Cyber-attacks can originate from anywhere, but there appears to be an unabated trend of pointing the finger at either "sophisticated attackers" or, more blatantly, naming and blaming nation-states like China and Russia (alright, maybe North Korea and Iran).
The truth about attribution (who the attacker is) is often overlooked for something more dramatic, especially in situations where sensitive information or brand reputation is at risk. Specifically, we often see businesses try to save face by blaming attacks on state actors when they failed to make proper cybersecurity investments by "cutting corners." Cyber-attacks can be quite damaging to an organization, especially in terms of:
- Damage to organization’s brand;
- Liability exposure for a “Class Action” lawsuit;
- Loss of customer trust;
- Significant financial penalties; and
- Loss of jobs to make up for increased breach expenses and remediation.
The tactic is simple. Switch the focus from internal bad practices and shift the blame to "sophisticated nation states and/or criminal gangs." Lazy, but effective.
Yet there often isn't concrete proof that backs up these claims, and time and again the victim business ends up with egg on its face as the attacker(s) turn out to be unsophisticated and unrefined script kiddies. The amateur succeeds only because of the bad cybersecurity hygiene of companies that don't have their house in order.
The following looks at debunking some of the myths and misconceptions around why most cyber attacks succeed and offers some tips on what instead should be done to deny and disrupt attacks.
Myth #1: All Cyber Attacks are Sophisticated and Complex.
While it is easy to assume that all successful attacks are complex and require a whole team of state-sponsored operatives sitting in a room and coordinating with one another, this isn't always the case. The reality of cyber-attacks is often far more straightforward.
The list of attack motivations can be quite long, but there are probably a handful of reasons why many attacks succeed, including:
- The business’s executives refuse to acknowledge it’s a target.
- The business ignores or does not focus on the basic tenets of cybersecurity.
- Immature or non-existent cybersecurity and IT controls.
The next time you hear about a complex cyber-attack on a business, there is a better chance that the attack succeeded not because it was conducted by a nation-state or a clever attacker, but because one individual or a small group took advantage of bad cybersecurity hygiene.
The fact is that even cyber criminals would not want to admit how easy it was to attack the breached company. A sophisticated attack sounds more serious, and if a business has cyber insurance, this is going to be the storyline used to make a claim.
Myth #2: All Cyber Attackers are Professional and Highly Skilled.
While known hackers and foreign militaries clearly do carry out cyber attacks, it is safe to assume that most of the time, cyber attacks are carried out by individuals with little experience. I like to call this group the “bored but curious teenagers” (also known as “script kiddies”). These probing script kiddies are often either looking for weaknesses in systems and processes or they poke around just for the fun of it.
These folks don't usually have a clock to work against, unless they're trying to breach a highly sophisticated defense system. Most of the time they will look for the easiest way to hack into a system; trying to break into a system with advanced defenses takes up too much time. They use a variety of methods to load up malware or exploit a known vulnerability, and then bide their time.
Myth #3: Throwing Money at Cybersecurity is the Answer.
JPMorgan was on the receiving end of a successful cyber-attack despite having spent close to U.S. $250 million on cybersecurity in 2014. Although they almost doubled the spending to U.S. $500 million, it’s safe to say that they could still be hacked!
Please repeat after me: Only throwing money at cybersecurity will not protect me.
Before spending a penny, or a dollar, more on any technology or employees, one must ask:
- Have we got the basics right? It’s often the basic hygiene, the basic controls that are overlooked in the search for the panacea that does not exist. Most security breaches can be prevented by having layered cybersecurity controls throughout the enterprise. If a company has one weakness such as an unprotected development server, a hacker will find it and exploit the server – even if it is out-of-scope for the cookie-cutter audits such as SOX or PCI.
- What are our gaps? Have we carried out a gap assessment and/or external audit to determine our areas of weakness and strength?
- Risk-based approach: Have we adopted a formal risk-based approach to information security to ensure services or products procured mitigate the most important and relevant risks?
It is a misconception that just throwing loads of money at cybersecurity will keep you safe.
Myth #4: Only People on the Outside are Launching Cyber Attacks.
Linking in with Myth #2, most people assume that cyber criminals are external to an organization. The race to blame an external source distracts from the truth: regardless of the origin of the attacker, internal or external, most regular and complex attacks need the privileges or the access rights of an insider to succeed.
If you can properly manage the privileges and access rights of privileged insiders, you could deny success to a large number of cyber attacks.
A privileged insider is not only an IT person, though that is who the term usually brings to mind: it is anyone who has the privileges and rights to carry out administrative tasks on critical systems and/or access confidential data. Some examples of privileged users are:
- Active Directory Enterprise or Domain Administrator;
- Anyone who has the rights to back up system files; or
- A business privileged user who has rights to access confidential data.
According to the 2016 Verizon Data Breach Investigations Report, the insider threat represented roughly 15% of breaches. Do note, these figures are only from those that are reported.
Myth #5: Companies State Nothing Could Prevent the Attack.
There may be some truth in this myth! We have all heard and read the maxim about the two types of companies: those that have been hacked and those that don't yet know they have been hacked. That maxim still stands.
However, pleading powerlessness is not an excuse. There are simple steps an organization can take to significantly improve its chances of denying and disrupting an attack from either the script kiddie or the sophisticated attacker.
For instance, many companies lack the proper cybersecurity controls: no logging, no layering of security controls, no alerts established to detect an intruder, no filtering of malicious traffic, improper DNS settings, and so on.
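One concrete form the missing "alert to detect an intruder" can take is watching the Windows Security log for additions to privileged Active Directory groups, since Myth #4 makes the point that most attacks need insider-level privileges to succeed. The script below is an added example written for this article, not code from the article or from any product it mentions. It assumes the domain controller audits Security Group Management (the source of event IDs 4728, 4732 and 4756), that the account running it can read the remote Security log, and that the watched group names and the 24-hour window are reasonable defaults; all three are assumptions, not values from the article.

```powershell
# Added example (not from the article): alert on additions to privileged AD groups
# using the Windows Security log. Assumes "Audit Security Group Management" is
# enabled on the domain controller and that the caller can read its Security log.
# The watched group names and the 24-hour window are assumptions.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# 4728 / 4732 / 4756: a member was added to a security-enabled global / local /
# universal group. These are the built-in events generated by group membership changes.
$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Groups whose membership should never change without a ticket (assumed list).
$watched = @('Domain Admins', 'Enterprise Admins', 'Administrators',
             'Backup Operators', 'Schema Admins', 'Account Operators')

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$alerts = foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of parsing message text,
    # which is locale-dependent and brittle.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName is the group that was modified; MemberName is the DN of the
    # account added; Subject* identifies who performed the change.
    if ($watched -contains $data['TargetUserName']) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Group     = $data['TargetUserName']
            AddedDN   = $data['MemberName']
            ByAccount = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}

if ($alerts) {
    # Every row here is either an approved change or an intruder granting themselves
    # persistence; the review is to match each row to a change ticket.
    $alerts | Sort-Object Time | Format-Table -AutoSize
} else {
    "No additions to watched groups on $ComputerName in the last $Hours hours."
}
```

Save it as a script, run it on a schedule against each domain controller, and feed any rows it returns into whatever ticketing or SIEM workflow the organization already has; the point is that the log data already exists on every domain controller, and turning it into an alert costs nothing but the audit policy and a scheduled task.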
Conclusion
Both the movies and the mainstream media make out cyber-attacks to be a glamorous and fairly complex activity confined to a few elite. If we were to believe the media then all hackers are super-smart and live and work in Russia, China or Iran. Yes, there are attacks that can be attributed to nation states like here and here, but the overall reality is far from what the media portrays as the truth.
Today, the availability of hacking tools and services, combined with 24/7 Internet connectivity means that there are as many possible cyber miscreants as there are humans on the planet. Even if we take away the newborns and the really old, we are left with over four billion potential cyber trespassers.
They don't need to spend all their time exploring new ways to get into a system when all they need to do is either compromise a system that has not been updated or steal and use privileged credentials from an IT power user. In some instances, organizations simply leave the "door to the crown jewels wide open," again through a lack of basic cybersecurity hygiene, making it easier for any attacker to succeed.
The reality is that most cyber criminals are out hunting in cyberspace to make a quick buck. In 2016, one ransomware creator is estimated to have made over U.S. $120 million! Imagine the global lure to make large amounts of money with little or no effort. The good news is that the majority of these potential wrongdoers can be stopped in their tracks if a business focuses on basic cybersecurity hygiene practices.
Start by focusing on cybersecurity hygiene, including, but not limited to:
- Ensuring all your systems, servers and mobiles are updated with the latest software updates.
- Encouraging the use of strong but easy to remember passwords and insisting on two-factor authentication for all the privileged users in your business.
- Managing your privileged users by ensuring you are able to effectively monitor and control what administrative actions they can perform and when they can perform those actions.
- Ensuring your endpoint devices are built to secure configuration standards and enforce least privilege security policies.
- Knowing "who can do what": Within your Active Directory, know what privileged actions each employee can perform. Focus on IT users, helpdesk users and service accounts. Do the same for other critical systems that are on-premises and/or in the cloud.
- Shifting focus from a binary “we are secured” way of thinking to a more proactive “we are prepared” mindset.
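The "who can do what" item, together with the privileged-user examples under Myth #4 (Enterprise/Domain Admins, anyone with backup rights, business users with access to confidential data), comes down to a recurring inventory of privileged Active Directory accounts. The script below is an added example written for this article, not code from the article or from any product it mentions. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller has read access to the domain; the group list, the 90-day staleness threshold and the one-year password-age threshold are assumptions chosen for illustration. It uses SmartcardLogonRequired as the closest on-premises AD signal for "two-factor authentication enforced", which is an assumption about how the organization enforces the second factor.

```powershell
# Added example (not from the article): inventory privileged AD accounts and flag
# the hygiene problems the checklist above calls out. Assumes the RSAT
# ActiveDirectory module and read access to the domain. Group names and the
# day-count thresholds below are assumptions, not values from the article.
Import-Module ActiveDirectory

# Groups from the article's examples (Enterprise/Domain Admins, backup rights)
# plus other built-in groups whose members can act as administrators (assumed list).
$privilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Administrators',
    'Backup Operators', 'Account Operators', 'Schema Admins'
)
$staleAfterDays     = 90    # assumed: no logon for this long means "review this account"
$passwordMaxAgeDays = 365   # assumed: privileged passwords older than this are flagged

# Attributes needed for the hygiene checks.
$props = @('Enabled', 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires',
           'ServicePrincipalName', 'SmartcardLogonRequired')

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties $props

        $flags = @()
        # A service account (has an SPN) sitting in an admin group is exactly the
        # "privileged credentials from an IT power user" an attacker looks for.
        if ($u.ServicePrincipalName.Count -gt 0)  { $flags += 'service-account-in-admin-group' }
        # Never-expiring or very old passwords undermine the "strong passwords" item.
        if ($u.PasswordNeverExpires)               { $flags += 'password-never-expires' }
        if ($u.PasswordLastSet -and
            $u.PasswordLastSet -lt (Get-Date).AddDays(-$passwordMaxAgeDays)) { $flags += 'password-too-old' }
        # On-prem AD signal for an enforced second factor (assumption: smart cards).
        if (-not $u.SmartcardLogonRequired)        { $flags += 'no-second-factor-enforced' }
        # Enabled but unused admin accounts are privilege nobody is watching.
        if ($u.Enabled -and $u.LastLogonDate -and
            $u.LastLogonDate -lt (Get-Date).AddDays(-$staleAfterDays)) { $flags += 'stale-logon' }

        [pscustomobject]@{
            Group          = $group
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Flags          = ($flags -join ',')
        }
    }
}

# Output for the review: who is privileged, and which entries need attention.
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
"Privileged user accounts: $(($findings | Select-Object -Unique SamAccountName).Count)"
"Entries with at least one flag: $(($findings | Where-Object Flags).Count)"
```

Run it monthly and diff the output against the previous run: the diff is the list of privilege changes to justify, and the flagged rows are the concrete "basics" the article says get skipped while the budget goes to the panacea that does not exist. The same review should then be repeated for cloud directories and other critical systems, as the checklist says, using whatever inventory interface those systems offer.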