Cyber hygiene is essential for combating the modern, professional hacker, according to Symantec Security Response director of project management Kevin Haley.
“When cyber criminals work in call centers, write documentation, and take the weekend off, you know it’s a profession,” Haley said.
Symantec released a government cybersecurity threat report on April 12, which detailed the dangers to and best practices for public sector cybersecurity. Many of those practices have to do with maintaining strict cyber hygiene.
Haley described the mistake a linen cleaning company made by not changing the default password on its administrative website. A competitor was able to log into its files through this weakness and undercut its sales. Although there are no statistics on how many Federal, state, and local agencies leave default passwords on their systems, Haley noted that the smaller departments within the government are more likely to be targeted because they have fewer IT specialists to check for such weaknesses.
“Sixty-seven percent of attacks against governments are going at small, less than 250-employee, organizations in government,” said Haley. “Those folks who maybe haven’t changed the default password, because ‘we’re so small, why would anybody attack us?’ ”
This can be especially problematic, because hackers can use one weak entry point to rework their code and attack the more secure systems in a department.
“They use that machine to start generating new [malware],” Haley said.
By and large, phishing scams, which typically target individuals through email and attempt to install malicious code onto the network, remain a popular strategy for cyber criminals. Symantec research found that 40 percent of phishing scams could be prevented by blocking .exe attachments at the email servers. But, as some agencies still send legitimate .exe files through email, the change is unlikely to happen.
“This is where it all breaks down. The security guy says ‘we shouldn’t be doing that’ and others say ‘well, we couldn’t do our business without this,’ ” Haley said.
Despite such sentiments, preventing employees from ever seeing dangerous email in the first place is an essential cybersecurity practice, as even security-savvy employees can be tricked into opening malicious attachments. In phishing testing with its own employees, Symantec found that 20 percent clicked on the fake phishing link, and they work for a cybersecurity company.
Haley noted that another cyber hygiene practice, particularly important for combating phishing, is to back up essential files so that hackers cannot use ransomware to hold agency data for ransom.
“The indication for me is that they’re not backing up,” Haley said of the increasing number of successful ransomware attacks. He also pointed out that it is essential to keep original data and backups separate, or the hacker will likely go for the backup data as well. “Don’t let the client write to your backup,” he warned.
“We really start to get into the actions and the behaviors, rather than the trends,” Rob Potter, Symantec’s Americas vice president, said of the report and its perspective.