Time to secure ground on the cyber attack surface

Organisations are confronted by a fast-expanding attack surface that requires a more diverse set of protection methods and a strategy based on close analysis of internal and external risks, says David Emm, Principal Security Researcher at Kaspersky Lab.

The era of security complacency is over, and the starting point for any lock-down project should be an audit of corporate systems and a risk assessment to reveal where a business is susceptible to attack. Focus areas must include threat intelligence, monitoring of the corporate network, an effective incident response and appropriate technology. "MSPs need to be prepared to provide the protection their customers require," said Emm. "Whether or not offering this type of support will be a burden or opportunity depends on an MSP's IT resources, staff skills and ability to respond quickly to threats. If the MSP is lacking in any of these areas, the time to remedy them is now."

Why? Because the rise of cloud-based digital transformation has opened the door to danger in areas such as API credential exposure, adaptations to cloud infrastructure and, most critically, the downloading of sensitive customer data. Nor is that all. Even if an organisation considers its critical systems and devices protected and safe, it is difficult to defend against a trusted insider who chooses to undermine security, pointed out Emm. "The motivations of such people are hard to predict, ranging from a desire for financial gain to disaffection, coercion and simple carelessness," he added. "While insider-assisted attacks are uncommon, their impact can be devastating as they provide a direct route to the most valuable information."

Human behaviour all too often provides attackers with the means to compromise corporate security, noted Emm. "This can be unwitting or deliberate," he said. "The use of social engineering to trick staff into doing something that jeopardises corporate security typically forms the starting point for sophisticated targeted attacks and random, speculative infections. As well as people being the unwitting means by which a business is compromised there's also the danger of a deliberate insider threat. One way or another, people are an important element of corporate security. The key is to develop a corporate culture that embeds security, raise awareness of potential threats among staff and make employees guardians of the company's systems rather than potential weak points."

This is an area where resellers can make a significant difference by equipping businesses with the knowledge and tools to make security a priority. "They can do this by offering solutions that address the issues of employee vulnerability to malicious emails by providing automated, Internet-based security awareness to combat social engineering, phishing and ransomware," explained Emm. "Educational initiatives should be cost-effective, continually updated, easy-to-use, and require a relatively short amount of employee time while being suited to organisations of all sizes."

Emm urges organisations to approach security as a process that encompasses threat prediction, prevention, detection, response and investigation. A multi-layered security solution is a key component of this, but it is not enough on its own. It needs to be complemented by collaboration, education and shared intelligence. "Security breaches can take many forms which is why it is important to have robust procedures and technologies in place to safeguard a business," said Emm. "While security solutions significantly mitigate the risk of a successful attack there are other measures businesses can take to provide thorough protection. These include running fully updated software, performing regular security audits on their website code and penetration testing their infrastructure.

"It's crucial that businesses ensure that all passwords are protected using secure hashing and salting algorithms. The best way for organisations to combat cyber attacks is to put in place an effective cyber security strategy before the company becomes a target."

Failures in planning, implementation and monitoring are the biggest security threats to companies today, so resellers need to be in a position to offer comprehensive security portfolios that include endpoint protection and a number of specialised security solutions and services. "Advanced scalability, combined with support for all types of endpoints and platforms, ensures the solutions cope successfully with even the most challenging and dynamic network structures," commented Emm.

However, there are always risks associated with new technology, especially since we live in a connected world. "Today this includes much more than traditional computers," said Emm. "More and more businesses include smart devices. What makes them smart is that they are connected to the Internet and able to send and receive data. A proliferation of devices and objects collect and share huge amounts of data. This has the potential to create greater opportunities for vulnerabilities. Moreover, because these devices are connected to one another, if one device is compromised a hacker has the potential opportunity to connect to multiple other devices on the network."

According to Emm, the basic practices of using strong passwords, regularly checking for and installing software updates, and implementing appropriate security software should be applied to every connected device on the network, including routers.

"Manufacturers of connected products and the security industry need to work together to ensure that strong protection and patch management is designed-in from the very start," commented Emm. "Once a product is on the market it is already too late. There's also a role for Governments in developing security standards for IoT devices. We've all come to expect that everyday objects come with certification marks indicating that they are physically safe. In future, this will have to extend to digital objects. There's no turning back the tide of IoT applications, but checking the security capabilities before deployment isn't a bad strategy. Especially as it is important to ensure that the advance of IoT isn't providing hackers and criminals with another entry point for attack."

If an organisation's network has been compromised, attention tends to focus on the measures required to prevent similar attacks in the future. Nevertheless, perception and reality don't always match. Data from the Kaspersky Lab 2016 Corporate IT Risks Survey shows a contrast between the top threats faced by businesses (targeted attacks, ransomware and employee carelessness) and what businesses perceive as the most difficult threats to manage (inappropriate sharing of data via mobile devices, data exposed through physical loss of hardware, inappropriate use of IT resources by employees, security of third-party cloud services, IoT threats and security issues associated with outsourcing of IT infrastructure).

"There's no question that regulatory requirements are also important, particularly where there are financial implications for non-compliance," commented Emm. "The hot topic right now is GDPR. There is a lot of discussion about the impact it will have on businesses. Many organisations are frantically preparing for the arrival of GDPR - not surprising given the maximum fine for a serious breach is four per cent of the previous year's annual global turnover or 20 million euros, whichever is higher.

"In light of this, organisations must put in place safeguarding practices to ensure they are compliant. Although this will have a financial impact on the company in the short-term, budgeting for this will help businesses avoid larger fines in the long run. On the other hand, it's important for businesses to realise that security and compliance aren't the same thing."