Protecting Your Small Brantford Business with a Cyber-Security Framework
Small businesses routinely underestimate how badly a breach can hurt them, until it happens to them. The recent Dropbox incident shows that even sophisticated technology companies get phished, and it illustrates the layered defences that Brantford's SecurIBC puts in place to protect the data and systems of businesses from the smallest to the largest.
Important takeaways from the recent Dropbox hack
The Dropbox security team recently published an account of a phishing incident in which attackers captured the GitHub credentials of some Dropbox developers and used them to copy code from internal repositories. Their write-up is a useful real-world test of several controls that IBC implements through our customized NIST-based Cyber Security Framework (CSF).
Cyber security is never about one thing, one product, or one system you have put in place. It is always the sum of the layers you have stacked together. Let's look at several of those layers and how each one affected the outcome for Dropbox.
Vendor Risk Assessment
Your vendors have significant access to your business, so it is essential to evaluate their security and identify the ways they could be used as a path into your systems. In the Dropbox case the attacker did not break into the vendor; it impersonated CircleCI, a code-integration platform Dropbox uses for some internal deployments, precisely because employees expect login prompts from it. A vendor assessment should therefore record not only how secure each supplier is, but which suppliers can legitimately ask your staff to authenticate, from which domains, and how those requests look, so that anything else stands out.
DMARC Email Security
DMARC is an email authentication policy that a domain owner publishes in DNS. Building on SPF and DKIM, it tells receiving mail servers to quarantine or reject messages that claim to come from that domain but were not sent by its approved mail servers. In the Dropbox incident the impersonated vendor was not enforcing DMARC, which meant the attacker could send Dropbox employees emails that appeared to come from the code-delivery platform. One caveat a practitioner should keep in mind: DMARC only protects the exact domain it is published for. An attacker who registers a look-alike domain passes DMARC on that domain's own terms, so policy enforcement complements staff training rather than replacing it.
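To make the policy mechanics concrete, here is an added example (not code from the original article or from Dropbox) that evaluates DMARC the way a receiving mail server does: it looks up the From: domain's policy, checks SPF and DKIM alignment, and returns the disposition. The DNS records, domain names and authentication results are constructed for the example, and the organizational-domain logic is simplified to the last two labels where real receivers consult the Public Suffix List.

```python
from dataclasses import dataclass

# Constructed DNS answers for this example; these are not real domains or records.
DNS_TXT = {
    "_dmarc.vendor.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@vendor.example",
    "_dmarc.weak-vendor.example": "v=DMARC1; p=none;",
    # "vendor-example.com" (an attacker-registered look-alike) publishes no record at all
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str    # envelope MAIL FROM domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature (empty if unsigned)


def lookup_policy(header_from: str, dns=DNS_TXT):
    """DMARC lookup order: the exact From: domain, then its organizational domain."""
    rec = dns.get("_dmarc." + header_from.lower())
    if rec is None:
        rec = dns.get("_dmarc." + org_domain(header_from))
    return parse_dmarc(rec) if rec else None


def dmarc_disposition(header_from: str, auth: AuthResults, dns=DNS_TXT) -> str:
    """Return 'pass', the sender's requested disposition ('none', 'quarantine',
    'reject'), or 'no-policy' when the From: domain publishes no DMARC record."""
    policy = lookup_policy(header_from, dns)
    if policy is None:
        return "no-policy"
    spf_ok = auth.spf_pass and aligned(header_from, auth.spf_domain, policy.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(header_from, auth.dkim_domain, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")


# Constructed scenarios: an attacker's own server sends mail with a forged From: header.
FORGED = AuthResults(spf_pass=True, spf_domain="attacker.example", dkim_pass=False, dkim_domain="")
GENUINE = AuthResults(spf_pass=True, spf_domain="vendor.example", dkim_pass=True, dkim_domain="vendor.example")


def scenarios() -> dict:
    return {
        "forged_vs_enforcing": dmarc_disposition("vendor.example", FORGED),    # reject
        "forged_vs_p_none": dmarc_disposition("weak-vendor.example", FORGED),  # none: delivered
        "forged_subdomain": dmarc_disposition("ci.vendor.example", FORGED),    # org policy applies: reject
        "genuine": dmarc_disposition("vendor.example", GENUINE),               # pass
        "lookalike_domain": dmarc_disposition("vendor-example.com", FORGED),   # no-policy
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} -> {result}")
```

The last scenario is the caveat from the paragraph above: a forged message from a look-alike domain never consults the real vendor's policy, so a `p=reject` record on `vendor.example` does nothing for mail from `vendor-example.com`. Note also that SPF alone passes in every forged case because the attacker's own server is authorized for the attacker's envelope domain; it is the alignment check with the visible From: header that makes DMARC effective.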
Security Awareness Training
Proper, up-to-date training of employees is imperative. Arming your staff with the knowledge to recognize and report phishing is one of the strongest layers of security you can put in place. Dropbox employees received phishing emails that looked like code-review notifications from the third-party vendor. Clicking through led to a fake login page, and entering their credentials there effectively handed those accounts to the attacker.
Multi-Factor Authentication
Multi-factor authentication can be very strong, but not every form of it resists phishing. Dropbox employees logged in with a password plus a one-time password generated by a hardware token. The weakness is that an OTP is just a short code with no link to the site it is typed into: a phishing page that captures it can relay it to the real login immediately, and a counter-based code stays valid until it is consumed. That is what happened here; the attacker reused the credentials and OTP codes that employees entered on the phishing page. Phishing-resistant MFA, meaning FIDO2/WebAuthn security keys, closes this gap because the authenticator signs the site's origin into its response, so an assertion captured on a look-alike domain is useless against the real one. Dropbox has said it is moving its whole environment to WebAuthn for this reason.
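The difference between a relayable OTP and an origin-bound credential is easiest to see in code. The following is an added example, not Dropbox's code or any vendor's: it implements RFC 4226 HOTP (and TOTP on top of it), a verifier with the usual look-ahead window, and then a simulated phishing relay against both that verifier and a toy origin-bound verifier. The origins `https://github.example` and `https://github-circleci.example` are hypothetical, the token secret is the RFC 4226 test-vector key, and HMAC stands in for the public-key signature a real FIDO2 authenticator would produce.

```python
import hashlib
import hmac
import json
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits)


class OtpVerifier:
    """Server side of hardware-token OTP login, with the look-ahead window real
    deployments use to tolerate button presses that never reached the server."""

    def __init__(self, key: bytes, window: int = 10):
        self.key, self.next_counter, self.window = key, 0, window

    def login(self, password_ok: bool, code: str) -> bool:
        if not password_ok:
            return False
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.next_counter = c + 1   # single-use, but only once the server has seen it
                return True
        return False


RP_ORIGIN = "https://github.example"               # hypothetical real login origin
PHISH_ORIGIN = "https://github-circleci.example"   # hypothetical look-alike phishing page


def authenticator_sign(key: bytes, challenge: str, origin: str):
    """Stand-in for a FIDO2/WebAuthn assertion: the authenticator signs the server's
    challenge together with the origin the browser reports. HMAC replaces the real
    public-key signature so the example stays self-contained (assumption)."""
    client_data = {"challenge": challenge, "origin": origin}
    sig = hmac.new(key, json.dumps(client_data, sort_keys=True).encode(), hashlib.sha256).digest()
    return client_data, sig


class OriginBoundVerifier:
    def __init__(self, key: bytes):
        self.key, self.pending = key, set()

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def login(self, client_data: dict, sig: bytes) -> bool:
        if client_data.get("challenge") not in self.pending:
            return False                       # unknown or already-used challenge
        if client_data.get("origin") != RP_ORIGIN:
            return False                       # signed for a phishing origin: rejected
        expected = hmac.new(self.key, json.dumps(client_data, sort_keys=True).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(client_data["challenge"])
        return True


def simulate_relay_attack() -> dict:
    """The victim types into a phishing page; the page forwards everything to the real server."""
    token_secret = b"12345678901234567890"     # RFC 4226 test-vector key, used as a constructed secret
    otp_server = OtpVerifier(token_secret)
    victim_code = hotp(token_secret, 0)        # victim reads this off the token and types it in
    otp_relayed = otp_server.login(password_ok=True, code=victim_code)   # attacker replays it: accepted

    fido_secret = secrets.token_bytes(32)
    fido_server = OriginBoundVerifier(fido_secret)
    chal = fido_server.challenge()             # attacker fetches a real challenge and forwards it
    data, sig = authenticator_sign(fido_secret, chal, PHISH_ORIGIN)   # browser reports the phishing origin
    fido_relayed = fido_server.login(data, sig)                       # rejected

    chal2 = fido_server.challenge()
    data, sig = authenticator_sign(fido_secret, chal2, RP_ORIGIN)     # genuine login on the real site
    fido_genuine = fido_server.login(data, sig)

    return {"otp_relayed": otp_relayed, "fido_relayed": fido_relayed, "fido_genuine": fido_genuine}


if __name__ == "__main__":
    print(simulate_relay_attack())   # {'otp_relayed': True, 'fido_relayed': False, 'fido_genuine': True}
```

The OTP verifier has no way to tell that the code arrived via a phishing page; it only knows the code matches a counter in its window. The origin-bound verifier rejects the relayed assertion not because the signature is bad but because the browser wrote the phishing origin into the signed data, which is exactly the property a time-based code lacks: swapping `hotp` for `totp` changes how long the attacker has, not whether the relay works.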
Data Compartmentalization
Every good security management process compartmentalizes key data: sales executives do not have access to accounting data, and vice versa. In this case the repositories the attacker copied held Dropbox's modified copies of third-party libraries, internal prototypes, and some tooling and configuration used by the security team. They did not contain the code for the core Dropbox service, its applications, or its infrastructure, and the attacker never reached customer accounts or their contents. (Some of the repositories did contain developer API keys and a few thousand employee and customer names and email addresses, which Dropbox disclosed and addressed.) This layer was the FIRST effective one in keeping the Dropbox hack from becoming a nightmare scenario.
Least Privilege Access Controls
Highly granular compartmentalization further minimizes the amount of data exposed across the network. The principle is that data is accessible only to those who actually need it, so that when an attacker does get access, what they can reach is quite limited.
Had Dropbox not implemented proper compartmentalization and access controls, the attacker would more than likely have reached the code that drives the Dropbox ecosystem, including the desktop and mobile applications, and through it every user's data and devices. Small, unnoticed changes to that code, shipped over time through normal releases, could have given the attacker a foothold on millions of users' computers: the supply-chain scenario that least-privilege controls exist to prevent.
You can see how the first few layers failed and the later ones held; an effective cyber security framework would have thwarted this attack at the source, and it was the remaining layers that contained it.
Thankfully, IBC offers a NIST-based Cyber Security Framework in which all of these layers, and others, are planned, implemented, tested, and reviewed.