Breach. The word calls to mind all sorts of things, from Shakespeare to spy movies. Almost all involve attackers breaking in from outside. Tom Cruise suspended inches above the floor in Mission: Impossible is but a glamorized, Hollywood image. In reality, most data breaches today happen with help from the inside — unintentionally.
While headlines about intruders grab attention, the real turning points for data security are the little mistakes that users make. From mishandling devices to time-saving shortcuts, users create security loopholes that must be closed for meaningful data security to take place.
Learning from others’ mistakes
The news is filled with stories of massive data thefts these days. From the Target and Home Depot losses to the OPM debacle, we want to know who did it. But knowing who is not as important as figuring out how. To prevent the next breach, companies have to look at the security loopholes that were exploited in previous intrusions. No matter how much policing takes place, there will always be hackers lurking in the shadows. The smart organization works on preparation… not just prevention.
Here are the most common security loopholes that intruders depend on to practice their craft and the steps needed to close them.
Spam filters can’t save you now
Yes, after all these years, people are still opening questionable email attachments. Just ask Sony. Their astounding loss of intellectual property, privacy and profits all started by a worker pulling an email out of their junk folder and opening the malware-laden attachment. Consistent reminders about security protocols are important. Using recent news stories of breaches as examples can help employees stay interested and understand what is at stake. The problem occurs, however, when people unquestioningly open email attachments and click on links without a second thought because they simply trust the sender.
While many of the phishing attempts of yesteryear are quickly caught by spam filters, it’s the concerted effort put into methods like “spearphishing” that quickly surpass spam filters and land employees, and their companies, in hot water. Spearphishing is a method where a hacker studies their targets, gains context, and then sends an email that would be indistinguishable from a malicious attempt, all by cloaking itself in familiar and confidential details. That is, if a hacker gains access to the secretary’s email account, they can quickly study up on their communication with the CEO and use those details to dupe the CEO into clicking on a link and thereby giving away the keys to the kingdom.
Even the trusted hotspot is not to be trusted. From network intrusions to stolen credentials, WiFi is a dream for hackers and a nightmare for security-minded IT professionals. While best practice is just to avoid open wifi networks, VPNs can help—but only if used properly. And remember that even security protocols like WPA are beginning to crumble in the face of consistent efforts to break them. The biggest loophole here comes from the increasingly mobile, BYOD-dependant workforce that many companies rely on. Company BYOD policies can also include setting devices to ask permission when connecting to WiFi and mobile device management software that allows for locking or wiping data in case of loss or theft. Beyond the hazards of public WiFi, even those digital nomads with your own, personal WiFi hotspots are far less secure than you might have initially imagined. How so? First, an estimated majority of mobile hotspots that are out in the wild today have the password of the admin account on the device automatically set to be the same as last 6 chars of the IMEI address.
While many hotspots have seemingly secure passwords, the formula is actually getting simpler. Today’s technology for gaining the IMEI number is certainly expensive, however we all know that once this technology gets replicated, the price will dramatically drop and availability will rise.
That corporate “guest” WiFi? It’s a cesspool. While we’re on the topic of WiFi, even that unsecured, unmonitored guest WiFi you offer can be a source of security loopholes. While employees may behave, for fear of repercussions, on your regular company WiFi, they may treat the guest WiFi as their own, personal playground.
While employees may never think to visit those sites that sit on the darker side of the World Wide Web while on the primary network, that guest network gives them a feeling of anonymity. The problem here is that employees are then jumping back and forth from secure to insecure WiFi, and bringing with them the malware that goes along with those sites. The employees are doing this naively and the bosses are blind to the threats. So, if you must offer WiFi to guests, lock it down and make it subject to the same policies as that of your primary network.
What it all means
Cyber security boils down to effective layering. From end-user education, best practices and workstation protection to firewalls and system-wide antivirus protection, IT departments need to work actively to thwart attacks. But knowing when the threat has become a reality can make all the difference in closing those trust loopholes before the damage is done. Everyone wants your data. Some already have access. Only you can seal the breaches.