Do You Have the Right Focus?
Computer security defence is all about measuring risk and putting mitigating controls into place to decrease it. Do you have the right focus? Because most organisations don’t; and it has huge repercussions for their computer security. Roger A Grimes, data-driven defence evangelist at KnowBe4, explains…
There are myriad ways an organisation can be compromised by a cyber security attack. These methods include phishing, unpatched software, misconfiguration, insiders, eavesdropping, password attacks, physical attacks, and attacks through a relied-upon third party. More than 16,000 new software vulnerabilities are found each year, followed by potentially hundreds of millions of malware programmes trying to get onto an organisation’s managed devices – and that is not even counting every type of human adversary, from nation state to script kiddie, that is trying to break in.
Needless to say, there are a lot of things trying to compromise computer systems.
Armed Forces allegory
Most computer defences are like an illogical army. Imagine two armies, one good and one bad, fighting a long battle. The bad army is having great success against the good army’s right flank of battle. Despite this fact, the good army places additional resources on its left flank. The good army gets another report that the bad army is winning on the right flank of battle, so it places more resources in the centre of battle. They even hear of a possible attack from the air that may come one day, so they start building up defences in the middle of the battlefield vertically, just in case. They do everything except put more good resources on the right flank of battle. And then they wonder why they are continuing to lose the battle and the war.
No real army could function that way and win, but it’s exactly what most computer security defences are doing. Most computer security defences are put in place without thoughtful consideration of how big the threat the defence is supposed to mitigate really is, especially compared to other threats. Most defenders do not take the time to understand how they are actually being successfully attacked. Instead, when confronted with thousands of potential threats and risks, they throw up as many defences as they can everywhere – and no one can do everything well at once. This method leads to huge misalignments between threats and countermeasures, and ultimately it often allows the bad guys to be more successful than they otherwise would be.
How do you fix it?
First, focus on the root causes of all successful attacks against the organisation. If there is no focus on the true root causes of how malware or an attacker got into the organisation, the security risk will never decrease. The root causes include the methods listed above, like phishing, unpatched software, social engineering, etc. Notice that the list of methods does not include malware. That’s because malware isn’t typically the root cause problem. It’s how the malware got in that needs to be fixed. Every time a successful attack against the organisation is encountered (this includes any malware intrusion that got past defences, if even only for a few minutes), it’s imperative to find out the root cause of how it got in.
For example, if ransomware gets on a computer and the anti-malware programme didn’t immediately prevent and remove it, how did it get by the defences? Did it get by because some unpatched piece of software allowed it to silently infect a system? Did an end user get tricked into running a trojan horse executable by a phishing email or a compromised legitimate website? Why didn’t anti-malware software detect it right away and prevent it from being launched?
If the initial root causes of how ‘bad stuff’ gets onto devices and networks aren’t investigated, how are organisations ever going to stop the attackers? If they do identify the right root causes (say phishing or unpatched software), they will be stopping every malware programme and attacker that uses that particular root cause.
The world’s organisations do not focus on the right root causes, at least not in proportion to the size of each threat. For example, social engineering/phishing is responsible for more successful malicious attacks than any other attack method. It’s responsible for 70-90 per cent of all malicious data breaches. Some might argue about how big the percentage is, and it might be different for each organisation, but phishing and social engineering are always the top successful attack vectors used against any organisation. Yet almost all of those same organisations spend less than five per cent of their IT defence resources fighting social engineering/phishing. This is a huge misalignment, which is also the reason why attackers keep using it and why it is so successful.
Unpatched software accounts for 20-40 per cent of all successful malicious data breaches. That’s down from 70-99 per cent of all malicious data breaches – it held the number one spot until about five years ago, when phishing took over. It’s still the number two threat against most organisations, yet those same organisations spend less than five per cent of their IT defence resources making sure their software is properly patched.
All other threats together add up to less than ten per cent of the total risk, yet most organisations spend the bulk of their computer security defence money fighting them. It is a stark misalignment, which significantly increases the success of hackers and malware. I’m not asking you to believe me, even though I’ve got more than 32 years of cyber security experience and have written 11 books on the subject. Look at your own organisation’s experiences for how most malware and attackers got by your defences. It will probably be down to the two root causes I mentioned above. If it’s true – or whatever your top initial root causes for breaches are – you need to focus more on them and less on the others.
Figure out which root causes are responsible for the most SUCCESSFUL break-ins. Then put the right mitigations in the right places, in the right amounts, to fight the right things. It’s simple to say and understand, but much harder to implement in practice. Do you have the right focus?
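The method described above (record the initial root cause of every successful intrusion, tally which causes account for most break-ins, and compare that against where the defence budget actually goes) can be turned into a small data-driven check. The following is an added example, not code from the article or from KnowBe4; the incident records, the spend figures and the field names are all constructed for illustration. Note that it counts an intrusion that got past the first line of defence but was later contained, as the article says to, and that it tallies the entry vector rather than the malware payload.

```python
from collections import Counter

# Constructed sample incident log (not real data). "payload" is what the attacker
# delivered; "root_cause" is how it got in. Only root_cause is used for focus.
INCIDENTS = [
    {"id": "INC-001", "root_cause": "phishing", "payload": "ransomware", "outcome": "compromised"},
    {"id": "INC-002", "root_cause": "phishing", "payload": "trojan", "outcome": "contained"},
    {"id": "INC-003", "root_cause": "unpatched_software", "payload": "webshell", "outcome": "compromised"},
    {"id": "INC-004", "root_cause": "phishing", "payload": "credential_theft", "outcome": "compromised"},
    {"id": "INC-005", "root_cause": "misconfiguration", "payload": "data_exposure", "outcome": "compromised"},
    {"id": "INC-006", "root_cause": "phishing", "payload": "ransomware", "outcome": "contained"},
    {"id": "INC-007", "root_cause": "unpatched_software", "payload": "cryptominer", "outcome": "contained"},
    {"id": "INC-008", "root_cause": "phishing", "payload": "trojan", "outcome": "compromised"},
    {"id": "INC-009", "root_cause": "unpatched_software", "payload": "ransomware", "outcome": "compromised"},
    {"id": "INC-010", "root_cause": "phishing", "payload": "trojan", "outcome": "compromised"},
    # Blocked at the perimeter: never got past defences, so it is not a successful break-in.
    {"id": "INC-011", "root_cause": "password_attack", "payload": "none", "outcome": "blocked"},
]

# Constructed share of the IT defence budget, in per cent, by the root cause it mitigates.
DEFENCE_SPEND = {
    "phishing": 5.0,
    "unpatched_software": 5.0,
    "misconfiguration": 30.0,
    "physical_attack": 20.0,
    "third_party": 20.0,
    "password_attack": 20.0,
}

# Anything that got past the first defence, even briefly, counts as a successful break-in.
SUCCESSFUL_OUTCOMES = {"compromised", "contained"}


def root_cause_share(incidents):
    """Per-cent share of successful break-ins attributed to each root cause."""
    counts = Counter(i["root_cause"] for i in incidents if i["outcome"] in SUCCESSFUL_OUTCOMES)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {cause: round(100.0 * n / total, 1) for cause, n in counts.items()}


def misalignment(share, spend):
    """Risk share minus spend share per root cause.

    Positive = under-resourced relative to how often it lets attackers in;
    negative = over-resourced relative to observed risk.
    """
    causes = set(share) | set(spend)
    return {c: round(share.get(c, 0.0) - spend.get(c, 0.0), 1) for c in causes}


def priorities(incidents, spend):
    """Root causes ranked from most under-resourced to most over-resourced."""
    gaps = misalignment(root_cause_share(incidents), spend)
    return sorted(gaps.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for cause, gap in priorities(INCIDENTS, DEFENCE_SPEND):
        label = "under-resourced" if gap > 0 else "over-resourced"
        print(f"{cause:<20} gap {gap:+6.1f} pts  ({label})")
```

Run against your own incident records, the ranking is the list the article asks for: the causes at the top are where more mitigation belongs, and the negative entries at the bottom are where budget is fighting threats that are not actually getting in.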