FUTURESCOT
CYBERSECURITY
28 April 2016
A hacker’s step-by-step guide to how you can beat the hackers
The six cyber security steps to protect your business from harm: from an ‘ethical hacker’ whose Facebook password is 125 characters long
BY KEVIN O’SULLIVAN
How do you best protect your enterprise from cyber-attack, a threat that is growing and costs business £34bn a year, according to the Centre for Economic and Business Research?

Well, why not start by asking hackers themselves? In this case, Michael Jack, who is in the second year of his ‘ethical hacking’ course at Abertay University and works part-time helping businesses stay safe with the Scottish Business Resilience Centre.

Here are Michael’s top tips for avoiding that embarrassing and damaging moment when you have to tell your customers their private data has been breached.
UPDATES
Always run your patches

After vulnerability scanning your network, the first thing to do is to make sure the software you use is patched (updated) with the relevant security fixes, bug fixes and improvements.

As Michael says: “If you’re like the nice people at Mossack Fonseca who are running content management systems that have not been patched since 2013, that’s easy pickings for people like me.” Larger businesses should have IPS (intrusion prevention systems) and an enterprise-wide YARA signature for detecting bugs like Shellshock and Heartbleed.

Smaller firms will rely more on patches or the latest Windows Hotfix or critical OpenSSL update.

“Just by being on the latest version of the operating system (Windows 10 or OSX 10.11) you’re mitigating a lot of the common attack threats that are out there,” says Michael.

Older operating systems like Windows XP are no longer supported, so are at risk; Windows 7 support is due to end in 2017, and Apple only support the two versions previous to the current version (OSX 10.10 and 10.9).

The same applies to smartphones: make sure iOS is updated on Apple, and likewise with Android.
DATA PROTECTION
Back up your data, and back up the back-up!

“I promise you your back-up strategy will save you money,” says Michael. “It will save you money on really expensive data recovery people with fancy scanning electron microscopes and big magnets.”

Backing up data saves time and money and can defeat ransomware. If you have backups and you get attacked by CryptoLocker (a ransomware trojan) you can wipe your hard drive and restore from back-up within hours.

Michael cites the example of an LA private hospital which had to pay millions of dollars in Bitcoins to get its data back, because it didn’t have a back-up sufficiently isolated from its main system.

Weekly back-up is probably the minimum if you’re looking to avoid aggravating the business, and always keep another offsite, in case of fire or similar catastrophe.

It’s advisable to encrypt the onsite backup and keep it in a safe. If it’s unencrypted it could fall foul of PCI-DSS (Payment Card Industry Data Security Standard) and ISO (International Standards Organization) standards.
ENCRYPTION
Encryption is not just for terrorists!

“If data is exfiltrated from your network and it’s not encrypted, once it’s left your perimeter the data has long gone,” says Michael.

You should encrypt as much as you can – but be conscious of who needs access to what in the business. Therefore, internal controls should allow for individual document encryption, especially for important financial information. Full disk encryption is available through Mac OSX (FileVault) and Windows (BitLocker/Drive Encryption).

“If you can encrypt everything, encrypt it, but if you think you’re going to forget the password please don’t encrypt without writing the password in a book and locking it in a safe. The look on an average person’s face when they tell you they’ve enabled FileVault (Mac OSX) and then forgot the password, it’s a special sight to behold but not one you really want to see that often,” says Michael.

Smartphones, if supplied to employees, should also be encrypted – in Apple iOS it’s advisable to set up the erase data function; in Android, encryption can be found through the security settings.
PASSWORDS
Size does matter!

Hackers can machine-generate quadrillions of combinations of characters to ‘guess’ passwords, so the longer the better. Turn four words into a ‘pass phrase’ of 15 characters or above. These are much harder to crack than eight- or nine-character-long passwords, which can be cracked by ‘brute force’ methods.
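The arithmetic behind that advice, as an added example that is not part of the article: the script below estimates the brute-force search space for a password from the character classes it uses, and compares an eight-character mixed password with a 15-character four-word passphrase. The 94-character printable set, the 7,776-word list and the guess rate of 10^11 per second are constructed assumptions chosen to illustrate the comparison, not figures from the article. It also shows the caveat that a passphrase built from a known word list is only as strong as (words in list)^(number of words), so four short common words are not automatically stronger than a random eight-character string.

```python
import math
import string

# Assumed sizes of the character classes an attacker would have to cover.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digits": (set(string.digits), 10),
    "symbols": (set(string.punctuation), 32),
}

# Constructed assumptions: a diceware-style word list and an offline
# cracking rate against a leaked fast hash (e.g. unsalted MD5-class speeds).
WORDLIST_SIZE = 7776
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest class union that covers every character used."""
    size = 0
    for chars, n in CLASS_SIZES.values():
        if any(c in chars for c in password):
            size += n
    # Anything outside the four classes (e.g. non-ASCII) is counted as 1 each,
    # which is a conservative lower bound for the search space.
    size += sum(1 for c in password if not any(c in chars for chars, _ in CLASS_SIZES.values()))
    return size


def brute_force_bits(password: str) -> float:
    """Bits of search space if the attacker tries every string of this length
    over the classes the password uses (character-level brute force)."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Bits of search space if the attacker knows the passphrase is N words
    drawn from a known list, and guesses word by word instead of character by character."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits_of_space: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try the whole space at the assumed guess rate."""
    return (2 ** bits_of_space) / rate / SECONDS_PER_YEAR


def meets_length_rule(password: str, minimum: int = 15) -> bool:
    """The article's rule of thumb: 15 characters or more."""
    return len(password) >= minimum


def compare(samples):
    """Return (password, charset, bits, years, meets_rule) for each sample."""
    rows = []
    for pw in samples:
        b = brute_force_bits(pw)
        rows.append((pw, charset_size(pw), round(b, 1), years_to_exhaust(b), meets_length_rule(pw)))
    return rows


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw, cs, b, yrs, ok in compare(["P@ssw0rd", "Tr0ub4dor&3", "correcthorsebatterystaple"]):
        print(f"{pw:28s} charset={cs:3d} bits={b:6.1f} years={yrs:14.3g} 15+ chars={ok}")
    # Caveat: if the attacker knows the passphrase is four words from a 7,776-word list,
    # the effective space is far smaller than the character-level figure above.
    print(f"4 words from a {WORDLIST_SIZE}-word list: {wordlist_bits(4):.1f} bits "
          f"({years_to_exhaust(wordlist_bits(4)):.3g} years)")
```

Under these assumptions the eight-character mixed password falls in well under a day, the 25-character lowercase passphrase would take longer than the age of the universe at character-level brute force, but four words chosen from a public 7,776-word list give only about 52 bits, roughly the same as the eight-character password. That is why the article's ‘15 characters or above’ rule works best with words an attacker's list is unlikely to contain, or with more than four of them.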
If you can’t remember your password, get a password manager like One Pass or Last to generate long, random passwords for you, and back up, enabling two-factor verification