Don’t gift cyber attackers access to your organisation this Christmas

Stock up on sprouts, hang the decorations and prepare for a barrage of cyber attacks, because the Christmas season is in full swing.

December is a busy time for cyber criminals, as they look to take advantage of understaffed IT departments and employees who are distracted by tight deadlines, Christmas parties and the upcoming break.

Let’s take a look at some of the most common mistakes organisations make and how to address them. Some are quick fixes that you can sort out before you go away for the holidays, whereas other require a refined, systematic approach to information security.

1. Weak passwords

Hackers can crack passwords in a variety of ways:

  • Dictionary attacks: Hackers download a text file containing a list of words (usually from a dictionary) into a cracking application, and run it against user accounts located by the application.
  • Rainbow tables: Most modern systems store passwords in a hash. This means that even if hackers can get to the area or file that stores the password, the information will be encrypted. A rainbow table helps reverse the hash by comparing the hashed password with a list of hashed dictionary entries.
  • Brute force: The hacker tries common passwords in the hope that they will find a match.

The received wisdom about passwords is that they should have at least eight characters and mix letters, numbers and special characters.

However, this often leads to ridiculously complicated passwords that are hard to remember and, ironically, comparatively easy for computers to crack.

There’s another problem: even though complex passwords are theoretically hard to crack, you’d do well to not have to write them down somewhere, which immediately compromises them.

A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character from each word of a sentence.

Organisations should create a policy that lists specific requirements for creating passwords and instructs employees to change default passwords when they create accounts. If the account contains sensitive information, organisations should consider using multi-factor or hardware-based tokens in place of system-level passwords.

2. Poorly configured devices

Inexperienced or underfunded organisations often install routers, switches and other networking gear without involving anyone who understands the security ramifications of each device.

Misconfiguration can happen at any level of the application stack, including the code, web and application servers, databases and frameworks.

Here are some signs of a poorly configured device:

  • Default account information: Attackers can easily break into your application if you’ve left your account name as ‘admin’ or ‘test’ and not changed the default password.
  • Third-party applications installed on a production server: A production server with additional applications on it leaves organisations exposed.
  • Ineffective firewalls: If more ports than necessary are open, or if unauthorised hosts can connect to the server, attackers can gain control of the server.
  • Missing operating system security patches: Attackers exploit security holes that have been identified by patches. If you haven’t applied those patches, you are vulnerable.

To avoid making those mistakes, organisations should use a strong application architecture that separates components, create a process for applying software updates and patches as they are released and conduct regular scans and audits to help detect future misconfigurations or missing patches.

3. Insider threats

Employees are often directly responsible for data breaches. These can be broken down into three categories:

  • Malicious actors, who steal or expose data for financial gain, political reasons, revenge, etc.
  • Accidental loss, such as misplacing a removable device.
  • Negligence, where, for reasons other than malice, employees fail to comply with security policies.

It’s hard to identify potential sources of insider error, because everyone in the organisation is susceptible. Accidental loss and negligence can be mitigated by providing your staff with regular awareness courses that remind them of their security obligations.

Preventing malicious actors requires stricter measures, such as:

  • Implementing access controls to limit the amount of information any one employee can view;
  • Creating policies restricting the use of removable devices; and
  • Monitoring unauthorised accounts.

Educate your employees on cyber security risks

Educated and informed employees are your first line of defence when it comes to information security.

Empower them to make better security decisions with our Information Security and Cyber Security Staff Awareness E-Learning Course.

This GCHQ-approved training course gives your employees a comprehensive overview of the threats they face and how to avoid them.

get started

A version of this blog was originally published on 1 December 2017.