Defense in Depth Cyber Security

It’s no secret that, with most IT applications now hosted in the cloud, a layered defense strategy (Defense in Depth) is essential to keep today’s systems safe. Yet only now, in the face of recent cyber threats, may organizations be ready to act on these best practices.

Combatting the increased exploitation of software vulnerabilities with a layered Defense in Depth cyber security strategy

We all know that it’s important to eat well and get enough sleep, but we still grab quick meals and burn the candle at both ends all too often. It’s only when we’re faced with a health crisis that we commit to taking care of ourselves.

Similarly, it’s no secret that, with most IT applications now hosted in the cloud, a layered defense strategy (Defense in Depth) is essential to keep today’s systems safe. Yet only now, in the face of recent cyber threats, may organizations be ready to act on these best practices.

Over the past quarter, our Cyber Services team has seen an uptick in network attacks. In the US specifically, many of these have been driven by cloud-based software vulnerabilities. And with recent supply chain attacks on the rise world-wide, the access opportunities available to hackers are only increasing.

Cyber criminals are getting quicker at identifying vulnerabilities and using them to gain entry into networks. This means that organizations must work even harder to stay on top of these exposures – and to ensure that even if someone gains entry into their systems, multiple layers of defense are in place to prevent the worst outcome.

This quarter’s Cyber Security Snapshot takes a deep dive into the current exposures that are driving the need for a Defense in Depth strategy and lays out concrete suggestions for implementing your own layered security solution and data minimization practices.

Christian Taube
Vice President, Cyber Services (International)

The Current Risk Landscape

Phishing and software vulnerability exploitation are on the rise.

After a relatively quiet end to 2022, cyber incident frequency has skyrocketed in Q1 2023, with notable month-to-month increases in incidents.

Globally, phishing is on our radar again. Though this social engineering trend is not new, the heightened frequency is notable – and speaks to the need for greater diligence on the part of organizations and individuals alike.

In the US, claims data shows that incidents that start with an exposed software vulnerability are rising in frequency. As new critical vulnerabilities are exposed on hundreds of thousands of servers, there is growing likelihood that a hacker may gain access to your organization’s systems.

The Emerging Risk Landscape:

Cybercriminals are becoming more interested in supply chain attacks.

Hackers are now specifically targeting MSPs and cloud hosting providers, knowing that one successful compromise can give access to thousands of organization networks.

The Go Anywhere breach is one recent example. When the data hosting system was extorted and declined to pay, the hackers moved on to extorting their clients, aggressively calling and harassing employees of companies that use Go Anywhere’s services.

Similarly, software vendors are also being targeted. As an example, a 3CX employee downloaded trading software that contained malicious content, which gave a cybercriminal access to the 3CX network. From there, the threat actor introduced malware into 3CX software that was later downloaded from a legitimate website by 3CX customers.

The Solution:

Defense in Depth is an essential cyber security strategy for organizations of all sizes.

Assume that a cybercriminal can enter your network. What is in place to limit them and keep the risk contained?

Defense in Depth ensures that security is applied at all levels. This is an extension of the asset management discussion in a previous Snapshot.

Best practices for Defense in Depth that prevent cyber criminals from doing much damage:

  • Utilize endpoint detection and response (EDR)
  • Install security patches rapidly
  • Reduce number and usage scope of domain admin accounts
  • Limit users’ permissions and access
  • Harden security configurations of systems, applications and cloud resources
  • Segment your network using strict filtering rules
  • Implement secure backup solutions that prevent users from altering or deleting backups
  • Have a documented, properly tested disaster recovery plan

Looking Ahead:

Consider data minimization best practices in light of recent US data privacy legislation and GDPR guidelines.

The concept of data minimization – that you don’t have to protect what you don’t have – is a common principle of European privacy that has not until now been an American approach.

This principle puts the focus on data governance – being intentional about what data is collected. Rather than focusing only on how long to keep data, companies must consider whether they really need it in the first place.

This is not a control you need to pay to put in place – it’s just a matter of self-discipline, and can be reflected in organizations’ internal policies and project design principles.


A useful checklist for companies operating in the EU and/or holding data belonging to EU data subjects:

  • We only collect personal data we actually need for our specified purposes.
  • We have sufficient personal data to properly fulfil those purposes.
  • We periodically review the data we hold, and delete anything we don’t need.

“The exploitation of previously unknown vulnerabilities (known as zero-day vulnerabilities) is a key tactic that hackers are using to gain entry into systems and networks. When these tactics are successful, others quickly jump to imitate, leaving millions of unpatched systems at risk.”

“Other supply chain cases we’ve seen include one in France, where more than 100 client infrastructures were compromised and encrypted, and one in Spain, where the insured’s network was not encrypted, but their clients’ infrastructures were all encrypted over one weekend.”

Charlotte Triadou, Claims Manager, Paris Beazley

“Even with great security practices in place, companies also need the expertise of trusted expert partners. Beazley’s cyber services professionals are not only familiar with trends, but also with many cybercriminals and their behaviors. We can share our experience with insureds and advise accordingly.”

Alex Ricardo, Director, Alliances

“It is important for companies to ask themselves why they need the data they have collected. In addition to making sure that you gather only necessary information, you should periodically review the data you hold to ensure it is still relevant. Delete anything you no longer need.”

Nicholas Hickey, Cyber Services Manager, Toronto
