In an age of increasingly sophisticated cyber attacks, security awareness among businesses is growing. Indeed, the sheer scale of the WannaCry ransomware that hit the NHS and other organisations last year has left companies of all sizes on high alert.
But staying ahead of security threats is not easy. As well as avoiding increasingly common ransom-based cyber assaults, companies need to safeguard themselves from new types of attacks. So, how can businesses manage in today’s complex threat landscape?
It is true that today’s wireless cyber threats span multiple vectors, but many have been around for a while. Take, for example, the Internet of Things (IoT). Many businesses are already using IoT or machine-to-machine (M2M) devices in their day-to-day work. But IoT security is often ignored in the rush to get devices to market quickly.
So much so that as the number of devices grows, the UK government has this year introduced new measures for IoT manufacturers. Developed in collaboration with the National Cyber Security Centre, the government’s Secure by Design review lays out plans to embed security in the design process, rather than it being bolted on as an afterthought.
Partly to blame for the security risks within IoT is the trend towards agile development, says James Bore, a cyber security expert at a telecoms company. He says agile development and so-called ‘DevOps’ are the “enemies of security”.
“If you want cheap and functional, you don’t usually get security,” he points out. “But if security is embedded in the development cycle from the beginning, it’s more effective: there are less attacks and it reduces the effort of maintaining security.”
Yet all too often, firms don’t want to spend money on ensuring their products are secure. “The problem in preventing security vulnerabilities from the start is, it takes a huge amount of effort, planning, design and thought – and people want to get products to market,” says Bore.
Adding to the risk, IoT endpoints are “soft targets”, says Leigh Moody, UK managing director at SOTI. Therefore, Moody says it is imperative that enterprises “consider their own networks, endpoints and data security”.
“Companies should use endpoint management solutions to control data access, including biometric and two-factor authentication,” says Moody. “They should also ensure full storage encryption so sensitive company information on IoT endpoints in the field is as secure as data in an office-based environment.”
In addition, says David Noguer Bau, service provider director at Juniper Networks, firms can identify abnormalities by looking at the network traffic. For example, he says: “Is it normal that your smart light communicates with the gateway? Yes, but if it communicates with your CRM (customer relationship management) system, it’s not.”
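The traffic check Noguer Bau describes can be expressed as a per-role baseline of expected destinations. The sketch below is an added example, not code from the article or from any vendor it quotes; the device inventory, addresses, ports and role names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory: device IP -> role (all addresses are made-up lab values).
DEVICE_ROLES = {
    "10.20.0.11": "smart-light",
    "10.20.0.12": "smart-light",
    "10.20.0.30": "badge-reader",
}

# Constructed baseline: (network, port) pairs each role is expected to reach.
ALLOWED = {
    "smart-light": [("10.20.0.1/32", 8883)],                       # IoT gateway
    "badge-reader": [("10.20.0.1/32", 8883), ("10.30.5.0/28", 443)],
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.11", "10.20.0.1", 8883),   # light -> gateway: normal
    ("10.20.0.12", "10.40.0.10", 443),   # light -> CRM server: not normal
    ("10.20.0.30", "10.30.5.4", 443),    # badge reader -> its own backend
    ("10.20.0.99", "10.20.0.1", 8883),   # device missing from the inventory
]

def is_expected(role, dst_ip, dst_port):
    """True if the destination is inside the baseline for this device role."""
    return any(
        ip_address(dst_ip) in ip_network(net) and dst_port == port
        for net, port in ALLOWED.get(role, [])
    )

def unexpected_flows(flows):
    """Return flows from unknown devices or to destinations outside the baseline."""
    findings = []
    for src, dst, port in flows:
        role = DEVICE_ROLES.get(src)
        if role is None:
            findings.append((src, dst, port, "unknown device"))
        elif not is_expected(role, dst, port):
            findings.append((src, dst, port, f"{role} outside baseline"))
    return findings

if __name__ == "__main__":
    for finding in unexpected_flows(FLOWS):
        print(finding)
```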
WPA3: A secure update?
IoT devices are often connected via Wi-Fi – which itself suffers from multiple security vulnerabilities, says Ryan Orsi, director of product management at WatchGuard. “This is by far the most vulnerable wireless attack surface and should be a priority,” he says.
Part of the problem is that Wi-Fi devices have been using the same security protocol for over a decade. But in 2017, a major issue was found: researchers discovered the key-reinstallation attack (KRACK) was able to decrypt WPA2 sessions in the air.
The industry is already moving to fix this vulnerability. The Wi-Fi Alliance, which oversees Wi-Fi standards adoption, is beginning to certify products that support WPA2’s successor, WPA3.
WPA3 contains a change in the way client devices establish encrypted sessions with access points (APs) – via what’s known as a “handshake”, says Orsi.
He explains: “WPA3 introduces something called ‘simultaneous authentication of equals’ (SAE) into the client-AP handshake process to ensure the KRACK attack can’t be used.”
Yet there are still other weaknesses in WPA3. Some experts point to the risk of so-called ‘timing attacks’, which see adversaries passively observing the timing of handshake messages to deduce encryption keys.
Open Wi-Fi networks such as public hotspots have long been criticised by the security sector as a risk. For this reason, WPA3 also offers some additional security through Enhanced Open, which adds opportunistic wireless encryption.
“It provides each client with a unique encryption key between themselves and the AP, without requiring a password,” says Orsi. However, he adds: “Although Enhanced Open will make sniffing unencrypted traffic out of the air more difficult, there is no protection against an Evil Twin attack: when the AP is controlled by a nearby attacker who is simply broadcasting the same SSID.”
Indeed, this type of attack was recently used by Russian agents snooping on their targets’ Wi-Fi from a vehicle parked a few feet away. “The attackers stole sensitive information by using the same or a similar SSID that victims’ devices were connected to inside their offices and hotels,” says Orsi.
It is with this risk in mind that he says firms should ensure they have the right technology to automatically detect Evil Twin APs and block devices from connecting to them.
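One way such detection can work is to compare what a wireless sensor hears against an inventory of the organisation's own access points, flagging the "same or a similar SSID" cases Orsi mentions. This is an added example, not code from the article or from WatchGuard; the SSID, BSSIDs, security labels and similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher

# Assumed inventory of the organisation's own APs (constructed values).
AUTHORISED = {"CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
EXPECTED_SECURITY = "WPA3-SAE"  # constructed label for the expected setting

# Constructed scan results: (SSID, BSSID, advertised security).
SCAN = [
    ("CorpNet", "aa:bb:cc:00:00:01", "WPA3-SAE"),   # our own AP
    ("CorpNet", "de:ad:be:ef:00:10", "Open"),       # same SSID, unknown radio
    ("C0rpNet", "de:ad:be:ef:00:11", "Open"),       # similar SSID
    ("CoffeeShop", "12:34:56:78:9a:bc", "Open"),    # unrelated neighbour
]

def similar(a, b, threshold=0.8):
    """Case-insensitive string similarity; the threshold is an assumption."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold

def classify(ssid, bssid, security):
    """Return a reason string if the observation looks suspicious, else None."""
    bssid = bssid.lower()
    for known_ssid, bssids in AUTHORISED.items():
        if ssid == known_ssid:
            if bssid not in bssids:
                return "same SSID from unauthorised BSSID"
            if security != EXPECTED_SECURITY:
                return "authorised BSSID advertising unexpected security"
            return None
        if similar(ssid, known_ssid):
            return "lookalike SSID"
    return None

def evil_twin_candidates(scan):
    """Collect (SSID, BSSID, reason) for every suspicious observation."""
    findings = []
    for ssid, bssid, security in scan:
        reason = classify(ssid, bssid, security)
        if reason:
            findings.append((ssid, bssid, reason))
    return findings

if __name__ == "__main__":
    for finding in evil_twin_candidates(SCAN):
        print(finding)
```

A BSSID can be copied as easily as an SSID, so an inventory match on its own does not prove an AP is genuine; the check above only catches the mismatched cases.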
Cellular network security
In contrast to Wi-Fi, cellular networks are seen to be relatively secure. But experts point out that there are still ways to attack them: for example, a hacker can make themselves appear to be a mobile base station.
It’s possible in 3G and 4G, and this ‘man in the middle attack’ will still be available in 5G, says Bore. However, he adds: “5G is more secure than the other standards.”
Yet at the same time, 5G verticals such as connected cars also increase the attack surface – and the results could be catastrophic: a connected car could crash if its data is interfered with.
Of course, cellular network security relies on standards. But these are often too slow to adjust when a new attack happens, says Bore. He thinks the solution is a more flexible standard-based system, which can be updated as it evolves.
Network security is a key area, but it is important not to forget user devices in the workplace. The bring-your-own-device (BYOD) trend shows no signs of slowing down. Attackers are realising this; among the security risks, Moody points to the fact that mobile ransomware is one of the fastest-growing categories of malware.
“Once you have created a corporate mobility policy to establish guidelines around the assignment and use of mobile devices and apps within your company, it is a good idea to deploy a solution to enforce it,” Moody says. “This allows you to control the device security, manage who gets what apps and content, and fix problems remotely.”
In addition, Moody thinks it is important to keep ahead of current mobile security trends to establish practices that will prevent and mitigate threats.
Moody also advises using real-time location services, such as geofences and location tracking, to “minimise the impact, and improve the chances of recovery of lost or stolen devices”.
At the same time, Moody thinks it’s a good idea to use antivirus software built into or integrated with a mobility-first solution to prevent malware in files and apps from being downloaded or installed on a device.
It is also important to get the basics right: deploy a secure document manager and enforce complex passwords. This is on top of using encryption and separating personal and work data to protect corporate apps.
In addition, says Lee Johnson, director of global marketing at NetMotion Software: “Organisations need to ask whether the types of devices they use will change in the future. Finding an enterprise mobility management (EMM) solution with universal support can be trickier than it seems: vendor support for different platforms varies.”
AI: innovation or hype?
Artificial intelligence (AI) is an area of great potential in cyber security, with advocates saying it gives firms the ability to better detect and mitigate attacks. However, critics point to the fact that cyber criminals are also starting to use AI against businesses.
At the same time, experts say today’s AI in security is not that “intelligent”. It can’t detect new threats, instead flagging abnormalities such as an increase in network traffic to alert a human security analyst that there is a problem.
The use of AI is not a solution; it is a way to gain expertise to free up security analysts for more complex tasks, Bore says.
However, says Kamal Bechkoum, head of the School of Business and Technology, University of Gloucestershire, AI is of questionable value if not used optimally. “Currently, AI offers the promise of additional security. However, often it generates a series of distracting false positives that prevent overstretched security teams from seeing real threats.”
It demonstrates that the human element of cyber security is still important. Humans bring the skills to get one step ahead of adversaries – especially if they are able to think like an attacker.
But humans also make mistakes, so employee training is essential, says Raghu Konka, vice-president of engineering at iPass. He points out that most organisations treat security as “a checkbox” and only undertake a “quick programme to train users once a year”.
This is a mistake, he says. “Engage the user and don’t treat security as an afterthought. Use gamification and profile your users’ online behaviour. Corporations need to understand what users are doing.”
Adding to the complexity is the EU update to the General Data Protection Regulation (GDPR), which stipulates huge fines for businesses that fail to protect customer data. As well as highlighting the importance of user training, this places the onus on firms to add more security controls.
Overall, to ensure wireless security, Bechkoum advises businesses to first determine the functional requirements for the network. “This may impact decisions on what kind of security measures should be deployed. For example, if guest access is required, security best practices should be considered to facilitate this safely.”
A good virtual private network (VPN) will offer protection, says Bore. But he warns firms to avoid “weak VPNs”.
In addition, Bechkoum advises firms to develop a strong wireless security policy. It also helps to stay on top of developments in Wi-Fi standards, he says. “Since the 802.11 standard was first introduced, enhancements are continuously being made to strengthen data rates, signal range and wireless network security. Keep track of these developments as they appear, particularly when purchasing new equipment or acquiring wireless services.”
Cyber security is always going to be a challenge, but it’s one that can be overcome by being proactive. If firms stay aware of the latest threats, implement adequate security controls and train staff, it’s possible the worst can be avoided.
Security top tips
- Principle-led policies are important. “It’s saying you have to encrypt sensitive data; you have to use a VPN,” says Bore.
- Training should be ongoing. According to Konka: “Don’t treat it as a once-a-year issue, make sure you constantly train users and educate them – do it quarterly, or even monthly.”
- Implement strong passwords. The National Cyber Security Centre (NCSC) says password policies need to change – and that passphrases are better than passwords. “They are much easier to type out and use,” says Bore.
- Enforce security policies. Moody advises: “Enforce multi-factor authentication for device enrolment, certificate-based authentication for access to corporate Wi-Fi and mandate VPNs to prevent hackers from gaining access to resources.”
- Ensure visibility into IoT deployments. For very large deployments it is important to understand whether security is built into devices and make decisions based on privacy and security, says Noguer Bau. He points out that leaks of sensitive data can result in big fines under GDPR.