As we have all seen in the news recently, the lack of a solid, cohesive cybersecurity strategy can lead to a large disruption of business. Recovering from a cybersecurity disaster typically requires extended operational downtime, costly infrastructure improvements, and loss of a business’s reputation.
If these reasons aren’t enough to convince you that cybersecurity is critical to your business, consider what happens if you lose access to your customer data, trade secrets, or financial databases.
What if this data is completely unrecoverable? Chances are that the cost of implementing a robust cybersecurity strategy is far less than the cost of recovery if these things are lost.
An “attack vector” is simply a method that hackers or bad actors will use to gain access to proprietary systems or networks.
Virtually every network or accessible computer system uses some form of username and password to gain access. Username and password combinations are typically termed “credentials”. These credentials can be exposed in data breaches, via phishing attacks (more on this later), or simply stolen.
You should never write down credentials on sticky notes to help remember them. This simply makes them easier to steal. Avoid writing down credentials at all. If you must do so, destroy the document as soon as it’s no longer needed.
A lot of people get annoyed when websites require combinations of lowercase, uppercase, or special characters, then have a long password length requirement. While potentially frustrating, these requirements serve a purpose. Weak passwords are easy to guess for “brute force” attacks.
Hackers have access to computer programs that will try various combinations of easy-to-guess passwords, such as basic dictionary words, words with letters substituted for numbers (for example, 4s instead of As), with numbers at the end. These attacks get much easier if the hacker targets a specific person and has personal information available, such as birthdays, addresses, etc.
Using the same password across multiple sites or services is also exposes your credentials. It’s an unfortunate reality of today’s world that data breaches occur. If your password is exposed in one of these breaches, savvy hackers will attempt to use that password on other services you’re likely to use. If they gain access to your primary email account, they can likely reset any password they want.
Proper data encryption ensures data is secured during storage, processing, and transmission. While encryption during processing is typically handled internally by whatever system is utilizing the data, we have more control over encrypting our data during storage and transmission.
Securing data storage is thankfully included in most modern operating systems such as Microsoft Windows. Windows has a feature called BitLocker which encrypts hard drives on computers. You should enable this feature by default. Of course, encryption is only as good as the password used to secure it, so make sure your credentials are not weak!
Surprisingly, common encryption methods such as SSL certificates are often overlooked. Modern web browsers have a padlock icon near the address bar to let you know when the connection with any website is secured.
You should avoid typing any personal information on sites where the padlock is not locked or you see the text “Not secure” near the address bar. Instead of using http:// for websites, try using https:// instead. This usually redirects you to a more secure version of the website. Not all websites have this feature, but be cautious of giving out sensitive data on those which do not. This helps you secure your data during transmission.
Far too often, security settings are let to their default settings, including admin credentials. Do not do this! Allow someone knowledgeable to customize those settings and ensure there are no weak admin credentials. If you don’t check, someone else will.
Also, setup and configuration sections should not be exposed to users who do not need this access. Removing access to these pages ensures that a user with bad credentials can’t cause more damage than is necessary.
Ransomware is software that will delete or encrypt data unless a ransom is paid to a hacker group. This type of software was recently in the news for shutting down a large transmission pipeline until the multi-million dollar ransom was paid.
Companies can mitigate the risk of ransomware in a few different ways. Utilizing proper backups that cannot be accessed via normal network means should help if disaster strikes. Ideally, these backups are also physically off-site as well. Segmenting networks will stop the spread of damage. If one is infected, the others should remain operational.
Phishing is a social engineering technique designed to trick users into providing sensitive data, such as social security numbers, credit card information, or user credentials.
Preventing phishing attacks is more of an art than a science. Hackers have many clever techniques at their disposal designed to trick users. Companies should conduct training for employees on how to recognize phishing attacks regularly. Installing IT systems to display phishing warning messages can help as well.
Although stopping our work to update our computers can sometimes be a chore, patching software and a computer’s operating system is often one of the best ways to prevent a security disaster. Zero-day vulnerabilities are vulnerabilities in software that have just been discovered by the security community.
While these vulnerabilities may not be exploitable yet, hackers will attempt to exploit users via these methods sooner rather than later. Timely software patches can protect against this. If able, you should automate the updating process to minimize the impact on users.
Two-Factor or Multi-Factor Authentication requires the user to verify their identity via a secondary means when logging into a system for the first time from a new device or location, such as an authenticator app or verifying a code sent via text message. This is an added layer of security beyond user credentials.
Under no circumstances should a user give a verification code via phone, text, or any other means if they did not log into the service providing it themselves recently.
If able, companies should enforce strong passwords consisting of lowercase, uppercase, and special characters. There should also be an acceptable minimum character count for passwords. These rules help reduce the effectiveness of “brute force” attacks mentioned above.
The most common cause of weak passwords is a user’s ability to remember a more complex one. To aid in this, consider adopting password management software, such as LastPass or Bitwarden (my personal favorite). Software such as these helps users have longer, randomly generated passwords on sites and allows them to remember a single password instead of hundreds. Make sure these accounts are secured with good passwords themselves, though!
Sentences containing facts make for very secure passwords that are easy to remember. Try something like “MyFirstStreetAddressWas123Lane!”. Given the length and mix of uppercase, lowercase, and special characters, passwords such as these are notoriously hard to break, yet simple for users to remember.
Consider issuing multiple sets of user credentials to users that need admin access to various systems. If one of these credentials is exposed or stolen, the access granted is limited to that system only.
This increases the number of credentials users need to remember, but password management software (mentioned above) can help with this.
Modern operating systems will prompt users to grant app-admin access when attempting to perform functions that need this access. It is far too easy to simply click ‘yes’ and move on.
Take a second to consider what is happening before granting this access. If it is expected, you likely have nothing to worry about. If prompted out of nowhere, it is probably best to deny this access until you understand more about why it was requested.
Password sharing exponentially increases the likelihood that credentials will be stolen or exposed. There is no good reason to share credentials.
SISC is available to help you understand and implement any items suggested above.
Please don’t hesitate to reach out to us to assist with making sure your business and critical infrastructure is hardened against cybersecurity attacks!