SA companies lacking cyber security fundamentals
While adversaries continuously refine their attack methodologies, primarily towards greater efficiency, simpler operation and more effective outcomes, the unfortunate reality is that organisations seemingly still face the same static set of risks.
It is the fundamental basics of security that continue to fail: inefficient patch management, poor visibility, lack of MFA, insufficient care over third parties and reckless privileges.
It is almost impossible to keep legitimate credentials out of the hands of attackers. They can be stolen from elsewhere, guessed or harvested from within the network. Often, adversaries use leaked credentials from previous breaches to further compromise the individual. Every service available on the Internet, including cloud applications such as Office 365/Outlook, external VPNs and SSO pages, should require users to provide a one-time password (OTP) in addition to their regular password. Although OTP via SMS has been deprecated by some standards, an OTP sent by SMS to the user's phone is still an improvement over a single factor. Implementing MFA can reduce successful incursions, impede lateral movement within a compromised network and help secure the supply chain.
Year after year, the same issues and security gaps are blighting organisations' ability to effectively identify and respond to threats. It can be easy to lose sight of security fundamentals as an organisation's complexity increases, but the next best step on an organisation's cyber security journey may be to take a step back and reassess its ability to execute the fundamentals.
The common vulnerabilities and exploits used by attackers in the past 12 months reveal that fundamental cyber security measures are lacking. Cyber criminals use fewer than a dozen vulnerabilities to break into organisations and their systems, because the reality is that they don't need more.
CISOs are faced with cyber threat actors that are highly motivated and continue to increase in number, sophistication and creativity. In many cases, these attackers possess the advantage in skills and actively collaborate to maximise speed and aptitude. The pool of highly effective security personnel necessary to build a team is small, expensive and in great demand.
MD at CyberSec Consultants, Nathan Desfontaines, says: "While many attacks can still be stopped by traditional security controls at the perimeter, these controls have little effect against adversaries already on the network. Visibility into the network is required, but visibility must go beyond the perceived network to include the whole network. Too often, organisations fail to accurately monitor all their assets. How can an organisation protect assets it does not know about?"
Arguably, CISOs have the toughest and most unenviable job. All eyes are on them. In most cases, they are tasked with regulatory compliance and with preventing cyber attacks through the management of a technical staff that oversees the policy and controls of the technology used by the company. In reality, they are held accountable for whatever goes awry, for anything that could be perceived as a cyber attack, whether it was in their job description or not. Confidentiality of sensitive data, including marketing plans, customer information, executive communications, employee files, payroll statistics and product development data, is part of the stated or unstated job. Availability of the Web site, uptime for IT operations and tools, compliance with every digital statute anywhere they do business, protection from internal intellectual property (IP) loss and external thieves, and even keeping foreign nation states at bay have been added to the list. Recently, many have also inherited data steward duties as part of stronger and more prescriptive privacy regulations like the Protection of Personal Information Act (POPIA).
The scope of a CISO's job has swelled and will inevitably continue to grow over time; however, it is of the utmost importance to get the fundamentals right first.