Prioritise your Security Controls – Protect, Detect and Remediate (Part 1)

If you would like to read the next part in this article series please go to Prioritise your Security Controls – Protect, Detect and Remediate (Part 2).

In part two of the series we look at Windows Defender Advanced Threat Protection for Windows 10 Enterprise to see how it may assist organisations with the major security challenges that they presently face, noting that detecting and remediating an attack is as important as trying to prevent it.

Introduction

The majority of organisations are experiencing heightened cybercrime activity of great sophistication, and this needs to be addressed. The repercussions of such attacks on an organisation can be extremely damaging and lasting: not only monetary loss but also compliance and legal ramifications, as well as lasting impact on the organisation's reputation.

The organisation's unique environment is likely to be a major determining factor in which security controls should be given highest priority, and this is likely to differ from one organisation to another (retail, health industry, finance, manufacturing etc.), each with its own unique requirements for security.

Environments are becoming more data-driven; many organisations process large volumes of data which hold significant value, and this data is highly sought after in the underground criminal market. Organisations need to realise the value that their data holds and secure their environment with their data in mind.

One way to approach prioritising security controls for the organisation is to consider the potential threats, the environment, the data type and its attributed value. In so doing, an in-depth understanding of which threats have the greatest impact on the environment and the organisation is gauged.

Threat areas that are presently challenging most organisations include crimeware, point-of-sale intrusions, cyber espionage, insider threat, application vulnerabilities, accidental errors, physical theft and loss of hardware/devices, as well as denial of service. If the organisation is one that processes volumes of highly sensitive data (some industries are more challenged with this than others), these threats will have a greater impact on the organisation's security posture and will also impact compliance with regulatory bodies.

Further to securing against various forms of attack, it is important to place focus on the detection and remediation of attacks. Attacks are inevitable and on the rise and this should not be taken lightly (we will cover this in part two of the series and look at Windows Defender Advanced Threat Protection for Windows 10).

Below we briefly consider the major incident types that many organisations are challenged with and contemplate where security controls should be made a priority, with emphasis on prevention and protection.

Prevent and Protect

Where possible, security strategies should be implemented to secure against the forms of attack most likely to impact the organisation. To combat these cyber trends, organisations are relying on intelligence-driven security prevention which operates across diverse environments, including mobile and cloud. Behavioural analytics is also being utilised to improve the security of users and their data.

Major incident types to consider

Presently these 10 major incident types are highlighted, and organisations should prioritise security to protect against them:

1.  Cyber espionage

Usually organisations processing or holding highly sensitive and valuable data are targeted and a loss or compromise of this data for those organisations will be very damaging. With this type of attack, the target is likely to be specifically rather than randomly chosen because of the data they hold. It is usually an endeavour to capture intellectual property.

2.  Crimeware

This involves the use of malware to compromise systems. One commonplace example is phishing attacks. Once the attacker has control of the system they are able to go about capturing information and undertaking other criminal activities for their benefit.

3.  Point-of-sale intrusions

A specific attack aimed at capturing payment information. Organisations that handle card details and payment information hold a highly sensitive form of data and are the natural target of this type of attack.

4.  Insider attacks

Organisations seemingly choose to prioritise securing against outsider threats above insider threats, believing that the outsider is the threat that should be more of a concern. Insider threats should be equally prioritised and protected against. Once an outsider has gained access, the threat may unfold in the same manner an insider threat would. We can't rely solely on physical defence; the threat brought about by people is one that is often linked to human vulnerabilities, and it must be addressed as such.

There is a connection between insider threats and misuse of privileges. Often the primary motive for an attack of this kind is a way for disgruntled employees to seek vengeance or for financial gain.

5.  Misuse of privileges

Most of the time, those employees or identities with the most privileged access rights bring the highest risk. This risk is an insider risk.

The changing ways in which businesses function are making it more challenging to pick up on behavioural inconsistencies, as employees are increasingly working mobile and remotely, outside of the business premises and outside of business operating hours. Thus location and time alone are no longer a guaranteed cause for concern. Additionally, accessing multiple documents and accounts is becoming the norm for employees undertaking their duties.

It is important to abide by the least privilege approach and only give users the privileges that they require to undertake their business function (this is consistently highlighted as the best approach and should not be taken lightly). Limiting the number of privileged users/identities and monitoring those privileged users' identities is a good way to pick up on any suspicious behaviour which may be indicative of an occurring breach.

Identity and Access Management procedures are an effective way to manage this risk, as are tools and services aimed at reducing an organisation's exposure to human error. Note that these defences should work equally well within the organisation and remotely to be effective in a more mobile working environment.
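The two controls recommended in this section, a least-privilege check (privilege used but never granted) and monitoring of privileged identities that does not treat off-hours or remote access alone as decisive, can be expressed as a small piece of detection logic. The following is an added example, not code from the original article or from any product it mentions; the entitlement table, the audit log lines, the business-hours window and the scoring weights are all constructed for illustration.

```python
"""Added example: least-privilege check plus multi-signal scoring of
privileged-account activity over a constructed audit log.
Every account name, entitlement, log line and threshold below is
constructed for illustration and does not come from a real environment."""
from collections import defaultdict
from datetime import datetime

# Constructed least-privilege policy: the privileges each account is granted.
ENTITLEMENTS = {
    "alice": {"hr-read"},
    "bob": {"finance-read", "finance-write"},
    "svc-backup": {"backup-operator"},
}

# Constructed audit log: (timestamp, account, privilege used, source, resource)
AUDIT_LOG = [
    ("2024-03-04T09:12:00", "alice", "hr-read", "office", "payroll-q1.xlsx"),
    ("2024-03-04T22:40:00", "bob", "finance-write", "remote", "ledger.db"),
    ("2024-03-04T22:41:00", "bob", "finance-read", "remote", "ledger.db"),
    ("2024-03-04T22:45:00", "bob", "domain-admin", "remote", "dc01"),
    ("2024-03-04T22:46:00", "bob", "domain-admin", "remote", "dc02"),
    ("2024-03-04T22:47:00", "bob", "finance-read", "remote", "vendors.csv"),
    ("2024-03-04T22:48:00", "bob", "finance-read", "remote", "salaries.csv"),
    ("2024-03-05T03:10:00", "svc-backup", "backup-operator", "office", "fileshare"),
    ("2024-03-05T21:30:00", "alice", "hr-read", "remote", "handbook.pdf"),
]

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as in-hours (assumed)
RESOURCE_BURST = 4             # distinct resources before volume counts (assumed)
ALERT_THRESHOLD = 4            # score at which an account is flagged (assumed)

# Weights: a single weak signal (time or place) cannot reach the threshold
# on its own; an unentitled privilege use or a burst of resources can tip it.
WEIGHTS = {"off_hours": 1, "remote": 1, "unentitled": 3, "burst": 2}


def is_off_hours(timestamp):
    """True when the event falls outside the assumed business-hours window."""
    return datetime.fromisoformat(timestamp).hour not in BUSINESS_HOURS


def unentitled_events(log, entitlements):
    """Least-privilege check: events where the privilege used was never granted."""
    return [e for e in log if e[2] not in entitlements.get(e[1], set())]


def score_accounts(log, entitlements):
    """Return per-account signal flags and a combined score, so an analyst can
    see *why* an account scored rather than only that it did."""
    signals = defaultdict(lambda: {"off_hours": False, "remote": False,
                                   "unentitled": 0, "burst": False})
    resources = defaultdict(set)
    for ts, account, privilege, source, resource in log:
        s = signals[account]
        resources[account].add(resource)
        s["off_hours"] |= is_off_hours(ts)
        s["remote"] |= source == "remote"
        if privilege not in entitlements.get(account, set()):
            s["unentitled"] += 1
    result = {}
    for account, s in signals.items():
        s["burst"] = len(resources[account]) >= RESOURCE_BURST
        s["score"] = (WEIGHTS["off_hours"] * s["off_hours"]
                      + WEIGHTS["remote"] * s["remote"]
                      + WEIGHTS["unentitled"] * s["unentitled"]
                      + WEIGHTS["burst"] * s["burst"])
        result[account] = s
    return result


def flagged_accounts(log, entitlements, threshold=ALERT_THRESHOLD):
    """Accounts whose combined score reaches the alert threshold."""
    scores = score_accounts(log, entitlements)
    return sorted(a for a, s in scores.items() if s["score"] >= threshold)


if __name__ == "__main__":
    for e in unentitled_events(AUDIT_LOG, ENTITLEMENTS):
        print("policy violation:", e)
    for account, s in score_accounts(AUDIT_LOG, ENTITLEMENTS).items():
        print(account, s)
    print("flagged:", flagged_accounts(AUDIT_LOG, ENTITLEMENTS))
```

In the constructed log, "alice" reads an entitled document remotely and late in the evening, which scores 2 and stays below the threshold, matching the point above that time and location are no longer decisive on their own. "bob" combines off-hours remote access with two uses of a privilege never granted and a burst of distinct resources, which is what the scoring is designed to surface; the unentitled events are also reported separately as straightforward least-privilege violations that should be fixed in the entitlement model regardless of score.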

6.  Application Vulnerabilities

This type of attack tends to be more opportunistic. Web applications that are not properly vetted represent more of a risk. Vulnerabilities within an application are found and then exploited, and access is often gained through the use of stolen credentials (which is becoming easier to achieve with social engineering); a breach follows.

7.  Unintentional Mistakes

Unlike a breach caused purposefully by an employee, many breaches continue to occur due to unintentional human errors, often unknown to the employee responsible at the time. This could include sending information or details to the wrong recipient, disposing of sensitive information in an incorrect manner or placing data in public view that should have remained private.

8.  Theft and loss

The theft or loss of devices or hardware holding unencrypted sensitive data remains a concern and an incident type that continues to occur.

9.  Payment Skimmers

Usually targeting organisations within the finance or retail industry, this encompasses the fraudulent capture of data held on bank cards through the use of skimmer devices, and it is a major cause of security breaches.

10.  Denial of service attacks

Infiltrating the network and causing excessive malicious traffic on a corporate network. This is often achieved with the use of botnets and can impact business operations greatly.

Looking at these 10 major incident types, organisations within different sectors will find that certain types pertain to them more than others. It is important to understand the risk that each type of attack poses to your organisation and prioritise your security accordingly. With a good understanding, it should be clear which security controls to make a priority.

Also, certain organisations will need to prioritise security controls not purely based on the incident types they are more susceptible to, but also to achieve compliance with the regulatory bodies they answer to; this is particularly important within the health sector, for example.

Conclusion

Well thought out third-party solutions that complement each other to achieve a good multi-layered security solution are needed to protect against these incident types (amongst others) and the security challenges faced by many organisations presently. The controls should be implemented in a manner that prioritises the organisation's unique security requirements, based on the types of attacks more likely to target the organisation and its environment.

Windows Defender Advanced Threat Protection for Windows 10 Enterprise should assist organisations with detecting malicious activity and responding swiftly after such attacks.

Look out for part two of the series which will look at detection and remediation with focus on the new technology, Windows Defender Advanced Threat Protection for Windows 10 for Enterprise.
