A Threat You Could Not See, Does Not Mean It Is Not There

A Threat You Could Not See,
Does Not Mean
It Is Not There

WEME – Ts. Saiful Bakhtiar Osman

Home » Blog » When Experts Meet Experts (WEME) » A Threat You Could Not See, Does Not Mean It Is Not There

A Threat You Could Not See, Does Not Mean It Is Not There

The best security advice I got from a senior colleague of mine during my early years of working, “Simply because you couldn’t see the threat, doesn’t mean it’s not there.” The same applies to your organisation’s security infrastructure, whereby, if your tools were unable to detect any threats going through your environment, it does not confirm that your environment is threat-free.

In May 2021, Osterman Research came out with a White Paper on “How to Reduce the Risk of Phishing and Ransomware”. Among the key takeaways I can share here are as follows: 

  • Half of organisations believe they are effective at counteracting various phishing and ransomware threats. Of the 17 threat types we asked about in the survey, 37% of organisations believed they were highly effective at counteracting 11 or more of the threat types.
  • Only 16% of organisations reported no security incident types related to phishing and ransomware in the past 12 months. In other words, it is a widespread problem for most organisations.
  • Respondents indicated only mid-range confidence in the ability of various groups of employees to recognize phishing attempts through email and other channels. Confidence levels in the ability to recognize ransomware attacks were lower still.
  • The most effective mitigations against phishing attacks, from our research, are multi-factor authentication, security awareness training, and the ability to remove phishing messages from employees’ mailboxes. For ransomware, it is multi-factor authentication, rapid patching of vulnerabilities, and security awareness training. 
  • Best practices to reduce the risk of phishing and ransomware include focusing on significant root causes, not waiting to start, and making it harder for yourself.

The importance of signature or pattern updates

No matter how strong the Endpoint Security protection software you bought for your organisation, it is rather useless without a consistent signature or pattern updates. During the old days, all devices reside on premise, and it was easier to deploy Endpoint Security signature updates centrally from the server to all devices. The IT has more control and is able to contain or react to any threats faster and more effectively.

In today’s world where a hybrid environment comes into place and we have a lot of staff working remotely away from the office, this has become an apparent challenge for IT to keep up. The most logical approach is to have a direct signature update from the Endpoint Security’s Cloud as it may get downloaded from anywhere with an internet connection. Hence, the frequency settings of an update and the availability of the devices to be connected to the internet plays a very important role.

It is very important to have the signature or patterns being updated to the latest because the Endpoint Security could not protect against something that it could not recognise. The threats are real. Even now, it would take about 24 to 36 hours for an Endpoint Security Protection company to come out with the signature to detect and fight against a newly emerged Virus or Malware. All the devices are left vulnerable during this period as the threat can easily penetrate because the current version is unable to recognise it as a threat nor take any reactive action to combat it. 

You just imagine the impact should any devices in your environment be lagging weeks behind on the signature updates. This scenario would be true for cases where sales staff goes for leave, cases where devices are unattended due to resignation, mobile workers working only on spreadsheets and seldom connecting to the internet, etc. You would need to anticipate all these scenarios and come out with an easy-to-follow SOP so that the device is not left vulnerable which may result in impacting your organisation’s security posture.

Go beyond the normal Endpoint Security protection

endpoint security

The technology has evolved quite well to keep up with the rapidly emerging threats. Now we have what they called the Next-Gen Antivirus (NGAV) or algorithm-based protection that we could choose to protect our organisation. Even there are renowned IT Security players out there who claimed that their solution could cover end-to-end, personally I am still sceptical and being conservative to put all my eggs into one basket. It may be too risky to take that approach based on my point of view.

You may opt to add another layer of protection within your organisation and go for this NGAV solution provider. As discussed earlier, the disadvantage of a traditional Endpoint Security software is that all our devices would be left vulnerable in between a new Virus/Malware emerging and the Endpoint Security to come out with a specific signature/pattern for this. To make the matter worse, your devices were not updated on time even after the new signature was released.

How this NGAV works is that it will learn and copy all your settings and register it as good. Subsequently, the algorithm-based will protect your system and registry settings from any attempts of tampering or changing from unknown resources. One of the key characteristics of a Malware is to change your system settings to expose it to future undetected penetration or data leaks. Hence, it is very important to make sure the device is clean and safe before installing an NGAV. If the PC or laptop is already compromised, then NGAV would just be protecting an already corrupted setting which defeats the entire purpose of having an NGAV.

The NGAV shall act as an additional layer of IT Security to protect your organisation against a Zero-Day Attack. This is considered a preventive protection because it protects your devices settings and registry from any malicious changes. NGAV would complement the traditional Endpoint Security protection by manning the fort while waiting for a specific signature or pattern being produced to combat and contain the threats. However, as I mentioned, it is a double-edged sword, and you must make sure of the hygiene of your device’s system before implementing the NGAV.

Also read about: Is Antivirus Enough to Protect My Data?

Strong filtering and threat mitigation

Recently, I participated in a free assessment campaign for an email filtering solution. I was very confident of what I’ve already got for my organisation, but then again, a free assessment would not hurt to confirm my belief. What I already have is a complete solution package that comes together with the Cloud Infrastructure solution. However, it came to my surprise that it took only 14-days of this assessment to show us that there were a lot of phishing emails and even malicious attachments that were able to slip through our current email filtering defence. Even the Management was surprised by this report and decided to have this solution as an added layer of security to reinforce our overall IT security protection.

This relates back to what I said earlier, just simply because your tools were unable to detect any threats, it does not mean the threats are not there. I put quite an emphasis on email filtering capabilities because it is one of the methods that perpetrators would use to send out the Ransomware exploits into an organisation. We should always be vigilant and keep on a lookout for new tools that may complement the existing setup of our organisation.

Another good tool that I would like to highlight is the web and email filtering tools that come with a Sandbox isolation capability. In the beginning, you would receive a lot of complaints from users because of too much filtering that may affect the delivery of the email or the browsing experience. However, once it stabilises and works at the optimum level, you would enjoy a worry-free protected environment. How this tool works is that all web browsing requests and email (incoming and outgoing) would be channelled to this tool’s Sandbox. 

All the attachments will be stripped off and only links be provided in the email to the recipients. Subsequently, if the user needs to open the attachment, it will be detonated in the Sandbox itself and eventually safeguards your environment from any threat. It doesn’t matter if the attachment is genuine or malicious, all these attachments will only be opened in the Sandbox. Similar to web browsing, all the harmful pop-ups or malicious code execution, will be executed in the Sandbox while leaving the users with a lightweight browsing.

Strengthen the human factor

I could not stop myself from repeating again and again on the importance of End User education. Not only because of the ever-growing threats that we must face every single day, but also because there are no permanent users in an organisation. People join and leave the organisation all the time, and it is important that the same level of awareness is exposed to all the staff, old and new.

The standardisation is very important because the staff, especially the new ones, came from a different background and company. They need to be consistently reminded on what is the best IT Security currently being practised in our organisation. As for the existing staff, they would need a refresher and continuous updates on the latest threats behaviour.

Apart from the above, we need to also train and upskill all our IT staff so that they are competent enough to counter any emerging threats. IT Training should be considered as part of manpower planning as IT staff is also the employee of an organisation. What happened in most organisations before is that IT Training is parked under IT Budget which would put IT in a disadvantage should the overall IT Budget get reduced. Another factor is the old belief that if you train the IT staff, then they will leave for another job. The stigma is wrong because if you don’t train them and they end up staying, you will only have a bunch of outdated and unskilled staff to support the organisation.

Keep an open mind, always…

Always keep an open mind, even if you are currently working as a CIO of a huge company and have the luxury of getting the best solutions money can buy. The technology is evolving and even a start-up could offer a great solution to compliment your overall IT Security infrastructure. Never look down on any solutions being brought up to your attention by thinking that what you already have is world class and not comparable to others.

Catch When Expert Meets Expert by Ts. Saiful Bakhtiar Osman articles every bi-weekly Tuesday. Don’t forget to subscribe to stay connected. You are also encouraged to ask questions and seek advice from him.

Share this post

Related Posts

Cybersecurity translated into golf terms with Tony Smith

Cybersecurity: Achieving the ‘Hole-in-One’ of Digital Defence

Discover the connection between cybersecurity and sports with Tony Smith, Regional VP at WithSecure. Let’s achieve the ‘Hole-in-One’ of Digital Defense.

Read more

Beware of Scare Software aka Scareware

What is Scare Software or Scareware? Learn more about this Social Engineering technique that aimed to scare the victim with ArmourZero mentor Eugene Chung.

Read more

Job Hunting Tips for IT Graduates

Job Hunting Tips for IT Graduates

The job market is tough and competitive. Learn some tips on how to do job hunting for IT graduates from ArmourZero’s mentor and expert Ts. Saiful Bakhtiar.

Read more

Tips to Successfully Sell a Credible Cybersecurity Solution

How do Cybersecurity sales convince prospects to trust their services and/or products? Learn more about it from ArmourZero’s mentor and expert Eugene Chung.

Read more