Path of Least Resistance
A determined hacker can probably work their way through any defence, but there is still plenty organisations can do to deter attacks and make themselves less vulnerable
Every day seems to bring news of another data breach and another type of malware entering the wild. While truly determined hackers may be able to break through any defence, it’s perhaps worth remembering that most are easily deterred and will prioritise the easier targets.
“Regardless of the popular image of the average hacker as being a computer whiz, most hackers are just average people and as such are fundamentally lazy,” says Patrick Grillo, senior director, solutions marketing, Fortinet. “As such, they will always look for the path of least resistance into a network.”
That’s why, he continues, e-mail remains a popular entry point for attackers. “Whether phishing, spear phishing and whaling targeted at senior executives, e-mail is a preferred tool to gain initial entry into a network,” he says. “By using valid but compromised login credentials obtained from a phishing campaign, the hacker can easily gain entry into the network.”
Thomas Fischer, principal security researcher, Digital Guardian, says users are still the most actively targeted parts of an organisation’s IT security infrastructure. As well as being a point of weakness, however, he points out that they could also prove to be an asset.
“They not only provide a vector for compromise but are also potentially the best threat intelligence that an organisation can have,” Fischer says. “They may ultimately be aware of bad e-mails or compromised sites beforehand as they could have been hit at home or heard it from a friend.”
In terms of specific ‘bits’ of the infrastructure, attackers will target “the most visible parts of the organisation like internet-facing application servers or looking at how the perimeter can be bypassed either via direct attacks on the user or infiltration through remote offices”.
According to Nicolai Solling, director of technology services at Help AG, the insider threat may have even grown. He cites a study by Crowd Research Partners that says 62% of surveyed professionals found insider threats have become more frequent. “Despite this, fewer than 50% of organisations have appropriate controls to mitigate this threat,” he says. Among the reasons are growing complexity of ICT, social media, the presence of data on unauthorised third-party applications and, of course, BYOD.
When reviewing security strategy, Grillo emphasises looking at “the entire network”. IT security managers should be asking if all potential points of weakness are protected and whether or not the solutions in place are adequate. Look at the level of complexity of infrastructure and whether or not that complexity can be reduced.
One aspect of complexity could be the number of vendor solutions involved. Is this proving difficult to manage and can the number of vendors be rationalised? Vendors are unanimous that one key aspect of your approach to IT security must be internal education programs.
Despite all the publicity the subject has received, employees continue to do things they shouldn’t, especially when it comes to opening e-mails, a point made by all vendors. Education and vigilance must also be extended to the suppliers, consultants, contractors and remote employees plugged into your network.