The intent of this article is not to scare but to prepare. As someone with a cybersecurity background, my natural inclination toward digital security is better safe than sorry. I could share many data-loss stories that would make even the most unflappable person’s hair stand on end. In the end, what matters is that your investment in security is proportional both to the value you place on your data and to the value the bad guys see in it. Your security measures need to be persistent and layered enough to deter them.
Why do you lock your front door? Is it because you see people going door to door, checking for unlocked homes to break into? Do you live in a neighborhood with a high rate of break-ins? Or do you just know locking the door is a good way to protect the valuables in your house? Bad actors come in all shapes and sizes — sometimes they just check and open unlocked doors, and sometimes they go after valuables. Cyber criminals range from scamps to professionals to cyber terrorists to nation-state sanctioned cyber-attackers.
The four main motives for cybercrime are curiosity, fame, greed and public interest. There are also four tiers of cybercriminal: script kiddie, inexperienced, expert and professional. Why does this matter to you? The size and nature of your business invite different types of attacker. A script kiddie may hone their skills on a smaller, easier target, such as a five- or six-computer office with weak protection but also less valuable data. An expert attacker may know that you hold clients’ private information that sells on the dark web. Every company is a potential target to somebody.
In the world of viruses and intrusions, the more things change, the more they stay the same. Prevention advice from organizations like NIST has changed little:
• Run antivirus (endpoint protection) on every machine and make sure it stays enabled for everyone at all times, including the boss.
• Keep all computers patched with security updates.
• Use protective DNS or web filtering that blocks known malicious sites.
• Use operating-system or third-party application allowlisting so that only authorized programs can run on your hardware.
• Do not allow BYOD (Bring Your Own Device), or at least keep personally owned devices off the business network. This includes the CEO and owner: every device is covered unless it is managed and secured exactly as a company device is.
Exceptions lead to exposure
Just one exception can let in today’s boogeyman, ransomware. Ransomware is malware that encrypts a victim’s data and holds it hostage; the attackers demand payment for the decryption key and often also threaten to destroy the data or release it publicly if the ransom is not paid. The FBI and cybersecurity organizations recommend against paying any ransom, since payment funds and encourages further criminal activity and does not guarantee recovery.
Ways of minimizing risk from ransomware are:
• Back up your data, system images and configurations.
• Test your restores regularly, and keep at least one backup copy offline or otherwise immutable so that ransomware cannot encrypt or delete it too.
• Utilize multifactor authentication.
• Apply all the measures mentioned earlier to defend against malware.
• Have, review, and exercise an incident response plan for a ransomware attack.
Beyond malware and ransomware
A common saying in security holds that there are two types of companies: those that have been attacked and those that do not know they have been attacked. Even if you protect yourself from malware and ransomware, attackers have other vectors. A typical intrusion runs in roughly three phases:
1. Gather information via social engineering and spoofing.
2. Scan for entry points and trace how data flows through the target.
3. Establish a foothold, elevate privileges, add further entry points (persistence), and hide the activity to prolong access and maximize the damage or gain.
What do they involve and how can you prevent them — or at least protect against them?
Education is the best defense against spoofing, in which an attacker forges the apparent source of a message (usually the sender address of an email) so that it appears to come from someone you trust while the real origin stays hidden. Authentication records on your own mail domain (SPF, DKIM and DMARC) stop many forgeries of your domain, but display-name tricks and look-alike domains still get through, so make sure all staff know what to look for and report anything that seems suspicious.
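The header checks below are an added example, not part of the original article, showing what "knowing what to look for" means in practice. It inspects only headers every recipient already has (From, Reply-To, Return-Path) and flags the common spoofing patterns: a trusted display name in front of an outside address, a look-alike domain, and reply or bounce addresses that diverge from the visible sender. The domain example.com, the protected names and the two sample messages are constructed for illustration; this is a triage aid, not a replacement for SPF/DKIM/DMARC or for trained users.

```python
"""Header checks for sender spoofing (added example; constructed sample data)."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                        # assumption: your own mail domain
PROTECTED_NAMES = {"jane doe", "accounts payable"}    # assumption: names worth impersonating

# Digit-for-letter swaps attackers use to build look-alike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def looks_like_trusted(domain: str) -> bool:
    """True for domains that imitate TRUSTED_DOMAIN without being it."""
    if not domain or domain == TRUSTED_DOMAIN:
        return False
    normalized = (domain.translate(_HOMOGLYPHS).replace("-", "")
                  .replace("rn", "m").replace("vv", "w"))
    if normalized == TRUSTED_DOMAIN.replace("-", ""):
        return True                                   # examp1e.com, exarnple.com
    if domain.startswith(TRUSTED_DOMAIN + "."):
        return True                                   # example.com.evil.net
    return domain.split(".")[0] == TRUSTED_DOMAIN.split(".")[0]   # example.co


def spoof_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators found in the headers (empty list = none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Display-name spoofing: a familiar name, but the address is not ours.
    if from_name.strip().lower() in PROTECTED_NAMES and from_dom != TRUSTED_DOMAIN:
        findings.append(f"display name '{from_name}' paired with outside address {from_addr}")

    # 2. Look-alike domain in the visible sender or in the reply address.
    for label, dom in (("From", from_dom), ("Reply-To", domain_of(reply_addr))):
        if looks_like_trusted(dom):
            findings.append(f"{label} domain {dom} imitates {TRUSTED_DOMAIN}")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} diverges from From domain {from_dom}")

    # 4. Envelope sender (bounce address) differs from the visible From. Legitimate
    #    bulk mailers do this too, so on its own this is only a weak signal.
    if return_addr and domain_of(return_addr) != from_dom:
        findings.append(f"Return-Path {return_addr} diverges from From domain {from_dom}")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
Return-Path: <bounce@mailer-relay.net>
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <j.doe@examp1e.com>
To: staff@example.com
Subject: Urgent wire transfer

Please handle this today.
"""

LEGITIMATE = """\
Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Team lunch

Friday at noon.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, spoof_indicators(sample) or ["no indicators"])
```

Run as-is and the constructed spoofed message yields four indicators while the legitimate one yields none; adapt TRUSTED_DOMAIN and PROTECTED_NAMES to your own organization before using it on real mail, and expect some noise from item 4 on newsletters.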
Social engineering can be done without any technology at all. A delivery person comes in and strikes up a conversation. You start telling them about your mother’s liver problems, maybe mention her name, or that your niece is getting good at dodgeball. All of this is exactly the kind of personal detail used to verify your identity in security questions and account recovery. Social engineering is the study and manipulation of human nature to extract information, and it can only be countered by training and vigilance.
Build a fortress
Network hardware such as firewalls, wireless access points and printers can protect you, but each is also a potential point of attack. A properly configured hardware firewall is non-negotiable: start from a default-deny policy and open only the ports and services you actually use. If the first configuration is overly restrictive and inconvenient at first, treat that as growing pains toward a more secure network, and loosen rules one at a time as you learn what your company’s network activity actually requires rather than opening everything.
With wireless security, it is better to broadcast your SSID than to hide it. Hiding the network name adds no real protection: the name is still recoverable from the traffic by anyone listening, and devices configured for a hidden network must actively probe for it by name wherever they go, announcing that SSID to anyone nearby. Rely on WPA2/WPA3 with a strong key instead.
When setting up a printer, a few settings matter. If it sends scans by email, it should use a dedicated mailbox on your own domain, not a personal or free account. Any unused ports, protocols and management interfaces should be disabled and the default administrator password changed. If it scans to a computer or file server, give it its own service account with only the rights it needs to write to the scan folder, never a domain or full administrator account. The goal is to remove attack paths through this innocuous piece of equipment.
Physical access matters too
It doesn’t matter how secure a network is against remote attacks; if someone can gain physical access to a device, network or space, they can usually control it. If someone can plug in a USB device unnoticed, they have all the time they need to take over that machine. Countermeasures for physical intrusion include name badges, distinct visitor badges, and a procedure for challenging unknown persons in the area. Company policy should require users to lock their screens whenever they step away (ideally enforced by an automatic lock after a short idle period) and to change any password that may have been exposed; current NIST guidance favors this over forced periodic rotation, which tends to produce weaker, predictable passwords. You must maintain these policies and stay vigilant to keep bad actors from gaining access and doing maximum harm to your network.
The importance of strong passwords
How can your computer, application or system tell the difference between you and a bad actor? We all use passwords to access our world, but how strong are they really? These questions are at the root of many problems in companies today. People struggle to remember complex, random passwords, find them a hassle, and don’t have time to retype them after a mistyped attempt. NIST (SP 800-63B) now favors length over forced complexity rules and allows long passphrases, because each added character multiplies the number of guesses an attacker must make, whereas swapping a letter for a symbol only enlarges the alphabet slightly. Instead of remembering Un!(0rN0425*? you can remember OneFish2fishRedFISHbluefish. One caveat: that particular phrase is a famous Dr. Seuss line, and attackers’ wordlists include song lyrics and well-known quotations, so choose words that do not form a familiar phrase. Mixing numbers and symbols into a phrase while keeping its length, e.g. 1FTwoFishRfBLU3F!$H, strengthens it further. Limiting the number of failed attempts before the account locks or slows down blunts online brute-force attacks and adds another layer on top of a strong password.
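To make the length-versus-complexity argument concrete, here is an added worked calculation (not from the original article) using the article’s own three passwords. It computes the exhaustive search space implied by each password’s length and character mix, contrasts that with the honest estimate for a passphrase the attacker models as a handful of dictionary words, and bounds what an online attacker can try against a locked-out account. The guess rate of 10^10 per second and the 10,000-word dictionary are assumptions chosen for illustration.

```python
"""Guess-resistance arithmetic for the passwords in the text (added example)."""
import math
import string

# Character classes an exhaustive search must cover once any member is present.
_CLASSES = (
    set(string.ascii_lowercase),   # 26
    set(string.ascii_uppercase),   # 26
    set(string.digits),            # 10
    set(string.punctuation),       # 32
)


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes that appear in `password`."""
    return sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in password))


def brute_force_bits(password: str) -> float:
    """log2 of the full search space: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """log2 of the search space when the attacker knows the secret is `word_count`
    words, in order, from a dictionary of `dictionary_size` entries. This is the
    honest estimate for a passphrase built from common words."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def max_online_guesses(attempts_before_lockout: int, lockout_minutes: int, days: int) -> int:
    """Upper bound on guesses against one account in `days`, assuming the account
    unlocks automatically after each lockout window and the attacker never stops."""
    windows = days * 24 * 60 // lockout_minutes
    return windows * attempts_before_lockout


if __name__ == "__main__":
    complex_pw = "Un!(0rN0425*?"                  # the article's complex example
    passphrase = "OneFish2fishRedFISHbluefish"    # the article's passphrase
    mixed = "1FTwoFishRfBLU3F!$H"                 # the article's strengthened form

    offline_rate = 1e10   # assumption: cracking rig against a fast hash
    for label, pw in (("complex", complex_pw), ("passphrase", passphrase), ("mixed", mixed)):
        bits = brute_force_bits(pw)
        print(f"{label:11s} len={len(pw):2d} alphabet={charset_size(pw):3d} "
              f"bits={bits:6.1f} years(offline)={years_to_exhaust(bits, offline_rate):.2e}")

    # Caveat: the passphrase above is a well-known Dr. Seuss line. An attacker who
    # models it as a few dictionary words (or consults a quotation list) faces far less.
    print(f"4 words from a 10,000-word dictionary: {passphrase_bits(4, 10_000):.1f} bits")

    # Online attack with lockout: 5 tries, then 15 minutes locked, for a whole year.
    print(f"online guesses in a year under lockout: {max_online_guesses(5, 15, 365):,}")
```

The 27-character passphrase scores far above the 13-character symbol soup on raw length, but the dictionary estimate shows why familiar phrases do not earn that score; the lockout bound (175,200 guesses per year at 5 tries per 15 minutes) shows why online guessing fails even against mediocre passwords, leaving offline attacks on stolen hashes as the case length must defend against.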
The top recommendation today is to set up multifactor authentication (MFA) for every login. That means that in addition to a password you present a second, independent form of authentication. The three authentication factors are something you know (a password), something you have (a phone or ID card) and something you are (a fingerprint). It is crucial to be rigorous not just about passwords but also about security training and its reinforcement with all employees.
The difference between IT and cybersecurity
The almighty dollar runs the world, yet when it comes to budgeting, many small and mid-size businesses keep skimping on the one area that will cost them most in the long run: IT and cybersecurity. Keep in mind that IT and cybersecurity are two different services. A managed service provider (MSP) generally does basic IT work unless a written agreement specifically covers the in-depth security coverage required today. MSPs maintain some security controls, such as firewalls and backups, but for full coverage it may be necessary to pay for MDR (Managed Detection and Response) or an MSSP (Managed Security Services Provider). These services provide what a company needs on the security side: a SOC (Security Operations Center) with personnel dedicated to watching for security issues, able to react to an attack, and focused on firewalls and intrusion prevention systems. Many companies will need both an MSP for basic IT and an MSSP or MDR for the additional security layer. Money and outside support, however, will only get you so far.
Individuals play an important role
How do you get employees to understand, buy into, and follow the policies and procedures that keep a business and its data secure? Train and reinforce, as prescribed by your MSP or by your IT and HR departments. NIST and CISA publish guidance on how to run and sustain security awareness training, and most security vendors offer training material as well. Training and reinforcement are the foundation on which vigilance is built, and vigilance is what makes the rest of your investment effective. Cybersecurity begins and ends with personal responsibility. The best piece of advice is to train yourself and your staff to be vigilant, watch for the signs of an attack, and pay attention in everyday computing activities.
Knowing who and what you are defending your company and your clients from is just the beginning. No single measure will secure your company. Antivirus software, firewalls, policies, backups, hardened settings, MDR and the money spent on them are all part of a multi-pronged, layered approach that offers the best chance of protecting your data. In the end, the human element determines whether you, your business and the services you provide to your clients are secure: whether everyone is properly trained and encouraged to follow through. None of it matters if your people are not steadfastly attentive to security. Without that, your organization cannot be secure in this 21st-century digital world and beyond.