10 Ways to Improve Your Cyber Security

When it comes to cybersecurity, there are lots of ways to get it wrong, and far fewer ways to do it right. Knowing the right thing to do doesn’t always mean we follow company security policy and procedures consistently. These lapses in policy implementation can create an easier route for hackers to gain access to your systems.

To keep your company safe from falling victim to the most frequently seen forms of cyber-attack, ask your IT team these 10 questions.  

This list has been compiled based on a joint security alert from the National Cyber Security Centre UK (NCSC-UK), which explains 10 commonly exploited security system weaknesses that can give hackers access to your system and compromise your devices. It also offers advice on the best practices to follow in order to protect you from these attacks.

 

What access controls do we have? 

Controlling access is a great start to strengthening your defences. If a hacker can’t get into your network, then they can’t attack you! Access Control Lists (ACLs) allow you to choose which accounts have access to different areas of your system, letting you control which users can access the most sensitive data files. Start by using ‘allow lists’ which define who is allowed to access files and systems - this means no-one has any access to anything until you specifically allow them.  This is the opposite of how most people think of security - it’s not saying what you can’t do but rather it is saying what you can do. 

When it comes to giving people permissions on your system, the best advice is: just enough and no more. Give people just enough access to do their job and no more. This is known as the principle of least privilege. A typical example is to restrict the use of ‘Admin’ accounts to only those people and tasks which really need them - all other activities, such as reading emails or browsing the internet, should use a different user login with fewer access privileges.
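The allow-list and least-privilege ideas above can be shown in a few lines. This is an added example, not part of the original article; every account name, resource and permission in it is constructed for illustration.

```python
# Added example: a default-deny allow list plus a least-privilege review.
# All accounts, resources and grants below are constructed.

# (account, resource) -> actions that have been explicitly allowed
ALLOW_LIST = {
    ("alice", "finance-share"): {"read", "write"},
    ("bob", "finance-share"): {"read"},
    ("it-admin", "domain-controller"): {"read", "write", "admin"},
    ("bob", "domain-controller"): {"admin"},  # more than Bob's job needs
}

# What each account needs to do its job: the "just enough" baseline.
REQUIRED = {
    ("alice", "finance-share"): {"read", "write"},
    ("bob", "finance-share"): {"read"},
    ("it-admin", "domain-controller"): {"read", "write", "admin"},
}


def is_allowed(account, resource, action, allow_list=ALLOW_LIST):
    """Default deny: access exists only where an entry explicitly grants it."""
    return action in allow_list.get((account, resource), set())


def excess_grants(allow_list=ALLOW_LIST, required=REQUIRED):
    """List grants that go beyond the baseline, so they can be removed."""
    findings = []
    for (account, resource), granted in sorted(allow_list.items()):
        extra = granted - required.get((account, resource), set())
        if extra:
            findings.append((account, resource, sorted(extra)))
    return findings


if __name__ == "__main__":
    # An account that was never listed gets nothing, with no deny rule needed.
    print(is_allowed("carol", "finance-share", "read"))
    print(excess_grants())
```
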

 

Is all our software up to date? 

Not updating software promptly is one of the most common poor security practices – and one of the easiest to do! The updates are usually free from the likes of Microsoft and Apple; you just need to install them.

When software updates are released by providers, they normally list which security vulnerabilities are being fixed. Hackers can read these security releases and become aware of all of the flaws in the software that you use. This means that if you don’t update your software soon after the release of the update, you are much more vulnerable to attack. The industry best practice for installing software updates is currently that all updates should be applied within 14 days of their release.

You should also stop using any programs that are no longer supported by developers – this is known as end-of-life software. These types of programs will no longer receive any security updates, which makes them key targets for hackers. The older a piece of software is, the more time hackers have to find the security bugs which exist in it. Just because you have used a system for a long time in your company does not mean it is worth the risk of exposing all of your company’s and clients’ data to cyber-attacks.
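One way to turn the 14-day window and the end-of-life advice into a routine check is sketched below. This is an added example, not part of the original article; the inventory, host names, product names and dates are constructed, and in practice they would come from your asset or patch management tool.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # the 14-day window quoted in the article

# Constructed inventory. "released" is the release date of the newest update;
# "end_of_support" is the vendor's end-of-life date (None = still supported).
INVENTORY = [
    {"host": "laptop-01", "product": "ExampleOS", "installed": "11.2",
     "latest": "11.3", "released": date(2024, 5, 1), "end_of_support": None},
    {"host": "laptop-02", "product": "ExampleOS", "installed": "11.3",
     "latest": "11.3", "released": date(2024, 5, 1), "end_of_support": None},
    {"host": "vpn-gw", "product": "ExampleVPN", "installed": "4.0",
     "latest": "4.1", "released": date(2024, 5, 12), "end_of_support": None},
    {"host": "till-03", "product": "LegacyPOS", "installed": "2.9",
     "latest": "2.9", "released": date(2019, 3, 4),
     "end_of_support": date(2023, 1, 10)},
]


def audit(inventory, today):
    """Return (host, product, status, days) for every item needing action."""
    findings = []
    for item in inventory:
        eol = item["end_of_support"]
        if eol is not None and eol <= today:
            # No more security fixes will arrive: replace, do not patch.
            findings.append((item["host"], item["product"], "end-of-life",
                             (today - eol).days))
        elif item["installed"] != item["latest"]:
            age = (today - item["released"]).days
            status = "overdue" if age > PATCH_WINDOW_DAYS else "pending"
            findings.append((item["host"], item["product"], status, age))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, today=date(2024, 5, 20)):
        print(*finding)
```
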

 

How do we set up new devices securely? 

When you first get a new laptop or piece of software, the default settings have a lot of permissions that are unnecessary for everyday use, but allow for a more user-friendly set up process. The default accounts will come with usernames and passwords that are easy for hackers to access, especially if these credentials are published online, such as in troubleshooting blogs or customer service websites. Not only will hackers be able to access your data with these accounts, but the extra permissions will allow them administrative access to install malicious software on your device. Because of this, the default usernames and passwords of these accounts should be changed, and it is best to make them inconspicuous rather than calling them ‘Admin’, so that hackers do not know which account to target.

 

What is our password policy? 

Weak passwords allow easy access to your systems, as any access granted to your users can also be exploited by anyone that knows their passwords. Password policies should be consistent company-wide, and include unique usernames and passwords for every user account. If a single user has multiple accounts, then their passwords for each account should also be different. This is so that if a single account does become compromised, it will not cause multiple systems to be affected. Password managers can be used to simplify the need for multiple passwords for different accounts without the risk associated with the re-use of passwords.

Default account passwords should always be changed by the user to something complex and secure. Current advice is to use ‘three random words’ as a password, connected via punctuation or numbers. This creates a memorable password that is too long and random for a hacker to guess. Policies should not require users to change passwords frequently, as this causes people to develop easy-to-remember (and therefore easy-to-guess) passwords that are not very secure.

 

Do we have multi-factor authentication enabled? 

Multi-factor authentication (MFA) uses a password plus something else to authorise a login. These ‘factors’ are a combination of: something you know, something you have, and something you are. The easiest way to do this, and a free one, is to use an authenticator app (such as Microsoft Authenticator or Google Authenticator). Then, when you enter your password to log in to a website, a prompt appears on your phone which you must also click before the login will complete.

Most cyber-attacks are done at a distance – the hackers will not be able to get a hold of your phone even if they have stolen your passwords. This means they cannot pass through the MFA stage of the login process, and will be unable to perform their attack.  

According to research from Microsoft, turning on MFA prevents 99.9% of password-based hacking. MFA policies are particularly important for remote desktop access and cloud-based systems. With more companies opting to continue working from home, remote access to company data is becoming more widely used. Don’t let attackers take advantage of this, and instead make sure you enable MFA on all possible login options.

 

Do we use virtual private networks (VPNs)? 

A VPN is a secure tunnel that connects your devices across the internet, allowing employees to access work files from home as easily and securely as if they were using the on-site office network. This tunnel protects you from being exposed to the internet, where any attacker could potentially attempt to access your system, and reduces the vulnerability of your connection. MFA can increase the security of VPN connections, and installing firewalls can also help to keep out unwanted threats.

Additional software tools called Intrusion Detection and Prevention Systems can keep your network safe from unauthorised access. These tools work by notifying you of any unexpected or suspicious behaviour on the system. You should be quick to respond to these alerts, and investigate the cause, in order to limit the potential damage done before any threats are removed. 

Using out-of-date VPN software (that is missing its latest security updates) is one of the main ways larger businesses have been hacked in recent years – so make sure your VPN is always using the latest software versions and requires MFA when connecting.

 

How do we protect open ports? 

Computers, routers, and other hardware devices connect to each other and the internet through ‘doors’ which are called ports. Hackers can access any of these ports which are left open, and this is one of the most common cyber security weaknesses that occur. Cyber criminals use scanning tools to detect open and accessible ports for them to use in a targeted cyber-attack. To prevent this, all internet-facing services with open ports need to be protected with firewalls. Cloud-based computers can also be attacked in this way, when being accessed through remote access ports.

Don’t make the mistake of thinking that criminals would not know about your business to target you. Most cybercrime is opportunistic – hackers run a program that scans millions of computers in a few minutes and when they find an open port, they try to break into it – often without knowing who it belongs to. Once they have broken in, they can install ransomware or steal data from your network. 
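To know which ‘doors’ need a firewall rule, your IT team first needs a list of what each machine is actually listening on. The sketch below is an added example, not part of the original article: it reads the output of `ss -H -tln` on a Linux host and reports listeners that are reachable from other machines but are not on an approved list. The sample output and the approved ports are constructed assumptions.

```python
# Added example: audit a host's own listening TCP ports against an allow list.

APPROVED_PORTS = {22, 443}  # assumption: ports this host is meant to expose

# Constructed sample of `ss -H -tln` output (Linux, iproute2).
SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432    0.0.0.0:*
LISTEN 0 511  0.0.0.0:3389      0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 511  *:443             *:*
LISTEN 0 128  [::]:22           [::]:*
LISTEN 0 64   [::1]:631         [::]:*
LISTEN 0 100  192.168.1.20:445  0.0.0.0:*
"""


def parse_listeners(text):
    """Return (address, port) for every LISTEN line in the ss output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.split("%")[0].strip("[]")  # drop %iface and IPv6 brackets
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """Loopback listeners are only reachable from the machine itself."""
    return addr == "::1" or addr.startswith("127.")


def unexpected_listeners(text, approved=APPROVED_PORTS):
    """Listeners reachable from the network whose port is not approved."""
    return sorted({(addr, port) for addr, port in parse_listeners(text)
                   if not is_loopback(addr) and port not in approved})


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SS_OUTPUT):
        print(f"not on the allow list: {addr}:{port}")
```

Anything this reports should either be switched off or placed behind a firewall rule.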

Network Segmentation is a process that adds additional firewalls into your system, separating out different areas into layers that are accessed one at a time. This allows users to access only the network layers they need in order to do their jobs, and helps protect the most confidential information in a more secure manner. Introducing a Demilitarized Zone (DMZ) between the internet facing services and your internal network adds to this security. 

 

How do our Cloud service providers protect us? 

Cloud service providers have a range of tools that can monitor unusual access to your cloud data. As with physical computers, cloud-based machines can and should be protected by the use of firewalls and VPNs in order to reduce the possibility of hackers gaining access. Cloud computers are also vulnerable to cryptojacking, an attack in which the hacker uses your Cloud PC to mine Bitcoin or other cryptocurrency, which requires very high levels of computing power. In other words, the criminals inflate your cloud computing bill in order to get their hands on this cryptocurrency, which they then sell, keeping the money.

Depending on what level of cloud computing your company uses, your cloud service providers will be responsible for different levels of protection. Making sure you enforce MFA on all user logins is one way you can help reinforce the security your cloud providers implement. 

 

What anti-virus software do we use? 

Endpoint Detection Systems, also known as anti-virus software, can detect known threats to your devices and networks. They work by producing anti-virus reports and logs that detail any malware they have found on your device, and any suspicious activity that has occurred on your accounts. These reports need to be checked regularly in order to keep on top of any cyber-attacks. If you don’t read through the logs then you are not taking full advantage of the protection these systems provide. It’s a sad fact that the evidence that a hack is taking place is always in the logs, but often not spotted for several months after it first happens. 

Log files should be kept in a separate centralised system to safely and securely keep track of events or incidents that have occurred. Use these logs to help investigate the reasons behind any suspicious activity or software. Security Information and Event Management (SIEM) tools can be used to centralise log stores, and should be well protected in order to prevent attackers from accessing and changing the log files, which could prevent further investigation into an incident.

 

How can we prevent phishing attacks? 

Some anti-virus software will successfully block phishing attacks if the attack methods are well-documented. However, as many phishing attempts are zero-day attacks, not all attempts will be recognised and prevented. One of the best defences against phishing is proper training of users to spot phishing attempts and report them - such as educating staff to be cautious about receiving and opening unexpected attachments on emails. You can further protect against phishing attacks by ensuring that everyday user accounts do not have permission to change system configurations – restrict this access to administrator accounts only. Generally, administrator access should be required in order to download and install software, or run .exe files. The NCSC recommends a multi-layered approach to phishing defences, such as through the use of anti-spoofing controls, which make it harder for attackers to trick users by appearing as trustworthy sources. 

 

Cool Waters can help companies like yours to make sense of Cyber Security and to introduce the right level of protection for your business and budget. 

 
