This past October, Kroll Inc. reported in their Annual Global Fraud Report that for the first time electronic theft surpassed physical theft and that firms providing financial services were amongst those who were most impacted by the surge in cyber attacks. Later that same month, the United States Federal Bureau of Investigation (FBI) reported that cyber criminals were focusing their attention on small to medium-sized businesses.
As someone who has been professionally and legally hacking into computer systems and networks on behalf of organizations (often called penetration testing or ethical hacking) for more than 10 years, I have seen many Fortune 100 organizations struggle to protect their own networks and systems from cyber criminals. This should come as pretty grim news, especially for smaller businesses that generally do not have the resources, time or expertise to sufficiently secure their systems. There are, however, easy-to-adopt security strategies that will help make your systems and data more resilient to cyber attacks. These are:
Defense in Depth
Least Privileges
Attack Surface Reduction
Defense in Depth
The first security strategy that organizations should be adopting today is called Defense in Depth. The Defense in Depth strategy starts with the notion that every system will at some point fail. For example, car brakes, airplane landing gear and even the hinges that hold your front door upright will all eventually fail. The same applies to the electronic and digital systems that are designed to keep cyber criminals out, such as, but not limited to, firewalls, anti-malware scanning software and intrusion detection devices. These will all fail at some point.
The Defense in Depth strategy accepts this notion and layers two or more controls to mitigate risks. If one control fails, then there is another control right behind it to mitigate the overall risk. A great example of the Defense in Depth strategy is how your local bank protects the cash inside from criminals. On the outermost defensive layer, the bank uses locked doors to keep criminals out at night. If the locked doors fail, then there is an alarm system inside. If the alarm system fails, then the vault inside can still protect the cash. If the criminals are able to get past the vault, well then it’s game over for the bank, but the point of that exercise was to see how multiple layers of defense make the job of the criminals that much more difficult and reduce their chances of success. The same multi-layer defensive strategy can be used to effectively address the risk created by cyber criminals.
How you can use this strategy today: Think about the customer data that you have been entrusted to protect. If a cyber criminal tried to gain unauthorized access to that data, what defensive measures are in place to stop them? A firewall? If that firewall failed, what is the next defensive measure in place to stop them, and so on? Document each of these layers and add or remove defensive layers as necessary. It is entirely up to you and your organization to decide how many layers of defense to use and which types. What I suggest is that you make that evaluation based on the criticality or sensitivity of the systems and data your organization is protecting, using the general rule that the more critical or sensitive the system or data, the more protective layers you should be using.
Least Privileges
The next security strategy that your organization can start adopting today is called the Least Privileges strategy. Whereas the Defense in Depth strategy started with the notion that every system will eventually fail, this one starts with the notion that every system can and will be compromised in some way. Using the Least Privileges strategy, the overall potential damage caused by a cyber criminal attack can be greatly limited.
Whenever a cyber criminal hacks into a computer account or a service running on a computer system, they gain the same rights as that account or service. That means if the compromised account or service has full rights on a system, such as the ability to access sensitive data or to create or delete user accounts, then the cyber criminal who hacked that account or service would also have full rights on the system. The Least Privileges strategy mitigates this risk by requiring that accounts and services be configured with only the system access rights they need to perform their business function, and nothing more. Should a cyber criminal compromise that account or service, their ability to wreak additional havoc on that system would be limited.
How you can use this strategy today: Most computer user accounts are configured to run as administrators with full rights on a computer system. This means that if a cyber criminal were to compromise the account, they would also have full rights on the computer system. The reality, however, is that most users do not need full rights on a system to perform their business functions. You can begin using the Least Privileges strategy today within your own organization by reducing the rights of each computer account to user level and only granting administrative privileges when needed. You will have to work with your IT department to get your user accounts configured properly, and you probably will not see the benefits of doing this until you experience a cyber attack, but when you do experience one you will be glad you used this strategy.
Attack Surface Reduction
The Defense in Depth strategy previously discussed is used to make the job of a cyber criminal as difficult as possible. The Least Privileges strategy is used to limit the damage that a cyber attacker could cause if they managed to hack into a system. With this last strategy, Attack Surface Reduction, the goal is to limit the total number of ways a cyber criminal could use to compromise a system.
At any given time, a computer system has a series of running services, installed applications and active user accounts. Each one of these services, applications and active user accounts represents a possible way for a cyber criminal to enter a system. With the Attack Surface Reduction strategy, only those services, applications and active accounts that a system requires to perform its business function are enabled and all others are disabled, thus limiting the total possible entry points a criminal can exploit. A great way to visualize the Attack Surface Reduction strategy is to imagine your own home and its windows and doors. Each one of these doors and windows represents a possible way that a real-world criminal could enter your home. To minimize this risk, any of these doors and windows that do not need to remain open are closed and locked.
How you can use this strategy today: Start by working with your IT team and, for each production system, begin enumerating what network ports, services and user accounts are enabled on that system. For each network port, service and user account identified, a business justification should be identified and documented. If no business justification is identified, then that network port, service or user account should be disabled.
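The enumerate-and-justify step described above, together with the account-rights review from the Least Privileges section, as an added example in Python (not code from the original article). It works over constructed sample data shaped like Linux `ss -tlnp`, `/etc/passwd` and `/etc/group` output; the port numbers, account names, administrative group names and the justification lists are all assumptions made up for this illustration, and on a real system the documented justifications would come from your own records.

```python
"""Inventory-and-justify audit: listening ports, interactive accounts and
administrative group members that have no documented business reason.
All input below is constructed sample data; none of it comes from a real host."""
import re

# Constructed sample shaped like `ss -tlnp` output (Linux).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1042,fd=6))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1300,fd=20))
LISTEN 0      50     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1411,fd=3))
"""

# Constructed /etc/passwd fragment.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
olduser:x:1002:1002:Left the company:/home/olduser:/bin/bash
svc-backup:x:1003:1003:Backup job:/var/backups:/bin/false
"""

# Constructed /etc/group fragment.
GROUP = """\
sudo:x:27:alice,bob,svc-backup
wheel:x:10:
users:x:100:alice,bob,olduser
"""

# The documented business justifications (constructed). Anything enabled on
# the system that is not listed here has no recorded reason to exist.
JUSTIFIED_PORTS = {
    22: "remote administration over SSH",
    443: "customer web application",
    3306: "database for the web application (localhost only)",
}
JUSTIFIED_ACCOUNTS = {"root", "alice", "bob", "svc-backup"}
JUSTIFIED_ADMINS = {"alice"}   # Least Privileges: who actually needs admin rights

NOLOGIN_SHELLS = ("/nologin", "/false")


def parse_listening_ports(ss_text):
    """Return {port: (bind_address, process)} from `ss -tlnp`-style text."""
    ports = {}
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)      # handles IPv6 "[::]:22" too
        match = re.search(r'\("([^"]+)"', line)    # process name inside users:((...))
        ports[int(port)] = (addr, match.group(1) if match else "unknown")
    return ports


def parse_interactive_accounts(passwd_text):
    """Return the set of accounts whose login shell allows interactive use."""
    names = set()
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and not parts[6].endswith(NOLOGIN_SHELLS):
            names.add(parts[0])
    return names


def parse_admin_members(group_text, admin_groups=("sudo", "wheel")):
    """Return the set of members of the administrative groups."""
    members = set()
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in admin_groups and parts[3]:
            members.update(parts[3].split(","))
    return members


def audit(ss_text=SS_OUTPUT, passwd_text=PASSWD, group_text=GROUP):
    """Report every port, account and admin membership lacking a justification."""
    ports = parse_listening_ports(ss_text)
    accounts = parse_interactive_accounts(passwd_text)
    admins = parse_admin_members(group_text)
    return {
        "ports_without_justification": {p: ports[p] for p in sorted(ports) if p not in JUSTIFIED_PORTS},
        "accounts_without_justification": sorted(accounts - JUSTIFIED_ACCOUNTS),
        "admins_without_justification": sorted(admins - JUSTIFIED_ADMINS),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

Each item the audit prints is a candidate to be disabled (the FTP listener and the departed user's account) or to have its rights reduced (the two extra members of the `sudo` group); the justification lists are the document the text asks you to keep, so the audit doubles as a check that the document is still current.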
I know, I said I was going to give you three security strategies to adopt, but if you have read this far you deserve praise. You are among the 3% of professionals and businesses who will actually spend the time and effort to protect their customers’ data, so I saved the best, most effective and easiest to implement security strategy just for you: use strong passphrases. Not passwords, passphrases.
There is a common saying that a chain is only as strong as its weakest link, and in cyber security that weakest link is often weak passwords. Users are often encouraged to protect their user accounts with strong passwords that are at least 8 characters in length and contain a mixture of upper- and lower-case characters, symbols and numbers. Strong passwords, however, can be difficult to remember, especially when not used often, so users often select weak, easily remembered and easily guessed passwords, such as “password”, the name of a local sports team or the name of their company. Here is a trick to creating “passwords” that are both strong and easy to remember: use passphrases. Whereas passwords are usually a single word containing a mixture of letters, numbers and symbols, like “f3/e5.1Bc42”, passphrases are sentences and phrases that have specific meaning to each individual user and are known only to that user. For instance, a passphrase may be something like “My dog likes to jump on me at 6 in the morning every morning!” or “Did you know that my favorite food since I was 13 is lasagna?”. These meet the complexity requirements for strong passwords and are difficult for cyber criminals to guess, but are very easy to remember.
How you can use this strategy today: Using passphrases to protect user accounts is one of the most effective security strategies your organization can use. What’s more, implementing this strategy can be done easily and rapidly, and entails simply educating your organization’s personnel about the use of passphrases in place of passwords. Other best practices you may wish to adopt include:
- Always use unique passphrases. For example, do not use the same passphrase that you use for Facebook as you do for your company or other accounts. This will help ensure that if one account gets compromised then it will not lead to other accounts getting compromised.
- Change your passphrases at least every 90 days.
- Add even more strength to your passphrases by replacing letters with numbers or symbols. For example, replace the letter “A” with the character “@” or the letter “O” with a zero “0”.
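As an added example (not from the original article), the following Python checks the article's sample password and passphrases against the stated complexity rule (at least 8 characters, with upper- and lower-case letters, numbers and symbols) and estimates the size of the guessing space each one implies. The 8-character floor is the one quoted in the text; the character-class sizes, the assumed 20,000-word vocabulary for the word-based estimate, and the decision to report the smaller of the two estimates are this example's own assumptions, chosen so that a passphrase made of ordinary words is not credited with more strength than a word-guessing attack would leave it.

```python
"""Complexity check and guess-space estimate for passwords versus passphrases.
The sample secrets are the ones quoted in the article; the estimator
parameters are assumptions made for this example."""
import math
import string

MIN_LENGTH = 8                 # the length floor quoted in the text
WORD_VOCABULARY = 20_000       # assumption: words an attacker would try per position
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33, "other": 128}

PASSWORD = "f3/e5.1Bc42"
PASSPHRASE_1 = "My dog likes to jump on me at 6 in the morning every morning!"
PASSPHRASE_2 = "Did you know that my favorite food since I was 13 is lasagna?"


def character_classes(secret):
    """Return the set of character classes present in `secret`."""
    classes = set()
    for ch in secret:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation or ch == " ":
            classes.add("symbol")      # space counts as a symbol for this policy
        else:
            classes.add("other")
    return classes


def meets_complexity(secret):
    """True when `secret` satisfies the policy stated in the article."""
    required = {"lower", "upper", "digit", "symbol"}
    return len(secret) >= MIN_LENGTH and required <= character_classes(secret)


def char_bits(secret):
    """log2 of the brute-force space if the attacker tries every character
    from the classes in use, for the known length."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(secret))
    return len(secret) * math.log2(alphabet)


def word_bits(secret):
    """log2 of the space if the attacker guesses whole words from a
    WORD_VOCABULARY-sized list, one per whitespace-separated token."""
    return len(secret.split()) * math.log2(WORD_VOCABULARY)


def estimate_bits(secret):
    """Conservative estimate: for multi-word secrets take the smaller of the
    character-level and word-level models; single tokens get the character model."""
    if len(secret.split()) > 1:
        return min(char_bits(secret), word_bits(secret))
    return char_bits(secret)


def report(secret):
    return {
        "length": len(secret),
        "meets_complexity": meets_complexity(secret),
        "estimated_bits": round(estimate_bits(secret), 1),
    }


if __name__ == "__main__":
    for label, secret in [("password", PASSWORD), ("passphrase 1", PASSPHRASE_1),
                          ("passphrase 2", PASSPHRASE_2), ("weak", "password")]:
        print(f"{label:13s} {report(secret)}")
```

Both passphrases pass the same policy as the 11-character password while implying a far larger guessing space even under the word-based model, which is the point the text makes: the phrase is easier to remember and harder to guess at the same time.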