This is an original article written by Alpine Security.
Protecting your agency or company from cyber crime is critical to keeping your business running smoothly and profitably in the digital age.
What are two of the most likely areas of vulnerability in your cyber defense strategy?
1. PHISHING
According to Phishing.Org, “Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution.”
These posers attempt to gain access to sensitive information such as social security numbers, passwords, or credit and debit card numbers. They intend to use this data to secure access to the target’s finances or to commit identity theft.
In 2004, a California teenager became the first person to face legal recriminations for phishing when he built a duplicate site of AOL and used it to secure credit card information.
Today’s cyber attackers may be more polished, but most of them still use phishing campaigns to get past security. It’s a simple scam that works. Verizon reports that 23% of recipients open phishing emails and 11% click on attachments. Enterprises should routinely test their employees’ responses to phishing scams.
Two important points to be aware of when thinking about protecting yourself from phishing:
- User awareness training, like many phishing tools, can help prevent attacks. Many tools send "canned" messages to users at an organization for training purposes. If the user clicks on the message, he or she is taken to a video explaining why the click was an unsafe choice.
- Most awareness training campaigns do not measure effectiveness, but they should. Realistic phishing campaigns, tailored to the individual organization’s users, are the only way to validate the effectiveness of user awareness training. Real attackers won’t use canned messages, after all. Alpine Security offers an economical way to test the effectiveness of security training.
2. SOFTWARE VULNERABILITIES
A zero-day exploit occurs when a hacker attacks a software vulnerability previously unknown to the organization. Often, the vulnerability is due to some flaw in the software, which the hacker can exploit. It’s called “zero-day” because that’s how many days there are - zero - between the discovery of the vulnerability and the hack. Zero-day exploits are difficult to predict or preempt.
Most attacks, however, do not use an unknown weak point. Instead, they take advantage of well-known vulnerabilities in the software. These kinds of attacks are easy to prevent, but many organizations simply don’t do it. A patching process is usually enough to ensure protection.
Identifying and fixing vulnerabilities in software is one of the best investments of time and money that an organization can make.
To prevent exploits of software vulnerabilities, companies can conduct an internal vulnerability assessment and an external penetration test to validate the software. There is almost no point doing an internal penetration test. At Alpine Security, we are 100% successful with internal penetration tests.
What are the best solutions to phishing and software vulnerabilities?
Avoiding or preventing a data breach or other information security liability is the best option. Defending your network isn’t complicated. It does, however, require consistent and focused work.
Phishing Testing
Did you know that about nine out of ten successful data breaches start out as phishing hooks? Staff members who hold no malicious intentions can open a phishing email, and your entire network gets infected. Can your employees recognize these scams?
Find out by conducting a manual or realistic phishing test. You can show employees the results to let them know if they’re phishing-prone or not. As a security mechanism, phishing testing relies on behavior change. To get that behavior change requires monthly tests, follow ups with employees, and consistent evaluation. That’s why it can be helpful to bring in an external service provider to conduct tests and review results.
Vulnerability Assessment
Secureworks defines a vulnerability assessment as “the process of identifying and quantifying security vulnerabilities in an environment.” It’s how you evaluate potential weaknesses in your security system so that you can shore up cyber defense in those specific areas and thereby reduce or eliminate the threat of a breach.
To conduct a vulnerability assessment, you’ll need to identify your processes and your hidden data sources, locate your servers, and scan your network. It’s usually best to hire an outside firm to conduct these assessments regularly.
Some people call a vulnerability assessment a “penetration test,” but that’s not quite accurate. A penetration test is much more intrusive but also more informative than an assessment.
Penetration Test
A penetration test is a five-step process in which a simulated attack determines the system’s security. Unlike a vulnerability assessment, it’s not a review of the network. Instead, it’s as close to a real attack as a friendly, white hat hacker can get. In many cases, a penetration test will tell you if your network is already infected.
The five steps in a penetration test are:
- Planning - define the goals of your test
- Scanning - understand how your target will respond to penetration
- Accessing - stage the cyber attack
- Maintaining Access - determine if you can maintain access through a vulnerability
- Analyzing - evaluate the results of the test
Enterprise Security Audit (ESA)
Based on the Top 20 Critical Security Controls from the Center for Internet Security, an ESA is a full IT audit with a focus on cybersecurity. ESA Top 5 (FCH) stops over 85% attacks because the Top 5 Critical Security Controls are based on real attacks and what actually works from a defense point of view.
When Alpine conducts an ESA, they review operational procedures as part of the audit. In fact, they think an ESA is so important, they recommend it to clients as the first, foundational step in a full cybersecurity program.
One more key tip: avoid the “fog of more.”
It’s easy to get lost in the technobabble from vendors or solution providers and to skip key steps. Talk to us about your questions regarding foundational cyber hygiene, and we’ll help you learn more about what Alpine Security can do to keep your data safe.
Final thoughts
Cybersecurity compliance needs regular monitoring and evaluation to stay on track. Let us know how we can help protect your company’s data.
View the original article here.
Defense Contractors - are you prepared to meet the new DoD cybersecurity requirements?
With current and future DoD contracts at stake, compliance is a strategic necessity that contractors cannot ignore. And with third party certification audits to be conducted in 2020, time is running out for manufacturers to reach compliance.
IMEC and Alpine Security are offering a 6-part Cybersecurity Resiliency for Defense Contractors Webinar Series to help you understand the complete requirements for DoD contractors. Register for Session 4 of 6: Cybersecurity Compliance – Real Company Examples, and check out the rest of the series below!
Session 4: Cybersecurity Compliance – Real Company Examples
October 29 | 10:00 am - 11:30 pm
This session will cover:
- How to write policies and procedures – and how are they different?
- What to do and what not to do when working towards compliance
- Examples from manufacturers of what works – and what does not
Cybersecurity Resiliency for Defense Contractors Webinar Series Lineup:
- Session 1: October 8 — Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
- Session 2: October 15 — DFARS & CMMC Overview
- Session 3: October 22 — DFARS NIST 800-171 Compliance Process
- Session 4: October 29 — Cybersecurity Compliance – Real Company Examples
- Session 5: November 5 — CMMC Breakdown
- Session 6: November 12 — Cyber Security: What Are Your Risks?
