It’s Time to Reassess Your Cybersecurity Priorities


This article marks my 100th column for SecurityWeek over a ten-year span. This milestone has prompted reflection on my initial goal of educating the market about the essentials of cybersecurity.

Unfortunately, not much has changed. Cyber breaches are now bigger and worse than ever. Hardly a week goes by without headlines about a new devastating cyberattack. In fact, the International Monetary Fund reports that the number of cyberattacks has more than doubled since the pandemic.

And, when it comes to breaches, the shift to work-from-anywhere hasn’t helped either. Many companies had to adopt a “move first, plan later” approach and abandon the network-centric security bubble that had allowed IT teams to own and control most of the network. Ultimately, punching holes in existing security controls in the name of business continuity created vulnerabilities and exposed many organizations to increased risk. Cyber adversaries capitalized on the rapidly changing environment by intensifying their attacks and targeting the weakest link in the attack chain – the remote worker.

Despite the advancements in technologies, strategies, and artificial intelligence employed by security experts and threat actors alike, one thing remains constant: the human element. Humans are fallible—a fact that threat actors frequently exploit through phishing and social engineering campaigns to establish a foothold in their victim’s IT environment. Ultimately, hackers don’t hack in anymore—they log in using weak, default, stolen, or otherwise compromised credentials.

Many breaches can be prevented using basic cyber hygiene tactics, coupled with a Zero Trust approach. Yet most organizations continue to invest the largest percentage of their security budget in protecting their network perimeter rather than focusing on security controls that can effect positive change to protect against the leading attack vectors: credential abuse and compromised endpoints.

This is a big mistake. Implementing an effective enterprise security strategy requires understanding hackers’ tactics, techniques, and procedures (TTPs). Security practitioners must review the entire cyberattack lifecycle to gain a full grasp of the areas that need to be addressed as part of an in-depth cyber defense approach.

Here are six best practices for defeating most attacks, hopefully making my reflections 10 years from now more positive.

Go Beyond Passwords


Simple static passwords are not enough, especially for sensitive enterprise systems and data. With static passwords, there is no way to know if the user accessing data is valid or just someone who bought a compromised password from the millions found on the Dark Web. Organizations need to realize that multi-factor authentication (MFA) is the lowest hanging fruit for protecting against compromised credentials. The recent data breach at Snowflake, which impacted Ticketmaster and other organizations, illustrates how the lack of proper identity and access management best practices can derail a business’s security posture.

Identities include not just people but also workloads, services, and machines. Non-human identities represent the majority of “users” in many organizations. Machine identities, often associated with privileged accounts, typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where task automation plays a dominant role. Organizations should transition to a dynamic password approach. These ephemeral, certificate-based access credentials address the major security issues plaguing static passwords without impacting usability and agility in highly digitalized IT environments.

Boosting Endpoint Security

Once in possession of stolen, weak, or compromised credentials, attackers leverage brute force, credential stuffing, or password spraying campaigns to gain access to their target environment. Increasingly, cyber adversaries take advantage of the fact that organizations and their workforce rely on mobile devices, home computers, and laptops to connect to company networks. In turn, these endpoint devices become the natural point of entry for many attacks. A Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months. To disrupt the cyberattack chain and minimize risk exposure, organizations should deploy security tools like data loss prevention, disk and endpoint encryption, endpoint detection and response, and anti-virus or anti-malware.
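The credential-abuse techniques named above (brute force, credential stuffing, password spraying) leave distinct footprints in authentication logs, which is the defender's opportunity to detect them before an endpoint is compromised. The following is an added example, not code from the column or from any product it mentions; the log format, the source/user thresholds, and the sample lines are all constructed assumptions. It separates a spraying pattern (one source, many users, few attempts each) from a brute-force pattern (one source, one user, many attempts) and flags the most important signal of all: a success that follows a run of failures.

```python
"""Classify failed-login patterns per source address from authentication logs.

Added example; format and thresholds are assumptions, not a real product's schema:
    <timestamp> OK|FAIL user=<name> src=<ip>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (not real data): a spray from 203.0.113.7,
# a brute force against alice from 198.51.100.9 that finally succeeds,
# and one ordinary typo-then-success from 192.0.2.44.
SAMPLE_LOG = """\
2024-06-01T08:00:01 FAIL user=alice src=203.0.113.7
2024-06-01T08:00:02 FAIL user=bob src=203.0.113.7
2024-06-01T08:00:03 FAIL user=carol src=203.0.113.7
2024-06-01T08:00:04 FAIL user=dave src=203.0.113.7
2024-06-01T08:00:05 FAIL user=erin src=203.0.113.7
2024-06-01T08:00:06 FAIL user=frank src=203.0.113.7
2024-06-01T08:01:00 FAIL user=alice src=198.51.100.9
2024-06-01T08:01:05 FAIL user=alice src=198.51.100.9
2024-06-01T08:01:10 FAIL user=alice src=198.51.100.9
2024-06-01T08:01:15 FAIL user=alice src=198.51.100.9
2024-06-01T08:01:20 FAIL user=alice src=198.51.100.9
2024-06-01T08:01:25 FAIL user=alice src=198.51.100.9
2024-06-01T08:01:30 FAIL user=alice src=198.51.100.9
2024-06-01T08:01:35 FAIL user=alice src=198.51.100.9
2024-06-01T08:02:00 OK user=alice src=198.51.100.9
2024-06-01T09:00:00 FAIL user=grace src=192.0.2.44
2024-06-01T09:00:30 OK user=grace src=192.0.2.44
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_sources(log_text, spray_users=5, brute_attempts=6):
    """Return {src: {...}} with a verdict per source address.

    spray_users    - distinct users failed from one source to call it spraying
    brute_attempts - failures against one user from one source to call it brute force
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed logins
    success_after_fail = defaultdict(bool)         # src -> OK seen after FAIL
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparsable line: skipped, not treated as evidence
        src, user = rec["src"], rec["user"]
        if rec["result"] == "FAIL":
            fails[src][user] += 1
        elif src in fails and fails[src].get(user, 0) > 0:
            success_after_fail[src] = True

    report = {}
    for src, per_user in fails.items():
        worst_user = max(per_user.values())
        if worst_user >= brute_attempts:
            verdict = "brute_force"
        elif len(per_user) >= spray_users:
            verdict = "password_spraying"
        else:
            verdict = "normal"
        report[src] = {
            "verdict": verdict,
            "distinct_users": len(per_user),
            "failures": sum(per_user.values()),
            "success_after_failure": success_after_fail[src],
        }
    return report


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

The `success_after_failure` flag is the one to page on: a brute-force source that eventually logs in is a compromised credential in use, which is exactly the case MFA and a lockout policy are meant to stop.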

Cloud(y) with a Chance of a Data Breach

Understanding the threats, risks, and vulnerabilities associated with cloud environments is critical to preventing data breaches. Organizations need to understand that securing access to cloud environments is their responsibility. This begins with implementing a common security model across on-premises, cloud, and hybrid environments, while avoiding identity sprawl by repurposing existing identity repositories to broker authentication and access to cloud environments.

Tackling the Supply Chain Hazard

As companies improve their defenses against direct network attacks, hackers shift their focus to the weakest link by exploiting the supply chain to gain backdoor access to IT systems. Organizations need to monitor and manage IT security risks downstream in the supply chain. This entails implementing advanced supplier risk management practices, securing the software development pipeline, and cybersecurity essentials like hardening the environment, multi-factor authentication, and enforcing least privilege.

Risk-Based Prioritization

Effective prioritization of vulnerabilities and incidents is crucial for staying ahead of attackers. While security monitoring generates significant data, its raw form remains only a means to an end. Information security decision-making should be based on prioritized, actionable insights derived from correlating internal security data with business criticality and external threat intelligence. Without a risk-based approach, organizations are in danger of allocating valuable IT resources to mitigate vulnerabilities that pose little or no threat to the business.
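To make the point concrete, here is an added example (not from the column, and not any vendor's scoring model) of correlating a raw vulnerability finding with business criticality and external threat intelligence, as the paragraph describes. The weights, the asset inventory fields, the placeholder CVE identifiers and the findings themselves are all constructed assumptions; the thing to notice is that a CVSS-only sort would put the wrong finding at the top of the queue.

```python
"""Risk-based prioritization of vulnerability findings (added example).

Score = CVSS x business criticality, boosted for internet exposure and for
evidence of in-the-wild exploitation. Weights are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                    # placeholder identifiers below, not real CVEs
    cvss: float                 # base score 0.0-10.0 from the scanner
    business_criticality: int   # 1 (low) .. 5 (crown jewel), from the asset inventory
    internet_exposed: bool      # from the attack-surface inventory
    exploited_in_wild: bool     # from an external threat-intelligence feed


# Constructed findings; CVE ids are placeholders.
FINDINGS = [
    Finding("lab-vm-07", "CVE-0000-0001", 9.8, 1, False, False),
    Finding("payments-api", "CVE-0000-0002", 7.5, 5, True, True),
    Finding("partner-portal", "CVE-0000-0003", 5.3, 4, True, False),
    Finding("hr-db", "CVE-0000-0004", 9.1, 3, False, True),
]


def risk_score(f: Finding) -> float:
    """Combine technical severity with business context and threat intel."""
    score = f.cvss * f.business_criticality     # 0..50 before boosts
    if f.internet_exposed:
        score *= 1.5                            # reachable without a foothold
    if f.exploited_in_wild:
        score *= 2.0                            # attackers are already using it
    return round(score, 1)


def triage_bucket(score: float) -> str:
    """Map a score onto an SLA bucket (thresholds are assumptions)."""
    if score >= 50:
        return "immediate"
    if score >= 20:
        return "next_sprint"
    return "backlog"


def prioritize(findings):
    """Return findings ordered by risk score, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_only(findings):
    """The naive ordering most scanners give you, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        s = risk_score(f)
        print(f"{s:6.1f} {triage_bucket(s):12} {f.asset:16} {f.cve} (CVSS {f.cvss})")
```

Run as a script it prints the queue in risk order; `payments-api` leads despite the lowest-but-one CVSS, while the 9.8 on an isolated lab VM drops to the backlog, which is the misallocation the paragraph warns about.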

Cyber Resilience: Balancing the Right and Left of the Boom

More and more cyber risk and security management frameworks are adopting the concept of cyber resilience, such as the Department of Homeland Security’s Cyber Resilience Review (CRR) or the National Institute of Standards and Technology (NIST) Special Publication 800-160 Volume 2. Leading analyst firms like Gartner advise clients to shift their cybersecurity priorities from defensive strategies to the management of disruption through resilience to make a real difference to the impact of cybersecurity incidents. A cyber resilience strategy is vital for business continuity and can provide a range of benefits before, during, and after a cyberattack, such as enhanced security posture, reduced financial loss, improved compliance posture, enhanced IT productivity, heightened customer trust, and increased competitive edge.

Conclusion

Achieving 100 percent protection in cybersecurity is unattainable. However, by supplementing traditional perimeter defense mechanisms with principles of identity management, endpoint security, cloud and supply chain risk management, risk-based prioritization, and shifting towards cyber resiliency, organizations can significantly reduce their exposure to data breaches.

I look forward to my next 100 columns with SecurityWeek before ultimately retiring. Many thanks to Mike Lennon and his team, as well as you—the readers of my articles.
