Desktop security risks are an unfortunate constant in any environment. Not a year goes by without a high-profile cyber attack or data breach. Target, Home Depot, Adobe… the list of high-profile victims is large and growing. And we’ve all heard about threats like WannaCry and Bad Rabbit.
Although threats like WannaCry and Bad Rabbit make major news, any one of them accounts for only a small fraction of the data breaches that occur daily. Many cyber security risks don’t even come in the form of attackers actively trying to break into a system, but from more passive sources: people “listening in” on unencrypted connections, data leaking through unauthorized use of cloud apps, and so on.
That’s why the biggest security risks we see today in enterprise-level organizations have more to do with failing to cover the basics than with specific, identifiable threats. It helps if everyone, including organizational leaders, understands what these basics are (not just a select few in the IT department). For that reason, we’ve put together a list of the top 10 security risks we’ve seen this year, explained in plain English, so larger organizations can start forming a plan to address these basic desktop security risks:
#1. Failure to patch. Failure to patch appropriately deserves first place on this list. Any non-trivial piece of software has security holes that need patching. As new holes are discovered and/or exploited, vendors release patches that close them. But a patch does nothing until it has been acquired, tested, and installed, and until someone has checked that the installation actually succeeded. Failure to patch means leaving the gates wide open, so to speak. (This is why we focus so heavily on patch management when we offer managed services.)
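The “checked that the installation actually succeeded” part is the step most often skipped. The following is an added example, not code from the original post: it asks the Windows Update Agent on a desktop which applicable updates are still missing, flags the ones past a hypothetical 14-day SLA, and reports the last update the machine actually installed successfully. It assumes an elevated PowerShell session on Windows 10/11 that can reach its update source (WSUS, Configuration Manager, or Microsoft Update); the `OverdueAfterDays` value is a placeholder policy, not a recommendation.

```powershell
# Added example, not from the original post: audit a desktop for missing updates
# via the Windows Update Agent COM API. OverdueAfterDays is a hypothetical SLA.

function Get-MissingUpdateReport {
    [CmdletBinding()]
    param(
        [int]$OverdueAfterDays = 14
    )

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()

    # Software updates the agent considers applicable and not installed,
    # ignoring ones an administrator has deliberately hidden.
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($update in $result.Updates) {
        $published = [datetime]$update.LastDeploymentChangeTime
        [pscustomobject]@{
            KB         = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title      = $update.Title
            Severity   = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
            Published  = $published.ToString('yyyy-MM-dd')
            Overdue    = ((Get-Date) - $published).Days -gt $OverdueAfterDays
            Downloaded = [bool]$update.IsDownloaded
        }
    }
}

function Get-LastSuccessfulUpdateInstall {
    # Most recent entry in the agent's history that was an installation
    # (Operation 1) and succeeded (ResultCode 2). A machine with no success
    # in weeks is not being patched, whatever the deployment console says.
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return $null }

    $history = $searcher.QueryHistory(0, $count)
    $history |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
        Sort-Object Date -Descending |
        Select-Object -First 1 Date, Title
}

# Usage: list what is missing, then fail loudly if anything serious is overdue.
$report = @(Get-MissingUpdateReport -OverdueAfterDays 14)
$report | Sort-Object Overdue -Descending | Format-Table -AutoSize

$last = Get-LastSuccessfulUpdateInstall
"Last successful install: $(if ($last) { $last.Date } else { 'never' })"

$overdue = @($report | Where-Object { $_.Overdue -and $_.Severity -in @('Critical', 'Important') })
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) overdue Critical/Important update(s): this host is out of patch compliance."
}
```

Run it from the management tooling against a sample of desktops and compare the result with what the deployment console claims; the two disagree more often than you would expect, and the disagreement is the list of machines that are “patched” on paper only.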
#2. No encryption on hard drives. Most desktops can be booted from a thumb drive or over the network instead of from the installed operating system. This is handy when a machine fails and will no longer boot: a technician boots from a thumb drive and runs diagnostics. But it also means that anyone with physical access can boot the machine from their own media and read every file on the hard drive, because the operating system’s file permissions only apply while that operating system is running. Full-disk encryption takes care of this: without the key, the disk contents are unreadable. Two details matter in practice. First, encryption only protects data while the drive is locked, so pair it with a pre-boot PIN (or equivalent) rather than an unlock that happens automatically for whoever powers the machine on. Second, encryption does not prevent the thumb-drive boot itself; a firmware (UEFI/BIOS) password and a locked boot order do that.
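As an added example (not code from the original post), here is how the “encrypt, require a PIN, and keep a recovery path” steps look on a Windows desktop with BitLocker, plus the compliance check a managed-services team would run afterwards. It assumes Windows 10/11 Pro or Enterprise with a TPM, an elevated PowerShell session, the built-in BitLocker module, and that the “Require additional authentication at startup” policy allows a startup PIN (without it, the TPM+PIN protector is refused). The escrow share path is a placeholder.

```powershell
# Added example, not from the original post: enable BitLocker on the OS drive with
# a TPM-plus-PIN protector, escrow the recovery password, and check compliance.
# Assumes: TPM present, elevated session, startup PIN permitted by policy.

function Enable-OsDriveEncryption {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,              # usually C:
        [string]$EscrowPath = '\\fileserver\bitlocker-keys$' # hypothetical share
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "$MountPoint is already protected (protectors: $($vol.KeyProtector.KeyProtectorType -join ', '))."
        return $vol
    }

    # 1. Recovery password first, written to the escrow share and nowhere on this
    #    disk, so a forgotten PIN or a firmware change does not brick the machine.
    $vol        = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery   = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    $escrowFile = Join-Path $EscrowPath "$env:COMPUTERNAME-$($recovery.KeyProtectorId).txt"
    $recovery.RecoveryPassword | Out-File -FilePath $escrowFile -Encoding ascii

    # 2. TPM + PIN for pre-boot authentication. A TPM-only protector unseals the
    #    key for anyone who powers the machine on; the PIN keeps a stolen laptop sealed.
    $pin = Read-Host -Prompt 'Pre-boot PIN (at least 6 digits)' -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint `
                     -EncryptionMethod XtsAes256 `
                     -TpmAndPinProtector -Pin $pin `
                     -SkipHardwareTest

    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Test-OsDriveEncryptionCompliance {
    # True only if the OS volume is fully encrypted AND protection is on.
    # "FullyEncrypted" with ProtectionStatus Off (suspended for a firmware update
    # and never resumed) is a common, silent way to be non-compliant.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $os) { Write-Warning 'No OS volume reported by BitLocker.'; return $false }
    if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
        Write-Warning "$($os.MountPoint): $($os.VolumeStatus), protection $($os.ProtectionStatus)"
        return $false
    }
    return $true
}

# Usage
Enable-OsDriveEncryption |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
Test-OsDriveEncryptionCompliance
```

In a domain, replace the file-share escrow with `Backup-BitLockerKeyProtector` (Active Directory) or `BackupToAAD-BitLockerKeyProtector` (Azure AD/Intune) so the recovery password lives somewhere the helpdesk can retrieve it but a thief cannot. The compliance function is the part worth running on a schedule: a drive that was encrypted last year and suspended last week looks fine in a one-time inventory.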
#3. No two-factor authentication. With two-factor authentication, something beyond a username and password is needed before a user can get into a website or network: something only that user has (a smartphone or hardware token) or is (a fingerprint), on top of something only they know (the password). This matters because passwords alone are brittle. Most passwords are too simple and are easily guessed by attackers and their tools; even complex passwords can be captured by keyloggers or phishing pages. With a second factor in place, a captured password is not enough on its own. Prefer authenticator apps or hardware keys over SMS codes where you can, since text messages can be intercepted or redirected.
#4. Malicious emails and spam. One of the oldest ways into a network is to get someone on that network to open a file that installs malware. That malware can then log keystrokes to capture passwords (a keylogger), open a backdoor into the system, or act as ransomware (encrypting the user’s files, and any network shares it can reach, and demanding payment for the key). The malware is usually embedded in a seemingly innocuous attachment (a document with macros, an archive, a disguised executable) and opened by an unsuspecting employee or volunteer. Most of it can be stopped if users are trained to spot suspicious mail, and if attachments are scanned and risky types (executables, scripts, macro-enabled documents from outside the organization) are blocked or sandboxed as a matter of policy.
#5. Social media links. People love using social media, for work and play. Cybercriminals have figured out several ways to use social media to harvest information about users and get malware onto machines. For example, some create fake Facebook posts offering free merchandise to anyone who completes (and then forwards) a survey… and of course the link behind that survey delivers malware. Free vouchers that carry malware, quizzes that request access to a person’s profile information, and fake accounts used for phishing are other common tools of online criminals.
#6. Lack of post-breach analysis. Even when organizations are careful, breaches happen. The most important thing to do after a breach is to find out what happened: how the attacker got in, which systems and accounts they reached, and whether they still have a foothold. Only then can you fix the root cause rather than the symptom. I am always surprised by companies that discover a breach, but then take a “wait, watch, and see” attitude rather than figure out how the breach happened, and where the breach spread in the network.
#7. Failure to whitelist applications. In any environment with many users, it pays to have a list of trusted applications that are OK to run on any endpoint, and to restrict installation and execution to just those applications. Without a whitelist and appropriate safeguards, users will download all kinds of sketchy applications, some of which will contain malware or unwanted software. Roll the list out in an audit-only mode first, so you find the business applications you forgot before anyone is locked out.
#8. Bad processes or workflow for escalating desktop issues. Security practices don’t do any good unless they are embedded in appropriate workflows from the start. For example, suppose a user tries to download and install an application that’s not on the whitelist. When the installation fails, the user assumes it’s a technical problem and calls the helpdesk. If the helpdesk simply allows the installation, it defeats the purpose of the whitelist. Instead, the helpdesk should inform whoever is responsible for security and make them aware of the situation, so the application is either reviewed and added to the list or stays blocked for a reason.
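The following added example (not code from the original post) shows both #7 and #8 on a Windows desktop with AppLocker: it builds an allowlist from what is already installed in trusted locations, deploys it in audit mode, tests a download against it without running it, and pulls the audit events that the helpdesk should be escalating instead of waiving. It assumes Windows 10/11 Enterprise or Education (AppLocker enforcement is not supported on Pro), an elevated PowerShell session, and the Application Identity service. The paths are placeholders.

```powershell
# Added example, not from the original post: generate, audit, test and review an
# AppLocker allowlist. Assumes Windows Enterprise/Education and an elevated session.

function New-DesktopAllowlistPolicy {
    [CmdletBinding()]
    param(
        [string[]]$TrustedDirectories = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string]$PolicyPath = "$env:ProgramData\DesktopAllowlist.xml"   # placeholder
    )

    # Inventory executables, scripts and installers in the trusted directories.
    # Including SystemRoot matters: without it Windows' own binaries get flagged.
    $fileInfo = foreach ($dir in $TrustedDirectories) {
        if ($dir -and (Test-Path $dir)) {
            Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
        }
    }

    # Publisher rules keep signed software allowed after it is patched (the hash
    # changes, the publisher does not); hash rules cover unsigned files.
    [xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
                                       -RuleType Publisher, Hash `
                                       -User Everyone -Optimize -Xml

    # AuditOnly: nothing is blocked yet, but every would-be block is logged.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = 'AuditOnly'
    }
    $policy.Save($PolicyPath)
    return $PolicyPath
}

function Install-AllowlistPolicy {
    param([string]$PolicyPath)
    # AppLocker does nothing unless the Application Identity service is running.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
}

function Test-AllowlistDecision {
    # What the policy would do with a file, without executing it. This is the
    # question the helpdesk should be able to answer when a user calls (#8).
    param([string]$PolicyPath, [string]$FilePath)
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $FilePath -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AllowlistAuditHits {
    # Files that would have been blocked while in audit mode. Review these with
    # security before switching EnforcementMode to Enabled; after enforcement,
    # query -EventType Denied the same way and escalate rather than waive.
    Get-AppLockerFileInformation -EventLog `
        -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
        Select-Object Path, Publisher, Hash
}

# Usage
$policyFile = New-DesktopAllowlistPolicy
Install-AllowlistPolicy -PolicyPath $policyFile
Test-AllowlistDecision -PolicyPath $policyFile -FilePath "$env:USERPROFILE\Downloads\setup.exe"
Get-AllowlistAuditHits
```

The inventory of `SystemRoot` takes a while and is the point of the exercise: a policy generated from a clean reference image, audited for a couple of weeks, and only then switched to enforcement is one users rarely notice, whereas a policy enforced on day one generates exactly the helpdesk calls that end with the rule being quietly disabled.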
#9. Data leakage to the cloud. There has been a huge move to the cloud over the last few years, both for data storage and for hosting applications. As applications pass data to and from the cloud, some of it can leak: it ends up on an unmanaged personal device, in a personal cloud account, or on a device that has since been compromised. The risk is worse if users have installed applications that are not on the whitelist (see #7 and #8) or are using unauthorized services, because then no one in IT knows where the data is going.
#10. The users themselves. It’s the nature of cybersecurity that people focus first on the technology. But all the technology in the world won’t help if it is used incorrectly or maliciously. There is a human element to security, and training for that human element is one of the most important parts of a good cybersecurity plan. Likewise, a failure to train end users only multiplies the risks above.
Roadmap for Minimizing Desktop Security Risks
Each of these risks points to its own remediation step. Patch regularly. Encrypt hard drives. Train your people. And so on.
These steps are like brushing your teeth or walking the dog. They are not sexy, or profitable, but they must be done regularly to avoid certain consequences. Think of it this way: no company gets richer by mitigating its security risks. But plenty have lost their shirts by not doing it.
Many of the services we provide here at Model Technology help enterprise-level organizations do just that. We’ve spent a significant amount of time figuring out, for example, how to automate patch management in a number of environments. This way, an organization can ensure that this part of its cyber-security plan is being faithfully executed while freeing up internal IT resources to work on more interesting (and profit-generating) projects.
So use the list above as your roadmap for developing a cyber-security plan. When you are ready to discuss using managed services to automate the essential steps, contact us and we can help.