[BreachExchange] Red Alert: Evolving cyber attacks are forcing businesses to stay vigilant
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Nov 6 19:02:40 EST 2017
https://utahbusiness.com/red-alert-evolving-cyber-attacks-
forcing-businesses-stay-vigilant/
As I write this, news about the Equifax security breach is alarming pretty
much every adult American. And HBO just experienced a massive data breach,
the extent of which their forensic investigators are still scrambling to
understand. This follows on a Netflix hack of this past April, the 2015
Sony hack, and other corporate attacks. Information security (infosec)
experts and hackers seem to be in an arms race of measure and
countermeasure. And the criminals are winning. That’s the nature of the
battle: Law enforcement and the security establishment are usually a
step—or five—behind as they try to defend against the latest malware or
intrusion technology.
Small biz not off the hook
Your company probably lacks the data wealth of an Equifax or a Sony, and
therefore probably won’t ever attract the firepower that professional
cybercriminals bring to bear on large projects. Before you breathe too
easily, however, remember that small-time cybercrooks have plenty of
time—and plenty of incentive—to mess with your data. Hackers use virtual
private networks (VPNs), cryptocurrency (bitcoin being the most well-known
example), and other technologies to avoid being pinpointed. As a result,
most are able to operate with near-impunity. It’s the Wild West, and
there’s no sheriff in town. If you want protection against an attack, well,
it’s mostly going to be up to you to provide it.
So what’s a business owner or exec to do? Three things: “education,
education, education,” says Eric Montague, president of data security firm
Executech, based in South Jordan. “Most data breaches occur because users
are not vigilant and don’t have security at the top of their mind.”
While the majority of us aren’t falling for the Nigerian diamond heiress
who needs only a small cash advance to share her fortune, we can succumb to
equally avoidable scams. It comes down to minimizing vulnerability on an
individual level and also on an organization-wide scope.
Individual infosec precautions
When employees are using company networks and company hardware, individual
security is corporate security. Consequently, a major component of infosec
is simply getting personnel to follow practices that they should be doing
already.
“Straight-out hacking by traditional methods is actually pretty tough and
takes time,” Montague explains. “It is so much easier to trick uneducated
or distracted users into giving you access in some form.”
Phishing, for example, is a form of social engineering that seeks to prompt
an action from the person targeted by the scam; said action then gives the
perpetrator some form of access that they shouldn’t have. Phishing scams
have evolved significantly over the past couple of years and can be quite
sophisticated. Phishers understand their victim’s psychology and play to
greed, concern, or curiosity. Examples might include
- An email purporting to be from your bank, asking you to “log in here” to
verify a recent large withdrawal
- An email seemingly from your car dealership, offering a $200 gas card if
you fill out a short survey
- An email pretending to be from Facebook, asking you to click a link to
see a photo that a family member posted of you (the phisher may even use
the family member’s name for an added sheen of legitimacy)
In each of these cases, a skilled phisher would use the logo of the
relevant organization; at a glance, you’d never see anything amiss. And, in
each scenario, the proffered link would lead to a carefully crafted page
designed to plant malware, extract credentials or otherwise wreak sneaky
havoc on your digital world.
Here are some ways to fight back:
Pay attention to URLs. Phishers can fake an organization’s website, but
they can’t use the organization’s URL. Just remember that
www.amazon-savings.com is not the same as www.amazon.com;
www.realwellsfargo.com is not www.wellsfargo.com. Hover over any
hyperlinked text to see what URL it directs to (note that mobile devices
allow a user to touch and hold the link to similarly view the destination
without clicking through). If the URL looks questionable, steer clear.
Use multifactor authentication. Most major web platforms encourage
this—Facebook, LinkedIn, the suite of Google services, etc.—because it’s
highly effective. It works like this: You log in and it asks for a security
code, which it texts to your phone (alternatively, it can send the code to
your email). Without the code, nobody’s getting in. If a trusted site asks
you to enable multifactor authentication, click yes.
Use strong passwords. The no-brainer, everyone-knows-it tip that
surprisingly few follow. You don’t ever want to use the same password on
two different sites/applications. Nor do you want to use common tricks (@
for a, ! or 1 for l, $ for S, etc.) in an otherwise weak password—if you
do, it’s still a weak password. According to Eric Montague, your password
must have, at a minimum “eight characters, at least one number, one symbol
and one capital.” Too hard to remember? Don’t want a million passwords
written down (a terrible idea anyway)? Use a password manager.
Corporate infosec
As noted, corporate infosec encompasses the individual best practices
mentioned above—that whole weakest-link phenomenon—but also includes some
executive measures:
Regular education sessions. Teach employees about personal cyber-smarts
(see above). Also, Montague emphasizes, “employees need to be kept informed
about common scams and security risks.” If businesses invest a in educating
employees and personnel about common scams and techniques, they can save
themselves significant hassle and loss.
Computer lockout policies. Corporate computers should have a security
precaution wherein a user must log in again after a specified period of
inactivity. How long? “More than five minutes is too long in my book,” says
Montague.
Eliminate shared logins. Each employee should have unique credentials.
Pay attention to MFPs. Multiperipheral devices are those such as
printer/fax/scanner machines that have connectivity to the internet and/or
internal networks. “These devices can be vulnerable to hacking as they
typically have weak security protocols.” Montague recommends companies
“work with an IT specialist to individually secure these devices in their
office.”
Wipe or shred hard drives. Usually, a company retires its used computers
permanently; hence, shredding the hard drive is in order. Expensive MFPs,
however, are often destined for a secondary market. Many companies are not
aware that “a printer will store everything that has come through it,”
Montague says. “Once it is resold, a criminal could get ahold of any
information still on the printer simply by legally purchasing the used
model.” He recommends working with a professional who knows how to
thoroughly wipe the hard drive before resale.
Perform social engineering tests. Social engineering involves the
manipulation of human behavior and deception to access privileged
information or control of devices. Companies should perform their own
social engineering tests to determine human vulnerabilities and address
them. To ensure that these tests accurately reflect real-life attacks, an
organization can use a third-party contractor specializing in social
engineering penetration testing.
Firewalls. “A robust, active firewall will prevent most problems from
entering a system before they can do any damage.” Do your research,
however, and get a firewall that meets the needed criteria. “If you paid
less than $500 for your firewall,” Montague advises, “you don’t have a
firewall.”
Backups. “Chances are, you are going to get hit at some point, even with
good security,” Montague warns, adding that “in most cases, the breach is
just to cause havoc and destroy data.” With a good backup program, you can
recover from such attacks. However, “backups must have historical data sets
(i.e. daily, weekly, monthly etc.) or you do not have a backup.” Cloud
services need backups too. “Don’t be fooled that having your data or email
in the cloud means it is backed up.”
Third-party security audits. Along with social engineering testing,
companies should regularly audit all aspects of their infosec
infrastructure, using a reputable outside data security firm.
Restricted access to file sharing. Montague recommends ensuring “proper and
restricted access is setup on file shares regardless of them being onsite
or in the cloud.” Use data security experts (in-house or contracted) to
determine appropriate security clearance tiers and needed access to shared
files based on functional grouping. Enforce these restrictions and route
access requests through a security gatekeeper.
Corporate infosec brings a combination of common-sense practice and
technical protocol to bear on a single goal: keeping the bad guys (or gals)
out. It’s a team effort. If you don’t have your infosec structure in place,
don’t wait: Data threats are only going to increase in number and
sophistication.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171106/139862cd/attachment.html>
More information about the BreachExchange
mailing list