Protect ​your ​midsize business ​from Cyberattacks

by | Oct 26, 2017 | Blog

If ​there’s ​one ​thing ​we ​learned ​from recent political scandals regarding ​​email leaks ​and hackings, it’s that cybersecurity matters. Organizations big and small need it to survive.

It is vital that every technologist and business leader understands the possible ​impacts ​of ​cyberattacks on ​their ​organization. ​These days, cyberattacks can range from espionage ​(i.e., ​internal ​secrets ​being ​leaked) ​to sabotage (i.e., ​internal ​data ​being ​corrupted ​or ​destroyed), and the outcome can precipitate a company’s downfall. Rice University Professor, Dan Wallach, recently presented on the most effective ways to guard against cyberattacks and we could not put it any better, so here are our favorite steps. Check out these 3 tips on how to guard your midsize business against cyberattacks. Hope you enjoy!

 

1. ​Know ​your ​adversary

 Generally ​speaking, ​there ​many ​sorts ​of ​adversaries ​that ​you ​need ​to ​defend ​yourself ​against:

1. Untargeted, ​remote ​(spammers, ​phishers, ​ransomware ​griefers, ​etc.)
2. Targeted, ​remote ​(spear ​phishers)
3. Targeted, ​in ​person ​(immigration ​agents, ​police, ​criminal ​trespass)

Everybody ​in ​the ​whole ​world ​has ​to ​deal ​with ​untargeted ​attacks. ​The ​​prince ​who ​wants your ​bank ​account ​to ​help ​with ​transferring ​ill gotten ​gains ​is ​spamming ​everybody ​and ​the ​defenses ​are pretty ​straightforward: ​learn ​to ​ignore ​them. ​Similarly, ​if ​you ​get ​a ​Facebook ​request ​from ​a ​friend ​of yours ​who ​you’re already ​Facebook ​friends ​with, ​then ​it’s ​entirely ​possible ​that ​somebody ​is ​trying ​to clone ​your  friend ​so ​you ​should ​ignore ​the ​request ​and ​let ​your ​actual ​friend ​know. ​There ​are ​many variants ​on ​this ​attack. ​It’s ​worth ​expressing ​a  healthy ​skepticism ​about ​a ​fresh ​email ​from ​an ​“old ​friend” or ​a ​Facebook ​friend ​request ​when ​they ​arrive ​unexpectedly.

The ​2016 ​attacks ​against ​the ​DNC ​appear ​to ​have ​been ​an ​example ​of ​#2 ​on ​this ​list. ​Notably, ​John Podesta ​received ​a ​fake-but convincing ​email ​telling ​him ​that ​his ​Gmail ​account ​had ​been ​compromised with ​a ​“click ​here” ​button ​to ​fix ​it. ​

There ​was ​nothing ​wrong ​with ​Podesta’s ​Gmail ​account ​before ​he ​clicked ​the ​button, ​but ​afterward? Yeah, ​that ​was ​the ​problem. ​This ​is ​an ​example ​of ​a spear ​phishing ​attack, ​where ​the ​attacker ​was ​going after ​a ​very ​specific ​high ​value ​target. ​Such ​attacks ​can ​be ​quite ​pernicious ​and ​cleverly ​done ​(e.g. sending ​what ​looks ​to ​be ​W-2 ​tax ​forms ​from ​HR ​around ​the ​proper ​time ​of ​year, ​when ​users ​would ​be
primed ​to ​expect ​such ​a ​communication).

This ​style ​of ​attack ​is ​unfortunately ​common, ​and ​every ​government ​has ​teams ​of ​experts ​who ​do ​these sorts ​of ​attacks. ​Readers ​may  enjoy ​this video ​of ​the ​NSA’s ​chief ​of ​“tailored ​access ​operations”. ​His message ​was ​that ​we ​attack ​others, ​and ​they ​attack ​us.

In-person ​attacks ​are ​probably ​the ​most ​difficult ​to ​defend ​against, ​because ​the ​threat ​actor ​has ​unfettered access ​to ​your ​phone ​or ​computer, ​whether ​by ​breaking ​into ​your ​hotel ​room ​or ​in ​the ​person ​of ​an ​border agent ​demanding ​such ​access. ​We’ll ​discuss ​a ​variety ​of ​countermeasures ​below, ​but ​the ​short ​answer ​is that ​these ​cases ​require ​anticipating ​the ​threat ​in ​advance. ​Information ​you ​don’t ​have ​with ​you ​is information ​that ​cannot ​be ​stolen ​from ​you.

 

2. ​Know ​your ​tech

 The ​single ​most ​important ​technical ​measures ​you ​can ​take ​are ​to ​use up-to-date ​equipment ​and best-of-breed ​cloud ​services. ​Whether ​you’ve ​got ​a ​Mac ​or ​a ​PC, ​you ​should ​be ​running ​the ​latest ​versions of ​OS ​X ​or ​Windows ​10. ​If ​you’ve ​got ​an ​ancient ​machine ​that ​won’t  accept ​a ​modern ​update, ​it’s ​time ​to retire ​it ​and ​get ​a ​new ​one. ​This ​also ​applies ​to ​the ​applications ​on ​your ​computer. ​If, ​for ​example, ​your Mac ​is ​running ​Office ​2008 ​or ​Office ​2011, ​then ​it’s ​time ​to ​upgrade ​to ​Office ​2016. ​Why ​the ​upgrades? Because ​Apple ​and ​Microsoft ​have ​really ​improved ​their ​game. ​If ​you ​run ​the ​newest ​software, ​you’ll ​be protected ​against ​the ​most ​recently ​discovered ​vulnerabilities.  This ​also ​applies ​to ​your ​smartphones. Many ​cheap ​Android ​devices ​are ​running ​ancient ​versions ​of ​the ​Android ​system.

A. Should ​you ​get ​a ​Google-branded ​Android ​device ​like ​a ​Nexus ​or ​Pixel ​or ​are ​third-party
Android ​devices ​acceptable? ​

Google ​pushes ​monthly ​security ​updates ​to ​its ​own ​phones. ​For third-party ​devices, ​some ​manufacturers ​are ​better ​than ​others ​at ​rolling ​out ​these ​updates, particularly ​for ​older ​devices. ​If ​you’re ​genuinely ​concerned ​about ​targeted ​threats, ​then ​using ​a Google-branded ​phone ​is ​likely ​to ​be ​more ​secure. ​If ​you’re ​using ​a ​third-party ​device, check what ​version ​of ​Android ​you’re ​running. ​If ​it’s ​anything ​older ​than ​Android ​7.0, ​it’s ​time ​for ​a new ​phone. ​Not ​sure? ​Go ​into ​your ​Settings ​and ​select ​“About ​phone”. ​Below ​is ​an ​image ​from ​a current  Google ​Pixel ​XL. ​Notice ​how ​the ​“kernel ​version” ​and ​“security ​patch ​level” ​have ​recent dates ​(relative ​to ​the ​date ​at ​which ​this ​document ​was ​authored: ​mid-October ​2017)? ​If ​your phone ​shows ​older ​dates, ​you ​need ​to ​replace ​your ​phone.

B. Is ​an ​iPhone ​better ​than ​Android ​for ​security?

Apple ​and ​Google ​have ​both ​worked ​hard ​to improve ​their ​security ​chops; ​newer ​iPhones ​are ​definitely ​better ​than ​older ​ones. ​When comparing ​the ​latest ​Apple ​iPhone ​7 ​or ​8 ​with ​the ​latest ​Google ​Pixel ​or ​Pixel ​2, ​I’d ​say ​it’s ​a wash. ​Get ​the ​one ​that ​you ​prefer. ​At ​that  point, ​your ​security ​will ​depend ​more ​on ​the ​apps ​you choose ​than ​on ​the ​phone ​platform.

C. What about Chromebooks?

If your needs can be satisfied with Google Chromebooks, you should seriously consider them instead of Windows or Apple laptops. Not only are they cheaper, but they only run a web browser and nothing else, making them much harder to compromise. Newer Chromebooks with touch-screens now also run Android apps, making them much more useful. Chromebooks are automatically updated by Google with the latest security patches and they have features that make it very hard for a hacker to install malware. And, of course, if they’re stolen, there’s nothing really there for an attacker to steal. All of the data is safely in the cloud.

D. Do I need third-party anti-virus software on my computer or phone?

Surprisingly, no. The most likely vector for which viruses might attack you is through email, and AV companies offer plugins for email servers. Cloud email providers like Gmail also have AV built-in. Windows 10 also comes with “Windows Defender” built-in, which is free and which serves the purpose. Conversely, there’s increasing evidence that many third-party AV engines actually make your security worse . If your devices are running the latest software versions with the newest security patches, you’ll protect yourself very well.

E. What about the apps I install?

The fewer the better. When you install a popular app from a big company like Twitter, Facebook, etc., you can have some confidence that it’s not out to get you. If you install games or whatnot, you have far less assurance. In some cases, even mobile web pages from sketchier parts of the web try to pretend that they’re apps and will generate fake warnings that they’ve detected security vulnerabilities. If you’re installing an app which has a “free” and a “pay” version, where the latter has no advertisements, you significantly improve your security posture by paying the money. Ads are a vector for attacks into your phone.

F. Can I protect myself by moving to the cloud?

Consider switching away from local infrastructure (e.g., Microsoft Office and local file servers) and using a managed cloud
infrastructure (e.g., Google Docs). One of the benefits of moving to cloud services is that the vendors who run them offer you a variety of security features that are hard to set up on your own. Google’s Gmail, for example, has top-notch anti-virus, anti-spam, and anti-phishing defenses. If you go wholeheartedly to the cloud, then you can replace your computers with Chromebooks (see Question C, above).

While you could run a small organization on personal Gmail accounts, it’s much better to pay for a “G-Suite” domain. At that point, you can have the familiar Gmail and Google Docs with your own custom domain-name. The security win is that you can centrally manage your users, making it easy to add and remove staff. As the administrator of a G-Suite domain, you can require all your users to use two-factor authentication (see below), making everybody more secure. Also, a G-Suite administrator can limit which third-party apps your users can use, eliminating a delegation attack.

G. How about two-factor authentication (2FA)?

It’s now considered an industry best practice to combine passwords (“something you know”) with physical tokens (“something you have”) and it’s easy to do. Many web sites let you associate an app like Google’s Authenticator with them as part of the login process. You have to enter your password, then you run the app and type in a 6-digit code. Google and others also support “Fido U2F” keyfobs which you plug into your computer ( only $18/each on Amazon ; a variety of U2F devices are available, the blue-colored Yubikey is the one to get). Just put it on your physical keychain and use it when asked. If you’re using G-Suite, you can even make these things mandatory for all your users. Had John Podesta been using 2FA like this, then divulging his password to Russian attackers wouldn’t have helped them log into his account. The way Fido U2F keys work, there’s no way for an attacker to request you give them the PIN, so they’re more resistant to phishing attacks than two-factor apps. Some web sites try to send you an SMS text as a form of 2FA, but this is now considered insecure and is not recommended for use. A single Fido U2F key in your pocket works safely with multiple web sites at the same time,
including Facebook and Dropbox.

 

3. How to communicate online and elsewhere

 A. Am I safe using a public WiFi in a coffee shop or airport?

The short answer is that you’re safer now than you were in years past. Most web sites you might use these days are encrypted; look for the “https” in their URL. Similarly, most apps on your phone will encrypt your data before connecting to their cloud servers. If you’re using a Chromebook or a recent smartphone, then you’re unlikely to be successfully attacked. If you’re using an older Windows laptop or an older Mac without the latest security patches, then a public WiFi service might have unacceptable risks for you.

B. Are there risks from social networks like Facebook?

The biggest risk is to your privacy.

Assume everything you say or do will be visible to the public . It’s just too easy to post something that you mean to be private and accidentally have it be visible to the whole world. “Private groups” on Facebook are somewhat better, but any group with thousands of members might well have somebody you don’t trust, just waiting for you to say something inappropriate and make a copy of it for later use.

Related: be cautions of all these online surveys and quizzes. Find out which Game of Thrones character you would be! Please don’t do these. You’re telling marketers about yourself so they can target you with advertisements.

C. Basic organizational functions.

There are a variety of other enterprise offerings, like Slack for group texting, or Expensify for expense reporting. As you evaluate these providers and their competitors, make sure you understand more than their dense legally worded security and privacy policies. Interview them about their security practices. Look for their ability to support two-factor authentication or, even better, to connect to authentication services provided by somebody else. Think: “Login with Google”. Every time you can get such a “federated login” or “single sign-on” feature, it’s one less place where you need to add and remove an account every time somebody joins or departs your organization.

This also means that you want to discourage your users from communicating with personal email addresses, text from their phones, etc. The extent to which you can manage and control your users’ communications is directly related to the extent to which you can protect them from being leaked or tampered. Consider what might happen if you need to fire an employee / staffer / volunteer. You want to be able to pull the plug on them, all at once, killing off their access to email, cloud documents, everything. You can’t do that if you’re using personal Gmail, but you can if you’re using G-Suite.

That said, if your organization is less organized, say it’s nothing more than a group of people planning and organizing political protests, then none of this advice is particularly helpful. At that point, the best you’re going to do are “secret groups” on Facebook (i.e., invitation only groups that are not publicly visible). You can also set up a free account on Slack, but you don’t get some of the cooler features, e.g., Slack only lets you require 2FA on a paid account. You can at least set up 2FA on a personal Gmail account, preferably using the U2F tokens discussed above.

**

Cybersecurity allows your business to thrive. Investing in cybersecurity helps you stay ahead of evolving risks and protects your most sensitive information. Advoqt’s cybersecurity experts partner with our clients to execute IT security projects tailored to each organization’s specific needs. We work to protect from the inside and proactively prevent, rather than react to potential threats.

 

Sign up to our monthly newsletter, and stay up to date with the latest cybersecurity trends:

  • Should be Empty:

 

Related content