IAM Best Practices to Reduce Your Attack Surface

August 30, 2017

When I read the 2017 Verizon data breach report, I couldn’t help but notice that it would be relatively easy to reduce an attack surface by implementing a few Identity & Access Management (IAM) best practices. Granted, that might mean you will need to spend some money, but considering that a breach could cost you $15 Million or more, according to Ponemon, and considering that 81% of breaches involve a weak or stolen password, wouldn’t it make sense to spend your money where it has the most impact? Organizations need to reduce their attack surface!


Now before I share tips provided by Verizon and Centrify on how you can protect an organization and how to reduce the attack surface, I want to highlight two examples that stand out to me (we have all heard of them or know someone who this has happened to or possibly have become a victim ourselves).

Point of Sale (POS) Intrusion

POS breaches are remote attacks against environments where card-present retail transactions are conducted. POS terminals and POS controllers are the targeted assets, and physical tampering with PIN entry device (PED) pads, or swapping out the devices entirely, also happens. Back in the 2011 Verizon DBIR report, the findings were dominated by scalable, automated attacks targeting internet-visible POS servers with default credentials. Fast forward to the 2014 report, where 2013 was referred to as the “year of the retailer breach.” This was not because of how many organizations fell victim, but because POS intrusions were affecting big retailers with significant impacts.

Almost 65% of breaches involved use of stolen credentials as the hacking variety, while a little over a third employed brute force to compromise POS systems. Following the same trend as last year, 95% of breaches featuring the use of stolen credentials leveraged vendor remote access to hack into their customer’s POS environments.

Point of Sale Intrusion Conclusion

According to the Verizon DBIR, POS vendors should put more effort into securing the remote access mechanisms they use to reach their customers. The recommendation to all businesses, small and large, is to ask any third-party management vendors the right questions about their security practices, especially about their use of two-factor authentication. So, the first step to securing your POS environment is to limit remote access, and, more importantly, to strengthen authentication through multi-factor authentication (MFA).

Web Application Attacks

Almost half of the web application attacks involve the use of stolen credentials, obtained either by good old-fashioned social engineering or by botnet malware delivered through a phishing attack. Another new trend is attackers standing up infrastructure to serve malware or phishing websites, then using the credentials captured by keyloggers running on that "fake" infrastructure.

Web Application Attacks Conclusion

As websites become more interactive and versatile and provide a solid user experience, organizations should focus more on the underlying infrastructure, logic and functionality of these assets. When users access their web applications through an access portal, it not only enhances the user experience with a single point of entry to all of his or her daily-used applications, but it also reduces the risk of becoming the victim of a phishing attack that redirects the user to a compromised phishing website.

With the implementation of federated authentication via SAML, supported by most common web applications such as Office 365, Salesforce, AWS, G Suite, Workday, Box, Dropbox, etc., and the use of MFA, enterprises would be able to eliminate more than half of the web application attacks.


Many organizations say, “we don’t have the budget,” but, if a homeowner is trying to keep a thief out of his house, would he spend all of his money on a big wall around the house but not spend money to buy a door lock?

As cybercriminals adapt to new and emerging technologies, they are changing their methodologies by improving their tactics. But the common mistakes still being made are the use of easy-to-guess passwords, unchanged default passwords on infrastructure devices, shared use of privileged accounts, insecure remote access to on-premises applications, and two-factor authentication that is never implemented.

While no system is 100% secure, too many organizations make it too easy for cybercriminals by not implementing some basic security measures. I mean, if someone really wants to hack into your network, he will be able to do so -- but with the right security measures in place, it can become so expensive in time and effort that 99% of the “drive-by hacking” criminals will just move on to lower-hanging fruit. And if someone really does manage to breach an organization's defenses, the organization will at least have mechanisms in place to detect the breach faster and to limit lateral movement in its network, minimizing the impact and damage the attacker can cause.

Below are some tips from Verizon and Centrify that cover the simple mistakes seen time and time again.

Make people your first line of defense

Train staff to spot the warning signs of a phishing attack and social engineering.

Patch promptly

Assists in guarding against many attacks.

Encrypt sensitive data

Make your data next to useless if it is stolen.

Use multi-factor authentication

Limit the damage that can be done with lost or stolen credentials.

Implement least privilege access controls

Make sure that only the staff who need access to systems to do their jobs have it. This will reduce insider abuse and accidental data leakage.

Implement controls and monitoring tools for access to privileged systems and data

Stay informed on who can access what data, and when, and be alerted when suspicious activity occurs. Log files and analytics systems can give you early warning of a breach.
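The tip above, together with the MFA and remote-access points earlier in the post, is easier to act on with a concrete detection in hand. The following is an added example, not code from the original post or from Verizon or Centrify: a small Python detector that scans authentication-log lines for the two patterns the post keeps returning to, namely a burst of failed logins from one source that is followed by a success (the brute-force / stolen-credential pattern against remote access), and a successful privileged login that never completed MFA. The log format, the usernames, the IP addresses (all from documentation ranges) and the thresholds are constructed for illustration; a real deployment would read the equivalent fields from its own VPN, directory or PAM logs.

```python
"""Added example: early-warning checks over constructed authentication logs.

Not part of the original post. Log format, accounts, addresses and
thresholds are constructed; adapt the parser to your own log source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line:
#   <ISO timestamp> <SUCCESS|FAIL> user=<name> src=<ip> mfa=<yes|no> priv=<yes|no>
SAMPLE_LOG = """\
2017-08-30T02:10:01 FAIL user=vendor-svc src=203.0.113.7 mfa=no priv=yes
2017-08-30T02:10:20 FAIL user=vendor-svc src=203.0.113.7 mfa=no priv=yes
2017-08-30T02:10:45 FAIL user=vendor-svc src=203.0.113.7 mfa=no priv=yes
2017-08-30T02:11:02 FAIL user=vendor-svc src=203.0.113.7 mfa=no priv=yes
2017-08-30T02:11:30 FAIL user=vendor-svc src=203.0.113.7 mfa=no priv=yes
2017-08-30T02:12:11 SUCCESS user=vendor-svc src=203.0.113.7 mfa=no priv=yes
2017-08-30T08:01:00 SUCCESS user=alice src=198.51.100.4 mfa=yes priv=no
2017-08-30T08:03:10 FAIL user=bob src=192.0.2.9 mfa=no priv=no
2017-08-30T08:05:40 SUCCESS user=bob src=192.0.2.9 mfa=yes priv=no
2017-08-30T09:15:00 SUCCESS user=admin-ops src=198.51.100.20 mfa=yes priv=yes
"""

FAILURE_THRESHOLD = 5                  # this many failures from one source ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... inside this window counts as brute force


def parse_line(line):
    """Parse one constructed log line into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, outcome, *kv = parts
    fields = dict(p.split("=", 1) for p in kv)
    return {
        "ts": datetime.fromisoformat(ts),
        "success": outcome == "SUCCESS",
        "user": fields["user"],
        "src": fields["src"],
        "mfa": fields["mfa"] == "yes",
        "priv": fields["priv"] == "yes",
    }


def parse_log(text):
    """All well-formed events, oldest first."""
    events = [parse_line(line) for line in text.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def detect_brute_force(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Sliding-window failure count per source address.

    Emits ("BRUTE_FORCE", src, user) once a source crosses the threshold and
    ("CREDENTIAL_COMPROMISE", src, user) for every later success from that
    same source: a guessed or stolen credential that actually worked.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = set()              # sources already over the threshold
    alerts = []
    for e in events:
        if e["success"]:
            if e["src"] in flagged:
                alerts.append(("CREDENTIAL_COMPROMISE", e["src"], e["user"]))
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["src"] not in flagged:
            flagged.add(e["src"])
            alerts.append(("BRUTE_FORCE", e["src"], e["user"]))
    return alerts


def detect_privileged_without_mfa(events):
    """Successful privileged logins that did not complete multi-factor authentication."""
    return [("PRIV_LOGIN_NO_MFA", e["src"], e["user"])
            for e in events if e["success"] and e["priv"] and not e["mfa"]]


def run_detections(text):
    """Run both checks over a log text and return the combined alert list."""
    events = parse_log(text)
    return detect_brute_force(events) + detect_privileged_without_mfa(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(*alert)
```

Run against the constructed sample, the vendor remote-access account trips all three alerts (five failures inside ninety seconds, a success from the same address, and a privileged login with no MFA), while bob's single typo followed by an MFA-backed login and admin-ops's MFA-backed privileged login raise nothing. The threshold and window are the knobs to tune per log source; the structural point is that the failure-then-success sequence from one source is what deserves an alert, not failures alone.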

Protect your Mobile and Cloud applications

Improve security with context-based adaptive MFA, and eliminate the use of easy-to-remember, reused and/or improperly stored passwords to secure app access.

Stop breaches that start on endpoints

Grant access to apps and infrastructure only from trusted and secured endpoints. Manage and secure your heterogeneous endpoints through a single source of identity and a least privilege access model.

Implement portals for accessing Web and SaaS applications

Improve end user productivity and secure every user’s access to apps through federated single sign-on, eliminating the risk of redirection to phishing websites.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.