Stock up on sprouts, hang the decorations and prepare for a barrage of cyber attacks, because the festive season is upon us. The past two Christmas periods have seen a spike in hacks, with cyber criminals taking advantage of employees who are either easing off at the end of the year or are away from the office.
Retailers are the most affected, but lax security over Christmas is a problem for all organisations. Understaffing is usually a big reason, and there isn’t much organisations can do about that, but other vulnerabilities are entirely avoidable.
We’ve highlighted some of the biggest mistakes organisations make and how to address them. After all, Christmas may be a time of giving, but that doesn’t mean you have to give hackers a free pass into your systems.
1. Poorly configured devices
Inexperienced or underfunded organisations often install routers, switches and other networking gear without involving anyone who understands the security ramifications of each device. Misconfiguration can happen at any level of the application stack, including the code, web and application servers, databases and frameworks.
Here are some signs of a poorly configured device:
- Default account information: Attackers can easily break into your application if you’ve left your account name as ‘admin’ or ‘test’ and not changed the default password.
- Third-party applications installed on a production server: Every additional application on a production server is more code to patch and configure, and it widens the attack surface.
- Ineffective firewalls: If more ports than necessary are open, or if unauthorised hosts can connect to the server, attackers can gain control of the server.
- Missing operating system security patches: Attackers exploit security holes that have already been publicly identified and fixed by patches. If you haven’t applied those patches, you are vulnerable.
To avoid making those mistakes, organisations should:
- Use a strong application architecture that separates components;
- Create a process for applying software updates and patches as they are released; and
- Conduct regular scans and audits to help detect future misconfigurations or missing patches.
2. Weak passwords
Hackers can crack passwords in a variety of ways:
- Dictionary attacks: Hackers load a text file containing a list of words (usually from a dictionary) into a cracking application and run it against the user accounts the application has located.
- Rainbow tables: Most modern systems store passwords as a hash rather than in plaintext. This means that even if hackers reach the area or file that stores the passwords, they find only the hashes. A rainbow table helps reverse a hash by comparing the stored hash with a precomputed list of hashed dictionary entries.
- Brute force: The hacker tries common passwords in the hope of finding a match.
The received wisdom about passwords is that they should have at least eight characters and mix letters, numbers and special characters. However, this often leads to ridiculously complicated passwords that are hard to remember and, ironically, comparatively easy for computers to crack.
There’s another problem: even though complex passwords are theoretically hard to crack, people who can’t remember them end up writing them down somewhere, which immediately compromises them.
A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character from each word of a sentence.
Organisations should create a policy that lists specific requirements for creating passwords and instructs employees to change default passwords when they create accounts. If the account contains sensitive information, organisations should consider using multi-factor or hardware-based tokens in place of system-level passwords.
3. Insider threats
Employees are often directly responsible for data breaches. These can be broken down into three categories:
- Malicious actors, who steal or expose data for financial gain, political reasons, revenge, etc.
- Accidental loss, such as misplacing a removable device.
- Negligence, where, for reasons other than malice, employees fail to comply with security policies.
It’s hard to identify potential sources of insider error, because everyone in the organisation is susceptible. Accidental loss and negligence can be mitigated by providing your staff with regular awareness courses that remind them of their security obligations.
Preventing malicious actors requires stricter measures, such as:
- Implementing access controls to limit the amount of information any one employee can view;
- Creating policies restricting the use of removable devices; and
- Monitoring for unauthorised accounts.
Get cyber secure with penetration testing
It’s easy for vulnerabilities to sit on an organisation’s systems for months or years unnoticed. To prevent this, it’s important to regularly check any areas that could be vulnerable to data breaches or cyber attacks.
This is where penetration testing comes in. It’s essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
A level 1 penetration test provides adequate protection for organisations that want to identify exploitable weaknesses, such as those in the OWASP Top 10. These tests replicate the kinds of low-budget attack that an opportunistic criminal hacker would attempt, and are ideal for SMEs or those with no experience of security testing.
Book a penetration test before 22 December 2017 to get a 10% discount.
Staff awareness courses are an essential part of cyber security, and by addressing phishing, you can help mitigate one of the biggest threats your organisation faces. Our phishing e-learning course helps employees identify phishing emails, understand the damage they cause and respond to them responsibly.
Security in the Digital World is a straightforward guide for the home user, parent, consumer or home office. It gives an overview of who conducts cyber attacks and why, and covers a broad range of information security issues, including data security, identity theft and the safety of children online.