The Fight Against Cyber Threats Requires a Dose of Common Sense
It is widely understood that common sense is not common. It is more frustrating when the approaches some organizations use to prevent cyber attacks on enterprise assets lack the application of common sense. This article documents recent studies on how often several large organizations scan their networks to identify vulnerabilities and improve their security posture. While zero-day attacks (malware introduced into cyber space for which countermeasures have not yet been developed) account for about 13% of all vulnerabilities (Ponemon Institute, 2014), the remaining 87% are well known, and countermeasures exist for preventing them. The article also identifies some of the complacencies of organizations in fighting cyber threats, and offers suggestions for protecting the information and communication systems that support both government and private organizations from cyber attacks.
Current tools that merely alert the IT staff to respond to information on cyber threats are inadequate to address the massive volume and sophistication of modern cyber threats. Therefore, intelligent threat intelligence solutions that can predict and stop threats on the networks are needed to address the limitations of traditional threat management tools. Current efforts to secure cyber space have produced large public vulnerability databases at NIST and Symantec. However, access to vulnerability databases is only the first step in managing threats to the networks; it will not reduce the frequency of cyber attacks or the damage they cause unless network administrators are also equipped with automated security tools. These efforts are further hampered because many organizations and consumers are slow to apply published security updates.
Alarming statistics from market surveys: Published reports from recent studies by two independent market research organizations on the frequency of full-network active vulnerability scans (a.k.a. credentialed scanning) provide some very disturbing statistics. The 2015 Cyberthreat Defense Report on 814 organizations by the CyberEdge Group and the 2014 survey of 678 US IT practitioners by the Ponemon Institute, LLC arrived at very similar results about the complacency of many organizations. Their findings show the following active scanning frequencies: Daily: 4%; Weekly: 11%; Monthly: 23%; Quarterly: 29%; Semi-annually: 19%; and Annually: 14%. A large number of organizations scan their networks to comply with government regulations, with little attention to risk management. The reports show that about 38% of those organizations scan their networks at least monthly. Several organizations that claim to perform continuous scanning actually perform passive scanning, which does not provide a detailed picture of the vulnerabilities of the network elements. Even the latest directive from the White House to government agencies to tighten security controls in response to the hack of the Office of Personnel Management (OPM) only recommends that the agencies patch security holes in response to the list of security vulnerabilities provided by the Department of Homeland Security every week (Lisa Rein, The Washington Post, June 16, 2015).
The need to focus on automation instead of relying on human capital: Scanning the networks generates a huge number of vulnerability findings that must be analyzed in order to gain intelligence about the network, otherwise known as situational awareness. Merely publishing the most vulnerable nodes and alerting the system administrator to respond is not effective. It makes no sense to expect the human brain to process over 300 vulnerabilities and apply the necessary countermeasures every day without expecting a brain freeze. Instead of lamenting the shortage of personnel or cybersecurity experts, a significant amount of resources needs to be devoted to process automation. Rather than relying on humans to perform penetration testing after the vulnerabilities have been identified, the focus should be on tools that automatically generate possible attack paths and prevent attacks on enterprise assets.
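The following is an added illustration of the triage the paragraph above calls for; it is not code from the article or from any product it mentions. It uses a constructed five-host network, a constructed list of scan findings and a deliberately simple attack-path model (an attacker who controls a host can move to any network-reachable neighbour that carries a remotely exploitable finding). The network, findings and the `internet` starting point are all assumptions. The point it demonstrates is that automated attack-path analysis reduces a pile of findings to the few that actually open a path to a critical asset, which is exactly what a human cannot do by hand at 300 findings a day.

```python
"""Rank vulnerability findings by how many attack paths to critical assets they
enable. All hosts, findings and reachability below are constructed sample data
for this example; they do not describe any real network or scan."""

# Constructed network-level reachability: host -> hosts it can connect to.
REACHABLE = {
    "internet": {"web01"},
    "app01": {"db01", "fileshare"},
    "web01": {"app01", "db01"},
    "db01": set(),
    "fileshare": set(),
}

# Constructed crown-jewel set: the asset the defender cares about most.
CRITICAL = {"db01"}

# Constructed scan output: (host, finding id, remotely exploitable?).
# Finding ids are placeholders, not real vulnerability identifiers.
FINDINGS = [
    ("web01", "F-001", True),
    ("web01", "F-002", False),   # local-only issue; gives no remote foothold
    ("app01", "F-003", True),
    ("db01", "F-004", True),
    ("fileshare", "F-005", True),
]


def exploitable_hosts(findings):
    """Hosts that carry at least one remotely exploitable finding."""
    return {host for host, _fid, remote in findings if remote}


def attack_paths(reachable, findings, start="internet", critical=CRITICAL):
    """Enumerate simple paths from `start` to any critical host.

    A step to a neighbour is allowed only if that neighbour is exploitable;
    the walk stops at the first critical host it reaches."""
    exploitable = exploitable_hosts(findings)
    paths = []

    def dfs(host, path):
        if host in critical:
            paths.append(list(path))
            return
        for nxt in sorted(reachable.get(host, ())):
            if nxt in exploitable and nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def rank_findings(reachable, findings, start="internet", critical=CRITICAL):
    """Score each finding by the number of attack paths that disappear if it
    alone is remediated; highest score first, ties broken by finding id."""
    baseline = len(attack_paths(reachable, findings, start, critical))
    scores = []
    for host, fid, _remote in findings:
        remaining = [f for f in findings if f[1] != fid]
        cut = baseline - len(attack_paths(reachable, remaining, start, critical))
        scores.append((fid, host, cut))
    return sorted(scores, key=lambda s: (-s[2], s[0]))


def patch_plan(reachable, findings, start="internet", critical=CRITICAL):
    """Greedy remediation order: keep fixing the highest-scoring finding until
    no attack path to a critical asset remains."""
    plan, remaining = [], list(findings)
    while attack_paths(reachable, remaining, start, critical):
        best = rank_findings(reachable, remaining, start, critical)[0]
        if best[2] == 0:
            # Every host on every path has more than one exploitable finding,
            # so no single fix cuts a path; stop rather than loop forever.
            break
        plan.append(best[0])
        remaining = [f for f in remaining if f[1] != best[0]]
    return plan


if __name__ == "__main__":
    for path in attack_paths(REACHABLE, FINDINGS):
        print("attack path:", " -> ".join(path))
    for fid, host, cut in rank_findings(REACHABLE, FINDINGS):
        print(f"{fid} on {host}: cuts {cut} path(s)")
    print("patch first:", patch_plan(REACHABLE, FINDINGS))
```

On the constructed data there are two paths from the internet to `db01`, and fixing the single finding `F-001` on the perimeter host closes both, while two of the five findings contribute nothing to any path and can be scheduled later. On a real network the reachability map would come from firewall rules or a network model and the findings from the scanner export, but the triage logic is the same.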