5 counterintuitive ways to protect against hackers
It's a dangerous and scary time to run a business. Hackers are becoming ever more sophisticated in their attempts to steal valuable information, and the threat of attack feels ever more present, with several large companies and their customers falling prey to the whims of aggressive cyber criminals.
"It's as dynamic a threat environment as I've seen," says Bryan Rose, managing director of Stroz Friedberg, a computer forensics firm. "Companies are getting hit from all sides."
How can you protect yourself, your business and your clients? The best advice might surprise you.
Focus on reacting to a breach, not just preventing one
No cybersecurity expert is going to tell you that you shouldn't try to prevent an attack on your company's system. But they likely will tell you that no matter how hard you try, someone, sometime, is going to get in anyway. That's why you have to be ready, on the lookout, and prepared for the worst.
"The reality is, you are going to be breached at some point," Jason Bevis, global director for deployment and integration at network security company FireEye said at a recent panel on hacking. "The key is how quickly can you react?"
Bevis and others recommend that in addition to having prevention software in place, every business should also have a trained IT staff proactively hunting for attackers in their networks by looking for traces of an infiltration, known as "indicators of compromise."
"It's not uncommon to go into these situations where people have been in the network for extended periods of time because companies weren't prepared enough to identify an attack -- especially where there are motivated and persistent adversaries," Rose told CBS News.
The much-publicized Sony breach is a prime example of a highly motivated and persistent adversary working within the system for a long time before releasing a damaging assault.
Yisroel Hecht, New York City's associate commissioner of IT security, says that in addition to prevention and detection, organizations need to focus on resilience, or the ability to recover from a security breach should one interfere with daily operations.
"What happens if you to have to refigure every hard drive on every computer in your network?" he queries. It's crucial to have a Plan B.
Downgrade your equipment
The natural instinct when faced with the threat of a cyberattack is to upgrade to the cutting edge of technology. But Richard Danzig, vice chair of the Rand Corporation, which consults on security policy, says that companies could benefit from just the opposite.
Speaking with CBS News, Danzig expounded on the ideas he described in a July report published by the Center for a New American Security called "Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America's Cyber Dependencies," in which he argues that less state of the art technology, not more, could help keep companies and organizations safer.
He gave the example of an all-in-one printer, scanner, copier and fax machine. Devices like these seem like the utmost of convenience, but they offer a lot of things that companies don't need, and these added features create entry points for hackers.
For instance, all-in-ones have built-in memory that records a certain number of its recent transmissions. While an employee is highly unlikely to need to access the file of something he printed a week ago, this could be valuable information to a cyber intruder.
"Don't go out there an buy something because it's nice to have these bells and whistles," Danzig cautions. Instead, opt for a more basic model that does only what you need and doesn't store your data.
One caveat: You might have to pay more for something that gives you less, because device makers can cheaply integrate attributes you don't want into many mainstream products.
Another approach is to have your IT department selectively disable the features that pose a security risk, for instance either shutting off a printer's memory or regularly wiping the storage.
He sees Edward Snowden, a former NSA systems analyst who leaked details about government surveillance programs, as an allegory of the problem of too much tech: "I can see why Snowden as a system administrator had access to large troves of documents," he said. "But why did he have the ability to copy them to a drive? Why did they buy a machine in the first place that had that attribute?"
Give executives less access to information, not more
William Pelgrin, president and CEO of the Center for Internet Security, says that access to sensitive data should only be given to those who have a business need for it, regardless of where they fall in the organizational structure.
That means the executives shouldn't be able to get into any part of a company's system just because they're at the top of the org chart. To the contrary, that's a most dangerous proposition.
"In many cases, the attackers will target CEOs, CFOs, CISOs and other high-profile individuals within an organization, attempting to access the 'crown jewels,' so to speak. Once they have compromised that single account, they can then move laterally throughout the organization's network, potentially compromising many more accounts," Pelgrin told CBS News.
Executives should not have access to a company's human resources database, for example, which contains sensitive, personal information about each employee. This access should be limited to the human resources department and database administrators. If the CEO needs information, he can go through them to get it.
"It's not a matter of high-level staff vs. low-level staff having access; it's a matter of making sure that anyone with access has a legitimate business need for it, and knows how to protect those accounts and information," Pelgrin says. "We use this approach at CIS. The principle of least privilege is an industry best practice that should be increasingly implemented, as it helps reduce the potential attack surface and minimize risk."
Put the onus on people over machines
All the best technology in the world won't save your company if employees don't practice what experts refer to as good security hygiene. That means everything from assessing potential security risks, to controlling the flow of data within the organization, to something as simple as changing default passwords on computers or ensuring that individuals create strong network passwords for themselves.
Everyone knows you're supposed to have a strong password and not reuse the same password for different sites and devices, but the common wisdom too often falls on deaf ears.
Justin Cappos, an assistant professor of computer science at the New York University Polytechnic School of Engineering, says, "Companies are not doing anything remotely approaching best practices," which leaves them open to preventable password breaches.
"It's like the bank left money on the counter and someone went in and filled up a duffle bag," he laments.
"We need to focus on people-centric security," says Hecht. "It's no longer about locking and protecting, it's about enabling and empowering people to make good decisions."
That means training -- and enforcing -- good hygiene and smart practices.
Hecht goes so far as to show employees at New York City's department of information technology and communications exactly why they should be wary of clicking links in emails. He brings them into the computer lab, where he instructs them click on a malicious link and see for themselves what happens.
Accept that all information is not equal
"It used to be that companies treated all data the same," says Rose. "It was all about how high you can build the castle walls."
"But once someone broke the perimeter," he continues, "there was no emphasis on securing sensitive data."
Companies need to take stock of what they have, identify their most critical assets and structure their networks in a way so that security around them is strongest. This could mean keeping customer information, credit card numbers, R&D data or trade secrets in a restricted area of the network to which only certain administrative accounts have access.
"Think of it like a safe room in your house," he says. "It's about building up and really focusing on critical assets and how to protect them if someone gets in."
But what do you do if your company can't afford to build up security, then build it up some more?
"It may be, ultimately, in a world of limited budget, that rather than invest in the latest firewall tool, you use that money to protect those critical assets," he allows. "You have to think very carefully about the prioritization. If you have customer credit card numbers, you have to think about that priority. And there are things which you would not have originally classified as assets that, if stolen, could be damaging."
And example of this, as Sony learned the hard way, is email containing sensitive information.
But Rose points out that this can be less of a tech (and therefore money) issue than one of policy. If you have a company policy not to include potentially damaging information in emails, then potentially damaging information won't get out in the event of a leak.