The lesson many people took from the successful cyber attack on Target last year was that even giant, sophisticated corporations are vulnerable to intrusions, but a lesser-known detail of the story carries big implications for small and medium-sized businesses.
That detail is this: the cybersecurity hole at Target began with an attack at a vendor connected to the Target network — a much smaller HVAC company in Pennsylvania. Although that company was not the real target, it showed that cyber criminals are not ignoring small and medium-sized businesses. And when leaders of companies that size begin to explore their potential vulnerabilities and what to do about them, it can be a bit overwhelming.
Security weaknesses can come from applications developed without proper secure coding practices, insufficient security measures at third parties with whom data is shared, lax policies on the use of mobile devices and poor password practices, to name some of the more common ways. But this article will discuss another significant issue that is all too common at companies of all sizes: attacks directed at end users.
By end users, I mean the desktops, laptops and other devices used by employees to interact with a company's data and network, as opposed to the servers and other more centralized elements of infrastructure that typically sit in a data center and are well tracked and managed by an IT department.
The first step is to assess your risk by whatever means is feasible for your organization. To do that, you may well have to confront a problem shared by many companies — lack of a complete and up-to-date inventory of the devices employees are using to access your network.
A security program obviously cannot be effective without fully understanding what it is you are trying to secure. If you don't know about it, you can't secure it. So, organizations should develop an accurate inventory of end user devices. This list should include both devices that are owned and provided by the company and personally owned devices that are allowed to connect to the company's network or e-mail.
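As an added illustration (not from the column), here is one way to put that inventory to work: reconcile it against DHCP lease acknowledgements so that any device that obtained an address but is not on the list stands out, along with listed devices that have gone quiet. The inventory entries and log lines are constructed samples, not real devices.

```python
import re

# Constructed inventory: MAC address -> (device name, category). Hypothetical data.
INVENTORY = {
    "00:11:22:33:44:01": ("LAPTOP-FIN01", "company-owned"),
    "00:11:22:33:44:02": ("LAPTOP-HR02", "company-owned"),
    "00:11:22:33:44:03": ("iPhone-JSmith", "byod-approved"),
}

# Constructed DHCP server log lines in ISC dhcpd syslog style (sample data, not a real capture).
DHCP_LOG = """\
Mar  3 08:01:12 dhcp dhcpd: DHCPACK on 10.0.0.21 to 00:11:22:33:44:01 (LAPTOP-FIN01) via eth0
Mar  3 08:02:40 dhcp dhcpd: DHCPACK on 10.0.0.22 to 00:11:22:33:44:03 (iPhone-JSmith) via eth0
Mar  3 08:05:03 dhcp dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:99 (android-7f2a) via eth0
Mar  3 08:05:04 dhcp dhcpd: DHCPREQUEST for 10.0.0.23 from 00:11:22:33:44:99 (android-7f2a) via eth0
Mar  3 08:09:17 dhcp dhcpd: DHCPACK on 10.0.0.21 to 00:11:22:33:44:01 (LAPTOP-FIN01) via eth0
"""

# Only DHCPACK lines mean the server actually handed out an address.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


def reconcile(inventory, log_text):
    """Return (unknown, not_seen): devices that got a lease but are not in the
    inventory, and inventory entries that never appeared in the log."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        entry = seen.setdefault(mac, {"ips": set(), "host": m["host"] or ""})
        entry["ips"].add(m["ip"])
    unknown = {mac: info for mac, info in seen.items() if mac not in inventory}
    not_seen = sorted(mac for mac in inventory if mac not in seen)
    return unknown, not_seen


if __name__ == "__main__":
    unknown, not_seen = reconcile(INVENTORY, DHCP_LOG)
    for mac, info in unknown.items():
        print(f"UNKNOWN device {mac} ({info['host']}) at {', '.join(sorted(info['ips']))}")
    for mac in not_seen:
        print(f"NOT SEEN: {INVENTORY[mac][0]} ({mac})")
```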
Once you have your list, here are some steps to take:
Keep up to date with security patches provided by software vendors for end user machines. Be sure to include application software patches, such as those for Adobe products, Java and web browsers, in addition to the operating system patches.
Provide spam filtering for every machine with sensitivity controls turned up. One of the most common tactics attackers use to make initial entry into a company's network is enticing end users to click on a spam email link that installs malware. While this won't stop every phishing attempt, if you can filter out even one, that is one less opportunity for an unsuspecting user to click a bad link.
Install "egress" filters. These monitor and guard outbound traffic from your network and prevent malware that has already landed on a machine from communicating back to an attacker, who could otherwise use that channel to send it instructions for penetrating the system further.
Remove local administrator rights from end-user machines. Local administrator rights give a user more power to make changes to a computer, and if an attacker gains control of a machine with those rights, damage to the network can be much more significant. You may receive objections to this change from users who want to better control their experience on the device. A hard line is advisable.
Install network intrusion prevention capabilities. These devices screen traffic attempting to enter your network and deny access to suspicious items. Make sure the IPS is configured to block known attacks, not just alert on them.
Make sure there is up-to-date anti-virus/malware protection installed on every machine.
Require IT personnel to use different passwords when they work on servers. Even IT administrators can fall victim to e-mail phishing attacks when they are working on their own computer. If they click on a bad link while logged in as an administrator, attackers can gain big-time access to your network using their privileged credentials.
Conduct security awareness training for all personnel to help them understand their responsibilities when using a company computer system and/or handling sensitive data.
And perhaps most importantly, require "two-factor authentication" for users logging on to the network. That means that a password alone is not enough to gain access; another form of identification — also called authentication — is needed. That could take the form of such things as a fingerprint, a token (a physical device that generates a code that is entered on the machine) or a digital certificate. If two-factor authentication is in place, an attacker who successfully captures a user's access credentials still won't be able to remotely connect to the network without the second factor (the token).
Taking all these measures will not completely eliminate the possibility of a successful attack, but it will greatly reduce your exposure to this common attack vector, which just might mean a potential attacker moves on to a more vulnerable target.
Mark Burnette is a partner in the Information Security practice at LBMC, the largest regional accounting and financial services family of companies based in Tennessee, with offices in Chattanooga, Brentwood and Knoxville. Contact him at email@example.com or 615-309-2447.
As featured in the Chattanooga Times Free Press.