Vulnerabilities & exposures

Cyber security basics for non-IT professionals 2/3


Welcome back for this second episode of “Cyber security basics for non-IT professionals”. The first part of this series stressed the importance of employees’ security awareness in a holistic approach to e-safety in companies.

Today we are going to focus on vulnerabilities and exposures and how to avoid them.

Once again, this article is targeted at people who are not tech experts. As a small business owner or manager, you will find here a few easy-to-follow tips that will help you avoid putting your organisation at risk.

First, let’s define what vulnerabilities and exposures are. According to the reference on this matter, MITRE’s CVE:

  • What is a “Vulnerability”? An information security “vulnerability” is a mistake in software that can be directly used by a hacker to gain access to a system or network.
  • What is an “Exposure”? An information security exposure is a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.

To make it even shorter, they are holes in the walls of your IT systems that can allow bad guys to harm your company.

In 2019 alone, more than 17,000 new vulnerabilities were reported in the Common Vulnerabilities and Exposures database. And these are only the known weaknesses in our common software, hardware and services.

There are also many unreported issues that security experts are completely unaware of, but that might already be actively exploited by cyber criminals. They are called zero-day vulnerabilities.

As a non-IT professional, there is not much you can do against these zero-day vulnerabilities. But what you can do is protect yourself against common flaws with a few simple steps.

Patch your devices

If you read my previous article, you know that I dedicated a long paragraph to the importance of updating your devices and applications regularly. Well, believe it or not, I will do it again!

The truth is, on a standard computer one may find dozens of applications serving different purposes: office suites, web browsers, image processing tools, mail clients, media players, various business tools, etc. And I am not even talking about our mobile phones and their countless apps.

Well, guess what? ALL these applications have to be updated on a regular basis. All of them, yes! Otherwise, over time, they become hidden doors to your data, vectors for malware attacks, and may even turn your computer into a server for criminal activities!

There are several tools on the market that can be set up to monitor software updates for you and make sure your applications run with the latest available versions.

Maintain your website

Updates are not limited to your computers, phones, tablets, etc. They also need to be done on your website.

Most websites today are structured around a CMS, or Content Management System, the most famous and popular being WordPress. This tool powers roughly a third of all websites globally.

Being popular also means that you become a target. The vast majority of cyber criminals only want one thing: money. To maximise their chances of spotting an easy target, they focus on popular systems and frameworks. This is why, according to the security firm Sucuri, in 2018 WordPress represented 90% of hacked CMS sites.

Doesn’t sound too good, right? Well, good news: there are solutions. For WordPress, as well as for most of the popular CMSs on the market (Joomla, Magento, Prestashop, etc.), regular updates are developed to keep you safe. And they are really easy to apply on the fly; just look for tutorials on the web, there are many. Or just ask for help: this will probably cost you only a few bucks and save you a lot of trouble…

Configure your firewall properly

I will go into more detail about firewalls in the next article, which is dedicated to infrastructure and processes. For now, I will just focus on the risks of using a misconfigured firewall.

First of all, a quick reminder. What is a firewall? It is an electronic means of controlling the data exchange (aka traffic) between your local network and the outside world. Firewalls can be hardware or software. They are an essential piece of your electronic security, but they have to be fine-tuned, sometimes with hundreds of specific rules.

You need to be aware that an improperly configured firewall is sometimes more harmful than no firewall at all, in the sense that it gives its owner a false impression of security, which decreases vigilance.

In a recent famous data breach targeting the financial corporation Capital One, a hacker successfully gained access to more than 100 million customer accounts and credit card applications. She simply used a mistake in the firewall configuration. Not only did this hack seriously harm the reputation of the company, it also generated a cost of hundreds of millions of dollars. This could have been avoided with just a tad more vigilance…

So please, if you are unsure about how to properly configure your firewall, just ask a pro.
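To show why rule order and a default-deny policy matter, here is a small first-match rule evaluator. It is an added example written for this article, not a real firewall product, and the rulesets, addresses and ports in it are constructed for illustration. A broad “allow everything” rule left near the top (a common leftover from troubleshooting) silently defeats every deny rule that follows it, which is exactly the false sense of security described above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    source: str            # source network in CIDR form; "0.0.0.0/0" means anywhere
    port: Optional[int]    # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int


def evaluate(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """Return the verdict for a packet: the first matching rule wins.

    If no rule matches, the default policy applies. Most real firewalls use
    the same first-match semantics, which is why rule order matters.
    """
    ip = ip_address(packet.src_ip)
    for rule in rules:
        in_network = ip in ip_network(rule.source)
        port_matches = rule.port is None or rule.port == packet.dst_port
        if in_network and port_matches:
            return rule.action
    return default


# Constructed weak ruleset: an "allow anything from anywhere" rule was added
# during troubleshooting and never removed. Because it comes first, the deny
# rule for the remote-desktop port (3389) below it is never reached.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", None),
    Rule("deny", "0.0.0.0/0", 3389),
    Rule("allow", "10.0.0.0/8", 3389),
]

# Constructed corrected ruleset: only the services that are actually needed
# are allowed (public HTTPS, remote desktop from the internal network only);
# everything else falls through to the default deny.
CORRECTED_RULES = [
    Rule("allow", "0.0.0.0/0", 443),
    Rule("allow", "10.0.0.0/8", 3389),
]


def find_wide_open_rules(rules: List[Rule]) -> List[Rule]:
    """Audit helper: flag allow rules that let any source reach any port."""
    return [
        r for r in rules
        if r.action == "allow" and r.source == "0.0.0.0/0" and r.port is None
    ]


if __name__ == "__main__":
    from_internet = Packet("203.0.113.5", 3389)   # constructed external address
    from_office = Packet("10.1.2.3", 3389)        # constructed internal address
    print("weak ruleset, internet -> 3389:", evaluate(WEAK_RULES, from_internet))
    print("corrected,    internet -> 3389:", evaluate(CORRECTED_RULES, from_internet))
    print("corrected,    office   -> 3389:", evaluate(CORRECTED_RULES, from_office))
    print("wide-open rules in weak set:", find_wide_open_rules(WEAK_RULES))
```

The audit helper is the kind of check worth running after every change: a single “allow anything” rule is easy to overlook in a list of hundreds, and it makes every more specific rule underneath it meaningless.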


Use https encryption

I talked a bit about https in my previous article. The main purpose of this communication protocol is to encrypt data between a server and a client. Typically, in most scenarios, it makes sure that nobody can watch the “dialogue” between a web browser and a website.

Everyday life example: let’s say you have friends coming over for dinner and there is a digicode to open your building’s door. Every time a new guest rings downstairs, you just yell the code through the open window, pretty confident that no burglar is around. It is a safe and friendly neighborhood after all, isn’t it? Now imagine doing the same with your social security or credit card numbers, bank account credentials, etc. Not so safe, right?

Well, this is exactly what you are doing when you connect to a website not protected by an encrypted connection (the little padlock logo in the address bar of your web browser). You are basically yelling information, just hoping nobody is listening!

And this is also what you are asking your clients to do if your website or web applications do not use an encrypted connection.

It is very easy, though, to add an SSL certificate to your website and start using the https protocol. And it can even be free thanks to the non-profit organisation Let’s Encrypt. Just contact your web hosting company and they will help you put that in place.

Ask professionals to do your developments!

I have seen so many applications or websites that are just nasty sieves, developed without any proper process or documentation and with no respect for basic security rules.

I once had a client whose website was so poorly designed that I noticed over 30 visible hacking attempts. And I suspect that at least half of them were actually successful and led to the theft of his customers’ personal data.

Of course you want to be able to communicate with your customers through every possible means. Of course it is exciting to deploy an e-commerce platform and receive your first orders. It is also gratifying to be able to provide your clients with amazing electronic tools that exist nowhere else!

What is less amazing is to be responsible for the theft of your customers’ details. Or to have your company paralyzed by ransomware, like 35% of SMBs in 2017.

Real pros follow development standards such as encryption of personal or sensitive data in databases, countermeasures against SQL injection or XSS attacks, processes to avoid data disclosure, methodologies for application testing before release, etc.

It is really crucial that you have all your developments done by experienced and rigorous professionals. Well-conducted projects take time and methodology. Don’t fall for “dream deals” with amazingly short delays and cheap costs. Do not hesitate to request quotations from multiple vendors and question them on their methodologies and processes. If they can’t explain what they are going to do because “it’s too technical”, run away…
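To make the “SQL injection” and “XSS” countermeasures mentioned above concrete, here is an added example (written for this article, not taken from any product or client site) showing a careless lookup beside its hardened form. The in-memory database, its single user record and the inputs are all constructed for the demonstration. This is the kind of thing you can ask a vendor to explain: parameterised queries and output escaping are basic habits, not advanced techniques.

```python
import html
import sqlite3
from typing import List


def make_demo_db() -> sqlite3.Connection:
    """Constructed demo database: one table, one customer record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.execute("INSERT INTO customers VALUES ('alice', 'alice@example.com')")
    return conn


def find_customers_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Careless: user input is pasted into the SQL text.

    Quote characters in the input change the meaning of the query, so a
    crafted username can make the WHERE clause match every row and disclose
    data the caller should never see.
    """
    sql = f"SELECT email FROM customers WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_customers_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened: a parameterised query.

    The value travels separately from the SQL text, so whatever it contains
    it is only ever compared as data and can never become part of the query.
    """
    sql = "SELECT email FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def greeting_vulnerable(name: str) -> str:
    """Careless: untrusted text is written straight into the page (XSS)."""
    return f"<p>Hello {name}</p>"


def greeting_safe(name: str) -> str:
    """Hardened: escape output so the browser shows the text, never runs it."""
    return f"<p>Hello {html.escape(name)}</p>"


if __name__ == "__main__":
    conn = make_demo_db()
    # Constructed inputs: one normal, one shaped to break out of the SQL quotes.
    normal = "bob"
    crafted = "x' OR '1'='1"
    print("vulnerable, normal :", find_customers_vulnerable(conn, normal))   # []
    print("vulnerable, crafted:", find_customers_vulnerable(conn, crafted))  # every email
    print("safe,       crafted:", find_customers_safe(conn, crafted))        # []
    tag = "Mallory <script>"
    print("vulnerable page:", greeting_vulnerable(tag))
    print("safe page      :", greeting_safe(tag))
```

The two “safe” functions are not clever; they simply keep data and code apart. That is the whole point of the development standards the paragraph above refers to, and a vendor who cannot explain them is a warning sign.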


And a lot more…

These are really the basic measures you can start implementing to avoid common vulnerabilities and exposures. But there are many other things to watch for, such as connected objects (smart TVs, security cameras, doorbells, baby monitors, etc.), cloud services, network storage, etc.

There is no such thing as zero risk, but if you are concerned about your e-safety, you could start with a security audit to get all the information needed to make smart choices. The bad guys will often choose the easiest target, and you don’t want that target to be you…

That’s it for today; let’s meet again in a couple of weeks and see what else we can do to mitigate our risks…

Sources: CVE, Wikipedia, WordPress, digital.com, CNN, MalwareBytes, ZDNet
