Attackers have first mover advantage
Attackers have first mover advantage. In defence you are always playing catch-up.
Your network and computer systems are a contested space.
Convenience is the opposite of security and it is up to you to determine the balance that is right for your company.
- USB flash drives can walk data in and out. (How the Stuxnet virus got into the Iranian nuclear program.)
- BYO Device. Popular among younger employees.
- Take home laptops. I once worked for a power company that had a serious incident because an employee took home his company issued laptop, connected to the Internet via a home router, was infected with a worm, then he came back to work plugging it into the company network. That worm had a zero day exploit in it and every server in the company was infected.
- Another company I worked for allowed employees to surf the web at home with their work laptops then come back to work and plug them into the SCADA network. What could possible go wrong with this? This is not just some quaint little company. I am limited in what I can say about this…
Someone hacking your company?
Since I have been doing this I have been surprised how much cyber warfare is going between rivals in small and medium companies.
The most common threats to your company are:
- Insiders, like the salesman who leaves and takes your customer list with him/her.
- Clicking on the wrong link. The email might be claiming to be from MyGov or the ATO with some alarming demand for payment attached.
- Software you have installed you thought was safe but steals you data, with your permission; or didn’t your read page 271 of the End User Agreement?
- Many well know cloud storage services and email services look through your data and sell it to marketers. Google and Microsoft don’t even make a secret of this. Edward Snowden disclosed it is also government agencies looking through your data.
Passwords
One of the most common mistakes is overly simple passwords on web sites and email accounts. 91% of people use one of the 1,000 most popular passwords and 98% of people use one of the 10,000 most common passwords. Consider this: If an adversary tries just 5 passwords per day they will have cracked 91% or their target’s accounts within 200 days.
The reuse of passwords is a major problem. If one site on which you have an account on has poor security that results in a data breach it could leak your user name (often the email address) and your password with weak encryption. If the same password is used across a series of cloud services and web sites the attacker now has a valid username and password for a large number of sites.
Check out: https://haveibeenpwned.com/ too see how often you have been compromised.
It is shocking how much data is lost via poor practices with passwords. This is particularly vulnerable when a company uses a large number of cloud services and SaaS where poor password practices by any one employee could be the source of a data leak.
Solutions to the password problem may include:
- Always use long complex passwords.
- Use password management software like KeePass or Password Safe https://www.pwsafe.org/ so you are not trying to remember dozens of different passwords.
- Use Multi-Factor Authentication (MFA)
A list of the 1,000 most common passwords can be found here: https://lucidar.me/en/security/list-of-1000-most-common-passwords/ There is software that can cycle through this list very quickly adding common numeric substitutions and numbers at the end.
The 10th most common password is dragon but Dr@g0n951 is not much better as it will be quickly guessed by password cracking software. Computers are fast and can run millions of variations on the common list in minutes. According to Bitwarden at: https://bitwarden.com/password-strength/ Dr@g0n951 would take 3 minutes to crack. Go to the site and test out some of your favourite passwords.