Cyber security to protect your business

As malicious hackers develop increasingly sophisticated and effective techniques to attack business systems, we look at some of the most potent emerging threats, and the cyber security advances being made to combat them.

• 22 July 2022

Why online security is important

Within the next three years it is predicted that 50%, or 100 zettabytes, of all the world's data will be stored in the cloud. For businesses, healthcare services, and other organisations to stay up and running, it is vital that this data is safe. Experts predict that by 2025 the global cost of cyber attacks will be in excess of £8 trillion. Businesses looking to avoid becoming part of this statistic are already investigating ways to update and reinforce their cyber security.

Existing online threats

Phishing remains the most pervasive online threat to businesses, accounting for 37% of all cyber attacks. Smishing and whaling have also been increasingly used by the criminal community, with the former sending text messages to trick users into compromising sensitive information, while the latter imitates messages from senior executives, asking employees to perform actions that will compromise sensitive data (like making a bank transfer to a bogus account, for example). Studies suggest that while most people know what a phishing email is, around 97% cannot distinguish one from a legitimate email. With phishing techniques becoming increasingly sophisticated and personalised, this percentage is only likely to grow.

Other existing cyber threats include: network intrusion, accidental disclosure, lost or stolen devices, and system misconfiguration. The nature of these attacks suggests they can be prevented if staff are provided with the right tools and training. Staff members are the last line in a business' defence against cyber attacks, so training your users on how to spot and avoid such activity is critical. Despite this, 54% of UK users said their employers provided no training in cyber security, and when asked to choose between a fast internet connection or a secure one, one in three businesses chose the fast option.

Changing threats in 2022

Software supply chain attacks targeting systems in the DevOps cycle are predicted to grow in the coming years. This means we can expect to see DevOps tools and pipelines, such as Kubernetes environments, and infrastructure as code (IaC) deployments, targeted by cyber criminals, attacking the source of a business' infrastructure. Ransomware is also likely to become increasingly effective as economic shortages make it more likely that organisations will pay up, rather than risk further losses.

The rise of 5G, the proliferation of IoT devices, distributed networks, and other technological advancements present evermore opportunities for cyber criminals to exploit vulnerabilities in systems. These potential vulnerabilities are referred to collectively as "the attack surface".

Identifying the attack surface

The "attack surface" is the breadth of potential vulnerability within a company. The more links there are in the software supply chain, the greater the attack surface, and therefore, the greater the potential vulnerability. Committing code, building, testing, staging in pre-production environments, then deploying to production environments are all links in the software develop chain. Every product or service used with any of these links creates a potential vulnerability, broadening the attack surface. Potential vulnerabilities discovered in the attack surface are referred to as "attack vectors".

Adopting new cyber security approaches

To meet the increasing cyber threats and ensure the entire attack surface of a business is robustly protected, a range of measures may be adopted, including:

• Attack Surface Management (ASM)
• Zero-trust architecture
• Extended Detection and Response (XDR)
• Artificial Intelligence (AI) and Machine Learning (ML)

Attack Surface Management (ASM)

As mentioned above, a business' attack surface is the totality of its potential vulnerabilities, which is comprised of all digital assets and data, regardless of whether they are secured, unsecured, in the cloud, on local servers, or hosted by third-party vendors. Attack surfaces are dynamic, changing every time another link is added to the software lifecycle chain; whenever a component used in that chain is retired or upgraded; whenever new users are added; or when new devices are introduced.

The key to effective ASM is to think like an attacker. Attackers will analyse attack surfaces, seeking to hone in on any potential vulnerabilities that will allow them unauthorised access to a business' assets and data. The attack surfaces most frequently targeted are those with the most vulnerabilities, or those that have vulnerabilities that are easily exploited. Security teams need to continuously perform reconnaissance analyses to interrogate the attack surface for vulnerabilities. These analyses should detect threats like weak passwords, outdated or unknown software, encryption issues, and system misconfigurations. There are five stages to effective ASM.

Discovery

You can't protect an asset if you don't know it exists, so the discovery phase is critical to any ASM plan. Unknown unknowns present significant potential vulnerability, and the discovery phase of any ASM should seek to make these known so appropriate remedial action can be decided. Knowledge of the attack surface needs to be comprehensive and detailed. Components may include: web apps, services, and APIs; Mobile apps; cloud storage and network devices; domain names, SSL certificates, and IP addresses; IoT devices; pubic code repos; and email servers.

Continuous analysis

Components of the attack surface identified during the discovery phase are almost certainly not static. This means that analysis of the attack surface needs to be continuous. The specific intervals appropriate for conducting these reconnaissance analyses will be dependent on the nature and size of the business, but every analysis needs to be as thorough and comprehensive as those conducted during the discovery phase.

Context and classification

Business assets will vary in importance, and that variance will itself be different depending on context. It is therefore necessary to analyse each identified component of the attack surface to assess and record its technical significance, business criticality, compliance requirements, or any other characteristics deemed important by the business.

Prioritisation

It is unlikely that any security team will have the resources to remediate every potential vulnerability discovered. That's why prioritising where efforts to remediate should be targeted is key to a successful ASM. Tools that assist with this phase might offer risk ratings to help quantify the potential threat to a business if a vulnerability were to be exploited. Analyses on factors such as the discoverability of a vulnerability, its ease of exploitation, and its likely value to a malicious actor should be conducted to ascertain appropriate priorities for every attack vector.

Reporting and remediation

It's usually considered best practise to automate as many of the remedial actions as possible in your ASM. This ensures a consistent approach, negates the potential for human error, and frees up the time of your security team to focus on other areas of urgency or importance. Reports and analytics help inform the security team on how well the tools they've configured are working, presenting opportunities to tweak them as necessary. Reports can also be useful to share among with wider team for education, and with stakeholders to demonstrate how potential vulnerabilities are being identified and tackled.

Zero-trust architecture

Zero-trust has become popular over the past few years, largely due to a combination of the COVID-19 pandemic accelerating the adoption of remote working environments, and movement of data storage from traditional local servers to the cloud. It is a security framework that requires all users, whether internal or external to the network, to be authenticated, authorised, and continuously validated to access (or maintain access) to resources. This is achieved with a range of technologies, including: multi-factor authentication, identity protection, data encryption, and cloud workload systems.

Zero-trust architecture is a significant deviation from traditional access and authentication methods, which operated on a "trust, but verify" basis. It acknowledges that one-time verification (usually at the point of access) is insufficient, due to threats and user attributes being subject to change during active sessions. This means that real-time monitoring of every user connected to the network must be continuously exercised, assessing and validating user identities, permissions and privileges, geo location, and other information.

Extended Detection and Response (XDR)

XDR is replacing the more traditional security measure of Endpoint Detection and Response (EDR) as cyber security evolves. XDR goes beyond endpoint monitoring and analysis to provide simplified and holistic analytics across the entire technological ecosystem of any business in real time. It offers a means of decentralising cyber security practices, and collects data from endpoints, emails, networks, servers, and cloud workloads, with enhanced visibility of all data and the ability to drill down for further analysis.

XDR approaches also prioritise threats, having the ability to recognise unexpected, but harmless anomalies while simultaneously identifying surreptitious exploitation attempts and responding immediately. This automated threat detection and response reduces the need for security teams to continuously write and update rules, enabling them to focus on more urgent or potentially threatening issues, and therefore helping to improve the overall security efforts of the business.

XDR approaches incorporate multiple security products into unified, orchestrated detection and response workflows, creating powerful, bespoke, SaaS-based tools that provide improved protection and faster outcomes, while simultaneously helping security teams work more effectively and efficiently.

Artificial Intelligence (AI) and Machine Learning (ML)

As with all technology, AI and ML are morally neutral. It is their application that can be either malicious or benevolent. Cyber criminals are already using these technologies to accelerate botnet infections, create increasingly convincing phishing scams, disguise malware as legitimate network traffic, crack passwords, and perform many more hostile activities. Security teams must embrace AI and ML if they are to stay ahead of the criminals.

AI and ML have a number of cybersecurity applications. Supervised and unsupervised ML can be used to detect and prevent even the most sophisticated of botnet attacks. AI is providing increasingly more useful information on anomalous incidents, helping detect fraud with greater accuracy. As we've already seen, phishing is still the number one cause of system compromise in businesses, but AI is also stepping up to help prevent this, with spam filters becoming better at recognising suspicious wording in emails. Identifying specific types of data with AI has also helped reduce data leaks, with software that learns how to identify if text, image, audio, and video data contains potentially sensitive information, and preventing its dissemination. And when combined with more traditional approaches, AI can be used to detect 100% of malware incidents, essentially eradicating a business' vulnerability to such attacks.

These are just some of the general practices that are being developed to protect businesses from cyber crime. The most effective strategies will likely be bespoke and use a combination of these practices along with other other methods. To find out more about how to keep your business safe from online attacks, drop us a message or call +44 (0)8456 808 805.

Security teams must embrace AI and ML if they are to stay ahead of the criminals.