Cybersecurity: The Importance of Securing your Cyber-Doors and Windows

Posted on 04.28.17

Cybersecurity: The Importance of Securing your Cyber-Doors and Windows

Everyone reading this knows where all the doors and windows in their homes are. And I'm sure that you tend to keep your windows locked and check that your doors are locked before you leave the house or go to bed at night. And some readers may have security systems with automatic intrusion detection and connectivity to emergency services built-in.

When it comes to cybersecurity, the fundamental process is no different. You first need identify all your cyber-doors and cyber-windows, then secure them. Just like actual doors and windows are at the boundary of your homes, cyber-doors and cyber-windows reside at any boundary where your data, devices, or transactions meet or move across the unsecured open internet.

The following are some of the most common cyber-doors and cyber-windows into an organization.

Software

Every piece of software on your company computers and servers is a potential attack surface. Hackers regularly develop malware and attacks designed to exploit weaknesses identified in software. Generally, the more common a piece of software is, the more hackers invest time into developing exploits. Microsoft Office products, Adobe Acrobat Reader, and Adobe Flash are some of the most popular targets for exploits.

Most organizations are likely to see a ransomware attack at some point. When a malicious file is opened on a computer with unpatched software, the exploit allows the attacker to execute their own software. With ransomware, the attacker’s code puts a password between you and your files and generally requires a Bitcoin payment to obtain the password.

The good news here is that Microsoft, Adobe, and others are typically attentive to known exploits and regularly release security updates to patch vulnerabilities in their software.

Simply keeping software up-to-date mitigates most of this risk.

Before you can reliably keep software up-to-date, you must know what software is installed. Therefore, it is important that organizations maintain an inventory of the software installed on organizational computers and servers. Once you know what software is installed on what devices, your team will be better equipped to keep software up-to-date.

Hardware

It is also important to know what hardware is installed on your network. Just like software, hardware can also be used as an attack vector. Many find it surprising that most of the hardware in your office (e.g., printers, cameras, routers, etc.) have updatable software called firmware. When manufacturers identify flaws and security weaknesses, they release updated firmware, which should be installed timely.

Perhaps the most important aspect of your hardware inventory is identifying hardware that comes with default login credentials or other unsecured-by-default settings. For example, Wi-Fi routers are typically configured with default login credentials to ease the installation process. These credentials are public information, usually retrievable from the manufacturer’s website and can provide easy access to an attacker. These login credentials should be changed, and if the product is unsecured-by-default to ease installation, it is a good idea to alter the configuration to a secure mode.

If hardware is not patched or configured to a secure mode, attackers can turn the devices into botnet nodes used to mount attacks on other companies. Recently, krebsonsecurity.com was attacked with 620 Gigabits per second of data primarily originating from thousands of unsecure hardware devices residing in homes and businesses.

Vendors

Just about every organization today entrusts a service provider with sensitive data. Some common examples include: email, your webhost, payroll service, web-based customer relationship manager, accounting firms, law firms, backup services, and even maintenance workers and janitorial service providers.

It’s true that when data is processed and stored by a service provider, you expect them to be responsible stewards of your data. After all, you don’t have the ability to implement cybersecurity controls at their place of business.

It’s also true, however, that you still have some responsibilities and capabilities to protect the data. Businesses should first inventory all the organizations to whom they entrust data and, to the extent practical, evaluate their security prior to retaining their services and on a periodic basis. Evaluations should consider the criticality and sensitivity of the data to which the service organization has access.

The recently formed Vendor Security Alliance, a non-profit funded by several technology giants, published a questionnaire that you can ask your service providers to answer.

 width=Company Internet Connection

Your Internet connection connects your company’s network to the rest of cyberspace. But your company has private data that you don't want others to see, so it is important to have, at a minimum, a barrier to separate your internal network from the open internet. A firewall is a piece of hardware or software that controls the data coming into and leaving your network according to rules that you can define. If data attempts to get into your network in violation of those filtering rules, it is rejected. Likewise, a firewall can prevent data from being sent out of the network in violation of those rules. For example, a firewall may block access to websites known to contain malware.

Wi-Fi (wireless) networks provide great convenience for staff. However, that convenience also presents risks that must be contained. Wardriving is the act of driving in a vehicle with special equipment that allows attackers to discover unsecured or poorly protected Wi-Fi networks. Once connected to the network, attackers have a much easier time deploying malware, stealing sensitive data, or installing backdoors that can be sold to other cyber-criminals.

Any organization that uses Wi-Fi should be using the latest and greatest encryption available in their hardware, which should say WPA-2 PSK (AES). Unfortunately, many organizations and homes still use encryption protocols, such as Wired Equivalent Privacy (WEP), that have been compromised. Still others go completely without any wireless network protections. Thankfully, encrypting network traffic is typically easy to do once logged into the router.

Older Wi-Fi routers may have a setting called Wi-Fi Protected Setup (WPS). This is a network security feature that has well-known exploits and should be disabled.

When employees leave the organization, they should not retain access to the corporate network. Organizations that use a pre-shared key to access the Wi-Fi network should change the password to prevent further access by separated employees. Note that if an organization is large enough that changing a pre-shared key to access the Wi-Fi becomes a frequent occurrence and burdensome to staff, then you will likely need a more complex setup with a RADIUS server.

Many businesses provide visitors complimentary internet access via the Wi-Fi network. Visitors, however, should not have access to your company network unless absolutely necessary. By allowing visitors to connect to your company network, you are exposing it to any malware, exploits, or other vulnerabilities that may be on the visitor’s computer. Businesses that wish to provide internet access to visitors should create a separate guest network. Many Wi-Fi routers, even some consumer routers, have this functionality built-in.

Email

The security industry is in a constant tug-of-war with the cyber-crime industry. And there may be no better example than email-borne malware attacks. Attackers are constantly finding new ways to defeat virus scanners, malware filters, and spam filters. For example, cyber-criminals that sell malware to other criminals have created a process whereby they continuously scramble the code of their malware in a process called crypting until antivirus software can no longer detect it. In response, the security industry is working to improve their detection functions.

Anti-virus and SPAM/malware filters remain critical parts of organizational cybersecurity. Although user security awareness training is necessary in the fight against email-borne attacks, the best way to stop attacks is by preventing them from reaching inboxes in the first place.

Mobile Phones, Laptops, and Other Mobile Devices

Many organizations today allow all or some employees to access their email over their mobile device. Other organizations have company-issued laptops that are constantly on the move. The more physical devices move, the more likely they are to be lost or stolen.

If a device with sensitive data is lost or stolen and the device is not properly protected, it can be considered a data breach requiring notification of the affected parties and may produce a liability for your organization. In 2009, the Department of Veteran Affairs settled a $20 million class-action lawsuit brought about by the theft of a laptop that contained personal information of 26.5 million active-duty military members.5

However, if a device with sensitive data is lost or stolen and is properly secured, it does not present a breach risk.

There are two primary methods of protecting data on mobile devices. First, data on mobile devices can be encrypted to prevent unauthorized access to the phone without the passcode. Second, the ability to remotely wipe the data on a device further protects data from falling into the wrong hands.

The content in this article covers just one aspect that small to mid-size businesses need to address for Cybersecurity. Download the entire whitepaper below to access additional Cybersecurity suggestions.

 

…………………..

Posted by: Christopher Moschella, CPA, CISA

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog