It used to be that keeping your business protected meant remembering to lock the door at the end of the day. But today, IT admins need to keep their company safe from threats on the other side of the world.
As the business world becomes increasingly decentralized, more and more sensitive work takes place online. This explains why 2014 was “the year of security breaches” with massive (and well-publicized) compromises of a host of major companies, including Target, Neiman Marcus, and Sony. You don’t want your business to be next.
Neither do we. At JumpCloud, we eat, breathe, and sleep IT security. With the help of security expert Chris Nelson (@cryptzero), we compiled a categorized list of the top 15 security threats that IT departments face and how to confront them head-on.
Top 15 IT Security Threats
Imagine getting locked out of your own computer system. Then you go to access your cloud-based resources on another device only to find out that they’ve all been encrypted. That is the reality of Ransomware and the way that hackers extract sizable ransoms from their victims.
McAfee Labs 2015 report on cyber espionage identifies Ransomware as one of the top growing threats, hypothesizing that the malware will evolve to target more mobile devices. McAfee said, “we predict ransomware variants that manage to evade security software installed on a system will specifically target endpoints that subscribe to cloud-based storage solutions such as Dropbox, Google Drive, and OneDrive.”
Backing up your files is necessary, with hackers getting more sophisticated by the day. Here’s another good article about how to protect yourself from ransomware.
This term refers to any virus, Trojan, or spyware that escapes anti-virus software by constantly changing (“morphing”). According to SearchSecurity, “the best method of dealing with polymorphic malware is to employ multiple and diverse blocking, filtering, detection and removal programs.”
It’s important that you have a solid hardened platform. This should include removing administrative rights for end users, or controlling which rights your end users have with a good central directory.
Patching is absolutely critical in malware defense. We recommend starting with something like the CIS or DISA hardening standards for your platform, then continuing to patch regularly from there. Make sure you have strong endpoint protection as well. We suggest finding something like SaaS-based patching service, PatchSimple.
Finally, we strongly recommend network protections such as firewalls, IDS/IPS solutions, and gateway malware protection (email, firewall, proxy) and network behavior analytics such as ProtectWise or even just Netflow and ELK and/or BroIDS.
Domain Generation Algorithms
DGA is a particularly nasty form of polymorphic malware that was popularized in 2008 by Conficker. These algorithms generate up to 50,000 domains in a day, each one a different site to host their malware. This makes it very difficult to detect and control the threat.
Learn more about this threat in Damballa’s DGAs in the Hands of Cyber-Criminals in which they examine what they call the “state of the art in malware evasion.”
#2 Account Compromise
A complicated password isn’t worth much if it’s used reused on all of an employee’s accounts and devices. People regularly reuse passwords. This becomes a problem for their employers when major hacks happen (think the 1.6B passwords stolen from LinkedIn). An unsecured personal account is hacked – and suddenly it’s the company’s problem. The worst part is that it exists outside of the IT department’s purview, so they likely won’t know there has been a breach until it’s too late.
You’ve read all about how Millennials in the workplace are making waves with their novel work habits and expectations. This impact extends to the realm of security, too. When innovating in the workplace, there’s a fine line between brilliant and reckless. The savvy of younger generations at using a variety of electronic mediums to collaborate, communicate, and transfer files can create unmanaged and insecure avenues of discourse.
The Information Security Forum, a nonprofit that analyzes security and risk management issues, releases an annual ‘Threat Horizon’ report. The security practices of younger generations made the top ten threats for 2016.
To avoid these issues, it’s critical that your organization implement MFA (multi-factor authentication), which makes compromised credentials essentially useless.
For applications that do not provide MFA, it’s critical to have stringent password requirements, and teach your employees that regularly re-using passwords is a huge problem and one of the main ways that hackers can break into accounts.
#3 The IT Skill Set Gap
Back in the good old days, being an IT admin meant knowing how to put up a firewall. But IT has matured. In today’s world of multifaceted infrastructure and sophisticated cyberattacks, it takes a highly specialized and adaptive IT admin to apply security solutions to the myriad of today’s challenges.
One of the biggest threats facing IT today is not being able to fill out their staff with knowledgeable IT professionals. Companies caught in the “skill set gap” are ultimately settling for diminished security.
Ultimately, the solution here can’t be just hire the most experienced IT professionals. As an industry, we need to grow more IT admins and that take time and training. Finding people with a burning desire to learn and that are good cultural fits for your organization will pay off in the long-run. Those people can be grown into top notch talents, it just takes some time and dedication on your part and theirs.
#4 Key Management
Successful key management is difficult, as it requires system policy, training, and interdepartmental cooperation. However, it is it crucial to the security of your cryptosystem, and poor key management is a huge threat to being compromised.
Proper key management consists of the following:
Key rotation: Frequently changing your keys increases the effort a hacker must take, which is what we’re aiming for. It also decreases information loss, because the number of stored encrypted messages which become readable once a key is found decreases as the frequency of the key change increases. So how often should you change your keys? They should change with each message or interaction, so only the individual message becomes readable if the key is learned (aka “hacked”).
Key Storage: If you store your keys in an insecure place, what is the point of having them in the first place? The most common technique to store keys securely is to use an encryption application that manages user keys and uses an access password to control use of the key.
Key Exchange: How do you securely exchange public keys to transmit sensitive data? Keybase is a widely used application, but some people still prefer to meet face-to-face to sign each other’s keys, doubting that social media is enough proof of identity. It’s up to you.
File Permissions: A key should only be accessible by the owner of that key. Anything else is a security issue. File permissions (also known as file system ACLs) ensure that the owner has read and write permissions – and everyone else has none.
Hardware Security Modules: these are physical devices that safeguard and manage your keys for stronger authentication and cryptoprocessing, and are a great thing to have to guard yourself from attacks.
#5 Social Engineering
Social engineering is still a very effective method that hackers hack, and it isn’t going away anytime soon. Train your staff on what social engineering/phishing looks like, and hire or have someone call up and attempt to socially engineer their way into your company to test the strength of your trainings.
What’s the most coveted digital asset for hackers? That would be corporate identities that grant access to the highest levels of IT resources and classified information. Social engineering is one of the top ways that hackers are able to steal these corporate identities.
Three other ways include hacking employee used sites, compromising partners and vendors, and then traditional techniques (e.g. brute force attacks and dictionary attacks). Learn more about how hackers steal corporate identities and how to stop it.
#6 Shadow IT
Shadow IT refers to IT systems (often unapproved SaaS solutions) that employees implement without the IT department’s knowledge or explicit approval – and it is increasingly prevalent in the modern office. Shadow IT can lead to some innovative solutions, which is part of why Forbes says that CIO’s should be happy about Shadow IT.
But in other ways, Shadow IT lives up to its shady name. Potential risks include higher cost, duplicate services, and wasted time/resources. Security, scalability, and availability can all be compromised, not to mention the regulatory and compliance concerns that Shadow IT brings to the table.
“The worst part of Shadow IT is that it is not connected to the core directory structure,” explains JumpCloud’s James Brown. Many IT admins have no idea how to connect all of these newly implemented devices, applications, and networks back to their core directory.
#7 Lack of Incident Response
The worst of the worst happens and you get hacked. You don’t want to think about it, but it happens to countless companies and it isn’t going to stop happening any time in the foreseeable future.
Do you have a plan?
We recommend having pre-negotiated agreements with 3rd parties in case of a breach. We also recommend implementing a strong testing culture in your organization.
#8 Regulatory Issues
Is your business PCI compliant? It’s important for your reputation, it helps prevent security breaches, and if you get audited, it’s necessary anyway.
In certain fields, IT adherence to HIPAA is crucial. Failure to adhere to regulations could have serious implications, including the ruin of your company.
It’s best to read up on the specific regulations you need to adhere to and to stay up to date.
With the rise of BYOD, more and more employees are taking their work devices home with them. That has contributed to making stolen user devices a huge target for breaches.
Obviously, no employee gets their laptop or smart phone stolen on purpose. But they need to be extra vigilant with a device when it has access to work resources and networks. Preach proper security practices regularly and make sure they know to notify the IT department immediately when there has been a theft.
All work devices should be encrypted from the get-go (most modern operating systems have full disk encryption as an option) and installing software like Prey can help you to locate and return a stolen device. Truly savvy IT admins employ lightweight agents on all devices to ensure that they maintain control even in case of theft. A good directory service will be able to do this for you.
Another potential security issue is when employees prefer to work on Mac devices… wait – I thought Macs were more secure than PCs?
In many ways, they are. But a huge security issue is created when you have data on an unsecured device of any type. Asset management needs to apply to every device that an employee owns. If you’re running Active Directory, then the rise of Macs in the workplace means that a large number of devices may have centralized user management, but are neglected when it comes to enforcing standardized security and operational policies. OpenLDAP also has trouble with Macs, especially when it comes to managing access to web applications.
Find a directory that treats Macs like first-class citizens. Also, implement anti-malware software on Macs; they are not immune like most people think. It’s also wise to implement hardening standards for all your employee’s devices.
#10 BaaS (Bad Guys as a Service)
These days, there is a lot of specialization in the dark underbelly of the web.
Symantec.com says, “Advances in exploit kits, free tools, leased botnets and hackers for hire have made what was once only possible by highly skilled hackers available to anyone with a little technical skill.” Scary. This can make attacks on your systems more effective and more frequent.
What can you do about this? Make sure software patches are up to date with a great SaaS-based patching service. Have a timely plan in place in case of a breach, and stay informed about what is going on in your industry.
#11 No KISSing (Keep It Simple, Stupid)
Today’s world is becoming increasingly complex, a trend which isn’t going to reverse anytime soon. This complexity within organizations increases the possible attack surface and makes tracking data and assets more difficult.
Make it easy to track your assets and data. Come up with a simple system, buy the right SaaS applications, and do not deviate from your plan.
Infidelity website Ashley Madison recently was hacked. The hackers, seemingly acting on moral grounds, asked for the website’s complete shutdown or they’d risk exposure of their customer information. This is a prime example of hactivism, where hackers act as activists while compromising a company’s information.
Have you ticked anyone off lately? You might not even know you stepped on the wrong toes, but in this day and age you need to always be on yours.
A common form of attack by hacktivists is a distributed denial of service (DDOS) attack. Turns out that DDOS attacks are not only increasingly common, but they’re getting larger in size and speed as well. Do you have a plan for these kinds of attacks, and have you tested it? If not, it’s time to get started.
#13 Lack of Security in Intentional Design
When considering SaaS applications, when starting a company, when implementing a new program, you must ask yourself: is security a part of the initial designs? Does that SaaS app you’re thinking of buying have a stringent security initiative and does it have great features revolving around security? Does your company have a comprehensive strategy regarding its security? Can your product tell the user a story about your security?
If not, it’s time to get to work.
#14 The Unmanaged Cloud
The cloud has the potential to be highly secure. But some companies are hesitant to make the move. Many are still stuck using Microsoft AD, which is notoriously clunky when it comes to cloud management.
Companies in the cloud benefit from a directory that can follow their IT infrastructure onto the cloud. The good news is that since cloud security can be averaged over a larger number of customers and systems, it is often less expensive on a unit economic basis. You can’t protect what you don’t know about, and a directory service helps you track your assets and organize them for policy enforcement and credential management.
#15 Wifi Networks
Think that it’s enough to drop an SSID and WEP or WPA key into the access point? Think again. This attitude is the reason that few wireless networks are actually secure – and why gaining access to wireless networks is one of the top ways that hackers get IT resources.
Wireless credentials are rarely rotated and they are often given to visitors. Since wireless networks go past the walls of the business, a hacker can gain access from a car parked on the street.
In order to protect your network, you’ll have to authenticate your users individually on to the wireless network. That can be achieved by back-ending the wireless infrastructure with your directory. The best tool for this task is RADIUS / Radius-as-a-Service.
Things we left out but are worth mentioning
In his Big Data Market Forecast, Jeff Kelly reports that Big Data vendor revenue (including the sale of related hardware, software, and services) reached a staggering $18.6 billion in 2013. That’s a 58% increase from the year before.
While analyzing terabytes of data can lead to never-before-possible insights for your business, it also introduces new risks. It’s impossible to make Big Data completely anonymous and things like a compilation of GPS coordinates can ultimately be used to compromise identities.
The Internet of Things
More and more of daily life is getting connected to the web. The “Internet of Things” means a smarter and more convenient world, but it also opens up a whole new world of vulnerabilities.
So how big of a threat is the Internet of Things, really? Jamison Nesbitt, the founder of Cyber Senate, identifies it as “the main cybersecurity risk for 2015.” From our perspective, it’s still a few years out before the IoT is prevalent enough to pose a top security risk, but proceed with caution.
To Sum It Up:
In this day and age, true security means constant vigilance. Secure companies see security as a daily discipline and an ever-evolving pursuit. It’s daunting, but worth it.
Remember, test everything, and test it regularly. Hardening your systems is well worth it. Train employees on the risks they contribute to IT (like Shadow IT), and teach them how to recognize social engineering and other possible attacks.
It’s also important to be able to securely manage and connect employee identities to IT resources, devices, applications, and networks. That’s what we do here at JumpCloud, and it’s called Directory-as-a-Service®. If you’re still new to the concept of DaaS you can learn more about DaaS and security here. Of course, you’re always welcome to get in contact with us personally through our contact page. If you appreciated the advice you received here, we’d recommend following Chris Nelson (@cryptzero) who was monumental in making this article what it is.
We hope you learned something new from our article today. Feel free to share and pass the knowledge on!