The image we have in our minds of hackers is changing. We’ve spent the last 20 years assuming that hackers were disenfranchised youths trying to take down ‘the man’ with justified attacks on their data – usually to reveal some sort of terrible hidden truth. We have been giving them too much credit.
Computer geniuses are generally portrayed as the good guys, as evidenced by titles like Mr Robot, Hackers, the video game Watch Dogs, and especially The Matrix. But, in light of recent events, it’s become far more apparent that hackers are not necessarily heroes – they can be malicious and potentially dangerous, so protecting your business from them needs to become a security priority. In this spirit, we offer you some problem areas and essential tips on helping you combat data hacks.
Passwords
I’m sure you’re sick of being told to improve your password, but you know what? It’s going to keep happening until everyone gets it (and probably after then, sorry). Ryan Kazanciyan, a technical advisor on Mr Robot, has mentioned in Q&A interviews that businesses are still struggling to handle security at a basic level. “Attackers don’t need to use the best card in their deck”, he said. This is because businesses are still treating security as a secondary objective. Proper passwords – probably the most actionable of all the measures you can take to deter attackers – is a great first step in taking security more seriously.
If you have a weak password, it can give a hacker relatively quick and easy access to your server. Google describes a good password as having “a combination of letters and numbers, punctuation, [and] no words or slang that might be found in a dictionary”. Hackers are aware of the half-hearted attempts of creating secure passwords, including replacing letters with numbers or putting an upper case character at the beginning or end of the password. In addition, it’s strongly recommended by security experts at Google that you use 2-factor authentication, whereby you need a password as well as a second step of verification, such as a code sent to your phone. Make sure you aren’t using that same password throughout your business, or one hack could become an entire network hack. If it sounds like it could all get too confusing, then you can use a password manager service, such as Dashlane. If you give them one master password, it will manage the passwords for your entire company and encrypt everything. It’s not as helpful if your master password is easy to guess, however, so if that is the case you can use one of Dashlane’s tools to find out how secure your password is. As if that wasn’t enough, the same tool also lets you know if your website has been hacked.
Keep an eye on your server log to check for suspicious activity, such as multiple login attempts for an admin account, or unusual admin commands.
Out-of-date software
How many times have we dismissed software updates and simply pressed the ‘remind me later’ button? Surely too many to count, but those updates are essential to businesses. Hackers are always looking for vulnerabilities in your system and software, and those updates often contain crucial alterations to the software that remove those vulnerabilities.
Bear in mind that these vulnerabilities can crop up in unexpected places, such as the software in your WiFi router, your content management system, plugins… the list goes on. Some of these can be encrypted (such as your wireless router) while for others you may want to restrict administrative access so you can control what gets installed and when. For Flash and Microsoft Office, install the recommended updates as soon as possible. These are some of the most popular programmes and, for this reason, they are the most commonly targeted by hackers.
Offensive security
One of the most effective ways to understand cyber security and how at risk you are is to try ethical hacking. To be clear, hacking is never ethical unless it’s actually part of your legally permissible job. Or, in this case, if you’re hacking yourself.
Most businesses rely on defensive security, which focused on reactive security measures. Ethical hacking takes a more proactive approach, allowing you to take the offensive. Sites like Kali offer you the tools necessary to hack systems, and the training required to know what you’re doing and what to look for. By understanding how you can hack your own systems, you can learn what your vulnerabilities are and what to do if you find yourself under threat.
Another offensive measure you can use is to bait and trap malicious hackers. The Canary box generates a system that seems to contain all the best, valuable data of a business, but the catch is, it’s fake. Think of it like a honeypot for hackers. Once they enter the system, the security team is immediately notified of their presence. You can also bug some of your sensitive documents with a Web Bug or Web Beacon. These will let you know when someone is looking at your documents, and where they are accessing the files from.
Be careful you don’t get too offensive in your security, however. If you use your new powers to counter attack your attacker, you’ll be breaking the law, and also become everything you hate.
Social Engineering
Many of the biggest hacks in history began with a friendly phone call. Social engineering is an attack that relies heavily on human interaction, usually by tricking them into giving something up. I use the word ‘attack’ rather than ‘cyber attack’ because this practice dates back a long way, including back to 1849 where Samuel ‘confidence man’ Thompson would simply ask people to be confident in him that he would give back their money or possessions the next day (he didn’t).
In the modern day, the term refers to hackers making contact with businesses and conning those they communicate with into giving up information or opening malicious documents. Even just a seemingly innocent phone call can help them. The tools that hackers use to break passwords work more efficiently the more information they have about the account owner, so anything they can get out of the person they’re talking to will help them.
Another technique is to send phishing emails to many employees with a malicious attachment. If the email is crafted well enough it could be convincing enough to make an employee open the document, and it only takes one employee to allow a hacker access to the network and sensitive information. This is exactly what happened to security firm RSA. An employee opened a convincing attachment that opened up a vulnerability in the Flash application and ended up costing the firm $66 million.
In order to prevent a social engineering scam, it’s essential to make sure everyone is aware of this kind of scam, at every level of the business. To be thorough, you can also go beyond this by making sure your third party contractors understand the risk, or else you could end up like Target. A hacker was able to use credentials taken from contractors for heating, air con, and ventilation to break into Target and take details of 70 million credit and debit cards.
There are many forms of social engineering so it’s essential that you and your team stay especially vigilant. Everyone should understand exactly what information is OK to give out, and what could put your security at risk.
Be vigilant, even when not in the office
It might be a necessary part of your business operation to travel around and go to meetings. You may also want to bring an office device that contains valuable business information, such as a phone or iPad. These devices are designed to look for and connect to WiFi networks automatically. This is where the risk comes in because, unbeknownst to you, there could be shadow network. These will seem like any other network you might connect to, but they are monitored by predators. If your device connects to this network, you could be exposing your confidential business information without you even knowing it’s happening. Even if the network you’re connected to is safe, hackers that are connected to the same public network could still get access to your data through that router.
It’s also worth remembering that, if you’re in an airport or hotel, about 90% of the WiFi networks are insecure, making it much easier for your device to be compromised. You can reduce the risk of these hacks by using a Virtual Private Network (VPN). These mask your IP address and encrypt all internet traffic between your device and the VPN, meaning that anyone spying on your connection will only get the IP address of the VPN, not your device.
Hopefully, this blog will help you feel more confident in your cyber security. Being aware of the risks is half the battle, and by ‘being aware’ we don’t just mean you, but your entire business. Everyone, from top to bottom, needs to understand the risk of not taking your business security seriously.
To find out more about cyber security for your website, check out our blog on keeping your website safe!