unpatched vulnerabilities, malware and stolen or weak passwords.
- 81 percent of hacking-related breaches involved stolen or weak passwords.
- 75 percent of attacks are externally initiated.
- 51 percent of breaches included malware, 66 percent of which is installed via malicious email attachments.
While the DBIR data doesn’t provide a “silver bullet” fix, it helps us see that breaches follow patterns, and patterns are predictable. A case in point is ransomware, a 28-year-old attack method involving the execution of malware that encrypts all or part of a user’s data. To be successful, ransomware has to gain access to a system, install a malware program or inject code into a process and execute commands to encrypt data. This typically happens due to poor patching practices, inbound internet traffic, email and attachments not being scrutinized, and weak endpoint security. Stated simply, it works because organizations aren’t focused on mitigating the known attack method due to a poor security foundation.
It’s worth noting attackers don’t care if a network is compliant, has good privacy policies or lots of shiny technologies. While those are important elements of a good security program, effective security programs need to be focused on mitigating actual attack methods in order to support compliance and privacy related initiatives, not the other way around.
With that said, here are six essential elements of a basic security foundation you can work on today:
- You can’t protect what you don’t know: Continually assess internet-facing networks, servers, applications, accounts, supplier/partner connections, cloud portals etc.
- Bad guys can’t exploit that which is not accessible: Reduce attack surface by eliminating as many ingress points as possible.
- Vulnerabilities are way more than operating system deep: Assess software and OS vulnerabilities, patch critical issues in days, not weeks.
- Credentials are king: Enforce multi-factor authentication for privileged accounts–domain, server, application, database and cloud admins.
- Cloud portal admin and access keys are the new domain admin: Protect them and think twice before integrating authentication because your Active Directory security is probably not as solid as you think.
- Endpoint security should be strengthened: Consider advanced endpoint protection with integrated cloud intelligence/learning across clients and servers.
This list is only a small subset of possible mitigation techniques that should be present in a successful security program. However, the six steps will provide a strong foundation of defenses against the most common attack methodologies and directly reduce risk from the biggest technical threats you face on a daily basis.