Every day we’re inundated with news reports about the latest high-profile hack or malware outbreak. We hear how companies get shut down or have to pay large sums of money just to get their own data back. We read these articles like thriller novels — eager to hear how the events unfolded and what the victims had to go through.
Unfortunately, while usually newsworthy, these reports almost always lack many details. However, they often share one common theme: The victim was said to be the target of a “sophisticated” attack.
I’m here to tell you that’s probably not true.
The Hard Truth
The hard truth is, most security breaches are caused by simple failures. Yes, there are cases of exotic software exploits and nation-state attacks, but even those advanced attackers are relying on their victims to make simple mistakes first.
One might assume that simple mistakes are reserved for small and underfinanced businesses that can’t afford cybersecurity help, but that’s not the case at all. In my many years of cybersecurity and forensics, I’ve worked for companies of all sizes and they all tend to make the same simple mistakes.
Every company I’ve worked with during breach recovery has made a combination of the following mistakes:
Relying On Single-Factor Authentication
Relying on usernames and passwords alone isn’t enough. When a user is tricked into giving up their credentials to an attacker — usually through phishing emails — there isn’t much they can do except change their password. Unfortunately, that also requires the victim to realize they have been tricked, which is rarely the case.
Multifactor authentication (MFA) is not only easy to enable but almost always free, and it can prevent roughly 99.9% of account compromises.
This isn’t a secret, so why do so many companies choose not to implement MFA? Usually, it comes down to convenience for their employees. This has been the case every time I’ve encountered a business email compromise breach. The company knew they should be using MFA but simply never made the time to turn it on.
Allowing Users To Have Administrative Privileges
It’s admittedly much easier to use a computer when you can install your own software and change your own settings. However, that same level of privilege also makes it possible for most malware or ransomware to spread.
Malware is a piece of software. If users aren’t able to install software, most malware is stopped in its tracks. In the cases where malware is run directly — for example, from a user’s downloads folder — the damage will still usually be limited to that user’s computer. Modern malware uses local administrator permissions to spread, and limiting administrator access can stop that spread.
As with MFA, this step isn’t a secret either — it’s also free. The reasons for not limiting administrator access are also the same: It’s easier to allow everyone to have an administrator role.
While this practice is less prevalent in very large enterprises, it still exists in the vast majority of small and mid-size businesses. Limiting administrator access takes effort to implement, but every IT and security engineer knows its value.
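A quick way to see how far a business has drifted from this practice is to audit who actually holds local administrator rights. The following is an added example, not code from the original article; it assumes Windows 10 / Server 2016 or later (where Get-LocalGroupMember exists), an elevated PowerShell session on the machine being checked, and a baseline list of expected members that you adjust to your own environment.

```powershell
# Added audit example: list members of the local Administrators group and flag
# anything that is not part of the expected baseline. The baseline below is an
# assumption; replace it with the accounts and groups your organization sanctions.
$expected = @('Administrator', 'Domain Admins')

$members = Get-LocalGroupMember -Group 'Administrators'

$unexpected = foreach ($m in $members) {
    # Name comes back as COMPUTER\user or DOMAIN\group; keep only the account part
    $shortName = ($m.Name -split '\\')[-1]
    if ($expected -notcontains $shortName) {
        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass      # User or Group
            PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, etc.
            SID             = $m.SID
        }
    }
}

if ($unexpected) {
    Write-Warning "Accounts with local administrator rights beyond the baseline on $env:COMPUTERNAME:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators group on $env:COMPUTERNAME matches the baseline."
}
```

Every ordinary user account that shows up in that warning is one whose phished credentials or mistakenly run download would give malware the local administrator permissions the section above describes.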
Failing To Update
In March 2017, Microsoft released a critical security patch for their server platform called MS17-010. Two months later, the world was rocked when the WannaCry ransomware was released. WannaCry was responsible for over $100 million in losses in the U.K. alone, as well as the closure of hospitals and businesses around the world.
The reason: The organizations affected by WannaCry simply didn’t apply the free critical security update published by Microsoft during that two-month lead time.
Cybercriminals are constantly scanning the internet for outdated servers and websites. IT and security professionals know this, too. We can see it in security logs all day long. Yet this still isn’t enough for many companies to patch in a timely manner. It’s not always easy, but it’s always necessary.
But What About Nation-State Attackers?
Writing as someone who, in the distant past, had a system hacked by a nation-state attacker, I can tell you they are looking for a simple means of entry. While many government actors have exotic, custom and dangerous tools at their disposal, they also know that using those tools exposes them. In my case, the boss demanded access to the system and created a guest user account with the password “password.” I’ve learned a lot since those days.
Are nation-state attackers a concern? Absolutely they are. However, the majority of their tactics and procedures can be thwarted by following simple best practices like the ones above. Like all other attackers, they’re relying on businesses to make simple mistakes. You may never be the target of a nation-state, but you’re certain to be the target of an attack.
Perfect security doesn’t exist, but poor security does. Take the time to implement the easy security practices and avoid the simple mistakes — it makes all the difference.