5 easy cyber-security fixes
18 months ago, I wrote this post in response to a large number of ‘common’ issues we find when carrying out cyber review work for organisations and their supply chains. Over the last 18 months, we have carried out many more of these reviews, brought to market new products, helped dozens of new customers and expanded our team by 30%. GDPR has also become part of UK law under the Data Protection Act 2018, and we have seen the FCA issue their first cyber-security related fine.
Lots of change then. So, what has changed in terms of the security ‘baseline’ we see in most organisations? Not much, if anything. The top-risk, ‘easy’ fixes from a cyber-security perspective 18 months ago are still the same things today. So, lots has changed, yet nothing has, at least in terms of reducing cyber risk. With cyber-attacks and the risk of business interruption higher than ever, now is the time for all organisations to assess their current approach, put in place the basics, then improve over time. But please, do start with the basics…
Do you know where your cyber risks are in 2019?
We have seen a fair number of risky things whilst carrying out our detailed cyber review for customers and their supply chains. One thing that never fails to surprise us, however, is the level of surprise itself. Most organisations we visit are unaware of the types and levels of risk they are exposed to. Largely, this is because they simply don’t know that they have them, or because the risks they do have aren’t being communicated to top level management in an appropriate way.
It is also generally held that 80% of the cyber risks businesses are exposed to could be reduced by implementing basic controls. It’s no surprise then that Pareto also says, to get to 80% effectiveness, you need to put in 20% effort.
I’ll break down some of the key risks that all connected organisations face and some potential strategies for reducing these to acceptable levels. Good Information Security Risk Management is about just that – reducing risks to a level that top management can accept. Ultimately, it is the business that will suffer from an exposed cyber risk, therefore it is the business that needs to make decisions about accepting those risks.
To that end, I would like to highlight some of the riskier things we have seen that all organisations need to be aware of.
1. Install internet facing firewalls
We have met with more than one organisation that had no internet facing firewalls. Surprising as that may seem, one organisation knew that they didn’t have an appropriate internet facing firewall but accepted the risk anyway. Having an appropriate firewall device is the first thing in the list on the Cyber Essentials scheme, and for good reason – it is your first line of defence. Let’s just consider a scenario where this might present a severe risk to an organisation. Let’s say, hypothetically, that your organisation has no firewall. Now let’s say it’s June 2019, and your entire customer database of 500,000 people is stolen by hackers. You find out about it as someone from the BBC has called to ask if you were aware of the breach. You now need to inform the ICO, as per GDPR. The ICO investigate and find that you are lacking the most basic of technical controls. The likely result? A very big fine, massively negative press and reputational damage, and most certainly a loss of customers.
2. Avoid using ‘Free’ anti-virus
The commercial focus of an organisation is of course high on any agenda. Part of any good commercial approach is being aware of your risks and managing them appropriately. I have seen a worryingly large number of organisations that rely on ‘Free’ anti-virus as it’s cheap, and there is a perception in many business leaders’ minds that it is the same as the paid-for versions. Not so much the same, as it happens. One organisation I visited had installed a free version from a commercial vendor a few years back. They didn’t realise that it didn’t carry out ‘on-access’ scanning (scanning files and executables as they open), regular scheduled scans or automated updates – these were all features in the premium or paid-for options. In effect, they didn’t have anti-virus. A manual update of the virus definition files, then a manual scan of one PC, revealed several issues – including well-known keylogging software. A ‘good’ anti-virus solution will get regular automated updates, scan all files and executables when they are opened, carry out regular scheduled scans and scan websites as they are accessed for malicious downloads, scripts and other issues.
3. Lock down administration account use
The purpose of a domain admin account is to carry out high level administration activities. By default, this account has access to everything on your network. This makes it very easy to use the account for things on the network – like scheduled tasks, backups and other software that needs to run, such as web servers. The challenge here is that if you were to run your web server with domain admin privileges, and it was in some way compromised, you have potentially exposed your entire network to an attacker. It seems like it should be obvious, then, that it’s not good practice to run services with permissions they don’t need. About 70% of the organisations we visit run all their services as the central domain admin account. In those organisations, the IT team also ‘share’ that password and use that single account for all administration activity. Good practice is to have individually named accounts for all users, with individual login accounts for all ‘services’, locked down to just the permissions they need to run and nothing else. That way, if they do get compromised, the potential access that an attacker has will be much more limited than it would otherwise have been.
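A quick way to find out whether you are one of the 70% is to list the logon account behind every Windows service and flag any that use a high-privilege account. The script below is an added example written for this post, not a tool from Optimising IT or from the original article; it assumes it is run as a local administrator on a domain-joined Windows host, and the `EXAMPLE\` account names in `$PrivilegedAccounts` are constructed placeholders to be replaced with your own domain admin accounts.

```powershell
# Added example: audit Windows services for logon accounts that carry more
# privilege than a service needs (e.g. a shared domain admin account).
# Assumptions: run elevated on a domain-joined host. The account names below
# are constructed placeholders; replace them with your real privileged
# accounts, or build the list from Get-ADGroupMember 'Domain Admins' where the
# ActiveDirectory module is available.
param(
    [string[]]$PrivilegedAccounts = @('EXAMPLE\Administrator', 'EXAMPLE\svc_domainadmin')
)

# Built-in service identities. These are not automatically least privilege,
# but they do not carry domain-wide administrative rights.
$BuiltIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)

function Get-ServiceAccountRisk {
    param([string[]]$Privileged, [string[]]$BuiltInAccounts)

    # Win32_Service exposes the logon account (StartName) for each service,
    # which Get-Service does not show.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = $_.StartName
        # -contains is case-insensitive for strings, so 'localsystem' also matches.
        if (-not $account) {
            $risk = 'Unknown: no logon account recorded'; $severity = 1
        } elseif ($BuiltInAccounts -contains $account) {
            $risk = 'Built-in service identity';          $severity = 0
        } elseif ($Privileged -contains $account) {
            $risk = 'HIGH: runs as a privileged account'; $severity = 3
        } else {
            $risk = 'Review: named account, check its rights'; $severity = 2
        }
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Account   = $account
            Severity  = $severity
            Risk      = $risk
        }
    }
}

$report = Get-ServiceAccountRisk -Privileged $PrivilegedAccounts -BuiltInAccounts $BuiltIn

# Most severe findings first.
$report | Sort-Object Severity -Descending | Format-Table Service, State, StartMode, Account, Risk -AutoSize

# Non-zero exit when a service runs as a privileged account, so the script can
# be used as a pass/fail check from a scheduled job or build pipeline.
if ($report | Where-Object Severity -eq 3) { exit 1 }
```

Every service reported as HIGH is a candidate for the fix described above: give it its own named account (or a group managed service account) with only the rights it needs, then change the service logon and remove the privileged credential from it. Entries marked Review are not necessarily wrong, but each named account should be checked for group memberships it does not need.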
4. Train your users
Although it is number four on this list, it is the first thing that all organisations should do. It’s a topic we cover in depth in our Practical Cyber workshops. In IT, function tends to overtake security in that, generally, your computer ‘works’, therefore everything is good. That one fake invoice email you click on, or the post-it notes with passwords stuck to the screen, however, suggest that the function of a computer is not to be secure. Most attacks on organisations, including those involving ransomware, target users as the weak link. The simple act of opening a compromised attachment can have a devastating effect if the ensuing ransomware encrypts everything on your network. Training your users to recognise social engineering attacks, including phishing emails, is some of the best cyber-security money you can spend.
5. Update software & operating systems
Much is made of the need to patch software and operating systems. This is because new vulnerabilities are discovered on a daily basis, and potential attackers make use of these to break into computer systems. Updating software with security patches plugs these vulnerabilities and makes it more difficult for criminals to gain unauthorised access to your systems. It’s not just your operating system that needs updating either – any unpatched software presents a risk, especially if there are known ‘exploits’ available. An exploit is a well-known method of attack, often crafted into executable code, that attackers use to compromise a vulnerable system. We visited one organisation that had previously not seen the need to upgrade old versions of a well-known PDF creation tool. The version they were running was several years out of date and had several easily exploitable vulnerabilities. If you never connected the machine running the out-of-date software to anything else, including the local network, then the risk of these vulnerabilities being exploited would be massively reduced; however, it wouldn’t be very useful in our modern connected world. Therefore, upgrading it to a version that is supported by the vendor is a good thing – if there are any future vulnerabilities, the vendor will generally be obliged to release a fix for them.
So, what’s next?
Any one of the previous challenges presents a level of risk for any connected organisation. Combinations of these greatly increase the likelihood and impact of any potential breach and could leave your organisation exposed to interruption, loss of revenue, big fines and perhaps even a loss of future custom.
As you can see, we’ve come across several security vulnerabilities which can all be easily avoided. Our pragmatic approach and the range of services we offer to suit your individual business needs can help to highlight and reduce your cyber risk.
Contact us to find out how we can help or call 0330 403 0011.
Author: Todd Gifford, Certified Information Systems Security Professional (CISSP), Head of Consultancy at Optimising IT.