Cybersecurity Commandments: An Insight Into Trivial Things Causing Big Problems
There are no trifles when it comes to security. The best thing you can expect is the “judgment day” to be delayed until problems reach critical mass. Although these issues appear to be constantly changing on the outside, they are all based on invariable principles — the “sins” of computer networks that are comparable to those of humans.
Let’s follow the Bible’s lead and compile them all into one list.
Gluttony (with traffic)
The amount of data being transmitted back and forth is growing rapidly: new apps are appearing, new devices are being added, and the shared resources are migrating into the cloud. Users are interacting more closely online, and an increasing number of mundane activities are going virtual — ranging from the document management workflow to things like ordering burgers. With such volumes of data, it is getting harder to identify and thwart unauthorized activity on the Internet. This has led to ISPs throttling your data. Cybercriminals with plenty of time on their hands can infiltrate a network deeply enough to retrieve a huge amount of information they can further take advantage of.
In May 2014, crooks succeeded in hacking the gigantic eBay, stealing personal data of 145 million users, including their names, phone numbers, emails, addresses, birth dates, and passwords. Having compromised the credentials of three employees, the malicious actors had access to the corporate network for 229 days without being exposed.
Detailed analysis of every computer and application can help determine the potential weak links in a network, whereas keeping track of suspicious activity and processes can enable IT staff to quickly find and identify the threat.
Lack of control
Total control seems to be the only solution, but the attempt to manage all the devices, processes and applications makes you waste too much time and resources. The hysteria is being heated up by constant incident reports.
For example, the Equifax hack hit the headlines in the United States in 2017. On March 8, US-CERT (computer emergency response team) released an alert about a new Apache Struts vulnerability. The cybersecurity department of the major consumer credit reporting agency in the US diligently scanned their network for the flaw, didn’t find anything, ran another scan a week later only to get the same result, and moved on with their regular routine. In late July, though, the vulnerability was detected in one of the web services, and it was patched immediately. However, it was too late: threat actors had been pilfering the financial and personal data on a total of 143 million customers from May to June. Equifax lost about $200 million, and the US Senate started considering fines for the loss of customers’ personal information.
Trying to identify a breach by its indirect symptoms is a questionable strategy because you end up wasting time, money and effort. Instead, you should focus on predicting and preventing it. This is doable via predictive analytics backed by considerable computing power, including things like artificial neural networks, to process large volumes of threat data.
Inclination for dangerous files and fatal links
Hackers are probably the only people who are okay with human error in information security. People’s temptation to download something cool or follow an interesting link is too big. Social engineering techniques are getting more sophisticated, and users’ data is becoming increasingly sensitive.
Criminals often abuse major online platforms to obtain people’s personal information. For instance, one hacking group created fake profiles at CareerBuilder, added phishing links and attached booby-trapped files to CVs, and then submitted them to employers via the official recruitment platform.
Not only do companies incur serious financial losses over phishing attacks, but they also get their reputation tainted. In March 2017, perpetrators successfully pulled off a phishing attack against the Defense Point Security company and obtained the personal and financial records of all of its employees. It was a hit below the belt for a company that provides security services for government institutions. They had to pay a fine, provide staffers with legal assistance and reimburse their losses.
Ongoing security awareness training of personnel is really effective, especially if it’s done in a fun way rather than in the form of strict guidelines. The technical facet of the matter shouldn’t be neglected, though. Employees’ disorganization and negligence should be countervailed with centralized, fast blocking of access to suspicious files, preliminary filtering of email and web services, and secure data transfers using VPNs.
Greed for work
The employees who use any available instruments for their work can pose another risk. You cannot reverse the progress: long gone are the days when you could fully control your cozy, safe perimeter. The organizations whose executives fail to understand this can run into serious problems. For example, using public cloud for backups is a slippery slope. In the aftermath of one such incident with cloud backup, the medical and financial records of US military personnel were exposed online. It was pure luck that American patriots quickly identified the breach.
Cloud services and remote access from personal devices have become part of our daily routine, and losing a smartphone or laptop is a common occurrence. In order to bolster security, it’s necessary to build adaptive protection and provide employees with a safe work environment in any part of the globe no matter what device they use. Some of the effective solutions include compartmentalization, encryption of corporate data, and MDM (mobile device management) systems that allow for separating work files from personal ones on employees’ smartphones and tablets, with an extra option of remote data destruction in case the device is stolen or lost.
Regular employees can make mistakes by accident, but things are entirely different when it comes to system administrators and security personnel. Their sloth and carelessness lead to serious issues.
“We’re a small company, why would anyone possibly want to attack us?”, “It’s going to update itself without our involvement”, “This app wasn’t made by fools, the default settings will do the trick” — information security researchers keep finding really interesting things behind this type of negligence. For instance, a data backup of a plastic surgery clinic was leaked in early 2017. An unprotected rsync service exposed sensitive medical records, including photos of women before and after breast correction.
In October 2016, the administrators of Adult Friend Finder Network dating service discovered that the database of their 412 million users was exposed online. It included personal information, passwords, IPs, as well as last session and payment time. Besides the gaping security holes, this incident also unveiled a few more unpleasant facts: in contrast to the advertisements, there were several times more men’s profiles than women’s, and the leaked information was a perfect material for blackmail. In 5,650 cases, the registration email was in the .gov domain; and in 78,301 cases, it was in the US Army (.mil) domain.
It’s not even the scope that’s astonishing in this story. The passwords were only protected with the SHA-1 hash algorithm, the database itself contained details on remote users, and the admins failed to patch the vulnerability in time.
Tools that automate the routine actions are a godsend for administrators. They can run scheduled software updates and rank the detected vulnerabilities. Meanwhile, predefined response and reporting scenarios help reduce the incident response time significantly.
Strict compliance with information security guidelines makes incidents less likely, makes hackers’ lives harder, and also makes it impossible for employees to do their work. Zero-day vulnerabilities regularly catch out those who follow the principle that goes, “If it works, don’t touch it”.
You’re lucky if somebody warns you of the vulnerability, as was the case with the British company DM Print, where the information of 31,000 users was at risk of being exposed due to a MongoDB flaw that had been fixed more than a year earlier. One hacker, though, took advantage of outdated software to make a lot of money: by harnessing a vulnerability in the popular Jenkins servers, he infected the machines with a Monero miner and made about $3 million.
You can’t configure a system “once and for all” nowadays. The modern InfoSec systems are living organisms that need to constantly learn and develop, which requires permanent progress and improvement. Add new sensors to your security system to make it more intelligent and observant, feed it with data from the community of professionals, regularly check how tamper-proof it is, train your employees and refine your own skills.
This one certainly deserves a separate chapter. Not using encryption is one of the most common mistakes in administering networks. In late 2017, American clothing retailer Forever 21 reported a theft of its customers’ credit card numbers. It turned out that some of its POS terminals hadn’t been using encryption from April to November, and the payment data was being added to open logs that the hackers were able to obtain.
However, this wasn’t as serious as the Deep Root Analytics company incident. A terabyte of American election-related information, which included private data of 198 million US voters, ended up on an unprotected Amazon cloud server. Anyone could access that data by simply going to the subdomain. All the information in that database was systematized for modeling political processes, which made it a potential instrument for mass phishing and spam attacks, targeted marketing campaigns, and public opinion management.
You cannot neglect encryption — it is the last line of defense, even for stolen information. It prevents cybercriminals who manage to steal files from accessing the encrypted data in these files.
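The Forever 21 detail above, payment data written to open logs, points at a control that sits beside encryption: card numbers should never reach a log in the first place. The following is an added example, not code from the article, of a log sanitizer that finds candidate card numbers, confirms them with the Luhn check (which avoids masking order numbers and timestamps), and keeps only the last four digits. The log lines are constructed; the function names are this example's own.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# spaces or dashes, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample POS log lines (not real data). The card numbers are the
# well-known Visa and Mastercard test numbers; the order id is not Luhn-valid.
SAMPLE_LOG = [
    "2017-11-14T10:21:07Z pos-17 sale approved card=4111111111111111 amount=39.90",
    "2017-11-14T10:21:09Z pos-17 sale approved card=5500 0000 0000 0004 amount=12.00",
    "2017-11-14T10:21:11Z pos-17 order=1234567890123 status=shipped",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, fold >9, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(match: re.Match) -> str:
    """Replace a Luhn-valid candidate with asterisks, keeping the last four digits."""
    digits = re.sub(r"[ -]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return "*" * (len(digits) - 4) + digits[-4:]
    return match.group(0)  # not a card number: leave it untouched


def redact_pans(line: str) -> str:
    """Return the log line with every card number masked."""
    return PAN_RE.sub(_mask, line)


def redact_log(lines) -> list:
    return [redact_pans(line) for line in lines]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Run the sanitizer at the point where the log record is built, before it is written anywhere; masking a file after the fact does not help once the file has already been copied. The separators inside a spaced number are dropped in the masked output, which is deliberate: the masked value is only meant to be recognisable as "a card ending in 0004".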
Security is a permanent struggle against external threats and your own weaknesses. The hidden dangers are ubiquitous, and it’s impossible to ensure ultimate protection. What you can do, though, is increase your odds of winning that battle. You need to understand the stages of an attack and react to each one of these stages the right way.
Attack prevention should exclude most threats by filtering out all well-documented symptoms. Here’s what you need to do:
- Analyze all network traffic;
- Control all applications and processes running on workstations and employees’ devices;
- Block access to suspicious resources;
- Maintain up-to-date spam and phishing filters;
- Scan the network for vulnerabilities on a regular basis;
- Automate software updates and patches;
- Encrypt all the data being stored, especially when using cloud services.
At the stage of intrusion and contamination, it’s critical to identify the troublemaking software before it causes harm. To do that, you need access to every workstation in the system, you must manage user privileges, and, most importantly, you must be able to detect unauthorized and anomalous activity as fast as possible.
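The "detect unauthorized and anomalous activity as fast as possible" requirement, and the earlier eBay case where compromised employee credentials went unnoticed for months, both come down to watching authentication events. Here is an added example, not code from the article, that runs two simple detections over constructed authentication log lines: a successful login preceded by a burst of failures from the same source, and a successful login from a source address the user has never used before. The log format, the baseline and the thresholds are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for this example: "<ISO timestamp> auth user=<u> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not real data). Documentation address ranges are used.
SAMPLE_LOG = [
    "2014-03-02T08:15:22Z auth user=jsmith src=198.51.100.23 result=FAIL",
    "2014-03-02T08:15:30Z auth user=jsmith src=198.51.100.23 result=FAIL",
    "2014-03-02T08:15:41Z auth user=jsmith src=198.51.100.23 result=FAIL",
    "2014-03-02T08:15:55Z auth user=jsmith src=198.51.100.23 result=FAIL",
    "2014-03-02T08:16:03Z auth user=jsmith src=198.51.100.23 result=FAIL",
    "2014-03-02T08:16:20Z auth user=jsmith src=198.51.100.23 result=OK",
    "2014-03-02T08:30:00Z auth user=admin src=10.0.0.5 result=FAIL",
    "2014-03-02T08:30:09Z auth user=admin src=10.0.0.5 result=OK",
    "2014-03-02T09:00:00Z kernel: unrelated message that does not parse",
]

# Constructed baseline of source addresses each user has been seen from before.
BASELINE_SOURCES = {"jsmith": {"203.0.113.7"}, "admin": {"10.0.0.5"}}


def parse_line(line: str):
    """Return an event dict, or None for lines that are not auth records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag an OK login preceded by at least `threshold` FAILs from the same
    (user, src) pair inside `window`. A single typo before success is ignored."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = recent[(ev["user"], ev["src"])]
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append((ev["user"], ev["src"], ev["ts"].isoformat()))
            q.clear()
    return alerts


def detect_new_source(events, baseline):
    """Flag the first OK login of a user from a source not in the baseline,
    then learn it so the same pair is not reported twice."""
    seen = {user: set(srcs) for user, srcs in baseline.items()}
    alerts = []
    for ev in events:
        if ev["result"] != "OK":
            continue
        known = seen.setdefault(ev["user"], set())
        if ev["src"] not in known:
            alerts.append((ev["user"], ev["src"]))
            known.add(ev["src"])
    return alerts


def analyse(lines, baseline=BASELINE_SOURCES) -> dict:
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    return {
        "bruteforce": detect_bruteforce_success(events),
        "new_source": detect_new_source(events, baseline),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

The two detections are deliberately cheap so they can run as log lines arrive rather than in a nightly batch; the baseline of known sources is what turns a plain "login OK" into something worth a second look, and it should be learned from a period you trust, not from the data you are investigating.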
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.