Back to basics: start with patching

by Mark Rowe

Layer up security to keep your organisation safe, writes Hannah Curtis, Director, Release and Program, at the IT service management company Ivanti.

Businesses have always been a major target for hackers. Over 3.3bn records were breached in the first half of 2018 alone, according to one report. But malicious third parties are increasingly stepping up their focus on organisations: targeting them with ransomware, information-stealing trojans, banking malware and more. They have a wide range of tools and techniques at their disposal, but often attacks involve the exploitation of known vulnerabilities. It’s usually said that no company is 100% hack-proof. While this is true, there are things you can do to make yourself a smaller target — starting with an effective patch management programme. It’s the essential pre-requisite for effective cybersecurity to preserve the corporate reputation and the bottom line.

Firms under fire

Monetary gain remains the prime motivator for cyber-attacks, accounting for 71 per cent of data breaches analysed recently by Verizon. That means hackers are usually looking for the biggest return on their investment of time and resources into attacks. Compromising an organisation could generate far more income — by way of stolen customer data, or extortion of a large ransom — than an attack on a consumer. It’s no surprise, therefore, that a report from Malwarebytes noted a 235pc year-on-year increase in malware-based attacks on businesses in Q1 2019, as attacks on consumers declined.

Malware is a means to an end: whether that’s information theft, encryption of a victim’s files or something else. It works by exploiting vulnerabilities in operating systems, applications and browsers, and attackers are increasingly delivering it via phishing emails. Two of the most prolific recent campaigns are Emotet and Trickbot, banking trojans which often arrive in the form of infected attachments and spread by exploiting Windows SMB vulnerabilities to move laterally within a victim’s networks.

Patching problems

Why are organisations so exposed to these attacks? It’s a perfect storm of increasing numbers of endpoints, poorly trained employees, legacy systems, a growing number of vulnerability disclosures and multiple heterogeneous systems, all with different update mechanisms. There’s been a veritable explosion in endpoints as digital transformation takes hold, connecting numerous cloud systems, IoT devices, mobiles and more to corporate networks. Sometimes devices are brought in and connected without the oversight of IT, increasing cyber risk even further. A survey from last year found that a third of IT professionals don’t even know how many endpoints they manage.

This complexity and scale can be challenging enough, but becomes almost unmanageable if IT departments don’t have an automated way to prioritise vendor patches as they are released. Over 22,000 new vulnerabilities were disclosed in 2018, with new fixes added by the likes of Adobe and Microsoft every month. It’s no surprise that just 44pc of patches were applied within 90 days last year, according to Verizon.

Organisations’ biggest risk is not necessarily getting caught out by an attack exploiting flaws yet to be addressed by a vendor, but attacks leveraging old vulnerabilities that have since been forgotten about. A report from last year highlighted flaws from 2017, 2016, 2015 and 2012 as among the top 10 most used in attacks. Organisations are further exposed by the existence of legacy enterprise software and operating systems for which patches no longer exist. These are especially prevalent in operational technology (OT) environments like manufacturing facilities and power stations.

Hitting the bottom line

Arizona Beverages is an unfortunate example of this: it was recently hit by a large-scale ransomware attack that was attributed to unpatched and outdated software, which gave hackers an easy way into its network. The impact of such security mistakes can be severe: regulatory fines; major remediation, investigation and clean-up costs; class action lawsuits; and harder-to-quantify reputational damage which can impact the share price and customer loyalty. The warning signs are everywhere: Equifax has now spent nearly $1.4bn following a catastrophic 2017 breach which compromised sensitive personal data on almost half of all American adults. The cause of that breach? An Apache Struts flaw identified months before the incident. Even worse, between July and December 2018, 18,000 firms including two-thirds of Fortune 100 companies downloaded the same vulnerable version despite newer iterations being available.

Defence-in-depth

Effective patching is therefore a key pre-requisite for best practice security, and supporting compliance with the NIS Directive, GDPR and other regulatory and legislative imperatives. It should be built around three pillars: discover the assets you need securing; provide clear insight by identifying risk; and take action with best-in-breed tools. Combining vulnerability and patch management will help you detect and prioritise where security gaps need fixing, while automation capabilities help stretched IT teams scale their efforts organisation-wide.

Yet patching is just one piece of the puzzle: it must be complemented by other best practices. Layer on top application whitelisting to mitigate the threat from zero-day attacks. Then consider adding privilege and identity management, file and media protection, network monitoring and configuration management, strong encryption for data at rest and in transit, and staff training. This is not an exhaustive list. But it illustrates the kind of layered, back-to-basics approach organisations must take to reduce the attack surface, so they can manage cyber risk effectively.
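The three pillars above (discover assets, identify risk, take action) and the compensating controls for unpatchable systems can be turned into a small triage routine. The example below is added here and is not the article's or Ivanti's code; the asset inventory, findings, vulnerability ids and scoring weights are all constructed assumptions, and only the 90-day window comes from the article.

```python
"""Added example (not from the article or from Ivanti): a patch-backlog triage
that follows the three pillars the article names -- discover assets, identify
risk, take action. All asset and vulnerability data here is constructed for
illustration and the scoring weights are assumptions."""
from dataclasses import dataclass
from datetime import date

TODAY = date(2019, 6, 1)  # constructed reference date for the example

# Constructed asset inventory: the "discover" pillar.
ASSETS = [
    {"host": "ws-01", "os": "Windows 10", "supported": True},
    {"host": "plc-gw", "os": "Windows XP Embedded", "supported": False},  # legacy OT host
    {"host": "web-01", "os": "Ubuntu 18.04", "supported": True},
]

# Constructed findings: (host, placeholder vuln id, disclosed, patch available, exploited in the wild)
FINDINGS = [
    ("ws-01", "VULN-A", date(2019, 4, 15), True, False),
    ("plc-gw", "VULN-B", date(2017, 3, 14), False, True),
    ("web-01", "VULN-C", date(2018, 9, 5), True, True),
]


@dataclass
class Action:
    host: str
    vuln: str
    days_open: int
    score: int
    action: str


def triage(assets, findings, today):
    """Rank findings: exploited-in-the-wild and overdue (>90 days, the window the
    article cites) first; hosts with no vendor patch get a compensating-control action."""
    supported = {a["host"]: a["supported"] for a in assets}
    out = []
    for host, vuln, disclosed, patch, exploited in findings:
        days = (today - disclosed).days
        # Assumed weights: active exploitation outweighs age, which outweighs legacy status.
        score = (3 if exploited else 0) + (2 if days > 90 else 0) + (1 if not supported[host] else 0)
        if patch:
            action = "patch now" if score >= 2 else "patch in next cycle"
        else:
            action = "no vendor patch: isolate and apply application whitelisting"
        out.append(Action(host, vuln, days, score, action))
    return sorted(out, key=lambda a: (-a.score, -a.days_open))
```

Running `triage(ASSETS, FINDINGS, TODAY)` puts the unpatchable, actively exploited OT host first with an isolation action, then the overdue exploited web host, then the recent low-risk workstation.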
