Cyber criminals only need to get lucky once. Make sure your people are making it hard for them.

In 2016, cyber crime is ever-changing, with agile attackers employing increasingly creative, exhaustive methods to find their prey. ‘Spear phishing’ rather than regular phishing, ransomware, exploit kits and ‘crimeware’ sold on the deep web have all played their part in fuelling a global cybersecurity market worth $75 billion.
For victims of these attacks, the consequences go beyond financial loss – a single hack can destroy your reputation, or have a ripple effect and compromise every company you interact with. Those who are least prepared suffer the worst consequences: weeks can go by without noticing the fraud, and by the time it’s discovered the money has been moved from account to account and rendered untraceable.
For Michael Conway, director of Renaissance, IT security distributors and business continuity experts, the first step is knowing your enemy. “We get asked ‘how do I stay one step ahead of the bad guys?’, and the answer is you don’t. You can’t stay one step ahead of them. If you’re doing really well you’ll be one step behind them . . .” It’s important to note that everyone is at risk: you’ll have read headlines about incidents like 2015’s Talk Talk hack (cost: an estimated £35 million), a DDoS attack on the National Lottery and another on Irish government websites in January of this year, but more and more SMEs find themselves targeted and opt to pay off their attackers and stay silent rather than reporting them.
Derek Mizak, solutions consultant with IT provider Ergo, described the compromise many businesses find themselves in: “a state-sponsored DDoS attack requires significant resources, but ransomware requires very little, and can target even the smallest businesses. And by paying the ransom, these businesses are feeding cybercrime. We always tell our clients not to pay, but they don’t always have the means to recover. Which leads to the question, what can they do as prevention, instead?”
“A lot of incidents aren’t big sexy data breaches,” said Pat Larkin, chief executive of Ward Solutions, which provides information security services and consultancy. “It’s the relatively small incidents which happen all the time. There’s a 91 per cent increase in targeted, custom attacks levelled at specific organisations, individuals or verticals. They target the chief executive or chief financial officer, the person with the most rights in the organisation. It’s a move from phishing attacks to ‘whale phishing’ attacks. The return is more substantial.”
Engineering these attacks takes time and information, all too readily available in the age of social media. The attackers compile a profile on their target, including their email address, their role in the organisation, and their relationship to coworkers and other outside businesses. They then spoof the email address of an associate, often claiming to be the chief executive, and asking for an immediate financial transfer to be carried out in the next ten minutes.
“It all looks very credible,” Larkin said. “You’re not transferring funds to Australia or something. The spelling mistakes, the clumsy representation of company logo, that’s all gone.” Another tactic is to imitate or hack a supplier doing business with a larger company, the end target, and to send an email claiming to have changed bank accounts. The simple defence is procedural: any change to a supplier’s payment details, and any urgent transfer request, gets confirmed by phone on a number already on file, never on one given in the email. They’ll also often attach what appears to be an invoice, but is instead loaded with a Trojan.
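As an added illustration (it is not code from the article, nor from any of the companies quoted), here is a small Python checker for the indicators the two paragraphs above describe: an executive’s display name on an outside address, a sender domain one character away from the real one, a Reply-To that diverts the conversation elsewhere, an urgent request for money, and an “invoice” that is really a macro document or executable. The internal domain, the executive directory, the keyword lists and the three sample messages are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own mail domain and the
# people a CEO-fraud message impersonates. Neither comes from the article.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"pat murphy": "pat.murphy@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "right away", "within the next", "asap")
PAYMENT_WORDS = ("transfer", "wire", "payment", "invoice", "bank account", "iban")
RISKY_ATTACHMENTS = (".exe", ".js", ".scr", ".vbs", ".docm", ".xlsm", ".zip")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: examp1e.com is one substitution from example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def bec_indicators(raw_message: bytes) -> list[str]:
    """Return the CEO-fraud / fake-invoice indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. A known executive's display name on an address that is not theirs.
    known = EXECUTIVES.get(display.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"display name '{display}' with foreign address {from_addr}")

    # 2. A sender domain one typo away from the real one.
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 1:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies quietly diverted to a different domain.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from {from_domain}")

    # 4. An urgent request for money in the text body.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content().lower() if part is not None else ""
    if any(w in body for w in URGENCY_WORDS) and any(w in body for w in PAYMENT_WORDS):
        findings.append("urgent payment request in body")

    # 5. An 'invoice' that is really an executable or a macro-enabled document.
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            findings.append(f"risky attachment {name}")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED_MESSAGE = b"""\
From: "Pat Murphy" <pat.murphy@examp1e.com>
Reply-To: <accounts@mail-relay.example.net>
Subject: Urgent transfer
Content-Type: text/plain; charset=utf-8

Need you to wire EUR 23,400 to the account below immediately. Don't call, I'm in a meeting.
"""

LEGIT_MESSAGE = b"""\
From: "Pat Murphy" <pat.murphy@example.com>
Subject: Q3 numbers
Content-Type: text/plain; charset=utf-8

Can you send me the Q3 summary when you have a minute? Thanks.
"""

INVOICE_MESSAGE = b"""\
From: "Accounts" <accounts@supplier-ltd.example.org>
Subject: Updated bank details - invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Our bank account has changed. Updated invoice attached, payment due immediately.
--b1
Content-Type: application/octet-stream; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE), ("invoice", INVOICE_MESSAGE)):
        print(label, bec_indicators(raw))
```

A check like this belongs at the mail gateway or as a mailbox rule that adds a warning banner. It catches the obvious cases only: it does not replace the phone call that confirms a payment or a change of bank details, and it does not replace SPF, DKIM and DMARC, which stop outright forgery of your own domain but say nothing about lookalike domains or free webmail addresses.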
Jonathan Boyle, security specialist at Data Solutions, explained how your company might be part of a larger plot: “If you were trying to get into a big enterprise, you might think the best way in would be through a smaller HR firm that they deal with. Hacking into the HR firm infects the files and contacts they have, and then the real target can be compromised through a hack on the smaller business.”
Ransomware also poses a threat, with security professionals reporting a rise in the number of incidents. Conway explained how the typical attack works: “It’s nastier and more horrible. You innocently click on something, a PDF or letter or email, and instantly get infected. Typically it’s a zero day attack, which normal antivirus software won’t be able to find. Then suddenly you get a message saying ‘Good news, your data is very well encrypted. Bad news, unless you send us money your data will be left encrypted and unavailable to you.’” Often this ransom, which for smaller businesses averages €1,000, will double if it isn’t paid within twenty-four hours.
A yet more nefarious outcome is when the criminals start sorting through your data, selling off email addresses and bank information, or leaking personal details as in the Ashley Madison hack. Prevention serves far better than a cure: back up your systems as frequently as possible, keep at least one copy offline or otherwise out of reach of the accounts ransomware would run under (a backup it can reach is a backup it will encrypt), test that you can actually restore from it, and limit employee access to your most sensitive data.
Dr Vivienne Mee, founder of VM Forensics, sees ‘social engineering’ attacks (attacks that manipulate people rather than exploit software) all too often. “Humans, at the end of the day, are your weakest link. They’re the ones with the passwords. Threats are generated differently every time, and they’re getting cleverer. You can have the best tech measures in place, but if the user still opens that attachment or clicks the wrong link, it doesn’t make any difference.” Mee stressed the importance of encryption and setting up firewalls, but acknowledged that such measures are only the start. “User awareness training is key. We do a roadshow with security training seminars, giving people challenges. We might even do a couple of attacks on a corporation ourselves before we go in. We find it more practical to show people how they fell for something already,” she said.
Mee also noted how after these seminars clients are less afraid to ask questions, or doubt the veracity of email requests. “We always say there’s no such thing as a stupid question. Better to ask now than get hauled in after work hours and asked if you’re the reason the whole network is down.” And once you’ve done all you can to educate and strengthen your ‘human firewall’?
It’s time to bring in the professionals. As Mizak puts it, “It’s like your health. Prevention is better than cure, but if you do get sick don’t go on the internet trying to find a way to cure yourself. Go to a GP instead.”
Hadi Hosn, EMEA managing principal for Security and Risk Consulting at Dell Secureworks, pointed out that an outside security expert might well work longer with you than your own employees: “Retaining skilled security staff is difficult even for large organisations, so employing a Managed Security Services Provider (MSSP) will help to alleviate some of this pressure.” Cover the basics – don’t store passwords in browsers, avoid suspicious free wifi and stay on top of updates to both your web browser and your operating system – then invest in security software. Hosn recommended a password manager (be sure to choose a complex master password and change it every six months), an anti-malware product with ‘heuristic protections’ enabled, and two-factor authentication on email accounts.
Freeware is a hazard for businesses – you end up paying for it with adware or even malware which can sneak in and slow your system down. Boyle recommended sandbox applications which can isolate and investigate threats before granting them access to your computer and its network. “Checkpoint’s Sand-Blast and Threat Emulation are good. If there’s code (in an email attachment) operating in the background, it’ll open it and warn you if it’s not regular. Technology like that is good, and doesn’t necessarily interfere with your business workflow.” He also listed mobile device management as key, not least when employees use the same device at work as during their off-time: “There’s software out there that can contain the business part of your phone. It gives you a separate email, separate apps, and you can still keep part of the phone for personal use. Then if the phone is lost, or stolen, you can remotely wipe files and documents from it.”
If educating your people is the first step, and investing in good technology is the second, then the third step is staying up to date. Conway reported an inevitable apathy among clients dealing with constant system update notifications: “People complain and tell me they did a Windows update recently. But Windows is not your main concern anymore. It’s Adobe. It’s Java. It’s Flash.” Hackers find their way in through applications rather than the operating system, and those applications are often not even up to date with security fixes in the first place. “If you have an IT technology solution in place, and it’s stayed the same without evolving or developing in the years since you bought it, then you’re probably wasting your money.”
Outdated software gives businesses little more than a false sense of security: it’s as good as a disconnected house alarm. Boyle agreed: “If a hacker gets in, and they will, you want to limit your exposure. A machine could be compromised for months without anyone noticing, so you need to install software that can spot irregularities straight away and lock down the system. A firewall that just identifies that there was an attack some time ago, without explaining if the threat is still active or how far it got, is not enough. You need instant and actionable intelligence that can say ‘This is happening right now, and we can stop it right now.’”
Conway recommended clients look for software with a ‘heartbeat monitor’, which can track and report malicious threats instantly and address them. “They can tell you when a computer is trying to connect with a malicious site. That’s how it completes the cycle of ransomware.” Products from names like Sophos and Heimdal offer a chance to evaluate what’s happening and clean up the infection in real time, as well as auto-updating with minimal inconvenience to their users. “If you don’t patch your systems, you’re leaving your doors open. Ask someone ‘do you want to patch this product now and restart your machine?’ and no one is going to want to do it, but we’ve seen a massive uptake in the last year in silent updating solutions, which minimise risk and make updating easy.”
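As an added example (not the article’s, and not how Sophos, Heimdal or any other product does it), the following Python applies two of the checks described above to DNS resolver logs: a blocklist match that also catches subdomains of a listed name, so the “computer trying to connect with a malicious site” is reported by client, and a simple beaconing heuristic that flags a host resolving the same name at near-constant intervals, which is what a machine quietly compromised for months tends to look like even when the destination is on no list yet. The blocklist, the log format and the log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed blocklist; in practice this comes from a threat-intelligence feed.
BLOCKLIST = {"pay4key.example.org", "evil-updates.example.net"}

# Constructed resolver log lines: "<ISO time> <client IP> <queried name>".
LOG_LINES = """\
2016-03-01T09:00:01 10.0.0.20 sync.unlisted-host.example.info
2016-03-01T09:00:02 10.0.0.12 www.example.com
2016-03-01T09:00:09 10.0.0.17 www.example.com
2016-03-01T09:00:40 10.0.0.17 www.example.com
2016-03-01T09:01:15 10.0.0.12 api.pay4key.example.org
2016-03-01T09:03:15 10.0.0.17 www.example.com
2016-03-01T09:05:03 10.0.0.20 sync.unlisted-host.example.info
2016-03-01T09:10:02 10.0.0.20 sync.unlisted-host.example.info
2016-03-01T09:12:30 10.0.0.17 www.example.com
2016-03-01T09:15:04 10.0.0.20 sync.unlisted-host.example.info
2016-03-01T09:20:01 10.0.0.20 sync.unlisted-host.example.info
""".splitlines()


def parse(line):
    """Split one log line into (timestamp, client, normalised query name)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def is_blocklisted(qname):
    """True if the name itself or any parent domain of it is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def blocklist_hits(lines):
    """Map each client to the blocklisted names it tried to resolve."""
    hits = defaultdict(list)
    for _, client, qname in map(parse, lines):
        if is_blocklisted(qname):
            hits[client].append(qname)
    return dict(hits)


def beacons(lines, min_queries=4, max_jitter=0.1):
    """Return (client, name, interval_seconds) for every client that resolves one
    name at near-constant intervals: at least min_queries lookups whose gaps have
    a standard deviation no more than max_jitter of the mean gap."""
    stamps = defaultdict(list)
    for ts, client, qname in map(parse, lines):
        stamps[(client, qname)].append(ts)
    found = []
    for (client, qname), times in stamps.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((client, qname, round(avg)))
    return found


if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(LOG_LINES))
    print("beacons:", beacons(LOG_LINES))
```

In the constructed log, 10.0.0.12 is caught by the blocklist through a subdomain of a listed name, 10.0.0.20 is caught only by the timing check (five lookups about 300 seconds apart), and 10.0.0.17’s repeated but irregular browsing to the same site is not flagged. The jitter threshold and minimum count are tuning knobs, and real logs carry legitimate periodic traffic (update checks, mail clients polling), so a beacon finding is a lead for an analyst rather than a verdict.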
Finally, the last step for complete cybersecurity, or as ‘complete’ as it can possibly be, is to propagate information throughout every part of your company, from the highest ranked employees to the most junior. As Mizak put it: “Security is not a ‘technical issue’. Security should be discussed at board meetings. It comes down to training, staff screening, a proper HR department . . . there’s no one magic silver bullet.”
Hosn said: “Better education of end users is critical - they are, after all, at the front line of security. Endpoints including laptops, smartphones and tablets are fertile ground for security attacks, creating numerous access points and vulnerabilities.”
Similarly, Boyle cited simple errors in endpoint security as the main threat: “The biggest threat to businesses in general are their users. It’s bad passwords, failure to change passwords or bad password choice, or not using two factor identification. The users are always going to be the variable that can compromise.”
The universal advice is to stay sceptical, and to educate as much as possible. It’s as much about communication as compliance: security measures are essential at every level of a business, and for businesses of every size. Mee cited a client who has worked out a good way to stay on top of threats: “I work with an organisation where we do security bulletins every month where we send around samples of new threats and remind employees that they can call the help desk if they’re uncertain. It’s about keeping in with the native security forums, seeing what’s trending, and relaying that knowledge back to the organisation, from the top down to the end user. Knowledge is key, at the end of the day.”