7 Deadly Sins of Security Practitioners
The threat of cyberattack continues to strain the resources of even the most well-funded cybersecurity programs. According to one survey from KPMG earlier this year, 88 percent of organizations today have suffered a cyberattack in the past 12 months. As a result of these incidents, more than half suffered a business process disruption and more than a third suffered some sort of financial loss.
It’s a call to action, if there ever was one, that security practitioners need to take their security programs to the next level. Unfortunately, it’s hard to do that when they keep shooting themselves in the feet.
The following are some of the most common ways that security pros sabotage their efforts to raise the bar on infosec.
Leaving Critical Systems Unpatched
The news this month of Equifax’s massive and extremely disconcerting breach of 143 million individuals’ most sensitive financial information offers yet another example of how bad patch practices can bite an organization in the rear. The root cause of this most recent incident was confirmed to be an attack against a server suffering from a well-known and patchable vulnerability in Apache Struts.
Old, unpatched vulnerabilities are the lowest-hanging and most profitable of fruit for attackers today. According to one study earlier this year, as many as 90 percent of recent attacks involved an attempt to exploit vulnerabilities three years or older.
Tolerating Flat Network Topologies
Honestly, bad patching and other poor hygiene doesn’t even have to occur in very critical systems to have a huge impact on risk if organizations fail to properly segment their networks. The bad news is that many security practitioners don’t see proper segmentation of network assets as a high priority and flat network topologies still proliferate in every size organization.
According to one survey by firewall management firm Firemon earlier this year, only about 41 percent of organizations see microsegmentation as a concern for them.
The thing is that not only does segmentation limit the kind of lateral movement that an attacker can do to get from low-value systems to high-value data, it also has a ton of other benefits.
“Micro segmentation (sic) segregates the network in a manner that provides rapid incident response, simplified compliance, and greater visibility through continuous monitoring,” wrote Brandon Peterson in a SANS report last year.
Letting Default Passwords Linger in IT Infrastructure
Enterprises essentially roll out the welcome mat for the bad guys when they leave components of their IT infrastructure littered with default passwords. And yet it is an extremely common practice. According to one survey, as many as one in five organizations have never changed their default passwords on privileged accounts.
Be they used in servers, network hardware or privileged accounts in sensitive software, default credentials are very easy to look up online and most attackers today have automated means of scanning for systems using them.
The recent rash of ransom attacks this year on online-facing database servers offers an example of how quickly an automated attack against this kind of poorly guarded infrastructure can spread. Beginning in January and repeated again throughout the year, the attacks quickly escalated from a few limited incidents to the compromise of tens of thousands of servers within a week. And the sole means of attack was going after those servers that used default credentials.
Failing to Effectively Prioritize Actions Based on Business Risk
Whether managing vulnerabilities or responding to a mountain of unfiltered alerts, security practitioners perennially suffer from having too much to do and not enough time to do it. While it might feel heroic to take a cowboy approach of constantly flying by the seat of one’s pants with frantic effort at every new crisis, that’s no way to manage risk. All too often organizations chase the latest threat trends, the latest technology or the latest zero-day without ever figuring out how much their actions will address the biggest risks to the business.
If practitioners really want to make a difference, they need to be able to effectively prioritize their actions. Now, a lot of that does start at the top—it’s the CISO’s responsibility to identify business risks and come up with strategic plans to go after the most critical areas. But that doesn’t mean it can’t also come from the grass roots. For practitioners on the ground, it starts with being methodical about practices. Unfortunately, according to the “Cisco 2017 Annual Cybersecurity Report,” only about half of organizations review and improve their security practices regularly, formally and strategically over time.
Consider, for example, that in one major survey 75 percent of respondents say they have no formal cybersecurity incident response plan. And another survey showed that one in three practitioners admit that they either don’t know how they prioritize vulnerabilities for mitigation or they prioritize solely based on the CVSS score of the flaw, with no context about the asset classification or the threat intelligence that shows how frequently attackers are hitting these flaws. From top to bottom and bottom to top, everyone has a responsibility to track actions to business risk.
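To show what the CVSS-only habit costs, here is an added illustration (not from the article or any survey it cites) of ranking the same findings two ways: by CVSS base score alone, and by a risk score that also folds in asset classification and threat intelligence about active exploitation. The weights, host names and CVE identifiers are constructed placeholders.

```python
# Context-aware vulnerability prioritization versus CVSS-only ranking.
# Added example; weights and sample findings are constructed, not from any survey.
from dataclasses import dataclass

# Assumed asset-classification tiers mapped to a business-impact multiplier.
ASSET_WEIGHT = {"crown_jewel": 3.0, "business_critical": 2.0, "standard": 1.0, "lab": 0.5}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float              # CVSS base score, 0-10
    asset_class: str         # one of the ASSET_WEIGHT keys
    exploited_in_wild: bool  # threat intel: attackers are actively hitting this flaw
    age_years: float         # time since a patch became available
    internet_facing: bool    # reachable without an existing foothold


def risk_score(f: Finding) -> float:
    """CVSS says how bad the bug is; the other factors say how likely it is
    to be exploited against us and how much that would cost the business."""
    score = f.cvss * ASSET_WEIGHT[f.asset_class]
    if f.exploited_in_wild:
        score *= 2.0   # known exploitation outweighs theoretical severity
    if f.internet_facing:
        score *= 1.5   # no lateral movement needed to reach it
    if f.age_years >= 3:
        score *= 1.2   # old, well-known flaws are the cheapest to exploit
    return score


def rank_by_cvss(findings):
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_risk(findings):
    return [f.cve for f in sorted(findings, key=lambda f: -risk_score(f))]


# Constructed sample findings; CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("lab-vm-7", "CVE-0000-0001", 9.8, "lab", False, 0.2, False),
    Finding("web-01", "CVE-0000-0002", 7.5, "crown_jewel", True, 3.5, True),
    Finding("hr-db", "CVE-0000-0003", 8.1, "business_critical", False, 1.0, False),
]

if __name__ == "__main__":
    print("CVSS only :", rank_by_cvss(SAMPLE))
    print("Risk-based:", rank_by_risk(SAMPLE))
```

The CVSS-only list puts the 9.8 on a lab VM first; the risk-based list inverts the order and puts the actively exploited, internet-facing flaw on a crown-jewel host at the top.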
Working in a Vacuum
Of course, it’s pretty hard to prioritize business risks without finding out what matters to line-of-business leaders and end users. One of the biggest acts of self-sabotage security practitioners commit on a daily basis is working on security in a vacuum without engaging with the rest of the business.
This is crucial from both a give and a take perspective. Not only do security practitioners need to be talking to executives and employees about business risks so they can tailor security activity accordingly, but they also need to be engaging so that these stakeholders take responsibility for security in their daily lives. After all, phishing still remains the No. 1 way organizations get owned today. The sad fact is that only about 28 percent of security practitioners today say they effectively communicate cyber-risk strategy and objectives to employees, and just 8 percent say they’ve embedded cyber-risk management within their company culture, according to Willis Towers Watson.
Working Without an Accurate List of Assets
When security practitioners don’t know exactly what it is they need to protect, everything else is a moot point. And yet, many organizations today fly blind when it comes to asset discovery and classification. When security practitioners fail to enumerate and categorize infrastructure, endpoints, and data important to the business, they make it possible for crucial assets to fall through the cracks. These are the assets that remain unpatched and unprotected and they’re the ones attackers are likely to either steal or leverage to gain a foothold into the network.
According to one survey, only about 31 percent of organizations today understand what comprises their crown jewels in terms of digital assets.
Establishing Time-Consuming Manual Processes
We’ve already discussed the issue of too much to do and not enough time. Risk prioritization is crucial, but equally important is not wasting time on manual tasks. Survey after survey warns about the IT security skills gap, but, flipped on its head, the problem could just as easily be described as a cybersecurity automation gap.
Too many of today’s security tasks remain manual and time-consuming. Last year, one survey showed that just 15 percent of security practitioners would say that their security processes are highly automated. About half of them said they had some automation in place, but not nearly enough. And approximately a third of them reported they used little to no automation. Considering the rapid pace at which attackers are automating their activity, security pros failing to automate are essentially bringing a knife to a gun fight.