The vast majority of people value convenience over security. Properly securing a business’ online presence and network infrastructure takes constant effort. With all the good intentions in the world, if security gets in the way of productivity and efficiency, best practices will fall by the wayside.
The best way to maintain a secure business is to educate employees about the risks and train them in simple procedures they can implement in their day-to-day activities to mitigate those risks. It’s not a watertight system, but maintaining a level of awareness about potential vulnerabilities and the possible repercussions helps to keep people on their toes.
In this article I want to take a quick look at four strategies and vulnerabilities that hackers and criminals use to infiltrate private business networks.
Phishing is a frequent cause of security breaches in businesses. It’s one of the most effective social engineering tools in the hacker’s kit. Simply put, phishing is the process of representing oneself as a trusted entity to extract information.
The prototypical example involves banking. A criminal will send an email to a bank customer that appears to be from the bank. It will contain a link that seems to lead to the bank’s website, but in fact leads to a site the hacker has created to fool unsuspecting victims. When the victim attempts to log in to that site, the hacker harvests the credentials and gains access to the victim’s account.
Variations on this strategy can be used to trick victims into visiting a site that contains malware. Once a computer is infected, the hacker may be able to access the sensitive information it contains.
The best way to avoid being the victim of a phishing attack is to help people understand the risks of clicking links in unverified emails. Employees should be made aware that if they receive such an email, they should navigate directly to the relevant site by entering the address in their browser or by searching for it on Google, to make sure they end up on the genuine site.
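The deception described above (link text that names the bank while the href points somewhere else) is something a mail gateway or awareness tool can check mechanically. The following is an added example, not code from the article: it parses an HTML email body, pulls out every anchor, and flags links whose destination is not one of the organisation's own domains, whose visible URL text disagrees with the real destination, or which use plain http. The email body and the trusted-domain set are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email of the kind the article describes. The first
# link shows the bank's address but leads to a lookalike host; the second is genuine.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account at
<a href="http://examplebank.com.login-verify.example.net/signin">https://www.examplebank.com/login</a>
or read our <a href="https://www.examplebank.com/help">help pages</a>.</p>
"""

# Assumption: the domains the organisation actually owns.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude: keep the last two labels. Good enough for .com-style names;
    # a real deployment would use a public-suffix list (assumption).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted(host, trusted):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyse_links(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per link, with the reasons it looks suspicious (if any)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        target_host = target.hostname or ""
        reasons = []
        if not is_trusted(target_host, trusted):
            reasons.append("destination host not trusted")
        # Visible text that looks like a URL must point where it claims to.
        if text.startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text)
            if registrable_domain(shown.hostname or "") != registrable_domain(target_host):
                reasons.append("link text domain differs from destination")
        if target.scheme == "http":
            reasons.append("plain http")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL_HTML):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f["href"], f["reasons"])
```

The "link text differs from destination" rule is the one that catches the classic bank phish; the trusted-domain rule is stricter and is appropriate for internal mail that should only ever link to company systems.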
When conducting a phishing attack, hackers will often target staff that may not have direct access to highly sensitive information, instead choosing to target secretaries and other “low risk” employees. Once the secretary’s machine is compromised, the hacker has access to infrastructure within the company’s firewall they can leverage to attack high-value targets. They hop from one island of access to the next, patiently gathering information and working until they reach their target — island hopping is also known as pivoting.
The lesson to be learned is that all employees should undergo security training, not just those with direct access to sensitive information.
Poor Password Management
People are terrible at managing passwords securely. They will choose easy passwords that can be cracked very quickly. They will use the same passwords for their work accounts that they use on a forum with lax security. Hackers are skilled at figuring out insecure passwords.
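One practical control against the habits described here is to screen a password at the moment it is set: reject short ones, ones built from common words or the username, and ones already known from public breaches. The block below is an added example, not from the article. It imitates the range lookup used by breach-checking services (only the first five characters of the SHA-1 hash are used to select candidates, so the password itself is never sent or stored in the clear); the breach corpus and the common-word list are tiny constructed stand-ins.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (assumption), kept as SHA-1
# hex digests the way breach range files are, so no plaintext list sits on disk.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["password", "123456", "letmein", "qwerty", "Summer2014!"]
}

# Constructed list of words that should never appear inside a password.
COMMON_WORDS = {"password", "welcome", "admin", "company"}


def sha1_prefix_range(prefix):
    """Suffixes of every breached hash sharing this 5-character prefix.

    Mirrors a k-anonymity range lookup: only the prefix leaves the client,
    and the client does the final match locally.
    """
    prefix = prefix.upper()
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in sha1_prefix_range(digest[:5])


def check_password(password, username=""):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2014!", "passwordpassword1", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate, username="bob") or "ok")
```

Screening like this removes the worst choices; it does not solve reuse across sites, which is why the same training should push employees towards a password manager that generates a distinct password per account.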
Microsoft Windows XP is coming to the end of its lifecycle. Soon, Microsoft will stop patching it to fix vulnerabilities. I’d put good money on vulnerabilities being discovered in the future, which means that businesses choosing to stick with XP are going to be vulnerable to attack.
The same principle applies to all software. Vulnerabilities will be discovered and they will be fixed, but to benefit from the fixes, businesses must ensure that they update. Having out-of-date software on Internet-accessible machines creates an open invitation to hackers, who scan hundreds of thousands of machines each day looking for those running outdated software.
The solution is obvious. Update!
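"Update!" is easier to act on when you can see which Internet-facing hosts are behind. As an added example (not from the article), the following audits a small asset inventory against two constructed baselines: a minimum acceptable version per product, and a table of products whose support has ended, such as Windows XP, whose extended support ended on the vendor's published date of 8 April 2014. The inventory and the minimum versions are assumptions made up for the example; a real run would read them from an asset database.

```python
import re
from datetime import date

# Constructed inventory of Internet-facing hosts (assumption: fed from an asset list).
INVENTORY = [
    {"host": "web-01", "product": "nginx",   "version": "1.4.7"},
    {"host": "web-02", "product": "nginx",   "version": "1.6.2"},
    {"host": "ws-17",  "product": "Windows", "version": "XP"},
    {"host": "mail-1", "product": "OpenSSL", "version": "1.0.1g"},
]

# Constructed baseline: the oldest version still acceptable for each product.
MIN_VERSION = {"nginx": "1.6.0", "OpenSSL": "1.0.1g"}

# Products that receive no more security fixes after the given date.
END_OF_SUPPORT = {("Windows", "XP"): date(2014, 4, 8)}


def version_key(version):
    """Turn '1.0.1g' into a tuple that compares numerically rather than as text.

    Numeric parts become (1, n) and letter suffixes (0, 'g'), so mixed parts
    never raise a TypeError when two versions differ in shape.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in parts)


def audit(inventory, today, min_version=MIN_VERSION, end_of_support=END_OF_SUPPORT):
    """Return (host, reason) pairs for every host that needs attention."""
    findings = []
    for item in inventory:
        key = (item["product"], item["version"])
        if key in end_of_support and end_of_support[key] <= today:
            findings.append((item["host"], "end of support since %s" % end_of_support[key]))
            continue  # nothing to upgrade to; the product must be replaced
        floor = min_version.get(item["product"])
        if floor and version_key(item["version"]) < version_key(floor):
            findings.append((item["host"], "below minimum version %s" % floor))
    return findings


if __name__ == "__main__":
    for host, reason in audit(INVENTORY, date.today()):
        print(host, "->", reason)
```

The two checks deliberately differ: a version below the floor is fixed by patching, while an end-of-support product needs a migration plan, and the report should say which is which.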
There are, of course, many other potential sources of vulnerability, but security is about reducing risk, not eradicating it, which would be immensely expensive and harmful to productivity. Concentrating on these sources of vulnerability isn’t enough to remove the risk, but it will help lower it.
Image: Flickr/Alexandre Dulaunoy