In assessing how the cyber threat and mitigation landscape has evolved over time, I often think of the ways that “cops and robbers” movies have changed: In the old days, a typical scene would feature a bad guy walking into a bank with a note indicating that he had a gun, and that he wanted what was in the safe. He’d hand over the note to a teller, and then walk out with bundles of cash.
Now fast-forward to how a more modern film like Ocean’s Eleven depicts heists: There are no handwritten notes. George Clooney, Brad Pitt and their crew spend weeks meticulously casing a targeted casino and develop an intricate, multi-layered plan to get to the vault – a plan which involves overcoming or otherwise “working around” security cameras, biometrics-enabled locks and a formidable laser-detection system. The gang’s countermeasures and tools include technological sabotage, disguises and even a powerful electromagnetic machine which temporarily triggers a massive blackout throughout the Las Vegas strip.
As in the movies, the “bad guys versus good guys” dynamic of cyber attacks has gotten much more complicated. In the past, an attacker often needed to exploit only one vulnerability to gain entry, i.e., break into one “safe” and walk away with everything the bank had to offer. Once the enterprise recognized the vulnerability, it came up with better “alarms and locks” (such as monitoring tools and firewalls) to protect itself. Back then, this sequence of events sufficed as good, basic cybersecurity hygiene.
However, over the years, attackers have grown increasingly sophisticated, prompting cybersecurity leaders to “up their game” by implementing controls across their networks, operating systems and applications, with public cloud providers introducing additional safeguards, which has considerably expanded the enterprise mitigation and control portfolio.
But, like our Ocean’s Eleven crew, attackers eventually find a way. In endless Spy vs. Spy scenarios played out every day, enterprises invest in countermeasures and strategies to keep cyber crooks from infiltrating machines, apps and systems, and the cyber crooks keep figuring out how to circumvent them.
Any network can be compromised given enough time and money, but not every network is worth the effort for cybercriminals. Sadly, the largest share of successful attacks are purely “spray-and-pray,” where the victim has done nothing more than connect vulnerable software to the Internet. In these cases you aren’t being targeted for who you are; you are simply an opportunistic hit. That said, many of these compromises start off with one modest objective, such as joining your computer to a botnet, using it to mine cryptocurrency or sending spam, and in some cases the foothold is then resold as an access point into your organization’s network.
For this reason, adopting a risk-based approach to securing your organization is paramount to investing your time, money and resources effectively: understanding the balance between the seriousness of the threats to your environment and the appropriateness of the controls you can use to thwart or mitigate them.
But there are proven best practices to help contain and minimize the consequences:
Know your enemy
Identify what you have, and who wants it. To extend our “cops and robbers” analogy, if you run a liquor store, you need to worry about stick-up men, not cat burglars. That’s why you approach security differently for an e-commerce company than for an aerospace manufacturer. Both have data that is appealing to attackers, but getting to that data requires different techniques and levels of determination.
When you map your cyber assets and profile the type of adversary who would seek to take them, you are better prepared to implement countermeasures commensurate with the resources of your adversaries.
Sweep through the entire enterprise’s cyber ecosystem to uncover all the weaknesses and gaps which exist. Ask: “Where are the most likely, and easiest, attack surfaces? These will be attacked by even the most unsophisticated adversaries. How do we reduce them?” Understand and record the technologies you use, and monitor for patch releases. The most effective cybersecurity hygiene begins with knowing your network and mitigating its threats.
Adopt risk-based strategies
Via a thoroughly conceived risk-based strategy, company leaders inventory the assets contained within systems, apps and devices and prioritize them by importance. With this, they devote the most time, energy and resources to the assets of the highest value. Assets which represent an “acceptable” level of risk or loss receive less attention.
The balance is a careful one, though. At some point you need to understand the linkage of your less critical systems to your truly critical ones: if a non-critical server is compromised, how will you know that the cancer isn’t spreading? Thus, you have to anticipate what is most likely to be targeted, and reinforce against those attacks. Run the same tools against your website that you see attackers deploying, and patch known vulnerabilities.
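One way to make that linkage concrete is to treat the asset inventory as a graph and let each asset inherit the criticality of whatever it can reach. The script below is an added example, not code from the original article; the asset names, criticality scores and reachability edges are a constructed inventory, and the scoring rule (own score raised to the highest score reachable from it) is one simple choice among many.

```python
"""Risk-based prioritisation that accounts for linkage between assets.

Added example, not from the original article. ASSETS and REACH are a
constructed inventory; the 1..5 criticality scale is an assumption.
"""
from collections import deque

# Constructed inventory: asset -> business criticality (1 low .. 5 crown jewel)
ASSETS = {
    "www-frontend": 2,
    "build-server": 1,
    "dev-laptop": 1,
    "ldap": 4,
    "db-customer": 5,
    "artifact-repo": 3,
    "print-server": 1,
}

# Constructed linkage: asset -> assets an attacker could pivot to from it
# (network ACLs, trust relationships, stored credentials, and so on).
REACH = {
    "www-frontend": ["db-customer"],
    "dev-laptop": ["build-server"],
    "build-server": ["artifact-repo"],
    "ldap": ["db-customer"],
    "db-customer": [],
    "artifact-repo": [],
    "print-server": [],
}


def reachable(start, reach):
    """All assets an attacker can pivot to from `start` (BFS; cycles are safe)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in reach.get(node, []):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_criticality(assets, reach):
    """Each asset's own score, raised to the highest score it can reach."""
    result = {}
    for asset, own in assets.items():
        inherited = max((assets[r] for r in reachable(asset, reach)), default=0)
        result[asset] = max(own, inherited)
    return result


def prioritise(assets, reach):
    """Rows (asset, own, effective, exposes) ordered by effective criticality.

    `exposes` lists the more valuable assets this one gives a path to, which is
    the question the text asks: if this box falls, where can the cancer spread?
    """
    eff = effective_criticality(assets, reach)
    rows = []
    for asset in sorted(assets, key=lambda a: (-eff[a], a)):
        exposes = sorted(r for r in reachable(asset, reach) if assets[r] > assets[asset])
        rows.append((asset, assets[asset], eff[asset], exposes))
    return rows


if __name__ == "__main__":
    for asset, own, eff, exposes in prioritise(ASSETS, REACH):
        print(f"{asset:14} own={own} effective={eff} exposes={exposes}")
```

With the constructed data, the “non-critical” dev laptop and build server both rank alongside the artifact repository they lead to, and the public web frontend ranks with the customer database it can reach; only the isolated print server stays at the bottom. In practice the edges come from firewall rules, IAM trust and credential reuse, and they are the part of the inventory most worth keeping current.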
Good cyber hygiene is all about awareness. With 24/7/365 monitoring enterprise-wide, organizations stay on top of the latest threat that has “entered the building” and respond immediately and effectively by containing and/or removing it. In other words, the threat may have “gotten through one door,” but proactive monitoring and response will keep it from getting beyond additional ones.
As robberies and cyber attacks have demonstrated over time, bad guys will “enter the building.” They could possibly reach a “vault” or “steal the liquor.” In the former case, we’d need time-based locks and pressure-sensitive tiles to alert our 24/7 security services and the police.
In the latter case, the store owner needs to invest in a capable alarm system, train employees on robbery response and even magnetically “tag” bottles to deter shoplifters and “stick-up” men. Similarly, with a risk-based strategy and security monitoring, we can deter adversaries from getting in and, when they bypass the controls, from escaping with a bagful of loot, in this case private and/or proprietary information, even if we’re dealing with bad guys as clever as the Ocean’s Eleven crew.