5 Tips To Keeping Hackers Out Of Your Business in 2016

By -

So, to start off 2016 on a secure footing here are 5 tips that can radically reduce your risk profile....


We recently released the edgescan 2015 Vulnerability stats report to positive feedback
You can find it here: edgescan - resources page

The tips below are based on the vulnerability stats report. So they are in effect a result of 1000's of security assessments in 2015 and what we believe are simple but effective tips to help you consider some of the right things. 

Sometimes focus on  "doing the right things" and not "doing things right" is what matters.

The findings were not too surprising for 2015 covering off the volume of high profile cyber attacks, the root cause and how we can improve our security?. 

 Here's my Top 5 based on the most common issues discovered in the stats report and effective fixes which could dramatically improve your security posture.
Patch Or Recycle Your Servers!!

 In 2015 63% of vulnerabilities discovered could of been mitigated via patching, configuration or component management. - That's a high % and in many cases not a relatively difficult thing to do. 

 Over 7.1% of patch related vulnerabilities were Critical or High Risk. In the cloud if we don't patch, define secure baseline instances and deploy new versions (recycle) once we know they have a patching of configuration weakness. This can have a huge impact on your security posture. Patching is not exclusive to Operating systems but should also include frameworks, services etc.
Consider automation such as 




Use TLS, Drop SSL

This also relates to the above point of configuration management and patching. A very large proportion of issues discovered in 2015 related to weak using SSL or weak cipher implementation. 99% of users browsers support strong transport security so turn up the crypto and remove the old crud!

 
Use HTTP Security Headers

Implementing HTTP Security headers generally takes literally a couple of lines of code and can make life difficult for attackers. HTTP Strict Transport Security (HSTS) prevents man in the middle attacks and associated attacks associated with malware on infected devices/PC's. X-Frame-Options headers, again easily implemented can help prevent some Phishing and social engineering attacks. 

In 2015 a 15% risk reduction could be achieved if all sites assessed used HTTP Security Response Headers!!

More on security headers to be found here



Frequent Assessments and Root Cause Analysis

The "old model" of an annual penetration test is broken and always has been. 

Systems are in a constant state of flux and change and testing a dynamic system for security once a year does not have any positive impact on it's security posture. Once we discover an issue we also need to try and determine how the bug/vulnerability got deployed undetected. 

Root cause and frequent output of security assessments can feed into training requirements and also help identify any holes in the SDLC from a security standpoint.



 Awareness, Auditing, Detective Controls

Underrated and ignored but detecting attempts to breach your business is rather important. To implement such controls does not need to cost the earth. Logging on servers for specific events and archiving of logs is a good start. 

Application Layer logging in the case of exceptions is also worthwhile and inexpensive if done with some thought.

Client-side logging is also worth consideration in order to track browser scripting errors which can help detect malware on users browsers.

Check out:
https://www.snort.org/
https://rollbar.com/
https://www.graylog.org/
https://www.pagerduty.com








Comments

Post a Comment

Popular posts from this blog

Edgescan, why we do what we do.....

By -
Image
  The cyber security industry is full of solutions to make you more secure. Some are unproven and other approaches work if deployed properly. Our industry is very fragmented. for example a recent "Cyber Defense" award I noticed has 195 categories!  I suppose we need to ask ourselves as companies from time to time why we do what we do?  So, the following post is, I guess, the reason we developed Edgescan and why we believe its a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one but both sides of the equation may have bugs. Bugs in one side (The target) may result in vulnerabilities, whilst bugs on the other side (Scanner) may result in false negatives and false positives.  Accuracy : To that end we built edgescan as a combination of automation to discover vulnerabilities at scale but  when c
Read more

20 years of Vulnerability Managment - Why we've failed and continue to do so.

By -
Image
Cyber Security: Keeping Pace with Change. Getting breached can really ruin your day. Actually it normally happens on a friday evening as you are about chill for the weekend. The cause of must breaches is not rocket science, its more to do with the poor approach we have accepted because we underestimate the threat actor.  - An attacker does not scan your website/network once a quarter with a commercial or open source scanner or perform an annual penetration test against your systems to see if there is any low hanging fruit, so how do we expect to defend against such an advisory using that approach? Systems change now more frequently than ever due to the ease of cloud deployments and the speed of software deployments due to iterative development techniques. The rate of change increase results in exposures quickly manifesting and the organisation not even being aware of the exposure in the first place. Many organisations dont know what they have exposed on the public Internet. We need t
Read more
By -
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA
Read more