When we hear about breaches, we assume that attackers used some never-before-seen, zero-day exploit to breach our defenses. This assumption is normally far from the truth. While it is true that nation-states hold onto tastily crafted zero days that they use to infiltrate the most nationally significant targets, those targets are not you. And they’re probably not your organization, either.
At this year’s Virus Bulletin Conference, much like in years past, we were regaled with many tales of attacks against financially important, high-profile targets. But in the end, the bad actors didn’t get in with the scariest ’sploits. They got in with a phishing email, or, as in a case that one presenter from RiskIQ highlighted, they used wide-open permissions within a very popular cloud resource.
The truth is that the soft underbelly of the security industry consists of hackers taking the path of least resistance: quite often this path is paved with misconfigured security software, human error, or other operational security issues. In other words, it’s not super-“l33t” hackers; it’s you.
Even if you think you’re doing everything right within your own organization, that may still not be enough. While you may have thoroughly secured your own network, those you interact with may not be so locked down. You may think that you’ve successfully eschewed third-party software, that you don’t use the cloud for collaboration, so you’re safe in your enclave. However, third parties situated within your supply chain may be using cloud services in ways that endanger you. And sometimes neither you nor they even know that this situation has created significant risk to both of your environments.
Not to worry, you’re not alone, and there are things you can do about it.
High-profile breaches these days often start with third parties you use. While you might have the greatest security team out there, maybe they don’t.
Not sure? Here are a few obvious (or not-so-obvious) things you can check with your teams:
It’s certainly convenient for teams sharing cloud resources – especially as a file share – to give everyone full permissions to add, change and delete files. But this could also open you up to trouble. Especially for projects and teams that are hastily thrown together, “temporary” cloud-based resources may be tossed together without considering best security practices. This often includes everyone having wide-open permissions so that everything “just works”. And these resources have a way of outlasting a Hollywood marriage by years, all the while exposing a huge gap in your defenses.
Do your teams or your third-party vendors use unsecured and/or unmonitored messaging services, forums or platforms to discuss your business? If criminals (or even competitors!) can access internal communications about your business, this could cause huge problems. At the very least, those communications could give significant resources to attackers looking to socially engineer their way into your network.
Corporate email compromise
How well have you locked down the ability to send email from your domain? Could that flood of phish be coming from inside your own house? If you’re not taking good care of your email security, attackers could be using your good name to steal the trust they need in order to fool people into clicking malicious links. Too few companies are using email authentication strategies like DMARC, DKIM or SPF to help verify valid messages, which is something we’d like to see change for the better!
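One way to run that check on your own domain, as an added example that is not part of the original article: a small auditor that reads the SPF and DMARC TXT records you publish and flags settings that leave spoofed mail deliverable. The domains and records in `SAMPLES` are constructed, the function names are hypothetical, and DKIM is left out because verifying it requires knowing the selector in use.

```python
def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a lowercase tag dictionary."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def audit_spf(txt_records):
    """Return findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records, receivers treat this as an error"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' term, unlisted senders are not rejected")
    for t in all_terms:
        if t[0] not in "-~":  # bare 'all', '+all' and '?all' never fail a sender
            findings.append(f"SPF: '{t}' does not fail unlisted senders")
    return findings

def audit_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record published"]
    tags, findings = parse_tags(recs[0]), []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if tags.get("sp") == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced")
    return findings

def audit_domain(spf_txt, dmarc_txt):
    return audit_spf(spf_txt) + audit_dmarc(dmarc_txt)

# Constructed TXT answers for placeholder domains (not real lookups).
SAMPLES = {
    "weak.example": (["v=spf1 include:_spf.mailer.example ?all"],
                     ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"]),
    "strict.example": (["v=spf1 ip4:192.0.2.0/24 -all"],
                       ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"]),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        for finding in audit_domain(spf, dmarc) or ["no findings"]:
            print(f"{domain}: {finding}")
```

Feed it the TXT answers returned for your domain and for `_dmarc.` plus your domain, and repeat the check for the domains your vendors send mail from on your behalf.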
It certainly can be tempting to keep searching for what flashy and dramatic new threats attackers are finding, but in the end it’s most important to make sure you’re filling the simple cracks within your own edifice. As technology becomes more ubiquitous, it also introduces more complexity. By thoroughly addressing these simpler (if unexpected) problems, we can devote less brainpower to stressing out about the space-age techniques that are being used against high-value targets, and use that reclaimed mental bandwidth to make things actually more secure.