No Silver Bullets in Cyber Security

No Silver Bullets in Cyber Security

The recent Wannacry ransomware outbreak has focused a lot of attention on cyber security, specifically on the use of out-of-support Operating Systems and the critical importance of having an effective patching regime. Almost immediately after the initial analysis that using unpatched Windows XP was a major problem, there was a flurry of activity from the marketing departments of product vendors saying something along the lines of “Use our tool / product / service (delete as appropriate) and you’ll be safe from ransomware.”

But the truth is that there is no single silver bullet which will protect your system and the information it contains from attack. And there are an awful lot of attacks every day. For example, Microsoft[1] reported that in 2016, on average, over one million emails carrying ransomware downloaders were sent every month, with anything between 100,000 and 400,000 thousand actually encrypting one or more computers. And that’s just ransomware.

There is also ‘Support Scam’ malware that tries to lure you into contacting fake tech support; Rogue Security Software that pretends to detect and remove malware for a fee; Keyloggers that collect user names and passwords as you type them; Exploit Kits that check your PC for software vulnerabilities that they then try to exploit or Macro Malware that hides in Microsoft Word or Microsoft Excel documents and then downloads threats onto your PC as soon as you open the document. The list goes on and on and gets ever larger with we, the defenders, always playing catch up, as the attackers find new ways to target our systems.

Of course it’s not only hackers and cyber criminals that you need to protect against. You cannot always trust everybody you work with and in 2016, one of the top three cyber-threat concerns was the Insider Threat where malicious actions are performed, either deliberately or accidently, by people inside an organisation. During 2016, current and ex-employees, sub-contractors and suppliers have all been caught carrying out malicious attacks on computer systems and security networks.

There are things which can help protect your network from each of these attacks and attackers such as up-to-date Anti-Virus, which will stop most malware laden emails from getting anywhere near your in-box and effective patching, which will prevent a lot of malware from being able to run. But these won’t stop a disgruntled member of staff from stealing your intellectual property on a USB stick[2] or loading a logic bomb onto the IT network that will start deleting files after they’ve left the company[3]. May seem far-fetched but these things have happened. For these sorts of threats, effective protection would include Data Loss Prevention software from companies such as[4] Digital Guardian; Forcepoint; Intel Security and Symantec and a Protective Monitoring solution like Splunk or Arcsight, implemented to a framework such as the UK National Cyber Security Centre’s GPG13[5].

I’ve been doing cyber security stuff for 20 years or so although it wasn’t always called cyber. I work in a specialist Cyber Security Consultancy, for the last two years contracting as the interim Chief Security Officer for a network with a couple of hundred thousand users worldwide. Before that I commanded the British Army’s first Technical Security Team and spent three years running the U.K. part of Exercise CYBER GUARD, the world’s biggest real time cyber defence exercise. All the things I’ve mentioned above I’ve seen at first hand. The big thing I’ve learned is that there is no single tool, process or procedure that will protect you and nothing at all will provide 100% guarantees. But an onion layer of security measures blending together a variety of controls such as good Boundary Protection, effective Patching Policies, Logical Access Control, Separation Of Duties, Anti-Virus, Protective Monitoring, off-site unconnected Back-Ups and decent physical security with a tried and tested Incident Response Plan is likely to result in an acceptable level of risk.

And this isn’t just my opinion. Big hitters like the UK’s National Cyber Security Centre and the SANS Institute recommend the same approach in their ’10 Steps to Cyber Security[6]’ and ‘Top 20 Critical Security Controls[7]’ respectively.

Implementing the controls is the technical part of Cyber Security and can be achieved by a reasonably proficient IT Department without recourse to a Cyber Security professional. The art comes in knowing which controls to implement and to what degree in order to achieve a cost effective level of security. That frequently is where you may need outside help. So, can you implement such a regime yourself? Do you have an IT department that can do it for you? Or are you going to call in specialist help? Whichever it is, you need to address the issue now if you want to avoid being a victim of the next cyber-attack.

This is the first article in our series focussed on Cyber Security for the SME. To make sure you never miss this insightful, actionable content, or to request a specific topic,  sign up to our newsletter, follow us on LinkedIn, or contact us directly.