Losing the battle against the bad guys? Keep your software patched and defend against social engineering, and you might start winning a few Credit: Thinkstock It’s a rough number, but I’d wager that 99 percent of computer security risk in most organizations can be attributed to two root causes: social engineering and unpatched software.I’m not talking about pure numbers of success exploits, but overall impact. Many CISOs and threat intelligence analysts have told me that 100 percent of the biggest events at their company involved social engineering. Certainly, bad things enter your environment through other means, which is why we still need to secure our servers, encrypt our disks, and prevent physical intrusions. But in terms of the biggest impact, most organizations can tie those events to two root causes.Think about what that means. If your organization is like most, 99 percent of your current risk will be resolved if you address exactly two problems. Likewise, anything you do to address other problems accounts for 1 percent of that risk. If your own data analysis supports this assessment, then take a look at your allocated resources and see if they are aligned against these right threats in the right proportions.Shore up unpatched softwareDefeating this root cause seems to be simple. Patch your software! But if it were that simple, it wouldn’t be a top root cause stretching across two decades. The key to diminishing this risk is to identify the right software to patch and do it really, really well. The risk reducers I respect know the difference between the largest unpatched program in their environment and the unpatched program mostly likely to be exploited in their environment. A security expert knows there is usually a gulf between the two.For example, for many years, Microsoft’s Visual C++ Redistributable program, which is included with tens of thousands of applications, has been the most unpatched software—worse even than Oracle Java or Adobe Acrobat. The difference is that the Visual C++ Redistributable is hardly ever exploited. I’ve never heard of a single case of that happening. Why? Because for attackers to exploit it, they need to know it’s there, unpatched, in the first place—then create a specific exploit that attacks a vulnerability in each program running it. That could mean creating tens of thousands of different attack programs, and because most of those programs don’t run as services or browser add-ins, they would be far harder to detect.Instead, attackers target commonly unpatched programs that can be exploited using a single, predictable exploit. Hackers, like everyone else, would rather work less for greater impact rather than the other way around.To reduce exploitation of unpatched software, use your own data to determine which programs are most exploited successfully, then go about patching (or eliminating) those programs as best you can. You’ll be vastly more successful decreasing risk by patching the most exploited programs than by trying to patch everything perfectly.Defeat social engineeringSocial engineering comes in all shapes and sizes, from someone calling you on the phone to web or email phishing to trying to get you to reveal a logon credential or run a rogue program (for example, fake tech support). No panacea can prevent all social engineering attempts. But you need to mount a sustained defense.Start by training users to recognize social engineering attacks. You can create your own educational programs and content or use someone else’s: Internally created content can better address your organization’s specific needs, but it can be poorly done. Last week, I spoke to a security administrator of a big company who said his co-workers were more likely to click on a phishing email after their training and before. He wasn’t sure what was wrong with their internal training, only that it had a negative correlation and he had the data to prove it. Luckily, there are lots of fantastic external training companies. My personal favorites are Knowbe4 and PhishMe. Yet everyone knows training alone can’t provide a perfect defense. Some people will click anything sent their way no matter what you teach them. My favorite defense is to implement an enterprisewide two-factor authentication (2FA) program and get rid of passwords across the board. This isn’t easy, but as long as employees are required to have passwords, they can be easily phished out of them. With 2FA, an attacker can’t succeed in stealing the initial logon credentials without physical compromise or a sophisticated malware attack.Even if you defeat credential theft, you have to stop people from running rogue programs. Education can help, but you need more. Antimalware programs help detect and stop rogue programs, of course, but we all know they have accuracy limitations. I’m a huge fan of application control software (such as whitelisting programs), which I think will become far more pervasive in corporate environments than they are today. If you can’t use strict application control, then you have to do everything else, and everything else won’t be as good.Stopping social engineering could involve many possible strategies for your environment. It could mean defense in depth, increased security boundaries, assume breach defenses, and more. But if you are able to identify the most likely causes of social engineering and fix the unpatched software, you’ll be way ahead of the game. Related content news analysis DHS unveils one common platform for reporting cyber incidents Ahead of CISA cyber incident reporting regulations, DHS issued a report on harmonizing 52 cyber incident reporting requirements, presenting a model common reporting platform that could encompass them all. By Cynthia Brumfield Sep 25, 2023 10 mins Regulation Regulation Regulation news Chinese state actors behind espionage attacks on Southeast Asian government The distinct groups of activities formed three different clusters, each attributed to a specific APT group. By Shweta Sharma Sep 25, 2023 4 mins Advanced Persistent Threats Cyberattacks feature How to pick the best endpoint detection and response solution EDR software has emerged as one of the preeminent tools in the CISO’s arsenal. Here’s what to look for and what to avoid when choosing EDR software. By Linda Rosencrance Sep 25, 2023 10 mins Intrusion Detection Software Security Monitoring Software Data and Information Security feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Data and Information Security IT Leadership Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe