Online security is a pressing concern for every IT head. The increasing incidence of malware, both in volume and in the new distribution vectors it uses, is a real headache. Most of the common threats are well documented, as are preventative measures and recovery techniques. There are, however, a few issues that are often overlooked, and they leave gaps in the online security environment.
One that certainly does not receive enough attention is the user. The FBI has estimated that over three-quarters of all security incidents are caused by user negligence or malicious action. Some common examples follow.
Carelessness with Identity Information
Users find credentials irritating. If each application, and access to the corporate network itself, requires different credentials, the tendency is to write them down, even to the extent of a post-it note stuck to the desktop terminal. Other common locations are the calendar pad on the desk and the front or back page of the office diary.
A second area is obvious passwords. Birthdays, car registration numbers and pets' names are used because they are easy to remember, and for the same reason they are easy for an attacker to find on social media or to guess from a short list.
A third is users giving identity information over the phone, or to someone at their desk pretending to be from IT Services. A common pretext is that their desktop software needs upgrading: "Can I have your credentials, because I'll need to restart your computer?" Legitimate support staff do not need a user's password to do this.
What can one do?
First, decide how passwords are rotated. The traditional control is automatic expiry, forcing the user to choose a new password at a fixed interval. Be aware that current guidance (NIST SP 800-63B) advises against routine expiry, because users respond with predictable increments (Summer2023 becomes Summer2024) that defeat the purpose; the stronger control is to force a change when there is evidence of compromise, for example when the password turns up in a breach.
Second, use password rules. Length matters more than composition: set a minimum well above eight characters and screen new passwords against a list of common and breached passwords, rather than relying only on a mixture of special characters, numbers and upper and lower case letters. Some sites issue generated passwords; a password manager or single sign-on also removes the reason users write credentials down in the first place.
Third, train users to treat their credentials with the same care as their bank details and never to disclose a password to anyone, IT Services included. Multi-factor authentication limits the damage when a password is disclosed anyway.
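The three steps above amount to a password acceptance policy. The following is an added example, not code from the original article, of how such a policy can be enforced at the point where a user sets a password. It goes a little beyond the text's composition rules and also rejects the "obvious" choices the article describes: passwords built from the user's own identity information, embedded birthdays or years, alphabet or keyboard runs, and entries on a common-password list. The twelve-character minimum, the short common-password set and the user tokens are assumptions made for the example; a real deployment would load a breached-password corpus of millions of entries.

```python
import re
from datetime import date

# Constructed sample of "obvious" passwords (pet names, defaults). Assumption for
# the example only; use a full breached-password corpus in production.
COMMON_PASSWORDS = {
    "password", "password1", "letmein", "qwerty", "123456", "welcome",
    "fluffy", "rex", "abc123", "iloveyou",
}

MIN_LENGTH = 12  # assumption: longer than the eight characters the article quotes


def has_date_pattern(pw: str) -> bool:
    """True if the password embeds something that looks like a birthday:
    an 8-digit DDMMYYYY / MMDDYYYY / YYYYMMDD date or a bare 4-digit year."""
    for digits in re.findall(r"\d{4,8}", pw):
        if len(digits) == 8:
            candidates = (
                (digits[4:], digits[2:4], digits[:2]),   # DDMMYYYY
                (digits[4:], digits[:2], digits[2:4]),   # MMDDYYYY
                (digits[:4], digits[4:6], digits[6:]),   # YYYYMMDD
            )
            for year, month, day in candidates:
                try:
                    date(int(year), int(month), int(day))
                    return True
                except ValueError:
                    continue
        elif len(digits) == 4 and 1940 <= int(digits) <= date.today().year:
            return True
    return False


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent characters step by exactly +1 or -1 (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_identity_token(pw: str, tokens) -> bool:
    """True if the password contains the user's name, username, pet, car plate, etc."""
    low = pw.lower()
    return any(len(t) >= 3 and t.lower() in low for t in tokens)


def check_password(pw: str, user_tokens=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    letters_only = re.sub(r"[^a-z]", "", pw.lower())   # Password1! -> password
    if pw.lower() in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if has_date_pattern(pw):
        problems.append("contains a date or year")
    if has_sequential_run(pw):
        problems.append("contains a keyboard or alphabet sequence")
    if contains_identity_token(pw, user_tokens):
        problems.append("built from the user's own identity information")
    return problems


if __name__ == "__main__":
    # Constructed user tokens: username and pet name from the directory / HR record.
    for candidate in ("Fluffy1985", "abcd1234", "Tr0ub4dor&3 walks!"):
        print(candidate, "->", check_password(candidate, ("jsmith", "fluffy")) or "OK")
```

The point of the extra checks is that "Fluffy1985" satisfies the article's eight-character, three-class rule and is still one of the first things an attacker who has seen the user's social media will try; the list-based and pattern-based rejections catch it while the composition rule does not.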
A very common method of extracting information and distributing malware is the phishing email. The attacker crafts a message that appears to come from a trusted source, such as a colleague or a bank, and sends tens or hundreds of thousands of copies to harvested address lists.
The email carries either an attachment containing malware or a false weblink in the body text. Opening the attachment or clicking the link starts the attack.
Opening the attachment launches malware that infects the computer. It can be an invisible application that simply collects information and sends it back to the attacker for sale or later use, or one programmed to spread to other computers on the corporate network, with the ultimate objective of reaching the main servers.
False weblinks take the user somewhere other than where the link appears to point: the visible text shows the bank's address while the underlying target is an attacker-controlled host, again with the objective of installing malware on the desktop or harvesting credentials.
Phishing is probably the most difficult attack to thwart. User education is the first line of defence: teach people to distrust unexpected links and attachments, however plausible they look, to check where a link really points before clicking, and to report suspicious messages. Periodic reinforcement is recommended, because a single training session wears off.
At a more technical level, mail gateways and web proxies can vet links when users try to follow them and block suspicious and known-bad destinations; the same products can strip or quarantine executable and macro-enabled attachments before they reach the inbox.
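To make the "false weblink" and "attachment containing malware" points concrete, here is an added example, written for this page and not taken from the article or any product it mentions, of the checks a mail gateway or a user-side triage tool performs on a message. It parses the HTML body, compares each link's real target with the address the user sees, flags bare-IP and punycode hosts and digit-for-letter lookalikes of a protected domain, and flags attachments whose names carry code or hide their real type. The protected domain, the sample message and the attachment names are all constructed for the example; the xn-- label is made up and the check only looks at its prefix.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own and partner domains that phishers imitate.
PROTECTED_DOMAINS = {"examplebank.com"}

# Constructed sample message; every domain and address below is illustrative.
SAMPLE_HTML = """
<p>Dear customer, your account has been locked.</p>
<p>Sign in at <a href="http://198.51.100.23/login">https://www.examplebank.com/login</a></p>
<p>or use <a href="https://examp1ebank.com/reset">our reset page</a>,</p>
<p>or <a href="https://xn--exmplebank-0ya.com/">this mirror</a>.</p>
<p>Your statement: <a href="https://www.examplebank.com/statements">examplebank.com</a></p>
"""
SAMPLE_ATTACHMENTS = ["Invoice_4471.pdf.exe", "Q3_report.xlsm", "agenda.pdf", "setup.iso"]

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                  "wsf", "hta", "lnk", "iso", "img", "msi", "ps1"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter swaps


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Lower-case the host and drop a leading www. (a simplification of eTLD+1 logic)."""
    return re.sub(r"^www\.", "", host.lower())


def check_link(href: str, text: str) -> list:
    """Return findings for one link: the real target versus what the user sees."""
    findings = []
    real = registrable(urlparse(href).hostname or "")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
        findings.append("target is a bare IP address")
    if any(label.startswith("xn--") for label in real.split(".")):
        findings.append("target uses a punycode (IDN) hostname")
    # Visible text that looks like an address but names a different host than the href.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable(shown.group(1)) != real:
        findings.append(f"displays '{registrable(shown.group(1))}' but links to '{real}'")
    # examp1ebank.com normalises to examplebank.com: a lookalike, not the real thing.
    if real not in PROTECTED_DOMAINS and real.translate(HOMOGLYPHS) in PROTECTED_DOMAINS:
        findings.append(f"'{real}' is a lookalike of a protected domain")
    return findings


def check_attachment(name: str) -> list:
    """Flag attachment names that carry code or hide their real type."""
    findings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable or script attachment (.{ext})")
    if ext in MACRO_EXT:
        findings.append(f"macro-enabled Office document (.{ext})")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXT:   # invoice.pdf.exe
        findings.append("double extension hides the real file type")
    return findings


def triage(html: str, attachments) -> dict:
    """Map every suspicious link href and attachment name to its findings."""
    collector = LinkCollector()
    collector.feed(html)
    report = {"links": {}, "attachments": {}}
    for href, text in collector.links:
        if findings := check_link(href, text):
            report["links"][href] = findings
    for name in attachments:
        if findings := check_attachment(name):
            report["attachments"][name] = findings
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HTML, SAMPLE_ATTACHMENTS), indent=2))
```

Run against the constructed message, the tool flags three of the four links and three of the four attachments while leaving the genuine statement link and the plain PDF alone. The text-versus-target comparison is the check that matters most for users, because it is exactly the mismatch a person cannot see without hovering over the link.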
USB-attached removable media, such as flash drives and portable hard drives, are an often overlooked threat. Users bring these devices from home, to show colleagues holiday snaps for example, or use them to take work home over the weekend.
Home systems are unlikely to have the same level of malware protection, so media used on them are an easy vector for malware to enter the corporate network. The computer the employee uses to update corporate information at home is typically also used for online games and social media.
Industrial espionage is also a threat. Being able to copy corporate data onto a device that leaves the premises without detection is an obvious security hole. Loss need not be intentional: it won't be the first time sensitive information has been left in a taxi.
If possible, disable USB mass storage on desktop machines and prohibit the use of portable media. Data-loss-prevention and web-filtering software can also monitor connections to external sites and block those to dodgy or unapproved destinations.
Some sites block uploads to public data stores such as OneDrive and Dropbox for the same reason.
An unhappy user, or a user with a grudge, is a dangerous user. When someone resigns or is dismissed, their access credentials should be revoked immediately, which requires an up-to-date inventory of the accounts each person holds; any shared passwords they knew should be changed at the same time.
Online security is not just anti-malware software and keeping detection rules up to date. It is a continuous process of reviewing processes and procedures.