Russians, APTs and Cyber Security: What’s So Common about Common Sense Anyway?
January 24, 2017 | Security and Risk | John Worrall
While the world awaits the next titillating chapter of the ongoing saga involving Russia and the U.S. presidential election, there is one section of the recently released Joint Action Report (JAR) compiled by the DHS and FBI that has gone unnoticed and woefully under-reported, and it is worth digging into.
Yes, there was a lot of discussion as to whether the JAR achieved its goal of proving that the Russians tampered with the U.S. election, but I didn’t see a single report on the section that every business and agency should pay attention to – the mitigation strategies for preventing cyber attacks.
In the “Top Seven Mitigation Strategies” section of the report, the DHS states:
DHS encourages network administrators to implement the recommendations below, which can prevent as many as 85 percent of targeted cyber-attacks. These strategies are common sense to many, but DHS continues to see intrusions because organizations fail to use these basic measures.
Let that sink in… 8 out of 10 cyber-attacks could be stopped if organizations embraced “common sense” and basic cyber security strategies.
Is Common Sense Really That Common?
It can’t be that easy, right? Surely the DHS is highlighting advanced cyber security strategies that are too time-consuming, costly and intrusive for organizations to implement. Let’s look at the recommendations:
- Patch applications and operating systems
- Application whitelisting
- Restrict administrative privileges
- Network segmentation and segregation into security zones
- Input validation
- File reputation/AV tuning
- Understanding firewalls
Well, I have to agree with DHS on this one – these are basic, they are common sense, and they are eminently achievable by any organization that cares a modicum about cyber security. Yet far too many organizations either aren’t aware of basic security best practices or, worse, simply choose to ignore them.
While we’re channeling righteous anger at the prospect of Russia interfering with the U.S. election, could we spare some indignation for the continued failure to address basic security issues?
This isn’t a political issue. This is a problem that spans the public and private sectors.
Why We Fail To Embrace Basic Security
This is a question that keeps me up at night – why? Is it an issue of awareness?
Well, many of these recommendations are found in long-standing compliance regulations, including HIPAA, PCI DSS, FDCC, Government Connect, FISMA, SOX and more.
On the Federal side, the U.S. GAO has issued reports highlighting critical cyber vulnerabilities at the FDA, the FDIC, the IRS, the Department of Education and the FAA, and, in one case, called out 24 agencies in a single report. These vulnerabilities align with the seven steps outlined above.
Private enterprise hasn’t proven to be much better (don’t worry, John Podesta, you aren’t alone) – spear phishing campaigns have been used to attack major global banks, retailers and technology companies.
Is it a case of a lack of funding and spending? I’d say no. According to IDC, in 2020, organizations are expected to spend $101.6 billion on security software, services and hardware.1 We’ve seen other estimates that go even higher.
Can We Be Secure?
It’s a tough question to answer when basic cyber security practices are met with an audible sigh across all sectors. We’ve reached a point where the entire ecosystem – politicians, Federal and State government, media, security vendors and businesses – is talking at each other about security, but no one is really listening.
We’re on a cyber security carousel with no sign of it stopping – we call out the same vulnerabilities and issues again and again, yet there’s little action to actually address the fact that we’re leaving our front and back doors open to our geopolitical enemies, and to anyone else who wants to come in.
1 – IDC Press Release, “Worldwide Revenue for Security Technology Forecast to Surpass $100 Billion in 2020, According to the New IDC Worldwide Semiannual Security Spending Guide,” October 12, 2016