LRQA Nettitude Blog

74% of organisations lack a cyber incident response plan, according to Ponemon Institute. This is an incredible figure given most boardrooms would cite cyber-attacks as the biggest risk to their business. Quite often, leaders do not know where to start when it comes to cybersecurity. With the risk feeling widespread, where do you focus your resources?

A documented cyber incident response plan is a must for every business. Having this in place will accelerate your response to a significant attack and minimise damage, and it is not as complex as you think to create one.

Effective cybersecurity relies on your team being alerted to potential issues within your systems and networks. However, the sheer number of alerts generated by improperly configured cybersecurity technology and frameworks causes analysts to develop alert fatigue, as countless false positives and minor issues lead to significant disruption and distraction.

With so many potential threats and a limited number of resources, it can be difficult to prioritise which alerts to investigate. As a result, your team may become overwhelmed and start to ignore or dismiss potentially serious threats. In addition, constantly responding to false positives can take valuable time away from other tasks, such as investigating potential incidents. So, what can we do to resolve the challenging problem of alert fatigue?

Many organisations struggle to quantify the full extent of their threat landscape and attack surface. This is compounded by issues surrounding vulnerability prioritisation, which has become a problem. It causes headaches due to several factors such as cost, disruption, and time. Organisations, therefore, need to start adopting a risk-based approach to influence where effort should be invested to reduce the attack surface and the risk posed to the organisation.

Organisations need to start asking themselves what might happen if an asset were to be compromised: what information does that asset hold and what problems could that cause to the organisation if it was suddenly unavailable (or worse stolen) and in someone else’s hands? This approach helps with the plight of remediation, but it’s not enough.

If you do not know your risks, how can you be safe? This reality is prompting many businesses to set up regular vulnerability scanning to defend against cybercrime.

A 2021 cybersecurity report by the UK Government states that 39% of UK businesses reported a security breach in the last 12 months. Apparently, 21% lost money, data, or assets. The risk is real and 77% say it is a huge priority for directors.

Cybercrime can be indiscriminate. Whatever size your business is, you need to know how to scan for network, system, and website vulnerabilities that leave you open to attack.

In today’s increasingly connected world, it can be challenging to keep on top of your organisation’s cyber-risks. You might have insufficient resources and knowledge to achieve this in-house, yet you appreciate it’s vital to remain one step ahead of cyber-attackers.

Vulnerability management and scanning provide total visibility of your organisation’s risk, helping you react to weaknesses before damage is done.

Information Vs Intelligence

The cybersecurity industry can be awash with various terms, three-letter abbreviations, and jargon which is used incorrectly. This sets the wrong expectations and outcomes.

We are referring to Cyber Threat Intelligence (CTI), Open-Source Intelligence (OSINT), Social Media Intelligence (SOCMINT), Human Intelligence (HUMINT), and Technical Intelligence (TECHINT). All have a common theme running through them: the term intelligence. It is an industry buzzword that is designed to generate intrigue, resonate around boardrooms, and make practitioners of the varying disciplines walk ten feet tall.

There is however an underlying issue with at least three of those disciplines; the data they produce is arguably classed as information rather than intelligence, and commonly they are the terms used to aggregate collection capability rather than a polished end product. There is a clear difference between information and intelligence.

Imagine you have had a data breach and your only support is Google. That’s an increasingly common story. So, let’s rewind and consider how organisations can get into this situation, highlighting potential oversights that could make a risky situation dire.

What is Cyber Threat Intelligence (CTI) and why should you use it?

There is a common misunderstanding as to what Cyber Threat Intelligence is. Many think it‘s a buzzword or just simply raw outputs from data feeds and dark web monitoring. This couldn’t be further from the truth and isolating its use in this area could result in minimal output and value.

What is File Integrity Monitoring (FIM)?

File Integrity Monitoring (FIM) is a control or process that compares the current state of operating system and/or application software files against a known baseline to validate the integrity of the files (i.e. looking for inconsistencies).

The integrity verification uses a cryptographic hash function to calculate an initial checksum of a file, which is then compared with a newer calculated checksum of the current state of the same file. In essence, a checksum is a small block of data that is derived from another block of data.

Too many organisations risk cyberattacks via enabled legacy code they do not need. The warning comes in the wake of Nettitude’s cybersecurity team discovering a second high-risk vulnerability in Microsoft’s VPN protocol.

The vulnerability, called CVE-2022-23270, formed part of Microsoft’s 10th May Patch Tuesday release. Everyone should install it as quickly as possible.