Corporate Cyber Security – the Statistical Approach
Where to start in protecting your organization from cyber threats
When building your corporate cyber security strategy, the most difficult thing is to figure out where to start. Most IT security specialists start by setting up a perimeter firewall and installing an antivirus product on their endpoints. But that doesn’t really protect the company’s workstations against all the important groups of attacks, so on top of these initial solutions CIOs need to build additional security layers. When looking to build your corporate security strategy, here are 2 key things to consider.

1. Attack vectors – look at the potential infections or hacks that could compromise your workstations:
- Direct attacks – such as old-school brute-force attempts to compromise usernames and passwords. This type of threat is rather improbable.
- Web exploits that target endpoints – this type of attack could lead to data leaks and compromised corporate credentials. It is highly likely to target your organization, no matter its size or field of activity.
- Spam delivered to workstations – spam campaigns frequently carry exploits. Attacks with this malicious twist are also a likely infection route for cybercriminals.
2. Your approach: proactive or reactive? Which approach should you choose? What we’ve seen in the field is that most cybersecurity specialists would declare they’d rather choose proactive solutions, but the truth is that the majority of them still rely on reactive products.

Proactive protection focuses on making sure your organization doesn’t get hit by malware in the first place. Security layers that can ensure this type of defense are Firewalls, Traffic Filtering, Software and Vulnerability Patching, Exploit Protection, Users’ Online Behaviour Monitoring, and Spam Filtering. All of these solutions can make a difference before any security incident unfolds.

On the reactive side, CIOs would find Data Leakage Protection, Antivirus, Advanced Malware Protection, Backup, Incident Response Teams (consultancy), and other detection tools useful. These can be either perimeter-based or endpoint-based. When you break down this array of tools into categories and review your effort, ask yourself: are you doing more work on the reactive or the proactive side? It’s worth a thought.
CIOs’ Toolbox – The Need-to-Have Proactive & Reactive Security Solutions
If we consider the statistical approach to IT security, a few things stand out.

Need-to-Have Proactive Security Solutions

Let’s start with the proactive protection part. This isn’t the sexiest of security approaches, because, historically, CISOs and CIOs have never or rarely been awarded budgets for being on the safe side. But times are changing and, as long as you can show what CEOs and CFOs get for their money, you should be safe. In order to ensure pre-emptive protection, you’ll need to cover the following key aspects:
1. Patching

Almost all security vendors statistically agree that vulnerabilities in 3rd party applications and in Windows software are the number one reason for getting compromised. So this is where you should start. Between 60% and 92% of all attacks start here – depending on whether we consider data coming from Heimdal, Cisco or Symantec. If over half of attacks use these infection vectors, this is clearly a great starting point. Are patching and vulnerabilities boring? Yes, they are. Would they give you the desired effect and eliminate a great deal of your vulnerabilities? Yes, they would. With the rise of Windows 10, patching the world’s (still) biggest OS is becoming quicker and more efficient. Hence the Windows operating system will most likely be a much smaller concern in the future than it has been in the past. Third-party software is, however, an even bigger concern now than it ever was before. A GFI analysis has identified the same trend:
Third-party applications are the most important source of vulnerabilities with over 80% of the reported vulnerabilities in third-party applications.
The top 4 most vulnerable 3rd party software
“An average of 19 vulnerabilities per day were reported in 2014, according to the data from the National Vulnerability Database (NVD),” according to an analysis by GFI Software. What’s more, according to the same analysis, “24% of these vulnerabilities are rated as high severity.”
Let’s see which of them give the most cause for concern. Flash has broadened its reach significantly by being integrated into Chrome, Internet Explorer and Microsoft Edge. The problem is that the number of vulnerabilities in Flash is relatively stable at a high annual number. It takes the first spot because it’s always a favourite with cybercriminals. Java might be slightly less susceptible to attack, with about a 10% annual decrease in vulnerabilities, but it is still an easy number 2 on the concern scale in my book, because Java has a lot of security problems. Adobe Reader is also a stable number 3. It has a huge install base and it’s commonly plagued by severe security flaws. Apple QuickTime also holds steady at number 4, but its install base has been on the rise over the past couple of years, so this is also a growing concern.

CIOs usually loathe spending time on patching, and that makes sense. But you can use a solution that automates this tedious task so you can handle other things on your to-do list. The thing that some CIOs don’t consider is that patching has a relatively low price per PC, but a huge impact on your company’s security. TL;DR: Automatic and silent patching – low cost per PC, huge, positive impact on security.
2. User education
From a statistical point of view, you could argue whether this should be number 1 or number 2. The truth is that it really depends on your setup and environment. In a corporate environment, users can be a serious security risk. According to recent statistics, they really are. The 2015 Vormetric Insider Threat Report showed that:
Globally 89% of respondents felt that their organization was now more at risk from an insider attack; 34% felt very or extremely vulnerable.
Source: 2015 Vormetric Insider Threat Report

So in order to mitigate this particular risk factor, users need to be educated about cybersecurity basics. However, such a program is quite complicated and expensive to implement. But consider this: when evaluating your ROI, educating users would entail high costs, but it would also have a very high impact on your company’s cyber safety. Of course, continued education is ideal, because, as the market evolves, employees will need to keep up to date and freshen up their skills. High costs might make this fall off the priorities list, but the investment certainly pays off in the long term. TL;DR: User education – high costs, high, positive impact on organizational cyber safety.
3. Firewall

Having a firewall is a cheap and necessary quick fix in any company. However, keep in mind that, in today’s security environment, it will not have the biggest impact on the number of risks you face. Regardless of your company’s size, you will certainly need to buy a router – which requires firewall protection. As for a larger environment, there is no doubt that a firewall is a must-have.

Source: Firemon – State of the Firewall 2014 Study

The important thing is to have your firewall properly configured, so it can help you achieve your goal of closing attack angles before they are taken advantage of. Having a firewall will most likely clear between 1-4% of your problems upfront. TL;DR: Firewall – cheap, quick fix, with relatively low impact on reducing cyber risks.
4. Web filtering
Making sure your incoming traffic is filtered is a key security parameter. Most vendors would agree that this or spam filtering would have the 2nd biggest security impact, because this is also one of the areas most prone to creating problems. So why is a firewall typically prioritized above web filtering? Essentially, the router and firewall installed on your perimeter are often the same thing. A perimeter Web Filtering solution can often be purchased as a part of your firewall, but the same product has to be purchased separately to protect your endpoints. Since around 90% of PCs are mobile today, you would need to filter malicious web traffic both on the perimeter and on individual endpoints. This is essential to avoid infections that can happen while an employee is traveling with his/her work laptop, since these infections can breach your system once the employee gets back to the office. Enabling web filtering on the perimeter may seem easier to do, but doing the same for endpoints is not as difficult as it sounds.

Web traffic filtering can most likely remediate 40%-60% of the 10%-40% of threats left after employing patching and a firewall solution. So that would be another 4%-24% of the total number of threats. This may seem like a big leap, but our intelligence shows that this would be an effective course of action for CISOs and CIOs. I know it’s a big span, but we have our numbers, other vendors have theirs, and I just want to relay that as best I can to you as a CISO or CIO. TL;DR: Web filtering – reduce up to 24% of cyber threats that can compromise your organization by employing a web filtering solution both on the perimeter and on endpoints. This is especially important for a BYOD environment.
5. Spam filtering
Employing Spam Filtering is a critical part of the proactive security on your perimeter, to prevent malware from infiltrating via unsolicited emails. This is the last crucial pillar. In my book, it accounts for the remaining chunk of your proactive security to ensure you don’t get hit by malware in the first place. Securelist recorded the percentages of spam in email traffic between October 2014 and March 2015. According to my experience, this would be the 3rd most important security factor, although some might argue it’s the 2nd most important one. Either way, Spam Filtering is a very easy, cheap, and effective way to eliminate an important percentage of cyber risk. TL;DR: Spam Filtering – easy, cheap solution that can rid your organization of a lot of cybersecurity risks.
Need-to-Have Reactive Security Solutions
Having covered the proactive security measures you can put in place, we must also realize that, despite the percentages we listed, those protection scenarios, even combined, will never achieve a higher rate of immunization than 99.999%. Therefore, having reactive security measures is also critical. And you can’t have only one solution as the go-to fix for your security issues.
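The layered arithmetic used above (web filtering acting on the 10%-40% left after patching and a firewall, and the point that even the combined proactive stack stays well short of 99.999%) carried through in code, as an added example that is not part of the original article. The Layer class, the function names and the efficacy figures are my assumptions taken from the article’s own ranges; each layer is modelled as stopping a share of whatever the earlier layers let through, so the article’s rounded 10%-40% appears here unrounded as 7.7%-39.6%.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    """A proactive control and the share of *remaining* threats it stops (low, high)."""
    name: str
    low: float   # pessimistic efficacy, as a fraction of what is still left
    high: float  # optimistic efficacy

# Constructed input using the article's own ranges; spam filtering is left
# out because the article gives no percentage for it.
ARTICLE_LAYERS = [
    Layer("patching", 0.60, 0.92),       # 60-92% of all attacks
    Layer("firewall", 0.01, 0.04),       # clears 1-4% upfront
    Layer("web filtering", 0.40, 0.60),  # 40-60% of what is left
]

def layered_residual(layers):
    """Apply the layers in order. For each layer report the share of *all*
    threats it removes (min, max) and the share left afterwards (optimistic,
    pessimistic). Each layer only sees what the earlier ones let through."""
    left_opt = left_pess = 1.0  # 100% of threats before any control
    report = []
    for layer in layers:
        report.append({
            "layer": layer.name,
            # min: little was left over AND the layer underperforms
            "removed_min": left_opt * layer.low,
            # max: a lot was left over AND the layer overperforms
            "removed_max": left_pess * layer.high,
            "left_optimistic": left_opt * (1.0 - layer.high),
            "left_pessimistic": left_pess * (1.0 - layer.low),
        })
        left_opt *= 1.0 - layer.high
        left_pess *= 1.0 - layer.low
    return report

def combined_coverage(layers):
    """Share of threats the whole stack stops, as (pessimistic, optimistic)."""
    if not layers:
        return 0.0, 0.0
    last = layered_residual(layers)[-1]
    return 1.0 - last["left_pessimistic"], 1.0 - last["left_optimistic"]

if __name__ == "__main__":
    for row in layered_residual(ARTICLE_LAYERS):
        print(f'{row["layer"]:14s} removes {row["removed_min"]:.1%}-{row["removed_max"]:.1%}'
              f' of all threats; {row["left_optimistic"]:.1%}-{row["left_pessimistic"]:.1%} left')
    lo, hi = combined_coverage(ARTICLE_LAYERS)
    print(f"combined proactive coverage: {lo:.1%}-{hi:.1%}, well short of 99.999%")
```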
1. Antivirus

Considering the percentages listed above, you can only stop so much. This is especially true for the spam vector, which will still leave a range of security problems wide open. We all know that spam filtering mechanisms will not catch everything. This means that, once infections do hit the workstations, you will need that first layer of reactive measures in place. Antivirus is definitely the place to start.
2. Backup

The oldest trick in the book. There is no way around it. Real CISOs have to back up data, a lot of it and often. Running both Shadow Copies of server drives and regularly scheduled backups is a must for any real-time, server or data storage environment. Thinking you won’t get hit is just being overly brave about things. Either hard drives will fail or you will get hit by malware (particularly ransomware). It is simple math in today’s modern IT world. Backup is a must-have!
3. Advanced malware protection and other measures
Assuming you do have a malware infection on your network, you will want to have an additional layer of reactive tools that can detect the infections for you. This may come “late”, as the infection will already have hit and potentially leaked data, led to ransomware encryption, or performed other unknown and silent actions which could be used against your company at a later stage. There are additional layers of reactive security measures you can choose from, but if you’ve reached this point, then you are approaching the areas you should spend money on last.
4. Incident response teams
Depending on the size and strength of the attack you may be confronted with at some point, you might also want to know who to call in the event of an imminent disaster. Here’s how to get ready ahead of time: prepare an agreement with an incident response vendor you are comfortable with, who you know will move fast if you should get locked out of all your systems by ransomware. Having a plan to act on and having trusted specialists you can rely on to help you surpass security obstacles can give you peace of mind and make you more agile in the face of potentially destructive consequences.
With both security budgets and security threats increasing, the need for prioritization and more effective protection becomes a top concern. For SMEs, this could be especially challenging, since it may be the first time these companies tackle these issues head-on. Knowing where to start and what solutions to evaluate and test is key, which is why I hope the above roadmap can offer a viable plan for action.
Thank you, Morten!
It’s an excellent article. I will recommend it highly to my colleagues and friends.
In fact, I wish I had written it, because it enumerated many ideas I have been thinking about over the last 18 months. Keep up the great work!
By the way, many examples of my writing and presentations are at http://billslater.com/writing
Thanks for sharing your thoughts, Bill! We hope this will be helpful for those who read it and that they apply them for their protection and their companies’ safety.