
10 things you need to do to prevent cyber attacks

Cyber criminals are becoming more and more sophisticated, but so too are ethical hackers, who can help you to close down vulnerabilities before criminals exploit them.

Aleksander Rasmussen / October 03, 2022

Cyber criminals are becoming more and more sophisticated, but so too are ethical hackers, who can help you to close down vulnerabilities before criminals exploit them. Security work must not be a question of just throwing everything at an issue when something happens, but of hard, targeted work.

“Customers are becoming less and less surprised by and more aware of their own security flaws. Customers are also more and more willing to spend money and resources on security. However, we do unfortunately still see customers that do not take security seriously and sweep flaws and risk under the carpet”, explains Aleksander Rasmussen, a security expert at Tietoevry.

Having worked for many years as a security expert and pen-tester, Aleksander knows what he is talking about. He now works at Tietoevry as a security consultant.

Pen testing (penetration testing) is a service in which an IT security company tasks one of its ethical hackers with attempting to find vulnerabilities and flaws in a customer’s infrastructure and services.

Watch out for the Netflix trick

One of the biggest cyber threats you may be exposed to, either in your capacity as a private individual or as an employee of an organisation, is what is known as phishing. Aleksander uses an example from Netflix to explain how hackers work:

“You might receive a message containing a fake Netflix log-in image that asks you for your email and password. Given the busy nature of everyday life, it can be easy to click on such an image. If you look closely at the image, you will see that the web address it points to is not Netflix but a fake site set up by some hackers in Brazil, for example.”

In order to stop people from falling into this trap, he recommends that organizations use a two-factor log-in process. In addition, a good security culture in your organization and a healthy degree of skepticism are important. “It is important to read who the sender of the information is in your browser to ensure you identify phishing.” He adds that if you are in doubt, contact someone who has expertise in the area.

Hacking is a race against time

Aleksander uses a number of methods to get inside customer systems.

There are more and more hackers, and they know what the weakest points of businesses are.

Many hackers succeed by targeting ‘end-of-life’ services, which is to say services for which security updates are no longer offered by their provider. Another typical point they look for is whether insecure passwords or standard passwords that have never been changed are being used.

“Organisations need to pay close attention to obvious vulnerabilities and to close them immediately. The more time goes by, the bigger the risk that attackers will get inside.

You must always ensure your house is secured with a proper lock. The longer you leave your house unlocked, the more risk there is of unwanted visitors”, adds Aleksander.

The most obvious things an ethical hacker checks are whether the company is using services with known vulnerabilities or insecure configurations such as old crypto algorithms and certificates.

A slightly more advanced method is to look for openings in administrative services that are directly exposed to the internet. Examples of this are SSH, TELNET and RDP.

Aleksander Rasmussen says that it is important for him as an ethical hacker to stay ahead of malicious hackers. He knows their methods and ways of thinking.

But there are no magic tricks. Security work is not a question of just throwing everything at an issue when something happens but of hard and targeted work. Organizations need to think holistically about security from a life-cycle perspective and to build security from the very start. In order to stay one step ahead, Aleksander recommends following basic security hygiene such as patching and testing services. It is also important to monitor the current threat situation by following security blogs, podcasts and other sources of news.

People are and will always be the weakest link

It goes without saying and is something that is imprinted on the mind of the ethical hacker: hackers succeed because people fail to follow procedures and make mistakes. Examples include people failing to install updates or patches and people not complying with security procedures. Ethical hackers also test whether it is possible to physically enter a business and thus gain access to critical equipment and technology.

“Create a good security culture internally so that employees never give out their username and password and are careful about downloading software. Awareness-raising activities and knowledge about digital threats and vulnerabilities are important, and managers need to lead by example”, explains Aleksander.

The pitfalls of cloud services

While cloud services have helped make many businesses’ day-to-day activities safer, this must not become a reason to relax, warns Aleksander.

“One challenge with the cloud is not having control over the infrastructure and surrounding services, and third-party container programs are one such example. It is a known issue among hackers that this type of cloud infrastructure can contain vulnerabilities. The same applies to third-party code templates.”

SolarWinds and Kaseya created a lot of concern in 2021, and we should expect more attacks of this type.

“It is important to map all the data that is processed in a system or business process and to have control over how this data is stored.”

Vulnerabilities in software

Ethical hackers look for vulnerabilities in software, and there are a number of loopholes in software that it is important to close.

Aleksander is of the view that businesses need to monitor and set requirements for software suppliers.

He highlights three challenges:

  • Suppliers that do not take security flaws that are reported to them seriously and do not do anything with such information.
  • Suppliers that take legal action against security experts who report security flaws.
  • Suppliers that use software or services for which support or maintenance is no longer offered.

A checklist for identifying vulnerabilities that need to be closed in the fight against hackers

  1. Services with known vulnerabilities
  2. Services with insecure configurations such as old crypto-algorithms and certificates
  3. Services with insecure or standard passwords that have never been changed
  4. Insecure services such as TELNET or FTP (File Transfer Protocol)
  5. Services that are ‘end-of-life’, for which security updates are no longer released
  6. Administrative services exposed directly to the internet
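As an added example that is not part of the article, the six checklist items above can be turned into a repeatable audit over an exported service inventory. The record format (host, port, service, exposure, tls_min, cert_expiry, eol_date, default_creds, known_vulns) and the sample data are assumptions; map them to whatever your asset inventory or scanner actually exports.

```python
from datetime import date

# Checklist item 4: protocols that send credentials and data in cleartext.
CLEARTEXT_SERVICES = {"telnet", "ftp"}
# Checklist item 6: administrative services that should not face the internet directly.
ADMIN_SERVICES = {"ssh", "telnet", "rdp"}
# Checklist item 2: protocol versions treated as legacy crypto.
LEGACY_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
AUDIT_DATE = date(2022, 10, 3)  # assumed audit date for the sample run

def audit_service(svc: dict, today: date) -> list:
    """Return the checklist items one inventory record triggers, in checklist order."""
    findings = []
    name = svc["service"].lower()
    if svc.get("known_vulns", 0) > 0:                # 1: scanner reported known CVEs
        findings.append("1-known-vulnerability")
    if svc.get("tls_min") in LEGACY_TLS:             # 2: old crypto protocol still accepted
        findings.append("2-legacy-tls")
    if (exp := svc.get("cert_expiry")) and exp < today:   # 2: certificate already expired
        findings.append("2-expired-certificate")
    if svc.get("default_creds"):                     # 3: default/standard password never changed
        findings.append("3-default-password")
    if name in CLEARTEXT_SERVICES:                   # 4: TELNET/FTP style cleartext protocol
        findings.append("4-cleartext-protocol")
    if (eol := svc.get("eol_date")) and eol <= today:     # 5: vendor no longer ships security updates
        findings.append("5-end-of-life")
    if name in ADMIN_SERVICES and svc.get("exposure") == "internet":  # 6: admin service on the internet
        findings.append("6-admin-exposed")
    return findings

def audit_inventory(inventory: list, today: date) -> dict:
    """Map 'host:port' to its findings; services with nothing to report are omitted."""
    report = {}
    for svc in inventory:
        if found := audit_service(svc, today):
            report[f"{svc['host']}:{svc['port']}"] = found
    return report

# Constructed sample inventory (private addresses, not real hosts).
SAMPLE = [
    {"host": "10.0.0.5", "port": 23, "service": "telnet", "exposure": "internet", "default_creds": True},
    {"host": "10.0.0.8", "port": 443, "service": "https", "exposure": "internet", "tls_min": "TLSv1.0", "cert_expiry": date(2022, 1, 31)},
    {"host": "10.0.0.9", "port": 22, "service": "ssh", "exposure": "internal", "eol_date": date(2020, 12, 31)},
    {"host": "10.0.0.12", "port": 3389, "service": "rdp", "exposure": "internet", "known_vulns": 1},
    {"host": "10.0.0.20", "port": 443, "service": "https", "exposure": "internet", "tls_min": "TLSv1.2", "cert_expiry": date(2023, 6, 1)},
]

if __name__ == "__main__":
    for target, items in audit_inventory(SAMPLE, AUDIT_DATE).items():
        print(target, ", ".join(items))
```

The last sample record is a correctly configured HTTPS service and produces no finding, which is the check that the rules do not flag healthy services.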

Measures

  1. Create a good security culture internally so that employees never give out their username and password, and are cautious about downloading software
  2. Check all links in your cloud service value chain
  3. Look into software providers to ensure they follow best practices in their security work
  4. Ensure you have good physical security for critical areas in your technology environment


Aleksander Rasmussen
Senior Consultant
