We have all heard it, this widget will protect your organisation from the digital baddies. Install this and walk away you will be safe. I was reading a recent article about an undiscovered exploit that was not included in the FireEye system. We have heard that FireEye is one of the best and most secure technical solutions on the digital world.
What it showed is that Digital security is a reactive process. Digital security can only be reactive.
The discussion around technology being the only way to protect your organisation is finally being realized as sales hype.
Ask Hacking Team, Target, Sony and Ashley Madison how all that technology is working for them.
All of these organisations, when it comes down to the investigation of what happened had a number of similar problems.
Default passwords used – hardware and software systems that were installed with default passwords. These passwords were not changed at any time. This allows an attacker to gain a beach head into the network. Like all beach heads, this allows an attacker to target systems within the organisation.
Passwords of insufficient complexity – all passwords no matter what their use should be
- longer than 8, 10 is better,
- complex, using all components of a keyboard (letters, numbers, symbols and punctuation and capitals) and
- They have to be unique for every application or area requiring one.
In addition to this, passwords for administration should have additional length.
No segmentation of network. – A flat network allows an attacker to gain additional insight into data within the network. By segmenting your network to additional levels means that more important data is harder to access.
Insufficient patching – patching is such a strain on the administration department but it is an essential security profile. When patches come out apply them in a timely manner. Some systems require manual interaction for download and installation of updates. This needs to be woven into the DNA of the organisation.
No pen testing – to prove that you are secure, you need to test the systems. From a basic vulnerability scan to a full blown red team test, all systems including users’ needs to be checked regularly.
These are large organisations who had sophisticated technology, well trained people and management who understood the problems of cybercrime. They still got it wrong! They got it wrong because they are arrogant.
Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.