How do you best protect your enterprise from cyber-attack, a threat that is growing and costs business £34bn a year, according to the Centre for Economic and Business Research? Well, why not start by asking hackers themselves? In this case, Michael Jack, who is in his second year ‘ethical hacking’ course at Abertay University and works part-time helping businesses stay safe with the Scottish Business Resilience Centre. Here are Michael’s top tips for avoiding that embarrassing and damaging moment when you have to tell your customers their private data has been breached.
Always run your patches
After vulnerability scanning your network, the first thing to is to make the software you use is patched (updated) with the relevant security, bug fixes and improvements. As Michael says: “If you’re like the nice people at Mossack Fonseca who are running content management systems that have not been patched since 2013, that’s easy pickings for people like me.”
Larger businesses should have IPS (intrusion prevention systems) and an enterprise-wide YARA signature for detecting bugs like Shellshock and Heartbleed. Smaller firms will rely more on patches or the latest Windows Hotfix or critical open-SSL update. “Just by being on the latest version of the operating system (Windows 10 or OSX 10.11) you’re mitigating a lot of the common attack threats that are out there,” says Michael. Older operating systems like Windows XP are no longer supported so are at risk; Windows 7 support is due to end in 2017, and Apple only support the two versions previous to the current version (OSX 10.10 and 10.9). The same applies to smartphones: make sure the IOS is updated on Apple, and with Android.
- DATA PROTECTION
Back up your data, and back up the back-up!
“I promise you your back-up strategy will save you money,” says Michael. “It will save you money on really expensive data recovery people with fancy scanning electron microscopes and big magnets.” Backing up data saves time and money and can defeat ransomware. If you have backups and you get attacked by CryptoLockers (a ransomware trojan) you can wipe your hard drive and restore from back-up within hours. Michael cites the example of an LA private hospital which had to pay millions of dollars in Bitcoins to get its data back, because it didn’t have a back-up sufficiently isolated from its main system. Weekly back-up is probably the minimum if you’re looking to avoid aggravating the business and always keep another offsite, in case of fire or similar catastrophe. It’s advisable to encrypt the onsite backup and keep it in a safe. If it’s unencrypted it could fall foul of PCI-DSS (Payment Card Industry Data Security Standard) and ISO (International Standards Organization) standards.
Encryption is not just for terrorists!
“If data is exfiltrated from your network and it’s not encrypted, once it’s left your perimeter the data has long gone,” says Michael. You should encrypt as much as you can – but be conscious of who needs access to what in the business. Therefore, internal controls should allow for individual document encryption, especially important financial information. Full disk encryption is available through Mac OSX (FileVault) and Windows (BitLocker/Drive Encryption) “If you can encrypt everything, encrypt it, but if you think you’re going to forget the password please don’t encrypt without writing the password in a book and locking it in a safe. The look on an average person’s face when they tell you they’ve enabled FileVault (Mac OSX) and then forgot the password, it’s a special sight to behold but not one you really want to see that often,” says Michael. Smartphones, if supplied to employees, should also be encrypted – in Apple IOS it’s advisable to set up the erase data function; in Android encryption this can be found through the security settings.
Size does matter!
Hackers can machine generate quadrillions of combinations of characters to ‘guess’ passwords, so the longer the better. Turn four words into a ‘pass phrase’ of 15 characters or above. These are much harder to crack than eight or nine-character long passwords, which can be cracked by ‘brute force’ methods. If you can’t remember your password, get a password manager like One Pass or Last to generate long, random passwords for you, and back up, enabling two-factor verification where possible. Use apps like Authy, which couple the device to the password for the service you are trying to access, by using an additional six-digit code. Check online whether your email accounts have been compromised in any data incidents using resources such as haveIbeenpwned? (https://haveibeenpwned.com). Try not to use low numbers like 1,2,3 and letters like the vowels a,e,i,o, (these are commonly chosen) and use the space bar (this counts as a character and makes a password harder to crack). Use services which have in-built ‘rate limiters’ (limiting the number of times a password can be entered before you are locked out of an app).
education, education, education
Around about 80% of corporate breaches are through phishing emails, according to research. Within your enterprise make sure there is user education and mandatory reporting of phishing emails, because the chances are that not all staff in an organisation will be aware of them. Phishing emails can get people to click a link through to a cloned website allowing hackers to take control of their accounts. Use enterprise-wide ad blockers – hackers like trying to take control of ad networks that serve ads to websites with malware built into the ad. Some in the enterprise may accidentally or purposefully click on an ad. Use secure, encrypted browsing through browser extensions like Https Everywhere – available on Firefox, Chrome and Opera. You can see if websites are encrypted if they have a padlock sign in the URL.
- SOCIAL MEDIA
Great fun, but a risk as well
Be careful what you say! Information you reveal about yourself can be ‘socially engineered’ by hackers and fraudsters looking to target people – especially the wealthy, or corporate executives. Facebook, LinkedIn, Twitter and Instagram are all great fun but they can allow access to your most personal thoughts, family information and even where you live!
Michael Jack is a 2nd year BSc Ethical Hacking student at Abertay University, Dundee. He works part-time for the Scottish Business Resilience Centre and has specialist knowledge in cryptography, defence and counter-terrorism. He presented at Scot-Secure 2016, run by Scot-Tech Engagement at Our Dynamic Earth in Edinburgh on Thursday, April 21.