- "An employee is the weakest link of any organization"
Security begins at home. Even with the best firewalls, WAFs, antivirus products and "360-degree" protection in place, an employee who does not understand why cybersecurity matters, or how to protect themselves in the digital world, can be the cause of a major breach. Remember that no scanner in the world can identify the vulnerable humans in an organization. Strong security policies go to waste if employees do not understand their importance and their impact on the organization. Organizations need to run regular cybersecurity training that covers previous breaches and healthy security practices. Statistics such as the number of breaches in a year help employees grasp the seriousness of the situation, and these sessions help them protect themselves from potential cyber-attacks.
- "Change passwords regularly and never share them with anyone"
If you haven't changed your password in the last six months, take a two-minute break and change it right now. Using a default password is like wearing your underwear on the outside, Superman-style: everyone can see it. According to a recent survey, 35% of users have weak passwords, and the remaining 65% can still be cracked easily. Many users reuse the same password for their social media accounts and their work account, which makes them more vulnerable: if one of their social media accounts is breached they simply change that password, without realizing that the same credential still unlocks their work and other personal accounts. This remains an unsolved problem for many corporate IT security teams. Note that current NIST guidance (SP 800-63B) puts more weight on screening new passwords against breached-password lists and forcing a change when compromise is suspected than on blind periodic rotation; either way, the reuse problem described here is the one to solve.
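As an added example (not code from the original article), here is how a verifier can screen a new password for the problems described above: vendor defaults, short passwords, and passwords already present in a breach corpus. The breach check follows the k-anonymity range-lookup scheme used by the Have I Been Pwned "Pwned Passwords" API (SHA-1 hash, only the first five hex characters sent), but the corpus here is a small constructed list so the script runs offline; the default-password list is constructed too.

```python
"""Added example, not from the original article: screening a candidate
password for vendor defaults, minimum length and presence in a breach corpus.
The breach lookup mirrors the k-anonymity range scheme used by the
Have I Been Pwned "Pwned Passwords" API (SHA-1, 5-hex-char prefix), but the
corpus is a small constructed list so everything runs offline."""
import hashlib

# Constructed list of vendor defaults and trivially guessable passwords (lowercase).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "welcome1", "changeme", "password1"}

# Constructed stand-in for a breached-password corpus.
BREACHED = ["P@ssw0rd", "summer2017", "letmein", "qwerty123"]


def sha1_upper(password):
    """Uppercase hex SHA-1, the form the range API works with (not a storage hash)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus as the range API would serve it: prefix -> {suffix: count}."""
    index = {}
    for pw in corpus:
        digest = sha1_upper(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_lookup(index, password):
    """k-anonymity lookup: only the 5-char prefix would leave the client; the
    35-char suffix is compared locally against the returned bucket."""
    digest = sha1_upper(password)
    return index.get(digest[:5], {}).get(digest[5:], 0)


def check_password(password, index, min_length=12):
    """Return the reasons to reject the password; an empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in DEFAULT_PASSWORDS:
        reasons.append("vendor default or trivially guessable")
    seen = range_lookup(index, password)
    if seen:
        reasons.append(f"present in breach corpus ({seen} occurrence(s))")
    return reasons


if __name__ == "__main__":
    idx = build_range_index(BREACHED)
    for candidate in ["admin", "P@ssw0rd", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, idx) or 'OK'}")
```

In production the constructed index is replaced by an HTTPS call to the range endpoint with the five-character prefix; the suffix comparison still happens locally, so the full hash never leaves the client.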
- "Follow the clean desk policy inside and outside the system"
According to a recent survey, 24% of PCs worldwide are not protected by up-to-date antivirus, which makes them 5.5 times more likely to be hit by viruses and ransomware. We cannot forget the infamous 2017 "WannaCry" ransomware, which targeted Windows systems that lacked a security update Microsoft had released in March 2017 (MS17-010, two months before the outbreak), spread to more than 100 countries and caused an estimated $8 billion in global losses across major industries. To avoid such attacks, keep your firewalls and antivirus up to date and patch vulnerabilities regardless of their assigned criticality. Remember that the business impact of a vulnerability is highest when it can be exploited by anyone, not only by a skilled attacker: WannaCry was a worm and needed no human operator at all.
- "Think beyond traditional security practices"
Typically, the idea of security testing starts and ends with VAPT. Most companies just run a scanner and hand the resulting VA report to their clients to cut testing costs, but the money saved on testing means nothing compared with the company's reputation, its customers' data and their sensitive information. A strong reconnaissance process will identify your digital assets across the web. Tools like Burp Suite, Nessus, Netsparker and Acunetix help with the vulnerability assessment, but what they find is largely false positives or low-hanging fruit. Manual penetration testing guided by the OWASP Top 10 and the CWE/SANS Top 25 will identify around 40% more vulnerabilities, and the real business logic vulnerabilities are only found when you execute business logic test cases written for your domain: every request in such a test is well-formed, so a scanner has nothing to flag. Attackers understand the business context and write custom scripts and test cases to find the critical vulnerabilities that will actually hurt your business.
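The business-logic point deserves a concrete illustration. The following is an added example, not code from the article or from any product it mentions: a checkout function that trusts the client-supplied price and quantity, beside a hardened version that recomputes the total from a server-side catalogue. Every request against the vulnerable version is syntactically valid, so a scanner reports nothing; a tester editing the request body in Burp Repeater finds the flaw in minutes. The catalogue, coupon and cart contents are constructed for the example.

```python
"""Added example, not from the original article: a business logic flaw in a
checkout flow beside its hardened form. The vulnerable function trusts the
client-supplied price and quantity; the hardened one recomputes the total
from a server-side catalogue. Catalogue, coupon and carts are constructed."""
from decimal import Decimal

# Constructed server-side catalogue: the price the client is NOT allowed to choose.
CATALOG = {"sku-100": Decimal("499.00"), "sku-200": Decimal("19.99")}
# Constructed single-use coupons: code -> percent off.
COUPONS = {"WELCOME10": 10}


class OrderError(ValueError):
    """Raised when the hardened checkout refuses an order."""


def checkout_vulnerable(cart_items, coupon=None):
    """Every field comes from the request body. A tester who edits the body
    (e.g. in Burp Repeater) can set price=0.01 or qty=-5 and still get HTTP 200,
    so a scanner that only looks for malformed input sees nothing wrong."""
    total = Decimal("0")
    for item in cart_items:
        total += Decimal(str(item["price"])) * item["qty"]
    if coupon in COUPONS:
        total -= total * COUPONS[coupon] / 100
    return total


def checkout_hardened(cart_items, coupon=None, redeemed_coupons=None):
    """Prices come from the catalogue, quantities must be positive integers in a
    sane range, a coupon is redeemable once, and the total never goes negative."""
    redeemed = redeemed_coupons if redeemed_coupons is not None else set()
    total = Decimal("0")
    for item in cart_items:
        sku, qty = item["sku"], item["qty"]
        if sku not in CATALOG:
            raise OrderError(f"unknown sku {sku!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
            raise OrderError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty          # the client's 'price' field is ignored
    if coupon is not None:
        if coupon not in COUPONS or coupon in redeemed:
            raise OrderError("invalid or already redeemed coupon")
        redeemed.add(coupon)
        total -= total * COUPONS[coupon] / 100
    return max(total, Decimal("0")).quantize(Decimal("0.01"))


def rejects(cart_items, coupon=None, redeemed_coupons=None):
    """True if the hardened checkout refuses the order."""
    try:
        checkout_hardened(cart_items, coupon, redeemed_coupons)
        return False
    except OrderError:
        return True


# Constructed business-logic test cases of the kind a manual tester writes.
TAMPERED_CART = [
    {"sku": "sku-100", "price": "0.01", "qty": 1},     # price edited in the request
    {"sku": "sku-200", "price": "19.99", "qty": -5},   # negative quantity = refund
]
HONEST_CART = [{"sku": "sku-100", "price": "499.00", "qty": 1}]

if __name__ == "__main__":
    print("vulnerable total for tampered cart:", checkout_vulnerable(TAMPERED_CART))
    print("hardened rejects tampered cart:", rejects(TAMPERED_CART))
    print("hardened honest total with coupon:", checkout_hardened(HONEST_CART, "WELCOME10"))
```

The tampered cart yields a negative total (a refund) from the vulnerable function and an `OrderError` from the hardened one; the second redemption of the same coupon is likewise refused. None of these cases is detectable by pattern-matching on the request.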
- "Performing Social Engineering and Red Team Activities"
A red team assessment is an activity carried out to compromise the target through whatever entry point works. VAPT is scope-oriented: ethical hackers test within a limited scope, typically one web application or one mobile application. A red team assessment is objective-oriented and involves your people, processes and technology. Typical objectives are gaining access to customers' PII, obtaining admin and non-admin credentials, hijacking accounts, compromising a CXO's mailbox, and so on. The red team first performs manual VAPT to find vulnerabilities in the technology; if that fails, they target the people with social engineering such as email phishing and spear phishing, identifying and targeting the right employees to fulfil the objective; if that also fails, they attack the process and physical controls, entering the premises by tailgating and breaking into server rooms to get access. This activity gives the true business impact of a real-world compromise, and running it annually as a cyber-drill builds security awareness among your employees.
- "Not having a Secure SDLC in place is like using a nulled script"
There are many open-source tools on the market that can scaffold almost any kind of application in minutes. Security should be built in from the planning stage and carried through to deployment. In the analysis and requirements stage, perform a risk assessment and a secure requirements review. In the design stage, perform threat modeling and get an architecture and design review. In the development stage, your developers will be pulling in third-party libraries freely, and those ship with known vulnerabilities of their own, so a dependency check at this stage catches around 60% of OWASP-category vulnerabilities before a line of your own code is tested. In QA, perform static analysis and a secure source code review in parallel. At deployment, perform an aggressive VAPT and close the remaining vulnerabilities. Security is not a one-time activity: for every sprint release, test the application in pre-production, fix the vulnerabilities, and only then push it to the live environment.
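To make the dependency-check step concrete, here is an added example (not from the article) of the minimal logic behind a software composition analysis tool: parse pinned requirements, compare each version numerically against an advisory's introduced/fixed range, and report hits. The requirements and advisories are constructed for the example; a real tool pulls advisories from a feed such as OSV or the GitHub Advisory Database and handles far richer version specifiers.

```python
"""Added example, not from the original article: the minimal logic behind a
dependency (software composition) check. Pinned requirements are parsed,
each version is compared numerically against advisory ranges, and hits are
reported. Requirements and advisories are constructed; real tooling consumes
a feed such as OSV or the GitHub Advisory Database."""

# Constructed requirements file.
REQUIREMENTS = """\
# constructed pins for the example
flask==0.12.2
requests==2.31.0
pyyaml==5.3
"""

# Constructed advisories: package -> [(introduced, fixed, description)].
# A version v is affected when introduced <= v < fixed.
ADVISORIES = {
    "flask": [("0.0", "1.0", "constructed advisory A")],
    "pyyaml": [("0.0", "5.4", "constructed advisory B")],
}


def parse_version(text):
    """'1.10.2' -> (1, 10, 2). Tuples compare element-wise, which is why
    string comparison ('1.10' < '1.9' is True) must never be used."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Return {package: version} from 'name==version' lines; refuse unpinned ones."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned requirement: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, compared numerically."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan(requirements_text, advisories=ADVISORIES):
    """Return findings as (package, version, fixed_in, description) tuples."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        for introduced, fixed, description in advisories.get(name, []):
            if is_affected(version, introduced, fixed):
                findings.append((name, version, fixed, description))
    return findings


if __name__ == "__main__":
    for package, version, fixed, description in scan(REQUIREMENTS):
        print(f"{package}=={version} is affected ({description}); upgrade to >= {fixed}")
```

Two design points matter in practice: unpinned requirements are refused rather than guessed at, because a floating version cannot be assessed, and versions are compared as integer tuples, because the string comparison many ad-hoc scripts use ranks 1.10 below 1.9.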
- "The cloud is secure, but if your configuration fails, your data is gone"
Companies want their employees and users to reach their applications through many channels: web applications, mobile applications, intranet and messaging clients. Amazon AWS, Microsoft Azure and Google Cloud are the leading cloud hosting providers on the market. Today many companies are migrating their applications, data and other business elements to the cloud for cost-effectiveness, elastic storage, easy software integration, rapid development and hassle-free backup and recovery. The cloud providers themselves are undoubtedly well secured, but under the shared-responsibility model the configuration is yours: if it fails, your data is open to the public, and it does not matter which provider you are using. Many providers publish a default checklist, but it is limited to that specific service version. Good cybersecurity companies maintain 1000+ checks, will perform a security assessment of your cloud, and are helpful in evaluating new or existing policies. A security audit typically uncovers misconfigured security groups, overly permissive IAM policies for users, groups and roles, exposed cloud credentials and much more. A strong deployment review will identify many of these misconfigurations and add a layer of security to your cloud.
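Two of the findings listed above can be checked mechanically before anything goes live. The following is an added example, not code from the article or from any cloud provider: one function flags IAM policy statements that grant wildcard actions or resources, the other flags security-group ingress rules that expose administrative ports to the whole Internet. The documents use the shapes AWS uses for IAM policies and for `describe-security-groups` output, but they are constructed here (including the weak setting beside its corrected form) and nothing in the script talks to AWS.

```python
"""Added example, not from the original article or any provider: two checks a
cloud deployment review can run before go-live. One flags IAM policy statements
with wildcard actions or resources; the other flags security-group ingress
rules that expose administrative ports to the whole Internet. The documents use
the shapes AWS uses for IAM policies and describe-security-groups output, but
they are constructed here and nothing talks to AWS."""
import json

ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}   # ssh, rdp, mysql, postgres, redis, mongo
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_permissive_statements(policy_json):
    """Return Allow statements that grant a wildcard action or wildcard resource."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in resources
        if wild_action or wild_resource:
            findings.append((stmt.get("Sid"), wild_action, wild_resource))
    return findings


def open_admin_ingress(security_group):
    """Return (port, cidr) pairs where an admin port is reachable from anywhere."""
    hits = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") == "-1":          # "all traffic" rules carry no ports
            low, high = 0, 65535
        else:
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ANYWHERE:
                hits.extend((port, cidr) for port in sorted(ADMIN_PORTS) if low <= port <= high)
    return hits


# Constructed policies: the weak one beside the scoped-down one.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DevAccess", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Logs", "Effect": "Allow", "Action": ["logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"},
]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadUploads", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"]},
]})

# Constructed security groups: SSH open to the world beside SSH from the VPN range only.
WEAK_SG = {"GroupId": "sg-weak", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}
FIXED_SG = {"GroupId": "sg-fixed", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.8.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}

if __name__ == "__main__":
    print("weak policy:", overly_permissive_statements(WEAK_POLICY))
    print("scoped policy:", overly_permissive_statements(SCOPED_POLICY))
    print("weak sg:", open_admin_ingress(WEAK_SG))
    print("fixed sg:", open_admin_ingress(FIXED_SG))
```

Port 443 open to the world is deliberately not reported: a public web port is an expected exposure, while SSH, RDP and database ports reachable from anywhere are the misconfigurations an audit is looking for. A rule with `IpProtocol` `-1` has no port fields at all, which is why the checker treats it as every port.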
These are a few common mistakes enterprises make while developing a product. It is recommended to have an independent cybersecurity company review your applications before you release them to market, which reduces the opportunities for a successful attack.
How to measure anything in cybersecurity risk
Before measuring cybersecurity risk, you need to understand what data you hold, what infrastructure you are protecting, and so on. A data audit is a good place to start. A good data audit helps you understand the type and quantity of data your company stores and answers the following questions:
What data are you collecting?
Where is the data stored?
How is the data being protected?
How long are you keeping the data?
Once those questions (which are also the core of GDPR compliance) are answered, the next step is to define the parameters of your assessment. The following questions help steer that process:
Why are you carrying out the assessment?
What will a successful assessment look like?
Are there specific priorities or constraints that affect the assessment?
Who in the organization can provide needed information?
What risk model are we going to use for this analysis?
Now let's look at the steps needed to carry out this cyber risk analysis successfully:
Identifying threat sources
Recognizing threat events
Identifying vulnerabilities, weaknesses and the conditions under which they can be exploited.
Estimating the likelihood that such attacks succeed
Estimating the potential impact of such risks
Determining and communicating the resulting risk
After measuring the cybersecurity risks by following the above steps, you should be able to prioritize your responses to the risks you have identified.
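Here is an added example (not from the article) that walks the steps above for three constructed scenarios as a small quantitative risk model. Each scenario records a threat source, the annual probability of the threat event, the probability that it succeeds against current controls (the exploitability of the vulnerability), and the loss if it succeeds as a 90% confidence interval modelled as a lognormal distribution. A Monte Carlo simulation turns those inputs into an expected annual loss and a 90th-percentile year, which is what you prioritize on. Every figure is constructed; the model, the scales and the scenario names are assumptions for illustration.

```python
"""Added example, not from the original article: a small quantitative risk model
that walks the risk-analysis steps for three constructed scenarios. Each has a
threat source, an annual probability of the threat event, a probability that it
succeeds against current controls, and a 90% confidence interval for the loss if
it does (modelled as lognormal). Monte Carlo turns that into an expected annual
loss and a 90th-percentile year to prioritize on. All figures are made up."""
import math
import random
from dataclasses import dataclass

Z90 = 1.645   # z-score for the 5th / 95th percentiles of a normal distribution


@dataclass
class Scenario:
    name: str
    threat_source: str   # who or what is the threat source
    p_event: float       # likelihood: annual probability the threat event occurs
    p_success: float     # vulnerability: probability it succeeds given our weaknesses
    loss_low: float      # impact: 5th percentile of loss if it succeeds
    loss_high: float     # impact: 95th percentile of loss if it succeeds

    def lognormal_params(self):
        """Turn the 90% CI into the (mu, sigma) of a lognormal loss."""
        lo, hi = math.log(self.loss_low), math.log(self.loss_high)
        return (lo + hi) / 2, (hi - lo) / (2 * Z90)

    def implied_ci(self):
        """Sanity check: the lognormal should give back the interval we put in."""
        mu, sigma = self.lognormal_params()
        return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)

    def expected_annual_loss(self):
        """Closed form: P(event) * P(success) * E[loss], E[loss] = exp(mu + sigma^2/2)."""
        mu, sigma = self.lognormal_params()
        return self.p_event * self.p_success * math.exp(mu + sigma ** 2 / 2)


def simulate(scenario, years=20000, seed=7):
    """Monte Carlo over many simulated years; returns (mean loss, 90th pct loss)."""
    rng = random.Random(seed)
    mu, sigma = scenario.lognormal_params()
    losses = []
    for _ in range(years):
        loss = 0.0
        if rng.random() < scenario.p_event and rng.random() < scenario.p_success:
            loss = rng.lognormvariate(mu, sigma)
        losses.append(loss)
    losses.sort()
    return sum(losses) / years, losses[int(0.9 * years)]


def prioritize(scenarios, **simulate_kwargs):
    """Rank scenarios by simulated mean annual loss, highest first."""
    rows = []
    for s in scenarios:
        mean, p90 = simulate(s, **simulate_kwargs)
        rows.append((s.name, round(mean), round(p90)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed scenarios: threat source, event likelihood, success probability, loss CI.
SCENARIOS = [
    Scenario("Phishing leads to mailbox takeover", "external criminal", 0.60, 0.30, 20_000, 300_000),
    Scenario("Public storage bucket exposes customer PII", "misconfiguration", 0.25, 0.80, 100_000, 2_000_000),
    Scenario("Unpatched server hit by ransomware", "commodity malware", 0.30, 0.20, 50_000, 5_000_000),
]

if __name__ == "__main__":
    for name, mean, p90 in prioritize(SCENARIOS):
        print(f"{name:45s} EAL {mean:>10,}  90th-percentile year {p90:>12,}")
```

Two things the output shows that a likelihood-times-impact heat map hides: the simulated mean converges on the closed-form expected annual loss, which lets you check the simulation, and the ransomware scenario has a higher expected annual loss than the phishing one yet a 90th-percentile year of zero, because it is rare but catastrophic. Both numbers are needed to decide where to spend.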