1. POS Malware
As noted by Gabriel Ryan, pentester, CTF player and Offsec R&D, security incidents are rarely the result of a single, critical point of failure:
"Breaches happen when an attacker is able to leverage a chain of vulnerabilities across multiple distinct networks, applications, and system components. This means that from an auditor’s standpoint, simply identifying and remediating critical issues is not enough. Lower-priority findings and informationals are included in pentest reports because they could later prove to be the tipping point that leads to network compromise."
One such tipping point could be an organization's point-of-sale (POS) systems, as an actor could decide to infect those endpoints with malware. Acknowledging the threat of POS malware, Ean Meyer, an information security professional working in Central Florida, feels organizations need to cultivate trust with their suppliers on an ongoing basis.
"Partnership leads to efficiency, but it creates security challenges. Creating risk-based processes to evaluate third-party connectivity at regular intervals is crucial. These processes should align to your security policies for the third party to maintain access. Answering these questions isn't easy in a world of shadow IT. In larger organizations, answers become harder to find. However, as trust relationships get more complex, we must develop robust capabilities to maintain that trust."
2. Browser Vulnerabilities
POS systems aren't the only endpoints that attackers can infect with malware. On PCs and desktops, for example, an actor can exploit vulnerabilities in web applications to load up malicious code. All they need to accomplish that attack is a web browser and a well-crafted URI. To protect against actors that exploit browser vulnerabilities, Lori MacVittie, senior technical marketing manager at F5 Networks, feels organizations should take a balanced technical approach. Specifically, she acknowledges that it's just as important to scrub responses returning to the browser as it is to scrub requests sent from browser-based apps:
"Apps often need to display an e-mail address, but such data is generally returned in response to specific, known requests. Other requests returning such data should be considered suspect. Organizations should consider evaluation of HTTP responses for sensitive data like e-mail addresses and only return it when application logic dictates display. Doing so helps protect against vulnerabilities as well as logic errors that might expose data to unintended recipients."
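One way to apply that advice in code, as an added example that is not part of the original post or any F5 product: an outbound response filter that records every e-mail address it sees, and redacts them unless the route is one where application logic dictates display. The route allowlist and the sample response bodies are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Routes whose application logic legitimately displays e-mail addresses.
# Constructed sample allowlist; a real deployment derives this from the app.
EMAIL_ALLOWED_ROUTES = {"/account/profile", "/admin/users"}

# Deliberately simple pattern for the common shape of an address in HTML or
# JSON output. Tune it to the data your own application actually emits.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class ScrubResult:
    body: str                 # response body after filtering
    redacted: int = 0         # number of addresses masked
    findings: list = field(default_factory=list)  # every address seen

    @property
    def suspect(self) -> bool:
        # Sensitive data on a route that should not return it.
        return self.redacted > 0


def _mask(match: re.Match) -> str:
    # Keep the first character and the domain so triage is still possible.
    local, _, domain = match.group(0).partition("@")
    return local[0] + "***@" + domain


def scrub_response(path: str, body: str) -> ScrubResult:
    """Filter an outgoing response before it reaches the browser.

    Addresses are always recorded so the security team can review which
    responses carry them; they are only passed through unchanged when the
    route is on the allowlist.
    """
    route = path.split("?", 1)[0]          # ignore the query string
    found = EMAIL_RE.findall(body)
    if route in EMAIL_ALLOWED_ROUTES:
        return ScrubResult(body=body, redacted=0, findings=found)
    cleaned = EMAIL_RE.sub(_mask, body)
    return ScrubResult(body=cleaned, redacted=len(found), findings=found)
```

A result with `suspect` set is the signal MacVittie describes: a response that returned an address where the application never intended to, which is worth alerting on as a possible logic error or exploited vulnerability.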
3. Stolen Laptop
Not all IT security threats target endpoint software. For instance, an organization's information security could also suffer in the event an IT asset goes missing. Nothing nefarious even needs to happen. We are a mobile and informational society, after all; an authorized employee could jeopardize a company's data simply by misplacing a corporate laptop. Fortunately, there are things organizations can do to protect themselves against the threat of a stolen laptop or other misplaced IT asset. As noted by James Wright, Tripwire employee and U.S. Air Force veteran, companies should begin by implementing some key security control processes, including classifying all corporate data, enabling whole-disk encryption and maintaining an inventory of all endpoints. Wright recommends that companies also track all devices that come equipped with GPS:
"The tracking of GPS-enabled devices allows information technology staff members to locate lost assets to secure or erase them quickly. Check for any applicable laws, privacy, and regulations around using this with employee carried devices. As a tool, GPS can help IT gain visibility into the usage and misuse of company equipment."
Once organizations have mastered the basics, they can move on to more sophisticated defensive measures, such as investing in data loss prevention (DLP) technology. Chris Conacher, manager of security content & research at Tripwire, agrees that DLP can bolster the security of a company:
"If you want more assurance, Data Loss Prevention (DLP) solutions can ensure your customer records remain where you want them. If you enable your employees to do their jobs without moving customer information to mobile devices, then laptop theft will always be just that and only that. If you don’t, then you run the risk that it will always be so much more."
For added protection, Conacher suggests that organizations store customer information only in the datacenter. Doing so ensures all sensitive data stored by the company will never leave its protected space.
4. Phishing
It's no secret that people are the weakest link in an organization. Attackers are well aware of humans' fallibility, and they're more than willing to exploit that weakness to force people into doing something they wouldn't ordinarily do, like clicking on a suspicious link or sending their personal information to someone via email. That's the textbook definition of a phishing attack. Defending against phishing attacks isn't impossible. According to David Jamieson, account executive at Tripwire, it's all about making sure employees know their surroundings and stay alert for activity that's out of place:
"After I graduated from college (1983) and moved to Chicago, at a starting salary of $13,750/year, I didn't have a lot of choices in terms of neighborhoods I could afford to live in. I chose Uptown. It was a neighborhood in transition. One block would be full of nicely renovated homes. The next block over was a disaster. I learned to be careful in the neighborhood: what streets to use and not use at certain times of day, what side of the street to walk on, etc. I see phishing attacks the same way. If something looks at all hinky or suspicious, I alert our IT Security team via the 'Report Phishing' button in MS Outlook. I don’t answer calls from unknown numbers, and I remind my family to be careful, too. Trust your gut instinct. It will protect you, if you let it."
5. CEO Fraud
Not all phishing attacks end with a set of stolen credentials. Sometimes actors leverage a victim's stolen login information to launch secondary attacks. For instance, in a CEO scam, attackers target a C-level executive's business email. If the ploy proves successful, the actor abuses that unauthorized access to contact someone in the financial department and request a wire transfer to an account they control. Victims of this type of scam have sometimes lost as much as hundreds of millions of dollars. Technical solutions can't do much to protect organizations against a CEO scam. Luckily, the same cannot be said about secure processes. Bob Covello, infosec analyst at Security Cove, couldn't agree more:
"One of the best ways to thwart a CEO scam is by practicing the time-honored 'Two-Man Rule' that was developed at the dawn of the nuclear age. The key to making it work is that one of the two authorized individuals should be at the C-Level of the organization and have a direct line to the CEO. That way, when a fraudulent request arrives, the C-Level executive can directly contact the CEO for confirmation."
With the proper processes in place, companies can then direct their energy to empowering their workforce to spot a CEO scam and stop it in its tracks. David Shipley, director of strategic initiatives at the University of New Brunswick, feels employees' and executives' security awareness begins with the right training:
"Providing senior executives and financial department staff with timely cybersecurity awareness and education is vital. The best defense against social engineering is an informed and active community within the organization that's vigilant about social engineering threats and active in reporting these threats to the cybersecurity incident team."
Overall, processes and people are integral to an organization's ability to maintain a dynamic security culture that watches out for CEO scams.
6. Insider Threat
As much as we like to think every employee has an organization's best intentions in mind, it's just not so. For a variety of reasons, some people go over to the "dark side" and leverage their insider access to steal corporate information, plant malicious code, or engage in other nefarious activities. Many employees end up selling the data they steal, sometimes to a competitor company. How can organizations protect against insider threats? The answer is secure processes. For example, Tony Martin-Vegue, host of the Standard Deviant Security podcast, feels background checks belong at the top of that list of controls:
"The most effective defenses against the insider threat often start before the employee is hired. Background checks, credit checks, credential verification, and reference checks are very effective in weeding out people with criminal records or those with financial problems. Another effective proactive defense is performing a risk assessment on job roles that include the assets employees have access to and determining the impact if the employee causes a loss event. Employment requirements and pre-employment checks should be commensurate with the level of inherent risk the position has."
That's not all, though. Organizations also need to strike a careful balance between restricting and sharing information with employees in today's collaborative working environments. That's why Martin-Vegue feels companies should also give employees and executives the least number of privileges they need to properly execute their jobs:
"Every position – from the CEO to the cleaning crews – should be given access based on the 'least privilege' principle. This means that every employee should be given just enough access to perform their job duties – nothing more, nothing less. Teach every employee the concept of least privilege, security fundamentals, and the requirement to speak up if they see something suspicious."
Through those kinds of processes, organizations can begin to work with their employees to identify potential insider threats and address those situations before someone makes off with sensitive corporate data.