The security landscape is continually changing, but the principles remain the same – finding the best ways to protect against insider and outside threats, including identifying and fixing the holes which allow a hacker to bypass your organisation’s defences.
1. Patch, patch, patch

Although everyone knows the importance of Operating System (OS) and application patching, it’s one of those jobs that tends to be put off and moved down the ‘to-do’ list far too often by IT teams, especially during a busy week. By the time a patch has been announced it’s possible that the hole it fixes is already being exploited (a zero-day vulnerability).

However, the announcement of a patch can publicise to the unscrupulous that the vulnerability exists, so the longer you put off remediation of vulnerabilities on your servers or applications, the higher the risk that those vulnerabilities will be exploited. One tactic used by those with malicious intent is to send your users attachments which direct the unwary to a seemingly innocuous website which then scans your systems for vulnerabilities. This is why patches should always be installed as soon as possible.

There are a number of ways to address the patching issue. The first is to automate it, using tools such as SCCM which can provide reporting and auditing as well as patching. The time required to set the system up is quickly repaid in time saved. Patching can also be provided by a third party as part of a managed service, and it is now available through the cloud (patching as a service) from organisations such as Fordway. It’s also vital to ensure that any thin client machines are protected by booting them from fully updated and patched OS images.

Organisations should take a holistic and prioritised approach to patching, beginning with business critical systems. Resource is a cost, so aim first to carry out initial patch testing on systems representative of the whole environment. The lessons learned during this phase should be recorded and taken forward to patch the rest of the systems. For example, did some patches break the service or cause other issues? Did some patches also require changes to a registry key, or are there other prerequisites to ensure the patch is applied successfully? Next, target your business critical assets and those exposed to the internet, which present a back door into the organisation, applying the lessons learned during testing.

Remember that it is not just a case of patching the operating system. Keeping on top of application and middleware patching is essential, as unpatched Adobe Flash, Reader, Java and internet browsers are increasingly becoming a way into your system and can be exploited simply by visiting a website (a drive-by download) or via malvertising.

2. Beware data sticks

Whether you’re visiting an exhibition, receiving product information from a vendor or attending a training course, you can expect to be given a USB stick. They’re ubiquitous – but are they safe?

In a recent case, O2 sent USB pens to its business customers but soon discovered that the USB drive inside the pen contained a Windows specific virus which could install new programs onto their system, including some that might grant the virus’s author remote control over their computer. If the computer was used as a web server, the virus would potentially attack anyone visiting their website.

Most people rely on their antivirus software and occasional reformatting to ensure that they don’t transfer a digital infection to their desktop via a USB. However, there are some potential problems. First, if you’re running on a thin client with no drives, you may not have antivirus software on your machine to quarantine any malware. The second issue arises when you store sensitive information on a USB stick. What happens if you lose it – is the device encrypted and password protected? And what if your children borrow it and lose it? Lastly, simply formatting or deleting files on any data drive does not render the original data inaccessible; it can still be recovered using readily available tools from the internet or other dubious sources.

These tips should help to prevent USB related security issues:

• Always ensure you encrypt and password protect your USB drives, as well as external hard drives and SD cards.
• Prior to selling, disposing of or giving away your storage device, ensure you wipe any sensitive files through a secure sanitisation method.
• Always ensure you are aware of the source of the USB stick. Even when you believe it has come from a trusted source, ensure that you AV scan it prior to accessing its content and ideally remove the content if it is not of use to you.
• Never insert a USB drive into your PC when the source is not known. This not only increases the risk of security compromise, you could even end up with a fried device! A Hong Kong-based company has created a USB stick that sends an electrical discharge into any unauthorised computer into which it’s plugged.

3. Social reengineering

Social media provides many opportunities for hackers which they are increasingly exploiting. Many people don’t realise how much information they give out through their LinkedIn profiles, Twitter conversations and Facebook pages, which can then be used against them. Data from social networking sites such as LinkedIn can be used in many ways. Knowing who is who in a company can lend authenticity to any email exploit, and a user under pressure might respond to a carefully crafted phishing email that seems to originate from senior management. Think twice before sharing information and contacts on LinkedIn with people you don’t know.

The ultimate example is a sanctioned penetration test carried out in 2012 and reported at a conference in 2015, where security experts used fake Facebook and LinkedIn profiles pretending to represent a smart, attractive young woman to penetrate the defences of a U.S. government agency with a high level of cyber security awareness. This demonstrates that social engineering attacks can be effective against even the most technically sophisticated organisations. Twitter can also be a source of attacks. Researchers recently claimed that a new automated spear-phishing framework had a success rate of between 30% and 66%, perhaps because people don’t treat links within tweets with the same level of caution as email attachments.

The key is user education – training staff in your organisation about new threats, so that they know what to beware of and what to do should the worst happen. One very effective policy which we have implemented at Fordway is to have Security Champions in all departments. This ensures that security is embedded in day-to-day activities and reminds everyone of their security responsibilities, while sharing knowledge and best practice and providing a channel for feedback. It can unleash previously hidden knowledge and assist in prioritising security activities using facts from staff across the organisation – helping to ensure a holistic approach to security.

4. Don’t be held to ransom

There has recently been a surge in hackers targeting organisations with ransomware, keen to squeeze cash or bitcoins out of infected targets who feel they have no choice but to cooperate with the fraudsters’ demands. The attack may arise through attachments or links sent via email, which appear legitimate but unleash ransomware or direct you to a legitimate looking site, which in the background is scanning your system for vulnerabilities to exploit to infect your system with ransomware or other malicious content.

Again, user education is important, but organisations should also ensure that all data is backed up in case the worst should happen, including data on mobile devices. You should also test a restore of the backup and ensure that the backup is in a location that will not become encrypted should the system or service it is protecting become affected.

Finally, adopt the mentality that one day you will be breached and as a minimum ensure you have a cyber security incident response procedure in place, a back-up of all business critical systems and a disaster recovery plan.
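The two backup checks in the ransomware section, test a restore and keep the backup outside the tree it protects, as an added Python example that is not part of the original article or a Fordway tool. All paths and the "shared" data set are constructed for the demonstration; the restore test compares SHA-256 digests of the restored files against the live data, and the same comparison after a file is overwritten in place shows which files the backup still holds intact.

```python
"""Added example: back a directory up, restore it elsewhere, verify the restore by hash."""
from __future__ import annotations
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict[str, str]:
    """Map each file under root (as a forward-slash relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Path:
    """Write a gzip tarball of source. The archive must not sit inside the tree it protects,
    otherwise ransomware that encrypts that tree takes the backup with it."""
    if archive.resolve().is_relative_to(source.resolve()):
        raise ValueError("backup must be stored outside the data it protects")
    archive.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return archive


def verify_restore(source: Path, archive: Path) -> list[str]:
    """Restore the archive into a fresh directory and return the relative paths whose content
    differs from (or is missing in) source. An empty list means the restore test passed."""
    expected = sha256_tree(source)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):              # Python 3.12+ and backports
                tar.extraction_filter = tarfile.data_filter  # refuse path traversal on extract
            tar.extractall(scratch)
        actual = sha256_tree(Path(scratch))
    return sorted(p for p in expected.keys() | actual.keys() if expected.get(p) != actual.get(p))


def run_demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: backup, clean restore test, then one document is overwritten in
    place (as ransomware would) and the same check reports it as recoverable from the backup."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "shared"                         # the protected data (constructed)
        (data / "docs").mkdir(parents=True)
        (data / "docs" / "report.txt").write_bytes(b"Q3 figures\n")
        (data / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        archive = create_backup(data, Path(work) / "offsite" / "shared.tgz")  # separate location
        clean = verify_restore(data, archive)                # expected: []
        (data / "docs" / "report.txt").write_bytes(b"\x00ENCRYPTED\x00")     # simulated attack
        after_attack = verify_restore(data, archive)         # expected: ["docs/report.txt"]
    return clean, after_attack


if __name__ == "__main__":
    print(run_demo())
```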