Is it because Target is a $72 billion enterprise with 70 million card holders that it was breached? That probably had a lot to do with it, but that wouldn’t explain why a Boston restaurant chain with 10 properties was targeted last winter. Just as the attack on Fazio Mechanical Services opened the door to the Target Stores fiasco, the Syrian Electronic Army (no kidding) accessed the account credentials of a Melbourne IT reseller to capture DNS records for the New York Times, Twitter and The Huffington Post. It’s a tangled web.
Get used to it. Targeted attacks are the new normal, says Forrester, Inc. analyst Rick Holland in a new two-part report, Forrester’s “Targeted-attack Hierarchy of Needs.” The analysis is geared more toward large enterprises with many dedicated resources, big budgets, and a high degree of IT skills either on hand or readily outsourced. However, mid-market enterprises and smaller companies can take some valuable lessons from the report’s examination and recommendations.
We bring this to your attention because we believe Peak 10 serves the “whole customer.” Our services must be in lock step with customers’ strategic business and growth plans to be as valuable as they can possibly be. Peak 10 may directly contribute to only a portion of our customers’ business requirements, but our mission is to help make the entire entity successful.
Targeted attacks, as opposed to throwing a wide net, are skyrocketing. The two methods preferred by cyber snakes are phishing and watering holes. Phishing relies on tricking the unsuspecting to reveal confidential information by using email, social media, or attaching a malicious file. The watering hole strategy is used to compromise a trusted web site that, in turn, will infect the criminal’s actual targets when they visit the tainted site.
The Forrester report says that at least 78 percent of all attacks connected to state-affiliated espionage are launched using phishing. Any company large or small that handles proprietary formulations, produces parts for military contractors or that has similar attractive data caches can be targeted. Research universities with government contracts or bioengineering or robotics programs can be rich targets as well.
Zero-day attacks are another method. Think the Heartbleed bug. It’s called zero-day because that’s how many days you have had to fix a newly discovered flaw before attackers start exploiting it. Heartbleed was discovered; think how many others may be hiding in the shadows. For 68 percent of IT and security professionals, this is their greatest concern.
Simple Advice: Begin at the Beginning
No matter the size of the organization, you have to know where you are going in order to get there. Analyst Holland captures this well in his report:
“If you don’t have a sound security strategy, you might fail at responding to commodity threats, and you will certainly fail at responding to sophisticated attacks.
“Before we jump to buying advanced security solutions and services, we must first understand the enterprise architecture and inventory of sensitive data that we’re trying to protect. This understanding is foundational to all aspects of your operations.”
Beginning with tactics without a comprehensive and “living” security plan may have you guarding against threats in all the wrong places. Before getting to prevention, detection and response, you have to figure out precisely:
- How the security strategy aligns with the business strategy
- What you are defending and where
- What tools will work best and in concert with each other
A knee-jerk response to threats can leave you with a disparate collection of point products from multiple vendors. Throwing money at problems will yield poor ROI. Actively managing your security portfolio to measure effectiveness of current products and eliminate obsolete “solutions” can reduce your costs and improve overall performance.
Forrester advises that companies adopt a “zero trust” model; that is, eliminate discretion and assume that no one can be trusted inside or outside the organization. To do otherwise is to overlook vulnerabilities.
A sound zero-trust architectural model encompasses mobile devices and applications, social media use, third-party dependencies, and cloud services adoption. Ignore any one of these and “you will have no hope of detecting or responding to a targeted attack,” cautions the report.
Large companies – those with more than 1,000 employees – have difficulty finding and retaining qualified security staff. Mid-market and small companies will find it even more challenging to compete for these talents and skills as security grows as a priority concern in every corner of our economy and others. Engaging third-party assistance, regardless of an organization’s size, is practically inevitable.
Unless a function supports or directly contributes to the security team’s strategic mission, such as security architecture or incident response, consider outsourcing it. The cloud industry, for example, is responding to cybersecurity as a business growth opportunity. Few providers are as advanced as Peak 10, where security and compliance have long been core service differentiators. However, companies will continue to have more options to outsource commoditized functions and tactical services allowing them to focus on strategic issues and planning.
Ignore the Basics at Your Peril
Many attacks today are orchestrated and sophisticated, leading targeted organizations to mount counter-offensives more strategically and with a broader perspective on the totality of response required. Such has not always been the case.
Companies may have many point solutions accumulated over time from a range of vendors that sought to plug one vulnerability here and another there. Many of these “solutions” were response-driven. Integration between products was a happy coincidence. Are they still there? Is there a rickety substructure underlying a strategically constructed, cohesive portfolio of advanced security systems and services?
No cybercriminals worth their salt are going to battle through modern fortifications when there’s someone guarding the back door with a slingshot. Decade-old vulnerabilities pose little challenge as a point of entry.
The more egregious missteps, errors for which there really is no excuse at this late date, stem from a lack of attention to fundamentals. Forrester points out five in particular that make it easy for penetrators to win the day:
- No two-factor authentication for virtual private networks
- All users are local administrators on their workstations
- Using the same local administrator password for all workstations
- No egress filtering
- Lack of privileged account monitoring
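The five gaps above are the kind of thing a small audit script can catch before an assessor does. The following is an added example, not code from Peak 10 or from the Forrester report: it checks a constructed host inventory for the first four items (VPN without a second factor, every user a local administrator, one local administrator credential shared across workstations, no egress filtering) and then applies a minimal privileged-account monitoring rule to constructed logon records. The inventory fields, host names, account names and the key=value log format are all assumptions made for this example.

```python
"""Audit for the five fundamentals: inventory checks plus a privileged-logon rule.

All data below is constructed sample input; field names, hosts, accounts and
the log line format are assumptions for this example, not anyone's real data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed inventory. Hash values are stand-ins, not real credentials.
INVENTORY = {
    "vpn": {"mfa_required": False},
    "perimeter": {"egress_filtering": False},
    "workstations": [
        {"host": "ws01", "users": ["alice", "bob"], "local_admins": ["alice", "bob"],
         "local_admin_hash": "hash-A"},
        {"host": "ws02", "users": ["carol"], "local_admins": ["carol"],
         "local_admin_hash": "hash-A"},
        {"host": "ws03", "users": ["dave", "erin"], "local_admins": ["dave"],
         "local_admin_hash": "hash-B"},
    ],
}

# Constructed logon records in a simple key=value format (assumed, not a real product's).
LOGON_LINES = [
    "2014-05-12T09:15:00 host=ws01 user=alice type=interactive result=success",
    "2014-05-12T22:40:00 host=ws02 user=adm-ops type=interactive result=success",
    "2014-05-12T10:05:00 host=srv-dc1 user=adm-ops type=interactive result=success",
    "2014-05-12T11:20:00 host=ws03 user=adm-ops type=network result=failure",
]
PRIVILEGED_ACCOUNTS = {"adm-ops"}   # accounts that should only touch servers
SERVERS = {"srv-dc1"}               # hosts where interactive admin logons are expected

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"type=(?P<type>\S+) result=(?P<result>\S+)$"
)


def audit_inventory(inventory):
    """Return (finding_id, detail) tuples for the first four gaps, in a fixed order."""
    findings = []
    if not inventory["vpn"].get("mfa_required"):
        findings.append(("VPN_NO_2FA", "VPN accepts single-factor logons"))
    # Hosts where every interactive user is also in the local Administrators group.
    all_admin = sorted(w["host"] for w in inventory["workstations"]
                       if w["users"] and set(w["users"]) <= set(w["local_admins"]))
    if all_admin:
        findings.append(("ALL_USERS_LOCAL_ADMIN", ", ".join(all_admin)))
    # The same local administrator credential on more than one host: one
    # compromised workstation then unlocks every host sharing it.
    by_hash = defaultdict(list)
    for w in inventory["workstations"]:
        by_hash[w["local_admin_hash"]].append(w["host"])
    for hosts in by_hash.values():
        if len(hosts) > 1:
            findings.append(("SHARED_LOCAL_ADMIN_PASSWORD", ", ".join(sorted(hosts))))
    if not inventory["perimeter"].get("egress_filtering"):
        findings.append(("NO_EGRESS_FILTERING", "outbound connections are unrestricted"))
    return findings


def flag_privileged_logons(lines, privileged, servers, work_hours=(7, 19)):
    """Minimal privileged-account monitoring: flag successful interactive logons
    by privileged accounts on a non-server host or outside work hours."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        rec = m.groupdict()
        if (rec["user"] not in privileged or rec["result"] != "success"
                or rec["type"] != "interactive"):
            continue
        hour = datetime.fromisoformat(rec["ts"]).hour
        reasons = []
        if rec["host"] not in servers:
            reasons.append("interactive admin logon on workstation")
        if not (work_hours[0] <= hour < work_hours[1]):
            reasons.append("outside work hours")
        if reasons:
            alerts.append((rec["ts"], rec["host"], rec["user"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for fid, detail in audit_inventory(INVENTORY):
        print(f"{fid}: {detail}")
    for alert in flag_privileged_logons(LOGON_LINES, PRIVILEGED_ACCOUNTS, SERVERS):
        print("ALERT", *alert)
```

On the constructed data this reports all four inventory gaps (ws01 and ws02 share a local administrator credential and give every user admin rights) and raises one alert: the privileged account logging on interactively to a workstation late at night. The server logon at mid-morning is not flagged, which is the point of the rule: it alerts on where and when an admin credential is used, not merely that it was used.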
Note that threat prevention, detection and response – the top of Forrester’s pyramid in the hierarchy of needs – have not been discussed. Attacking those topics without first laying the foundation for success, beginning with strategy development, will produce a costly yet flawed defense structure.