The Top Five Cybersecurity Threats
Robert Bell, Miguel Angel Molina Cobos, David (Tat Wee) Tan and Shing Ping Loi

 

According to the WTA’s expert panel, the top five cybersecurity threats to your operation start inside the company and extend outward to the world.



 


Anticipating Threats To Your Systems

When cybersecurity first became something that people talked about, they didn’t use the word “cyber.” Most of us heard about the topic through a word borrowed from medicine. We heard about computer viruses. In the 1996 film, Independence Day, a virus proved so mighty that — in the hands of the heroes — it literally saved the world.

Ah, those were the days. “Virus” was a good way to picture what we now call malware. Viruses are invisible. They are all around us, literally blowing in the wind or transmitted by touch. And, as long as they stay out there, they are not a problem. It is only when they enter our bodies that the problems start.

Scanning For Victims

For teleport operators, from global companies to those running just one facility, cyber threats are all around. Executives could once take comfort in the idea that providing satellite services was too small and obscure a niche to attract the attention of hackers, but those days are gone. Cyber criminals set automated systems to scan the internet for undefended points of entry to networks. When they find one, they get to work.

In our recent report, Making Cybersecurity Pay Off, we shared the story of an IT manager who set up a new web server and began receiving the first probes from Chinese hackers only 30 minutes later. Big companies can afford robust information security teams, but midsize-to-small companies have to try covering the same ground with far fewer resources. WTA’s cybersecurity series is dedicated to them and offers guidance on making smart choices about what to defend and how.

Which Threats To Worry About

We turn our attention in this article to the anticipation of threats: the five most common forms of cyberattack that affect businesses of all kinds... and teleport operators in particular. Of the five, only two have much to do with technology, while three are the product of human behavior.

That is both bad and good. It is bad because there is no technology fix that can instantly provide a strong defense. It is good because the best defense is doing something you already do — managing people.

Technology will always play a role but the biggest contributor to cybersecurity is a strong security culture within the company. That takes time, effort and knowledge to build, but it doesn’t have to take a lot of money.

The Top 5 Cybersecurity Threats

According to the expert panel, the top five cybersecurity threats to your operation start inside the company and extend outward to the world.

Insider Attacks

Action or inaction by human beings is at the root of an estimated 90% of all data breaches, according to the 2017 Cyber Risk Culture Survey released by Willis Towers Watson. But that headline number covers a big range of what people do in an organization. According to a 2016 Cyber Security Intelligence Index by IBM, 60% of all major attacks on corporations that year were carried out by insiders, and three-quarters of those insider attacks were committed with malicious intent rather than accidentally.

The reason that insider attacks are so common is that most employers make it too easy. The security software company Varonis has published statistics based on its work with client companies that have at least one million folders containing data or software across their network. Of these, 88% have 100,000 folders (up to 10%) that are accessible to every employee. Fifty-seven percent have more than 1,000 folders with inconsistent permissions and 30% have more than 1,000 sensitive folders that are open to everyone.

Smart Precautions

The good news is that you can lower your risk substantially by thinking through information security policies for your people and implementing them effectively.

Closely manage accounts and privileges

This is one of those housekeeping functions that is easy to let slip — but it’s equivalent to leaving the front door unlocked in a dangerous neighbourhood. Security policies should determine appropriate rights for each employee on the network, including those working remotely, whose connection to the network must be secured. Third-party vendors and subcontractors require their own permissions. And it is not enough to establish permissions once and forget about them; user permissions must be regularly reviewed and quickly revoked when an individual or contractor stops working for the business. Employee turnover is a time of particular concern and steps need to be taken to make sure that sensitive information does not leave the company.
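The periodic review described above can be run as a simple reconciliation of network accounts against the current staff and contractor roster. The following is an added example, not part of the original article; the data layout, role names and the 90-day review interval are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data. Field layout, roles and the 90-day interval are assumptions.
ROLE_RIGHTS = {
    "noc-operator": {"monitoring", "uplink-control"},
    "finance": {"invoices"},
    "db-vendor": {"oracle-db"},
}
ROSTER = {  # person -> (role, last working day, or None if open-ended)
    "alice": ("noc-operator", None),
    "bob": ("finance", date(2024, 1, 31)),
    "vendor-dba": ("db-vendor", date(2024, 6, 30)),
}
ACCOUNTS = [  # (account, rights granted, date of last permission review)
    ("alice", {"monitoring", "uplink-control", "invoices"}, date(2024, 1, 10)),
    ("bob", {"invoices"}, date(2023, 12, 1)),
    ("carol", {"monitoring"}, date(2023, 11, 20)),
    ("vendor-dba", {"oracle-db"}, date(2023, 9, 1)),
]

def review_accounts(accounts, roster, role_rights, today, max_age_days=90):
    """Return (account, action, reason) findings for a permissions review."""
    findings = []
    for account, rights, last_review in accounts:
        entry = roster.get(account)
        if entry is None:
            # Nobody on the roster owns this account: orphaned, revoke it.
            findings.append((account, "revoke", "no matching person on roster"))
            continue
        role, end = entry
        if end is not None and end < today:
            # The employee or contractor has left but the account survives.
            findings.append((account, "revoke", f"engagement ended {end}"))
            continue
        extra = rights - role_rights.get(role, set())
        if extra:
            # Rights accumulated beyond what the role's policy allows.
            findings.append((account, "reduce", f"rights beyond role: {sorted(extra)}"))
        if (today - last_review).days > max_age_days:
            findings.append((account, "review", f"last reviewed {last_review}"))
    return findings

if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, ROSTER, ROLE_RIGHTS, date(2024, 2, 15)):
        print(finding)
```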

____________________________________________
Something Else To Worry About

Bloomberg Businessweek broke a story in October 2018 called “The Big Hack.” It detailed how a company called Super Micro Computer, one of the world’s biggest suppliers of server motherboards, was compromised by manufacturing subcontractors in China. At the Chinese factories, workers inserted a tiny microchip, not much bigger than a grain of rice, into the boards, which are found in the U.S. Defense Department’s data centers, the CIA’s drone operations and the onboard networks of US Navy warships. When the server boards were installed and switched on, the microchip altered the operating system’s core so that it would accept external modifications and also contacted computers controlled by the attackers. Almost 30 companies, including banks, government contractors and Apple, were affected. According to Bloomberg, the government’s investigation revealed that the work in China was overseen by operatives of the People’s Liberation Army.
____________________________________________

Conduct proactive network monitoring

Tools are available to monitor email and web traffic, track the websites employees visit, monitor instant messaging and social media, and log employee access to all files. You can implement these in-house or through a third-party service provider. The goal is to build a profile of typical behaviour, so that aberrations can be flagged. Is a user attempting to download an application or access files to which they are not entitled? Are they connecting to the network from an unknown location after hours? Employees may be uncomfortable with this level of surveillance and companies must make a clear and persuasive case for its importance and also establish boundaries on surveillance that employees can trust.
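The profile-and-flag approach to monitoring can be sketched in a few lines. This is an added example, not part of the original article or any vendor's product: the event format, the /24 grouping of source addresses and the one-hour tolerance are assumptions, and the log entries are constructed.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events: (timestamp, user, source IP, resource). Not real logs.
HISTORY = [
    ("2024-01-08T09:02", "alice", "10.20.1.15", "/ops/schedules"),
    ("2024-01-10T17:55", "alice", "10.20.1.77", "/ops/uplink-config"),
    ("2024-01-08T08:30", "bob", "10.20.2.9", "/finance/invoices"),
    ("2024-01-09T16:10", "bob", "10.20.2.9", "/finance/invoices"),
]
NEW_EVENTS = [
    ("2024-01-11T10:15", "alice", "10.20.1.15", "/ops/schedules"),
    ("2024-01-12T02:47", "alice", "203.0.113.50", "/ops/uplink-config"),
    ("2024-01-12T09:05", "bob", "10.20.2.9", "/ops/uplink-config"),
]

def build_profile(events, prefix=24):
    """Per user: hours of activity, source networks and resources seen so far."""
    profile = defaultdict(lambda: {"hours": set(), "nets": set(), "resources": set()})
    for ts, user, ip, resource in events:
        p = profile[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["nets"].add(ip_network(f"{ip}/{prefix}", strict=False))
        p["resources"].add(resource)
    return profile

def flag(event, profile, hour_slack=1):
    """Return the reasons an event departs from its user's baseline."""
    ts, user, ip, resource = event
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    hour = datetime.fromisoformat(ts).hour
    # Compare hours on a 24-hour clock so 23:00 and 00:00 count as adjacent.
    near = any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack for h in p["hours"])
    known = any(ip_address(ip) in net for net in p["nets"])
    checks = [(near, "unusual hour"), (known, "unknown location"),
              (resource in p["resources"], "resource outside baseline")]
    return [reason for ok, reason in checks if not ok]

def review(history, new_events):
    profile = build_profile(history)
    flagged = {}
    for event in new_events:
        reasons = flag(event, profile)
        if reasons:
            flagged[event[:2]] = reasons  # keyed by (timestamp, user)
    return flagged
```

Calling review(HISTORY, NEW_EVENTS) flags the 02:47 connection from an unfamiliar address and the finance user reaching into operations files, while the routine morning login passes.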

Don’t forget physical security

Controlling physical access to areas with privileged access to systems and vital equipment can be just as important as digital security. Typical technologies include keypads, biometrics and/or PIN codes — best of all, a combination of them. Preventing computers from accessing USB storage devices — typically through software utilities — is another strategy. Like all security measures, it can make employees’ working lives a little harder, but the extra hassle will be worth it.

Employee Errors

Setting aside employees with malicious intent, IBM attributes 25% of all major attacks on corporations to well-intentioned employees who make mistakes. The most common mistakes made by employees include...

• Login credentials. These are familiar sins for most of us: using weak passwords or reusing the same password over and over again; sharing login credentials; or writing them down on sticky notes on the desk or monitor.

• “Shadow IT.” This is the wide range of cloud services and online software that people use in their private lives. When they are used without permission in the work environment, they open the network to potential harm.

• Using public Wi-Fi without protection. Employees who travel on business will inevitably use public Wi-Fi networks. When they do it without protecting their computers, they are open to very destructive forms of hacking. The best practice is to have remote workers use a virtual private network (VPN), and this is something all companies should make available.

Make Employees Smarter

The standard response is to carefully vet employees before they are hired to filter out malicious actors and to provide and enforce employee training on the risks and responsibilities of cybersecurity. Once provided, employee training needs to be refreshed regularly, which can often be done through inexpensive online courses that include testing.

Before settling all the blame on employees, however, managers should take a look in the mirror. Really solving the problem of employee errors means making sure that employees have the right tools. If they need a cloud storage solution or a password manager, for example, the company should provide them before they turn to shadow IT solutions. The quality of training also matters. Training that uses familiar terms, situations and analogies is likely to be more useful than technical jargon and detail that goes beyond the user’s needs. The time put into finding a good training resource — one that you wouldn’t mind using yourself — will pay off handsomely.

Social Engineering

As a famed cryptographer, Bruce Schneier, wrote in 2000, “Only amateurs attack machines; professionals target people.” Today’s hackers are far from being amateurs. They are more likely to be “phishermen.”

Phishing is the term for sending email, purportedly from a trusted source, that contains links that download malware or direct users to compromised websites that automatically download it. You have certainly received them, whether they appeared to come from a friend, from your bank or your boss. According to Trend Micro, 91% of external cyberattacks begin with a phishing email. As one of our cybersecurity experts said, “I know as much about phishing as anybody and I still click on links sometimes.”

Unlikely as it seems, another common tactic for hackers is to leave USB drives and other plug-in devices in public areas where employees find them and connect them to check out the content. It’s so easy and convenient — what could possibly go wrong? As mentioned above, software utilities can prevent computers from accessing data on USBs.

Giving Permission To Report An Error

Social engineering works because it plays to our natural impulses as social creatures. This is an area where training really is the only solution. An important element of that training is to make sure employees know what to do after they have made a mistake and don’t fear that they will be punished for it. A call to tech support right after that mistaken mouse-click can make all the difference between a major incident and a quick fix.

Remote Access Attack

Remote work and the outsourcing of IT-related work have become commonplace in business. According to Global Workplace Analytics, the number of remote workers grew 150 percent from 2005 to 2018, while 70% of professionals now work remotely at least one day per week. As the cloud and virtualization technologies expand, the outsourcing of specific functions is rising at an accelerating rate.

Organizations still have work to do when it comes to security practices to support remote access. In 2018, the U.S. FBI issued an alert about a significant rise in cyberattacks that exploit remote access methods. As noted above, the typical way to protect remote access is with a virtual private network (VPN) — but the VPN alone does not offer complete protection.

The problem with VPNs is that once a remote user successfully connects, that user gains access to the entire network. They can compromise identities, steal login credentials and inject malware into the system.

Get Specific

The best ways to protect your network against remote access attacks are some of the same tactics that protect against insider attacks and employee errors:

• Access to network resources should be specifically assigned to users through security policies that define identities, access rights and privileges shared by groups of users.

• Users should also be granted access to specific resources needed to do their jobs. For example, if an outsourced IT provider is contracted to maintain an Oracle database, access can be limited to that single resource.

• Such basics as multi-factor authentication, which sends a text message to the user’s mobile phone to confirm identity, can offer additional protection.

Denial-of-Service Attack

Denial-of-service (DoS) attackers essentially turn your own digital infrastructure against you. They work by flooding your network server with requests that have a fabricated return address, which misleads the server when it tries to authenticate the requestor. As the junk requests pile up, the server is overwhelmed, which denies access to legitimate users. Really large networks can be targets for distributed denial-of-service (DDoS) attacks, in which the attacker has previously hijacked a set of interconnected devices — from computers to baby monitors — and commands them to flood a target with service requests. Both the hijacked devices (“botnets”) and your network are victims of the attack.

The symptoms of a DoS or DDoS are slow network performance, the unavailability of a particular website or inability to access any website. Detection requires monitoring network traffic through a firewall or intrusion detection system, or an alert in your network management system that detects unusual traffic loads.

Reducing The Impact

There is no way to completely avoid becoming the target of a DoS or DDoS. But you can take proactive steps to reduce the impact on your operations. You can enrol in a third-party DoS protection service that detects abnormal traffic flows and redirects traffic away from your network. It filters out the DoS traffic and passes legitimate traffic to your network. Whether or not you go down this road, it makes sense to create a disaster recovery plan to speed communication, resolution and recovery from the attack.

Which Pain In The Neck Do You Prefer?

The steps required to deal with the top 5 threats to a teleport’s network probably strike you as a pain in the neck. They certainly are. They force employees to jump through new hoops just to do their jobs. They make it harder for the team to access information it needs, and they require constant vigilance on the part of managers throughout the organization, not just people working in IT. They make nobody money except security vendors whose services you have to use.

On the other hand, the cost of a successful cyberattack can be massive: operational and productivity loss, service disruption and negative customer experience. Recovery can be very expensive — so much so that smaller businesses can face bankruptcy as a result. That is a pain in the neck of an entirely different dimension. So, for the leader of a teleport business, it really comes down to a choice.

Which pain in the neck do you prefer? The one that keeps your business humming as the digital world grows ever riskier, or the one that hurts less in the short term but may hurt infinitely more in future?

This article’s contributors...

This report was researched and written by Robert Bell, Executive Director, World Teleport Association, with thanks to a group of cybersecurity experts for contributing content to this report and reviewing it for accuracy:

Miguel Angel Molina Cobos, Programs and Business Development Head, GMV — GMV is a privately-owned technology business group founded in 1984 to serve the space and defense sector in fields like mission analysis, flight dynamics, control centers and satellite navigation. Its Information Security practice is based on international standards and cutting-edge cybersecurity technologies.

David (Tat Wee) Tan and Shing Ping Loi, Trustwave, a unit of Singapore Telecommunications — This company supports more than three million subscribers in 96 countries from five global operations centers and delivers security and compliance services globally from its TrustKeeper portal. It also operates the Trustwave SpiderLabs ethical hacking and threat research team.

Since 1985, the World Teleport Association (WTA) has focused on improving the business of satellite communications from the ground up. At the core of its membership are the world’s most innovative operators of teleports, from independents to multinationals, niche service providers to global carriers. WTA is dedicated to advocating for the interests of teleport operators in the global telecommunications market and promoting excellence in teleport business practice, technology and operations.