By Lysa Myers
You might think that soaring rates of computer security breaches on businesses is simply bad news. How could it not be when we see report after report of major businesses whose networks have been compromised? While there may be an endless number of holes through which attackers can get into a network, there's another side to this story. There is always some hope to be gleaned from doom and gloom security statistics.
"Mature Market" or "Battle Tested"?
On the one hand, an increase in breaches means attackers are either more numerous or more successful than they have been in the past. It's likely to be a bit of both as the criminal underground has become a more mature market. For example, feature-rich toolkits fitted with the latest exploits are available to attackers even before vendors can patch their vulnerable software. Black markets are now mature and easily accessible. This means criminals know exactly how much data will sell for and they know how to best spend their time to generate a maximum return on investment.
On the other hand, these tools and data are available to everyone, not just the "bad guys". And, most importantly, the means to fix or mitigate problems are readily available too. These are just as easily used to determine your company's own weaknesses to find ways to protect yourself. Let's not forget, the cost benefits for protecting your business is inherently higher than it would be for an attacker to try to bypass your defences.
The more a platform or operating system has been successfully attacked, the more the attackers have shown their hands. We know what browser plugins or content management systems or software applications they prefer to attack. We know what exploit techniques they look for. We know how they try to thwart defences and hide their tracks. This is all information we can use to spend our time and money more effectively to decrease the value for attackers.
"Abandon Hope" or "Just Run Faster Than the Other Guy"?
There are a lot of people that like to declare that some security technology or other is "dead" – how it cannot possibly protect you, and is therefore useless. However, the fatalists are ignoring the fact that, while those same technologies were never meant to protect you against every possible type of attack, they still have some use. Just because something isn't a silver bullet doesn't mean you should toss it out the window, roll over and let the rampaging hordes strip you of all your valuable data.
By making incremental improvements to the protection of your data and the systems in your network, you can make yourself a less tempting target to cybercriminals. That's very important – there are plenty of businesses that are ignorant of how to properly protect their systems and data. And by being better protected than average, you will immediately cut off the least motivated attackers. By being well protected, you can either block or mitigate the damage of all but the most skilled and determined attackers.
You don't have to break the bank or have the greatest defensive minds in the industry to protect yourself, because the best defence is comprised of lots of different elements, so you can add a piece at a time. One of the best pieces of the defensive puzzle is information gathering, which may be time-consuming but also fairly simple.
How Can We Do That?
There are three steps you need to perform to be well protected. You can start small with each of these steps and then build on them as you have the need, time or resources.
Identification of the data and resources on your network can be a bit of a rabbit hole – you could spend an infinite amount of time watching the never-ending changes that happen moment to moment. But you can still get a lot of value out of simply increasing the visibility within your network, and there are a lot of products that can help you automate this process.
The first step is finding all the machines that are supposed to be connecting to your network. From there, you need to figure out what data lives where – both customer data and proprietary data. Having a product like Identity Scrubber can help you find a wealth of data such as passwords, credit card details, national insurance numbers, etc. Don't forget to check your publicly available information – is there information on your website that would give an attacker clues that could be used to talk your employees out of sensitive information?
Once you know the systems and data you have, you can then better monitor changes to those systems. For example, these changes will let you know when someone or something is in your network that should not be.
Now you know what you're trying to protect, you can go about restricting access to those people that shouldn't be accessing it.
The most obvious things to consider are things like anti-malware products and hardware / software firewalls. Larger businesses may have these in place already, but many smaller businesses may not feel they have the expertise to manage these. Modern security products have come a long way, and are now geared more towards simplicity. Also, many vendors now offer managed services, which means the difficult management is done for you.
Passwords are equally obvious, but often ignored – having an enforced policy for strong, unique and frequently refreshed passwords can go a long way towards deterring attackers.
The least commonly understood way to restrict access by attackers is what's called the Principal of Least Privilege. Users should not have access to any data or resources that they don't need. This could mean former employees, or people that only need data for a short period of time, or it could mean restricting people in one department from being able to access data from another department. Does someone in Development really need to be able to access information from Finance? Or does Finance really need to access Development servers? If someone does talk that person in Human Resources out of his or her login password, restricting access may be what keeps an attacker out of more sensitive information.
In the event someone does make it into your network, it still doesn't mean they will necessarily get the valuable data they seek. There are ways to make your data so difficult to access that their hard work will be for nothing.
The first step is to take the data you've identified and encrypt it. You will want to go a step further with usernames and passwords, by salting and hashing them so that they can't easily be retrieved. Security software can be helpful here too; known malicious behaviour or files should be identified before they can infiltrate systems.
Just because the news on information security appears bleak does not mean everything is doom and gloom. There are simple things you can do to drastically decrease the possibility of catastrophe and to get your organisation that much further ahead of the pack.
Now is the time to make those changes, so you won't have to be another statistic.
Lysa Myers is a virus hunter for Intego, a Mac security software company that has developed award-winning antivirus and network protection solutions for the Mac platform since 1997.