Every time the headlines flood with a new story about a breach at a major organisation, the assumption is that the attackers got in due to a high level of sophistication, or through careful studying of their target looking for the weakest link in the security chain.
Lutz Blaeser, MD of Intact Security, comments: “Most security events are a result of a badly configured cloud gateway between local and public cloud infrastructures, inadequate authentication methods or even because the company considered itself too small or unimportant to be a target in the first place.”
He says there are several widespread enterprise security misconceptions that have had disastrous consequences on more than one occasion. “Firstly, the notion that your company is too small or unimportant to be of interest to cyber criminals. Believing your data is not valuable enough to be worth the effort on a criminal’s part is dangerous.
“Data of all types, be it HR records or billing receipts, login credentials or even telemetry information, can be used to perpetrate spearphishing attacks or social engineering schemes. Moreover, smaller, less secure entities are often used as a stepping stone to more lucrative third-party partners.”
Another misconception, he says, is that public clouds are more easily breached, because cloud providers are responsible for security.
“In truth, too often security experts fail to properly configure cloud environments and applications, leaving them vulnerable to attacks. Of course it’s easier to blame someone else, and public cloud providers are a useful scapegoat, despite the fact that they offer a wide range of tools and solutions for enforcing security.
“Their main responsibility is really to ensure the IT infrastructure and applications themselves are operational – with the least possible downtime. The company making use of public clouds should be doing everything within their means to protect and secure their data, and have controls in place for preventing any unauthorised access.”
In the business world, a strong password is touted as an acceptable security practice, but without multi-factor authentication it is not an effective solution, and control over access to critical systems can easily be lost. “A massive error is thinking that a single password, albeit a strong one, can keep attackers out. Password strength is only a good solution when it is in conjunction with multi-factor authentication.”
He says the next misconception is that anti-virus solutions and firewalls are a total solution. “While both of these solutions are parts of the chain needed to protect your network and data, simply deploying these on your infrastructure will not have a hope of keeping any sophisticated threats or attacks at bay.
“The threats we see today are far more sophisticated and complex, and the attack surface has widened to include a multitude of threats, from simple data-harvesting malware Trojans to ransomware and advanced persistent threats delivered over a plethora of devices that connect to the company network.”
According to Blaeser, today’s threats have polymorphic capabilities built in that make it highly unlikely for traditional security solutions to detect malicious payloads, and they also leverage unpatched software vulnerabilities to breach critical systems.
“A layered approach to security should include SIEM, analytics and netflow monitoring too, to detect and respond to any anomalous behaviour that might indicate a new or unknown threat.”
He says there is also the incorrect assumption that software updates and patches prevent attacks. “Installing the latest updates and patches will lower the risk of attackers exploiting known vulnerabilities, that is true, but there is also the question of deploying these updates across the entire organisation in a timely way, as well as the danger of cyber criminals exploiting unknown vulnerabilities, or zero-day attacks, to compromise a particular company system or endpoint.”
Blaeser adds that security is a difficult and ever-changing topic. “Businesses need to be responsible for security breaches and shift the paradigm from assigning blame to playing an active role in designing incident response plans, as well as identifying their most valuable assets and focusing security efforts on those.”