How to build a culture around security

It is much less expensive to prevent a data breach than to have to mitigate the damage afterward, but you have to understand human nature before you can successfully protect any company.

Any strategy you implement has to acknowledge and work with the people who are responsible for carrying out the program because their nature and actions will determine whether or not you succeed. You need their help to implement good security policies.

With that starting point in mind, your strategy should include the following key aspects:

  • A culture of security that includes everyone is the only way you can succeed in defending your organization against online threats.
  • To start creating the culture of security, everyone needs to understand they have a role to play in making sure their company does not fall victim. Emphasize the fact that security is part of everyone’s job. That includes administration, sales and executives.
  • Implement a training program that focuses on threat awareness. Employees are unlikely to prevent an attack if they don’t recognize what it is.
  • Create a secure development lifecycle. You can apply this principle to any internal process, not just software creation.
  • Segment information and only give relevant information to employees when they need to have it to do their jobs. Segmenting information helps prevent accidental or malicious disclosing of information.
  • Create a program to reward employees who perform well and do the right thing when it comes to security.
  • Create an open-door policy between all levels of the organization that empowers employees to point out flaws in the plan.
  • Make security fun. For example, you could add games to the training and implement an award system.

One important concept I would like to get across is that “security is porous.” Even if you implement the best industry-standard hardware and software to prevent a breach or malware, you won’t know whether your work is effective until you test your defenses. Your protections are only theoretical until that happens, but most companies don’t look for the holes until it is too late. To uncover the holes, start pushing and applying pressure against your security systems.

THREAT TYPES:

I would like to discuss the types of threats that are actively being used to attack organizations today. This list is by no means exhaustive, but it covers the most common types.

A Data Breach is the type of incident that you hear about in the news, especially if it involves a large number of consumer accounts. Most of these breaches could have been prevented by implementing basic security measures and testing those measures.

The biggest data breach to date by number of records stolen is Yahoo, but there are other well-known names on the list like Equifax, eBay, Target, TJX, JP Morgan Chase, and Uber. The key here is that once the bad guys have this information, identity theft is a real possibility. Also, with Yahoo, once an account is compromised, it can be used to attack other online services that were not even part of the breach. For instance, imagine you have an account at Bank of America and you use your Yahoo account as your primary email address. Once the attacker controls your email, they can request a password reset and, voilà, they now have access to your checking account.

Ransomware attacks are becoming more and more common today. The hackers research a target organization and weigh the risk and reward. Does the organization have a large budget for security? Are they likely to have cybersecurity insurance? Many municipalities, nonprofits and government organizations do not have a large budget and oftentimes rely on contractors to provide security services. They also usually have insurance, so if they are hit by ransomware, it becomes economically cheaper to pay the deductible and have the insurance company deal with the criminals. This creates an incentive for the bad guys, as they now have a “prospect base” to target and can be fairly confident that they will get paid.

One recent attack in particular, “GandCrab”, was set up as “ransomware as a service”, where the operators recruited partners who used their platform to collect ransom and the parent organization collected a commission. According to Trend Micro, the organization collected over $2 Billion and decided to “retire” after laundering that money. I guess ‘Crime does Pay’.

While the number of ransomware threats seems to be declining, 2019 has seen a marked jump in targeted attacks and in the amount of money collected by hackers. Again, this is because the bad guys are now researching their victims and specifically targeting them.

In a Crypto-Mining attack, the criminals install malware that does no direct damage but uses your spare computing power to mine cryptocurrency. With enough systems infected, they can generate large sums of money. According to a Forbes 2018 article, hackers with 2,000 bots at their disposal can generate $568 in Monero (another cryptocurrency) per day, or $204,400 per year. As the number of infections increases, so does the amount of money that can be made.

Most of the time, individual organizations do not have to worry about Denial of Service (DoS) unless they host their own service. Today, the majority of software is housed in the Cloud, and the responsibility to guard against a DoS attack falls upon the Cloud provider. Typically, these types of attacks happen when a hacker wants to bring a website or service down, either for notoriety or as a vendetta. It is very difficult for an individual business to protect against this, as even the major Cloud providers sometimes struggle.

MOTIVATIONS:

Why do hackers do it? This is where “Human Nature” comes into play. The first reason is that it does pay, and because of the “dark web” it is very difficult to track down the perpetrators. So, they know that they will not likely get caught. Some hackers just like the thrill of it, whether wielding a large botnet or attacking an organization they do not like. Nation states are also involved in hacking. An example of this is the breach of the “US Office of Personnel Management”, where it is believed that Chinese hackers were responsible.

COMMON ATTACK VECTORS:

The most common attack vectors are:

  • Phishing Emails, where an employee falls for a scam, clicks on a link, and either installs malware or divulges sensitive information.
  • Drive-by attacks, which occur when a user accidentally visits a malicious site or the advertisement being displayed in the browser contains malware.
  • Vulnerabilities, which can be exploited if critical systems are not patched or not properly secured. Your critical systems should be tested.
  • Vishing, which is similar to Phishing, except the sensitive information is given out over the phone.
  • CEO Fraud, which can occur through email, text or over the phone, where the CEO is impersonated to get someone to perform an action.

There are many ways in which these attacks can occur. You could have someone impersonating a new employee to gain physical access, or simply leaving a USB key labeled “Payroll Figures” on the ground. All the attacker has to do is wait for a curious employee to insert it into their system, and the bad guy is in.

All of these attack vectors rely on some form of Social Engineering. The bad guys are taking note of Human Nature and exploiting it to their advantage. In order to be effective, we have to do the same thing.

NEXT STEPS:

Some basic steps that you can take to protect your company are:

  1. Make sure your systems are on a patch schedule, so that security fixes are installed as soon as possible (within days).
  2. Make a local backup of all of your critical systems, but then use the Cloud to move those backups offsite. Also, perform periodic test restores from your backups to make sure they work in the event of a disaster. You should come up with a plan and test it.
  3. Implement industry-standard firewalls and security policies. Test your firewalls and make sure they are fully patched as well.
  4. Make sure that your Security Cameras, Voice Over IP Phones, or any Internet of Things devices are separate from your internal networks.
  5. Make sure your passwords are longer than 12 characters and are not reused. The best way to accomplish this is to use a Password Manager like LastPass. Also, do not force a password change more than twice a year, if at all. Passwords should only be changed if there is a need.
  6. Most important is to focus on Education and Training of your staff.

There are many Security Training companies out there. My company, National Software Systems, partners with a company called KnowBe4, which provides Security Awareness Training as a service in the Cloud. We can assist you by testing your users initially to see how many fall for the attack, training all your users, scheduling regular weekly Phishing Tests, and evaluating the results. You will be surprised at how many users initially fall for the attack, but over time, as they are trained, they will become better stewards of information security. As the old saying goes, “Your weakest link is the link between the chair and the keyboard”.


John Bouley is President of 2MB corp. dba National Software Systems. NSS helps organizations of all kinds stay safe online as well as provide guidance on all things related to technology. John can be reached at 603-626-1115 or via email to jabouley@nationalsoftwaresystems.com