Safeguarding your online presence – it is your brand after all.

We’ve all read and heard about compromised social media accounts and the subsequent effects, such as account takeover, impersonation (catfishing) and, a more recent trend, phishing.

However, whilst many of us are equipped with the knowledge of good online security hygiene, a fair number of users still fall victim to such attacks because they haven’t implemented rudimentary security controls or applied them consistently across all their online platforms.

As we’re on LinkedIn, the social network for professionals, I thought it’d be fitting to take a look at a few basic but mature controls you can apply to better safeguard your account.

Change your password often – Whether we like it or not, most of us still re-use passwords across online platforms, and for that reason I’d recommend that, if you do, you change your password often. If one of your accounts unfortunately gets compromised, a password used on many accounts effectively becomes the key to your online kingdom. (Having trouble remembering all your passwords? Then get a password manager. There are some good ones available – for free.)

Remember to log out – When using shared or public devices, remember to sign out of the account and log off the device.

Only accept ‘Connection Requests’ you trust – It’s really easy to fall into the habit of accepting every unfamiliar connection request that comes your way (a lot of people do), but have you ever thought to consider who the person is, why they’d like to connect and what you’ll both gain from being LinkedIn connections (because it is a two-way street, after all)? If in doubt, carry out some small due diligence (online searches etc.).

And in closing, the mother of them all: implement Two-Factor Authentication, aka 2FA. Two-Factor Authentication is a method in which a user is given access only after successfully presenting two or more pieces of evidence to an authentication mechanism. You’ll be required to provide any two of the following:

1) Something you know. (e.g. a password)

2) Something you have. (e.g. an SMS verification code)

3) Something you are. (e.g. a form of biometrics)
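To make the "two pieces of evidence" idea concrete, here is an added example (not LinkedIn's implementation and not part of the original article) of a login that checks a password together with a short-lived, single-use code. The names `Account`, `login` and `CODE_TTL_SECONDS` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a one-time code


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


class Account:  # hypothetical account record, for illustration only
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.pending = None  # (code, expiry) of the one-time code in flight

    def check_password(self, password):
        """Factor 1, something you know."""
        candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)

    def issue_code(self, now):
        """Factor 2, something you have: a code sent to the user's phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = (code, now + CODE_TTL_SECONDS)
        return code  # a real service sends this by SMS instead of returning it

    def check_code(self, code, now):
        if self.pending is None:
            return False
        expected, expiry = self.pending
        self.pending = None  # single use: every attempt consumes the code
        fresh = now <= expiry
        return fresh and hmac.compare_digest(code.encode(), expected.encode())


def login(account, password, code, now=None):
    """Grant access only when both factors verify."""
    now = time.time() if now is None else now
    # Check both factors before deciding, so a guessed code is burned
    # even when the password is wrong.
    password_ok = account.check_password(password)
    code_ok = account.check_code(code, now)
    return password_ok and code_ok
```

A stolen password alone fails this check, which is why a re-used password stops being the single key to the account once 2FA is on.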

LinkedIn have provided a relatively short and sharp overview of 2FA and how to set it up. The steps are easy to follow and won’t take up more than five minutes of your time.

The LinkedIn resource can be found here: https://www.linkedin.com/help/linkedin/answer/531/two-step-verification-overview?lang=en

If you haven’t enabled 2FA by now, I’d recommend you do so. (While you’re at it, why not review your other online accounts and their security controls?)

And please, safeguard your online presence – it is your brand after all.

Insider Threat is nothing NEW.

It’s my view that Insider Threat isn’t new to business; it has been around since, well, since a business hired an employee and trusted said individual or group with their intellectual property.

What’s different in 2019 is that we’ve been privy to a new variety of Insider Threat. So much so, that many businesses who do get affected would rather it’s kept internal than become headline news on the front pages. Whilst I get that, I’m a firm believer in honesty and transparency, which in turn enables others to learn from those mistakes or failed controls.

So, what is Insider Threat? There are many descriptions, but here’s one that sits well with me, courtesy of our friends at Wikipedia: An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data, computer systems and misuse it knowingly or unknowingly.

So here comes the drama…

Remember Edward Snowden and the intelligence secrets? Jiaqiang Xu, the former IBM software engineer who stole proprietary source code? And, more recently, the former third-party vendor (Amazon) employee who hacked Capital One?

What do these cases all have in common? Well, all misused their power, betrayed trust, were at some point or another disgruntled and believed completely that they had every right to carry out their mission.

Stats by the Ponemon Institute shed more light on the issue, but I’ve selected my top 3:

1) Employee or contractor negligence is responsible for two out of three insider threat incidents.

2) Negligence-based insider threat incidents cost organisations an average of $3.8 million per year.

3) 55% of organisations say that privileged users are their biggest insider threat risk.

So how can we mitigate the issue?

1) Develop an Insider Threat program.

a. I’d recommend an Insider Threat assessment and Corporate Policy.

2) Staff Training and Awareness.

a. It’ll help encourage an open and vigilant culture.

b. It’ll assist staff to identify and report suspicious activities, behaviours, or circumstances symptomatic of insider threats.

3) Privileged Access Management (PAM).

a. A solution that helps organisations restrict and control privileged access.

4) Entitlement reviews.

a. Periodic reviews are essential to ensure that only the right people have access to the right data.

5) Data Loss Prevention (DLP).

a. A solution that detects potential data breaches and data exfiltration transmissions and prevents them by monitoring and/or blocking sensitive data from leaving the corporate network.
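As an added illustration of item 4 (not from the original article), the sketch below shows what a periodic entitlement review can automate: comparing an access export against the HR roster and listing the grants a reviewer must act on. The roster, the grants, the 90-day threshold and the department rule are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: an HR roster and an access export.
ROSTER = {
    "asmith": {"active": True, "dept": "finance"},
    "bjones": {"active": False, "dept": "engineering"},  # has left the company
    "cdoe": {"active": True, "dept": "engineering"},
}
# (user, resource, owning department, privileged?, last used)
GRANTS = [
    ("asmith", "finance-share", "finance", False, date(2019, 9, 20)),
    ("bjones", "source-repo", "engineering", False, date(2019, 6, 1)),
    ("cdoe", "finance-share", "finance", False, date(2019, 9, 25)),
    ("cdoe", "prod-db-admin", "engineering", True, date(2019, 3, 1)),
    ("svc-old", "source-repo", "engineering", True, date(2018, 12, 1)),
]
STALE_AFTER_DAYS = 90  # assumed review threshold


def review(roster, grants, today):
    """Return (user, resource, reason) for every grant a reviewer must act on."""
    findings = []
    for user, resource, owner_dept, privileged, last_used in grants:
        person = roster.get(user)
        if person is None:
            findings.append((user, resource, "no HR record: orphaned account"))
            continue
        if not person["active"]:
            findings.append((user, resource, "leaver still holds access"))
            continue
        if person["dept"] != owner_dept:
            findings.append((user, resource, "outside own department: confirm need to know"))
        if (today - last_used).days > STALE_AFTER_DAYS:
            reason = "privileged and unused: revoke" if privileged else "unused: revoke"
            findings.append((user, resource, reason))
    return findings


if __name__ == "__main__":
    for finding in review(ROSTER, GRANTS, date(2019, 10, 1)):
        print(*finding, sep=" | ")
```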

Unfortunately, there isn’t a silver bullet or a one-size-fits-all fix to this issue. Insider threat is and will continue to be a constant and complex issue for businesses worldwide. So, do businesses implement massively stringent and draconian controls on staff? Or do they continue to trust staff to abide by AUPs and honour the privacy of company secrets? You tell me, what do you think?

My perspective on 2019’s most prevalent Cyber threats.

I was recently asked about the organisation’s most high-risk cyber-attack vectors and whether we were well prepared to handle them in the event they occurred. I of course responded with a measured but honest answer, to both the delight and dismay of the Business Head.

Nevertheless, the conversation ended well, with some action points on my behalf and a confident business owner, comfortable that we’re proactive in our approach to Cyber Security.

As a result of the conversation, I’ve decided to highlight my top 3 cyber threats that any business should have covered, and how to mitigate them. If not, I’d recommend at least understanding what your organisation’s risks are and then implementing controls to mitigate them.

Ransomware – It has been rife and has had a massive resurgence this year, especially in the US of late, targeting federal, state and municipal agencies. Let’s not forget healthcare and educational institutions too.

• Employ anti-virus and anti-malware protection, ensuring that it’s maintained.

• Keep your applications, operating systems and hardware up to date.

• Well-managed and consistent data backups will allow you to recover from most ransomware attacks. And remember to regularly test your backups.

Phishing – It has continued to establish itself through other platforms such as social media apps, websites and SMS, which has made it more widespread than ever.

• If it sounds too good to be true, it probably is.

• Be suspicious of unexpected messages and trust your gut.

• Make use of anti-spoofing protection, spam filters and DMARC checks on your corporate email environment.

Insider threat – A topic I discussed on its own in a previous article. The moment an organisation employs staff, whether permanent or on a contractual basis, or grants occasional system access to 3rd party vendors, it opens up the possibility of a data breach, whether intentional or unintentional.

• Excuse the incoming cliché, but my number one recommendation is ‘Education, education, education!’ Educate all staff members to be alert to suspicious behaviour and encourage open communication.

• Provision access to data on a ‘need to know’ basis. Principles like ‘least privilege’ and ‘separation of duties’ are a great basis.

• Implement controls around the use of portable storage devices, online storage platforms and the use of third-party email.

All in all, it’s important to note that a well-informed corporate governance structure, an evolving technology strategy, effective processes and procedures and consistent staff training will provide a great foundation for mitigating the aforementioned threats.

The reality today is that businesses of all sizes should protect their digital assets the same way a mother would protect her young – ‘at all costs’. It’s not a matter of if but when.