According to a 2018 study led by Dr. Michael McGuire, Senior Lecturer in Criminology at the University of Surrey, worldwide cybercrime revenues are estimated at $1.5 trillion per year. In 2019, Canadian businesses of all sizes should take measures to stop contributing to the global cybercriminal haul.
APPLY PATCHES AND UPDATES
While exotic zero-day vulnerabilities grab headlines, in reality intruders frequently succeed by exploiting known security issues for which patches already exist. Unless patches are applied regularly, the resulting security landscape makes it far too easy for relatively unsophisticated cybercriminals to intrude into systems and steal data.
Many organizations, both public and private, suffer from misaligned priorities. They deploy expensive security products, but neglect basics such as patching. Intrusion prevention and antimalware are important, but they do little to protect servers and PCs riddled with security holes.
While it is possible to keep systems up-to-date through diligent system administration practices, a variety of vulnerability and patch management tools are available to help. If your organization has not made software updates a security priority in the past, make it one for 2019.
It is difficult to find security advice written in the past few decades that doesn’t include server hardening. Yet time and time again, security professionals and hackers find network services that shouldn’t be there in the first place, nevermind exposed to the network.
While legacy systems may present challenges, the majority of the time the real issue is that security is just not a priority. Insecure protocols such as FTP and telnet have no place on today’s systems. Unless the server is a file server, inbound connectivity to SMB ports should be blocked. While it might be more convenient for administrators to update web content via a Windows file share, it’s a poor security choice. SCP and SFTP are far more secure.
Server hardening also includes making privilege escalation more difficult. Web servers, databases, and similar applications should not run with administrative privileges, and when colocated on the server should be protected against each other. As an example, a database process should not have write access to a web server’s directories.
SECURITY AWARENESS TRAINING
Phishing and fraud are on the rise. Never in history has it been easier to research and target individuals and businesses, and criminals are getting much better at it. In the past, poor grammar and comically bad writing made fraudulent emails easier to spot. More recently, fraudsters have seriously improved their game. Employees today are receiving well-written emails, addressed to them by name, and purporting to be from managers and executives within their organization.
While technical controls can certainly help (it is amazing that in 2019 we don’t have a clear indicator of whether an email originated inside or outside our organization), the real key is security awareness training. In fact, training employees likely has a higher ROI than any other security expenditure.
Another opportunity to improve security this year is to adopt multi-factor authentication. Most major companies support it, and thanks to the standards charge lead by Google Authenticator, no extra hardware is required. Apps like Authy make it easy to manage multiple accounts and synchronize MFA credentials across multiple devices.
Low cost FIDO U2F and FIDO2 devices make hardware-based MFA simple and easy. A single device can be used to authenticate to an unlimited number of Internet sites and accounts.
Organizations should consider the services they use, and prioritize MFA starting with email and social media accounts. Those using cloud computing should, if they are not already, mandate the use of MFA for all administrator access.
The final line of defence against a multitude of security incidents, including ransomware attacks, malicious insiders, hardware failures, and natural disasters, is recovering data from backups. Protecting data is an obvious business imperative, yet many business fail to adequately do so. This is particularly problematic for small businesses and individuals. Ironically, unprecedented Internet bandwidth and low-cost backup services make it easier than ever. At a cost of around $5 per PC for automatic, unlimited backup, there is simply no excuse.