
A LOOK BACK AT 2022

Looking back at 2022, what a year it has been: a year of more. More data breaches, more ransomware, more vulnerabilities reported, and the list goes on. With all the cyber incidents that are reported, it is easy to start to think that we are losing the fight on the cyber security front.

One of the biggest eye-openers for me this year has been the importance of people in keeping our companies and environments safe: people at all levels of the organisation, from the highest levels of management that shape the direction of the organisation, all the way down to the person who receives an email that just does not look or feel quite right and sends it on to the security team for further investigation, and everyone in between. It is the people that either make or break an organisation’s security strategy, be that a formal, mature, well-formulated one or a more fluid, unstructured understanding that there needs to be a focus and direction as to how.

Looking at the reporting on the major data breach and ransomware incidents this year, it is clear that the vast majority of attacks still succeed through the same attack vectors that we as an industry have been talking about for more than a decade:
1. Malicious attachments sent in email
2. Links to websites that contain malicious code
3. Lost or stolen credentials, this includes password reuse
4. Unpatched devices or orphaned devices that are connected to the internet
5. Exposed ports like RDP or poorly secured remote access tools

The reason these, and not some fancy chained zero-day exploit, keep making the list as the cause of the majority of breaches is that they still work, even in 2022. The truth is that there is nothing glamorous or discussion-worthy about these, and they are not going to be the next keynote address at a security conference. Our modern systems also ship out of the box built for convenience and ease of use and setup, not security. Having dealt with a large number of organisations in the past year and spoken to them about what security areas they are focusing on in the coming year, it has become clear to me that we are failing in the messaging and in creating a clear set of guidelines that are easy to follow.

It is with this in mind that the strategic focus for Cruiser Information Services and their customers is going to be on getting the basics of information security right, realising that not everyone is at the same stage of their security journey and meeting them where they are. There is no one-size-fits-all solution in the market, and no one product will offer 100% protection 100% of the time.

Any security strategy needs to include the following basics:
1. Know what you have, this includes a hardware, software and cloud resource inventory. It is impossible to protect what you don’t know about.
2. Make sure that what you have is fully patched. This is a lot harder than it sounds, especially with the risks that patching poses to server infrastructure, where downtime is difficult to get approved. This means all software, not just the operating system.
3. Put mitigations in place to reduce the risk of end of life software and hardware that is still in operation and usually performs business critical functions.
4. List and restrict all the devices where local admin accounts are used.
5. Make use of a password manager; this will go a long way to protecting your online accounts. Your password manager protects you in two ways:
5.1 Creates and stores unique usernames and passwords for all the online resources you visit; you only need to remember your master password.
5.2 Protects against entering your credentials in look-alike sites that have been set up to try and steal your username and password.
6. Set up and use multi-factor authentication on all sites where this is possible, even if it is not mandatory. Even SMS, which is the easiest to bypass, is better than not having anything enabled.
7. Secure your device configuration; consult your software vendor on the best practices for securing your device. What is default is not necessarily secure. Microsoft, for example, has a whole set of security benchmarks that are not enabled by default but go a long way to protecting your device.
8. Email protection, a good email protection tool will reduce the risk posed to your business through email.
9. Managed detection and response takes your anti-virus product and changes it from a reactive, signature-based tool that looks for the known threats into behavior-based protection.
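
Point 5.2 in practice, as an added example that is not part of the original article: a password manager offers a saved login only when the page's origin matches the one the entry was saved for, so a look-alike address gets nothing. The vault contents, domain names and function names are constructed for illustration, and exact-host matching is a simplifying assumption; real products differ in their matching rules.

```python
from urllib.parse import urlsplit

# Constructed vault: each entry is keyed by the exact (scheme, host) it was saved for.
VAULT = {
    ("https", "login.bank.example"): ("alice", "constructed-password"),
}

def origin_of(url):
    """Return (scheme, host) with the host lowercased and IDNA-encoded."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    try:
        # Unicode look-alike letters turn into visible "xn--" punycode here.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        host = ""  # unparseable host: never offer credentials
    return parts.scheme.lower(), host

def credentials_for(url, vault=VAULT):
    """Return the saved login for this page, or None if the origin differs."""
    scheme, host = origin_of(url)
    if scheme != "https" or not host:
        return None  # never fill over plain HTTP
    return vault.get((scheme, host))

# Constructed sample URLs: the genuine site plus common look-alike patterns.
SAMPLES = [
    "https://login.bank.example/signin",                     # genuine
    "https://login.bannk.example/signin",                    # typo domain
    "https://login.bank.example.verify-account.test/",       # real name as a subdomain
    "https://login.bank.example@phish.test/signin",          # real name as userinfo
    "https://login.b\u0430nk.example/signin",                # Cyrillic 'a' homoglyph
    "http://login.bank.example/signin",                      # downgraded to HTTP
]

def filled(urls=SAMPLES):
    """List the sample URLs for which the manager would offer a login."""
    return [u for u in urls if credentials_for(u) is not None]

if __name__ == "__main__":
    for u in SAMPLES:
        print("FILL " if credentials_for(u) else "BLOCK", u)
```

A user who finds that the manager does not offer a login on a page that looks familiar should treat that as a reason to check the address rather than typing the password by hand.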
