The challenge of protecting corporate infrastructure gets more complex every day. According to the CVE (Common Vulnerabilities and Exposures) records, thousands of new vulnerabilities are identified each year. In the first eight months of 2018, the equivalent of 80% of the total reported in the previous year had already been published. This means that, on average, 48 vulnerabilities were identified per day by the end of August.
Source: CVE Details: https://www.cvedetails.com/browse-by-date.php
If new challenges arise overnight, the information security specialist needs to keep up at the same speed. It is not only new threats: new cybersecurity controls, new approaches to protection and new market regulations are being developed all the time.
So one question remains: how do you keep up with the evolution of the information security industry?
The answer: it is possible to face these challenges with good preparation. To be prepared, a good security professional should be able to answer the following questions:
1. How does a network work?
Private network security is information security 101. A good professional must understand network security and know in detail how the network under his/her management works.
It is essential to understand ports, protocols, addressing, the layers of the OSI model, routing techniques etc. Without knowledge of the anatomy of their company’s infrastructure, it is not possible to design management strategies and deploy controls that can efficiently protect the environment.
2. What are the goals of your attackers?
Often, the goal of cybercrime is financial. But this reason can hide others. For example, an attacker can exploit a breach of a given company as a means to gain information about a user, a partner, or to steal intellectual property that will later be used as currency.
In other words, there are other possible goals. It’s worth mapping them as they can point you to better ways to protect your company from attacks. Among other possible reasons, it is worth considering:
- Personal data theft (clients / partners);
- Industrial espionage (intellectual property);
- Insider trading.
3. What are the root causes of exploitation?
System breaches and malware are challenges that security professionals will always have to deal with. But it doesn’t matter how many new breaches appear in a piece of software or how many thousands of new threats are developed: if there is no feasible way to exploit them in your environment, you should look at other priorities first. This doesn’t mean that you don’t need to address the issue; it means you address it with the lowest priority.
While it is important to stay constantly alert to what is happening on the external network, what is crucial is to identify which points in your own environment can be exploited right now. In other words, evaluate, classify and prioritize risks based on the existence of exploits.
The list below shows the most common root causes of exploitation:
- Outdated software;
- Social engineering;
- Credential theft;
- Data leakage;
- Configuration Errors;
- Denial of service;
- User error;
- Physical access.
A good way to prioritize your security strategy is to begin by identifying in which cases and how these root causes can compromise your assets and users.
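As an added example (not code from the original post), the small Python triage script below applies the criterion described above: each finding is tagged with one of the eight root causes and scored by its severity, by whether a working exploit exists, and by whether the asset is reachable from outside. The weighting factors and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The eight root causes listed in the post; every finding must map to one of them.
ROOT_CAUSES = {
    "Outdated software", "Social engineering", "Credential theft",
    "Data leakage", "Configuration Errors", "Denial of service",
    "User error", "Physical access",
}

@dataclass(frozen=True)
class Finding:
    asset: str
    root_cause: str
    severity: float          # 0-10, e.g. a CVSS base score
    exploit_available: bool  # is there a known, working way to exploit it today?
    internet_exposed: bool   # reachable from outside the private network?

def priority_score(f: Finding) -> float:
    """Severity weighted by exploitability and exposure (weights are assumptions)."""
    if f.root_cause not in ROOT_CAUSES:
        raise ValueError(f"unknown root cause: {f.root_cause}")
    score = f.severity
    score *= 2.0 if f.exploit_available else 1.0   # the post's key criterion
    score *= 1.5 if f.internet_exposed else 1.0    # exposure makes it reachable
    return round(score, 2)

def prioritize(findings):
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)

def totals_by_root_cause(findings):
    """Which root cause carries the most risk? Sum of scores per root cause."""
    totals = {}
    for f in findings:
        totals[f.root_cause] = round(totals.get(f.root_cause, 0.0) + priority_score(f), 2)
    return totals

# Constructed sample findings for a fictional company (not real data).
SAMPLE = [
    Finding("vpn-gateway", "Outdated software", 9.8, True, True),
    Finding("fileserver", "Outdated software", 6.5, False, False),
    Finding("mail-gateway", "Credential theft", 7.5, True, True),
    Finding("intranet-wiki", "Configuration Errors", 8.0, False, False),
    Finding("web-portal", "Outdated software", 5.3, True, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):5.1f}  {f.asset:14} {f.root_cause}")
    print(totals_by_root_cause(SAMPLE))
```

An internal-only, unexploited finding with a high base score ends up below a lower-scored but exposed and exploitable one, which is exactly the ordering the post argues for.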
4. How many types of cyber threats are there?
It is crucial to understand what tools and tactics cybercriminals adopt to attack companies and their users. There are three major families of malware (viruses, trojan horses and worms) that are the starting point for creating new types of malicious applications.
We have discussed the various types of malware on this blog before, and we recommend revisiting those posts.
The ability to distinguish between types of threat will allow the professional to:
- Assess what are the risks to your assets and users;
- Map out the possible breaches that can be exploited by each type of malware, correcting it in a preventative way; and consequently,
- Plan the best set of actions to combat attack techniques.
In brief, by knowing how a malicious application works, the process of choosing the most effective security control will be faster. Of course, a technology such as Advanced Threat Protection – ATP will make it simpler to identify and respond to threats, since this technology can identify known and unknown types of suspicious and malicious applications.
5. Is the user a security layer?
Yes. And user awareness is key so that your strategy has good results.
In fact, information security technologies are effective at identifying suspicious patterns and correcting possible errors. But the attackers know that just as well. As a result, we see that recent cybercrime initiatives are more coordinated and sophisticated, and most attacks involve social engineering.
In order to reduce the risks due to human action, whether for misinformation or premeditation, it is key to promote user awareness. From the board to the operational level, everyone needs to have information on the main threats, unsafe practices and behaviors, channels used by cybercriminals to disseminate malicious applications, how the user should behave to help protect information etc.
Good communication is essential as an information security strategy and a relevant skill for the security professional. However, this doesn’t mean that verbal communication is sufficient. The company must invest in training, create documentation to guide its employees, use internal channels to disseminate good practices etc.
It is worth mentioning that in terms of documentation, a security policy is fundamental. It is the law created by the company to define best practices to protect their information, assets and users. Every practice that does not align with the policy, is non-compliant with the rules of the company.
Therefore, the security policy cannot be just a technical document; it should also include a non-technical chapter of guidance for users. This should cover:
- The most common threats and risks against the organization;
- Recommended use of resources;
- Guidance for data protection;
- Forms of authentication and how to avoid losing credentials;
- Social engineering awareness;
- Reporting suspicious activity.
Have any questions?
The questions listed above are like “homework” that helps you to understand the basic scenario of cyber risk, cross it with the specific context of each company. Then you can begin to map out the most feasible risks and how to address them.
But of course you want to know more.