Cyber security is an ongoing battle between sophisticated and well-funded bad actors and those who must defend corporate networks against their attacks. The bad news is that the latter are typically not winning. A recent Osterman Research survey found that while most organizations self-report that they are doing “well” or “very well” against ransomware, other types of malware infections, and thwarting account takeovers because of the significant emphasis placed on these threats, they are not doing well against just about every other type of threat. These include protecting data sought by attackers, preventing users from reaching malicious sites after they respond to a phishing message, eliminating business email compromise (BEC) attacks, eliminating phishing attempts before they reach end users, and preventing infections on mobile devices.
The missing component for most organizations is the addition of robust and actionable threat intelligence to their existing security defenses. Threat intelligence can be segmented into four subcategories:
- Strategic (non-technical information about an organization’s threat landscape)
- Tactical (details of threat actors’ tactics, techniques and procedures)
- Operational (actionable information about specific, incoming attacks)
- Technical (technical threat indicators, e.g., malware hashes)
The use of good threat intelligence can enable security analysts, threat researchers and others to gain the upper hand in dealing with cyber criminals by giving them the information they need to better understand current and past attacks, and it can give them the tools they need to predict and thwart future attacks. Moreover, good threat intelligence can bolster existing security defenses like SIEMs and firewalls and make them more effective against attacks. Threat intelligence plays a key role in proactive defense to ensure that all security programs are relevant to the fast-evolving threat landscape. This is particularly valuable in security awareness training to ensure users are familiar with known threats.
Existing security defenses provide some measure of protection against increasingly sophisticated threats, but the enormous number of data breaches and related problems experienced by many organizations reveals that current security practices are not adequate. Good threat intelligence capabilities can provide a great deal of information about the domains and IP addresses that are attempting to gain access to a network. It can enable threat researchers to better understand the source of current and past attacks and better deal with future attacks.
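As an added illustration of the "technical" tier described above (this is example code, not from Osterman Research or the original post), the following Python matcher enriches firewall/proxy log lines against an indicator set the way a SIEM correlation rule would, handling two details such rules often get wrong: subdomains of a listed domain, and hashes that arrive in mixed case. All indicators and log lines are constructed sample data.

```python
import ipaddress
import re

# Constructed technical indicators (IPs, domains, hashes); a real deployment
# would load these from a threat-intelligence feed rather than hard-code them.
INDICATORS = {
    "ip": {"198.51.100.23"},
    "domain": {"bad-example.test"},
    "sha256": {"0123456789abcdef" * 4},  # placeholder hash, not a real sample
}

# Assumed log format: key=value pairs as a simplified firewall/proxy line.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: host=(?P<host>\S+))?(?: sha256=(?P<sha256>\S+))?"
)

def domain_matches(host, bad_domains):
    """True if host is a listed domain or a subdomain of one (not a substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)

def enrich(line):
    """Return a list of (indicator_type, value) hits for one log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    hits = []
    for field in ("src", "dst"):
        try:
            ip = str(ipaddress.ip_address(m.group(field)))  # normalises the address
        except ValueError:
            continue
        if ip in INDICATORS["ip"]:
            hits.append(("ip", ip))
    host = m.group("host")
    if host and domain_matches(host, INDICATORS["domain"]):
        hits.append(("domain", host.lower()))
    digest = m.group("sha256")
    if digest and digest.lower() in INDICATORS["sha256"]:  # case-insensitive
        hits.append(("sha256", digest.lower()))
    return hits

# Constructed sample log lines: one IP+domain hit, one upper-case hash hit,
# and a look-alike domain that must NOT match.
SAMPLE_LOGS = [
    "src=10.0.0.5 dst=198.51.100.23 host=cdn.bad-example.test",
    "src=10.0.0.7 dst=203.0.113.9 host=update.example.com sha256=" + "0123456789ABCDEF" * 4,
    "src=10.0.0.8 dst=203.0.113.10 host=notbad-example.test",
]

def scan(lines):  # map each line that has at least one hit to its hits
    return {line: hits for line in lines if (hits := enrich(line))}
```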
We have just published a white paper on threat intelligence that you can download here.
According to the Ponemon Institute’s 2018 Cost of Insider Threats: Global report, of the 3,269 insider incidents that Ponemon investigated, 23 percent were caused by “criminal insiders” (as opposed to careless/negligent employees or contractors, or credential thieves). These malicious insiders can wreak all sorts of havoc, including theft of customer records, trade secrets or competitive information; and they can create enormous liabilities for their employer in the wake of their departure, such as triggering regulatory audits or fines for violating customer privacy.
So, why do employees become malicious and what can be done about it? Reviewing advice from a variety of sources reveals that most of that advice focuses on checking employees: check their background before they’re hired, monitor their behavior for signs that they might become malicious, and so forth. However, Osterman Research believes that companies should also focus heavily on their managers and monitor their behavior. For example, do managers in your company berate employees in front of their peers? Do they give them poor performance evaluations that are not justified? Do they demonstrate that they have “favorites” among their subordinates? Do they enforce company policies differently for some employees than they do for others? Do they insult their employees? In short, how well do your managers treat those that they manage?
Understanding management behavior is key. A study from several years ago by the law firm Drinker Biddle and Reath found that employees who are treated poorly by their managers will be more likely to commit fraud, intentionally breach data, and otherwise violate corporate policies.
What should employers do? There are several things:
- Monitor managers’ email and collaboration accounts to uncover instances of morale-destroying behavior.
- Monitor their personal social media accounts to uncover posts that undermine employees, the company or others.
- Conduct anonymous employee surveys to get some honest opinions about how managers are treating their subordinates.
- Monitor employee accounts for signs that their managers are treating them badly.
Of course, the goal is not to conduct a witch hunt or to undermine the morale of corporate managers. But bad managers create bad employees, and that significantly increases a company’s risk profile.
Last week, Cisco released an interesting report entitled Maximizing the value of your data privacy investments. Among the various findings from the in-depth, 18-country survey discussed in this report is that organizations that are mostly or completely enabled to satisfy the compliance requirements of the European Union’s General Data Protection Regulation (GDPR) had a significantly smaller number of data breaches during the past year than their counterparts that are least prepared to satisfy the requirements of the GDPR.
On one level, that’s good news: 89 percent of organizations that are not yet ready for GDPR experienced a data breach, while only 74 percent of GDPR-ready organizations experienced a breach. Clearly, GDPR is having a positive impact on data security.
Then again, that’s not particularly good news: even after going to the significant expense and difficulty associated with GDPR compliance, 74 percent of organizations still experienced a data breach! Of course, we would expect that figure to drop in the future given that the GDPR went into force only about eight months ago, but three in four GDPR-ready organizations still experiencing a data breach is very high.
This kind of result prompts a bigger question: just how secure can any organization realistically be? Given that we face a well-funded, intelligent, and collaborative set of adversaries in the cybercriminal community that will always have a guaranteed advantage (we need to protect every point of ingress while they need to break into just one), what is the lowest possible number of data breaches, malware infections, account takeovers, successful DDoS attacks, etc. that we can ever hope to achieve? Could a large organization not experience even one data breach in the course of a year? Could it not experience even a single malware infection? Could it prevent every insider threat? Could every CFO recognize every CEO Fraud attempt?
Probably not. So what is the target at which we’re aiming? A senior executive team or board of directors that is asked by the CIO for a 20 percent budget increase to improve security probably should know what they can expect to gain from that kind of investment. A vendor marketing a new technology to combat CEO Fraud or account takeovers would find it beneficial to their sales and marketing efforts if they could provide some concrete metrics about what their prospective customers could hope to gain by implementing their solution. Vendors of security awareness training would be well served by being able to report an X-percent reduction in successful phishing or ransomware incursions after employees were properly trained.
In short, it’s highly unlikely that any organization will ever reduce the success of cybercriminals’ efforts against them to zero. But what can we reasonably expect to achieve?
We have just published a white paper on phishing and ransomware that we welcome you to download and review. Here are some of the key takeaways from the paper:
- Both phishing and crypto ransomware are increasing at the rate of several hundred percent per quarter, a trend that Osterman Research believes will continue for at least the next 18 to 24 months.
- The vast majority of organizations have been victimized by phishing, ransomware and a variety of security-related attacks during the past 12 months. In fact, phishing and ransomware are among the four leading concerns expressed by security-focused decision makers as discovered by Osterman Research in the survey conducted for this white paper.
- Security spending will increase significantly in 2017 as organizations realize they need to protect against phishing, ransomware and the growing variety of other threats they face.
- Most organizations are not seeing improvements in the security solutions they have deployed and in the security practices they follow. While many of these solutions are effective, most are not improving over time, in many cases because internal staff lack the expertise to tune them. On balance, only two in five of these solutions and practices are considered “excellent”.
- Security awareness training is a key area for improvement in protecting organizations against phishing and ransomware, since our research found that organizations with well-trained employees are less likely to be infected.
- There are a variety of best practices that organizations should follow in order to minimize their potential for becoming victims of phishing and ransomware. Among these best practices are implementing security awareness training, deploying systems that can detect and eliminate phishing and ransomware attempts, searching for and remediating security vulnerabilities in corporate systems, maintaining good backups, and using good threat intelligence.
You can download the paper here.
As an aside, I will be attending the Virus Bulletin International Conference next week in Denver and encourage you to do likewise if you’re at all focused on security. I have been to this event before and can vouch for its tremendous value as a place to learn about trends in cyber security and to advance your education about all things security.
Targeted email attacks are a serious issue for organizations of all sizes and across every industry. Various industry research has shown that these focused emails are by far the number one initial attack vector for targeted attacks on enterprise data. In fact, they account for more than 95% of initial intrusions that lead to important data breaches. Moreover, Osterman Research found in a survey conducted during September 2014 that 47% of organizations considered targeted email attacks to be a very high priority to address and prevent, while only one in six organizations considers them to be a low priority.
While virtually all organizations have deployed security solutions that will block spam and known malware, most have not implemented solutions that will deal with the much more serious problem of targeted email attacks.
Targeted email attacks are not run-of-the-mill malware incursions. These attacks use sophisticated delivery techniques and advanced malware that will normally not be recognized by standard email and endpoint security solutions. Additionally, these attacks provide an entry point into the larger organization and its sensitive data, wreaking havoc on an organization’s finances, its intellectual property and its other sensitive or confidential data. Organizations of all sizes are the victims of these attacks, and those that are successfully breached will experience critical business impacts, including damage to reputation, unexpected legal, regulatory and response costs, and more.
We recently published a white paper about Targeted Email Attacks that discusses five key issues:
- Targeted attacks and advanced threats that result in data breaches are most often initiated by targeted email attacks. While a great deal of press attention focuses on attacks directed against large retailers and other high-profile companies, all types of organizations regardless of size and industry vertical are being subjected to attack.
- A single employee can be an entry point for a full-blown attack on the corporate network, sensitive data assets or financial accounts. Senior staff members like CFOs or CEOs are sometimes targeted in highly specific attacks, but the much larger attack surface is comprised of every employee in an organization.
- Users must be the first line of defense in thwarting targeted attacks; they require thorough and ongoing training to detect the social engineering techniques that these attempted attacks are employing.
- However, because targeted email attacks employ advanced malware, employee training is simply not enough – sophisticated technology to detect these threats is essential to prevent these attacks from achieving the loss of financial or other data for which they are designed. Further, while employees should serve as an important line of defense against threats, in many cases it is unrealistic to expect employees to keep abreast of every changing social engineering tactic.
- Ninety-one percent of organizational decision makers do not wholeheartedly agree that their current email security solution is sufficient to protect them from targeted email attacks. This, despite the fact that security professionals understand the problem.
You can download our white paper on Targeted Email Attacks here.