After Hours: Thomas Fischer
Thomas Fischer, Principal Security Researcher, Digital Guardian.
What are the most actively targeted parts of an organisation’s IT security infrastructure?
The most targeted parts of the IT security infrastructure remain the users. It is often forgotten that the organisation’s’ users are a critical part of the IT security infrastructure. They not only provide a vector for compromise, but are also potentially the best threat intelligence that an organisation can have. They may ultimately be aware of bad emails or compromised sites beforehand as they could have been hit at home or heard it from a friend.
The IT administrator is also an active target; malicious parties wanting to compromise an organisation are interested in how the IT infrastructure is set-up, what services are running and any administrative passwords and access. Thinking about technical infrastructure, the attackers will target the most visible parts of the organisation, like internet facing application servers or looking at how the perimeter can be bypassed either via direct attacks on the user or infiltration through remote offices.
Are insiders (often unknowingly) still the biggest threat to IT security, or has that now changed?
Ultimately, every outsider threat is an insider whose identity has been compromised. We continue to see that the biggest entry vector or reason an organisation is compromised is because of insiders. Take a look at recent campaigns like Dridex and ransomware (note, interestingly enough these are married together now). They target the insider for a reason – they are ultimately vulnerable as they are prone to mistakes. Targeting the organization where it hurts to get a quick payout is what most malicious parties are after. The bottom-line on most attacks is for financial gains.
If organisations don’t have large IT budgets, what are the easiest and most cost effective security measures they can take?
User awareness and enablement is the best way an organisation can best fight against attacks. There are two primary reasons for this.
For one, the user is the best source of information to alert IT that something is going wrong in the environment and secondly the user is the most likely target of an attack. Enabling them to make the best decisions in the face of suspicious actions, attachments or links will ultimately help reduce the organisation’s threat posture.
Is a higher profile organisation more vulnerable to targeted attacks and which sectors are most targeted?
This might be true for hacktivism, but nowadays most high-profile companies are more in tune with their security requirements and implement measures. In general, however, it’s the organisations that are visibly deficient and have weak security that will be targeted.
Malicious parties will use reconnaissance and open source intelligence (OSINT) on organisations to find the low hanging fruit: those areas that are easier to compromise. With regards to industry, we can look at it from two perspectives; while the public sector (governments and their agencies) will be most targeted when it comes to hacktivism or state sponsored (including from the likes of S.E.A. or Cyber Caliphate Army) attacks, financial services, healthcare (including insurance companies), retail and manufacturing are the most likely to be the highest sectors for more substantial financial gain attacks.
What are some of the most basic security errors organsiations need to be aware of?
The most basic error is relying on one technology or relying on the next best thing. A good security posture requires an organisation to use all of its process, procedures and tools in a co-ordinated and coherent manner. Lack of preparedness to respond to incidents is one of the biggest issues organisations need to correct.