Cybersecurity Decisions. PHOTO: Cybercrime Magazine.

The Single Biggest Computer Defense Decision You Must Get Right

Get it wrong, and your security risk skyrockets

Roger Grimes

Miami, Fla. – Jul. 16, 2019

There is one computer security decision you must get right above all others. It impacts your entire plan, what mitigations you select and deploy, and how successful your computer security plan is to be. Get it wrong, and your security risk skyrockets. Get it right, and your security risk plummets and puts you in the rare stratosphere of upper echelon of computer security decision-makers who truly understand how to decrease cybersecurity incident risk most efficiently.

Inefficient Army

Let me start with an allegory. Suppose you have two warring armies: a good army and an evil army. The armies have been engaged in battle for decades. The evil army is having continued great success on the right flank of battle. Now, any real-world good army would have to address the enemy’s success on the right flank of battle, or they would lose the war. But for a myriad of reasons, in the cyberworld, the good army sees the success the evil army is having on the right flank of battle but responds by putting more troops and resources on the left flank of battle. The evil army puts even more of its resources on the right flank and makes even faster success against the good army, and the good army responds by putting more of its resources on the left flank. The good army, hearing that the evil army may one day attack by air, even starts building up more of its resources vertically in the center of battle. The good army, despite seeing the evil army’s success on the right flank of battle, responds in nearly every way except for putting more resources on the right flank of battle, and then wonders why the evil army is continuing to succeed.

If this seems a strange way for any army to fight, it’s exactly analogous to what is going on in the cybersecurity defense plan of most organizations. For over three decades there have been two root causes of cybersecurity incidents which have caused the vast majority of attacks, and for reasons that used to escape me, most organizations spend less than 10 percent of their IT security budget on. There are literally thousands of ways your organization can be compromised, but just two ways constitute most of the risk, and have constituted most of the risk since computers came into being.

The Top Two Cybersecurity Risks

Those two root causes are social engineering and unpatched software. Defend against those two things better and you’ll be far better off than any other money spent to decrease cybersecurity risk. Or better put, doing EVERYTHING ELSE, all together, will not decrease your cybersecurity risk as much. And if you do everything else, it won’t really matter, because those top two risks will be how you are likely compromised.

Currently, social engineering is responsible for 70-90 percent of all successful malicious data breaches. Unpatched software is responsible for 20-40 percent, with overlap because many attacks use parts of both. Together, they account for 90 percent or more of the risk in most organizations. In many cases, they are responsible for 99 percent of all successful cyber intrusions. And it has been this way for decades.

Social engineering wasn’t always number one, although it has always been in the top two or three reasons. For a long time, unpatched software, and in particular just a handful of unpatched programs (e.g. Sun/Oracle Java, Internet Explorer, Adobe Acrobat, Adobe Flash, etc.) were responsible for most successful attacks. For about 7 years, unpatched Sun/Oracle Java was responsible for most of the attacks by itself. In 2014, Cisco’s Annual Security Report said unpatched Java was responsible for 91 percent of all web-based attacks by itself. Microsoft, in their quarterly Security Intelligence Reports, also reported unpatched Java as the top threat for nearly a decade. Finally, the major browser vendors (e.g. Google, Apple, and Microsoft) disconnected Java from being an inherent part of the browser, and the Java threat significantly diminished. Since then, social engineering, which had already become a strong number two, took the lead and has never given it up. Attackers like social engineering attacks because they “convert.” That is, they work to exploit and compromise users, devices, and networks. And they work cross-platform no matter which OS you are running. They get past firewalls, anti-malware scanners, and past all the other inadequate defenses that organizations are putting up to stop them.

The main reason attackers are using social engineering as their primary attack method is because it works. And it continues to work. Most organizations, overwhelmed by the sheer number of different threats, tend to treat social engineering like the thousands of other threats. They don’t do a great job recognizing that social engineering (and unpatched software) are their biggest threats, by far, and they end up focusing too much on the other flanks of battle.

You Don’t Need to Believe Me

 I’m not asking you to believe me based on my word alone. Heck, I work full-time for a security awareness company which makes its living off of fighting phishing and social engineering. I’m possibly motivated to lie to you. I’m asking you to ask yourself, how do most malware programs and badness break into your environment? Your problem isn’t malware or ransomware — it’s how that malware and ransomware got in. Was it social engineering? Did someone in your organization get tricked into downloading something they shouldn’t? Was it because of unpatched software?

If most organizations look to see how malware and other bad things are getting past their defenses and getting in, they will find out that it’s likely social engineering, followed by patching. It’s even hard to find a big hacker news story that didn’t begin with one of these two root causes. So, don’t believe me just because I said so — do your own research at your own organization. When something gets by your defenses…if even for only a few minutes, start asking yourself how it got by? What was the root cause?

Do You Spend Enough Money On the Right Things?

Once you have your top root causes figured out (and it’s probably social engineering and unpatched software), ask yourself if you are spending enough money and resources to fight those top two threats? Is the budget, funding, and focus appropriately aligned? Most of the time you will see a fundamental misalignment of resources between your top threats that are being successful against your environment and the money and time spent to mitigate them. This is the crucial missing link that most organizations do not realize and mitigate.

If you aren’t realizing that a few of your threats are your top threats by far, and first focusing on them to significantly mitigate them first and best, aren’t you possibly being like that mythical army above which keeps focusing on everything but the right flank?

Be the fighter that puts the right defenses in the right places in the right amounts against the right threats. Anything else is incredibly inefficient.

Roger A. Grimes is a special contributor to Cybercrime Magazine. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist.