Getting the security basics right is hard, but it remains essential

Getting the security basics right is hard, but it remains essential
Image artwork by Necip Duman

A few weeks ago I was invited by Mancosa to present to their staff and students.

MANCOSA | Undergraduate and Postgraduate Education Provider
MANCOSA is a leading distance educational provider who has partnered on the first pan-African higher private education platform.
MANCOSA

The topic: the importance of building a strong security culture.

3 core messages I wanted to communicate:

  1. How most cyberattack victims, failed to get the basics right;
  2. Why victims then respond with increased security spend; &
  3. Burn millions on new products and services, with little return.

What does this have to do with culture? I want to highlight how talent, design, testing and training are the highest yielding, yet most overlooked, defence tools in any arsenal.

Failing to get the basics right?

In most of the incidents we were called on to respond to (either as Snode or through a partnership) the initial compromise is a resultant of a basic control failure or oversight.

The following high-profile breach (covered in the media) illustrates this point nicely:

Playing truth or dare with TransUnion hackers
ITWeb news editor Admire Moyo is one of the 54 million victims compromised in the credit bureau hack.
ITWebAdmire Moyo

The cyber-attacker claimed: "They were using the word ‘password’ as their password.”

While this is a progressive organisation, with excellent leadership, this incident is a pattern we see in most cyberattacks we have responded to globally. Getting the security basics right, is hard, but it remains essential - if you want a resilient posture.

An absolute, timeless truth used to focus our efforts.

Here are five common (initial) attack vectors Snode sees when called in to respond:

  1. Unauthorised VPN (virtual private network) access using a compromised account.
  2. Unauthorised RDP (remote desktop protocol) access using a compromised account.
  3. Unauthorised access exploiting a known RCE (remote code execution) vulnerability.
  4. Unauthorised access to an internet-facing database using a compromised account.
  5. Unauthorised access using a social engineering (e.g., phishing email) attack vector.

Unsurprisingly, this correlates to the most prevalent attack vectors seen by other firms.

For example, let's look at the top five human-operated ransomware group kill-chains, specifically for initial access (taken from SentinelOne's Watchtower Report for 2023):

Initial Access techniques for LockBit
Initial Access techniques for BlackBasta
Initial Access techniques for Clop
Initial Access techniques for AlphV
Initial Access techniques for Play

Unauthorised access, not using zero-days, is gained by forcing an error on our side.

Examples include, clicking on phishing links, reusing passwords (for a compromised account), not installing software updates and unnecessary attack surface exposure.

These are behavioural issues, better solved with training, awareness and testing.

More products, same problems?

Getting the latest "pew-pew" map wont solve your problem.

Client's with really good security postures rely heavily on simplicity and security by design. I once had a talented CSO (chief security officer) describe his secure design philosophy to be simply "lean and mean". Complexity is truly the enemy of security.

Clients who often drift from one buzzword to the next - from one product to another - typically have one thing in common: They fail to truly understand their problem; and don't have the (right) people, processes or visibility for data-driven decision making.

For example, what controls could protect Transunion from weak passwords?

  1. You could perform an audit of all passwords to identify weak passwords.
  2. You could enable multi-factor authentication for internet facing systems.
  3. You could train developers/ database administrators on secure practices.
  4. You could have periodic penetration tests to identify all weak passwords.
  5. You could restrict access to authentication services to authorised sources.

Such solutions are effective - and none of the above require a new product purchase.

Keep in mind that the products (e.g., vulnerability scanners) failed to detect this issue. This may be indicative of an over-reliance and false sense of security in such controls.

Penetration testers often say that - a fool with a tool, is still a fool. You need talented, trained professionals and well-designed processes to convert products into solutions.

In the wake of a breach, ambulance chasers will push a product, as the panacea. Without any root-cause identification, incident analysis or forensic investigation? Think about that. Sadly, I only need to think back 48 hours for a prime example,... :(

Improve talent, testing & design.

Product spend is increasing while business value is diminishing

Training, testing, design and awareness (intelligence) are the foundation to robust and resilient defences. It can be surprising at how resilient your posture becomes when you have all basics in place. Over and above having the basics in place - when countering any asymmetric force - intelligence is key for efficient and effective resource allocation.

Snode and our approach.

Snode Technologies does not provide cyber defence systems alone. Our clients have unlimited access to our internal training, tooling, process design and intelligence, at no additional cost.

We no longer provide cyber threat intelligence as a subscription service - since we deem it a foundational requirement for all clients. Our training includes a host of global security specialists and subject matter experts. Design and testing teams are available to clients ensuring that all new technology innovation or adoption is secure by design.

If you would like to know more about Snode - or need Snode's assistance - contact us.