You probably have security holes in your network...
A few common complaints that we hear over and over again: Security is boring! We are overrun with data on why it matters. But can it really affect my business? A virus? Who’s going to attack my server?
Well, we know of an organization where this exact scenario occurred. Their server was attacked and held for ransom. Because of the nature of the threat (posting child pornography on the server and reporting it to the FBI), and because the organization was a medical practice whose reputation was critical, it reported the threat to the FBI. The FBI immediately confiscated the entire server as evidence, leaving the business to run on a backup server. It took many months for the organization to get its server back. So, although the topic of security may be boring, how well you manage your security technology and practices can be essential to your business surviving an attack.
The statistics are scary!
Only 47% of all Internet traffic is generated by humans. The remaining 53% is automated, and the vast majority of that automation is related to malicious activity: viruses, botnets, malware and the like. The computer and internet world is getting more dangerous every day. Compounding the problem, clients do not place enough emphasis on sound security policies. Passwords are almost universally weak and vulnerable. MotherG’s own studies find that over 75% of organizations assessed have inadequate malware protection. Commonly, firewall software is outdated, and the hardware it runs on is old. Policies around the use of the computer network are loose.
6 Common Areas To Address Security Holes
What should be done? A combination of technology, process and education can harden your defense against threats, or shrink your "threat surface." While you cannot eliminate the risk of a breach altogether, the goal of good security is to reduce the areas of risk and make what remains harder to crack: reduce and harden. Here are the top six areas to consider in this effort:
- Gateway Security. Most commonly referred to as your firewall. Firewalls do not break very often, but they do get old, and they lose their effectiveness long before they break. Here are the tips for gateway security:
  - Consider a replacement cycle every 3 years. Newer threats demand newer engines to perform at acceptable levels.
  - Enable intrusion detection on the device (often labelled IDS/IPS in the firewall's settings). This will let you know if someone is trying to break in.
  - Ensure the gateway virus protection is enabled and current. Its signatures should be updated at least weekly, preferably daily.
  - GEO IP filtering. Unless you do business with certain foreign countries, consider blocking connections from those locations at your gateway device. There is a strong uptick in foreign corporate espionage.
  - Botnet filter. Botnet filters check inbound and outbound connections against lists of known-bad IP addresses and domain names. If one is detected, the filter either logs the activity or drops the connection altogether.
  - Update your device’s firmware. New firmware is released to combat known security problems and bugs. Many companies never update their firewall’s firmware, either due to lack of knowledge or laziness. Consider a managed firewall solution so your IT partner does this for you.
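To make the botnet filter concrete, here is an added example (it is not MotherG's code and not any firewall vendor's implementation) that applies a blocklist of known-bad addresses and domains to gateway connection records. The blocklist entries and the log lines are constructed for the example (documentation-only IP ranges and example domains), and the "direction src dst domain" log format is an assumption; a real gateway pulls its list from the vendor's feed. It shows both behaviours the text mentions, log-only and drop, and also matches subdomains of a listed domain and addresses inside a listed network range, which is how real filters generalize a single entry.

```python
"""Blocklist filter over a gateway connection log (added example, not MotherG's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed blocklist: documentation/example ranges only (RFC 5737 / RFC 2606).
BAD_IPS: Set[str] = {"198.51.100.23", "203.0.113.77"}
BAD_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
BAD_DOMAINS: Set[str] = {"c2.example.net", "update.example.org"}

# Constructed log lines; format is an assumption: "direction src dst domain".
SAMPLE_LOG = """\
in  198.51.100.23 10.0.0.5 -
out 10.0.0.12 203.0.113.77 -
out 10.0.0.12 93.184.216.34 www.example.com
out 10.0.0.7 192.0.2.45 c2.example.net
out 10.0.0.7 203.0.113.9 cdn.c2.example.net
in  203.0.113.5 10.0.0.5 -
"""


@dataclass
class Verdict:
    line: str
    action: str   # "allow", "log", or "drop"
    reason: str   # which list matched, empty when allowed


def domain_blocked(domain: str) -> bool:
    """True if the domain, or any parent domain, is on the blocklist."""
    if domain == "-":
        return False
    labels = domain.lower().split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def ip_blocked(addr: str) -> bool:
    """True if the address is listed directly or falls inside a listed network."""
    if addr in BAD_IPS:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BAD_NETWORKS)


def filter_log(log_text: str, mode: str = "drop") -> List[Verdict]:
    """Apply the blocklist to each connection.

    mode is "log" (record the hit, let it through) or "drop" (block it),
    mirroring the two behaviours a gateway botnet filter offers.
    """
    verdicts = []
    for line in log_text.splitlines():
        _direction, src, dst, domain = line.split()
        reason = ""
        if ip_blocked(src) or ip_blocked(dst):
            reason = "ip-blocklist"
        elif domain_blocked(domain):
            reason = "domain-blocklist"
        action = mode if reason else "allow"
        verdicts.append(Verdict(line, action, reason))
    return verdicts


def summary(verdicts: List[Verdict]) -> Dict[str, int]:
    """Count connections per action, the number a console would report."""
    counts: Dict[str, int] = {}
    for v in verdicts:
        counts[v.action] = counts.get(v.action, 0) + 1
    return counts


if __name__ == "__main__":
    for v in filter_log(SAMPLE_LOG):
        print(f"{v.action:5} {v.reason:17} {v.line}")
    print(summary(filter_log(SAMPLE_LOG)))
```

Run as is, the script drops four of the six constructed connections (two by direct address, one by network range, one by subdomain match) and allows the other two; switching to `mode="log"` records the same four hits without blocking them, which is the safer first step when enabling a filter on a production gateway.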
- Endpoint Malware Protection. Every computer on your network must be protected. Computers, laptops, desktops, servers – everything needs protection. But this is not quite enough…
  - Antivirus AND anti-malware. You need to protect against spyware as much as against viruses, and they are different tools. Many newer security suites include both, but be sure yours does.
  - Centrally Managed. Your malware software requires attention. You cannot "set it and forget it." It needs to be updated frequently – best daily. You need to ensure every device has the software installed and is getting updated regularly. The central management console helps report on this – but someone has to watch it.
  - Full Scans Weekly. Every machine needs more than a filter. The little nasty programs can infect your computers in many ways. Do not rely solely on filters to keep the machines clean. You need regularly scheduled scans – typically weekly – that interrogate the whole system to ensure it is OK.
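The "someone has to watch it" part of central management is easy to automate. The following added example (not MotherG's code, and not any vendor's console export) reads a constructed endpoint inventory and applies the three checks from the list above: the agent is installed everywhere, signatures are no more than a day old, and a full scan has run within the last week. The CSV column names and the timestamps are assumptions made up for the example; a real console's export will have its own field names, and the script is the kind of thing you would run daily against that export.

```python
"""Endpoint malware-protection coverage report (added example, not MotherG's code)."""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed inventory; column names are an assumption, not a real vendor format.
INVENTORY_CSV = """\
hostname,agent_installed,last_signature_update,last_full_scan
fileserver01,yes,2024-03-10T06:00,2024-03-09T02:00
laptop-sales-03,yes,2024-03-02T06:00,2024-03-01T02:00
reception-pc,no,,
laptop-cfo,yes,2024-03-10T06:00,2024-02-20T02:00
"""

# Thresholds taken from the text: signatures updated daily, full scan weekly.
MAX_SIGNATURE_AGE = timedelta(days=1)
MAX_SCAN_AGE = timedelta(days=7)

# Fixed "now" so the example is reproducible; use datetime.now() in practice.
REPORT_TIME = datetime(2024, 3, 10, 12, 0)


def parse_ts(value: str) -> Optional[datetime]:
    """Empty cells mean 'never'; everything else is an ISO timestamp."""
    return datetime.fromisoformat(value) if value else None


def coverage_report(csv_text: str, now: datetime) -> Dict[str, List[str]]:
    """Return the hostnames failing each check, keyed by finding."""
    findings: Dict[str, List[str]] = {
        "no_agent": [],
        "stale_signatures": [],
        "overdue_full_scan": [],
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"]
        if row["agent_installed"].strip().lower() != "yes":
            findings["no_agent"].append(host)
            continue  # nothing else to check without an agent
        sig = parse_ts(row["last_signature_update"])
        if sig is None or now - sig > MAX_SIGNATURE_AGE:
            findings["stale_signatures"].append(host)
        scan = parse_ts(row["last_full_scan"])
        if scan is None or now - scan > MAX_SCAN_AGE:
            findings["overdue_full_scan"].append(host)
    return findings


if __name__ == "__main__":
    report = coverage_report(INVENTORY_CSV, REPORT_TIME)
    for finding, hosts in report.items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```

With the constructed data, the report flags one machine with no agent, one with signatures eight days old, and two whose last full scan is more than a week back; a machine missing the agent is reported once rather than for every check, since the other two checks are meaningless without it.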
- SPAM Protection Outside Your Network. Spam is the most common delivery mechanism for threats introduced to your network. So fight the battle against spam outside your network. Don’t let those nasty things into your business.
  - Cloud Service. There are many good services that will filter all your email outside your network. Given that over 90% of email traffic is spam, cleaning your messages before they hit the network will save on bandwidth and reduce your network traffic.
- Lock Down the WiFi. Many networks have WiFi access now. With the proliferation of mobile devices, you might have lots of network traffic that is outside your control.
  - Public/Private. Limit who has access to your WiFi and what that access is for. Consider separate private and guest networks for your employees and your guests.
- Sound Technology Management. Even with good tools and technology, you need to manage the computer network effectively.
  - Patch Management. Many threats to your technology come through holes and bugs in the operating systems of the computers. Patches plug those holes and kill the bugs. This is as critical as good malware protection.
  - Good Passwords. They don’t need to be goofy – just complex. 8 characters with complexity makes a world of difference – but maybe not enough. Most organizations have limited password complexity. Hacking tools can typically break over 75% of passwords in under one minute. Consider these examples…
    - dave --> Instantly (simple)
    - dave2013 --> Instantly (simple 8 character)
    - Dave2013 --> 11 minutes (U/L 8 character)
    - Dave*2013 --> 275 days (complexity high – upper/lower + special)
    - Daveissmarterthanyou --> 6 billion years (long)
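The times in that list come from an unnamed cracking tool, so the added example below (not MotherG's code) does not reproduce them; it shows the arithmetic underneath them. A brute-force search has to cover every combination of the characters in use, so the keyspace is the alphabet size raised to the password length, and that is why the 20-character passphrase dwarfs the 9-character complex one. The guess rate is an assumption chosen for illustration, and the result is a worst-case bound: short passwords built from a name and a year fall much faster to word-list guessing than the keyspace suggests, which is what the "Instantly" entries above reflect.

```python
"""Password keyspace and brute-force time estimate (added example, not MotherG's code)."""
import string
from typing import Dict

# Assumption for illustration only: an offline attacker testing 10 billion guesses/s.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32
}


def character_classes(password: str) -> Dict[str, bool]:
    """Which of the four common character classes the password actually uses."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that contains every character used."""
    return sum(CLASS_SIZES[k] for k, used in character_classes(password).items() if used)


def keyspace(password: str) -> int:
    """Number of candidates a brute-force search must cover: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def brute_force_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that fits, e.g. '1.5 minutes'."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


if __name__ == "__main__":
    # The five passwords from the list above.
    for pw in ["dave", "dave2013", "Dave2013", "Dave*2013", "Daveissmarterthanyou"]:
        print(f"{pw:22} alphabet={alphabet_size(pw):3}  keyspace={keyspace(pw):.2e}  "
              f"~{human_time(brute_force_seconds(pw))}")
```

The printed keyspaces climb from about 4.6e5 for "dave" to about 2.1e34 for the passphrase, and the ordering matches the list even though the absolute times differ from the tool's. The practical lesson for a password policy is the same one the list makes: length multiplies the search by the alphabet size once per extra character, so a long passphrase is both stronger and easier to remember than a short string with symbols.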
- Business Policies. Even with all of the above, you are still vulnerable. Add the following business practices and you start really hardening and shrinking the threat surface.
  - Pen Test Annually. Hire a firm to perform a penetration test of your network annually. Be sure to remediate the issues found, or else it's a waste of time.
  - User Admin Rights. Consider taking them away. Administrative rights allow users to install software and change settings. Taking these rights away limits the ability of the user, and of anyone impersonating the user, to open holes in the network.
  - AUP. Acceptable Use Policies give you the legal authorization to limit, control and prosecute the actions they describe on your network.
  - Filter Sites. This is a blend of gateway technology and policy. The technology gives you the ability, but you need to decide for the organization what is OK for your users. Do you want them on Facebook? Threats come in many different flavors. Consider limiting users to what is needed to do their job. Let them browse on a mobile device that is not connected to your wireless network.
- User Education. End users are not typically malicious in how they introduce threats. Rather, they do very threatening things to your network without even knowing it.
  - Educate Users. Educate users on the common threats, avoidance techniques, and what is OK and not OK in the course of doing their job. Awareness could be your biggest prevention tool.
So What Do We Get?
Money. Time. Peace of Mind. There is much to be gained from sound security. There are many impacts and benefits.
- Less downtime. Servers are less prone to attack and will remain operational – allowing your organization to work as normal. Virus attacks will not hinder users. Your server won’t be confiscated by the FBI.
- Increased user productivity. These security efforts also result in better computer hygiene. They will run smoother and faster, with fewer problems. Users will find they can do their work with fewer interruptions. You have also minimized the risk of lost data from a virus.
- Reduced stress of not knowing. Owners and business leaders will be able to focus on the job and less on the risks of these threats, knowing all is OK.
- Less Risk. Much like insurance, there is less risk of threats to the company.
Back to that client: how was someone able to break into their system in the first place? It was a combination of many of these problems. Passwords were stale, the firewall was not current, and their server was accessible. Alone, each of these problems might not have been enough to create an opening, but combined, they made a ready target. And they were hit. Thankfully they had good backup solutions in place, but they did experience downtime and were forced to spend a lot of money to recover.