How can we prevent cyber breaches and learn from past experiences and secure our companies better?

On LinkedIn yesterday, I saw an article from Greame McGowan titled "88% of employees lack awareness to stop cyber risks", which I must say I read with interest and which compelled me to write this article. 88% is an extremely high figure, and somewhere in the region of 70% of senior management also lack the awareness to stop these risks. Unless companies understand the major tactics and flaws that cyber criminals use, having the right security in place is easier said than done.

Every day there is so much reported on cyber crime, hackers and breaches via the media, sites like LinkedIn, security information sites, newspapers and TV from around the world, yet it appears that companies still don't know the challenges being faced or the mitigation techniques to use to be more secure from breaches. Everyone knows that data and IP are the main targets for the criminals, so what is being done to protect them, and why isn't the security in place enough to stop our systems from being breached? Hackers know all the techniques to use and the flaws that can be exploited to achieve their aims, and it appears that companies and organizations are still way behind. Once you understand what those flaws are, both external and internal, the job of deciding what protection is required becomes easier and can be controlled better. We know that the same tools used for penetration testing, password crackers for example, are also being used by the hackers, so if we don't find the flaws, holes and back doors, the hackers will. Penetration testing will find security vulnerabilities, flaws, risks and unreliable environments. In other words, penetration testing can be seen as a successful but not damaging attempt to penetrate a specific information system, mimicking the activities cyber criminals would engage in with the intention of compromising that system. Will this be enough though, and what about internal breaches from employees?

If companies understand all the major breach methods and forms and do more to secure the flaws and back doors being left open, then the entry points hackers use, as listed below, will make their attempts much more difficult. If you don't, it's not a question of if you will get breached, but WHEN.

So, what else can we do? Securing our companies becomes more difficult day by day and year after year, and the threats are getting harder to discover and mitigate. What we also need to remember is that cyber attacks didn't start just last week or last year; they have been around for many years now, and a great deal has been reported and explained about how the attackers actually managed to breach organizations. There is also a great deal of advice on the mitigation strategies, techniques and processes we can use to stop the hackers from getting in, so what are companies around the world doing wrong if tools and advice are available, even for free? Organizations that we would consider to be the safest on the planet, such as the US Military, the US Federal Reserve, the UK Home Office and the UK Ministry of Defence, to name just a few, have suffered breaches via external and internal resources. Hackers know that if one attempt doesn't work, they can look for another. As you read this article, hackers are searching the world for ports that have been left open, networks that are not secure enough, systems still using default passwords, easy-to-crack passwords, and web applications that are not secure enough to stop SQL attacks, buffer overflows, injections, Cross Site Scripting (XSS), security misconfiguration, Cross Site Request Forgery (CSRF), sensitive data exposure, and the list goes on. Why are hackers using these methods? Because they know many organizations have a whole number of flaws in place that allow them to. The same goes for DDoS attacks, which are increasing year on year, the last big one being the DNN attack.

How many cases have we heard of where, for example, an employee had his laptop stolen while still logged in and data was accessed, an employee lost a USB stick loaded with vital data that wasn't encrypted and was therefore accessible, or an employee stole company data by transferring it to a USB stick, an external hard drive or a DVD? Mistakes can be made, but what follows after they have been made is what shouldn't happen. Security flaws bring a potential breach of your company even closer. Hackers will also still manage to enter via email systems through social engineering, via web applications, via wireless connections, and so on; all are vulnerable targets. Companies around the world cannot keep on believing that technology alone can resolve these issues, because it can't, and mistakes will always be made somewhere unless more emphasis is placed on making sure all possible vulnerabilities and threats have been analysed, assessed, listed and monitored, and the doors closed constantly to make sure they will not be exploited by the hackers. Would you leave your car unlocked while you go shopping and trust that no one will steal it? Information security is the same: leave systems unlocked and someone will find that entry point.

Look at the most popular forms of attack hackers use to breach an organization. The most common ones include:

  • Web Application Attacks (according to SERT, 24% in Q2 2016)
  • Malware (19%)
  • Application Specific Attacks (19%)
  • DoS/DDoS Attacks (9%)
  • Reconnaissance (passive and active) (9%)
  • Others (20%), probably including the following:
      • Phishing Scams, Social Engineering
      • Buffer Overflow, SQL Injections, DDoS attacks
      • Password Hacking
      • Downloading Free Software
      • Fault Injection (also known as fuzzing)
      • Escalating Privileges
      • Key Logging
      • Trojan Horses
      • Exploiting Defaults
      • MITM (Man-In-The-Middle Attacks)
      • Wireless attacks including fake wireless access points
      • Watering hole attacks (for instance, most large companies have a local coffee shop, bar or restaurant that is popular with company employees. Attackers will create fake WAPs in an attempt to get as many company credentials as possible, or they will maliciously modify a frequently visited website to do the same. Victims are often more relaxed and unsuspecting because the targeted location is a public or social portal.)
      • Monitoring Vulnerability Research
      • Already being on the inside (insider attacks)

All of the above shows just how much companies come under attack by not securing their castle. What needs to be done here is to understand in more detail what these threats actually are, how they occurred and from where, their impact, and the mitigation techniques to prevent them occurring again.

Companies make mistakes with security, that is true, and financing that security is not always easy, especially as you never know how much budget should be in place. However, shouldn't we be trying to close the gap on the past mistakes made by other companies and organizations, working hard to bridge that gap and making it even more difficult for our systems to be breached? Yes we should. Knowing how those mistakes can be strategically resolved to protect companies is not simple, but the mistakes made should be rectified to prevent future security breaches. Most companies assume that once they have all the necessary security software and hardware installed they're protected; this is simply not the case, and cyber crime therefore will not be resolved.

Organizations have to look at how and what better protection strategies can be put into place to protect themselves, and this must include proper security training throughout the organization, not placed into the hands of a select few such as the Information Security Department. Imagine a battle or war: if you have fewer people and weapons to fight with than your adversaries have, the chances are you will be defeated. Cyber security is the same, so what price or cost do you put on protecting your company's assets from being breached? Senior management should be more involved in these decisions, and in my opinion, from what I have seen and heard on prevention methods, security controls, etc., companies should consider putting into place not just an IT department that deals with problems and handles the technical side, but a specific Cyber Security Threat Department that will include the analysis of all known typical security breaches, how they occurred, the impacts of those breaches on the organizations, and a complete checklist of internal security controls to see if similar occurrences can be prevented; this also includes internal threats. Companies and organizations simply do not have the resources, budgets or people with the relevant skill set in place today to safeguard against such huge challenges and prevent cyber crime, and that's why senior management need to be more aligned with information security and how both have to be aligned for success.

Internal security should also include training and awareness programmes tailored so that employees can see what can happen due to human error. One way to do this is through inoculation: planning a fake attack to test the security. When you plant attacks on the employees to test them, whatever the outcome, they are able to learn from their mistakes and will be less likely to make the same ones in the future; internal policies also need to be assessed periodically and changed according to the threats that occur. The hardest internal breaches to predict and secure against are those within the company's own networks. This happens a lot with ex-employees, disgruntled employees who feel they are being abused in their role, and those who are expecting a promotion and don't get it. Alarms should be in place to protect key assets such as data: if an unauthorized employee attempts to access vital data he or she has no right to access, then an alarm is set off to warn the security team, and it should be investigated immediately. There is DLP software which protects data from being breached: when data is accessed or transferred in high volumes or in a way that is out of the norm, the IT administrator is notified. IDP/IDS systems are also important to help spot unusual activity and the warning signs, and to help deal with those warnings in time!
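As an added illustration of the alarm and DLP-style monitoring described above (example code written for this page, not from the article; the log format, user names, allow-list and daily baselines are all constructed), this Python snippet raises an alert when a user touches a vital path they are not on the allow-list for, and when a user's cumulative daily volume climbs to several times their normal baseline.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the article): one record per file access.
SAMPLE_LOG = """\
2016-11-02T09:14:01 user=alice action=read resource=/hr/payroll.csv bytes=52000
2016-11-02T09:15:22 user=bob action=read resource=/public/handbook.pdf bytes=310000
2016-11-02T09:16:05 user=bob action=read resource=/hr/payroll.csv bytes=52000
2016-11-02T09:20:40 user=alice action=copy resource=/hr/payroll.csv bytes=52000
2016-11-02T09:21:10 user=alice action=copy resource=/hr/salaries.xlsx bytes=4800000
2016-11-02T09:22:33 user=alice action=copy resource=/hr/contracts.zip bytes=9000000
"""

# Hypothetical policy: users allowed to touch each "vital" path prefix, and each
# user's normal daily volume (what a DLP baseline would learn over time).
VITAL_PREFIXES = {"/hr/": {"alice"}}
DAILY_BASELINE_BYTES = {"alice": 1_000_000, "bob": 5_000_000}
VOLUME_MULTIPLIER = 5  # "out of the norm" = more than 5x the user's usual daily volume

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) resource=(\S+) bytes=(\d+)$")

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, action, resource, nbytes = m.groups()
    return {"ts": ts, "user": user, "action": action, "resource": resource, "bytes": int(nbytes)}

def detect(log_text):
    """Return (alert_type, user, detail) tuples in log order; one high_volume alert per user."""
    alerts, volume, volume_flagged = [], defaultdict(int), set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        user, resource = rec["user"], rec["resource"]
        # Rule 1: a vital resource touched by someone not on its allow-list.
        for prefix, allowed in VITAL_PREFIXES.items():
            if resource.startswith(prefix) and user not in allowed:
                alerts.append(("unauthorized_access", user, resource))
        # Rule 2: cumulative daily volume far above the user's baseline. An unknown
        # user has no baseline, so any volume at all is treated as out of the norm.
        volume[user] += rec["bytes"]
        limit = DAILY_BASELINE_BYTES.get(user, 0) * VOLUME_MULTIPLIER
        if volume[user] > limit and user not in volume_flagged:
            volume_flagged.add(user)
            alerts.append(("high_volume", user, f"{volume[user]} bytes today"))
    return alerts
```

On the sample log, bob's read of the HR payroll file fires the unauthorized-access alarm, and alice's third copy pushes her past five times her baseline and fires the volume alarm once.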

Many employers still allow employees to have access to external USB ports or CD/DVD drives. In this day and age, security measures should be taken to prevent employees using these drives, and if they are permitted, they should be monitored constantly against possible misuse. Access control should be revised on a constant basis.

Tony Harbon

Data Protection Officer at The Nuffield Trust

8 years ago

I still find an entrenched mentality of "We've got away with it so far" prevails in many organisations, especially amongst those who hold the purse strings. We are also finding however that the arrival of GDPR is starting to change things, primarily due to mandatory disclosure and the potentially greater cost of getting it wrong.
