The holiday season is a time of giving. Retailers are gearing up for a spike in online shopping, and charities are counting on end-of-year giving through their websites. At the same time, their employees are booking travel and buying the hottest toys and gadgets right from their desks.
However, this is also when cybercriminals actively look to exploit all of this increased online activity and generosity by identifying and picking off the most vulnerable and least prepared organizations. So, in addition to the spirit of good cheer that this time of year fosters, companies need to exercise a spirit of caution and proactive cybersecurity to keep their data safe.
Recent cyberattack tactics
An essential part of any security strategy is understanding your enemy’s latest tactics. For example, because most malware is delivered via email, many organizations have been aggressively addressing phishing attacks through end user training and upgrading their secure email gateway tools.
Of course, counterintelligence works in both directions, which may be why threat researchers are seeing cybercriminals expand their ability to deliver malware through other means, such as targeting publicly facing edge services, including web infrastructure and network communications protocols, or actively bypassing ad blocker tools, according to one recent report. Regardless of their motivation, organizations need to be aware that cybercriminals are actively leveraging attack vectors that don’t rely on traditional phishing tactics.
During the past quarter, cybercriminals actively exploited vulnerabilities on edge services that enable remote code execution. This lets criminals deliver malware while bypassing any increased protections elsewhere, such as those preventing phishing exploits. Although the tactic of targeting vulnerable edge devices is not new, shifting attacks toward systems where defenders may not be watching as closely can be a successful way to catch organizations off guard and increase chances for success. The lesson is clear: just because you need to shore up your defenses in one area doesn’t mean you can let your guard down for a moment anywhere else.
Keeping your visibility tuned to all potential attack vectors is always challenging; it can be especially problematic during the busy online shopping season, when online services experience significantly increased activity.
Seven holiday security tips
Organizations can do seven things to defend against holiday online threats. These measures remain valuable the rest of the year as well.
- Teach employees to recognize phishing. Even with all the robust training and education about phishing now happening, it remains the number one avenue for delivering malware. Employees must be trained to never open an email or click on a link sent from a stranger. Even emails from known persons must be subject to scrutiny. Some cybercriminals are using a new technique in which they hijack an active email thread and then insert a malicious email while masquerading as one of the thread participants. Success rates are very high, so users need to understand that if a message seems out of character in any way, they should check with the sender before proceeding.
- Use good cyberhygiene. Protect the organization from malware and viruses by installing well-known and well-reviewed antimalware software. Keep it updated and run it regularly. Ensure passwords are strong and changed often. And use security reports to compare current traffic against known threats.
- Regularly update devices. Cybercriminals will go after low-hanging fruit wherever they can find it, which is why they use well-known vulnerabilities that are not patched. In Q3 of 2019, vulnerabilities ten or more years old were targeted just as frequently as those uncovered in 2018 and 2019 — and the same was true for every year in between. This is why every organization needs to make it a policy to download and run all updates for devices — including IoT devices — and their apps as soon as they become available.
- Use a VPN. For companies with a BYOD policy, consider using a VPN service to protect transactions. Unencrypted data, even if it is just moving a few feet from a device to a local wireless router, can be easily intercepted or compromised.
- Only download legitimate apps. A compromised app can intercept an employee’s financial data or other personal or company information. Train employees to only download apps from legitimate application sites and never allow installations from unknown sources. Organizations may want to create a BYOD policy mandating the use of a security tool from a legitimate app store that scans devices for signs of compromise. Likewise, unknown and unvalidated SaaS applications can introduce real risk. Deploying a CASB solution allows you to establish and maintain control over unknown SaaS applications.
- Secure mobile devices. Malware on personal devices represents 14% of all malware organizations need to deal with, according to Fortinet. BYOD policies can complicate security strategies, so make sure appropriate controls are in place to protect mobile devices – particularly at their wireless access points. This requires wireless access points, mobile security services and MDM solutions to be fully integrated into next-generation firewalls.
- Implement segmentation. Segment IoT devices into secured network zones using customized policies. Segments can then be linked together across the network, with deep inspection, monitoring and protections being applied at critical junctions — especially at access points, cross-segment network traffic locations and even across multi-cloud environments.
The holiday season is anticipated by holiday givers and cybercriminals alike. Bad actors will use all kinds of clever ploys to prey on the goodwill and generosity of this time of year. Organizations can counter these darker angels of human nature by shining the light of strong cybersecurity into every corner of the network.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.