by Peter Burgess, Senior Information Security Consultant
Hackers are constantly looking for new ways to access an organisation’s data and sometimes they succeed. One of the more bizarre approaches recently was by using a fish tank. The hackers attempted to access and steal data from a North American casino by accessing a fish tank connected to the Internet as reported in the Washington Post.
Sensors in the fish tank were connected to a computer that regulated the temperature, food, and cleanliness of the tank. By gaining access to the computer that regulated the fish tank, the hackers then gained access to the network(s) that machine could access. It was reported that 10 gigabytes (GB) of data was taken in this hack and sent to a storage device based in Finland.
The vendor in question was a refrigeration, heating, and air conditioning subcontractor. It was said that the vendor had remote network access to the HVAC systems of several stores to routinely monitor energy consumption and temperatures in the stores.
Once the HVAC system was compromised, the hackers were then able to gain access to the store network. Once they had access, they were ultimately able to upload card-stealing malicious software to several credit card swipe devices attached to the registers. Once they had the hack in place, they just sat back and let the customer data and information come to them. Every transaction completed after the hack sent credit card detail and customer information directly to the hackers until the hack was discovered and shut down.
Unfortunately, this problem is only likely to escalate due in part to what is called “The Internet of Things”. This is an industry term used to describe how different types of devices connect to the Internet in today’s environment. This includes but is not limited to refrigerators, home security systems, thermostats, baby monitors – and more.
As more products with the ability to connect to the Internet become available, opportunities for hackers to access data through unique and interesting methods have risen.
A US based company that makes smart children’s soft toys has recently been investigated for leaking 800,000 user account credentials. The data was exposed and on unprotected servers, meaning that hackers were able to access it easily, lock it and hold it for ransom. The toy is designed to allow a child to send messages through the stuffed animal to family that live in distant locations. To accomplish this, the company would gather information about the child and family members the child wanted to communicate with (parent, grandparents) including names, addresses and other personally identifiable information (PII).
It eventually came to be known that the company saved all of this PII in a database that was not protected by a sufficient firewall or other password protected network of devices. Then a group of hackers gained access to the database and held it for ransom. The fish tank incident referred to earlier was just one of nine unique threats mentioned in an annual report by a company (Darktrace) that reports on innovative hacks.
Some of the other threats mentioned included hackers using company servers to acquire bitcoin (a digital form of currency) and former employees using their old login credentials to steal company data to sell to rival companies for revenge and profit.
Many businesses, in particular small to medium ones, often do not consider that they could be targeted by cyber-crime. The reality is that small to medium businesses are now very much being targeted by cyber criminals as many are unprepared and not aware that their PII and customer data is valuable too.
Hackers are approaching the security of an organisation and small to medium businesses by thinking outside of the box to come up with unique approaches to compromise network security. In today’s world where hacking is cheap and more known, it is important that companies take the same approach to protect themselves through staying vigilant in protecting company and customer data. Below are a few suggestions of how your organisation or business can dramatically reduce the likelihood of sensitive data being compromised:
1. Network segmentation – ensure that ALL internet-facing devices and systems are segregated from your core network (which may contain sensitive data) by using firewalls and access control lists (ACLs) to direct and control traffic between those externally facing systems and the core network. So even if the externally facing system is compromised, it will unlikely lead to further access.
As an additional step beyond network segmentation, consider creating a “DMZ” zone in the network to set up an additional layer of network security for inbound network traffic. Also consider limiting access to the critical information to only the users who have a business need to access it.
2. Ensure that strong passwords and secure access control methods (such as multi-factor authentication) are used – especially for access to sensitive information. Multi-factor authentication (something you are, something you know, and something you have) should always be used for remote network access and administrator network console access.
3. Make sure that employees who leave the company have all network and systems access disabled immediately. The best practice for this is to have HR alert IT a few days before a person is terminated so that IT can disable access a short time before the terminated employee is alerted.
4. Keep all production operating system and application patch levels up to date to minimise the effect of any exploitable vulnerabilities. The best practice is to use a team of technical resources to research incoming patches to implement as soon as possible. Also, tools such as WSUS (Windows Server Update Services) and SCCM (System Center Configuration Manager) can help this process through automation.
5. Regularly perform vulnerability scanning (quarterly for both internal and external scanning) and penetration testing (annually).
6. Maintain good physical access controls such as closed-circuit TV cameras and access restriction through radio frequency ID (RFID) badges.
7. Ensure all third-party vendors have restricted access to systems for only the time period required. This can be accomplished by creating a vendor access start date/time and a stop date/time when access is granted. Further, ensure the vendor is aware of their responsibilities in terms of security.
8. To prevent attackers from exploiting any in-house wireless connections, perform periodic wireless scanning tests to identify and shut down any rogue wireless access points. This can be accomplished through third party wireless access point scanners or manual testing performed by the IT team.
9.Require that all internal employees attend security awareness training at least on an annual basis. The security awareness training should cover all possible methods of attack, include detail to help both technical and non-technical employees understand the risks involved and ensure they are aware of their role in preventing a data breach.
The bottom line is… ANY externally facing device or system may provide an entry into your network and lead to the compromise/breach of sensitive data. Vigilance and strong barrier controls are essential to strong organisational information security practices.
Sysnet has extensive experience in compliance and security. Our passion for pragmatic and innovative solutions when it comes to addressing Cybersecurity problems allows us to be the thought leaders in the market when it comes to addressing such multi-layered and complicated challenges related to security.
The Sysnet Information Security team can also help you in designing, implementing, and documenting appropriate security controls, procedures, and policies to meet your obligations.
We will help you create a holistic cybersecurity framework that considers all other applicable standards and regulations that are required and appropriate for your business. If you have a query about this article or wish to learn more about how Sysnet can assist your organisation and your customers request a callback or email email@example.com
If you are a merchant that requires technical or PCI DSS help, please click here