Fears of inaccuracies
But, warns Mew, these ratings can be wildly inaccurate. “Most of these risk ratings agencies conduct remote tests of a firm’s externally facing endpoints for known vulnerabilities. However, not only does this not give a picture of the internal security profile, but often a firm can outsource elements of its infrastructure to other third parties, making it hard to know who is running what and how,” says Mew.
The first step to take, according to Firstbrook, is to work out the type of attacker you’re up against – who they are, what they want and the systems likely to be attacked. “There are basically three types,” he says. “First, we have automated attackers who are just using one method of attack – for example, WannaCry. These are not aiming for a particular company. It could be anyone. Their targets are companies who just don’t patch.” Then there are opportunistic attackers who come sniffing for vulnerabilities and ways to exploit them.
Both of these attackers are relatively easy to protect against, provided that organisations have the levels of defence that we’ve already mentioned. The third type, however, is the target attacker who is harder to defend against. “These are criminals who are aiming at a particular organisation,” says Firstbrook, “and will try any way to get in.”
Here it’s not just enough to have secure network systems in place. “They’ll use any avenue. If they can’t get into the system, they’ll show up as a janitor and use password stealing software or a patch card or put a WIFI jack on the network. They’ll use any steps to achieve their goal,” he says.
Your systems therefore need robust checks and you must become self-reliant at defense. An internal examination of corporate system, such as a war-gaming program is a good way to begin to assess how prepared a company is for an attack and its capacity to respond.
Kenealy advises going for defense in depth: that is, using a multi-level approach so that if one method fails another will kick in. Such defense is becoming more important as criminals have become adept at disguising the nature of attack vehicles, for example, the PDF. “They are so well engineered you can’t tell the difference even if you’re a security professional. If an employee has to open a document as part of their job, then that’s what they’re going to do,” Kenealy says.
How can you defend against this? “You have to make use of the sandbox. You put the document into a virtual machine and exercise it, so you know whether it’s good or bad,” says Firstbrook. Still, more sophisticated cyber criminals have cottoned on to this and are upping their game. “The attackers now know that you’re doing that, so they have different methods. For example, they figure it whether they’re in a sandbox or not, and if they are they don’t do anything interesting.”
Here defense in depth can kick in. When a document is delivered the signatures should be checked on the network to make sure they’re valid. But other measures can kick in if one level fails. “The IP address that it talks to will have a reputation, but if it doesn’t meet a certain threshold, then it can be blocked by default. It’s exactly the same for domains as well. A good example could be a connection for a very new domain, one registered in 48 hours, that’s often a sign that things aren’t as they should be,” Kenealy says.
There are also some simple, proactive steps you can take. Arguably, the easiest is to make ensure that all your software is running the latest security patches, or replace the old software that is no longer being officially supported by the vendor. As Firstbrook points out, this is not always the easiest thing to do. “If you’re a large organisation and run a scan, you may find Windows XP and NT machines on your network, or you may find things that are out of support and with no way to actually patch them. Or there may be time limits on patching, for example, systems can only be down for a certain part of the day.”
Also, secure systems. That means no excessive privileges for users, hard and fast password rules and, as mentioned, email systems with all security protection in place.
There’s a nasty world of new and existing threats out there for the enterprise. The best prepared of managers, however, will be better placed to deal with them.
Supported by SonicWall.