#10: Tweet some vicious insults about Kim Jong Un.
North Korea’s hack of Sony, which destroyed about 70% of Sony’s IT infrastructure, was motivated by the publishing of a movie that was critical of North Korean leader.
Recommendation: Be very careful what you publish online, and start taking your privacy seriously.
#9: Go ahead and use that Russian anti-virus software
Kaspersky Labs, a very popular anti-virus software manufacturer was providing access to millions of computers worldwide to the Russian government through its anti-virus software. This has become a popular technique for introducing malware into the wild. Compromise a piece of software that everyone already trusts.
Recommendation: Realize that anyone or anything handling IT security can become compromised. This is the reason why prevention can’t be the only goal. Detection and remediation are really important components of your overall IT security framework.
#8: Open every piece of email sent to you, especially the ones with links to view invoices, documents, etc.
By last year, Spear Phishing had become the most effective method of delivering malware and stealing credentials. Last month, we dealt with an issue for one of our customers that cost 85K. They were purchasing product from overseas with a new vendor, and the owner’s (of the vendor) office 365 mailbox was compromised. The hackers waited for the email requesting wire instructions, and responded as the owner (of the vendor) with fake wire instructions. More work was done to delay the discovery through the email hack.
Recommendation: Consider adding a Spear Phishing service and training to your IT budget. It’s cheap $2.00/month/user.
#7: Free flash drive. Awesome!!!
This particular technique worked against the US Government.
Recommendation: Free stuff (USB Drives, software, is rarely … free. There is software that will lock down USB ports on desktops and laptops that makes this a non-issue.
#6: Comrade, can I borrow your phone. My battery is dead.
Most people these days use their phone to access email, the bank, and dual-factor software (google authenticator).
Recommendation: Lock and secure your phone. Carriers provide new procedures for locking the transfer of your phone. Eventually, you will lose a phone.
#5: I Use abc123 for all my passwords, that way, it’s easy to remember.
You would be very surprised to find out how easy it is to break simple passwords.
Recommendation: 8 characters, upper-case, lower-case, number + 1 symbol. SSO (Single Sign On) also resolves this problem.
#4: We will test our Disaster Recovery solution the next time we have a hurricane.
Over this past weekend, I sold 2.5 bitcoins to a small engineering firm in South Florida to purchase a decryption key for a ransomware virus. This company had backups, but their backups were encrypted as well. These cybercriminals are sophisticated, and know how to hit you so that you don’t have a choice but to pay the ransom.
Recommendation: If you haven’t tested your DR solution, do it. If you don’t have the time, pay someone.
#3: My laptop was stolen out of my car. Good riddance to that piece of crap. Now my company will buy me a decent laptop.
Portable devices generally have really valuable information sitting on them (think outlook OST files), stored passwords, financial documents, PCI or HIPAA information, etc. Consider what a pain it is to change laptops. That is all of the stuff on the laptop.
Recommendation: Use whole disk encryption on portable devices so if they are lost or stolen, they are useless.
#2: I do a lot of research on the internet. I know Google checks all of their links.
Content filtering software is probably the single most effective method of preventing malware and breaches.
Recommendation: Add content filtering to your firewall or DNS service.
#1: We don’t have the time or the money to deal with IT security.
Too many organizations still look at IT strictly as a cost center. IT Staff is rewarded for reducing budgets and “saving” money. We work with new CIO’s, VP’s, and directors who think they are going to make their bones by reducing expenses through staff reduction
Recommendation: IT and security budgets should not be considered fixed costs, but variable costs tied to the revenue and / or size of the organization. IT budgets should AUTOMATICALLY grow alongside the organization.
For those of you not familiar with the SANS institute http://www.sans.org, the SANS Institute was established in 1989 as a cooperative IT security research and education organization that today reaches more than 165,000 security professionals around the world. It is a tremendous resource for everything related to IT security, and I highly encourage any organization or individual serious about IT security to visit the website and examine all that SANS has to offer.