When an attacker penetrates an organization’s computer network and lays hold of institutional or personal data, the effects can be devastating. A company is likely to lose any of the following in the wake of a breach: reputation, time spent dealing with the breach, financial loss from lost business and critical data that may impact operations.
While protecting your organization’s data and networks may seem like intractable problems, strong cyber policy discipline can lower your data risk. To begin with, we drew on research by SANS, and recent events in the information security world, to bring you 7 important mistakes that make your organization vulnerable to cyber attacks. If you are able to avoid these, you will cut down on incidents of cyber attacks and operate more safely.
Practice 1: Prioritizing Ease Of Use Over Security In Server Access
Your data resides on your servers. For an attacker to access this data, they will typically route traffic through a web-based network. The attacker communicates with your servers and hosted services through common web protocols such as HTTP, SSH, and FTP.
When setting up your server access controls, you want to err on the side of making access too difficult for legitimate employees who have to have remote access rather than making it easy. Setting up a database port, for instance, with an open port that can be accessed publicly by all IP addresses, represents a serious security vulnerability that a hacker can use to attack your servers.
An example of this is the VeriSign computer network breach of 2010. Hackers were able to penetrate VeriSign’s servers and gain control over some of the company’s computer network. VeriSign is an authority in issuing SSL certificates that allow users to log in on servers across the internet. The fact that this breach happened to their servers meant that the effects were potentially very costly.
VeriSign handled the news of the breach in a way that made the situation potentially worse. They were hesitant to release information about the hack, thus depriving customers of critical security information that might have helped customers protect themselves.
Practice 2: Giving End Users Local Admin Rights on Their Workstations
If your organization gives admin rights to end users on their workstations, you are taking on a huge security risk. Admin rights allow a user to install software, which may expose your entire network to malware. By having so many admin users on your network, you have just increased the attack surface area available to an attacker. An attacker needs to gain access to just one of those admin accounts and your entire network could be at risk.
The Stuxnet worm that attacked and crippled parts of Iran’s nuclear enrichment program is an example of a malware of this sort. As Wired explains in an analysis of Stuxnet, the malware was designed to spread from infected USB drives.
In effect, when you allow local users admin rights when such a malware enters the environment, it’s able to take admin action across the network. The result is that an attack that could have been limited to just one computer can quickly spread and take over your computer your network.
Practice 4: Allowing Web-based Personal Email Services Which Are Susceptible To Phishing Attacks
A phishing attack occurs when an attacker routes a user to a website that poses as another website, typically, a big, popular website. These are websites like social media networks or personal email services like Gmail or Hotmail. In the process, the attacker has in place a mechanism to capture data that the user enters into the fake website. This can be usernames, passwords or other personally identifiable information.
In 2011, RSA suffered a phishing attack on some of its employees, which ended up stealing up to an estimated 40 million employee records, with potential impacts on RSA’s customers.
Practice 5: Being Slow To Apply Patches And Running Outdated Versions Of Software
Popular software like Microsoft Windows, Android and others are the targets of frequent exploits by hackers. As a result, the makers of the software regularly release patches to close off vulnerabilities as soon as they are made aware of them. In April 2017, for instance, the iOS and Android operating systems were discovered to be vulnerable to the “Chrysaor” exploit, which allowed hackers to spy on a user’s activities. Once a patch is made by the software vendors, you need to apply them quickly.
When your organization is slow to apply the security patches, you leave your data and networks vulnerable to cyber attack by hackers who actively study these vulnerabilities.
Practice 6: Using Permissive BYOD Policies
BYOD policies have gained popularity over the last several years. These policies have proven to boost employee morale and create digital working environments that allow employees to access data and work from personal devices. As mobile computing, in particular, has spread, BYOD seemed to be an inevitable switch since employees got used to having access to data from anywhere.
The problem is that attackers can take over workers’ personal devices fairly easily since most users are unable to implement the strictest personal security practices.
In 2014, for instance, it was revealed that hackers had used Aviva’s BYOD practices to gain access to employees’ Apple devices. From there, the hackers used a vulnerability in the Apple software for iOS and were able to wipe all employees’ data as well as take down the health insurance company’s server.
Practice 7: Neglecting Or Infrequent Penetration Tests And Red-Team Exercises
Though your company can take action to address a cyber attack when you become aware of it, this is often the weakest way to address potential attacks. You need an active defense plan with regular penetrations tests and Red Team exercises. Red Team exercises simulate attacks on your system and actively play out how you would defend against actual attacks. In the process, you find and fix any attack vulnerabilities.
Nintendo, for example, has started a bug bounty program where they actively work with fans and hackers to discover vulnerabilities in their products. This active vigilance will help a company find and fix vulnerabilities before they are lethal.
If your organization has not held a Red Team exercise in more than 6 months, chances are, you are too lax in your security preparation.