Patching, security training programs and password management will thwart attacks more effectively than anything else. You’re already doing them. Here’s how to do them better.
An average of 5,000 to 7,000 new computer security threats are announced each year. That’s as many as 19 every day. The rate at which new threats appear make it difficult to decide which ones require your attention. It might surprise you that, while your competitors waste money on high-tech, expensive, and sometimes exotic defenses, you can get far more value by concentrating on just three things you already do. You can spend less money and nothing you do otherwise will provide a better defense.
The three things you need to do better are not a secret. You already know you need to do them. You know from your own experience that what I’m saying is true. The data in favor of doing them is overwhelming. Still, most companies don’t do them well enough.
Change your security focus
Most computer security defenders focus on the wrong things. They focus on specific threats and what they did after hackers broke in, not how they broke in. There may be hundreds of thousands of unique software vulnerabilities and hundreds of millions of unique malware families, but they all share about a dozen different ways that they initially exploited an environment, including:
- Unpatched software
- Social engineering
- Password attacks
- Physical attacks
- User errors
- Denial of service
Focusing on and reducing these root exploitation causes will help you significantly defeat hackers and malware.
If you want to minimize computer security risk the fastest, identify the biggest root exploitation causes in your company that allow threats to do the most damage to your environment. Stop the biggest root cause and you stop every threat that uses that root cause.
So, what are the biggest root exploitation causes in most environments? Unpatched software, social engineering and password management.
Without a doubt, these root causes are responsible for the most successful and damaging attacks in most companies and have been for decades. One of these root exploitation methods has likely been behind any big attack that has made news in the mainstream media. In my experience, when a company of any size or even the military suffers a big attack, it’s can be traced to one of those root causes.
Your company’s experience may vary, and if it does, you can ignore this article. For the rest of you, keep reading.
Assess your security vulnerability within Salesforce – there is no inherent virus scanner included. Download the assessment script here>>
Better software patching
Both hackers and malware look for unpatched software as a way to break into an environment. They prefer unpatched software as an attack vector because it requires a minimum of end-user involvement. The hacker can attack network computers and services looking for unpatched software, compromise them, and then move on to further internal targets, if necessary. Or they can try to trick a user into opening an email or visiting a website that attempts to exploit an unpatched vulnerability.
Sure, attackers sometimes use software exploitations for which no vendor patch is available (zero-day exploits), but only a few dozen known zero-days are used in a given year compared to the thousands of publicly known exploits. In any case, it’s very difficult to prevent a zero-day attack and you would be far better off concentrating on the much larger, persistent threat. You don’t know if your company will ever be exploited by a zero-day attacker, but it will be attacked many times by threats looking to exploit unpatched software.
The key to driving down security risk the fastest is to concentrate on the highest risk software programs on your highest risk computers. Most companies try to patch every software program (and there are hundreds of thousands of unique programs) with the same effort. This approach is bound to fail. It’s a numbers game of applied effort times the number of devices and software programs you have to patch.
There is a big difference between the most unpatched programs in your environments and the most likely to be exploited software programs. If you can understand that difference, then you understand this recommendation perfectly.
For example, for many years the most unpatched program on a Microsoft Windows computer was Microsoft Visual C++ Runtime Library. It was a program library that was redistributed with many third-party programs. Even though it was the most unpatched program, it was rarely exploited by attackers or malware. Why? Because it wasn’t easy to exploit. It could be located in hundreds of thousands of different folders and usually wasn’t advertising itself in a way that would make it easy to exploit. The same could be said for probably 95 percent of your installed software programs. They may be unpatched, but they aren’t often exploited.
Instead, other popular unpatched programs like Sun/Oracle Java, Adobe Acrobat, and internet browsers, which were in consistent locations and easy to exploit, became the go-to exploitation targets. On servers, web server and database server software became the go-to targets. For that reason, you are far better off trying to perfectly patch internet browser-related software on end-user computers and advertising services on server computers.
Look at your patch management program. Does it prioritize the highest risk programs over everything else? Do you accept a 99 percent or lower patch rate for your highest risk programs? If so, why? Do you even know what your highest risk programs are? What software programs are used to exploit your company the most? Does your patch management program include hardware, firmware and mobile device patches? These are questions that need answers to deliver a stronger computer security defense.
Better and more social engineering training
Another best defense you can implement isn’t software or a device. It’s training. For as long as computers have been around, social engineering threats, usually through internet browsers or email, has been in competition with unpatched software as the leading cause of most root exploits. Most of the biggest hacker attacks I’ve been involved with have involved social engineering elements, especially the ones that had the most lasting damage.
Social engineering hackers are famous for talking end-users out of their passwords and for allowing the hacker or malware to gain privileged access to sensitive resources. Users often mistakenly run Trojan horse programs or provide their logon credentials to fake emails and websites. Social engineering is so successful that many computer security defenders refuse to believe that more and better social engineering training is the answer, but it is!
Study after study shows that providing employees with awareness training, no matter how you do it, makes them less likely to be tricked by social engineering methods. Sadly, most companies do very little security training, often less than 30 minutes a year.
I was involved in a case study where two sets of employees were given social engineering training. The first “control” set was given the standard, mandatory 30-minute video. The second group was given two hours of training with a focus on the most common social engineering attacks the company actually faced. Both groups were then tested by fake social engineering campaigns every two months for a year.
The results? It wasn’t even close. The group given more training learned so well that not a single employee was tricked by the fake social engineering campaigns for more than six months, and they were far more likely to report real social engineering attempts than the control group.
I’m not sure exactly how much social engineering training should be given to employees, but I’m sure it’s more than 30 minutes a year and is probably measured in hours per year. Those hours don’t have to be all at once and training should be repeated at regular intervals and customized to match the type of real social engineering campaigns your company is seeing.
Beef up your password management
For a long time, I recommended focusing on the first two popular avenues of attacks. Now it’s time to add a third: password management. In the past I said that worrying about password hygiene was a waste of time because of the incredible domination of social engineering and unpatched software. And it was.
Password hackers moved on from password guessing and cracking to pass-the-hash (PtH) attacks where the attackers gain access to the password hash databases. PtH attacks went from a theoretical attack to a serious real world problem in 2008 after Hernan Ochoa published his PtH tool kit. Within a year or two, PtH attacks went from nothing to complete domination. For nearly a decade I wasn’t involved in a forensic investigation of an organization hack that didn’t involve PtH attacks.
I couldn’t get excited about stopping PtH attacks as a cause célèbre because PtH is a post-exploitation technique, after the attacker already had local or domain admin control of an environment. The problem wasn’t PtH attacks. It was the fact that the hackers already had total admin control. I’m much more interested in stopping initial exploitation causes than post-exploitation techniques, because if you don’t concentrate on how they first get in, you’re never going to stop the bad guys.
That’s the exact reason why password management has to be added to the list of what your organization needs to be worried about.
Your organization’s passwords are likely everywhere. I’m not even talking about the 773-million-record data breach that Troy Hunt revealed last week. The Privacy Rights data breach database says there are over 11 billion known stolen records.
The realization of this fact changed me. If your passwords are everywhere for any hacker to see, it becomes an initial exploitation problem. The only safe thing to do is to create truly unique passwords without an overall pattern for every website. To do this, you’ll need to either write them down (and look them up each time you need to use them) or use a password manager program.
There are some problems with password managers, the biggest of which is the fact that if your computer becomes compromised (not something you should bet against), the attacker can get all your passwords to all sites at once. As password managers become more popular, hackers will just target them more often.
The only solution to passwords is to get rid of them, which the world is working on. The most viable replacements for passwords, multi-factor authentication (MFA) and multi-variable behavioral analytics, have their own issues, but hackers can’t simply look up a way around them in a database.
Here’s what I recommend for handling your passwords:
- Change all passwords that you haven’t changed in the last few months to non-pattern passwords.
- Implement MFA on your most critical accounts if you can.
- Make sure all passwords are unique for each website.
- Proactively check password data breach services like Troy Hunt’s HaveIBeenPwned or BreachAlarm, or use a free enterprise tool like KnowBe4’s Password Exposure Test to check all organization passwords at once. (Disclaimer: I am employed by KnowBe4.)
- Consider a password management tool that automatically checks to see if any of your active passwords match one stored in a known password database.
If your password is compromised, change it. If it got compromised, understand why it got compromised. Was it something completely out of your control, or did you fall for some phishing scam that tricked you out of it?
Understanding and acting like most of the world’s passwords are out there available for other people to see is an important third act that should be added to every top defense. Social engineering and unpatched software are still the top successful methods for data breaches. Continue to concentrate on those, but everyone’s password being out in the world is only going to allow hackers easy access even when those other two attack types are closed.
Columnist, CSO | JAN 23, 2019