If you look at the trend of reported data breaches, in 2004 there was one major reported breach by AOL. By 2008 this increased to 21, including companies such as Starbucks, AT&T, Stanford University and T-Mobile. Fast forward to 2020, and I can't be bothered to count them.
Clearly there is a big problem here. I am pretty sure most people will agree that this is disconcerting. These breaches usually meant that some of your confidential information has been stolen by malicious parties without your consent. This may be as benign as an email address, or it could be your social security (insurance) number. It can be as minimally disruptive as getting slightly more spam email than usual, or as bad as getting threatened to be exposed and then committing suicide.
Who are the targets?
So who is at risk? You might assume only large corporates are targets, and to some degree you are correct. Larger, or more public companies tend to be the focus of specific, targeted attacks more often than smaller, lesser known companies. This is no different from life in general - the more visible somebody is, the more attractive target they will be. The problem for smaller companies is the fact that they are often targeted by automated systems constantly scanning for vulnerable targets, also known as targets of opportunity.
These scanners can be computer systems trying to find potential targets on behalf of malicious people, or script kiddies looking for someone to exploit, or attackers looking to make money by finding weaknesses in companies' networks in order to hold them ransom. Regardless of the reason or origin of these attacks, they all have in common the fact that they do not discriminate between targets. It is similar to a burglar walking in a parking lot trying to open the door of every car until he finds one that is unlocked, then stealing it. The first one with a vulnerability will get exploited. Unfortunately with online attacks, there is no limit on the amount of targets a single person can attack at once. This makes the scale of the problem much larger than in the physical world. Clearly I am generalizing.
Since large corporates usually have dedicated IT security response teams in place coupled with policies and procedures to deal with attacks and breaches, I am mostly targeting this article at smaller companies without the luxury of such specialist teams. This would cover most companies though, since the ratio of small to medium to large companies is approximately 423 : 9 : 1.
Why is this happening?
So why are these breaches so frequently successful? Is it:
- Poor network management practises & negligence
- Poor quality software being used
It turns out it is a combination of the above reasons. Smaller companies typically do not have the same IT budgets than larger corporates. Their spending on IT usually is more focused on functionality rather than preventative measures. This makes common sense. Will you buy a UPS if you only have money to buy either a UPS or a computer? Clearly not - you will buy the computer and hope that the power will not fail often enough to become an issue. You'd rather deal with losing one or two documents you were working on due to power interruptions than not being able to do any work at all due to budget constraints. So budget is one aspect.
Ignorance is another. Many companies believe it will not happen to them. That you need to be large and visible to be targeted for attack. They do not understand that attacks are mostly indiscriminate. Therefore they take no preventative measures and put in no effort to understand the problem in the first place.
Negligence is usually coupled with budget constraints and ignorance. It is therefore not really a fundamental cause on its own. Poor network management practises is a result of negligence and ignorance.
Poor quality software is unfortunately a large part of the cause. You can apply all the best network management policies, be informed and spend lots of money on a problem but if the software has weaknesses and there are no better alternatives you are at the mercy of chance. There is however something you can do to mitigate this risk significantly.
What should you do?
In order to mitigate the risk of being hacked, there are several things you can do as organization. Take note I said "mitigate", I did not say eliminate. It is not possible with today's technology to eliminate risk, and the sooner you accept that the easier the rest of the process will be.
- Be Informed
The first thing you should do, is to make sure you understand the problem. You need to know that attacks are real, they happen each and every day relentlessly. They are never ending and because of this, statistically speaking the attackers' chances of success only grows with time. Unless you stay active in your engagement with this tug of war, being both proactive and reactive, you will lose. You cannot implement measures and leave them to their own devices like you would with a lock on a door. Securing your company's IT assets is much more similar to raising a child than it is securing your house from burglars.
You need to understand what is at stake should attackers gain access to your systems. Are you an online retailer? What would happen to your business if the attackers get access to all the customer information you have collected over the years? Credit card numbers? Addresses? Are you just a merchant with no online presence other than email? What will happen if attackers gain access to your email account and read all your emails? Send email from your account to other people? Your reputation could be at stake.
- Be Prepared
Once you understand the risks, you need to determine which risks are most important to mitigate for your specific business, and come up with a strategy that will help protect you. This strategy will be a living document, constantly being updated as new threats emerge and targets change. An outdated strategy is as good as no strategy.
The strategy should be all encompassing, covering online services you control, online services you outsource, local services, internal systems and anything electronic that relates to your business. Clearly there are physical security measures you need to take as well, but those are outside the scope of this article. You need to understand that disgruntled employees may be as big a threat as an anonymous attacker. You need to protect yourself from your own employees just like you would from your customers and strangers. Customers must not have rights to change other customers' orders. Employees do not need rights to change your firewall settings. The list goes on.
- Implement Your Strategy
Once you have your strategy in place, you will need to enforce it. That means implementing firewalls, segregating network traffic into separate VLANs, implementing access control lists, auditing all hardware and software in use, determining all internet facing services and locking them down, implementing auditing etc. This is the hard part as one single misconfigured checkbox in an application can allow attackers through. One unpatched application is all it takes. Typically you need an IT specialist to assist in implementing your strategy as this is the technical part.
- Monitor Your Network
Just implementing a strategy and moving on would be equivalent to installing a swimming pool and never taking care of it. After a couple of months you will not be able to use it as it will become toxic.
It is imperative that part of your strategy is to have monitoring in place so that you can assess the status of the various network components. You need to know if attacks are succeeding or actively being blocked. Is the e-commerce system still in the same state when you installed it, or did attackers modify the code and installed a backdoor? Is the domain name servers associated with your company.com domain name still pointing to the correct name servers you originally configured it with or has the bad guys changed it to point to their own servers?
- Response & Remediation
So you are monitoring your network and discovered a breach, someone installed a backdoor and now what? As important as monitoring is, equally important is your response to various scenarios. You need to have a plan of action already prepped way back in step 2 - "Be Prepared". This is not the time for panicking - you need to be calm and methodical in your response. You need to investigate the cause of the breach, how to plug the hole and how to get rid of any lingering remnants of the attack. You need to let your customers know about the breach according to the laws in your country after determining the extent of the breach and what was affected. Strategies need to be amended and enforced to ensure repeat occurrences are mitigated. If this is ransomware that encrypted all your company's data, now is not the time to be testing those old backups for the first time. You need to be assured that your backups have been working consistently and will restore properly.
Specific Example (Highly simplified)
It is crucial that you consider your own unique needs. There is no one-size-fits-all solution when it comes to network security. This is only an example approach for a hypothetical company that will put them in a better position from a data breach / network security perspective than just doing nothing about it.
It does not require tons of cash, however it will require some effort - for the initial configuration as well as the ongoing processes.
Scenario: Small company with online e-commerce store selling clothing, cloud based email from Office 365, intranet at office with Microsoft Remote Desktop and a domain controller, five workstations, mobile phones and tablets.
Step 1: Analyze risks
- The e-commerce site stores sensitive customer such as address information, names, telephone numbers and credit card information. Canadian government PIPEDA act mandates certain measures that need to be implemented to protect this information.
- Your email contains sensitive business related information that is proprietary in nature and if stolen, would give your competitors an edge and/or damage your business. It contains details about new designs in development, marketing strategies, etc.
- Since many of the employees work remotely, you have been asked to allow remote access to the Remote Desktop server from outside the organization. Your company's management travel a lot for business so you were instructed that it be accessible from anywhere in the world. Once on Remote Desktop, staff have full access to the company network and documents.
- Workstations are currently joined to the domain, some of then are Windows 7 and some Windows 10, and due to incorrect/missing Group Policies only some are being patched automatically.
- Staff use their mobile phones and tablets to connect to Office 365 for email and the remote desktop server.
Step 2: Prepare & Implement Strategy
- You decide it is imperative to implement all measures possible to secure the e-commerce system against attacks and data breaches.
- Email must be secured - nobody except authorized personnel should have access to an employee's email account. All devices that can store email locally must be fully encrypted to protect email at rest if the device is stolen / lost. Certain sensitive information must never be emailed - such as HR information (SIN numbers, payroll, credit card numbers etc.) A separate secure process must be implemented to share this information, namely secure HTTPS access to a portal in Office 365's SharePoint service.
- Remote access to the RDS server bypasses all firewall rules, so you decide to implement RD Gateway and Windows security groups to limit access to Remote Desktop only to specific users. Furthermore, you decide against VPN as this will interfere with the requirement from management that RDS be accessible from any computer in the world due to travel reasons, even though you strongly advised management this is an unwise decision (sometimes you will have to accept that business needs may outweigh security concerns). However, with RDS behind RD Gateway, and after implementing strong a Password Group Policy, you feel adamant that your risk window has been greatly reduced.
- Workstations need to be upgraded to Windows 10, and a Windows Update Group Policy must be implemented to force all workstations to properly apply system patches automatically. Servers are being patched monthly to reduce unexpected business interruptions, unless a critical security patch is released in which case it will be applied within 24 hours. You furthermore include several non system applications in the list of software to keep updated, such as Acrobat Reader, web browsers, Java etc. These are common vectors of attack.
- Mobile phones and tablets must have a PIN to protect them and/or biometric authentication to prevent a lost or stolen device to leak email or other sensitive data. An auto lockout after a short duration of inactivity must also be enforced.
- You review your backup strategy and ensure offsite backups are being implemented and monitored regularly. Monthly test restores are scheduled to ensure the backup set is readable.
- On the e-commerce system you decide to implement an Intrusion Prevention System (IPS) together with a stateful firewall that will monitor and block certain attacks. It will take a lot of fine tuning and adjustments to configure it such that it blocks most attacks yet allow legitimate traffic. You furthermore install a file audit system to take a snapshot of all files and their content, and compare it automatically each day with the new state of the system to detect any unwanted file changes. This will allow you to detect unwanted files / malware and help identify signs of a breach. These systems will report to an off site server so that any attack cannot compromise these logs. Alerts will be configure to email certain staff in the event that an anomaly is discovered, such as a sudden increase in traffic, change in traffic pattern, altered system file etc.
- The same IPS system will be deployed on the intranet together with the corporate firewall to analyze and block attacks aimed at the corporate network. IT staff will be assigned time slots to periodically review the graphs / logs / statistics to pick up on any anomalous behaviour. If detected, detailed escalation steps are documented and distributed to the relevant team members to deal with the incident.
- The exact details of how to respond to a breach gets detailed in a document accessible to all relevant parties. You schedule annual test drills to ensure your team can respond properly to a real data breach.
- The company IT policy document is updated to guide staff how to avoid common social engineering tricks, when not to open email attachments, allowed applications that may be used on the network, policy surrounding BYOD (Bring Your Own Device) etc. Staff hires / fires need to be detailed to ensure staff no longer employed are locked out of the various network systems, and new staff gets assigned appropriate permissions.
- Quarterly reviews are scheduled to ensure the IT policy is being followed and the appropriate corrective actions are taken and any amendments to the IT policy is made.
- Monthly reviews of firewall rules, antivirus status, SSL certificate validity, DNS configuration etc. is implemented to ensure nothing is compromised without your knowledge.
- An audit system is implemented to log login times, file accesses, account modifications, Remote Desktop accesses, firewall rule changes, software added / removed, hardware added / removed, etc. This audit system must be reviewed regularly.
- The e-commerce system is changed to not collect credit card details but instead make use of a third party credit card processor such as PayPal. This reduces the liability somewhat since your system is never storing credit card information.
- All software systems are reviewed and audited to ensure:
- They are fully patched
- They are set to production mode (if applicable)
- Debug logs / features are disabled
- All default accounts / passwords have been removed / changed
- Unwanted modules / features have been disabled
- Permissions have been set correctly
- You implement a password Group Policy requiring non expiring passwords, at least 12 characters long and complexity turned on. All other non-domain connected systems are reviewed to ensure strong passwords are being used and no default accounts are present. You decide to make use of a password manager such as 1Password to allow for the sharing of certain credentials and secure storage of other sensitive credentials.
- All WiFi networks are reviewed to ensure no weak passwords are present, that WiFi traffic is isolated from the main LAN and that there is a separate guest network for your office guests. You also ensure that WPA2/Radius is enabled.
- All staff working on devices not connected to the office network is instructed how to configure OneDrive and how to use that as main storage location for all company documents that are work in progress. This will allow for some versioning and off site backup of important data that is not backed up otherwise.
- Anti-virus is installed on all endpoints to mitigate risk of malware infections
- Quarterly IT awareness training is scheduled for all staff to ensure staff stay abreast of the latest security pitfalls and risks and how to identify and avoid becoming a victim.
These steps are highly simplified and not fool proof, but it certainly is a step in the right direction towards doing your part to protect your clients and your staff's privacy, as well as your corporate intellectual property.