Reducing the attack surface through vulnerability management

If we have to assume that the human vulnerability will be exploited sooner or later, the underlying IT infrastructure must be hardened accordingly and the attack surface consistently reduced.

Companies and organizations are under attack

There are already countless reports and papers on the human vulnerability and just as many offers to improve “awareness”. And yet, time and again, humans play the central role in significant security incidents in information technology.

Full-blown crises usually arise in situations where technical security gaps are added to human weaknesses. There are plenty of examples of this across all sectors and industries. Not only are companies threatened in their existence, but human lives are also endangered by attacks on the healthcare system. Well-known cases include Maersk, which had to operate in analog mode for weeks after a NotPetya attack and suffered millions in losses, and the Lukaskrankenhaus hospital in Neuss, which was the victim of a ransomware attack that paralyzed the entire hospital IT system for more than a month.

The good news is that although there is hardly an IT system that is free of vulnerabilities, technical vulnerabilities, unlike human weaknesses, can be effectively eliminated by appropriately technically supported processes.

The bad news is that human vulnerabilities can never be completely eliminated, despite extensive training programs.

Humans as an effective attack vector

From the point of view of a potential attacker, there are a number of human characteristics that make people such an effective attack vector, e.g:

Curiosity

Just one curiosity-driven click on a supposedly interesting link in a seemingly legitimate email is enough to infect your computer with malware. Common knowledge, but it still happens regularly.

Vanity and helpfulness

While many types of attack find their victims at random, the so-called CEO fraud (or CEO trick) is very targeted. The victims are spied out in advance using publicly available sources of information, making it easy to approach them directly via e-mail, but also via traditional mail or telephone.

The attacker appears to be a superior who asks for large sums of money to be transferred. The speeches are so well designed that they cannot easily be exposed as forgeries. But above all, the vanity and helpfulness of the victim play a very important role in this context: “I am talking to you because you are important, trustworthy and reliable.”

One of the most successful incidents of this kind to date occurred at Leoni AG in 2016. The damage amounted to €40 million.

Reciprocity

is regarded in the social sciences as a condition of being human. And what can be used effectively in marketing can also be applied to IT. “If you give me your password, I’ll solve the problem for you”. This explains why there are always cases where bona fide users are persuaded by a stranger on the phone to unlock a remote desktop session…

Reducing the attack surface through vulnerability management

So what to do?

If we have to assume that the human vulnerability will be exploited sooner or later, it is important to reduce the technical attack surface through vulnerability management and to harden the IT infrastructure accordingly.

The human vulnerability initially only compromises the individual system and may render it unusable, but it is the downstream technical vulnerabilities that enable the spread and cyber attack on the IT infrastructure of the entire organization.

There is hardly an IT system that is free of vulnerabilities. The requirement is therefore to identify vulnerabilities at an early stage, assess their relevance and eliminate them so that the spread of an attack can be nipped in the bud from the outset.

Effective vulnerability management process

To summarize, investing in awareness training for a security-conscious approach to IT makes sense, but will only provide the greatest possible security benefit if it is combined with an effective vulnerability management process. Components of this process are

  • detection
  • management
  • remediation

Would you like to find out more about effective vulnerability management? Get in touch with us! We support you in the seamless introduction of the appropriate technical infrastructure and the associated process. Without large start-up investments and without burdening your existing IT team.