I wanted to call this article ‘How crap invades your network’ – or something of the sort. Hopefully this title doesn’t get edited out by Internet cops after I post it online.
As a typical executive and end-user, I have so many things going on that, even as a security practitioner, other challenges push security from being top of mind. For the non-expert, it is sometimes hard to know what you don’t know about your computer systems. Organizations that write malware realize this, and they are very clever at exploiting our haste and our inability to focus on multiple things at once as we try to get the most important things done.
You’re busy trying to finish a sales quote, and you don’t notice the details on the web link… and that email appears to be from someone you know…
The computer world has changed dramatically with most metro-based businesses having high-speed connectivity to the rest of the world. It’s also as if every person in the world has a transporter to the front door of your house – along with the ability to break in. All they have to do is slip the right thing under your door for you to click on or open, and all of a sudden you have unlocked your front door for them.
Here’s where it hurts the most: once they’ve got their foot inside your door, they understand computer networking and software well enough that they know how to escalate their capabilities (a step they can skip if you wrongly made your everyday user account an admin-level account). This means that with your simple click on their link, they suddenly become an administrative user on your network with full access to everything.
One simple link is usually responsible for much of the ransomware that you read about in the newspapers.
Oops, maybe I should discuss WHY, before all the HOWs.
I commonly hear business owners say, “I’m not worried about security, I don’t have any data that attackers would want.” That is probably what Fazio Mechanical Services, a Sharpsburg, Pennsylvania-based provider of refrigeration and HVAC systems, thought. Fazio was determined to be the entry-point for attackers getting into the Target network and credit card systems. Attackers are more concerned about easy targets. They not only want your data, but also the data of your clients or people you don’t even know. Hackers used Fazio Mechanical’s accounts to penetrate Target and get access to over 40 million customers back in 2013, one of the largest data compromises in US history.
Prices for a compromised medical record currently range between $20-$40 per record (sold via the Deep Web). The Deep Web is also called the darknet, a secret communication area and home to online black markets. Thank goodness the rate dropped in half from last year’s $50-$100. The reason: so many more records have been compromised and are available for sale. Even if you don’t have any clients that you consider data targets, if I were a rogue nation or cyber-criminal, I would not attack your business directly. I would attack businesses that were easy to penetrate so I could compromise their networks and gain full control. Then I would use your compromised network to hit my real targets, where value per record is higher on the open market, such as healthcare, financial services and similar organizations.
Most networks and networking devices have the ability to generate logs. Healthcare, financial services and firms bound by compliance will most assuredly enable and view those logs. But since I attacked from my hacker-home overseas to point A, then to point B, I can delete the logs at point A so if you track back to me from point B, you only see the logs back to point A and never to my home.
Can you say scot-free?
So what are some of the ways a PC or a network gets infected?
- Right in the front door
One of the most obvious ways that attackers could get into your network is right through your firewall. Even the smallest business probably has some type of network firewall to help facilitate access to the outside, but misconfiguration can accidentally facilitate outside-in access. Larger organizations follow complex change management processes to make sure no one accidentally allows users in, but smaller shops have to depend on their IT person being exactly right, with every single change he/she makes.
Even when making a desired change to allow remote access, IT personnel can accidentally open the door to compromise from other types of attacks. Email servers, terminal servers, websites and other public facing business systems can provide a foothold for attackers to get into your network. There are risks from hardware/software updates, access misconfiguration, permission challenges and other ways for attackers to gain access.
We recommend your network people have a regular rhythm for updating firmware on firewalls, switches and wireless devices in addition to regularly patching servers and workstations. Additionally, you should conduct periodic network assessments to make sure you are following best practices for securing your environment from external parties. It’s kind of like a second opinion from another physician, just to be safe. While your compliance requirements might require audits more frequently, a small organization is probably fine assessing every 2 to 3 years, or after making major network or application changes.
- Phishing attacks
The term phishing refers to the attempt to gather sensitive information from you by pretending to be someone you trust, typically using email or other electronic communication. Hackers hope that with lots and lots and lots of phishing attacks, they will likely find a few people who end up giving access to electronic Protected Health Information, usernames, passwords or credit card information.
There are various types of phishing attacks but they all aim to get you to click a link and provide them with information, some even using images to bypass security systems. There are so many pieces of malware being developed each day that the average firewall and antivirus software stops a good bit, but not everything. The challenge with network security is that while you need to be successful 100% of the time, attackers only need to succeed 1% of the time. The challenge for a business owner is like that of a kid being bullied on the playground – not to be the easiest target on the playground, so that attackers go elsewhere – after their neighbors, competitors, anyone but them.
Phishing is mostly a volume business, though when your organization is specifically targeted in a custom attack, it is called spear-phishing. Attackers might check press releases or social media to identify your key partners for fake emails to come from. They might search resumes or LinkedIn postings of your IT team to learn what technology defenses they need to circumvent. The uniqueness makes it harder to avoid unless your people recognize and don’t fall for it.
Protect yourself by thinking before you click links. Anytime you get an email or instant message from a supervisor asking you to transfer money or do something out of the ordinary, double check with them in person or by phone (and not, of course, by replying to the email). There are also email filtering tools that can help pick out some of these phishing attacks via email.
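The kind of header check an email filtering tool applies to the "email from someone you know" case, as an added example that is not from the original article. The staff directory, the keyword list and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed staff directory and money-request keywords (constructed).
STAFF = {"dana reyes": "dana.reyes@example-corp.test"}
PAYMENT_WORDS = ("wire", "transfer", "gift card", "bank details")

def domain(addr):
    """Lower-cased part of an address after the last @."""
    return addr.rpartition("@")[2].lower()

def phishing_flags(raw):
    """Return the reasons a message should be confirmed by phone first."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    # A familiar display name on an address that is not that person's.
    known = STAFF.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("display-name-mismatch")
    # Replies routed to a different domain than the visible sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain(reply_to) != domain(addr):
        flags.append("reply-to-differs")
    # An out-of-the-ordinary money request in the subject or body.
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    if any(word in text for word in PAYMENT_WORDS):
        flags.append("payment-request")
    return flags

# Constructed sample messages.
SPOOFED = (
    'From: "Dana Reyes" <dana.reyes@mail-example.test>\n'
    "Reply-To: payments@other-example.test\n"
    "Subject: Urgent wire today\n"
    "\n"
    "Please transfer $18,400 before noon. I am in meetings, reply by email.\n"
)
GENUINE = (
    'From: "Dana Reyes" <dana.reyes@example-corp.test>\n'
    "Subject: Lunch Thursday?\n"
    "\n"
    "Are you free at noon?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, phishing_flags(raw))
```

A message that raises any of these flags is one to confirm in person or by phone, never by replying to it.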
- Free software
Many times free comes at a price. If you ever download software from the Internet, there are a couple of ways (a couple as we in the south see it, is anywhere from 2 to 11) for that software company to make its money:
- They can make a free or trial version and then try to upsell the consumer once they find value.
- They can include advertising with the application and charge advertisers to have access to their users.
- They can embed malware with your free product which, unbeknownst to you, gets loaded along with the application.
You may not even know that you downloaded the malware until you start getting pop-ups to download new antivirus software that doesn’t match the name of your current AV, or it could just seem like your PC is running slowly. Beware fake antivirus malware. Sometimes when your PC mysteriously starts running slowly, it could mean that somebody else has control of your PC. It slows down because the installed software lets someone else control it, and selling that control of your PC for actual hard rubles becomes the objective.
Protect yourself by knowing what it is that you install on your PC. Also, we advise you come up with a list for your company of only the software that you know to be valuable and reputable. We like to organize our lists by department or lump like-departments together so that it is obvious what software everyone should have.
Antivirus is your best bet to catch errant software but there are web filtering tools you can also add to complement your AV. If your firewall does not have built-in web filtering, you can add Cloud versions of web filtering. Or a large organization might put in a dedicated web filtering device with more capabilities.
- Compromised websites
Every website is written on software and hidden behind hardware, even if hosted by someone else. For yours and other websites to stay safe, they must be continually updated, have their configurations checked and their credentials secured, and generally be protected against attacks that are uncovered over time.
It used to be that people got malware in their system from visiting sites they shouldn’t visit. Now, even the most well-intentioned person can have their PC infected by simply going to randomly unprotected sites on the Internet. If an attacker knows a site generates lots of traffic, they will target it knowing that victims will come to them.
By simply browsing a business, vendor or special interest website, the act of clicking links could install software on your PC. Current estimates put the total number of websites in the world over 1 billion. In March 2016, Google reported that over 50 million website users had been greeted with some form of warning that websites were trying to steal information or install malicious software. The year before that number was only 17 million.
When using your browser, make sure to double check the uniform resource locator (URL), which is basically the name of the site, to make sure it appears legitimate.
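What "double check the URL" means in practice is looking at the host the browser would actually connect to, not at a familiar name appearing somewhere in the address. The following is an added example, not from the original article; the trusted list and sample URLs are constructed, and treating the last two labels as the registered domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Assumed list of sites the user really does business with (constructed).
TRUSTED = {"example-bank.test", "example-corp.test"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return one verdict for the host a URL would actually connect to."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if "@" in parts.netloc:
        return "userinfo-trick"         # text before @ is not the site
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode-host"          # may render as look-alike letters
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    if any(t in host for t in TRUSTED):
        return "trusted-name-embedded"  # real name used as a subdomain
    # Assumption: the last two labels are the registered domain.
    base = ".".join(host.split(".")[-2:])
    if any(edit_distance(base, t) <= 2 for t in TRUSTED):
        return "lookalike"
    return "unknown"

# Constructed sample URLs.
SAMPLES = [
    "https://www.example-bank.test/login",
    "https://example-bank.test@203.0.113.9/login",
    "https://example-bank.test.secure-login.example.net/",
    "https://examp1e-bank.test/",
    "https://xn--exmple-bank-xyz.test/",
    "https://weather.example.org/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):22} {url}")
```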
It is hard to protect yourself when a legit site gets compromised, but when you interact online with a website you can make your passwords harder to break, change them periodically and do things like clear your browser history. Each browser has its own instructions for how to clear the history.
Don’t forget to make sure that whoever maintains your website periodically updates it to the newest versions of its website software.
- Public access
It’s great to be an American right now. Just about everyone has a home wireless network. Pretty much anywhere you go, you either have Internet access from your phone or from free Wi-Fi. But Wi-Fi can be a double-edged sword, when you realize that if you have access to the rest of the world via the Internet (when using public access or via a poorly configured home network), oftentimes the rest of the world has access to you.
Several of the Wi-Fi protocols have been cracked, so you want to make sure that when you configure your home network you follow your manufacturer’s best practices, including such things as requiring at least WPA2 Encryption. You should also update the firmware on your home firewall or wireless device periodically. Try to avoid using public Wi-Fi but if you must, make sure your laptop or device has a firewall enabled on it to protect you from people who now have access to your system.
I mentioned you can get infected plugging into the public Internet, but plugging your laptop into the network drop of someone else’s business could also infect your system if they were compromised. So the message is to be mindful when using public services or somebody else’s services. As the saying goes, you’re only as secure as your least secure connection. That is especially so when you plug your laptop into somebody else’s network.
- Sneaking in the back door using social engineering
Malware can lurk in any connection outside of your network. While it can be beneficial for your employees to utilize their home laptops at the office, there is a risk associated with that practice. When somebody uses their own home PC or laptop and connects into a business network, you do not know whether they have antivirus, are regularly patching it, already have malware, or plan to grab an entire database of customers or get copies of your template documents. The same could be said for USB devices or any portable media.
Social engineering is tricking people into doing things they shouldn’t, in order to facilitate access. A common test attack to gain illegal access to somebody’s business is to purchase a batch of USB drives, load malware on them and drop them in the parking lot of the business. Most users would probably just think, “Hey, free USB drive! I’ll just plug it into my business laptop to see what’s on there and how large a drive it is.” Plugging the USB drive into your system will kick off Autorun to automatically start executing whatever it says on the USB drive, unbeknownst to you. The malware gets installed on your system, allowing a variety of possible things up to full control.
Anything that comes in behind your firewall typically also has full access to your network. So, in addition to preventing USB drives being plugged into your PCs, you’ll want to limit visitors and other users from plugging into your network or using your business wireless. With all the malware coming out on smart phones we also suggest putting smart phones and visitors on their own separate guest wireless network, separate from your servers, data and systems.
Be “strategory” with your business network.
I have explained that rogue countries and crime syndicates can invade your systems to make big money because it is so easy now with high-speed Internet access. I also shared with you how phishing attacks, website compromises, using public or non-secure Wi-Fi access and unprotected USB drives can give your PC fits. Along the way I shared with you some typical attacks and ways to protect yourself as well.
One of the approaches that is certainly the most cost-effective but usually not very well done by small and medium businesses is the practice of security awareness training. Security awareness training is simply setting aside time to educate your employees on the dangers I outlined above, with the objective of training employees to think before they click.
We can also conduct exercises such as simulated phishing attacks to find out who clicks on links, so that you know who to target first in your education efforts. Studies say that security awareness training is not only the most effective method of ensuring network security, but also works out to be the least expensive security investment you’ll make. How’s that for a sales pitch?
Before you blame someone too harshly for an infected PC, think about how easy it is these days. There are so many different ways for malware to get in, and some of those ways might not even be your employee’s fault. If your system is not tightened down, or if you happen not to be doing any security awareness training, it could be that at least a portion of the responsibility lies with you. So do the right thing: protect your PC with the information that is currently available.
To make sure we protect everyone, don’t forget that Mac systems can also be infected by malware and have been more and more often, as their market share continues to grow. Follow the same guidelines for Mac, Linux and every other platform out there. Stay safe and stay in school, security awareness school that is. And keep that garbage out.