Why Your Employees Are Your Number One Risk

In more than 15 years of responding to security incidents large and small, the actions of a user have contributed to the overwhelming majority of incidents I have been involved with.

We all know that human error is one of the most common causes of compromise, and a user's actions can circumvent almost every security control you have invested in. Data breaches are arguably the biggest threat a business faces, so security awareness training is critical to prevent your users from being your number one risk.

We've watched big-name companies pay millions of dollars in settlements after security breaches and lose customer confidence. The most notable of these hacks from a credit card perspective were Target in 2013 and Home Depot in 2014.

When retail giants are hacked, we're suddenly all aware that it could happen to us, too. If hackers can take down a business that large, what can't they do? We worry about it for a while, and soon we forget. That is when we let vulnerabilities slip through the cracks.

Unfortunately, hackers are waiting for exactly that moment. Once we let our guard down, they know it, and they can send phishing emails, hunt for vulnerabilities, or run brute-force or password-spraying attacks against our passwords.

Quick Defense List

To keep your company safe from opportunistic and targeted attacks, we have compiled a quick list of defenses.

1. Enable two-factor authentication.

An added layer of security is always a plus. Two-factor authentication consists of two different forms of identification. A factor can be:

  • Something you know (a password, PIN or security question)
  • Something you have (a phone, key card or similar card)
  • Something you are (a biometric factor such as a fingerprint or voice recognition)

This second level of authentication strengthens any login and gives you more peace of mind.

2. Use a VPN.

A VPN (virtual private network) is a great way to avoid possible attacks while using public Wi-Fi. The network acts as an intermediary, protecting your data and changing your IP address. You'll browse on public Wi-Fi without fear of hackers using the opportunity to steal your information.

VPNs are ideal for employees who work remotely or travel frequently. VPNs come in free and paid versions. Take the time to research the one that best fits your company's needs.

3. Install security updates.

Without fail, security update windows pop up right in the middle of that important project you're working on. Hitting the remind-me-later button is nearly a reflex, making sure the update doesn't slow you down. After all, you'll remember to update when you're done. Won't you?

We're all human. Unfortunately, that means we're all forgetful. When the pop-up comes back, we're in the middle of something important again, and the cycle repeats.

The security of your computer, and ultimately of your company, depends on simple vulnerabilities being patched. A hacker could take the most insignificant vulnerability and turn it into a serious security incident.

Take a moment to save your work and install the update.

4. Use strong and varied passwords.

This may be the simplest of the five recommendations. A strong password helps protect you from hackers guessing your credentials. We tend to use passwords that contain words easily found in a dictionary, or maybe our pet's name. That is understandable, because we like to choose something we know we will remember.

Just as this method makes a password easy for us to remember, it makes it even easier for a hacker to guess your password and access your personal and work information. Worse, if they guess the password and you use the same one across multiple accounts, they now have easy access to a large amount of information.
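The two weaknesses described above, passwords built from a dictionary word or a pet's name and one password reused across accounts, can both be checked mechanically. The following is an added example (not code from the article) of a small self-audit helper: it folds the usual letter-for-symbol substitutions so that "P@ssw0rd" is judged as the word "password", checks for personal details such as a pet's name, and groups accounts that share an identical password. The word list and personal-detail list are constructed for the demo; a real check would load a full dictionary and a breached-password list.

```python
"""Password-hygiene self-audit.  Added example, not from the original article.
The word lists are constructed for the demo and deliberately tiny."""
import re
from collections import defaultdict
from typing import Iterable

# Constructed mini lists; replace with a real dictionary / breached-password set.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey",
                "letmein", "qwerty", "football"}
COMMON_PASSWORDS = {"123456", "password", "123456789", "12345678", "qwerty", "111111"}

# Common symbol/digit substitutions people use to "strengthen" a word
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def word_forms(password: str) -> set:
    """Letters-only views of the password: as typed, and with substitutions undone,
    so both 'Summer2019!' and 'P@ssw0rd' expose the word they are built on."""
    raw = re.sub(r"[^a-z]", "", password.lower())
    folded = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    return {raw, folded}


def assess_password(password: str, personal: Iterable[str] = (), min_length: int = 12) -> list:
    """Return a list of findings; an empty list means no objection was raised."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    forms = word_forms(password)
    for word in sorted(COMMON_WORDS):
        if any(word in form for form in forms):
            findings.append(f"built on dictionary word '{word}'")
            break
    for item in personal:                      # e.g. pet name, company name
        if len(item) >= 3 and item.lower() in password.lower():
            findings.append(f"contains personal detail '{item}'")
    return findings


def find_reuse(records: Iterable[tuple]) -> dict:
    """Group accounts that share an identical password.  Input is (account,
    password) pairs from a self-audit; output maps each reused password to
    the accounts using it.  A password manager does this check for you."""
    by_password = defaultdict(list)
    for account, password in records:
        by_password[password].append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd!!!!", "Buddy2020Rocks", "correct-horse-battery-staple"]:
        print(candidate, "->", assess_password(candidate, personal={"Buddy"}) or "ok")
    print(find_reuse([("email", "Summer2019!"), ("bank", "Summer2019!"), ("vpn", "correct-horse-battery-staple")]))
```

The substitution folding is the part worth noting: a policy that only counts character classes rates "P@ssw0rd!!!!" as strong, while any cracking wordlist covers those substitutions in its first pass, so the audit should judge the underlying word, not the decoration.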

5. Train employees.

The question is not "Will your employees be hacked?" but "When will your employees be hacked?" While employee actions can circumvent almost every security control you have invested in, security awareness training is critical to prevent your employees from being your number one risk. Users are often the last line of defense in a network, and there is no patch for people wanting to be helpful or wanting to do the right thing.

In this podcast episode, I explain why ongoing employee security training is crucial to ensuring employees know how to spot a hacking attempt, ultimately protecting your organization from potential cyberattacks.

Listen to my podcast now

Key takeaways:

  • Why employees often do not realize how important they are in the process
  • How not enabling multi-factor authentication on remote access to email allows hackers to easily access employee email accounts
  • Why 91% of cyberattacks begin with a spear-phishing email
  • The importance of setting strong passwords for employees
  • Why backing up data is a necessary defense against cyberattacks

Subscribe to the Cybersecurity Awareness Podcast on iTunes.

HITECH Answers article: "How Your Employees Get You Hacked"

The HITECH Answers article covers some very good points of conversation to help support (or gain support) for your user awareness training initiatives.

  • Laziness: Employees often feel that it's not their job to worry about security, or that IT will protect them. Unfortunately, they often do not realize how important they are in the process. Many organizations lack sufficient IT security resources, particularly the capability to handle the more sophisticated attacks coming from nation-states. Employees need to know that they are the target cyber-criminals use to obtain sensitive information. Therefore, it is their responsibility to help the organization identify and thwart these attacks.
  • Unprotected email: Email hacking remains one of the most popular cybercrimes, with millions, if not billions, of stolen emails, and subsequently email credentials, for sale on the dark web. Recent attacks, such as the one on the DNC, quickly come to mind. Employees often do not have multi-factor authentication enabled on their remote access to email, allowing hackers easy access to those email accounts if they have the stolen credentials. This is one of the most prominent attacks we are currently seeing in our incident response practice. Once a hacker is in that mailbox, they have free access to any data stored in the account, such as personally identifiable information (PII), credit card details and other login credentials, as well as the ability to send "trusted" email from that account to others to continue the attack into other organizations. Multi-factor authentication is available on most popular email platforms. With multi-factor enabled, a code is sent to the employee's phone, so a cyber-criminal with only the password cannot access that email account. Outlook Web Access is one place where I strongly urge you to consider implementing multi-factor.
  • Phishing emails: According to the cybersecurity firm PhishMe (now Cofense), 91% of cyberattacks begin with a spear-phishing email. In these phishing emails, hackers design the message to look authentic so the employee thinks it is coming from the real source it claims to be, and sometimes it actually does come from a legitimate source. These phishing emails may appear to come from credible companies' customer support departments, such as Microsoft or Google, or may even appear to come from the employee's boss or a colleague. In many cases, once an employee falls for a phishing scam, their computer or mobile device is infected with malware, or they hand their corporate credentials to the attacker.
  • Bad passwords: SplashData reports that the most commonly used password is currently 123456. Not only is this a very weak password, but people are often reusing their easy-to-crack password across multiple sites and accounts, and even sharing it with colleagues. One part of almost all of our penetration tests is password spraying: gathering usernames and slowly trying common passwords for each to avoid detection. Why do we do this? It frequently bears fruit.
  • No backups: There's a good possibility that at least one employee in your company isn't backing up the data he or she is supposed to be, which is a major problem. This is largely due to important data being stored locally on mobile devices. Not only is there a risk of losing files to technical problems; losing those files to cyber-criminals is also dangerous. During a ransomware attack, a cyber-criminal locks the user out of their account and denies them access to their files unless a ransom is paid. Even if the ransom is paid, there is no guarantee the files will be returned to the user, which makes backing up files essential.
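The password spraying described in the "Bad passwords" point above is slow by design: one or two common passwords against every account, so no single account ever trips a lockout threshold. The signature a defender can look for is the inverse of brute force: one source failing against many different accounts with very few attempts each. The following is an added example (not code from the article or from LBMC) that runs that check over authentication log lines. The log format and the lines themselves are constructed for the demo and use RFC 5737 documentation addresses; the detector also reports any account that later succeeded from the spraying source, which is the first thing to triage.

```python
"""Password-spray and brute-force detection over authentication failures.
Added example, not from the original article.  SAMPLE_LOG is constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 UTC> auth <success|failure> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth failure user=alice src=203.0.113.7
2024-05-01T09:07:14Z auth failure user=bob src=203.0.113.7
2024-05-01T09:14:02Z auth failure user=carol src=203.0.113.7
2024-05-01T09:21:33Z auth failure user=dave src=203.0.113.7
2024-05-01T09:28:45Z auth failure user=erin src=203.0.113.7
2024-05-01T09:35:10Z auth failure user=frank src=203.0.113.7
2024-05-01T09:42:57Z auth failure user=grace src=203.0.113.7
2024-05-01T09:49:20Z auth success user=grace src=203.0.113.7
2024-05-01T09:10:00Z auth failure user=carol src=198.51.100.9
2024-05-01T09:10:10Z auth failure user=carol src=198.51.100.9
2024-05-01T09:10:20Z auth failure user=carol src=198.51.100.9
2024-05-01T09:10:30Z auth failure user=carol src=198.51.100.9
2024-05-01T09:10:40Z auth failure user=carol src=198.51.100.9
2024-05-01T09:10:50Z auth failure user=carol src=198.51.100.9
2024-05-01T09:05:00Z auth failure user=alice src=192.0.2.5
2024-05-01T09:05:20Z auth success user=alice src=192.0.2.5
2024-05-01T09:30:00Z unrelated line that the parser must skip
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


def analyze_failures(lines, window_minutes=60, spray_min_users=5,
                     spray_max_per_user=2, brute_min_attempts=6) -> dict:
    """Per source address, look at every sliding window of failures:
    many distinct users with few attempts each  -> password spray
    one user with many attempts                 -> brute force
    Returns {src: {"password_spray": {...}, "brute_force": {...}}} for flagged sources."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)
    span = timedelta(minutes=window_minutes)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "failure"]
        spray_users, brute_user, start = set(), None, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > span:
                start += 1                      # slide the window forward
            per_user = Counter(e["user"] for e in failures[start:end + 1])
            if (len(per_user) >= spray_min_users
                    and max(per_user.values()) <= spray_max_per_user
                    and len(per_user) > len(spray_users)):
                spray_users = set(per_user)     # keep the widest spray window seen
            user, count = per_user.most_common(1)[0]
            if count >= brute_min_attempts:
                brute_user = user
        result = {}
        if spray_users:
            first_fail = failures[0]["ts"]
            # Accounts that later authenticated from the spraying source: triage first
            later = sorted({e["user"] for e in events
                            if e["result"] == "success" and e["ts"] > first_fail})
            result["password_spray"] = {"users": sorted(spray_users), "later_successes": later}
        if brute_user:
            result["brute_force"] = {"user": brute_user}
        if result:
            findings[src] = result
    return findings


if __name__ == "__main__":
    for src, verdict in analyze_failures(SAMPLE_LOG.splitlines()).items():
        print(src, verdict)
```

Per-account lockout policies see at most one or two failures per user here and stay silent; only correlating by source (or, for cloud mail, by user agent or ASN when the source rotates) exposes the pattern. The thresholds are starting points to tune against your own baseline of help-desk-era typos.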

Key takeaways

  • Users are often the last line of defense in a network.
  • There is no patch for people wanting to be helpful or wanting to do the right thing.
  • Simply put, train them on:
    • Pretexting
    • Phishing
    • Training
    • Baiting
    • Tailgating

Quote:

Your preparation could be the difference between smooth sailing and a huge financial and reputational loss. You can quickly put these strategies to use to strengthen your defenses. For a more in-depth resource on the topic, our free guide, Breach: A Guide to Network Security, Best Practices for Prevention, Detection, and Response, is available for download.

Content provided by LBMC professional Bill Dean.

We can help keep your business safe from hackers. Contact LBMC Cybersecurity today to learn more!