New Age Threat - The Answers
Nick Butcher
Rebel email techie | Presenter of NBE Show | Delivering email the right way | Founder at Email Nerds - moving best practice forwards
A little while ago I wrote an article highlighting ‘new age’ threats to business data in an ever connected world. Although the term ‘new age’ is not new, I feel it neatly sums up the situation facing many business owners and C-level executives every day. In this article, which is Part Two, we explore some of the simple techniques you can apply to your business to make it much harder for you to become a victim of data loss.
At the end of the day, it comes down to being as cautious online as you would be in real life. Take wireless access for example. Many businesses use WIFI access points to allow laptops and other connected devices onto the network. WIFI is extremely insecure and effectively an open door to your business network, regardless of whether you require a password to gain access or not. Many out-of-the-box WIFI networks can be cracked in minutes, and the attacker does not even need to be in the same building. Access points have become more powerful and intelligent, so WIFI coverage now reaches a greater area. This often extends beyond the boundaries of the building and so opens up the network to attack from outside.
I know WIFI is an easy mechanism for your staff to connect to the network, so removing it completely is not always an option. You can, however, make it more difficult for attackers to gain access, and hopefully they will move on to an easier target. I would recommend the following:
- Make sure your WIFI SSID (the name of the WIFI network) does not resemble your company name.
- Make sure you use a minimum of WPA personal security to connect to the WIFI network.
- Consider hiding the network from being broadcast - it can still be used but needs to be set up manually.
- Consider only allowing access to specific devices by locking down access to specific MAC addresses (a unique alphanumeric code each device has).
- Carefully place access points to provide the best internal coverage that at the same time prevents external leakage of WIFI signals beyond your building.
- Change your WIFI password at least once a month and make sure it's alphanumeric and has at least 10 characters.
- Consider segregating WIFI access onto a separate VLAN or subnet, with firewall rules controlling access to the data you wish to keep secure.
- Implement a separate guest WIFI which has no access to your network and filtered access to the internet.
Even after implementing all the recommendations above, WIFI can still be hacked. By making it harder, the opportunist attacker will hopefully move on to easier networks. The more determined attacker, if presented with the above, will likely turn to a social hack to gain access to your network, as people are the next weakest link in your network defences. This means they will try to trick their way into the building and then onto your network, or use other routes such as emails or USB sticks that carry dangerous payloads. All of these rely on the good nature of your staff, and on publicly available information to back up the attacker's claims and make them sound more credible. Tightening up physical security procedures, like escorting visitors at all times and checking IDs and credentials before allowing access, can help. So too does blocking USB data sticks from being accessed unless they have been issued by the company/IT and are encrypted. This would have prevented the scenario described in part one of this article.
Another area that needs attention is the passwords staff use to gain access to your network. Many are not very secure and can be guessed very easily using dictionary word attacks. The more complex you can make a password, the harder it is to guess and the less likely it is to fall foul of a dictionary word attack. The trouble is, we all find it difficult to remember complex passwords. A good trick is to use a phrase made up of many words or part words, like “ThisisAmoresecurePassword2use”; mixing in numbers and the occasional capital letter also makes it more challenging to guess. The longer the password, the longer it takes to guess, which makes a dictionary word attack slower and not always viable.

One more topic on passwords relates to IT staff who have the ability to reset passwords for users. This is an easy social hack: imagine someone phoning up in a panic because they need their password reset - they are at home today and the CEO (whom they name) has asked them to urgently do something, but their password will not work. The helpful IT staff are likely to reset the password and not think any more about it. The trouble is, that person does not work for the company, and now they have a username and password they can use to break into the network. IT staff are always looking to help, it's the type of people they are, and so this is often a weak area. What you need to do is simply implement a way to identify callers (by asking for their payroll number) or phone them back on a known company mobile or contact number. Furthermore, changing a password and then releasing it only to the user's manager is another way to ensure that security is maintained.
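As an added example that is not part of the article, here is a small Python check that applies the password rules described above (at least 10 characters, alphanumeric, not a plain dictionary word) and estimates how the brute-force search space grows with length; the word list and the guess rate of one billion per second are constructed assumptions for illustration.

```python
import math
import re
import string

# Rules stated in the article: at least 10 characters, alphanumeric (letters
# and digits mixed), and not something a dictionary word attack would find.
MIN_LENGTH = 10

# Constructed stand-in for a real word list; a production check would load a
# full dictionary (and common-password lists) from disk.
SAMPLE_DICTIONARY = {"password", "welcome", "company", "secure", "letmein"}


def check_password(pw, dictionary=SAMPLE_DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("not alphanumeric (needs both letters and digits)")
    # Drop digits and case so "Password1" is still recognised as a dictionary word.
    core = re.sub(r"\d+", "", pw).lower()
    if core in dictionary:
        problems.append("dictionary word with digits added")
    return problems


def guess_space_bits(pw):
    """Approximate brute-force search space in bits, assuming the attacker
    already knows which character classes the password uses."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def expected_guess_years(pw, guesses_per_second=1e9):
    """Expected time to find the password by exhaustive search (half the space)
    at an assumed guess rate; 1e9/s is an illustrative offline-cracking figure."""
    seconds = 2 ** (guess_space_bits(pw) - 1) / guesses_per_second
    return seconds / (365 * 24 * 3600)
```

Running `check_password` on "Password1" reports both the length and dictionary problems, while the article's passphrase passes and its search space is roughly three times larger in bits.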
As you can see, there are often small changes that can be made to processes or systems that make it harder for an unauthorised person to gain access to your network and your valuable business data. The idea is to make it hard enough that opportunist attackers don't bother, and, for the more determined, to have a means of identifying someone acting suspiciously.
If you need specific advice, always consult a security expert, as they will help identify the risks associated with your market and IT systems. Many offer penetration tests, which highlight risks by employing an ethical hacker (or white hat hacker) to try to break into your systems - their results will better prepare you and your staff for when it happens for real.
Cheers
Nick
[Footnote: Nick Butcher is an IT consultant who works with business leaders to help make IT a profitable and secure business tool.]