A CISO’s face might turn a ghostly white when hearing “Zero Day Exploit,” out of fear that the network is about to be (or already has been) compromised. But while the security team is battening the cyber hatches in anticipation of a DEFCON 1 level attack, it often neglects basic IT hygiene, leaving the organisation exposed to simple, unsophisticated attacks and to lateral movement within the environment. In fact, according to Gartner, “By 2025, more than 85 per cent of successful attacks against modern enterprise user endpoints will exploit configuration and user errors, rather than make use of advanced malware.”
Cyber-physician, heal thyself
Zero Day exploits are employed much less frequently than they were a few years ago. For example, the 2019 Verizon Data Breach Investigation Report (DBIR) only identifies a handful of notable cases throughout the entirety of 2018. Most cyberattacks are surprisingly unsophisticated – so simple, in fact, that the NSA reports 93 per cent of them could be prevented just by incorporating basic best practices. Hackers no longer need to put in the time-consuming effort necessary to construct elaborate new attacks, because they know they can sneak through companies’ defences just by taking advantage of poor IT hygiene. Even the SingHealth data breach, Singapore's largest cyber-incident, could have been prevented if fundamental steps like routine risk assessments and improving cyber awareness had been implemented.
Some of these errors are very easily rectifiable, including:
- Leaving default login credentials in place, whether because employees never changed them or because IT failed to set new credentials on every computer, router and IoT device on the network
- Failing to regularly patch operating systems, applications, firmware and drivers
- Failing to encrypt sensitive files properly, or allowing employees to access them from personal devices and home networks
- Neglecting to conduct regular security audits or to educate non-IT personnel on proper cyber hygiene
You may think these simple mistakes won’t hit you as hard as a Zero Day. But this is an incorrect assumption: IT mistakes enable the attackers to move laterally and silently in the environment until they are able to compromise their targets. And if you fail to notice one, what’s stopping more from slipping through?
Let me illustrate just how harmful one of these basic attacks can be. If an untrained employee mistakenly opens a phishing email and hands over access to their account or machine, the attacker is free to inject malicious code into legitimate office files and send them onward. Since these infected files would then arrive from the user’s genuine email account (rather than a spoofed version), other users are far more likely to open them, spreading the malware from workstation to workstation. Worse still, if the malware turned out to be ransomware, the enterprise would grind to a screeching halt until the CEO decided to pay or IT could recover, typically by restoring from backups. The idea that you could be out millions of dollars simply because you forgot to teach your employees common cyber-sense should make you think twice about how secure your network really is.
The little things add up
Why are enterprises so worried about giving up a grand slam when they’re constantly letting singles and doubles through their cyber-infield? After all, just like in baseball, the little hits add up and are much more common than the base-clearing home run.
As reported in the 2019 Verizon DBIR, 33 per cent of breaches were caused by easily avoided social attacks, 21 per cent by human error, and 15 per cent by misuse of credentials by an authorised user. But who or what is to blame for these numbers? The cyber skills gap? Lack of funding? Overconfident CEOs who think, “This won’t happen to our company”? More importantly, what is the solution?
Some decision makers think the best idea is to allocate their entire budget to one of the big-name vendors that claim they do it all. Putting all of your eggs in one basket is not a smart idea, especially when some of these vendors have just been breached themselves. Plus, attackers regularly use techniques that fool cyberdefences by mimicking legitimate tools and real user behaviour.
How can enterprises protect themselves?
So how exactly can a company improve its IT hygiene and, as a result, its security posture? Well, there are some easy-to-implement measures that should be taken care of right off the bat, like patching frequently, employing two-factor authentication, and properly educating employees on the importance of strong passwords. It’s also important that your cybersecurity plan be customisable and adaptable. It’s necessary to plan for the specific events your company is more likely to face, not just generic ones. For example, if you’re in the medical field, you are more likely to face a ransomware threat than a DDoS attack.
There are also some more advanced methods that take a bit more time and effort. One is to reduce the attack surface. This is done by implementing a zero-trust security model and least-privilege access restrictions. Think of it as a bouncer at an exclusive club; he’s going to make sure you’re on the guest list every single time before letting you in. Cybersecurity should be no different. Verify access for everyone, every time they request it, rather than trusting anyone simply because they are already inside the network.
It’s also a good idea to regularly audit and test your network against threats. It’s important to constantly make sure your cybersecurity is up to snuff and your critical assets are secure. Penetration testing and breach and attack simulation (BAS) tools are useful for this, as they stack your defences against not only the latest threats, but older, more common attacks as well. If your defences can’t handle these “practice” exercises, you know it’s time to change up your game plan before the real thing strikes.
Continuously preparing yourself for the possibility of a Zero Day attack while not making sure your security posture is free of gaps and vulnerabilities is like worrying about being struck by lightning but not tying your shoes or washing your hands. There’s a very slim chance a bolt of electricity will strike you down from the heavens, but you’re always at risk for tripping or catching a cold. Make sure you’re taking care of the things you can control, and then you can worry about those rare Zero Days.
Maya Schirmann, CMO, XM Cyber