Understanding attack paths is a matter of practice


Modern organizations are increasingly investing in tools to increase agility, support teams, and capitalize on the flexibility that technology gives them. However, not enough of them are investing in the security and education needed to get the most out of these technologies without putting their own information assets, or those of their supply chain partners (upstream and downstream), at risk.

I have always been disappointed that whenever I have spoken about the risk posed by technology to business, the assumption has been made that I am therefore by definition anti-technology – nothing could be further from the truth. I believe, however, that there is no way to abdicate the organization’s responsibility for security assurance or data protection when it comes to technology.

Experience has taught me that when organizations turn to technology to solve a range of problems, as they should, they don’t channel enough resources to protect themselves from the unintended consequences or uninformed users of that technology; in many cases they do not even train users on the basic usage of it, let alone its safe and secure usage.

Now that we’ve built more and more technology to make it easier and simpler for us to connect, the threats I’m talking about have quickly adapted and taken advantage of it. Too often the response is reactive: organizations reverse-engineer risk mitigation once risks have become apparent, and often only after a data breach has occurred.

If we look at the latest data available from the Information Commissioner’s Office (ICO), we can see that nearly three-quarters of breaches in the third quarter of 2021 were caused by non-cyber incidents, such as sending an email to the wrong person. Of the remaining 25%, the top causes include phishing (no surprise), ransomware (again no shock), and software or hardware misconfiguration. This speaks to hasty deployments, blanket policies, and changes in environments and work tools. In short, a lack of robust risk management.

We know that third-party breaches have been in the news for a few years. Not only does this show no signs of changing, but as we continue to work in remote and hybrid styles, the results of poor technology implementation and poor security risk management expose organizations to each other’s weaknesses even more. And we know all too well how quickly connections between supply chain partners are exploited these days.

In other words, there is much more at stake than one’s own organization when it comes to poor security. Some 51% of organizations have suffered a breach caused by a third party in the past 12 months, and in 75% of those cases it was because the third party had too much privileged access.

Organizations need to be much more cohesive and their risk management needs to be much better informed. Too few risk assessments begin with a detailed and well-informed threat assessment, which means that risk treatment is often flawed.

Assuming that an effective and well-informed risk assessment has been performed for each business area where a new platform or technology is being considered, how each team or area should use the tool should be identified and defined by the business and, once agreed, facilitated by security.

“Too few risk assessments begin with a detailed and well-informed threat assessment, which means that risk treatment is often flawed”

Mike Gillespie, Advent IM

Balancing user experience and capability against the need for security, and then tying the controls to the sensitivity of what each role actually handles, means users will have no need to circumvent overly stringent security measures that stop them doing their job. Security is then appropriate and proportionate to each role rather than one general level imposed on everyone.

It is essential to ensure that IT security teams are consulted in any purchase and subsequent deployment. They should also be part of the education and training that should take place as part of user orientation.

People – their behaviors, attitudes and beliefs – are fundamental to good security. As such, technology education is only part of the solution, and organizations should enlist their true experts to contribute to broader education, awareness and training – the people responsible for communication, marketing and public relations tend to better understand what motivates people and what is likely to succeed in behavior change, so use them.

Where appropriate and feasible, are networks with different security needs or varying levels of sensitivity segregated? If the worst should happen and an attacker ends up in your network, can they move easily and quickly through it? Segregation makes lateral movement harder and lets you concentrate stronger controls on sensitive areas and on those with privileged access to assets.
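To make the question above concrete, here is an added example (Python, not from the original article or from Advent IM) that models a small network as hosts in zones plus a set of allowed zone-to-zone flows, then computes the shortest attack path from a compromised laptop to a finance database, the set of hosts an intruder can reach, and which rules are the choke points. The inventory, zone names and rules are constructed for illustration; the model assumes that hosts inside the same zone can always reach each other and that a rule only permits traffic initiated from the source zone.

```python
"""Attack-path reachability over a zone-based network model.

Added example, not from the original article. Hosts, zones and the
flow rules below are constructed purely for illustration.
"""
from collections import deque

# Constructed sample inventory: host -> network zone.
HOSTS = {
    "laptop-sales-01": "user",
    "laptop-hr-02": "user",
    "web-01": "dmz",
    "app-01": "app",
    "db-finance-01": "data",
    "dc-01": "identity",
    "jump-01": "admin",
    "backup-01": "backup",
}

# Flat network: one broadcast domain, no filtering between hosts.
FLAT_RULES = {("*", "*")}

# Segmented network: only these (source zone, destination zone) flows may be
# initiated. Hosts inside the same zone can always talk to each other.
SEGMENTED_RULES = {
    ("user", "dmz"),       # browsers to the public web tier
    ("user", "identity"),  # logon traffic to the domain controller
    ("dmz", "app"),        # web tier to application tier
    ("app", "data"),       # application tier to the database
    ("app", "identity"),   # application tier authenticates to the DC
    ("admin", "*"),        # jump host may reach everything; nothing reaches it
}


def flow_allowed(src_zone, dst_zone, rules):
    """True if policy lets a host in src_zone initiate traffic to dst_zone."""
    if src_zone == dst_zone:
        return True
    return any(s in ("*", src_zone) and d in ("*", dst_zone) for s, d in rules)


def shortest_attack_path(start, target, hosts, rules):
    """Breadth-first search over hosts; returns the hop list or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parents[cur]
            return path[::-1]
        for nxt in hosts:
            if nxt not in parents and flow_allowed(hosts[cur], hosts[nxt], rules):
                parents[nxt] = cur
                queue.append(nxt)
    return None


def blast_radius(start, hosts, rules):
    """Every host an attacker who controls `start` can reach, including start."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in hosts:
            if nxt not in seen and flow_allowed(hosts[cur], hosts[nxt], rules):
                seen.add(nxt)
                queue.append(nxt)
    return seen


def choke_points(start, target, hosts, rules):
    """Rules whose removal on its own cuts every path from start to target."""
    return {r for r in rules
            if shortest_attack_path(start, target, hosts, rules - {r}) is None}


if __name__ == "__main__":
    foothold, crown_jewel = "laptop-sales-01", "db-finance-01"
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        path = shortest_attack_path(foothold, crown_jewel, HOSTS, rules)
        reach = blast_radius(foothold, HOSTS, rules)
        print(f"{name:9s} path: {' -> '.join(path) if path else 'none'}")
        print(f"{name:9s} reachable: {len(reach)}/{len(HOSTS)} hosts")
    print("choke points:", sorted(choke_points(foothold, crown_jewel, HOSTS, SEGMENTED_RULES)))
```

Run stand-alone, the flat model puts the database one hop from the laptop and every host within reach; the segmented model still reaches the database, but only via the web and application tiers, and the jump host and backups stay out of reach. The choke-point list is the practical output: each of those three rules is a place where a single firewall change, or a detection on that boundary, breaks the whole path.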

Nothing makes an organization better prepared than good intelligence. Since most of our breaches come from within, or at least are facilitated from within, then why is so much of our horizon scanning and intelligence gathering focused on the outside?

Good quality, no-blame near-miss reports are invaluable as an intelligence tool. They allow you to identify early warnings and indicators of subtle behavioral changes, deviations from policy or re-emerging lax security practices, and to target education that nips them in the bud.

Ultimately, you can call it information security, information assurance, or cybersecurity. As you wish. But whatever you call it, never forget people, people.
