There has been a buzz around the recent Sony hack and whether cyber security should be the top priority of CIOs in 2015. I do not wish to discuss the details of this hack here, as there are already sufficient articles covering it, but will instead highlight the top security issues we could face this year and suggest a few solutions.
Cyber Security Priorities for 2015
Top 10 Security Issues to Address in 2015
1) Overcome Cyber Attack Misconceptions – There are a couple of misconceptions that organisations need to shed with regard to security. When it comes to cyber-attacks, we need to let go of the belief that “We are not big enough for this to happen to us”.
For example, a 2014 report by FireEye, a security firm whose customers include the CIA and the Pentagon, examined data from more than 1,200 security deployments in 63 countries across more than 20 industries and noted that 97% of organisations experienced a breach during the test period.
Firms also believe that “Placing a good end-point security solution will keep us secure”. It needs to be noted that the recent attacks on Sony, Target, the German iron plant & others have one thing in common: they started with (spear) phishing attacks via email! This shows that employees are still the weakest link in the security chain. Simply slapping on an endpoint security solution is not the answer to our security problems, because advanced malware (also known as APT) generally cannot be stopped by firewalls or intrusion detection systems; it has innumerable entry points.
Also, Organisations need to ensure that “security is built-in and is not an afterthought”.
Solution: Take a proactive approach to security and take its impact on the business into consideration. Deploying a multi-layered “Defence-in-Depth” architecture is a robust way to build your security landscape: layer your architecture & put security controls in place at every level.
Another issue that needs to be addressed is networks NOT being segregated. Office servers, back-end systems, production networks, perimeter devices, backup systems and of course Internet-accessible systems ALL need to be on separate networks. Network engineers still think in terms of efficiency and performance but should make security a vital part of any design.
Additionally, a Security Awareness Training Program coupled with Social Engineering Assessments (SEA) should be ongoing.
2) Zero Day Exploits – Software companies such as Microsoft, Sun and others constantly work to fix flaws in their programs, but sometimes they are not the first to discover the vulnerabilities. Cybercriminals find these flaws first and deliver them as malware to unsuspecting victims, causing severe damage. Companies tend not to keep track regularly and apply the patch at the earliest opportunity, thereby leaving themselves vulnerable to attacks.
Solution: Always be on the lookout for companies that fall victim to new exploits and patch your systems immediately based on the recommendations provided by the respective vendors. The fight against new and emerging cyber threats is a tough one, but staying up to date with the latest events and taking immediate measures is essential.
3) Web Exploit Kits – “67 million exploit kit related events were detected in the first 3 months of 2014” according to ThreatTrack Security. Focus has shifted from exploiting the Windows OS to pursuing the popular third-party applications installed on PCs. Angler, Sweet Orange, Fiesta, Nuclear, Blackhole and Goon are still the exploit kits that use vulnerabilities in Adobe Flash, Java, Internet Explorer, Silverlight and outdated CMS software such as Joomla and WordPress, among others, to infect systems.
Solution: Put in place an automated patch management system that ensures administrators can push the latest updates onto systems. Additionally, prevent end users from installing ad hoc third-party applications on their PCs.
4) POS malware – Retailers, beware of the POS malware families, namely Backoff POS, Brut POS, Soraya, Nemanja, ChewBacca, Alina, JackPOS, BlackPOS, Decebal & vSkimmer. Target & Home Depot were two large retailers that were hacked, with damages of $148 million & $62 million respectively, by a malware called BlackPOS & its variants, which are sold for $1800 online. Other well-known non-POS malware that can cause severe damage include Snake, Gyges, Dragonfly & Zberp.
Solution: Measures range from keeping POS software up to date and using end-to-end encryption starting from the point of swipe to deploying smartcard (aka chip card) enabled POS terminals and the latest beacon technology, among others.
5) DDoS Attacks – An attack on your website that slows down its service or brings it to a grinding halt would definitely affect your business. These attacks can have many motives: they could be done to hold your website hostage & extort money, or they are often a smokescreen to cover up other illicit activity such as planting malware & stealing information from your network.
Solution: Hosting your website with a cloud service provider that can absorb the sudden peak in illegitimate traffic from a DDoS attack, and then quickly addressing the issue, could be one option. If organisations would still like to host their own web services, then proper port and protocol management with additional access control lists, implementation of an IP blacklist, and co-ordinating with your ISP & understanding how they can help are some of the measures to be taken.
6) Spam - Cisco’s newly released 2015 Annual Security Report informs us that spam volume increased 250% from Jan 2014 to Dec 2014. A classic example is snowshoe spam, an emerging threat that involves sending low volumes of spam from a large set of IP addresses so that no single source stands out and detection is avoided.
Solution: Effective e-mail server hygiene is definitely one. Another is to block the many IP addresses that participate in spam campaigns.
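As an added example (not code from the original post), here is the detection logic for the snowshoe pattern described above, run over constructed gateway log lines in an assumed `ip=... from=... rcpt=...` format: a per-IP volume count catches a single-source blast but misses a campaign spread one message per IP, while grouping by sender domain (the campaign fingerprint assumed here; a subject or URL hash would work the same way) catches it.

```python
"""Spot snowshoe-style spam runs in mail-gateway logs.

Snowshoe spam spreads a campaign thinly over many sending IPs so that no single
source trips a per-IP volume threshold. Grouping by a campaign fingerprint (here
the sender domain, an assumption) exposes what a per-IP count misses.
"""
import re
from collections import defaultdict

# Constructed sample log in a hypothetical gateway format (not a real vendor's).
SAMPLE_LOG = """\
2015-01-12T08:01:11 ip=203.0.113.10 from=promo@bulk-deals.example rcpt=a@corp.example
2015-01-12T08:01:15 ip=203.0.113.11 from=promo@bulk-deals.example rcpt=b@corp.example
2015-01-12T08:01:20 ip=203.0.113.12 from=promo@bulk-deals.example rcpt=c@corp.example
2015-01-12T08:01:25 ip=203.0.113.13 from=promo@bulk-deals.example rcpt=d@corp.example
2015-01-12T08:01:31 ip=203.0.113.14 from=promo@bulk-deals.example rcpt=e@corp.example
2015-01-12T08:02:02 ip=198.51.100.7 from=blast@one-ip-spam.example rcpt=a@corp.example
2015-01-12T08:02:03 ip=198.51.100.7 from=blast@one-ip-spam.example rcpt=b@corp.example
2015-01-12T08:02:04 ip=198.51.100.7 from=blast@one-ip-spam.example rcpt=c@corp.example
2015-01-12T08:02:05 ip=198.51.100.7 from=blast@one-ip-spam.example rcpt=d@corp.example
2015-01-12T08:02:06 ip=198.51.100.7 from=blast@one-ip-spam.example rcpt=e@corp.example
2015-01-12T08:03:40 ip=192.0.2.25 from=alice@partner.example rcpt=a@corp.example
2015-01-12T08:09:12 ip=192.0.2.25 from=alice@partner.example rcpt=b@corp.example
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) from=\S+@(?P<domain>\S+) rcpt=")

def campaign_stats(log_text):
    """Return {sender_domain: {source_ip: message_count}} parsed from the log."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines that do not match the expected format are skipped
            stats[m["domain"]][m["ip"]] += 1
    return stats

def find_snowshoe(log_text, min_sources=5, max_per_source=2):
    """Domains seen from >= min_sources IPs with no IP sending > max_per_source."""
    return sorted(domain for domain, per_ip in campaign_stats(log_text).items()
                  if len(per_ip) >= min_sources and max(per_ip.values()) <= max_per_source)

def find_high_volume_sources(log_text, threshold=5):
    """The classic per-IP check: any single IP sending >= threshold messages."""
    totals = defaultdict(int)
    for per_ip in campaign_stats(log_text).values():
        for ip, n in per_ip.items():
            totals[ip] += n
    return sorted(ip for ip, n in totals.items() if n >= threshold)
```

On the sample, the per-IP check flags only 198.51.100.7, while the campaign check flags bulk-deals.example and leaves the legitimate partner.example traffic alone.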
7) BYOD (Bring Your Own Device) and IoT (Internet of Things) - Organisations fall victim to their many advantages. The special concern here is connecting one's mobile phone and tablet to the corporate wireless network. At the moment, there are far too many vulnerabilities in mobile devices and their innumerable apps. Hence, a cautious approach is the need of the hour.
Solution: Opt for CYOD (Choose Your Own Device) and minimise adoption of IoT until it has stabilised (take a wait-and-watch approach).
8) Authentication & Password related Issues – Inappropriate access rights and the use of poor passwords & related practices (e.g. sharing & storing them) by end users have been a known issue, but a recent survey by Lieberman Software of 270 IT professionals suggests that nearly 23 percent can get into their previous two employers’ systems using old credentials and more than 16 percent admit to still having access to systems at all previous employers.
Solution: Implement best practices in Identity & Access Management systems, stringent password policies, good practices in hiring and terminating employees in conjunction with the HR department, a look at multi-factor authentication (especially for remote access to the corporate network), and separate authentication for webmail access.
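An added example (not code from the original post or from Exciga) of the HR/IT reconciliation that the solution above calls for, using constructed leaver and account exports in an assumed format: it lists every leaver whose account is still enabled and, more seriously, every leaver account that has logged in after the termination date, which is exactly the situation the survey statistic describes.

```python
"""Reconcile active accounts against HR leaver records.

Flags two offboarding failures: accounts still enabled after the owner's
termination date, and (worse) accounts that have logged in after that date.
"""
from datetime import date

# Constructed HR leaver export, username -> termination date (hypothetical format).
HR_LEAVERS = {
    "jdoe": date(2014, 11, 30),
    "msmith": date(2014, 6, 15),
    "rlee": date(2015, 1, 5),
}

# Constructed directory/VPN export: (username, enabled, last login or None).
ACCOUNTS = [
    ("jdoe", True, date(2015, 1, 9)),      # left in Nov, still logging in remotely
    ("msmith", False, date(2014, 6, 12)),  # disabled correctly, last login before exit
    ("rlee", True, None),                  # left this week, not yet disabled, no login
    ("akhan", True, date(2015, 1, 10)),    # current employee, nothing to flag
]

REPORT_DATE = date(2015, 1, 12)  # constructed "today" so the example is reproducible
SEVERITY = {"LOGIN_AFTER_TERMINATION": 0, "STILL_ENABLED": 1}  # lower sorts first

def orphaned_accounts(accounts, leavers, today):
    """Return (user, finding, days) tuples, most severe and longest-standing first."""
    findings = []
    for user, enabled, last_login in accounts:
        left_on = leavers.get(user)
        if left_on is None:
            continue  # not a leaver, so nothing to reconcile
        if last_login is not None and last_login > left_on:
            # A login after the termination date is evidence the credential is in use.
            findings.append((user, "LOGIN_AFTER_TERMINATION", (last_login - left_on).days))
        elif enabled:
            # No post-exit login yet, but the account was never disabled.
            findings.append((user, "STILL_ENABLED", (today - left_on).days))
    findings.sort(key=lambda f: (SEVERITY[f[1]], -f[2]))
    return findings

def run_report():
    """Run the reconciliation over the constructed sample data."""
    return orphaned_accounts(ACCOUNTS, HR_LEAVERS, REPORT_DATE)

if __name__ == "__main__":
    for user, finding, days in run_report():
        print(f"{user:8} {finding:24} {days} days")
```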
9) Web Application Security - For companies that run an online portal, with its associated risk of credit card information theft, web application vulnerabilities such as SQL injection, cross-site scripting and others can cause severe damage.
Solution: Perform thorough Web App Security testing, follow SANS & OWASP Top 10 recommendations and meet PCI DSS compliance.
10) Cyber Risk Management – Apart from having a security strategy, there is now a growing need for firms to have a cyber-risk management initiative in place that takes into consideration the long-term risks of brand damage, lost jobs, loss of proprietary information and other critical data, financial losses in profits and stock value, short-term drops in investment, lawyers’ fees during investigation, class action suits and trials, among others.
Solution: A thorough Cyber Risk Assessment Program should be in place. Cyber insurance is something most organisations should consider, with coverage of Data Breach and Privacy Management, Multimedia liability, Extortion liability and Network Security liability.
And importantly, Exciga would recommend undertaking a Vulnerability Assessment (VA) and performing a Penetration Test (PT) at least once a year, if not quarterly, to ensure your enterprise network is a safe place.
It needs to be understood that a Vulnerability Assessment and a Penetration Test serve a different purpose from that of a Firewall and an Intrusion Detection System (IDS).
While a firewall examines network packets to determine whether or not to forward them to their destination, it is not designed to protect your network from improper system configurations and poor application code, which lead to vulnerabilities.
Similarly, an IDS inspects all inbound and outbound network activity and identifies suspicious patterns, relying on signature files of known attacks to prevent intrusion, but it can be easily tricked through the exploitation of techniques such as remote code execution.
The shortcomings of these devices can be addressed through a thorough Vulnerability Assessment and Penetration Test.