Red Alert: Evolving cyber attacks are forcing businesses to stay vigilant
As I write this, news about the Equifax security breach is alarming pretty much every adult American. And HBO just experienced a massive data breach, the extent of which their forensic investigators are still scrambling to understand. This follows on a Netflix hack of this past April, the 2015 Sony hack, and other corporate attacks. Information security (infosec) experts and hackers seem to be in an arms race of measure and countermeasure. And the criminals are winning. That’s the nature of the battle: Law enforcement and the security establishment are usually a step—or five—behind as they try to defend against the latest malware or intrusion technology.
Small biz not off the hook
Your company probably lacks the data wealth of an Equifax or a Sony, and therefore probably won’t ever attract the firepower that professional cybercriminals bring to bear on large projects. Before you breathe too easily, however, remember that small-time cybercrooks have plenty of time—and plenty of incentive—to mess with your data. Hackers use virtual private networks (VPNs), cryptocurrency (bitcoin being the most well-known example), and other technologies to avoid being pinpointed. As a result, most are able to operate with near impunity. It’s the Wild West, and there’s no sheriff in town. If you want protection against an attack, well, it’s mostly going to be up to you to provide it.
So what’s a business owner or exec to do? Three things: “education, education, education,” says Eric Montague, president of data security firm Executech, based in South Jordan. “Most data breaches occur because users are not vigilant and don’t have security at the top of their mind.”
While the majority of us aren’t falling for the Nigerian diamond heiress who needs only a small cash advance to share her fortune, we can succumb to equally avoidable scams. It comes down to minimizing vulnerability on an individual level and also on an organization-wide scope.
Individual infosec precautions
When employees are using company networks and company hardware, individual security is corporate security. Consequently, a major component of infosec is simply getting personnel to follow practices that they should be doing already.
“Straight-out hacking by traditional methods is actually pretty tough and takes time,” Montague explains. “It is so much easier to trick uneducated or distracted users into giving you access in some form.”
Phishing, for example, is a form of social engineering that seeks to prompt an action from the person targeted by the scam; that action then gives the perpetrator some form of access that they shouldn’t have. Phishing scams have evolved significantly over the past couple of years and can be quite sophisticated. Phishers understand their victim’s psychology and play to greed, concern, or curiosity. Examples might include:
- An email purporting to be from your bank, asking you to “log in here” to verify a recent large withdrawal
- An email seemingly from your car dealership, offering a $200 gas card if you fill out a short survey
- An email pretending to be from Facebook, asking you to click a link to see a photo that a family member posted of you (the phisher may even use the family member’s name for an added sheen of legitimacy)
In each of these cases, a skilled phisher would use the logo of the relevant organization; at a glance, you’d never see anything amiss. And, in each scenario, the proffered link would lead to a carefully crafted page designed to plant malware, extract credentials or otherwise wreak sneaky havoc on your digital world.
Here are some ways to fight back:
Pay attention to URLs. Phishers can fake an organization’s website, but they can’t use the organization’s URL. Just remember that www.amazon-savings.com is not the same as www.amazon.com; www.realwellsfargo.com is not www.wellsfargo.com. Hover over any hyperlinked text to see what URL it directs to (note that mobile devices allow a user to touch and hold the link to similarly view the destination without clicking through). If the URL looks questionable, steer clear.
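The hover-and-compare check described above can be written down as a small script. This is an added example, not code from the article or from Executech; the allowlist of trusted domains, the verdict names and the sample links are constructed for the demonstration. It uses only Python’s standard URL parser and, beyond the article’s look-alike-domain cases, also catches the “user@host” trick, where a trusted name appears before an @ sign but the link actually goes to the host after it.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for the demonstration: the handful of domains the
# reader actually logs into. Maintained by hand, not fetched from anywhere.
TRUSTED_DOMAINS = {"amazon.com", "wellsfargo.com", "facebook.com"}


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname a link really points at, or None."""
    if "://" not in url:
        url = "http://" + url          # a bare 'www.example.com' has no scheme
    host = urlsplit(url).hostname      # drops userinfo, port, path and query
    return host.lower().rstrip(".") if host else None


def belongs_to(host: str, domain: str) -> bool:
    """True only when host is the domain itself or a subdomain of it.

    'www.amazon-savings.com' and 'amazon.com.evil.example' both fail here,
    which is exactly the distinction the article asks readers to make.
    """
    return host == domain or host.endswith("." + domain)


def trusted_domain_for(url: str) -> Optional[str]:
    """The trusted domain a URL's host belongs to, if any."""
    host = hostname_of(url)
    if host is None:
        return None
    for domain in TRUSTED_DOMAINS:
        if belongs_to(host, domain):
            return domain
    return None


def check_link(display_text: str, href: str) -> Tuple[str, Optional[str]]:
    """Classify a hyperlink the way hovering over it should let you do.

    Returns (verdict, real_hostname) where verdict is one of
      'ok'         - the link really goes to a trusted domain
      'unknown'    - not a trusted domain; only follow it if you typed it
      'suspicious' - the visible text names a trusted site but the link goes
                     elsewhere, or the URL hides its real host behind an '@'
    """
    host = hostname_of(href)
    parts = urlsplit(href if "://" in href else "http://" + href)
    if parts.username is not None:      # e.g. https://www.amazon.com@203.0.113.9/
        return "suspicious", host
    target = trusted_domain_for(href)
    mentioned = {d for d in TRUSTED_DOMAINS if d in display_text.lower()}
    if mentioned and target not in mentioned:
        return "suspicious", host
    if target is None:
        return "unknown", host
    return "ok", host


if __name__ == "__main__":
    # Constructed sample links in the spirit of the article's examples.
    for text, href in [("www.amazon.com", "https://www.amazon-savings.com/deal"),
                       ("Log in here", "https://www.wellsfargo.com/login"),
                       ("Click here", "https://www.example.net/survey"),
                       ("Verify your account", "https://www.amazon.com@203.0.113.9/")]:
        print(check_link(text, href), "<-", text, "->", href)
```

The key line is `belongs_to`: matching on the whole registered domain, with a mandatory dot before it, is what separates `www.amazon.com` from `www.amazon-savings.com` and `www.realwellsfargo.com`; a plain substring test would pass both look-alikes.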
Use multifactor authentication. Most major web platforms encourage this—Facebook, LinkedIn, the suite of Google services, etc.—because it’s highly effective. It works like this: You log in and it asks for a security code, which it texts to your phone (alternatively, it can send the code to your email). Without the code, nobody’s getting in. If a trusted site asks you to enable multifactor authentication, click yes.
Use strong passwords. The no-brainer, everyone-knows-it tip that surprisingly few follow. You don’t ever want to use the same password on two different sites/applications. Nor do you want to use common tricks (@ for a, ! or 1 for l, $ for S, etc.) in an otherwise weak password—if you do, it’s still a weak password. According to Eric Montague, your password must have, at a minimum “eight characters, at least one number, one symbol and one capital.” Too hard to remember? Don’t want a million passwords written down (a terrible idea anyway)? Use a password manager.
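Montague’s minimum (eight characters, a number, a symbol, a capital) and the article’s warning that “@ for a, ! for l, $ for S” does not rescue a weak password can both be checked mechanically. The following is an added example, not code from the article or from Executech; the substitution table and the short list of common words are constructed stand-ins for the much larger lists real password-cracking tools and breached-password services use. It undoes the common substitutions before looking the word up, which is why `P@$$w0rd!` passes every rule on the list and is still rejected.

```python
import string
from typing import FrozenSet, List

# Substitutions that make a weak password look strong. Undoing them before
# the dictionary lookup is what cracking tools do, so the checker does too.
LEET = str.maketrans({"@": "a", "4": "a", "!": "l", "1": "l", "|": "l",
                      "$": "s", "5": "s", "0": "o", "3": "e", "7": "t"})

# Constructed stand-in for a breached-password list (real ones hold millions
# of entries); the point of the check is the same for any such list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin",
                "iloveyou", "monkey", "dragon", "football", "summer"}


def dictionary_form(password: str) -> str:
    """Strip a trailing '2017!' or '1' and undo the substitutions,
    so 'Welcome2017!' and 'P@$$w0rd!' become 'welcome' and 'password'."""
    core = password.rstrip(string.digits + string.punctuation)
    return core.lower().translate(LEET)


def password_problems(password: str,
                      used_elsewhere: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the reasons a password is unacceptable (empty list = acceptable).

    The first four checks are the stated minimum; the last two catch
    dressed-up dictionary words and reuse across sites. `used_elsewhere`
    stands in for what a password manager knows about your other logins.
    """
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c.isupper() for c in password):
        problems.append("no_capital")
    if not any(c in string.punctuation for c in password):
        problems.append("no_symbol")
    if dictionary_form(password) in COMMON_WORDS:
        problems.append("dictionary_word")
    if password in used_elsewhere:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    for candidate in ["letmein", "P@$$w0rd!", "Welcome2017!", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'acceptable'}")
```

Note that the checker never stores the passwords it sees; in a real deployment the reuse check would be done inside the password manager, and the dictionary lookup against a breached-password list, not against a ten-word set.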
As noted, corporate infosec encompasses the individual best practices mentioned above—that whole weakest-link phenomenon—but also includes some executive measures:
Regular education sessions. Teach employees about personal cyber-smarts (see above). Also, Montague emphasizes, “employees need to be kept informed about common scams and security risks.” If businesses invest in educating employees and personnel about common scams and techniques, they can save themselves significant hassle and loss.
Computer lockout policies. Corporate computers should have a security precaution wherein a user must log in again after a specified period of inactivity. How long? “More than five minutes is too long in my book,” says Montague.
Eliminate shared logins. Each employee should have unique credentials.
Pay attention to MFPs. Multifunction peripherals are devices such as printer/fax/scanner machines that connect to the internet and/or internal networks. “These devices can be vulnerable to hacking as they typically have weak security protocols,” Montague says. He recommends companies “work with an IT specialist to individually secure these devices in their office.”
Wipe or shred hard drives. Usually, a company retires its used computers permanently; hence, shredding the hard drive is in order. Expensive MFPs, however, are often destined for a secondary market. Many companies are not aware that “a printer will store everything that has come through it,” Montague says. “Once it is resold, a criminal could get ahold of any information still on the printer simply by legally purchasing the used model.” He recommends working with a professional who knows how to thoroughly wipe the hard drive before resale.
Perform social engineering tests. Social engineering involves the manipulation of human behavior and deception to access privileged information or control of devices. Companies should perform their own social engineering tests to determine human vulnerabilities and address them. To ensure that these tests accurately reflect real-life attacks, an organization can use a third-party contractor specializing in social engineering penetration testing.
Firewalls. “A robust, active firewall will prevent most problems from entering a system before they can do any damage.” Do your research, however, and get a firewall that meets the needed criteria. “If you paid less than $500 for your firewall,” Montague advises, “you don’t have a firewall.”
Backups. “Chances are, you are going to get hit at some point, even with good security,” Montague warns, adding that “in most cases, the breach is just to cause havoc and destroy data.” With a good backup program, you can recover from such attacks. However, “backups must have historical data sets (i.e. daily, weekly, monthly etc.) or you do not have a backup.” Cloud services need backups too. “Don’t be fooled that having your data or email in the cloud means it is backed up.”
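Montague’s rule that a backup without daily, weekly and monthly history “is not a backup” is usually implemented as a retention rotation: keep every recent snapshot, then the newest one from each of the last few weeks and months, and delete the rest. The script below is an added example, not code from the article or from Executech; the tier sizes (7 daily, 4 weekly, 12 monthly) and the constructed run of daily snapshots are assumptions. It also counts the kept restore points by age band, so a zero in any band shows exactly the missing history the quote warns about.

```python
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set


def newest(values: Iterable[date], n: int) -> List[date]:
    """The n most recent dates (empty when n is 0; a bare [-0:] would keep all)."""
    return sorted(values)[-n:] if n > 0 else []


def retention_plan(snapshots: Iterable[date], today: date,
                   keep_daily: int = 7, keep_weekly: int = 4,
                   keep_monthly: int = 12) -> Set[date]:
    """Choose which snapshots to keep so that daily, weekly and monthly
    restore points all exist (the usual grandfather-father-son rotation)."""
    snaps = sorted(set(snapshots))
    keep: Set[date] = set()

    # Daily tier: every snapshot from the last keep_daily days.
    cutoff = today - timedelta(days=keep_daily)
    keep.update(d for d in snaps if d > cutoff)

    # Weekly and monthly tiers: the newest snapshot in each ISO week / month.
    # snaps is ascending, so the last assignment per bucket is the newest.
    newest_in_week: Dict[tuple, date] = {}
    newest_in_month: Dict[tuple, date] = {}
    for d in snaps:
        newest_in_week[tuple(d.isocalendar())[:2]] = d
        newest_in_month[(d.year, d.month)] = d
    keep.update(newest(newest_in_week.values(), keep_weekly))
    keep.update(newest(newest_in_month.values(), keep_monthly))
    return keep


def restore_points_by_age(kept: Iterable[date], today: date) -> Dict[str, int]:
    """Count restore points per age band. A zero anywhere means that part of
    the history is missing, e.g. when only the last seven nights are kept."""
    bands = {"last_week": 0, "last_month": 0, "older": 0}
    for d in kept:
        age = (today - d).days
        if age <= 7:
            bands["last_week"] += 1
        elif age <= 31:
            bands["last_month"] += 1
        else:
            bands["older"] += 1
    return bands


# Constructed sample: one backup every night from 2017-01-01 to 2017-09-15.
DEMO_START = date(2017, 1, 1)
DEMO_TODAY = date(2017, 9, 15)


def demo_plan() -> Set[date]:
    days = (DEMO_TODAY - DEMO_START).days + 1
    snapshots = [DEMO_START + timedelta(days=i) for i in range(days)]
    return retention_plan(snapshots, DEMO_TODAY)


if __name__ == "__main__":
    plan = demo_plan()
    print(len(plan), "snapshots kept, oldest", min(plan))
    print(restore_points_by_age(plan, DEMO_TODAY))
```

On the sample run the rotation keeps 17 of 258 snapshots: the last seven nights, the Sunday snapshots of the preceding weeks, and the last night of each month back to January, so a file deleted in February can still be recovered in September while storage stays bounded. The same `restore_points_by_age` check applied to a cloud mailbox with no separate backup returns zeros in every band, which is the point of the last quote above.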
Third-party security audits. Along with social engineering testing, companies should regularly audit all aspects of their infosec infrastructure, using a reputable outside data security firm.
Restricted access to file sharing. Montague recommends ensuring “proper and restricted access is set up on file shares regardless of them being onsite or in the cloud.” Use data security experts (in-house or contracted) to determine appropriate security clearance tiers and needed access to shared files based on functional grouping. Enforce these restrictions and route access requests through a security gatekeeper.
Corporate infosec brings a combination of common-sense practice and technical protocol to bear on a single goal: keeping the bad guys (or gals) out. It’s a team effort. If you don’t have your infosec structure in place, don’t wait: Data threats are only going to increase in number and sophistication.