No one online is immune to the possibility of a hack, and this includes individuals, corporations, or even government entities.
Whether you’re a one-person business, a massive enterprise or government agency, you have assets to protect. For most of us, it’s not an issue of knowing that we need protection.
Rather, it’s the fact that we don’t always know whom we are up against. It could be anyone from a script kiddie, a collective of anonymous hackers, to a foreign (or even your own) government. This article will provide insights to what types of evil are lurking online, and how to protect yourself from it.
Different Attack Vectors
Just like we don’t know whom we’re up against, we don’t always know what we’re up against. There are different attack vectors, and we must have protection against any and all of them, before we can be secure. Here are some examples.
- Social engineering involves using social skills to obtain or compromise information. For instance, an attack can involve claiming to be a new employee, a friend stranded on vacation in need of money, a researcher or an acquaintance. Many times, they offer credentials and other information to make themselves appear more legitimate and support their identity. Phishing attacks are a form of social engineering attacks.
- Brute force attacks involve a trial-and-error method used to get information such as a PIN or password. In this type of attack, an automated software generates several consecutive guesses to try to isolate the correct solution. These attacks can be used by hackers to decrypt data, or by a security analysis team to test network security. These attacks are both time and resource consuming. When successful, they are usually based on computer power and the number of combinations tried, rather than an algorithm.
- Distributed Denial of Service (DDoS) involves using multiple compromised systems, typically infected with a Trojan to target a single system to cause a denial of service, or DDoS, attack. It floods the server with incoming traffic, which overwhelms it, shuts it down, and renders the website or online service useless for visitors. Since the flood of traffic comes from multiple sources, solving it is not as simple as blocking an IP address.
Whether the prey is big or small, attackers will find a way to find intrusion points. For instance, Sony was attacked using a combination of technical vulnerabilities and social engineering.
A large-scale cyber attack from a group of hackers who calls themselves the Guardians of Peace, or #GOP, leaked everything including passwords, executive salary data and even unreleased films. It went a step further and threatened employees and their families. It continued and led to threats of harming anyone who went to see the release of The Interview in theaters on Christmas Day.
Sony is not the only corporate giant who has had to deal with data breaches lately. Home Depot, Target and even large banks such as JP Morgan Chase have all suffered the consequences of their security errors. The attack on Home Depot resulted in email address and payment card theft.
In response, the malware on the system was removed and the loophole closed. Home Depot responded by offering free credit monitoring to all affected customers. The attack on Target resulted in encrypted PIN information being leaked. Though the debit cards were not compromised because it could not be decrypted within the Target system, the company responded by offering free credit monitoring services to affected customers.
In the case of the banks, the attack resulted in the theft of consumer data, but reports never released specifics of this information nor went on to say whether customers experienced a financial loss as a result.
Security breaches can also come from internal sources, like the popular embassy cables that Wikileaks collected over the years, and which it continues to leak to date. The website leaks sensitive information to “open governments” everywhere, but because the information is so highly confidential, this means that the source came from the inside.
Do You Have the Right Tools?
Having the right tools to keep you protected is a critical piece of the puzzle. One issue, though: even security-conscious companies can’t always be sure of the protection they use. And it’s not easy to predict when, why and how one will be attacked.
Case in point: well-known security-focused publication SecurityWeek was recently brought down via DDoS. According to the hacker collective that launched the attack, it was carried out for the simple fact that SecurityWeek advertised Cloudflare the popular cloud-based content delivery network that recently came under fire because of their refusal to deny services to websites with ties to the terror group ISIS.
This has prompted SecurityWeek to beef up its capabilities in high availability and in warding off DDoS attacks by deploying Incapsula’s cloud-based security and network optimization suite, which ensures reliability and security against multiple types of attacks.
Do Your Policies Safeguard Against Potential Attacks?
You cannot cut corners. You must have the right tools, and you must also have a well-rounded network security policy in place that covers all aspects of your business, including infrastructure, personnel and other business tools.
This is especially important in the enterprise setting, in which systems can be mission-critical. If the system goes down, your business crawls to a halt.
- Personnel. Your personnel policy should address how anyone—employees, contractors, consultants and even vendors—who has access to company assets will protect them.
- The policy should cover who is responsible for what. For example, HR should be responsible for background checks on potential new hires, the security team will train employees on proper usage and protection of assets, and so forth.
- The policy should also be included in the employee handbook, and all new employees should receive a copy, and be required to sign documents certifying they’ve read and understand the policy.
- Non-disclosure agreements should also be put into place. The policy should also outline what is compliant, what is not complaint, and what happens in the event of non-compliance.
- Devices. Your device policy should outline procedures and permissions with regard to the use of hardware like laptops, smartphones and even USB drives, plus which departments have full mobile access to your network, and whether or not personal devices will be allowed to access that data.
- While you want to limit the employees who have access to your network on mobile devices, a common workaround is to provide a corporate mobile device to the employee.
- In any case, screen locks, secure passwords and remote wipe/lockdown capabilities should be required for use on all mobile devices that have access to sensitive data.
- Infrastructure. Your infrastructure policy should outline the security policies and procedures, examine the layers of protection and who has access to them, the levels of security at each layer, storage availability and room for expansion, frequency of software updates, virtual machines, and the like.
- Anything related to the network’s equipment and maintenance needs to be covered under this policy.
For your enterprise to be secure, you'll need to invest time and effort into designing the infrastructure that is best suited for your business. You’ll want to make sure it is implemented and maintained correctly, and that it has safeguards against the many possible attacks it will face every day. Cutting corners can result in costly mistakes down the line.