Image source: Wikipedia.org
No matter what they say, no matter how well encrypted your network is, no matter how many firewalls and anti-virus software you have, there is no such thing as truly secure network.
On a regular basis we hear a number of organisations being ‘hacked’. Think of NASA, Pentagon, Target, Adobe, Facebook, Forbes.com, US Navy and the list goes on. They are all large and high-profile organisations with seemingly unlimited resources at their disposal to protect themselves against these attacks. Yet they find themselves among many that suffer ongoing security breaches.
Interestingly, at least 4 of the organisations mentioned, have verified the cause of the breach was a form of ‘Social Engineering’ technique. According to Wikipedia, in the context of information security, it refers to psychological manipulation of people into performing actions or divulging confidential information. So metaphorically speaking, one does not need to disarm the alarm or break through doors or windows to get into your home if one can simply talk you into opening the door for them. The techniques employed are only limited by one’s own imagination.
The good news though is that you don’t need to spend big bucks to avoid such attacks. The following tips may not eliminate the threat but it will greatly minimise your company’s susceptibility to it.
You and your team are the weakest link
It all starts with awareness. Social engineers are relentless and often quite talented at their art. Knowing you and your team are the biggest threats to your IT, unintentional of course, is the first step. We humans are surprisingly easy to manipulate.
Rewrite your IT policy
If your current IT policy is more than 6 months old, it is time to re-write. Do not amend, just re-write. Technology and its usage is changing rapidly. Having an updated, all-encompassing policy is not just to scare employees into compliance but it is to educate them.
Control all mobile phones that access the business network
If you and/or your team use personal mobile phones for anything related to the business viz. phone calls, SMS, emails, apps and documents, you need to control it. Mobile phones connecting to multiple Wi-Fi access points, especially free public ones, are most vulnerable. There are free Mobile Device Management (MDM) tools that are easy to manage, are low cost cloud based solutions and can be easily deployed to manage these mobile devices.
Ban all external storage devices
The fastest way to break into a network would be to have a USB drive seemingly empty but loaded with a rootkit that unleashes itself the moment the drive is plugged in. Files can be transferred over your network’s storage or simply use services such as Dropbox, iCloud, Google Drive, OneDrive etc.
Emails are for correspondence not collaboration
This cannot be emphasised enough. Forbes.com was hacked and defaced by Syrian Electronic Army using a simple email phishing attack. Cultivate a culture and policy where basic text emails are only used to correspond and to collaborate you can use anyone of these free collaboration tools. Most importantly, seriously consider before opening email attachments or clicking on links in an email.
Reconfigure Router and Wi-Fi
Your router is the gateway to your network and if there is a Wi-Fi access point attached, it becomes very visible and hence very vulnerable. With the help of your IT support provider reconfigure your router to best practice standards.
Passwords and 2-Step Verifications
Google, Apple, Microsoft, Twitter, Facebook and a host of other service providers offer 2-Step Verification/Authentication, which once set up, you will need to enter your password and the 4-8 digit code sent to your mobile via SMS to access your account. This may sound painful but it would be nothing as compared to pain highlighted in Mat Honan’s case. So wherever possible, set-up this 2-step verification and change all passwords at least once every 1-2 months.
Trust NOBODY
Even seemingly unimportant information such as IT hosted in-house or cloud-based is valuable information to anyone interested. While sharing Wi-Fi passwords and other such security information can obviously be detrimental, create a culture of zero trust when it comes IT. Include a broad IT policy compliance clause in every contract and agreement with external suppliers.
Designate specific IT people
This one applies to businesses using external IT support providers. Designate no more than 2 staff, one primary and the other secondary, to act as liaisons to your service provider. No one else is to have any conversation or perform any actions pertaining to IT. Thus reducing potential information leaks and improving the effectiveness of the service.
Cultivate a culture
Doing a full circle we come back to you and your team. We are, after all, humans, creatures of habit. If habits are not cultivated to be good, they will form anyways, and in most cases, they will be bad. So proactively help create good habits and culture. Regular formal and informal meetings and training sessions will yield a long term sustainable IT aware culture.
So there you have it. The best things in life are indeed free. You do not need to be an IT guru nor would you need an addition to your IT budget to implement these basic yet effective tips to secure your IT. These will not eliminate the threats but will significantly reduce your chances of being ‘hacked’.
References
On a regular basis we hear a number of organisations being ‘hacked’. Think of NASA, Pentagon, Target, Adobe, Facebook, Forbes.com, US Navy and the list goes on. They are all large and high-profile organisations with seemingly unlimited resources at their disposal to protect themselves against these attacks. Yet they find themselves among many that suffer ongoing security breaches.
Interestingly, at least 4 of the organisations mentioned, have verified the cause of the breach was a form of ‘Social Engineering’ technique. According to Wikipedia, in the context of information security, it refers to psychological manipulation of people into performing actions or divulging confidential information. So metaphorically speaking, one does not need to disarm the alarm or break through doors or windows to get into your home if one can simply talk you into opening the door for them. The techniques employed are only limited by one’s own imagination.
The good news though is that you don’t need to spend big bucks to avoid such attacks. The following tips may not eliminate the threat but it will greatly minimise your company’s susceptibility to it.
You and your team are the weakest link
It all starts with awareness. Social engineers are relentless and often quite talented at their art. Knowing you and your team are the biggest threats to your IT, unintentional of course, is the first step. We humans are surprisingly easy to manipulate.
Rewrite your IT policy
If your current IT policy is more than 6 months old, it is time to re-write. Do not amend, just re-write. Technology and its usage is changing rapidly. Having an updated, all-encompassing policy is not just to scare employees into compliance but it is to educate them.
Control all mobile phones that access the business network
If you and/or your team use personal mobile phones for anything related to the business viz. phone calls, SMS, emails, apps and documents, you need to control it. Mobile phones connecting to multiple Wi-Fi access points, especially free public ones, are most vulnerable. There are free Mobile Device Management (MDM) tools that are easy to manage, are low cost cloud based solutions and can be easily deployed to manage these mobile devices.
Ban all external storage devices
The fastest way to break into a network would be to have a USB drive seemingly empty but loaded with a rootkit that unleashes itself the moment the drive is plugged in. Files can be transferred over your network’s storage or simply use services such as Dropbox, iCloud, Google Drive, OneDrive etc.
Emails are for correspondence not collaboration
This cannot be emphasised enough. Forbes.com was hacked and defaced by Syrian Electronic Army using a simple email phishing attack. Cultivate a culture and policy where basic text emails are only used to correspond and to collaborate you can use anyone of these free collaboration tools. Most importantly, seriously consider before opening email attachments or clicking on links in an email.
Reconfigure Router and Wi-Fi
Your router is the gateway to your network and if there is a Wi-Fi access point attached, it becomes very visible and hence very vulnerable. With the help of your IT support provider reconfigure your router to best practice standards.
Passwords and 2-Step Verifications
Google, Apple, Microsoft, Twitter, Facebook and a host of other service providers offer 2-Step Verification/Authentication, which once set up, you will need to enter your password and the 4-8 digit code sent to your mobile via SMS to access your account. This may sound painful but it would be nothing as compared to pain highlighted in Mat Honan’s case. So wherever possible, set-up this 2-step verification and change all passwords at least once every 1-2 months.
Trust NOBODY
Even seemingly unimportant information such as IT hosted in-house or cloud-based is valuable information to anyone interested. While sharing Wi-Fi passwords and other such security information can obviously be detrimental, create a culture of zero trust when it comes IT. Include a broad IT policy compliance clause in every contract and agreement with external suppliers.
Designate specific IT people
This one applies to businesses using external IT support providers. Designate no more than 2 staff, one primary and the other secondary, to act as liaisons to your service provider. No one else is to have any conversation or perform any actions pertaining to IT. Thus reducing potential information leaks and improving the effectiveness of the service.
Cultivate a culture
Doing a full circle we come back to you and your team. We are, after all, humans, creatures of habit. If habits are not cultivated to be good, they will form anyways, and in most cases, they will be bad. So proactively help create good habits and culture. Regular formal and informal meetings and training sessions will yield a long term sustainable IT aware culture.
So there you have it. The best things in life are indeed free. You do not need to be an IT guru nor would you need an addition to your IT budget to implement these basic yet effective tips to secure your IT. These will not eliminate the threats but will significantly reduce your chances of being ‘hacked’.
References
- http://www.crn.com/slide-shows/security/240165003/top-10-security-breaches-of-2013.htm
- http://en.wikipedia.org/wiki/Social_engineering_(security)
- http://online.wsj.com/news/articles/SB10001424052702304526204579101602356751772
- http://arstechnica.com/information-technology/2014/02/iranians-hacked-navy-network-for-4-months-not-a-surprise/
- http://www.forbes.com/sites/chrisversace/2014/01/22/2014s-hacking-pain-is-cyber-securitys-gain-for-symc-feye-pawn-keyw-csco-cuda-ftnt-impv/
- http://abcnews.go.com/Technology/story?id=119423
- http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-a-detailed-timeline/
- http://www.theinquirer.net/inquirer/feature/2320371/2013-was-a-very-hacked-year
- http://aneuron.com/stay-secure-friend-hackers-targeting-smbs/
- http://blog.quatrashield.com/2013/12/17/357/
- http://www.infosecurity-magazine.com/view/25357/pwc-and-infosecurity-europe-release-the-latest-information-security-breaches-survey/
- http://en.wikipedia.org/wiki/Phishing
- http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012014.pdf
- http://www.scmagazine.com/february-2014-threat-stats/slideshow/1809/#1
- http://www.cio.com/article/598122/15_Free_Enterprise_Collaboration_Tools
- http://www.androidcentral.com/no-excuses-its-time-turn-two-step-authentication
- http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
- http://www.computerworld.com/s/article/9181939/Infected_USB_drive_blamed_for_08_military_cyber_breach
RSS Feed
