Here is what we're working on and thinking at Hedgehog Security.

Any business with an online presence (and few businesses today don’t have an online presence) should be thinking about its security and specifically, increasing that security. This shouldn’t be treated as an incidental, background matter to be addressed on a rainy day – the loss of a website, even for a few hours, could result in loss of business or, at the very least, damage the business’ reputation.
Less obviously, but even more insidiously, a simple mistake by a staff member could result in their machine being compromised, and from that initial beachhead an attacker could gain access to other machines on the business network.
So what can you do in a single working week to significantly improve your organisation’s security levels? We can advise!
 
1) Train staff to spot phishing attempts
Let’s start with the ultimate cyber security “quick win”. Any staff whose work involves using the internet, and that includes answering emails, should be trained to spot deception and attacks, in particular ‘phishing’ attacks.
A phishing attempt is often delivered in email form. An organisation or individual will receive an email, often claiming to contain a refund or an invoice. Either a hyperlink to a web location will be given, or possibly a file will be enclosed, and the recipient will be invited to follow the link or open the file. The result in either case is similar: once the link is followed or the file opened, malicious software will initiate a connection to the attacker, who will then have command-line access to the email recipient’s machine.
Some things to be aware of here are:
If the link is followed / file opened, it may seem that nothing has happened and that 'everything is OK'. This is not necessarily the case.
This attack may allow a hacker to install keylogging software on the recipient's machine which would then allow for the harvesting of various passwords.
A skilled attacker may be able to spread their control from the email recipient's machine to others on the organisation's network.
So what should staff know in order to spot these phishing attempts?
1) Perhaps surprisingly, the first thing to look for is simply poor spelling and/or grammar.
While genuine grammatical and spelling mistakes do occasionally happen, professional emails should have been checked for these before sending, and they are a good indicator that the email may not be genuine.
2) The second thing to notice is the exact manner in which the email addresses the recipient.
If it is “Dear Customer” or “Dear Supplier”, or especially “Dear Valued Customer”, these should be considered red flags. A legitimate sender would usually know the name of the recipient and simple courtesy would cause them to use that name. Obviously this may not always be the case, but certainly common sense should be applied. If in doubt, telephone the company the email purports to be from and confirm that they sent it.
3) Look at any links in the email by hovering the mouse cursor over them without clicking. The link destination should show either as a small window or, if you are in a web browser, at the bottom of the screen. If a link doesn’t end in your country’s Top Level Domain (in the case of the UK, this would be .uk) or in a generic Top Level Domain suffix such as .com or .org, this may be an indication of a phishing attempt – after all, why would a UK company want you to visit a link with a .ru suffix, indicating a domain location in Russia?
Also, a common trick is for the link to look genuine but not actually link to the location shown, so a link to https://mybank.co.uk/ (assuming that is a legitimate bank address for the purposes of illustration) may actually go to a similar but different location such as http://myibank.co.uk/ (spot the subtle but significant differences).
4) Beware of emails that request personal (or in fact, any) information. Always ask yourself “Is it logical and reasonable that this organisation wants this information?”.
5) Don’t assume that the email is genuine just because it looks like it has come from a genuine domain or is well-designed and features a company logo or address – phishing scammers sometimes put time and effort into getting these details accurate.
Phishing attempts are sometimes also found on websites rather than emails. Your staff should understand that they should never visit websites or click on any links at all which are untrusted.
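The "hover over the link" check in point 3 above can be automated for a whole email body, which is useful when training staff on real samples or when a mail filter should flag messages for review. The script below is an added example written for this article and is not Hedgehog Security's own tooling; the email body, the "myibank.co.uk" lookalike and the "example.ru" host are constructed sample values, and the allowed-suffix list simply follows the .uk/.com/.org guidance given above. It extracts every link, then flags three things: the visible text shows one host but the link goes to another, the destination does not end in an expected suffix, and the link is plain HTTP rather than HTTPS.

```python
"""Flag suspicious links in an HTML email body (added example, not Hedgehog's tooling)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Suffixes the article treats as expected for a UK business; anything else is flagged.
EXPECTED_SUFFIXES = (".uk", ".com", ".org")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the lowercase host of a URL (or bare domain), '' if unparseable."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def check_links(html):
    """Return [(href, [reasons])] for every anchor that looks suspicious."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        dest = _host(href)
        # Only treat the visible text as a URL if it looks like one (has a dot, no spaces).
        shown = _host(text) if ("." in text and " " not in text) else ""
        if shown and shown != dest:
            reasons.append(f"text shows {shown} but link goes to {dest}")
        if not dest.endswith(EXPECTED_SUFFIXES):
            reasons.append(f"unexpected top-level domain in {dest}")
        if urlparse(href).scheme == "http":
            reasons.append("not HTTPS")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a fake "refund" notice with one lookalike link, one foreign host
# and one genuine-looking link that passes every check.
SAMPLE_EMAIL = """
<p>Dear Valued Customer,</p>
<p>Click <a href="http://myibank.co.uk/refund">https://mybank.co.uk/</a> to claim your refund.</p>
<p>Or view the invoice at <a href="https://example.ru/invoice">invoice</a>.</p>
<p>Questions? Visit <a href="https://mybank.co.uk/help">https://mybank.co.uk/help</a>.</p>
"""

if __name__ == "__main__":
    for link, why in check_links(SAMPLE_EMAIL):
        print(link, "->", "; ".join(why))
```

Run as-is it reports the first two links and stays silent on the third. The host comparison is deliberately exact: "myibank.co.uk" and "mybank.co.uk" differ by one letter, which is precisely the kind of difference a human skimming the email misses.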
 
2) Implement a strong password policy for your organisation
This is another relatively “quick win”. Passwords are problematic: they are essential for the security of accounts, but people have poor memories and do not want to make the effort to remember long or complex passwords.
Unfortunately, hackers know this and have lists of words to attempt. These lists are sorted so that the most commonly used passwords are at the top of the list and so they are attempted first.
A strong password policy for all accounts used by the organisation, not only online passwords but also Windows user accounts and any software used by the organisation, is essential. Passwords should be at least 12 characters long, feature at least one uppercase, lowercase, numeric and special character (such as @) and be changed at least every 90 days.
Passwords should not be words found in the dictionary (either English or another language) and should ideally be a set of random, nonsense characters. They should not include any personal info such as birthdates and should not feature keyboard patterns such as zxcvb or qwerty.
Rather than simply trust your staff to follow these rules, they should be set up using the administrative settings of the relevant software.
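The rules in this section (12 characters minimum, all four character classes, no dictionary or common words, no personal information, no keyboard patterns, changed within 90 days) map directly onto a checker that an admin could run against a proposed password before it is accepted. The function below is an added example, not a Hedgehog Security product; the common-word set and keyboard-pattern list are small constructed stand-ins for the full lists an attacker's word list or a real dictionary would contain, and the dates in the usage are constructed too.

```python
"""Check a candidate password against the policy described above (added example)."""
import re
from datetime import date, timedelta

MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
# Constructed stand-ins: a real deployment would load a full dictionary and a
# list of the most commonly used passwords here.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvb", "12345", "qwertz", "azerty")


def check_password(candidate, personal_info=(), last_changed=None, today=None):
    """Return a list of policy violations; an empty list means the password complies.

    personal_info: strings (name, birth year, ...) that must not appear in the password.
    last_changed / today: ISO dates ("2024-01-01") used for the 90-day expiry rule.
    """
    problems = []
    lower = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")

    # Substring match so that "Password123!" is still caught as a dictionary word.
    for word in sorted(COMMON_WORDS):
        if word in lower:
            problems.append(f"based on dictionary/common word '{word}'")
    for pattern in KEYBOARD_PATTERNS:
        if pattern in lower:
            problems.append(f"contains keyboard pattern '{pattern}'")
    for item in personal_info:
        if item and item.lower() in lower:
            problems.append(f"contains personal information '{item}'")

    if last_changed is not None:
        changed = date.fromisoformat(last_changed)
        now = date.fromisoformat(today) if today else date.today()
        if now - changed > MAX_AGE:
            problems.append("older than 90 days, must be changed")
    return problems


if __name__ == "__main__":
    # Constructed examples covering each rule.
    samples = [
        ("Summer2023", {}),
        ("Password123!", {}),
        ("Qwerty!23456", {}),
        ("John1985!!ab", {"personal_info": ("John", "1985")}),
        ("x7#Lq9!vT2&mR", {"last_changed": "2024-01-01", "today": "2024-06-01"}),
        ("x7#Lq9!vT2&mR", {}),
    ]
    for pwd, kwargs in samples:
        print(pwd, "->", check_password(pwd, **kwargs) or "OK")
```

Enforce this in the software's own policy settings wherever possible, as the section says; a checker like this is most useful for systems that have no built-in policy, or for auditing an export of existing account rules.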
 
3) Ensure that software versions, software drivers and operating systems are up-to-date
Outdated software and drivers are common attack vectors for hackers, and these should be updated as soon as possible. If available, auto-update features should be enabled on software and operating systems. While the auto-update wanting to restart a machine in the middle of a workday is irritating, the consequences of a security breach caused by a coding error in an old driver, which could have been solved with a quick update, would be even more irritating.
Go around and ensure that software is up-to-date. If some piece of software is outdated but the out-of-date version is completely business-critical and so cannot be updated, seriously consider moving to an alternative piece of software – vendors should be providing updates to software which do not impact on functionality.
 
4) Be aware of insider threats and limit all staff access and privileges as much as possible
In an ideal world your staff should be 100% on your side, but the reality is that this is not always necessarily the case. For a variety of reasons, staff may become disgruntled, and it is possible for a staff member with even moderate technical skills to steal key business information or otherwise severely handicap an unprepared business.
Staff should not, under usual circumstances, be running administrator accounts on their machines. Knowledge of administrator passwords should be kept to a select few so that these can be deployed as necessary by management but must not be known to the staff at large.
This philosophy, known as the ‘principle of least privilege’, should also be extended to services used by the company in the cloud – only those with a genuine need to know should have access to, say, the company’s cloud storage account password, the company PayPal account, et cetera.
This also applies to third-parties accessing company data. If a third party requires an account to access company information, ensure that this has the most restricted privileges possible, and ensure that the account is terminated once the third party’s work has concluded.
Before hiring new employees, background checks should always be done. This does not necessarily mean an expensive and time-consuming criminal record check: a simple Google search for the individual and a look at their social media activity, combined with a conversation with their previous employer, is actually a good way of getting a feel for a potential new employee.
 
5) Set up a cloud backup system without delay
In the event of a cyber-attack which results in data being lost, or even in the event of a fire or other physical disaster, your data should already be backed up safely, automatically and off-site.
Do not rely on a standing instruction to a staff member to manually back up data daily, and do not back up purely to physical media which are then left on-site. As already noted, staff can act against the company or can simply forget to do a backup; physical media can be lost or stolen; and physical media stored on-site do not constitute a useful backup in the case of an event which damages the site itself, such as a flood or a fire.
There are a multitude of reasonably priced cloud backup services on the market, and no business should be without this absolutely critical service.
 
Good progress on all the above can be made within a single working week. While focussing on these measures for a week may appear to be taking time from other business projects, the cost in time, money and reputation from a successful cyber-attack would be many times greater, and the organisation will benefit greatly from the time and effort spent.
Do you think your organisation can put these changes into practice? Are there any other actions you feel could be taken during the work-week to improve your level of information security? Leave us a comment on Facebook to let us know!