At Netrix, our security practice sees trends and patterns in the industry that are worth mentioning and monitoring in 2017. If these items aren’t on your mind and you don’t have a strategy in place to solve each of these, please read on.
Careless or uninformed employees can compromise all of the preventative security measures we might put in place. It takes just one click of a link to compromise an entire organization these days. It only takes 20 emails to different people in a company to guarantee someone will open the email and click the link, 100% of the time. A careless employee might forget or lose an unlocked smartphone, and expose sensitive information. Just as risky are employees who might have weak passwords, visit unauthorized websites, or click on links in emails.
Organizations must convey a culture of security awareness, and this tone and message must be communicated from the top down! Every employee in a business or organization must take responsibility for security. The saying goes “culture trumps strategy every time.” Firms should embrace security and roll out an executive message, security policies and expectations, and employee security awareness training with ongoing reinforcement. This should be coupled with assessment, which can even include internal phishing, to measure the training’s effectiveness. Seeing how many employees are getting phished allows for remedial training, or as we sometimes call it the “Top 10 Wall of Shame” or “Phishing Derby Trophies.”
It is critically important that top management recognize the need for security, allocate resources, and communicate, support, reinforce, and sometimes enforce this message throughout the organization.
In 2015 the security industry saw a 900% rise in ransomware or advanced malware. That was bad.
In 2016-2017 through Q1, ransomware infection numbers spiked 3500%. This is an epidemic of malware! Cisco reports 40% of its customers have seen a ransomware attack.
Ransomware infects a computer or firm’s network and encrypts all of the data it can access, then the perpetrators ask for a ransom payment to unlock the data, or they delete it forever. Once infected, there are only two choices: pay the bad guys, or recover the data and systems from a backup.
We hear and read stories on a regular basis about the organization that didn’t have a good backup and had to pay the ransom. (You do have a good backup, right?).
The best defense against ransomware is prevention. An important part of prevention is good IT hygiene: basic practices such as patching, hardening, scanning for vulnerabilities, and maintaining backup capabilities. These are simple measures, yet we often find a problem in one of these basic areas only when it’s too late.
Security technologies have evolved significantly in recent years to fight these threats, giving rise to the term “nextgen.” We see “nextgen” firewalls, endpoint anti-virus, and other solutions emerging in the market to fight the growing tide of this type of advanced threat. Don’t forget to consider and protect the remote and mobile workers in your organization, who can be especially vulnerable.
We hear about massive headline data breaches every day: Target, Yahoo, and others. Hackers account for 85% of data breaches, so we should be concerned. There are two motives for this: financial gain and espionage. Manufacturers are especially susceptible to espionage, while those holding credit cards or other valuable data are more likely to be victims of financially motivated attacks.
A single cyber attack against Panamanian law firm Mossack Fonseca turned the legal security world upside down in 2016. Outsiders stole massive volumes of sensitive data, and the implications were severe for the firm and its clients. How did it happen? Simple really: the firm left old, unpatched web servers running. This is a case of negligence. The old servers were so vulnerable even a beginning hacker could have broken in, and simple security measures weren’t in place.
Patches had been available for these systems for years but weren’t installed. Patching means more than just constant Windows updates; it includes websites, applications, databases, and other devices like firewalls. Coupled with patching are configuration management, deploying secure systems via standards, and vulnerability scanning; together these make up the security process we refer to as hardening.
We want to make it a lot harder for a bad guy to break into the corporate network.
In the latest 2017 Verizon DBIR report, Verizon found that of 1,935 data breaches in the last year, 88% were accomplished using an old list of nine well-known attack vectors. Most of these could have been fairly easily prevented using simple cyber-hygiene measures.
Some basic examples include:
• Don’t reuse passwords
• Use strong passwords, not weak, crackable ones
• Ensure systems, servers, software, even network devices are patched
• Use 2-factor identity authentication
• Encrypt sensitive data
• Segment the network to protect sensitive data
• Scan everything with an IP address for security vulnerabilities
Anyone with access to sensitive insider information can pose a significant cyber security risk. 14% of data breaches are due to an insider threat. Although outsiders may pose a big risk to an organization, those with inside access are often overlooked. This population of miscreants further breaks down into internal employees, external employees/contractors, cases of collusion, and sometimes partners. Motives primarily include financial gain, but can also include espionage, a grudge, fun, or some ideology or belief.
In recent years the case of Edward Snowden has brought a lot of publicity and awareness to this issue, as troves of sensitive insider information have been leaked online. We often see employees copy large amounts of data to USB drives, email, or cloud storage servers, usually an indicator that the person is about to leave an organization.
Does your organization regularly review and limit access to systems and information? Do you regularly review user IDs and permissions? Are employees local administrators on their Windows PCs?
Intentional or unintentional, insider or external, regardless of the source, data leakage is a big problem and a risk many of us face today. Simple measures like encrypting all data, limiting access, and purging old, unneeded data make a big difference. Firms tend to keep data, especially email, around for a long time, and the information in those systems can put them at risk. Advanced measures can include DLP (data loss prevention) technology, which allows a firm to “tag” data as sensitive or protected, then stop it from being copied or leaked. Data retention and data disposal policies can go a long way toward limiting risk exposure should some data leakage occur. It can’t be stolen, compromised, or cause harm if the data simply isn’t there any longer.
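The bulk-copying indicator described above (large volumes moved to USB, email or cloud storage shortly before someone leaves) is something a SOC can watch for in file-transfer audit logs. The script below is an added example, not Netrix code; the log format, channel names and byte thresholds are assumptions, and the log lines are constructed for the example.

```python
# Added example, not Netrix code: flag users whose copying to USB, email or
# cloud storage in a short window stands out. Log format, channel names and
# thresholds are assumptions; the log lines are constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp|user|channel|bytes|path
SAMPLE_LOG = """\
2017-03-01T09:12:00|alice|usb|2400000|C:/finance/q1.xlsx
2017-03-01T09:15:45|alice|cloud|900000000|C:/finance/archive.zip
2017-03-01T09:40:00|alice|email|120000000|C:/clients/list.csv
2017-03-01T10:20:00|bob|email|350000|C:/docs/memo.docx
2017-03-02T14:05:00|bob|usb|5000000|C:/docs/slides.pptx
"""

# Bytes per channel that a single user may move within WINDOW before review
# (assumed baselines; tune them from your own normal traffic).
THRESHOLDS = {"usb": 100_000_000, "email": 50_000_000, "cloud": 500_000_000}
WINDOW = timedelta(hours=24)


def parse_log(text):
    """Turn the pipe-delimited lines into (time, user, channel, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, channel, size, _path = line.split("|", 4)
            events.append((datetime.fromisoformat(ts), user, channel, int(size)))
    return events


def flag_bulk_copies(events, thresholds=THRESHOLDS, window=WINDOW):
    """Return {(user, channel): peak bytes} for every user/channel pair whose
    total inside any sliding window of length `window` exceeds its threshold."""
    by_key = defaultdict(list)
    for ts, user, channel, size in events:
        by_key[(user, channel)].append((ts, size))
    flagged = {}
    for (user, channel), items in by_key.items():
        items.sort()                      # oldest first
        start, running = 0, 0
        for ts, size in items:
            running += size               # add the newest event ...
            while ts - items[start][0] > window:
                running -= items[start][1]  # ... drop events outside the window
                start += 1
            if running > thresholds.get(channel, float("inf")):
                flagged[(user, channel)] = max(flagged.get((user, channel), 0), running)
    return flagged
```

Running `flag_bulk_copies(parse_log(SAMPLE_LOG))` flags only alice’s cloud and email transfers; bob’s normal-sized copies stay below every threshold.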
Visa and card brands have started enforcing increasingly shorter retention times and periods for card data, for instance. After all, why keep the raw card data around when it can cause a breach and isn’t needed any longer?
The rise of mobile devices, iPhones, Androids, and tablets, coupled with the trend towards BYOD (bring your own device), presents some difficult challenges for organizations. Typically data on devices isn’t encrypted, and in some cases a user may not even have a simple PIN code on their phone, so a lost or stolen device can lead to a serious data breach. Everyone loves the flexibility of using their own devices, and the device of their choosing, and BYOD saves the firm the cost of issuing and supporting a fleet of mobile phones, but at what risk?
MDM solutions (mobile device management) allow an organization to embrace BYOD but lock down the device, requiring security measures such as encryption and strong PINs on the device. They can further enforce policies that allow a device to wipe itself after a number of incorrect PIN entries, encrypt data, locate or track a lost or stolen device, and in the worst case, initiate a remote wipe of all information on the lost device.
BYOD raises an interesting legal issue. If I have an employer’s corporate email on my personally owned BYOD device, the employer doesn’t necessarily have the right to “wipe” the device. It’s not their device after all. What happens if the employee quits in anger, or is fired, and has our corporate email and other information on their device? In this case, an MDM solution can perform a “selective” wipe of the information, in which we wipe only the corporate information we do still legally “own” and don’t wish to have sitting on a remote device outside of our control.
Can your organization detect a security breach? (Most can’t.) Is someone monitoring the security of your network and systems 24×7? The mean time for most organizations (even large ones) to detect a breach is 197 days. Worse, of those companies breached, only 31% found it themselves. Typically law enforcement, a third party, or another agency is the one notifying a firm about a data breach.
Companies are hiring outside firms to act as their SOC (security operations center) and monitor the security and integrity of their networks for them 24×7. It is becoming a best practice to outsource this SOC capability to an MSSP (managed security service provider), as it is a better solution and more cost effective than building this capability in-house, except in the very largest enterprise-level organizations. It is too difficult to staff in-house for 24×7 coverage, and finding a team of skilled security professionals to hire to do it in-house is also expensive and difficult. This is exacerbated by the current shortage of IT security professionals globally.
Sure, that old machine still works, and it costs money to upgrade it to something newer. Just a few years ago, this wouldn’t have been too much of a concern, but as the pace of technology has increased, so have security threats. Windows XP is not secure, and Microsoft no longer supports it or patches it, and this is also true of other older technology in companies. It was state of the art back in the day, but then so were tube TVs and “fast” 56k dial-up internet modems (hint: most of us don’t use those old technologies any longer either).
Anything with an IP address can be a security weakness, from the copier to the system running the door card readers, and even things like smart TVs. It is important to scan your network using security testing software on a regular basis and find these things, and of course, fix them before someone else finds and exploits them!
Please upgrade your technology; there truly is a major security difference in later versions of Windows such as Windows 10 and Server 2016. This is true across the board, as “nextgen” firewalls, “nextgen” endpoint AV, and other security solutions have emerged and evolved to try and keep pace with new threats.
Written by: George Quinlan, Security Consultant