Despite increased budgets, better awareness and improved board buy-in, data breaches are not only becoming more common, but also more explosive. Kacy Zurkus asks why
Those who have been working in information security over the past decade or more have witnessed the evolution of the industry with the creation of positions such as the CSO and CISO to help strengthen enterprise defenses. While much has changed within organizations over the past several years, hackers and the vulnerabilities they are exploiting remain largely the same.
Although larger enterprises may have increased information security budgets and introduced better security awareness training, that’s not universal, which is problematic in today’s interconnected world. Some of the classic problems of passwords and failures to segment networks continue to create risks for companies that have not advanced their overall security posture.
For the most part, the vulnerabilities that have been used in many high-profile attacks are ones that have existed for a long time. They’ve been patched and sometimes even patched again. Unfortunately, many organizations are not updating their software or operating systems, which is one reason why breaches are getting worse despite increased awareness of cyber-threats.
To Patch or Not to Patch
“A large number of vulnerabilities are because of bad patching practices,” says Erika Powell-Burson, CISO, Bentley University. “It takes very little effort to exploit a vulnerability that hasn’t been patched, and it shouldn’t take a lot of effort for companies to patch their systems.”
Some organizations aren’t patching despite the understanding that patching helps to mitigate risks, largely because they are still running legacy systems upon which they are very dependent. Moving to next generation technologies takes time, and organizations have to weigh up the risk and reward. “In some cases, it isn’t possible to move from legacy systems, and those systems are no longer supported by the vendors. Plugins may not be compatible, which often means they can’t bring systems up to speed without replacing them,” Powell-Burson adds.
For those organizations that have upgraded, though, there remains the issue of constantly defending against the attackers. It’s what Jamil Farshchi, CISO at Equifax, calls the ‘problem of one’.
“Attackers only need to be right once, whereas organizations defending against them need to be right 100% of the time. As businesses grow, they inevitably introduce new technologies, larger attack surfaces and a greater number of digital assets – all of which present a number of new, enticing vulnerabilities for attackers to try to exploit,” Farshchi says.
Given that today’s adversaries can access data or other assets with relative ease, monetizing sensitive data has become its own business. Malicious actors are typically well-funded and have myriad motivations, which together give them not only ample reason but also the resources and incentive to try to break in.
Where Are the Funds Going?
While organizations may be spending more on their security budgets, the last couple of years have seen the threat landscape evolve in ways that companies weren’t prepared to defend against, such as with the advent of ransomware and cryptomining. “A lot of CISOs, rightly so, concentrate on protection,” explains Bill Brown, CISO, Houghton Mifflin. “There’s a balance to strike there that leans more towards resiliency than towards prevention and detection.”
Criminals are not only stealing corporate assets but they’ve also leveraged the theft of machine time to mine cryptocurrency. “There have been a lot of nuisance attacks and password spraying where criminals might not be targeting an organization, but they find a soft underbelly and see where they can turn a profit. Still, the largest factor is that the landscape that needs to be protected is getting exponentially wider,” Brown adds.
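The password spraying Brown mentions is cheap for the attacker precisely because each account sees only one or two failures and never locks out, so per-account thresholds miss it. The detection below, added here as an illustration and not code from the article or from any of the organisations quoted, counts distinct usernames failing from one source within a sliding window and separates spraying (many users, one source) from ordinary brute force (one user, many attempts). The log format and the sample lines are constructed for the example.

```python
"""Password-spraying detection over constructed authentication log lines.

Spraying: one source tries a few common passwords against MANY accounts,
so each account sees only a failure or two and lockout never triggers.
Brute force: many failures against ONE account.
Counting distinct usernames per source in a sliding window separates them.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample lines (not from any real system). The field layout is
# hypothetical: ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:00:03Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T09:00:05Z src=198.51.100.7 user=carol result=FAIL
2024-05-01T09:00:07Z src=198.51.100.7 user=dave result=FAIL
2024-05-01T09:00:09Z src=198.51.100.7 user=erin result=FAIL
2024-05-01T09:00:11Z src=198.51.100.7 user=frank result=SUCCESS
2024-05-01T09:00:02Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T09:00:04Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T09:00:06Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T09:00:08Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T09:00:10Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T09:30:00Z src=192.0.2.4 user=grace result=FAIL
2024-05-01T09:45:00Z src=192.0.2.4 user=heidi result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "user": user, "result": result}


def detect_spray(log_text, window_seconds=600, min_users=5):
    """Return {src: sorted distinct users} for every source whose failed
    logins touch at least min_users distinct accounts within any span of
    window_seconds. A single account failing many times is NOT flagged."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Advance the window start until it spans at most window_seconds.
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            users = {u for _, u in events[lo:hi + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def successes_from_flagged(log_text, flagged):
    """Any successful login from a flagged source: the accounts whose
    credentials need resetting first, because the spray likely landed."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "SUCCESS" and ev["src"] in flagged:
            hits.setdefault(ev["src"], []).append(ev["user"])
    return hits


if __name__ == "__main__":
    sprayers = detect_spray(SAMPLE_LOG)
    print("spraying sources:", sprayers)
    print("successes from those sources:", successes_from_flagged(SAMPLE_LOG, sprayers))
```

On the sample, 198.51.100.7 is flagged (five accounts in eight seconds) and its later success for `frank` is surfaced, while 203.0.113.9 (five failures against one account) and 192.0.2.4 (two accounts 15 minutes apart) are not. Tune `window_seconds` and `min_users` to the authentication volume of the environment; a slow spray spread over hours needs a wider window and a lower threshold.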
One side effect of digitization is that the perimeter is disappearing, creating more risk through third and fourth parties. According to a survey from CrowdStrike, 66% of global organizations have experienced a software supply chain attack.
“Everybody is moving to the cloud, so they might not know their third party and downline vendors, which is why they need a vendor risk management program,” argues Powell-Burson. “Cloud may be – or in some cases is – safer, but just like anything, they need to check and assess what data is moving through. They have to do their due diligence by doing a risk assessment.”
Often risk can be both industry- and company-specific, which can make it difficult for organizations to understand their own risk if they aren’t doing a risk assessment. “Healthcare is a huge target,” something Powell-Burson learnt in her previous experience as the first CSO, in a department of one, at a hospital. “They are non-profit, and while some are bigger than others, many of their budgets are constrained.”
Outside of the financial sector – where enterprises are shoring up their security with layered defenses in place – other sectors don’t have a security methodology, whether that means securing the application lifecycle or having policies that run from prevention to response.
Advent of the Automated Adversary
In the same way that defenders are relying on automation to expedite tasks, cyber-criminals are using automation to attack faster. “They can put on the same malicious offenses with great speed and depth. While AI is not a fully accessible tool for cyber-criminals just yet, its weaponization is quickly growing more widespread. These threats can multiply the variations of the attack, vector or payload and increase the volume of the attacks,” according to Security Intelligence.
The ability to use technology to increase the scale and scope of their attacks gives cyber-criminals an advantage, particularly over companies that have not yet invested in automated tools. Even in these large-scale attacks, the methods are – for the most part – nothing new. The technology only allows attackers to increase in scale.
As the attacks are fundamentally the same, Farshchi says: “Focus on the fundamentals and put operational rigor around people and processes rather than investing in the latest and greatest shiny new technology – things like asset management, patch management, network segmentation.”
Doing the fundamentals will stop the vast majority of attacks. It’s also important to keep in mind that despite the fact that many organizations have implemented these security tactics, there are still companies – some of which could be in an organization’s downline – that have not taken these basic steps to prevent attacks. “Attackers almost never need to do anything sophisticated or high-tech to breach a system. They look for the weakest link and try to exploit it,” Farshchi points out.
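The three fundamentals Farshchi names, together with the unpatched and vendor-unsupported legacy systems Powell-Burson describes above, come down to questions an inventory can answer: which supported hosts are overdue for patches, which hosts can no longer be patched at all, and which of those sit in the same network segment as something internet-facing. The audit below is an added illustration, not code from the article or from Equifax or Bentley University; the inventory records, the audit date and the 30-day patch window are constructed assumptions, and a real run would read the records from a CMDB or scanner export.

```python
"""Asset-inventory audit for asset management, patch management and
network segmentation. Records and dates are constructed for the example."""
from datetime import date

# Constructed inventory (hypothetical hosts and segments).
INVENTORY = [
    {"host": "web-01", "segment": "dmz", "internet_exposed": True,
     "vendor_supported": True, "last_patched": date(2024, 4, 28)},
    {"host": "app-01", "segment": "app", "internet_exposed": False,
     "vendor_supported": True, "last_patched": date(2024, 2, 1)},
    {"host": "hr-legacy", "segment": "app", "internet_exposed": False,
     "vendor_supported": False, "last_patched": date(2019, 6, 30)},
    {"host": "kiosk-07", "segment": "dmz", "internet_exposed": True,
     "vendor_supported": True, "last_patched": date(2023, 12, 15)},
    {"host": "db-01", "segment": "data", "internet_exposed": False,
     "vendor_supported": True, "last_patched": date(2024, 4, 30)},
]
AS_OF = date(2024, 5, 1)  # constructed audit date, so results are reproducible


def patch_gaps(inventory, as_of=AS_OF, max_age_days=30):
    """Supported hosts not patched within max_age_days: the 'bad patching
    practices' finding. Unsupported hosts are excluded; see below."""
    return sorted(a["host"] for a in inventory
                  if a["vendor_supported"]
                  and (as_of - a["last_patched"]).days > max_age_days)


def unsupported_legacy(inventory):
    """Hosts the vendor no longer patches. Patching cannot fix these;
    only isolation or replacement can."""
    return sorted(a["host"] for a in inventory if not a["vendor_supported"])


def segmentation_findings(inventory, as_of=AS_OF, max_age_days=30):
    """Weak hosts (overdue or unsupported) sharing a segment with an
    internet-exposed host: a compromise of the exposed host would reach
    them without crossing any network boundary."""
    exposed_segments = {a["segment"] for a in inventory if a["internet_exposed"]}
    weak = set(patch_gaps(inventory, as_of, max_age_days)) | set(unsupported_legacy(inventory))
    return sorted((a["host"], a["segment"]) for a in inventory
                  if a["host"] in weak and a["segment"] in exposed_segments)


def remediation_plan(inventory, as_of=AS_OF, max_age_days=30):
    """Ordered list of (host, action): internet-exposed hosts first,
    then the longest-unpatched, so effort goes to the weakest link first."""
    plan = []
    for a in inventory:
        age = (as_of - a["last_patched"]).days
        if not a["vendor_supported"]:
            action = "isolate or replace (no vendor patches)"
        elif age > max_age_days:
            action = f"patch (last patched {age} days ago)"
        else:
            continue  # within the patch window; nothing to do
        plan.append((a["internet_exposed"], age, a["host"], action))
    plan.sort(key=lambda p: (not p[0], -p[1]))
    return [(host, action) for _, _, host, action in plan]


if __name__ == "__main__":
    print("overdue:", patch_gaps(INVENTORY))
    print("unsupported:", unsupported_legacy(INVENTORY))
    print("segmentation:", segmentation_findings(INVENTORY))
    for host, action in remediation_plan(INVENTORY):
        print(f"{host}: {action}")
```

On the constructed data, `app-01` and `kiosk-07` are overdue, `hr-legacy` cannot be patched, and only `kiosk-07` is a segmentation finding because `hr-legacy` sits in a segment with no internet-facing host. The plan therefore puts the exposed kiosk first, then the unsupported system, then the internal server; the point is that an inventory with three boolean-or-date fields per host already answers the questions the article says organizations skip.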
The People Problem
After much attention being drawn to the need for top-down support, there has been progress with board buy-in. “Boards always want to know how we are doing compared to our peers,” Brown says. Yet, down in the trenches, defenders are still fighting their greatest risk, which continues to be the people problem.
End-users are vulnerable because hackers are growing more sophisticated in their ability to impersonate human behavior. “The problem is that we make certain types of mistakes,” explains Ina Wanca, professor at NYU’s Center for Global Affairs and John Jay College of Criminal Justice and former director of cybercrime prevention initiatives at the Citizens Crime Commission of New York City.
“People get frustrated, they repeat passwords, and these behaviors are what hackers are leveraging, especially when using social engineering tactics,” Wanca adds. With the growth of social media platforms, it is easier than ever for hackers to figure out how to trick end users into clicking on links. In virtually every platform, users share a lot of personal information, not only about where they work and the position they hold, but also about their likes and interests.
“The attackers only need to spend a few minutes looking online at what people are sharing to then personalize and send a phishing email. We are creating our own risk, and in large part we don’t know about cognitive biases when we interact online,” Wanca says.
That’s bad news for the organization because in the end, it doesn’t matter what technology they have as they still need humans to interact with it.
The data breaches that have occurred in the past year or two were the result of preventable human error, Wanca says. Mitigating the risk of human error goes back to awareness training, which in large part is a generic, one-size-fits-all process from which employees will zone out.
“A lot of the time the trainings are created for a large audience, which is dry. Given that each person exhibits an individual cognitive bias, security awareness training needs to be tailored to that personal bias. It needs to be individualized,” Wanca argues.
More effective training would look at each individual’s behavior to discern what exposes them when they interact online. In that way, the training can then focus on preventing cybercrime through promoting cyber-awareness by correlating risks with specific triggers in an individual’s behavior.
“Companies need to be aware that breaches will continue to occur because we are adding more devices to our networks. Data will be shared, transmitted through multiple devices, and different communication channels, and it is better to invest in training than in lawsuits or losses,” Wanca argues.
One of the most important things the industry can do to defend against current and emerging threats is to collectively come together as a security community and share things like intelligence, lessons learnt and strategies for success versus working in silos or as competitors.
“Everyone who works in security has had some sort of experience managing through incidents – and we all stand to learn something from each other,” Farshchi says. Atlanta for the Advancement of Security (ATLAS) is one such effort to bring CISOs together and to take a meaningful approach to sharing advice and expertise. As the whole is greater than the sum of its parts, partnerships, according to Farshchi, are paramount.