- We’re all infected and don’t know it. Assuming you are infected
positions you better to proactively harden your systems and remove
zero-day infections. With this key assumption, you need to back up all
your data files, wipe and reimage your computers and install only
legally owned copies of software.
- You can’t let smartphones and tablets onto corporate networks (the bring
your own device – BYOD – dilemma) unless they can be managed. This also
means deleting all apps and then starting to install trustworthy apps
from sources you know and trust. How many apps do we have installed
without knowing whether they have backdoors, or whether they are not just
tools and games but also RATs in disguise?
- Employees at Sony are not trained like employees at Coca Cola. Coca Cola
hasn’t had a breach or lost a secret formula in 100 years.
Cyberarmies could attack Coke for the formula and most likely would
never succeed in getting it using the means they used on Sony. Why?
Because Coke practices employee training (for social engineering), has
frequently tested and updated security policies (including physical
security, people security and network security) and doesn’t leave the
secret formula out in the open – they practice COUNTERVEILLANCE.
- Train Employees Better
- Harden Systems
- Detect and Remove RATs
- Deploy Full Disk Encryption and Real-time Backups
- Defend Against Phishing Attacks
- Manage the BYOD Dilemma
I would suggest we all start writing emails as if everyone in the world can see them. Sony Pictures executives have learned this lesson the hard way. But, again, that’s not what caused the breach, that’s data that was stolen and used against them – that’s just throwing salt in the wound. The real issue is that all employees need better security training.
How Do RATs Travel Behind Corporate Firewalls?
While most folks think of the phishing attack (through the email port – the front door) as the only and key point of entry, you need to start assuming that most of your smartphone or tablet apps are creepware – malware that spies on you and your online behavior – and that many free apps are RATs. Do you really need them? Delete all of the apps you aren’t using often. Replace those apps that take advantage of too many of your privacy settings, like GPS, phone & SMS logs and personal identity information, with similar apps that don’t. If you don’t manage this bring your own device (BYOD) dilemma, then expect RATs on your portable devices to invade your corporate network.
Coca Cola Practices Counterveillance – You Should Too
How old is the Coca Cola recipe? Has it been hacked or stolen in over 100 years? So what is Coca Cola doing better than everyone else? They are taking the above suggestions and frequently checking and rechecking their security posture. If you don’t have a plan, expect to be a victim in the Year of the RAT. If you can make the important information “invisible” to the malware – the RAT – then it can’t steal it.
Practicing counterveillance, like Coca Cola, could be the most important thing you do for privacy and security. Think about it. If you could be invisible, no one could see you. They wouldn’t know when you are browsing the web or using your smartphone. If you could make all the private information about yourself completely invisible, no one could ever steal it. That’s right – your personally identifiable information (PII) could not be stolen if no one could see you or your data. It’s so simple – it sounds too good to be true. Right? If you could make yourself invisible, if you could hide your PII from prying eyes, you would be practicing counterveillance. That’s right – you would be countering surveillance.
What makes the US B2 Stealth bomber so unique?
It disperses its radar signature so that it becomes invisible to traditional radar – the design of the ‘skin’ of this aircraft is a counterveillance technology. It is possible to become nearly invisible, but you’re right to think it’s very challenging – many would say nearly impossible. However, if you start out with this as a goal, ‘how do I make my data invisible to criminals and hackers?’, then each day you should be working to reach this goal – to build your own B2 Stealth bomber – a more secure and encrypted database, better password management, real-time backups, defense against RATs and phishing attacks and ultimately better trained employees who realize that ‘loose lips sink ships.’