It seems that there is one constant in cyber security: the feeling that the situation is dire. For years, anti-fraud and cyber security solutions have lagged behind their adversaries, mostly due to the rise of malware. The innovation coming from the cybercriminal circles known today as the dark web, specifically the HTML injection and Man-in-the-Browser features that were added to the popular banking malware families Zeus and SpyEye, forced anti-fraud solutions to play catch-up. On the information security side, the “defend the perimeter” doctrine proved powerless to stop nation state-backed actors and their methods of gaining access to organizations’ internal networks. It took several years for a new generation of security solutions to emerge that focused not only on the perimeter, but also on what is going on within the network.
In both the anti-fraud and the cyber defence space there was an abundance of news about successful attacks, and today does not seem all that different. Every day we hear of another organization being victimized, and much like in the past it often involves malware; today it is specifically ransomware. However, there is a difference between what is happening today and the woes of the past.
The issues we experience today are not due to defensive technologies lagging behind. After all, as I’ve mentioned in a previous column on SecurityWeek, the methods used in these attacks are over a decade old. Instead, one of the main issues is the failure to properly implement security practices. The technologies exist, but they aren’t necessarily being implemented correctly, if at all. Take for example the results of our research, which I’ve discussed in an earlier column, where we found that only 8% of the Federal Credit Unions we sampled implement strong E-mail security (SPF and DMARC). As these organizations are financial institutions, and are targeted by cyber criminals as such, one could expect them to be at the top of their cyber security game. In reality, however, the majority have implemented permissive policies, with some credit unions not implementing any E-mail security at all. This lack of strong policies leaves their customers and employees more susceptible to fraud and cyber attacks. While faults can be found in larger and more security-savvy organizations, smaller organizations appear to be more prone to implementing security measures improperly or not at all. Unfortunately, this creates a problem that isn’t contained to the smaller organizations at fault, but affects everyone.
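To make the distinction between “strong” and “permissive” E-mail policies concrete, here is an added example (written for this column, not part of the original research) that classifies a domain’s SPF and DMARC posture. The domains and TXT records are constructed; a real check would query DNS instead of reading the inline dictionary.

```python
import re

# Constructed sample DNS TXT records for three hypothetical domains (not real lookups).
# "@" holds the apex TXT records (SPF), "_dmarc" holds the _dmarc.<domain> TXT records.
SAMPLE_TXT = {
    "strong.example": {
        "@": ["v=spf1 include:_spf.mail.example -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"]},
    "permissive.example": {
        "@": ["v=spf1 include:_spf.mail.example ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@permissive.example"]},
    "missing.example": {
        "@": ["some-verification-token=abc"],
        "_dmarc": []},
}

def spf_policy(txt_records):
    """Return the SPF 'all' qualifier: 'reject' (-all), 'softfail' (~all),
    'neutral' (?all, +all or no 'all' mechanism), or None if no SPF record."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            if not m:  # no 'all' mechanism (redirect= modifiers are not followed here)
                return "neutral"
            return {"-": "reject", "~": "softfail"}.get(m.group(1), "neutral")
    return None

def dmarc_policy(txt_records):
    """Return the DMARC p= tag (none/quarantine/reject) or None if no record."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
            return tags.get("p", "none").strip().lower()  # p= is mandatory; tolerate its absence
    return None

def classify(spf, dmarc):
    """'strong' only when SPF hard-fails and DMARC enforces (quarantine/reject)."""
    if spf is None and dmarc is None:
        return "missing"
    if spf == "reject" and dmarc in ("quarantine", "reject"):
        return "strong"
    return "permissive"

def assess(domain, zone=SAMPLE_TXT):
    records = zone.get(domain, {})
    spf = spf_policy(records.get("@", []))
    dmarc = dmarc_policy(records.get("_dmarc", []))
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "posture": classify(spf, dmarc)}

if __name__ == "__main__":
    for d in SAMPLE_TXT:
        print(assess(d))
```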
During the shift away from perimeter defence there was an often-used term in the industry, the “extended organization”. This term referred to the need to expand the defences’ coverage not only inwards, to what happens within an organization’s internal network, but outwards as well – to external threats. The term was used to note that an organization doesn’t begin at its internal networks and end at its perimeter – it has suppliers, vendors, service providers and more that can affect its security. In today’s world, with supply chain attacks in the spotlight and the move to SaaS and cloud services, the idea has never been more relevant (though the term may no longer be needed, as the perception has successfully changed).
When smaller organizations are left undefended, large organizations are impacted as well. No matter how well defended a large organization is, it is still part of a larger environment that includes smaller organizations. While vendor security assessments have been growing in popularity, and they are indeed an important practice, they don’t necessarily cover everything. Enterprises aren’t always in a position to perform a security assessment on every vendor, and some relationships do not allow an assessment in which the vendor participates. For example, registrars, web hosting companies and many SaaS-based services do not necessarily have a relationship with each customer that enables a thorough vendor assessment.
As long as smaller organizations lag behind, everyone’s security posture will be affected, and we’ll continue to feel that the situation is dire. That said, the security industry still seems deeply focused on catering mostly to large enterprises, building expansive and expensive solutions that seem designed for large SOCs. As today’s main adversaries seem to be using techniques that are a decade old, perhaps it is time for another paradigm shift: a new defence doctrine, one which understands that we’re only as strong as our weakest links and starts focusing on securing smaller organizations as much as we do large ones.