This year’s election is fast approaching, and one area I would like to hear each candidate discuss more in depth is the realm of cybersecurity. Symantec’s Internet Security Threat Report for 2016 (https://www.symantec.com/security-center/threat-report), highlights some staggering numbers: more than 429 million online identities were compromised, 75% of websites contained some form of vulnerability, targeted phishing campaigns increased 55%, and ransomware increased by 35%. The fact of the matter is that cyberthreats are very real, and are not going to decline in the near future.
How does one not fall victim to a cyberattack? Even in a perfect world, with employee training exhausted and IT staffed adequately, cyberattacks on companies can still happen due to “zero day” vulnerabilities being exploited. These types of vulnerabilities are those which no patch yet exists, because the tech giants (Microsoft, Apple, Google, etc.) are unaware of their presence. If an organization is hit with an attack that took advantage of a zero-day vulnerability, there may not have been anything that could have been done to prevent it. But what about thwarting the “classic” malware attacks, where an attacker writes or uses a program to gain remote access to a system?
The employees of the company are the ones who will be responsible, ultimately, if a cyberattack occurs. Their training – and adherence to (ideally) well written company IT policies – are essential to eliminating the low hanging fruit, or letting it dangle for an attacker to pluck.
Tips for end users to ensure they do not put the organization at risk
1) Never click on hyperlinks in e-mails from unrecognized senders. These links can download what the IT industry refers to as “drive-by malware,” where the computer becomes infected as it visits the link that was clicked upon. Mousing-over the hyperlink may illustrate the hyperlink’s destination – but what if the user accidentally clicks the malicious link while holding the cursor over it?
2) Never open e-mail attachments from unrecognized senders. These attachments can contain malicious programs used to gain remote access to the computer. An attachment may be named “Sign Up Form.pdf,” but it may actually be an executable program that will run if clicked upon. A file’s name does not always have to describe its contents.
3) Never respond to e-mails from unrecognized senders without consulting IT. Oftentimes, unrecognized senders may be attempting “phishing” schemes. They will send e-mails that appear to look legitimate but ask for personal information, like one’s middle name, social security number, or usernames and passwords. A legitimate company, and legitimate internal employees, should not and will not ever ask for this information via e-mail. A classic analogy is to not provide any personal information electronically that wouldn’t be provided over the phone. Phishing e-mails can easily be spotted by looking for obvious misspelled words, punctuation mistakes, and poor formatting.
4) Install updates for legitimate software when prompted. IT may manage this; however, if this is not the case…when Windows prompts that updates are ready to be installed, install them. When a browser states that it’s out of date, update it. These may be tedious tasks, but the reality is that these updates fix critical patches that plug up holes in program code that would allow attackers easier access into the system.
5) Antivirus software should always be present. My favorite paid product is Symantec Antivirus, and my favorite free solution is Avast. I prefer these two solutions because they are proactive, helping keep the computer safe in the background. Best of all, they install updates automatically (or with minimal user interaction).
6) Do not share passwords with coworkers, and do not share passwords with family members that you share an electronic device with. Secrets do not make friends, but secret passwords also help prevent cyberattacks. Passwords should also be strong – anywhere from 8-20 characters, containing CAPITAL and lowercase letters and $yMBo1$.
7) Change those passwords often. An acceptable rotation period is 90 days, but changing them sooner definitely does not hurt. Do not use the same password more than once. A password management tool can be used to document each password. Personally, I avoid using cloud-based password management software, because my passwords may become compromised if my provider becomes a cyberattack victim.
8) Use two-factor authentication whenever possible. This type of authentication requires a known credential – such as a password – and then something in the user’s possession – such as a cell phone. For example, the password of the account is required (the first factor), and then (depending on how it is configured) a text message will be received with a temporary code that the user will then be prompted for on the device that is attempting to login (the second factor). Using two-factor authentication prevents a hacker with only the user’s password from gaining access to the account.
9) Ensure home networks are secure. The same (hopefully solid) security practices applied at work should also be practiced at home. Home networks are used to connect to office networks if the employee is working remotely.
10) “Travelling” devices should be encrypted. Bitlocker, the Windows solution, and FileVault, the Macintosh solution, are perfectly acceptable. Android and iOS devices also offer their own forms of encryption (Android SD cards can – and should – also be encrypted). This prevents someone with physical access to those devices from extracting their storage medium and viewing its contents.
11) Be wary of connecting to unsecured networks with those “travelling” devices. One of the most distinct – and perhaps overlooked by the average user – features of an unsecured network is that anyone can use it. Network monitoring software whose sole purpose is to intercept traffic travelling through that network has existed for years, and is not new to hackers. The more people that are connected to the network, the greater chance someone will fall victim to a cyberattack. According to an article published on Politico written by Martin Matishak (http://www.politico.com/story/2016/07/rnc-convention-2016-data-security-225823), more than 1,200 people at the 2016 Republican National Convention in Cleveland connected to unsecured Wi-Fi network, with 68 percent of those people leaving their personal information accessible to third parties. The simplest solution when travelling is always to use secured networks.
Cyberattacks are only going to continue to increase and be a growing problem for individuals and organizations worldwide. With proper training, however, these attacks can be avoided.
Tips for Organizations
Taking the above 11 steps are items you can do on your own to help eliminate the low-hanging fruit in your IT environment, however, it’s important that your organization also utilize a CyberSecurity Expert as there are several other crucial layers they offer that you don’t want to miss.
CyberSecurity Experts see all kinds of things when going into an organization. Some are obvious and easy to point out, like the 11 points mentioned above, yet it’s always a surprise that even these basic things often aren’t being implemented. There are a host of other gaps that CyberSecurity Experts can identify that you don’t see or know to look for. They look at the gaps in the controls currently in place and make recommendations on an application control framework. They balance this with the business objectives of the organization to provide the best security while still making it as convenient and accessible to carry out the business of work.
Taking some common-sense tips on your own, as well as contracting with a CyberSecurity Expert will help eliminate the low-hanging fruit and keep data secure!
By Gene Snyder, GCFA, EnCE, ACE,
Senior Forensic Analyst at Vestige
For more information CONTACT US