Every day, news of another data breach hits the headlines. Malicious actors target business and government IT systems for financial or political gain. Most recently, attackers compromised approximately 400 GB of United Nations data after gaining access to IT systems in the organization’s Geneva and Vienna offices. Although a large share of data breaches originate with a third party, nearly every organization also sits in the middle of a supply chain: almost every business today is someone else’s third- or fourth-party vendor. Cybersecurity monitoring is therefore more important than ever to your organization’s continued financial stability.
What are the costs of a data breach?
Reports of data breach costs vary depending on how each report defines the costs. More importantly, data breaches account for only a portion of the security events that occur. A data breach involves the exfiltration, or unauthorized acquisition, of data. A security event is broader: it often involves unauthorized access to systems, software, or networks without any data necessarily being taken.
When determining the value cybersecurity monitoring brings to your organization, you need to think not only about the “hard” costs of a data breach but also the “soft” costs that arise from a data security incident.
Data breach costs
In 2019, Accenture released its “Ninth Annual Cost of Cybercrime Study,” which detailed the costs arising from attacks in which malicious actors exfiltrated information. The report provided the following statistics:
- $13 million: the average annual cost of cybercrime per organization in 2018
- 12%: the increase in the average cost of cybercrime from 2017 to 2018
- 72%: the increase in the average cost of cybercrime over the last five years
Notably, the report defines a “successful attack” as one that infiltrates a company’s core network or enterprise systems, and its cost figures include discovery, investigation, containment, recovery, information loss or theft, business disruption, and equipment damage. It specifically excludes the costs of attacks that a company’s firewall stops.
Data security incident costs
Although the Accenture report incorporates a wide variety of costs, it focuses on successful cybercrimes. The NetDiligence Cyber Claims Study 2019 Report provides additional insight into the overall costs of cybersecurity incidents.
The Cyber Claims Study’s data differs from the Cost of Cybercrime report’s because it comes from organizations that filed cyber insurance claims.
Basing the data on insurance claims means the report includes events that fall under policy coverage but may not rise to the level of exfiltration. For example, the report compares the costs of “recordless” claims, in which no records were exposed, against those of claims involving “exposed records.”
- 39%: the percentage of claims arising from “recordless” events
- 63%: the growth in the share of claims that were recordless
- 90%: the percentage of recordless events arising from social engineering, business email compromise, banking fraud, and ransomware
- $216,000: Average cost of a recordless event for large enterprise
- $87,000: Average cost of a recordless event for a small- or mid-size organization
While the actual costs of recordless claims are significantly lower than those tied to exposed records, these claims are not counted at all in the Cost of Cybercrime figures. These numbers are also the average cost of a single recordless event; an organization can suffer several in a year.
What threat vectors do malicious actors target?
Open or poorly secured network ports offer a low-effort, high-return threat vector for most malicious actors. A port is a numbered TCP or UDP endpoint on which a service listens, and every service a device exposes, from a networked printer to an on-premises file server, listens on one or more of them. Even when the device sits inside your physical building, a port reachable from the internet (or from any untrusted network segment) is an entry point into the host behind it, because ports are how devices “talk” to one another.
Why do malicious actors target ports?
Ports provide an electronic entryway into your systems, software, and networks because they are where the two-way communication paths that carry data are established. Attackers who find a listening service with a known vulnerability or weak credentials exploit it to run code on the device, install malware or ransomware, and then use the same kinds of ports (file sharing on 445 or SSH on 22, for example) to spread to other devices on the network.
Some ports also provide the exit route. After gaining access to your data, attackers still need a way to get it out. Where outbound traffic on common ports is allowed without inspection, attackers compress or encrypt the data, send it to servers they control over an allowed port such as HTTPS (443) or DNS (53), and decode it on the other side.
The primary problem with ports is that securing what listens on them is the organization’s responsibility. Unfortunately, organizations often leave services running with vendor-supplied default passwords or out-of-the-box configurations. Since attackers know those defaults and the published vulnerabilities in the underlying services, misconfigured or unnecessary open ports become a threat vector.
What are the most commonly targeted ports?
Understanding the most commonly targeted ports tells you where to look first. Once you know which services are exposed, you can close unneeded ports and reconfigure the rest to mitigate data breach risk.
The 2019 Data Breach Investigations Report notes, in its appendix, some of the ports malicious actors most often use in targeted attacks:
- cLDAP (389)
- DNS (53)
- NTP (123)
- SSH (22)
- Telnet (23)
- HTTP alternate (8080)
- SMB (445; often labeled NetBIOS, although NetBIOS itself uses ports 137 to 139)
- Dell OpenManage (1311)
As with all research, the Data Breach Investigations Report gives a snapshot. These ports may have been the most commonly targeted during the study period, but attackers continuously evolve their methods and target other ports as well, so a current inventory of your own exposed services is worth more than any fixed list.
Continuous cybersecurity monitoring for defense in depth
Continuously monitoring your security controls, with the help of artificial intelligence and machine learning, gives you near-real-time visibility into new risks. Defense in depth is a security controls model that layers multiple defensive practices over one another so that if one protective control fails, others still stand behind it. Without monitoring, however, you cannot tell which layers have failed, so you may struggle to keep a defense in depth strategy working.
Suggestions for creating a defense in depth strategy for ports
As part of a defense in depth strategy against attackers targeting ports, you should continuously monitor for:
- Unused or unexpected open ports
- Host-based firewall coverage and rules
- Network-based firewall coverage and rules
- Port-level traffic filtering
- Strong passwords on every exposed service
- Access controls
- Regular penetration testing
While all of these suggestions seem simple, your interconnected IT infrastructure complicates them. For example, every added device adds listening ports, so you need to scan for unused ports continuously rather than once. Firewalls control the way traffic flows across your network, but rules written in terms of ports alone give you little visibility into, or control over, which applications are actually using them.
Cybersecurity monitoring enhances defense in depth strategies
Continuously monitoring the effectiveness of your controls is the only way to ensure that your defense in depth layers actually protect your data. Three of the primary controls against a data breach (closing unused open ports, host-based firewalls, and network-based firewalls) often depend on manual processes and review to stay effective.
What does cybersecurity monitoring do?
Unused open ports often go unnoticed because organizations lack the capability to scan their networks continuously. Digital transformation means you add and remove services regularly, and each change can open a new port or leave one behind. Tracking those ports manually quickly becomes overwhelming, creating a human-error risk that can lead to a data breach.
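To make the “continuously scan for unused open ports” point concrete, here is an added Python example (not part of the original article and not SecurityScorecard’s code) that compares successive scan snapshots against an approved-services inventory, reports what opened or closed since the last scan, and flags unapproved ports that stay open across scans. The hosts, ports and dates are constructed sample data; the high-risk set is the DBIR port list from earlier on the page.

```python
"""Port-exposure drift across scan snapshots, against an approved-services inventory.

All hosts, ports and dates below are constructed sample data, not real scan output.
"""

# What each host is supposed to expose (constructed inventory).
APPROVED = {
    "web-01": {443},
    "jump-01": {22},
    "dc-01": {53, 389},
}

# Weekly external scan results: host -> open TCP ports (constructed). A printer
# appears in the third week that nobody added to the inventory.
SNAPSHOTS = {
    "2020-01-06": {"web-01": {443}, "jump-01": {22}, "dc-01": {53, 389}},
    "2020-01-13": {"web-01": {443, 8080}, "jump-01": {22}, "dc-01": {53, 389}},
    "2020-01-20": {"web-01": {443, 8080}, "jump-01": {22, 23},
                   "dc-01": {53, 389, 445}, "print-01": {23, 9100}},
}

# The commonly targeted ports from the DBIR list above (1311 assumed for Dell OpenManage);
# any other unapproved port is rated medium.
HIGH_RISK = {389, 53, 123, 22, 23, 8080, 445, 1311}


def exposures(snapshot, approved):
    """Open ports per host that are not in the approved inventory (unknown hosts: every port)."""
    out = {}
    for host, ports in snapshot.items():
        extra = set(ports) - approved.get(host, set())
        if extra:
            out[host] = extra
    return out


def drift(previous, current):
    """Ports that opened or closed on each host between two snapshots."""
    report = {}
    for host in sorted(set(previous) | set(current)):
        before, after = previous.get(host, set()), current.get(host, set())
        opened, closed = after - before, before - after
        if opened or closed:
            report[host] = {"opened": opened, "closed": closed}
    return report


def persistent_exposures(snapshots, approved, min_scans=2):
    """(host, port) pairs unapproved in at least min_scans consecutive snapshots, i.e. nobody closed them."""
    streak = {}
    for day in sorted(snapshots):
        seen = {(h, p) for h, ps in exposures(snapshots[day], approved).items() for p in ps}
        streak = {k: streak.get(k, 0) + 1 for k in seen}  # the streak resets for anything not seen
    return sorted(k for k, n in streak.items() if n >= min_scans)


def alerts(snapshots, approved):
    """Prioritised alerts for the newest snapshot: (severity, host, port, status), high first."""
    days = sorted(snapshots)
    latest = snapshots[days[-1]]
    new = drift(snapshots[days[-2]], latest) if len(days) > 1 else {}
    out = []
    for host, ports in exposures(latest, approved).items():
        for port in sorted(ports):
            severity = "high" if port in HIGH_RISK else "medium"
            fresh = port in new.get(host, {}).get("opened", set())
            out.append((severity, host, port, "new this scan" if fresh else "still open"))
    return sorted(out, key=lambda a: (a[0] != "high", a[1], a[2]))


if __name__ == "__main__":
    for severity, host, port, status in alerts(SNAPSHOTS, APPROVED):
        print(f"{severity:<6} {host}:{port:<5} {status}")
    for host, port in persistent_exposures(SNAPSHOTS, APPROVED):
        print(f"left open for 2+ scans: {host}:{port}")
```

The inventory is the important part: without a record of what each host is supposed to expose, a scanner can only tell you what changed, not what is wrong. Feeding each new scan through this comparison turns “someone should review the port scan” into a short list of specific hosts and ports, with the ones that nobody has closed for several scans called out separately.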
How cybersecurity monitoring locates weaknesses
Firewalls, meanwhile, require regular monitoring to confirm that they carry the most recent security patches. As with every other service in your organization, attackers continuously look for exploitable vulnerabilities in firewall software. If you fail to update a firewall promptly, you place your data at risk.
Cybersecurity monitoring solutions enable you to check your IT controls continuously. They examine what is observable from the internet, such as open ports and the software versions that exposed services announce in their banners, and alert you to new risks; many also offer remediation steps.
How to enhance defense in depth with cybersecurity monitoring
Your defense in depth strategy exists so that you always have a backup in case one control fails to protect you. However, you can’t rely on that backup control to protect your information indefinitely. Since attackers continuously evolve their strategies, the control that works today may not work tomorrow. For example, if your host-based firewall requires an update, you still have the network-based firewall as an additional security measure. While the network-based firewall maintains your security posture in the short term, leaving the host-based firewall unpatched compromises your defense in depth strategy by leaving one of the layers vulnerable. If attackers find a vulnerability in the network-based firewall before you patch the host-based firewall, you face a greater chance of being breached.
Cybersecurity monitoring provides visibility into these weaknesses so that you can maintain your defense in depth strategy continuously. Maybe you didn’t know that the host-based firewall needed a security update. Even if your overburdened IT department knew that the firewall required an update, they may not have recognized that it was a security patch that needed to be a first priority, since many updates do nothing more than improve the user experience or fix an insignificant bug. IT departments often become overwhelmed with alerts and unable to prioritize the most important ones.
Cybersecurity monitoring solutions both alert organizations to new risks and indicate the level of each risk. A low-risk update can wait; a high-risk update needs to be installed as soon as possible. When IT departments have the right tools, they can better secure your information.
How SecurityScorecard’s cybersecurity monitoring enables defense in depth strategies
SecurityScorecard’s security ratings platform continuously scans the internet for information across ten groups of risk factors, including IP reputation, DNS health, patching cadence, web application security, network security, endpoint security, leaked credentials, hacker chatter, and social engineering. As part of our IP reputation risk factor, our sinkhole system reviews signals that indicate potential malware infections. Our endpoint security risk factor focuses on the devices connected to your network. Finally, both our network security and DNS health factors scan for misconfigurations that attackers can use to infiltrate your systems.
SecurityScorecard’s security ratings also indicate the level of risk. We use an A-F scoring system, applying it both to the organization and the individual risk factors. This provides organizations and IT departments with real-time insight into their security posture as well as their top priorities.
By looking into your security the way an attacker would, SecurityScorecard provides a way for you to measure your defense in depth strategy’s effectiveness.