IT professionals should use the nearly epic scale of the Sony cyber attacks to spur their companies into action versus panicking about potential risks.
“The FBI is right when they said that less than 10 percent of companies could survive an attack like the one on Sony,” WatchGuard’s Global Director of Security Strategy, Corey Nachreiner. “And, unfortunately, it’s not a question of if, but when for these kinds of attacks.”
Five actions to strengthen your first-line defense:
1. Firewalls and antivirus (AV) are not enough (Defense in Depth): The threat landscape has changed greatly in the last five years, and firewalls and AV are simply no longer adequate as standalone protection against advanced attacks. Today, organizations need many layers of defense to truly protect themselves from evasive threats, including intrusion prevention services, web security solutions, reputation services, application control and more.
2. Don’t just lock down incoming traffic; restrict outgoing (egress filter): Ã‚ÂMost security professionals focus on restricting outside (Internet-based) traffic from getting into their network. However, administrators should spend time restricting the outgoing traffic as well. If you limit what your users can do online to what’s absolutely necessary for business, you can often prevent employees from accidentally stumbling on cyber landmines, and you might even prevent malicious software from calling home to its attacker.
3. Today, you need APT protection: Advanced threat actors have become extremely sophisticated and regularly create evasive malware designed to get past signature-based AV solutions. This means someone has to find the malware before you have a signature to protect against it. APT solutions detonate potential malware and use behaviors to immediately identify previously unknown, zero-day malware. If you rely only on AV protection, consider yourself infected.
4. Train employees to identify and report spear phishing attempts: Spear phishing is one of the most common advanced attack techniques. Rather than sending an obviously suspicious email, sophisticated actors study their victims intimately and send very targeted and much more believable emails. Train employees on the existence of spear phishing and warn them to remain suspicious of any email with a link or document attachment, even if it seems to come from a co-worker.
5. Use reputation-based security services and threat intelligence: Today, malware delivery is very dynamic and moves at the speed of light. Security organizations have launched information-sharing reputation services to give security controls up-to-the-minute information on what might be a bad site. Make sure your security arsenal includes controls that leverage reputation services.
Seven actions to minimize damage if cyber criminals do get in:
1. You will get breached, plan for it: No matter how sophisticated your security, nothing is perfect. One day you will be breached, so you need to design your internal network with this inevitability in mind. Back up your data, have a pre-written disaster recovery plan, and ensure systems are in place so operations can continue even if the worst happens.
2. Encrypt, encrypt, encrypt: Modern companies have become very good at encrypting any data that leaves the corporate network, but far rarer is anything encrypted locally. If you store any sensitive data (e.g., password databases), it must be encrypted on the computer it’s sitting on. If you encrypt stored local data, it becomes much harder for attackers to steal it – even if they do breach your network. There is no excuse for not using local disk or file encryption.
3. Segment your network and apply “least privilege” principles: Your internal employees shouldn’t have equal access to all of your data. A marketing person should not have access to your full corporate finances, and an accountant should not have access to the marketing plan for a yet-to-be-released movie. Segment your trusted network using strong security controls to limit internal employee access. Also be sure to leverage the least privilege principle to ensure employees have access to only what’s needed to perform their job roles.
4. Two-factor authentication: Passwords will not die anytime soon, however, if you rely on passwords alone and someone figures out your administrator’s credentials, your network is lost. If you use some form of two-factor authentication, an attacker will not be able to compromise your network even if an important password is leaked. In 2015 and beyond, two-factor authentication will become a must have – not just a “nice to have.”
5. Data loss prevention (DLP) can stop data exfiltration and alert you to problems: Modern security products now have controls that recognize when specific data moves around your network. Using DLP controls can help prevent bad guys from sending data out over the Internet, or may at least alert you when data is leaving your building.
6. Consider the full kill chain and block outgoing C&C connections: The kill chain consists of every step in the attack process, including post-breach steps like the communication channels malware uses to report back to attackers for data exfiltration. Even if you get breached, it’s NOT too late to prevent the attack from continuing. Many modern security products can detect and block malware’s outgoing communications. This may prevent attackers from gaining access to your network even if malware has already infiltrated your organization.
7. Visibility and analytic solutions can recognize when you’re breached: Organizations are not noticing that their network has been compromised until it’s much too late, largely because legacy network and security controls do not do a good job of identifying very important events in the oceans of data stored in log files. Today, you need security visibility and analytic controls that can translate and correlate that ocean of logs and present you with the key events that identify that something went wrong.