Last month’s theme from the Lastline Daily Dose program was to help readers understand that cyber security in the workplace is the responsibility of all employees, not just those working in the security or IT departments.
The theme for the last week of National Cyber Security Awareness Month is ‘Today’s Predictions for Tomorrow’s Internet’. Here are the daily doses of advice for October 16-20.
Tip 11: Everything connected to the Web is a possible malware entry point. Secure or isolate IoT devices like thermostats & webcams
Many smartphone users are still getting accustomed to the fact that their phone is now a computer, connected to the Internet, and therefore vulnerable to malware. Now apply that concept to the exponentially larger number of IoT devices.
Unsecured IoT devices – webcams, Web-connected music players like the Amazon Echo, even e-thermostats – present the risk of the device being use to spread malware and infect other devices or launch a DDoS attack. If consumers are paying ransoms now to free their encrypted files, what will they pay when a pacemaker or self-driving car is taken over?
>See also: Nominations are now open for the Women in IT USA Awards 2018
Manufacturers need to improve the security of their devices, and users – businesses and consumers – need to understand the risk and secure their IoT devices.
Tip 12: New malware doesn’t rely on sandbox-able files or links. Security tools also need to detect browser-based attacks
Most malware detection and prevention technologies work by examining files such as downloads or attachments. However, browser-based threats don’t necessarily use files, so conventional security controls have nothing to analyse. Unless organisations implement advanced tools that don’t rely on analysing files, browser-based attacks will likely go undetected.
Criminals are increasingly using vulnerabilities in Javascript, Flash, ActiveX, and other common tools to infect a website visitor’s system, carry out its assigned task, and then remove itself, erasing all evidence that it was ever there.
Learn more in our recently authored article on this topic.
Tip 13: Attacks against mobile devices will increase as security capabilities provided by OS and app developers fall short
Smart phone operating system developers are doing what they can to ensure the security of their devices, but given the volume of apps available on their platforms, they simply can’t vet everything. They need to rely on the app developers to secure the connections and data each manages.
>See also: National Cyber Security Awareness Month – simple steps to online safety
Despite developers’ best efforts, we anticipate that the risks presented by mobile devices will get worse before they get better given users’ increasing reliance on them for an ever-increasing range of activities and engagement.
They simply are too attractive of a target for criminals, inviting their upmost creativity and innovation. Recently a scheme has been discovered where criminals release apps that initially are benign, and then once they get traction and adoption increases, they turn on the malicious capabilities or add them via upgrades.
Tip 14: Outsource Incident Response to ensure the right skills are on hand to respond to increasingly sophisticated attacks
As criminals continue to increase the sophistication and pervasiveness of attacks, your ability to respond – quickly and effectively – becomes critical for mitigating potential loss and avoiding brand-damaging public exposure of a data breach.
>See also: Cyber security in the workplace is everyone’s business
When you’re attacked, it’s essential to have the right skills immediately available, which is not always an option with in-house staff. As a result, many large organisations are now outsourcing Incident Response.
IR specialists, like MSSPs, have the right tools, they have more awareness of current techniques due to their supporting multiple companies, and they have the deep expertise often required. A skilled IR team will ensure you’re prepared for an attack.
This Forbes article recommends 5 security functions to outsource, including Incident Response.
Tip 15: Assume your cloud providers are not security experts and augment their capabilities to security your data.
As you migrate more business functions to the cloud, understand that cloud providers are not security experts. Yes, they provide some level of security, but you have to plan with the expectation that what they’re doing will be inadequate against todays skilled cybercriminals.
>See also: Businesses should support the new National Cyber Security Strategy
To emphasise the point, a recent InfoWorld article highlights 12 specific security risks associated with using cloud-based applications.
The simple truth is that your data is now outside your corporate perimeter, so you have lost some control over how it is secured. Understand your cloud providers security capabilities and know what you need to do to supplement it. Or press the providers to fill the gaps in their security architecture, either on their own or by partnering with and integrating security technologies.
The Women in IT Awards is the technology world’s most prominent and influential diversity program. On 22 March 2018, the event will come to the US for the first time, taking place in one of the world’s most prominent business cities: New York. Nominations are now open for the Women in IT USA Awards 2018. Click here to nominate