Employees are weak link in company cyber attacks

Mark Burnette, For The Tennessean 11:11 p.m. CDT April 29, 2015

Today’s companies face a truly daunting task when trying to protect their computer systems and sensitive data from compromise. Attackers are better coordinated and more sophisticated than ever before, and their tools are easier to obtain and use.

While there are many security issues for businesses to be concerned about (some of which are covered in other installments of this series), an all-too-common problem at companies of all sizes is attacks directed at the computer users themselves. The vulnerable users are workers in the company who have user accounts and passwords and use desktops, laptops, tablets and other devices to interact with a company’s data and network. Hackers and other bad guys target these users because they have access to sensitive data and systems, their account passwords are typically easy to guess or crack, and they are often willing to open a malicious file, click on an emailed link or even willingly type their password into a bogus site.

Protecting your company against end-user attacks requires a two-pronged approach: 1) train your users to help them be more aware of how end-user security attacks occur and 2) configure your systems to make it harder for the bad guys to successfully get in if a user slips up. Here’s a list of steps you should take:
•Keep up to date with security patches provided by software vendors for end-user machines. In addition to operating system patches, be sure to patch application software such as Adobe, Java and web browsers, as older versions of those tools have well-known vulnerabilities that are frequent vectors of attack.

•Provide spam filtering for every machine, with sensitivity controls turned up. One of the most common tactics attackers use to make initial entry into a company’s network is enticing end users to click on a spam email link that installs malware. While this won’t stop every phishing attempt, if you can filter out even one, that is one fewer opportunity for an unsuspecting user to click a bad link.

•Remove local administrator rights from end-user machines. Local administrator rights give a user more power to make changes to a computer, and if an attacker gains control of a machine with those rights, damage to the network can be much more significant.

•Make sure there is up-to-date anti-virus/malware protection installed on every machine.

•Require IT personnel to use different passwords when they work on servers. Even IT administrators can fall victim to email phishing attacks when they are working on their own computer. If they click on a bad link while logged in as an administrator, attackers can gain big-time access to your network using their privileged credentials.

•Develop a security awareness program for all personnel to help them understand their responsibilities when using a company computer system and/or handling sensitive data. This training should also teach users how to create good passwords (ones that are easy to remember, but difficult to guess).

•And perhaps most importantly, require “two-factor authentication” for users logging on to the network from a remote location. That means that a password alone is not enough to gain access; another form of authentication is needed. That could take the form of such things as a fingerprint, a token (a physical device that generates a code that is entered on the machine) or a digital certificate. If two-factor authentication is in place, an attacker who successfully captures a user’s access credentials still won’t be able to remotely connect to the network without the second factor (the token).

Taking all these measures will not completely eliminate the possibility of a successful attack, but it will greatly reduce your exposure to this common attack path, which just might make a potential attacker move on to a more vulnerable target.
Mark Burnette is a partner in the Security and Risk Services practice at LBMC, the largest regional accounting and financial services family of companies based in Tennessee, with offices in Brentwood, Chattanooga and Knoxville.