A week doesn't go by without us hearing about a security breach. The recent Heartbleed hacks that hit Mumsnet and Canada's tax agency are just two examples that made the headlines. Yet, attacks happen every minute – we just don't hear about them all.
Breaches are happening too frequently and, with hackers continuing to evolve, enterprises are not doing enough to protect their data. NTT Group's 2014 Global Threat Intelligence Report – which analysed trillions of log lines supported by security intelligence from over 1,300 security experts and researchers – revealed that 43 per cent of incidents in 2013 were the result of malware.
Worryingly, the report highlighted that significant factors contributing to the malware incidents were down to businesses missing basic controls, such as anti-virus, anti-malware and effective vulnerability lifecycle management.
Malware won't go away, which is why the onus is on the IT department to get the basics right if they are to protect their business against real world threats. Sounds obvious, but it's not happening.
The report also revealed that half of the vulnerabilities detected during scans have had patches available for at least two years – yet businesses had not installed them – and anti-virus failed to detect 54 per cent of new malware.
The cost of not doing the basics is increasing. Prioritising controls and putting risk in context could have saved one company over £64,730 according to the report.
Many organisations are not keeping up with the basic controls required to provide a solid foundation for security programmes, yet businesses could save considerable unnecessary sums if they put in place processes to minimise the risk of exposure and implemented the basic measures. Worse still, threats are more sophisticated and there is a requirement for even more advanced controls to keep up with today's trends and attacks, adding more pressure to a company's bottom line.
The basic measures alone will help reduce a firm's exploitable footprint, provide investigative basis and provide the potential ability to respond to a security threat. As a minimum, assess the highest risks first, validate and implement the right controls, and ensure that the control is actually implemented and regularly test to ensure that it is effective. This includes ensuring that critical patches are in place and vulnerabilities are mitigated.
One of the most important basic measures is vulnerability scanning, where a security assessment is conducted to scan the customer's environment. These tests are highly automated and there are several tools that can be used to find services, OS patch level, application patch level and the vulnerabilities they expose. Intelligence of this kind is invaluable as it offers insight into how real attackers could use vulnerability information to gain access to data assets.
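As an added illustration (not from the report or this article) of "assessing the highest risks first", the script below triages a constructed set of scan findings: it measures the share whose fix has been available for two years or more, then orders remediation by patch age and severity. The host names, vulnerability identifiers, scores and dates are all invented placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TWO_YEARS = timedelta(days=730)   # threshold used in the report's "two years" figure
SCAN_DATE = date(2014, 5, 1)      # constructed scan date for the sample below

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                  # placeholder identifier, not a real CVE
    cvss: float                   # 0.0-10.0 base score reported by the scanner
    patch_released: Optional[date]  # None: no vendor fix exists yet

# Constructed sample scanner output; every value here is invented for illustration.
SAMPLE_FINDINGS = [
    Finding("web-01",  "VULN-0001", 9.8, date(2011, 6, 14)),
    Finding("web-01",  "VULN-0002", 5.3, date(2014, 3, 1)),
    Finding("db-02",   "VULN-0003", 7.5, date(2012, 1, 10)),
    Finding("db-02",   "VULN-0004", 8.1, None),
    Finding("mail-03", "VULN-0005", 4.0, date(2009, 9, 30)),
    Finding("mail-03", "VULN-0006", 6.5, date(2013, 11, 5)),
]

def patch_available_for(f: Finding, today: date) -> Optional[timedelta]:
    """How long a fix has existed, or None when the vendor has not shipped one."""
    return today - f.patch_released if f.patch_released else None

def is_stale(f: Finding, today: date, threshold: timedelta = TWO_YEARS) -> bool:
    """True when a fix has been available for at least `threshold` and is still missing."""
    age = patch_available_for(f, today)
    return age is not None and age >= threshold

def stale_share(findings, today: date) -> float:
    """Fraction of findings whose patch has been available for two years or more."""
    if not findings:
        return 0.0
    return sum(is_stale(f, today) for f in findings) / len(findings)

def prioritise(findings, today: date):
    """Work order: long-available patches first (basic hygiene), then other patchable
    items, then unpatchable ones (kept visible for compensating controls); CVSS
    descending within each tier."""
    def key(f):
        age = patch_available_for(f, today)
        tier = 0 if is_stale(f, today) else (1 if age is not None else 2)
        return (tier, -f.cvss)
    return sorted(findings, key=key)

def stale_per_host(findings, today: date) -> dict:
    """Count of stale findings per host, the kind of figure a board report needs."""
    out: dict = {}
    for f in findings:
        out[f.host] = out.get(f.host, 0) + (1 if is_stale(f, today) else 0)
    return out
```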
With vulnerabilities appearing ever more regularly, every IT department should also collect and analyse logs – from event sources such as Windows and Adobe software – throughout the company's IT environment, storing them for use in investigations and reports. Routinely checking logs gives firms access to greater threat intelligence to learn from, as well as statistics and trends over a period of time from which to predict future risks.
A further basic security measure, which is sadly ignored by the majority of businesses according to the GTIR report, is incident response planning. An overwhelming 77 per cent of the respondents had no incident response plan at all. Appropriate incident response is critical for minimising the impact of a breach, as an attacker will eventually target your organisation.
An incident response plan needs to be kept up to date and then socialised among all of the involved parties. Furthermore, tests should be carried out regularly so that people understand their roles. By having a well-defined plan, and recognising that security incidents will happen, organisations will be better prepared to handle incidents in an effective and consistent way.
Working with a trusted provider to help implement these basic measures offers benefits too. Outsourcing augments the in-house skills of an organisation and enables that organisation to focus on building and developing its business, while the outsourcer provides the information on risks that enables the board to understand, prioritise and manage risks and make informed decisions.
Ensuring regular operations are performed and controls are tested has a significant impact on risk. Putting risk in context is essential for businesses to make informed decisions. Cybersecurity threats are actively working against the organisation's infrastructure, applications, information and people. To face this change in the threat landscape, organisational security must evolve to include fast, nimble and active responses.
To face this threat, businesses are starting to collaborate with Managed Security Services (MSS) partners to access intelligent information for active threat management. An MSS partner, which typically has access to collective global knowledge and systems, provides visibility and control to manage information security risk – and therefore is able to actively notify customers about potential threats and proactively mitigate them.
MSS partners give insight into what is happening at both the network and application layer, allowing them to analyse vast amounts of disparate data and distil it into actionable information that enables businesses to manage increasingly diverse threats and make informed risk management decisions.
APT (advanced persistent threat) simulation is another approach recommended to businesses. It follows the steps that attackers would take when profiling an organisation to try to breach its defences. In other words, simulation allows an IT department to perform organisation profiling and targeted emails (spear-phishing) and then use this information to simulate an attack through penetration testing – so that it can consciously manage risk.
Governance, Risk and Compliance (GRC) plays an important role in an organisation's continuous risk management approach too. Visibility and alignment in these areas is necessary to deliver effective policies, procedures and security controls as part of continuous risk management.
Regulatory and non-regulatory compliance are crucial and can bring commercial value if fully considered by organisations. Those implementing PCI DSS scanning, a recommendation by the PCI Security Council, have a smaller vulnerability footprint and remediate nearly three times faster than organisations that don't regularly scan for PCI DSS compliance, according to the GTIR report.
Businesses are quick to blame hackers and attackers for increasing malware and other threats, but it is time for information security professionals to take responsibility for their own data. When the basics of security – threat avoidance, threat detection and incident response – are done right, and with support from a trusted provider, they can be enough to mitigate and even help avoid high-profile security and data breaches.
Garry Sidaway is global director of security strategy at NTT Com Security