“In this world, nothing can be said to be certain, except death and taxes.”
— Benjamin Franklin
I would also add, “…and that someone in your organisation will eventually click on an attachment or a link in a phishing email!”
It’s inevitable. No matter how good your awareness training, someone will eventually be duped. Phishing is becoming so sophisticated and targeted now that even the most paranoid and security-savvy folks can sometimes be fooled.
Stay current on your favourite topics
The kill chain is often used as a model to describe how a sophisticated attacker will plan and execute a cyber-attack. It’s a good model and, not least, useful for training and awareness but as a few have said, it is flawed in that it is probably too weighted to the early phases where the attacker is working to get a foothold inside the target organisation (steps 1-5 out of 7 in the Lockheed Martin version). Unpalatable as it may be, we must accept that the most sophisticated attackers can and will breach boundary defences and so these defences fall into the “necessary but not sufficient” category. If we accept that there will always be someone who clicks on the dangerous attachment, we need to be ready for what comes next. Of course, there are a multitude of tools, services and architectural approaches available to address the challenges of what comes next – detection, prevention, log capture and analysis etc. Some of the new emerging technologies using AI and machine learning promise very exciting possibilities around user behaviour analysis, network traffic patterns analysis etc. but determining where to focus limited effort and budget can be very difficult. Some thoughts below:
- Awareness – different to security awareness for your end users. What I am referring to here is more of an awareness for the senior decision makers in an organisation. It’s a difficult message but they need to know that you probably already have unauthorised, unwelcome and uninvited guests in your networks and systems. It is estimated that an attacker can be active within your environment for on average 229 days before being detected.
- Threat and Risk Assessment – What are the threats and what is the likelihood and impact of damage, theft or undetected modification of data and/or systems? Not all data is equal. We don’t care if someone steals the canteen menu, for example, but client data and intellectual property must be protected. Equally some systems are mission critical where others are less so. A thorough and honest appraisal of the risks helps to focus prioritisation and to develop appropriate mitigating controls. It’s also necessary to know where the critical data is, of course!
- Mitigating Controls – Once we have quantified the risks we can apply appropriate controls to mitigate/reduce them. Controls can mitigate risk by reducing the likelihood of occurrence, the impact or both. Our security mechanisms and services become targeted to the highest risks and our staff can understand the importance of the controls because they can see how they contribute to reducing risk. Security in depth provides synergy and becomes the norm as multiple different controls contribute to the overall strength.
- Continuous Measurement – As security improves, the attackers will adapt and the threat will change and evolve. The Risk Assessment needs, therefore, to be continuous and effectiveness of controls needs to be continuously assessed. These assessments need to be brutally honest and the organisation needs to be ready to adapt quickly to new and/or evolving threats
- Logging and Monitoring – most organisations are overwhelmed with the amount of log data that they collect and struggle to create meaningful alerts and dashboards that minimise false positives and allow security analysts to be directed by real anomalies and events worthy of further investigation. There are different technical approaches to address this but the context of the top-down threat analysis is important to help direct effort to add the most value.
- No Man’s Land – find owners for the parts of your systems that fall between infrastructure and the applications. Make sure it’s clear who is responsible for patching, software that is installed over the operating system and third party web applications, for example.
- Insider Threat – don’t forget the insider threat. We’d all like to think that our colleagues are all completely trustworthy and loyal to the firm. Most of the time, that’s true so in risk terms, likelihood is low. Impact, however, can be catastrophic
- Passwords – Regardless of the results of your risk assessment, passwords are a weak link. Even relatively strong passwords can be cracked and many large organisations have poor password discipline. Consider one time passwords and/or 2 factor authentications at least for any accounts with elevated privileges
- Near Misses – Record and thoroughly investigate the near misses. Encourage your staff to report mistakes, such as opening a phishing email. Don’t punish repeat offenders but use the incidents to learn what works and what doesn’t. The awareness training is still important. Many clients I work with execute regular simulated phishing campaigns backed up by immediate training if an employee clicks on a link. This is an excellent intervention to reinforce the message.
Organisations that take the time to thoroughly and regularly assess threats, quantify risks against a risk appetite and are honest about the weaknesses and inadequacies in controls will quickly start to see where investment needs to go toward a true strength-in-depth approach to security. Risk managers must work closely with technical security folks. Clear and robust risk management processes and measurement are key to ensure that investment is directed to the right places and continues to adapt.