When I tell people that I work in cybersecurity, the first question I get is whether I can hack. The second question I get is, "If I use Norton or McAfee as my antivirus, am I all set?"
This idea that Cybersecurity consists of Hacking and Installing antivirus software is analogous to thinking that law enforcement consists of murder and traffic stops. There is a lot more to it than that.
The first thing to understand is that when we think of PC-based threats, the most common ones are not actually viruses. The most common are called Trojans, named after the Trojan Horse. The idea is that they disguise themselves as something innocuous, such as a Microsoft Word or Excel document, or perhaps a media file like an MP3. The trickiest ones even carry legitimate content to create a better cover, so users have no reason to suspect that they have been infected.
There are many other subcategories of these threats, but the overall category is called malware, short for malicious software. Since about 2015 the malware we see most commonly is called an APT, or advanced persistent threat. It is a combination of several subtypes of malware designed to create an initial infection that is very easy to clean, along with several "persistence mechanisms", or ways of staying on your machine after the initial cleanup. For example, the pattern I have personally seen the most is an initial Trojan infection followed up by credential harvesting and a secondary malware download.
The reason this is so common is that hackers often resell access to a compromised computer, often more than once. This lets each attacker perform their own attack and reduces the risk of any one of them ending up empty-handed. The first attacker may be harvesting credentials for later attacks against the user or company. The second one may be a ransomware gang looking to infect the network and hold the computers for ransom.
So when the incident hits and users arrive at work to find their machines encrypted, their IT guy might say, "Don't worry," and restore from backups or rebuild. However, if the attackers harvested credentials, they might be back.
So why can't we prevent all incidents? Because with enough time, patience and effort attackers can break any system.
That's why key defense strategies often focus on limiting account login attempts, implementing two-factor authentication, reducing the number of places from which a system is accessible, and so on. Effectively, each of these reduces the attack surface. However, for every advance we make in limiting the attack surface, if we are not monitoring, auditing, and performing remediation to enforce compliance on those systems, we wind up with gaps or blind spots.
An example of a gap might be a company whose password policy requires 16 characters including special characters and checks passwords against lists of commonly used passwords. But their CEO, who demands to maintain access to all systems, also doesn't like to change his password, and remembering a 16-character password is difficult for him. So he has been grandfathered into the old policy, which was 8 characters, and his password is set to never expire. Because this is the old policy, his password is also not checked against any common-password list. This is a ticking time bomb. It's only a matter of time before his password is simply guessed or phished by attackers. At that point, because an exception was made for one person with complete access, there are no other safeguards or early-warning systems in place, and a preventable breach occurs.
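The monitoring and auditing step above is what catches a grandfathered exception before it becomes a breach. The following is an added example, not code from the original post: it audits per-account password-policy overrides against a baseline and flags accounts whose effective policy is weaker, privileged accounts first. The account records and field names are constructed for illustration and do not correspond to any particular directory product's schema.

```python
# Added example: audit password-policy exceptions against a baseline.
# Field names and sample accounts are constructed, not any product's schema.
from dataclasses import dataclass, field

# The organisation's current policy; max_age_days=None means "never expires".
BASELINE = {"min_length": 16, "require_special": True,
            "max_age_days": 90, "check_common_list": True}


@dataclass
class Account:
    name: str
    privileged: bool
    # Per-account overrides; an empty dict means the baseline applies as-is.
    overrides: dict = field(default_factory=dict)


def effective_policy(acct):
    """Baseline with the account's overrides layered on top."""
    return {**BASELINE, **acct.overrides}


def policy_gaps(acct):
    """List each way the account's effective policy is weaker than BASELINE.
    An empty list means the account is compliant."""
    pol = effective_policy(acct)
    gaps = []
    if pol["min_length"] < BASELINE["min_length"]:
        gaps.append(f"min_length {pol['min_length']} < {BASELINE['min_length']}")
    if BASELINE["require_special"] and not pol["require_special"]:
        gaps.append("special characters not required")
    if pol["max_age_days"] is None or pol["max_age_days"] > BASELINE["max_age_days"]:
        gaps.append("password does not expire within baseline max age")
    if BASELINE["check_common_list"] and not pol["check_common_list"]:
        gaps.append("not screened against common-password list")
    return gaps


def audit(accounts):
    """Map name -> (privileged, gaps) for non-compliant accounts only,
    ordered so privileged exceptions (the riskiest) are listed first."""
    flagged = [a for a in accounts if policy_gaps(a)]
    flagged.sort(key=lambda a: (not a.privileged, a.name))
    return {a.name: (a.privileged, policy_gaps(a)) for a in flagged}


SAMPLE_ACCOUNTS = [  # constructed sample data
    Account("jdoe", privileged=False),
    Account("ceo", privileged=True,
            overrides={"min_length": 8, "max_age_days": None, "check_common_list": False}),
    Account("svc-backup", privileged=False, overrides={"max_age_days": 365}),
]

if __name__ == "__main__":
    for name, (priv, gaps) in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name} [{'PRIVILEGED' if priv else 'standard'}]: {'; '.join(gaps)}")
```

Run on a real export, the output is the list of exceptions that need an owner, an expiry date and a compensating control, rather than a silent grandfather clause.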
Of all the incidents I have responded to, more than half involve a weak password. Worse yet, the password is usually shared among numerous accounts. This means that during the incident response process we need to take the time to set up the user or users with a password manager and manually change all of the passwords. This is not only tedious but buys the attackers more time to do what they like with those credentials. Lastly, it's very difficult to remember every account you have, as the average person has now subscribed to or created an account for over 50 services. Just think of how many you can recall offhand. Streaming services, shopping sites, and banking sites are good examples. In addition, people often have many business and personal accounts interconnected, so during the IR process we need to deal with whatever data leakage may have occurred there as well.
So why can't we prevent all incidents? Simply because as we have more people, more data, and more accounts, there is more data and account sprawl, and keeping track of everything becomes ever more difficult.
How can you keep yourself safe from IT Threats?
- Minimize how much personal information you post on social media
- Keep a clear separation between work and home
- Don't share passwords among your different accounts or with other people
- Use a password manager
How can you keep your business safe from IT threats?
- Analyze where you keep your data
- Try to keep data sprawl to a minimum
- Utilize a centrally managed authentication provider for SSO (single sign-on)
- Monitor your endpoints, on-premise systems, cloud services, and network logs for suspicious activity
- Encrypt data when possible
- Create clear plans for onboarding and offboarding of employees
- Maintain good backups and test them at least yearly
- Practice disaster recovery (DR) scenarios to make sure you are ready when disaster strikes
- Have a plan for who you will call when disaster strikes, and be sure they will take your call when you need them