Awareness critical to understanding cybersecurity risks
Published January 22, 2019
Over the years, the technology world has been really good at coming up with “buzzwords.” We all knew that we needed to hop on the information superhighway, but where was the on-ramp (and is there an exit)? Are we on the cloud, and if so, which one? Next came Big Data, and how are we keeping our systems on the leading (or bleeding) edge? I could talk about the SPAM we consume every day and how through cross-platform deep learning artificial intelligence, blockchain is going to consume the world. But I’ll leave that for another day. Buzzwords describing the latest and greatest often leave us feeling behind the ball, and often, in need of new and better technology to get ahead.
However, cybersecurity is not a topic we can save for another day. The cyber crooks are getting smarter, and we need to be ready to protect our systems and our clients’ data. In its simplest form, a Cyber Threat is defined as “the possibility of a malicious attempt to damage or disrupt a computer network or system.” Our goal is to prevent those attempts from being successful. Threats are broken up into three primary categories: Remote Exploits, Social Engineering and Insider Threats.
A Remote Exploit is when a bad actor takes advantage of a software vulnerability to access a system. There are a couple of quick fixes for this. First, make sure you have a good firewall and an up-to-date antivirus program running. This will block most of the attempts. Second, ensure your software is up to date. Whether your company has a formal policy or just a solid practice of updating, make sure all your software updates are being installed. Windows updates are a start, but don’t forget about Office, Adobe, Java, and any other applications you use. Personnel policies can go a long way, but there are software packages that assist with this as well. There is no single solution, though. It’s the layering effect of multiple initiatives that provides the best protection against Remote Exploits.
Many of the bad actors have realized we can protect our systems from remote exploits, so now they are moving to a new approach: Social Engineering. A social engineering attack is “the use of deception to manipulate individuals into performing actions or divulging confidential information.” As an example, I’m sure you either have, or know someone who has, a rich uncle in a third world country who wants to give you $15 million, right? All you have to do is send him your bank account information and he’ll wire the money right over. Maybe we’re too smart for that today, but what if you receive an email saying that your package wasn’t delivered, or that the IRS is going to seize your property if you don’t follow the instructions and click on a hyperlink? These are all attempts at phishing scams. You may have heard terms like spear-phishing, where the attack is more focused, or whaling, where the attacker spends much more time really understanding the habits of a higher-value target. As with remote exploits, there isn’t a magic software package or a vendor who can sell you a solution to this problem. The best strategy is again to implement a layering of multiple solutions. First, talk with your IT department or the outsourced support vendor to make sure you have a good email content filter. These products don’t just block emails from known bad IP ranges; the appliance can actually open attachments in a virtual space to make sure the desired outcome occurs when you run the program. In addition to a filter, ask for a visual cue when emails are received from outside your organization. Often an email appears to be legitimate when you open it, but in reality, someone is just pretending to be from your organization in an attempt to get your credentials.
A few other social engineering attacks include physical access attempts and “man-in-the-middle” attacks. From a physical perspective, the most important thing to remember is that most security systems are designed to keep external people and software out of your system. If you let them in, you just eliminated everything we’ve been discussing above. If you find a USB drive on the side of the road, and it says “HR Files,” don’t plug it in and check it out, just in case. Assume it was left there, specifically for you or an unwitting colleague, by a bad actor. If you insert the drive, it may load software onto your machine that will allow the bad actor access to your entire network. Assume anything you plug into your computer could have a “payload” that you aren’t expecting. If you have an IT department with a test machine, take advantage. A small dose of skepticism, along with some education, can go a long way against Social Engineering threats.
The final type of cybersecurity risk is Insider Threats. Just as with physical security, we always want to provide users with minimal privilege. A security-conscious network administrator will often have a general user account for daily network access, and only use the account with greater network privileges when performing network administration tasks. Just as we only give users keys to the departments they need, make sure network users only have necessary data access. Internal accounting departments often have different people performing AP and AR responsibilities, and others balance the books and provide strategic finance direction. Apply the same logic with cybersecurity, and should a breach occur, you will have better odds of isolating any risk or damage.
While it can be tricky for many to understand, most network security mirrors physical security, both from a problem and a solution standpoint. First and foremost, we need to use common sense and look for visual clues that make us think twice – and then actually do that thinking. Reach out to your IT department or vendor and ask the question when something seems strange. Skepticism is always a good thing when it comes to security, generally speaking. Do your research. Perform your updates, and ask questions of and listen to the IT professionals around your office. Communication goes a long way in preventing a cyber breach.
Do all you can to live in a world of awareness. Technology is integrated in nearly everything we do now, from performing audits to simply pumping gas, and it’s important to be aware of the risks so we can protect both our own data and that of our company and clients.