Published on the 21/10/2016 | Written by Anthony Caruana
The basics are still the best for information security…
Cyber security is big business and a complex, ever changing challenge to which company executives must rise. But keeping information secure depends more on getting the basics right than anything else. That much became clear from Rik Ferguson, Trend Micro’s VP for Security Research. His advice to executives includes:
- Understand and enforce good processes
Business email compromise (BEC) has netted thieves in excess of US$3B over the last year with one anonymous company in Western Australia losing AU$700,000 in a single example.
In BEC, someone with financial authority is sent a well-crafted email that looks like it was sent by the CEO or someone senior, instructing them to transfer funds to a bank account. The fraudsters create a false sense of urgency by exploiting information such as executive travel schedules, weekends and personal information found through social media and other means.
“You have to make sure that you and everyone else is fully aware of your processes, that those processes have checks and balances and that everyone is empowered and able to question, particularly financial transactions , anything stepping out of that process,” noted Ferguson.
- Backups are important
“Ransomware is a big deal. We’re seeing ransomware that is going after the enterprise, and not the consumer, that attacks networks shares and even reattaches disconnected shares,” Ferguson pointed out.
Good, reliable, offline backups are one of the best defences against a ransomware attack, he added.
- Education
“Make sure you keep yourself and your employees current on what threats are out there, how they work, and what people should be looking for.”
Education has always been a vexed issue for companies dealing with security breaches. Ferguson did note it was very difficult to teach people what to look for, now that phishing emails and other malicious messages are better crafted, but that it was possible to show people the sorts of messages used by threat actors so that they can become more alert. He advocates a “911” email address people could easily forward potentially suspect messages to.
“Have a system in place that makes it simple to report suspicious incidents and follow up suspicious messages,” he said.
- Mobile devices need to be secured
“One of the great places to do reconnaissance on is in the notes fields of contacts on their desktop or laptop,” said Ferguson. “This is usually synced to smartphone apps.”
And there’s also the rich array of other data people carry on their smartphones and tablets. Ferguson told me that while he was at dinner, during the recent Australian Information Security Industry Association conference, someone left their smartphone at the table. It was unlocked and he had full access to all the data on it.
Setting policies that mandate automatic locking and the use of PIN codes, passwords or biometrics to keep devices secure is important.
- Think about what you connect to
With free WiFi hotspots available almost everywhere, connecting to the internet is easy. But many people make the assumption, said Ferguson, that a password on the network means their data is encrypted.
This isn’t the case. Connection passwords for public hotspots such as those in airport lounges are designed to control access to the network, not to secure data transmissions.
“If you’re carrying out sensitive operations, transmitting sensitive data, worried about eavesdropping – you shouldn’t be doing it on an open network,” he said.
In addition, Ferguson said VPN software should also be employed to protect users from eavesdropping.
