Can your employees be a threat? Yes, quite possibly, but in the main unwittingly.
I wrote recently on the statistics which highlight the biggest source of WordPress vulnerabilities.
However, another sizeable constituent part of your infrastructure is equally vulnerable, if not more so, and which we all too often overlook – our users – who are being targeted directly by the bad actors out there.
Table of contents
- Lessons we can learn from the CIA
- Why the attacks? What are they after?
- From where, and how are they gaining access?
- What can I do about all this?
- What can we learn from the CIA approach?
- Education, training
Lessons we can learn from the CIA
Phishing and Pretexting are two of the most favoured tactics employed by cybercriminals. These social attacks tempt your users into giving up their login credentials along with other personal information. These details are then used in hacking attacks, breaching your security defences, accessing your web applications, your systems, your data.
Just ask Twitter, T-Mobile, Marriot, Amtrak, or the Ritz Hotel, amongst a whole host of others. Whilst it is the recognisable brands that get all the headlines and attention, it is alarming to note that over one in four (28%) small businesses are directly targeted, and successfully compromised.
These are some insights to come out of Verizon’s research. Their Data Breach Investigations Report (DBIR) for 2020 throws a detailed forensic searchlight bright on the mendacity, the motivations, and the malicious actors’ methods. They are clearly after one thing – your data.
But it also gives us an understanding of how we might plan our defences to mitigate against such cybersecurity breaches.
Why the attacks? What are they after?
The simple answer is that the attackers want something you have, and which is of value– data. Almost one in nine (86%) of successful system breaches are motivated by financial gain. Of these, the majority (55%) involve organised crime groups, defined in the report as ‘a criminal with a process, not the mafia’.
“86% of breaches were financially motivated”
“Organised criminal groups were behind 55% of all breaches”
“70% perpetrated by external actors”
“30% involved internal actors”
In common with others, your business holds various data given to you in goodwill by customers, suppliers, partners and employees, etc. to facilitate smooth electronic business processing. Much of this data is, of course, private and sensitive.
Credit card and other payment details, personally identifiable information such as Social Security details, email addresses, telephone numbers, home addresses, etc., can be harvested, used, and monetised. Remember that this is not a game for them.
You have a duty to ensure that this data remains private and protected. You also have privacy legislation and industry regulatory compliance obligations, such as the GDPR, which demands that you demonstrably take all measures possible to safeguard data.
Therefore, any security response plan put in place has to focus on protecting data.
From where, and how are they gaining access?
The criminal actors out there know that if they can get their hands on your users’ credentials, then their job is made much easier. Therefore, it should come as no surprise that they expend great effort in ever more sophisticated phishing and pretexting attacks, attempting to get your users to give up their system login details and other personal information.
“Phishing accounts for 22% of all successful data breaches”
“Social attacks: “Social actions arrived in email 96% of the time.”
Your online web applications are the most common attack vector, and attackers gain entry by using the lost or stolen user login credentials, or brute force attacks (exploiting weak passwords).
“Your web applications were specifically targeted in over 90% of attacks – over 80% of breaches within hacking involve brute force or the use of lost or stolen credentials.”
What can I do about all this?
Thanks to Verizon, who have done the analysis for us, we are better positioned to understand the threats and methods. We can now begin to take an informed, measured, and logical approach to strengthen our security responses, stymie these attacks and mitigate any damage.
What can we learn from the CIA approach?
Alas, we are not talking about some new world-beating technology supplied by the Central Intelligence Agency here, which we can use to beat out the bad guys. We are talking about an elegant and flexible framework that you can use which focusses on protecting your threatened main asset, your data, which is what this is all about.
The CIA framework comprises three core foundational principles designed to mitigate accidental and malicious access to, and the modification of, your data, these are:
Confidentiality asks us what measures you can take to ensure the security of the data you hold—restricting employee access to only the information required to enable them to perform their roles.
Remember that over 80% of successful hacking breaches used either lost or stolen user credentials, or brute force attack to exploit weak passwords such as ‘admin/admin’, ‘user/password’, ‘user/12345678’, etc.
There are several actions that you can take to ensure the confidentiality of your data:
Start by strengthening the login process
Implement two-factor authentication. 2FA adds an additional security layer by incorporating a physical device into the user account login process.
A unique, time-limited, one-time PIN will be required by the login process, in addition to the standard username and password credentials, to permit access.
So, even should the login credentials be compromised, without the attacker having access to the physical device, just the act of requiring the PIN will be enough to thwart the attack.
Enforce strong password security & policies
Over 35% of user accounts will use weak passwords which can easily be cracked by brute force attack tools.
Therefore, strong password security and policies are a must. Implement password strength policies, but also password history and expiry policies. These strong passwords that you have now enforced will be required to expire on a timely basis.
So, should your users’ credentials indeed be compromised, they are only useful as long as the password is valid. Changing the password will, therefore, frustrate any future malicious actions.
Together with the two-factor authentication method, strong password implementation makes for a considerably robust defence.
Identify and classify the data stored as to their privacy attributes
Undertake a review of current access control lists for each role, and then assign the required data access privileges appropriately, using the principle of least privilege.
Access to private and sensitive data should be restricted on a need to know basis and required for an employee to fulfil their role.
For example, your Customer Support Representative may need access to order history, shipping details, contact details, etc. Do they need visibility of customers’ credit card details, Social Security Number, or other sensitive, or personally identifying information?
Or ask yourself, would you provide general employees with the company’s bank account balance and details? Or the company’s current, and historical, financial accounts? We’ll take that as a no then.
Integrity asks us to consider what steps we can take to guarantee the data’s validity by controlling and knowing who can make changes to the data, and under what circumstances. To ensure the integrity of your data:
Limit the permissions & privileges
Limit the permissions of your users, focussing on which data items that may require modification.
Much of your data will never, or very rarely, require modification. Sometimes called the Principle of Least Privileges, it is one of the most effective security best practices, and one which is commonly overlooked but easily applied.
And should an attack successfully access your system accounts, by implementing restrictive permissions on the data, any data breach and any resulting damage would be limited.
Keep a log of user changes
If changes were made to the existing data, how would you know what changes, when, and by whom? Could you be sure? Was the modification authorised and valid?
Having a comprehensive and real-time activity log will give you full visibility of all actions performed across all your WordPress systems and is fundamental to good security practice.
Also, archiving and reporting on any, and all, activities, will help you comply with privacy laws and regulatory compliance obligations in your jurisdiction.
Availability forces us to focus on keeping our data readily and reliably accessible. Thus ensuring that business continues uninterrupted, enabling employees to perform their duties, your customers place their orders, and you can fulfil and ship those orders, in a secure manner.
Downtime is not just about the potential loss of revenue but also about the erosion of confidence from your users, subscribers, customers, partners, and employees, resulting from your systems being unavailable.
Backing up your data
Back up your data regularly, consider also having these backups stored offsite. Here is a good article that develops this theme and discusses the Security Risks of Storing WordPress Backup Files & Old Files Onsite.
Plan for failures
Review the infrastructure components that your business relies upon; networks, servers, applications, etc. and have a remedial action plan, so if any of these integral elements, either individually, or collectively fail, you can quickly recover.
You may well be using a hosting company on which you house your WordPress website, and who will handle many of these tasks on your behalf. However, it is essential to ask the relevant questions to ascertain the processes and levels of service that they do provide to you and if they match your business requirements.
For example, try to restore your WordPress backups, test your security systems and simulate a disaster recover process.
Security threats to your data availability
From a security perspective, the #1 threat of all incidents recorded in the report is that of a Distributed Denial of Service (DDoS) attack, designed primarily at disruption, and not an attempt to gain access (hacking).
Many of the WordPress hosting companies provide adequate defences to these types of attacks. Still, it is always prudent to investigate what perimeter security services they offer and whether these measures are sufficient or whether you should bolster your defences.
Maintenance plays a crucial role in Availability, ensuring that your WordPress website and associated plugins are updated in a timely, ideally automatic, manner to fix any existing known vulnerabilities, resulting in more robust security defences.
As Benjamin Franklin once remarked ‘one ounce of prevention is worth a pound of cure’, which is as true today as it ever was.
And educating your users about the potential pitfalls and identifying the threats that do exist, is a critical preventative measure.
- Instigate relevant training for employees, educate them on the importance of the prescribed security policies, and why the company has implemented such policies.
- Help them understand the security risks, with a particular focus on social threats such as Phishing and Pretexting that we discussed. They will thank you for it!
It may seem a lot easier to give users access to everything, which does ensure that they will always have access to the information they need and much that they don’t. This level of permission is often granted to users to head off potential requests to change access rights and privileges. But that is missing the point.
By implementing the CIA recommendations, you will go a long way to mitigate and limit any damage in the event of a system breach by restricting any access (confidentiality), and the modification (integrity), to private and sensitive data. And help you meet your legal and compliance obligations.
- Strong Passwords; reduces the success of brute force attacks.
- Two-Factor Authentication; hampers the use of stolen credentials
- Principle of Least Privilege; restricts access to data on a need to know basis, and limits the modification of such data.
- Activity logging; keeps you informed, of any access, modification, and system changes.
- Ensure that all systems and plugins are kept up to date automatically.
And finally, I would like to take the opportunity here to thank the team at Verizon for all their endeavours in compiling their annual Verizon Data Breach Investigations Report (DBIR).