The Big 4 – Prevent Data Breaches & Ransomware Attacks
When I speak to people about cybersecurity, I reference the Big 4. I have also presented seminars and webinars on the Big 4. The Big 4 is a term I use to describe the 4 easiest and most common paths into a business for cyberattacks. It’s often how data breaches and ransomware attacks occur. The Big 4 account for almost every data breach reported.
As a society, we like to believe that successful data breaches and ransomware attacks are the work of mastermind hackers, but in reality the attacker usually got in through one or more of four well-worn avenues into the business's IT infrastructure. That is not to say there are no highly skilled black-hat hackers working diligently to get into a company like Microsoft or Apple, but as you will learn, those companies, and others with a similar mindset, spend a lot of time and money training their people to address the Big 4. Around 85% of all data breaches involve a human element at some point in the process.
Another common misconception is that small businesses cannot afford cybersecurity. My company has many very small businesses as clients, and they all have the best protection from attacks. If you don't take measures to protect your business, you're also going to find it harder to obtain certain types of insurance.
The State of Connecticut incentivized the adoption of a cybersecurity framework in October 2021, further highlighting how seriously businesses of all sizes need to take this. The language in the statute includes terms like "sole proprietor" and "single-member LLC". Get the hint? Very small businesses are not excluded from having to implement a plan to address cybersecurity risks.
A proactive cybersecurity plan addresses the Big 4. As part of any cybersecurity framework, you will need to assess your overall risk, prioritize the exposures you uncover, and address them in priority order. If any of the Big 4 turn up in that list, treat them as very high risks and fix them immediately. I can almost guarantee that if you've never done a risk assessment in your business before, at least one of the Big 4 will be in the results.
Let's look at this from another perspective. Most businesses hold at least some client information. Many hold personally identifiable information (PII), and any business associated with healthcare will at least have access to Protected Health Information (PHI). Even if there were no rules and regulations around storing and protecting PII and PHI, you owe it to your customers to make every reasonable effort to ensure their data isn't exposed. Fixing the vulnerabilities you find during a risk assessment goes a long way toward that.
You’re probably wondering by now what the Big 4 are. I thought it was important to first point out no matter the size of your business you can better protect it. The notion that a small business cannot afford to have the same protection as a larger business is a fallacy. You might not be able to invest tens of thousands into a server, but you can afford to protect your business and client data.
I also thought it was important to point out that federal and state governments are taking data breaches more seriously. Almost daily, it seems, another task force is formed, another plan is put into place, or a law is created or updated to push businesses of all sizes to act. It is no longer acceptable to sit on the sidelines while ransomware gangs and cybercriminals jiggle the handle on your business's virtual front door to see if it's locked.
If you take both points to heart, you are already on your way to better protecting your clients' sensitive data, your proprietary information, and your business's reputation.
The Big 4
No, it’s not the next NBA super team. The Big 4 are the four most commonly exploited channels into businesses of all sizes. They might surprise you. I certainly hope they don’t, but I suspect if you’re reading this you will be stunned to learn what they are.
Without further ado here are the Big 4.
- Phishing – This is what it sounds like. An attacker casts out bait to lure an unsuspecting person into doing something they wouldn't normally do, such as downloading a file, clicking a link, or calling a phone number. The goal of a phishing attack is to install malware, steal credentials, or steal money.
Phishing is a form of social engineering and arrives through many channels, such as text messages or phone calls, but more than 90% of phishing attacks happen through email. There are also many different types of phishing attacks. Phishing succeeds because it plays on people's emotions, usually fear.
- Unpatched Operating Systems & Software – Operating system (Windows, Mac, Linux) and software updates are released for one of two reasons. The first is relatively harmless (although not always). Feature updates are usually improvements to the user experience of the software or operating system being updated.
The second is to address known vulnerabilities. Sometimes a vulnerability is already being actively exploited before the update is released. More often, exploitation takes off after the update is released and the vulnerability is made public, because attackers can now study the fix and know exactly which unpatched systems to target.
There are other concerns with patching and updating software (the hot topic of late is supply chain attacks, but we will get to that later). Outdated software and unpatched operating systems give attackers a known, documented way into your network, and attackers routinely exploit years-old vulnerabilities for which the vendor released a fix long ago.
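The practical question behind this item is "which of my Windows machines still have security updates waiting?". The script below is an added example, not code from the original post. It asks the built-in Windows Update Agent (the same API Settings uses) for updates that are known but not installed, flags the ones Microsoft rates Critical or Important, and notes how long each has been available. The 30-day "overdue" threshold is an assumed value; the machine must be able to reach its update source (Windows Update or WSUS) and the script should be run in an elevated PowerShell on the host being checked.

```powershell
# Added example (not from the original post): list security updates Windows knows about but
# has not installed. Uses the Windows Update Agent COM API, so no extra modules are needed.

function Get-MissingSecurityUpdates {
    param(
        # Updates published longer ago than this are flagged as overdue (assumed threshold).
        [int]$OverdueDays = 30
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # IsInstalled=0 -> not yet installed; IsHidden=0 skips updates an admin has hidden.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    $findings = foreach ($update in $result.Updates) {
        $published = $update.LastDeploymentChangeTime
        $ageDays   = [int]((Get-Date) - $published).TotalDays
        [pscustomobject]@{
            Title    = $update.Title
            KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'n/a' }
            AgeDays  = $ageDays
            Overdue  = $ageDays -gt $OverdueDays
        }
    }

    # Most urgent first: vendor-rated Critical/Important, then the oldest outstanding ones.
    $findings | Sort-Object @{ Expression = { $_.Severity -in 'Critical', 'Important' }; Descending = $true },
                            @{ Expression = 'AgeDays'; Descending = $true }
}

# When did the last hotfix land at all? A date months in the past is itself a finding.
$lastHotfix = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
"Last installed hotfix: $($lastHotfix.HotFixID) on $($lastHotfix.InstalledOn)"

Get-MissingSecurityUpdates | Format-Table -AutoSize
```

Any row with Severity Critical or Important and Overdue True is exactly the "years-old vulnerability the vendor already fixed" case: the fix exists, it is just not on the machine yet. Running this across every workstation and server, not just one, is what turns the check into a patch program.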
- Weak Password Policies – Eventually passwords will be a thing of the past. If you are in the Microsoft ecosystem you may already have noticed this, and a few other platforms are doing similar things: you enter your username, and the platform or application sends a notification to your phone for you to approve the login.
Until then you should have a password policy in place. That policy should require a minimum password length. Some sources say the minimum length should be 8. I disagree. I think the minimum should be 15. Your password should also include UPPERCASE, lowercase, numbers, and special characters. And you should NEVER reuse a password.
Even if you decide not to follow the advice above (a big mistake), at the very least turn on two-factor or multifactor authentication. 2FA/MFA adds another layer of authentication to your accounts. Turn it on anywhere you are required to log in. The number of easy-to-crack or easy-to-guess passwords still in use today is astonishing. The amount of bad advice around password policies is equally shocking.
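To make the policy above concrete, here is an added example (not code from the original post) that checks a candidate password against those exact rules: at least 15 characters, all four character classes, and no reuse. The "previously used" password and the three sample candidates are constructed for the demo. Two assumptions are labelled in the code: reuse is detected by comparing SHA-256 hashes rather than clear text, which is fine for a demo but a real password history should use a salted, slow hash; and in a Windows domain you would enforce the same rules centrally through Group Policy or a fine-grained password policy rather than with a script like this. MFA is a separate control and is not something a password checker can test.

```powershell
# Added example (not from the original post): validate a password against the post's rules.

function Get-Sha256Hex {
    param([string]$Text)
    # Demo only: unsalted SHA-256. A production password history would use a salted, slow hash.
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLowerInvariant()
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 15,                 # the post's recommendation, not the common 8
        [string[]]$PreviousPasswordHashes = @()   # hashes of passwords this user already used
    )
    $violations = @()

    if ($Password.Length -lt $MinimumLength) {
        $violations += "shorter than $MinimumLength characters (is $($Password.Length))"
    }
    # -cnotmatch is case-sensitive, so upper and lower case are really checked separately.
    if ($Password -cnotmatch '[A-Z]')        { $violations += 'no uppercase letter' }
    if ($Password -cnotmatch '[a-z]')        { $violations += 'no lowercase letter' }
    if ($Password -notmatch  '[0-9]')        { $violations += 'no digit' }
    if ($Password -notmatch  '[^A-Za-z0-9]') { $violations += 'no special character' }

    # "Never reuse a password": compare hashes so the history is never kept in clear text.
    if ((Get-Sha256Hex $Password) -in $PreviousPasswordHashes) {
        $violations += 'matches a previously used password'
    }

    [pscustomobject]@{
        Compliant  = ($violations.Count -eq 0)
        Violations = $violations
    }
}

# Constructed demo data: pretend this user previously used "Summer2021!Summer2021!".
$history = @( Get-Sha256Hex 'Summer2021!Summer2021!' )

foreach ($candidate in 'Password1!', 'Summer2021!Summer2021!', 'correct-Horse-batt3ry-STAPLE') {
    $r = Test-PasswordPolicy -Password $candidate -PreviousPasswordHashes $history
    "{0,-30} compliant={1}  {2}" -f $candidate, $r.Compliant, ($r.Violations -join '; ')
}
```

The first candidate has every character class but is only 10 characters, so it fails on length alone; the second is long and complex but is a repeat, so it fails on reuse; the third passes. The point of returning the list of violations rather than a bare yes/no is that the user (or help desk) sees which rule was broken instead of guessing.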
- Unprotected Windows Remote Desktop – Microsoft Windows includes a powerful remote access tool, Remote Desktop (RDP), that is very useful, especially during and after the COVID-19 pandemic. It really is a great tool. The problem is not the tool itself but how it's configured and used. Publicly facing RDP servers without protection have been compromised time and time again. There are several ways to secure Microsoft RDP to prevent a bad guy from getting in through your open window (pun intended).
There are tools available to anyone on a free-to-use basis. One such tool, Shodan, allows you to search different protocols and ports to see what is exposed to the internet. I searched Remote Desktop Protocol when COVID-19 first moved most of us to work from home and it revealed over 1,000,000 public-facing Microsoft Remote Desktop Protocol servers in the US. I ran the same search as I wrote this, and it revealed 688,567 public-facing Microsoft Remote Desktop servers. Combine that with weak password policies (see number 3) and you have a recipe for disaster.
I don't want to paint Windows RDP as the only remote access software to be careful with. It's not the only remote connection tool that can and will be used for unauthorized access. The remote management tools used by Managed Service Providers have been used to get into businesses, and other remote connection tools have been used to sneak in as well. Once attackers get in, they have free rein and will try to move laterally across the business's network to the other devices on it.
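What "unprotected" means in practice for RDP comes down to a handful of settings on the Windows host: whether RDP is on at all, whether Network Level Authentication (NLA) and TLS are required, and which source addresses the Windows Firewall lets reach TCP 3389. The script below is an added example, not code from the original post or from Microsoft. It reads those settings, warns when RDP is enabled and reachable from any address, and provides the hardening steps as functions you can call once you have read the audit. The registry paths are the standard Terminal Server keys; the 10.8.0.0/24 VPN subnet is an assumed placeholder you must replace with the range your remote staff actually connect from. Run it in an elevated PowerShell.

```powershell
# Added example (not from the original post): audit and harden the settings that make a
# Windows host's RDP an "open window". Run elevated.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 0 means RDP is enabled; UserAuthentication = 1 requires NLA;
    # SecurityLayer = 2 forces TLS instead of the legacy RDP security layer.
    $rdpEnabled = (Get-ItemProperty $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
    $tlsLayer   = (Get-ItemProperty $rdpKey -Name SecurityLayer).SecurityLayer -eq 2

    # Enabled inbound RDP firewall rules and the source addresses they accept.
    # 'Any' means the whole internet can knock if 3389 is forwarded or the host has a public IP.
    $rules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True
    $scopes = $rules | Get-NetFirewallAddressFilter |
              Select-Object -ExpandProperty RemoteAddress -Unique

    [pscustomobject]@{
        RdpEnabled       = $rdpEnabled
        NlaRequired      = $nla
        TlsSecurityLayer = $tlsLayer
        AllowedSources   = ($scopes -join ', ')
        OpenToAnySource  = ($scopes -contains 'Any')
    }
}

function Set-RdpHardening {
    param([string]$AllowedSubnet = '10.8.0.0/24')   # ASSUMED VPN/LAN range; replace with yours

    # Require NLA and TLS: an attacker must authenticate before ever seeing the logon screen,
    # which also keeps pre-authentication bugs in the RDP stack out of reach.
    Set-ItemProperty $rdpKey -Name UserAuthentication -Value 1
    Set-ItemProperty $rdpKey -Name SecurityLayer      -Value 2

    # Limit who can even reach TCP 3389: the VPN/LAN range only, never the whole internet.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedSubnet
}

function Disable-Rdp {
    # The strongest fix when nobody needs RDP on this host: turn it off and close the rule.
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

$audit = Get-RdpExposure
$audit | Format-List
if ($audit.RdpEnabled -and $audit.OpenToAnySource) {
    Write-Warning 'RDP is enabled and reachable from any source address: this is the open window.'
    # Set-RdpHardening   # apply once $AllowedSubnet is set to your real VPN/LAN range
}

# The outside-in check, run from a machine OUTSIDE your network, is simply whether 3389
# answers on your public IP (this is what the Shodan search in the post finds at scale):
#   Test-NetConnection -ComputerName <your public IP> -Port 3389
```

Even with NLA and TLS turned on, an RDP service open to any source address is still a password-guessing target, which is why the firewall scope (or a VPN in front of it) matters as much as the protocol settings, and why this item and weak passwords (number 3) so often show up together in the same incident.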
This is the first in a series of blog posts about the Big 4. We’re going to get into a lot more detail about how each of the Big 4 is used by attackers, and how you can mitigate the risks to your business. Education is a critical component of any cybersecurity plan. Reading this is a good start.
If you want to know whether or not your identity and/or data are at risk click here for a free dark web scan.