roger_grimes
Columnist

Vastly improve your IT security in 2 easy steps

Analysis
Mar 21, 2017 | 5 mins
Data and Information Security | Hacking | Malware

Losing the battle against the bad guys? Keep your software patched and defend against social engineering, and you might start winning a few


It’s a rough number, but I’d wager that 99 percent of computer security risk in most organizations can be attributed to two root causes: social engineering and unpatched software.

I’m not talking about the raw number of successful exploits, but overall impact. Many CISOs and threat intelligence analysts have told me that 100 percent of the biggest events at their company involved social engineering. Certainly, bad things enter your environment through other means, which is why we still need to secure our servers, encrypt our disks, and prevent physical intrusions. But in terms of the biggest impact, most organizations can tie those events to two root causes.

Think about what that means. If your organization is like most, 99 percent of your current risk will be resolved if you address exactly two problems. Likewise, anything you do to address other problems accounts for 1 percent of that risk. If your own data analysis supports this assessment, then take a look at your allocated resources and see if they are aligned against the right threats in the right proportions.

Shore up unpatched software

Defeating this root cause seems to be simple. Patch your software! But if it were that simple, it wouldn’t be a top root cause stretching across two decades.

The key to diminishing this risk is to identify the right software to patch and do it really, really well. The risk reducers I respect know the difference between the largest unpatched program in their environment and the unpatched program most likely to be exploited in their environment. A security expert knows there is usually a gulf between the two.

For example, for many years, Microsoft’s Visual C++ Redistributable program, which is included with tens of thousands of applications, has been the most unpatched software—worse even than Oracle Java or Adobe Acrobat. The difference is that the Visual C++ Redistributable is hardly ever exploited. I’ve never heard of a single case of that happening.

Why? Because for attackers to exploit it, they need to know it’s there, unpatched, in the first place—then create a specific exploit that attacks a vulnerability in each program running it. That could mean creating tens of thousands of different attack programs, and because most of those programs don’t run as services or browser add-ins, they would be far harder to detect.

Instead, attackers target commonly unpatched programs that can be exploited using a single, predictable exploit. Hackers, like everyone else, would rather do less work for greater impact than the other way around.

To reduce exploitation of unpatched software, use your own data to determine which programs are most exploited successfully, then go about patching (or eliminating) those programs as best you can. You’ll be vastly more successful decreasing risk by patching the most exploited programs than by trying to patch everything perfectly.
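The ranking the author describes, as an added example that is not from the article: the "largest unpatched program" list and the "most exploited program" list are built from the same inventory, and the gulf between them is what decides patch priority. The inventory counts and incident records below are constructed sample data, not figures from the article.

```python
from collections import Counter

# Constructed sample data (not from the article): unpatched instances per
# program from an inventory scan, and the program implicated in each past
# incident record from your own incident tracking.
UNPATCHED_INVENTORY = {
    "Visual C++ Redistributable": 4200,
    "Oracle Java": 1300,
    "Adobe Acrobat": 900,
    "Browser plugin (constructed)": 250,
}

INCIDENT_LOG = [  # (incident id, exploited program), constructed
    ("INC-0001", "Oracle Java"),
    ("INC-0002", "Adobe Acrobat"),
    ("INC-0003", "Oracle Java"),
    ("INC-0004", "Browser plugin (constructed)"),
    ("INC-0005", "Oracle Java"),
    ("INC-0006", "Adobe Acrobat"),
]


def rank_by_unpatched_count(inventory):
    """The 'largest unpatched program' view: sort by raw instance count."""
    return sorted(inventory, key=lambda p: inventory[p], reverse=True)


def rank_by_exploitation(inventory, incidents):
    """The 'most likely to be exploited' view: sort by incidents tied to each
    program, using the unpatched count only as a tie-breaker. A program with
    zero incidents sinks to the bottom even if it is the most widespread."""
    hits = Counter(program for _, program in incidents)
    return sorted(inventory, key=lambda p: (hits[p], inventory[p]), reverse=True)


def patch_plan(inventory, incidents, top_n=2):
    """Programs to patch (or eliminate) first, with the incident and instance
    counts behind each choice so the decision can be audited later."""
    hits = Counter(program for _, program in incidents)
    ranked = rank_by_exploitation(inventory, incidents)
    return [(p, hits[p], inventory[p]) for p in ranked[:top_n]]


if __name__ == "__main__":
    print("By unpatched count:", rank_by_unpatched_count(UNPATCHED_INVENTORY))
    print("By exploitation   :", rank_by_exploitation(UNPATCHED_INVENTORY, INCIDENT_LOG))
    for program, hits, count in patch_plan(UNPATCHED_INVENTORY, INCIDENT_LOG):
        print(f"patch first: {program} ({hits} incidents, {count} unpatched)")
```

With these inputs the most widespread unpatched program tops the first list and sits last in the second, which is the gulf the article describes.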

Defeat social engineering

Social engineering comes in all shapes and sizes, from a phone call to web or email phishing, all aimed at getting you to reveal a logon credential or run a rogue program (for example, fake tech support). No panacea can prevent all social engineering attempts. But you need to mount a sustained defense.

Start by training users to recognize social engineering attacks. You can create your own educational programs and content or use someone else’s: Internally created content can better address your organization’s specific needs, but it can be poorly done. Last week, I spoke to a security administrator of a big company who said his co-workers were more likely to click on a phishing email after their training than before. He wasn’t sure what was wrong with their internal training, only that it had a negative correlation and he had the data to prove it.

Luckily, there are lots of fantastic external training companies. My personal favorites are Knowbe4 and PhishMe.

Yet everyone knows training alone can’t provide a perfect defense. Some people will click anything sent their way no matter what you teach them. 

My favorite defense is to implement an enterprisewide two-factor authentication (2FA) program and get rid of passwords across the board. This isn’t easy, but as long as employees are required to have passwords, they can be easily phished out of them. With 2FA, an attacker can’t succeed in stealing the initial logon credentials without physical compromise or a sophisticated malware attack.

Even if you defeat credential theft, you have to stop people from running rogue programs. Education can help, but you need more. Antimalware programs help detect and stop rogue programs, of course, but we all know they have accuracy limitations. I’m a huge fan of application control software (such as whitelisting programs), which I think will become far more pervasive in corporate environments than they are today. If you can’t use strict application control, then you have to do everything else, and everything else won’t be as good.

Stopping social engineering could involve many possible strategies for your environment. It could mean defense in depth, increased security boundaries, assume-breach defenses, and more. But if you are able to identify the most likely causes of social engineering and fix the unpatched software, you’ll be way ahead of the game.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
