Where securing critical infrastructures is concerned (and with apologies to J.K. Rowling), “Defense Against the Dark Arts” is actually a very real thing.
Awareness of risk in an IT environment goes well beyond casting a Patronus charm at a problem and hoping it works. The term “Threat Ignorance,” as reported by our friends at Tech Target, describes a trend in Information Security in which the Security mavens and gate-keepers determine the level of vulnerability or exposure to threat an organization (or user) might be facing, a level that would keep the likes of Severus Snape on his toes. Threat Ignorance stems from end-users not being fully aware or informed of the basic security precautions available to them, leading to compromise by the Dark Lords and dementors who solemnly swear that they are up to no good.
While the ways in which an IT infrastructure may be compromised are becoming as crowded as a banquet dinner at Hogwarts, three areas of risk may be considered as targets for Threat Ignorance:
- Phishing & Spear-phishing Attacks: This is defined as being the “fraudulent practice of sending emails allegedly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.” Our friends at KnowBe4 and Trend Micro report that “a whopping 91% of cyber attacks and the resulting data breach begin with a spear-phishing email. This conclusively shows that users really are the weak link in IT security.” [Unless we remain ever-vigilant of those random email messages from wealthy foreign princes!]
- Credential Theft: Users often resort to simple, easy-to-remember passwords for the sake of convenience. And while you don’t have to think like Hermione Granger to cast a strong password, just remember: if it’s easy to use, it’s easy to break! And once your password is identified, the entire system and any data that you have access to can be compromised. Building a strong password may require rethinking how to structure a passphrase, which tends to be stronger while still being easy to remember.
- Email Spoofing Attacks & “Whaling”: Spoofed emails are sent from forged email addresses made to look like they originated from someone we know and trust. [This is sort of like seeing that clown in the rain gutter offering candy and thinking it safe to accept!] A more specific example of this is CEO fraud, commonly referred to as “Whaling,” in which an attacker impersonates an important member of an organization to gain the trust of an unsuspecting user.
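To make the credential-theft point concrete, the following added example (not part of the original post) compares the guess space of a random character password against a random word passphrase. It assumes a 95-character printable ASCII pool, a 7776-word list (the size of a Diceware-style list) and an attacker guess rate of 10 billion guesses per second; all three are assumptions for illustration.

```python
import math

# Assumed pool sizes (constructed for this example): 95 printable ASCII
# characters, and a 7776-word list as used by Diceware-style passphrases.
PRINTABLE_ASCII = 95
WORD_LIST = 7776
SECONDS_PER_YEAR = 31_557_600


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` uniformly random choices from a pool."""
    if pool_size < 2 or picks < 1:
        raise ValueError("need a pool of at least 2 and at least 1 pick")
    return picks * math.log2(pool_size)


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the space is searched."""
    return (2 ** bits) / 2 / guesses_per_second


def compare(password_len: int, words: int,
            guesses_per_second: float = 1e10) -> dict:
    """Compare a random character password with a random word passphrase.

    Returns entropy in bits and the average years an attacker at the given
    guess rate would need for each (assumed rate: 1e10 guesses/second).
    """
    pw_bits = entropy_bits(PRINTABLE_ASCII, password_len)
    pp_bits = entropy_bits(WORD_LIST, words)
    return {
        "password_bits": round(pw_bits, 1),
        "passphrase_bits": round(pp_bits, 1),
        "password_years": average_crack_seconds(pw_bits, guesses_per_second)
        / SECONDS_PER_YEAR,
        "passphrase_years": average_crack_seconds(pp_bits, guesses_per_second)
        / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # An 8-character random password (hard to remember) versus 4, 5 and 6
    # random words (easy to remember): the passphrase overtakes it at 5 words.
    for n in (4, 5, 6):
        r = compare(8, n)
        print(f"8 chars: {r['password_bits']} bits, {r['password_years']:.1f} y | "
              f"{n} words: {r['passphrase_bits']} bits, {r['passphrase_years']:.1f} y")
```

The figures assume genuinely random selection; a password built from a dictionary word plus a digit, or a passphrase that is a famous quotation, has far less entropy than these numbers suggest.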
Five Best Practices to do Today
While poor IT security hygiene is nothing new to organizations, our objective is to reduce the footprint of “Unawareness” so that we can expand our locus of influence across a greater market base. Here are the top five strategies and tactics we might want to consider as we look at reducing our threat footprint:
- Look for obvious threats to our business infrastructure. The first order of business (and usually the least expensive) is expanding training efforts for in-house staff, as well as spreading the message that awareness of a risk is the first step in deterrence.
- Remain current with patches and system updates! The tools can’t work if they’re obsolete.
- As a Security Assessment is delivered to the organization, be part of the solution to addressing the findings.
- Strong passwords keep computing environments safe (most of the time). If you don’t already, consider using “Pass Phrases.”
- Work toward establishing multi-factor authentication as a mandate. That reduces the risk of compromise through a stolen or false identity.
We can all contribute to defending against the “Dark Arts” of threats by staying on top of the latest attacks and practicing good security habits. Organizations have safer systems when each user considers themselves an active participant in maintaining the company’s security. Most of our clients have or incorporate some level of security protocols, but many do not frequently train their respective employees in these protocols, or strongly enforce them. Let’s do our part to help keep everyone practicing good security habits.
Today’s Word of the Day: Vigilance!