Cybersecurity is a complex term. It has become all-encompassing and is constantly evolving to include new and emerging technologies, attacks, actors, and a myriad of other points. What this means for organizations large, medium, and small is that each must have a cybersecurity plan in place.
An interesting point, however, is that despite the mindshare cybersecurity now enjoys, the industry itself is still in its relative infancy. The first hack is commonly believed to have taken place in 1988, when Robert Morris released the Morris worm, which caused an inadvertent Denial of Service (DoS) across much of the early Internet. He was subsequently prosecuted for releasing the worm and became the first person convicted under the Computer Fraud and Abuse Act (CFAA).
In the 30-plus years since the Morris worm, we have seen a myriad of attacks, and doubtless many more have gone undetected. A key observation in the evolution of attacks is the shift in the threat actor's motivation. DoS attacks still occur, but today they tend to be monetized through extortion of the target, whereas early on, such attacks could be viewed more as cyber hooliganism. Attacks have morphed to the point where we now see an almost constant stream of them, and that stream is unlikely to stop.
Why? Because in the modern connected world, data has become an extremely valuable resource for companies and attackers alike, and defending it against an aggressive and determined attacker is not simple.
One of the key changes we have seen at Trustwave is in how we detect and protect against attacks. The cyber maturity of organizations varies greatly, but one commonality is that they all exist in a connected world. This connectivity is certainly a positive, but it also means everyone can be targeted equally.
To an attacker, it does not matter whether your organization is a member of the Fortune 500 or a five-person firm; attackers do not discriminate. You may not consider the single email address you use to send invoices an attack vector, but invoice fraud, in which a criminal compromises or spoofs that mailbox to redirect a payment, remains a common and successful attack.
The connected world is dangerous, and nefarious actors are always plotting, but organizations can take steps and initiate a few programs to keep cybercriminals at bay.
It's important to take a step back, consider where you want and need to be from a cybersecurity point of view, and then take the necessary steps to achieve those goals. A cybersecurity strategy and roadmap will help you get there. We have examples of what this looks like in Trustwave's Security Colony, and we have expertise in assisting organizations of any size through the process of refining a strategy and roadmap.
From here, you can invest and build in the right places, taking incremental steps in the right direction and in the right order. In the case of the Red Team without defensive capabilities, consider a . Deployment of a third-party option can be easier and quicker with the right experts on hand to guide you through the process.
Proactively discovering your weaknesses with penetration testing is one of the best methods of staying secure. Thanks to regional regulations, larger organizations are often better protected because they are required to carry out some form of penetration testing. Smaller firms may also carry out penetration testing or vulnerability scanning. But is this enough, for either large or small organizations?
On the surface, the answer might be no, as we've seen some huge organizations victimized over the years. These breaches are often the product of a cybercriminal's creativity, which may have been helped along by poorly scoped and designed penetration testing. The key to preventing this, and to building a successful cybersecurity program, is to ensure that any penetration test is scoped effectively and considered from both directions: outward from your critical assets and inward toward them. When scoping, start from the targets of the attack. Ask what an attacker would hope to gain from attacking your organization, and scope accordingly so that the access routes to those areas are part of the test.
Much like the complexity in the term 'cybersecurity,' there is complexity in how to build a robust program. For example, a penetration test conducted once a year that identifies the same low-risk issues in each cycle is unlikely to provide value, or the right level of confidence in your security. At the other extreme, a Red Team test that uncovers numerous attack paths and leaves you needing to rearchitect your entire environment is likely not the result you were hoping for, particularly if you have minimal defensive capability; it will, however, divulge weaknesses that can then be fixed.
An effectively scoped penetration test should identify issues within your environment that can be exploited to gain further access and, where appropriate, demonstrate that exploitation. The test should result in a report that includes both recommendations against the specific vulnerabilities uncovered and more strategic recommendations that limit attack chaining and increase security maturity.
The above examples cover only a small portion of the activity that falls under the umbrella of penetration testing. Pen testing, sometimes referred to as Offensive Security, encompasses a lot of ground. It is a broad, general term that includes Network Penetration Testing, Web Application Penetration Testing, Web Services Penetration Testing, Mobile Application Penetration Testing, Cloud Reviews, Firewall Reviews, Network Segmentation Testing… I could go on and on. The very nature of penetration testing is agnostic to target type and technology. Therefore, when commissioning penetration testing, it's important to understand the differences between the types of engagement and what each one's scope covers.
Whether penetration testing is an internal or external activity, testing the correct aspect of your business is essential. If you develop and sell production applications but your security program focuses only on the security of corporate networks, you should consider expanding the program to include testing your products. You can achieve this in several ways, depending on how you develop and deploy your products. Whether you have adopted, or are considering adopting, a Secure SDLC and/or DevSecOps practices, a review of the process can be a powerful tool in improving and refining those practices.
Choosing the right partner can be key to successfully defending your organization, but the selection process deserves serious thought. Ensure the partner can scale with you and provide the right services for your strategy. Consider these points as part of your strategy, particularly if regulatory compliance requires specific certifications.
As businesses grow, evolve, and scale, so does their cyber risk. Building out an internal security program is part of a successful strategy, but the current skills gap in cybersecurity makes this a challenge. Working with a partner can help ease that burden and navigate the numerous difficulties that often appear, whether that is correctly scoping penetration testing, helping design a cyber strategy with a vCISO advisor, or enhancing defensive capabilities through incident response support or detection services.
Navigating cybersecurity challenges can be daunting and difficult, so be sure to choose a vendor that can help support and further your program.
The threats we face in a connected world are well reported, and even as new attacks and exploits develop, the cybersecurity community comes together to collaborate and defend its interests. We must remain prepared and practice for the worst-case scenario. At the time of the Morris worm, the connected world was new and evolving. We cannot prepare for the exact attacks and 0-days we will face, but we can at least be prepared and well-rehearsed.
Tabletop exercises can be an extremely useful tool for organizations. A tabletop exercise simulates an actual attack, with a series of injects (new pieces of information fed to the participants as the scenario unfolds) based on threat scenarios and the organization's structure. These exercises, sometimes referred to as 'InfoSec D&D,' also help develop teamwork, and they are a great tool for highlighting gaps in process, procedure, and organizational clarity. Scenarios can also be tailored to an organization based on its technology, penetration testing results, and potential impact.
One thing I can say with confidence is that cybersecurity will continue to evolve to encompass new and emerging threats and attacks. The next 30 years will likely hold as many surprises as the previous three decades. The evolution of the simple worm is staggering, from the Morris Worm to Raspberry Robin. We know attackers will continue to get creative, which means cyber defenders must follow suit in our efforts to detect and protect.
We will continue to support the evolution of cybersecurity through managed services, hands-on assessments, and consulting, helping you adopt new trends and technologies and protect against old, new, and emerging threats.