Ho-ho, whoa
The downtime created by the holiday season is a fan favorite for enterprise employees and hackers alike. While workers enjoy time away from the office on vacation or work remotely, hackers view this slowdown as an optimal time to attack corporate systems. To keep your organization from becoming this holiday’s victim, security professionals offer tips for IT managers on protecting corporate data, as well as recommendations for using the slower cycles to test security systems.
Tell your employees to go home for the holidays
Mike Orosz, Director, Threat and Investigative Services, Citrix:
Use the holidays as an unassuming time to perform program reviews and audits. In every security organization it’s all too likely one or two employees perform critical security roles. Periodic verification of procedures is necessary in order to avoid unexpected but avoidable security incidents or disruptions. First for review should be procedures and process. Are there documented processes in place to match the day-to-day responsibilities of all team members? Are those procedures sound or based on best practices? Lastly, are those processes / procedures readily available and/or easily found?
Take this time to critically analyze team maturity, develop a strategic road map for the New Year and to close critical gaps that typically go unnoticed during routine operating times.
Use the holidays to test your incident response and disaster recovery plans
The key to a world-class security program is a solid foundation. Having well-documented incident-response plans is a critical necessity. Having a set of binders on a shelf or in an obscure folder isn’t enough. Not only should incident-response plans and the teams that perform those duties be tested frequently, they should be stress tested. What better time to conduct testing than during a major holiday when many staff members are out of office?
Running a disaster-recovery test during a holiday will reveal gaps in plans and personnel staffing and identify critical areas for improvement. Not to mention, during real times of disruption or disaster, it’s unlikely every member of each team will be available. That said, by testing during times of minimal staffing, you will quickly find out how your plans come together and which ones need improvement.
Sweep for enemy surveillance
Simon Puleo, Security Researcher, Micro Focus:
Malicious Wi-Fi devices have been found in conference rooms, glued under desks and, most commonly, plugged into the wall. Consider that a Raspberry Pi can be made as small as a credit card. Criminals will use these devices to analyze network traffic, create false Wi-Fi networks and couple with cameras to create the perfect spying devices. While everyone is out of the office, sweep for unknown wireless network connections and look for suspicious devices plugged into electrical receptacles. One security sleuth found a device that was plugged between a microwave and the wall socket in the break room!
Business devices are for business
The holidays are a great time to raise awareness. Remind employees that company-issued devices should be used for business only. I don’t know how many times I have heard the story: loaning out a PC to a son, friend or relative only to be left with malware that infected the network. If someone asks to use your computer even to find directions to grandma’s house, don’t relinquish control of the machine.
Create a honey pot
Criminals most likely strike when everyone is out of the office; catch them in the act! For security professionals who suspect there may be malicious behavior in the physical environment, making a honey pot in an open area may be a way to catch criminals in the act. A honey pot is made by intentionally putting what looks like important data on a system, then simply monitoring that machine and waiting to see if it is accessed. Place an unlocked PC in an open area with video surveillance, install monitoring software on it, and see if any files are touched or if users do the right thing and report it.
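The wireless sweep recommended above can be run as a comparison between survey results and an allowlist of sanctioned access points. This is an added example, not code from the article or its contributors; the SSIDs, BSSIDs, signal readings and the -55 dBm "nearby" threshold are constructed assumptions.

```python
# Constructed allowlist: each corporate SSID mapped to the BSSIDs of its sanctioned APs.
AUTHORIZED = {
    "CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpGuest": {"aa:bb:cc:00:00:03"},
}
NEARBY_DBM = -55  # assumption: a stronger signal than this suggests a radio inside the office

# Constructed survey rows (ssid, bssid, signal in dBm), as a Wi-Fi survey tool might export.
SCAN = [
    ("CorpNet", "AA:BB:CC:00:00:01", -48),
    ("CorpNet", "de:ad:be:ef:00:10", -39),        # corporate name, unsanctioned radio
    ("CorpGuest", "aa:bb:cc:00:00:03", -60),
    ("PrinterSetup", "02:11:22:33:44:55", -35),
    ("CoffeeShopNextDoor", "10:20:30:40:50:60", -82),
    ("", "02:aa:aa:aa:aa:aa", -41),               # hidden SSID
]
PRIORITY = {"spoofed-ssid": 0, "unknown-nearby": 1, "unknown-distant": 2}


def software_assigned(bssid):
    """True if the locally-administered bit (0x02 of the first octet) is set.

    A hint only: some legitimate APs also use software-assigned BSSIDs.
    """
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def classify(ssid, bssid, signal_dbm):
    """Label one survey row against the allowlist."""
    if ssid in AUTHORIZED:
        # A corporate SSID from a BSSID we never deployed is the "false Wi-Fi network" case.
        return "authorized" if bssid.lower() in AUTHORIZED[ssid] else "spoofed-ssid"
    return "unknown-nearby" if signal_dbm >= NEARBY_DBM else "unknown-distant"


def sweep(scan):
    """Return non-authorized radios, spoofed corporate SSIDs first, then strongest signal."""
    findings = []
    for ssid, bssid, signal_dbm in scan:
        verdict = classify(ssid, bssid, signal_dbm)
        if verdict != "authorized":
            findings.append((verdict, ssid or "<hidden>", bssid.lower(),
                             signal_dbm, software_assigned(bssid)))
    return sorted(findings, key=lambda f: (PRIORITY[f[0]], -f[3]))


if __name__ == "__main__":
    for finding in sweep(SCAN):
        print(finding)
```

Strong unknown signals are the ones worth a physical walk-through, since the devices described above are hidden inside the office itself.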
Beware of Business Email Compromise (BEC) and Business Email Spoofing (BES)
Lucas Moody, CISO, Palo Alto Networks:
Enterprises should be on high alert against the threats of Business Email Compromise (BEC) and Business Email Spoofing (BES)—estimated by the FBI to cost organizations billions of dollars. As shown in Palo Alto Networks Unit 42’s latest research, “SilverTerrier: The Next Evolution in Nigerian Cybercrime,” the infamous Nigerian threat actors are becoming more organized and have taken up BEC and BES with unprecedented sophistication and success worldwide. Most successful attacks use known, patched vulnerabilities, so ensure systems and devices are up-to-date, well ahead of the quarter- or year-end “lock downs” on enterprise systems.
Remember, you are a target during the holiday season
Remember, you are a target year-round, but inevitably during this time of year, laptop and device thefts go way up. Whatever the cause, vigilance is in order to actively keep company and personal data safe. Keep your valuables out of sight—or better yet, out of your vehicle. Make sure data is encrypted, or work with your technology staff to verify if you’re unsure. And remember that in the chaos of the holiday season, thieves and bandits are looking at you and your devices as their next targets.
Make sure that the backups of corporate data taken on external hard drives are stored off site for safekeeping
Ruchika Mishra, senior product marketing manager, WhiteHat Security:
All enterprises have a backup data protocol. Some companies, because of the nature of their business, are required by legislation such as the Sarbanes-Oxley Act or HIPAA to back up and archive their data. Whatever your backup method of choice may be, be it external hard drives, tapes, or flash drives, ship it off for offsite storage. Backup data left onsite may be rendered useless in the event of a disaster in the form of a fire, earthquake, or a burglary.
Pay special attention to patching operating systems within specialized devices tapped into your network
Remember that episode from Mr. Robot, where Elliot plans to destroy the Steel Mountain facility by hacking into its climate control system? A software security system is only as secure as its weakest component, and oftentimes, specialized devices such as thermostats, conference room scheduler consoles, even video conferencing systems can get overlooked when it comes to patching. The key tip here is to not just update the main operating systems like Windows, OS X, and Linux when patches are available, but make sure that smaller operating systems within the specialized devices do not get overlooked.
Hackers may go holiday shopping online too
Chris Morales, head of security analytics, Vectra Networks:
According to the National Retail Foundation, 2016 online holiday sales are forecasted to increase between 7 and 10 percent – more than double the 3.6 percent increase forecast for overall holiday shopping – putting employees who reuse credentials or shop from their work computer at risk.
Recommend employees go directly to a vendor’s website rather than clicking the “shop now” button in a promotional email message. For example, an attacker can easily create a fake Best Buy or Amazon promotional email message to entice direct clicks to purchase sought-after items at a special discount. Faux holiday emails could be a phishing attack infecting computers with ransomware or exploits to initiate a targeted cyber attack, while everyone is supposed to be enjoying holiday cheer.
Wrap up your data first, before wrapping your gifts
Ransomware attacks strike fast and encryption of an organization’s network file shares can happen within a few short hours. Even if your security systems provide an early warning, holiday celebrations will provide attackers with an excellent diversion. The attack on Sony Pictures was revealed on Nov. 24, the Monday prior to Thanksgiving in the United States. With people taking time off during the holidays, there may not be anyone there to take action from early warning signs of an attack.
A solid backup and recovery mechanism is excellent insurance against ransomware. There are merits to having hot backups, cold storage (periodically connected backups), and even offsite cloud backups with version control.
Implement always-on SSL
Jeannie Warner, security strategist, WhiteHat Security:
Pre-loading HSTS and setting your organization’s website to HTTPS is easy, and can help prevent successful attacks from Firesheep or POODLE, as well as some man-in-the-middle attacks. For e-commerce sites, these measures will keep customers safer during holiday shopping. Update to the best security protocol possible – TLS 1.2 – as it is the most secure version available.
Do not neglect DevOps’ tools
It’s not just the operating system and applications that need patching in an organization. Start the New Year with every development and debugging tool updated to the latest version as well! Don’t forget the lesson that JBoss taught us about new avenues of Trojans and ransomware that skip the user entirely.
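For the HSTS pre-loading advice in the always-on SSL tip above, a site's `Strict-Transport-Security` header can be checked against the hstspreload.org submission requirements (max-age of at least one year, `includeSubDomains`, `preload`). This is an added example, not code from the article or its contributors; the finding codes and sample header values are constructed for illustration.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year in seconds: minimum max-age for preload submission


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {lowercased directive name: value or None}, or None if malformed.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar permits empty directives, e.g. a trailing ';'
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def audit_hsts(headers, scheme="https"):
    """Return finding codes for one response; an empty list means preload-ready."""
    if scheme != "https":
        return ["insecure-transport"]  # browsers ignore HSTS received over plain HTTP
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["header-missing"]
    policy = parse_hsts(values[0])  # browsers process only the first HSTS header
    age = (policy or {}).get("max-age") or ""
    if not re.fullmatch(r"[0-9]+", age):
        return ["header-invalid"]
    findings = []
    if int(age) == 0:
        findings.append("max-age-zero")  # max-age=0 tells the browser to drop the policy
    elif int(age) < PRELOAD_MIN_AGE:
        findings.append("max-age-too-short")
    if "includesubdomains" not in policy:
        findings.append("no-includesubdomains")
    if "preload" not in policy:
        findings.append("no-preload")
    return findings


if __name__ == "__main__":
    # Constructed response headers, not captured from any real site.
    sample = [("Content-Type", "text/html"), ("Strict-Transport-Security", "max-age=86400")]
    print(audit_hsts(sample))
```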