Recent Studies Stress Back to Basics – ellenby technologies
April 29, 2021
This week was awash with new studies that generated a great deal of buzz about what’s right, and what’s not so right, about current security practices. For those of you who haven’t seen the reports yet (or don’t have the desire to read through 90-page documents), here’s a quick breakdown.
Releasing its annual Data Breach Investigation Report, Verizon found that most of the data breaches they encountered (74% to be exact—up 1% from last year) were caused by external sources. They also found that almost all of the breached records in 2008 were electronic, meaning that most of these records were compromised from servers and applications (ISC).
Publishing its Global Internet Security Threat Report for 2008, Symantec found that “[w]ebsites are at the top of the list of media used for the distribution of malware; the implementation of those malware is automated on websites using similar platforms, code or vulnerabilities, such as XSS; very often those vulnerabilities are classified with a medium risk and are not subject to rapid updates.” (Which just happens to sound an awful lot like our “Why Intranets Aren’t As Safe As Everyone Thinks They Are” post.) Symantec also found that malware and phishing have upped the number of online threats by 165% (DigitalCrime).
And lastly, the Computing Technology Industry Association (CompTIA) discovered what we had already concluded: People are the biggest security vulnerability of all time. According to DarkReading’s recap, the study found that “[w]hile most U.S. respondents still consider viruses and malware the top threat, more than half (53 percent) attributed their breaches to ‘human error,’ while only 47 percent attributed them to technical malfunction.”
There’s no denying that these studies quote a lot of nice stats, and it’s always good to have some documented reminders of why strong security is important, but all of these studies lead back to one very simple thing: Getting back to security basics.
While getting back to security basics won’t fix all of the problems found in these studies, it would fix the majority of them. Because honestly, a lot of the suggestions made in these studies are very basic things that create the foundation of good security practices.
For example: In the Verizon study, they tell people to change their default passwords, review user accounts, patch systems and keep them up to date, and monitor logs. In the CompTIA study they say that there is too much reliance on typical security tools like firewalls.
The thing about these studies is that they’re not showing us anything new: In essence, it’s just the same stats year after year, only with slightly different numbers and percentages. Most of these surveys just lead us back to the basics we’ve known for many years, like “run anti-malware and keep it up to date” or “label your data and segment it,” as we happened to discuss in our last post.
So instead of getting more fancy technology that doesn’t seem to work, let’s focus on getting ourselves—and our co-workers—to make smart security choices through developing good security habits. Because while firewalls and other security tools might catch some of the problems, they’re no replacement for the best tool of all: Ourselves.
If you’re looking to get back to the heart of security basics, SANS has the perfect event for you in the form of their Application Security Workshop — What Works? workshop on April 29th. The workshop will cover the best ways to counter common attacks through general know-how, products, services, and configurations. If you’re interested, visit the SANS section of our Help Us Help You page to sign up for this workshop.
Why Intranets Aren’t As Safe As Everyone Thinks They Are – ellenby technologies
Addressing the problem of companies not taking insider threats seriously, the “Many Enterprises Still Don’t Recognize Insider Threat, Studies Say” article on DarkReading made some much-needed points about intranets not being the secure entities that many companies believe them to be. While the article’s primary focus is on traditional insider threats—with employees knowingly or unknowingly causing most of the problems—it got me thinking about different kinds of non-traditional threats.
The chief non-traditional threat that comes to mind is the occurrence of company workstations being infected with malware through non-technical users surfing the web. Since non-patched browsers are the norm in corporate America, an unsuspecting admin can have their workstation infected just by surfing the web. Once infected, the workstation can be used to take control of both internal and external company resources.
The number one way that most of these malware-based insider threats happen is through the use of scripting. For an example of what scripting can do, look no further than the Twitter attacks that occurred over the weekend (one on Saturday, the other on Sunday).
The most obvious fix for these all-too-common browser infiltrations caused by scripting is to go no-script by disabling scripting by default. Sure, it’s a pain, and employees are likely to complain, but is the potential compromise or loss of data really a risk that companies are willing to take? For some companies, the answer (unfortunately) is ‘yes.’ Though it may be obvious to security professionals why disabling scripting is more necessary than optional, members of company management usually buy into long-propagated myths like anti-virus and anti-spam applications being enough protection against both internal and external threats.
If you find yourself in a company that is scared to take the plunge and go no-script, another way to help protect non-technical users and company data is through the creation of a whitelist. Far easier than creating a blacklist of ‘bad’ sites that users need to avoid, creating a whitelist cuts out time, money, and frustration by allowing users to only visit specified ‘safe’ sites.
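One way to enforce such a whitelist at a proxy or policy checkpoint, written here as an added example (not code from the original post) with hypothetical hostnames: the check matches on the parsed hostname rather than on substrings, so lookalike hosts, userinfo tricks and raw IP literals are refused.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of 'safe' sites (hypothetical hosts for illustration).
ALLOWED_HOSTS = frozenset({"intranet.example.com", "hr.example.com", "vendor-portal.example.net"})


def _normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'HR.example.com.' matches 'hr.example.com'."""
    return host.lower().rstrip(".")


def is_allowed(url: str, allowed=ALLOWED_HOSTS, allow_subdomains: bool = False) -> bool:
    """Return True only if the URL's host is on the allowlist.

    Comparing the parsed hostname (not a substring of the URL) means that
    'http://hr.example.com.evil.test/' and 'http://hr.example.com@evil.test/'
    are both refused even though they contain an allowed name.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # excludes userinfo and port
    if not host:
        return False
    host = _normalize_host(host)
    # Raw IP literals bypass a name-based list, so refuse them outright.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if host in allowed:
        return True
    if allow_subdomains:
        return any(host.endswith("." + a) for a in allowed)
    return False


def blocked_requests(urls, **kwargs):
    """Return the URLs from a batch (e.g. proxy log entries) that the policy would refuse."""
    return [u for u in urls if not is_allowed(u, **kwargs)]
```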
If you find that a whitelist is also out of the question, I will offer one of my oft-touted solutions: Encryption. While many companies feel that encryption for intranets is unnecessary (since they see intranets as being internal and therefore ‘safe’), the reality is that encryption is just as necessary for intranets as it is for external sources.
Another recent article on DarkReading pointed out that the default settings in Internet Explorer 7 and 8 can be unsafe for internal intranet-based Web applications. Since most companies use Internet Explorer as their default browser, there is no denying the importance of intranet encryption.
But whether you go no-script, create a whitelist, or encrypt every last piece of data you have (which we highly recommend), consider compartmentalizing your data. Inventory it and rank it according to its sensitivity. Segment your network so that the important stuff is really protected. You can do this by creating multiple compartments: One compartment for general users, another for the employees who deal with sensitive information ‘a,’ and another for the employees who deal with sensitive information ‘b.’ That way, if one part of your network gets compromised, the rest of your data stays protected and attackers don’t have access to it.
The bottom line is that traditional insider threats as well as malware-based insider threats need to be taken seriously if we’re going to move forward and keep our companies—and ourselves—secure.
If you’re looking for some additional ways to keep your company—and yourself—a little safer, we’ve put together a handy list of books that might do the trick.