It’s clear that security is now a boardroom concern: from companies like Target taking a big earnings hit and ousting its CEO, to J.P. Morgan talking publicly about doubling their cybersecurity spending to $500 million annually. This explosion in interest notwithstanding, it’s worth asking the question: Are we spending money on solving the right problem? Or is there a way to drive better security, not just more?
While the media and security talking heads may claim that these breaches are due to sophisticated or nation-state attackers like China, their actual execution is usually quite simple in nature. Basic phishing and other credential theft attacks have not only been the initial entry vector to these companies but they have also provided attackers with the ability to move laterally within an organization and reach their eventual target.
Attackers will send an email that looks like it’s from a legitimate organization; the link will take the victim to a fake site, often with a familiar-looking domain name, and get them to enter a username and password. All it takes is one user giving up his credentials to hand the hacker the ability to gain access to other systems within the company.
Phishing attacks can be pulled off by just about anyone who can create a website; it doesn’t require nation-state funding, advanced exploitation capabilities, or armies of trained cyber warriors. A bored teenager can get all the tools needed to dupe users into revealing usernames and passwords.
When strong authentication isn’t present, it’s expected that attackers will take advantage of that and find the path of least resistance. This is pretty clear in the J.P. Morgan incident where stolen credentials were used to access a single server that was lacking some basic protection. From there, the hackers were able to unleash malicious programs into J.P. Morgan’s corporate network, silently siphoning off gigabytes of information including customer account data.
You’ve heard the acronym APT for Advanced Persistent Threat. We like to refer to APT as “Average Phishing Technique.” The Sony Pictures breach by a state-sponsored North Korean cyber army could have just as easily been done by a malicious actor with basic infosec knowledge and tools on hand.
This is the sad state of the security industry. While it’s interesting to consider where the threat came from (was it a nation-state or just a group of Seth Rogen haters?), the more important question is as follows: How many other companies have security no better or worse than Sony Pictures?
My guess is there were a lot of CIOs looking in the mirror that morning realizing their own security precautions could use some basic improvements.
There’s always a lot of hand-wringing when there’s a big breach. Who could expect any corporation to stand up against some kind of carefully formulated attack by a nation-state? But the reality is that who is doing the hacking matters much less than how they are getting into these systems.
Maybe the security industry focuses more on the “who” to deflect from the fact that a lot of crazy expensive security investments aren’t that effective in blocking breaches, even when these breaches are not terribly sophisticated.
Blaming some mysterious, well-funded hacker in the shadows lets CEOs and CIOs off the hook when in some cases they’ve left their back door wide open and a key hidden in a plastic rock on the porch. The reality is that the majority of the big headline security breaches have happened when someone has used stolen credentials, meaning the username and password.
The real challenge is that millions of businesses don’t have a $500 million security budget, can’t afford to purchase and operationalize a litany of best-of-breed security products, and can’t hire enough top security talent to defend their organizations. They face the same attacks and adversaries as the big guys.
While companies like Sony, Target, J.P. Morgan, and Anthem may hurt in the short term, they will rebuild, recover and revisit their security strategy to continue their operations in the long term. But if you’re not a JPM-scale company, you may risk having your business effectively wiped out.
So, what can small businesses do? It’s a back-to-basics approach: strong, unique passwords (yawn) and two-factor authentication (old-school). It’s security hygiene: effectively washing your hands frequently, rather than investing in expensive hazmat suits, to prevent illness.
Earlier, I asked if there is a way to drive better security, not just more. The answer is yes. If an organization simply adds more security, the people within it might find that they need to jump through hoops just to get their work done; they will subsequently revolt and figure out ways around a security precaution.
The secret to success, however, is implementing security that’s so easy to use that people actually use it (maybe even like it), which, in the end, is the only way any security program can work.
About the Author: Steve Manzuik (@hellNbak_) is the Director of Security Research at Duo Security’s Duo Labs (@duo_labs) where he is responsible for our team of crazy researchers. Steve brings over 20 years of Information Security experience including roles at various product companies, consultancies and research teams.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.