FutureScot, 28 April 2016

FUTURESCOT CYBERSECURITY

A hacker's step-by-step guide to how you can beat the hackers

The six cyber security steps to protect your business from harm: from an 'ethical hacker' whose Facebook password is 125 characters long

BY KEVIN O'SULLIVAN

How do you best protect your enterprise from cyber-attack, a threat that is growing and costs business £34bn a year, according to the Centre for Economics and Business Research? Well, why not start by asking hackers themselves? In this case, Michael Jack, who is in the second year of his 'ethical hacking' course at Abertay University and works part-time helping businesses stay safe with the Scottish Business Resilience Centre. Here are Michael's top tips for avoiding that embarrassing and damaging moment when you have to tell your customers their private data has been breached.

UPDATES: Always run your patches

After vulnerability-scanning your network, the first thing to do is make sure the software you use is patched (updated) with the relevant security fixes, bug fixes and improvements. As Michael says: "If you're like the nice people at Mossack Fonseca, who are running content management systems that have not been patched since 2013, that's easy pickings for people like me."

Larger businesses should have an IPS (intrusion prevention system) and enterprise-wide detection signatures (YARA rules, for instance) for spotting exploitation of bugs like Shellshock and Heartbleed; the signatures tell you where you are being probed, but only the patch removes the bug. Smaller firms will rely more on applying patches promptly: the latest Windows hotfix or a critical OpenSSL update. "Just by being on the latest version of the operating system (Windows 10 or OS X 10.11) you're mitigating a lot of the common attack threats that are out there," says Michael. Older operating systems like Windows XP are no longer supported, so they are at risk; Windows 7 left mainstream support in January 2015 and its extended support ends in January 2020, and Apple only supports the two versions previous to the current one (OS X 10.10 and 10.9). The same applies to smartphones: make sure iOS is kept up to date on Apple devices, and do the same on Android.
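The two bugs named above are easy to check for on a single machine, and doing so shows what "patched" actually means. The script below is an added example and is not code from the article or from Michael Jack. It assumes an `openssl` and a `bash` binary are on PATH when run as a script; the two parsing functions are pure and can be run against any version string or probe output you have collected from elsewhere.

```python
"""Check a host for the two unpatched-software examples the article names.

Added example (not from the article or from Michael Jack). Assumes `openssl`
and `bash` are on PATH when run as a script; the parsing functions below need
neither and work on output gathered from any machine.
"""
import os
import re
import subprocess

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 shipped the fix. No other branch
# (0.9.8, 1.0.0, 1.1.x) ever contained the TLS heartbeat bug.
_OPENSSL_VERSION = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?"
)


def heartbleed_vulnerable(version_line: str) -> bool:
    """True if an `openssl version` line (or a bare version) is in the affected range."""
    m = _OPENSSL_VERSION.match(version_line.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version_line!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"   # "" (plain 1.0.1) and a..f vulnerable; g and later fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"     # only the first 1.0.2 beta was affected
    return False


# Shellshock (CVE-2014-6271): bash ran commands appended to an exported function
# definition. The classic probe exports such a value and runs a harmless
# command; a vulnerable bash prints "vulnerable" before "test".
SHELLSHOCK_PAYLOAD = "() { :;}; echo vulnerable"


def shellshock_output_is_vulnerable(stdout: str) -> bool:
    """Interpret the probe's stdout: 'vulnerable' appearing at all means the
    trailing command executed while bash imported the function."""
    return "vulnerable" in stdout.split()


def run_shellshock_probe(bash: str = "bash") -> bool:
    """Run the probe against the local bash (assumed to be on PATH)."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "x": SHELLSHOCK_PAYLOAD}
    proc = subprocess.run([bash, "-c", "echo test"], env=env,
                          capture_output=True, text=True, check=False)
    return shellshock_output_is_vulnerable(proc.stdout)


def local_openssl_version() -> str:
    """Return the `openssl version` line of the local install (assumed on PATH)."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    version = local_openssl_version().strip()
    print(version, "->", "VULNERABLE to Heartbleed" if heartbleed_vulnerable(version)
          else "outside the Heartbleed range")
    print("bash ->", "VULNERABLE to Shellshock" if run_shellshock_probe()
          else "original Shellshock probe did not fire")
```

The Shellshock probe covers only the original bug; the follow-up bash fixes that came after it need their own probes. The version check is deliberately strict about the 1.0.1 letter suffix, because "we're on 1.0.1" told you nothing in April 2014: 1.0.1f was exposed and 1.0.1g was not.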
DATA PROTECTION: Back up your data, and back up the back-up!

"I promise you your back-up strategy will save you money," says Michael. "It will save you money on really expensive data recovery people with fancy scanning electron microscopes and big magnets." Backing up data saves time and money and can defeat ransomware. If you have backups and you are hit by CryptoLocker (a ransomware trojan), you can wipe your hard drive and restore from back-up within hours. Michael cites the example of an LA private hospital which had to pay a Bitcoin ransom to get its data back, because it didn't have a back-up sufficiently isolated from its main system. Ransomware encrypts anything it can write to, including a mounted backup drive or a synced share, so the backup copy needs to be offline or otherwise unreachable from the machines it protects, and you should check periodically that a restore actually works. Weekly back-ups are probably the minimum if you want to avoid disrupting the business, and always keep another copy offsite, in case of fire or similar catastrophe. It is advisable to encrypt the onsite backup and keep it in a safe: an unencrypted backup could fall foul of PCI DSS (the Payment Card Industry Data Security Standard) and ISO (International Organization for Standardization) standards.

ENCRYPTION: Encryption is not just for terrorists!

"If data is exfiltrated from your network and it's not encrypted, once it's left your perimeter the data has long gone," says Michael. You should encrypt as much as you can, but be conscious of who needs access to what in the business. Internal controls should therefore allow for encrypting individual documents, particularly important financial information. Full disk encryption is available on Mac OS X (FileVault) and Windows (BitLocker Drive Encryption). Note that full disk encryption protects a lost or stolen machine: once the system is booted and unlocked, files are readable to any process running on it, so data copied off a running machine is not protected by it, and per-document encryption is what covers that case. Both tools generate a recovery key when they are enabled, and it deserves the same safe as the password. "If you can encrypt everything, encrypt it, but if you think you're going to forget the password please don't encrypt without writing the password in a book and locking it in a safe. The look on an average person's face when they tell you they've enabled FileVault (Mac OS X) and then forgot the password, it's a special sight to behold but not one you really want to see that often," says Michael.
Smartphones, if supplied to employees, should also be encrypted: on Apple iOS it is advisable to enable the erase-data function (the device wipes itself after ten failed passcode attempts); on Android, encryption can be found in the security settings.

PASSWORDS: Size does matter!

Hackers can machine-generate quadrillions of combinations of characters to 'guess' passwords, so the longer the better. Turn four words into a 'pass phrase' of 15 characters or more. These are much harder to crack than eight- or nine-character passwords, which can be cracked by 'brute force' methods. The strength comes from the words being chosen at random from a large list, not from the character count alone: four words a person picks because they go together are guessable by a dictionary attack that tries word combinations. If you can't remember your passwords, get a password manager like 1Password or LastPass to generate long, random passwords for you, and back up, enabling two-factor verificatio
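The data protection section above says a backup beats ransomware only if it is isolated and actually restorable. The script below is an added example, not code from the article or from Michael Jack: it backs up a directory into a tarball, records a SHA-256 manifest of what went in, restores into a fresh directory and checks every file against the manifest, which is the restore test most businesses never run. The sample files are constructed here so it runs offline; the `tamper` option stands in for a restore that was silently corrupted, or a backup taken after ransomware had already struck.

```python
"""Back up a directory, write a SHA-256 manifest, then prove the backup restores.

Added example (not the article's or Michael Jack's). The sample files are
constructed in SAMPLE_FILES; everything else is Python standard library.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write source into a gzip tarball; return the manifest of what went in.
    Keep the manifest with the offsite copy, not only next to the live data."""
    manifest = manifest_for(source)
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # rejects path-traversal members
        except TypeError:                          # older Python without the filter arg
            tar.extractall(target)


def verify_restore(restored: Path, manifest: dict) -> list:
    """Files whose restored hash differs from the manifest (missing files
    included). An empty list means the restore is trustworthy."""
    actual = manifest_for(restored)
    return sorted(name for name, digest in manifest.items() if actual.get(name) != digest)


def backup_roundtrip(files: dict, tamper: str = "") -> list:
    """Create `files` in a scratch dir, back them up, restore elsewhere and
    return the mismatch list. If `tamper` names a file, its restored copy is
    overwritten first to simulate corruption or ransomware damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, archive, target = root / "live", root / "backup.tar.gz", root / "restored"
        for rel, data in files.items():
            p = source / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        source.mkdir(exist_ok=True)
        manifest = make_backup(source, archive)
        target.mkdir()
        restore_backup(archive, target)
        if tamper:
            (target / tamper).write_bytes(b"ENCRYPTED-BY-RANSOMWARE")
        return verify_restore(target, manifest)


# Constructed sample "business data" for the demo.
SAMPLE_FILES = {
    "accounts/ledger-2016.csv": b"date,amount\n2016-04-01,1200.00\n",
    "accounts/invoices/inv-0042.txt": b"Invoice 42: 300.00 GBP\n",
    "customers.db": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    print("clean restore, mismatches:   ", backup_roundtrip(SAMPLE_FILES))
    print("tampered restore, mismatches:", backup_roundtrip(SAMPLE_FILES, tamper="customers.db"))
```

The manifest is the part that makes the offsite copy useful: a restore that completes without errors can still hand back files that were already encrypted when the backup ran, and only a hash recorded when the data was known-good will tell you that.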
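The passwords section compares a four-word pass phrase with an eight- or nine-character password. The script below is an added example, not from the article or from Michael Jack, and it puts numbers on that comparison: the keyspace in bits for each option, the time to exhaust it at an assumed guess rate, a passphrase drawn with the OS random generator, and the kind of random password a manager produces. The word list is a constructed 32-word stand-in for a real Diceware-style list of 7776 words, and the guess rate of 1e11 per second is an assumed figure for an offline attack on a fast hash.

```python
"""Keyspace arithmetic behind "size does matter", plus random generation.

Added example (not the article's or Michael Jack's). WORDS is a constructed
32-word stand-in for a 7776-word Diceware-style list; the guess rate is assumed.
"""
import math
import secrets
import string

# Constructed stand-in list; a real list (e.g. the EFF long list) has 7776 words.
WORDS = ("anchor barge cactus dagger ember falcon gravel harbor ivory jigsaw "
         "kettle lantern marble nickel orbit pepper quartz ripple saddle timber "
         "umpire velvet walnut yonder zephyr amber beacon copper dune ferry gust hazel").split()

ASSUMED_GUESSES_PER_SECOND = 1e11   # assumed: offline rig against a fast unsalted hash
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, list_size: int = len(WORDS)) -> float:
    """Only holds when every word is drawn at random from the list."""
    return keyspace_bits(word_count, list_size)


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at `rate` guesses per second (average is half)."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def random_passphrase(word_count: int = 4, words=WORDS) -> str:
    """Words drawn with the OS CSPRNG; the draw, not the length, is the strength."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def manager_style_password(length: int = 20) -> str:
    return "".join(secrets.choice(MANAGER_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    cases = [
        ("8 random lowercase letters", keyspace_bits(8, 26)),
        ("8 random printable ASCII", keyspace_bits(8, 95)),
        ("9 random printable ASCII", keyspace_bits(9, 95)),
        ("4 words, 32-word list (this demo)", passphrase_bits(4, 32)),
        ("4 words, 7776-word list", passphrase_bits(4, 7776)),
        ("5 words, 7776-word list", passphrase_bits(5, 7776)),
        ("20-char manager password", keyspace_bits(20, len(MANAGER_ALPHABET))),
    ]
    for label, bits in cases:
        print(f"{label:36s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years to exhaust")
    print("passphrase:", random_passphrase())
    print("manager:   ", manager_style_password())
```

The numbers are worth reading carefully. Four words drawn at random from a 7776-word list give about 52 bits, roughly the same as eight fully random printable characters, and a fifth word is what pushes the passphrase into years at this guess rate. The advantage over the eight- or nine-character passwords people actually choose is that those are nowhere near uniformly random, so crackers try the likely ones first and finish far sooner than the keyspace suggests; a randomly drawn passphrase has no such shortcut and is still something a person can remember.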