In High-Profile Breaches, Attackers Leveraged Poor Security Hygiene
While zero-days have been known to strike unsuspecting victims left vulnerable without a vendor security patch in sight, the major culprit behind high-profile data breaches is something far simpler: poor security (cyber) hygiene.
According to Fedscoop.com, the National Security Agency (NSA) has been involved in high-profile security incident response and mitigation efforts over the last two years. During the Federal Cybersecurity Summit last week, Curtis Dukes, deputy national manager of security systems at the NSA stated that all of the security incidents included relatively simple hacking techniques.
A few examples of attackers’ simple techniques include spear phishing (emails or other forms of communication that seek to steal data or passwords, or infect with malware), watering hole attacks (selectively infecting targeted websites with malware in order to infect victims), and USB drive delivery (malware infection).
Dukes also pointed out that the fundamental problem faced in every incident was poor cyber hygiene - in each incident, attackers took advantage of poorly patched and managed systems.
Building Strong Endpoint Defenses
In June, Dukes spoke at another Cyber Security Summit, stating that it pays to invest in strong defense, and that companies and agencies need to build in mitigation throughout a system, not just on the boundaries, according to FederalNewsRadio.com.
He also said “the battle is now being waged down at the endpoint, not the boundary.” The lifecycle of an intrusion is through a phishing scam, allowing attackers to establish a presence, install malware and tools, then move throughout the system to steal data.
In order to build defense capabilities, Dukes recommends installing patches within a very short timeframe after a vendor pushes out a patch. He said that the NSA has seen attackers reverse engineer patches within four days, meaning they can use this information to attack organizations that haven’t yet patched their systems.
The National Campaign for Cyber Hygiene
As part of a multi-year effort to create a nationwide movement toward improving cyber security, the New York State Office of Information Technology Services Enterprise Information Security Office has established the National Campaign for Cyber Hygiene.
The campaign’s five key recommendations for organizations to improve their hygiene include:
- Count - Know what’s connected to your network
- Configure - Implement key security settings to protect your system
- Control - Limit and manage those with administrative privileges, that is, those with the power to change, bypass or override security settings
- Patch - Regularly update all applications, software and operating systems
- Repeat - Do these things regularly to ensure a solid cyber security foundation for your organization
Microsoft also offers additional tips for better security hygiene for state and local government:
- Identify critical data. By classifying data, you can determine the criticality of data sets and align your processes for data handling.
- Emphasize multi-factor authentication and strong identification. Move away from single-factor authentication (passwords alone) toward multi-factor authentication to verify your users’ identities.
- Teach good hygiene at all levels. That includes instructing employees on best practices to follow when using email, social media and other outside systems.
- Encrypt data at rest and in motion. Secure transport protocols like IPsec and SSL/TLS can be enabled for data in transit, while data at rest can be protected by FIPS 140-2 compliant encryption.
The importance of patching systems and automating the process cannot be overstated: patched, up-to-date systems are more secure. Automating patching also shortens the time-to-security, protecting you against the latest reported software vulnerabilities.
Fundamental Security Principles
At the 5th Annual Cybersecurity Summit held in September and hosted by the U.S. Chamber of Commerce, NSA Deputy Director Richard Ledgett gave a talk on how the private and public sectors can work together to strengthen cyber security. He shared a few insights from the NSA’s investigations, echoing similar statements as Dukes.
According to Ledgett, in most high-profile breach cases that the NSA investigates, an attacker had used a known and patched vulnerability to compromise the organization, making updating and patching the most important thing a company can do to maintain a secure organization.
Maintaining the integrity of the devices on your network means ensuring they’re behaving the way they should. Another aspect is containing the damage, should an intrusion occur. Organizations must also focus on protecting network credentials from compromise or misuse.
He said the most common method of stealing credentials is tailored spear phishing, which allows attackers to use authorized credentials to get into a network.
Other principles include:
- Application whitelisting, to limit what can run and which types of executables are allowed
- Limiting privileges to deter lateral movement
- Taking advantage of the security features that software vendors build in
- Finally, the most critical, as mentioned above: keeping hardware and software up to date
Ledgett stated there were countless entities hacked because they didn’t update their software or hardware, or were running systems that were no longer supported by the manufacturer, which left them without the ability to receive security patches.
Ensuring Healthy Devices
One way to keep track of out-of-date and unpatched software is with an access security tool that can automatically check devices and allow you to block, warn or notify users to update their operating systems, browsers and plugins before they log into your applications.
Duo’s Trusted Access security model does this by first verifying your users’ identities using two-factor authentication, while checking the security health of their devices before granting secure access to your services.
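The device-health check described above, reduced to its core decision logic, as an added example that is not Duo’s code or any product’s policy: a device reports the versions of its OS, browser and plugins, a policy says which versions are current and which are too old to tolerate, and the result is allow, warn or block. The component names, version numbers and policy thresholds are constructed for illustration.

```python
"""Device-health policy evaluation (constructed example, not product code).
Each policy rule has a 'minimum' version (anything older is blocked) and a
'current' version (anything older than that, but at or above minimum, warns)."""
from dataclasses import dataclass


def parse_version(text):
    """Turn '10.11.6' or '52.0.2743' into a tuple of ints so that
    comparisons are numeric, not lexical ('9' < '10')."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Rule:
    minimum: str   # below this: block
    current: str   # below this (but at/above minimum): warn


def evaluate(version, rule):
    """Verdict for one component against one rule."""
    v = parse_version(version)
    if v < parse_version(rule.minimum):
        return "block"
    if v < parse_version(rule.current):
        return "warn"
    return "allow"


def check_device(device, policy):
    """device maps component name -> reported version string.
    Returns (overall verdict, per-component findings). The overall verdict is
    the most severe finding; a component with no rule in the policy is unknown
    and therefore blocked, so an unexpected plugin cannot slip through."""
    severity = {"allow": 0, "warn": 1, "block": 2}
    worst, findings = "allow", []
    for component, version in device.items():
        rule = policy.get(component)
        verdict = evaluate(version, rule) if rule else "block"
        findings.append((component, version, verdict))
        if severity[verdict] > severity[worst]:
            worst = verdict
    return worst, findings


# Constructed sample policy and device report (hypothetical values).
POLICY = {
    "macOS": Rule(minimum="10.10.0", current="10.11.6"),
    "Chrome": Rule(minimum="50.0.0", current="53.0.0"),
    "Flash": Rule(minimum="23.0.0", current="23.0.0"),
}
SAMPLE_DEVICE = {"macOS": "10.11.6", "Chrome": "52.0.2743", "Flash": "22.0.0"}

if __name__ == "__main__":
    verdict, findings = check_device(SAMPLE_DEVICE, POLICY)
    for component, version, result in findings:
        print(f"{component} {version}: {result}")
    print("decision:", verdict)
```

With the sample device, the outdated Chrome only warns, but the old Flash plugin blocks access until the user updates it.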
Ultimately, there’s a lot we can still do to protect ourselves that we aren’t currently doing - but by improving our security hygiene with these steps, we can eliminate many existing risks. Learn more by downloading the new Essential Guide to Securing Remote Access.