The two most important ways to defend against security threats

Patching and security training programs will thwart attacks more effectively than anything else. You're already doing them. Here's how to do them better.

An average of 5,000 to 7,000 new computer security threats are announced each year. That’s as many as 19 every day. The rate at which new threats appear makes it difficult to decide which ones require your attention. It might surprise you that, while your competitors waste money on high-tech, expensive, and sometimes exotic defenses, you can get far more value by concentrating on just two things you already do. You can spend less money, and nothing else you do will provide a better defense.

The two things you need to do better are not a secret. You already know you need to do them. You know from your own experience that what I’m saying is true. The data in favor of doing them is overwhelming. Still, most companies don’t do them well enough.

Change your security focus

Most computer security defenders focus on the wrong things. They focus on specific threats and on what attackers did after they broke in, not on how they broke in. There may be hundreds of thousands of unique software vulnerabilities and hundreds of millions of unique malware families, but they all rely on roughly a dozen initial exploitation methods to get into an environment, including:

  • Unpatched software
  • Social engineering
  • Misconfigurations
  • Password attacks
  • Physical attacks
  • Eavesdropping
  • User errors
  • Denial of service

Focusing on and reducing these root exploitation causes will go a long way toward defeating hackers and malware.

If you want to minimize computer security risk the fastest, identify the biggest root exploitation causes in your company that allow threats to do the most damage to your environment. Stop the biggest root cause and you stop every threat that uses that root cause.

So, what are the biggest root exploitation causes in most environments? Unpatched software and social engineering.

Without a doubt, these two root causes are responsible for the most successful and damaging attacks in most companies and have been for decades. One of these two root exploitation methods has likely been behind every big attack that has made news in the mainstream media. In my experience, when a company of any size, or even the military, suffers a big attack, it can be traced to one of those two root causes.

Your company’s experience may vary, and if it does, you can ignore this article. The biggest problems for the majority of readers are unpatched software and social engineering. If they fix those two things, it will do more to decrease security risk than all the other things they could do combined.

Better software patching

Both hackers and malware look for unpatched software as a way to break into an environment. They prefer unpatched software as an attack vector because it requires a minimum of end-user involvement. The hacker can attack network computers and services looking for unpatched software, compromise them, and then move on to further internal targets, if necessary. Or they can try to trick a user into opening an email or visiting a website that attempts to exploit an unpatched vulnerability.

Sure, attackers sometimes use software exploitations for which no vendor patch is available (zero-day exploits), but only a few dozen known zero-days are used in a given year compared to the thousands of publicly known exploits. In any case, it’s very difficult to prevent a zero-day attack and you would be far better off concentrating on the much larger, persistent threat. You don’t know if your company will ever be exploited by a zero-day attacker, but it will be attacked many times by threats looking to exploit unpatched software.

The key to driving down security risk the fastest is to concentrate on the highest risk software programs on your highest risk computers. Most companies try to patch every software program (and there are hundreds of thousands of unique programs) with the same effort. This approach is bound to fail. It’s a numbers game of applied effort times the number of devices and software programs you have to patch.

There is a big difference between the most unpatched programs in your environment and the software programs most likely to be exploited. If you understand that difference, then you understand this recommendation perfectly.

For example, for many years the most unpatched program on a Microsoft Windows computer was Microsoft Visual C++ Runtime Library. It was a program library that was redistributed with many third-party programs. Even though it was the most unpatched program, it was rarely exploited by attackers or malware. Why? Because it wasn’t easy to exploit. It could be located in hundreds of thousands of different folders and usually wasn’t advertising itself in a way that would make it easy to exploit. The same could be said for probably 95 percent of your installed software programs. They may be unpatched, but they aren’t often exploited.

Instead, other popular unpatched programs like Sun/Oracle Java, Adobe Acrobat, and internet browsers, which were in consistent locations and easy to exploit, became the go-to exploitation targets. On servers, web server and database server software became the go-to targets. For that reason, you are far better off trying to perfectly patch internet browser-related software on end-user computers and the services that advertise themselves on the network on server computers.

Look at your patch management program. Does it prioritize the highest risk programs over everything else? Do you accept a 99 percent or lower patch rate for your highest risk programs? If so, why? Do you even know what your highest risk programs are? What software programs are used to exploit your company the most? Does your patch management program include hardware, firmware, and mobile device patches? These are questions that need answers to deliver a stronger computer security defense.
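The questions above can be turned into a repeatable check. The following is an added example, not code from the article: it ranks an installed-software inventory two ways, by raw unpatched count and by unpatched count weighted by how likely each program is to be exploited, and flags every high-risk program whose patch rate misses the 99 percent bar. The inventory rows and the risk weights are constructed for illustration; in practice the rows come from your patch-management or asset system and the weights from your own incident history (which programs attackers actually used against you). Program names and weights are assumptions, not measurements.

```python
"""Rank patch work by exploitation likelihood, not by raw unpatched count.

Added example, not from the article. Inventory rows and risk weights are
constructed; replace them with your own inventory export and incident data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical exploitation-likelihood weights, 0.0 (rarely exploited) to
# 1.0 (go-to target). Mirrors the article's examples: browsers, Java and
# Acrobat on endpoints, web and database servers on servers, and the VC++
# runtime as a widely unpatched but rarely exploited library.
RISK_WEIGHT = {
    "Chrome": 1.0,
    "Java": 0.9,
    "Acrobat": 0.9,
    "IIS": 0.95,
    "SQL Server": 0.9,
    "VC++ Runtime": 0.05,
}

# Constructed inventory: (host, program, patched?)
INVENTORY = [
    ("ws01", "Chrome", False),
    ("ws01", "VC++ Runtime", False),
    ("ws01", "Java", True),
    ("ws02", "Chrome", True),
    ("ws02", "VC++ Runtime", False),
    ("ws02", "Acrobat", False),
    ("ws03", "Chrome", True),
    ("ws03", "VC++ Runtime", False),
    ("ws03", "Acrobat", True),
    ("web01", "IIS", False),
    ("web01", "VC++ Runtime", False),
    ("db01", "SQL Server", True),
    ("db01", "VC++ Runtime", False),
]


@dataclass
class ProgramStats:
    program: str
    installs: int
    unpatched: int

    @property
    def patch_rate(self) -> float:
        """Fraction of installs that are fully patched (1.0 means 100%)."""
        return 1.0 - self.unpatched / self.installs

    @property
    def risk_score(self) -> float:
        """Unpatched installs weighted by how likely the program is to be exploited.
        Programs not in the weight table get a small default weight."""
        return self.unpatched * RISK_WEIGHT.get(self.program, 0.1)


def summarize(inventory):
    """Aggregate per-program install and unpatched counts from inventory rows."""
    counts = defaultdict(lambda: [0, 0])
    for _host, program, patched in inventory:
        counts[program][0] += 1
        if not patched:
            counts[program][1] += 1
    return {p: ProgramStats(p, n, u) for p, (n, u) in counts.items()}


def most_unpatched(stats):
    """The ranking most patch programs use: raw unpatched count, descending."""
    return sorted(stats.values(), key=lambda s: s.unpatched, reverse=True)


def highest_risk_first(stats):
    """The ranking the article recommends: exploitation-weighted, descending."""
    return sorted(stats.values(), key=lambda s: s.risk_score, reverse=True)


def below_target(stats, target=0.99, min_weight=0.5):
    """High-risk programs (weight >= min_weight) whose patch rate misses target."""
    return [s.program for s in stats.values()
            if RISK_WEIGHT.get(s.program, 0.0) >= min_weight and s.patch_rate < target]


if __name__ == "__main__":
    stats = summarize(INVENTORY)
    print("By raw unpatched count:")
    for s in most_unpatched(stats):
        print(f"  {s.program:14} unpatched={s.unpatched} rate={s.patch_rate:.0%}")
    print("By exploitation-weighted risk:")
    for s in highest_risk_first(stats):
        print(f"  {s.program:14} score={s.risk_score:.2f}")
    print("High-risk programs below 99% patched:", below_target(stats))
```

On the constructed data the two rankings disagree exactly as the article describes: the VC++ runtime tops the raw unpatched list (every host has it unpatched) but falls near the bottom of the weighted list, while the browser, the web server and Acrobat come first and are the ones flagged as missing the 99 percent target.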

Better and more social engineering training

The other best defense you can implement isn’t software or a device. It’s training. For as long as computers have been around, social engineering threats, usually delivered through internet browsers or email, have been in competition with unpatched software as the leading root exploitation cause. Most of the biggest hacker attacks I’ve been involved with have involved social engineering elements, especially the ones that had the most lasting damage.

Social engineering hackers are famous for talking end-users out of their passwords and into allowing the hacker or malware to gain privileged access to sensitive resources. Users often mistakenly run Trojan horse programs or provide their logon credentials to fake emails and websites. Social engineering is so successful that many computer security defenders refuse to believe that more and better social engineering training is the answer, but it is!

Study after study shows that providing employees with awareness training, no matter how you do it, makes them less likely to be tricked by social engineering methods. Sadly, most companies do very little security training, often less than 30 minutes a year.

I was involved in a case study where two sets of employees were given social engineering training. The first “control” set was given the standard, mandatory 30-minute video. The second group was given two hours of training with a focus on the most common social engineering attacks the company actually faced. Both groups were then tested by fake social engineering campaigns every two months for a year.

The results? It wasn’t even close. The group given more training learned so well that not a single employee was tricked by the fake social engineering campaigns for more than six months, and they were far more likely to report real social engineering attempts than the control group.

I’m not sure exactly how much social engineering training should be given to employees, but I’m sure it’s more than 30 minutes a year and is probably measured in hours per year. Those hours don’t have to be all at once and training should be repeated at regular intervals and customized to match the type of real social engineering campaigns your company is seeing.

You can create your own social engineering training program or use the services of an existing training provider that specializes in it, like KnowBe4. KnowBe4 has been on my radar for a few years and is one of my favorite companies. It offers a ton of different training products and free tools to test your employees’ knowledge. It is led by uber social-engineering hacker Kevin Mitnick. Who better to learn from than the guy who basically put social engineering on the map?

Significantly improving your computer security posture doesn’t have to be expensive or complicated. The two best things you can do, improving your patch management and your security awareness training, are relatively low cost, and you’re probably already doing them. You just need to do them better.
