Organisations continue to learn the hard way that when it comes to IT security, the simplest things often cause the biggest problems. A network is only as secure as its weakest link, so hackers don't need to spend the time and money it takes to develop advanced persistent threats or zero-day attacks; they just need to focus on finding the easiest ways of getting in. In other words, the most effective hackers keep things simple, something organisations must take into account.
With that in mind, here are four basic principles that attackers exploit and companies need to stay on top of in order to secure their network.
1. People Are Seen As A Weak Link
Hackers looking for a way to infiltrate a network often start with the vulnerabilities of key users — 81% of hacking-related breaches leveraged either stolen and/or weak passwords, according to last year's Verizon Data Breach Investigations Report. Worrying statistics like this should remind us that people are often the hardest part of the security equation. People are fallible and emotional, which is why even regular security awareness training has its blind spots.
Think about it — how easy is it to make somebody's emotions take over in today's world? In the age of connectivity and social networks, it's easier than ever to find professional, personal, or political information that can allow an attacker to craft personalised lures that trigger a response. Inducing such feelings can often lead to irrational behaviour, which in return can be something that can be exploited digitally. Additionally, as the lines blur between personal and professional communication platforms, it is important to make sure that security awareness training, especially when it comes to phishing, translates into the new mediums.
2. Flaws Remain Unfixed
Vendors and researchers don't always have the same goals or objectives, and security suffers as a result. There have been many cases where a researcher is forced to publish a legitimate vulnerability publicly because a vendor recognises it as a true security issue when the matter is brought to its attention privately. This leaves gaping holes for attackers to exploit.
Similarly, when the company in charge of updates is not the owner of the piece of code exhibiting a vulnerability, flaws can remain for an extended period. For example, it can take a long time for a mobilke phone provider to push an update to users after Google fixes an Android security flaw in the OS. Flaws like this will always be present, providing an entry point for even the least-sophisticated attackers to access a network.
3. If There's a Mistake, It Will Be Found
As automation continues to be a key outcome of digital transformation, the "good guys" aren't the only ones to benefit. Attackers are taking advantage of today's automated world and can easily scan for vulnerabilities. There are numerous public and paid services that allow users to explore the Internet pretty much anonymously, looking for misconfigurations that exist on anything from Internet of Things thermostats to government cloud instances.
It's no longer a question of if somebody will discover your mistake, but when (and more importantly, how long after it's been exposed). This story played repeatedly in the breaches of 2017. Amazon Web Services' S3 breach is one example. Attackers found a misconfiguration in AWS's storage buckets, which allowed public write access, enabling attackers to launch silent man-in-the-middle attacks and other hacks on a company's customers or internal staff.
It's important to remember that misconfigurations extend beyond just missing patches and default settings to things like network paths that don't need to exist, giving sweeping landscapes to monitor.
4. There Is a Big Security Workforce Shortage
In 2019, there will be a global shortage of 2 million cybersecurity professionals, according to ISACA, a nonprofit information security advocacy group. To compound the challenges caused by this lack of skilled analysts even more, the ones who are on the front lines are asked to do the impossible. They can't keep up with the barrage of alerts that come from so many sources. The flow is simply too great, and incidents are missed.
When an event is investigated, security teams are using so many internal and external tools, scripts, and conversations to get the relevant context that each investigation is a long and tedious process. This combination of factors is leaving security teams burned out and companies vulnerable.
Once again, hackers are acutely aware of these challenges that organisations face. They know that simple techniques of attack will fly under the radar and may not be scored as a "priority" because analysts are too busy spending their time looking for larger, more complicated threats. It's why attackers will try to live off the land more and more, using underlying sysadmin tools preinstalled with the operating system.
What Does It All Mean?
In the end, understanding the basic principles that hackers are using to infiltrate your network is an important part of staying one step ahead of them. But remember that even the basics will change over time. The most effective thing you can do to overcome these simple, yet evolving threats is to focus on the people protecting your organisation.
These people need to understand their role in securing the environment and the overall impact of the decisions they make. Make sure analysts know what they are protecting and ensure the right controls are in place to stay focused. Finally, be certain that the security teams have the visibility and the tools they need to detect, investigate, and respond quickly and effectively.