TechRepublic's Dan Patterson spoke with Bart McDonough, the CEO and founder of Agio, about the best practices for cyberthreats.
Watch the video, or read the transcript of their conversation below:
Patterson: Cyber attacks impact every consumer in every business. But do you know the methods by which your business or your lifestyle maybe hacked? Bart, we have a fantastic list of the top five threat and attack vectors. Let's start at number five, poor vendor management. Help us understand this.
McDonough: Yeah. This is where our businesses, one, don't understand where their data lives. So if you don't know where your data lives, what we call in the cyber world, the surface area of your data, you certainly don't know how to protect it. This is one of the issues that's come up with proliferation of cloud services. Firms aren't managing their vendors well and what I mean by that is that they're not managing all the configurations that all of the sophisticated vendors, cloud services allow them. We advocate for firms to use governance around their vendors, understand where their data is, what's being done to it, how it's being protected, who's accessing that data and in general, though we find there's just a complete inadequacy around checking in on those vendors and on their data.
SEE: Password management policy (Tech Pro Research)
Patterson: As you know and as we know, integrations are a critical component of business and I'm sure you hear this all the time. I frequently hear CXOs of, whether they're SMBs, startup companies or enterprise companies, say, "Who really wants to attack me, who really cares?" I think that that point about vendor management is incredibly important. What about number four on your list, patch management?
McDonough: Yeah. I would tell you, we continue to see firms, where you go and do an assessment where they have patches that are a year to sometimes, three years out of date. This certainly applies to consumers and individuals at home. How many times do we know, when we see some pop up that says update your software and you say, "Not now, maybe later. Try me tomorrow," and we keep ignoring it, kicking the can down. As organizations, certainly we've seen this with the significant increase in ransomware attacks, where, if you had applied the latest patch for Microsoft, you could have prevented that attack. These criminal organizations are trying these massive drive-by attacks simply by trying to exploit the known holes in software. We call those vulnerabilities and those vulnerabilities are usually patched, very timely, by the major software manufacturers like Microsoft and Apple and Cisco, but people just simply don't apply those patches. This just is a very basic bit of cyber-hygiene, that if firms were to apply really good patch management to their systems, they can eliminate a significant source of risk.
Patterson: It is basic cyber-hygiene but it's something that we all probably are a little guilty of. Another thing that we are guilty of is number three on your list, which is weak and poor passwords. I can't emphasize enough that a strong password will protect you from brute force attacks, but what other threats may lurk behind a weak or a short password?
McDonough: Yeah. You're certainly right on the brute force attack. However, what we find to be a bigger issue is the reuse of passwords. When I think about weak passwords, I think about weak password management, not just a short password. We know that our passwords have been exposed through either the LinkedIn hack, or the eBay hack and if we're one of those individuals that has used the same password on more than one website, even if that password happened to be pretty complex and it got breached, there are automated bots out there doing credential stuffing attacks, account takeover attacks, that are using our previous username and password, a combination. We call those our credentials, and using those against hundreds of other websites.
SEE: 10 ways to raise your users' cybersecurity IQ (free PDF) (TechRepublic)
To me, when I think about passwords being a very vulnerable attack vector, it's not necessarily in short or simple passwords, it's in our reuse of passwords.
Patterson: One of the items on your list is an item that terrifies me because it is low tech. It doesn't require sophistication. "Hi Bart, this is John calling from IT. I wonder if you could help me access the login screen for administrators." Pretexting, social engineering, a tactic that Kevin Mitnick, the world's most famous hacker, really perfected. But pretexting is everywhere these days.
McDonough: Yeah. It is something that we do in a white hat environment for our clients to test them and we are sometimes, 70%, 80% successful on getting our clients machines using these, as you said, these lies, these scenarios, pretending to be from their IT provider or from some other service provider. This is where firms need to just raise their employees' awareness around what are those attacks, how are the bad actors trying to get in and then know their policies, know their procedures for when someone calls in, what are they going to ask them about. But this is extremely effective and damaging because once they get on your computer, really the sky is the limit for what they can do.
Patterson: Number one on your list is another tactic that is also low tech but has a high tech component and could be the most significant tactic to impact business and consumers that is most likely not going away. Tell us about modern phishing.
McDonough: Yeah. I like to set the stage when we talk about phishing is I think people, most individuals think that the pop culture image of hackers is they're trying to use code like you see streaming down from the matrix to crack into a firewall. The reality is that's hard. These hackers are operating in such scale, they're looking for the path of least resistance and the path of least resistance is the users, where you can trick them, you can socially engineer them through email. We call that phishing. For phishing, we want them to click on a link or click on an attachment.
The stats, are and we've backed this up with our own testing, is it takes about one in nine, one in 10 emails to get someone to click on something. It's incredibly successful and this is again, where massive damage can be done. We like to really raise users' awareness. Be extra careful when you're clicking on links or downloading attachments from your email.
Patterson: Agio's CEO and Founder, Bart McDonough, thank you for sharing these insights today. I wonder if you could leave us with some advice or insights. How can enterprise companies, startups, SMBs and consumers protect themselves from the threats enumerated on this list?
McDonough: Yeah. Governance is key. What I mean by governance is 10 years ago, 15 years ago, the cybersecurity environment was something like this. You get a one-time assessment, you remediate those, those vulnerabilities, those issues and then you put it in a drawer and you want to think about cybersecurity for another year. That environment is over. We need to be checking in on cybersecurity some frequent, some cadence, whether that's weekly, monthly, quarterly and check in because the environment is very dynamic. If we're not checking in on some frequent interval, we think monthly, is for most organizations, the right interval, obviously there's going to be some that need to have some daily or weekly checks. In very small businesses, if they don't have a lot of movement, might be able to go quarterly but governance is critical. You need to have some cadence where you are addressing this issue, making sure that you're assessing your cyber posture and then moving on and correcting any weaknesses in the environment.
- Special report: How to implement AI and machine learning (free PDF) (TechRepublic)
- Ransomware: Why the crooks are ditching bitcoin and where they are going next (ZDNet)
- Ransomware: A cheat sheet for professionals (TechRepublic)
- Fake cryptocurrency scam delivers ransomware - and more malware when you pay up (ZDNet)
- Why SMBs are at high risk for ransomware attacks, and how they can protect themselves (TechRepublic)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.