Even IT security professionals develop bad habits and make some of the common security assumptions that place data at risk, and there is now a legion of cybercriminals ready to take advantage of any weakness that has been allowed to develop. If you don’t correct bad security habits, someone will exploit them.
Protecting company assets from cyberattacks used to be a fairly straightforward process. Many attackers were opportunistic and amateurish. They would hunt for companies or individuals with little to no security, and would take advantage. Spam emails would be sent out in the millions in the hope that some individuals would respond. Those emails were not even run through a spell check. They were easy to identify.
Today, the situation is very different. Sure, there are still many amateurs out there, but today’s cybercriminal is a different beast entirely. The men, women, and even children who are conducting attacks are organized, highly motivated, and they possess a wide range of skills. They are professional and their job is to make money online. They do that by taking it off of other people.
The attack surface is now broader than ever before and the threat landscape is constantly changing. Keeping data safe is no longer easy.
How is it possible to defend data with a constantly changing threat landscape?
It is difficult to keep networks and data secure, but it is far from impossible. It is essential not to make some of the common security assumptions that leave data unprotected, and to take a step by step approach and ensure that all Internet connected devices are secured.
Virtually everyone now has at least one Internet-connected device. Many people have several. With Internet-connected devices being so common and an essential part of daily life, one would think that we have all become quite good at ensuring those devices are secure. Unfortunately, that is far from being the case.
Furthermore, there are now so many data security threats that it is virtually impossible to keep track of them all. We need to watch out for malware of every kind: viruses, spyware, rootkits, and ransomware. Then there are denial-of-service attacks to prevent. Cyberterrorists want to delete and corrupt data and take businesses down. Scammers use social engineering to obtain login credentials. Even an ex-partner may be uploading and sharing compromising photographs of you online. The digital threats now faced by everyone are considerable; for sysadmins it is even worse. So how is it possible to protect against all of these threats?
The best place to start is by determining what needs to be protected. There are many threats, but what is it that attackers all want? The answer is data. They may want to steal it, share it, corrupt it or delete it, but whatever their intention, data is the target. To protect data, you must know what data you hold and where it is stored.
To protect your assets, you must first define your assets!
The first step to take if you want to protect data is to determine what data cybercriminals would like to obtain. This may seem obvious. Criminals want your bank account password and login name and your credit card numbers. However, that is not all they are after. One of the most common security assumptions is thieves are only after financial information. In fact, more money can be obtained from other data.
Assets you must protect
Cybercriminals want more than just your banking information. They would love to steal…
Social Security numbers
Government ID numbers
Insurance IDs and provider names
Credit card numbers
Health insurance payment histories
Email addresses and passwords
Personal data such as dates of birth, genders, ages, addresses, & telephone numbers
Employment histories and employer names
Information that allows security questions to be guessed
Many common security assumptions lead to data theft and financial loss
Once you have identified all the data that need to be protected, you must determine where those data are located. Where is information stored, and who has been given access? You must also abandon many of the common security assumptions that people make, because these assumptions invariably leave data exposed. One of the biggest is that the people trusted to secure data have put all of the necessary safeguards in place. That is not necessarily the case.
If you want to keep your data secure, you need to develop some good habits and stop all the bad ones.
Bad security habits to eradicate
Not being aware what data you have
Not being aware where data are saved
Being unaware of your bad habits
Leaving data security to others
Storing data in multiple locations when it is not necessary
Sharing passwords with friends, family members, or work colleagues
Reusing passwords across multiple online accounts
Using passwords that are easy to guess
Believing most of the stuff you read on the internet or receive in an email
Trusting an email because it has been sent from someone you trust
Writing your login credentials down so you can remember them
Installing apps and software without checking authenticity
Giving out too much information about yourself online
Oversharing personal information on social media websites
Good security habits to develop
Using long passwords: a passphrase of several random words beats a short mix of letters, numbers, upper and lower case and special characters, and length matters more than composition rules
Changing a password as soon as there is any sign it has been exposed (a breach, a shared account, a phishing attempt); forced rotation every three months mainly produces predictable variations of the old password, and current guidance (NIST SP 800-63B) no longer recommends it
Using a different password for each online service
Keeping your password totally private and not even sharing it with your partner
Keeping abreast of the latest data security news
Setting software to update automatically
Checking for security patches and software updates on a daily or weekly basis
Using a password manager rather than relying on memory or a browser’s password store on a shared machine; a manager is what makes a unique password for every service practical
Locking your devices (phone, tablet, desktop, laptop) with a security mechanism
Encrypting your communications
Not always answering truthfully when asked about your personal information online
Using a web filtering solution to block malicious websites
Stopping and thinking before taking any action online
Assuming that all email attachments are malware until you determine otherwise
Using powerful anti-spam, anti-malware, and anti-virus software on all devices
Ensuring devices do not automatically connect to open Wi-Fi networks
Not installing any software on work computers unless authorized to do so by your IT department
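The password habits above are easier to enforce with code than with memory. The following is an added example, not part of the original article: it checks a candidate password against a breached-password corpus the way the Have I Been Pwned "range" API works (only the first five hex characters of the SHA-1 hash are sent; the rest is matched locally) and estimates strength by length rather than by character classes. The breach dictionary, its counts and the 12-character minimum are constructed assumptions for the example; the offline range response stands in for a real HTTPS call to api.pwnedpasswords.com.

```python
import hashlib
import math
import string
from typing import Optional, Tuple

# Constructed stand-in for a breached-password corpus: password -> times seen.
# Counts are invented for the example; a real check queries the HIBP range API.
BREACHED = {
    "password": 3861493,
    "P@ssw0rd": 51259,
    "Summer2015!": 231,
    "qwerty123": 3140,
}

MIN_LENGTH = 12  # assumed policy minimum; length matters more than composition


def entropy_bits(password: str) -> float:
    """Upper-bound strength estimate: length * log2(size of the character pool used).

    This overstates the strength of dictionary-word passphrases; see
    passphrase_bits() for the honest figure when the words come from a list.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    if any(c.isspace() for c in password):
        pool += 1
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Strength of a passphrase of random words drawn from a list of the given
    size (7776 is the Diceware list), assuming the attacker knows the list."""
    return round(word_count * math.log2(wordlist_size), 1)


def hibp_range_query(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char prefix that would be sent to
    https://api.pwnedpasswords.com/range/<prefix> and the 35-char suffix that
    is matched locally, so neither the password nor its full hash leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def constructed_range_response(prefix: str) -> str:
    """Constructed offline stand-in for the HIBP range response
    ("SUFFIX:COUNT" per line), built from the BREACHED dictionary above."""
    lines = []
    for pw, count in BREACHED.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Look our suffix up in a range response; 0 means the password was not seen."""
    for line in response_text.splitlines():
        seen_suffix, _, count = line.strip().partition(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def assess(password: str, range_response: Optional[str] = None) -> dict:
    """Apply the policy: reject anything seen in a breach corpus or shorter
    than MIN_LENGTH; otherwise accept and report the strength estimate."""
    prefix, suffix = hibp_range_query(password)
    if range_response is None:
        range_response = constructed_range_response(prefix)
    breached = count_in_range_response(suffix, range_response)
    bits = entropy_bits(password)
    if breached:
        verdict = f"reject: seen {breached} times in breach corpus"
    elif len(password) < MIN_LENGTH:
        verdict = f"reject: shorter than {MIN_LENGTH} characters"
    else:
        verdict = "accept"
    return {"breached_count": breached, "charset_bits": bits, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, assess(candidate))
    print("4 random Diceware words:", passphrase_bits(4), "bits")
```

Note the two estimates: the charset figure credits "correct horse battery staple" with well over 100 bits, but if the attacker guesses from a 7776-word list it is worth about 52 bits, roughly the same as the eight-character "P@ssw0rd", which fails anyway because it is in the breach corpus.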
Develop good habits, stop making common security assumptions, and eradicate your bad habits and you will be much less likely to become a victim of a cyberattack!
Unfortunately, common business network security myths have led many small to medium sized business owners to believe they are well protected against hackers, malicious insiders, and online criminals. They perceive their network to be secure, but that confidence may be misplaced.
Sure, they know they are not impervious to attack but, on balance, confidence in their ability to prevent a cyberattack is high. Even if an attack is suffered, they think they will be able to identify it quickly enough in order to protect their data. However, the reality is that confidence is often based on some widespread business network security myths. The reality is many businesses are wide open to attack.
Common business network security myths that need busting
Some of the most common business network security myths are listed below. Make sure that all of your IT staff are aware of the following misconceptions. Expel these business network security myths and you will gain a much better understanding of how well your business, and its data, are actually protected:
It is easy to avoid phishing campaigns
That may have been true a few years ago. It used to be easy to spot a phishing or scam email. However, the situation has now changed. Phishing schemes have become much more sophisticated and it can be very difficult for the majority of employees to identify scam emails. Many of the major security breaches suffered over the past few years have started with a member of staff responding to a phishing campaign. The massive data breach at Target is a good example. Hackers first compromised an HVAC company used by the retailer: malware installed on that company’s network stole its credentials for Target’s vendor portal, and the attack on Target was launched with those credentials.
I trust my employees not to expose data or infect my network
Your employees may not knowingly compromise your network or reveal sensitive company information but, due to the high phishing risk, they may do so inadvertently. Even after training employees to be more security aware, they can still accidentally fall for a scam and install malware on your network.
That is not the only problem. Your loyal and trusted employees may not turn out to be quite so loyal when they leave for another job. The Wall Street Journal recently conducted a data security survey, and half of employees admitted to taking confidential company data with them when they left their employment.
My business is too small to be targeted by cybercriminals
Cybercriminals want to gain access to as much data as possible. They want to infect as many computers with malware as possible and build bigger botnets. They also want to sabotage companies that they feel are doing harm, or acting irresponsibly. That means larger corporations are targeted. They have more data, they have more computers, and they tend to cause the most offense – by damaging the environment or making obscene profits, for example. They are also more of a challenge, and many hackers see that as reason enough to try to break through their defenses.
However, don’t think that as a smaller business you are a smaller target. Your defenses will probably be inferior to a multi-national corporation, and criminals like the path of least resistance. Your data is likely to be just as valuable as data held by a larger corporation. You just store a smaller volume of it. Small businesses are being targeted and there is actually a high risk of attack. As was the case with the Target data breach, a small company was targeted first and was used to attack the retailer.
If a cyberattack is suffered, you may not be able to cope with the aftermath. Data suggest that two thirds of small companies end up going out of business within 6 months of suffering a cyberattack.
I have not been hacked, so my security protections are sufficient
How sure are you that you have not been hacked? Many companies do not discover their systems have been compromised for months or even years after an attack has taken place. Take the eBay data breach for example. The massive online marketplace was first attacked in February and it took 3 months for the company, with all of its IT security resources, to determine that data had been stolen.
Network security protections are expensive
If you want the best protection for your company, you do not have to necessarily spend a small fortune, or a large one for that matter. There are many cost-effective protections you can put in place to protect your network from attack. In fact, it is probably not necessary for you to implement advanced threat analytics, but you should use email and web security solutions to protect against phishing attacks.
Weigh up the cost of implementing these software solutions against the cost of suffering a data breach. According to the Ponemon Institute, the average cost per record exposed in a cyberattack is $246. Multiply that by the total number of customer records you have and that will give you an idea of the likely cost of resolution. Unfortunately, small businesses tend to pay much higher costs per exposed record, because they lack the economies of scale of larger firms. Ponemon has also calculated the chance of suffering a data breach over a two-year period is 22%.
Dispel these common business network security myths and you will be taking five steps toward a more secure network, and will actually be much better protected than you currently believe you are.
The Internet of Things, or IoT, offers a lot of potential, but unfortunately these Internet-connected devices also introduce a considerable amount of risk. The term Internet of Things covers any device that connects to the internet, which includes a wide range of equipment covered by your BYOD policies, as well as a substantial number of devices that probably are not.
IoT includes devices such as traffic lights, GPS units used for cycling or walking, weather monitoring equipment, cars, some new refrigerators and washing machines, and activity trackers: an incredibly wide range of devices. So many electronic devices with Internet connectivity have now been developed that the mind boggles.
What’s your Point?
Any device that connects to the Internet and remains connected to the Internet for a long period of time is likely to attract the attention of hackers. They will use various tools to probe those devices. Their aim is to identify potential vulnerabilities that can be exploited. Once those vulnerabilities are located, they will be subjected to attacks, whether by brute force or by a skilled hand. Hackers will attempt to shut devices down (just because they can) or take them over with malicious intent. This will happen. This is not conjecture.
Will an electronic, Internet-connected billboard be hacked? Sure! Someone somewhere will have a humorous message they would like to display. Will someone hack a medical device such as a drug pump and change the dose of morphine that is administered to a patient? Certainly. It has already happened on at least two reported occasions. Both times were by the patients themselves. (it was very easy BTW, they got the instructions from the Internet and upped their own morphine doses!).
If it is possible to hack a device, someone will. It is just a matter of time.
Why not just make sure that all products are secure?
In an ideal world, no Internet connected device would come to market unless it was first made secure. However, this is not an ideal world. In fact, judging by the apparent ease with which hackers compromise desktops, smartphones, tablets, and servers, IoT devices shouldn’t pose them too many problems. To make matters worse, the developers of these devices often have no idea about the security of their devices. Their aim is to get a useful Internet-connected device on the market, not to prevent it from being hacked.
Many manufacturers have the budgets to develop appropriate security; the problem is that they do not spend them on it. Don’t get me wrong, this is not always about cutting corners. Oftentimes they just have no idea how hackers will be able to take advantage of their devices, or why they would choose to do so.
Unfortunately, devices are coming to market faster than it is possible to perform full security testing. Many of those devices are connected to Smartphones, tablets and laptops, from where they can be accessed and controlled. If it is possible to gain access to the equipment remotely, would it be possible to use the IoT device to gain access to the device that is used to control or monitor it? It is a distinct possibility!
How about the apps that are downloaded to control those devices? Could they be hacked? Could a malicious app for controlling a Samsung washing machine find its way into the Google Play Store? How about an app for a device that is part of the critical infrastructure?
The Danger of IoT and BYOD
Many organizations have wholeheartedly implemented a BYOD policy and are now allowing the Smartphones, tablets, and laptops of employees to be used at work. There are numerous advantages to doing this of course. The technology can be leveraged to give the employer benefits that would otherwise be unaffordable to introduce. Employees want to use their own devices at work and are often much more productive as a result. The problem however, is the security risk that these devices introduce, or have potential to introduce, is considerable. Any Internet enabled device that is allowed to connect to a corporate network could potentially be used by a hacker to launch an attack.
To tackle the security threat, a good BYOD strategy must be employed to control use of the devices. Employees must be told what they can and can’t do. Unfortunately, it doesn’t matter what you tell your employees. Some will go against company policies because it’s their device and they believe they can do what they want with it.
It is essential to perform training on security. Employees who are allowed to bring their own devices to work must have it spelled out, very clearly, what the risks are and why controls are put in place. They must be made to understand that the risk from the devices is very real, and policies exist for a very good reason. If they are unwilling to abide by the rules, they should not be permitted to use their devices at work.
A good BYOD strategy?
However, even by adopting a good BYOD strategy, you will allow the traditional security perimeter to be extended to include employees’ homes. Regardless of the controls that are used and the level of training provided, the risk that is introduced could be considerable. Employers should therefore think very carefully about the devices they allow to connect to their network. A good BYOD strategy may in fact be to prevent any BYOD devices from connecting to the network at all!
The financial sector is reeling from one of the most sophisticated cyberattacks ever seen. The APT-style Carbanak malware attack differs from other APT attacks, as the attackers are not after data. They want cold hard cash and they are getting it. Carbanak has been used to steal funds to the tune of around $500 million. Or up to $1 billion, depending on who you speak to!
The malware, discovered by Kaspersky Lab, uses sophisticated methods for obfuscation so it is hard to identify once it is installed. There isn’t much good news about Carbanak, but one chink in the armor is the method used to get malware installed. That is far from sophisticated. In fact, it is rather simple. Cybercriminals are getting bank employees to install it for them.
Banks that have suffered Carbanak attacks have been lax with security. They have not instructed their employees how to identify bank phishing scams, and they have not been performing scans for malware. It may be hard to detect, but it is important to actually scan a network for malware periodically! Consequently, banks have not detected breaches until a long time after they have occurred.
One of the most sophisticated bank phishing scams is easy to avoid
Carbanak malware is delivered via email. The spear phishing emails were sent to large numbers of bank employees, and many opened the malicious attachments or links. By doing so they inadvertently loaded the malware onto the banks’ administrative computers. Once installed, Carbanak collects information and sends it to the criminals’ command and control servers.
The malware logs keystrokes and searches for security vulnerabilities in the network. The data collected is used to make bank transfers to the criminals’ accounts, although the data that is obtained could be used for a number of different crimes. Some security experts estimate that the criminals behind the campaign have managed to steal over $1 billion so far. The bad news, and there is a lot of it, is that they are still continuing to obtain funds. As bank phishing scams go, this is one of the costliest.
Bank phishing scams account for a fifth of all phishing campaigns
There is a considerable amount of disagreement within the security community about the level of sophistication of Carbanak. But that is really beside the point. The malware is installed on computers and remains there undetected for a long time. It is used to obtain huge amounts of money. It doesn’t really matter how sophisticated the malware is.
What is more important is the lack of sophistication of the initial attack. Bank phishing scams are not that difficult to prevent, and this is no different. Bank employees just need to know how to identify phishing emails. Bank phishing scams account for a fifth of all phishing campaigns so to prevent them it is vital that employees receive training to help them identify the scam emails.
It is also essential that training is followed up with phishing email exercises to test employees’ knowledge. Can they actually identify a phishing email, or were they not paying attention during training? Don’t leave that to chance, as it could prove costly!
Bank phishing emails are very convincing
The criminals behind bank phishing scams have spent a long time crafting very credible emails. The emails need to be realistic, as bank employees would not open an attachment in order to find out about a $1,000,000 inheritance they have got from an unknown Saudi relative (some do!). Cybercriminals are now developing very convincing emails, and are even running them through a spelling and grammar check these days.
Bank phishing emails provide a legitimate reason for taking a particular action. Typically, the reason is to:
Verify account details to prevent fraud
Upgrade security software to keep systems secure
Perform essential system maintenance
Take action to protect customers from fraud
Perform identity verification to allow a refund to be processed
Verify identity to allow packages to be delivered by couriers
The aim of most bank phishing scams is to get users to click a link to a website that downloads malware onto their computer, to open an email attachment (typically a zip file) that contains malware, or to run malware in the belief they are opening a PDF or Word file.
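The pretexts and delivery methods above are what a mail filter or a security team’s triage script looks for. The following is an added example, not code from the original article: it parses a raw message with Python’s standard email library and flags the indicators just described, namely a Reply-To that does not match the sender’s domain, a link whose visible text shows one host while its href goes to another, links pointing off the sender’s domain, urgency phrases in the subject or body, and attachments with executable or double extensions (the classic “Statement.pdf.exe”). The two sample messages, their addresses and domains (example-bank.com, example-bank-verify.net) are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Extensions that should not arrive as attachments in normal business mail, and
# document extensions that are commonly faked with a double extension.
RISKY_EXT = {"exe", "scr", "cpl", "js", "jse", "vbs", "bat", "cmd", "zip", "rar", "7z", "iso"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx"}
# Pretexts from the list above: urgency or a request to verify or upgrade something.
URGENCY = ("verify your account", "verify your identity", "unusual activity",
           "within 24 hours", "will be suspended", "security upgrade", "system maintenance")


class _Links(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value) -> str:
    """Mail domain of an address header such as 'Name <user@host>'."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def _same_org(host: str, domain: str) -> bool:
    return bool(host) and bool(domain) and (host == domain or host.endswith("." + domain))


def phishing_indicators(raw: bytes) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for a raw RFC 5322 message; an empty list is clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []

    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"{reply_domain} != {from_domain}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _Links()
        parser.feed(content)
        for href, visible in parser.links:
            target = (urlparse(href).hostname or "").lower()
            shown = re.search(r"https?://([^/\s]+)", visible)
            if shown and shown.group(1).lower() != target:
                findings.append(("link-text-mismatch", f"shows {shown.group(1)}, goes to {target}"))
            if target and not _same_org(target, from_domain):
                findings.append(("off-domain-link", target))

    plain = re.sub(r"<[^>]+>", " ", content)  # strip tags before keyword matching
    haystack = f"{msg.get('Subject', '')} {plain}".lower()
    for phrase in URGENCY:
        if phrase in haystack:
            findings.append(("urgency-pretext", phrase))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) >= 2 and pieces[-1] in RISKY_EXT:
            findings.append(("risky-attachment", name))
        if len(pieces) >= 3 and pieces[-2] in DOC_EXT:
            findings.append(("double-extension", name))
    return findings


def constructed_phishing_email() -> bytes:
    """Constructed lure in the style described above (not a real message)."""
    msg = EmailMessage()
    msg["From"] = "Online Banking Security <alerts@example-bank.com>"
    msg["Reply-To"] = "support@example-bank-verify.net"
    msg["To"] = "teller@example-bank.com"
    msg["Subject"] = "Action required: verify your account within 24 hours"
    msg.set_content("Unusual activity was detected. Open the attached statement.")
    msg.add_alternative(
        '<p>Unusual activity was detected on your account. Please visit '
        '<a href="http://example-bank-verify.net/login">https://online.example-bank.com/verify</a> '
        'within 24 hours or access will be suspended.</p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Statement.pdf.exe")
    return msg.as_bytes()


def constructed_legitimate_email() -> bytes:
    """Constructed benign statement notification from the same bank."""
    msg = EmailMessage()
    msg["From"] = "Statements <statements@example-bank.com>"
    msg["To"] = "teller@example-bank.com"
    msg["Subject"] = "Your March statement is available"
    msg.set_content("Your statement is attached.")
    msg.add_alternative('<p>Your statement is attached, or '
                        '<a href="https://online.example-bank.com/statements">view it online</a>.</p>',
                        subtype="html")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, builder in (("phish", constructed_phishing_email), ("legit", constructed_legitimate_email)):
        print(label, phishing_indicators(builder()))
```

None of these checks is conclusive on its own (a real bank does sometimes use a different Reply-To), which is why the function returns every indicator rather than a single yes/no: a message that trips several of them at once is the one to quarantine and show to the user as a training example.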
The Three Main Types of Bank Phishing Scams
Bank phishing scams can be highly varied, but generally fall into one of three main categories:
Opportunistic attacks
Opportunistic attacks are the most common type of phishing attack and they tend to be the easiest to identify. Millions of spam emails are sent containing malicious links or attachments in the hope that some individuals will install the malware they contain or link to. This type of phishing campaign is often used to deliver ransomware. Criminals often use links to websites hosting common exploit kits to download malware onto machines.
Zero-day attacks
A zero-day attack exploits a vulnerability for which no patch yet exists, because the vendor has only just learned of it or does not know about it at all (it has had “zero days” to fix it). Researchers are discovering new security vulnerabilities on a daily basis, and even once a flaw is reported it takes time for the developer to issue a patch and for users to apply it, so attacks on flaws that are public but still unpatched on many machines are often lumped in with zero-days. It takes more skill to conduct this sort of campaign, as the attacker must develop a working exploit, but the same shotgun approach is used to deliver the malware that exploits the vulnerability. The favored delivery method is mass spam email.
APT (Advanced Persistent Threat)
The third type of phishing attack is the one that was used for Carbanak. Campaigns of this type may exploit zero-day vulnerabilities, although Carbanak’s attackers in fact used exploits for Microsoft Office vulnerabilities that had already been patched, which is one more reason patching matters. In contrast to ransomware, which acts fast and makes the presence of the infection abundantly clear, APT attacks remain hidden for a long period of time. They are stealthy and their aim is usually to steal data; in the case of Carbanak the aim was to steal money.
These attacks tend to be targeted. Banks, financial institutions, healthcare organizations, and government departments are all targeted using this type of phishing campaign. Malware is not sent using mass spam emails, but the targets are typically researched and spear phishing emails are sent.
How to defend against these targeted bank phishing scams
Carbanak has been used for bank phishing scams for close to two years now so it is nothing new. What is peculiar about the campaign is it uses tactics that are more commonly seen in state-sponsored attacks for spying on governments and those used by cyberterrorists. The attack on Sony, for instance, started with a phishing email of this ilk.
Unfortunately, while the first two types of phishing email are relatively easy to block with anti-spam solutions and phishing email filters, it is much harder to block APT spear phishing emails. They tend not to contain links to known malware sites, and are often sent from email accounts that have already been compromised. They may also contain links to legitimate websites that have been compromised to serve malware. They can be hard to identify and block.
There are steps that can be taken to reduce the risk of an attack being successful. It is essential to provide staff members with training to help them identify phishing emails. Employees must be aware of the common signs to look for and must be told to be extremely cautious with emails. Email attachments are a potential danger, but do employees know the danger of clicking links? Make sure they do!
Training exercises have been shown to be highly beneficial. The more times employees are tested on their phishing email identification skills, the better they become at identifying email scams.
It is also essential to ensure that patches are installed as soon as they are released. Once a vulnerability is public, attackers keep exploiting it on every machine that has not yet been patched; a zero-day stops being a zero-day the moment the fix ships, but only for those who apply it. This applies to the likes of Adobe Flash, Microsoft products, and every other software application.
Patches are issued frequently, so it can be almost overwhelming to keep on top of them all, but that is what is needed.
Perform regular training – and conduct refresher courses – and make sure regular security audits of the entire network infrastructure take place. It all takes time, effort, and involves a considerable cost. That said, the cost will be considerably lower than the cost of dealing with a Carbanak malware attack.
Measures to increase system security not only reduce the possibility of your system being hacked but, should a hacker gain access despite your best efforts, limit the amount of damage he or she can do.
In-depth measures to increase system security – like the measures we will be discussing in this article – prevent hackers who have penetrated your firewall from running amok throughout your network and compromising device after device.
The border device is the first line of defense
The first of the measures to increase system security you should implement concerns your border device. This will either be a router or a firewall, and you can use access lists to block unwanted inbound traffic.
Depending on your network design, determine whether your border device actually needs to exchange routing updates with Interior Gateway Protocols such as OSPF, RIP and EIGRP, and with BGP or MPLS-related protocols on the outside.
If a protocol is not needed, disable it: unnecessary routing updates consume bandwidth, and an unneeded or unauthenticated routing process gives an attacker a way to inject routes. Where a protocol is needed, enable its authentication and only peer on the interfaces that require it.
Block all requests that might originate from a private network. These would naturally include 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8, but don´t forget about:
One of the best measures to increase system security is a DMZ. A DMZ adds an additional layer to a local area network (LAN), a “border within a border”. The devices that exchange data with the outside world (web servers, mail servers, etc.) sit in the DMZ, between two firewalls or on a dedicated firewall interface, and the rest of your network sits behind the second layer. If a DMZ host is compromised by hackers, malware, viruses or Trojans, the attacker still has to get through another firewall to reach internal systems.
The advantage of firewalls is that most traffic to the rest of your network is blocked by default. They are relatively easy to install and, although inconvenient for administrators that like to ping to check connectivity, are great for security. On the other hand, servers, routers, and switches tend to require a significant amount of configuration to toughen up your defenses.
One thing you can do to reduce the amount of work required is take advantage of any automated measures to increase system security provided by the manufacturer. These can restrict access from private and public IP addresses, shut down interfaces that are not required and disable unneeded services.
Special consideration should be paid to authentication servers and IPS/IDS devices. Depending on your organization’s priorities for service availability versus security, these can be set to “fail-open”, in which case all traffic is permitted if the device fails, or “fail-closed”, where a failure breaks all connectivity. Fail-open keeps the business running, but it means an attacker who can crash the device also switches off the control; fail-closed is the safer default wherever the outage is tolerable.
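The anti-spoofing filter described above (dropping inbound traffic whose source claims to be a private or otherwise non-routable address) is simple enough to express as data and test before it goes on the border device. The following is an added example, not code from the original article: it classifies inbound sources against the three RFC 1918 ranges named above plus the other blocks that should never appear as a source on the outside interface (the standard bogon set from RFC 6890; the page does not list these, so treating them as the missing entries is an assumption), and renders the same policy as a Cisco IOS extended ACL in wildcard-mask syntax. The sample flows, the ACL name and the use of 198.51.100.0/24 as the organization’s “own” public block are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# RFC 1918 private ranges plus the other non-routable source blocks from
# RFC 6890 (assumption: the standard bogon set). Packets from any of these
# arriving on the outside interface are spoofed or misrouted and get dropped.
NEVER_FROM_OUTSIDE: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("0.0.0.0/8", "this network"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("100.64.0.0/10", "shared address space (CGNAT)"),
    ("192.0.2.0/24", "TEST-NET-1 documentation"),
    ("198.18.0.0/15", "benchmarking"),
    ("198.51.100.0/24", "TEST-NET-2 documentation"),
    ("203.0.113.0/24", "TEST-NET-3 documentation"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
]


def classify_source(src: str, own_prefixes: Iterable[str] = ()) -> Tuple[str, str]:
    """Decide what an inbound ACL on the outside interface should do with a
    packet from `src`. own_prefixes are your own public blocks: a packet
    claiming to come from inside cannot legitimately arrive from the Internet,
    so they are checked first and reported as spoofing."""
    ip = ipaddress.ip_address(src)
    for cidr in own_prefixes:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return "deny", f"spoofed internal source ({cidr})"
    for cidr, why in NEVER_FROM_OUTSIDE:
        if ip in ipaddress.ip_network(cidr):
            return "deny", f"{why} ({cidr})"
    return "permit", "routable public source"


def cisco_ingress_acl(name: str, own_prefixes: Iterable[str] = ()) -> str:
    """Render the same policy as a Cisco IOS extended ACL (wildcard-mask
    syntax), to be applied with `ip access-group <name> in` on the outside
    interface. Denies are logged so spoofing attempts are visible."""
    entries = [(p, "own public block, spoofed if seen inbound") for p in own_prefixes]
    entries += NEVER_FROM_OUTSIDE
    lines = [f"ip access-list extended {name}"]
    for cidr, why in entries:
        net = ipaddress.ip_network(cidr, strict=False)
        lines.append(f" remark {why}")
        lines.append(f" deny ip {net.network_address} {net.hostmask} any log")
    lines.append(" permit ip any any")  # anything else is handled by the rules that follow
    return "\n".join(lines)


def audit_flows(flows: Iterable[str], own_prefixes: Iterable[str] = ()) -> List[str]:
    """Run the policy over 'src -> dst' lines (as from a flow export) and
    return the ones the ACL would drop, with the reason."""
    own = tuple(own_prefixes)
    denied = []
    for line in flows:
        src = line.split("->")[0].strip()
        action, reason = classify_source(src, own)
        if action == "deny":
            denied.append(f"{line.strip()}  DENY {reason}")
    return denied


# Constructed sample flows as they might arrive at the outside interface.
# 198.51.100.0/24 (a documentation range) stands in for the organization's
# real public block, so the spoofed-internal rule is the one that fires for it.
SAMPLE_FLOWS = [
    "8.8.8.8 -> 198.51.100.10",
    "10.20.30.40 -> 198.51.100.10",
    "127.0.0.1 -> 198.51.100.10",
    "198.51.100.7 -> 198.51.100.10",
    "93.184.216.34 -> 198.51.100.10",
]

if __name__ == "__main__":
    print(cisco_ingress_acl("OUTSIDE-IN", ["198.51.100.0/24"]))
    for entry in audit_flows(SAMPLE_FLOWS, ["198.51.100.0/24"]):
        print(entry)
```

Keeping the prefix list in one place and generating the ACL from it means the deny entries on the router and the check used to audit flow logs cannot drift apart; when a new block is added to the list, regenerate the ACL rather than editing it by hand.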
A special word about router security
Although many routers come with built-in IPS/IDS modules and firewall software, the access control list (ACL) is one of the most powerful tools at your disposal to enhance your network security. ACLs allow you to configure individual interfaces according to your specific traffic and data needs. Here are just a few of the measures to increase system security you can take using ACLs:
Switch and port security
Many switches offer private VLANs, which limit traffic between devices on the same VLAN even further. Whenever possible, use separate VLANs for management and data traffic. Also make sure access ports are configured with the STP extensions for BPDU guard: a port that receives a BPDU is shut down, so an employee cannot quietly attach a home router or switch to the network and reshape the spanning tree.
Effective port security protects against eavesdropping and similar attacks. If your organization requires a high security environment, a port can be configured to accept only specific MAC addresses, or only a limited number of them. Bear in mind that a MAC address is trivially spoofed, so this raises the bar rather than authenticating the device (802.1X does that). The cost of this level of security is that it restricts BYOD and makes hardware upgrades and office moves significantly more complicated.
In-depth measures provide higher security levels
The above measures to increase system security go deep into the heart of your system to deliver defense in depth. It is important to go beyond border security to ensure the integrity of your network and many of these measures can be changed as necessary as technology and organizational requirements evolve.