6 scarily simple security slip-ups businesses still make
October 31st, 2016
Happy Halloween, reader! Forget about ghouls and ghosts though because today we’re talking about something seriously scary. Working in the managed IT support and consultancy sector, we always hear about the latest breaches, newest methods of attack and many other security horror stories.
But even with scammers devising dozens of devious new attacks every day, zombie computers answering the call of the botnet and stealthy malware lurking in the dark recesses of the network, by far the scariest thing we see when auditing businesses is that so many are still ignoring old and well-known risks. It’s the stuff of IT nightmares!
What follows are the six most fearsomely frightening security stumbles we still see businesses make…
1. No centralised (pumpkin) patch management
With cyber-attacks a constant threat, maintaining system security is critical and requires constant vigilance. However, despite the threat of attack, many businesses still decide not to apply some of the latest security updates. One reason is that they decide they cannot afford the risk of disruption to services that patching can sometimes cause. This is a false economy: leaving your business open to known vulnerabilities could end up costing you far more than the potential patch disruption.
Once a vulnerability has been disclosed, it’s only a matter of time before attackers use that information to devise exploits. Heartbleed, a vulnerability in OpenSSL, is one such example: attacks against vulnerable systems allowed the disclosure of a small amount of data held in the system’s memory, which was potentially enough to retrieve usernames, passwords or other sensitive data.
A good patch management schedule should keep operating systems, services, firmware and applications patched and up-to-date. The patches should be applied regularly, on an agreed schedule and soon after any newly identified critical vulnerabilities are disclosed.
2. No multi-factor authentication
Passwords alone aren’t particularly secure. Weak passwords are like a cheap lock: easy to break and a useless defence against criminals. Despite consistent advice telling them otherwise, many people continue to use classic passwords like 123456, qwerty and password. To combat this, many IT teams implement password policies, but these can sometimes exacerbate the problem.
Typical advice is that passwords should be a minimum of 7 characters and contain uppercase, lowercase and numeric characters. However, that requirement, as enforced by the standard Microsoft complexity settings, is easy to satisfy with a weak password. For example, many users would pick Password1. As attackers become better at cracking passwords, what was once considered critical for password security is becoming less important.
It’s important to strike the right balance when setting rules that determine how frequently users must change their passwords. Forcing users to create highly complex passwords and change them frequently is often a recipe for disaster. Users will simply choose simpler and simpler passwords so they can remember them, or they will end up making small variations to the same password, such as changing one character or one number. It’s also common to find passwords written down if the requirements are too complex.
Lock Out Rules
When it comes to preventing brute-force attacks, rules that lock the account after a certain number of failed log-in attempts are the most effective. When establishing these rules, consider the sensitivity of the account, how likely authorised users are to enter the wrong password, and how much of a hassle it is to fix the situation when users get locked out.
The ideal option is some form of two-factor authentication, e.g. a password and a key fob. Sure, someone may find out a password, but it’s unlikely they will also have the authentication fob. On the other hand, if someone were to find the fob, it’s unlikely they could access your systems, because they wouldn’t know where you worked or your password.
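The three things the post says to weigh for a lockout rule (how many failures, over what period, and how long the lock lasts) map directly onto three policy parameters. The following is an added example, not code from the original post or any vendor’s product, that replays a constructed sequence of log-in attempts through such a policy so you can see how a threshold of 5 failures in a 15-minute window behaves for an attacker hammering one account versus a legitimate user who mistypes twice. The account names and timestamps are made up.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 5            # failed attempts before the account locks
    window_seconds: int = 900     # only failures within this window count
    lockout_seconds: int = 900    # how long the account stays locked


@dataclass
class LockoutTracker:
    """Per-account failure counters and lock expiry, driven by the policy."""
    policy: LockoutPolicy
    failures: dict = field(default_factory=lambda: defaultdict(list))
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account: str, now: float) -> bool:
        """Record a wrong password. Returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        recent = [t for t in self.failures[account]
                  if now - t < self.policy.window_seconds]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.policy.threshold:
            self.locked_until[account] = now + self.policy.lockout_seconds
            self.failures[account] = []      # counter restarts after the lock expires
            return True
        return False

    def record_success(self, account: str, now: float) -> bool:
        """Record a correct password. Returns False if the lock still denies access."""
        if self.is_locked(account, now):
            return False
        self.failures[account] = []          # a good login clears the counter
        return True


def replay(attempts: list, policy: LockoutPolicy) -> list:
    """attempts: list of (timestamp_seconds, account, password_was_correct),
    in time order. Returns one outcome string per attempt."""
    tracker = LockoutTracker(policy)
    outcomes = []
    for now, account, correct in attempts:
        if correct:
            outcomes.append("allowed" if tracker.record_success(account, now) else "denied-locked")
        else:
            outcomes.append("locked" if tracker.record_failure(account, now) else "failed")
    return outcomes


# Constructed attempt log: 'alice' is targeted by a rapid guessing run,
# 'bob' mistypes twice and then gets it right.
SAMPLE_ATTEMPTS = [
    (0, "alice", False), (0, "bob", False), (1, "alice", False), (2, "alice", False),
    (3, "alice", False), (4, "alice", False), (5, "bob", False), (9, "bob", True),
    (10, "alice", True),      # right password, but the account is still locked
    (1000, "alice", True),    # lock expired at t=904, so this succeeds
    (2000, "bob", False),     # bob's counter was cleared by his successful login
]


if __name__ == "__main__":
    for attempt, outcome in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS, LockoutPolicy())):
        print(attempt, "->", outcome)
```

Note that the correct password at t=10 is still denied: that is the “hassle” side of the trade-off the post mentions, and it is why the observation window and lockout duration deserve as much thought as the threshold. A short window keeps an occasional typo from ever locking a genuine user, while the threshold is what caps a guessing run.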
3. Not testing backup and restores
While it’s great that companies are investing in backing up their data, it’s no good if, when disaster strikes, the backups won’t restore. All too often, testing is the missing step when it comes to backing up data. This problem has only become more acute as backups have become more complex. You must test simple backups much more frequently than Disaster Recovery plans – at least once a quarter. You will also need to test whenever there is a major hardware or software change to your backup system.
Your tests should be as realistic as possible, duplicating the conditions you will face when you actually need to restore. If possible, test on the hardware you will restore to, especially if that is a different machine from the one that created the backup. Many businesses are also backing up to the cloud with no real plan for how they will restore operations should they lose a key system.
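A restore test is only meaningful if it checks the restored data against what was backed up, rather than just confirming that the restore job finished. The following added example (not code from the original post or from any backup product) runs a miniature version of that drill: it creates constructed sample files, archives them, restores the archive into a separate directory, and compares SHA-256 manifests of the two trees. The `simulate_failure` switch truncates a restored file to show what a failed test report looks like.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def make_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return sha256_manifest(source)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into `target` (a different directory, as a real
    restore to different hardware would be)."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):       # Python 3.12+: refuse unsafe paths
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(expected: dict, restored_root: Path) -> list:
    """Compare the restored tree with the backup-time manifest.
    Returns a list of discrepancies; an empty list means the restore is good."""
    actual = sha256_manifest(restored_root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def run_restore_test(simulate_failure: bool = False) -> list:
    """End-to-end drill on constructed data: back up, restore elsewhere, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "fileserver"                      # constructed sample data
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("2016-10,1234.56\n")
        (source / "readme.txt").write_text("constructed sample data\n")

        archive = tmp / "backup.tar.gz"
        expected = make_backup(source, archive)

        restored = tmp / "replacement-server"
        restore_backup(archive, restored)
        if simulate_failure:
            # Stand-in for a partial or corrupted restore.
            (restored / "finance" / "ledger.csv").write_text("")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("bad restore problems:  ", run_restore_test(simulate_failure=True))
```

In practice the manifest would be produced by the backup job and stored separately from the archive, so that the quarterly restore test has an independent record to compare against; otherwise a backup that silently captured already-corrupted data will verify as “good”.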
4. Running critical services on ADSL
Outages at the big providers are still a frequent occurrence, and you only have to look to last month to see the painful impact of a major one. Faulty domain name servers resulted in a widespread outage for Sky Broadband and BT customers starting at 07:00 and lasting for 9 and a half hours – wiping out the day for affected homes.
However, home users weren’t the only ones affected. Many businesses were hit by the outage as well – but this really shouldn’t have been the case.
Asymmetric Digital Subscriber Line (ADSL) services aren’t a suitable solution for businesses. They are rarely backed by a service level agreement (SLA), which strips you of any ability to claim compensation if their downtime damages your business, and when they do go down they are typically down for extended periods.
But despite all this, we still see businesses using them worryingly often. If you’re running a business of any meaningful size, you need leased lines at a minimum. These give you a reliable connection, are backed by SLAs and, if you invest in redundancy, can provide connectivity even during a disaster.
5. Not encrypting devices
Imagine having to explain to a client or your board that their sensitive information has been stolen or released to a third party. Terrifying? Well, it’s a real possibility for the businesses we still see failing to apply encryption across all devices.
A scary stat for both business leaders and customers alike is that encryption is used in only 4% of breaches. For customers, this means their private information is being released to criminals in an easy-to-read format. And for businesses, this means they will be facing higher fines due to their negligence.
Full encryption capabilities on all devices have been a necessity for years now and with the enormous quantity of data being shared and stored, the opportunity for a leak has never been greater. It’s now easy for information to fall into the wrong hands and, as far as the law’s concerned, that’s a data breach.
Any device which stores corporate data needs to be encrypted. If a CEO loses a phone on a business trip, that’s a data breach. If a laptop is stolen, that’s a data breach. If a USB stick is lost outside the company premises, that’s a data breach. But if, in any of these cases, the information on the device is encrypted, the risk drops to almost zero.
There’s a large range of IT systems that can help automate and control much of this problem without much complexity so there’s no reason businesses shouldn’t be doing something this simple.
6. Ghost accounts and shadow IT
We’ve seen these two threats in many businesses before and they’re both as scary as they sound.
Ghost accounts are the accounts of ex-employees who are still active on the network. They often crop up when an employee leaves and their account isn’t disabled as it should be.
As many as 50% of companies say ex-employees still have access to corporate accounts. For a disgruntled employee seeking revenge, this is an easy route to deal damage to your business. But what’s scarier is an unknown attacker leveraging the unmonitored account’s access rights to gain a presence deep within your network.
The simplest route to preventing ghost accounts is a clear policy and process for an employee’s departure which includes disabling their accounts. But technologies like Identity and Access Management can also help limit the root of the problem: by only granting accounts the exact permissions they need, any account compromise – ghost or alive – has a much more limited impact.
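The leaver process is the control; a periodic check that it actually happened is what catches the cases it missed. Here is an added example (not code from the original post or from any directory product) that reconciles a constructed directory export against a constructed HR leavers list and also flags enabled accounts that nobody has logged into for a configurable number of days. The CSV layout, the 90-day threshold and every name in it are assumptions for illustration; in a real environment the export would come from your directory service and the leavers list from HR.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed directory export (not real accounts).
ACCOUNTS_CSV = """username,enabled,last_logon,manager
alice,true,2016-10-28,carol
bob,true,2016-03-02,carol
dave,true,2016-10-30,erin
frank,false,2015-12-01,erin
grace,true,2016-10-25,carol
heidi,true,2016-05-01,erin
"""

# Constructed HR leavers list: people who have left the company.
LEAVERS = {"bob", "frank"}


def parse_accounts(text: str) -> list:
    """Parse the export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": datetime.strptime(row["last_logon"].strip(), "%Y-%m-%d"),
            "manager": row["manager"].strip(),
        })
    return rows


def find_ghost_accounts(accounts: list, leavers: set, now: datetime,
                        stale_days: int = 90) -> dict:
    """Return {username: reason} for every enabled account that needs review:
    either its owner is on the leavers list (the leaver process was missed) or
    nobody has used it within stale_days (an unmonitored account, whoever owns it).
    Disabled accounts are skipped: they are already dealt with."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        name = acct["username"]
        if name in leavers:
            findings[name] = "leaver still enabled"
        elif now - acct["last_logon"] > timedelta(days=stale_days):
            findings[name] = f"no logon for >{stale_days} days"
    return findings


def review_report(findings: dict, accounts: list) -> list:
    """Turn findings into one line per account, addressed to the line manager
    who has to confirm the disable."""
    managers = {a["username"]: a["manager"] for a in accounts}
    return [f"{user}: {reason} (confirm with {managers[user]})"
            for user, reason in sorted(findings.items())]


if __name__ == "__main__":
    accounts = parse_accounts(ACCOUNTS_CSV)
    findings = find_ghost_accounts(accounts, LEAVERS, now=datetime(2016, 10, 31))
    for line in review_report(findings, accounts):
        print(line)
```

Two points worth noting: frank is not reported even though he has left, because his account was disabled correctly, and heidi is reported even though HR has no record of her leaving, because an account nobody uses is exactly the unmonitored foothold the post describes. Running this on a schedule and routing the report to line managers turns the policy into something that gets checked.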
Shadow IT is another basic risk we regularly see going uncontrolled. Shadow IT is hardware and software running on the corporate network that is used by employees but unknown to the IT team. It opens up innumerable risks for a business and, unless you’ve taken proactive steps against it, it’s likely already on your network.
Controlling your shadow IT requires more than just tech since the problem has its roots in culture too. We have details on controlling your shadow IT in this blog. Fixing the problem can be a long road but ignoring it is simply not an option your business can afford.