Every few months the U.S. government, or one of its many departments and divisions, releases numbers and reports on the current state of cyber security or new cyber threats. At the beginning of this month, the Homeland Security’s Industrial Control Systems Cyber Emergency Response Team released one such report about the number of security incidents or threats it had become aware of in 2011 from U.S. energy corporations, public water districts, and other infrastructure facilities. According to this 2011-DHS release, 198 suspected cyber incidents occurred, which ended up being more than four times the number in 2010. Sophisticated attacks against the most highly critical systems are a real threat, but we shouldn’t forget that most security breaches are more mundane in character and much closer to home.
Private companies of all sizes are targeted far more often than infrastructure networks. While a water control system may be the target of a terrorist, or someone malicious enough to go after such a target, a corporation has a far wider range of potential attackers: corporate espionage, disgruntled employees, unhappy customers, or hacktivists with a point to make. A typical server facing the Internet gets attacked by automated bot nets on a constant basis, while even internal networks aren’t safe from security holes or a lack of proper security controls. But too often, when security measures are put in place, they don’t address the most likely problems.
Being targeted by an organized cybercrime ring, or a shadowy group in a remote country is a possibility, but it’s one of the least likely to happen against your business. To avoid these possibilities, you make sure your web server is fully patched, your Internet-facing systems are updated, your firewalls are well-configured, and your internal network is fully separated from the Internet. But in reality, the threats come from many more angles than just cyber attacks. One of the most likely causes of a security incident or data loss is actually your own users. In the vast majority of cases, it’s not an attacker in a foreign country that managed to find a hole in your external security, it’s one of your employees, either maliciously, like a disgruntled employee might do, or through mere cluelessness.
One of the fastest growing threats resides in unknown devices that employees bring to work. The concept is nicknamed BYOD, or “bring your own device” - an array of smartphones, tablets, laptops, and even portable access points, that aren’t authorized on company networks. The worse part is that most companies don’t have any policy regarding these devices, and no way to know what extra device the employees have brought in. Having someone bring an unpatched laptop and connecting it to an Ethernet jack, or worse, bringing a cheap router just so they can use wi-fi during the breaks, is a very common occurrence in many businesses. As you may imagine, that can bring a host of security risks. Adding an unknown device to your carefully monitored and patched network can cause huge problems, and it can be hard to detect.
There are things you can do however, such as configure your network switches to only allow specific MAC addresses to connect. Each device and computer has a unique address, and if you inventory each one and add them to a white list, that will stop most problems. Of course, if it’s a malicious act, then there are ways to spoof that. Another way to prevent unknown devices is to use Network Access Protection, a feature available in all modern server systems, such as Windows Server 2008. This will allow any unknown device to be automatically scanned, and quarantined if it doesn’t meet your security policies.
Other big security threats related to your own users is a lack of proper security training and not enforcing strong security practices. Setting reasonable password and acceptable use policies, and communicating all of the policies clearly will help to create a security-aware workforce.
Finally, don’t forget about the most basic methods using the social element, like social engineering and phishing schemes that dupe users into giving out sensitive information or even allowing physical access to facilities and equipment. One recent exploit in the news is the practice of some attackers who go to business parking lots and leave a few infected USB keys lying around, in hopes that an employee will take it up to his or her office and plug it in, unleashing malware on to the network. We all spend a lot of money buying the intrusion detection systems and corporate firewalls, and those are crucial to guard against external attackers, but in reality, potential security threats against our corporate networks are often within our own walls.
Take the poll below, and let us know what kind of attacks you’ve experienced in the last year or so, if any. Feel free to explain in the comments.