Celebrate Halloween and Share Your Scariest Security Practices
By: Carolyn Crandall
Halloween is here. A time for spooky, scary fun and one of my favorite holidays. When else can you openly become any one that you want to be and “trick” people out of candy. Genius! I love the parallels to deception-based threat detection. Every day our decoys can dress up like real assets and trick an attacker into revealing themselves. Ok, the SOC team doesn’t get candy, but the reward of stopping the bad guys is still awesome. Halloween falls on the last day of National Cybersecurity Awareness Month and completes the October leg of the Attivo Networks On the Road Tour where Attivo participated in 10 industry events across the country. More to come in November and December. If you’re in New York on November 14, I will be presenting at the ISMG Healthcare Security Summit, titled, “The Art of Deception for Advanced Threat Detection in Healthcare Organization.” To register, visit here.
As our final contribution to this year’s National Cybersecurity Awareness Month, I thought it would be fun to highlight five scary security practices that we continue to see all to often and that that leave networks vulnerable to attacks. Let’s have a look at these truly scary security practices:
Human Error – Perhaps the spookiest and hardest of all to control
I have heard hackers say time and again, that persistence is no longer required as it is now so easy to get into organization’s networks. Employees, often through simple mistakes, continue to engage in practices that put network assets at risk. These range from weak passwords, to falling for phishing emails, to clicking on the wrong link (I get it, some look so incredibly real when you are moving fast) and failing to update security patches. I have been told by several CISOs that they would be thrilled if they could get the number of employees who click on phishing emails below 10%. Many say they still see 20% to 30% of their employees still fall for these, despite their efforts to repeatedly train employees.
Reliance on Perimeter Defenses – Today’s perimeter-less, connected world should scare you
Scarily, too many organizations continue to believe that strong perimeter defenses are enough to protect their critical data assets. This places an enormous, unrealistic burden on the IT team. A recent ISMG study of 250 banking and security leaders found that just 38 percent of respondents were highly confident in the ability of their network to detect and prevent fraud. It would seem apparent given the number of security breaches that we have seen in 2017 alone that the concept of a 100% secure network is just not achievable. Yes, many detection technologies come with the trick of an overwhelming amount of alerts and false positives. That said, today’s deception technology provides an efficient and accurate way of detecting threats within the network. Deception is designed for early detection, with the real treat being able to catch both human and automated attackers before they have time to escalate their attack and cause harm.
Supplier and Service Provider Gaps – Don’t let them haunt your house
The security infrastructure of a network is only as strong as the weakest link. When organizations work with suppliers, partners, consultants and service providers, and provide them network access, they are exposing their networks to any security gaps within that provider. As we reported in an August blog, attackers will often target a large organization through these providers. To support today’s connected world and offer the service levels that people have come to expect, organizations must work with their suppliers and partners to understand, assess, and audit these organizations to ensure mandatory levels of security and best practices within their networks.
Failure to Close Gaps – If you know garlic deters vampires, why wouldn’t you use it?
Several large organizations have been breached multiple times, frighteningly often in the same way.. Trump Hotels is an example of one such organization. It has been hit three times in three years with attacks on its debit and credit card systems. While it’s impossible to know the breadth and depth of the organization’s security infrastructure, the IT teams involved have apparently not been able to deploy security infrastructure that detects and quarantines breaches before they result in loss of customer data.
Lack of Testing – Know what ghosts and skeletons are in your closet
Many organizations are required to test for compliance, some for standard security control, and some just simply don’t test because they are overconfident or lack the budget or resources. The lack of adequate testing presents four “fright night” risks. First, it increases the changes that hackers will uncover network vulnerabilities before IT teams do. Second, IT teams do not gain the knowledge of how effective or ineffective their security infrastructure is. Third, penetration tests that reveal network weaknesses can spur a management team to increase investment in the organization’s security infrastructure to close these gaps. And finally, organizations mistaking passing compliance for having a resilient network.
While we are all in the spirit of Halloween, I’d like to invite readers to share the scariest security practices they have witnessed, either within their own organizations, among suppliers or partners, or from any organization with which they have had interactions.