Cybersecurity prevention is like Whack-a-mole

When it comes to cybersecurity, it may often feel like a game of whack-a-mole: where to look, how hard to hit the mole to stop it from resurfacing, and how to know whether you are covered well enough to be reasonably confident that malicious third parties cannot do you or your business any harm.

If anyone had the ultimate answer to that, the entire cybersecurity business would not exist, people would all get along and criminals would all be in jail.

Target selection

So what drives criminals to try to get into your business?

The main three sorts of criminals are

  1. Those who do it for money. These are the majority and are most likely invading your IT environment to extort as much money as they can.
  2. The second category is “employed” by either a state sponsor or a larger criminal organisation. These are often well funded and have lots of resources, but also pick their targets very carefully.
  3. The last category is larger and often involves non-affiliated criminals: either “hobbyists” with malicious intent or so-called “script kiddies” who stumble upon an opportunity via some social media or forum platform and decide to give it a go.

For the more organised crime that falls into the first two categories, there is a triangle of effort, risk and reward. Criminals first assess the amount of effort and risk a certain campaign would take and weigh this against the reward it would bring them, so that they can plot a virtual dot in the triangle. The closer that dot comes to the Reward tip, the higher the chance that you or your organisation will be targeted.

Exposure Triangle

Reward

The reward in the assessment is either a monetary one or one that aims at disruption of operations. The more money criminals can get their hands on, the higher the chance that the virtual dot ends up in the top triangle. For organisations that operate as part of a state-sponsored effort, the reward is mostly valued in terms of the damage it may cause. This damage is mostly related to negative impact on operations, reputation, physical damage etc.

The last part is hard or impossible to predict, as it may be very random. Horizontal damage to partner organisations may also be a reason for your organisation to be targeted. For example, if a rogue state wants to attack a political party, it could hack a donor of that party, leave incriminating evidence of illegal practices and plant false breadcrumbs pointing to that political organisation for law enforcement agencies to follow. Even if the evidence eventually shows it was part of a hacking exercise, the damage has already been done once rumours and suspicions have reached the public.

Risk

The assessment of risk is done by making an inventory of your company's attack surface. This may involve scoping your digital footprint and environment access points, as well as known vulnerabilities of your infrastructure and people, so that potential hacking or social engineering campaigns can be designed. This is then weighed against the detection measures that may be in place, such as Intrusion Detection/Intrusion Prevention systems, honeypot deflection, counter-attack mechanisms, organisational awareness of cybersecurity threats etc.

Depending on the profile of the criminal organisation you’re up against, the decision to target you or your organisation may not be subject to an assessment at all. If the decision is made by rogue states or by organisations residing in countries that have no, or limited, legislation around cybersecurity, it could well be that you’re subject to a random attack.

If the virtual dot ends up in the lower left triangle, your exposure is somewhat reduced.

Effort or Return on Investment

The amount of resources a criminal organisation needs to deploy, in relation to the reward it gets back, is significant. The RoI plays a great role in the decision-making process of well-organised threat actors. If you have a well-defined cybersecurity structure in place that requires criminals to deploy various attack campaigns on different fronts, you can imagine that the virtual dot will not land in the lower right triangle. When the required effort accumulates, the amount of risk associated with the attack campaign also increases. As the number of touch-points the criminal needs to investigate grows, the chance of hitting “trip-wires”, and therefore of detection, increases linearly with it. Depending on the detection methods you have installed and the amount of risk a criminal is willing to take, you may find that your exposure is greatly reduced if you have a well-defined detection and defence mechanism in place.

The sweet spot

So where do I need to sit from a defence side, you may ask. Obviously, from a security perspective you would want to be on the bottom line, right in between risk and effort. The problem is that it is extremely hard to get anywhere near that point. You have to accept that there will always be a chance of a leak in your defences. The only thing you can do is to decrease your exposure as much as you can, and to mitigate the possible fallout in case a breach happens by breaking up anything that may sit on the reward side of the triangle. In the triangle, this would land you basically dead-set in the middle. Also be aware that, from a cost perspective, the closer you get to the bottom line the more investment you need to make, so your “reward” is inversely proportional to what a hacker sees. If a malicious third party forces you to make significant investments in cybersecurity, and thereby eats into your profitability, they may already have achieved their goal.
The counterargument is that the chance of a negative exposure is greatly reduced, and other malicious parties will see their virtual dot landing near the bottom line.
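A small model of the exposure triangle described above, added here as an illustration and not part of the original post. It assumes the three factors can be scored on a common scale (a simplification the post does not make) and places the “virtual dot” by normalising the scores; a corner region is where one factor carries more than half the weight, as in the post's top, lower-left and lower-right triangles.

```python
from dataclasses import dataclass

# Hypothetical scoring: each factor is a non-negative number on the same scale,
# as seen from the attacker's side (reward = what they gain, risk = chance of
# detection/consequences, effort = resources they must spend).
@dataclass(frozen=True)
class Assessment:
    reward: float
    risk: float
    effort: float


def locate(a: Assessment) -> dict:
    """Barycentric position of the dot: weights sum to 1, one per corner."""
    total = a.reward + a.risk + a.effort
    if total <= 0:
        raise ValueError("at least one factor must be positive")
    return {"reward": a.reward / total,
            "risk": a.risk / total,
            "effort": a.effort / total}


def region(weights: dict) -> str:
    """Which sub-triangle the dot lands in when the big triangle is split
    at the midpoints: a corner region if that corner's weight exceeds 0.5,
    otherwise the middle (the post's 'dead-set in the middle')."""
    for corner in ("reward", "risk", "effort"):
        if weights[corner] > 0.5:
            return corner
    return "middle"


def distance_to_bottom_line(weights: dict) -> float:
    """How far the dot is from the risk/effort edge; 0 means the attacker
    sees no reward at all, 1 means the dot sits on the Reward tip."""
    return weights["reward"]


def defend(a: Assessment, extra_effort: float, extra_risk: float,
           reward_cut: float) -> Assessment:
    """Model of the post's advice: raise the attacker's required effort and
    detection risk, and break up what sits on the reward side."""
    return Assessment(reward=max(a.reward - reward_cut, 0.0),
                      risk=a.risk + extra_risk,
                      effort=a.effort + extra_effort)
```

Running `locate(defend(Assessment(8, 1, 1), 3, 3, 6))` moves a target that started in the reward corner into the middle region, which is the movement the post describes.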

How do I get there?

To increase your defences, you need to look at two main factors: technical and human.

When it comes to technology, in a large enterprise environment you would need a team of specialists to define, implement and maintain the structure. As small and medium businesses most often do not have the resources to employ people for that, external companies are usually the way to go. The main hurdle is often seen in the maintenance of the environment, as perpetual services need to be subscribed to; however, I can tell you that this is money well spent.

Look at yourself in the mirror and decide how seriously you are actually taking the cybersecurity threat that is out there and makes headlines in the media every single day. If you stick your head in the sand or take half-baked measures against these threats, you can rest assured that at some stage you may be up for a press conference because your customer database was leaked on some dark web forum. I’m not trying to instil fear, but almost no day passes without these kinds of breaches making their way into the news.

You can do a lot of things yourself. Updating your software on a regular basis is a fairly simple task these days. PCs and laptops can contact the vendor in question and update the software themselves if configured to do so. In somewhat larger organisations this is often controlled by special monitoring and deployment software run by your IT department. This alone removes over 95% of the chances that a threat actor can exploit known vulnerabilities in the software. Ensure that you obtain regular reports from your vendors showing whether certain pieces of equipment have up-to-date software and are configured with “least privilege”. The latter basically means that the software should only allow access to the functions that are absolutely required for people to do their job. If you own a plumbing business, your plumbers may need internet access to order parts or log their time, but they don’t need access to your network firewall to do this. This may seem over-simplified, but I’ve seen environments where equipment was installed right off the shelf of the local computer store with all the “defaults” still active.

The human factor is much more complex, as it is subject to a variety of flaws. People can be subject to circumstances such as lack of knowledge as a result of no proper training, malicious intent and overconfidence, but also to external influences like extortion, money baiting etc. Disgruntled former employees have also been seen wreaking havoc in the environments of their former employers.

As you can see, this is much more than just a cybersecurity engagement; it also needs to involve departments like human resources to come up with measures that take all of these into account.

From a knowledge perspective, people can take training courses and keep up to date with rules and regulations that change over time. Non-intrusive tests can be done to see what the current state is and whether additional training may be helpful.

The team as defence

Technology has enabled companies to do business on a scale that has rarely been seen in the history of mankind. It can however be a hindrance when things do not go the way they were intended to, or when security measures get in the way by creating obstacles for people.

A combination of easy-to-use hardware and software together with proper training will significantly decrease your exposure to cybersecurity risks. Authentication and authorisation solutions, as well as cybersecurity training for small and medium businesses, are part of what we do.

Get in touch to see what we at EvL Consulting can do for you.

Kind regards

Erwin
