Every day, as we go about our normal duties, both personal and professional, we are exposed to Cyber risk. We each use a number of devices, and whether the risk lies in the device itself or the website or service we are accessing, someone, somewhere, would like to know what we are up to. The bad guys are out there and what they want, in the absence of any personal grievance, is to monetise our data.
Beyond choosing the right online services, we have little control over where our data gets to. Whether that data is our email address and associated password, or includes our home address, credit card details and mother’s maiden name. We rely upon service providers to keep our information and personal details secure.
What is likely to happen if a username and password is compromised by a hacker? They might just choose to sell those details on for others to exploit, or they can pass those credentials into an automated program that will attempt to authenticate with thousands of other online services.
So, are unique passwords important then? Personally, I use three types of password: unsecure, unique and business. Unsecure is for sites I am likely to only ever access once, sites that require some form of identification, so I would normally use my personal email address to register for these. I use a unique password for any services that require additional, personally identifiable information. I combine these with Multi-Factor Authentication (MFA) where possible and associate them with my business email. The password is complex, but, most of the password is common save for a portion identifying the service I am accessing. The third is my business password. It is not reused anywhere else, is complex, changed frequently, and without it and MFA, no one can get to my systems or data. MFA is very good at keeping the bad guys out and that is why banks use it (it might come in the form of a physical secure key, a mobile app, a secure SMS – they all provide you with a one-time password to use in addition to your username and password).
Social Engineering is the practice of gathering information by manipulation. Why would villains go to the effort of compromising a company using a system’s vulnerability when they can get someone to tell them their password over the phone? Of course, it is not just limited to passwords and can involve building access, financial fraud and extortion – which may, or may not result from you handing over your password in the first place. Here are two simple examples of Social Engineering:
“Hi, it’s John calling from TalkTalk. We’ve noticed a large amount of suspicious traffic originating from your home Internet connection. Please login to your computer and go to http://be-wary.com website so I can investigate what is causing it.”
I forgot to drop this on your desk earlier. Please ensure the attached invoice is paid this afternoon.
The first is an example of Pretexting and was experienced by my wife some months ago, though it preceded the well-publicised TalkTalk breach. The second, a simple Spear-Phishing email, can and will happen wherever you do not have effective email security systems in place. Unless the CEO’s password has been stolen and the email is from an “authentic source” of course – good luck stopping that one. MFA, again, would prevent that happening.
We get viruses and malware for a number of reasons, including the presence of thousands of criminals out there, busily writing code to compromise our data. Given that we have little control over what the bad guys are doing, what can we do to prevent the viruses getting in?
First and foremost, you must keep your devices up to date with the latest patches. That is for both Mac and PC, iPhone and Android, and not only relates to the operating system but all applications such as Office, Flash, Adobe, iTunes, Google Chrome, Firefox, Internet Explorer. In fact, any application you have installed should be updated regularly – with the correct solution in place this can be managed centrally for you. Many infections occur simply by visiting a compromised website and exploit vulnerabilities in the installed applications on your computer to install their payload. If I was only able to choose between Patching and Anti-virus to protect a device, I would choose patching. That might surprise many of you.
Second, make sure you do not have administrative rights on your own computer and instead are prompted to enter these admin credentials separately when you do install anything new (or when malware wants to install itself, meaning you are a step ahead and can thus deny it access in the first place).
Third, make sure your anti-virus product is licensed, always up to date and is running, not paused or disabled (chambers can centrally manage this for you, so that all devices are safe). That applies to Mac too. Gone are the days where Mac was considered a virus free environment – in fact Apple outscored Microsoft for vulnerabilities 689 to 570 in 2015 (http://www.cvedetails.com/top-50-vendors.php?year=2015)
Next, DO NOT open any attachment or file that you are not expecting, whether that is a link to a file, or an attachment in an email (with services such as Mimecast Targeted Threat Protection in place, you need not worry about this).
Last, but not least, stick to known, trusted, Internet resources – whilst this may not guarantee safety, larger organisations and online service providers are better able to patch and monitor their applications and services for vulnerabilities or suspicious activity.
Stepping away from your local device(s), another layer of security is at the network perimeter – between chambers and the Internet. A correctly configured Next Generation Firewall (NGFW) can provide significantly enhanced security and even inspect encrypted communication (many viruses use encryption to talk to their command and control servers, so, if you cannot decrypt the conversation, you cannot inspect the content for viruses and other threats). NGFWs will even prevent access to and from Internet resources based on geographic location, known server vulnerability, type of resource requested and even the time of day. Should access to the dark web or Peer to Peer (P2P) file sharing services be permitted within chambers given the security risk they present? The right technology will allow you to prevent that.
The way to stay protected from the bad guys is to remain informed of the evolving risk landscape. The threats are ever changing and technology is only part of the solution: according to IBMs ‘2014 Cyber Security Intelligence Index’ report, human error is involved in more than 95% of security incidents (http://www-03.ibm.com/security/services/2014-cyber-security-intelligence-index-infographic/index.html ). What is required is engaging, bite sized, Cyber Awareness training that you can fit around your busy schedules. It’s not about ticking compliance boxes, it is about actually learning and understanding the risks we all face, so that we are better prepared in our professional and personal lives for when the bad guys attempt to jemmy open the Cyber door.
By Danny Killeen, CEO, Sprout IT
|t||020 7036 8530|