With the end-of-year holidays approaching, it is important that security is not forgotten as the food, drinks and parties become a priority. So, as 2020 comes to an end (thankfully), here is our gift to you: 12 tips to keep you in the merry spirit long after the holidays.
1 – You got a USB mug warmer as a holiday gift? Exciting. But be cautious of what you connect to your computer.
Inconspicuous devices are not as innocent as you might think. If it can be connected to your device, it can be used as an attack tool. Don’t underestimate the furtiveness of bad actors – they put in a lot of effort to hide themselves and their attack tools from you, and might even use something as unassuming as a mug warmer as their disguise.
2 – Trust. One of the most important qualities one would look for in an employee. Make sure that you trust the devices they use as well. Cybersecurity training and awareness for employees is a key factor in your cybersecurity posture.
Careless or uninformed staff are one of the greatest threats to an organization’s cybersecurity. Just because employees have good intentions (well, at least we hope they do), it does not mean that they cannot unwittingly cause a major cybersecurity incident. A lack of employee training on good cyber hygiene could have perilous consequences for your organization. Staff have insider privileges that make attackers’ lives easier, and these bad actors often target employees and the devices that they use without the victim knowing.
3 – You’re only as strong as your weakest link. Think you have cybersecurity sorted? Think again. How secure are the vendors in your supply chain?
Imagine having CCTV covering all perimeters of your house, a high-tech alarm system, and burglar bars on all your windows to protect against intruders, but then leaving the door open. All your security measures are essentially useless. Now apply this to cybersecurity: comprehensive security software and stringent policies are essentially useless if your supply chain is not as well protected as you are. When organizations are heavily secured, including government agencies, bad actors seek to target third parties that are easier to infiltrate. Hardware attack tools, which require physical access, might be implanted somewhere in the supply chain with the intention that they end up in use inside the target organization. Alternatively, since third parties often have access to a certain amount of the target organization’s information – which might include sensitive data – an attack on a supplier could provide perpetrators with access to such material without having to actually infiltrate the target enterprise.
4 – Are you a frequent user of airport charging ports? Proceed with caution – you might just be giving away all your private information…
Known as “juice-jacking”, this tactic is extremely alarming because of the trust we place in airport charging ports. Nothing is more attractive than a charging port when our device is about to run out of battery and we are getting ready to board a long-haul flight where entertainment is necessary – and in the 21st century, entertainment is synonymous with technology (whatever happened to books?). But society’s addiction to being connected at all times brings more downsides than meet the eye. Attackers exploit this trust by manipulating public charging stations in an attempt to access the private information stored on the device that you connect. With many personal devices today also holding some sort of work-related information, bad actors are taking their attacks out of the office and into the big wide world; and where better to do that than the airport? Just as you are taking a well-deserved vacation, the attackers are coming with you because, hey, they want a break from the office, too.
5 – IoT might seem great, but more devices mean more entry points for attackers. Make sure all your devices are covered.
IoT devices bring a number of cybersecurity risks to an organization because they need a network connection, and once connected, each IoT device becomes an entry point for attackers. As internet-connected devices proliferate, the number of entry points grows with them. Furthermore, many of these IoT devices are part of our daily life, meaning that they are used both in the office and in less secure environments, where it is easier to conduct an attack. The more IoT devices you use without sufficient protection, the bigger the holiday gift you are giving attackers.
6 – You do have your data backed up, right? Ransomware attacks are on the rise so regular backups are crucial.
People are not the only thing that can be taken hostage; your data can be as well. Data is fundamental to all organizations, and many enterprises also possess intellectual property that is invaluable to their operations – and to attackers. Ransomware attacks, if successful, give perpetrators immediate financial benefits that can often run to millions of dollars. However, organizations are advised not to pay the ransom because this does not guarantee the recovery of the encrypted data. Instead, it is best that organizations take proactive measures and regularly back up their data to better protect themselves in the first place. Although there are cybersecurity measures that can reduce an enterprise’s vulnerability to a ransomware attack, no single action provides complete protection. Hence, regular data backups offer that extra layer of security. And, if all organizations do this, ransomware attacks will be less effective, which will hopefully reduce the overall appeal of conducting such attacks, giving cybersecurity teams just one less problem to worry about – Merry Christmas to you, cybersecurity teams!
7 – Would you leave your wallet on a table at a Starbucks while you go to the bathroom? Hopefully not. So why would you leave your laptop on a coffee shop table where it is vulnerable to an attack?
To a thief, an open wallet left on a coffee shop table is like a candy cane to a child; to a hacker, the candy cane is an unattended laptop. Hardware attacks require the attacker to gain physical access to a device or network, and a coffee shop is the perfect alternative location when it is too challenging to access the enterprise’s offices. Coffee shops are also, to some, the perfect place to work – especially since the COVID-19 pandemic has encouraged work-from-home policies. So, you are at your local café, doing that ever-so-boring company report that your boss is nagging you for, and you have plugged a USB phone charger into your laptop (because you are cybersecurity aware and do not want to plug your phone into a public charging port – smart). But then you run to the bathroom, and in the time that you have left your laptop exposed, the fellow espresso drinker sitting next to you has swapped your USB charger for a spoofed one, known as a USB Ninja Cable. When you return, you are none the wiser because it looks identical to your original cable and it is still charging your phone. However, this device can covertly conduct perilous activities that put your organization at risk of a data breach. So, no, do not hold it in if you need to go to the bathroom, but rather put your laptop away, because those few short minutes that you leave it unattended could be the opportunity that an attacker grabs to initiate an attack.
8 – Did BYOD make your life easier? Well it made attackers’ lives easier too – don’t let an attack on your personal device ruin your holiday vacation. Don’t neglect cybersecurity in favor of simplicity.
BYOD brings many benefits, including a rise in employee satisfaction due to workplace flexibility, and reduced costs for the company as a result of not needing to provide as many devices. However, BYOD devices typically have fewer security measures in place in order to enhance the user’s experience. Great for the user, extremely perilous for the organization. “Fewer security measures” are the three words that no cybersecurity team wants to hear. Conversely, and understandably, these words are music to the ears of bad actors. Depending on the organization’s BYOD policies, it is likely that these devices contain, or have access to, sensitive information even when they are used out of the office. Do not let your festive period be focused on remediating an attack. Make sure all your devices are protected, including those that you use for both work and personal purposes because, in all honesty, it is not just the enterprise’s data that you should want to protect; do you really want an attacker accessing your Netflix account? They make enough money from their malicious activities; they can afford their own subscription.
9 – New IoT coffee machine for Hanukkah? How secure is that device? Is it only making your coffee? Remember that IoT devices can be easily hacked.
More and more everyday devices now operate as IoT devices, such as refrigerators, coffee machines, watches and door locks, to name a few. The problem is that these inconspicuous IoT devices are not perceived as a cybersecurity risk and therefore are often not given the necessary security measures. It is important that every IoT device receives the same cybersecurity attention, because those that are neglected might just be the ones that go rogue and act as a vector for an attack. Your new IoT coffee machine was not just a gift to you, but also to a bad actor searching for a vulnerable device to target.
10 – Do you have a hardware usage policy? Maybe. But it will only be effective if everyone in your organization is aware of it and, most importantly, follows it.
Although employees’ awareness of good cyber hygiene is important (mentioned in tip 2), it is not enough on its own, and organizations need to enforce cybersecurity policies to ensure greater protection. Importantly, hardware attacks often go undetected, so organizations need to do everything they can to limit their chances of falling victim to one. Hence, a hardware usage policy is essential. But this policy will only be effective if employees actually know about it and, more importantly, follow it. By understanding the policy and complying with it, the organization can greatly reduce its vulnerability to these perilous attacks.
11 – Researchers, pen testers, and vendors are constantly revealing device vulnerabilities. Make sure that you are not buying known-to-be-vulnerable devices.
Devices, even those manufactured by recognized and reputable brands, can be produced with vulnerabilities. Researchers, pen-testers, and the vendors themselves are constantly revealing such vulnerabilities in order to help organizations protect themselves. It is therefore important that enterprises make themselves aware of such revelations to avoid the mistake of buying these vulnerable devices. With so many covert cybersecurity risks and threats out there, do not leave yourself, and your organization, exposed to the ones which have been disclosed.
12 – With only a few more days left of the year, make sure you have hardware security in place to avoid spoiling your New Year’s celebrations.
It might be the festive season, but attackers are not taking a vacation. In fact, with people focused on the various holidays that December has to offer, offices are emptying out as employees take some time off to celebrate the festivities with their friends and families, making it prime time to carry out a hardware attack. As these attacks require physical access, empty offices mean fewer prying eyes, providing bad actors with the perfect opportunity to stealthily implant a rogue device in the target organization. The consequences of a hardware-based attack are perilous and require a tedious clean-up procedure – something no one wants to be doing during their holiday celebrations. 2020 has already brought more challenges than anyone could have anticipated; do not let a cybersecurity breach be this year’s holiday gift to you – stay protected.