As businesses place more reliance on technology for their day-to-day operations, the risks associated with a data breach or compromise, and their potential impact on business operations, are also increasing. Threats are diverse and fast-changing; we’ve recently seen attacks ranging from simple ‘phishing’ e-mails to full-scale network breaches gaining access to business-critical and sensitive data.
At Stephens IT we support and engage with a wide and varied customer base, from standalone single networks to multi-national corporate WANs. With notable differences between customer set-ups, we are constantly advising and consulting our customers on their individual security approach, which can take many different forms and is bespoke to each individual business.
Recently we have seen a marked increase in cyber-related incidents across our customer base, from an increase in phishing e-mails attempting to gain access to customer e-mail accounts, through to security breaches caused by a range of malware, ransomware and compromise attacks.
With global ransomware damage costs predicted to exceed $11.5 billion in 2019 (up from $325 million in 2015), businesses need to ensure their security systems are not just up-to-date, but also well tested, as we detail below.
We recently undertook a project for a large customer as part of a security review of their IT estate, in which we provided a network compromise exercise without the knowledge of the internal IT team. The outcome of our exercise resulted in a scenario where we gained ‘complete control’ of the corporate network. Regular network penetration testing forms part of our proactive security policy and is something that we perform for clients as well as our own internal systems.
During the exercise, our security engineers were purposely ‘let in’ to the system to simulate a phishing exercise which would give a hacker access to the employees’ system. During this first breach, our engineers discovered valuable encryption keys and security credentials which were easily compromised, giving them access to wider elements of the system. Our engineers were able to create a deep access tunnel to send data back to our own servers without being detected (no real customer data was sent across the network – only test data). The customer’s internal team noticed this unexpected traffic after 36 hours, subsequently closing the tunnel and noting the system compromise.
This exercise enabled us to create a comprehensive report for the customer, which included a detailed analysis of our breach strategy and important security aspects to ‘highlight’ within their system, such as storing admin credentials on user accessible shares. Recommended security policies were also included.
The key principles of security still apply within smaller environments, regardless of headcount or infrastructure size. However, we recognise that not all businesses will even perform a security policy review, let alone a full-scale penetration and breach testing exercise like the one detailed above. With cyber threats on the increase, we are helping our customers understand and modify their systems to mitigate the risk of attacks or breaches. A few key points are:
- User education is key. End-users are often unaware of the level of threat that even clicking a link in a phishing e-mail can lead to, so improving user knowledge of the different types of attack and strategy can help to reduce the risk of compromise.
Recently we performed a ‘phishing’ simulation for a corporate network. In this scenario, we produced a fake phishing e-mail which we sent to members of the finance team, requesting them to review a document which actually contained a suspicious file. Disguised as the company’s CFO, we sent the e-mail from an external domain with the CFO’s e-mail signature that users were used to seeing on a daily basis. The result of the test showed that 38% of the finance team opened the link and acted as if the e-mail was genuine – a staggering figure which shows how important user awareness is, along with prompt reporting to internal or external IT teams who can then determine the authenticity of the mail.
- Implementing basic security policies – we often find that business and corporate networks attempt to deal with security by installing firewalls, which are typically unmonitored. Simple policies can have a drastic impact in improving the security and reducing the vulnerability of an IT network – some commonly overlooked policies include:
- Restricting local administrator rights, which are often given to standard users and grant them more access to systems than should be permitted
- Ensuring shared drive / data permissions and controls are up-to-date
- A procedure for reviewing / actioning anti-virus scan results and errors
- Redirection and security of user profiles and user data
- Implementing a Ctrl+Alt+Del requirement at logon
- Login policies and scripts to specifically control user / network data
- Firewall protection, with active monitoring and reviewing of threats
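As an added illustration (not a Stephens IT tool or part of the original article), the following PowerShell audit reports on three of the policy areas listed above: local administrator membership, broad share permissions of the kind that leave admin credential files reachable, and the Ctrl+Alt+Del logon requirement. It assumes Windows PowerShell 5.1 or later run elevated on the machine being reviewed, and the `$allowedAdmins` list is a constructed placeholder to adjust per site.

```powershell
# Read-only audit of three policies from the list above; it reports, it does not change anything.
# Assumes Windows PowerShell 5.1+ (LocalAccounts and SmbShare modules), run as an administrator.

$findings = @()

# 1. Local administrator rights: any member outside an agreed allow-list is flagged.
#    $allowedAdmins is a constructed example; replace with the accounts your policy permits.
$allowedAdmins = @('Administrator', 'Domain Admins')
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $short = ($member.Name -split '\\')[-1]
    if ($allowedAdmins -notcontains $short) {
        $findings += "Local admin rights: unexpected member '$($member.Name)' ($($member.ObjectClass))"
    }
}

# 2. Shared drive permissions: flag user-created shares where broad principals are allowed
#    more than Read. Such shares are where admin credentials are often left accessible.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $ace.AccountName -and
            $ace.AccessRight -ne 'Read') {
            $findings += "Share '$($share.Name)': $($ace.AccountName) is allowed $($ace.AccessRight)"
        }
    }
}

# 3. Ctrl+Alt+Del requirement: DisableCAD = 1 means the secure logon sequence is switched off.
#    If the value is absent the policy has not been set explicitly; review the effective setting.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$disableCad = (Get-ItemProperty -Path $policyKey -Name DisableCAD -ErrorAction SilentlyContinue).DisableCAD
if ($null -eq $disableCad) {
    $findings += 'Ctrl+Alt+Del logon requirement is not explicitly configured (DisableCAD absent)'
} elseif ($disableCad -eq 1) {
    $findings += 'Ctrl+Alt+Del logon requirement is disabled (DisableCAD = 1)'
}

if ($findings.Count -eq 0) { 'No findings for the three checks.' } else { $findings }
```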
- Assigning roles and responsibilities to either internal teams or external, outsourced consultants is another area we find customers do not evaluate until threats are realised. Clearly identifying the various security roles within an IT infrastructure can be complex, with various providers, systems and experts needing to work coherently across all areas of the infrastructure to deliver a clear security strategy and procedure. Often internal teams assume that external consultants are actively monitoring firewall traffic and investigating anti-virus logs, when this isn’t the case. Oftentimes, consultants provide reactive services on a break / fix model rather than preventative monitoring solutions aimed at discovering threats before they take hold.
While both the threats and the techniques cyber criminals use continue to evolve, it’s the job of security professionals to keep pace, and to monitor, isolate and resolve them as they occur. We urge business stakeholders (especially in the SME market, where these tasks are often overlooked) to take the time to review their current security arrangements, ensuring protection and prevention are in place for the security of their business.
If you have any concerns relating to Cyber Security, or want to find out more, don’t hesitate to contact us for some impartial advice.