Organisations need your help sifting through the good, bad and occasionally hysterical advice about network security out there. They need your help to take the actions most likely to actually improve their situation.
Put yourself in their shoes. They will read riveting descriptions of exotic new security threats: poorly understood, menacing and often statistically irrelevant to their organisations. Even if they don’t end up wasting precious resources deploying flawed solutions as a result of this, they may be distracted from some far more relevant and useful improvements that are well within their means.
You know about these colourful distractions. Organised cybercriminals, or perhaps the People’s Liberation Army working in conjunction with state-owned Chinese companies or even anarchists may be the hackers du jour. A good story has to have characters, right?
However, since the villains are numerous and perhaps even interchangeable, we do better focusing more on techniques than perpetrators at a local level.
Pick almost any cybersecurity top 10 list and it will mention malware, man-in-the-middle, mobile devices, cloud, insiders, privacy, advanced persistent threats and suchlike. These are all real, but not all of them are equally important.
The likelihood that a given organisation will have to deal with a particular one of these threats varies tremendously. Further, the cost of dealing with these threats varies, as does the likelihood of substantially mitigating the risk.
A good security policy involves layers. Two average layers often protect far better than one really good layer. Some problems are already covered, while other problems (such as malware that recompiles itself before every download) probably have no single answer.
If you were a doctor, you would tell your patients to wash their hands frequently because that stops many pathogens. In IT, you will likely tell your customers to use similarly easy, broadly effective and remarkably low-cost techniques to mitigate risk, with the understanding that it is probably not practical or possible to entirely eliminate risk.
Keystroke loggers, dictionary attacks and insiders may all represent attempts to steal credentials or to acquire them by brute force. I have read that almost half of all network breaches exploited stolen or weak credentials.
It is much easier, in my view, to use a proven two-factor authentication (2FA) technique than to try to prevent every possible way of inserting a new keystroke logger or looking over someone’s shoulder. Strong authentication will also greatly restrict a hacker or insider that has gained partial access to your network.
With single sign-on, the power of a smart card or something similar can be extended to many applications, making users’ lives easier at the same time.
I have read that only two per cent of network breaches involved man-in-the-middle attacks, and these attacks are far more suited for penetrating predictable environments like consumer banking sites than heterogeneous environments such as corporate networks.
Even if man-in-the-middle attacks are increasing, most organisations will mitigate risk more cost-effectively by deploying smart cards or other strong 2FA techniques this year, rather than by directly addressing such hazy threats.
There are other candidates for cost-effective layers that may prevent many kinds of attacks. Some gateway proxy caching solutions can use content filtering and policy to efficiently block malware downloads from untrustworthy or unknown web sites.
This use of reputation-based filtering, rather than depending on just antivirus to block new forms of malware, may dramatically reduce the risk of zero-day malware attacks across an entire organisation.
The specific recommendation will vary by customer, but the principle still holds. First, add layers that cost-effectively decrease the risk from a wide array of threats, and only then add narrower, deeper protection for additional layers of assurance.
Chris Harget is director of worldwide enterprise markets at ActivIdentity