In my last blog post, I introduced the topic of automation and how it can help improve security posture. In this post, we’ll be covering some of the risks automation can mitigate against.
Data Breaches and Cyber Attacks
A recent survey by ISACA on organization preparedness indicated that only 38% of businesses were confident they were prepared to respond to a cyber attack. With the advent of simple point-and-click cyber attack tools available to almost anyone, 2015 saw unprecedented levels of activity reaching over 1 million distinct attacks a day. These tools have also led to the creation of over 315 million malware variants. In 2015 alone, over 700 million records were exposed from a wide variety of businesses and industries.
2016 has also seen a massive increase of the use of ransomware (such as Cryptowall, CryptoLocker and Locky), which has meant the damage caused to businesses will be the greatest yet. In fact, 2016 has also seen much more targeted attacks with ransomware. The combination of older software, sensitive health data and the risk to life has meant that hospitals like Hollywood Presbyterian Medical Center are targeted more frequently.
According to both IBM and Verizon, the “human factor” can be attributed to 95% of all security incidents. These events can be anything from typos to mistakes in code to password re-use or sharing. Remediation measures for mistakes in configuration can take anywhere from a few minutes to several days to track down and fix. Additional risk can arise when too many configuration or patch changes are carried out or are not carried out in the correct order.
Bimodal IT, Mobility and Bring Your Own Device
The increased use of personal devices and the attempts of IT operations to support them and allow users the flexibility of choice has significantly increased the risk to organizations. These devices are typically unmanaged and are, therefore, not necessarily maintained, updated, or patched to the same level as if they were corporate devices. The wide range of devices also increases load on IT, as evidenced by an uptick in different operating systems, applications and issues.
What can you do?
- Automate endpoint security: Ensure that devices are built, rebuilt, upgraded and patched automatically.
- Automate tasks and processes: Wherever possible, automate common tasks and reduce human intervention, especially if the tasks are repetitive and time-consuming. Backups are an especially good candidate for this.
- Templates: Use standard script and configuration templates. The less a person has to do, the less likely mistakes will be introduced.
- Pre-certify: Before deploying patches, configuration updates, or any other change, validate it by testing it and using peer review.
- Define standard processes and security controls: Consistent processes and controls reduce the barrier to deployment and end user acceptance.
- System hardening: Disable USB ports, CD/DVD drives, and unnecessary user accounts and services. Limit access to those who actually need them.
- Administrator account: Rename or disable the administrator account. End users typically don’t need local administrator access, especially if you have a streamlined software request and deployment process.
- Security reviews: Perform regular security reviews and penetration tests. If you don’t have a dedicated security team, contract a reputable third-party.
- Maintain up-to-date inventory: Keep your device and software inventory up-to-date, identify unmanaged devices and manage them as appropriate. Classify and categorize devices based on importance and use. If a security event occurs, these are your initial priorities.
- Select the right tools: When evaluating IT security tools (or any tool for that matter), choose one that can work effectively within your environment and in collaboration with your existing tools and solutions.
Chris Young of Intel Security agrees that human analysts should let automation do more:
“We all can agree that in the landscape we operate in, not all threats are created equal. That’s why we need to give ourselves permission to stop going after every alert that comes into our Security Operation Centers with equal focus. Around 98% of these events are low priority – let’s trust automation to handle them. Instead, we should put our talent on the hunt after the two percent of alerts that are the real problem.”
By automating patch and configuration management and applying basic change management principle,s it is possible to significantly reduce the risks of mistakes happening and also reduce any potential attack surface. An attacker is much less likely to succeed against a well-managed and patched device.
The use of standardized processes that are easy-to-follow and verifiable will reduce the inconsistencies that occur through manual tasks. Additionally, the checks and balances (when implemented correctly) will mean that any potential mistake can be quickly identified and remediated.
By accurately inventorying not only knowing what you have and where it is but also its purpose and importance, you can effectively prioritize and defend your network, its devices and your data.
About the Author: Jonathan Schnittger is a Senior Software Developer & Team Lead at 1E, a Software Lifecycle Automation company. He is a Certified Secure Software Lifecycle Professional (CSSLP) and a full stack software developer specializing in enterprise grade .Net applications. Jonathan has over 15 years of experience in software development and has worked on a wide variety of applications from mission critical data center monitoring, agent-less inventory solutions, remote deployment software to large scale data warehousing.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.