In one of our previous posts, we wrote about the top 5 ways to get hacked that were extremely popular last year. This post is about the top 5 ways to protect yourself and your customers that companies could benefit from but they don’t.
1. Two-factor authentication
The simplest way to radically increase security is stubbornly ignored by many companies. The “authentication factor” literally means “multiplier”. That is, by adding a second factor (say, a one-time code generated by a mobile application) to the password, you can hypothetically increase the complexity of system hacking by the factor of two. Even infamous one-time SMS-delivered passcodes, when used together with regular passwords and not instead of them, add a tremendous amount of security for a fairly moderate price. And the vast majority of applications and services, especially corporate ones, have long been allowing users to enable the so-called two-step verification. But of course, these exercises are too complicated for ordinary users. And our clients will immediately run away to a competitor who doesn’t make their life so hard by forcing them to enter one more value into the web form once every 6 months or so. Let me tell you more: the OWASP Leaders mailing list, which features OWASP chapter and projects leaders, had a lively discussion a couple of weeks ago debating whether or not to force a second factor in this organization’s Google Apps domain. If there are people in the OWASP who question the need for 2FA, what do we want from normal people?
2. Ability to paste from the clipboard into the password field
This is what happens when security decisions are made not by managers but by programmers. It is a disgrace, but in 2019, some banking institutions’ websites still require users to enter the password manually. Password managers? Never heard of them. Instead of generating a complex and unique 20-character password and automatically inserting it into the form at logon, the client should suffer. They must create the password themselves, keep it in the head, and type in every time they visit the website. In doing so, the customer will miss the keyboard layout or press the wrong key, lock their account, and have to bring their government-issued ID to the bank office to unlock it. Because this is what the programmer’s perception of security looked like.
3. Phishing protection
Two simple steps to protect employees from phishing: enable anti-spoofing emails (by sessing up a few DNS headers) and mark all incoming email messages as EXTERNAL in the Subject field. This will make it more difficult for attackers to fake emails as if they came from your corporate domains, and external phishing from improvised domains and free email services will attract more attention. As a social engineer, I argue that these actions can protect your staff from phishing attacks by about 95 percent, with the remaining 5 being closed via training and “incident practice”. Unfortunately, it is much easier for many organizations to accuse users of stupidity and to threaten them with punishment for each clicked link.
4. Separation of users from admins
It is difficult for me to imagine the conditions in which in a business environment users may need administrator rights in applications and the operating systems. However, in many organizations, the users are often given at least local admin privileges on their working machine. Of course, this makes everyone’s life much easier: admins can relax and focus on “the real work,” and users can always install the software and drivers they needed. But this simplification can cause complete company infrastructure compromise due to the hack of just one workplace. And I am not aware of cases where users were deprived of high privileges before such a total incident occurred. Because all the top managers are local admins on their laptops, so who’s to blame?
5. Separation of networks by destination
All organizations start building their networks not by following the principle of business necessity, but for the reasons of territorial distribution. That is, Kyiv, Lviv and Kharkiv offices, and not the different departments and business functions, get specific subnetworks. This may seem logical, but in fact, it is another way of least resistance that leads to compromise. After all, different units perform different functions, have different relationships with the outside world, and put the organization at different levels of risk. For example, the IT department selects a new IT solution provider for a long time, then tests it in a virtual lab for months, then deploys it on an isolated network and then gradually opens it to other departments. While the software development department should be able to deploy a new development environment from a template within 10-15 minutes and connect it to its own network, the client’s network, and the wild internet. Of course, when a less secure network gets compromised and there is no reliable access control policy between it and the other subnets, the incident quickly spreads in all directions and the business stops. While in the case of proper segmentation, the effects of any penetration can be limited to just one business function. I hope these lines will inspire someone to reconsider their attitude to these issues and change something. But I must admit that the probability of that happening is very small. At least until the next global network virus pops up and puts down half of the Internet. Take care.