
Going beyond blaming the CISO

Joe Evangelisto at NetSPI explains how to foster enterprise-wide security and uncover internal network vulnerabilities


In recent years, Chief Information Security Officers (CISOs) have been held solely responsible for cyber-security breaches, often leading to high turnover rates and professional burnout.


However, the landscape has significantly evolved over the past decade. As cyberattacks frequently make headlines and organisations of all sizes become prime targets for digital threats, IT security has risen to the forefront of business priorities, demanding attention from the entire executive suite. 


The role of cyber-security has become a crucial business enabler, directly impacting organisations’ financial health and compliance status. Recent regulatory changes, such as the upcoming NIS2 directive, now require critical companies to implement comprehensive policies to manage and report on any cyber-security breaches. This development necessitates unprecedented collaboration between business and security leadership teams.


Security is no longer viewed as a momentary concern. To effectively counter the expanding attack surface and increasingly sophisticated threats, organisations must develop a proactive security culture that permeates every level of the company.


This shift is akin to the evolution seen in financial management, where budgetary responsibilities have been distributed across departments rather than centralised solely with the CFO. A similar transformation is underway in the realm of cyber-security, with accountability extending beyond the CISO to encompass all departments.


Today’s cyber-security challenges

To foster this company-wide approach to security, organisations must first understand the intricacies of today’s threat landscape. In our hyper-connected world, the digital footprint of businesses continues expanding, providing adversaries with numerous entry points into networks and systems.


The adoption of emerging technologies, particularly artificial intelligence, adds a layer of complexity to the threat landscape, posing challenges even to the most skilled of cyber-defenders. A recent study showed that over the last year, 75% of security professionals witnessed an increase in attacks, with an astonishing 85% attributing this rise to bad actors leveraging generative AI.


Software supply chain vulnerabilities have become a particularly alarming threat vector, as evidenced by high-profile incidents like the MOVEit and Log4j attacks, which affected individuals and devices alike. These breaches highlight how difficult it is to detect and mitigate risks that originate with third-party vendors.


However, an often-overlooked aspect of cyber-security is the significant threat posed by internal networks. A recent NetSPI report revealed the startling fact that internal networks have nearly three times more exploitable vulnerabilities than external networks.


The findings underscore the critical need for organisations to re-evaluate their security priorities. While external networks, exposed to the internet, are often prioritised for remediation due to their high risk, internal networks, ironically, harbour more vulnerabilities. This discrepancy arises because internal networks are larger and more complex, often containing legacy systems and unused protocols that remain enabled by default, creating multiple entry points for attackers.


One of the key reasons internal networks are more vulnerable is the widespread use of common network protocols such as Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol version 6 (DHCPv6), Link-Local Multicast Name Resolution (LLMNR), Multicast Domain Name System (MDNS), and NetBIOS Name Service (NBNS).


These protocols are typically enabled by default and may not be fully understood or even used by the organisations running them, making them prime targets for exploitation. Attackers can leverage these protocols to gain a man-in-the-middle position, leading to credential or sensitive data exposure, domain footholds, and privilege escalation. Moreover, unlike external interfaces, internal networks rarely enforce multi-factor authentication, making them more susceptible to compromise.


The report also highlights another critical issue: many internal networks are plagued by missing critical patches, such as the notorious MS17-010 vulnerability. Unpatched software with known security flaws is a beacon for attackers, providing them with direct paths to execute malicious code. In the fast-paced world of cyber-security, new exploits are regularly discovered, and outdated, unpatched software can quickly become the Achilles’ heel of an organisation’s security posture.  


Internal network vulnerabilities

To mitigate these risks, organisations must prioritise the hardening of their internal networks. This involves disabling unnecessary protocols like LLMNR and NBNS through Group Policy, which can significantly reduce the attack surface.


Additionally, enforcing strong password policies, including longer minimum length and account lockout thresholds, can help prevent attackers from easily guessing credentials. Organisations should also implement rigorous patch management processes to ensure that all critical vulnerabilities are addressed promptly.
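The hardening steps above (disabling LLMNR, mDNS and NBNS, closing the MS17-010 exposure, and tightening password policy) can be checked on a single Windows host with a short audit script. This is an added example, not code from the article or from NetSPI; it reads the registry values that the corresponding Group Policy settings write, uses SMBv1 being enabled as the indicator of MS17-010 exposure, parses English-language `net accounts` output, and uses a minimum password length of 14 as its own baseline rather than one the article specifies.

```powershell
# Added example: audit one Windows host for the internal-network weaknesses
# discussed in the article. Run from an elevated PowerShell session.
function Get-InternalHardeningFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast=0.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                              -Name EnableMulticast -ErrorAction SilentlyContinue
    if (-not $llmnr -or $llmnr.EnableMulticast -ne 0) {
        $findings.Add('LLMNR is not disabled by policy (EnableMulticast should be 0)')
    }

    # mDNS: EnableMDNS=0 under the Dnscache parameters turns off the Windows responder.
    $mdns = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' `
                             -Name EnableMDNS -ErrorAction SilentlyContinue
    if (-not $mdns -or $mdns.EnableMDNS -ne 0) {
        $findings.Add('mDNS is not disabled (EnableMDNS should be 0)')
    }

    # NBNS: NetBIOS over TCP/IP is configured per interface; NetbiosOptions 2 = disabled.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object {
            $opt = (Get-ItemProperty $_.PSPath).NetbiosOptions
            if ($opt -ne 2) {
                $findings.Add("NetBIOS over TCP/IP still enabled on $($_.PSChildName) (NetbiosOptions=$opt)")
            }
        }

    # MS17-010 is an SMBv1 flaw; an enabled SMBv1 server is the quickest exposure indicator.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb -and $smb.EnableSMB1Protocol) {
        $findings.Add('SMBv1 server protocol is enabled (MS17-010 attack surface)')
    }

    # Local account policy. The length baseline (14) is this example's choice, not the
    # article's; the parsing assumes English "net accounts" output.
    $acct    = net accounts
    $minLen  = [int](($acct | Select-String 'Minimum password length') -replace '\D', '')
    $lockout = ($acct | Select-String 'Lockout threshold') -replace '^.*:\s*', ''
    if ($minLen -lt 14)        { $findings.Add("Minimum password length is $minLen (example baseline: 14)") }
    if ($lockout -match 'Never') { $findings.Add('Account lockout threshold is not set') }

    return $findings
}

Get-InternalHardeningFindings | ForEach-Object { Write-Output "[!] $_" }
```

An empty result means every check passed on this host; in a domain, the same values should be confirmed through the Group Policy objects that deploy them rather than host by host.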


Beyond these technical measures, fostering a culture of continuous improvement in cyber-security is vital. Organisations must regularly conduct internal network assessments, using the findings to refine their security strategies. This proactive approach not only helps identify and remediate vulnerabilities but also strengthens the overall security posture of the organisation.


Top leadership to the frontline

The expanding attack surface has turned cyber-security into an urgent 'all-hands-on-deck' mandate. While the CISO will always remain a pivotal figure within an organisation, effective security now requires a comprehensive approach endorsed by the entire executive team. This includes CEOs ensuring security prioritisation, CFOs allocating appropriate resources and finances, and CIOs maintaining open lines of communication with security teams regarding potential high-risk applications.


Cultivating a security-first culture within an organisation demands a top-down strategy that involves every member, from the executive suite to the operational staff. In addition, developers and IT personnel must incorporate security considerations throughout the entire development lifecycle, embracing the concept of 'shifting left' in security practices. However, security awareness must extend beyond technical teams to include all employees and even customers.


Employee training plays a crucial role in this cultural transformation. From the very beginning, employees must be taught fundamental security practices and how to recognise phishing attempts. Regular, evolving training sessions serve as a critical defence mechanism against human error and negligence.


Furthermore, organisations should extend cyber-security education to their customers, or at the very least, maintain transparency regarding data breach procedures to mitigate reputational risks.


Beyond individual awareness, cyber-security itself demands a comprehensive and ongoing strategy. Given the complexity and the number of exploitable vulnerabilities within internal networks, continuous internal testing and network audits become indispensable. Organisations need a continuous cycle of testing and improvement to enhance their overall security stance.


Rapid advances in cyber-security have refined the role of the CISO. No longer just the chief security officer, today's CISO must serve as an interdepartmental leader, managing the organisation's comprehensive security framework. With cyber-threats becoming more sophisticated and the attack surface expanding, it has become evident that CISOs cannot independently prevent or predict all potential threats.


Achieving a secure future necessitates the concerted effort of the entire organisation, including external partners, working towards the common goal of robust cyber-security.


Joe Evangelisto is CISO at NetSPI 


Main image courtesy of iStockPhoto.com and skynesher

