By Daniel Aldam.
In today’s corporate climate, it is commonplace for an IT manager not to have high levels of professional IT experience. While the manager may be great at management, a lack of technical background makes it difficult to provide technical direction for staff, not to mention bridging the communication gap between purely technical staff and everyone else. In this article we will investigate what it is to be secure in IT, and what steps you should be taking in 2015 to ensure your business isn’t the next company to be attacked.
Until an argument can be framed, it can’t be effectively analysed. Among academics in IT, security as a concept is based on the ‘C.I.A. Triad’: Confidentiality (data is accessible to those that should have access, and nobody else), Integrity (the data should be verifiably accurate and in its intended form, free from modification by illegitimate sources and free from defects introduced by the operating system, software or hardware), and Availability (those that should have access should have it at the anticipated times – a stolen server could still remain confidential and maintain integrity, but it’s pretty useless sitting in the local pawn shop). In reality, most businesses consider availability to be more aligned with business continuity than with security, and within reason this is a completely valid view, which we will stick with in the context of this article.
As with all business decisions, financial considerations are paramount. The old way of thinking was that the amount a company spends on IT security should be significantly less than the potential losses if a security incident were to happen, based on the probability of an event occurring. We all need to recognise that there are new legal requirements since March 2014 to protect personal information, whereas protecting trade secrets remains only a business imperative. That’s right – all businesses (with a small number of exceptions) that have an annual turnover of more than $3 million per year are legally required to protect any personal information they hold. The penalties that could be applied are significant, so although we don’t need to be reckless with the budget, it is essentially an expectation in Australia that most businesses need to spend a portion of their income on IT security. This is now a cost of doing business, in the same way that it is expected someone suitably skilled will perform bookkeeping and accountancy services for the purpose of taxation.
So, we’ve established what it is to be secure, and that it is an expectation that your business will take reasonable actions to be secure; the next step is to assess risk. Is your business going to be targeted by attackers? The simple answer is an emphatic “yes”. Let me give a couple of quotes here to illustrate.
“There are two types of companies: those that have been hacked and those that don’t know they’ve been hacked.” 2013, Mark Russinovich, Technical Fellow in the Cloud and Enterprise Division at Microsoft.
“There are two types of companies: those that have been hacked and those that will be hacked.” 2012, FBI Director Robert Mueller
“Intruders are looking for information on Australia’s business dealings, its intellectual property, its scientific data and the government’s intentions.” 2014, Defence Signals Directorate (dsd.gov.au)
It’s pretty clear that some well-informed individuals and organisations believe the threat is real. And, just in case you really believe that your business has nothing of value, you need to realise that attackers view you as money. Your details are worth money on the black market. Your credit card and its CVV number are worth $2, your full name, date of birth and address are worth $3, bank account details – $5, health information – $10, a recent credit card number up to $45. A skilled attacker may be able to harvest tens of thousands of these details from one well-placed piece of malware. Imagine earning up to $450,000 for a few weeks’ work in software development. CryptoLocker, a recent piece of malware that encrypted people’s data and would only decrypt it for a fee, was conservatively estimated to have earned a minimum of $30,000,000 in just 100 days. Anyone with the propensity to act in defiance of laws is not going to stop hacking when the financial rewards are potentially so high. You are a target, you will be a target for the foreseeable future, and worse, there will be an increase in attacks for some time to come. After all, if you were making this kind of money, would you stop?
A final note on the concept of security before we deal with mitigation – Information Technology grows at an exponential rate, and security suffers as a result. Essentially, all IT hardware and software is shipped with security issues, and as such, there is no such thing as a secure system. Security is a journey, not a destination, and we all need to continually modify our environments and our thinking to try to stay ahead of the attackers.
Now for the really juicy part – at least 85% of targeted cyber intrusions can be defeated with these seven achievable steps. In most organisations, the infrastructure is already in place to make these changes, so there is no capital outlay. There are design and implementation costs. However, they shouldn’t be too burdensome for a well-maintained network.
Remove administrative/root rights for users. Administrative/root rights give a user the ability to perform any action on a given computer. A user with these rights can install software (including malware), see all data, change security policies, and anything else you can think of, and it isn’t restricted to their own user account – they have unrestricted access to everything on that computer. Many years ago, this was often a requirement for some legacy software. However, the IT landscape has changed significantly since then. Many companies haven’t updated their policies to reflect this: giving administrative rights to people certainly makes IT support easier, but at the cost of security.
If a user doesn’t have administrative/root access, then any malware they receive will be limited to their user account. It is a much smaller problem to deal with when one person in the entire organisation has a potential issue than when all users on all computers do, which is the usual alternative if administrative/root permissions are given to normal users.
Apply application whitelisting technologies. The default mode for all operating systems is to allow execution of any application, the only restriction being the permissions that the user requires to perform a selected operation (i.e. if administrative/root permissions are required, and the user does not have these rights, the application will fail).
Application whitelisting is the name given to the technical constraint of blocking access to all applications, with the single exception of applications residing on a whitelist that users are unable to control. There are various ways of implementing this strategy that should be discussed with your IT team, as there are pros and cons with each option.
Malware attempting to gain access to your systems will be unable to execute at all, unless it is on the whitelist – something your IT team will be trying hard to ensure doesn’t happen. This measure alone will significantly reduce your risk of malicious activities occurring.
The downside to this method is that it takes some time to pre-define the list of applications without impacting users. There are training modes that can be employed to assist with this, but you should expect this will take some time to analyse and deploy.
Patch Operating Systems for security updates within 2 days. We all know that patching your operating systems is a necessity for all computers connected to a network, or the internet. Research has indicated, however, that patches need to be applied to computers and servers within 2 days of release to prevent most attacks. If patches take longer than 2 days to apply, it is likely that attackers will have developed an automated exploit to find any vulnerable machines on the internet, so your chances of being attacked are statistically much higher.
Patch other application software within 2 days. The same principles apply to applications as to the operating systems. You should be regularly patching all software on all machines. Adobe Reader and Java should be your immediate concerns. However, you also need to be ensuring that any software on any computer in your organisation is up to date. Your IT team probably have the technical means to achieve this, so although it seems daunting, most of the applications across most of the computers could be placed on an automated schedule for only a few hours of work.
Enforce strong and sensible password policies throughout your organisation. An attacker doesn’t need to try to install malware on your systems if they can simply log on by guessing a username and password. For a password to be hard to guess, it should have some key characteristics.
- Be long – a minimum of 8 characters, but ideally 16 characters or longer
- Contain no personally identifiable information. i.e. don’t use spouse’s name etc.
- Not be a string that you would expect to get a result for if you did a Google search (but don’t actually do the Google search!)
- If a password is made of dictionary words, ensure they are correctly obfuscated, by adding punctuation, numbers etc. For example, “MaryHadALittleLamb” is actually an easy password to guess, as all of the words are known to anyone with a dictionary. However, “Mary_-_Had/-\a<<<LittleLamb…..” is much more difficult to guess and isn’t (much) harder to remember.
- Remember that users are people with too much going on in their lives! Making a complex password is great, but users won’t tolerate changing it every month, and will try to cheat if you ask it of them. At work, we find that a 16 character, complex password, changed every 180 days, seems a good compromise for everyone.
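As an added illustration (not code from the original article), here is a small Python policy checker that encodes the characteristics above: minimum and recommended length, no personal terms, and a dictionary-segmentation test that flags “MaryHadALittleLamb” but accepts the obfuscated version. The word list and the personal terms are constructed sample data; a real deployment would load a full dictionary and the user’s profile.

```python
import re

# Constructed sample word list; a real check would load a full dictionary
# (for example /usr/share/dict/words). These entries suffice to exercise the rules.
DICTIONARY = {"mary", "had", "a", "little", "lamb", "welcome", "summer",
              "password", "monday", "love", "star", "wars"}

MIN_LEN = 8     # hard minimum from the policy above
IDEAL_LEN = 16  # length the policy recommends aiming for


def all_dictionary_words(letters):
    """True if `letters` can be split entirely into dictionary words.
    Dynamic-programming segmentation: ok[i] is True when the first i letters
    form a sequence of known words. This mirrors what a wordlist attack can do
    with concatenated words, regardless of capitalisation.
    """
    n = len(letters)
    ok = [True] + [False] * n
    for i in range(1, n + 1):
        ok[i] = any(ok[j] and letters[j:i] in DICTIONARY for j in range(i))
    return ok[n]


def check_password(password, personal_terms=()):
    """Return a list of policy findings; an empty list means the password passes.
    personal_terms: PII the user must not embed (spouse's name, birth year, ...),
    supplied by the caller from the user's profile (constructed in the tests).
    """
    findings = []
    if len(password) < MIN_LEN:
        findings.append(f"too short: {len(password)} < {MIN_LEN}")
    elif len(password) < IDEAL_LEN:
        findings.append(f"below recommended length of {IDEAL_LEN}")

    lowered = password.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            findings.append(f"contains personal information: {term!r}")

    # Keep only letters; if what remains is nothing but dictionary words AND
    # there is little or no punctuation/digits mixed in, the password is a
    # phrase that anyone with a dictionary can guess.
    letters = re.sub(r"[^a-z]", "", lowered)
    obfuscation = len(re.findall(r"[^A-Za-z]", password))
    if letters and all_dictionary_words(letters) and obfuscation < 2:
        findings.append("dictionary words without obfuscation")
    return findings
```

Run `check_password("MaryHadALittleLamb")` to see the dictionary finding, and the obfuscated form (with ASCII dots) to see it pass.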
Train users to recognise potential attacks before they become security events. The users of a system are not in IT, and we can’t expect them to act as if they are. The best we can do is to train users about the dangers of clicking links in email (never do this – ever), of opening attachments from anyone (if that attached Word document wasn’t expected from Fred, verify Fred actually sent it before opening it), and of downloading files from the internet, which is generally unsafe and should be done with caution.
Keep up to date with security trends and events. Find a reliable, trustworthy source of current security trends, and monitor it on a daily or weekly basis. Keeping ahead of the curve will prevent many future incidents. If you don’t know where to start, visit the eyeT Systems Twitter feed (@eyeTSystems or https://twitter.com/eyeTSystems).
Oh, and one final note – don’t be fooled by the lure of cloud computing’s security. Cloud computing is an economic decision, not a technical one, and there are significant technical complications that arise from using a cloud, or hybrid cloud solution. Cloud isn’t inherently bad – it’s just not inherently good either – but that’s for another article!
Daniel Aldam currently works for eyeT Systems, a small IT firm based in the Clare Valley of South Australia. He has 13 years of professional IT experience, with a strong security focus. Past experience ranges from micro business through to consulting for multinationals, with a current emphasis on 5-200 computer businesses.