News this week has been full of the latest ‘crypto’ attack, with big corporations and government agencies reporting that operations have been disrupted by the hackers. Following on the heels of the much reporting ‘Wannacry’ ransomware attack last month, companies really need to consider the impact that such an attack would have on their businesses, as the likelihood of being targeted increases.
It's easy to panic when the news is full of cyber attacks targeting big corporations such as the NHS and major airports. But there are few simple steps that anyone can take to keep your machines safe and users protected.
Keep your machine and operating system up to date
The majority of recent attacks have targeted vulnerabilities in the operating systems on machines that are not kept up-to-date or have gone out-of-support. Most PC's and laptops run on a Windows operating system, with the most modern machines running on Windows 10. However, Microsoft still provide support for machines back to Windows 7. If you ever need to check Microsoft always releases the support dates for all different versions of Windows. If your machine is operating on Windows Vista or XP, these are no longer supported by Microsoft, and they've stopped issuing patches or updates for these systems. That means that they are extremely vulnerable to attack and you should look to upgrade to supported version of Windows as soon as possible. But just because you are running a more modern machine, doesn't mean that you are automatically safe from attack. You know those annoying pop-ups reminding you to update your machine (usually popping up at a most inconvenient time!)? You really should pay attention! Attackers continuously work to identify new vulnerabilities, and find a new way in so Microsoft releases patches and updates to close down those gaps. Most computers are set up to automatically look for updates as they are published - but do check your settings to make sure this is the case.
Mac users shouldn't assume they are immune from attack however. With the growing use of Apple products, there will be an increasing number of attacks targeting these machines. Again, users should make sure that they are on the most up to date OS for their machine. If however you don't want to run latest version of the Mac OS X do remember to keep updating the one you have. Apple haven't got an official statement of support available but their process so far was to support its latest, penultimate, and ante-penultimate named releases. That means that if you run Max OS Yosemite (10.10) you will not be receiving updates beyond Autumn 2017.
Companies should be running updates across all their machines automatically, on a regular basis, and you should check with your IT service provider (whether in-house or external) what measures they have in pace to carry this out. Of course for most businesses there are important considerations when it comes to updates, especially with legacy applications. However, sometimes it's better to replace legacy applications then keep running outdated and not supported versions of operating system that can expose you to many more risks.
Passwords are key
We know that passwords are often the weakest point of a security system - and are often the last line of defence. But we also know how difficult it is to maintain secure passwords, when there are so many different requirements and especially when systems require regular password changes. Worryingly, nowadays it's easy to download password crackers from the web, which run high volume and brute force attacks. So here are a few tips on how to develop and maintain the most secure passwords:
- No personal information - it goes without saying that personal information is often the easiest to guess or work out. You should avoid using names, dates and details like nicknames or the name of the family pet!
- Don't use dictionary words or foreign words. These are the easiest to crack using online tools.
- Don't fall into the trap of substituting symbols for letters - these are often the easiest to guess!
- A strong password involves a degree of complexity - so consider random collections of letters, numbers and special symbols. One way to do this is to perhaps use the first letter of an easy to remember phrase, remembering to use at least one capital letter, as well as numbers.
- The longer the password, the more secure it is! Whilst it might be more difficult to remember - a longer password is much more difficult to crack. Do consider using a sentence as your password.
- If you struggle to remember your passwords, consider using a password manager, such as LastPass, KeyPaas, 1Password.
Wherever it's possible do use Multi Factor Authentication - most of mail services, Facebook, and many others allow you to setup 2nd factor of authentication which provides a significant additional layer of security. It typically extends the authentication from something you know (your password) to something you have as well (usually your phone). Normally either an SMS is sent to you during login or a code generated by a smart phone app is required to be entered. They won't necessarily prompt you for the 2nd factor every time, but it will provide additional security whenever it's needed, for instance when signing in from a new computer for the first time. Considering that a lot of people sign up to many 3rd party services (such as Uber or Just Eat, which hold payment details alongside other personal data) using their Facebook, Twitter and Google accounts, it's not just your holiday pictures, tweets and search history that are at risk when someone compromises your social media accounts.
If an email looks suspicious - it probably is!
Phishing or Trojan Horse emails are becoming more sophisticated, to it's important that you always sense check emails you receive. Banks and online payment sites (such as Paypal) should never ask you for your personal information - and if an email asks you to click a link to log-in, it's best practice to ignore it and visit the site in a new browser window, using the log-in details you regularly use. You should also be hesitant to download any documents sent - even if they are from someone you know. Attackers often 'clone' accounts and can send Trojan Horse viruses or similar under the guise of a user you might regularly hear from. It's always good to have a healthy suspicion - and double check with the sender that the document is safe before opening it.
Keep your anti-virus software up-to date
Firstly, you really need to have a good anti-virus protection software. But like the Windows updates, it won't be effective unless it's regularly updated! Microsoft users are in privileged position here, since Windows 8 all systems have Antivirus installed by default. I(t's a good system (Windows Defender), but you are free to replace it with many good options like McAfee, Symantec Norton, or Avast (Free) to mention few. Here is a good comparison of all available systems - and another one (Section 508 accessible).
As a business you should invest in a centrally managed Antivirus solution, it will provide you with a single view of your estate, will highlight any systems that are out of date and vulnerable as well as any quarantined items. Additionally as a business you might have a specific requirements or policies that can be very easily controlled from a single console. Make sure you check with your IT service provider (whether in-house or external) to confirm an appropriate system is in place.
At the end of the day - users are the weakest point in any information security system. By exercising caution, you'll avoid loss of data, loss of confidential documents and loss of confidence.