Cybersecurity & Infosec Blog

  • Writer: Brian Lechner
  • Aug 21, 2020
  • 2 min read

Security Awareness Training

AI and machine learning are evolving into powerful tools in the field of cybersecurity. These tools make detecting and responding to threats in real time almost automatic. When used in combination with secure network configuration, these advancements certainly go a long way toward protecting a network, its data, and its devices. However, without training your users to recognize social engineering attacks, phishing emails, and other questionable activity through security awareness training, you are leaving the front door unlocked. 94% of malware is delivered via email, and phishing attacks are responsible for more than 80% of all reported security incidents. Of course, most, if not all, ransomware attacks are carried out via email as well. Malicious email and social engineering attacks are the cause of stolen credentials, stolen data and stolen identities, and lead to losses of $17,700 every minute. These statistics are significant, and with proper security awareness training for companies of all sizes, they could be substantially reduced.


Train Your Users


The goal of a security awareness program is to empower employees to recognize, question and act when something does not seem right. This goes beyond a basic understanding of company policies and gives users the knowledge necessary for securing data at work and beyond. When administered correctly, your security team’s phones will be ringing more than usual as users begin to recognize and report questionable activities and email. This is what you want.


When to Train


Security awareness training should be included during the on-boarding process and advance to ongoing training throughout the company on a regular basis. Post-incident, any breach should be communicated to the appropriate team and then followed up with focused training to help avoid future incidents. The topics covered by a security awareness training (SAT) program can, and will, vary depending on each organization’s security needs. For example, an entity with secure entrances may include a course on tailgating, whereas a company without a secure entrance may not see this training as necessary.


Test and Reinforce


Each course should be interactive, with some means of testing the user’s comprehension and retention of the material. Any user who fails to meet the basic requirements of a section should be required to revisit the session and retest before moving on. Depending on the situation, one-on-one counseling may be needed for a user who struggles with a given section.

Phish Your Users


Internal phishing campaigns should be included as part of any security awareness training. The goal is to reduce the number of click-throughs on these training exercises and increase the number of calls questioning suspicious email to security personnel. Users who continually fail these campaigns should be counseled on how to spot a phishing attack or questionable email.


In closing, every company of every size should have some form of formal security awareness training for its employees. This training should cover the organization’s security policies and procedures as well as educating and empowering users to be more responsive to ongoing cybersecurity threats. How do you go about gaining approval for a security awareness training program? Build a business case, which will be covered in a later blog post.


A few of the companies offering security awareness training programs (there are many others):


  • Writer: Brian Lechner
  • Jul 31, 2020
  • 2 min read

As the number of devices connected to the internet increases, so does the number of devices that can be exploited by cyber criminals. You can mitigate this risk by changing the default device admin password, the default Wi-Fi password and ensuring all devices are on the most recent firmware release.


Surprisingly, this issue is not unique to consumers; many businesses have devices on their networks which still have default accounts assigned to them. Default accounts are easily found by a simple Google search. Sites such as Datarecovery.com post listings of known default accounts for hundreds of network devices.


In the home, every device that connects to the internet will have a default administrative account set up. Be it a router, modem, TV, doorbell camera… you name it, there is a default account that MUST be changed.


So, what’s the big deal? The big deal is that if a cyber criminal gains access to your router, they can watch everything you do on the internet. They would have access to your home Wi-Fi network, which in turn gives them access to your computer, phone, printers, tablets, etc.


A survey done by Broadbandgenie.co.uk in 2018 revealed that 82% of respondents have NEVER changed the administrator password on their Wi-Fi router. This is concerning. I have no doubt there are millions of Wi-Fi routers in the U.S. that are vulnerable due to defaults not being changed.


Changing the default password, and in some cases the default administrator account name, is not difficult. In fact, these instructions usually come with the device. Instructions on changing default passwords on most devices can also be found online, as mentioned previously.


In a similar survey, Broadbandgenie found that nearly 48% of those surveyed didn’t change default settings because they didn’t know why they’d need to. In addition, 51% said they’ve never done anything to secure any of their internet facing devices.


As the IoT (Internet of Things) continues to grow, so must the effort to educate people on the importance of securing their devices. Some manufacturers are starting to force an admin password change during device setup and to auto-update when new firmware is available; this is a huge step in the right direction. But until all devices feature some kind of forced security setup, this will unfortunately continue to be a vulnerability that could easily be mitigated if everyone understood the importance of locking their devices down.


How to change admin password on popular routers:


Additional Reading:


  • Writer: Brian Lechner
  • Jul 13, 2020
  • 2 min read

Updated: Jul 31, 2020


Security Policies - Where To Start

Every organization needs security policies in place to provide direction for people and the company, improving the entity’s security posture. These policies must be written in such a way as to work within the goals and objectives of the business, as well as reflecting its risk appetite and risk tolerance. Business comes first; security policies can’t be so stringent as to become an obstacle to strategic objectives or to employees getting work done.


So, where to start? You must first be aware of the risk appetite and risk tolerance of your organization. ISACA defines risk appetite as “The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.” It goes on to define risk tolerance as “The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.”


Risk appetite, then, is the amount of risk the organization views as acceptable as it pursues its objectives. Risk tolerance is the degree of variance from that appetite the entity accepts. An analogy presented by the FAIR Institute helps to better understand appetite vs. tolerance: “Given normal weather and other conditions, it is extremely rare to see law enforcement enforce the speed exactly at the limit. Consequently, while risk appetite can be thought of as a line drawn in the sand that helps to set expectations, risk tolerance can be thought of as the variance from appetite that drives day-to-day decisions to operate differently in some manner. Note the operative word here - decisions.”


Security policies cover a lot of ground, from acceptable use policies, to router configuration, to employee off-boarding when employment is terminated. The number and nature of the policies will depend on the entity’s risk appetite, risk tolerance and the nature of the business. For smaller organizations that might lack a security committee, an information security manager, or a person on staff with knowledge of information security, the task of knowing where to start can be daunting.


One go-to resource for security policy templates that can ease the burden of not knowing where to start is the SANS Institute. There you’ll find templates that cover almost everything your company might need and that are easily modified to fit nearly any entity.


You can find these templates here: SANS Institute Security Policy Templates


It is important to note that security policies are generally part of a larger enterprise security program which covers administrative, operational and technical safeguards. This will be addressed in future posts along with governance and frameworks.
