Tim Simons, UK Security Product Manager at Proact
To understand how an attacker chooses a target we’re going to put ourselves into the mind-set of a cyber-criminal. Much like a burglar casing a property, cyber attackers are looking for indicators that a potential target is weaker than the others.
The cyber-criminal is likely to conduct simple reconnaissance using freely available information obtained through advanced search engine queries (known as ‘Google hacking’) and other online tools. It’s surprising just how much information is available via your organisation’s online presence. Whilst the results may not necessarily provide a direct vulnerability to exploit, they can provide the attacker with valuable insights into the security posture of your business.
Poor configuration issues would suggest that overall security is not at the forefront of the organisation’s visibility or high on their list of concerns. Therefore the attacker knows they are likely to meet less resistance and fewer controls when trying to gain entry. The same thought process could apply to a burglar who chooses a property without a fence, perimeter lighting or visible cameras. They’re much more likely to select this than other properties in the area that are better protected.
Just as burglars will assume that even poorly protected properties will reap some kind of reward, a cyber-criminal will consider enterprises in the same way. Whilst the target may not hold 500,000 credit card details or extremely sensitive secret industry intellectual property, they will be exploitable in other ways. There’s ransomware, financial fraud, credential theft or routes into other organisations (supply chain attacks), just to name a few methods. So the rewards may be less but if the effort required to get them is minimal, then the effort, risks and rewards are justified and this makes any organisation a potential target.
The truth is that no guarantee can ever be made for complete protection. Even the most sophisticated security defences can be vulnerable and thus breached if enough resources are dedicated to the task. However, organisations can make reasonable efforts that will return good enough levels of protection against the majority of adversaries.
What you can do
Planning your defences against a nation state actor is not a realistic target for the average organisation, but defending against the average opportunistic cyber-criminal is. By layering in some basic controls and monitoring your systems, you can drastically reduce the chances of a successful attack and greatly increase the effort that’s required to make an attack viable and worthwhile.
We refer to this as the ‘Work Factor’:
“An estimate of the effort or time needed by a potential adversary, with specified expertise and resources, to overcome a protective measure”
Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies
So even small increases in cyber defences will reduce the number of adversaries who will not only be capable of targeting your organisation, but also those who will be willing to put the effort in to do so.
Want to improve your cyber security approach? Learn more about Proact’s SOC services that can help you protect your organisation against emerging and existing threats in a cost-effective way.