The five statements below are the causes behind a lot of computer security risk and exploits. If you understand them well enough today, you will be ahead of your peers.
1. Every company is hacked
When the world hears about the latest big breach, people probably think that the company involved must be bad at computer security. The next time a big hack occurs that results in millions of customer records stolen or millions of dollars in losses, what you should think is “Every company is hacked. This is just the one the media is talking about today.”
Every company is completely and utterly owned by a nefarious hacker or easily could be. That’s just a fact. I’m not including top secret military installations that don’t have Internet and require that their hard drives be placed in a locked safe at the end of every day. I’m talking about the average corporate company or small business.
I’ve never consulted at a company (and I’ve consulted at hundreds) where I didn’t find at least one hacker hidden somewhere when asked to do so. In most cases, especially over the last decade, I found multiple groups that had been in for years. My personal record was eight different hacking groups, with some in as long as ten years.
That one was interesting because one of the reasons they called me was that a software patch that they didn’t want applied was applying no matter what they did. The hacker groups were tired of waiting for the victim company to make its environment more secure, because more and more hacking groups kept breaking in. It’s a problem when the hackers are more security conscious than you are.
As a part-time penetration tester, I’ve often been asked to break into companies (after getting legitimate authority). It’s never taken me more than an hour to do so, except for one company that took me three hours, and then only because they had already followed my advice after my previous paid break in. I’m only an average penetration tester. The people I admire get in even faster. I’m not even including all the world’s nation-states, which are sitting on tons of zero days.
The world’s computers are very poorly secured. You don’t need zero day exploits. You just need to look around a bit to find an easy weakness. Most companies aren’t doing nearly enough to secure their computers. Most talk a good game, but when it comes to really doing what’s needed to keep good hackers out (e.g., perfect patching, application control programs, and no Internet), they aren’t willing to do what needs to be done–at least not yet.
2. Most companies don’t know the way they are successfully attacked the most
This is something I’ve only learned, and tested, in the last five years. I’ve yet to meet an IT security employee who can tell me the number one way their company is exploited the most on a routine basis. Well, that’s not fair. Five to 20 percent of the employees guess the right answer, but can’t point to any data to back up the claim. That means 80 percent at best of the IT security staff thinks it’s something else. The rest of IT and the rest of the company is clueless. If most of the company doesn’t agree on what the biggest threat is, how can they effectively fight it?
The data to show the biggest threat is non-existent. You would think after spending millions of dollars to collect bazillions of events into fancy event log management systems that this question would be the easiest to answer. It’s not. It might never be, especially if you aren’t even asking the question.
3. A criticality gulf exists between real and perceived threats
There is a huge gulf between your biggest potential threats and your biggest actual exploits. Security defenders who understand the difference are worth their weight in gold. Each year 5,000 to 7,000 different new exploits appear. (This has been fairly consistent for over a decade.) One-fourth to one-third of them are marked with the highest criticality. This means when you run vulnerability scanning software or look at a patch management report, you’ll always have a ton of “top priority” things to fix. You can’t concentrate and fix more than a few things at once. So, if your report has 20 number-one priorities you need to correct, what do you do?
Start by fixing the critical things that are causing the most damage in your environment today, followed by the most likely culprits after that. It could be that the top culprits aren’t even the highest ranked vulnerabilities. Doesn’t matter. Criticality rankings are done on potential to do harm. Real harm, and most likely future harm, trumps guesses. Understanding this lesson should change a lot of what you do as a computer security defender.
4. Firewalls and antivirus software aren’t that important
Most of today’s threats are client-side threats, initiated by the end-user. This means they are already past all the firewalls (e.g., network or host) that were put in their way to prevent them from reaching the user’s desktop. Once a threat is there, firewalls provide very little value.
A traditional firewall’s main value is preventing an unauthorized connection attempt to an existing vulnerable service. If your service isn’t vulnerable, then a firewall probably isn’t providing a lot of value. This is not to say that they don’t provide any value. They can and do, especially intelligent, deep-packet inspecting firewalls. It’s just that most threats aren’t the things they stop anymore, so the big value they used to provide just isn’t there.
Antivirus software isn’t valuable because it’s very difficult for any AV product to be 100 percent effective against all the newly emerging malware. Anytime you see a “100 percent” rating, don’t believe it. Those tests are conducted under controlled conditions where the malware is not getting updated nearly as much as in the real world. In the real world, the first malware program you are likely to encounter is simply a downloader that downloads brand new malware programs, updated to bypass all AV software.
5. Two problems are almost 100 percent of the risk
It’s been true for over a decade that the two most likely reasons you will get exploited is due to unpatched software or a social engineering event where someone is tricked into installing something they shouldn’t. These two issues account for nearly 100 percent of the risk. It would be a stretch to claim every other exploit type in the world, added together, would account for 1 percent of the risk. Put another way, if you don’t fix the two top problems, then the rest do not matter. A single unpatched software program has at times accounted for over 90 percent of the web-based exploits. Social engineering gobbles up most of the rest. Make sure you concentrate on the right problems.