Cybersecurity is not all rocket science, remember the basics…
Nov 30, 2016
Cybersecurity makes headlines: records stolen, systems taken offline, data held to ransom, identities cloned; these are just some of the breaches that business is working hard to stay ahead of – we all read the headlines, no-one wants to BE the headlines.
How do you avoid becoming one of the headlines? As fast as you move, the bad guys can move faster. You need to monitor and protect every surface; they only need to find a single weak spot. What can you do? Start with, and maintain, your basics, 100% of the time.
Here’s a recent example where you could argue the basics were not done well.
Over the weekend of 26th November, San Francisco’s Municipal Transport Agency (known as Muni) was hit by a ransomware attack demanding 100 bitcoins (about $73,000). This may not seem a lot compared to recent mega-breaches, but this attacker is a regular extortionist who demands similar amounts; keeping the demands small helps him/her stay under the radar.
The Muni attack was particularly newsworthy as it:
- hit the world’s tech capital
- impacted public services, a scenario which worries those outside of the tech bubble
The initial infection was from a Windows 2000 Server.
Re-read that and think about it.
Windows 2000 Server was released over 16 years ago and received its final security update from Microsoft over 6 years ago, in July 2010. There are good reasons to have old systems still running, but the risks they introduce need to be managed more than ever before.
Any device like this should be seen as a massive security risk on a network. It should be isolated, backed up and have its operating system hardened, and it should be assumed that it could be compromised at any time. Instead, the server was able to spread the ransomware to 2,000 of the 8,000 computers that Muni operates.
This reminds me of a recent conversation with a security expert who works to protect vital national infrastructure. In it, the one recurring theme was that network security is often not about the newest technology from the latest start-up; it is really about doing the basics right. Not running end-of-life operating systems on servers, wherever possible, is just doing the basics right.
Other recent examples of missing obvious gaps or not following best practice include:
- The TalkTalk hack from October 2015, which originated via well-known SQL injection vulnerabilities on an old server for a Tiscali website (see more here).
Where an old server is needed, it should be locked down so that it has only the network access it needs, and a bare minimum of software and privileges available.
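The two points above (treat an end-of-life server as a risk that must be isolated and backed up, and give it only the network access it needs) can be turned into a repeatable check rather than a one-off judgement. The script below is an added example, not code from the original post or from Juniper: it audits a constructed asset inventory against a constructed firewall rule set, flags every host whose operating system is past its final security update, and for each such host reports whether it sits outside a dedicated isolated segment, lacks a backup, or has allow rules broader than a named destination and port. The segment name "legacy-isolated", the host names, the rules and the end-of-support dates other than the July 2010 Windows 2000 Server cut-off mentioned in the post are assumptions for the example; check the dates against the vendor's published lifecycle before relying on them.

```python
from dataclasses import dataclass
from datetime import date

# Sample end-of-support dates. The Windows 2000 Server date is the July 2010
# cut-off the post refers to; the others are illustrative and should be
# verified against the vendor's published lifecycle before use.
END_OF_SUPPORT = {
    "Windows 2000 Server": date(2010, 7, 13),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

ISOLATED_SEGMENT = "legacy-isolated"  # hypothetical name of the quarantine VLAN


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    segment: str
    backed_up: bool


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule; 'any' is a wildcard for src, dst or port."""
    src: str
    dst: str
    port: str


def is_end_of_life(os_name: str, today: date) -> bool:
    """True when the OS's last security update is in the past.
    Unknown OS names are treated as supported, so keep the table complete."""
    eos = END_OF_SUPPORT.get(os_name)
    return eos is not None and eos < today


def rule_findings(host: Host, rules: list) -> list:
    """Flag allow rules that give an end-of-life host more reach than it needs."""
    issues = []
    for r in rules:
        if r.src == host.name and (r.dst == "any" or r.port == "any"):
            issues.append(f"outbound rule {r.src} -> {r.dst}:{r.port} is broader than a named destination and port")
        if r.dst == host.name and r.src == "any":
            issues.append(f"inbound rule {r.src} -> {r.dst}:{r.port} accepts any source")
    return issues


def audit(hosts: list, rules: list, today: date) -> dict:
    """Return {host name: [issues]} for every end-of-life host.
    An empty list means the host meets the minimum controls checked here."""
    report = {}
    for h in hosts:
        if not is_end_of_life(h.os, today):
            continue
        issues = []
        if h.segment != ISOLATED_SEGMENT:
            issues.append(f"on shared segment '{h.segment}', not '{ISOLATED_SEGMENT}'")
        if not h.backed_up:
            issues.append("no backup recorded")
        issues.extend(rule_findings(h, rules))
        report[h.name] = issues
    return report


# Constructed inventory and rule set; the audit date is the post's date.
AUDIT_DATE = date(2016, 11, 30)
HOSTS = [
    Host("legacy-app01", "Windows 2000 Server", "corp-lan", backed_up=False),
    Host("legacy-db02", "Windows 2000 Server", ISOLATED_SEGMENT, backed_up=True),
    Host("file-srv03", "Windows Server 2012 R2", "corp-lan", backed_up=True),
]
RULES = [
    Rule("legacy-app01", "any", "any"),        # unrestricted outbound: lets malware spread
    Rule("any", "legacy-app01", "445"),        # SMB reachable from the whole network
    Rule("app-srv04", "legacy-db02", "1433"),  # one named client, one port: the minimum
    Rule("file-srv03", "any", "any"),          # broad, but the host is still supported
]

if __name__ == "__main__":
    for name, issues in audit(HOSTS, RULES, AUDIT_DATE).items():
        print(f"{name}: {'OK' if not issues else f'{len(issues)} issue(s)'}")
        for issue in issues:
            print(f"  - {issue}")
```

Run against the sample data, the still-supported file server is skipped, the isolated database host passes, and the application server is reported with four findings. Feeding the same functions with an export from a real CMDB and firewall policy turns "doing the basics 100% of the time" into a check that can be scheduled.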
Of course, this sounds simple. But in reality it isn’t. Organisations have thousands of devices, each with hundreds of legitimate processes and applications running on them. Making sure that you’re “doing the basics, 100% of the time” is a job for a skilled project manager with a very keen eye for detail.
Technology can also help you get the basics right. At Juniper, we believe you need to move away from the old perimeter security model to one where you enforce security across the whole network. This allows you to:
- Enforce security on every network device instead of solely at the network edge
- Identify suspicious activity within the network, not just at the perimeter
- Proactively block the connectivity of compromised or suspicious devices to stop threats spreading
- Use centralised software to control a multi-vendor environment with simple-to-understand rules