Speaking at the recent CyberUK conference in Manchester, Dave Hogue, senior technical director of the Cybersecurity Threat Operations Center at the NSA, flatly stated:
We have sophisticated adversaries using unsophisticated means to cause great damage. In fact, I’ll tell you as the overseer of NSA’s operational teams, we have not responded to a zero-day in over 24 months. Adversaries are getting into networks using non-technical means, taking advantage of hardware and software technologies that are not compliant with the latest offerings, and taking advantage of bad security practices such as solutions that are no longer vendor-supported.
Sticking to the Basics
I can attest that I see these kinds of well-known and preventable vulnerabilities all the time in my work performing network vulnerability assessments, penetration tests, simulated social engineering attacks, and so on.
Hogue further stated that thorough and consistent implementation of basic controls like application whitelisting, two-factor authentication and role-based access would go a long way towards thwarting these persistent but commonplace attacks by making it “…costly for the adversary to operate.”
Is Data Breach Fatigue to Blame?
Why does it seem like we’re failing to make progress towards getting the basics right? One idea is that we’ve become victims of “data breach fatigue”—attacks are now so commonplace that as individuals we’re numb to the threat.
Organizations, too, seem to increasingly view the expense and temporary reputational damage as just another cost of doing business. Indeed, 49% of the companies that suffer a “significant” cyber-attack are breached again within a year—often via a similar attack vector—according to Mandiant’s M-Trends 2018 report. Whether this is the result of complacency, a lack of resources to identify and remediate vulnerabilities, or both, is hard to say.
A related problem may be that those responsible for security are having trouble “seeing the forest through the trees;” that is, correctly assessing risks, identifying vulnerabilities and executing a holistic mitigation plan. For example, scarce resources may be non-optimally utilized on more security technology, adding to admin complexity but still failing to address basic issues like patch management, access control and security awareness training for staff.
Choose a Holistic Approach to Cyber Security
At Pivot Point Security, our expertise is broad as well as deep. While many of our engagements are more limited in scope, we look to partner with clients to efficiently and effectively identify, manage and reduce their actual cyber risk.
Time and again we’ve seen how a holistic approach that covers the basics enables our clients to be demonstrably more secure and resilient. To schedule a no-obligation conversation with an expert about your information security concerns and goals, contact us.