Do we treat IT Security Risk like HPV?

December 19th, 2018

“Everybody has HPV, okay? Everybody has it. It’s okay. Come out already. Everybody has it. If you don’t have it yet, you go and get it. You go and get it. It’s coming.” 

Ali Wong – Baby Cobra

So said a very pregnant Ali Wong (with impeccable comic timing and a flawless delivery) during her hilarious stand-up routine, “Baby Cobra”. But despite the raucous applause from the captive audience, the fact is that global trends in sexually transmitted diseases (STDs) are no laughing matter.

According to a report from the Centers for Disease Control and Prevention (CDC), STDs have been on the rise for the 5th consecutive year. In 2017, a record-breaking 2.3 million new cases were reported in the USA. Why are there so many more new cases of preventable sexually transmitted infections? Experts cite numerous factors (lack of condom use being the most obvious), but the one I like to put forward is indifference.

It seems that people just don’t care enough to accept the inconvenience of the measures that would keep them safe. This indifference extends equally well to how some across the IT landscape treat their security. IT security is thought of in the same way as an STD, in that people are prepared to wear the risk of infection rather than undertake the necessary (and inconvenient) measures to prevent it.

That may be perceived by some to be a harsh and overly simplistic statement, as many organisations would argue that they are “very serious” about security. Maybe, but going on the data that comes across my desk from all industries and verticals, it appears the opposite is occurring.
The security layers normally deployed to protect organisations are now stretched very thin. The identities, data, devices and applications powering organisations are now operating well outside IT’s pane of visibility and jurisdiction.

Just how thin are these veneers of security being stretched? Let me cite some very public breaches from 2018 to illustrate the point (in no particular order):

  • Federal Group Hotel – November 2018
  • Under Armour’s MyFitnessPal App – November 2018
  • Austal – October 2018
  • Perth Mint – September 2018
  • RCR Tomlinson Engineering – August 2018
  • Strathmore Secondary College – August 2018
  • Airport Security Identity Cards (ASICs) – July 2018
  • MY Health Record – July 2018
  • Townsville City Council [Typeform] – July 2018
  • Timehop App – July 2018
  • Cairns Council [Typeform] – July 2018
  • PEXA – National e-conveyancing platform – July 2018
  • Australian National University – July 2018
  • Airtasker – July 2018
  • Bakers Delight – July 2018
  • Tasmanian Electoral Commission – July 2018
  • Ticketmaster – June 2018
  • HealthEngine – June 2018
  • Flightradar24 – June 2018
  • PageUp People – June 2018
  • MyHeritage – June 2018
  • Family Planning NSW – May 2018
  • Svitzer Australia – March 2018
  • GoGet – January 2018

Now, in many of the above cases it appears that the attackers took advantage of security deficiencies in each of those environments that could very likely have been prevented. One element common to most of the above cases is the acquisition of privileged identities and the subsequent access to key resources. Depending on your analyst of choice, they will tell you that this type of identity compromise makes up approximately 63% of all breaches.

These breaches via elevation of privilege would not have occurred in a single attack operation. The attackers would have been covertly present outside and inside the organisation’s IT perimeter for weeks. Your friendly analyst will also tell you that the average time attackers persist inside an environment prior to detection is 146 days, conducting reconnaissance to gain a level of access via a poorly secured identity. The attack “kill chain”, or process they typically utilise, moves from a “low privilege” cycle to a “high privilege” cycle once an elevated identity or “domain dominance” has been acquired.

Once the high privilege cycle is in place, key assets within the organisation are explicitly sought out and exploited.
Few organisations are at a level where they can actively monitor in detail the lateral movement and activities of identities within their environments. Equally, few can automatically ascertain which operations executed by a privileged identity were anomalous.
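As an added illustration of what that monitoring looks like in its simplest form (this is example code written for this post, not the original article’s content and not the logic of any Microsoft product), the Python below learns which hosts each identity normally reaches during a baseline window, then flags a privileged identity reaching hosts it has never touched, and especially fanning out to several new hosts in one day. The identity names, host names, the 30-day window and the fan-out threshold are all constructed assumptions.

```python
"""Baseline-and-alert detector for privileged-identity lateral movement.

Added example for this post; the logon events below are constructed, not real logs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    day: int          # day index relative to the start of the log (constructed)
    user: str         # identity that logged on
    host: str         # host it logged on to
    privileged: bool  # whether the identity holds elevated rights


BASELINE_DAYS = 30       # assumed learning window
FAN_OUT_THRESHOLD = 3    # assumed: this many new hosts in one day is a burst


def build_baseline(events, baseline_days=BASELINE_DAYS):
    """Map each identity to the set of hosts it reached during the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        if e.day < baseline_days:
            baseline[e.user].add(e.host)
    return baseline


def detect_lateral_movement(events, baseline, baseline_days=BASELINE_DAYS,
                            burst_threshold=FAN_OUT_THRESHOLD):
    """Alert on privileged identities that, after the baseline window, reach hosts
    never seen for them, and additionally on a fan-out to several new hosts in a day.
    Returns a list of (alert_type, user, day, detail) tuples."""
    new_hosts_per_day = defaultdict(set)   # (user, day) -> hosts not in baseline
    alerts = []
    for e in events:
        if e.day < baseline_days or not e.privileged:
            continue                         # only post-baseline privileged activity
        if e.host not in baseline.get(e.user, set()):
            new_hosts_per_day[(e.user, e.day)].add(e.host)
            alerts.append(("new_host", e.user, e.day, e.host))
    for (user, day), hosts in new_hosts_per_day.items():
        if len(hosts) >= burst_threshold:
            alerts.append(("fan_out", user, day, tuple(sorted(hosts))))
    return alerts


def sample_events():
    """Constructed log: a backup service account with a steady routine, a normal
    user, then a day on which the privileged account suddenly spreads across hosts."""
    events = []
    for day in range(BASELINE_DAYS):
        events.append(LogonEvent(day, "svc-backup", "fs01", True))
        events.append(LogonEvent(day, "svc-backup", "fs02", True))
        events.append(LogonEvent(day, "jsmith", "ws-jsmith", False))
    # Day 30: routine privileged logon to a known host; must not alert.
    events.append(LogonEvent(30, "svc-backup", "fs01", True))
    # Day 30: unprivileged user on a new host; out of scope for this detector.
    events.append(LogonEvent(30, "jsmith", "fs01", False))
    # Day 31: the privileged identity reaches three hosts it never touched before.
    for host in ("dc01", "hr-db01", "fin01"):
        events.append(LogonEvent(31, "svc-backup", host, True))
    return events


def run_demo():
    """Build the baseline from the constructed log and return the resulting alerts."""
    events = sample_events()
    baseline = build_baseline(events)
    return detect_lateral_movement(events, baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The point of the design is the order of operations the post describes: the baseline is what the low-privilege reconnaissance phase looks like when nothing is wrong, and the fan-out alert is the moment an elevated identity starts behaving like an attacker rather than like the service it belongs to. A real deployment would key the baseline on more than host names (logon type, source address, time of day) and would age it, but the shape of the check is the same.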

These same organisations could very easily acquire or deploy the necessary tools to thwart many identity- or privileged-access-based attacks. As many organisations these days are Microsoft 365 E3 or E5 licensed, they already have (or could easily enable) additional layers of visibility and protection on top of their existing security screens. For example, adding the following simple tools could have saved many of the above-mentioned organisations from identity compromise and infection in 2018:

  • Microsoft Advanced Threat Protection – To monitor identity lateral movement and highlight anomalous activity across the network
  • Azure AD Premium – Challenging identities with multi-factor authentication and mandating that conditional access requirements be satisfied prior to allowing access
  • Azure Information Protection – Protecting the key data sets and files themselves from inappropriate access or manipulation

The key to a strong security framework is to ensure that you have security checks and screens in as many layers of your operation as possible.
For most organisations, having their IT security screens compromised is now an ever-increasing possibility. Psychologically, this constant risk (inevitability?) of exposure may breed a hardening, or indifference, to the consequences of infection.

Have we all just accepted the risk, or even inevitability, of infection and traded it for convenience and flexibility?

Personally, I think that you can enable flexibility and convenience and still experience them within a very strong ring of security. It doesn’t take much more effort, or cost much, to have it both ways. In many instances, organisations are already licensed for the key toolsets, like Microsoft 365 E5, but have simply not provisioned them effectively or at all.

Although I love Ali Wong’s humour and perspective on most things, I will politely disagree with her view on the inevitability of infection, that “everyone has it” and “it’s coming”. Deploying key toolsets, such as Microsoft EM+S, into your IT security framework will significantly bolster your security defences at all layers.

These simple measures will keep infection risks lower, and even if you do “get it”, symptoms can be identified early and consequences kept to a minimum.

In conclusion, don’t be indifferent about your security, and you will be having the last laugh on infection… Sorry, Ali!