It has always been the case that when it comes to the security perimeter, it starts and ends with you, the end user. But a new report from RSA summarizing a security summit meeting held earlier this summer shows exactly how things are changing. The attack vector has shifted squarely to social engineering. “Anyone can be phished given the right context,” especially given that more attackers have more information about each of us. Thanks to Facebook, LinkedIn et al. they can use this information to identify the right targets within an organization and they can easily customize and personalize their pitch. It is a chilling document to read.
Some of the major highlights from the report:
Organizations should plan and act as though they have already been breached. Start planning now.
The key is to know what digital assets are important to protect, where they reside, who has access to them and how to lock them down in the event of a breach.
There is a rise in adversaries attacking third parties simply to beta test techniques to be used on actual targets. IT Managers should be aware of these trial balloons and recognize them as potential threats on their own organizations.
We’re only as strong as the weakest link in our supply chain. This means that your trusted partners shouldn’t be trusted so much. Some attacks have moved further upstream in the supply chain to gain access. Consider paying for an independent security audit of your key partners.
Responses to security incidents is a whole organization function, not just a provence of the IT security operations. You should consider having security response drills and planing for automated remediation activities, and making periodic tests to ensure everything works.
Malware is custom-written, sometimes minutes before attacks are begun. I saw examples of this when I attended a seminar at Symantec this past summer where we designed our own malware and saw how easy it was to produce custom code. “Attackers are increasingly agile and can take advantage of vulnerabilities more quickly than signature-based approaches can remediate,” says the report.
The IT security industry needs better frameworks for communicating threat information. These should include standardized reports and more technical and more automated resources to make sharing threat data easier.
Like a Chicago voter, IT security workers need to be out detecting attacks early and often. This is a continuous process.
Think beyond theft of data. Poisoning, disruption or embarrassment are all valid end goals of many attacks, as we have especially seen this past year.
Security by simplicity. As our IT infrastructure gets more complex, it becomes easier to penetrate. As Thoreau said, simplify. Decommission outdated systems. Choose the simplest solution whenever possible. Eliminate non-essential pathways.
RSA plans on taking some of the knowledge it acquired through this research on a road show, and the link above will eventually have the schedule posted. Maybe Anne Robinson can start a new TV show looking at IT security next!