When Benjamin Franklin wrote in 1789 “…in this world nothing can be said to be certain, except death and taxes…” the first computer was still 157 years from being built. So, he can be forgiven for not including ‘getting hacked’ in his famous list of the inevitable. Statistics reported in CBS Money Watch indicating that 80 percent of businesses were hacked in the past 12 months offer a sobering reminder of the significant risks that accompany the substantial rewards technology makes available in a world Franklin probably would not recognize.
For every major news story about security breaches at large companies and government agencies, there are countless unreported smaller scale attacks that can be just as devastating. What is an organization, or any individual for that matter, to do about these threats? TDK Technologies Chief Technology Officer Mark Henman and .Net Team Lead Nick Zabenco offer some solid advice on developing a security mindset to deal with inevitable attacks on technology.
What is the best overall approach regarding IT security?
Mark Henman: Make sure you don’t trust anything. People want a silver bullet for security. And there isn’t one. You need to have a security mindset.
Nick Zabenco: There is a certain level of security that everyone needs. If you are not doing at least a moderate amount of securing systems and work stations, you are inviting disaster. You probably deserve to be hacked.
Henman: The basic security measures include an active firewall, virus protection, intrusion prevention and detection for servers, keeping software patched with the latest updates (weekly if not daily on newer operating systems and at least monthly on older versions) and making sure open ports are locked down.
Zabenco: Open ports are a surefire backdoor into a system. A port scan on a network will find ports that are open. You need to figure out what are the most likely attacks against you. Any time you have data that is sensitive in any way, it should be encrypted. However, every so often another tier of encryption gets broken. When that happens, you need to raise your encryption level. Data that can be decrypted by a single function is also a bad thing. Look at the data and determine the appropriate encryption level for it.
Henman: You can’t stop people from attacking you. So, you need a good perimeter and a good early warning system that indicates when someone might have gotten through. And at some point, someone will get through. Work on both fronts. How good are the defenses? How good is the spy network to let you know when someone has gotten in? And if they did get in: How did they get in, how can I get them back out, and what might they have done while they were there?
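The advice above about keeping open ports locked down is easiest to act on when it becomes a routine check rather than an opinion. The following script is an added example, not code from the interview or from TDK Technologies: it parses a constructed excerpt in the format of Linux `ss -tlnp` output, ignores services bound only to loopback, and reports any listener reachable from the network that is not on a hypothetical allowlist of expected port/process pairs.

```python
"""Audit a host's listening sockets against an allowlist.

Added example (not from the interview). The input below is a constructed
excerpt in the format of `ss -tlnp` on Linux; the allowlist is hypothetical.
"""
import re
from dataclasses import dataclass

# Constructed sample output: sshd on v4 and v6, redis on loopback only,
# mysqld exposed, and a VNC server nobody asked for.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1203,fd=6))
LISTEN 0      4096   0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1440,fd=21))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      100    0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=2210,fd=5))
"""

# Hypothetical allowlist: port -> process name expected to own it.
ALLOWED_LISTENERS = {22: "sshd", 3306: "mysqld"}

LOOPBACK_PREFIXES = ("127.", "[::1]")

# One `ss` LISTEN line: local address:port, then the owning process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        # A socket bound to loopback is reachable only from this host.
        return not self.address.startswith(LOOPBACK_PREFIXES)


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` text into Listener records; header and odd lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return listeners


def audit(listeners: list[Listener], allowed: dict[int, str]) -> list[tuple[int, str, str]]:
    """Return (port, process, reason) for every exposed listener that is not allowed."""
    findings = []
    for l in listeners:
        if not l.exposed:
            continue
        expected = allowed.get(l.port)
        if expected is None:
            findings.append((l.port, l.process, "unexpected exposed port"))
        elif expected != l.process:
            findings.append((l.port, l.process, f"owned by {l.process}, expected {expected}"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED_LISTENERS):
        print(f"port {port} ({proc}): {reason}")
```

Run against real hosts by feeding it the output of `ss -tlnp` and the allowlist from your configuration management; the loopback exemption is deliberate, because a database that only listens on 127.0.0.1 is a different risk from one reachable from the network.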
What is Social Engineering (or Social Hacking) and why is it such a serious threat?
Zabenco: Most attacks are opened by social hacking, where people manipulate others to gain access. A lot of basic pieces of information can be gathered through social hacks, which can open the door to security problems or fraud. It might be a guy who goes into a building, dressed as a delivery person, gets past the front guards, walks around, finds an open network port, plugs a little wireless receiver in and leaves. Now he’s given himself a clear access point to the network.
Henman: Social hacking is probably the most prominent technique that attackers use to get the information they need to launch a full-scale attack. And there’s no technological way to guard against it other than to train your people. If someone calls and asks questions, especially a call from an outside extension, automatically question what’s going on. The efforts often take place at a busy time of day (early in the morning, at lunch, or at the end of the day) when people have their guard down.
Zabenco: Educating your people is key. Help them to question things. A social hack can work if someone has just enough information about another person to make it seem legitimate, but they are looking for even more information to get access to systems.
Henman: The scariest attacks are not the ones with 10 million requests a minute hammering away, trying to get in. The scariest are where they get in through social engineering and then go dormant. They are very quiet; you don’t know they are there or what they are doing. But they are typically very slowly siphoning off information or putting pieces in place for a broader attack. Often someone gets in and starts small attacks here and there for months, probing for larger opportunities. Then suddenly they’ll do a large-scale coordinated attack. And when they need all the other stuff, what they put in place goes into action, opening the doors from the inside.
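The delivery-person scenario above ends with an unknown device sitting quietly on the network, which is exactly the kind of thing the "early warning system" Henman describes should notice. The following script is an added example, not from the interview or from TDK Technologies: it parses a constructed excerpt in the format of Linux `ip neigh show` output and compares every MAC address it sees against a hypothetical asset inventory, flagging devices that are not in the inventory at all and known devices that have turned up at an address they should not have.

```python
"""Flag network neighbors that are not in the asset inventory.

Added example (not from the interview). The input is a constructed excerpt in
the format of `ip neigh show` on Linux; the inventory is hypothetical.
"""
import re

# Constructed sample: router and laptop where expected, the print server at the
# wrong address, one MAC nobody has registered, and one unresolved entry.
SAMPLE_NEIGH_OUTPUT = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.16 dev eth0 lladdr 00:11:22:33:44:15 STALE
10.0.0.23 dev eth0 lladdr 00:11:22:33:44:23 REACHABLE
10.0.0.77 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
10.0.0.99 dev eth0  FAILED
"""

# Hypothetical inventory: MAC -> (asset name, fixed IP, or None for DHCP clients)
INVENTORY = {
    "00:11:22:33:44:01": ("core-router", "10.0.0.1"),
    "00:11:22:33:44:15": ("print-server", "10.0.0.15"),
    "00:11:22:33:44:23": ("laptop-nz", None),
}

# Only entries that actually resolved to a link-layer address are interesting.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)


def parse_neighbors(output: str) -> list[tuple[str, str, str, str]]:
    """Return (ip, mac, interface, state) for each resolved neighbor line."""
    entries = []
    for line in output.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["dev"], m["state"]))
    return entries


def find_rogue_devices(entries, inventory) -> list[tuple[str, str, str]]:
    """Return (mac, ip, reason) for unknown devices and misplaced known ones."""
    findings = []
    for ip, mac, _dev, _state in entries:
        asset = inventory.get(mac)
        if asset is None:
            findings.append((mac, ip, "unknown device"))
            continue
        name, fixed_ip = asset
        if fixed_ip is not None and fixed_ip != ip:
            findings.append((mac, ip, f"{name} expected at {fixed_ip}"))
    return findings


if __name__ == "__main__":
    for mac, ip, reason in find_rogue_devices(parse_neighbors(SAMPLE_NEIGH_OUTPUT), INVENTORY):
        print(f"{mac} at {ip}: {reason}")
```

A check like this only works if the inventory is kept honest, so the real value is in running it on a schedule and treating every "unknown device" as a ticket to be closed, either by registering the asset or by finding out who plugged it in.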
How many companies would pass a rigorous security test?
Zabenco: If the test is for both coded penetration and social hacks, about five percent would pass the whole ball of wax. And those are generally small offices with closed, locked down networks. The more people you get, the more vulnerable you are.
Henman: You will never prevent every way someone will try to attack you. There are companies that will certify you as being secure. But that certification is only good the moment it is written. It’s not effectively valid an hour later. If I’m working with a company that says they’ve never had a data breach, I don’t trust them. They don’t know whether they are truly vulnerable or not, and they won’t know how to respond when it happens. And while they’ve tried to take some industry standard steps to protect themselves, they’ve never dealt with the aftermath of a breach. And that’s where you learn the most about how someone got in.
How then should companies assess their vulnerabilities?
Henman: Know your data. One thing to understand is that data can be stolen or modified. Companies should be willing to spend some time looking at their systems with a different set of eyes. You can hire companies to do penetration testing from a network level. The better companies will also do social engineering penetration testing. This can reveal what is most damaging: data loss or data modification (someone injecting data into the system that isn’t real). You can learn what someone can do if they get access to the data. That’s where you start to understand where you are vulnerable.
Zabenco: Another thing to keep in mind is that hackers are lazy. They want the biggest bang for their buck. It used to be said that you don’t need anti-virus protection on a Mac because you can’t hack a Mac. Well, it’s not that you can’t hack a Mac. It’s that the percentage of Macs in the computing workspace versus Windows machines is drastically different. If they write a virus that will affect Windows machines, it will hit a lot more than the limited number of Macs.
Henman: If you can’t afford to have an ethical company come in and penetration test your company, talk to people inside your industry or outside the company. Ask them if someone got hold of your data, what would they do? You need to know if the data is valuable. And if it is, maybe certain pieces of data coupled with other data creates a gold mine. So, put extra barriers between those sets of data. Part of security is a façade game. It’s making sure that when they try to attack, what they see and what they feel from cyberspace looks and feels very secure. And that it stays looking that way.
What are some effective deterrents to minimize security threats?
Henman: You must look at security from the very beginning. Security can’t be something you add on at the end, which is what most people do. They don’t think it’s something they can afford or they put in the minimum that they need. To be secure, you must think about it soup to nuts. It’s a cultural thing. It’s a technology thing. You must look at physical security, electronic security and at educating the staff. Regardless of how much security you put in place, what do you do when you do get attacked? That’s where a lot of companies get bitten. They don’t have a good contingency plan. They don’t know what to do when they get hacked. Or they don’t know it when it happens.
How much should an effective security program cost?
Henman: The worst thing about security is that it costs money. You are either buying someone else’s security or you are investing a lot of man-hours in managing it. There are companies that have gone out of business because they’ve spent so much on security that it cost more than the money they were making on the product they were protecting. It always comes down to the costs. But a hacker is doing the same thing you are. You are figuring out how much it costs to protect your data. They are trying to figure out the cost of trying to get in, versus the value they can take when they do get in.
There are no 12-step programs for security. It is a constant, ongoing pursuit.