Hackers Tell All, A Microsoft Modern Workplace Webinar
Filmed Dec 12 2017
Link to webinar: https://products.office.com/en-us/business/modern-workplace/webcast-series
We understand you are busy people, so we have put together the 10 top takeaways from the show for you and your organization to use to better protect your digital assets. Thanks again for watching!
1) The best and most successful company practices are set from the top down. The leadership in the organization must be the ones to set the tone; security culture comes from great leadership. Once management determines what it is to protect, you can design the protection around what you “absolutely must have secure” to stay in business.
2) Spend your money on people before technology. There is a lot of technology out there, some of it open source, free, or proprietary. But there are no open-source teams: you can’t get good “free” talent the way you can technology. Don’t be lulled by the big technology brands that claim to keep you secure; they can and always will be bypassed. Besides, relying on the tech alone still requires you to train someone on the team. It’s like buying a fighter plane without a pilot.
Invest in your team, and then decide what products you need.
90% of the security work can be done in house. Companies can always hire outside help or buy another “security tool” to keep doing business. However, the company absolutely must have a solid team to implement the security strategy, or else all the best and most secure IPS, IDS, firewalls and encrypted drives won’t protect the organization.
3) It’s not personal.
The Internet is full of robots that are checking everyone, so when you are hacked, you aren’t being singled out. 90% of attacks are bot related. The safest route is to assume that you are always under attack, not because you are being singled out, but because you participate online. Our lives are online. It’s one of the natural transactional costs of doing business online.
4) Keep it basic. If we can do this, we are already three steps ahead of where we were yesterday. None of these things are overly technical; they are procedural.
They aren’t sexy.
The three most boring security protocols:
a) Patching and staying up to date.
b) Strong passwords.
c) Two-factor authentication.
5) Asset inventory: Understand what it is that you own and what you can control, especially with everything up in the cloud. It’s particularly important to remember that cloud-based solutions, enterprise cloud storage, hosting, etc. are going to be transformative in the next ten years. If we think so much of our lives are online, just wait until everything is up in the cloud. Whatever kind of company you are in, whether it’s tech or big pharma, you are going to be doing your business in the cloud. So while your business may be a “global business”, because so much of its data is up in the cloud (a computer somewhere else), it still has this area of centralization. Understanding the security risks of that asset inventory stored in the cloud is key.
6) Have a strong “Plan B”, including strong encrypted backups. Test these backups. “We went to the backups and they failed.” Don’t let this happen to you.
7) GDPR: No negligence allowed. It will be interesting to see how companies will either utilize these rules or find ways around holding EU data. Either way, the onus is now on the organization to take care with all identifying data.
8) Think like a hacker. It’s about a “skill set”, and not one that is easy to train. Most of the best innate “skills” a hacker can achieve are instinctual. Companies should absolutely apply a “hacker mindset” approach to a problem, and if they don’t have someone to think like their adversary, they should hire someone. Consultants are not the same thing. Consultants are in the business of keeping companies insecure. Hackers are in the business of breaking something apart to put it back together, better and more secure. The hacker community is really good at information sharing and harnessing information to make a better solution. Industry and law enforcement could learn a lot from the “hacker culture.”
An example of where hackers move industry forward was showcased perfectly when the manufacturers came out with all the medical devices: insulin pumps, pacemakers, etc. They all said that everything was “unhackable.” But then it took the hackers to point out the problems. It’s happened numerous times over the years with smart cars, smart phones, ATMs, and electronic voting machines. Over the last 20 years the manufacturers have said “this is not possible” and then the hackers have demonstrated how it is possible. And then the industry has to come in and adjust.
It’s an interesting point, because when you stop to think about it, who is going to tell you about the problems in software, hardware or all these readily available and convenient devices we all love to plug and play with in our homes?
Manufacturers have no incentive to tell you; they just want you to buy more product. The criminals and nation-state attackers are certainly not going to share information.
It’s the academics and the hackers who are going to tell you what the actual risks are. And then, if the companies are paying attention, they will make informed decisions on what to do with those vulnerabilities.
9) When hackers think about their own personal security they get very inventive with ways to protect their digital assets. Most of them think: what would be most embarrassing to me? Losing control of my banking? OK, then I need a separate laptop for my banking. So it’s a physically separate computer.
Segmentation of networks is another key element of safe internet use. Keeping devices separate across various networks is another great way to ensure that even if one network is compromised, information is spread out in a way that not all of it will be lost.
10) What are the top rules for companies to follow?
Check out the Center for Internet Security top 20 hygiene rules.
Top 20 Rules
1. Inventory of Authorized and Unauthorized Devices.
2. Inventory of Authorized and Unauthorized Software.
3. Secure Configurations for Hardware and Software.
4. Continuous Vulnerability Assessment and Remediation.
5. Controlled Use of Administrative Privileges.
6. Maintenance, Monitoring, and Analysis of Audit Logs.
7. Email and Web Browser Protections.
8. Malware Defenses.
9. Limitation and Control of Network Ports.
10. Data Recovery Capability.
11. Secure Configurations for Network Devices.
12. Boundary Defense.
13. Data Protection.
14. Controlled Access Based on the Need to Know.
15. Wireless Access Control.
16. Account Monitoring and Control.
17. Security Skills Assessment and Appropriate Training to Fill Gaps.
18. Application Software Security.
19. Incident Response and Management.
20. Penetration Tests and Red Team Exercises.
Further explanation of the rules can be found at the following site: https://www.cisecurity.org/controls/
Cyber Essentials
https://www.cyberessentials.ncsc.gov.uk/advice/
1. Use a firewall to secure your Internet connection.
2. Choose the most secure settings for your devices and software.
3. Control who has access to your data and services.
4. Protect yourself from viruses and other malware.
5. Keep your devices and software up to date.
Further explanation of the rules can be found at the following site: https://www.cyberessentials.ncsc.gov.uk/advice/