Happy New Year! And to a new decade. Many of us are already in the midst of working on our New Year’s goals, from eating healthily to better well-being. In business, we’re planning the next year’s goals and ambitions: sales forecasts, marketing strategies and so on.
But do those goals include protecting your business (and yourself) from a cyber attack?
Depending on your business you may already have some policies and controls in place, but is that enough? Are you providing your business with the right level of protection and making sure that protection is invested in and maintained? Is it keeping your business legally compliant and can you demonstrate that to your customers and clients?
So let’s kick off with: finding your hidden threats
If I asked you “What are the risks to your business?”, I expect you could confidently answer with a good level of detail: lack of sales, increased competition, a flood at your offices and so on. These are often within our field of vision, and common risk assessments include these factors.
If I were then to ask “What are the cyber risks to your business?”, you could again give me a good amount of detail about risks such as viruses, phishing attacks or ransomware. But what if I asked you “What are your technical vulnerabilities?” Would you know what that meant? Could you fully identify all areas of your network or devices that might be vulnerable?
The continually evolving vulnerability landscape
Technical vulnerabilities are weaknesses or flaws in systems, software or processes that an attacker can exploit to gain access to those items. Vulnerabilities are found frequently by security researchers and hackers alike and there’s a continual process of updates and patching that goes on. That’s why patching regularly is so important.
But often enough, vulnerabilities creep in through other ways. For example, you may install a new printer with smart print capabilities, but because you are not prompted or told, you leave the default administrative password in place. You were not to know, but you just put a vulnerability in your environment. Or you may have a dusty old PC sitting in a corner that runs your finance database. It always works, so you never give it much attention. It’s plugged into your business network and has internet access, but you never think to check whether it’s been patched recently.
Not all devices update automatically either. For example, a recent vulnerability found in Ruckus devices allows an attacker to take control of the devices. The company has fixed the vulnerability in its software, but owners have to manually patch their equipment.
Finally, not all software is patched. Old and unsupported software is often not patched and is vulnerable to any number of flaws. Microsoft, for example, will be ending support for Windows 7 at the end of January, meaning anyone using this operating system will no longer get updates and is recommended to upgrade if they haven’t already done so.
OK, so how do I find my business’s hidden threats?
There are two common methods to start finding your hidden threats: manually and automatically.
Manually: You might start off with a walk around your office (or, depending on your business, your home), identifying and inventorying what’s connected to your network. This will give you a good idea of what sources of vulnerabilities you might have. You may even choose to map these out in a network topology diagram for future reference. Next, you look at the software and apps installed on these connected devices, check whether they are still supported by the vendor, and check them against known vulnerabilities. Commonly this involves logging into the device and checking for updates, but remember that systems like Windows or Mac will have apps and other software that can have vulnerabilities of their own, so you need to check them all. You can then follow common or recommended steps to change default security settings, like passwords.
You may have an IT department, contractor or provider that supports your environment. If so, speak with them and check that they continually ensure all of your network-connected equipment is checked, that the latest software patches are applied regularly, and that common security steps for securing your devices are followed. Ask them to show you how this is accomplished, and ask to see evidence to back it up.
The main disadvantage of this method is that it’s quite slow and labour intensive. It also takes a good bit of research and technical skill to accomplish. Lastly, it doesn’t ensure there isn’t a dusty old box or printer that you could have missed in your search. Thankfully there is another way.
Automatically: This approach uses an automated system called a vulnerability scanner. The scanner automatically finds and scans all devices connected to your network and checks these devices for vulnerabilities such as identified weaknesses, default configurations or security settings that are not configured correctly. Vulnerability scanners provide several advantages. They are automated, which saves you time as they will check your devices and software, so no manual research or effort required. Additionally, they give full visibility of what is plugged into your network at the time of scanning, so no dusty hidden boxes or unknown equipment gets missed. Finally, they also provide you with a full report with a list of all devices, vulnerabilities found and recommended steps to resolve them, along with severity ratings so you can prioritise what you fix first.
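To show the kind of checks described above, here is a small added example (not from a real vulnerability scanner or any vendor's product). It compares a hand-made inventory against the devices seen on the network and flags default passwords, unsupported software and overdue patches, sorted by severity. All device names, MAC addresses, dates and the 30-day patch policy are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: a hand-made inventory (all names and dates are
# made up for illustration, not vendor support dates).
INVENTORY_CSV = """mac,name,software,support_ends,last_patched,default_password
aa:bb:cc:00:00:01,front-desk-laptop,Windows 10,2025-10-14,2020-02-01,no
aa:bb:cc:00:00:02,finance-pc,Windows 7,2020-01-31,2018-06-11,no
aa:bb:cc:00:00:03,office-printer,PrinterOS 2.1,2023-01-01,2019-12-01,yes
"""
# Constructed list of MAC addresses currently seen on the network,
# e.g. copied from the router's connected-devices page.
SEEN_MACS = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
             "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:99"]

SEVERITY = {"high": 0, "medium": 1, "low": 2}
MAX_PATCH_AGE_DAYS = 30  # assumed patching policy, adjust to your own


def audit(inventory_csv, seen_macs, today):
    """Return (severity, device, issue) findings, most severe first."""
    devices = {row["mac"].lower(): row
               for row in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {m.lower() for m in seen_macs}
    # The "dusty old box": connected, but nobody wrote it down.
    findings = [("high", mac, "on the network but not in the inventory")
                for mac in sorted(seen - set(devices))]
    for mac, d in devices.items():
        if d["default_password"].strip().lower() == "yes":
            findings.append(("high", d["name"], "default admin password still set"))
        if date.fromisoformat(d["support_ends"]) < today:
            findings.append(("high", d["name"], f"{d['software']} is no longer supported"))
        age = (today - date.fromisoformat(d["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(("medium", d["name"], f"last patched {age} days ago"))
        if mac not in seen:
            findings.append(("low", d["name"], "in the inventory but not seen on the network"))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


if __name__ == "__main__":
    for severity, device, issue in audit(INVENTORY_CSV, SEEN_MACS, date(2020, 2, 15)):
        print(f"[{severity.upper():6}] {device}: {issue}")
```

A real scanner discovers the connected devices and their software versions for you; this sketch only shows how the findings are derived and ranked once that information exists.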
So why the attention about discovering hidden threats now?
There’s an old proverb: to be forearmed is to be forewarned. If you can’t see where you’re vulnerable, you can’t start to tackle those vulnerabilities. Think of this as spring cleaning your business’s cybersecurity, ready for the next year.