Well-known, public exploits continue to wreak havoc across organizations, whether due to lagging software updates, users falling prey to well-crafted phishing attempts, or security infrastructure lacking awareness of specific product vulnerabilities. As threats become more numerous and sophisticated, it is critical that organizations maintain updated security programs to adequately protect themselves.
Practicing good security hygiene starts with the basics – fundamentals that should never be overlooked, such as network segmentation, meaningful password management and patching. Particularly in the case of applying and operating system patches, it's critical to implement them as quickly as possible. The time between a vendor releasing a patch and an exploit kit developer taking advantage of a now-public flaw is only a few hours. It's no longer unreasonable to expect users to be phished with “Patch Tuesday” exploits on the same day that they're released.
As much as we try to enforce strong security practices, the reality is that most attacks are in some way related to users' lack of security literacy. Implementing strong internal security education initiatives will help mitigate the probability and ramifications of employees falling prey to malicious actors. Today, compromising users via phishing campaigns is one of the easiest ways to establish a foothold in an otherwise well-defended enterprise.
A Customized Approach
In today's evolving threat landscape, organizations need to take their security approach a step further through fine-tuning and customization. It's difficult to know which risks to prioritize unless you have a strong understanding of your organization's strengths and weaknesses. Security risks, potential threats, and mitigation techniques can be determined through tabletop exercises and threat modeling. For instance, corporate espionage might be high on the priority list for one organization, but may be of less concern for another.
Once confident that identified risks have been adequately addressed, it's valuable for organizations to ensure infrastructure is prepared by testing its capabilities. Organizations can set up effective simulations by establishing (or hiring) a red team to test defenses. For more mature security practices, implementing the full gamut of blue and purple team exercises can be of value too.
To summarize, an organization may deploy every security product available, but until their infrastructure, strategy and response have been thoroughly tested, they are likely to fail against a real adversary.
Practicing good security hygiene is critical, but too often it isn't seen as a significant enough priority by the broader organization. While companies lean on their security teams to help prevent attacks, their hands are frequently tied by business leaders unwilling to risk downtime for patching. To overcome these challenges, there are several actions security practitioners and senior leadership can take in pursuit of a strong security program.
- Enforce a shift in mindset. High-profile cyberattacks seem to be reported weekly, but security is still an afterthought for many businesses. As threat actors continue to mature, the question of if an attack will happen has changed to when. Entire organizations, not just security practitioners, need to view operations through this lens.
- Invest in resources. Despite current technologies, the security skills shortage is impacting organizations' abilities to build robust security teams and execute not only customized security solutions, but general best practices. That's why it's crucial for enterprises – from startups to government agencies – to invest in employing and retaining the right people to get the job done.
- Emphasize “real risk” to senior leadership. When updates are released, security practitioners need to have the flexibility and permission to deploy them in a reasonable timeframe. Internal processes requiring long lead times greatly diminish the effectiveness of patch management. Also, with the advent of cyber insurance, some businesses are still willing to risk unpatched vulnerabilities when the cost of a breach may be less expensive than the predicted downtime. The true cost of a breach needs to be understood in order to address this mindset.
While organizations are making progress towards acceptable hygiene, security is still, unfortunately, an afterthought in many business aspects. There is too much reliance on the latest technologies and tools, when simply conforming to best practices would have a more advantageous ROI. Focusing efforts on security hygiene, staff training and user education can significantly reduce the impacts of a potential attacker.