IT security is a lot more than just battening down the hatches. It’s as much about thinking like a hacker to identify and outwit every potential breach.
Close-combat instructors call their field “self-defence” for a reason. The first moves any student learns are purely to stop the worst happening. Block that kick, tense that core, keep your fists in front of your face.
But doing the equivalent in data security – locking the doors, patching the applications, educating the people – is just the base layer. To take the fight to the hackers, today’s IT security teams need active defence, or countermeasures.
Countermeasures mean learning how today’s hacker thinks. It’s about pre-empting moves before they are made, actively changing and updating strategies as the game changes, rather than relying on a passive “lock-it-and-leave-it” approach.
Effective countermeasures add tremendous value to the hygiene factors of people and policies. And for what it’s worth, it makes the life of an IT professional more enjoyable and rewarding as well. Here are six countermeasures to set the scene:
Countermeasure #1: Learn how the black market works
The basic driver of hacking is no different to other areas of human endeavour: follow the money. Stolen corporate information – from customer credit card numbers to PowerPoints on strategy – has a value, and that value is determined by the people prepared to pay for it across the dark web and beyond. Which means the right budget allocated to defuse such threats tends to be budget well allocated.
So, how big is this black market in information? As an example, Fox Business recently reported that a single credit card number goes for US$1, rising to $25 if an address and email are included. This means the Equifax hack alone (which involved 143 million credit card details at the end of last year) passed the $3bn mark before even one of those cards was used.
Countermeasure #2: Stay vigilant by thinking process, not event
At the network level, bolstering your IT defences is helped by a simple insight: vulnerability-to-fix is a lifecycle. In other words, it’s series of connected events, not a one-off. That is why IT security experts advise thinking process, not isolated events. A pre-emptive cycle of checking, patching, and penetration testing (“pentesting”) can close many vulnerabilities before they get exploited.
Another benefit of “thinking lifecycle” is it deals with the threat as an ongoing risk into the future. Remember all those malware and ransomware names we all heard about last year, with WannaCry, NotPetya, and BadRabbit topping the list? They’re all still around, mutating into new forms and being used in new ways. Today’s front-page hack is next year’s surprise risk – thinking process means not being caught out in the future.
Countermeasure #3: Don’t let legislation catch you out
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. If you’re in the UK, the complication doesn’t stop there since the law is likely to change again with Brexit. It’s just one of a host of laws that can be just as expensive as a breach if you ignore them.
That’s why it is imperative for all businesses to apply and maintain consistent policies on security if they hold user data on their servers – even if the information isn’t personally identifying. Of course, if they hold credit card numbers or financial data, the risks are even higher.
Countermeasure #4: Keep an eye on your key people
Employee management is a complex process and people leaving the business are particularly relevant for IT security teams. In the UK, the average employee attrition rate is 15% with much higher rates in certain sectors. Many of those people will be IT-literate, some will have left your company under a cloud. And some will bear a grudge.
Nevertheless, just 24% of companies follow a procedure for removing the IT rights and privileges of ex-employees. At a rough estimate, that’s three million people across the UK with access to the IT systems of companies they no longer work for. And it’s not even limited to leavers. Plenty of people switch offices, get promoted, or change job functions without getting a P45.
So another ongoing process to adopt is know who can do what, and plug any holes where bad policies might allow privilege escalation or administrator access. It doesn’t even take a disgruntled ex-employee for things to go wrong.
Countermeasure #5: Know your mobile
BYOD, IoT, and Shadow IT aren’t bad things: they’re huge opportunities. But all those phones, tablets, phablets, and laptops need managing as a fleet just as much as your human resources.
What happens when someone changes their phone? Where did all those employee laptops go? Where is that iPad being used when it’s outside the office, and who has access to it? Compromising a mobile device is among the easiest ways to grab a username or password. And even without knowing someone’s credentials, it’s all too easy for an attacker to plug in a malware-soaked USB key alongside with some legitimate content.
With the range and number of personal devices mushrooming in recent years, it’s important to understand what technology is out there in the workforce, and how (and where) it is being used. Keep lists of what’s “employed” and update it whenever the employee’s role (or the machine’s role) changes. Watch out for Remote Desktop Protocol (letting you log in from afar) and make sure login credentials use strong passwords, two-factor authentication, and compare both device and user against both whitelists and blacklists.
It’ll keep you abreast of matters when something changes – which, in a mid-sized organisation, could be hundreds of times a day.
Countermeasure #6: Secure all physical entry points
Last but never least: with most techs trained principally as software experts, the risk of someone gaining physical access to your most valuable assets can often be overlooked. There’s no point in great network perimeter protection and strong encryption for passwords if a hacker can get a job as a temp in the server room.
That makes physical security – doors that lock, key-card access, strict whitelists and policies for public areas of your business – as important as ever. And you’re not out of the woods if you don’t have a traditional server room; information that is largely in the cloud can also be accessed remotely with the right information.
A sensible approach to countermeasures doesn’t need military budgets, but does need military precision. Most attack vectors are obvious ones; simply applying best practice can stop a huge percentage of breach attempts before they start. Adopting a countermeasures mindset where defence is active, not passive, is now widely recognised as the best way to foil the next attack.
Key takeaways:
- There’s a black market for private information
- Ransomware stay potent long after they stop being news
- Without an eye on legislation, you may be a criminal too
- When people change jobs, change their permissions for security
- Physical security matters as much as virtual