Russia. China. North Korea. Iran.
If one listens to the mainstream media, these are the biggest cyber security threats facing American businesses. When hackers from these regions make any move against western businesses and governments, the news is magnified ten-fold in comparison to the actual source of the attacks: human error on the part of the victim organizations.
At least that’s the view of some top-level security experts, expressed at London’s 44CON yesterday, and when one thinks about it, they’re right. The biggest threat to security is and has always been the human ability to make mistakes and not know about them because the decisions made go unquestioned. But Quentyn Taylor, a security executive with Canon, says that exaggerated news of devious hackers in regions untouched by western laws can’t obscure the facts. As part of his opening presentation, he said:
The basics are absolutely being forgotten and there is a mentality to focus on new things.
Taylor made use of a recent report by Verizon, which highlights the fact that a serious lack of patching is still the number one cause of cyber attacks. A hacker doesn’t need some vast spy agency to back him if he can just scan for sites that are still using outdated software. Vulnerabilities are made public after they are patched, after all, and those who fail to update their systems are just begging for trouble. The Verizon Data Breach Investigations Report says, in part:
Phishing campaigns have evolved in recent years to incorporate installation of malware as the second stage of the attack. Lessons not learned from the silly pranks of yesteryear and the all-but-mandatory requirement to have e-mail services open for all users has made phishing a favorite tactic of state-sponsored threat actors and criminal organizations, all with the intent to gain an initial foothold into a network.
A high percentage of state-sponsored attacks have turned out to be achieved through phishing. Yet phishing is one of the easiest methods of hacking to avert, compared with brute-force password stealing and the theft of property that has authorized access to corporate networks. So speakers at 44CON were emphatic in relaying the message: patching and anti-phishing practices can eliminate a great deal of risk in cyber security. Back to basics, essentially, because both of these are very basic things in network management. Patches should be applied as soon as they are available, even if it means downtime, and all employees should be trained to resist social engineering.
Leaders Need to Lead
Taylor preached that the basics were being lost on those with the authority to ensure that they are understood by lower levels of an organization. CISOs, those in charge of network security, need to be clear on the basics themselves. One breach is one too many, and in many cases it can cost someone their job. Taylor said:
If you’re a CISO, a head of security or aspire to be one, you’re a leader and need to do two things. It sounds obvious but you need to lead. In the herd, you need to understand why you’re in the herd, and on the basis that you’ve seen and understood the landscape.
The herd he is referring to here comes from the report he was using to fuel most of his talk. It speaks of threat intelligence sharing and how it resembles the way plains animals warn each other of threats such as predatory animals.
Ideally, sharing intelligence should lead to a form of “herd alertness,” similar to the way plains animals warn each other when predators are nearby. This would seem to require that intelligence must be shared at a faster rate than the spread of attack in order to successfully warn the rest of the community. “How fast is that?” you might ask, and it’s a great question.
It may be true that there are more advanced cyber security threats than at any other time in history. It might be true that many of these are state-funded and dedicated to their cause. But losing sight of the basics and conveniently blaming breaches on the bad guys, instead of assessing what should and could have been done to avoid them, is bound to create a situation where the hits just keep on coming.