High profile hacks over the last few months have put large organizations front and center of a media frenzy that highlights the dangers of inadequate data protection. Global bank, Capital One, and leading hotel chain, Marriott International, have both been made an example of recently after customer data was stolen by cybercriminals, showing just how common it is for large corporations to fall victim to attacks.
Many smaller businesses have seen these high-profile hacks and taken them to mean that hackers, and the ICO, have bigger fish to fry than their organization. In reality the opposite is true: these cases show how agile cybercriminals can be, using back doors you are not even aware of to gain access to data. If they can penetrate the security measures of huge organizations, it is likely they can penetrate yours.
To mitigate this, it is important that businesses of all sizes understand the threats posed to them. While many are aware that ransomware and malware are a serious danger, they may not know that hackers have also devised new kinds of spam. In the same spirit, here are five threats that are less well known but need to be understood:
1. Unencrypted scan-to-email
Copiers and scanners have always posed challenges to IT security professionals. Scanned PDFs can evade traditional data loss prevention (DLP) because their content is an image rather than plain text. There are no provisions for encryption or password protection, making it difficult to secure scan-to-email features and the resulting attachments. Storing images that contain data on file also threatens an organization’s data protection. Images showing personal data, such as that belonging to customers or employees, must be treated as just as sensitive as any other confidential report or file. Digital images or PDF files shared through digital collaboration channels put organizations at risk of falling foul of GDPR, as most of today’s security solutions will not inspect those file types for data breach threats.
To mitigate this risk, Optical Character Recognition (OCR) can inspect images and extract their text, so that data in an image can be processed like a normal electronic document by DLP functionality. This means that documents scanned to PDF, and even screenshots, can be protected by DLP. Digital images can also be analyzed with OCR while in transit, whether emailed or uploaded to or downloaded from websites and cloud apps.
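The following is an added example, not code from the original article or any product it mentions. It shows the DLP half of the OCR-plus-DLP approach: the text an OCR engine would extract from a scanned form is fed through the same pattern rules a DLP system applies to ordinary documents. The OCR step itself is not reproduced; the `OCR_OUTPUT` string is a constructed stand-in for what an engine would return, with digit groups split by spaces and hyphens as they are on printed forms. A Luhn checksum separates real card numbers from other long digit strings so that order references do not trigger false positives.

```python
import re

# Constructed sample of what an OCR engine might return for a scanned
# expense form. Not real personal or card data; 4111... is a standard
# test number and the order reference is arbitrary.
OCR_OUTPUT = """EXPENSE CLAIM - J. Smith
Card used: 4111-1111-1111-1111
Order ref: 1234 5678 9012 3456
Contact: j.smith@example.com
"""

# 13 to 19 digits, allowing the single spaces or hyphens that OCR keeps
# from the printed card layout. Lookarounds stop partial matches inside
# longer digit runs.
CARD_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_text(text: str) -> dict:
    """Classify OCR-extracted text the way a DLP rule set would.

    The block decision is a constructed policy: any valid card number
    blocks the transfer, email addresses are only reported.
    """
    cards = find_card_numbers(text)
    emails = EMAIL.findall(text)
    return {"card_numbers": cards, "emails": emails, "block": bool(cards)}


if __name__ == "__main__":
    print(scan_text(OCR_OUTPUT))
```

Because the same `scan_text` function can be applied to text from a Word document, an email body or OCR output, one rule set covers every channel; the only image-specific part is the OCR step that produces the text.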
2. False code signing
Code signing is abused by cybercriminals to ‘prove’ the validity of an application: malware is distributed under a certificate that appears valid so that it is accepted onto victims’ systems. The recent Fin7 hack saw cybercriminals re-tooling with new malware and evasion techniques, and once again showed that nothing can be trusted by default.
Just because an application has been signed does not mean it can be trusted. For many organizations, checking that an application is signed has been the key method of approving updates and allowing them to be installed. On a small scale, reviewing new updates should not be time consuming. However, with tens of thousands of applications (or components of applications) across the organization, it becomes a very big job. Just think about how often the apps on your phone are updated!
Education is not enough to combat this issue: policies and processes must change, and further investment in technology is needed as well. Organizations need to adopt a verified whitelist for all applications and components to ensure every component is ‘real’. This is both time consuming and expensive, but it is what needs to be done to ensure security. A process is needed to lock down what employees are allowed to install, only letting updates occur after the source has been verified. With more and more people opting to work from home, organizations must also ensure VPN solutions are used so that all web traffic and downloads pass through corporate security controls and policies. Vigilance is needed to mitigate this risk, no matter the size of the application.
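The following is an added example and not the article’s or any vendor’s code. It shows what ‘signed but not trusted’ looks like as an install policy: a valid signature is only the first gate, and the artifact must also match a SHA-256 recorded in a whitelist of builds the security team has actually reviewed. The platform’s own signature verification (Authenticode, `codesign` and so on) is assumed to have already run and is passed in as a boolean; the manifest format, the artifact name and the installer bytes are constructed for the example.

```python
import hashlib
import hmac
import json

ALLOW = "ALLOW"
DENY_UNSIGNED = "DENY: unsigned or invalid signature"
DENY_UNLISTED = "DENY: signed but not on the verified whitelist"
DENY_MODIFIED = "DENY: signed but content differs from the approved build"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_whitelist(approved: dict) -> str:
    """approved maps artifact name -> the exact bytes that were reviewed.

    Returns a JSON manifest of name -> SHA-256 for the install policy to read.
    In practice the manifest itself would be signed and distributed by the
    security team, which this example does not show.
    """
    return json.dumps(
        {name: sha256_hex(blob) for name, blob in approved.items()}, sort_keys=True
    )


def decide_install(name: str, data: bytes, signature_valid: bool, manifest_json: str) -> str:
    """Install policy: a valid signature is necessary but never sufficient.

    signature_valid is the verdict of the platform's signature check, which
    this example assumes has run already and does not reproduce.
    """
    if not signature_valid:
        return DENY_UNSIGNED
    expected = json.loads(manifest_json).get(name)
    if expected is None:
        return DENY_UNLISTED          # signed by someone, but nobody approved it
    if not hmac.compare_digest(expected, sha256_hex(data)):
        return DENY_MODIFIED          # same name, different bytes than reviewed
    return ALLOW


# Constructed sample: one approved build. The bytes stand in for an installer.
APPROVED_BUILDS = {"agent-1.2.0.msi": b"approved installer bytes for agent 1.2.0"}
MANIFEST = build_whitelist(APPROVED_BUILDS)


if __name__ == "__main__":
    good = APPROVED_BUILDS["agent-1.2.0.msi"]
    print(decide_install("agent-1.2.0.msi", good, True, MANIFEST))
    print(decide_install("agent-1.3.0.msi", b"signed but unreviewed", True, MANIFEST))
```

The two deny paths after the signature check are the point: a signed artifact that is not on the whitelist, or whose hash differs from the reviewed build, is refused even though a signature-only policy would have let it through.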
3. Fake updates
Fake updates work like other attacks in which the user’s system or device is asked to install an unexpected update or application. Updates to applications such as browsers are a favourite lure, because users have become used to being asked for an update and click ‘OK’ by default. By accepting a fake update, the employee inadvertently downloads and installs malware onto the organization’s network. With almost half of all cyber security incidents reported in the last year caused by internal errors, the potential for exploitation is high.
There are several ways companies can protect against fake updates, primarily by only enabling updates from authorized sites, which may be hosted internally. For organizations not set up for this, however, it is not a quick fix. In that case, simple rules on a web security gateway can blacklist all update servers except those that are authorized. Again, work-from-home policies become an issue when employees take their devices home and connect directly to their home internet connection for updates. Organizations need to educate employees that this particular threat is becoming mainstream and that they need to be aware of the risk.
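The following is an added example, not code from the article or from any gateway product. It models the gateway rule described above, which in effect is an allow-list of authorized update hosts, and shows the checks such a rule needs to get right: plain HTTP is refused, the host is taken from the parsed URL rather than from a string prefix so that a `user@host` trick cannot fool it, and the domain comparison accepts real subdomains of an authorized host while rejecting look-alike names. The domain names and the gateway log lines are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumed policy: update downloads may only go to these domains. The names
# are constructed placeholders; an organization would list the vendor
# update hosts it has actually authorized.
ALLOWED_UPDATE_DOMAINS = ("updates.example-vendor.com", "swupdate.corp.example")


def host_allowed(host: str, allowed=ALLOWED_UPDATE_DOMAINS) -> bool:
    """Exact match or a genuine subdomain of an allowed domain.

    The leading dot in the suffix check matters: a bare endswith() would
    also accept a look-alike such as 'fakeupdates.example-vendor.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def update_request_allowed(url: str, allowed=ALLOWED_UPDATE_DOMAINS) -> bool:
    """Decide whether the gateway should let an update request through."""
    parts = urlsplit(url)
    if parts.scheme != "https":     # unencrypted updates can be tampered with in transit
        return False
    host = parts.hostname           # strips userinfo and port, lower-cases the name
    if not host:
        return False
    return host_allowed(host, allowed)


# Constructed gateway log lines: "<client-ip> <requested-url>". Not real traffic.
SAMPLE_REQUESTS = [
    "10.0.0.12 https://updates.example-vendor.com/agent/2.1/setup.exe",
    "10.0.0.12 https://cdn.updates.example-vendor.com/agent/2.1/setup.exe",
    "10.0.0.23 https://updates.example-vendor.com.evil.test/setup.exe",
    "10.0.0.23 https://fakeupdates.example-vendor.com/setup.exe",
    "10.0.0.31 http://updates.example-vendor.com/agent/2.1/setup.exe",
    "10.0.0.31 https://updates.example-vendor.com@evil.test/setup.exe",
    "10.0.0.40 https://swupdate.corp.example/packages/agent-2.1.msi",
]


def blocked_requests(lines, allowed=ALLOWED_UPDATE_DOMAINS) -> list:
    """Return the URLs the gateway rule would refuse, in log order."""
    blocked = []
    for line in lines:
        client, url = line.split(" ", 1)
        if not update_request_allowed(url, allowed):
            blocked.append(url)
    return blocked


if __name__ == "__main__":
    for url in blocked_requests(SAMPLE_REQUESTS):
        print("BLOCK", url)
```

Running the sample log through the rule refuses the four suspicious requests (a look-alike domain, a look-alike subdomain, a plain-HTTP download and a URL with a misleading userinfo part) while passing the two authorized hosts and a real subdomain of one of them.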
4. Mobile cloud backup
Employees must also be aware of the consequences of sharing data on the Internet, particularly through unsecured apps. An example is corporate contacts on an employee’s iPhone being backed up to their personal iCloud. Employees regularly download and install new apps, unwittingly granting access to everything from the device’s camera and microphone to its contacts, without the knowledge of the IT department. Once an app is installed, it is difficult to know what it is doing with the access it has been granted.
How would you know if an app you have downloaded is listening in to your surroundings and selling your information? We all remember the La Liga app hack, which demonstrated how easily personal location data and microphones can be accessed. An app could even take all of your business contacts and other critical information and upload it to the cloud without you being aware of it.
Organizations must ensure that any applications with access to their network have been thoroughly vetted, so that the permissions they request pose no threat. Employees must be educated on the threats posed by BYOD and by downloading apps onto devices with access to the network. A middle ground between doing nothing and stopping the use of cloud-connected devices altogether must be found, perhaps one where employees may only use corporate devices and may only download pre-approved apps.
5. Other organizations’ security standards
Organizations risk suffering collateral damage if a weak link in the supply chain is targeted by a cyber-attack. As information sharing increases and the ways and means of sharing grow, so do the opportunities for exploitation. Whether a complex breach, such as the Lockheed Martin hack involving stolen RSA token data, or a simpler one caused by ‘trusted’ employees accessing information they shouldn’t, the whole supply chain is at risk and its security must be taken seriously.
Mitigation can be as simple as asking suppliers or partners about their cyber security policies to ensure they are in line with your own. If they are not, security must be bolstered or the supplier changed. GDPR is a shared responsibility: if one link in the chain is insecure, the whole chain is vulnerable.
Robust security measures are needed, no matter the size or scope of the organization. Employees must be thoroughly educated on the value of good cyber security and on how they can mitigate threats. Processes need to be in place for reporting a breach, and for recovering from one. Technology should be a safety net and must be continually reviewed and updated at the same speed as new threats evolve. A well-rounded approach to cyber security is one that is continually evolving and that incorporates all parts of the organization.