Top Tips to Boost Your Cyber Defences
We look at the classic security loopholes and weaknesses that continue to trip up businesses large and small, and share practical tips along the way.
1. Overlooking Your Bricks and Mortar Defences
Cyber-criminals could, quite literally, walk through your front door to get their hands on your digital assets. Physical social engineering is, as the name suggests, social engineering carried out in person: a criminal bluffs their way into your offices by posing as an engineer, and once inside has the same access to unlocked workstations, network ports and paperwork as any employee. These attacks are on the rise, and the pretexts attackers use to get past bricks and mortar defences are getting more convincing.
Late in 2018, we were commissioned by a well-known financial institution to conduct a mock physical social engineering attack. For obvious reasons, we’re protecting their identity. This household name had invested tens of thousands of pounds in physical security: controlled barriers, CCTV, uniformed guards and an armour-plated access control system on every internal door.
Despite this, our man undercover spent an hour in the heart of their HQ, roaming free and unchallenged. You can read how he did it here: A Day in the Life of a Physical Security Specialist.
2. Forgetting the Security Fundamentals
You’ll hear lots of buzzwords in cybersecurity. One thing we always urge our customers not to do is go on a security acronym spending spree. Buying lots of sexy tools and hoping that, collectively, they’re affording enough protection isn’t the best approach.
Security hygiene is one buzzword we do like: there’s no point adding layers of technology on foundations of sand. Get the basics right first: patching and updates, and user authentication. In our experience, it’s often the simplest things that catch businesses out.
Our colleagues at IT Lab company Perspective Risk have penned this helpful blog: Do One Thing Today and Make Your Network More Secure.
3. The Vulnerabilities Lurking in Your Documents
Like most companies, you probably publish documents on your website, such as sales brochures and product catalogues. But have you ever stopped to consider that this ostensibly harmless content could be a way in for cybercriminals? The problem is not the content you can read but the metadata: the properties the authoring software embeds in the file to describe the document itself.
Those details can be extremely useful to an attacker. The author and last-modified-by fields typically hold Windows usernames, which reveal your account naming convention and hand a phishing campaign a ready-made list of targets; the application and version fields show which software, and how old, is in use; template paths can reveal internal folder names. In this Perspective Risk blog, we’ve fictionalised an actual event to protect the identity of a company caught out by a product brochure on their website: What Can Cyber Thieves Do with Your Document Metadata?
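To show what a published brochure actually carries, here is an added example (not code from the Perspective Risk blog or any of our tooling) that reads the identifying fields out of an Office Open XML file and writes a scrubbed copy fit for publication. It works for .docx, .xlsx and .pptx alike, since all three are zip archives with the same docProps/core.xml and docProps/app.xml members. The namespaces and element names are the real OOXML ones; the sample document is constructed in memory, and the usernames, company and paths in it are invented.

```python
"""Extract and scrub the metadata that Office Open XML files (.docx, .xlsx,
.pptx are all zip archives) carry in docProps/core.xml and docProps/app.xml.
Added example, standard library only; the brochure below is constructed in
memory and is not a real customer document."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():        # keep the real prefixes when we re-serialise
    ET.register_namespace(_prefix, _uri)

# (zip member, element, label): the fields an attacker mines first
FIELDS = [
    ("docProps/core.xml", "dc:creator", "author"),
    ("docProps/core.xml", "cp:lastModifiedBy", "last_modified_by"),
    ("docProps/core.xml", "dcterms:created", "created"),
    ("docProps/app.xml", "ep:Company", "company"),
    ("docProps/app.xml", "ep:Application", "application"),
    ("docProps/app.xml", "ep:AppVersion", "app_version"),
    ("docProps/app.xml", "ep:Template", "template"),
]

# Constructed sample: the sort of thing Word leaves behind in a brochure
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
  <dc:title>Product Brochure 2019</dc:title>
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>ACME\\a.jones</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2019-03-04T09:12:00Z</dcterms:created>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>14.0000</AppVersion>
  <Company>Acme Holdings plc</Company>
  <Template>C:\\Users\\jsmith\\AppData\\Roaming\\Microsoft\\Templates\\Brochure.dotm</Template>
</Properties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Minimal stand-in for a brochure downloaded from a company website."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def extract_metadata(doc: bytes) -> dict:
    """Return {label: value} for every populated field in FIELDS."""
    found, roots = {}, {}
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        members = set(z.namelist())
        for member, path, label in FIELDS:
            if member not in members:
                continue
            if member not in roots:
                roots[member] = ET.fromstring(z.read(member))
            el = roots[member].find(path, NS)
            if el is not None and el.text:
                found[label] = el.text
    return found


def scrub_metadata(doc: bytes) -> bytes:
    """Copy the archive with the FIELDS elements blanked; the document body is untouched."""
    targets = {member for member, _, _ in FIELDS}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in targets:
                root = ET.fromstring(data)
                for member, path, _ in FIELDS:
                    el = root.find(path, NS) if member == info.filename else None
                    if el is not None:
                        el.text = None
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for label, value in extract_metadata(sample).items():
        print(f"{label:>17}: {value}")
    print("after scrub:", extract_metadata(scrub_metadata(sample)))
```

Run it and the sample gives up a local username, a DOMAIN\user pair (so the account naming convention), the company name, the Office version and a profile path, which is exactly the reconnaissance haul the blog describes. Run the scrub over every file before it goes on the website, and check the output with extract_metadata rather than trusting the authoring tool's "remove personal information" option, which is easy to forget.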
4. Storing Sensitive Information as Cleartext
Cleartext is information that can be read by anyone who obtains it: nothing has been done to disguise it. You might think that protecting sensitive data at rest should be commonplace these days, with passwords stored only as salted hashes and other secrets encrypted, but you’d be surprised!
Every year we conduct hundreds of penetration tests for organisations of all sizes across the public, private and third sectors, and storing data as cleartext is one of the top five security vulnerabilities we encounter: passwords sitting in configuration files, scripts and spreadsheets, and credentials in databases that are one backup theft or SQL injection away from an attacker. For more advice, hop over to this blog by one of our penetration testers: Common Network Vulnerabilities: Storing Data as Clear Text.
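The finding above usually looks like the first half of this added example (our illustration, not code from the linked blog): a table of usernames and plaintext passwords compared with ==. The second half is the replacement a pentester would ask for: a per-user random salt, a memory-hard KDF (scrypt from the standard library, which assumes an OpenSSL build that supports it), cost parameters carried in the record so they can be raised later, a constant-time comparison, and the same work done for unknown usernames so login timing does not enumerate accounts. The users are constructed sample data.

```python
"""Cleartext credential storage beside its replacement.  Added example,
standard library only (Python 3.6+ with OpenSSL scrypt support); the users
below are constructed sample data, not anyone's real accounts."""
import hashlib
import hmac
import os

# --- what we keep finding on engagements: never ship this ------------------
INSECURE_USERS = {                 # constructed sample data
    "alice": "Summer2019!",        # a database dump or config backup gives these away
    "bob": "Password1",
}


def insecure_login(username: str, password: str) -> bool:
    # plaintext comparison: anyone with read access to the store owns every account
    return INSECURE_USERS.get(username) == password


# --- the replacement: salted, memory-hard KDF, constant-time compare --------
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB per hash; raise N as hardware allows
MAX_N = 2 ** 17                                 # cap accepted from a record (tampered rows must not DoS login)
MAXMEM = 256 * 1024 * 1024                      # scrypt memory ceiling consistent with MAX_N and r <= 8
DKLEN = 32


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt$digest'; a fresh salt means equal passwords hash differently."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters carried in the record; reject malformed records."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    # sanity-check cost parameters: scrypt needs N a power of two, and we bound the work
    if algo != "scrypt" or n & (n - 1) or not 2 ** 10 <= n <= MAX_N:
        return False
    if not 1 <= r <= 8 or not 1 <= p <= 4 or not salt or not expected:
        return False
    try:
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                                maxmem=MAXMEM, dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)   # no early exit on the first differing byte


# One-off migration: hash every plaintext once, then delete the plaintext column.
SECURE_USERS = {user: hash_password(pw) for user, pw in INSECURE_USERS.items()}
DUMMY_RECORD = hash_password(os.urandom(16).hex())  # burned on unknown users to equalise timing


def secure_login(username: str, password: str) -> bool:
    record = SECURE_USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)   # same cost as a real check, then refuse
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    print("stored record for alice:", SECURE_USERS["alice"])
    print("correct password:", secure_login("alice", "Summer2019!"))
    print("wrong password:  ", secure_login("alice", "Password1"))
    print("unknown user:    ", secure_login("mallory", "anything"))
```

Note what a stolen copy of SECURE_USERS gives an attacker: a salt and a digest that cost them a full scrypt run per guess per user, instead of the passwords themselves. Application secrets that must be recovered in the clear (API keys, database passwords) are a different problem: those need a secrets store or encryption with a key held elsewhere, not a hash.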
5. Public Information That Could be Compromising Your Security
Phishing is the fraudulent practice of sending emails that appear to come from a legitimate source in order to trick the recipient into handing over credentials, opening a malicious attachment or making a payment. Attempts keep increasing because, despite greater awareness, people continue to be duped: 80% of British businesses and 81% of the UK’s charities are attacked in this way. Variants include:
- Spear phishing: an email crafted for a specific individual.
- Vishing: phone calls from people who are not who they say they are.
- SMiShing: a fraudulent text message.
- Whaling: phishing aimed at senior executives; when the fraudster instead impersonates the boss, for example an email from the ‘CEO’ to the finance director with an urgent bank transfer request, it is also known as CEO fraud or business email compromise (BEC).
These are all forms of social engineering, and every one of them starts with information about your company. One of the easiest places for a criminal to collect it is your own website: email addresses (which also reveal your address format), direct phone numbers, and the names and job titles of senior staff. After all, why would they pay for this information on the dark web when you’re giving it away for free?
What are you inadvertently sharing with hackers? Perspective Risk’s blog dives deeper into the topic: I Can See You!
6. A Hacker's Gift: Manufacturers' Default Login Credentials
Imagine your company has just bought a new teleconferencing system. Your IT team diligently installs it and you’re up and running in no time, logging in with the default credentials from the manufacturer. Everyone enjoys the new system. Fast forward six months and an attacker has breached it using those same credentials, which are printed in the manual and listed in publicly available default-password databases. Worse, the device now gives them a foothold on your network and a potential gateway to your other systems.
Default credentials are another common security vulnerability we see during pentest assignments. For more advice on this crucial topic, over to our pentest team: Common Network Vulnerabilities: Dangerous Default Credentials.
7. Using Unsupported - and Increasingly Vulnerable - Products
The clock is ticking: in 2020, support for a raft of Microsoft products comes to an end, including Windows 7 and Windows Server 2008 and 2008 R2 on 14 January 2020. Almost half of SMEs and enterprises are still running Windows 7 despite newer versions being available. Once support ends there are no more security patches (unless you pay for Extended Security Updates), so every newly discovered vulnerability stays open and the risk only grows. Our blog, Microsoft End of Support – What You Need to Know, explains what is affected and what to do about it.
We hope this blog has inspired you to review your security afresh and shore up your defences. We understand that the hardest part can be knowing where best to start. We can set your coordinates with a free cybersecurity assessment. Just click the button below, and we’ll be in touch.