Securing our Digital World
By Danny Timmins
While today’s global marketplace is heavily technology dependent, and we all rely on technology for business and personal activities, the human factor is still the biggest risk to any person’s, company’s or organization’s digital security, and the bad guys know it.
As a result, the people who want your information are engaging in social engineering tactics to target system users, many of whom fall prey on any given day.
Recent statistics tell us that phishing accounts for 90 per cent of all data breaches, and that close to four per cent of the population will click on an attachment or link, no matter what the circumstances.
Perhaps this is due to simple curiosity, or a lack of training, but the sophistication of modern phishing and social engineering emails has made it considerably more difficult to detect fraudulent attempts to infiltrate our digital worlds.
I am part of a team of security experts that has the ability to craft a phishing campaign that will achieve, on average, a 35 per cent hit rate of an organization’s employees clicking on a link.
Of those who click, anywhere from 10 to 15 per cent will usually provide us with credentials – their user names and passwords.
In a real situation, this is all the hackers need to download malware and gain access to an organization’s system without the user being aware that they have opened the cyber door for them.
Similarly, phishing via public Wi-Fi is a proven way to target users to gain access to an organization.
Why the Lax View?
The main reason why so many people and organizations do not place the necessary emphasis on cyber security is that it is not a physical affront.
Psychologically, if we feel that something is going to happen physically, we feel vulnerable. In the cyber world, everything is silent.
Imagine the vulnerability you would feel if your passport was physically stolen. Now consider how you would feel if you had scanned your passport to book a hotel, and then that hotel’s email was subsequently breached.
The vulnerability we feel when our passport information is in the wrong hands does not affect us in the same way, but the risk of someone using that information to steal our identity is the same.
Since we perceive the physical and the cyber world differently, it becomes a challenge to have users consider the risk in the same way, but it can help to test your team and conduct cyber awareness training so that the intrusion feels as real as a physical affront.
When we participate in training seminars and conferences, our team has been known to test for this – so that those attending may experience the impact first hand.
We’ll set up a sound-alike free public Wi-Fi system, and when an attendee connects to what they believe to be the correct Wi-Fi, they’ll happily type their LinkedIn or Facebook password to access our rogue Wi-Fi system. They think nothing of it, but that is all that a hacker needs to take over that person’s account.
Cyber has come out of its infancy. Over the next few years, we are going to see it mature. Commercial customers are going to be asking their third-party vendors – including the companies who are servicing their building systems – about their own cyber security maturity. Will you be ready?
Did you know?
With the ever-increasing reliance on technology, there is a higher risk of you or your customer experiencing a cyber breach than of having a fire on premises. And yet our business resiliency and continuity plans outline exit plans and recovery for fires. Perhaps we should now be preparing for cyber threats to our businesses.
What is the risk?
There are a number of reasons why a company should be thinking about security, but the simple reason is to protect your company’s data.
This data may be proprietary information, client databases or financial information, and it is all ultimately linked to your brand and reputation.
Not only would a data breach negatively impact how others perceive your company; an infiltration could also open your organization up to litigation by those whose information has been stolen.
Protecting your Customers
There are a number of high-profile examples of security breaches where a company has been accessed through a doorway used by its vendors. In one highly publicized breach in the U.S., a major retail firm was infiltrated through an invoicing structure used by its contracting service providers, including its HVAC service provider.
The concern a business should have is that if their vendor or service provider is infiltrated, then any access information the vendor has is also in the wrong hands. As an organization, we need to make sure our contractors are taking the best precautions.
If I am a building operator and I have three or four different vendors – HVAC firms or elevator firms – and they have access to my building automation system, I should be asking them questions like, “What kind of security protocols are you using?” and “How are you protecting our building?”
I recommend that business owners request stipulations in their contracts, as well as evidence that the vendor is not exposing the building systems and other data to risk.
What to do when infiltrated
Getting ahead of a potential break-in is always better than reacting after the fact. Ideally, an organization should have a Cyber Security Incident Response plan in place in case of a breach.
Of course, whether you have a plan ahead of a breach or after, the first move is to contain the breach. Time is of the essence, and having a plan in place will help outline the action(s) you should take to stop the breach. See The Cyber Security Incident Response plan below.
The Cyber Security Incident Response plan
When putting together a response plan, there are a number of protocol steps that are advisable, as well as a number of questions to ponder so that the response addresses the specific details of the incident.
Here are a few items to address or consider in your plan:
- No one is to post about the breach on social media unless approved to do so;
- A decision-making procedure to decide if you require a forensic record of the breach;
- Information of who to contact if legal advice is likely to be needed;
- Insurance policy information and contacts;
- A detailed communication plan, including who will serve as spokesperson;
- If it involves a privacy breach, the company must contact the Privacy Commissioner;
- Details about the team that will stop the breach, clean the systems and record what happened;
- If the breach affects one or more of your clients, you will need to communicate with them, whether they choose to work with you and/or implement their own incident response plan;
- A copy of your action plan so that any other affected party knows what it looks like; and
- When all is settled, conduct a lessons-learned exercise.
Changing Your Password
When an organization has been breached, we often find that the strength of a password, or lack thereof, is a contributing factor.
For example, there might be one password for everyone to use on the system. This can make it difficult to prove who accessed the system.
Equally shocking is how simple some people’s passwords are. The most common ones we run into when reviewing an organization’s security are Password1, Password12345 and, because we are on a QWERTY keyboard, QWERT123.
So, what makes for a good password? We recommend that people use a 12-character password. One approach is to take the first letter of each word in a phrase, so that it is easy to remember. Substituting numbers or special characters for some of the letters or vowels, and adding an exclamation point or another special character at the end, makes it that much more difficult to crack.
Of course, most passwords can be broken in time. Using a 12-character password with special characters makes it much more difficult for cyber criminals to compromise your account than the accounts with weaker password protections. The aim is to not be the easy target.
For even better protection, we highly recommend an additional layer of security: multi-factor authentication, which requires an extra verification step before the user is granted access.
This could be a randomly generated access code sent to the user’s phone, which would then need to be entered after the password, or it could simply be a USB key that needs to be plugged in for the password to be accepted.
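The password advice above can be turned into a check that an administrator runs over candidate passwords. The following is an added example written for this article, not the author's own tool: it builds a password by the phrase recipe the article describes and then screens any password against the 12-character minimum, the presence of a special character and a digit, and a small denylist made up of the weak passwords the article lists. The substitution table and the denylist are constructed for the example.

```python
import string

# Constructed denylist: the weak passwords the article reports seeing most often.
COMMON_PASSWORDS = {"password1", "password12345", "qwert123"}
MIN_LENGTH = 12  # the article's recommended minimum length
# Assumed substitution table for the "swap some letters for numbers or symbols" step.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def phrase_to_password(phrase: str, suffix: str = "!") -> str:
    """Follow the article's recipe: take the first letter of each word in a
    memorable phrase, substitute digits/symbols for some letters, and append
    a special character."""
    initials = "".join(word[0] for word in phrase.split())
    substituted = "".join(SUBSTITUTIONS.get(ch.lower(), ch) for ch in initials)
    return substituted + suffix


def check_password_policy(password: str) -> list[str]:
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch in string.punctuation for ch in password):
        findings.append("no special character")
    if not any(ch.isdigit() for ch in password):
        findings.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("matches a commonly used password")
    return findings


if __name__ == "__main__":
    phrase = "the quick brown fox jumps over the lazy dog twelve times"
    for candidate in ["Password1", "QWERT123", phrase_to_password(phrase)]:
        result = check_password_policy(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

The denylist comparison is case-insensitive, since Password1 and password1 are equally weak; a production check would load a much larger list of breached passwords rather than the three shown here.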
Best Practices with IoT Devices
Many of the IoT devices that are used in building automation systems put a focus on the performance of the device, rather than on system security. As such, it is not always possible to ensure the highest levels of security are employed.
That said, when an IoT device is compromised, we often find that the default password is still being used. This is simply user error. A device’s default password is easy to find online, so at the very least, upon installation, it should be changed to a unique password of 12 or more characters.
At some point after the initial installation, each device will also need to be upgraded or updated. This can take a considerable amount of time, especially when there are a large number of devices across a building or complex.
In the IT world, it takes organizations an average of nine months to fully install updates to their systems once an upgrade is required.
For IoT devices, it could take even longer. Hackers are aware of this vulnerability, and know that they have a potential nine-plus month window to exploit security flaws that these patches are intended to fix.
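The two IoT findings above, default passwords left in place and patches that sit uninstalled for months, can both be checked from a device inventory. The following is an added example, not the author's or any vendor's tool: it audits a constructed inventory of building-automation devices for default credentials (compared by hash against placeholder defaults, not real vendor values), for passwords shorter than the article's 12-character minimum, and for firmware that has been behind an available fix for longer than roughly the nine-month window the article describes. The device names, passwords, firmware versions and dates are all constructed.

```python
import hashlib
from datetime import date

# Constructed placeholder defaults; a real audit would load each vendor's
# published defaults per device model. These are NOT real vendor values.
DEFAULT_PASSWORDS = ["admin", "1234", "VENDOR-DEFAULT-PLACEHOLDER"]
DEFAULT_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in DEFAULT_PASSWORDS}
MIN_LENGTH = 12           # the article's 12-plus character recommendation
MAX_PATCH_AGE_DAYS = 270  # roughly the nine-month window the article describes


def record(device: str, password: str, installed_fw: str, available_fw: str, fix_released: date) -> dict:
    """Build an inventory record. Only a hash and the length of the password are
    kept, so the inventory itself never holds device credentials."""
    return {
        "device": device,
        "password_sha256": hashlib.sha256(password.encode()).hexdigest(),
        "password_length": len(password),
        "installed_fw": installed_fw,
        "available_fw": available_fw,
        "fix_released": fix_released,
    }


# Constructed inventory for the example.
INVENTORY = [
    record("ahu-controller-01", "admin", "2.1", "2.3", date(2019, 1, 15)),
    record("lift-gateway-02", "r0of-L1ft-Tw0-2019!", "4.0", "4.0", date(2019, 6, 1)),
    record("meter-bridge-03", "M3ter-Br1dge-East-7", "1.8", "1.9", date(2019, 10, 1)),
]


def audit_device(dev: dict, today: date) -> list[str]:
    """Findings for one device: default credential, short password, missing patch."""
    findings = []
    if dev["password_sha256"] in DEFAULT_HASHES:
        findings.append("default password still in use")
    if dev["password_length"] < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    if dev["installed_fw"] != dev["available_fw"]:
        age = (today - dev["fix_released"]).days
        severity = "OVERDUE" if age > MAX_PATCH_AGE_DAYS else "pending"
        findings.append(
            f"{severity}: firmware {dev['installed_fw']} behind {dev['available_fw']}, "
            f"fix available for {age} days"
        )
    return findings


def audit_inventory(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Map each device name to its findings; devices with no findings are omitted."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["device"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit_inventory(INVENTORY, date(2019, 12, 1)).items():
        print(device)
        for finding in findings:
            print("  -", finding)
```

Running the audit on a fixed date makes the report reproducible; in practice the exposure window is measured from the day the vendor published the fix, which is the window the article says attackers count on.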
There is some good news on the technology front though, and that comes from the world of AI, or artificial intelligence.
Often referred to as machine intelligence or machine learning, AI in this context means using technology for behavioural analysis. It essentially puts eyes and ears on activities that would be difficult for IT professionals to identify by sifting through data logs by hand.
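To make the behavioural-analysis idea concrete, here is an added example that is not the author's or any product's code. It stands in for the analytics the article attributes to AI with a deliberately simple, rule-based baseline (an assumption of this example, not a claim about how any AI product works): it learns, per user, the hours and source addresses seen in a period of normal logins, then flags later logins that fall outside that profile. The log format, users and addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: a baseline of normal building-management
# system logins, followed by new events to score.
BASELINE_LOGS = """\
2019-03-04T08:02:11 user=jsmith src=10.20.1.15 action=login result=success
2019-03-04T17:58:40 user=jsmith src=10.20.1.15 action=logout result=success
2019-03-05T07:55:03 user=jsmith src=10.20.1.15 action=login result=success
2019-03-05T09:12:27 user=hvac-vendor src=203.0.113.8 action=login result=success
2019-03-06T08:10:45 user=jsmith src=10.20.1.15 action=login result=success
2019-03-06T10:30:02 user=hvac-vendor src=203.0.113.8 action=login result=success
"""

NEW_LOGS = """\
2019-03-11T08:05:19 user=jsmith src=10.20.1.15 action=login result=success
2019-03-12T02:41:07 user=jsmith src=198.51.100.77 action=login result=success
2019-03-12T11:15:33 user=hvac-vendor src=203.0.113.8 action=login result=success
"""


def parse(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def build_baseline(log_text: str) -> dict:
    """Per user: the set of hours and source addresses seen for successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set()})
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["action"] == "login" and ev["result"] == "success":
            baseline[ev["user"]]["hours"].add(ev["time"].hour)
            baseline[ev["user"]]["sources"].add(ev["src"])
    return baseline


def score_events(log_text: str, baseline: dict, hour_slack: int = 1) -> list[tuple[str, list[str]]]:
    """Flag logins whose hour or source address falls outside the user's baseline.
    hour_slack lets a login one hour either side of usual hours pass unflagged."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["action"] != "login":
            continue
        profile = baseline.get(ev["user"])
        reasons = []
        if profile is None:
            reasons.append("user never seen in baseline")
        else:
            hour = ev["time"].hour
            if not any(abs(hour - h) <= hour_slack for h in profile["hours"]):
                reasons.append(f"login at hour {hour:02d} outside usual hours {sorted(profile['hours'])}")
            if ev["src"] not in profile["sources"]:
                reasons.append(f"new source address {ev['src']}")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    profile = build_baseline(BASELINE_LOGS)
    for line, reasons in score_events(NEW_LOGS, profile):
        print(line)
        for reason in reasons:
            print("  -", reason)
```

With this input only the 02:41 login from an address the user has never used before is raised; the vendor account logging in at its usual hour from its usual address is left alone, which is the point of profiling behaviour rather than alerting on every login.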