This is the second article in a four-part series this month celebrating National Cybersecurity Awareness Month. Click here for last week's article, 17 Simple Steps to Online Safety.

It’s 11 a.m. on December 23rd and everyone is wrapping up before the upcoming holiday when, suddenly, all computers in the call center freeze. What could it be? Hung application? Perhaps an outdated driver was accidentally pushed to the devices yesterday evening? Or, maybe it's...MALWARE!

Yes, employees visited websites embedded with malware capable of freezing both Windows and Apple computers.

Sound unlikely? Not so fast… in November 2016, Windows PCs were struck by a bug in HTML5 that caused web browsers like Google Chrome and Firefox to display a fake help-support webpage that could not be closed and would not let the user open any other programs.

Then, shortly thereafter in December, Mac users found themselves in a similar boat: people visited a website via their Safari browser, which loaded malicious code onto their computers, causing the machines to freeze and a fake help-support webpage to be displayed.

In both cases hackers executed a distributed denial of service (DDoS) attack, mostly deployed via phishing schemes, which overloaded an online service with internet traffic, causing the service to become inaccessible.

If that weren’t enough, security engineers were also confronted with the Mirai and Bashlite botnets, which were facilitated by poorly secured IoT devices. And as recently as August 2017, with the winter holidays fast approaching, the WireX botnet has been impacting some Android devices, taking advantage of default administrative passwords to enable remote administrative control; it started out as a simple click-fraud operation but has grown in sophistication over the last month.

So, by now you may be asking yourself: What can my company do so we are not impacted by these known exploits? It’s simple (at least to say)!

  1. Ensure that default passwords are not used for any accounts, especially administrator accounts. Do not allow password re-use or sharing by admins, and create timed logouts for highly privileged admin accounts.
  2. Review your vulnerability scanner, making sure it is assessing every device with an IP address on your network, no matter what it is or who owns it.
  3. Conduct regular penetration tests of your systems, processes, and people. This should be an ongoing program, since no penetration test will be able to find every vulnerability, and threats evolve continually. Use the results of the penetration tests to fix vulnerabilities and shore up lax processes.
  4. Make sure all your internet-facing devices have the latest patches… always. In situations where patches cannot be installed in a timely manner, or at all, it is important to conduct a threat analysis to determine the level of exposure and document the alternative in a security “exception” form, with the compensating controls described (and tested). The longer you take to deploy a patch, the more time bad actors have to take advantage of your devices.
  5. Maintain web and email filters to restrict which sites and applications are accessible. This way, even if an email containing malware passes through the email filter, the web filter will not allow the exploit to be downloaded.
  6. Maintain your data loss prevention (DLP), intrusion detection (IDS), and intrusion prevention (IPS) systems, updating them to account for changes in your threat landscape.
  7. Keep your access control lists (ACLs) up to date.
  8. Monitor all ports on your wired and wireless networks with automatic alerts.
  9. Monitor all configurations with automatic alerts when a configuration parameter is changed.
  10. Monitor all privileged/elevated access accounts, recording all activities performed from login to logoff.
  11. Require security awareness training for everyone with access to your company’s data/information assets. Make sure the training is customized to the individual’s role and that it is frequently reinforced through training exercises.
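Item 2 above (make sure the scanner assesses every device with an IP address, whoever owns it) is easiest to verify by reconciling what is actually on the network against what the scanner is configured to target. The following is an added example, not code from the original article; it assumes a constructed list of observed hosts (such as you would export from DHCP leases or switch ARP tables) and a constructed list of scanner target ranges and exclusions, and reports every observed host that no scan would ever touch.

```python
import ipaddress

# Constructed sample data: hosts observed on the network (IP, hostname, MAC), as a
# DHCP-lease or ARP export might provide them. These values are illustrative only.
OBSERVED_HOSTS = """\
10.10.1.15   wkstn-01        00:11:22:33:44:01
10.10.1.16   wkstn-02        00:11:22:33:44:02
10.10.2.40   printer-lobby   00:11:22:33:44:40
10.10.3.7    thermostat-ew   00:11:22:33:44:07
192.168.50.9 vendor-camera   00:11:22:33:44:09
10.10.1.200  rogue-ap        00:11:22:33:44:c8
"""

# Constructed scanner configuration: the ranges the vulnerability scanner is told to
# assess, and hosts someone has excluded from scanning (a common source of blind spots).
SCANNER_TARGETS = ["10.10.1.0/25", "10.10.2.0/24"]
SCANNER_EXCLUSIONS = ["10.10.2.40"]


def parse_hosts(text):
    """Parse 'ip hostname mac' lines into (ip_address, hostname, mac) tuples."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, name, mac = line.split()
        hosts.append((ipaddress.ip_address(ip), name, mac))
    return hosts


def coverage_gaps(hosts, targets, exclusions=()):
    """Return (ip, hostname, reason) for every observed host the scanner will not assess.

    A host is a gap if it is explicitly excluded, or if it falls outside every
    configured target range (e.g. an IoT VLAN or a vendor subnet nobody added).
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in targets]
    excluded = {ipaddress.ip_address(x) for x in exclusions}
    gaps = []
    for ip, name, mac in hosts:
        if ip in excluded:
            gaps.append((str(ip), name, "explicitly excluded from scans"))
        elif not any(ip in net for net in nets):
            gaps.append((str(ip), name, "outside every scanner target range"))
    return gaps


def coverage_report(text=OBSERVED_HOSTS, targets=SCANNER_TARGETS, exclusions=SCANNER_EXCLUSIONS):
    """Compute gaps and return them along with a coverage percentage for the summary line."""
    hosts = parse_hosts(text)
    gaps = coverage_gaps(hosts, targets, exclusions)
    covered_pct = 100.0 * (len(hosts) - len(gaps)) / len(hosts) if hosts else 100.0
    return gaps, covered_pct


if __name__ == "__main__":
    gaps, pct = coverage_report()
    print(f"Scanner coverage: {pct:.0f}% of observed hosts")
    for ip, name, reason in gaps:
        print(f"  GAP {ip:<14} {name:<16} {reason}")
```

Run against the constructed data, the report flags the lobby printer (excluded), the thermostat and the vendor camera (subnets the scanner was never pointed at), and the rogue access point at 10.10.1.200, which sits just above the /25 boundary someone chose for the workstation range. Feeding the script a real DHCP or ARP export instead of the constant turns it into a recurring check that the scanner's scope has not quietly fallen behind the network.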
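Item 9 above (alert automatically when a configuration parameter changes) comes down to keeping a trusted baseline of each configuration file and comparing the live copy against it on a schedule. The following is an added example, not code from the original article; it assumes a constructed set of key = value configuration files written into a temporary directory, takes a baseline snapshot (a SHA-256 per file plus its parsed parameters), then applies three kinds of drift and shows the alerts a monitor would raise, down to the individual parameter that changed.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_kv(text):
    """Parse a simple 'key = value' config format (constructed for this example).
    Comments start with '#'; lines without '=' are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def snapshot(config_dir):
    """Record a hash and the parsed parameters of every file under config_dir."""
    snap = {}
    root = Path(config_dir)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        snap[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "params": parse_kv(data.decode("utf-8", errors="replace")),
        }
    return snap


def detect_drift(baseline, current):
    """Compare two snapshots and return one alert per added, removed or changed file.
    For changed files the alert names each parameter with its (old, new) values."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append({"file": rel, "event": "removed"})
        elif rel not in baseline:
            alerts.append({"file": rel, "event": "added"})
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            old, new = baseline[rel]["params"], current[rel]["params"]
            changed = {
                k: (old.get(k), new.get(k))
                for k in set(old) | set(new)
                if old.get(k) != new.get(k)
            }
            alerts.append({"file": rel, "event": "changed", "params": changed})
    return alerts


def demo():
    """Build a baseline, simulate three kinds of drift, and return the resulting alerts."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed baseline: a hardened service config and a firewall default policy.
        (root / "service.conf").write_text(
            "PermitRootLogin = no\nPasswordAuthentication = no  # keys only\n"
        )
        (root / "firewall.conf").write_text("default_policy = drop\n")
        baseline = snapshot(root)

        # Simulated drift: a weakened parameter, a deleted file, and an unexpected new file.
        (root / "service.conf").write_text(
            "PermitRootLogin = yes\nPasswordAuthentication = no  # keys only\n"
        )
        (root / "firewall.conf").unlink()
        (root / "unreviewed.conf").write_text("debug = 1\n")

        return detect_drift(baseline, snapshot(root))


if __name__ == "__main__":
    for alert in demo():
        line = f"ALERT {alert['event']:<8} {alert['file']}"
        if alert["event"] == "changed":
            for key, (old, new) in sorted(alert["params"].items()):
                line += f"\n    {key}: {old!r} -> {new!r}"
        print(line)
```

In production the baseline would be stored somewhere the monitored host cannot rewrite it, the comparison would run from a scheduler, and `detect_drift` output would go to the alerting pipeline rather than stdout; the parameter-level diff is what lets an on-call engineer see at a glance that `PermitRootLogin` flipped from `no` to `yes` instead of just "file changed".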

Looking for guidance on developing and delivering your own company program? Look no further than NIST!

  • NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model - an approach to role-based IT security training
  • NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program - How to build an IT security awareness and training program
  • NIST Cybersecurity Framework – Jan. 2017 Draft Update
    • President Trump signed an Executive Order on May 11, 2017, requiring the implementation of The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) by all federal agencies within 90 days.

Interested in learning more about this topic and others? Attend our upcoming IT Audit & Controls Conference in Austin, Texas in November!