Author: Time Boles, Director Security Services
Data is one of the highest-valued commodities of a company and is used in almost every aspect of running a business: Information on the latest sales figures drive a company’s approach to the market; a warehouse sends out replenishments to stores based on inventory data; financial data helps company board members decide on future strategies for growth…
And it’s for this exact reason that cybercriminals often target databases: They’re dying to get their hands on such valuable and sensitive information.
Cybercriminals can profit from retrieving data, and then using or selling it. Meanwhile, the company from which they’ve stolen suffers (sometimes devastating) losses.
The “Cost of a Data Breach Report 2022” noted that the average cost for a data breach in 2022 was $4.35 million. (https://www.ibm.com/security/data-breach)
Can your company afford to lose $4.35 million?
Securing your data is no longer a moral or business decision: Governments have been enforcing a tougher stance on how companies maintain and protect data. In 2018, the General Data Protection Regulation (GDPR) was implemented to impose uniform data security laws on all EU members.
Lock Your Doors!
Why do people lock the doors and windows to a house? Generally, it’s to keep uninvited people out. But will a locked door prevent a motivated person from breaking in? Probably not. You can try to prevent break-ins with various deterrents, like cameras, watch dogs, security systems, and even guards. Still, none of these can guarantee 100% protection. However, the more obstacles you put in the way of an uninvited person, the harder it will be to gain access to your house, and they may decide the effort is not worth the reward — or, if they still end up breaking in, the chances are higher that they’ll be observed, caught, and removed.
Securing your data is analogous to securing your house. Just as locking your doors will prevent most people from breaking in, locking down attack vectors will prevent most cybercriminals from gaining access to your data. Locking down attack vectors won’t guarantee security, but it forces cybercriminals to expend more time and effort to get to your data — and the harder they have to work, the more likely their efforts will be noticed and thwarted.
Know Your Enemy!
Understanding the attack vectors that cybercriminals will most likely use can go a long way in blocking their access to your system.
In the article “The More You Know, The More You Know You Don’t Know,” Maddie Stone, from Google’s Project Zero team, talks about how attackers use 0-day exploits: “…the 0-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit ‘shapes’ previously seen in public research.” (https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html)
Cybercriminals who make use of 0-day exploits first strike through known, and often-used, attack vectors. Removing those will likely serve as a deterrent, encouraging attackers to move onto other, potentially easier, targets.
According to the “Cost of a Data Breach Report 2022,” cybercriminals consider the following to be the top five initial attack vectors for obtaining access to systems:
• Stolen or compromised credentials (most common, ~19% of breaches)
• Phishing attempts (~16% of breaches)
• Cloud misconfigurations (~15% of breaches)
• A vulnerability existing in third-party software (~13% of breaches)
• Malicious insiders (~12% of breaches)
As a manager, do you know how your systems are being protected from these attack vectors?
Security Is More Than Patching
When working with clients to secure their applications, we have found that many technical individuals solely focus on their area of responsibility. One of the most common responses to their current security approach is, “We apply the vendor patches.” However, if your staff only relies on software patches to protect your data, they’re ignoring four of the five top attack vectors. The variety of initial attack vectors listed above shows the need for a comprehensive corporate cybersecurity program. In most organizations, addressing these attack vectors will involve multiple teams in what’s described as a “Defense-in-Depth” approach.
Every organization is different, but subject matter experts, technology vendors, and the community at large have agreed upon a set of basic security-configuration recommendations for hardening specific technologies in an organization’s environment. These standards have been collected by the Center for Internet Security (CIS) and published as benchmarks — which is why they should be a key component of an organization’s overall security against cyberattacks.
Utilizing Benchmarks
Benchmarks are an excellent foundation for any organization to use when building its overall security posture. That said, benchmarks are not one-size-fits-all. They need to be evaluated within the context of a company’s unique business, application, and user needs. Where patching only addresses one of the top five attack vectors, CIS benchmarks have input on all five. Here is a list of benchmark examples, based on a variety of vendors and software, that helps address these attack vectors:
Stolen or compromised credentials — (Oracle Database 19c Benchmarks)
• Ensure PASSWORD_VERIFY_FUNCTION is set for all profiles.
• Ensure PASSWORD_LIFE_TIME is less than or equal to 90.
• Ensure INACTIVE_ACCOUNT_TIME is less than or Equal to 10.
Phishing attempt — (Microsoft 365 Foundations Benchmarks)
• Ensure that an anti-phishing policy has been created.
• Ensure that LinkedIn contact synchronization is disabled.
• Ensure safe links for Office applications are enabled.
Cloud misconfigurations — (Google Cloud Platform Foundation Benchmark)
• Ensure that the default network does not exist in a project.
• Ensure legacy networks do not exist for older projects.
• Ensure RSASHA1 is not used for key-signing.
A vulnerability existing in third-party software — (Microsoft 365 Foundations Benchmarks)
• Ensure third-party integrated applications are not allowed.
• Require MFA for externally exposed enterprise or third-party applications.
• Only user up-to-date and trusted third-party components.
Malicious insiders — (Apache Tomcat 9 Benchmarks)
• Restrict access to the web administration application.
• Do not run the application as privileged.
Knowing Your Benchmarks
Patching is only part of a holistic approach to securing your data. An overarching view of security, like Defense-in-Depth, is vital to helping an organization understand that thwarting cybercriminals is not a single group’s responsibility. In addition, a holistic security posture will help your organization be proactive about security threats and allow for streamlined risk mitigation.
As a member of the CIS SecureSuite, Spinnaker Support can help you understand the benchmarks you are currently achieving, as well as the ones your team needs to review. Our security solutions are designed for your unique set of applications and systems, as they combine proven processes and experienced staff to continuously investigate issues, harden and protect your environment, and deliver timely fixes and remediations.
For more information, please visit our security page.