While some of the cyber attacks making news lately are the result of sophisticated methods, many are not: they often take advantage of a lack of basic security protections. The 2013 Verizon Data Breach report notes that of the intrusions analyzed, 78% of the initial intrusions were rated as low difficulty. Let’s take a look at seven “sins” that organizations and users are committing that are leaving them vulnerable.
Mis-configured systems and unpatched systems/apps
Many devices and system technologies are configured to default settings “out-of-the-box,” which are often geared toward ease of use and deployment rather than security. This results in vulnerabilities that are easy targets for hackers to exploit. Similarly, if systems and applications aren’t being patched on a regular basis, they are vulnerable. Proper security-focused configuration controls and patching are critical, and should be a key layer in any organization’s defense-in-depth strategy.
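The practical form of a "security-focused configuration control" is a repeatable comparison of what a system actually runs against a written baseline. The following is an added example, not code from the author or from the Center for Internet Security: it scores an sshd_config-style file against a small, assumed baseline (the BASELINE and IMPLICIT_DEFAULTS tables are illustrative, not a published benchmark) and, importantly, also scores directives that are absent, because an untouched default file still has an effective setting for each of them. The sample config is constructed.

```python
"""Baseline check for an sshd_config-style file.

Added example for this article, not code from the author or from the
Center for Internet Security. BASELINE and IMPLICIT_DEFAULTS are
illustrative assumptions, not a published benchmark, and SAMPLE_CONFIG is
a constructed input.
"""

# Assumed hardening baseline: directive (lower-cased) -> acceptable values.
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"1", "2", "3", "4"},
}

# Assumed value sshd applies when a directive is absent. Scoring these too is
# the point: an "out-of-the-box" file with no line at all still has a setting.
IMPLICIT_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}


def parse_config(text):
    """Return {directive: value}, keeping the first occurrence of each
    directive (how sshd resolves duplicates). Comment and blank lines are
    skipped, so a commented-out hardening line does not count as applied."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Key value" and "Key=value"; normalise both.
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        settings.setdefault(key, value)
    return settings


def check_config(text):
    """Return (directive, effective_value, source) findings for every baseline
    directive whose effective value is not acceptable. source is "explicit"
    when the file sets it and "default" when the directive is absent."""
    settings = parse_config(text)
    findings = []
    for directive, allowed in BASELINE.items():
        if directive in settings:
            value, source = settings[directive], "explicit"
        else:
            value, source = IMPLICIT_DEFAULTS[directive], "default"
        if value not in allowed:
            findings.append((directive, value, source))
    return findings


# Constructed sample: a lightly edited stock file. Note the commented-out
# PasswordAuthentication line, which leaves the permissive default in force.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 10
#PasswordAuthentication no
"""

if __name__ == "__main__":
    for directive, value, source in check_config(SAMPLE_CONFIG):
        print(f"{directive}: {value} ({source}) is outside the baseline")
```

Run against the sample, the check reports four findings, one of which ("passwordauthentication" = "yes", source "default") comes from a line that is present in the file but commented out; that is the class of misconfiguration a manual read-through most often misses.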
Weak passwords
It’s hard to believe, but people are still using passwords such as “123456” or “password.” In addition to using weak passwords, another bad behavior being committed is password recycling – using the same password for multiple online accounts. Once the hacker gets the password, he can get access to all those other accounts too. Organizations must have policies and procedures that implement strong passwords and force a password change at regular intervals. Using a utility to store passwords may also help. Look for programs that use powerful encryption algorithms, keylogger and phishing protection, and lock-out features.
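Strong-password policies and periodic change only work when the account system enforces them at the moment a password is set. The following is an added example, not the author's code: it rejects short passwords and entries from a common-password list, compares the candidate against the user's previous salted hashes so that a "changed" password cannot simply cycle back to an old one, and flags passwords that have passed their rotation age. MIN_LENGTH, HISTORY_DEPTH, MAX_AGE_DAYS and the tiny COMMON_PASSWORDS set are assumed policy values and a constructed sample; a real deployment would load a full breached-password list.

```python
"""Password policy checks for an account system.

Added example for this article, not the author's code. MIN_LENGTH,
HISTORY_DEPTH, MAX_AGE_DAYS and the COMMON_PASSWORDS sample are assumed
policy values; a real deployment would load a full breached-password list.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 12            # assumed minimum length
HISTORY_DEPTH = 5          # previous hashes a new password is compared against
MAX_AGE_DAYS = 90          # assumed rotation interval
PBKDF2_ITERATIONS = 100_000

# Constructed, deliberately tiny stand-in for a common/breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1", "password1"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only the hash is
    stored, which is what lets old passwords be checked for reuse without
    keeping them in clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def evaluate_password(candidate, history):
    """Return the list of policy violations for a proposed new password.
    `history` is a list of (salt, digest) pairs, oldest first; an empty
    result means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if matches(candidate, salt, digest):
            problems.append("reused from history")
            break
    return problems


def needs_rotation(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the policy allows."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed history of two earlier passwords for one account.
    history = [hash_password(p) for p in ("Winter2012!Long", "Spring2013!Long")]
    for attempt in ("password", "Spring2013!Long", "correct horse battery staple"):
        print(f"{attempt!r}: {evaluate_password(attempt, history) or 'accepted'}")
    print("rotation due:", needs_rotation(date(2013, 1, 1), date(2013, 6, 1)))
```

The history check is the piece most often left out: without it, a forced change every 90 days teaches users to alternate between two passwords, which gives none of the benefit the rotation policy was meant to provide.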
Untrained employees
Many attackers target users directly to gain access to an organization. Phishing attacks are still one of the most common methods – hackers keep using this technique because it works! All users need training, minimally on an annual basis, to recognize and defend against the latest threats, including phishing and other social engineering scams. Of course, there is still no guarantee that a user won’t fall prey to a scam. In that case, ensuring that the organization’s systems and devices are as protected as possible (properly configured and patched) helps minimize the vulnerabilities that an attacker could exploit.
Cloud Confusion
Organizations are moving more of their IT infrastructure into the cloud, but many do not really know what security protections are in place—nearly two-thirds of companies surveyed said they didn’t know how the cloud service provider was protecting sensitive data. It’s important to ask the questions: What measures are in place to protect data? Who has access to the physical machine hosting your data? Where is that machine located? It’s also important to understand that placement of data in the cloud does not eliminate an organization's need to meet legal and regulatory requirements such as PCI or HIPAA.
Mobile Device Mayhem
The perimeter has dissolved, and security protections are dependent on each user with a mobile device, as every new smartphone, tablet or other mobile device provides another opportunity for a potential cyber attack. More than 44% of organizations surveyed recently allow BYOD and another 18% plan to by the end of 2013. This increases the cyber security risks—such as unauthorized access and malware infections—for an organization, particularly if it does not have control over the employee's personal mobile device. Organizations need to develop and enforce strong policies regarding use, and implement controls to protect the devices and data, including installing and maintaining security software and enabling passwords and device timeouts.
Social Media Mania
The recent hack into the Twitter account at the Associated Press, which caused an immediate impact on the stock market, once again highlights the power—and vulnerability—of social media. The sheer volume of users and the information that gets posted on social media sites create plenty of opportunity for an attacker to use social engineering to gain access to individual accounts and organizations. The sites are also key vectors for malware. Organizations must have strong policies regarding who and what gets posted on official organization sites, and also ensure the proper security controls are in place to protect the infrastructure.
Incomplete Inventory and Access Controls
How can you protect what you don't know you have? Many organizations are still not adequately inventorying their assets, conducting risk assessments to prioritize the criticality of those assets, or implementing proper access controls. Ensure that data is classified with appropriate security controls. Know what data you maintain, who has access to it, when they have access, where they have access to it and how they can access it.
About the Author: Rick Comeau is Executive Director, Security Benchmarks division at the Center for Internet Security.