There is an increasing trend of companies moving to e-business models with connectivity using multiple channels such as the Internet, mobile devices, social media, and the cloud in an anytime, anywhere, always-on model. Businesses, small or large, are part of cyberspace and are continually connected directly and indirectly. While this has definitely improved business volume, it has also increasingly attracted the attention of cybercriminals.
Cyberattacks continue to rise at an alarming rate. Hacking tools are freely available on the Internet. Script kiddies are performing scans and attacks for fun and sometimes just to see if their efforts work. There is also an increase in organized and well-funded cybercriminal groups that continuously target organizations and exercise great patience to systematically exploit the weaknesses they discover. Improved connectivity has also allowed cybercriminals to expand their possible attack vector, so cyberrisk has become a key issue to be addressed by all organizations.
While most organizations already have good security practices in place, they need to spend quality time and resources for long-term cyberdefenses. This article provides quick fixes for closing cybersecurity loopholes and improving cyberdefenses as early as possible before cybercriminals can escalate the level of attacks on any organization.
Raise Cybersecurity Awareness at All Levels
People are the critical element in the journey toward improved security. Many cyberattacks are successful due to unaware and undisciplined end users. In many organizations that are already certified to ISO 27001 and other regulatory requirements, the board of directors (BoD) and end users may be curious about what is new in cybersecurity. If this curiosity is not addressed, the topic may not get serious attention. It is increasingly important for information security teams to create awareness of cybersecurity at all levels. Using examples of various data breaches such as the Target and Sony attacks1 can quickly help demonstrate how cyberattacks can impact the organization.
Reexamine Risk Management Exercises
It is quite possible an organization already has a risk assessment process in place, but in the face of cyberthreats, it becomes important to reconsider the nature of these attacks and revisit the risk assessment exercise. Some of the popular risk management standards and frameworks that can be referred to for the risk assessment are ISACA’s COBIT 5,2 ISO 31000:2009, Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management—Integrated Framework, OCTAVE, the US National Institute of Standards and Technology (NIST) Risk Management Framework and many more. Many organizations may rate the threat and vulnerabilities as low, considering there are no known reported cyberattacks on the organization. Other organizations may have a false sense of security and confidence that, since they have security devices, tools and techniques, they are already cybersecure. It is time to reexamine whether these security devices can be bypassed by any means and realistically assess the risk to the environment. Risk management teams need to keep abreast of how cybercrimes are currently conducted and factor into similar use cases in their risk assessment exercise.
Strengthen Mechanisms for Authentication and Authorization
Passwords, personal identification numbers (PINs), tokens and digital certificates are the most commonly used authentication mechanisms. While an organization may have an excellent password policy, it becomes important to evaluate whether it is implemented properly across the entire organization. Authentication management systems should not accept any weak authentication credentials. System and network administrators need to be extra careful, as they are responsible for highly privileged accounts. Compromise of the authentication system itself and highly privileged accounts are high-risk areas that need to be reconsidered.
Strengthen End-point Protection Measures
Users with desktops, laptops, mobile handsets and personal digital assistants (PDAs) can be very lucrative targets for cyberattackers. Typically, organizations would deploy from basic antimalware to comprehensive end-point protection measures. Antimalware solutions should be able to detect and protect from various kinds of threat agents such as viruses, worms, Trojans, spyware, adware, keyloggers and other variants of malware. Organizations should ensure that there is adequate protection at points of entry through Internet and email access. End-point protection solutions should be capable of recognizing suspicious activity on end-user systems such as unusual ports and traffic patterns, file alteration, attacks on system files, and other activities that can be of interest to a cyberattacker.
Conduct Regular Penetration Testing and Take Corrective Action
For organizations that have not conducted penetration testing (internal and external), it may be time to consider this as one of the most effective ways to proactively identify technical security vulnerabilities in the system that could potentially be exploited by an attacker. Some organizations do perform penetration tests, but the question to ask is whether they have tracked confirmed vulnerabilities to risk mitigation measures and closure. If they have not, then these are the very vulnerabilities that may be exploited by cybercriminals and cause damage to the organization.
Improve the Patch Management Process
It is not uncommon to see vendors releasing multiple patches for operating systems (e.g., Windows variant, UNIX variant) and sometimes within a short time period. From an organizational perspective, it is perceived as a taxing process as it involves making sure that the patch not only addresses the known security issues, but also does not interfere with the business functionality. Many times, application vendors advise customers not to apply the latest patch because their software will not work with the new patch. And if this very system happens to be publicly exposed, the risk multiplies. Cybercriminals are not only exploiting the known but uninstalled patches, but also zero-day vulnerabilities, for which vendors have not yet issued a patch. Considering these scenarios, it becomes important for the organization to focus on the necessary discipline for implementing the patch management process.
Strengthen the Log Monitoring Process
Most organizations have some level of log monitoring, and many of the automated tools show the top Internet Protocol (IP) addresses, top systems where attacks are concentrated, traffic patterns and many other details. Often, this is provided as a feature by the log monitoring system, but it is seldom used effectively. The reports may be generated, but not be reviewed adequately. Sometimes the reports are generated with greater vigor at the start of a new system deployment but monitoring tapers off over time. This is good news for cybercriminals because their activities may not be properly tracked and detected by the organization. Some attacks have become very sophisticated and organizations need to think of security event management-type solutions, but still these systems will not be useful unless the reports generated are fully analyzed and timely action is taken. Discipline in the log monitoring process is required for improved cyberdefense.
Improve the Security Incident Response Process
Organizations may deploy the latest technologies, but in the war between cybercriminals and cyberdefense personnel, an effective security incident response process is a must. Cybercriminals will always attempt new techniques to bypass security, and technology may not always be the solution to detect a new cybercrime attack. Periodic test exercises (e.g., tabletop) and proper training of end users to help them recognize cyberincidents go a long way toward the prompt detection of such attacks. Cyberexperts should be involved to review all the incidents to ensure that cyberattacks do not go undetected and effective responses to cyberattacks are planned and undertaken. Sometimes a simple malware-related incident may turn out to be a targeted cyberattack.
Consider the Disaster Recovery Process for Cyberattacks
Most organizations have some type of disaster recovery process to tackle events such as environmental hazards, network failures, and hardware and application failures. However, organizations cannot afford to overlook the damage that can be rendered by the very specifically targeted attacks conducted by cybercriminals. Organizations need to include and plan for various cyberattacks, such as denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks, among the many hazards addressed in their disaster recovery process.
Conclusion
Cybersecurity threats are on the rise. Every organization is connected to one another, and any organization can become the victim of cyberattacks. A good strategy to strengthen the basic controls discussed in this article will go a long way toward improving the organization’s cyberdefense.
Fundamental controls such as passwords; security awareness; antimalware and end-point protection; patch management; log monitoring; security incident management; and security at the operating system, application, database and network layer have become even more important.
Along with the strengthening of these controls, organizations have to start thinking like a smart hacker and proactively start protecting all the critical assets that may be of interest to an adversary. The offense informs the defense. Prioritization, metrics, continuous diagnostics, mitigation and automation are the five critical tenets of an effective cyberdefense as reflected in the SANS Critical Security Controls.3
Additional specific controls from ISO 27001:2013, COBIT 5 and other relevant best practice guides can help further strengthen cyberdefenses as a long-term solution. Users have become mobile and more demanding; technology has made devices more compact with more features in an interconnected world; and, simultaneously, threats have evolved and attackers have become smarter. Cyberdefense can be more effective only when these transitions are understood and smart defense mechanisms implemented.
Endnotes
1 McCandless, D.; T. Evans; “World’s Biggest Data Breaches,” Information Is Beautiful, infographic, 6 August 2015, www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
2 ISACA, COBIT 5 for Risk, USA, 2013
3 SANS Institute, Critical Security Controls for Effective Cyber Defense, www.sans.org/critical-security-controls/
Sanjiv Agarwala, CISA, CISM, CGEIT, BS 25999/ISO 22301 LA, CISSP, ISO 27001:2013 LA, MBCI, is currently director and principal consultant at Oxygen Consulting Services Pvt. Ltd. Agarwala has more than 17 years of experience across multiple industry domains in various information security roles and has expertise in areas such as information security management systems, risk management, cybersecurity, systems audit, IT governance and business continuity management.