Seven Critical Adjustments Needed To Improve Most Cybersecurity Advice

I have been in the cybersecurity industry for over 35 years and I am the author of 14 books and over 1,400 articles on cybersecurity. I regularly speak with thousands of cybersecurity practitioners each year. Nearly every day I see good cybersecurity advice that falls just a bit shy of what is needed, such as “Use MFA!” That is good advice, but it is not specific enough; it lacks the detail that gets you the most benefit. In this blog, I cover seven bits of cybersecurity advice that I see all the time and that need some fine-tuned adjustment.

Focus More on Initial Root Causes

If you want to stop someone from breaking into your house over and over, you need to focus more on how thieves get in (e.g., doors, windows, walls, roofs, garage, etc.) and less on what they do once they are in. If you do not close the entry points, only what they take will change over time.

In cybersecurity, there are 13 root (initial access) hacking causes. They are:

· Social Engineering

· Programming Bug (patch available or not available)

· Authentication Attack

· Malicious Instructions/Scripting

· Data Malformation

· Human Error/Misconfiguration

· Eavesdropping/MitM

· Side Channel/Information Leak

· Brute Force/Computational

· Network Traffic Malformation

· Insider Attack

· Third Party Reliance Issue (supply chain/vendor/partner/etc.)

· Physical Attack

Every hacking and malware attack I have seen over my 35-plus years in the cybersecurity industry falls into one of these categories. Different organizations use different categories and descriptions, but I have spent over 20 years seriously analyzing hacking root causes and I know I have the best list. Still, take any root initial access hacking classification list and use it to assess risk and risk mitigations.

A lot of people focus too much on hacking outcomes, such as ransomware, credential theft, or exfiltrated confidential information. Outcomes do matter, especially for the damage and cost assessment portion of risk management, but if you want to stop cybercrime and lower risk overall, focus more on initial root causes.

It can be hard, especially if you are not in the cybersecurity field, to tell the difference between initial root causes and the outcomes of initial root causes. Many organizations and reports in the cybersecurity industry get it wrong. A common example is listing phishing alongside ransomware or malware as if all three were root causes. Phishing is an initial root cause; ransomware and malware are the result of one.

When I want to tell a root cause from an outcome, I ask whether the sudden disappearance of the thing under consideration would also stop other outcomes. For example, suppose phishing is removed as a root cause: one day it is simply no longer possible, perhaps because after all these decades we have finally discovered the perfect technical defense.

That would be a great thing, and its disappearance would mean that everything that can be accomplished by phishing (e.g., ransomware, business email compromise scams, password theft, wiperware, extortion, data exfiltration, etc.) would no longer be possible, at least not via phishing. When you wipe out a root cause, everything that root cause could be used to do goes with it.

But let’s consider ransomware. If we could wave a magic wand and make ransomware suddenly go away…maybe some antivirus program finally detects all ransomware…well, that only solves ransomware. If we do not close the entry holes that allowed ransomware to get into an environment (e.g., social engineering, unpatched software, etc.), then the hackers will just use those holes to do something else (e.g., steal passwords, data, wiperware, etc.).

If I do not close the ways that thieves are using to break into my house, even if I protect my furniture and dishes, they will just steal the television and car keys.

Focus on initial root causes when trying to lower overall risk. Nothing else matters as much.

Related book: https://www.amazon.com/Data-Driven-Computer-Defense-Should-Using-ebook/dp/B0BR8FQLWK

Focus More on Social Engineering and Phishing

Social engineering, most often accomplished through email phishing, is involved in 70% to 90% of all successful data breaches (https://blog.knowbe4.com/social-engineering-number-one-cybersecurity-problem ). No other initial root hacking cause is as involved in successful hacking. Nothing else is even close. This is not new. It has been this way since the beginning of computers.

Social engineering is a malicious person or group posing as a person, organization, or brand that the recipient would otherwise trust, in order to induce the victim to perform an action against their own interests (or those of their company). It is a scam.

If this one initial root hacking cause were completely eliminated, it would remove 70% - 90% of the risk in most environments. Yet the average organization spends less than 5% of its IT/IT security budget on it. It is this long-standing misalignment between how we are most successfully attacked and how we choose to defend ourselves that allows hackers and malware to be so successful long-term. Hackers enjoy that we do not know how to focus appropriately.

Nearly everyone is complicit in not focusing enough on preventing social engineering and phishing. Ask yourself if your current anti-social engineering training is enough considering the vast majority of successful attacks will use it. Probably not.

Note: The next highest initial root cause of hacking is unpatched software and firmware, which is involved in 33% of successful hacking (https://www.action1.com/patching-insights-from-kevin-mandia-of-mandiant/ ). The two are often combined in the same attack. No other root initial access hacking cause comes close to social engineering and unpatched software. Every other cause added together accounts for 1% - 10% of the risk in most environments.

More and More Security Awareness Training

The long-term, ultimate defense against social engineering is some technical defense (or combination of technical defenses) that prevents social engineering from reaching end users at all. Nothing beats blocking the ill-intended message before it reaches its intended victim, instead of letting it through and hoping they make the right risk decision.

I first heard that someone had figured out a way to defeat all social engineering and phishing back in 1990. I still see some companies making the same claim every year. And yet, social engineering is an even bigger threat today than ever before. Despite decades and billions of dollars spent fighting social engineering (using content inspection filters, antivirus, DNS checks, etc.) by thousands of companies, including the biggest and best-resourced companies (e.g., Microsoft and Google), millions of social engineering messages still end up in users’ inboxes and on their phones.

One day, someone might invent the perfect social engineering defense, but the world has been waiting a long time. I have come to the conclusion that social engineering and phishing are like real-world crime. You will never get rid of it completely. The best you can do is contain it and minimize it. But so far, after three decades, we are nowhere close to defeating social engineering and phishing.

When I state that 70% - 90% of all successful hacking comes from social engineering and phishing, realize that this counts only the attacks that got past every other defense-in-depth technical mitigation. It does not look likely that any technical defense is going to put a significant dent in the number of successful social engineering and phishing attacks anytime soon. Right now, it is not even close. It is a contagion.

Because our technical defenses are absolutely not working, we need to better train the end users who are getting these social engineering messages on how to better spot social engineering, how to defeat it, and how to appropriately report it (if in an enterprise situation).

And once-a-year training does not work. Once-a-year training is almost like not doing any training. I worked with my employer, KnowBe4, to get the data (https://www.knowbe4.com/press/knowbe4-analysis-finds-security-awareness-training-and-simulated-phishing-effective-in-reducing-cybersecurity-risk ) to prove that the more training and simulated phishing a company does, the lower the risk of someone in the organization falling victim to an online scam. We have over a decade of data from over 60,000 different customers with over 400 million data points. No one has more data on this than we do.

We recommend a longer security awareness training (SAT) session when employees are hired (say 15-30 minutes), and a similar longer session once a year thereafter. Then, we believe that SAT should be at least monthly, although shorter in duration (say three to five minutes). Simulated phishing campaigns should be conducted at least once a month, although the organizations with the lowest social engineering cyber risk conduct phishing tests at least weekly. Recipients “failing” a simulated phishing test should be given more training.

Considering that social engineering and phishing are the top threat to most organizations, there is even a growing push for what is known as continuous training. This essentially says that cybersecurity training should be as frequent as needed, and that more frequency is likely needed, as evidenced by how badly we are doing against social engineering today.

CISA even called out (see image excerpt below) continuous cybersecurity training in one of their latest cybersecurity warnings, regarding a Chinese nation-state threat called Volt Typhoon (https://www.cisa.gov/sites/default/files/2024-03/Fact-Sheet-PRC-State-Sponsored-Cyber-Activity-Actions-for-Critical-Infrastructure-Leaders-508c.pdf ).

CISA is recommending all types of cybersecurity training, of which, anti-social engineering training (formally known as security awareness training or SAT), is only one type. Other types of cybersecurity training include teaching people how to correctly deploy, configure, and operate cybersecurity hardware and software defenses. It also includes teaching people the basic security tenets, such as least privilege and defense-in-depth. It, too, must include training people in how to recognize, mitigate, and correctly report social engineering attacks.

If your cybersecurity policies will be satisfied with a single instance of cybersecurity training, then you are doing “checkmark” compliance and not truly best reducing cybersecurity risk.

How much is needed? Again, there is strong evidence to say the more the better. We believe training should be annual and monthly (at least). You can get away with quarterly training, perhaps, but ensure that simulated phishing tests are conducted at least monthly or more frequently.

Note: KnowBe4 sees early evidence that (good) simulated phishing testing is even better for cybersecurity training, than formal training with videos and lectures. The best cybersecurity training program involves both formal training and simulated phishing campaigns, but if you have to choose one, choose simulated phishing.

More Spear Phishing Training

Spear phishing is a focused, targeted phishing attack that attempts to exploit a specific person, position, team, organization, or group. It often uses non-public information learned about that person or group. For example, a phisher may learn that the IT group of a particular company is installing new payroll software and then pose as the new vendor asking for payroll information to help a future migration go smoothly.

According to Barracuda Networks (https://www.barracuda.com/reports/spear-phishing-trends-2023 ), while spear phishing emails make up less than 0.1% of all emails sent, they are responsible for 66% of all breaches. Look at that sentence again and take it in.

It means one hacking method is responsible for two-thirds of all successful breaches!

Unfortunately, most organizations do phishing training using the same generic phishing templates, which do not contain any non-public information and do not include messages targeting a specific person or group. It should then come as no surprise that organizations are falling victim to spear phishing attacks far more regularly. How can we expect people to respond appropriately to spear phishing attacks if we are not educating and training them against those specific attacks?

We cannot.

So, when you do security awareness training, make sure the methods or tools used are capable of simulating real-world spear phishing attacks that could occur against their organization. If you want to best reduce cybersecurity risk, you have to concentrate on fighting social engineering and specifically fighting spear phishing.

Related article: https://blog.knowbe4.com/knowbe4-help-fight-spear-phishing

Focus on Exploited Vulnerabilities

After social engineering and phishing, exploits against unpatched software and firmware are involved in 33% of attacks, according to Google/Mandiant (https://www.action1.com/patching-insights-from-kevin-mandia-of-mandiant/ ). Organizations that do not patch well are leaving themselves open to that 33% of attacks.

Last year, there were over 25,000 separate publicly announced vulnerabilities (https://www.cvedetails.com/browse-by-date.php ). That is almost 70 new vulnerabilities a day, day after day, year after year, and the annual count keeps growing.

What does not change year-over-year is that only a very small percentage of them are ever used by a real-world malicious hacker against a real-world company. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), less than 4% of publicly announced vulnerabilities have ever been exploited in the wild (https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities ). Those are the vulnerabilities that really need to be patched, and patched first. The other 96%+ of known vulnerabilities still need to be patched, but not with the same urgency.

Luckily for us, CISA keeps a list of the exploited software and firmware in its Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog ), which I will refer to as the KEVC. Anyone can subscribe and get notified as entries are added, and the catalog is also published as a machine-readable feed that patch management tools can consume. Most patch management solutions have added, or are beginning to add, patch criticalities based on CISA’s KEVC.

It is not enough for an organization to have a patch management program or to ask if they are patching everything 100% of the time in a timely manner (no one ever is, even if they say they are). It is more important to make sure the organization is patching 100% of what is on the CISA KEVC list in a timely manner (i.e., two weeks or less).
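The check the last two paragraphs describe, as an added example that is not part of the original article: index the KEVC by CVE ID, match it against open findings from a vulnerability scanner, and flag every KEVC item that has been open longer than the two-week target. The catalog records below are a constructed sample that follows the field names of CISA’s public KEV JSON feed; the CVE IDs are real catalog entries, but the names, dates, the scanner findings, the host names and the “as of” date are placeholders for this example.

```python
import json
from datetime import date, timedelta

# Public feed behind the catalog page; not fetched here so the example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
SLA_DAYS = 14             # the article's "two weeks or less" target for KEVC entries
AS_OF = date(2024, 6, 1)  # assumed "today" so the sample output is reproducible

# Constructed sample in the shape of the KEV feed (same field names). The CVE IDs are
# real catalog entries; the names and dates are placeholders for this example, not
# values copied from the live catalog.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
     "vulnerabilityName": "Microsoft SMBv1 Remote Code Execution Vulnerability",
     "dateAdded": "2022-02-10", "dueDate": "2022-08-10",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft", "product": "Remote Desktop Services",
     "vulnerabilityName": "Microsoft Remote Desktop Services Remote Code Execution Vulnerability",
     "dateAdded": "2024-05-20", "dueDate": "2024-06-10",
     "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed vulnerability-scanner output: open CVEs per host (placeholder hosts).
SAMPLE_FINDINGS = [
    {"host": "web-01", "cve": "CVE-2021-44228"},   # in the KEVC, long past any SLA
    {"host": "file-02", "cve": "CVE-2019-0708"},   # in the KEVC, still inside the SLA
    {"host": "file-02", "cve": "CVE-2014-0160"},   # not in this sample catalog
]


def load_kev(json_text: str) -> dict:
    """Index the catalog by CVE ID so each scanner finding is a single lookup."""
    catalog = json.loads(json_text)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def triage(findings: list, kev: dict, today: date, sla_days: int = SLA_DAYS) -> list:
    """Bucket every open finding as KEV-OVERDUE, KEV-DUE or NORMAL, most urgent first.

    A KEVC entry gets an internal deadline of dateAdded + sla_days; past that it is
    overdue regardless of CISA's own (federal) dueDate. Non-KEVC findings still need
    patching, just on the normal cadence.
    """
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            rows.append({**f, "priority": "NORMAL", "days_overdue": 0})
            continue
        internal_due = date.fromisoformat(entry["dateAdded"]) + timedelta(days=sla_days)
        late = (today - internal_due).days
        rows.append({
            **f,
            "priority": "KEV-OVERDUE" if late > 0 else "KEV-DUE",
            "days_overdue": max(late, 0),
            "internal_due": internal_due.isoformat(),
            "cisa_due": entry["dueDate"],
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    rank = {"KEV-OVERDUE": 0, "KEV-DUE": 1, "NORMAL": 2}
    return sorted(rows, key=lambda r: (rank[r["priority"]], -r["days_overdue"]))


def kev_scorecard(rows: list) -> dict:
    """The number the article says to track: are 100% of open KEVC items inside the SLA?"""
    kev_rows = [r for r in rows if r["priority"] != "NORMAL"]
    overdue = [r for r in kev_rows if r["priority"] == "KEV-OVERDUE"]
    return {"open_kev": len(kev_rows), "overdue_kev": len(overdue),
            "kev_within_sla": not overdue}


def run_sample() -> list:
    """Triage the constructed findings against the constructed catalog as of AS_OF."""
    return triage(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), AS_OF)


if __name__ == "__main__":
    report = run_sample()
    for r in report:
        print(f'{r["priority"]:<12} {r["host"]:<8} {r["cve"]}  overdue {r["days_overdue"]}d')
    print(kev_scorecard(report))
```

Against the live feed you would replace SAMPLE_KEV_JSON with the downloaded file and SAMPLE_FINDINGS with your scanner export; the scorecard’s kev_within_sla is the yes/no answer to “are we patching 100% of the KEVC within two weeks?”, which is a far more useful metric than “do we have a patch management program?”.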

Related article: https://www.dhirubhai.net/pulse/best-patch-management-schedule-roger-grimes-8yqfe

MFA Should Be Pervasive and Phishing-Resistant

You will often read that stolen or guessed password credentials are used in somewhere around a quarter of attacks. And this is true. Of course, 79% of credential theft happened because of phishing (https://www.infosecurity-magazine.com/news/94-firms-hit-phishing-attacks-2023/ ). Remember, credential theft is an outcome of an initial root hacking cause and not necessarily a root hacking cause (but there is some crossover).

Because of this, nearly every cybersecurity hardening guide recommends the use of multifactor authentication (MFA) instead of easy-to-steal passwords. And this is good advice. Some regulatory agencies and insurance companies only require admins to use MFA, but this is a misalignment of risk. Most attacks happen to regular end users, and the attacker then uses an “escalation of privilege” attack to move their security context to admin. In most attacks, end users are the primary victims, and they are what allows the hacker entry into the environment. Escalating privilege is usually far easier than gaining initial access, so once the hacker has initial access, the hardest part is done. Protect all users, whether local or remote, with MFA.

Now here is an even more important recommendation. Sadly, 90% of today’s MFA is as easy to steal and bypass as a password. This includes the most popular options, including the one-time-code and push-approval modes of Google Authenticator, Microsoft Authenticator, and Duo. I love all those vendors, I really do, but the MFA they sell the most is as easy to hack and bypass as the passwords it was selected to replace. An adversary-in-the-middle proxy that relays the real login page captures the one-time code (or the session cookie issued after it) exactly as it captures the password, and a push prompt can simply be approved by a worn-down user. Microsoft, Google, and Duo all also offer phishing-resistant options; the problem is the default modes most customers deploy.

There are, however, many forms of MFA that are phishing-resistant, such as FIDO2/WebAuthn security keys and passkeys and PKI-based smart cards, which bind the authentication to the legitimate site’s origin or TLS session so that a look-alike site cannot relay it. You should ABSOLUTELY require that your admins and users, all users, use PHISHING-RESISTANT MFA. If you do not, you and they will likely have a false sense of security, because you think MFA is significantly lowering the risk of attack. It is, no matter what form of MFA you use, but the phishing-resistant forms probably lower cybersecurity risk 3-5 times more.

I will put it this way. If you use bypassable and phishable MFA, you are still very likely to get successfully hacked. Hacker methods and their malware have adapted to account for most MFA. It is not even something they have to think about bypassing as an obstacle. It is built-in as automation. Bypassing and stealing most MFA is a default feature in the hacking software and tools they use today.

But if you use phishing-resistant MFA, the likelihood of a company falling victim to a credential theft is significantly lower. The odds that your company falls victim to a credential attack plummets. And implementing phishing-resistant MFA is just as hard (or easy) as implementing phishable MFA. So, why not implement better stuff and get far greater risk reduction?
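The difference the last few paragraphs describe, as an added example that is not part of the original article: the same adversary-in-the-middle relay is run against a password-plus-TOTP login and against an origin-bound WebAuthn-style assertion. The TOTP code is a standard RFC 6238 computation; the WebAuthn side is a simplified model in which an HMAC with a per-credential secret stands in for the authenticator’s private-key signature (an assumption), and the “browser” is a function that signs whatever origin it is actually on. The domain names, password and fixed clock are placeholders.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Placeholder names for the example.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"   # the proxy's look-alike site


# ---- Phishable MFA: a TOTP code (RFC 6238) is a shared secret in disguise ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Standard HOTP/TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class TotpServer:
    """Password + TOTP login. Nothing here knows which web page the user typed into."""

    def __init__(self, password: str, totp_secret: bytes, now: int):
        self.password, self.secret, self.now = password, totp_secret, now

    def login(self, password: str, code: str) -> bool:
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.secret, self.now)))


# ---- Phishing-resistant MFA: the signed assertion names the origin it was made on ----
def browser_sign(cred_secret: bytes, origin: str, challenge: str) -> dict:
    """Model of the browser/authenticator step. Real WebAuthn signs with the credential's
    private key; HMAC stands in for that signature here (assumption)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(cred_secret, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


class WebAuthnServer:
    def __init__(self, cred_secret: bytes, expected_origin: str):
        self.cred_secret, self.expected_origin = cred_secret, expected_origin
        self.pending = set()

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, assertion: dict) -> bool:
        data = json.loads(assertion["clientData"])
        # 1. challenge must be one we issued and not yet used (no replay)
        if data.get("challenge") not in self.pending:
            return False
        self.pending.discard(data["challenge"])
        # 2. the browser signed the origin it was actually on; a proxy cannot change it
        if data.get("origin") != self.expected_origin:
            return False
        # 3. the signature must verify under the registered credential
        expected = hmac.new(self.cred_secret, assertion["clientData"].encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    """Run the same AitM relay against both factors and return each outcome."""
    now = 1_700_000_000                      # fixed clock so the run is reproducible
    totp_secret = secrets.token_bytes(20)
    cred_secret = secrets.token_bytes(32)
    totp_site = TotpServer("hunter2", totp_secret, now)
    fido_site = WebAuthnServer(cred_secret, REAL_ORIGIN)

    # Victim types the password and the current code into the proxy page; proxy relays both.
    relayed_totp = totp_site.login("hunter2", totp(totp_secret, now))

    # Proxy fetches a real challenge; the victim's browser signs it while on PHISH_ORIGIN;
    # the proxy relays the assertion. The origin check rejects it.
    challenge = fido_site.new_challenge()
    relayed_fido = fido_site.verify(browser_sign(cred_secret, PHISH_ORIGIN, challenge))

    # The same credential used on the real origin succeeds, and only once per challenge.
    challenge = fido_site.new_challenge()
    genuine = browser_sign(cred_secret, REAL_ORIGIN, challenge)
    legit_fido = fido_site.verify(genuine)
    replayed_fido = fido_site.verify(genuine)

    return {"totp_relayed": relayed_totp, "fido_relayed": relayed_fido,
            "fido_legit": legit_fido, "fido_replayed": replayed_fido}


if __name__ == "__main__":
    print(demo())
```

In a real browser the relay fails even earlier: the browser will not produce an assertion for the legitimate relying-party ID from the proxy’s origin at all, and the rpIdHash in the signed authenticator data is checked as well as the origin in clientData. The model keeps only the origin check, which is enough to show why the same relay that captures a one-time code gets nothing useful from a phishing-resistant credential.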

It is not just me saying this. The U.S. government has been saying this since at least 2017 (https://blog.knowbe4.com/u.s.-government-says-to-use-phishing-resistant-mfa ). CISA, Microsoft, and Google have been saying this for years. Do not ask me why they are still selling phishable MFA, but you as a potential consumer, should not do it.

I maintain what is likely the only list on the Internet that lists every good, phishing-resistant form of MFA:

https://www.dhirubhai.net/pulse/my-list-good-strong-mfa-roger-grimes .

Over Reliance on Everything Else

Lastly, the average cybersecurity controls document has 200-300 controls. These guides say you must have all of those things well implemented to have a good cybersecurity program. If you do not do those 200-300 things well, someone might say you are non-compliant.

But here is the main message that I want you to take away from this article if you care about best reducing cybersecurity risk. No one and no company can do 200-300 things well at once. At best, they can do a few…maybe a handful of things well. Heck, show me a company that best implements one security control in a given year and I am super impressed. Most companies try to do dozens to hundreds of things all at once and they all are poorly implemented. It is simply asking too much.

The bigger fact is that just two of those controls (i.e., fighting social engineering and better patching of software and firmware) will do more to reduce the risk of hacking and malware than all the rest of the controls on the list combined. Whether or not an organization has an appropriately configured firewall, uses a VPN, or has up-to-date antivirus software does not matter nearly as much as the rest of the cybersecurity world would have you believe. In fact, virtually every company hit by a successful ransomware or business email compromise (BEC) scam this year had all those things, and they still fell victim to hackers and malware. How?

Probably due to social engineering and something unpatched.

And that is it, those are the messages I would communicate to the cyber defense industry if I could. The things I said above are factual and truthful. What you choose to do with them is up to you!

Heather Noggle

I integrate people, process, and technology. Cybersecurity Workforce | SMB Cybersecurity | Software Requirements | Data Integration | Business Analysis | Speaker | Writer | Systems Thinker

7 months ago

Anti-fraud training has better mouthfeel than anti-social-engineering training. It's not our terms that are going to resonate with people who need the training. Everyone's attuned to fraud and scams, though. Saving for a deeper dive. I especially like the open with the 13 root causes.
Mark Schmidt

Cybersecurity Specialist | CISSP, MBA, BSc, GradDipEd

7 months ago

An excellent article, thanks Roger. Sage advice that's practical and clear, backed by your decades of experience. A must-read for all IT leaders.

Randall Frietzsche

CISO | ISSA Hall of Fame | CTA CISO of the Year | Sheepdog

7 months ago

This is a fantastic article, and in line with all of Roger's stuff. I am currently reading his latest book and you get the same highly-experienced and thoughtful education and advice! https://www.amazon.com/Fighting-Phishing-Everything-Social-Engineering/dp/B0CXR83CZQ/

Jack Nunziato

The Cybersecurity Warrior of NYC | We Find Cybersecurity Vulnerabilities Before Cybercriminals | Ethical Hacking | Bug Bounty | AI Security

7 months ago

Sooo.. Red Pill or Blue Pill?