You wouldn’t go for root canal treatment at the first sign of a toothache. Yet that’s exactly what many company executives are tempted to do at the first sign of an IT security breach.
A system user’s credentials get phished, and company executives (perhaps awed by the “mysterious” nature of hacking) look at their budgets and start talking about investing in new security infrastructure.
Yet the threat actor didn’t use any of the areas they want to invest in, and would likely have been blocked had they simply used basic hygiene. This misperception about the real nature of the threat is especially true for opportunistic threat actors.
South African corporate IT security culture needs serious disruption in this regard.
In fact, the right response is to get back to basics. Ask yourself why they were successful, how they gained access − and then address that problem.
The hygiene conversation really is a no-brainer. The risks and rewards to a business are both twofold.
In the case of a toothache, you might need a simple cleanup and filling. In the case of network security, the three most common hygiene problems, according to the Verizon 2022 Data Breach Investigations Report, are:
- Weak password policy.
- Use of default credentials on third party systems (similar to keeping the manufacturer’s admin password on your home WiFi router).
- Unnecessarily exposed systems (publicly visible systems that provide potential entry points for threat actors).
It’s tempting to go for the latest, greatest technology. Everybody likes playing with new toys, but the overwhelming majority of security issues can be dealt with by applying appropriate basic hygiene, rather than investing in the networking equivalent of expensive dental surgery.
Repel opportunistic threats
The reason is simple. To use a second analogy, most home thefts involve intruders snatching washing off the line, or tools from the garden shed. It’s a minority that would brave dogs, alarms and alert homeowners. If you remove the opportunity, you remove the threat.
So before investing in expensive solutions, ask whether the company really needs them. Start by doing some housekeeping: evaluate the built-in protection of existing systems.
How high is the wall? Is the expensive flatscreen visible from the street? Has the garden gate been left unlocked? Is there a window without burglar bars? Look at the likely vulnerabilities and address them using good governance with appropriately applied security protocols.
Then, and only then (based on a sober gap analysis) should capital expenditure be considered. Based on my experience of incident responses across Africa, a lot of incidents look sophisticated, but are actually opportunistic.
That’s because (a) business executives sometimes see the security world as “mysterious” or (b) the initial security breach is achieved using a common exploit but once inside, threat actors go on to wreak far more serious damage.
For example, companies with clear text credentials (including system administrator-level credentials) contained in files that are easily accessed once a threat actor penetrates a gap caused by basic lack of security hygiene.
Double cost or double saving?
The hygiene conversation really is a no-brainer. The risks and rewards to a business are both twofold.
The most direct is the financial loss potentially caused by ransomware or outright fraud. But the additional potential loss caused by reputational damage is often incalculable, and adds to financial losses.
A recent example is BidenCash, a dark web carding marketplace, which leaked 1.2 million people’s credit card details. That included card numbers, expiry dates, CVV numbers, cardholder names, bank names, card types, physical addresses, e-mail addresses, social security numbers and phone numbers.
On the credit side, taking care of hygiene saves companies from the potential debits above but, more than that, it saves businesses from investing in unnecessary technology by fully understanding the real need before approaching the CFO with a major budget request.
And in any case, proper data governance improves compliance with relevant legislation like the POPIA Act.
So, what’s the next step?
When I walk into a customer’s business, there’s one key question I ask them: “What does your environment look like from a threat actor’s perspective?”
Often, those potential clients can’t answer my question. Even worse, they haven’t fully understood what a threat actor could accomplish with that corporate data once they have it in their grasp.
Here’s a cheat sheet for companies wanting to do an initial cyber hygiene cleanup. Look at:
- Weak password policy and weak credentials.
- Default credentials on third-party applications and systems.
- Exposed systems/services (RDP, SSH, SMB MySQL databases, etc.
- Stale DNS records/entries and unused subdomains.
- Out-of-the-box configurations.
- Not disabling systems/services that are not used.
Do these things from a threat actor’s perspective and don’t ask for more budget until a gap analysis has been done.
This basic hygiene won’t necessarily plug every hole, but it will prevent almost all opportunistic threats. And even many sophisticated threats are nipped in the bud this way.
I recently helped a client prevent an imminent ransomware attack. The threat actors had already gained access to the company’s systems through an opportunistic attempt, but the larger implications were really dire.
As a closing thought − remember that it’s not only your own systems that must be considered. A lot like driving a car, you have to think about the other drivers on the road.
Companies that are part of an ecosystem with a bank, or an insurance company, for example, have to consider all those ecosystem player systems too. Once a threat actor gets into the ecosystem, they can often drive around almost everywhere.
Share