5 Cyber Security Threats Businesses are Facing in 2018

We all know the cyber security threat landscape is rapidly evolving, and it is a real struggle to keep pace with the threats, let alone get ahead of them, which is where we should ideally be.
Organisations, especially small to medium sized ones, have limited people, money and time to commit to all the areas they need to cover.
It is therefore vital that their approach to cyber security is focused on the areas that will have the greatest impact on threat prevention. Below are the most common cyber threats that organisations are likely to face, which should help to determine where protection efforts need to be focused. These threats are:
  • Socially Engineered Malware
  • Password Phishing
  • Unpatched Software
  • Social Media Threats
  • Advanced Persistent Threats

Socially engineered malware

Every year, hundreds of millions of successful attacks are carried out by socially engineered malware. A typical form is data-encrypting ransomware, delivered as an email attachment or as trojan horse software downloaded from a site hosting malware. The unsuspecting user is enticed into clicking a link or opening a document that installs the malware; often the user is even prompted to bypass a security control that would otherwise stop it (enabling macros in a document is the classic case). Once installed on the host, the malware can disable defences such as anti-virus and call back to its command and control servers, which leads on to the next stage of the attack: gathering and exfiltrating data, encrypting it, or spreading laterally to other machines.
Much of this activity needs elevated privileges on the host, so a user who works from a standard account day to day denies the malware a good deal of what it wants to do. Techniques that help prevent this type of threat include:
  • not using accounts with elevated privileges for daily tasks
  • continually educating users about these types of threats
  • deploying advanced endpoint protection
  • not relying solely on traditional anti-virus

Password phishing

Phishing has become a huge industry for cyber scammers, and by some estimates around 80% of global email is spam. The anti-spam techniques deployed by email providers are getting better at blocking it, but attackers constantly refine their approach and some inevitably still reaches users' inboxes. Most of us are so busy that we do not bother to hover over a link to check that the URL is genuine, and sometimes the message is so well crafted that the deception is easy to miss.
The best protection against phishing, apart from good anti-spam filtering, is user education combined with policies that require two-factor authentication such as smartcards, authenticator apps, hardware tokens or SMS codes. One caveat: an SMS or app code typed into a fake site can be relayed to the real site just like the password, so it raises the bar rather than removing the risk; methods bound to the genuine site (smartcards, hardware tokens) hold up better against phishing.
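The "hover over the link" check can also be done in code, and doing so makes clear what you are actually comparing. The script below is an added example, not part of the original post or of any vendor product: it parses the anchors out of an HTML email body, compares the domain the link text displays with the domain the href really points to, and flags the tricks phishers lean on (credentials before an @ in the URL, punycode hosts, raw IP addresses, plain http). The sample email body is constructed for the example and uses reserved example domains and documentation IP ranges.

```python
"""Compare where a link says it goes with where it actually goes.

Added example, not from the original post. The email body is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that looks like a bare domain or URL, e.g. "portal.example.com"
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude approximation of the registrable domain: the last two labels.
    Good enough for this comparison; public-suffix-aware code would do better."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the reasons this link looks suspicious; an empty list means it passed."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://portal.example.com@198.51.100.7/ really goes to the part after the '@'
        reasons.append("credentials-in-URL trick, real host is %s" % host)
    if RAW_IP.match(host):
        reasons.append("destination is a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host, possible look-alike domain")
    if parts.scheme == "http":
        reasons.append("plain http")
    shown = HOSTLIKE.match(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append("text shows %s but href goes to %s" % (shown.group(1).lower(), host))
    return reasons


def suspicious_links(html_body):
    """Return [(href, text, reasons)] for every link that failed at least one check."""
    parser = LinkExtractor()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample body: one honest link followed by three phishing-style ones.
SAMPLE_BODY = """
<p>Your invoice is ready at <a href="https://portal.example.com/inv/1">portal.example.com</a>.</p>
<p>Log in at <a href="https://login.example-secure.net/x">https://portal.example.com/login</a></p>
<p><a href="https://portal.example.com@198.51.100.7/p">Update payment details</a></p>
<p><a href="http://xn--pple-43d.example/">apple.example</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_BODY):
        print(href, "->", "; ".join(reasons))
```

The second link is the one most users fall for: the text is a perfectly plausible URL and only the href gives the game away. Run against a mail gateway's copy of the message, this sort of check can quarantine or rewrite links before the user ever sees them.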

Unpatched software

Unpatched software is a major threat because it carries known vulnerabilities that would be closed simply by applying the available patch. The problem is common in client applications such as web browsers and add-ons such as Adobe and Java, but it is just as common on servers. I am sure you have seen many instances where critical servers running core business systems are unpatched and carry literally hundreds of known vulnerabilities.
Patching needs to be part of routine IT operations, undertaken regularly and systematically, so that an easily avoidable exposure is in fact avoided. Where a patch cannot be applied promptly, for example because a business application has not yet been tested against it, the gap should be recorded and compensating controls put in place rather than the exposure being left open indefinitely.

Social media threats

Social media is pervasive and an essential part of an organisation's digital presence. It has therefore become a target for attackers looking to cause reputational damage or extort money from unsuspecting users and account owners. The threat can start as innocuously as a friend request or an application install and then develop into something completely different. One example is a reply to a post in which a visitor voices dissatisfaction with a service: the reply offers to help and redirects the person to a fake site that asks for their username and password, which are then used on the real social media site.
Yet again, user education is a must to protect against this type of threat, and two-factor authentication on the social media accounts themselves limits what a stolen password is worth.

Advanced Persistent Threats

Many large organisations have been the subject of advanced persistent threats, but that is not to say small and medium-sized organisations are unaffected. The attacker typically uses phishing or a trojan to compromise a single machine, then uses that foothold to extend their reach across the organisation, often stealing data within hours while remaining undetected for months.
The best way to combat advanced persistent threats is to deploy detection and protection capabilities that go beyond signatures. Typically such tools profile normal network traffic and user behaviour to create a baseline, against which anomalous behaviour can be detected and alerted on. The baseline itself needs care: it must be built from a period in which the attacker was not already present, and reviewed as the business changes, or the alerts will be noise.
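As an added example that is not part of the original post, the script below shows the baselining idea in its simplest useful form: take each host's daily outbound byte totals over a quiet period, summarise them with the median and the median absolute deviation (which a single spike cannot drag around the way a mean and standard deviation can), and then flag any later day whose total sits far outside that spread, or any host with no history at all. The flow totals, hostnames and dates are constructed for the example, and the threshold of 6 is illustrative rather than tuned.

```python
"""Baseline per-host outbound traffic and flag days that fall well outside it.

Added example, not from the original post. All flow totals are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed daily outbound byte totals: (host, day, bytes_out).
BASELINE_DAYS = {"2018-05-%02d" % d for d in range(1, 15)}   # 14 quiet days
FLOWS = []
for i, day in enumerate(sorted(BASELINE_DAYS)):
    FLOWS.append(("ws-finance-01", day, 180_000_000 + (i % 5) * 12_000_000))
    FLOWS.append(("ws-hr-07", day, 95_000_000 + (i % 3) * 9_000_000))
FLOWS += [
    ("ws-finance-01", "2018-05-15", 200_000_000),   # ordinary day
    ("ws-hr-07", "2018-05-15", 101_000_000),        # ordinary day
    ("ws-hr-07", "2018-05-16", 2_600_000_000),      # ~25x normal: exfiltration pattern
    ("ws-new-22", "2018-05-16", 50_000_000),        # never seen before
]


def build_baseline(records, baseline_days):
    """Per-host (median, MAD) of daily bytes_out over the baseline window."""
    per_host = defaultdict(list)
    for host, day, nbytes in records:
        if day in baseline_days:
            per_host[host].append(nbytes)
    baseline = {}
    for host, values in per_host.items():
        med = median(values)
        mad = median([abs(v - med) for v in values])
        baseline[host] = (med, mad)
    return baseline


def robust_z(value, med, mad):
    """How many 'robust standard deviations' value sits above the median.
    1.4826 * MAD approximates the standard deviation for normally distributed data;
    a MAD of 0 means the history was flat, so any change at all is surprising."""
    scale = 1.4826 * mad
    if scale == 0:
        return float("inf") if value != med else 0.0
    return (value - med) / scale


def detect(records, baseline, baseline_days, threshold=6.0):
    """Return alerts for records outside the baseline window that look anomalous."""
    alerts = []
    for host, day, nbytes in records:
        if day in baseline_days:
            continue
        if host not in baseline:
            alerts.append((host, day, "no baseline for this host (new or renamed device?)"))
            continue
        med, mad = baseline[host]
        z = robust_z(nbytes, med, mad)
        if z > threshold:
            alerts.append((host, day, "bytes_out %d is %.0f robust-z above the median of %d"
                           % (nbytes, z, med)))
    return alerts


def run():
    baseline = build_baseline(FLOWS, BASELINE_DAYS)
    return detect(FLOWS, baseline, BASELINE_DAYS)


if __name__ == "__main__":
    for host, day, why in run():
        print(host, day, why)
```

The HR workstation's 2.6 GB day is flagged even though it would have been unremarkable for a busy file server, because the comparison is against that host's own history rather than a network-wide figure. Commercial products extend the same idea to many more dimensions (destinations, ports, time of day, peer group) but the principle is what you see here.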
You may have noticed an underlying theme: the best way to mitigate most of these threats involves user awareness. Its benefits cannot be overstated, and there are some good, low-cost user training subscriptions that could save an organisation a great deal in the costs associated with a successful cyber attack.
It is also, however, very important to do the basics well: patching, endpoint protection, password policy and network security.

Is Cyber Security still a Maze?

InfoSecurity Europe 2018
I attended Infosec2018 this week at London Olympia. It was a vibrant event as you can imagine with every exhibitor enthusiastic to promote their wares. They were also eager to grab your details with their ‘GDPR compliant’ badge scanner. As a technologist of too many years to mention (I started in IT when 5-inch floppy discs were the rage), what really dawned on me is that it is understandable why many small businesses are not fully engaging in a comprehensive cyber security strategy.
There are many vendors with absolutely great solutions targeted at fixing particular problems or protecting a specific area of potential exposure, and of course there were many GDPR compliant or GDPR enabling solutions on view. The information security landscape is becoming more challenging as technology becomes more pervasive, as the attack surface grows and as the sophistication and scale of attacks grow to match.
Cyber Security really needs to be demystified to make it more accessible to organisations. What would have been really helpful from vendors is a common language of Cyber Security: a means of easily identifying where each vendor's solution sits in the Cyber Security stack and what it talks to vertically and horizontally.
This would be akin to placing their offering in a Cyber Security jigsaw puzzle so that organisations can clearly see where it sits, what problems it solves and, importantly, what problems it does not solve. Such an approach would make it easier for decision makers to engage and fully commit to adopting and implementing a comprehensive strategy for effective Cyber Security.
It has been an ongoing bugbear of mine that businesses don't easily have a conversation about their security needs. There are some obvious reasons for this, such as lack of resource, lack of understanding or no buy-in at senior management level. There is also a tendency to not want to do anything because "we've been OK so far despite all the doom and gloom".
This was reinforced in a very enlightening conversation I had with the team at the National Cyber Security Centre (the public face of GCHQ). They strongly advocated that cyber security ownership now has to be at CxO level in organisations. It will only be taken seriously, and the right strategy and resources put in place, when CxOs understand the business imperative of getting this right and the consequences of not doing what needs to be done.
He lamented the fact that too many organisations are sitting back and waiting until it’s too late before they do something.
He also advised, rightly so, that it was not actually so difficult to achieve a respectable level of Cyber Security. The NCSC have published guidance on this, the 10 Steps to Cyber Security, and it really is very straightforward, practical, actionable guidance.
I must say of all the people I spoke to during the day at Infosecurity, he was the most impassioned and engaged individual (long live our public services).
On a final note, one of my reasons for going to InfoSec was to research products that I think are unique and can fulfil customer needs. I actually met a supplier that has been named a Cool Vendor by Gartner. Being my usual cheeky self I said "you guys don't look cool"; however, after spending some time understanding what the product is able to do to expose Cyber Security gaps, I am convinced that every organisation connected to the Internet needs such a service. Literally within seconds of clicking a button you can test for a range of exposures and vulnerabilities. Lack of visibility is a challenge we all face when it comes to digital communication, but it is actually 'cool' if you can see your exposures and do something about them before it's too late. We are in the process of signing up with this cool vendor and will bring you news about the service in the near future.

Cyber Resilience | The Framework you Should Follow

Have you sometimes found yourself bewildered by the sheer volume of bad news out there, especially about emerging cyber threats and actual attacks? It is not uncommon to wonder when you will come under a similar threat or, worse still, whether it is happening already and you just haven't detected it yet. What would give us more comfort is knowing that we were cyber resilient to a large extent. Sure, nothing is ever 100% guaranteed, but it would be good to have a high level of confidence in our ability to survive such an eventuality.

So what would good cyber resiliency actually look like?

Cyber resiliency is really about keeping the business operational despite an attack or incident. It means the organisation has the systems, processes and controls in place to detect an attack, contain it, recover or maintain operations despite it, and clean up the affected systems.
Some specific objectives of cyber resilience include the following:
  • Prevention – apply basic cyber protection mechanisms as well as more advanced security controls to reduce the risk, and apply threat intelligence to keep the protection relevant
  • Cyber response preparation – create and maintain cyber incident scenarios to train staff and maintain a good level of readiness, so that if an incident happens there is a plan and people know what to do
  • Minimise service degradation – in the event of an attack
  • Identify potential damage – and change resources to limit further damage
  • Maintain trust relationships – and review the trust placed in restored systems
  • Effective controls – understand the effectiveness of cyber security controls in relation to the nature of the adversaries
  • Review systems architecture – and restructure to reduce risks
NIST has published recommendations that can help with achieving cyber resilience (Special Publication 800-160 Volume 2, which builds on MITRE's Cyber Resiliency Engineering Framework), and some of its techniques are outlined below.
A word of caution: this is not for the faint hearted, as it reads as if from a military manual.
Adaptive Response – maximise the ability to respond in a timely and appropriate manner to adverse conditions, thus limiting business impact and maintaining operations.
Analytic Monitoring – maximise the ability to detect attacks through extensive monitoring that can reveal the extent and scope of an attack. We have seen how AI and machine learning are playing an increasing role in this area.
Coordinated Protection – implement a range of protection measures following defence in depth principles, so that an attack must overcome multiple mechanisms in order to succeed.
Deception – mislead the attacker about the environment, for example with decoy systems and accounts (honeypots and honeytokens) or by obscuring which assets are the real critical ones, so that attackers waste effort and reveal themselves when they touch the decoys.
Diversity – reduce the likelihood that one attack succeeds against many identical, replicated systems, forcing attackers to breach different systems and develop multiple variants of their malware.
Dynamic Positioning – distribute and dynamically relocate system resources. This is easily achieved in a resilient cloud environment and goes a long way to supporting recovery and continuity, as well as making it harder for attackers to map the infrastructure topology.
Non-Persistence – generate resources only as needed and retire them afterwards, so that a foothold or backdoor left on an unused resource does not survive.
Privilege Restriction – restrict access privileges based on attributes of users and systems as well as environmental considerations, i.e. do not grant admin rights to a user connected from an Internet café or from a country you have no business with.
Redundancy – provide multiple instances of critical business systems to aid recovery from failure of the primary systems.
Segmentation – define and separate elements of your systems based on their criticality, and assign permissions accordingly. This helps to prevent the spread of malware and gives further protection to critical systems.
Unpredictability – make random and unpredictable changes to increase uncertainty for attackers, making it more difficult for them to plan their attack sequence.
Put together, these techniques go a long way towards a high degree of cyber resiliency, which results in the ability to manage cyber risk and maintain operational services, especially in times of persistent attack.

How to protect your information assets with technology

Having GDPR compliant processes and procedures is an essential and fundamental part of ensuring a robust data security and management regime is implemented in your organisation. An equally important component of compliance is having the right tools in place to support the necessary management, security and monitoring of data assets. This means you need information at your fingertips about what is happening with your data and your IT infrastructure in general. The technology involved can be quite extensive depending on your environment, but we will focus on just a few elements that are network and device centric. Additional controls will inevitably exist at the application and database levels of your infrastructure.
GDPR requirements include breach detection and notification, and this is an area where most organisations will need to dramatically improve their approach. Most successful breaches steal data within hours, while industry breach reports have put the average time to detect in the region of 100 days, so you can see there is a large gap to be bridged. While the investment and skilled resources to bridge it instantaneously may not be available, there are some basic and effective starting points that can bring dramatic and immediate benefits.

Endpoint Security

An effective endpoint security solution will monitor for threats, block them from compromising the endpoint and stop them propagating across your network. Today's endpoint security must go beyond traditional anti-virus because of the sophistication and ever-changing nature of cyber attacks: a product that relies only on signatures of known attacks will be ineffective against malware that adapts to evade signature-based detection. An advanced endpoint solution can analyse suspicious files, watch for malicious behaviour at runtime and consult up-to-the-second threat intelligence in the cloud to block attacks that a conventional product would not notice.
Enhancing endpoint security is, therefore, a quick win for organisations looking to significantly improve their security posture at a relatively low cost.

Perimeter Security and threat management

Ask yourself this question: do you know what traffic is coming into or going out of your network? Do you have visibility of what is happening?
Perimeter security has for a long time been about blocking incoming traffic and less about seeing what is going out. Yet most attacks rely on outbound connections: callbacks to command and control or malware-hosting sites, and the exfiltration of data.
Implementing effective perimeter security and advanced threat management will go a long way to dramatically reducing unwitting interaction between an organisation's users or endpoints and known malicious sites. Such a solution must also be good at blocking attempted intrusions and at scanning file content for threats before allowing access. Many organisations still have traditional firewalls, or have purchased newer devices with advanced features that are yet to be enabled. With the increased regulatory regime of GDPR, it is imperative that the necessary levels of security and threat management are actually switched on and tuned on these platforms. If they do not have the capabilities, they simply need to be replaced with platforms that have a chance of providing protection in the ever-changing threat landscape.

Event Logging and Management

Good IT management necessitates a security event management tool. It will prove invaluable for monitoring, reporting on and investigating IT-related activity in an organisation.
It can be effective in detecting and preventing attacks by correlating activity and alerts from a number of sources, which helps to determine the chronology and scope of a security event and its root cause. The same tool plays a key role in reporting on a breach, because the logs can be analysed to determine the sequence of events and the scope of what was accessed. This directly supports the GDPR requirement to notify the authorities of a breach, which asks for exactly that information. For the correlation to be trustworthy, the sources need synchronised clocks and the logs need to be shipped off the originating systems promptly, so that an attacker who gains control of a host cannot quietly edit its history.
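To make the correlation concrete, the example below (added here, not from the original post) normalises three constructed log sources, a firewall, a domain controller and an endpoint agent, into one event shape, then starts from the endpoint alert and pulls in everything within an hour that touched the same host, following the accounts seen on it to any other hosts they logged on to. The result is the ordered timeline, the set of hosts and accounts involved and the volume that left the network, which is most of what a breach notification will ask for. Hostnames, addresses and log formats are invented for the example; real formats differ per product but the approach is the same.

```python
"""Correlate events from three log sources into one incident timeline.

Added example, not from the original post. Log lines, hostnames and
addresses are constructed; real log formats differ per product.
"""
import re
from datetime import datetime, timedelta

FIREWALL = [  # constructed: perimeter firewall, allowed outbound flows
    "2018-05-14T09:12:03Z fw01 ALLOW src=10.0.4.21 dst=203.0.113.9 dport=443 bytes=1843221",
    "2018-05-14T09:40:51Z fw01 ALLOW src=10.0.4.21 dst=203.0.113.9 dport=443 bytes=912002331",
    "2018-05-14T09:41:10Z fw01 ALLOW src=10.0.4.30 dst=198.51.100.20 dport=443 bytes=20311",
]
AUTH = [  # constructed: domain controller logon events
    "2018-05-14T09:05:44Z dc01 LOGON user=j.smith host=ws-hr-07 type=interactive result=success",
    "2018-05-14T09:31:02Z dc01 LOGON user=svc-backup host=ws-hr-07 type=network result=success",
    "2018-05-14T09:33:19Z dc01 LOGON user=svc-backup host=fs-01 type=network result=success",
]
ENDPOINT = [  # constructed: endpoint agent alert
    "2018-05-14T09:11:30Z ws-hr-07 MALWARE_DETECTED file=invoice_3391.docm user=j.smith action=quarantine_failed",
]
ASSETS = {"10.0.4.21": "ws-hr-07", "10.0.4.30": "ws-fin-02", "10.0.4.40": "fs-01"}  # IP -> hostname

KV = re.compile(r"(\w+)=(\S+)")


def parse(line, source):
    """Normalise one raw line into a common event shape."""
    ts, reporter, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    action = rest.split(" ", 1)[0]
    if source == "firewall":                      # the host is the internal source address
        host = ASSETS.get(fields["src"], fields["src"])
    elif source == "auth":                        # the DC reports on behalf of the workstation
        host = fields["host"]
    else:                                         # the endpoint agent reports about itself
        host = reporter
    return {"when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source,
            "host": host, "user": fields.get("user"), "action": action, "fields": fields}


def normalise():
    """All sources as one time-ordered list of events."""
    events = ([parse(l, "firewall") for l in FIREWALL] + [parse(l, "auth") for l in AUTH]
              + [parse(l, "endpoint") for l in ENDPOINT])
    return sorted(events, key=lambda e: e["when"])


def incident_scope(events, seed_host, window=timedelta(hours=1)):
    """Starting from the endpoint alert on seed_host, collect everything within
    the window that touched that host, then follow the accounts seen there to
    any other hosts they logged on to. Returns the timeline and the scope."""
    anchor = min(e["when"] for e in events
                 if e["host"] == seed_host and e["source"] == "endpoint")
    in_window = [e for e in events if anchor - window <= e["when"] <= anchor + window]
    users = {e["user"] for e in in_window if e["host"] == seed_host and e["user"]}
    hosts = {seed_host} | {e["host"] for e in in_window if e["user"] in users}
    timeline = [e for e in in_window if e["host"] in hosts]
    bytes_out = sum(int(e["fields"].get("bytes", 0))
                    for e in timeline if e["source"] == "firewall")
    return {"anchor": anchor, "hosts": hosts, "users": users,
            "timeline": timeline, "bytes_out": bytes_out}


if __name__ == "__main__":
    scope = incident_scope(normalise(), "ws-hr-07")
    for e in scope["timeline"]:
        print(e["when"].isoformat(), e["source"], e["host"], e["user"] or "-", e["action"])
    print("hosts:", sorted(scope["hosts"]), "users:", sorted(scope["users"]),
          "bytes out:", scope["bytes_out"])
```

Read top to bottom, the timeline tells the story the individual logs could not: a user opens a document the agent fails to quarantine, the workstation starts talking to an external address, a service account appears on the workstation and then on the file server, and roughly 900 MB leaves the network half an hour later. The finance workstation's traffic is correctly left out of scope because nothing links it to the affected accounts.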
Correctly specified and implemented technology will have a major role to play in achieving and maintaining good data security standards.

GDPR compliance: technology and data handling explained

The GDPR regulation is ultimately about good data/information management and governance. Though many organisations acknowledged previous iterations of data protection regulation, GDPR demands that everyone step up their game and take responsibility or face severe consequences. The innovative use of technology aligned with the data handling processes and procedures will go a long way to achieve and maintain GDPR compliance.
Compliance with GDPR has strong data governance at its foundation.
Data governance should have executive ownership at its core and requires that a strong commitment is communicated and acted upon. It involves auditing and risk management, where data is identified, classified and managed in a controlled manner. Technology can be used to automate and scale this process, especially where data volumes are extensive.

Data analysis and classification

One of the early steps on the GDPR journey is analysing the data that is held and identifying and tagging personal data. Organisations may hold a combination of structured and unstructured data, and data is often held in multiple locations because multiple copies of records are made. Once identified, personal data needs to be tagged and the pieces that relate to the same individual linked together. Systems will then also need to manage the consent element of GDPR, so that everything held about an individual can be collated and handled in accordance with the access and consent requirements of the regulation.
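As an added example (not from the original post), the script below does the first part of this in miniature: it scans a constructed CRM export and constructed support-ticket text for two kinds of personal data, email addresses and UK-style phone numbers, records exactly where each occurrence lives, and links every occurrence back to the individual whose CRM record carries that contact detail, leaving anything it cannot link in a separate pile for a human to review. The detection patterns are deliberately simple and all names and contact details are invented; a real inventory needs many more categories (names, addresses, identifiers, free-text mentions) and usually a dedicated discovery tool.

```python
"""Find, tag and link personal data across structured and unstructured stores.

Added example, not from the original post. Records, people and contact
details are constructed; the patterns are simplified illustrations.
"""
import re
from collections import defaultdict

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
UK_PHONE = re.compile(r"(?:\+44\s?|0)(?:\d\s?){9,10}")   # simplified: 0xxxx... or +44 forms
PATTERNS = {"email": EMAIL, "phone": UK_PHONE}

# Constructed structured store: rows from a CRM export.
CRM_ROWS = [
    {"customer_id": 1001, "name": "Priya Shah", "email": "Priya.Shah@example.org",
     "phone": "07700 900123", "plan": "gold"},
    {"customer_id": 1002, "name": "Tom Baker", "email": "tom.baker@example.net",
     "phone": "", "plan": "silver"},
]
# Constructed unstructured store: free-text support tickets.
TICKETS = [
    ("T-501", "Customer priya.shah@example.org says her invoice is wrong, call back on 07700 900123."),
    ("T-502", "Printer on floor 3 jammed again, no customer involved."),
    ("T-503", "Tom Baker (tom.baker@example.net) asked for a copy of all data we hold on him."),
    ("T-504", "Lead from ana.lopez@example.com wants a quote."),   # not a CRM customer
]


def normalise_key(kind, value):
    """Canonical form so 'Priya.Shah@...' and 'priya.shah@...' link to one person."""
    if kind == "email":
        return value.strip().lower()
    return re.sub(r"\D", "", value)          # phone: digits only


def scan_structured(rows, store):
    """Yield (kind, key, location) for every cell that is wholly a personal-data value."""
    for row in rows:
        for col, val in row.items():
            if not isinstance(val, str) or not val:
                continue
            for kind, pat in PATTERNS.items():
                if pat.fullmatch(val.strip()):
                    yield kind, normalise_key(kind, val), "%s:%s:%s" % (store, row["customer_id"], col)


def scan_unstructured(docs, store):
    """Yield (kind, key, location) for every match inside free text, with its offset."""
    for doc_id, text in docs:
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                yield kind, normalise_key(kind, m.group()), "%s:%s@%d" % (store, doc_id, m.start())


def build_inventory():
    """Map each known individual (keyed by CRM email) to every place their data appears.
    Returns (individuals, unlinked): unlinked hits need a human to decide who they belong to."""
    individuals = {}
    for row in CRM_ROWS:
        email_key = normalise_key("email", row["email"])
        keys = {("email", email_key)}
        if row.get("phone"):
            keys.add(("phone", normalise_key("phone", row["phone"])))
        individuals[email_key] = {"keys": keys, "locations": set()}
    key_to_person = {k: person for person, rec in individuals.items() for k in rec["keys"]}

    unlinked = set()
    hits = list(scan_structured(CRM_ROWS, "crm")) + list(scan_unstructured(TICKETS, "tickets"))
    for kind, key, loc in hits:
        person = key_to_person.get((kind, key))
        if person is None:
            unlinked.add((kind, key, loc))
        else:
            individuals[person]["locations"].add(loc)
    return individuals, unlinked


if __name__ == "__main__":
    inventory, unlinked = build_inventory()
    for person, rec in inventory.items():
        print(person, "->", sorted(rec["locations"]))
    print("unlinked:", sorted(unlinked))
```

The location strings are the point: a subject access request or an erasure request for Priya Shah can now be answered against four concrete places (two CRM cells and two offsets in one ticket) rather than a guess, and the unlinked hit on ticket T-504 is exactly the kind of personal data held outside the system of record that organisations tend to forget they have.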

Data management and security

Systems need to be in place that manage data quality throughout its lifecycle. Data location needs to be accurate, duplicates need to be detected, and records need to be accurate and kept up to date, including corrections, amendments and deletions when requested, which extends to backup copies that are no longer required.
To support the data security requirements, system functionality needs to be in place that manages data records, including encryption, deduplication, backup, deletion and providing access to complete records in a transferable format. Applications that manage the data also need to be secure, ensuring that user access policies are enforced and users do not get access to data they are not authorised to see. Manual processes are likely to be inadequate, and technology will inevitably need to be in place to support this requirement.
In a cloud environment this will need to be provided by cloud providers whose systems are GDPR compliant. The organisation, however, remains responsible for securing the data and policing user access irrespective of the cloud provider's security controls. For an on-premises deployment, the organisation has total responsibility for ensuring the systems are in place.

Breach detection, response and reporting

GDPR requires that certain types of breaches are notified to the relevant authority within 72 hours of the organisation becoming aware of them. The notification also requires details of the breach, such as the categories and approximate number of individuals and records affected, the likely consequences, the risks to the individuals, and the measures taken or proposed to address the breach. To fully comply with this requirement, organisations will need to have excellent cyber security protection mechanisms and controls in place, including at least the following components:
  • Network Security to ensure only authorised devices are able to access the networks
  • User authentication mechanisms to ensure only authorised users have access to systems
  • Intrusion Prevention Systems that detect and block unauthorised network access
  • Monitoring systems to identify and alert if unauthorised activities are detected
  • Logging capabilities to ensure all activity is logged and the information is available to undertake a forensic investigation should the need arise
These are just a few areas where technology applied effectively will greatly assist with GDPR compliance. Implementing the above technologies may well require additional investment if the systems are not yet in place, or it may just be a case of fine-tuning and optimising systems that are already in place.
Inevitably changes need to be made if anything more than lip service is to be paid to GDPR. There is, however, a positive spin on GDPR because it’s not about preventing business but about handling data properly, which must be a good thing for all concerned.

What is GDPR? 6 question you need to answer before the deadline

Why is GDPR necessary?

Regulations such as GDPR have come about as a consequence of technology. The increasing storage of private data over decades has led to concerns over individual privacy. Technology has meant that there is a risk that privacy could be trampled on or sensitive user data accessed inappropriately.
Worse still, data could be stolen and used for criminal activity. In essence, regulation is ultimately about protecting individual privacy and individual rights from abuse or misuse of technology.

Why has technology become a problem?

Technology has been deployed over the decades initially as a solution to a business problem. Latterly, technology has been deployed as a fundamental part of the business fabric without which most businesses would cease to operate. In the age of digitisation technology in some instances is the business. Technology has however been deployed in a haphazard manner without security at its core and in many instances, organisations are playing catch up as opposed to having security as part of their core design.

So how is GDPR different to other regulations?

GDPR aims to compel organisations to protect individual privacy by ensuring that those handling personal data are competent: only storing the data that is essential, enforcing a policy that allows access only to the relevant people, and having systems in place to protect against and detect unauthorised access.
GDPR gives real teeth to data regulators in terms of enforcement powers, including significant fines. It also extends responsibility globally: any organisation that processes the personal data of individuals in the EU is in scope, wherever it is based.

What do businesses need to do to comply with GDPR?

In order to comply with GDPR, organisations need to do the following:
  • Awareness – ensure everyone in your organisation knows about GDPR
  • Information – document what personal data you hold, where it came from and who you share it with
  • Privacy and rights – ensure procedures cover individuals' rights
  • Subject access requests – update procedures to handle access requests
  • Lawful basis – identify your lawful basis for processing data
  • Consent – review how you seek, record and manage consent
  • Children – ensure you can verify ages and obtain parental consent where services are offered to children
  • Breaches – ensure you have a plan and procedures to detect, report and investigate them
  • Impact assessment – plan to undertake data protection impact assessments in accordance with ICO guidance
  • Data Protection Officer – designate a DPO where the regulation requires one, and in any case make someone responsible for data protection
That is it in a nutshell. It is obviously much more involved in practice. The Information Commissioner's website is a great resource for understanding what needs to be done and how to do it.

What are the benefits of becoming GDPR compliant?

Achieving compliance with GDPR has a number of direct and indirect benefits, although there is of course a cost, in time and money, to getting there.
Being compliant is a strong indication that the organisation is processing data in a robust way that follows best practice. This should mean that organisations:
  • are more likely to protect sensitive data, and thus individual privacy and rights
  • are less likely to be breached, as they will have better security in place
  • are more likely to detect security breaches
  • will be able to respond satisfactorily to individuals' information requests
There is an increasing trend for organisations to require their supply chain to confirm compliance with GDPR. This will become a differentiator, enabling GDPR compliant organisations to be viewed more credibly.

What are the consequences of not complying with GDPR?

Non-compliance with GDPR can have quite severe consequences over time. These could include being excluded from business opportunities, as well as the punitive measures that may result from an ICO investigation if an organisation is found wanting in its approach to compliance.
Analysts are also predicting that after PPI claims expire next year, GDPR breaches will spawn a new chapter in the claims culture that could run for decades. Compliance with GDPR should be seen as a business opportunity and approached positively in terms of the benefits that it might bring to organisations.


What’s HOT What’s NOT: Cyber Security 2018

What are the main cyber security trends and focus areas for IT Managers and Chief Security Officers so far in 2018?

One thing we know for sure is that cyber security won't be taking a lower profile as IT embeds itself at the core of organisations and becomes a true business enabler. When IT is at the core of the organisation, any glitch has a profound business impact. It is therefore beneficial to be able to focus limited resources and effort on the priorities that will really make the biggest difference.
So the question is: what will be HOT and what will NOT in 2018? The list below, while not exhaustive, gives a focus on what you should be prioritising.

HOT

  • GDPR
  • Ransomware
  • Cloud

NOT

  • Anti-Virus
  • VPNs

HOT: GDPR

25th May 2018 is the date from which the GDPR applies. The regulation affects literally every organisation that holds personal data, and with the increased powers for investigation and enforcement, firms that do not comply could face severe penalties.
GDPR must therefore be high on the list of business priorities, and a comprehensive approach to compliance will necessitate a thorough review of policy, process and technology.
In a recent article we discovered that 52% of medium-sized businesses have NOT made changes or prepared for GDPR!

NOT: Anti-Virus

In the face of a new breed of sophisticated, adaptable cyber attacks, traditional Anti-Virus is becoming redundant. The traditional approach is based on signatures, which means it relies on a threat having already been detected somewhere and an update propagated to clients before the attack reaches you.
Organisations need multiple layers of protection to stand any chance of detecting and blocking new threats, some of which can dynamically probe and adapt to the host environment.
Anti-Virus is still worth having, especially if it also monitors for abnormal behaviour, but if it is your primary line of defence, expect the worst. As Robert Mueller put it, you will be attacked; depending solely on Anti-Virus only makes it likely to happen sooner and more often.

HOT: Ransomware

2017 saw the global spread of the ransomware variants WannaCry and Nyetya (also known as NotPetya). WannaCry left significant parts of the NHS powerless, while Nyetya caused major losses for businesses: FedEx counted losses in excess of $300m and at one stage had to resort to WhatsApp for internal communications because its email systems were compromised.
The ransomware 'business model' has stepped up a notch with ransomware now available to buy as a service. The picture of the attacker has suddenly changed from the stereotypical hoody-wearing geek to just about anyone who can pay with some Bitcoin.
Ransomware has been the most profitable form of cyber attack to date, and franchising it has cemented its pole position as the number one threat in 2018.

NOT: VPNs

Statistics indicate that nearly 50% of workforces are mobile, meaning they access their organisation's IT applications from locations remote from the organisation's offices. The ubiquitous VPN has been the secure way of connecting.
With the various flavours in use and an increasing range of users requiring connections, VPNs are becoming a greater management overhead and an increasing security risk, especially if the controls are not kept up to date with the threats. A traditional VPN also tends to drop the remote user onto the internal network wholesale, so a compromised laptop gets the same reach as a desk in the office.
A need for a more sophisticated and granular method of providing remote access is emerging, in which users are connected only to what they require, when they require it, and their security posture is established before they are allowed any connectivity at all.
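An added example, not from the original posts, of the kind of access decision this implies. It also covers the Privilege Restriction technique in the cyber resilience list earlier on this page: access is granted per application and per privilege level only when the user, the device and the connection all satisfy a rule, so admin rights are refused to a user coming from an Internet café even though the same user is allowed ordinary access to the finance application from there, and a request nothing covers is denied by default. The users, groups, applications, network ranges and rules are all invented for the example.

```python
"""Attribute-based access decision: who, on what device, from where, to what, at what level.

Added example, not from the original posts. Users, devices, applications,
address ranges and rules are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    user: str
    groups: set
    device_managed: bool      # enrolled in the organisation's device management
    device_patched: bool      # posture check passed (OS and critical apps current)
    mfa: bool                 # second factor completed for this session
    src_ip: str
    country: str
    app: str
    privilege: str            # "user" or "admin"


@dataclass
class Rule:
    name: str
    apps: set
    privilege: str
    groups: set
    require_managed: bool = True
    require_patched: bool = True
    require_mfa: bool = True
    allowed_countries: set = field(default_factory=lambda: {"GB"})
    allowed_networks: list = field(default_factory=list)   # empty = from anywhere


# Constructed policy: admin tooling only from the corporate network, ordinary finance
# access from anywhere in GB on a healthy managed device, webmail even from unmanaged devices.
POLICY = [
    Rule("helpdesk-admin", {"ad-admin"}, "admin", {"it-admins"}, allowed_networks=["10.0.0.0/8"]),
    Rule("finance-app", {"finance"}, "user", {"finance", "it-admins"}),
    Rule("webmail", {"webmail"}, "user", {"staff"}, require_managed=False, require_patched=False),
]


def evaluate(req, policy=POLICY):
    """Return (decision, reasons). Default deny: a request must satisfy one rule completely."""
    reasons = []
    for rule in policy:
        if req.app not in rule.apps or req.privilege != rule.privilege:
            continue
        failures = []
        if not req.groups & rule.groups:
            failures.append("user not in an allowed group")
        if rule.require_mfa and not req.mfa:
            failures.append("MFA not completed")
        if rule.require_managed and not req.device_managed:
            failures.append("device is not managed")
        if rule.require_patched and not req.device_patched:
            failures.append("device missing patches")
        if req.country not in rule.allowed_countries:
            failures.append("country %s not permitted" % req.country)
        if rule.allowed_networks and not any(ip_address(req.src_ip) in ip_network(n)
                                             for n in rule.allowed_networks):
            failures.append("source %s outside permitted networks" % req.src_ip)
        if not failures:
            return "ALLOW", ["matched rule %s" % rule.name]
        reasons.append("%s: %s" % (rule.name, "; ".join(failures)))
    return "DENY", reasons or ["no rule covers %s/%s" % (req.app, req.privilege)]


# Constructed requests exercising the policy.
ADMIN_AT_DESK = Request("a.jones", {"it-admins", "staff"}, True, True, True, "10.0.4.21", "GB", "ad-admin", "admin")
ADMIN_IN_CAFE = Request("a.jones", {"it-admins", "staff"}, True, True, True, "203.0.113.55", "GB", "ad-admin", "admin")
ADMIN_CAFE_FINANCE = Request("a.jones", {"it-admins", "staff"}, True, True, True, "203.0.113.55", "GB", "finance", "user")
STAFF_BYOD_WEBMAIL = Request("p.khan", {"staff"}, False, False, True, "198.51.100.9", "GB", "webmail", "user")
STAFF_ABROAD = Request("p.khan", {"staff"}, False, False, True, "192.0.2.77", "RU", "webmail", "user")
FINANCE_UNPATCHED = Request("m.ross", {"finance", "staff"}, True, False, True, "10.0.7.3", "GB", "finance", "user")

if __name__ == "__main__":
    for req in (ADMIN_AT_DESK, ADMIN_IN_CAFE, ADMIN_CAFE_FINANCE,
                STAFF_BYOD_WEBMAIL, STAFF_ABROAD, FINANCE_UNPATCHED):
        decision, why = evaluate(req)
        print(req.user, req.app, req.privilege, "->", decision, "|", "; ".join(why))
```

The same administrator gets three different answers in the space of a few minutes depending on where they are and what they ask for, which is the "only what they require, when they require it" behaviour described above, and the reasons returned with each denial are what the help desk needs to tell the user what to fix (patch the laptop, come in to the office) rather than just "access denied".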

HOT: Cloud

Organisations, having realised the benefits of cloud adoption, have embraced it while mitigating the risks as best they can. The benefits of the cloud in many instances include lower operational costs, agility, increased resilience and scalability.
Cloud adoption is also well suited to the growth of a mobile workforce who need anytime, anywhere access to their applications. Securing cloud data and user access is, however, an area of cloud implementation that businesses have not paid sufficient attention to, and it is emerging as a focus area.
Technologies such as secure DNS and the secure Internet gateway are solutions that are highly likely to gain a lot of traction as organisations audit and protect cloud connectivity from a range of emerging cyber threats.

There will inevitably be questions about security topics such as blockchain, IoT and phishing, to name just a few. Let us know how your list would be different.

Trial Cisco Umbrella for 14 Days, completely free and no obligations!

If you have read the last few updates you should now have a deeper understanding of cloud security. That's great! But what can YOU do about it?

We are offering a 14 day trial of Cisco Umbrella, the industry’s first Secure Internet Gateway in the cloud.

Cisco Umbrella provides the first line of defence against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.

It takes no time to install and you don’t have to provide any payment details (or even have a phone call).

So what’s to lose? 

Want a Quick Win? Secure your DNS

Ransomware is currently the number one form of cyber attack because of its profitability and its simplicity to execute. It has evolved into a business model in which any 'Joe Bloggs' can rent ransomware code for a monthly fee: ransomware as a service. Ransomware thrives partly because of Bitcoin and the pseudonymity it gives attackers, who are paid through cryptocurrency transactions that are hard to tie back to a real identity (the transactions themselves are recorded on a public ledger, so they are not untraceable). The stages of a typical ransomware attack are;

  • Stage 1 – Infection

Ransomware starts with the infection of a host by malware, typically delivered by a phishing email or by a website hosting the malware.

  • Stage 2 – Command and control setup stage

The malware contacts its command and control (C2) infrastructure to obtain or register the key that will be used to encrypt the files on the infected host.

  • Stage 3 – Extortion stage

A ransom is demanded and paid, after which the victim 'hopefully' receives the key to decrypt the encrypted files.

Ransomware is constantly evolving, and not having been breached yet is no guarantee that it won't happen in the future.

Many organisations use hope and obscurity as their risk mitigation strategy against ransomware, assuming that because they are small and have not been attacked yet, they will not be. The fact is that the supply chain is now an increasing focus of malware attacks, as a means of reaching the valuable data of larger enterprises through the back door of their smaller suppliers.

Anti-Ransomware Best Practices

As with every effective security approach, you need a policy and a risk assessment of the threats; this is a given before we get into the type of approach and solutions that need to be in place. Please see some of our previous blogs or check the NCSC website for invaluable resources.

Phishing can be very sophisticated, making it hard to tell whether a link is bad or not. Effective protection cannot rely solely on end users; it must be engineered into the system, with the right protection mechanisms correctly configured.

To start with, you need good anti-spam, anti-phishing and web controls over your Internet traffic; these could be incorporated into a good endpoint protection solution. Use an email and malware analysis gateway to inspect executables for malware. The gateway should be configured to block files if there is any doubt about their authenticity. It is better to stop or delay web downloads so that they can be inspected and properly classified than to run the risk of infection.

Phishing is reported to feature in 78% of attacks, and a phishing lure frequently delivers an exploit for a known vulnerability. It is therefore worth correlating known exploits with the vulnerabilities present in your organisation and prioritising patching according to which vulnerabilities are actually being exploited.

Use network analysis and visibility tools to analyse traffic on the network so you can see what is changing and be alerted to abnormal behaviour.

If you do get infected, have effective backup and DR policies and processes in place, and ensure that the recovery procedure has been tested and works. Keep at least one copy of the backups offline or otherwise isolated from the network: ransomware that can reach a backup share will encrypt it too.

DNS Security is the Quick Win

DNS is reported to be used at some stage in 92% of cyber attacks. Securing DNS is therefore one of the greatest opportunities to protect your network while having an immediate impact.

What if your systems knew, at the point of DNS resolution, that the URL a client is trying to access belongs to a bad site hosting malware? You could simply refuse to resolve it and prevent any interaction with the malware in the first place. This form of protection is immediate and has negligible impact on client or application performance, since the check happens on the DNS lookup that has to take place anyway.

A web-based infection is usually a two-step process. First the browser is redirected to another domain hosting an exploit kit, which finds a vulnerability in, say, Flash or Silverlight and drops the malware. The malware then makes a command and control (CnC) callback, using DNS resolution to find its server, in order to obtain an encryption key. Until the CnC connection happens, no damage has been done.

Analysis has shown that most ransomware performs a DNS callback, and the ransom payment notification also relies on DNS. The ability to block a malware connection through DNS security at one step or another of the malware execution process can therefore prove to be one of the most effective ways to implement malware protection. The caveat is that some ransomware families carry their key material with them and can encrypt without ever calling home, so DNS control should be one layer among several rather than the only one.

An effective DNS security control can also identify the endpoints attempting the malware connection, which feeds directly into the clean-up and mitigation plan.
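The blocking-at-resolution and endpoint identification described above, as an added example that is not part of the original post and is not Cisco Umbrella's code: a minimal resolver-side policy check in Python, run over a constructed query log. The blocklist zones, client addresses and sinkhole address are hypothetical; a real deployment would refresh the list from a threat intelligence feed rather than hard-code it.

```python
"""Added example, not the original post's or Cisco Umbrella's code: a
resolver-side DNS policy check run over a constructed query log.
Blocklist zones, client addresses and the sinkhole address are hypothetical."""
from collections import defaultdict

# Hypothetical known-malicious zones, one per attack stage in the text.
# A real deployment refreshes this set from a threat intelligence feed.
BLOCKED_ZONES = {
    "evil-kit.example",     # stage 1: exploit-kit landing domain
    "cnc-beacon.example",   # stage 2: command and control callback
    "payme-now.example",    # stage 3: ransom payment portal
}

# Answer handed back instead of the real address: the connection then goes
# nowhere, but the attempt stays visible in the logs.
SINKHOLE = "10.255.255.1"


def zone_match(qname, zones):
    """Return the blocked zone that qname equals or sits under, else None.

    Matching is on label boundaries, so 'notevil-kit.example' does not
    match 'evil-kit.example'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def apply_policy(qname, zones=BLOCKED_ZONES):
    """Decide one query: ('block', sinkhole, zone) or ('resolve', None, None)."""
    hit = zone_match(qname, zones)
    if hit:
        return ("block", SINKHOLE, hit)
    return ("resolve", None, None)


def process_log(lines, zones=BLOCKED_ZONES):
    """Apply the policy to 'time client qname' lines.

    Returns the per-query decisions and, for the clean-up plan, every
    endpoint that attempted a blocked lookup together with what it asked for.
    """
    decisions = []
    attempts = defaultdict(list)
    for line in lines:
        ts, client, qname = line.split()
        action, _answer, zone = apply_policy(qname, zones)
        decisions.append((ts, client, qname, action))
        if action == "block":
            attempts[client].append((ts, qname, zone))
    return decisions, dict(attempts)


# Constructed log, not real traffic: one host walks through all three stages.
SAMPLE_LOG = [
    "09:00:01 10.1.2.33 www.example.org",
    "09:00:04 10.1.2.33 ads.evil-kit.example",
    "09:00:09 10.1.2.33 k3y.cnc-beacon.example.",
    "09:00:10 10.1.2.57 notevil-kit.example",
    "09:05:30 10.1.2.33 pay.payme-now.example",
    "09:06:00 10.1.2.57 mail.example.org",
]


def infected_endpoints(lines=SAMPLE_LOG, zones=BLOCKED_ZONES):
    """Clients that tried to reach a blocked zone, sorted for reporting."""
    _decisions, attempts = process_log(lines, zones)
    return sorted(attempts)


if __name__ == "__main__":
    decisions, attempts = process_log(SAMPLE_LOG)
    for ts, client, qname, action in decisions:
        print(f"{ts} {client:<10} {action:<7} {qname}")
    for client in infected_endpoints():
        first = attempts[client][0]
        print(f"clean-up: {client} first blocked at {first[0]} ({first[2]})")
```

The suffix match walks the labels from the left so that any name under a blocked zone is caught, while a lookalike such as `notevil-kit.example` still resolves; the returned sinkhole address is what lets the blocked host be seen attempting the connection later in firewall logs as well.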

An important additional service is the ability to query domains and file hashes against a central intelligence platform holding up-to-the-minute data on bad domains, so that your security incident response team can conduct investigations independently of any infection. For instance, if a host keeps issuing DNS queries for a site in Russia and you have no business relationship in Russia, that is something you should investigate.

Another challenge is the decentralised nature of organisations, driven by remote working and the increasing importance of branch offices. Mobile devices such as laptops are the devices on which user changes are most likely to compromise security; around 80% of remote workers disable their VPN when they browse the web. A DNS-based security mechanism that is configured on the device itself maintains the security posture of these remote workers, who still benefit from this form of protection even with the VPN disabled. DNS security can protect any device that resolves names, including IoT, guest devices and roaming clients.

Correctly implemented, DNS security becomes the first line of defence, checking the DNS request and blocking bad sites before a connection is even established. It also helps IT teams by sparing them the large number of alerts that would have been generated had the malware been downloaded.

DNS Security – The Forgotten Lynchpin

So it’s all happening in the cloud. Wholesale adoption of cloud services is now a business imperative as the opportunities and benefits of SaaS become ever clearer.

Here are some numbers that tell us not only what is happening but also which concerns we need to keep at the forefront of our minds.

  • 82% of mobile workers admit they always turn off their VPN
  • 15% of command and control threats evade web security
  • 60% of attackers penetrate an organisation in minutes and steal data in hours
  • 100 days is the average detection time for an attack
  • 100% of networks interact with malware sites
  • 92% of attacks make use of DNS

Clearly, there is a wide range of threats that organisations need to address in crafting and implementing an effective approach to cyber security. One area that has received, and still receives, very little attention is DNS.

DNS is the most ubiquitous protocol on the Internet and is involved in practically every connection that takes place, whether surfing a website, watching YouTube videos or accessing corporate cloud applications. This ubiquity means that DNS is also involved in some very undesirable connections: to malware sites, known bad sites, command and control servers and so on. Other attacks have used DNS itself as the channel, exfiltrating data encoded in what look like ordinary DNS queries and responses.

The fact that DNS is involved in around 92% of attacks strongly suggests that it is worthy of further effort in the fight against cyber attacks. DNS is one of those protocols that just works in the background like a utility, and as long as resolution is working no one pays attention to it. DNS is a lynchpin: if it stops working then most applications stop working and IT services grind to a halt. It is vital therefore that DNS gets more prominence and is monitored and secured to ensure the continued running of services.

Tackling DNS Security 

DNS should be elevated from a connectivity item to a network security component vital to the operation of the organisation's IT. DNS monitoring, together with an actively enforced security policy that staff cannot circumvent, can bring significant security benefits. Such an approach blocks malware and phishing attacks in real time rather than after the event: the DNS control holds a regularly updated list of known malicious domains and refuses to resolve them, so devices never reach those sites. For the policy to be genuinely non-circumventable, clients must be prevented from using other resolvers, for example by blocking outbound port 53 to anything other than the sanctioned resolver and by controlling encrypted DNS (DNS over HTTPS) settings in browsers. Active monitoring can also reveal whose machine has been compromised and where it is connecting to.

DNS monitoring can also provide a baseline of what normal behaviour looks like for your organisation, so that anomalous behaviour is easier to detect and act on. A number of high-profile sites, such as Tesla's, have been hacked through changes to their DNS; such attacks could have been prevented if the DNS records had been monitored and the organisations had been able to detect and block changes to them.

Visibility of who is connecting to which site is another great benefit of DNS monitoring. The explosive growth of IoT devices poses significant threats if they are not properly secured. DNS security can play a vital role by enforcing policy: if the CCTV network should have no Internet access, DNS security controls can prevent those devices from being used as a backdoor for malware propagation or data exfiltration. DNS control should be backed by firewall egress rules, since a device that already knows an IP address does not need to resolve a name to reach it.

Failing to monitor and control DNS is a lost opportunity not only to secure your organisation’s network but also to gain visibility into who is doing what.
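As an added example (not the page's own code), the monitoring described in this section as Python heuristics over a constructed DNS query log: a per-client baseline of resolved zones, detection of data being exfiltrated in DNS labels, an egress policy check for a no-Internet CCTV network, and a comparison of the DNS records you published against what resolvers currently return. Subnets, zone names, thresholds and sample records are hypothetical, and the "last two labels" zone key is a simplification of what real tooling does with the public suffix list.

```python
"""Added example, not the page's own code: DNS monitoring heuristics over a
constructed query log. Subnets, zone names, thresholds and records are
hypothetical."""
import ipaddress
import math
from collections import Counter, defaultdict

INTERNAL_ZONES = {"corp.example"}                          # hypothetical internal namespace
NO_INTERNET_NETS = [ipaddress.ip_network("10.9.0.0/16")]  # hypothetical CCTV VLAN


def registrable(qname):
    """Crude zone key: the last two labels. Real tooling uses the public suffix list."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def entropy(text):
    """Shannon entropy in bits per character; encoded data scores high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def build_baseline(queries):
    """Zones each client resolved during a known-clean training window."""
    seen = defaultdict(set)
    for client, qname in queries:
        seen[client].add(registrable(qname))
    return dict(seen)


def new_zone_alerts(queries, baseline):
    """Queries for zones a client has never resolved before."""
    return [(client, registrable(qname)) for client, qname in queries
            if registrable(qname) not in baseline.get(client, set())]


def tunnel_suspects(queries, min_unique=4, min_len=30, min_entropy=3.5):
    """(client, zone) pairs receiving many distinct long, high-entropy
    subdomains: data being carried out in DNS labels rather than resolved."""
    subs = defaultdict(set)
    for client, qname in queries:
        name, zone = qname.rstrip("."), registrable(qname)
        sub = name[: -len(zone) - 1] if name.endswith("." + zone) else ""
        if len(sub) >= min_len and entropy(sub) >= min_entropy:
            subs[(client, zone)].add(sub)
    return sorted(k for k, s in subs.items() if len(s) >= min_unique)


def egress_violations(queries, nets=NO_INTERNET_NETS, internal=INTERNAL_ZONES):
    """Devices on no-Internet networks resolving anything outside the internal zones."""
    return [(client, qname) for client, qname in queries
            if any(ipaddress.ip_address(client) in n for n in nets)
            and registrable(qname) not in internal]


def record_drift(expected, observed):
    """Names whose published records no longer match what resolvers return."""
    return sorted(name for name, rrset in expected.items() if observed.get(name) != rrset)


# Constructed data, not real traffic.
TRAINING = [("10.1.2.33", "www.example.org"), ("10.1.2.33", "mail.corp.example"),
            ("10.1.2.57", "www.example.org"), ("10.9.0.8", "ntp.corp.example")]
CHUNK = "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dz"   # base32-looking payload fragment
LIVE = [("10.1.2.33", "www.example.org"),
        ("10.1.2.33", "cdn.example.org"),              # same zone as baseline, no alert
        ("10.1.2.33", "update.vendor-example.net"),    # never seen before: alert
        ("10.9.0.8", "www.example.org"),               # CCTV device going external
        ("10.9.0.8", "ntp.corp.example")] + [
        ("10.1.2.57", f"{c}.exfil.example")            # four distinct encoded labels
        for c in (CHUNK, CHUNK[::-1], CHUNK[13:] + CHUNK[:13], CHUNK[27:] + CHUNK[:27])]
EXPECTED = {"www.example.org": {"192.0.2.10"},
            "example.org": {"ns1.example.org", "ns2.example.org"}}
OBSERVED = {"www.example.org": {"198.51.100.7"},       # A record has been changed
            "example.org": {"ns1.example.org", "ns2.example.org"}}


def run_checks(training=TRAINING, live=LIVE, expected=EXPECTED, observed=OBSERVED):
    """Run every check and return the findings by category."""
    return {
        "new_zones": new_zone_alerts(live, build_baseline(training)),
        "tunnelling": tunnel_suspects(live),
        "egress": egress_violations(live),
        "record_drift": record_drift(expected, observed),
    }


if __name__ == "__main__":
    for category, findings in run_checks().items():
        print(category, findings)
```

The tunnelling check deliberately keys on three things at once (label length, entropy and the number of distinct labels under one zone) because any one of them alone fires on legitimate CDN and anti-spam lookups; the record drift check assumes you periodically query your own names through public resolvers and feed the answers in as `observed`.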

10 Steps to Cyber Security – Parts 6-10

The cyber security threat landscape is constantly changing as the number and scale of attacks grow. The measures needed to combat the threats must be robust, comprehensive and agile. Simply put, it is about developing an effective approach and constantly testing and refining it. The sections below cover the second five of the ten essential steps recommended for achieving an effective level of cyber security, based on guidance from the NCSC.

Incident Management

A security incident is inevitable for every organisation. An effective system of incident management policies and processes will reduce the likely impact, enable speedier recovery and improve business resilience. Without an effective management system in place, the risks of an attack include;

  • Greater business impact through failure to recognise the attack early enough, and consequent slowness to respond, resulting in more significant and ongoing damage
  • Potential for continuous or repeated disruption due to failure to find the root cause
  • Failure to conform with legal and regulatory standards which could result in financial penalties

It is important to manage the risk by taking some of the following steps;

  • Establish an incident management capability, using in-house staff or a specialist external service provider; create a plan and test its effectiveness
  • Define reporting requirements
  • Define roles and arrange specialist training to ensure the correct skill base
  • Establish and regularly test a data recovery strategy including offsite recovery
  • Collect and analyse post incident evidence for root cause analysis, lessons learned and evidence for crime and/or compliance reporting

Malware Prevention

Malware is the most common form of security compromise, and all organisations interact with known malware sites at some point. Malware risks include: email with malicious content or links to malicious sites, web browsing to sites containing malicious content, and the introduction of malware through uncontrolled devices such as USB media or smartphones.

Inadequate controls for protection against malware could result in business disruption and/or loss of access to critical data.
Malware risks can be managed effectively using some of the following techniques;

  • Create and implement effective malware policies
  • Control the import and export of data and incorporate malware scanning
  • Use blacklisting to block access to known malicious sites
  • Establish a defence in depth approach which includes security controls for endpoints, anti-virus, content filtering to detect malicious code, disable browser plugins and auto run features, ensure baseline security configurations are in place
  • Users should be educated regularly to understand the risk of malware, their role in preventing it and the procedure for incident reporting

Systems Monitoring

Systems monitoring provides the ability to determine how systems are being used and whether they have been attacked or compromised. Absent or poor monitoring prevents organisations from detecting attacks against infrastructure or services, slows the reaction to an attack (which increases its severity) and can cause non-compliance with legal or regulatory requirements.
These risks can be reduced by taking the following steps;

  • Develop and implement a monitoring strategy based on the business risk assessment
  • Ensure that all systems are monitored; monitoring should be able to detect known attacks as well as having heuristic capabilities for unknown ones
  • Monitor network traffic to identify unusual traffic or large uncharacteristic data transfers
  • Monitor user activity for unauthorised use of systems
  • Fine tune monitoring systems to collect relevant events and alerts
  • Deploy a centralised logging solution with collection and analysis capability, and automated anomaly and high priority alerts
  • Align policies and processes to manage and respond to incidents detected by monitoring systems

Removable Media

Removable media such as USB memory devices are often involved in the introduction of malware or the removal of sensitive data. A comprehensive cyber security strategy must implement controls such as those listed below to manage the risk they pose.

  • Devise and implement a policy to govern the use of removable media; information exchanged with corporate systems should be handled to a defined standard with appropriate protective measures
  • Where removable media is essential, limit its use to designated devices
  • Automatically scan removable media for malware before any data transfer
  • Issue removable media formally to users and prohibit the use of personal memory sticks
  • Encrypt information at rest on removable media
  • Manage reuse and disposal of media to ensure data is effectively deleted or media destroyed and data retrieval prevented

Remote Working

Remote working for staff, or remote support from suppliers, is an effective and popular trend but can expose organisations to risk. Mobile working necessitates the transfer of data across the Internet, sometimes from public spaces. The risks include: loss or theft of data if mobile devices are stolen; compromise of credentials or data if screens are overlooked in public places; loss of user credentials if they are stored on a device; and remote tampering through the insertion of malware or the monitoring of activity.
Some of the recommended controls are listed below;

  • Create a robust policy to address the risk; this should identify who is authorised, what kind of information they can access, and the increased monitoring to apply to remote connections
  • User training to include; awareness of the risks, securely storing and managing credentials, incident reporting
  • Develop and apply a secure baseline for remote devices
  • Encrypt data at rest and data in transit for remote/mobile devices