What are you trying to prevent?
"What are you actually trying to prevent?" posed Tyrone Erasmus, managing consultant at MWR InfoSecurity, at the ITWeb Security Summit 2015 in Midrand.
This question is key to prioritising where to spend an organisation's security budget, he explained.
Security professionals must think of their company's security from the cyber attacker's perspective to determine who their most likely attackers are and what they aim to do, Erasmus continued.
Cyber attackers can be ordered from most common and least threatening to least common and most threatening. He cited examples such as "script kiddies" who simply want to test their hacking skills, motivated individuals with more destructive goals, highly capable groups, serious organised crime, and advanced persistent threats (APTs), whereby attackers gain access to a network and stay there for a long time with the intention of stealing data.
Security staff should determine where their organisation sits on this threat scale, he continued. While most organisations may only have to be wary of highly capable groups, larger state organisations, whose resources could be harnessed for warfare or for infrastructural destruction, may be under threat from APTs, he elaborated.
Armed with an idea of their threat level, the organisation should pinpoint the resources cyber criminals would want to steal, such as money, client records or secret information, said Erasmus.
He also warned that the "things hackers don't care about" include what security testing a company has done, what is "out of scope" and the rules of "fair play". "One thing about hackers is that they have all the time in the world. They are relentless. They will keep looking for ways to get in."
A common class of vulnerability cyber criminals exploit today is "features" in client software, Erasmus noted. While it is difficult for attackers to predict exactly what software and versions thereof are in use, and current exploits are very sensitive to subtle differences between them, exploitable features can be general enough to include Java applets, HTML applications and browser extensions, he said.
Once an attacker has gained entry to a system or network, their next step is escalating their access until they are able to perform the functions they need, such as making payments or extracting data, said Erasmus.
Security professionals should make an effort to know their likely adversary, as "it's a lot harder to attack someone who understands your motivations and average level of skill".