September 19th, 2019 Read Time: 3 minutes
The Electric Helpdesk is comprised of experienced IT Professionals with the knowledge and expertise to solve any IT Support question one may have.
The idea of hacking invokes fear and uncertainty. While it may seem mysterious, inevitable, and unpreventable, it’s not. And protecting yourself against hacking isn’t an elusive process either.
“Security isn’t magic,” said Alex Foley, Electric’s CISO, during our recent “Defense Against the Art of Hacking” webinar. “Security is diligence,” he added.
During the chat, Alex walked us through some common types of hacks and provided tips on how to defend yourself and your company against them.
Alex began the lesson with a type of hack anyone, technical or not, could understand — breaking and entering. Examples of “physical hacking” include:
So what can companies do to fight these low-tech (but very common) hacks? Alex recommended implementing compensating controls that would discourage nefarious behavior. These include:
Next, Alex jumped into the topic of “real” hacking, beginning with the Amazon Web Services (AWS) root key vulnerability.
AWS root or access keys give “god level” access to an AWS account. Anyone with root user credentials has access to almost all of a company’s servers storing terabytes of sensitive data. This vulnerability poses a significant risk because many companies have built their entire digital infrastructure on AWS.
Alex detailed an example of this problem involving an organization he consulted with in the past. Root keys that had been generated in 2015, but had never been disabled, were accessed by an external group. Luckily, all the hackers did was mine cryptocurrency. There was no evidence that they accessed any sensitive data.
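The stale root-key scenario above, as an added example (not code from the webinar or from Electric): a Python script that scans an IAM credential report, the CSV that `aws iam get-credential-report` returns, for active root access keys, a root user without MFA, and keys that have not been rotated within 90 days. The sample rows are constructed, and the 90-day threshold and the fixed report date are assumptions.

```python
"""Flag risky IAM access keys in an AWS credential report.

Added example, not part of the webinar. The column layout matches the CSV
from `aws iam get-credential-report`; the rows below are constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report: a root user with a 2015 key and no MFA, a
# service user with a recently rotated key, and a user with a 2015 key.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2015-03-10T09:00:00+00:00,not_supported,2019-09-01T12:00:00+00:00,not_supported,not_supported,false,true,2015-03-10T09:00:00+00:00,2019-09-01T12:00:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2018-01-05T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-08-20T08:00:00+00:00,2019-09-18T07:30:00+00:00,false,N/A,N/A
legacy-svc,arn:aws:iam::111122223333:user/legacy-svc,2015-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2015-06-01T00:00:00+00:00,2019-09-10T00:00:00+00:00,false,N/A,N/A
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy
NOW = datetime(2019, 9, 19, tzinfo=timezone.utc)  # assumed report date, fixed for reproducibility


def parse_time(value):
    """Return an aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def find_risky_keys(report_csv, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, item, reason) tuples for each finding, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((row["user"], "password", "root user has no MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue  # inactive or absent key
            if is_root:
                # Any active root key is a finding regardless of age.
                findings.append((row["user"], slot, "active root access key"))
                continue
            rotated = parse_time(row[f"{slot}_last_rotated"])
            if rotated is None or (now - rotated).days > max_age_days:
                findings.append((row["user"], slot, f"key not rotated in {max_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, item, reason in find_risky_keys(SAMPLE_REPORT):
        print(f"{user}: {item}: {reason}")
```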
What to do:
AWS Security Hub recommends users do the following:
“If you’re not looking at vulnerabilities, then you’re not able to understand where the issues lie,” Alex said while talking about network security vulnerabilities. He recalled conducting a network security assessment on a client and observing the following problems:
This behavior is particularly dangerous if any of your company’s devices access the public internet, which Alex likened to the zombie apocalypse. “There are just people attacking you all the time,” he said.
What to do:
That zombie apocalypse stuff was a bit frightening, but Alex followed up by offering the following security tips:
The web is a major external attack surface for many companies. Web vulnerabilities, along with configuration issues, are often the cause of data breaches, which have been happening more frequently. According to Alex, the most common web-related hacking issues are API abuse, cross-site scripting, and SQL injection.
What to do
We often think of security in the realm of the business, but we also need to think about how individual actions can put a company at risk.
Before ending the webinar, Alex emphasized the last point one more time. “Two-factor everything,” he said. “Two-factor yourself. Two-factor your business. Two-factor every account you can.”