Digital transformation and the evolving threat landscape are having a significant impact on IT teams. Network professionals who were once masters of their IT domains are now being stretched to the breaking point with the adoption of multicloud infrastructures and services, the burgeoning addition of IoT networks and devices, BYOD, mobile workers and shadow IT. As a result, a seemingly nonstop array of device, application, and network vulnerabilities—targeted by increasingly automated attacks—has become today’s new normal. So while IT teams are being forced to remain vigilant for new threats in the wild, it’s becoming increasingly impossible for them to not to lose sight of what’s happening within their own environments.
Today, network and device hygiene are perhaps the most neglected elements of security. However, good cyber hygiene is still a fundamental best practice, and key to ensuring that your organization’s network is kept secure. But it can be hard to prioritize. This article will review where to start and what the most important steps are to take.
A Look at the Landscape
Fortinet’s latest Global Threat Landscape Report reveals that long-known and yet still-unpatched vulnerabilities serve as the primary gateway for attacks time and time again. This trend simply emphasizes that while remaining vigilant for new threats and vulnerabilities in the wild is critical, organizations also need to keep sight of what is happening within their own environment.
The report shows that high botnet recurrence rates, for example, are the result of cybercriminals leveraging common exploits combined with automated attack methods at unprecedented speed and scale. 79 percent of surveyed firms saw severe attacks in Q3 2017, and 185 zero-day vulnerabilities were identified. In addition, 5,973 unique exploits, 14,904 unique malware variants from 2,646 different malware families, and 245 unique botnets were detected by the FortiGuard Labs team.
In light of these growing and increasingly evolved threats, good cyber hygiene, such as having a good vulnerability and patch management process, is more important than ever. Unfortunately, in many environments it is simply not possible to patch everything. Which is why you have to prioritize those vulnerabilities that would have the largest impact on your organization.
One method for prioritizing is to understand what vulnerabilities are most likely to be targeted. Knowing the kinds of vulnerabilities attackers probe for the most can be helpful in determining which assets deserve prioritized patching efforts. Effective IT teams use cybersecurity reports to do just that. Such information helps you ask pointed and important questions such as, “Have we seen these alerts?” and, “Do our scans detect these vulnerabilities?”
Next, identify any technology control that you’re using to protect your cyber assets and make managing the vulnerabilities on those controls a top priority.
Another way to prioritize is to understand that successful attacks have a higher probability of recurring. Whenever a breach makes the news, for instance, you need look at its attack vectors and check to see if you have that same exposure in your environment. If so, make it a priority to reduce that exposure or eliminate it altogether.
Best Practices: Stamping Out Botnets
The Q3 2017 report also revealed that many organizations experienced the same botnet infection multiple times. Either the organizations did not thoroughly understand the scope of the breach and the botnet went dormant only to re-assert itself after normal business operations resumed or the root cause was never found and the organization was re-infected with the same malware.
Before a botnet infection occurs, make sure to have documented procedures in place on how to detect, analyze, respond to and recover from a threat. Specifically, in the case of recurring botnet infections, you need to fully understand all systems that were infected to ensure the thoroughness of the remediation as well as finding patient zero. Once you have patient zero, conduct forensic analysis to determine how the threat got in there in the first place. Having this information will help ensure the same breach does not happen again, and can also help in determining the full scope of the breach and how the threat may have moved laterally to infect other machines.
In addition, take time to review known and especially emerging vulnerabilities and then identify where you are actually at risk for exposure from them.
Best Practices: Performing a Risk Assessment
To really get ahead of vulnerabilities, find out in advance where you need to strengthen your defenses by conducting a risk assessment. The goal of a risk assessment, according to ISACA, is to understand your existing system and environment and identify risks through analysis of the information/data collected.
NIST’s recent Criticality Analysis Process Model describes “a structured method of prioritizing programs, systems and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals.”
ISACA offers practical tips for beginning an enterprise security risk assessment. It starts with gathering all relevant information. The association then provides examples of the types of information that are often collected:
- Security requirements and objectives
- System or network architecture and infrastructure, such as a network diagram showing how assets are configured and interconnected
- Information available to the public or accessible from the organization’s web site
- Physical assets, such as hardware, including those in the data center, network, and communication components and peripherals (e.g., desktop, laptop, PDAs)
- Operating systems, such as PC and server operating systems, along with network management systems
- Data repositories, such as database management systems and files
- A listing of all applications along with version controls
- Network details, such as supported protocols and network services offered
- Security systems in use, such as access control mechanisms, change control, antivirus, spam control, and network monitoring
- Security components deployed, such as firewalls and intrusion detection systems
- Processes, such as a business process, computer operation process, network operation process, and application operation process
- Identification and authentication mechanisms
- Government laws and regulations pertaining to minimum security control requirements
- Documented or informal policies, procedures, and guidelines
After this information is gathered, a number of tasks need to be performed. Not every organization will need to do every one of them; the tasks performed will depend on each organization’s assessment scope and user requirements. These tasks include:
- Identifying business needs and changes to requirements that may affect overall IT and security direction.
- Reviewing the adequacy of existing security policies, standards, guidelines, protocols, and procedures.
- Analyzing assets, threats, and vulnerabilities, including their impacts and likelihood.
- Assessing physical protection applied to computing equipment and other network components.
- Conducting technical and procedural reviews and analyzing the network architecture, protocols, and components to ensure that they are implemented according to security policies.
- Reviewing and checking the configuration, implementation and usage of remote access systems, servers, firewalls, and external network connections, including the client Internet connection.
- Reviewing logical access and other authentication mechanisms.
- Reviewing the current level of security awareness and the commitment of staff within the organization.
- Reviewing agreements involving services or products from vendors and contractors.
- Developing practical technical recommendations to address the vulnerabilities identified and thereby reducing the level of security risk.
Combating the New Normal
There is an incredible urgency for organizations to prioritize security hygiene and determine risk ahead of today’s advanced threats. As the volume, velocity, and automation of attacks continues to increase, it is becoming increasingly important to align patching prioritization to what is happening in the wild to better focus on the most critical and emerging risks. A risk assessment of your environments will help you in the battle to combat today’s new normal. Using the best practices outlined above will help you create a flexible security strategy that can adapt and continue to protect even as the threat landscape continues to shift.