Most decision makers in IT management are having to spin so many plates, all at the same time, that there’s always a danger one of them will eventually fall to the floor and smash.
About the author
Peter Mackenzie, incident response manager, Sophos.
The problem is, just because you’ve attended to a cyber security issue, or decided that it’s not relevant for your business, that doesn’t mean you can forget all about it. With the increasing sophistication and determination of attackers, and the type of threats evolving all the time, you can’t afford to drop your guard with any aspect of security, even for a moment.
While maintaining IT security is an increasingly challenging task, a good place to start is to avoid a number of common misperceptions, all of which were encountered within a wide range of organizations when investigating and neutralizing attacks over the past year.
Misperception 1: We are too small to be a target and don’t really have anything worth stealing
It’s easy to think attackers might be targeting bigger fish than your organization. Or that you’re in a low-interest sector and simply don’t have any assets likely to attract the attention of a passing cybercriminal. But our experience tells us otherwise. If you have processing power and a digital presence, you are a potential target.
It’s worth remembering that even though hackers from North Korea and Russia make the headlines, most attacks are not carried out by nation states but opportunists looking for easy prey. So, whatever size your business, if you have any weaknesses in your defenses, such as security gaps, errors or misconfigurations, then you could easily be next.
Misperception 2: We don’t need advanced security technologies installed everywhere
Some IT teams still believe that endpoint security software is enough to thwart all threats, and that they subsequently don’t need security for their servers. Big mistake. Unlike in the past, any errors in configuration, patching or protection make servers a primary target.
The list of attack techniques designed to bypass or disable endpoint software include those operated by humans which exploit social engineering, malicious code injected directly into memory, ‘fileless’ malware attacks such as reflective DLL (Dynamic Link Library), and attacks using legitimate remote access agents like Cobalt Strike, alongside everyday IT admin tools. Unfortunately, basic anti-virus technologies will struggle to detect and block such threats.
Even the assumption that protected endpoints can prevent intruders from making their way to unprotected servers is misguided. Recent experience tells us servers are now a prime target and attackers can easily find their way in using stolen access credentials.
Most contemporary cyber criminals have a strong understanding of Linux machines. In fact, attackers can hack into and install back doors in Linux machines to hide and maintain access to your network. If your organization only relies on basic security, intruders won’t find it too difficult to bypass your defenses in this way.
Misperception 3: We already have robust security policies in place
Yes, having security policies for applications and users is critical. But once you’ve got them in place, that’s not the end of the matter. These policies need to be checked and updated constantly as new features and functionality are added to devices connected to the network, and the strategies of cyber attackers become increasingly more sophisticated.
Your organization needs to test its cyber security policies regularly, using techniques such as penetration testing, tabletop exercises and trial runs of your disaster recovery plans to ensure your defenses are as robust as you would like to believe.
Misperception 4: Our employees understand security
According to Sophos’ State of Ransomware 2021, 22 per cent of organizations believe they’ll be hit by ransomware in the next 12 months as it’s hard to stop their end users from compromising security. Training helps but messages learned can soon be forgotten.
Besides, social engineering tactics like phishing emails are becoming increasingly hard to spot. Messages are often hand-crafted, accurately written, persuasive, and carefully targeted.
Cyber criminals are constantly finding new ways to catch end users unaware. As they step up their efforts, you need to increase yours too. Educate your employees on ways to spot suspicious messages and what to do when they receive one. Make sure they have the contact details of the right person in your team to notify, and that they do it immediately so other employees can be alerted.
Misperception 5: Incident response teams can recover my data after a ransomware attack
Unfortunately, your confidence in the response team’s powers of recovery is misguided. Attackers today are more ‘professional’ than ever. They make fewer mistakes and the encryption process has improved, so you can no longer rely on your responders to find a way to undo the damage.
Automatic backups like Windows Volume Shadow Copies are also deleted by most modern ransomware. As well as overwriting the original data stored on disk, this makes recovery impossible if you aren’t prepared to pay the ransom. And, even then, only 8 per cent of organizations that pay the ransom successfully retrieve all their data.
As you will have gathered by now, IT decision makers and complacency do not go well together. Too many organizations who believed it could never happen to them are now counting the cost after it has happened.
Instead of sitting back and assuming everything’s going to be OK, you need to take full control of your business affairs before somebody else does.
Peter Mackenzie, incident response manager, Sophos.