Mustard IT Archives - Cyber Secure Forum | Forum Events Ltd

GUEST BLOG: From employee to security risk – How to protect your business

Stuart O'Brien

By Alex Viall, Director, Mustard IT

As businesses become more aware of the threat of cyber-attacks, technical defences are becoming stronger. It’s far more difficult to hack into corporate networks than it used to be. Because of this, hackers are creating new methods of accessing secure data. These efforts are being directed at the new weakest link in corporate cyber security: employees.

Hackers are using social engineering methods and phishing attempts to convince employees to click on spoofed links, open malware-loaded attachments, or even give away confidential data. Once a networked computer is compromised, data mining or ransomware attacks can follow very quickly.

This is not a small-scale issue. As recently as August 2017, over 700 million email accounts were used to send malicious emails loaded with malware designed to scrape computers for sensitive data. In many cases the messages mimicked official corporate email addresses and appeared to have been sent from legitimate servers.

In addition to this primary risk, some sophisticated hacking teams are planting employees within large corporations in order to gain access to data first hand. In other instances, disgruntled employees are acting individually to inflict malicious damage on company networks, data or reputation.

What can be done to reduce this internal cyber-attack risk? It’s a combination of systematic training and awareness campaigns, consistent engineering of employee behaviour, and investment from the top of the company down. Here is a list of actions you can implement in your business to help reduce employee-related cyber-attacks.

Employee risk awareness and training

Assess the culture of your business. Is there a high awareness of cyber-security issues? How is training currently conducted? Is it effective? Understanding how your employees think about security will help you to position the rollout of the following action steps. Training programs can be tailored to your environment, and could range from conference-style sessions to gamification methods (or a combination of the two).

Training must be relevant and cover the most common ways employees are exposed to cyber-attack risks. Importantly, this training cannot be a one-off initiative. As hackers create new methods of attack, employees must be kept up to date and be reminded of their crucial role in protecting the company from incursions. Make information readily available for staff to access at any time after training is conducted.

Control for risk

A thorough risk assessment is required in order to identify potential weaknesses and entry points for malicious software. Implement controls at every point where a hacker could come into contact with your systems. For example, a hacker may impersonate a corporate email address, gain access to a genuine employee account, execute transactions, create further phishing emails, and install malware; each of those steps is a point at which a control can intervene. Update these controls and test them frequently.

Strategic use of analytics

Periodic analyses of network use should be run to identify unusual interactions with the system. The following activities may be red flags for deliberate malicious activity or for hijacked accounts:

  • An employee is accessing company networks out of hours,
  • A poorly performing employee is spending time accessing secure or sensitive information without apparent cause,
  • Unusually large files being downloaded, or
  • Any other out-of-character actions being recorded.

Identifying these digital trails early can alert employers to attacks that would otherwise go unnoticed. It may also provide a chance to sharpen employee focus on appropriate use of employer networks.
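The red flags listed above (out-of-hours access, unusually large downloads, sensitive data accessed without an apparent need) can be checked mechanically against access logs. The script below is an added illustration, not code from Mustard IT or this post; the log format, the entitlement table, the working-hours window and the "5x the user's median" threshold are all assumptions, and the log lines are constructed sample data.

```python
"""Flag the out-of-character activity the post lists, over constructed access log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real data): timestamp, user, action, resource, bytes
SAMPLE_LOG = """\
2017-09-04T09:12:00 alice download /shared/q3-forecast.xlsx 240000
2017-09-04T10:40:00 alice download /shared/team-rota.docx 90000
2017-09-04T11:05:00 bob   download /hr/payroll-export.csv 120000
2017-09-05T02:17:00 alice download /finance/ledger-full.zip 5200000
2017-09-05T13:30:00 bob   view     /hr/payroll-export.csv 0
2017-09-09T15:00:00 carol download /finance/board-pack.pdf 3100000
"""

WORK_HOURS = (8, 18)                 # assumed 08:00-18:00, Monday to Friday
LARGE_RATIO = 5.0                    # a download over 5x the user's median is unusual
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
ENTITLED = {"/finance/": {"carol"},  # hypothetical: who normally needs each area
            "/hr/": {"bob"}}


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, action, resource, size = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "action": action, "resource": resource, "bytes": int(size)})
    return rows


def out_of_hours(ts):
    return ts.weekday() >= 5 or not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1])


def flag_events(log):
    rows = parse(log)
    downloads = defaultdict(list)
    for r in rows:
        if r["action"] == "download":
            downloads[r["user"]].append(r["bytes"])
    # Per-user baseline; a user with only one download can never exceed their
    # own median, so in practice the baseline needs history beyond this sample.
    baseline = {u: median(b) for u, b in downloads.items()}
    findings = []
    for r in rows:
        reasons = []
        if out_of_hours(r["ts"]):
            reasons.append("out-of-hours")
        if r["action"] == "download" and r["bytes"] > LARGE_RATIO * baseline[r["user"]]:
            reasons.append("unusually-large-download")
        for prefix in SENSITIVE_PREFIXES:
            if r["resource"].startswith(prefix) and r["user"] not in ENTITLED[prefix]:
                reasons.append("sensitive-access-without-entitlement")
        if reasons:
            findings.append((r["user"], r["resource"], reasons))
    return findings
```

Each finding is a lead for a human reviewer, not proof of wrongdoing; the entitlement list in particular needs to come from HR or the access-management system rather than be hand-maintained.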

Accountability and modelling behaviour

Taking a top-down approach to cyber-security is critical to ensuring employee engagement with the issue. If management is seen to value proactive security, that attitude is more likely to filter down to departments and staff. This could manifest as allowing a larger budget for training and processes, or as regular company-wide communications. In addition, a single manager should be ultimately responsible for cyber-security at the company, and the chain of accountability should be clear. Depending on the size of the company, this could be a full-time role or an additional responsibility for a manager. In either case, cyber-security should be treated as an absolute priority within that role.

Engineer employee behaviour

Even the best training programs and behaviour modelling cannot protect against natural human error, or the apathy that can surround particular security issues like password changes. In the case of passwords, it is best to ask system administrators to force password updates every 3-6 months. Employees can be guilty of reusing one password across personal and work accounts, which means a breach of their personal cyber-security can lead to a corporate-level cyber-attack.

Use other behaviour change strategies to encourage employees to engage in more considered and secure behaviour.

  • Connect education and training with a charitable goal (‘for every engagement with this training video, the company will donate a pound to X charity’).
  • Implement brief, timed delays before sending emails or following links.
  • Publicly acknowledge proactive efforts to identify threats or report issues.

Implement physical controls

Data security can also be weakened by employees’ physical behaviour and choices. Consider implementing some or all of the policies below:

  • Do not use private USB drives on company devices (or company USB drives on private devices), as malware is commonly transmitted through this technology,
  • Do not remove physical company documents from the office,
  • Do not connect company devices to unsecured Wi-Fi networks,
  • Do not connect personal devices to the company Wi-Fi network (a guest network can be established with no access to company servers).

If you ensure your technical cyber-security protocols are up to date, along with training, behaviour modelling and smart use of analytics, you will build a comprehensive, multi-tiered protection shield against hackers.

GUEST BLOG: Everything you need to know about Bluetooth security

Stuart O'Brien

By Alex Viall, MD, Mustard IT

Bluetooth technology has been around since 2000. It’s become a seamless way for professionals to connect devices, and it can be deployed for a variety of uses, from diverting voice calls through car speakers to providing the freedom of wireless mice, headphones and more. The question now, however, is how safe is Bluetooth technology?

Has the ubiquity of the technology created complacency regarding Bluetooth network security? Everyone is aware of the risks involved with using the internet for business, but have you thought about the impacts of a breach of a Bluetooth connection?

This article will explore how Bluetooth actually works, where the Bluetooth security vulnerabilities are, and how to reduce your Bluetooth security risks, both on the go and from an organisational perspective.

What are the security issues?

Bluetooth is extremely convenient, but it can leave users vulnerable to Bluetooth security risks if it’s not used safely. If you have email, social media, banking apps or confidential files on your device, you are at risk.

It’s vital that devices used for business in particular are protected from attack. Once we understand some of the many ways hackers can wreak havoc on your systems using Bluetooth vulnerabilities, we can learn to protect ourselves.

Viruses and worms

Smartphones and tablets are vulnerable to viruses, often downloaded from reputable-looking apps. Smartphone keyboards are prone to typing errors, which can lead to mistyped web addresses. Misspelling a common website name by one letter can lead to malware and other damaging files being installed on your devices. As smartphone screens are smaller, counterfeit websites can be more difficult to spot. Once a virus has been installed, it can open up the device to Bluetooth security vulnerabilities and other issues.

Bluesnarfing

If a hacker gains access to your device (by connecting without your permission) they can steal personal data from calendars, email, images, contacts, messages and so on. This could compromise any amount of sensitive information. Does Bluetooth use mobile data once it’s been hacked? No; the traffic remains limited to the Bluetooth radio link.

Denial of Service Attacks (DoS)

This is a malicious tactic sometimes used to inconvenience or intimidate a person. If a DoS attack is launched on your device, it will become overwhelmed with nuisance instructions and freeze up. Calls can’t be answered, data is (sometimes permanently) inaccessible, and the attack chews up battery power.

Bluebugging

This is also known as Bluetooth eavesdropping. Just as malicious websites use a misspelled address to trick users, hackers set up common-looking device names (‘printer’, for example) and trick you into pairing with them instead of the actual device you were seeking. This is an unfortunate aspect of Bluetooth security vulnerabilities.

As you pair with them, they gain access to your entire device: they can hear and record calls, track your location on GPS and use your contact list.

If you have connected to a headset with a microphone, hackers can even listen in to conversations that are happening around you. As with bluesnarfing, you may wonder whether Bluetooth uses mobile data when it’s been hacked; the answer is no, so that’s one less thing to worry about.

How to reduce risk – update your Bluetooth versions

The level of Bluetooth security involved depends on which Bluetooth versions the devices use. We’ll explain each of the versions below. It can sometimes be difficult to tell which Bluetooth versions your devices have; if you’re unsure, contact the manufacturer directly. No matter which version you use, Bluetooth multi-connect won’t be available, but it may become available with newer releases of the hardware.

Level One

If you have level one devices, it means they will ‘pair’ (connect) without requiring any Bluetooth passkey or verification. This can be very risky: it is essentially an open door, where anyone can pair with your device and access what’s stored there.

Level Two

This is the most common Bluetooth security setting. The devices pair together, and then ask for security codes to be exchanged to verify the connection. The short period of time between pairing and verification can create a security vulnerability, but the risk is minimal.

Level Three

Devices with level three security offer strong Bluetooth protection against unwanted intrusions. These devices must authenticate (swap security codes) before pairing, which means the gap found in level two devices is completely closed.

Level Four

These devices have the most stringent authentication protocols. They act like level three devices and authenticate before pairing. The authentication process is more complex, making it extremely difficult to penetrate, reducing the Bluetooth security risks significantly.

Accessories

A final point on hardware: it may be worth researching common Bluetooth-enabled accessories, such as headsets or headphones. Some brands have additional layers of encryption available. It is worth paying more for extra risk reduction, and it helps to answer the question: is Bluetooth safe?

How to reduce risk – behavioural change

Once you are confident that you are using the most appropriate version of Bluetooth on your devices, you can begin to focus on behavioural change.

Because proximity is critical to connecting, a lot of harm can be avoided by doing the majority of device set-up in a secure location (like the office).

Implementing these changes will see a huge boost for your Bluetooth network security.

Connect devices in secure locations

The biggest opportunity for hackers to access a device through Bluetooth vulnerabilities is the moment between two devices pairing and trading authentication codes.

This gap can be only a second long, but it’s long enough to be a risk. To avoid exposing yourself to this risk and increase Bluetooth protection, pair devices at the office or at home.

You only need to do this once for each coupling. Once the connection is authorised the gap is closed. Connecting privately reduces the risk of Bluetooth eavesdropping.

If your devices do become unpaired (it happens), resist the urge to reconnect them in public, even if you are on the go.

When you can’t return to the office, remember the 50m proximity rule and find somewhere isolated to reconnect.

Hide your connection

If Bluetooth is enabled on a device, it will automatically broadcast its presence to every other device within range. This is called being set to ‘discoverable’. It’s necessary to be discoverable when you’re trying to pair with another device, of course. If you are not actively seeking to connect to a device, change your settings to ‘undiscoverable’ to avoid Bluetooth eavesdropping. You can still use your Bluetooth, but no-one else can find your device on a list. For additional Bluetooth protection, if you’re not using Bluetooth at all, turn the function off completely until you do need it.

Reset the PIN

The authorisation code used to couple devices is commonly a preset 4-digit PIN. If you have the option to change this, do so. Extend the code from 4 to 8 characters, and make the code an alphanumeric scramble. Treat it with the same respect as any other password.

Lock down your smart device

In today’s mobile business environment, a smartphone is the most likely device to broadcast information through a Bluetooth connection. Add passwords, codes and authorisations on any account that’s linked to business data. That way, if hackers do access the device, there may be little for them to see, reducing Bluetooth vulnerabilities.

How to reduce risk – policy change

It’s possible that your staff are completely unaware of the risks they can bring to the business by using Bluetooth in public places. Depending on the size of your workforce, you will need to educate them on the risks and make some changes to how company devices are managed.

There are changes that can be made to Bluetooth network security at the individual behavioural level, and also in cooperation with your IT and cyber-security teams.

The following suggestions centre around smartphones and tablets, because they are common data hubs and most likely to be paired in public areas.

When a new device is deployed:

  • Install encryption software
  • Install mobile anti-virus software
  • Enable password protection (using voice recognition and fingerprint scans if possible)
  • For all accounts connected to the device, use randomly generated passwords
  • Turn off on-screen notifications. This stops confidential business-related messages and emails displaying on screen for anyone to see

Use digital hygiene:

  • Connect to company networks using SSL VPNs only. This encrypts the connection, hiding it from opportunist hackers.
  • Do not save passwords on the device (either as autocomplete options or as a note). Autofilled passwords are a gift to anyone with bad intentions.
  • Close applications that aren’t in use. It will save battery life and restrict hackers from accessing them without passwords.
  • Unpair devices from one-time connections like printing booths or rental cars. Delete your connection from the car if you can. Clearing this data should be routine for company cars due for return from long-term leases.
  • Turn off Wi-Fi, Bluetooth and GPS when the connections aren’t being actively used. It’s far more difficult to connect to a device when these pathways are closed. It will save battery, too.
  • Install updates as soon as they are available. Updates are released in response to newly identified weaknesses in data security; failing to update leaves devices vulnerable to known risks.
  • Back up data as often as practical. This may occur automatically through cloud accounts or need to be done manually on a schedule. Ensure the backup storage is secure too.
  • If a device goes missing (i.e. lost or stolen) it must be reported immediately. Remove the device from all lists of paired devices to deny access.
  • Do not pair with an unknown device, or accept a digital business card without an identifiable source. Spontaneous pairing requests should always be denied, especially if they request your Bluetooth passkey. Avoid this by keeping devices set to undiscoverable.

IT department involvement:

  • Issue company devices to staff. There will be an initial cost; however, having high-level access to and control over these devices can provide a huge ROI in terms of cyber-security threat reduction.
  • Make use of a company rights management system on smart devices. This adds a further layer of security before access to sensitive company data is allowed. For more information on this or other network security issues, read our page on securing your network.
  • Decide whether personal devices should be permitted to connect to company Wi-Fi networks. This has huge potential for exploitation. Consider establishing a separate, limited network that provides an internet connection but no access to company systems.
  • Install anti-virus software on company devices. Business management apps can also monitor usage, which can feed into security, efficiency and other metrics.
  • Develop a new-user checklist to include with company-issued devices. The checklist could cover, for example, whether Bluetooth is safe, how to pair Bluetooth devices safely, what the range of Bluetooth is, how to connect to the CRM, and password requirements.