Ground rules of cybersecurity

Nick Zamosenchuk
4 min read · Sep 4, 2018

There are three ground rules of cyber security:

  1. Update.
  2. There is no “minor” vulnerability. Vulnerability is vulnerability.
  3. Don’t trust anyone.

Update

More than 99% of all attacks were possible through vulnerabilities for which the vendor had already shipped a patch [1]. In most cases the fix had been available for half a year or more, but end users had not installed it.

But updates are not just security patches and newer software versions; updating covers much more.

  1. Update policies: periodically review all your policies, from access policies through to email and other communication policies.
  2. Update passwords. An intrusion may take months to play out, from the first foothold to the final move. Password rotation and update policies limit how far an attacker can get with credentials captured early on. Rotation only works if it is consistent and synchronized across all systems: a credential rotated in one place but still valid in another gives the attacker a way back in.
  3. Update protocols. I recently saw a company hosting its own intranet web service over plain HTTP, accessible to employees from all over the world. Another recent finding was the weak encryption used by a lock vendor; they have probably since moved to TLS [2]. The point is: move your communication protocols to newer, more secure counterparts.
  4. Update “employees”: create and run basic security training for your employees. This is probably the first and most critical part. Build and maintain security awareness among your employees.
  5. Update each and every piece. Are discontinued Windows Phone devices, old Android phones, or WiFi hardware that has not been updated since 2016 (and so never received the KRACK fixes [3]) in use in your organization? All of these are security threats: every end-user device connected to the network is a potential vulnerability unless it is kept updated.

Periodic deep audits of the whole IT landscape are a must for large organizations and should be considered the first measure for ensuring corporate security. Penetration testing and vulnerability scanning are only additional measures and should never be treated as the single security “insurance”.
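As an added example (not code from the article), here are the checks behind items 3 and 5 and the audit paragraph above, written as a small Python script. It walks a constructed inventory of intranet services and network devices and flags anything served over plain HTTP, anything still negotiating TLS below 1.2, anything the vendor no longer supports, and anything unpatched for more than 180 days (a threshold assumed here, echoing the half-year figure above). It also builds the client-side counterpart, an `ssl` context that refuses legacy TLS. The hostnames, dates and thresholds are invented for the example.

```python
"""Audit a constructed inventory for the "update" failures the article lists.

Added example, not the article's code. The inventory below is made up; the
TLS baseline and patch-age threshold are assumptions a practitioner would set.
"""
import ssl
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed baseline: nothing below TLS 1.2 is acceptable on the wire.
MIN_TLS = ssl.TLSVersion.TLSv1_2
# The article notes fixes sitting unapplied for half a year or more;
# the audit flags anything not patched within that window (assumed threshold).
MAX_PATCH_AGE_DAYS = 180


@dataclass
class Service:
    name: str
    url: str
    # Lowest protocol version the server still negotiates; None for plain HTTP
    # or when nobody has checked yet.
    min_tls: Optional[ssl.TLSVersion] = None


@dataclass
class Device:
    name: str
    last_patched: date
    vendor_supported: bool = True


Finding = Tuple[str, str]  # (asset name, issue code)


def audit_service(svc: Service) -> List[Finding]:
    """Flag services reachable over plain HTTP or negotiating legacy TLS."""
    findings: List[Finding] = []
    scheme = urlparse(svc.url).scheme.lower()
    if scheme != "https":
        findings.append((svc.name, "plain-http"))
    # ssl.TLSVersion is an IntEnum, so versions compare numerically.
    # An unknown minimum version fails closed: it is reported as legacy.
    elif svc.min_tls is None or svc.min_tls < MIN_TLS:
        findings.append((svc.name, "legacy-tls"))
    return findings


def audit_device(dev: Device, today: date) -> List[Finding]:
    """Flag devices the vendor no longer supports or that missed the patch window."""
    findings: List[Finding] = []
    if not dev.vendor_supported:
        findings.append((dev.name, "unsupported"))
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append((dev.name, "stale-patch"))
    return findings


def run_audit(services: List[Service], devices: List[Device], today: date) -> List[Finding]:
    """Run every check and return the combined list of findings."""
    findings: List[Finding] = []
    for svc in services:
        findings.extend(audit_service(svc))
    for dev in devices:
        findings.extend(audit_device(dev, today))
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client-side counterpart of the protocol check: refuse anything below
    TLS 1.2 and always verify the server certificate and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed inventory (not from the article); dates are placed around the
# article's publication date so the 180-day window is easy to follow.
TODAY = date(2018, 9, 4)
SERVICES = [
    Service("wiki", "http://wiki.corp.example/"),                              # intranet over plain HTTP
    Service("hr-portal", "https://hr.corp.example/", ssl.TLSVersion.TLSv1),    # HTTPS, but still accepts TLS 1.0
    Service("git", "https://git.corp.example/", ssl.TLSVersion.TLSv1_2),       # compliant
]
DEVICES = [
    Device("ap-lobby", last_patched=date(2016, 8, 1)),                         # WiFi AP untouched since 2016
    Device("core-switch", last_patched=date(2018, 8, 20)),                     # patched two weeks ago
    Device("sales-phone-07", last_patched=date(2018, 1, 10), vendor_supported=False),
]

if __name__ == "__main__":
    for name, issue in run_audit(SERVICES, DEVICES, TODAY):
        print(f"{name}: {issue}")
```

The run on the sample inventory yields five findings: the wiki over plain HTTP, the HR portal still accepting TLS 1.0, the lobby access point last patched in 2016, and the discontinued phone both unsupported and 237 days past its last patch. In a real deployment the `min_tls` values would come from a scanner rather than being typed in, and the same `Finding` list can feed a ticketing system so that each item has an owner.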

Vulnerability is vulnerability

The average attack is a long chain of exploited vulnerabilities that, taken individually, many would consider minor. So there is no such thing as a “minor” vulnerability: a vulnerability is a vulnerability. By the same token, there is no such thing as “enough security”.

This rule applies to each and every layer of your company, from the Board of Directors and CEO to the intern, from the data center to the paper note on a desk. That said, the most critical and most vulnerable link in any organization is people. Be faster than the attackers: bring security awareness to your employees, educate them on security principles and rules, and teach them responsibility. Every person and every position matters to the company, for both its success and its security.

Last but not least, of course, comes IT itself in the matter of vulnerabilities. Invest in your experts, whether through professional training, conferences, or certifications. At the end of the day, your experts are the ones who build the IT core of your organization, services, or products. These are the people who define the right architectures, the right policies, monitoring, and proactive measures.

Do not trust anyone

It may sound simple and clear to everyone, but scammers and hackers still exploit human trust every time. In extreme and unexpected situations we are shocked and do not think clearly. We focus on what has happened without questioning anything.

A few years ago one of the European road assistance services warned that scammers were painting their tow trucks in the same colors as the legitimate service and installing mobile signal jammers. Imagine you have a road incident and, minutes later, you see what looks like your own company's road assistance truck and expect everything to be covered by your insurance plan. You cannot make a call to check, because you are in the middle of nowhere. At the end of the week you receive a bill for a few thousand.

The same happens in IT all the time. Scammers and hackers exploit human nature every time, whether with a uniform, a shocking situation, a distraction, or a careful fake of the real thing. Be careful, suspect everything, and double- and triple-check.

Don’t trust me either. Ask yourself whether this makes sense, and reach out to me to check that I’m real, or just to say hello.

Read on LinkedIn

  1. https://www.csoonline.com/article/3075830/data-protection/zero-days-arent-the-problem-patches-are.html
  2. https://tech.slashdot.org/story/18/09/03/1335217/googles-doors-hacked-wide-open-by-own-employee
  3. https://en.wikipedia.org/wiki/KRACK
