As 2014 draws to a close, we will not make any predictions for 2015. We’ll leave that to astrologers and TimeLords (and we don’t believe in either!). What we can do, however, is learn from the past. As an industry, we haven’t been good at educating others outside our industry of the key things they should be doing, yet the same basic security measures ,either poorly implemented or missing completely, pop up time and again. So here is our take on the 12 days of Christmas: The 12 days of Cyber Christmas: 12 essential security measures organisations should be taking, both large and small.
On the 12th day of Christmas,
Cyber Security sent to me:
12 remotes removing
11 policies persuading
10 defaults denying
9 apps a patching
8 coders coding
7 keys safeguarding
6 risks a weighing
5 unsolicited pings
4 complex words
3 Varied Pens
2 console dumps
And No View access to SNMP
On the 12st day of Christmas, Cyber Security sent to me: 12 remotes removing
It’s truly shocking how many accounts have remote access to resources which don’t require it. Think at about this from both a technical and “need to know” business case perspective. On the technical side, do you really need Remote Desktop (in Windows) via RDP. If you conclude you really do, make sure to remove the local admins account from RDP and have specific user accounts with strong passphrases (see the 4th Day of Christmas). In the United States Senate Report on the 2013 Target breach, published earlier this year, on of their key findings was that Target had given remote access to a third party vendor which did not appear to be following information security practices.
11 policies persuading
As we reported in September, organisations large and small need to work in security policies, user training and quarterly security KPIs, monitored by their HR teams. If you are looking for two areas to start then physical security and social media usage should be two good ones to start with in early 2015. It’s simply too easy to get into some organisations on the physical side; whilst we’ve seen numberous politicians and would-be politicians forced to resign following faux-pas on social media in recent months.
10 defaults denying
The constant revelations from Edward Snowden in 2014 remind us all of the dangers of giving too much access to data to one individual in the organisation. According to the Verizon 2014 Data Breach investigations report, 88% of security incidents were caused by insider misuse, either accidental or malicious. Review your access permissions to data too, and ensure you have appropriate technical controls in place to both grant access to data to only appropriate personel, and ways of auditing and tracking access to data. I’ve really been impressed with Vormetric’s Data Security Platform which specifically addresses this issue, using file level encryption and key manangement.
9 apps a patching
According to Secunia’s Vulnerability Review 2014, “the more widespread a program is, and the higher the unpatched share, the more lucrative it is for a hacker to target this program, as it will allow the hacker to compromise a lot of victims”. This is reflected in their research, where Microsoft IE (99% of market share) had 270 known vulnerabilities (at their time of publication); whereas Apple Safari (11% market share) had 75 known vulnerabilities. They also discovered 33% of users running IE were using unpatched browsers; and 14% of those users running Apple’s Safari browser was unpatched. Ensure you are patching all your applications – in-house and third-party regularly for 2015!
8 Coders coding
If you are developing any applications in-house applications, be sure to encourage secure coding best practices. A wealth of information is available on this subject, the Microsoft Security Development Lifecycle which is a good starting point.
7 Keys Safeguarded
In the eBay breach announced on 21st May 2014, hackers stole personal information of 145 million active users of eBay, after they compromised the database containing encrypted passwords. This suggests that their wasn’t proper key management in place to safeguard the data. Remember never to give user access to keys that isn’t required. Encryption of data, both in-house and cloud, along with key management is handled very efficiently with Vormetric’s Data Security Platform.
6 Risks a weighing
In any SME to large organisation, your organisation should be regularly reviewing the risk. In order to determine where your resources are spent mitigating the risk, you need to look at the costs of the assets you are protecting, the costs of the risks of a breach, the legislation you must be compliant with and decide where best to spend your resources. A good starting point for risk management framework is ISO 31000.
5 Unsolicited Pings
When was the last time you did a network/ asset discovery exercise on the network? If you deal with credit cards data you have a requirement to do a quarterly network vulnerability scan. Can you account for all the devices discovered on your network?
4 Complex Words
If there’s one message we need to get over to end-users in eCommerce in 2015, it’s the avoidance of using default, vendor-supplied passwords, and weak passwords. As the ICO warned us this November, with a Russian website providing live footage from thousands of webcams across the UK, we should never use vendor-supplied passwords on our devices. Make sure all your devices on the network are strong passphrases, comprising of not just word, but phrases, containing numbers and special characters. An example would be: MerryChr1stmas2You! Remember also to use different phrases per device/ logon account.
3 Varied Pens
It’s good security practice to change your penetration tester regularly: the black art of ethical hacking is partly creative and intuitive: what one pen tester finds, another may not necessarily. People do have their favourite methods and utilities, and overtime, if you keep re-using the same penetration testers, you may find you get the same results. Change your penetration testers regularly so that no stone is unturned looking for vulnerabilities. In addition, as well as having a human element, mid-tier to large organisations should also invest in some automated threat analysis. This year we’ve been very impressed with the offering from Alien Vault, with their large OTX database and threat analysis.
2 Console Dumps
One of the key findings in the 2014 Senate Report on the 2013 Target breach, affecting 110m credit card numbers; was their failing to respond to multiple warnings from the company’s anti-intrusion software. Ensure your SIEM is properly configured, and that you have the right resources to monitor these logs in real-time and on a proactive basis.
And no View Access to SNMP
SNMP (Simple Network Management Protocol) is used in systems management to monitor devices such as routers, switches, and printers. On your systems management consoles, it enables the agents to report the status of IP devices. Unfortunately, a large number of these SNMP v1/2 configurations allow each user to view an entire, unrestricted view of the entire agent tree, which could then be used to provide sufficient credentials to obtain read-write or admin level SNMP access.
Wishing all our readers a Merry Christmas and Happy & Prosperous 2015.