Continuing last week’s discussion of “Foundational cyber hygiene,” let’s look at the first five “Critical Security Controls” proposed by the Center for Internet Security (CIS). A good understanding of these controls is important to your safety on the Internet.
The first things to get in place are a list and an understanding of exactly what you have. It’s pretty hard to buy parts for your car if you don’t know what make and model you have. CIS calls these the “Inventory of Authorized and Unauthorized Devices” and “Inventory of Authorized and Unauthorized Software.”
What devices do you have, and what software do you use? I ask people these questions all the time. What brand computer do you have? What model is it? Do you have desktop, laptop and tablet computers? What are the brands and models? How old are they? Do you use a fancy, specialized mouse or graphics tablet? What about printers, scanners and sound systems? Have you added anything to or removed anything from your systems since they were first purchased? It’s tough to fix a Ford with Chevy parts. What do you have?
A knowledge of your software is important, too. What operating systems do you use? Are they up to date? What browser do you use? What antivirus programs are installed? Do you use a word processor or spreadsheet program? What about accounting and tax software? Do you play games on your computers?
A knowledge of unauthorized devices and software is based on what is “authorized” to be there in the first place. Have new programs, icons and home pages appeared and you don’t know where they came from? Have you ever checked to see what devices are actually on your wireless network? Have any “mystery” devices appeared? It is a sad but not uncommon situation for a business to discover that an employee has connected a “rogue” wireless router to the company network, thinking it will fix poor wireless coverage in the office, when what they’ve really done is create a gaping security hole that exposes the entire company network to the outside world.
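As an added example (not part of the original column or of the CIS document), the Python below compares the devices a Linux computer can see on the network with a list of authorized devices and reports the "mystery" ones. It assumes the text format printed by the `ip neigh` command; the inventory, the sample output, the addresses and the function names are all constructed for illustration.

```python
import re

# Constructed inventory of authorized devices (MAC address -> description).
AUTHORIZED = {
    "3c:52:82:10:aa:01": "office desktop",
    "F4-39-09-22-BB-02": "laser printer",
    "a4:83:e7:33:cc:03": "owner's laptop",
}

# Constructed sample in the format printed by `ip neigh` on Linux.
SAMPLE_NEIGH = """\
192.168.1.10 dev wlan0 lladdr 3c:52:82:10:aa:01 REACHABLE
192.168.1.11 dev wlan0 lladdr f4:39:09:22:bb:02 STALE
192.168.1.57 dev wlan0 lladdr 00:1d:7e:44:dd:04 REACHABLE
192.168.1.63 dev wlan0 lladdr 5a:11:9f:55:ee:05 DELAY
192.168.1.99 dev wlan0  FAILED
"""

MAC_RE = re.compile(r"lladdr\s+((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})")

def normalize(mac):
    """Lower-case with colons, so the same address always compares equal."""
    return mac.lower().replace("-", ":")

def is_randomized(mac):
    """True if the locally administered bit is set, as in the private
    (randomized) addresses many phones use on Wi-Fi."""
    return bool(int(mac[:2], 16) & 0x02)

def parse_neighbors(text):
    """Return {mac: ip} for entries that resolved to a hardware address."""
    seen = {}
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            seen[normalize(m.group(1))] = line.split()[0]
    return seen

def audit(neigh_text, authorized):
    """Return (devices seen but not authorized, authorized devices not seen)."""
    seen = parse_neighbors(neigh_text)
    known = {normalize(m): desc for m, desc in authorized.items()}
    unknown = {m: (ip, is_randomized(m)) for m, ip in seen.items() if m not in known}
    absent = {m: desc for m, desc in known.items() if m not in seen}
    return unknown, absent

if __name__ == "__main__":
    unknown, absent = audit(SAMPLE_NEIGH, AUTHORIZED)
    for mac, (ip, rand) in unknown.items():
        print(f"UNKNOWN  {mac} at {ip}" + ("  (randomized MAC)" if rand else ""))
    for mac, desc in absent.items():
        print(f"NOT SEEN {mac}  ({desc})")
```

The neighbor table lists only devices this computer has recently exchanged traffic with, so the router's own list of connected clients is the more complete source to compare against the inventory.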
From CIS: “Attackers, who can be located anywhere in the world, are continuously scanning… waiting for new and unprotected systems to be attached to the network. Attacks can take advantage of new hardware that is… not configured and patched with appropriate security updates. Even devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims.”
“As new technology continues to come out, BYOD (bring your own device) — where employees bring personal devices into work and connect them to the network — is becoming very common. These devices could already be compromised and be used to infect internal resources.” Think about that, business owners, when you let your employees connect to your business Wi-Fi network with their personal phones, tablets and laptops.
The document continues: “Attackers continuously scan… looking for vulnerable versions of software that can be remotely exploited. Some attackers also distribute hostile web pages, document files, media files, and other content via their own web pages or otherwise trustworthy third-party sites. When unsuspecting victims access this content with a vulnerable browser or other program, attackers compromise their machines, often installing backdoor programs and bots that give the attacker long-term control of the system. Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets.”
Next week, Critical Security Control #3: securing your computers and software.