Threat Vectors and Software Security: Securing the Organization
The increase in cyber-attacks has brought the subject of security to the forefront of software development topics. Formerly benign events like asking users for personal data now require a great deal of trust, which can be hard to regain once broken. You need to ensure you’re protecting that data, and that’s a daunting task. The challenge of knowing where to start can seem as intimidating as planning to summit Mt. Everest. This article is the first in a series that aims to break down the critical elements of keeping your software secure, your users happy and your reputation intact.
To start, it’s helpful to have some context on how a potential attacker might gain access to a system. These are known as attack vectors. Common attack vectors include malware, viruses, email attachments, web pages, pop-ups, instant messages, text messages and social engineering. An attacker will use as many methods as possible to worm their way in. Consequently, you must be vigilant to thwart these efforts. And general awareness is an important first step.
The idea that your company is too small or too niche for consideration is a common misconception. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 28% of breaches involved small businesses. In CNBC’s article about cyber attacks, “Attackers are getting smarter, attacks are occurring faster, and incidents are becoming more complex,” cautions Justin Fier, director of cyber intelligence and analytics at cyber defense firm Darktrace. “The latest cyberattacks speedily exploit vulnerabilities in computer networks — which [can be infected] like human immune systems, changing thousands of times per second — and can overtake even major networks in an hour and a half.” Modern tools for gaining unauthorized access to a system are automated. As a result, attacking is low effort with a potentially high payout.
Components of a security attack
What does a security attack look like? While it can vary broadly, an attacker typically follows some common steps. They include:
- Identifying a potential target
- Applying tools and techniques to gather information about the target
- Creating or leveraging tools to exploit the target
- Getting unauthorized access to the targeted system
As a result, an attacker can steal sensitive data or information about the company, its employees and its customers. Alternatively, they can install malicious code to monitor the network and even bog down computing resources.
Tools and techniques used to gather information
There are a variety of tools and techniques at the attacker’s disposal when gathering information on a potential target. One approach is malware, in which an attacker develops intrusive software designed to damage and destroy computer systems and hardware. There are many types of malware that behave differently, but all have the same objective: get into your system and cause damage. Another is automated vulnerability scanning. Here, an attacker uses automated tools to look for common vulnerabilities. For example, some common vulnerabilities include cross-site scripting, SQL injection, command injection and insecure server configurations.
A more subtle technique for gathering information is a phishing attack. In a phishing attack, an attacker sends an email that looks official. It might look like a familiar application notifying that your password is expiring, and to “click here” to change it. The link, however, sends you to the attacker’s site. There, you enter your old password and… Voila, the attacker has your password.
Some more advanced techniques for gathering information are social engineering and Operations Security (OPSEC). Here, the attacker will attempt to gain knowledge about an individual that they can use to gain access. They might look on social media for information that could be used in security questions, like your dog’s name. Or they might call, pretending to be a bank, and ask you to verify some information. If you receive calls like this, always hang up and call back at the official number on the “caller’s” website.
What does this all mean? It tells us that a potential attacker will use many different methods to gain access. They’ll patiently poke and prod until they find a way in because, once they do, the potential gains will have been worth it. You need to be vigilant in your defense against these threats.
How to get ahead of it
Now that we understand the path an attacker may take to infiltrate a system, what can we do about it? Unfortunately, this can’t be done overnight. Modern infrastructures and systems have many moving parts and vulnerabilities exist at different levels. Everything starts with the organization. And so, if you don’t have policies, documentation and procedures in place, the rest of your security measures won’t matter. Next is DevOps, the processes in which you deploy and manage your systems. Then your environment, which encompasses the security and accessibility of hardware systems and network components. And finally, your actual application, through which users interact with your system and access sensitive data.
In this article, we start off looking at security from an organizational point of view. The proverbial chain is only as strong as its weakest link, and even the most diligent employee can fall victim to savvy attacks. So, good training and processes start at the top and trickle down.
One of the most foundational elements of security is training. According to Accenture’s Ninth Annual Cost of Cyber Crime Study, people-based attacks have increased the most. Phishing and social engineering attacks are up 16 percent and stolen devices, up 13 percent in just one year. Executives polled identified the accidental publication of confidential information by employees and insider attacks as having the greatest impact, second only to hacker attacks in successfully breaching their organizations.
How can employees be vigilant if they don’t know what to look for? It’s important to inform employees of the latest trends. While some of the information may seem obvious and some folks may make light of “security training”, it’s worth the effort. Many people have never experienced a phishing attack. And so, a good one can easily deceive the most cautious worker.
To facilitate strong training, there need to be clear policies and documentation. Every new employee coming on board adds to the effort of preparing your team. By documenting your policies and processes on security, you can ensure new team members come up to speed quickly and efficiently.
This may seem basic. But some people are “in the know” on all this and some are not. And all it takes is one person making one honest mistake to compromise an entire company.
Auditing for accountability
With training and policies in place, the next step is a system of checks and balances. Internal audits and reporting are crucial to ensuring accountability throughout the workplace. Audit reports should be made available within your company and reviewed on at least a quarterly basis. This provides transparency and the confidence of knowing people are following best practices.
There are security standards your team can strive for. A common one is ISO compliance. The International Organization for Standardization (ISO) develops and publishes an array of guidelines designed to ensure quality, reliability, and safety. The ISO/IEC 27000 family of standards, designed for any size organization, aims to provide security for digital information. It’s important to note that compliance standards such as these are heavy and time-consuming to implement. But they’re a great source to draw from for incremental strides in improved security.
There are many platforms for sharing information, email and messaging just to name a few. While it’s never a good idea to share sensitive data, like passwords or user information, over these mediums, it happens. It’s also easy to reveal seemingly innocent details, like what piece of software a company uses internally or what design a solution implements. These tidbits give attackers insights they can use to exploit vulnerabilities. The less information the attacker has, the harder it will be to gain access. Encrypting emails and messages in transit and at rest will help keep data secure.
An easy way to help prevent employees from sharing passwords, keys and other sensitive data is to implement a password manager. Password managers like LastPass enable organizations to share passwords between authorized people. First, they provide a safe and secure place to store passwords. Then, with access controls, you can grant need-to-know access to the data. Finally, they provide audit logs so you can review who accessed what information and when. A good password manager will also help detect vulnerabilities, such as weak passwords or a single password reused across multiple applications. A breach of one app can lead to a breach of others, so it’s best to keep your passwords unique.
Another vulnerability is employee phones and computers. Secure any device from which an employee can access your infrastructure. If a device is lost or stolen, you should rest easy knowing that the contents of the device cannot be accessed and the data on it can be wiped (or better yet, isn’t there). You will want to install security software on devices that leave the office, and these devices should be provided by the company. Prevent personal devices from accessing company resources. Use strong PIN codes to access the device. And enforce encryption to prevent the readability of potentially recoverable data. Another good idea is to turn on geolocation tracking so you can find lost devices. Lastly, you’ll want to be able to block access on a per-device level so that if a device is lost and unrecoverable, it can no longer access your network.
Securing physical workplaces
Lastly, you’ll want to consider the physical security of your offices and workplaces. Physical keys to your doors can easily be duplicated. Consequently, a workplace may remain accessible to an employee after they’ve been terminated. Keycards allow you to instantly block access to your building. They also allow you to grant employees access to specific areas based on need. For instance, HR personnel typically shouldn’t have access to your server room, and IT personnel typically shouldn’t have access to employee records.
Other solutions for securing the office include surveillance cameras for monitoring movement through the facility, security guards for monitoring building and grounds, and visitor logs for monitoring guests coming and going. Each of these measures provides additional layers of protection from individuals with bad intentions.
Keeping your system secure is a team effort. By having your organization follow some best practices and guidelines, you can build a secure environment.
But this is just one layer in an overall plan. In the next article, we’ll look at best practices and common vulnerabilities around DevOps. You can have a great application but if you don’t run a tight ship, your company might be exposed.