A whitepaper by Quartet Service Inc.
www.quartetservice.com
Introduction
This whitepaper highlights the often overlooked weak link in cyber security: your staff. You will learn about the issues, the statistics and the solutions. Let’s start with a real security nightmare from one of our clients.
The Big Cheese’s Moldy Passwords
Sometimes they are intentional, but most times they are mistakes or a simple lack of knowledge.
Our client, “ABC Inc.” is a very profitable 50 person financial services firm. They were founded 20 years ago and have an enviable reputation. We’ve been
serving them for years.
It all started this past Labour Day. It was 11:15pm when our Account Manager received an understandably frantic email from ABC Inc.’s CIO. The CIO, “Phil”,
had been alerted that they were missing critical business data from their file servers. The missing files were highly sensitive; in fact only ABC’s CEO and
“Phil” had access to them. They included client data, financial results and more. It was also discovered that almost 70,000 of the CEO’s emails were
missing (accumulated within his inbox and sent items over a decade). A nightmare scenario.
Our Account Manager and Sr. Systems Engineer went into immediate action. We took the file servers offline, isolated the IP and replicated the servers.
Because the infrastructure was well configured, we were able to recover all the data as of the previous day. By 9:30am Tuesday, all the lost data was
restored and the servers were fully functioning with almost no staff downtime. We were also able to restore the CEO’s Exchange folders and individual
messages within a few hours.
But the very large elephant in the room was “how did this happen?” We started by isolating the servers, and then built a Splunk server and examined the
hundreds of thousands of security logs. Our investigation was soon complete and the security logs were conclusive.
The data had been accessed and then deleted from the CEO’s home computer. This led to many more questions as the CEO wasn’t home at the time! At this point
we didn’t know if this was a virus or an intruder.
We dug further into the records and discovered that the “weak link” was the CEO himself. He used the same password for many things, including access to
these files. He also had disabled the password change requirement. In fact, he had not changed it in over 10 years. During those 10 years, a lot of people
were given that password for troubleshooting issues and other reasons. Over the years of many people coming and going, at least one of them appears to
have left disgruntled. It was as simple as that: an aging password that was overused and never changed. If not for the infrastructure we had in place,
this would have been a disaster.
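The investigation above was settled by the file-server security logs. The Python script below is an added example, not Quartet’s code or the Splunk searches used in the incident: it parses a constructed sample of key=value audit events (the line format, host names, account names and addresses are all assumptions) and flags the pattern the story describes, a burst of deletions by a privileged account from an address outside the corporate network, outside business hours.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-server audit events as they might be forwarded to
# a SIEM. The key=value format and every value in it are assumptions made for
# this example; they are not log lines from the incident described above.
SAMPLE_LOG = """\
2014-09-01 09:12:04 host=FS01 user=CORP\\phil src=10.0.0.23 event=FileRead path=\\\\FS01\\Exec\\budget.xlsx
2014-09-01 22:41:10 host=FS01 user=CORP\\ceo src=203.0.113.45 event=FileRead path=\\\\FS01\\Exec\\clients.xlsx
2014-09-01 22:41:55 host=FS01 user=CORP\\ceo src=203.0.113.45 event=FileDelete path=\\\\FS01\\Exec\\clients.xlsx
2014-09-01 22:42:03 host=FS01 user=CORP\\ceo src=203.0.113.45 event=FileDelete path=\\\\FS01\\Exec\\results_q2.xlsx
2014-09-01 22:42:09 host=FS01 user=CORP\\ceo src=203.0.113.45 event=FileDelete path=\\\\FS01\\Exec\\results_q3.xlsx
2014-09-01 22:42:15 host=FS01 user=CORP\\ceo src=203.0.113.45 event=FileDelete path=\\\\FS01\\Exec\\board_notes.docx
2014-09-02 08:05:30 host=FS01 user=CORP\\phil src=10.0.0.23 event=FileDelete path=\\\\FS01\\Exec\\old_draft.docx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+) path=(?P<path>\S+)$"
)

# Address ranges the organisation owns (assumed); anything else counts as external.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local time


def parse_log(text):
    """Turn raw audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["src"] = ipaddress.ip_address(ev["src"])
        events.append(ev)
    return events


def is_corporate(addr):
    return any(addr in net for net in CORPORATE_NETS)


def burst_size(events, window):
    """Largest number of time-sorted events that fall inside any span of length `window`."""
    best, j = 0, 0
    for i in range(len(events)):
        while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
            j += 1
        best = max(best, j - i)
    return best


def find_suspicious_deletions(text, window=timedelta(minutes=5), threshold=3):
    """Group FileDelete events by (account, source address) and flag groups that
    match the incident pattern: many deletions in a short burst, deletions from
    outside the corporate network, or deletions outside business hours."""
    groups = defaultdict(list)
    for ev in parse_log(text):
        if ev["event"] == "FileDelete":
            groups[(ev["user"], ev["src"])].append(ev)

    alerts = []
    for (user, src), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        if burst_size(evs, window) >= threshold:
            reasons.append("bulk_deletion")
        if not is_corporate(src):
            reasons.append("external_source")
        if any(e["ts"].hour not in BUSINESS_HOURS for e in evs):
            reasons.append("off_hours")
        if reasons:
            alerts.append({"user": user, "src": str(src), "deleted": len(evs),
                           "paths": [e["path"] for e in evs], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_deletions(SAMPLE_LOG):
        print(f"{alert['user']} from {alert['src']}: {alert['deleted']} deletions "
              f"({', '.join(alert['reasons'])})")
```

On the sample, Phil’s single working-hours deletion from the office network produces no alert, while the four deletions by the CEO account at 22:41 from an external address trigger all three reasons. The same three signals (volume, source and time of day) are what a scheduled SIEM search would alert on in real time, rather than after the data is already gone.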
This raises the question: what do you do when you are the problem? Most of us have similar inadvertent holes, and the challenge is how to find them and manage
them. Where are yours?
Why are “We” the Weakest Link?
No matter what your size, information is likely your company’s most important asset. Anyone with access to any part of the system, physically or
electronically, is a potential security risk. The main security breaches caused by employees are:
1. Generation X and Y grew up in the Internet age, where an infinite volume of information is as close as the nearest Wi-Fi hotspot. There is an expectation that digital information is readily available
and free. This culture of carelessness is a real security threat. These generations’ digital habits risk devaluing information as a proprietary resource.
Problems arise when employees treat data casually, sharing widely, sharing on social media, and taking valuable information with them when they leave.
2. Same Staff, More Devices: IT staff are each dealing with about the same number of employees. However, the number of devices has tripled or more, as a result of the
smartphone and tablet explosion and the BYOD (bring your own device) phenomenon. The complexity of handling these “additional” devices has opened security
holes that are often exploited.
3. BYOD: When you have a BYOD policy, there is the obvious risk of an employee leaving with your data on their device. What many organizations don’t factor in is
that mobile apps for personal use may unwittingly allow third-party access to corporate information stored on their devices. These apps may also be
pre-infected with malware, which might be instructed by hackers to steal information from the device without alerting the users. As well, should employees
connect to open Wi-Fi networks, the corporate data stored on their devices might also be exposed.
4. Lost and Stolen Devices: In their “Billion Dollar Lost Laptop Study,” independent research firm Ponemon Institute concluded that the average
cost of a stolen laptop came to over $49,000, and topped $56,000 if the device didn’t include adequate safety measures (which the majority in the study did
not). The cost of the hardware and software replacement is just the start. The real costs are the recovery costs and legal fees. The study showed how
these devices were lost:
a. 43% were lost off-site (hotel rooms, off-site business functions, etc.)
b. 33% were lost in transit or travel
c. 12% were lost in the workplace
d. 12% were completely unaccounted for
5. Weak Passwords: Too many of us use very weak passwords. These passwords are frequently attacked. However, that’s not the only issue. We’ve all used the “I forgot my
password” button where you’re either sent an email or prompted to answer a few personal questions. Unfortunately, the security of the password reset
function is often weaker than the password, making these functions attractive targets. Social networking sites have made it easy for bad guys to guess the
answers to common “personal security questions” such as your mother’s maiden name, location of honeymoon, pet’s name, etc.
6. Phishing: This is one of the most common security scams, whereby opening an email attachment launches a virus. Individuals will send infected files as
attachments with a catchy subject line in the hope that recipients will open them. The bad guys employ a number of ways to entice unsuspecting users into
opening e-mail attachments, from pornography to phony security warnings and advice. Phishing schemes customized for individual targets are the latest
trend.
7. Size Doesn’t Matter: Many SMBs think they are immune because they are small. “Why would anyone go after us?” They are wrong. SMBs constituted 31% of targeted attacks in 2012,
according to the National Cyber Security Alliance. SMBs may have smaller pockets, but those pockets are much easier to get into. The bad guys always look
for the “easy score” and avoid the hard ones. Remember the old story of outrunning the bear. You don’t need to be faster than the bear. You need to be faster
than the guy next to you.
Phishing Facts
• A phishing attempt sent to just 10 employees will gain access to your information over 90% of the time.
• 23% of recipients open phishing messages, and 11% click on attachments.
• Over 20% of cyberattacks are phishing attempts, and this trend has been growing since 2011.
• 75% of attacks spread from victim 0 to victim 1 within 24 hours.
• With the rise of BYOD, 68% of organizations have experienced a mobile security breach.
Phishing for Dollars $$
Sometimes the employee can be the security flaw, and sometimes they can be the hero! In this story we have both. Another Quartet client with over 1,000
employees was recently targeted by a very sophisticated hacking attempt. This financial industry client stores sensitive client financial data, making
security a major priority for them. Their extreme care with security paid off.
Our client uses a type of two-factor authentication with RSA tokens. Getting access to data is based on two factors: something you know (a password) and
something you have (an authenticator/token such as a USB token, smart card or key fob). When a user attempts to access a protected resource, he is prompted
for a unique passcode. The passcode is a combination of the user’s password and the code that is displayed on the authenticator token at the time of log
in. Without both, access is denied.
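To make the two-factor check concrete, here is an added Python example; it is not the client’s RSA configuration (RSA SecurID uses its own proprietary token algorithm, so the standard TOTP scheme from RFC 6238 stands in for the token). It takes a single passcode made of the password followed by the six-digit token code, as the paragraph describes, and grants access only when both parts are right. The password and token seed are constructed demo values; the seed is the RFC 6238 reference seed, chosen so the result can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo credentials. In a real deployment the password hash and the
# token seed live in the authentication server's store, never in source code.
DEMO_PASSWORD = "correct horse battery staple"
USER_PASSWORD_HASH = hashlib.sha256(DEMO_PASSWORD.encode()).hexdigest()
TOKEN_SEED = b"12345678901234567890"  # RFC 6238 reference seed (assumed for the demo)
CODE_DIGITS = 6
STEP_SECONDS = 30


def totp_code(seed, unix_time, step=STEP_SECONDS, digits=CODE_DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the current 30-second counter, then the
    dynamic truncation from RFC 4226 reduced to `digits` decimal digits."""
    counter = int(unix_time) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_passcode(passcode, now=None, drift_steps=1):
    """Split the passcode into password (something you know) and token code
    (something you have) and require both. The token code is accepted for the
    current 30-second window plus or minus `drift_steps` windows of clock drift."""
    if len(passcode) <= CODE_DIGITS:
        return False
    password, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
    now = time.time() if now is None else now

    password_ok = hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), USER_PASSWORD_HASH)
    # Check every window in the drift range rather than stopping at the first
    # match, and evaluate both factors before combining them, so the time taken
    # does not reveal which factor failed.
    token_ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp_code(TOKEN_SEED, now + d * STEP_SECONDS)
        token_ok |= hmac.compare_digest(code, expected)
    return password_ok and token_ok


if __name__ == "__main__":
    current = totp_code(TOKEN_SEED, time.time())
    print("right password, right token:", verify_passcode(DEMO_PASSWORD + current))
    print("right password, stale token:", verify_passcode(DEMO_PASSWORD + "000000"))
    print("wrong password, right token:", verify_passcode("guess" + current))
```

This is also why the phone call in the story mattered: a phished password gets the caller past the first check only, and the six digits on the token are worthless to them after thirty seconds unless the employee reads out a fresh one on demand.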
As we said, this hacking attempt was sophisticated and well planned. They first used an email phishing scam to convince an unwitting employee to give up
their password. The hackers got one half of the authentication with their phishing scam. At this point the hackers called the client pretending to be from
tech support. Their story was that some of the tokens were malfunctioning. This employee was asked to provide the token number to verify whether the one they
had was defective or not. Lucky for our client, this employee knew not to give up the information; the scam was put to a halt and all passwords changed.
However, if the employee had given in, the hackers would have had the ability to transfer money from the firm’s bank accounts. A disaster they may not have
recovered from.
How well trained are your employees in not giving up their passwords? Does your firm need or use two-factor authentication?
Educate your Employees on…
1. Phishing scams
Employees should be trained to scrutinize e-mails to determine whether they are legitimate. Do they:
• Come from someone they know?
• Come from someone they have received mail from before?
2. No weak passwords
• Passwords should not be easily guessed. “123456” is still the world’s most common password, even outranking “password.”
• Create a password of at least 8 characters with letters, numbers and uppercase characters
• Don’t reuse the same password
3. Ensure you have and explain BYOD Security Policies
• Which employees are eligible for access?
• Should you require data as well as app or device restrictions?
4. No downloading of unauthorized software
Many system threats are disguised as programs that are free to download on the Web.
5. Social Media Policy
It will seem like common sense; however, it is startling how often it happens. Ensure your staff know where to draw the line in what
they share socially.
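An added Python example (not from the whitepaper) that turns the “No weak passwords” rules into a check a help desk or self-service reset page could run: it rejects entries from a common-password list, enforces the 8-character and mixed-character rules, and catches reuse by comparing the candidate against salted PBKDF2 hashes of the user’s previous passwords rather than keeping the old passwords themselves. The common-password list is a constructed stand-in for a real breached-password list.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real common/breached password list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123",
                    "letmein", "welcome1", "Password1"}
MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 (standard library only), stored as 'salthex:digesthex'.
    Only these hashes of earlier passwords are kept for the reuse check."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_hash(password, stored):
    """Constant-time comparison of `password` against a stored hash_password() value."""
    salt_hex, digest_hex = stored.split(":")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def check_password(candidate, previous_hashes=()):
    """Return the list of policy violations for `candidate`; an empty list means
    it is acceptable. The rules mirror the checklist above: not guessable,
    at least 8 characters with letters, digits and uppercase, and not reused."""
    problems = []
    if candidate.lower() in {p.lower() for p in COMMON_PASSWORDS}:
        problems.append("common")
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isdigit() for c in candidate):
        problems.append("no_digit")
    if not any(c.isupper() for c in candidate):
        problems.append("no_uppercase")
    if not any(c.islower() for c in candidate):
        problems.append("no_lowercase")
    if any(verify_hash(candidate, h) for h in previous_hashes):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    history = [hash_password("Summer2013!")]
    for attempt in ["123456", "password", "Summer2013!", "Tr0ub4dor&3x"]:
        verdict = check_password(attempt, history) or ["ok"]
        print(f"{attempt!r}: {', '.join(verdict)}")
```

The case-insensitive match against the common list means “Password” and “PASSWORD” are rejected along with “password”; the reuse check works on hashes, so the history can be stored without ever holding a plaintext password.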
How to Defend your Organization from Itself
Modern security programs don’t come out of the box. They are an ongoing combination of technical protection and management of people. It’s the management
component that is most often the weak link. To avoid becoming a target ensure your organization is doing the following:
1. Standard Technical Protection: Firewalls, antivirus, active threat monitoring, etc. Most companies have these. The biggest flaw we see
is that they are not always kept up to date. The base level of protection here is not just technical. It is also the managerial process of the upkeep.
2. Educate, then Educate Again, then Again: It’s critical to get your employees to understand the risks involved and to then follow simple procedures. Repetition is key, as old habits die hard.
Training needs to be memorable and impactful. This is not a do-it-once-and-you’re-done project; best practices will change, people will forget and new staff
will come in.
3. Standardize Processes to Minimize the Human Factor: Company-wide standardized policies will help. Advancements in technology also will. Don’t get stuck in old ways of doing things. Look for ways/technology that
will automate processes such as updates, storage and monitoring.
4. Be Humble, It Will Happen: People are people, mistakes will happen. Ensure you have a plan in place for when it does. Are your devices encrypted? Can they be wiped remotely? How
regular are your backups? Prepare for the worst and hope for the best. Also ensure you test these measures. We have seen many strategically brilliant
disaster recovery plans not work when needed.
One Last Security Tale of Terror
It’s not always just your employees who are the weak links. It’s also your vendors, contractors, consultants and more. This last story is a short one. It
involves a firm involved in foreign exchange. It has a large list of clients and handles a significant amount of sensitive financial data for those
clients.
This firm was working with a number of vendors (with full NDAs and other standard contracts in place) on various projects. One of these was a consultant
who, for all the right reasons, had a large amount of sensitive client data on his laptop. While travelling for business he rented a car. The car was
broken into. The laptop was gone.
The theft itself was unavoidable. What was avoidable was the absence of a security procedure to remotely wipe the hard drive of that laptop as soon as
it was turned on. Without that in place, the firm had to go into immediate action: informing clients, working on PR and getting legal involved. When the
dust settled, the total cost of the incident was over $2 million. Luckily this firm was able to move on despite the financial loss. Smaller firms
would not have been as fortunate.
How much sensitive data do your vendors and contractors possess? How good is their security? What would you do if a laptop with sensitive info was lost or
stolen?
Summary
Get Started! It’s the 80/20 rule. You will get 80% of the benefit from 20% of the work. The sooner you start the sooner you’re protected.
Firewalls, antivirus, cyber-security policies, active threat scanning and network monitoring: these are just some of the tools Quartet uses with our
clients to help protect our clients’ data. However, in our experience, organizations can perfect all this but in the end the weakest link is often the human
element.
This is because just about every technical countermeasure that brilliant engineers devise to protect systems and data can be accidentally or intentionally
circumvented by the end users. The human being remains the weakest link in almost every information security chain.
There is no 100% guaranteed solution to this. However, technology is advancing to slowly make security “human being proof”. Through innovations such as two-factor
authentication and Quartet’s own service Pure Desk™, we can start taking the human element out of the security chain.
Stakeholders within organizations need to start asking themselves serious questions beyond the quality of firewalls and antivirus. Are your staff sensitive
to how important your information and data is to the organization? Can they sniff out hacking attempts? Do they have proper passwords? What scale of
protection do you need? Your exposure risk will be vastly different if you are a manufacturer vs. a hedge fund.
These questions are just the start. There is always much more to explore and delve into. Quartet can help. If you have any questions or need further
information we’re always an email or phone call away.
416-483-8332 – info@quartetservice.com – www.quartetservice.com
About Quartet Service Inc.
Quartet specializes in IT services for mid-sized organizations. We invest in people and technologies on behalf of our clients, bringing them economies of
skill and scale they could not otherwise achieve. We have an exceptional value proposition that our 18 year track record is testament to. We customize IT
products and services (primarily infrastructure management) to suit our clients’ needs and budgets.
Services include: hosted server and telephony infrastructure, user support, project management and consulting. All services are designed to bring IT
agility. For example, upfront costs are rare, small development projects are common and most clients have unlimited-service, flat-fee support contracts.