This is part two of a two-part series on the top cyber threats to look out for in 2019; part one covered the threats themselves.
How Organizations Can Defend Themselves
We covered a lot of threats that organizations need to be prepared for, so it’s easy to feel intimidated or not know where to start. Here are some fundamentals, principles, and best practices that can help an organization prepare for these threats and more.
Focus on recovery
Organizations should always be prepared for a compromise or breach. That means having a disaster recovery (DR) and business continuity plan, which helps an organization limit the damage internally and externally so the company can keep operating and serving its audience.
Proper DR and business continuity can include hiring the right PR firm to limit reputational damage. It can also mean having infrastructure controls that prevent your entire site from going down, or keeping a network backup in case your organization is hit with ransomware.
Focusing only on defense leaves you vulnerable when an actual compromise happens; by preparing for different scenarios, you can follow in the footsteps of companies that have suffered breaches and survived.
Think through scenarios
“Organizations think too shallow on a given problem. They don’t have any imagination.”
Sanabria suggests that security departments should consider different scenarios of how their organization could be compromised in order to prepare for the next attack. He likens this to a game of chess, where planning and preparation are done proactively and several steps in advance, rather than on a one-to-one basis that only reacts.
These are some sample questions Sanabria offered to help with scenario preparation:
- If one of our developers put a back door in our database, how much damage could that cause?
- What if our credentials (to our database, email, PaaS, social media, etc) are stolen?
- What if a third-party’s security is compromised? This should be considered for all third-parties, including cloud, PaaS/SaaS, and IoT vendors.
- What happens if a phishing attack targets our finance team? Our development team? Our executive team?
These kinds of questions help you identify where the gaps are in your DR and business continuity planning, and also what you may not be tracking from a security perspective. That brings us to our next point...
Increase Your Visibility
Much of the risk involved with cloud security, whether referring to a cloud service provider or a SaaS/PaaS third-party, has to do with a lack of visibility. Organizations need to increase their visibility so they know who has and can have access to their internal infrastructure. That allows organizations to be more sophisticated in managing their environment (we’ll cover this in the next section).
Visibility should also extend to data management and control. As Sanabria mentioned before, one of the problems with cloud service providers is that it’s easy to lose sight of what sensitive data is stored in the cloud. This leads to accidentally exposed file servers and data, which can fall into the wrong hands if anyone malicious is poking around commonly known cloud databases.
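One concrete way to regain the visibility this section asks for is to audit storage access policies for anonymous grants and compare the result with the short list of buckets that are meant to be public. The following is an added example, not code from the article or from Sanabria; the three policies are constructed samples in the AWS S3 bucket-policy JSON structure, which is assumed here as a representative format, and the account ID and bucket names are placeholders.

```python
"""Audit bucket policies for anonymous (public) access grants.

Added example: the policies below are constructed samples in the AWS S3
bucket-policy JSON structure (assumed as a representative format). Every
Allow statement whose Principal is the anonymous wildcard is reported, so
a reviewer can compare the findings with the buckets intended to be public.
"""
import json

# Constructed sample policies keyed by bucket name.
POLICIES = {
    # Accidentally public: anonymous read and list on an internal bucket.
    "finance-exports": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::finance-exports",
                         "arn:aws:s3:::finance-exports/*"],
        }],
    }),
    # Intentionally public website assets: anonymous read only.
    "static-site": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::static-site/*",
        }],
    }),
    # Properly scoped: only a named application role may read (placeholder account ID).
    "hr-records": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::000000000000:role/hr-app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::hr-records/*",
        }, {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::hr-records/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_anonymous(principal) -> bool:
    """True when the Principal matches everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_actions(policy_json: str) -> list:
    """Return the sorted actions a policy grants to anonymous principals.

    Deny statements are skipped: a Deny with Principal "*" restricts access,
    it does not grant it. Allow statements carrying a Condition are still
    reported, because a condition narrows but rarely removes exposure.
    """
    policy = json.loads(policy_json)
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous(stmt.get("Principal")):
            continue
        granted.update(_as_list(stmt.get("Action")))
    return sorted(granted)


def audit(policies: dict, intended_public=frozenset()) -> dict:
    """Map each publicly accessible bucket not on the intended-public list
    to the actions it exposes to anonymous callers."""
    findings = {}
    for bucket, policy_json in policies.items():
        actions = public_actions(policy_json)
        if actions and bucket not in intended_public:
            findings[bucket] = actions
    return findings


if __name__ == "__main__":
    for bucket, actions in audit(POLICIES, {"static-site"}).items():
        print(f"{bucket}: anonymous access to {', '.join(actions)}")
```

Run against a real environment, the policy documents would come from the provider's API instead of the constructed dictionary; the evaluation logic stays the same, and the `intended_public` allowlist is what turns a noisy inventory into an actionable finding.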
Manage Your Employees and Your Environment
Many of the risks facing organizations in 2019 have to do with employee-facing risk. So it’s important to consider them and the environment they’re interacting with when looking for ways to defend against potential attacks.
Employee training that covers BYOD risks, social engineering, basic security awareness, proper password management, and how to recognize an attack or malicious software is a fundamental that every organization can put in place.
However, that’s only part of the solution. Sanabria suggests you also consider your environment: implement network segmentation, define basic access needs by role, and implement a privilege management solution. This ensures that the damage is localized if an employee is compromised, for example by a phishing attack or an attack on their personal device.
Identify the Right Solutions
Sanabria stressed that for the risks that have been around longer, tools and solutions already exist to help defend against attacks. Using tools that harden your environment (Sanabria suggests Windows 10 with Defender, as well as tools that monitor CPU and GPU usage) can help you identify whether attackers are in your network and potentially running cryptominers.
Adopting an enterprise password manager and performing a password audit can ensure your employees are taking basic steps to improve security. As for BYOD risk, Sanabria points to mobile device management (MDM) and enterprise mobility management (EMM) solutions as automated ways to keep track of the devices floating around in your environment.
If phishing is a major concern, he suggests sandboxing your environment, which isolates a network so that, in the case of a compromise, the damage is localized to that network (the “sandbox”). Isolated browsers work similarly and “stream” browser sessions through external networks so that, if malicious software or an attack succeeds, your network is unscathed.
However, with these employee-facing solutions it can be hard to get widespread adoption, and it only takes one employee who fails to use them and gets hit with a phishing email or attack. So here is an additional approach to take.
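The CPU and GPU monitoring Sanabria mentions is only useful with a rule on top of it. Below is an added example, not code from the article, of one such rule: a process is flagged when it stays above a usage threshold for a minimum number of consecutive samples, which is the footprint a cryptominer leaves and short bursts of legitimate work do not. The telemetry lines, the key=value format, the process names and the allowlist of known heavy workloads are all constructed for the example.

```python
"""Flag processes with sustained high CPU or GPU usage in periodic telemetry.

Added example: the telemetry below is constructed (one sample per minute
per process) in a simple key=value format assumed for illustration.
"""
import re
from collections import defaultdict

# Constructed telemetry: timestamp, host, pid, process name, CPU %, GPU %.
TELEMETRY = """\
2019-01-15T02:00Z host=ws-17 pid=4412 proc=winhelper.exe cpu=96 gpu=0
2019-01-15T02:01Z host=ws-17 pid=4412 proc=winhelper.exe cpu=98 gpu=0
2019-01-15T02:02Z host=ws-17 pid=4412 proc=winhelper.exe cpu=97 gpu=0
2019-01-15T02:03Z host=ws-17 pid=4412 proc=winhelper.exe cpu=99 gpu=0
2019-01-15T02:04Z host=ws-17 pid=4412 proc=winhelper.exe cpu=97 gpu=0
2019-01-15T02:05Z host=ws-17 pid=4412 proc=winhelper.exe cpu=98 gpu=0
2019-01-15T02:00Z host=ws-21 pid=3020 proc=browser.exe cpu=91 gpu=12
2019-01-15T02:01Z host=ws-21 pid=3020 proc=browser.exe cpu=30 gpu=5
2019-01-15T02:02Z host=ws-21 pid=3020 proc=browser.exe cpu=88 gpu=7
2019-01-15T02:03Z host=ws-21 pid=3020 proc=browser.exe cpu=22 gpu=3
2019-01-15T02:00Z host=ws-03 pid=910 proc=render.exe cpu=40 gpu=99
2019-01-15T02:01Z host=ws-03 pid=910 proc=render.exe cpu=42 gpu=99
2019-01-15T02:02Z host=ws-03 pid=910 proc=render.exe cpu=41 gpu=98
2019-01-15T02:03Z host=ws-03 pid=910 proc=render.exe cpu=39 gpu=99
2019-01-15T02:04Z host=ws-03 pid=910 proc=render.exe cpu=40 gpu=99
2019-01-15T02:00Z host=ws-08 pid=2222 proc=gpuhog.exe cpu=10 gpu=97
2019-01-15T02:01Z host=ws-08 pid=2222 proc=gpuhog.exe cpu=12 gpu=98
2019-01-15T02:02Z host=ws-08 pid=2222 proc=gpuhog.exe cpu=11 gpu=96
2019-01-15T02:03Z host=ws-08 pid=2222 proc=gpuhog.exe cpu=10 gpu=99
2019-01-15T02:04Z host=ws-08 pid=2222 proc=gpuhog.exe cpu=12 gpu=97
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"cpu=(?P<cpu>\d+) gpu=(?P<gpu>\d+)$"
)


def parse(text):
    """Yield one dict per well-formed telemetry line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sample = m.groupdict()
            sample["cpu"] = int(sample["cpu"])
            sample["gpu"] = int(sample["gpu"])
            yield sample


def longest_run(values, threshold):
    """Length of the longest streak of consecutive values at or above threshold."""
    run = best = 0
    for v in values:
        run = run + 1 if v >= threshold else 0
        best = max(best, run)
    return best


def sustained_usage(text, threshold=85, min_consecutive=5,
                    known_heavy=frozenset({"render.exe"})):
    """Report (host, pid, proc) tuples whose CPU or GPU stayed at or above
    threshold for min_consecutive samples in a row, skipping allowlisted
    workloads. Findings are sorted by host and pid for stable output."""
    by_proc = defaultdict(list)
    for s in parse(text):
        by_proc[(s["host"], int(s["pid"]), s["proc"])].append(s)

    findings = []
    for (host, pid, proc), samples in by_proc.items():
        if proc in known_heavy:
            continue
        samples.sort(key=lambda s: s["ts"])  # runs are only meaningful in time order
        cpu_run = longest_run([s["cpu"] for s in samples], threshold)
        gpu_run = longest_run([s["gpu"] for s in samples], threshold)
        if max(cpu_run, gpu_run) >= min_consecutive:
            resource = "cpu" if cpu_run >= gpu_run else "gpu"
            findings.append({"host": host, "pid": pid, "proc": proc,
                             "resource": resource, "samples": max(cpu_run, gpu_run)})
    return sorted(findings, key=lambda f: (f["host"], f["pid"]))


if __name__ == "__main__":
    for f in sustained_usage(TELEMETRY):
        print(f"{f['host']} pid {f['pid']} {f['proc']}: "
              f"{f['resource']} above threshold for {f['samples']} consecutive samples")
```

The browser on ws-21 peaks twice but never holds, so it is not reported; the rendering job on ws-03 is sustained but allowlisted. Tuning is a matter of the threshold, the run length and the allowlist, and a hit is a lead for an analyst to look at the process, not proof of mining on its own.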
Consider Your Processes
Sanabria believes that shifting processes can have dramatic effects on a company’s defense. Rather than continuously engaging in employee awareness, which can be difficult to scale as a company grows, they should look deeper into what the real risk is.
Take, for example, a BEC attack.
“An email without any sanity checks or validation shouldn’t be enough to transfer millions of dollars.”
If a BEC attack succeeds, that’s not the fault of the employee but of the organization that allowed email to be the single step needed for money to move in or out. Instead, an organization should look at how payments are approved and carried out.
Considering your company’s processes can have a positive, widespread effect on your security and facilitates actions such as implementing network segmentation, cloud security controls, and more.
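The point above, that an email is an input to a payment process and never an authorisation, can be written down as an explicit rule set. The following is an added example, not code from the article or from Sanabria: the vendor master, the finance approver list, the dual-approval threshold and both payment requests are constructed. Under these rules a request that arrived by email needs an out-of-band callback to the phone number already on file for the vendor (never a number supplied in the email), the account must match the vendor master, and large payments need two finance approvers, neither of whom is the requester.

```python
"""Payment release check where an email is an input, never an authorisation.

Added example: VENDOR_MASTER, FINANCE_APPROVERS, the threshold and the
requests are constructed values for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed vendor master: the only trusted source of accounts and phone numbers.
VENDOR_MASTER = {
    "Acme Ltd": {"account": "GB00-ACME-1111", "phone": "+44 20 7000 0000"},
}
FINANCE_APPROVERS = {"alice", "bob", "carol"}  # constructed
DUAL_APPROVAL_THRESHOLD = 10_000              # constructed policy value


@dataclass(frozen=True)
class PaymentRequest:
    request_id: str
    requester: str      # who asked for the payment
    beneficiary: str    # vendor name as given in the request
    account: str        # account the request wants paid
    amount: float
    channel: str        # "email", "portal", ...


@dataclass(frozen=True)
class Controls:
    """Evidence finance gathered before releasing the payment."""
    approvers: Tuple[str, ...] = ()
    callback_phone: Optional[str] = None  # number actually dialled to confirm


def evaluate(req: PaymentRequest, ctl: Controls) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); reasons names every control that failed."""
    reasons = []
    vendor = VENDOR_MASTER.get(req.beneficiary)
    if vendor is None:
        reasons.append("beneficiary is not in the vendor master")
    elif vendor["account"] != req.account:
        reasons.append("requested account differs from the vendor master record")

    if req.channel == "email":
        # The callback must go to the number on file, not one in the email.
        on_file = vendor["phone"] if vendor else None
        if on_file is None or ctl.callback_phone != on_file:
            reasons.append("email-originated request lacks a callback to the phone number on file")

    # Only finance staff count, and the requester can never approve their own request.
    independent = (set(ctl.approvers) & FINANCE_APPROVERS) - {req.requester}
    needed = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(independent) < needed:
        reasons.append(f"needs {needed} independent finance approver(s), has {len(independent)}")
    return (not reasons, reasons)


# Constructed scenario: an "urgent" email from the CEO's address asking for a
# wire to a new account, signed off by one approver and nothing else.
BEC_REQUEST = PaymentRequest("REQ-1", "ceo", "Acme Ltd", "LT00-NEW-9999", 250_000, "email")
BEC_CONTROLS = Controls(approvers=("alice",))

# The same payment after the proper process: account matches the master
# record, finance called the number on file, two approvers signed.
CHECKED_REQUEST = PaymentRequest("REQ-2", "ceo", "Acme Ltd", "GB00-ACME-1111", 250_000, "email")
CHECKED_CONTROLS = Controls(approvers=("alice", "bob"), callback_phone="+44 20 7000 0000")

if __name__ == "__main__":
    for req, ctl in ((BEC_REQUEST, BEC_CONTROLS), (CHECKED_REQUEST, CHECKED_CONTROLS)):
        ok, why = evaluate(req, ctl)
        print(req.request_id, "APPROVED" if ok else "REJECTED", why)
```

The first request fails three separate controls at once, which is the property worth noticing: no single convincing email, and no single distracted employee, is enough to move the money. The rules are deliberately plain so that finance and security can review them together.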
However, the most important consideration is the following:
Have a Key Understanding of Your Business Objective
The risks organizations will face in 2019 are numerous and dangerous, and we don’t yet know what new risks will emerge during the year. With so much to be aware of, companies may paralyze themselves with new security controls, processes, and software.
It’s important to understand that the right security comes with the right balance. Too much security can slow an organization down, affecting its productivity and reaction time. Sanabria notes that Dropbox, the leader in consumer cloud storage, has had multiple data breaches but has withstood them and come out on top. Other cloud storage providers haven’t lasted as long.
This is why Sanabria makes an important point: even though cloud security is a major risk factor, using a cloud service provider is better, from nearly every perspective, than not using one. Without cloud service providers, organizations would have to use local file servers, which are another single point of risk. They’re also most often full of sensitive data without any access controls or permissions on them. Compared to cloud storage, it’s much more difficult to audit file servers, log changes, or automate processes. While cloud storage has its risks, its benefits vastly outweigh them.
It’s important to have a frank and honest inquiry into your organization and understand what you’re willing to trade off in security for growth, which are usually two opposing priorities.
Sanabria notes that this is the reason why MDM and EMM have not been widely adopted and why isolated browsers may not work for every organization. Smaller companies may have no problem with MDM or sandboxed environments, but as companies grow, they may need to adapt and find new solutions that work better.
We offered a wide variety of strategies and tactics you can implement in your organization. They should be used in tandem with each other to create a strong, secure organization that doesn’t slow down the business. You may have to try different solutions and processes that work for your specific organization, knowing that you may have to shift strategies in order to find the right balance of security and productivity. An infosec leader’s job is never done, but adopting this kind of principled thinking will help guide their work for years to come.