
Foundational controls: The key to defending against cyberattacks

Image credit: Shutterstock/GlebStock

Cyberattacks are, without a doubt, one of the biggest threats organisations face today. New attack techniques emerge on a daily basis, and a recent piece of research from Beaming revealed that 52 per cent of UK businesses were hit by some form of cyberattack in 2016, which resulted in the loss of over £29 billion.

Cyberattacks are rife, and with hackers motivated by a plethora of reasons, from money to politics, every organisation is a target.

In the face of the immense growth of cyberattacks, it is now imperative that organisations have a good understanding of today’s threatscape and deploy the correct security controls to ensure their digital assets are comprehensively protected. However, because attack techniques change so quickly, doing so is often more challenging than it seems.

The latest tools in a cyber criminal’s arsenal

In recent years cybercrime has grown into a billion-pound industry. Cybercriminals follow the money, and with so much valuable information now being hosted on the web there’s plenty of opportunity for profit. In order to be successful, however, criminals need to be innovative. They must constantly develop new attack techniques and altered malware variants to avoid detection from security products.
With attackers working at this pace, organisations are under pressure to keep up, and ensure they are continually protected as attack tools evolve. In this year alone, we have witnessed a huge number of seemingly novel techniques, including sophisticated new pieces of malware, and ransomware variants like Petya and WannaCry. Organisations need to ensure they are protected against them all, which can be a major challenge. IT teams are often left confused, unsure if their current solutions protect against specific threats or whether they need to purchase expensive new products. In fact, a recent study from Tripwire revealed that 46 per cent of organisations have purchased security tools that failed to meet their organisation’s needs.

In addition to the challenge of keeping up with known tools, hacking techniques develop at such a high speed that it is hard to predict what cybercriminals have up their sleeves next, so there is no way an organisation can guarantee 100 per cent protection. The same Tripwire study also revealed that 75 per cent of organisations do not believe that buying every security tool available on the market would enable them to fully protect their organisations, indicating that information security professionals are aware of this reality. The findings also suggested that the larger the company, the less confident employees are about cybersecurity tools fully protecting their organisations. For organisations with fewer than 1,000 employees, only 32 per cent felt they would be fully protected if they had invested in all the available security tools. This figure decreased to 19 per cent in businesses with 1,000 to 5,000 employees, and dropped even further to 15 per cent in businesses with more than 5,000 employees.

These findings highlight just how confused many organisations are today about the steps they need to take to protect against new and evolving attack techniques. Do they buy new solutions or try to make use of what they already have? And, more importantly, if all the security solutions available today can’t provide 100 per cent protection, how can they operate their businesses safely?

Back to basics – The importance of foundational controls

It’s common in information security to look at the most recent innovative attack in the news and imagine that you need a shiny new tool to deal with it. However, that’s not usually the case. Very often, the biggest bang for the security buck lies in making sure foundational security controls are in place. The fundamentals of finding and patching vulnerabilities, making sure systems are securely configured, and monitoring your systems for change go a long way in maintaining a strong security posture.

The benefits of strong foundational controls are supported by clear evidence. Recent events have shown that basic security controls can effectively protect organisations, even without the help of some of the latest tools on the market. The scale of attacks such as Heartbleed, WannaCry, and now Petya has been attributed to organisations using outdated and unpatched systems, rather than to a lack of artificial intelligence, big data, or the next ‘next generation’ defensive tool. These high-profile attacks have highlighted that paying attention to basic security hygiene and ensuring foundational controls are in place can effectively fend off damaging attacks.

Despite cybercriminals developing new attack tools on a daily basis, the core techniques used for compromise are most effectively addressed with foundational controls. Cybercriminals always need an initial entry point for their attacks to be effective. If an organisation stays up to date with patching against the latest vulnerabilities, hardens its systems, and has properly trained its staff about the dangers of phishing emails and ransomware, it lessens its attack surface. Key steps that organisations can take to ensure a strong foundation of security include:

1. Know Your Attack Surface

Organisations should make sure they have visibility into the devices and software they have on their networks. Are there unauthorised devices on your network? Is there unauthorised or unmanaged software throughout the network, bringing risk into your environment? You have to know your environment in order to protect it effectively.

2. Minimise Your Attack Surface

Now that you know what’s on your network, make sure that all those devices, applications and operating systems are configured properly and securely. This control is about configuring your systems to a defined ideal and secure state (following cybersecurity best practices and your organisation’s own policies). This is often called “hardening” your systems, and doing so shrinks your attack surface. You can never entirely eliminate an attack surface, but you can get it to—and keep it at—a more secure level.

3. Monitor Your Attack Surface

Now you want to keep an eye on your systems for any changes and new risks. This includes checking for and fixing vulnerabilities, making sure secure configurations are maintained, managing administrative privileges, and paying attention to log data. Organisations should be able to scan for vulnerabilities and prioritise the most critical and relevant results to address. Again, many successful breaches have been attributed to organisations failing to patch or mitigate known vulnerabilities. Misconfiguration is also a prevalent entry point for attackers. After hardening your systems (as discussed above), you need to monitor them for any changes and ensure configurations stay in a secure state. Lastly, keeping track of administrative privileges and log activity will help you identify and investigate suspicious activity.
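The third step, monitoring a hardened system for drift from its secure state, is illustrated below with an added example that is not part of the original article and is not Tripwire’s product code. It records a baseline of file hashes and permission bits for a constructed sample configuration directory, detects added, removed and changed files, and flags files whose permissions violate an assumed hardening policy (no group- or world-writable configuration files).

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record the SHA-256 digest and permission bits of every regular file under root."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = stat.S_IMODE(path.stat().st_mode)
            state[str(path.relative_to(root))] = (digest, mode)
    return state


def detect_drift(baseline, current):
    """Compare a baseline snapshot with a later one; report added, removed and changed files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def policy_violations(state):
    """Assumed hardening policy: configuration files must not be group- or world-writable."""
    return sorted(p for p, (_, mode) in state.items() if mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Constructed sample: a tiny configuration directory built in a temporary folder."""
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root)
        (cfg / "sshd_config").write_text("PermitRootLogin no\n")
        (cfg / "sshd_config").chmod(0o600)
        (cfg / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (cfg / "sudoers").chmod(0o440)
        baseline = snapshot(root)  # the known-good, hardened state

        # Simulated drift: a weakened setting, loosened permissions, and an unmanaged new file
        (cfg / "sshd_config").write_text("PermitRootLogin yes\n")
        (cfg / "sudoers").chmod(0o666)
        (cfg / "unmanaged.conf").write_text("# not part of the baseline\n")
        (cfg / "unmanaged.conf").chmod(0o644)
        current = snapshot(root)
        return detect_drift(baseline, current), policy_violations(current)
```

Each drift report and policy violation is the kind of change that should trigger investigation, since the baseline represents the state that was verified secure during hardening.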

Cybercrime is a key threat that organisations face today, and hackers are constantly developing new and innovative ways to launch attacks. However, in order to stay ahead in the game, organisations do not necessarily need to buy every new security product that comes on the market. Sometimes getting back to basics is the most important step. Foundational controls deal with the breadth necessary to manage risk in a changing landscape. New controls may become foundational over time, but the old ones largely remain core to successful risk management. Anytime there’s a new threat to deal with, rather than using it as a means to acquire new shiny objects, organisations should consider how it might be used to drive excellence in the foundational controls they already have today.

Tim Erlin, VP of Product Management & Strategy, Tripwire

Tim Erlin is VP of Product Management & Strategy at Tripwire. Erlin's background as a Sales Engineer has provided a solid grounding in the realities of the market, allowing him to be an effective leader and product manager across a variety of products. His career in information technology began with project management, customer service, as well as systems and network administration. He is also an active voice in the information security community.