In the ‘Cyber Security Threats and Vulnerabilities 101’ post we discuss cyber security risks that can potentially impact your employees and the continuity of your operations. Although your Cyber Security and Information Technology departments must secure mobile and desktop devices and the data on them, the survival of your business can be put at risk if your organization is attacked. Successful cyber breaches and attacks can instantly become business continuity issues.
Unfortunately, I have witnessed organizations tighten up their desktop security but leave mobile and, more recently, IoT device security wide open to the bad guys. People intent on doing harm, even with little or no technical skill, can easily get access to tools that can severely impact your organization.
In addition to desktop and mobile devices (phones, tablets…), the popularity of Internet of Things (IoT) devices takes risk to another level. There will be billions of IoT devices on the Internet in the next few years. All kinds of sensors, cameras, motors… are being connected to the Internet. These devices can be of great help to our programs.
I have connected sensors and alarms from trusted vendors to the Internet. These devices benefit employees and our ability to understand our environment in real-time. Unfortunately, IoT security is not the first concern for some vendors selling IoT devices. The last thing we want is rogue sensors and robots adding risk to our infrastructure. These devices can change the way we do business for the better, but we must implement the proper security controls.
Perhaps your organization already has all of its device security and IoT controls in place. I hope you have robust cyber security policies. If you pick out even one or two tips from this post, it will be well worth the short read. Venturing beyond your immediate Business Resilience duties and making helpful security suggestions to IT and management will help you in many ways.
The security controls and practices described below are a starting point – not a comprehensive list. I tried to map them to the threats and vulnerabilities we discussed in the threats and vulnerabilities post. They are consistent with studies and guidance from NIST, FTC, FCC and DHS along with my experiences. Some of the information below originates and is used with permission of the GAO from their report – Report to Congressional Committees – Information Security, ‘Better Implementation of Controls for Mobile Devices Should Be Encouraged’.
General Security Best Practices – Mobile Phones, Laptops, Tablets and Desktops:
(This is not a comprehensive list. You should partner with your Cyber Security and Information Technology Experts to Implement a Holistic Information Security Program)
Tip – Partner with your IT and Cyber Security experts and analyze the vulnerabilities that can compromise your organization.
Tip – Advise employees of mobile and desktop best practices. You can use information in this post and the preceding ‘Cyber Threats and Vulnerabilities’ post in your in-house newsletter or in your in-house blog if you wish to.
Tip – Your Cyber Security and/or Information Technology experts must implement the latest security safeguards, anti-virus software, patches and idle-time lockouts, and they must do it in a timely manner. No excuse for delaying this is acceptable!
Tip – A corporate policy, with teeth, must be in place making it a violation to save critical / sensitive / unencrypted data on laptop local drives or mobile devices.
Tip – As we discussed in the post on cyber vulnerabilities, phishing is a rapidly growing problem. Create awareness with all employees that they should never click on links unless they know and trust the source of the message.
Discuss doing a series of ethical phishing tests with your IT and cyber security experts. Most likely a large percentage of employees will click on an unknown link.
You can then follow up with them and explain that clicking on such a link can enable a virus, worm or ransomware attack. It can also lead to criminals stealing the employee’s personal information. I believe as your series of ethical phishing tests take place the number of employees that click on links from an unknown source will significantly decrease.
Tip – USB thumb drives must be encrypted! They are able to store gigabytes of data and are too easy to lose. We have all read horror stories of sensitive data being stolen or lost and seriously impacting the survival of an organization. Do not let this happen to you.
Tip – Data must be encrypted at rest AND in flight (in transit). Even with a policy in place, people will still copy data to their local drive if it is available. Laptops have a way of getting stolen or lost (read the post ‘Your Laptop Has Legs…’). The loss of sensitive data is a bigger risk than the loss of the hardware: laptop hardware is relatively cheap and easily replaced, while losing sensitive data can cost your company many millions of dollars and cost executives at the highest level of the organization their jobs. Full-disk encryption with a strong pre-boot password or PIN is the control that turns a lost laptop into a hardware problem rather than a breach.
Tip – Make sure any vendors that have access to your data are encrypting it both at rest AND in-flight.
Tip – Office laptops should be physically secured (e.g. cable-locked) when left on desks. In many organizations, it is too easy for someone intent on doing harm to tailgate in behind an employee and swipe unattended laptops. Even if you have security cameras, good luck catching the thieves before they are long gone. It happens all too often.
Tip – Do not let your laptop, tablet or phone out of your sight at airports or any other public places. They should be with you always or they will ‘walk’. If you do store data on the device make sure the data is encrypted, just in case the device disappears.
Tip – Do not text or chat sensitive information unless the service encrypts it at rest and in flight. These types of communications are often sent in clear text or stored unencrypted by the provider. Only send in clear text if you do not mind everyone reading it.
Tip – Do not write your log-in credentials on a sticky note and stick it to your keyboard or desk. Oh, you haven’t seen this type of thing at least once?
Tip – Do not keep a steaming-hot cup of coffee next to your devices – we’ve all done it or seen it, so you’re not alone. Come on, admit it. I will be the first to admit it, it happened to me twice in one morning, yikes.
Tip – Do not provide login information to callers. Social engineering is rampant and an easy and effective way to infiltrate a network. You are giving them the keys to the network. No technical skills are required. Warn your employees.
Tip – Do put policies and procedures in place to address all areas of risk, including the ones I listed above.
Tip – Do provide mobile device security training.
Tip – Do include mobile devices and IOT in your risk assessments.
Enable user authentication:
Tip – Configure mobile devices to always require passwords or PINs to gain access just as you do with your desktop devices. In addition, the password field should be masked to prevent shoulder surfing, and all devices should have active idle-time screen locking to prevent unauthorized access.
Tip – Your organization needs a policy on desktop and mobile passwords: minimum length, a mix of letters, numbers and special characters, and rules on when passwords must be changed. Note that current NIST guidance (SP 800-63B) favours long passphrases screened against lists of known-breached passwords over forced periodic changes, and calls for a change whenever there is evidence a password has been compromised.
Tip – Speak with your IT department about Active Directory and single sign-on (SSO) to centralize authentication and reduce password maintenance complexity and risk.
Enable two-factor authentication:
Tip – Two-factor authentication is important when conducting sensitive transactions on mobile devices and gives a higher level of security than a password alone. It is an authentication system in which users must prove their identity with at least two different “factors” before being granted access: something they know (a password or PIN), something they have (a phone, token or smart card) or something they are (a fingerprint or face). Two items from the same category, such as a password plus a security question, are not two factors. You are probably already familiar with two-factor authentication, as most popular websites offer it.
Tip – Mobile devices themselves can be used as the second factor in some two-factor authentication schemes used for remote access. The device can generate pass codes with an authenticator app (time-based one-time passwords), or the codes can be sent to the phone by text message. SMS codes are the weaker option because they can be intercepted or redirected through SIM-swap fraud, so prefer an authenticator app or hardware token where the service supports one. Two-factor authentication is especially important when sensitive transactions occur, such as mobile banking.
Always verify the authenticity of any downloaded applications
Tip – Understand where the application came from: an official app store or your enterprise app catalogue, not a link in an e-mail. Check that the package carries a valid digital signature and that the signer is the publisher you expect; a valid signature from an unknown party proves nothing. When in doubt, block, quarantine or filter the download.
Install anti-malware capability
Tip – This one is a ‘no-brainer’. Malware is rampant on the Internet and you definitely do not want it in your network. It encompasses ransomware, viruses, worms, trojans and the bot software that recruits machines into botnets; spam is often the delivery vehicle. It will make your life miserable and can seriously impact your organization.
Install a personal firewall:
Tip – A personal firewall protects against unauthorized connections by intercepting both incoming and outgoing connection attempts and blocking or permitting them based on a list of organization-defined rules. Deny by default and allow only what each role needs; the outbound rules matter as much as the inbound ones, because malware that is already on the device has to phone home.
Disable lost or stolen devices remotely:
Tip – Remote disabling is an important feature for stolen or lost devices: it either locks the device or completely purges its contents remotely. Locked devices can subsequently be unlocked by the user if they are recovered. The command only takes effect once the device next connects to the management service, so pair remote wipe with full-device encryption and a strong PIN so that the data is already protected while the device is out of reach.
Use automated device scanning software:
Tip – Software tools can be used to scan devices for compromising events (e.g., an unexpected change in the file structure) and then report the results of the scans, including a risk rating and recommended mitigation strategy.
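The simplest form of such a scan is file-integrity monitoring: take a hashed baseline of the files on a device, rescan later and report what was added, removed, modified or had its permissions changed. The block below is an added example written for this post, not a tool the post or the GAO report refers to; the directory layout, file names and the crude risk rating are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Record hash, size and permission bits of every file under root, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": sha256_of(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def risk_rating(report: dict) -> str:
    """Crude rating: tampered or missing files rank above new or re-permissioned ones."""
    if report["modified"] or report["removed"]:
        return "high"
    if report["added"] or report["perm_changed"]:
        return "medium"
    return "low"


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the events a scanner should report, plus a rating."""
    old, new = set(baseline), set(current)
    both = old & new
    report = {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"]),
        "perm_changed": sorted(p for p in both if baseline[p]["mode"] != current[p]["mode"]),
    }
    report["risk"] = risk_rating(report)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, simulate a compromise, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "agent").write_bytes(b"original agent binary")
        (root / "etc" / "agent.conf").write_text("server=mdm.example.internal\n")
        for p in (root / "bin" / "agent", root / "etc" / "agent.conf"):
            os.chmod(p, 0o644)
        baseline = build_baseline(root)

        # Simulated compromise: config pointed elsewhere, a dropper added, binary made executable.
        (root / "etc" / "agent.conf").write_text("server=203.0.113.9\n")
        (root / "tmp").mkdir()
        (root / "tmp" / "dropper.sh").write_text("#!/bin/sh\nexit 0\n")
        os.chmod(root / "bin" / "agent", 0o755)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

A real scanner stores the baseline off the device (otherwise the attacker edits it along with the files), signs it, and excludes paths that legitimately churn such as logs and caches so that the report is not drowned in noise.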
Implement a virtual private network (VPN):
Tip – A secure VPN is very important if employees need to securely access your intranet from remote locations. If you are designing work-from-home recovery strategies, you need VPN access.
- Sub-tip – Stress-test your VPN to ensure everyone can connect during high demand. I have witnessed VPN connection and latency issues during major events such as snow storms and hurricanes when thousands of employees try to connect. VPNs by design may have only one or two entry points into an organization. You must validate that there is sufficient capacity (concurrent-session licences as well as bandwidth) for all employees to connect. You do not want to discover latency or the inability to access your network during a widespread disruptive event.
Tip – Regularly do penetration (pen) tests on your network and systems. Ethical tiger teams test their ability to penetrate your systems and provide you with the results, so your IT and cyber security teams can focus on closing the vulnerabilities found. If you need a recommendation on a particularly good company that specializes in phishing tests and can even help you with implementing cyber related policies please contact me.
Adopt centralized security management:
Tip – Centralized security management enables organization-wide control of devices including remotely disabling devices. It also includes management practices, such as setting policy for individual users or a class of users on specific devices. This is very important for scalability, patch management, hardware and software audits.
Turn off Bluetooth or set it to non-discoverable:
Tip – When in discoverable mode, Bluetooth-enabled devices are “visible” to other nearby devices, which may alert an attacker to target them. When Bluetooth is turned off or in non-discoverable mode, the device is invisible to other unauthenticated devices. Non-discoverable mode only hides the device from scans; an attacker who already knows its Bluetooth address can still attempt to connect, so turn Bluetooth off entirely when it is not needed and never accept unexpected pairing requests.
Limit use of public WiFi networks when conducting sensitive transactions:
Tip – Attackers may patrol public WiFi networks for unsecured devices or even create malicious WiFi spots designed to attack mobile phones and penetrate your network.
Public WiFi hotspots are an easy channel for attackers to exploit. Users can limit their exposure by not conducting sensitive transactions while connected to them or, if they must, by using secure, encrypted connections (HTTPS, or better the corporate VPN so that all traffic is tunnelled). This reduces the risk of attackers obtaining sensitive information such as passwords, bank account numbers and credit card numbers.
Minimize installation of unnecessary applications:
Tip – Users can reduce risk by limiting unnecessary applications. Once installed, applications may be able to access user content and device programming interfaces, and they may also contain vulnerabilities. Your cyber security department should control this.
Do not click on links sent in suspicious email or text messages:
Tip – Be very careful: these links often look like legitimate sites but lead to malicious sites, credential-harvesting pages and ransomware downloads. On a desktop, hover over a link to see the real destination before clicking; on a mobile device, long-press the link to preview it; and when in doubt type the organization’s address yourself instead of following the link.
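The tells that make a phishing link "look like a legitimate site" can be checked mechanically, which is useful both for the ethical phishing tests described earlier and for mail-filtering rules. The block below is an added example, not code from the original post: it extracts the links from an HTML message and flags the common tricks (visible text naming one host while the href goes to another, a `user@host` URL whose real host is after the `@`, a raw IP address, a look-alike host containing the brand name, and plain http). The sample message, the `examplebank.com` brand and the trusted-domain list are all constructed for the demo, and the two-label `registered_domain` helper is a simplification of what a production filter would do with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the hosts are reserved example/documentation names, not real sites.
SAMPLE_HTML = """
<p>Dear customer, unusual activity was detected. Act within 24 hours.</p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
<p><a href="http://examplebank.com.verify-login.example/auth">https://www.examplebank.com/login</a></p>
<p><a href="https://examplebank.com@203.0.113.7/secure">Secure login</a></p>
<p><a href="https://examplebank-security.example/reset">Reset password</a></p>
"""

TRUSTED_DOMAINS = {"examplebank.com"}            # assumed: domains the organization legitimately links to

HOST_IN_TEXT = re.compile(r"([a-z0-9.-]+\.[a-z]{2,})")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Pull (href, visible text) pairs out of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for the demo; real tooling should use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_link(href: str, text: str) -> list:
    """Return the reasons a link looks deceptive (an empty list means nothing was found)."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()

    if url.scheme != "https":
        findings.append("not https")
    if url.username is not None:
        findings.append("user@host trick: real host is " + host)
    if IPV4.fullmatch(host):
        findings.append("raw IP address instead of a hostname")

    shown = HOST_IN_TEXT.search(text.lower())          # does the visible text name a host?
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append("visible text says %s but link goes to %s" % (shown.group(1), host))

    if registered_domain(host) not in TRUSTED_DOMAINS:  # brand name inside an untrusted host
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host:
                findings.append("look-alike host containing '%s'" % brand)
    return findings


def scan_message(html: str) -> list:
    """Return [(href, findings)] for every link that triggered at least one finding."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        findings = analyse_link(href, text)
        if findings:
            flagged.append((href, findings))
    return flagged


if __name__ == "__main__":
    for href, findings in scan_message(SAMPLE_HTML):
        print(href, "->", "; ".join(findings))
```

Of the four links in the sample only the first, which really goes to the trusted domain, comes back clean; the other three each trip at least one check. These heuristics are deliberately simple and will miss shortened URLs and open redirects on legitimate sites, so they complement, rather than replace, the awareness training the post recommends.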
Limit exposure of mobile phone numbers:
Tip – By not posting mobile phone numbers to public websites, users may be able to limit the extent to which attackers can obtain known mobile numbers to attack. Do some Internet searching to see if you have exposures. It is scary how many companies have private spreadsheets and documents on the public Internet. I do mean scary!
Maintain physical control of your devices:
Tip – Always know the whereabouts of your devices. Do not leave them in any public areas where they can and will ‘walk’! Please read the post ‘Your Laptop Has Legs’. It applies to mobile as well.
Delete all information stored on a device prior to discarding it:
Tip – The device should be returned to your company and all data purged before it is discarded. Simply deleting a file often just marks its space as free; the contents remain on the media until overwritten and can be recovered with forensic tools. On hard disks a full overwrite is adequate, but on SSDs and the flash storage in phones and tablets wear levelling means overwriting is not reliable, so use the device’s built-in encrypted factory reset (which destroys the encryption key, a so-called crypto-erase) or physically destroy the media. You should also be able to remotely disable the device and delete its data in case it is lost.
Do not modify mobile devices (jailbreak):
Tip – ‘Jailbreaking’ (or ‘rooting’ on Android) removes the platform’s security controls, exposes the device to vulnerabilities and can prevent it from receiving security updates. It can also void the warranty. Never jailbreak corporate devices, and have your device management solution detect and block jailbroken devices.