Cybersecurity. The science of securing IT infrastructures. Firewalls, access lists, passwords, encryption, penetration testing, intrusion detection, etc. A crazy sysadmin once told me that the only way to completely secure a computer network is to unplug it. At first that statement seems over the top. Yet the more you think about it, the truer it gets.
There is always a flaw. It’s impossible to secure everything. All you can hope for is to add extra time for an attacker to find or accomplish what he set out to do. Regardless of the data that you are trying to shield, if somebody is willing to pay for it, hackers will steal it. No one is immune. I’ve established that much in my previous blog post “Stealing data is easy”.
Control is an illusion. Accept that you have no control. All you can do is be prepared for when attacks hit and limit the damage. Chances are you’ve already been breached, and you will be breached again. The concept of a “breach” is often misunderstood. The school janitor who accidentally sees a student report card on an unlocked computer while cleaning a classroom is technically considered a breach. Albeit accidental and meaningless, it still constitutes a breach of confidentiality. Leaving a post-it note with a password on your monitor is the equivalent of leaving the keys to a warehouse full of inventory on the doorstep. An unlocked computer is akin to leaving that warehouse door wide open.
Biological viruses attack the weakest links in an organism; hackers attack the weakest links in an organisation. If a kid wants candy they’ll know exactly which parent will bend first. One of them is always weaker. Exploiting the weak link is something that has been going on in society forever and the cyber world is no different.
Employees are the weakest link in a company’s cybersecurity plan. In fact, a whopping 95% of cyber-attacks and incidents exploit unsuspecting and uninformed employees, according to IBM’s X-Force Threat Intelligence Index. With the aid of social media, a black-hat can easily find out who’s working at a target company. They can then find their hobbies, birthdays, vacations, etc. An abundance of details about an individual can be obtained within minutes. Attacking that company then becomes child’s play. Imagine now if they could plug into your local area network, or worse… connect to your wireless infrastructure from the parking lot. Armed with all those details about key individuals, there is no stopping them. If your users are unaware, all the firewalls in the world won’t matter. If there is no one to firmly enforce IT policies, they mean nothing.
So, what to do while you wait? Fortunately, it’s not all doom and gloom. Raising awareness of these concepts could be included in your company’s orientation package, for instance. Get your users to complete security awareness webinars or subscribe them to a cyber risk evaluation service like Security Aware, which is powered by Beauceron Security. Don’t give attackers anything easy. If you get a flu shot you might still get the flu, but you are protected against certain variations. Use analogies like that to help raise awareness in your organisation.
Does this article induce paranoia? If so mission accomplished! I’ve made you aware. Now go out there and figuratively unplug that network before they get you!