A panel of experts comprising Adam Montville, David Froud and Mark Kedgley discussed a range of cyber-security issues at a roundtable session.
“It's still a draw in the cyber-security war – the attackers get better resources as quickly as the corporate security team do.”
That was how Mark Kerrison, NNT CEO, opened a recent NNT panel discussion covering a range of cyber-security issues.
“Recent reports show the majority of breaches only need to be active for a period measured in days. One-third of these take what they want within minutes, e.g. user credentials.
The rest remain active to steal data such as payment card data. By contrast, only 25 percent of breaches are discovered within a comparable period.
So breaches happen fast with damage done long before anybody knows anything about it. Better defenses are needed, but faster/real-time breach detection is vital.
Why do we seem to be stuck in first gear when it comes to the cyber-security race?”
Why are hackers still able to exploit existing known vulnerabilities?
“Because too many of us make it easy for them!” said Mark Kedgley, CTO, New Net Technologies.
“The most successfully exploited vulnerabilities exist on older abandoned platforms such as Windows XP, with these still widely in use on some of the most lucratively rewarding systems such as Retail POS and banking ATMs.
The only conclusion is that change and cost-averse organizations are hanging on to outdated platforms. Unable to move from a legacy platform? The need for hardening and breach detection is even more acute as the only path available to increase security.
Adam Montville from CIS summarized the inequality of the struggle between defender and attacker: “The problem is that you, as the defender, need to be right all the time – the attacker only needs to be right once.”
Why do you need to understand the configuration of your IT estate?
David Froud, Principal Trainer, Core Concept Security, added: “An inventory of authorized devices is the number one Control in the CIS/SANS Top 20. You can't defend what you don't know you have – you are blind to what your security needs are.”
Kedgley responded: “Your knowledge needs to go beyond the platform, further than the software and versions installed, right through to the actual settings at a security policy-level where configuration vulnerability mitigation is enabled. Changes here could weaken hardened defenses leaving you prone to attack – you need visibility at this level.”
Why do organizations tend to prioritize focus on perimeter defenses at the expense of the actual systems that store sensitive data?
Montville suggested: “Most struggle to identify what the sensitive data is, where it is, and where it goes, whereas working with perimeter security is a relatively known quantity.”
Froud agreed with this, adding “It's easier, better understood, and usually manageable in-house. Network security is easier than end-system security and the skill-sets more prevalent.”
“Whilst it makes sense to focus on perimeter defenses it also misses the point - ultimately the servers and desktops holding the data need to be protected.
“Buy extra bolts for your front door, sure, but get a safe for your valuables as urgently.”
What is the latest guidance with respect to Ransomware?
Froud suggested that defenders “Follow the advice in frameworks like the CIS Controls which will have you doing things like whitelisting, training folks to see phishing attempts, and having good backups at the ready. Ransomware is not a dramatically new attack, just a monetized one.”
Kedgley commented: “We're back to the earlier question of Perimeter vs Endpoint. Ransomware targets the desktop through phishing emails with toxic web-links or malicious attachments. Our Ransomware Mitigation Kits first audit the desktop applications for vulnerabilities, then automatically harden the browser, office apps, and email.”
Eliminating vulnerabilities by hardening comes with a health warning - what is the safest way to do it?
Kedgley and Froud agreed, with Froud saying: “There are three cooperative ways to mitigate this risk: Simplify, provide advanced information, and test.”
“Provide security requirements to your development team as early as possible. Better yet, have security personnel contributing to every development team. There needs to be as much early-stage consideration to security planning as there is to the sizing of hardware and network design.”
Froud concluded, “Get informed: Use resources like the learn.cisecurity.org website that provides free-to-use CIS Benchmark content.
“Beware buying security products too early and before you have properly understood what you are trying to secure, so make sure you get help. My pet phrase as a South African is ‘Build your fence higher than your neighbors' – Cyber-attackers are lazy and will attack the easiest targets so make sure you are doing the basics well.”
Kedgley added: “With so much ground to cover and security best practices to implement, use automation to assess vulnerabilities and to remediate them. Use the untapped security measures you have at hand: implement CIS hardening measures - of course! - but make sure you leverage freely available extras such as Microsoft EMET, AppLocker, and BitLocker which provide phenomenal added protection.”
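Kedgley's two points, visibility down to the security-policy settings where a change can silently weaken a hardened build, and automating the assessment against CIS-style hardening measures, combine naturally into a baseline drift check. The Python below is an added example, not NNT or CIS code; the setting names, thresholds and the two snapshots are constructed for illustration and are not taken from any real CIS Benchmark.

```python
"""Hardening-baseline drift check (added example, not vendor code).

Compares the current snapshot of security-policy settings against a
hardened baseline and a previous snapshot, so that a setting which
*used to* comply but no longer does is reported as drift, separately
from settings that never met the baseline or have gone missing.
"""
from dataclasses import dataclass

# Constructed baseline: setting -> (comparison, required value).
# "eq" = exact match, "min" = current >= value, "max" = current <= value.
BASELINE = {
    "PasswordComplexity": ("eq", 1),
    "MinimumPasswordLength": ("min", 14),
    "LockoutBadCount": ("max", 5),
    "EnableLUA": ("eq", 1),       # UAC enabled
    "AutoAdminLogon": ("eq", 0),
    "SMB1": ("eq", 0),
}

def compliant(rule, value):
    """True if a single observed value satisfies its baseline rule."""
    op, required = rule
    if value is None:            # setting absent -> cannot be compliant
        return False
    if op == "eq":
        return value == required
    if op == "min":
        return value >= required
    if op == "max":
        return value <= required
    raise ValueError(f"unknown comparison {op!r}")

@dataclass(frozen=True)
class Finding:
    setting: str
    previous: object
    current: object
    kind: str   # "drift" (was compliant, now not) | "noncompliant" | "missing"

def assess(baseline, previous, current):
    """Return findings for every setting that fails the baseline now."""
    findings = []
    for setting, rule in sorted(baseline.items()):
        cur, prev = current.get(setting), previous.get(setting)
        if compliant(rule, cur):
            continue
        kind = "missing" if cur is None else ("drift" if compliant(rule, prev) else "noncompliant")
        findings.append(Finding(setting, prev, cur, kind))
    return findings

# Constructed snapshots: yesterday's hardened state and today's state.
SNAPSHOT_PREV = {"PasswordComplexity": 1, "MinimumPasswordLength": 14, "LockoutBadCount": 5,
                 "EnableLUA": 1, "AutoAdminLogon": 0, "SMB1": 1}
SNAPSHOT_NOW = {"PasswordComplexity": 1, "MinimumPasswordLength": 8, "LockoutBadCount": 5,
                "EnableLUA": 0, "SMB1": 1}

if __name__ == "__main__":
    for f in assess(BASELINE, SNAPSHOT_PREV, SNAPSHOT_NOW):
        print(f"{f.kind:<13} {f.setting}: {f.previous!r} -> {f.current!r}")
```

Run daily, the "drift" class is the one that matters most for breach detection: those are the hardened settings somebody or something has just turned off.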
Mark Kedgley, CTO, New Net Technologies
Adam Montville, VP of Programmes, Center for Internet Security
David Froud, Principal Trainer, Core Concept Security