In November 2013, a group of cyber-criminals broke into one of the nations largest retailers using passwords stolen from an HVAC contractor. Once in Target’s network, these criminals were able to traverse the network and install their malicious software into some of Target’s cash registers. Once they confirmed that their access was successful, by Black Friday the majority of Target’s registers were infected. In approximately two weeks, 40 million credit and debit card records were stolen and distributed through a world wide network of brokers and sold on the black market. (Krebs on Security).
The news is filled with data breaches of large retailers such as Target and Neiman Marcus. Unfortunately, smaller companies are also targets for attacks, pardon the pun. In Verizon’s 2013 Data Breach Investigations Report reports that attackers did not discriminate based on business location, size or industry. These stories also tell us that just complying with PCI (Payment Card Industry standard) is not enough.
The traditional way to protect computer networks in the past has been to create a strong perimeter by setting up firewalls at the edge as a traffic cop on what is allowed in and out. We recommend that you look at your areas of risk and protect from the inside out. I’m going to talk about some quick best practices and how they could have prevented or reduced the affect of these breaches.
- Use two-factor authentication wherever possible, especially for remote access. For example a smart phone application that provides one time passwords each minute. Not only the HVAC contractor, but all remote users should have had a two factor system in place. PCI states that a two factor system should be in place to access the payment network. In this case the HVAC vendor was not connecting to the payment network…which leads us to.
- Separate your important stuff network from your really important stuff network. If you have systems that process payments and store Personally Identifiable Information, separate it from your main network and keep contractor systems off of your main network as well.
- Along those lines, only allow access to systems and data when its needed. Don’t give privilege to users or networks that shouldn’t have access. Your R&D people don’t need access to the Payroll server.
- Keep your systems and software up to date. Vulnerabilities and bugs can lead to holes that hackers can get in.
- Put in effective email filters and educate your employees. A good email filter will go a long way but none are perfect. Educate your employees on making good decisions regarding opening emails that they get. The old adage was that you don’t open email from strangers. However, your friends and colleagues are sending stuff unknowingly too. Phishing – the act of using a fake email or website to get you to give up your information – is the number one way that external threat actors are collecting password credentials and gaining access.
- White list your applications wherever possible. It’s like having a bouncer at your party. If you aren’t on the list, you don’t get to go inside. This isn’t always possible in dynamic organizations and is difficult/costly to maintain but probably will provide the most protection. if you have systems that are fairly static like Point of Sale terminals, white listing would go a long way to prevent the bad stuff from taking hold.
- Create an IT security Policy, disseminate it to your employees, follow it, and test it. Creating a policy gives you props when you are talking to a compliance policy auditor, but it doesn’t do you any good protecting an attacker. Social engineering (including email phishing and even by phone) is common vector of attack used by malicious users. Give them kudos or rewards for thwarting an attempt.
- Monitor all of the above using automation where possible and ensure that you or your IT team is effectively alerted when bad stuff happens.
No security measure is fool proof and the bad guys only have to be right once. Although you may sacrifice a little convenience by using a strong pass phrase rather than 12345, you will go a long way to protect your data and your client’s data…oh and lose the post it note…