Why being proactive is the key to effective cyber security…

• Print

Details

Published: Friday, 18 October 2019 08:10

Traditional cyber security is based on protecting the organization with barriers and reacting to any breaches that occur. Dean Moulden explains why this is no longer effective: and why taking a proactive, zero trust, approach is now essential.

When it comes to cyber security, it’s easy to bury your head in the sand. But as incidents of hacking and data breaches become more and more commonplace, businesses of all sizes are coming to realise the importance of being proactive about their data.

As a business grows, its digital estate can evolve and increase in complexity at a significant rate. For many organizations, a cursory attempt at information security can be made by addressing common threats and implementing a number of off the shelf antivirus and anti-malware tools to keep threats at bay. Some enterprises may even have the presence of mind to add filters and password protection measures to stop employees from compromising the business.

A conscientious company will also typically back this up with a solid business continuity plan – one that lays out a procedure for isolating and then ultimately restoring damaged systems, preparing forensic data and getting back to ‘business as usual’ as swiftly as possible.

This approach is by no means a bad one and, for many business managers currently reading this, it may well seem like a cut above anything they have in-house. Yet it is important to note that there is an important piece of the puzzle missing – one that can elevate a reactive information security strategy to a proactive one.

Yes, some preventative measures will be implemented as part of a business continuity plan. But by failing to test and challenge those tools, software programs and resources, it is almost impossible to identify where the vulnerabilities may lie and where a breach is most likely to occur. What is needed to enhance this security posture is a forward-thinking approach – one that is capable of addressing emerging attack strategies, unprecedented malware and zero-day vulnerabilities. A proactive information security strategy should also consider how business insiders might bypass existing protective measures that are in place.

Even if you are confident that your perimeter defences are effective in picking up the majority of threats, the simple fact remains that cyber attacks are now being encountered by over half of organizations each year. As a result, the development in hacking threats makes broad, generalised measures significantly less reliable than they would have been in years gone by.

While it may sound like a negative activity, it is important for enterprises to begin to consider their strategy from an assumption of compromise. This can be as straightforward as asking questions like: if you know your network will be breached what would you change? What are the resources you would opt to isolate? What are the measures for control?

You may ask why we should assume that an attack will be successful. And the simple answer to that is that cyber criminals know and understand the tools that most businesses use to protect themselves – and their raison d’etre is to work out how to circumvent them. Similarly, malicious insiders are also driven to bypass the reactive security measures that an organization has in place: and so taking a different approach to risk posture is crucial.

So, what should a proactive strategy really look like?

Fundamentally, this is about identifying and mitigating weaknesses and vulnerabilities on a regular basis. While a reactive information security strategy can feel like it is fit for purpose at a given time, the threat landscape is constantly shifting. It is necessary for organizations to appreciate that they cannot simply build their defences and sit tight. That would be like digging trenches to prepare for an oncoming attack but failing to look behind to check if the enemy is actually advancing from the rear.

What is required is a ‘zero-trust strategy’ and penetration testing is an incredibly important tool within such an approach.

Penetration testing is the quickest and most effective method for identifying potential security threats to businesses. When conducted by an experienced and knowledgeable information security professional, a penetration test – or ‘pen test’ – will reveal any weak spots within a business’s defences, simulating both internal and external hacks.

As part and parcel of a pen test, a specialist will look to assess the security of web applications and networks. In many cases, social engineering is used to simulate phishing, tailgating or baiting to reflect different attack scenarios.

Of course, the real value from a pen test comes in the form of a report that not only identifies problems but also presents solutions and support on mitigating risk in the future. The proactive element of a good information security strategy will depend on how a business responds to the findings of a pen test. This might be implementing software changes within the business; but it might just as easily involve improving staff training and introducing new procedures to handle data effectively.

This information can be presented to a company board, using jargon-free language to clearly indicate how the business might make the necessary improvements in the future.

The author

Dean Moulden is a senior penetration tester with Security Risk Management Ltd.