Remember HeartBleed – a security bug in the OpenSSL cryptography library that affected half a million sites in 2014? Six years on, and it’s still being exploited. In fact, according to NTT Ltd’s 2020 Global Threat Intelligence Report (GTIR), continued attacks against a vulnerability leveraging HeartBleed have helped make OpenSSL the world’s second most-targeted software technology, with 19 percent of hostile activity.
While adversaries are increasingly innovating in the areas of AI, machine learning and automation, many vulnerabilities that are several years old – and which have patches available – are still being actively targeted on a large scale.
Cyber criminals also continue to employ phishing tactics, which have been around since the 1990s, to deliver malware to commit fraud or access an organisation’s network. Vulnerability scanners are the most commonly detected malware component, comprising 21 percent of all malware activity. A new angle for this year is hackers using the COVID-19 pandemic as a lure with, sadly, great success. Tactics include websites posing as ‘official’ information sources, but which host exploit kits or malware, and attacks which hijack router DNS settings via weak or default admin passwords.
Old vulnerabilities remain a prime target
There’s a good reason hackers replay their ‘greatest hits’ time and time again. It’s because they still work.
In many cases, the same old vulnerabilities are there because they’re not being addressed by patch and configuration management programmes. Cyber-attackers are also on the look-out for poor practices around network, operating system and application configuration, testing, security controls, and overall security hygiene.
Another potential weak spot is a failure to educate employees in the basics of cybersecurity awareness, which could have a devastating impact when entire workforces are operating outside the ‘safe’ perimeter of office security controls.
Organisations must defend themselves by taking a proactive approach to cyber security, and building their cyber-resilience.
Building cyber-resilient capabilities
Cyber resilience is the ability to continuously deliver products and services if the organisation is hit by a cyber-related event that impacts normal operations. It equips the business to prepare for, prevent and respond to attacks – and successfully recover to a secure state.
To achieve cyber-resilience, security must be considered a core business function, designed to protect resources and mitigate risk. organisations needs to follow a ‘secure-by-design’ approach– with cyber security solutions and processes embedded in the fabric of the business, built in from the outset rather than bolted on.
Defining, building and managing a new active security programme is never a simple process. Focusing on these core areas will help you design the appropriate infrastructure and overarching strategy.
Identify and map risks to critical assets
Effective cyber-resilience is not about deploying individual technologies to address specific threats, but identifying vital assets and how current security measures relate to them.
Determine the data, infrastructure, people, intellectual property, services and applications the organisation needs to protect. What information and capabilities are most important? What are the systems that support these? How will the organisation and its customers use them?
Evaluate your organisation’s current state of cyber-resilience, and determine your desired future state.
This must involve establishing the current capability to detect and respond to cyber events. Understanding this will also help you identify the level of acceptable risk for the organisation.
Understand your organisation’s goals
Security should be a key tenet of the overall business strategy. In turn, the security strategy must be aligned to what the business wants to achieve, as well as to its risk-tolerance. This will also help secure the proper leadership buy-in and support.
Armed with information about the current and desired future state, you can define a comprehensive security programme which includes policies, development controls, processes, technologies and training, as well as components of network design, application development, and deployment.
Secure the foundation
Get the basics right first, then build additional capabilities. This should involve fostering the optimal security mindset, with an awareness among all employees that they have a role in the success of the security programme.
Ensure proactive defence and adaptive response capabilities are well architected and implemented
Determine the organisation’s response should an event occur, and set out a plan for minimising the time it takes to recover from a cyber event.
Embrace the applied intelligence approach
An intelligence-driven cyber security posture enables businesses to be agile in the face of a changing threat landscape and technology ecosystem. To maintain an acceptable risk level, a reactive mindset must be transformed into a more proactive approach that involves continuous monitoring of the threat environment.
Design, build and deploy solutions that are secure-by-design.
This means having security front of mind when designing business solutions. Security best practices must be considered and built into policies, procedures, infrastructure, and applications. There should also be appropriate visibility into – and control over – all components.
Re-educate all employees in policies, procedures and acceptable practices
As organisations change, they must effectively communicate new business and security rules and processes. In turn, staff must clearly communicate roadblocks to effective collaboration and workflow.
Continue to emphasise good security hygiene
Prioritise the timely application of patches and updates, especially in the environments you rely on most. Make sure you’re running the latest versions, and monitor continually for updates. Good backups are crucial, and even greater emphasis should be placed on end-point control, including appropriate antivirus software.
Draw on Managed Security Services (MSS) support if your in-house security team is small, and encompasses multiple roles that are not consistently focused on cyber security.
Measure your security capabilities – and adjust your priorities based on insight from reporting, metrics, and validation processes.
In a chaotic world, businesses are at increasing risk of becoming a victim of cyber crime. They must be ready for anything – making certain they’re cyber-resilient by implementing the security elements that will protect the business, and maximising the effectiveness of secure-by-design initiatives. Cyber criminals will continue to look to gain from any situation, and old vulnerabilities will remain an active target for as long as they work.
Author: Azeem Aleem, Vice President, Cyber Security Consulting, NTT Security