The job of the chief information security officer and the security staff never stops. The security lifecycle requires constant attention through monitoring and analysis, responding to threats, and improving policies and protocols. The trick is to always stay one step ahead of cyber criminals who are relentlessly targeting your infrastructure and resources.
Sometimes, however, we are our own worst enemies. Seventy-four per cent of respondents in a recent survey of global executives and IT leaders say that careless employees are the most likely source of a cyber attack. And while 56% of respondents named criminal syndicates as the main source of cyber attacks, 52% identified malicious employees as a significant risk. Clearly, with IT professionals identifying insider threats as representing nearly as high a risk as professional cyber crime syndicates, perimeter security measures are not enough.
Inadvertent insider threats are often the result of a general lack of security knowledge and neglect, such as employees falling victim to phishing and social engineering attacks. However, they can also come from employees storing or sending sensitive data on insecure applications that IT is not aware of, something that is referred to as Shadow IT.
Rather than spending resources on building new zero-day attacks, cyber criminals are increasingly focused on simply exploiting known vulnerabilities. WannaCry targeted a Microsoft vulnerability for which a patch had been available for nearly two months. NotPetya not only followed on the heels of WannaCry a month later, but also successfully targeted the exact same vulnerability.
In today’s digital economy, speed and efficiency are essential, and access to data is king. Which is why, more and more, everything is connected to everything else. This explains why we are seeing so many organisations supporting peer-to-peer (P2P) and proxy applications. However, organisations that allow P2P applications are reporting seven times as many botnets and malware as those that don’t. Similarly, organisations allowing proxy applications report almost nine times as many botnets and malware as those that don’t allow them.
Q2 saw nearly 3 billion botnet detections from about 250 unique botnets. 45% of firms detected at least one active botnet in their environment during the quarter, and about 3% reported being simultaneously infested with 10 or more unique active botnets! With so many organisations figuratively setting out the welcome mat to cybercriminals, attackers now have the luxury to build increasingly complex and sophisticated exploits.
Once malware has gained entrance, sophisticated multi-vector intelligence enables malware tools to automatically identify a device or operating system, determine what vulnerabilities exist for that system, and then select the appropriate exploit from its advanced toolkit of options. Then artificial intelligence-like capabilities enable the malware to avoid detection through a variety of sophisticated techniques.
What you can do
Organisations need to start by identifying all critical assets and services on their network combined with actionable threat intelligence services. Next, restart or double down on your efforts to identify and patch vulnerable systems and replace older systems that are no longer supported. In today’s environments, that may mean implementing some sort of asset tracking and management tool. Then you can build proper mitigation solutions and incident response plans around that.
Your IT teams will also need to take a hard look at the impact that analysing high volumes of encrypted traffic will have on the performance of your current security devices and platforms. We expect not only that the volume and percentage of encrypted traffic will continue to rise, but also that advanced malware will purposefully target the limitations of security devices by exploiting CPU-intensive areas such as unstructured data.
Network segmentation must also become a critical part of your digital business strategy. As you consider adopting things like risky apps, IoT devices, and encrypted data, you need to ensure that they are separated as much as possible from the rest of the network. Segmentation combined with regular data backup is also an effective way to combat ransomware.
Mitigating employee risks
Organisations need to adopt the principle of least privilege or zero trust policies, which give employees access to the minimum number of resources needed to do their jobs, while promoting in-depth monitoring of data movement across the network. And since privileged users have access to the most valuable data, security best practices dictate that these accounts are monitored more closely.
You can no longer afford to hand-correlate threat data between devices to detect threats, or to respond to attacks at anything less than machine speed. You need to develop integrated expert security systems that can automatically collect, correlate, share, and respond to threats in a coordinated fashion, anywhere across your distributed network ecosystem.
The writer is regional vice president, India & SAARC, Fortinet