A company may not be able to stop every employee from clicking on malicious links in a phishing scam, but it can make sure – through security controls – that the malware doesn't have the opportunity to do damage.
With strong endpoint security controls in place “malware goes ‘splat,’ it doesn't go anywhere,” Ann Barron-DiCamillo, CTO at Strategic Cyber Ventures LLC, said at SC Congress Toronto 2016 Thursday.
Security measures often fall short and leave organizations' assets vulnerable. “We put strong capabilities on endpoints on hosts,” she said, “but not on devices.”
Or organizations are slow to patch. “We're not talking about vulnerabilities patched last year,” Barron-DiCamillo said. “We're talking about old patches. We're not making it harder for adversaries.”
She recommended that security pros make it harder for adversaries by whitelisting apps, patching operating systems, patching apps and reducing the number of users with domain or local admin access.
Even improving cyber hygiene and imposing security controls won't eliminate the risk of attack, so Barron-DiCamillo stressed the importance of being prepared to respond to a breach or other attack, starting with having an incident response plan in place and documented. “Be sure to have outside channels for the IR to communicate,” she said, noting that attackers often monitor email communications and might discover that they've been found out.
“Define your approach,” she said, pointing out that for most organizations that means “focusing on containing damage and recovering their business systems.”
Also critical are forensics and data capture. “Make sure to capture all notes” and relevant data. “IR is not just an IT thing, so make sure IR aligns with your organization's acceptable use policy.”
She warned companies not to shame employees who click on malicious links, because doing so erodes trust and makes it less likely that they will share valuable information or report scams to IT security.
Organizations can reduce the impact of increasingly sophisticated social engineering that lures employees, she said, through policy, training, audits and controls such as multifactor authentication.