The way in which businesses set out their cyber security defences against malware attacks and hacking is often shaped more by the types of attack they expect than by the types that will actually happen. That perception is often shaped by the media and their reporting on the latest threats.
Businesses need to realise that the greatest threat to cyber security is already inside the gates – their users. Far more data breaches occur as a result of user action, inadvertent or malicious, than as a result of an automated malware or hacking attack.
Businesses can more quickly and cheaply enhance their cyber security by educating their users into proper behaviour rather than by investing in more appliances and software.
Spoofing and Phishing
The first and most frequent threat is delivered through dodgy email or compromised websites. The user sees an invitation to click on a link, either in an email or on a website, does so, and is transported to a webpage hosting a Trojan or other piece of malware. Sometimes this is a legitimate webpage that has been compromised; sometimes it is a spoof page made to look like the real thing. The malware downloads, installs itself, and you have trouble.
This is usually how ransomware finds its way in. The number of hacking exploits delivered by this attack vector exceeds all others by a significant margin.
The most effective way to defend against these types of phishing attacks is user education, coupled with a tightening of Internet access defences and policies. New starters must be given an induction course in which they are taught the company cyber security policies, with the objective that they come to realise they must never, never, never, click on a questionable link. All users must be given frequent updates and refresher emails reminding them of current email and website threats.
Internet Access Control
Companies must tighten up on who can access the Internet, and what they can see and do on it. If a job function does not need Internet access then the user in that job function doesn’t get it. Block media and entertainment sites and sites with questionable material, and prevent any downloads.
Users must not be able to install software on their desktops. Desktop anti-malware software must scan any flash drives and CD/DVDs before they can be loaded and used. Anti-malware software signature and application updates must be automatically downloaded and installed without user intervention.
Authentication systems must be configured for password expiry at regular intervals. Creation policies must ensure that new passwords are strong: a minimum of eight characters long, and a mixture of letters (upper and lower case), numbers and special characters.
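As an added example (not part of the original article), the two rules above expressed as a small policy check: the complexity rule exactly as stated (eight characters, upper and lower case, a digit and a special character) and an expiry check; the 90-day expiry interval is an assumption, since the article only says "regular intervals".

```python
from datetime import date, timedelta
import string

MIN_LENGTH = 8      # minimum length stated in the policy
EXPIRY_DAYS = 90    # assumed expiry interval; the policy only says "regular intervals"

# Character classes are restricted to ASCII so that, e.g., a non-Latin digit
# does not silently satisfy the "number" requirement.
_CLASSES = [
    ("no lower-case letter", set(string.ascii_lowercase)),
    ("no upper-case letter", set(string.ascii_uppercase)),
    ("no digit", set(string.digits)),
    ("no special character", set(string.punctuation)),
]


def complexity_failures(password: str) -> list[str]:
    """Return the policy rules a candidate password fails (empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(password)
    for reason, allowed in _CLASSES:
        if not (chars & allowed):
            failures.append(reason)
    return failures


def is_strong(password: str) -> bool:
    return not complexity_failures(password)


def days_until_expiry(last_changed: str, today: str, expiry_days: int = EXPIRY_DAYS) -> int:
    """Days left before a password set on last_changed (ISO date) must be changed.

    Zero or negative means the password has expired."""
    set_on = date.fromisoformat(last_changed)
    return (set_on + timedelta(days=expiry_days) - date.fromisoformat(today)).days


def is_expired(last_changed: str, today: str, expiry_days: int = EXPIRY_DAYS) -> bool:
    return days_until_expiry(last_changed, today, expiry_days) <= 0


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("password", "Tr0ub4dor&3", "Ab1!"):
        print(candidate, "->", complexity_failures(candidate) or "ok")
    print("days left:", days_until_expiry("2024-01-01", "2024-03-01"))
```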
Ensure that when an employee resigns, either voluntarily or by dismissal, they immediately lose all access to company systems. An ex-employee with a grudge and access to company data can cause a lot of damage. Allied to this, and relating more to IP theft, is that ex-employees must be removed from all distribution and mailing lists, both company-wide and personal. If they remain on the list, they could continue to automatically receive confidential or sensitive information after they have left the company.
It’s no longer just Facebook and LinkedIn: social media apps more commonly associated with smartphones, WhatsApp for example, now have desktop and web-based versions. Malware distributed via social media can now reach corporate networks much more easily.
The countermeasures against attack through this channel are based once again on user education. Users must not make their corporate passwords known, and they must be very much aware of account hijacking, whether of their own or of someone else’s account. Make sure they know how to report hijacked accounts, both to the app operators and to the company. You might consider making two-step authentication compulsory for such accounts, or block access to social media altogether. Only a few specialised job functions, Public Relations for example, need access to it.
A targeted attack
This type of attack is most common in financial services and e-commerce organisations that retain credit card or banking information. These attacks, sometimes called spearphishing, send crafted emails to multiple targeted individuals in an organisation in the hope that one individual is tricked into installing the Trojan. When that happens the exploit runs, spreads through the organisation, and does what the hackers want it to do. If the first batch doesn’t produce any results, the attackers simply try again.
Again, the best defence is user education. Users must be sufficiently well-educated not to click on suspicious links in email.
These measures can be easily, cheaply and quickly implemented, giving a quantum reduction in the threat level from malware arriving via email, internet and social media.