We’ve written before about what it means to meet compliance standards without going completely overboard. Today, we want to talk about how that applies to cloud security as well. Some teams mistakenly believe that their security posture needs to be absolutely perfect. That’s not only overwhelming — it’s impossible.
More to the point, the reality of today’s security landscape is that cybercriminals are always looking for the path of least resistance. If company A has reasonably good security safeguards in place and company B does not, criminals aren’t going to waste resources poking at company A until they find a weakness. They’ll go after company B.
This is why we tell organizations that, when it comes to security, perfect can often be the enemy of good. Rather than trying to make your organization perfectly airtight, it’s time to focus on making your company as unappealing an attack target as possible. Here’s how.
Understand How Hackers Think
Criminals want the best returns with the least amount of effort. You can see this in the rise of ransomware-as-a-service. RaaS is basically a franchise model for ransomware, such that criminals with little technical expertise (or those who just don’t feel like DIYing) can run ransomware attacks without having to build anything from scratch. This has led to a sharp increase in ransomware attacks, as you might imagine.
The best thing about ransomware attacks, from a criminal’s perspective, is that it often costs less for a company to pony up than it does for them to clean up an attack. Even better, criminals can often hit the same company multiple times. If the company paid up once, they may very well pay up again.
Another common low-effort tactic is automated exploitation tooling: exploit kits and mass scanners that fingerprint internet-facing systems for known, unpatched vulnerabilities and then attack the organizations that have not addressed them. Because this tooling is automated and relatively easy to use, it too has proliferated. It generally doesn’t target new, rare, or hard-to-find vulnerabilities. It goes after the obvious ones, because those require the least effort to exploit.
You might be sensing a trend here: Cybercriminals like to take the path of least resistance. There’s plenty of money to be made going after organizations with major gaps in their security postures, so why bother with reasonably well-secured infrastructure? The harder it is to crack a company, the more expensive it is for criminals. Their ROI goes down every time they have to work around a barrier.
So, unless attackers have a very specific end goal in mind (say, cyberespionage between nation states), odds are they will simply trawl around until they find an easy target. Your mission? Don’t be that easy target.
Ignore the Headlines
“But what about the Target and Anthem breaches?” you might be wondering. Here’s a good reminder: The headlines are just that. They are the biggest stories of the day. What rarely makes headlines are the common, low-level attacks directed at the average organization. Those are the ones you actually want to be concerned about, and the ones you should focus on defending against.
In other words, while zero-day threats seem like a scary problem that requires a solution, the reality is that very few organizations actually need to worry about them. It’s a lot more likely that a criminal will go after your Windows servers because you didn’t install a patch that’s been out for several months… Oops. By focusing your defenses on your own known gaps (unpatched systems, weak configurations) rather than on exotic external threats, you can cover a lot more ground. (We covered this topic in an earlier post, if you’d like to get into more detail.)
Prioritize and Address Vulnerabilities
So, where should you start?
Each company has its own security issues based, in part, on factors such as size, industry, compliance requirements, data, infrastructure, assets, etc. And you should take these into account when you analyze your needs.
However, before you go too much further, consider that a large share of companies running in the cloud today use AWS, and therefore a logical place to start improving your security is to assess how well your AWS environment is configured. If this sounds like an overwhelming task, a tool like Threat Stack’s Configuration Audit provides an automated way to quickly establish a security baseline: it compares the settings in your environment against AWS recommendations and the Center for Internet Security (CIS) AWS Foundations Benchmark. You can then modify the settings that fall short (an unused root account without MFA, a security group that exposes SSH to the whole internet, a bucket with a public ACL) to improve your organization’s security — and thereby avoid being low-hanging fruit for an attacker.
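To make that kind of baseline comparison concrete, here is an added example (not Threat Stack’s Configuration Audit, and not code from this post) that runs a handful of CIS-style checks over a constructed snapshot of AWS account settings and ranks the findings so the worst gaps get fixed first. The snapshot layout, the check identifiers, the severity numbers, and the sample resource names (`sg-bastion`, `backups`, the 203.0.113.0/24 documentation range) are all assumptions made for this example; a real run would build the snapshot from the AWS API instead of a literal. The weak snapshot is shown beside a hardened one so you can see what “fixed” looks like.

```python
"""Baseline configuration checks over a constructed AWS account snapshot.

Each check mirrors the intent of a CIS AWS Foundations Benchmark control:
root MFA, a logging multi-region CloudTrail trail, no admin ports open to
the world, no public S3 ACLs. The snapshot dict shape is an assumption for
this example (a real tool would populate it via boto3 describe_* calls).
"""
from dataclasses import dataclass

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
ADMIN_PORTS = {22, 3389}          # SSH and RDP: the ports mass scanners hit first
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}   # AWS predefined groups that mean "anyone"


@dataclass(frozen=True)
class Finding:
    check_id: str    # short identifier (naming is this example's, not CIS numbering)
    severity: int    # 1 = fix first, 3 = fix later
    resource: str
    detail: str


def check_root_mfa(snapshot):
    if not snapshot["iam"]["root_mfa_enabled"]:
        return [Finding("iam-root-mfa", 1, "root", "root account has no MFA device")]
    return []


def check_cloudtrail(snapshot):
    trails = snapshot["cloudtrail"]["trails"]
    if not any(t["multi_region"] and t["logging"] for t in trails):
        return [Finding("cloudtrail-multiregion", 2, "cloudtrail",
                        "no multi-region trail is currently logging")]
    return []


def check_open_admin_ports(snapshot):
    # A rule is a finding when it is open to the whole internet AND its port
    # range covers an admin port. "All ports" is modelled here as 0-65535.
    findings = []
    for sg in snapshot["ec2"]["security_groups"]:
        for rule in sg["ingress"]:
            world_open = rule["cidr"] in (ANY_IPV4, ANY_IPV6)
            covers_admin = any(rule["from_port"] <= p <= rule["to_port"] for p in ADMIN_PORTS)
            if world_open and covers_admin:
                findings.append(Finding("sg-open-admin-port", 1, sg["id"],
                    f"{rule['cidr']} may reach tcp {rule['from_port']}-{rule['to_port']}"))
    return findings


def check_public_buckets(snapshot):
    findings = []
    for bucket in snapshot["s3"]["buckets"]:
        for grant in bucket["acl_grants"]:
            if grant["grantee"] in PUBLIC_GRANTEES:
                findings.append(Finding("s3-public-acl", 1, bucket["name"],
                    f"ACL grants {grant['permission']} to {grant['grantee']}"))
    return findings


CHECKS = (check_root_mfa, check_cloudtrail, check_open_admin_ports, check_public_buckets)


def audit(snapshot):
    """Run every check and return findings, most urgent first."""
    findings = [f for check in CHECKS for f in check(snapshot)]
    return sorted(findings, key=lambda f: (f.severity, f.check_id, f.resource))


# Constructed sample: the "low-hanging fruit" account.
WEAK_SNAPSHOT = {
    "iam": {"root_mfa_enabled": False},
    "cloudtrail": {"trails": [{"name": "single", "multi_region": False, "logging": True}]},
    "ec2": {"security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": ANY_IPV4, "from_port": 443, "to_port": 443}]},
        {"id": "sg-bastion", "ingress": [
            {"cidr": ANY_IPV4, "from_port": 22, "to_port": 22},
            {"cidr": ANY_IPV6, "from_port": 0, "to_port": 65535}]},
    ]},
    "s3": {"buckets": [
        {"name": "backups", "acl_grants": [{"grantee": ALL_USERS, "permission": "READ"}]},
        {"name": "logs", "acl_grants": [{"grantee": "owner-canonical-id", "permission": "FULL_CONTROL"}]},
    ]},
}

# Constructed sample: the same account after the findings are addressed.
HARDENED_SNAPSHOT = {
    "iam": {"root_mfa_enabled": True},
    "cloudtrail": {"trails": [{"name": "org", "multi_region": True, "logging": True}]},
    "ec2": {"security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": ANY_IPV4, "from_port": 443, "to_port": 443}]},
        {"id": "sg-bastion", "ingress": [{"cidr": "203.0.113.0/24", "from_port": 22, "to_port": 22}]},
    ]},
    "s3": {"buckets": [
        {"name": "backups", "acl_grants": [{"grantee": "owner-canonical-id", "permission": "FULL_CONTROL"}]},
        {"name": "logs", "acl_grants": [{"grantee": "owner-canonical-id", "permission": "FULL_CONTROL"}]},
    ]},
}

if __name__ == "__main__":
    for f in audit(WEAK_SNAPSHOT):
        print(f"[sev {f.severity}] {f.check_id:<24} {f.resource:<12} {f.detail}")
    print("hardened findings:", audit(HARDENED_SNAPSHOT))
```

The web security group’s 443/tcp rule is deliberately left alone in both snapshots: a public web port is expected, and a baseline that flags every 0.0.0.0/0 rule produces noise that teams learn to ignore. The point of the severity ordering is the one the post makes: you will not close every finding at once, so the list should tell you which ones make you an easy target today.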
Once you have accomplished this, you can go on to identify and prioritize other areas where you can improve your security and then strategically tackle these over time. This is a realistic approach that takes into account the realities of limited organizational resources and criminals’ inherent laziness while you improve your security posture.
Crawl Before You Run
To plan your cloud security program, remember that you must crawl before you walk and walk before you run. Your goal should always be to focus on security measures that will demonstrably improve your security posture and thus make you an unappealing target for cybercriminals. It’s not possible to address every security concern at once — because no organization has unlimited time, talent, or resources. But you can focus on the security issues that most directly impact you, and take the steps that will make hackers take one look at you and say, “Next, please.”