Assume your business is going to get hacked — because statistics and human nature say it will. The question is, how will you know, and what will you do to limit the damage?
Even a quick look at the recent Black Hat 2018 Hacker Survey Report and the 2018 Study on Global Megatrends in Cybersecurity — and a long talk with Terry Bradley, chief technology officer at PLEX Solutions in Colorado Springs — show detection and mitigation are more critical than ever.
Businesses really need to come to grips with the inevitability of being attacked, Bradley said, and prepare accordingly.
Awareness and prevention efforts are not enough. What’s needed is a major push on rapid detection and response.
“There’s a lot of time spent on prevention, trying to figure out how we can stop attacks from happening,” Bradley said. “And we should put those preventive measures in place … but we know prevention is never 100 percent effective. Organizations also need to do more in detection: monitoring the network for bad activity, and training the users to know when they’ve been had.”
Bradley draws an analogy with bank robberies.
“We do all kinds of things to prevent banks from being robbed, and yet every day in the U.S. some bank is being robbed,” he said. “But what we have done in the bank robbery arena is we’ve gotten really good at detecting when banks have been robbed and responding to them.
“So we don’t continue to pour money into prevention [alone]. We do the typical things that banks do to prevent robberies — but then we also install a siren and alarms and closed-circuit television cameras to detect when a robbery is taking place and [speed up] the police response, and we put dye packs in the money bags and things like that, to spread out our defense.
“We’re really no better at preventing bank robberies in the 21st century than we were in the 1800s but we’re a lot better at responding to them, and there’s a pretty low probability you’re going to rob a bank and get away with all the money.”
And that, Bradley says, is where we are with cyberspace.
“For the last 10 to 15 years we’ve been looking for some technology or ‘cure’ that’s going to prevent hacking from taking place,” he said, “but the reality is human nature’s never going to allow that to happen. There’s always somebody who wants what you have and they’re going to come up with new and innovative ways to get it.”
People like to talk about layered defense or defense in depth, he explained, but “a lot of times we don’t know where to put those defensive layers — and the bad guys just bypass all of them.
“That’s why the detection is so important. … If our defenses fail, how would we know? What would that look like? Would we see network traffic going out of the network? Would we see logins from unexpected places? Would we see some sort of unusual pattern? Defense in depth is good, but we also need to recognize that your defense and protections always fail, at some point.”
Insights from the Black Hat 2018 Hacker Survey Report bring that home.
“Even though Microsoft has invested heavily to improve its cyber security, 50% of hackers say they easily compromised both Windows 10 and Windows 8 within the past year,” the report said, noting social engineering is still the most common method hackers use to breach systems.
More than 56 percent of respondents in the survey said social engineering — usually phishing — is the fastest way for them to break into a network to access privileged accounts.
The other cybersecurity misstep hackers love to see: people reusing passwords.
“Hackers confirmed that 50 percent of their exploits have uncovered employees reusing passwords that have already been exposed in other data breaches, giving hackers an easy way onto the network,” the report said.
“Knowing your user accounts will likely be compromised at some point,” the Black Hat report said, “you need to implement a ‘zero-trust’ security posture emphasizing least privilege to limit overprivileged accounts that give hackers wide and undetected access.”
The 2018 Study on Global Megatrends in Cybersecurity also has a couple of hard truths on the likelihood of being hacked. Conducted by the Ponemon Institute, the survey of 1,100 senior information technology practitioners from the United States, Europe and the Middle East/North Africa region found IT security practitioners are more pessimistic than ever about their ability to protect their organizations from cyber threats.
Among those surveyed, 54 percent expected their cybersecurity posture in the coming year to stay the same (35 percent) or decline (19 percent). And they see unsecured Internet of Things devices as a major threat, with 82 percent predicting they’ll likely cause a data breach in their organizations, and 80 percent saying such a breach could be catastrophic.
IBM’s 2018 Cost of a Data Breach study found that the average total cost of a data breach, the average cost for each lost or stolen record, and the average size of data breaches have all increased this year, making early detection and mitigation even more critical.
• The average total cost of a breach rose from $3.62 million to $3.86 million.
• The average global probability of a material breach (that is, a breach that involves at least 1,000 lost or stolen records containing personal information) in the next 24 months is 27.9 percent, up from 27.7 percent last year.
• The average cost for each lost record rose from $141 to $148.
The study also looked at the relationship between how quickly a business can identify and contain a data breach, and the financial consequences. It found:
• The mean time to identify a breach was 197 days.
• The mean time to contain a breach was 69 days.
• Companies that contained a breach in less than 30 days saved more than $1 million compared with those that took more than 30 days to resolve a breach.
“One of the things I try to impress upon people is this is happening to everyone,” Bradley said. “There’s a tendency for smaller organizations to think they’re too small to be noticed on the internet and that’s really not the case. If they have a presence on the internet — meaning they’re connected — the hackers of the world are going to find that network. You think of burglars walking down a row of houses and just turning every doorknob to find the one that’s unlocked — those small businesses will be found.
“So they need to prepare for this and they need to take it seriously, because they’re probably some of the biggest targets, having so little in the way of security and defense.”