Thursday, January 21, 2016

5 Tips To Keeping Hackers Out Of Your Business in 2016

So, to start off 2016 on a secure footing, here are 5 tips that can radically reduce your risk profile.

We recently released the edgescan 2015 Vulnerability Stats Report to positive feedback.
You can find it here: edgescan - resources page

The tips below are based on the vulnerability stats report, so they are in effect the result of thousands of security assessments carried out in 2015, and what we believe are simple but effective tips to help you focus on some of the right things.

Sometimes focusing on "doing the right things" rather than "doing things right" is what matters.

The findings for 2015 were not too surprising, covering the volume of high-profile cyber attacks, their root causes and how we can improve our security.

Here's my top 5, based on the most common issues discovered in the stats report, with effective fixes that could dramatically improve your security posture.

Patch Or Recycle Your Servers!!

In 2015, 63% of the vulnerabilities discovered could have been mitigated via patching, configuration or component management. That's a high percentage, and in many cases not a difficult thing to fix.

Over 7.1% of patch-related vulnerabilities were Critical or High Risk. In the cloud, if we don't patch in place, we can define secure baseline images and deploy fresh instances from them (recycle) as soon as we know the running ones carry a patching or configuration weakness. This can have a huge impact on your security posture. Patching is not exclusive to operating systems but should also include frameworks, libraries, services etc.
Consider automation such as 

Use TLS, Drop SSL

This also relates to the point above on configuration management and patching. A very large proportion of the issues discovered in 2015 related to the use of SSL or weak cipher suites. 99% of users' browsers support strong transport security, so turn up the crypto and remove the old crud!
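As an added example (not edgescan's code), here is what "turn up the crypto" looks like in Python's standard `ssl` module: a server context with a TLS 1.2 floor and only forward-secret AEAD suites, plus a small audit that reports a protocol floor below TLS 1.2, suites with known-weak primitives, suites without forward secrecy and SHA-1 CBC suites. The certificate and key paths are assumptions, and `LEGACY_CIPHERS` is a constructed list in the shape of a typical 2015-era server, included only for contrast.

```python
"""Hardened TLS server context plus an audit of protocol floor and cipher list.
Added example, not edgescan's code; certfile/keyfile are assumed paths."""
import ssl

# Substrings that mark cipher suites no modern server should offer
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def hardened_server_context(certfile=None, keyfile=None):
    """TLS 1.2 floor, forward-secret AEAD suites only, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Drops SSLv3, TLS 1.0 and TLS 1.1 outright
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE key exchange with AES-GCM or ChaCha20-Poly1305 only;
    # OpenSSL manages the TLS 1.3 suites separately and they are already AEAD
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION  # CRIME
    if certfile:  # assumed paths; omitted so the example runs without a cert
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_tls(min_version, cipher_names):
    """Return a list of findings for a protocol floor and a list of OpenSSL suite names."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        label = getattr(min_version, "name", min_version)
        findings.append(f"protocol floor {label} is below TLS 1.2")
    for name in cipher_names:
        upper = name.upper()
        if any(marker in upper for marker in WEAK_MARKERS):
            findings.append(f"weak cipher offered: {name}")
        elif not upper.startswith(("ECDHE", "DHE", "TLS_")):
            findings.append(f"no forward secrecy: {name}")
        elif upper.endswith("-SHA"):
            findings.append(f"SHA-1 CBC suite offered: {name}")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext using what it actually reports, not what we asked for."""
    return audit_tls(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


# Constructed list resembling a 2015-era default configuration, for contrast
LEGACY_CIPHERS = ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "ECDHE-RSA-AES128-SHA"]

if __name__ == "__main__":
    print("legacy:", audit_tls(ssl.TLSVersion.TLSv1, LEGACY_CIPHERS))
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
```

The audit reads the context back through `get_ciphers()` rather than trusting the cipher string, so it also catches a build of OpenSSL that silently ignores part of the string; the same check can be pointed at the cipher list a scanner reports for a live host.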

Use HTTP Security Headers

Implementing HTTP security headers generally takes literally a couple of lines of configuration and can make life difficult for attackers. HTTP Strict Transport Security (HSTS) tells the browser to only ever connect to your site over HTTPS, which defeats SSL-stripping man-in-the-middle attacks on hostile networks. X-Frame-Options, again easily implemented, stops other sites framing your pages, which blocks clickjacking and the phishing and social engineering attacks built on it.

In 2015, a 15% risk reduction could have been achieved if all sites assessed had used HTTP security response headers!!
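To show how little code the headers need, and how to check a response for them, here is an added example (not from the original post) in Python: a WSGI middleware that appends a baseline set of security headers to any application's responses without overriding values the application already set, and an audit function that checks a response's headers for HSTS with an adequate max-age, X-Frame-Options, X-Content-Type-Options and a Content-Security-Policy. The header values, the 180-day HSTS floor and the `hello_app` application are assumptions for the example.

```python
"""Add HTTP security response headers with a WSGI middleware and audit a response.
Added example, not edgescan's code; header values and the app are assumed."""
import re

# Assumed baseline values; tune CSP to the application before deploying
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",  # honoured only over HTTPS
    "X-Frame-Options": "DENY",                      # clickjacking / UI redress
    "X-Content-Type-Options": "nosniff",            # MIME sniffing
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
MIN_HSTS_AGE = 180 * 24 * 3600  # 180 days; very short max-age values give little protection


def add_security_headers(app):
    """WSGI middleware: wrap any WSGI app and add the headers it did not set itself."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in present:  # never clobber an app-chosen value
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped


def audit_headers(headers):
    """Return a list of findings for a list of (name, value) response headers."""
    h = {name.lower(): value for name, value in headers}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age missing or too short")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    return findings


def hello_app(environ, start_response):
    """Assumed minimal application that sets no security headers of its own."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, path="/"):
    """Drive a WSGI app in-process and return (status, headers, body); no server needed."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for label, app in (("bare", hello_app), ("wrapped", add_security_headers(hello_app))):
        print(label, audit_headers(call(app)[1]) or "no findings")
```

The same `audit_headers` function can be fed the header list from a real response (for example `response.getheaders()` from `http.client`) to check a live site; remember that browsers only honour HSTS when it arrives over HTTPS, so the header on an HTTP response does nothing.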

More on security headers can be found here

Frequent Assessments and Root Cause Analysis

The "old model" of an annual penetration test is broken and always has been. 

Systems are in a constant state of flux, and testing a dynamic system for security once a year does little for its security posture. Once we discover an issue we also need to determine how the bug or vulnerability got deployed undetected.

Root cause analysis and the regular output of security assessments can feed into training requirements and also help identify any holes in the SDLC from a security standpoint.

Awareness, Auditing, Detective Controls

Underrated and often ignored, but detecting attempts to breach your business is rather important. Implementing such controls does not need to cost the earth. Logging specific events on servers and archiving the logs is a good start.

Application-layer logging of exceptions is also worthwhile and inexpensive if done with some thought.

Client-side logging is also worth considering in order to track browser scripting errors, which can help detect malware in users' browsers.
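As an added example (not part of the original post) of what "logging specific events" buys you once someone actually looks at the logs, here is a Python script that runs simple detection logic over web server access log lines: it flags request paths carrying SQL injection, path traversal or script injection payloads, counts 404s per source to spot scanners probing for known files, and counts 5xx responses per source as the server-side shadow of the application exceptions mentioned above. The log format is the common Apache/nginx combined style, the thresholds and patterns are assumptions, and `SAMPLE_LOG` is constructed traffic using documentation IP ranges, not real data.

```python
"""Run attack and scanner detection over web server access log lines.
Added example, not edgescan's code; SAMPLE_LOG is constructed, not real traffic."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx combined-style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Deliberately narrow patterns (assumed); run them on the URL-decoded path
ATTACK_PATTERNS = {
    "sqli": re.compile(r"'\s*(or|and)\b|union\s+select|;\s*drop\b", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "xss": re.compile(r"<script|javascript:", re.I),
}


def parse_line(line):
    """Return a dict for a well-formed line, or None so odd lines are skipped, not fatal."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])  # decode %27, %2F etc. before matching
    return rec


def analyse(lines, scan_threshold=5):
    """Return attack hits, sources with >= scan_threshold 404s, and 5xx counts per source."""
    attacks, not_found, server_errors = [], Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, pattern in ATTACK_PATTERNS.items():
            if pattern.search(rec["path"]):
                attacks.append((rec["ip"], kind, rec["path"]))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        if 500 <= rec["status"] < 600:
            server_errors[rec["ip"]] += 1
    scanners = sorted(ip for ip, n in not_found.items() if n >= scan_threshold)
    return {"attacks": attacks, "scanners": scanners, "server_errors": dict(server_errors)}


# Constructed sample: one host probing and attacking, one ordinary visitor
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jan/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [21/Jan/2016:10:00:02 +0000] "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1" 500 0
203.0.113.5 - - [21/Jan/2016:10:00:03 +0000] "GET /static/..%2F..%2Fetc/passwd HTTP/1.1" 404 0
203.0.113.5 - - [21/Jan/2016:10:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
203.0.113.5 - - [21/Jan/2016:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 0
203.0.113.5 - - [21/Jan/2016:10:00:06 +0000] "GET /.git/config HTTP/1.1" 404 0
203.0.113.5 - - [21/Jan/2016:10:00:07 +0000] "GET /backup.zip HTTP/1.1" 404 0
198.51.100.7 - - [21/Jan/2016:10:00:08 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.7 - - [21/Jan/2016:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for ip, kind, path in result["attacks"]:
        print(f"attack  {kind:<9} from {ip}: {path}")
    print("scanners:", result["scanners"])
    print("5xx per source:", result["server_errors"])
```

A 500 sitting right behind a quoted `OR` in the query string is exactly the pairing that application-layer exception logging should surface too: the web log tells you who sent it, the application log tells you what broke. Neither is useful if nobody reads them, which is why archiving and a periodic run of even this crude script beats no detective control at all.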

Check out: