Posts tagged wireless security
The importance of cyber security is now being stressed to the point where pretty much everyone these days is aware that there is an urgent need for it, and that literally, every company connected to the Internet could be subject to an attack. The types of attacks carried out against company networks and databases have been found to fall into several predictable categories, for which some fairly effective defenses have been developed.
This doesn’t mean that companies are now safe from cyber-attack, but it does mean that more companies are availing themselves of the right kinds of security measures because they understand what the consequences might be if they fail to do so. This being the case, many cyber attackers are now turning their attention to a more exploitable link in the security chain for companies around the world, which is the human element.
For some time now, there has been an increasing development for company employees to become the focal point of criminal attacks, because they are not usually equipped with the same kind of defenses that hardware and software can be. Humans can be tricked into making security mistakes, which can then be exploited by the criminal-minded for their own monetary gain.
Since humans do constitute another link in the corporate chain of security defenses, that is definitely an area which every company needs to consider, in order to protect itself against the threat of cyber-attack. The actions taken should include a combination of systematic education and campaigns to raise awareness, as well as encouraging employees to behave in a more secure manner.
Here are some of the ways that companies can help to make their employees less of a security risk, and instead become one of the strong links in the defense against cyber-attack.
It will be worth the time and effort it takes to canvass the entire company so that potential entry points for malicious software can be identified and remediated. One of the most obvious entry points, of course, are emails coming into the company, and this calls for thorough training of employees, so as to spot potential risks such as those emails which ask you to click on the attachment.
There are also malicious emails sent to employees where the sender impersonates a company official and asks for some payment to be sent to a vendor at the address on an attached invoice. Other impersonation attempts could be from companies which the email recipient supposedly does business, asking for payment on a recent purchase.
Whatever the weak points might be around the company for potential exploitation, these need to be identified in a campaign which seeks them out, and these should then be used as examples to employees of what to avoid.
Raising Employee Awareness of Security
Another track that your security assessment campaign should take is to evaluate the culture of your business, in terms of how effective training is, how often it’s conducted, and how it can be tailored to your company environment. When that understanding has been achieved, a suitable training program should be implemented, so that your employees are constantly thinking about cybersecurity.
The educational components should include all those possibilities which constitute cyber-attack risks, and what actions employees should take when suspicious activity is identified. Most importantly, employee training should not be a one-time operation, but should instead be something which is updated every six months to a year, and at that time, new training sessions should be initiated, so that updated material can be conveyed to employees.
There are always new and more malicious methods being devised by the criminal-minded, so that means training of employees has to be adapted periodically as well, to include all those new threats.
All usage of the company network should be periodically analyzed and evaluated to determine whether or not there has been any malicious activity occurring. Transaction logs and other sensing software should be assessed for anything that looks like a preliminary attempt at a data breach.
Things to look for in particular might be employees who are attempting to access the company network after hours, extremely large downloads of data files, and possibly individual employees spending unusual amounts of time accessing sensitive company data. Any such digital trails which strike the evaluator as being out of character for normal company business should immediately trigger a red flag, and possibly an action by a response team.
Top Management Support
It’s essential for any cybersecurity program in a company to have the full support of upper management, which means it should be more than lip service and should be a legitimate effort, which is appropriately funded and supported. When employees recognize that top management is in earnest about cybersecurity issues, they will be much more likely to adopt the necessary measures themselves.
There should also be a dedicated cyber security manager or officer within a company because this is the type of program which requires full-time implementation and monitoring. If there are multiple individuals involved in the cybersecurity program, there should be a clear hierarchy, with well-defined roles for each person in the group.
One of the most urgent priorities for all businesses connected to the Internet is making sure that all employees and staff members are trained to avoid the possibility of data breaches. The following guide will include some of the specific practices which all employees should be trained in or which they should put into practice, in order to bring about desired results.
Get Employee Buy-in
There are, of course, some things you can do to deflect viruses, and there are software measures which can be taken to take advantage of the latest security protections. However, the most effective tools at your disposal for maintaining cybersecurity are those used to obtain employee buy-in for security measures.
It’s essential for you to convince your employees of the need to be vigilant against the possibility of cyber-attack because it will impact them personally. Employees need to understand that they could have their own data compromised and that if serious harm is done to the company, that could result in an interruption of work, if not a total cessation.
If the company’s reputation is damaged by a security breach, that could lead to declining fortunes of the company and in a worst-case scenario, even bankruptcy. Making employees understand how all this affects them personally is a very important point to use as a means of obtaining their buy-in to cybersecurity.
Make Sure Employees Understand Their Roles
Employees need to understand that the majority of cyber-attacks these days are perpetrated against humans, and not through the exploitation of weaknesses in firewalls or other preventive measures. Humans can easily be duped by phishing attacks and other social engineering techniques which seek to exploit their general unpreparedness against security breaches.
Train all employees to avoid sending sensitive emails to external sources, not clicking on files which are un-validated, being tricked by phishing attempts, using the social media carelessly, and connecting to Wi-Fi with a work laptop.
Implement Digital Precautions
If your company deals with financial transactions, these should always occur with safety in mind, and every possible means of data protection should be implemented. First of all, transactions need to be conducted over a secure network, rather than using open source software for transaction processing, since you can’t be sure of software security.
If any devices or appliances in your office workplace are connected to the Internet of Things (IoT), make sure that passwords are regularly changed, and that these are strong passwords. Already, numerous attacks have been made on devices connected to the IoT, for instance transforming them into gateways to company networks.
Keep antivirus subscriptions up to date, as well as any malware subscriptions you have, and as soon as you are supplied with patches by your vendors, make sure that those patches are scheduled for the application.
Everything possible should be done to make access to your data files extremely difficult, especially information which is considered a business-critical or high priority. Create an environment where it’s easy for your employees to report suspicious activity, such as emails that don’t seem legitimate. By encouraging an open environment which emphasizes security, you can have all of your employees on the alert, and inclined to report anything suspicious at all.
Employee training should be conducted at least twice a year so that all the information provided is reinforced constantly. It may seem like a bore to employees, but that repetition will be well worth it if it thwarts a serious cyber-attack. Make sure no one is exempted from the biannual training, and that it’s tailored to specific groups within the company that has specific responsibilities because these could be subject to different kinds of security attacks.
Try to keep training sessions simple, so that they become very memorable to employees, and so the practices become more implementable. In between formal training sessions, it’s a good idea to post safety reminders at strategic locations throughout the company.
Cyber Security Reviews
It’s a good idea to review communication processes used by the company every three months or at most every six months and make sure that all company employees are receiving the security messages which are being broadcast. Make sure that you have a reporting system which identifies any security breaches, and is sure that the statistics are trending in the right direction.
There can be a lot involved with keeping employees trained to avoid cyber-attacks, and all the work involved should not be left up to the I.T. department, because typically these individuals already have plenty on their plates. If the training program is to be successful, there should be dedicated personnel to conduct the training, and there should be a formalized plan which covers several years.
In the first year of the training program, it might be advisable to keep things simple and just get training guides issued and implemented. The next year, a deeper cut can be made at instructing employees, possibly by tailoring security content to specific groups of employees and individual departments.
After those initial years, your training program might focus on quality control, obtaining employee feedback, and developing more sophisticated methods for delivering your safety messages. Throughout the entire training process, for as long as it’s conducted, all changes in the cybersecurity environment should be monitored, and it should be verified that training is kept current.
If you can provide this kind of in-depth training to your employees on a regular basis, and make sure that the content is actually useful and relevant, you will go a long way toward protecting your computing environment from attack by the criminal-minded.
Having the right connection to the Internet can be a crucial consideration for your business since both wireless and ethernet connections have advantages and disadvantages. Both of these connection technologies have their own specific levels of security, and both can provide a stable environment for your company. In choosing which one is better to implement for your particular circumstances, you should consider the advantages and disadvantages wired versus wireless security described below, before going one way or the other.
Ethernet connections are characterized by the cables which connect them to switches and routers in your network, and they allow for local area network access by all your employees. One of the advantages provided by ethernet connections is that they are recognizably faster than wireless connections because cables are less prone to any kind of interference.
If yours is a business which routinely deals with high volumes of data transmission, or if that data is deemed to be extremely critical, an Ethernet connection may be the better choice for you. Ethernet is also very reliable, or at least as reliable as all the hardware components in the network, and the Internet provider whom you are associated with.
One of the disadvantages of Ethernet is that it relies on cabling, which must be implemented all throughout your office environment in order to reach and connect every workstation which needs access. Every one of these cables must somehow reach the server room, where the Internet connection is. Needless to say, making these kinds of cabling runs can be fairly expensive, and if there are ever any kind of changes which need to be implemented, there can be another heavy expense in a re-cabling, or adding cables to the existing wiring runs.
Another downside posed by the huge physical presence of cabling is that there’s a possibility that they pose a safety threat to employees, especially when there are any cables situated within high traffic areas, or in locations where cables are not well secured, and away from common pathways.
Wireless Internet Connections
With regards to wireless security, a new set of considerations must be made. When using wireless Internet connections, the switches and routers are used to broadcast data signals, rather than using the cable connections in an Ethernet environment. Any employees needing access to the network must have approved credentials and must have authorized access to the network.
One of the great advantages of wireless connections is that they offer more flexibility than ethernet connections do. Computers in a wireless environment need not be slaved to cables, which means they can literally be taken anywhere in the company building, where the signal can still be sent and received.
Since there’s no physical connection requirement, all your mobile devices can be used to connect to the Internet in locations where a Wi-Fi signal is in effect. This, in turn, generates a great many opportunities for conducting business in the modern business environment. One of the big examples of this is the Internet of things, where literally millions or billions of devices around the globe can all be connected to the Internet without the use of any cabling, so that backend analysis and recommendations can be forwarded to the connected devices for self-improvement.
It might take more upfront time to implement a wireless network, but once it has been set up, it’s much quicker to achieve your business objectives wherever you might happen to be. This means that you can send emails while you’re on the road, rather than needing to get back to the office to access your workstation, connected to the network.
In a factory environment, decisions can be made much more quickly, because mobile access is possible from wherever a device owner happens to be, rather than having to get back to an office and get connected.
One of the downsides to wireless connections is that they are not completely reliable in all settings. They are more subject to background noise and interference, and they can experience interruptions by large buildings or other objects, which interfere with the line of sight.
This means that it may not be a good idea to implement wireless connections when your company routinely transmits large volumes of data, or when it transmits extremely sensitive data to other locations. It should be noted that these kinds of disruptions are not frequent and that they certainly don’t detract from the reliability of wireless connections, but as compared to ethernet connections, they do occur more frequently.
Wireless Security Versus Wired Ethernet Security
In terms of security for the Internet, wireless connections would have to be considered slightly less secure, even though there are a great many actions which can be implemented which will improve wireless security, and make it more robust against potential cyber-attacks.
There is also a greater possibility of users being exploited when connecting to Wi-Fi networks because they might take their laptops to hotspots in cafés or other public places, where there would be a potential for data hijacking by cyber attackers.
This, of course, could be counteracted by not allowing company laptops outside the building, but that would restrict the productivity of employees who might want to work at home, or of those who need the mobility of being able to work on the go, for instance when visiting clients.
Ethernet is simply the more secure option because data which is transmitted over cables cannot be intercepted or hijacked as easily as it can be in a wireless environment. While Ethernet is not entirely secure, e.g. phishing attacks can still be made against off-guard employees, it must be regarded as the more secure of the two connection options when compared to the factors pertaining to wireless security.
That was the question on the table when researchers examined the vulnerabilities of 44 different nations. Let’s take a look at how the U.S.’s cybersecurity fared, which nations were the most secure, and which could face serious trouble from hackers in the future.
Why This Study Is Important
Unfortunately, cyberterrorism is a global scourge. Some nations have a better system in place to defend against attacks, and other nations could stand to learn a thing or two. Plus, it is important to be able to respond quickly and appropriately to a cyber-attack. It’s not just criminals and terrorists who are lurking online. Sometimes a nation hacks another nation. So national defense now includes preparing for online attacks.
How the U.S.’s Cybersecurity Scored
Of the 44 nations in the study, the U.S. was ranked 11th. The 2-year study found that nations, including Denmark, Finland, and Norway, had the best systems and responses in place. Who were in the danger zone for attacks? Three of the worst-defended countries were superpowers China, Russia, and India, all of which boast a nuclear arsenal. Not the nations you want hackers being able to attack easily.
Takeaways from the Study
The researchers examined stats on trojans along with worms and viruses to see which nations were best prepared to handle them. The U.S. did really well in that department. Unfortunately disk cleanup utilities, fake anti-virus programs, and other misleading software exploits seemed to be very prolific.
These hacks are usually based on the user, and not the defenses of the system. Basically, it comes down to the fact that while the U.S. has really good security software in place, user error accounts for how poorly the nation as a whole did in the study. This means education is vital in order to avoid potential hacks.
What This Means for Your Business
Your business’ cybersecurity is probably in line with the results of the study. You may have firewalls in place and keep software up to date, but have your employees been sufficiently trained to detect a scam? This may be the most important thing to consider in your data security.
If you use the Internet, you use OpenSSL. It’s as simple as that. OpenSSL is the most frequently used software package when it comes to online data security. There’s just one problem. It may not be as secure as everyone thinks.
At least that is what researchers have discovered while looking for vulnerabilities in the extremely common security protocol. They referred to the vulnerability as a side channel attack.
What is this type of attack, and what is being done to protect your browser use?
What is a Side Channel Attack?
This type of attack allows a hacker to glean information regarding software through examining the use of a computer system. Some examples include how much of the system’s power is being used during activity or the timing in which the software is used.
Why is this ability to listen in on a computer so dangerous? Researchers were able to use this method to acquire the unique key that identifies who is using the computer. Does this have implications for your internet use?
What OpenSSL Vulnerability Means for Your Security
The fact is that hackers are unlikely to use this method to hack a computer at your home. Unfortunately, the reason for that is simply because there are many easier ways to hack a personal computer.
For businesses, we’ll just have to wait and see what kind of fix the researchers come up with, and hope that this exploit is deemed too time-consuming for most hackers who seem to be opportunists. After all, this type of hack doesn’t seem to be common, and OpenSSL has had this vulnerability for as long as it has been in existence.
While most manufacturers are sticking to their guns about this hack not being possible—but because it was repeated under controlled circumstance by the researchers, this was enough for the OpenSLL developers to start looking for a fix. In the meantime, it’s important to keep an eye out for potential attacks though this type of hack, no matter how unlikely it may be for someone to use it.
When it comes to defending yourself and your company from potential threats, knowledge is power. That’s why we will report on an extremely common type of cyberattack in the most basic terms possible. Knowing what an exploit kit is can help you to be able to defend yourself and your company’s assets.
Defining the Exploit Kit
Basically, this is a collection of different things that can be used to infiltrate a stream of revenue. It would include redirecting browser URLs as well as other exploits. An exploit kit is not generally used to target one particular system or company. It’s simply placed out on the internet, and it constantly searches for places it can go and do what it has been designed to do.
Many types of exploit kits are online today, including common ones like Nuclear, Angler, and RIG. Some of these kits exploit thousands of systems on a daily basis. Often, they are used to deliver ransomware or other exploits designed to cheat businesses and consumers alike out of money.
How the Exploit Kit Infects a System
It’s quite a simple process. These kits are already out there just waiting to find an in. It all starts when a user goes to an infected website. Frequently, it is an advertisement on the site and not the site itself that contains the exploit. This means the user doesn’t have to do anything wrong to start the process other than going to the shady site. The ad redirects the user to a landing page that actually uploads the exploit. However, this often happens in short time-frame, so the user never knows that something is happening until it is too late.
Defending Yourself from Exploit Kits
For a business, defense from exploit kits means restricting the sites that employees can go to on the company network. It also means educating employees. After all, your firewall doesn’t help if an employee takes a business laptop home, and then gets on a malicious site.
Knowing that these kits exist, and training users to avoid shady sites on any device being used for work, are the best ways to keep your company safe from an attack.
Cybersecurity is on the forefront of everyone’s minds. Just ask the Democratic National Committee (DNC) if they wish their email servers had been more secure. In the world of digital data, the hacker can do more damage in a day than almost any weapon. Businesses can be greatly compromised overnight due to hacks. How can you protect your business? Have you ever considered hiring white hat hackers to help?
That’s just what the Department of Defense (DoD) did a few months ago—setting loose 1,400 white hat (no criminal intent) hackers on the Pentagon’s cyber defenses. They were promised rewards for finding security flaws in the system so that the government could close the gaps to future black hat (criminal) hackers.
The white hat hackers filed a total of 1,189 reports on things they discovered. Of these, the government determined that 138 reports qualified as valid security concerns. In total, more than $70,000 was paid out to the hackers as rewards for the legitimate reports. In the end, the program was viewed as a success. The total cost of the program was estimated at about one-seventh (14%) of what a professional contractor would have cost.
This isn’t the only DoD project in place that provides bounties to hackers. Others in the future will allow hackers to search for potential exploits in applications and websites used by the government.
White Hat Hackers: What Does This Mean for Your Business?
The U.S. government may be happy with the results, but this probably isn’t the route you want to go with your business. Why not? What if, while fooling around in your system, a hacker leaves himself a backdoor to get in later? You simply don’t want to take that chance with your livelihood.
The fact is that, for an SMB (small to medium-sized business), a security audit is affordable. So there’s no need to provide a bounty to hackers and let them run wild on your system. A security audit can allow a consulting agency to determine the weak points in your data security, so these can then be secured.
If you want to protect your business, you have to protect your data, which means getting professional assistance.
Threats to your data security come from many different angles. The secret to being able to defend your organization is knowledge. That’s why threat intelligence is becoming an important part of data security. But what types of threat intelligence are there? We’re going to identify three.
1) Preemptive Threat Intelligence:
This type of intelligence involves gathering data on things that could potentially happen in the future. Your IT department or agency should look at trends in cybercrime to determine threat that will exist in the next 1–2 years. This will give your organization time to plan ahead to rebuff such attacks by updating hardware and software as needed. It also gives you the chance to train your staff to avoid risky behavior that could invite an attack.
2) Active Threat Intelligence:
Looking at the data collected by your network logs and other security features will help you determine current behavior that needs to be adjusted. It also allows you to see indicators of attacks that have already occurred so as to adjust your future defenses. Basically, you are auditing your current security to find the gaps that future hackers will use as an in to your system so you can proactively plug those holes accordingly. It can be something as simple as updating software or training a particular team member who needs to be more careful online.
3) Tactical Threat Intelligence:
Know your enemy in order to defend yourself from future threats. This means thinking like a hacker. What does your organization have that is worth stealing? How would you try to get into the system? Is your weak link the lack of a firewall? Perhaps the biggest threat is an unhappy employee who is willing to sell his login credentials to the highest bidder. Once you know which tactics hackers are most likely to employ to steal from you, this provides a starting point for developing a plan of preventative action.
If your organization is employing these three types of threat intelligence, you are not only making it tougher for hackers to attack your company, but you are also setting yourselves up to be able to say “We did everything we could,” if a data breach should occur, and that is important for PR.
What would you say if someone walked up to you and asked for your email password? You would probably immediately say no, even if you knew the person. You may allow only your most intimate associate, such as a mate, to have that information. So how do hackers manipulate people into giving out login credentials on a daily basis? Welcome to the world of social engineering.
Social Engineering: Infiltration Doesn’t Come Cheap
It can be expensive and time consuming for a hacker to develop a way into a secure system. It is far easier to manipulate someone into giving away his credentials. Not easy, just easier.
That’s why psychologists studied 1,208 individuals to learn some of the methods that prove to be effective in getting a person to reveal login information.
One of the methods used in the study was to give the user a reward. After first receiving a piece of chocolate, half of the users were asked for passwords during an interview. Others were asked about the password first, and then given the chocolate when the interview was over (fair is fair).
Over 43% who received the chocolate first were willing to give away login credentials. In fact, almost half of people who were given the chocolate immediately—before being asked the question—gave away their password, while just under 40% caved when the reward was provided early in the interview, and long before the question was asked.
People Cave to the Idea of Reciprocity
When an incentive is provided, many people reciprocate without considering whether the trade is equal. Even the timing of the reward or gift is crucial to how likely a person is to respond. Don’t get us wrong—nearly 1 in 3 people in the control group gave out their credentials without any “gift,”—but a reward increases the likelihood of a positive response. Clearly, the reward does not have to be much.
Knowing this, calls for employee training that encourages your staff members not to trust freebies online, especially if there is something required in return. Employees need to be taught never to share passwords.
While employees often do things such as open email attachments that they shouldn’t, fail to update software and apps, or visit websites that have been compromised, these aren’t the only ways someone can get to your data through your staff. Let’s look at a few more serious data security mistakes your employees should be trained to avoid.
Common Data Security Mistakes
- Password problems – Start with the concept of using passwords that are not secure. Not only should things like 12345 be avoided—and your IT team should make sure passwords like that can’t be used—but “personal-type” passwords should also be avoided. For example, it’s not a huge reach for a hacker to learn personal info about an employee, and then try the person’s birthdate or anniversary as a password. Besides these things, employees should be instructed to effectively protect passwords by never sharing them, even with another employee. Having a list of passwords on a mobile device, or even on a piece of paper under the keyboard, are also terrible ideas.
- Cloud computing – First of all, there’s nothing wrong or not secure about using cloud computing for The problem begins when employees feel they can share private company information through cloud file-sharing services that are not designed for business, and are thus less secure.
- Losing data/devices – Any time that data is removed from the office on a device like a laptop or a phone or even on something like a thumb drive, loss becomes an issue. Something as simple as leaving a smartphone at a restaurant can lead to theft. And once a thief finds private corporate information on the device, what is to stop him from trying to increase his payday by selling the information before selling the device?
It all comes back to proper training. Your employees need to know how to create strong passwords and manage them properly. They need to understand the difference between a secure way to send a file and a way that is inviting trouble. And they need to understand the importance of protecting devices with sensitive information on them, especially if such devices are taken out of the building.