It’s a scary cyber world out there. Threats are becoming more sophisticated, effective, and pervasive everyday. According to a Government Accountability Office report, cyber threats to federal agencies increased 782 percent between 2006 and 2012. What’s more, a Center for Strategic and International Studies study estimated the global cost of cybercrime at over $400 billion annually.
With so much at stake, cybersecurity is becoming a primary concern for organizations in all sectors. However, simple mistakes continue to be made. Users take unnecessary risks and common security pitfalls are overlooked, putting networks and sensitive data at risk. To help people avoid these potentially disastrous snares, Sophos, a developer and vendor of computer security software and hardware, put together a webinar, “The 7 Deadly IT Sins: Know them. Fear them. Fix them,” led by Chris McCormack, Senior Product Manager at Sophos.
We’re not talking about greed or wrath, here. Instead, McCormack described how we can become “patron saints of IT security” by addressing the “sins” of mobile negligence, Mac malice, unsecure Wi-Fi, unencrypted email, faulty firewalls, unencrypted files, and delinquent web filtering.
1. Mobile Negligence
With the explosion of mobile devices, there is an increasingly blurred line between personal and business-related data. This creates more and more entry points for a phone to be hacked. Additionally, McCormack noted that Android malware is up 1800 percent in the past year. Plus, mobile malware in general is becoming more sophisticated and resilient. This can lead to data theft, financial consequences, and lost productivity.
What to do:
Your agency needs to manage and secure your mobile devices. It is important to have a mobile device management solution that can enforce passwords, wipe devices that are lost, control unwanted/unknown applications, detect jail-broken devices, and block malware. It’s also critical to have mobile network protection with next-generation firewalls, mobile network access control, and protection against advanced persistent threats (APTs).
2. Mac Malice
The idea that Macs are completely secure at all times is no longer a safe assumption, said McCormack. With the increasing popularity of Mac devices, they are now a key target for hackers. Macs sometime lack endpoint protection and can be exploited by malware, such as ransomware, that is signed with a seemingly legitimate working Apple Developer ID. Macs can host and spread Windows malware, as well.
What to do:
To steer clear from these issues, keep unsigned apps off your Mac devices, only allowing properly signed apps to be installed. Also, ensure Macs have business-grade endpoint protection and keep these protections up-to-date. Today, you need to provide your Macs with the same security policies that you provide to Windows systems, McCormack advised.
3. Unsecure Wi-Fi
Unsecure Wi-Fi puts your network and data at risk. For example, “Project Warbike” surveyed 107,000 networks in London and found that 27 percent had poor or no security. Unsecure Wi-Fi can allow passive attacks – snooping and theft of email contents – as well as active attacks – where a hacker joins the network, can set up man-in-the-middle attacks to snoop traffic and redirect users, steal data, and launch denial-of-service (DoS) attacks.
What to do:
To make sure Wi-Fi is secure, McCormack advised agencies to use business-grade Wi-Fi routers, enforce standard network security policies (i.e. Ethernet same as Wi-Fi), scan all network traffic, block access for insecure mobile devices (jail-broken or unidentified), provide connection profiles for your users (no “spoof” Wi-Fi connection), and keep guest network separate. Put simply, McCormack referenced Forrester’s Five S’s when looking at Wi-Fi security: scalable, shared, simplified, standardized, and secure.
4. Unencrypted Email
With over 140 billion emails sent daily, unencrypted email is a ticking time bomb, said McCormack. Snooping mail or “packet sniffing” – the process of capturing any data passed over a local network and looking for valuable information among it – is actually quite easy to do. In addition, if an email is accidentally sent to the wrong recipient, there’s not much that can be done if it’s not encrypted.
What to do:
Email encryption should be simple, elegant, effective, affordable, and usable. Implement a policy that integrates data loss prevention (DLP), encryption, and anti-spam, is easy to deploy, and detects sensitive data automatically. Also, make sure users can easily adapt to it – “Any solution that isn’t easy, isn’t really a solution,” McCormack said.
5. Faulty Firewall
Bandwidth demands, APTs, and social media have changed the threat environment drastically, rending many firewalls faulty. Inadequate firewalls can lead to poor performance, management complexity, missing functionality, and limited network visibility.
What to do:
Your agency needs a next-generation firewall that offers multi-layered protection. This includes (but is not limited to) prevention and detection of malware, the blocking of communication between command & control server and infected machines, and selective sandboxing, where suspicious samples are analyzed before they cannot infect the rest of the network. When selecting a firewall, McCormack said agencies should look to usability, performance, advanced protection capabilities, and vendor security expertise.
6. Unencrypted Files
Surprisingly, one in ten of organizations’ laptops will be stolen, said McCormack. Leaving files unencrypted is simply lazy, McCormack said frankly, and could result in leaks of sensitive data if devices are lost. This isn’t always a direct theft, however. For example, Coca-Cola sent company laptops to be destroyed without first wiping the drives or making sure they were encrypted. The laptops were hacked and sensitive data involving 74,000 employees was compromised.
What to do:
This should not be an issue, said McCormack, as full-disk encryption is available on all laptops (BitLocker for Windows, FileVault for Mac). Servers and emails should be encrypted, and file encryption across cloud and mobile devices should be utilized. No matter where files are stored, they should be secure.
7. Delinquent Web Filtering
Many people may think malicious links are only on adult, gambling, or other shady websites. However, 80 percent of malware is on legitimate sites, McCormack informed. In addition, there are 40,000 new web threats everyday and millions of dollars are stolen or extorted through harvesting of banking credentials, ransomware, or other means.
What to do:
With hackers constantly changing tactics across different threat vectors, agencies need to be diligent. To address this, agencies need spam filtering, real-time URL reputation filtering (i.e. knowing which sites are infected), web malware scanning, HTTPS scanning (i.e. inspecting even encrypted traffic), advanced threat detection, real-time cloud updates, business-grade anti-virus with host-based intrusion prevention system (HIPS), and must guarantee this protection wherever users go (i.e. multiple locations/devices).
Cyberthreats present serious risks for all organizations, regardless of sector or size. Even when everything is done right, a breach is still possible. So, don’t make it easier for hackers by committing any of these IT sins.
Matt, thanks for the good read chock full of interesting information. I recently wrote two featured blogs about cybersecurity as the #1 priority for the public and private sector in 2015 (below). I would appreciate any comments you or others may have, as well as sharing these posts to increase engagement on the issue. Many thanks!
Cybersecurity is #1 Business Priority for 2015 (01/02/15)
https://www.linkedin.com/pulse/5-resolutions-employers-profit-new-year-david-b-grinberg-1?trk=mp-reader-card
5 Public Sector Priorities for the New Year: #1 Strengthen Cybersecurity
https://www.govloop.com/community/blog/5-public-sector-priorities-new-year-1-strengthen-cybersecurity/