5 Security Errors Often Made by System Administrators

Most system administrators have a rather long to-do list. As soon as one item is cleared, another two seem to take its place. Oftentimes there are simply not enough hours in the day to deal with all of the issues. There are software problems, hardware problems, user problems, and it can be hard to find time to be proactive instead of reactive.

We would like to make your job easier and reduce the number of items on your future to-do lists. With this in mind we have listed five issues that you should avoid to prevent future headaches. They are basic, but that is why many system administrators forget them.

Network Security No No’s

Never host anything other than Active Directory on a domain controller

Active Directory holds the identities and trust relationships of your network, and it is what lets you give every employee Single Sign-On (SSO) access. That makes the domain controller the most sensitive machine you run, so it must be isolated and used for nothing else. Don’t mix up your assets: if one service on a machine is compromised, everything else hosted on the same machine is likely to be affected, and an attacker who has gained access to a server will certainly have a snoop around to see what else is running on it. On a domain controller, the compromise of any extra service is the compromise of the whole domain. Keep everything separate and you limit the damage a single breach can cause.

Don’t access a workstation using your administrator credentials

Your administrator credentials, if compromised, would give a malicious insider or outsider access to systems where a great deal of damage can be done. If you log in to a compromised workstation with your administrator account, you are handing those rights to the attacker: an interactive logon leaves credential material cached on that machine, and it is not difficult to extract. Publicly available tools on GitHub do exactly that, so an attacker who already has local administrator rights on the workstation can recover the cached domain administrator credentials and become a domain administrator. If that happens, a hacker really can unleash hell.
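A practical way to find out whether this is already happening on your network is to look for privileged accounts logging on interactively to ordinary workstations. The script below is an added example, not code from the original article: it scans Windows Security logon events (event ID 4624) and flags any account from a privileged set that logged on with a logon type that caches reusable credentials (2 Interactive, 10 RemoteInteractive, 11 CachedInteractive) on a host that is not a domain controller or dedicated admin workstation. The event lines, account names and host names are constructed for the example, and the privileged-account and permitted-host sets are assumptions to replace with your own; the field names are the standard 4624 fields.

```python
import json

# Accounts that should only ever log on to tier-0 hosts. Constructed for this
# example; in practice populate this from the membership of Domain Admins and
# similar groups in AD.
PRIVILEGED_ACCOUNTS = {"CORP\\da-jsmith", "CORP\\da-backup"}

# Hosts where an interactive privileged logon is acceptable: domain controllers
# and privileged access workstations. Constructed names.
ALLOWED_HOSTS = {"DC01.corp.example", "DC02.corp.example", "PAW01.corp.example"}

# Windows logon types that leave reusable credential material (password, NT
# hash, Kerberos tickets) on the host: 2 Interactive, 10 RemoteInteractive
# (RDP), 11 CachedInteractive. A type 3 network logon does not.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 10, 11}

# Constructed 4624/4634 events, one JSON object per line, using the standard
# event field names (Computer is the host on which the logon occurred).
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "WS-0042.corp.example", "TargetDomainName": "CORP", "TargetUserName": "jsmith", "LogonType": 2}
{"EventID": 4624, "Computer": "WS-0042.corp.example", "TargetDomainName": "CORP", "TargetUserName": "da-jsmith", "LogonType": 10}
{"EventID": 4624, "Computer": "DC01.corp.example", "TargetDomainName": "CORP", "TargetUserName": "da-jsmith", "LogonType": 2}
{"EventID": 4624, "Computer": "FS01.corp.example", "TargetDomainName": "CORP", "TargetUserName": "da-backup", "LogonType": 3}
{"EventID": 4624, "Computer": "WS-0107.corp.example", "TargetDomainName": "CORP", "TargetUserName": "da-backup", "LogonType": 2}
{"EventID": 4634, "Computer": "WS-0107.corp.example", "TargetDomainName": "CORP", "TargetUserName": "da-backup", "LogonType": 2}
"""


def find_exposed_admin_logons(event_lines, privileged=PRIVILEGED_ACCOUNTS,
                              allowed_hosts=ALLOWED_HOSTS):
    """Return privileged logons that left cached credentials on a non-tier-0 host."""
    findings = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:          # only successful logons
            continue
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        if account not in privileged:
            continue
        if ev.get("LogonType") not in CREDENTIAL_CACHING_LOGON_TYPES:
            continue                            # network logon: nothing cached
        host = ev["Computer"]
        if host in allowed_hosts:
            continue                            # DC or PAW: expected
        findings.append({"account": account, "host": host,
                         "logon_type": ev["LogonType"]})
    return findings


if __name__ == "__main__":
    for f in find_exposed_admin_logons(SAMPLE_EVENTS):
        print(f"{f['account']} logged on to {f['host']} (logon type {f['logon_type']})")
```

Against the sample data this reports the two logons that matter: the RDP session of `da-jsmith` on WS-0042 and the console logon of `da-backup` on WS-0107. The ordinary user on WS-0042, the admin logon on DC01 and the network logon to FS01 are all left alone. Feed it real 4624 events exported from your log collector in the same JSON shape and every place an admin account has been typed into a workstation shows up.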

Don’t ever reuse passwords

One of the most elementary data security measures is to use passwords that cannot be guessed. In the event that a password is guessed or otherwise compromised, it is essential that it cannot be used to access any other system, server or workstation, so every account needs its own password. This applies to the local administrator accounts on your machines as much as to your own logins: a single local admin password shared across workstations lets an attacker who captures it on one machine move to all the others. Maintaining different passwords for everything is a pain, but it is an essential security measure.

Don’t leave default logins active

Default logins are exploited constantly. Most can be found with a very quick search on the Internet, and trying them is usually the first thing an attacker does. This applies to all networked devices, routers and other equipment. How easy is it? Take hospital drug pumps as an example: there have been instances of patients searching online for the manufacturer’s website, obtaining the default login details, and logging in to increase their own morphine doses. If patients can do it, a hacker certainly can. Change every default password when a device is deployed, and disable any default account that cannot be renamed.

Never, ever use an open Wi-Fi network

In a business environment there is no justification for running an open Wi-Fi network; the risks are simply too high. If you need to provide guest access, set up a separate guest network with its own password, keep it isolated from your internal network, and change the password regularly. You may get a few complaints, but far fewer than you will get when your systems are compromised, data is exfiltrated, or, heaven forbid, data is deleted or encrypted by ransomware.

Summary

It may be more convenient to share passwords, allow anyone to access Wi-Fi, share servers and use the same login to access everything, but it is a recipe for disaster. If anything goes wrong, and it eventually will, you must ensure that the damage caused is limited as far as is possible. Convenience should never jeopardize system security.

Beware of Social Engineering Scams

There has been a lot of talk recently about social engineering scams, but what is social engineering? The term comes from social science, where it describes the psychological manipulation of people into taking a particular action, and the influencing of large groups of people. It is a technique used for good and bad. Politicians and governments use social engineering, and advertisers use it to convince the public to purchase products.

In recent months, most talk of social engineering has been about information security. Hackers and other online criminals use social engineering techniques to get Internet users to reveal sensitive information such as login names and passwords, and even credit card numbers and bank account details. Most large-scale data breaches caused by hackers and malicious outsiders turn out to include an element of social engineering.

How can you protect yourself from being manipulated into revealing information? How can you protect yourself and your company from employees falling for social engineering scams?

How is Social Engineering Used by Cybercriminals?

The most common methods cybercriminals use to manipulate users into taking certain actions are detailed below. Knowing how social engineering works will help you protect yourself and your employees from scams and phishing campaigns.

Abuses of Trust

Online criminals know that it is far easier to get something from people if they pretend to be someone the person trusts. People are wary of strangers, after all. If a total stranger came up to you in the street and asked for your PIN, or for your email address and password, you would naturally refuse. On the Internet, however, it is not always so easy to tell whether someone is actually a stranger, and the request usually comes with a seemingly legitimate reason for disclosing the information.

Emails sent from colleagues, friends and family members

If you receive an email from someone you trust, chances are you will be more likely to respond to a request than if the same email had been sent by a stranger. If a family member sent you a link asking you to click, you may not even think twice before you click your mouse.

Say your best friend, brother or sister sends you a URL with the message, “You have got to see this, it is so funny!” You click the link, you watch the video, and you wonder what on earth they were thinking. It wasn’t funny at all.

Unfortunately, the link was not sent because it contained side-splitting humor; it was sent because clicking it caused malware to be downloaded to your computer. The email was, of course, not from the person you thought, but from a hacker pretending to be someone you know.

It is not just “must see” images, jokes and videos that are sent. Many emails manipulate individuals by taking advantage of compassion, or of the desire to help a friend or family member in need. The emails supposedly come from people who find themselves in a spot of bother. A friend traveling abroad has had his wallet stolen, is stranded and can’t get home, and needs money transferred so he can buy a plane ticket. In actual fact he is on the beach, and a hacker has gained access to his email account, not his wallet.

Phishing: Manipulating people into revealing confidential information

There has been a huge increase in the volume of phishing emails in recent years, because these social engineering scams are incredibly effective. They get individuals to reveal highly confidential information that under normal circumstances they would never divulge.

Some of the most common social engineering scams used by online criminals to obtain sensitive information are detailed below. Be particularly wary if you receive one of these emails:

Urgent Charity Donation Required

Nothing brings out the scammers faster than a natural disaster. When people are suffering, have lost their homes, or have been flooded or hit by a hurricane, criminals take advantage and try to take their share of the donations. If you get an email requesting money to help people in need, don’t respond to it. Find the charity’s website yourself and donate directly through it, or follow the instructions listed there. Don’t click the link provided. Criminals do not care about taking money from the needy, hence the huge volume of social engineering scams after a natural disaster.

You have won a prize draw, lottery or other prize

Don’t let the thrill of potentially receiving a large sum of cash get the better of your common sense. To win a prize draw, you first need to have entered. Don’t call the number supplied in the email and do not visit the link. You will be asked to supply bank details for a transfer (or your credit card details). There will only be one winner, and it will not be you.

Package or mail cannot be delivered

Courier companies do send emails informing you that you were out and they were unable to deliver a parcel, but are you actually expecting one? Even if you have a birthday approaching or Christmas is just around the corner, do not respond to the email directly. Use the tracking or consignment number to check, but do it on the company’s website by typing the URL into your browser yourself. The links in such emails can take you to a phishing website, where any information you enter will be collected by criminals.

Upcoming Elections – Party donations required

Want to do your bit for the Democrats or Republicans? Does the Green Party urgently need your cash for its campaign? Want to show your support for Labour or the Conservatives? Good on you! Just make sure that your donation goes to the right place. For that, find the official website and follow the instructions provided there. Never click on a link in an email. Social engineering scams are very common in the run-up to elections.
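The common thread in the charity, prize, courier and donation scams above is that the link in the email does not go where it claims to. The script below is an added example, not code from the original article: it parses the HTML body of an email, extracts every link, and flags the ones whose visible text names one domain while the `href` actually points to another, whose host is a raw IP address, or which hide the real destination behind an `@` in the URL. The sample email and every domain and address in it are constructed for the example, and the registrable-domain comparison simply keeps the last two labels, a simplification of the Public Suffix List that real code should use instead.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of a "parcel could not be delivered" email.
# Every domain and address here is invented for this example.
SAMPLE_EMAIL = """
<p>Your parcel could not be delivered today.</p>
<p>Track it here:
   <a href="http://198.51.100.23/track?id=7781">https://www.parcel-express.example/track</a></p>
<p>Or reschedule at
   <a href="https://www.parcel-express.example@evil.example/login">www.parcel-express.example</a></p>
<p>Questions? <a href="https://www.parcel-express.example/help">Help centre</a></p>
<p><a href="mailto:support@parcel-express.example">Email support</a></p>
"""

# Something that looks like a domain name (optionally with a scheme) in the
# visible link text, so we can compare what the reader sees with the target.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    # Simplification: treat the last two labels as the registrable domain.
    # Production code should consult the Public Suffix List (think co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_links(html_body):
    """Return the http(s) links in an HTML email that show signs of phishing."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue                      # mailto:, tel: and friends are out of scope
        host = url.hostname or ""
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address host")
        except ValueError:
            pass
        if "@" in url.netloc:
            # Browsers treat everything before '@' as a user name and connect
            # to the host after it, so the real destination is hidden.
            reasons.append(f"userinfo '@' in URL hides real host {host}")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"link text shows {shown.group(1)} but goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the sample email the tracking link is reported for pointing at a bare IP address while displaying the courier's domain, and the reschedule link for smuggling the real host `evil.example` behind an `@`; the genuine help-centre link and the `mailto:` link pass. Hovering over a link shows the same information in a mail client, but a script like this is what you want when triaging a reported phishing email or scanning a mailbox in bulk.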

Summary of Good Practices to Avoid Social Engineering Scams

These tips will reduce the likelihood of you falling for social engineering scams. You need to be security aware and always be cautious about revealing any information, opening attachments or clicking on links.

  • The first rule for avoiding a phishing campaign is never to click on a link in an email
  • The second rule for avoiding a phishing campaign is never to click on a link in an email
  • Stop and think before you respond to any email request
  • If you are not 100% sure of the genuineness of an email, mark it as junk or delete it
  • If you are at work, and think an email may be a scam, seek advice from your IT department
  • If you are asked to reveal login information or other sensitive data, report it. Do not respond
  • If you want to respond to a request for a donation, search on Google for the official site and follow its instructions on how to donate. Don’t trust the information provided in the email
  • Never open an email attachment unless you are 100% sure it is legitimate
  • If you have accidentally fallen for a scam (or think you may have) seek professional advice immediately, and change all of your passwords.