It is widely understood that common sense is not common. It is more frustrating when the approaches some organizations use to prevent cyber attacks against enterprise assets lack the application of common sense. This article documents recent studies on the frequencies at which several large organizations scan their networks to identify vulnerabilities and improve their security posture. While zero-day attacks (malware introduced into cyberspace for which countermeasures have not yet been developed) constitute about 13% of all vulnerabilities (Ponemon Institute, 2014), the remaining 87% are well known and countermeasures exist for preventing them. The article also identifies some of the complacencies of organizations in fighting cyber threats, and offers suggestions for protecting the information and communication systems that support both government and private organizations from cyber attacks.
Current tools that merely alert IT staff to respond to information on cyber threats are inadequate to address the massive volume and sophistication of modern cyber threats. Therefore, intelligent cyber security solutions that can predict and stop threats on the network are needed to address the limitations of traditional threat management tools. Current efforts to secure cyberspace have resulted in large public vulnerability databases at NIST and Symantec. However, access to vulnerability databases is only the first step in managing threats to the network; it will not reduce the frequency and damage of cyber attacks unless network administrators are equipped with automated security tools. Those efforts are not helped by the fact that several organizations and consumers are slow to apply published security updates.
Alarming statistics from market surveys: Published reports from recent studies by two independent market research organizations on the frequency of full-network active vulnerability scans (a.k.a. credentialed scanning) provide some very disturbing statistics. The 2015 Cyberthreat Defense Report on 814 organizations by the CyberEdge Group and the 2014 survey of 678 US IT practitioners by the Ponemon Institute, LLC arrived at very similar results about the complacency of several organizations. Their findings show the following active scanning frequencies: Daily: 4%; Weekly: 11%; Monthly: 23%; Quarterly: 29%; Semi-annually: 19%; and Annually: 14%. A large number of organizations scan their networks to be compliant with government regulations, with little attention to risk management. The reports show that about 38% of those organizations scan their networks monthly or more often. Several organizations that claim to perform continuous scanning actually perform passive scanning, which does not provide a detailed picture of the vulnerabilities of the network elements. Even the latest directive from the White House to government agencies to tighten security controls in response to the hack of the Office of Personnel Management (OPM) recommends only that the agencies patch security holes in response to the list of vulnerabilities provided by the Department of Homeland Security every week (Lisa Rein, The Washington Post, June 16, 2015).
The need to focus on automation instead of relying on human capital: Scanning the network generates a huge number of vulnerability findings that must be analyzed in order to gain intelligence about the network, otherwise known as situational awareness. Merely publishing the most vulnerable nodes and alerting the system administrator to respond is not effective. It makes no sense to expect the human brain to process over 300 vulnerabilities and apply the necessary countermeasures daily without expecting a brain freeze. Instead of lamenting the shortage of personnel or cybersecurity experts, a significant amount of resources needs to be devoted to process automation. Rather than relying on humans to perform penetration testing after the vulnerabilities have been identified, the focus should be on tools that automatically generate possible attack paths and prevent attacks on enterprise assets.
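As an added example (not code from the article), the following Python routine shows the kind of automated triage the paragraph above argues for: it ranks constructed scan findings by severity, asset criticality, whether a countermeasure already exists, and how long the finding has been exposed, and flags fixable findings that have outlived a patch deadline. Hostnames, the EXAMPLE-* identifiers, weights and dates are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    host: str
    vuln_id: str          # constructed placeholder, not a real advisory identifier
    cvss: float           # base severity score, 0.0 to 10.0
    fix_available: bool   # a published patch or countermeasure exists
    asset_critical: bool  # host stores or serves sensitive data
    first_seen: date      # date the scanner first reported the finding

# Constructed sample scan output; "today" is fixed so the example is reproducible.
TODAY = date(2015, 6, 16)
FINDINGS = [
    Finding("db01", "EXAMPLE-0001", 9.8, True, True, date(2015, 6, 9)),
    Finding("web02", "EXAMPLE-0002", 7.5, False, False, date(2015, 6, 15)),
    Finding("ws17", "EXAMPLE-0003", 5.0, True, False, date(2015, 4, 1)),
    Finding("hr-file", "EXAMPLE-0004", 6.5, True, True, date(2015, 6, 16)),
]

def exposure_days(f: Finding, today: date = TODAY) -> int:
    """Days the finding has been open since the scanner first saw it."""
    return (today - f.first_seen).days

def priority(f: Finding, today: date = TODAY) -> float:
    """Higher means act sooner. Weights are assumptions, not a standard."""
    score = f.cvss
    if f.asset_critical:
        score *= 1.5                      # critical hosts outrank equal severity elsewhere
    if f.fix_available:
        score += 2.0                      # a known countermeasure is actionable now
    score += min(exposure_days(f, today), 30) / 10.0   # longer exposure, more urgency
    return round(score, 2)

def triage(findings, today: date = TODAY, top_n: int = 3):
    """Return the top_n findings as (host, id, priority), highest priority first."""
    ranked = sorted(findings, key=lambda f: priority(f, today), reverse=True)
    return [(f.host, f.vuln_id, priority(f, today)) for f in ranked[:top_n]]

def overdue(findings, today: date = TODAY, sla_days: int = 7):
    """Fixable findings still open longer than the patch deadline (in days)."""
    return [(f.host, f.vuln_id) for f in findings
            if f.fix_available and exposure_days(f, today) > sla_days]

if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(row)
    print("overdue:", overdue(FINDINGS))
```

The zero-day finding on web02 ranks last here not because it is harmless but because nothing can be applied to it yet, which is exactly the kind of distinction a daily queue of hundreds of findings needs made automatically.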
Defense in Depth: The concept of defense in depth is widely understood by cybersecurity professionals and should be applied. To protect or harden each node on the network, it is critical to employ at least five strategies. 1) Employ up-to-date anti-virus software that can disinfect both known and unknown malware. 2) Control the use of certain devices (such as disabling the Bluetooth on your laptop) in public, especially at airports and coffee shops; 3) Encrypt the hard drive and removable media to protect stored data (lessons from Sony and OPM); 4) Control applications to prevent untrusted changes (e.g. SQL injection); and 5) Patch management to ensure that the system is running the most current software. Defending in depth is also called host-based access control in certain quarters. Once the host has been protected, diligent attempts should be made to defend the network (i.e., the connected nodes).
Almost every week, we read about the vulnerabilities of government and private networks and the significant cost to the economy, to intellectual property and to the privacy of individuals. Many established companies and government agencies expend a significant amount of resources to develop and deploy cybersecurity tools, yet the attacks continue. Why, one may ask. While we all understand that the problem is hard, there are some basic steps that we need to take to address the issue. Weekly scanning of the network assumes that the hacker does not attempt to penetrate the network more often than that. Are we comfortable allowing hackers to roam the network for a week? Controlling access to critical assets requires more than 2- or even 3-factor authentication. Encrypting the data with a very strong encryption algorithm, to make it very difficult for thieves to use stolen data, makes sense. Instead of lamenting the shortage of cybersecurity professionals (which is real), focus on intelligent automation to reduce the level of effort for performing the many mundane tasks. Those steps are what this author calls common sense approaches.