Written by Neil, Software Developer at Panintelligence
We invest a lot into ensuring our product is robust from a security perspective (training for staff, penetration testing, and security tools), but we also need to think about making sure the company itself is protected from malicious threats.
We can break the process down into three areas, and I'll cover them below. These techniques can be applied to any company, large or small, and are all points to consider if you’re not already implementing them. Depending on your current level of security maturity, they could significantly improve your level of protection.
We have run several internal sessions for Panintelligence employees, providing guidance on staying safe, both in a personal and professional capacity. An example of this is the session I ran on how passwords are compromised and what can be done to defend against this.
We regularly attend security conferences to learn about the latest trends and improvements we can implement. Anything learnt at external training is passed on within the company so others can benefit.
As well as having penetration tests conducted on the product for the benefit of our customers, we have penetration tests run against the company. This is initially for our benefit, but this also acts to protect our customers.
Penetration tests such as this can involve many aspects such as:
• Attempting to compromise company networks
• Attempting to compromise end-user devices
• Attempting to successfully execute a social engineering attack on users
If you’d like to read a thorough explanation of penetration testing the product, you can do so here.
There are several tools and techniques everyone should be using to protect themselves against the most common threats today.
Nothing will provide an impenetrable level of security, but the items below will significantly harden you against attack without introducing too much difficulty. Friction (difficulty) is the enemy of security because, if something is not easy, people simply won't do it.
One of the single most important things you can do to protect yourself is UPDATE! All too often, updates are put off for one reason or another, yet large-scale malware infections are very often achieved by exploiting vulnerabilities for which a patch was already available.
The WannaCry outbreak in the NHS and elsewhere this year (May 2017) spread using a known vulnerability in Windows SMBv1, for which Microsoft had already published a patch (MS17-010) two months earlier.
Turning on multi-factor authentication means that you need to provide an additional one-time code when logging in, typically a time-based token (TOTP) generated by an authenticator app. This means the full set of credentials you provide (username, password, and token) is only valid for a very short period of time, usually a 30-second window.
At that point, the severity of any disclosure of that set of credentials is greatly reduced, because a captured token cannot be replayed to log in later (an attacker relaying it in real time is the remaining risk, which is why the code should be entered only on the genuine site). Mobile apps make it very easy to manage your MFA tokens, and a large number of online services now support MFA.
Password vaults are an ideal way to facilitate using secure passwords. Rather than having weak passwords which you store in your head, you can have many strong passwords in a vault, protected by a single strong password.
Password vaults also make it easy to log in to services because they can enter the credentials directly into the web page or app.
One additional advantage of password vaults is that they help protect against phishing: they are not fooled by the visual tricks that work on humans (lookalike domains, copied logos, urgent wording), because they match on the site's actual domain as parsed from the URL and will only fill the details into a site that matches the one the entry was saved for.
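As an added illustration (not code from the original post or from any particular vault product), the following shows the kind of origin check a vault performs before autofilling. It compares the scheme and parsed hostname of the current page with the stored entry rather than anything visible on the page, so a lookalike domain, a "username@host" trick in the URL, a digit swapped for a letter, or a plain-HTTP downgrade all fail to match. The vault contents and URLs are constructed demo data; real vaults commonly match on the registrable domain rather than the exact hostname used here, which is an assumption of this example.

```python
from urllib.parse import urlsplit

# Constructed vault: stored site URL -> (username, password). Demo values only.
VAULT = {
    "https://accounts.example.com/login": ("alice", "correct-horse-battery-staple"),
}


def origin(url: str):
    """Return (scheme, hostname, port) for a URL, or None if it has no usable host.
    urlsplit().hostname is lowercased and has any userinfo ("user@") and port removed,
    so "https://accounts.example.com@evil.test/" yields host "evil.test"."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return None
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    return (scheme, host, port)


def credentials_for(current_url: str):
    """Autofill decision: only release credentials when the current page's origin
    exactly equals the origin the entry was saved for, and only over HTTPS."""
    current = origin(current_url)
    if current is None or current[0] != "https":
        return None
    for stored_url, creds in VAULT.items():
        if origin(stored_url) == current:
            return creds
    return None


def autofill_report(urls):
    """Run the check over a list of URLs and return {url: True/False} for whether a fill would happen."""
    return {u: credentials_for(u) is not None for u in urls}


if __name__ == "__main__":
    # Constructed examples: one genuine page and several phishing-style lookalikes.
    samples = [
        "https://accounts.example.com/login?next=/home",   # genuine
        "https://ACCOUNTS.example.com/",                   # genuine, different case/path
        "https://accounts.example.com.evil.test/login",    # real name as a subdomain of the attacker's domain
        "https://accounts.example.com@evil.test/login",    # userinfo trick: host is really evil.test
        "https://accounts-example.com/login",              # hyphen instead of dot
        "https://accounts.examp1e.com/login",              # digit 1 for letter l
        "http://accounts.example.com/login",               # no TLS
    ]
    for url, filled in autofill_report(samples).items():
        print(("FILL   " if filled else "REFUSE ") + url)
```

A human reading the address bar can be fooled by any of the rejected URLs; the vault is not, because it never looks at how the page appears, only at the parsed host.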
It goes without saying that everyone should be running some form of antivirus software. A lot of security breaches occur because users are tricked into installing malware that is then able to access information on the internal network.
It's very important to detect and remove any malware as quickly as possible. Once inside a corporate network, malware can often move laterally to other machines on the network that have known, unpatched vulnerabilities.
Identity verification is very important: if you receive instructions from someone within your organisation via email, how can you be sure they are legitimate?
CEO fraud is a big threat now. It is an email crafted to look like it's from the boss (a spoofed From address, or a genuine-looking display name over an external address), asking you to do something such as a bank transfer. Any such request should be confirmed out of band, for example by phoning the person on a number you already have, never by replying to the email.
There are various techniques that allow emails to be signed and/or encrypted (S/MIME and PGP for individual messages, and SPF, DKIM and DMARC at the domain level to make spoofing your own domain harder), and this step should be considered to provide a level of trust in the communication.
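The two CEO-fraud patterns described above can be flagged mechanically before a human ever sees the request. The following is an added example (not code from the original post or from Panintelligence) that parses raw message headers with Python's standard `email` module and reports the classic indicators: an executive's display name over an address outside the company domain, and a Reply-To that would divert answers to a different domain than the From address. The company domain, executive list and sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"           # assumed company domain for the demo
EXEC_NAMES = {"jane doe"}                 # constructed list of high-value display names

# Constructed sample messages (headers only matter here).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: neil@example.com
Subject: Invoice for review

Please review when you have a moment.
"""

SPOOF_LOOKALIKE = """From: Jane Doe <jane.doe.ceo@webmail-provider.test>
To: neil@example.com
Subject: Urgent wire transfer

I'm in a meeting, need this paid today.
"""

SPOOF_REPLYTO = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@secure-reply.test
To: neil@example.com
Subject: Quick favour

Can you reply with the supplier bank details?
"""


def _domain(addr: str) -> str:
    """Lowercased domain part of an address, or "" if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def ceo_fraud_indicators(raw_message: str) -> list:
    """Return a list of human-readable reasons this message looks like CEO fraud (empty if none)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reasons = []

    # Indicator 1: trusted display name, but the real sender address is outside the company.
    if display_name.strip().lower() in EXEC_NAMES and from_domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{display_name}' but sender domain is '{from_domain}'")

    # Indicator 2: Reply-To points somewhere other than the From domain, diverting the conversation.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    return reasons


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", SPOOF_LOOKALIKE), ("reply-to", SPOOF_REPLYTO)):
        print(label, "->", ceo_fraud_indicators(sample) or "no indicators")
```

Neither check proves a message is fraudulent, and a clean result does not prove it is genuine (a compromised mailbox passes both), which is why the out-of-band confirmation above remains the real control; the checks simply make the obvious cases stand out.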
This is a quick summary of some of the most important ways to protect yourself or your company. Hopefully it is a useful pointer to things you might wish to consider.