By Scott Reid
It is no secret that we live in a world where cyber-crime has become a serious concern. Practically every day we hear of data breaches and security violations. Even the products we own and use daily have security updates pushed to them no less than monthly.
For this reason, the companies that host and serve your data and processing platform, along with the developers of the systems you use, are bound by a number of rules and regulations. There are many standards and certifications out there, but the main ones we hear about are GDPR, HIPAA and PCI DSS. I will not go into the details of each of them, but there are some high-level principles that are considered basic yet effective in securing systems in the digital age.
In terms of importance, the first and foremost component of a secure network is a firewall. We have all heard about them, but are they all the same? The answer is no. An off-the-shelf firewall from an electronics store will likely not include the threat management features needed to provide proper network security in a business environment. There are many factors to consider when selecting a firewall.
The next component is your own development structure. You must have the code in place and be able to change it in order to combat vulnerabilities. And last is the internal process: if you do not have a strategic plan for how you will be notified of potential breaches or hacks, you will likely not catch them even when they make their way into your network. Below are some of the ways you can be prepared for cyber-attacks.
1 Never Leave your Database Facing the Public
Most of the time, when you hear of a data breach it consists of someone manipulating the code facing the Internet in order to reach back-end data. It is not unheard of, and is in fact standard, to leave the page that your users access facing the Internet; the database behind it should not be. It is up to your developers to keep their practices current and to ensure that restrictions are in place in your back-end code. Common practices include limiting incorrect log-in attempts from a specific IP address or against a specific account, and restricting characters in user input fields that are reserved for database operations. Your developers should protect the database calls so that only the characters a user legitimately needs to input ever reach the database.
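The two practices above, as an added example that is not part of the original article: a database lookup written the unsafe way (user input spliced into the SQL text) beside the hardened form (a parameterized query, where the driver keeps the value separate from the statement), plus a small limiter that refuses further log-in attempts once an IP address or an account has accumulated too many failures in a sliding window. The in-memory SQLite table, the account names and the thresholds are constructed for the example.

```python
import sqlite3
import time
from collections import defaultdict

# Constructed in-memory table standing in for the back-end user database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
conn.commit()


def lookup_user_unsafe(username):
    """The pattern the article warns about: the user's input becomes part of
    the SQL statement, so quote characters and SQL keywords in the input are
    executed as database operations rather than treated as data."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(username):
    """Hardened form: the value travels separately from the query text, so a
    quote or keyword in the input is compared as plain text and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


class LoginAttemptLimiter:
    """Counts failed log-ins per source IP and per account within a sliding
    window and reports when either count has reached the threshold."""

    def __init__(self, max_failures=5, window_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(list)  # (kind, key) -> failure timestamps

    def _recent(self, key, now):
        # Drop timestamps that have aged out of the window, keep the rest.
        self._failures[key] = [t for t in self._failures[key] if now - t < self.window]
        return self._failures[key]

    def record_failure(self, ip, account, now=None):
        now = time.time() if now is None else now
        self._failures[("ip", ip)].append(now)
        self._failures[("acct", account)].append(now)

    def is_blocked(self, ip, account, now=None):
        """True if this IP or this account has hit the failure limit; the
        application should then reject the attempt before touching the database."""
        now = time.time() if now is None else now
        return (len(self._recent(("ip", ip), now)) >= self.max_failures
                or len(self._recent(("acct", account), now)) >= self.max_failures)


if __name__ == "__main__":
    print("unsafe:", lookup_user_unsafe("' OR '1'='1"))   # returns a row it should not
    print("safe:  ", lookup_user_safe("' OR '1'='1"))     # returns nothing
```

Keying the limiter on both the IP address and the account means a single source hammering many accounts and many sources hammering one account are both caught; the counts expire on their own once the window passes, so a legitimate user who mistyped a password a few times is not locked out for good.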
2 Only Allow Secured Connections Through your Firewall
One of the biggest issues on the Internet today is sniffing, which is exactly what it sounds like: someone runs a traffic sniffer and captures packets in transit, and that traffic can include usernames and passwords. When you allow HTTP rather than HTTPS, you create a clear-text channel between your page and your users’ computers. When a page is posted back, the information exchanged between the user and your server travels over that channel, and it can be used to gain access to user accounts. When taking credit cards online, PCI DSS requires that all transactions are sent using HTTPS, which ensures the browser and the server exchange information over an encrypted connection. The session key is shared only between the browser and the server, so there is less chance of the information falling into the wrong hands.
So, why not just let users use HTTP instead of HTTPS if they want to? First, you as a developer or host have a responsibility to keep your users’ data safe and secure. The HTTP protocol is a two-way street: you are sending information to users and they are sending information back. If you allow a plain connection, you are electing to send information to the user unsecured, and that information can also be used to gain access to an account. A few lines of code in your application can redirect every HTTP request to its HTTPS page.
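The redirect described above, as an added example that is not part of the original article: a small WSGI middleware that answers any plain-HTTP request with a permanent redirect to the same URL over HTTPS and adds a Strict-Transport-Security header to HTTPS responses so that returning browsers stop trying HTTP at all. The `hello_app` application, the host name and the `call_app` harness are constructed for the example.

```python
def require_https(app):
    """Wrap a WSGI application so that plain-HTTP requests are redirected to
    HTTPS and HTTPS responses carry an HSTS header."""

    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if scheme != "https":
            # Rebuild the requested URL with the https scheme and send the
            # browser there. The body is empty; the Location header does the work.
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            path = environ.get("PATH_INFO", "/") or "/"
            query = environ.get("QUERY_STRING", "")
            location = "https://" + host + path + ("?" + query if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # One year, applied to subdomains as well; browsers that have seen
            # this header rewrite later http:// links to https:// themselves.
            headers = list(headers) + [
                ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)

    return wrapped


def hello_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call_app(app, environ):
    """Tiny harness: invoke a WSGI app and collect status, headers and body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secure_app = require_https(hello_app)

if __name__ == "__main__":
    print(call_app(secure_app, {"wsgi.url_scheme": "http", "HTTP_HOST": "shop.example.com",
                                "PATH_INFO": "/login", "QUERY_STRING": "next=/cart"}))
```

Two caveats worth knowing. The redirect only protects the second request: whatever the browser sent in the first, plain-HTTP request (a posted-back form included) has already crossed the wire in clear text, which is why the HSTS header matters. And if TLS is terminated at a load balancer or reverse proxy, `wsgi.url_scheme` will read `http` on the application server; the check then has to rely on the scheme header the proxy sets, and only when the proxy is the sole path to the application.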
Also ensure that any remote users connecting to your systems do so over a VPN; both of these are required for PCI DSS certification.
3 Block ICMP Replies
It used to be that “ping” requests (ICMP echo requests) were a staple of the Internet, giving IT professionals a debugging layer. Unfortunately, this has also been exploited by hackers as a method to determine what equipment is active and online, so they can then scan your equipment for vulnerabilities. Yes, you might have all the rules in place to lock your system up tight, but if you do not need to allow ICMP then I would recommend you block it. Port scanning can eat up bandwidth on your WAN and thus cause your site to slow down or even become unresponsive if you do not have the spare bandwidth. Many hackers have built programs into other applications that can and will eat up your bandwidth and take your systems down.
4 Enable IPS (if you have it)
An Intrusion Prevention System (IPS) is key to detecting attacks before they reach your internal network. These typically include attack signatures supplied by the firewall manufacturer as well as anti-DoS/flooding protections and anti-port-scan methods. You can typically enable rules to allow certain traffic through, and even exceptions, but it is better to create those rules individually than to create an open, default rule.
5 Internal Web Filtering
Let’s say you have implemented everything you can from the outside. To the best of your knowledge, nobody can get in without the proper credentials or systems in place. What would happen, though, if something inside were trying to send your data out? This is where web protection comes into play. By only allowing internal traffic to communicate under a set of controlled rules, you prevent data from being sent to a dangerous site over time. This is one of the last protections in your toolbox against data leaving your control unnoticed.
6 Notification and AI Systems
While you never want to have a breach, and you hope you have protected your network for the future, what is the strategic plan for when something does come in by way of an authorized user (an employee) or through an open backdoor you were unaware of? While data can be scooped up and sent pretty quickly, it becomes a lot worse when it is stolen over the course of days or weeks without your knowledge. That is like leaving your house open and having someone come in and take one item each day. Had there been an alarm, you might have known this was happening and been able to stop it before it got worse. This is where a proper notification system comes into play. It can operate on many levels, but the first is your firewall. You should be getting daily network notifications, and if you can develop your own reports and triggers, you will want to be notified when there is activity on a certain server that is uncharacteristic of its normal operation. Just as banks notify you today of unusual activity on your credit card, you should be notified of unusual activity on your server platforms.
The second level is within the applications themselves. If an application runs commands against your database, those commands will likely be constructed from a certain set of parameters. By putting a monitor inside your own software to analyze the commands being sent to the database, you can determine whether there is any unusual activity on an account. You can also develop processes to detect large amounts of activity within an account that do not fit general business practices and thresholds. These systems are usually written with adjustable thresholds, based on a user profile that is built automatically from normal use. While it is not necessarily prudent to shut an account down automatically when it falls outside your thresholds, you should investigate each scenario with caution, validate the activity, and adjust the thresholds, as well as any artificially intelligent (AI) programs, as needed.
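The application-level monitor described above, as an added example that is not part of the original article: a profile of normal daily database activity is built per account from a baseline period, and later days are flagged when they exceed that baseline by a wide margin. The result is a list of alerts for a person to review, not an automatic lock-out. The log lines, the account names, the baseline period and the thresholds are all constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample of daily per-account activity, as an application monitor
# might record it: date, account, number of customer records read that day.
SAMPLE_LOG = """\
2019-09-02 acct=alice reads=118
2019-09-03 acct=alice reads=125
2019-09-04 acct=alice reads=109
2019-09-05 acct=alice reads=131
2019-09-06 acct=alice reads=122
2019-09-02 acct=bob reads=40
2019-09-03 acct=bob reads=35
2019-09-04 acct=bob reads=44
2019-09-05 acct=bob reads=38
2019-09-06 acct=bob reads=41
2019-09-09 acct=alice reads=127
2019-09-09 acct=bob reads=2600
"""


def parse_log(text):
    """Turn each log line into (date, account, reads)."""
    events = []
    for line in text.splitlines():
        date, acct, reads = line.split()
        events.append((date, acct.split("=", 1)[1], int(reads.split("=", 1)[1])))
    return events


def build_profiles(events, baseline_end):
    """Per-account profile (mean and standard deviation of daily reads) from
    the days up to and including baseline_end. Accounts seen on fewer than two
    baseline days get no profile, since there is nothing to compare against."""
    per_acct = defaultdict(list)
    for date, acct, reads in events:
        if date <= baseline_end:
            per_acct[acct].append(reads)
    return {acct: (statistics.mean(v), statistics.pstdev(v))
            for acct, v in per_acct.items() if len(v) >= 2}


def find_anomalies(events, profiles, sigma=4.0, min_ratio=3.0):
    """Flag days whose reads exceed mean + sigma*stdev AND min_ratio*mean.
    Requiring both keeps a very steady account (tiny stdev) from alerting on
    an ordinary busy day. Returns alert records for human review."""
    alerts = []
    for date, acct, reads in events:
        if acct not in profiles:
            continue
        mean, stdev = profiles[acct]
        if reads > mean + sigma * stdev and reads > min_ratio * mean:
            alerts.append({"date": date, "account": acct, "reads": reads,
                           "baseline_mean": round(mean, 1)})
    return alerts


def run():
    events = parse_log(SAMPLE_LOG)
    profiles = build_profiles(events, baseline_end="2019-09-06")
    return find_anomalies(events, profiles)


if __name__ == "__main__":
    for alert in run():
        print("REVIEW:", alert)
```

On the sample data, alice’s 127 reads on 9 September sit comfortably inside her profile and produce nothing, while bob’s 2,600 reads against a baseline of roughly 40 a day produce one alert. The thresholds are the part the article says to keep tuning: raise `sigma` or `min_ratio` if the alerts turn out to be legitimate work, and lower them if an investigation shows activity that should have been caught.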
Staying safe on the Internet is a two-way street.
If your company has been subjected to a data breach, Reid explains the laws and what a company needs to disclose to its customers. Every state has its own laws on this topic, as it is not federally regulated. It also depends largely on the content of the data that is stored, says Reid. “If you are storing any information that is classified as ‘identifiable,’ you are typically required by each state to comply with their laws in notifying any users that might have been affected by the breach immediately after you have found it,” he says.
He adds, though, that many companies do business in every state. Often, when a company has a data breach, they might know that something was taken or an intrusion had happened, but they don’t know exactly how much or what exactly was taken in the first place.
“While there are laws in place to protect your data, I think companies should go above and beyond that law and just understand that storing data and designing software automatically inherits a responsibility to make sure you are protecting the users that rely on your platform to work,” he said.
He has even personally seen instances where a company has started to store data, and while at first it might have been just an email address and maybe a name, has grown to addresses, social security numbers and credit card information. “They failed to analyze the process in which they stored or retrieved that data from the database. While I don’t know if they were hacked, I will say that they did not use the latest TLS (Transport Layer Security) in some of their connections from one server to another, thus exposing the communications to just about anyone,” said Reid.
AGRR Companies a Target
Owners of Boyd Group Income Fund (the Boyd Group) detected a ransomware attack on a subset of its information technology systems in late June 2019, proving that the auto glass industry isn’t immune to these dangers.
According to Boyd Group, once the attack was detected, steps were taken immediately to contain any potential impact to its data and operations.
The company released a statement after the incident which mentioned there was no evidence that customers’ or employees’ information was compromised.
Similarly, in June 2017, French construction materials company Saint Gobain said it had been a victim of a cyberattack, and had isolated its computer systems in order to protect data.
“Along with other big companies, St. Gobain has been the victim of a cyberattack. As a security measure and in order to protect our data, we have isolated our computer systems,” said a company spokesperson.
The most recent incident occurred with some Novus Glass Franchisees in September 2019.
“It happened so quickly,” said Matt Anderson, Novus Glass Spokane Valley, Wash. owner, of a cyber incident that robbed his employees of their paychecks.
The incident involved an “unexplained shutdown” that caused payroll issues.
“At first we weren’t aware of any criminal activity that was going on with the company,” said Anderson, of the third-party payroll processor his company used. “But when our employees started having issues with their money being withdrawn from their accounts, we reached out to them to help solve the issue,” said Anderson.
For more on this story and its resolution visit glassBYTEs.com and type Novus payroll in the search box.
Users have a responsibility to keep their computers and devices free from harmful material, and developers and engineers have a responsibility to create avenues and processes that keep data and users safe while using their products. Unfortunately, the Internet is a lot like your home: you have the ability to let people in as you see fit, but you also have the responsibility to keep out the people you don’t want inside.
SCOTT REID is a technology expert, technical officer, engineer and developer at Digital Business Controls (recently purchased by Mainstreet Computers).