It’s that time of year again when security professionals are preparing for the onslaught of security threats like phishing emails or other social engineering attacks to take advantage of people’s good nature or just the fact that most people are busy trying to get everything ready before they leave on their breaks. Many of you will have already read my previous article - Don’t let the cyber Grinch get you in which I asked everyone to be prepared for the festive season break because it is a very active time for cybercriminals and we all need to be aware of the threats as well as what we can do to better prepare for that well-deserved break.
If we can do it right, we won’t have to experience that dreadful call at 3 am when someone reports that your network has been breached and everything is encrypted on Christmas morning. I feel that would have to be the worst present that any CIO or CISO could ever get (if that happens the Grinch certainly found you).
As per the previous article make sure you have all the basics covered, have some antivirus protection on your systems (if you don’t even have this, then I feel you have probably already been hacked and we should probably have a bit more of a thorough conversation about good security practices). Make sure that you have all of the latest patches, staff know what to look for with regards to scams (or at least know if it looks funny that they should go to your team to look at it – feel like they can approach without any condescending attitude).
If you have all of the basics covered that is great we can create a good security posture from that baseline, but this is just the starting point and we should never stop trying to improve on our security as malicious actors/cybercriminals won’t stop trying to break into it. So doesn’t that make sense that if they are not going to stop trying we shouldn’t ever? It does to me.
So with that in mind do you even know what is on your network? Have you done in-depth scans of your networks and laid a physical hand on every device? Can you tell me that every device is controlled by your team and is as secure as it can be? Most of you will have not answered yes to many of these questions and that is fairly normal. Most of you will have BYO mobile devices, laptops that you allow staff to use on your company WIFI which is a calculated risk on its own that your organisation needs to manage with mandatory protections (AV provided by business or cant connect to corporate network is one option companies use), Guests/client devices or similar depending on your organisation (motels will provide Wi-Fi to guests – I really hope they are an isolated network but I bet there is a few of you out there that just let them all on the same corporate network).
They are the most common but with the advancement of IoT (Internet of Things) do you have an internet connected fish tank in your company foyer, what about a smart fridge in the company lunchroom. Did you know that you could even get a connected fish tank, the thermostat can notify the owner of the temperature is abnormal, the filters can signal if there is a problem that needs to be rectified and a malicious actor can use it to run a script on the network or do some investigations without any security sensors being tripped, Do you monitor your fish tank filter?? Should this even be connected to the corporate network, no it shouldn’t? Maybe the guest network that is isolated.
What about that smart fridge, that someone thought was a great idea to enable the milk supplies to be automatically ordered from the local supermarket? Firstly if I was just wanting to have some fun I would order 50 bottles of milk and or something really weird that would just irritate the owner of the fridge (50 punnets of strawberries and 20 packets of dipping chocolate – I am sure that would raise some eyebrows in accounts when that bill came through) I was able to take control of but if a malicious actor got in and could stay undetected for months undetected gathering information on the networks weaknesses before launching their offensive, by the time you realised it was happening it would be way too late.
Just think about it, you spend 1000’s or maybe even millions on securing your network but the $200 connected device with no interest in security during development and no way to update them (why would they add this feature these are just supposed to be mass produced and cheap to deploy. They don’t care about if they are secure that’s not what they are trying to achieve but we need to change that opinion long-term or when every device has a connection on the internet we will lose control of our own systems (yes, we probably already are starting to lose control).
I can see you all rolling your eyes, no one could breach my network via a fish tank... think again, do a search for “Casino breached via fish tank” you will find many articles on a casino breach that occurred via the heater in the fish tank in the casino lobby. No one would have ever thought it was even possible and to be honest their security team probably didn’t even know that it was on the network.
So let me ask you all again, do you really know what is on your networks? If not, find out and secure them as best as possible maybe even disable the connected features that you really don’t need. Do some full scans of your networks and find every single device, know what it is, where its located and why it needs to be connected (if it doesn’t – you know what to do). Once you know everything you have on the systems you can better make decisions on what risk you feel is acceptable and create plans that will ensure your systems are more secure than was ever possible before.
Knowledge is key if you don’t know what you need to protect how can you truly believe your systems will ever be secure. Do the basics, know your systems, make sure you have at minimum basic protections in place and update your systems. Then reduce what you allow on your network if it isn’t used anymore or doesn’t truly need to be connected to the outside world or have access from external sources take them off the network entirely.