It seems we can’t go a single week without a major company being hacked. As a security professional, I can’t help but wonder how and why these breaches happen in the first place, given the amount of attention we already seem to be giving the problem.
It can be easy to point a finger at the company’s security team for not putting up the best defence, but the reality is that hackers can still often find blind spots that may have been overlooked and bypass existing defences. If there is anything we can learn from recent breaches, such as that of Equifax, it is this:
The management culture of a company can sometimes be at fault. If management doesn’t view digital security as a core function of the business, it’s possible that the warnings and recommendations of even the best security teams may not be heard or taken seriously.
A lot of companies feel safe and secure behind their ISO compliance, which is a great thing to have. But in many cases, it only means they have the right processes on paper, not that those processes are actually being followed or implemented. Again, this comes back to a culture that does not treat security as a priority.
This can lead to a false sense of security, where companies believe their ISO compliance is keeping them safe from malicious attacks. Some form of security test is often run as part of the compliance process, but it may not take into account the other aspects of a real-world attack; it could be nothing more than an automated scan of your network, which gives minimal security benefit.
Even with the correct processes and controls in place, a lot of manpower is required to implement and operate them properly. To make matters worse, there is a well-known shortage of cybersecurity experts at the moment, which is expected to continue for the foreseeable future.
Partly that’s a problem of our own making, since we want experts but don’t really train people to that level of expertise. At the same time, security is a very specialised field of IT, requiring people to get trained up in many other areas before they get into this space.
Managing your assets
Today’s companies, particularly the big ones, have a lot of computers, servers, software and operating systems. It’s the elephant in the room and is often put into the “too hard” basket, resulting in little time or effort being dedicated to it.
This means that companies don’t always know what’s running on their servers. This is further complicated at big companies, where a single system may have several different owners.
Business owners are often easy to identify, but the same can’t be said for the technical owners who are responsible for your technology and infrastructure. So if something goes wrong, you’ll likely find yourself in a situation where you don’t know who to go to, and you won’t know how, when or why it happened in the first place.
If you don’t look at the big picture, you’ll not only leave your biggest risks exposed, but your security investment will also be misplaced. What’s the point in putting in an antivirus, firewall and/or intrusion detection system when you completely overlook the blind spots?
Start protecting yourself
Based on what I have seen in the security space in the last year or two, here are some of my top picks for keeping your data safe and secure:
- Make sure to test your code as early as you can. The further left you can move security testing in the project lifecycle, the earlier you can fix any security issues or loopholes. Then you can look into things like DevSecOps to tightly integrate security into the SDLC.
- If a hacker manages to get in, it is often with a low-privilege account that can’t do much. They will then try to elevate their privileges to admin level, so stopping this will make their task a lot harder. If you’re still giving users admin access on their desktops, a hacker can cause untold amounts of damage once they take over the machine.
- Multifactor authentication is gaining popularity, and for good reason. The authentication combines something that you know, such as a password, with something that you have, such as a token, or something that you are, such as a fingerprint.
- Daily backups of critical data are necessary given the rising number of ransomware incidents. If someone manages to hack your computer and encrypt or delete your data, you are able to recover from the latest backup snapshot.
- Whitelisting applications can create a controlled desktop environment, where only certain applications are allowed to run. This means the system won’t run any software it doesn’t recognise, including malware.
- If you have Java or Flash installed but don’t use them for anything important, it may be time to uninstall them, since they get exploited practically every day.
- A phishing simulation campaign can be very effective in identifying gaps in awareness about phishing emails. Afterwards, anyone who fell for it can be educated about good practices to stop them making the same mistake again.
All in the password
Despite all the high-profile breaches we’ve seen, people still don’t believe in having a good password. Until we have everyone using multifactor authentication, the password is often your only line of defence.
Everyone needs to come up with a really good password, one they can remember for a long time. Random numbers and letters are good, but a long password is better, since long passwords take longer to crack than short ones.
If you’re implementing a feature for users to create or change their password, check it against published lists of popular passwords to avoid accepting one that’s commonly used. That’s because hackers tend to use these lists to generate candidate passwords that they then use to break into online services.
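As an added example, not taken from the original post, here is a Python check of the kind described above: it rejects short passwords and passwords that appear in a common-password list, and it also reverses a few cheap substitutions and strips trailing digits before the lookup, because the wordlists attackers use are normally applied together with such mangling rules. The `COMMON_PASSWORDS` set and the minimum length are constructed stand-ins; a real deployment would load a large published list and choose its own policy.

```python
import re

# Constructed stand-in for a published list of popular passwords.
# In practice, load a full list from disk into a set like this one.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "football", "iloveyou", "monkey", "dragon", "sunshine",
}

# Assumed policy value for this example; long passwords take longer to crack.
MIN_LENGTH = 12

# Reverse the substitutions that wordlist mangling rules commonly apply,
# so that "P@ssw0rd" is recognised as a variant of "password".
_LEET = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t",
})


def normalise(password: str) -> str:
    """Reduce a password to the dictionary word it was most likely built from."""
    base = password.lower()
    # Drop trailing digits/punctuation such as "2017" or "!!" appended to a word.
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(_LEET)


def check_password(password: str) -> list:
    """Return a list of problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    elif normalise(password) in COMMON_PASSWORDS:
        problems.append("is a simple variant of a common password")
    return problems


if __name__ == "__main__":
    for candidate in ["football", "P@ssw0rd1!", "Welcome2017!!", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```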
There’s no shame in using a password manager to keep track of your long and randomised passwords. There are several free password managers that you can use as plug-ins for your favourite web browser.
Enterprises may want to invest in a password audit exercise, which aims to crack as many of the organisation’s passwords as possible. In my experience I have found the number of cracked passwords to be as high as 60 to 70 per cent.
In addition to the above, ensure that everyone in the company is aware that security is everyone’s responsibility, and not just the security or IT team. This will put people in a more proactive mindset where they will potentially think twice before clicking a suspicious link.
Here's a short video I did on the importance of a good password:
Safety starts with you
With so many technology companies promising the next silver bullet in security, you could easily end up dealing with more than 20 vendors for your security requirements. This creates a big patchwork of solutions that don’t necessarily work well together.
It helps when a vendor offers several of its own complementary technologies, but for every piece you put in, you still need someone to implement, manage and monitor it properly. If any of these is overlooked, you’ll just end up with another potential loophole.
Security testing is one of the best ways to validate your security controls. Testing is effective because it looks at your digital assets, how risky and valuable they are to you, and where to put in controls, and then simulates what a likely attack would look like.
Ask yourself: Do you know how resilient your digital asset is against a script kiddie? What about a cyber-crime syndicate?
Also, what kind of tools and skills will they use to carry out an attack? And is your defence designed to deter such attacks?
We’ll simulate a scenario like this with our Security Testing, which will then provide you with insights into the resilience of your digital assets based on your threat profile. On the defence side, we can help you put up the most practical, appropriate controls, so you can get the most out of your investment in security.
Contact us to find out how you can start protecting yourself today before security becomes an issue tomorrow.