For nearly ten years, I’ve looked forward to the release of Verizon’s annual Data Breach Investigation Report (DBIR). With its analysis on the thousands of breaches and incidents from across the globe, occurring over its last full revolution around the sun, which cybersecurity pro among us does not look forward to such a treasure trove of insights and predictions to guide our focus for the coming year?
The DBIR isn’t the only good report out there. Cisco, Symantec, SecureWorks, Accenture, SANS, and various other organizations that have keen insight into the threat landscape have all produced annual reports and surveys that help to identify emerging trends and offer some guidance on where your security dollars might best be spent. The insights provided are well informed, though a little conflicting at times. Taken together and compiled into one big list of trends, what one might find is a near complete listing of all attack motivations, actors, techniques, and the obligatory security control recommendations—if not a mini-study guide for the CISSP examination. What to make of it all?
Yes – IoT, cloud, mobile, and disruptive attacks are all emerging concerns that we have to be prepared to tackle, lest they tackle us. But there are trends among the trends. Looking across a dozen or more of the 2017 reports, we see a common theme bubbling up in their executive summaries and conclusions: email as the initial vector that an adversary uses to compromise or gain a foothold into the victim organization (whether targeted or opportunistic). There’s no real surprise here. And as obvious as it might seem, it’s an area that is easy to overlook. After all, we security professionals would never be duped by a phish email. Right? So then, it’s often easy to forget that the majority of end users and employees at many organizations are neither technical nor phish savvy and thus fall prey to such attacks, often resulting in the loss of millions in dollars and reputation.
Every end user with an email account serves as a potential pin hole into the organization – a pretty wide open field if you stop to think about it. Couple this with how critically ingrained email has become to our daily way of life and desire to keep critical processes going, communications open, and projects moving along (a completely different topic, but I digress). This hopefully reminds us of the continued need to implement strong anti-phish, anti-spam, anti-BEC, and anti-fraudulent email solutions and to perform ongoing tuning to make sure malicious emails are blocked from landing within reach of our end users. It involves making sure our DKIM and DMARC configurations are healthy.
Those are the first lines of defense. Trailing behind that are our end users. We must continue to train them and keep them on their toes, to formulate good habits and email hygiene practices. Often this comes by way of ongoing training – by both traditional means and by performing simulated phishing exercises to help reinforce good habits.
Organizations should also be shoring up their Maginot Line with additional basic security hygiene controls and resources to help stop attackers from moving laterally within the organization. This includes:
- Effective asset management and control (we can’t manage it if we don’t see and know about it)
- Solid patching and configuration hardening
- Application whitelisting
- Tight control of administrative privileges
That’s just to name a few. For more, I refer you to the Center for Internet Security’s Critical Security Controls framework (CSC), which just so happens to include email security controls and end user training as fundamental elements of any organization’s security program.
ePlus provides assessments that help gauge the effectiveness of your current security program, and help you better protect your organization. We create custom, integrated security programs through a unique holistic approach centered on culture and technology. We offer continuous monitoring, management, and improvement of your organization’s security programs and controls to help keep your data and your brand protected. For more information about how you can implement the recommendations of the CSC1 sub-controls, visit https://www.cisecurity.org/controls/ or contact us at firstname.lastname@example.org. You can also contact your ePlus Account Executive directly.