For companies and organisations with IT systems, databases and software critical to their operation, almost every employee or contractor with any level of systems access is a potential security risk.
Phishing attacks are the most common way that IT systems are compromised. They are typically executed by duping unsuspecting employees into clicking on a malicious link or file somewhere.
Even generally cybersecurity-savvy individuals can be caught out in a distracted moment or by a particularly sophisticated approach.
Once a computer with access to an organisation’s IT systems has been compromised with malware, that malicious code usually goes to work quietly probing for further vulnerabilities.
Even very limited access to sensitive IT and software systems, such as a corporate email account, can be exploited by sophisticated malware, e.g. by launching a new phishing attack against other corporate email addresses directly from a legitimate in-house address.
That would usually be enough to gain access to other computers within the organisation, or beyond, including ones whose users have more access to sensitive IT systems.
And of course, the deeper the access the user of any infected device has to IT systems, the greater the vulnerability, or threat, they represent to organisational cybersecurity.
Check out our dedicated blog post on IT security to get a comprehensive overview of the most common IT threats and risks, and how we deal with them.
IT specialists are a particularly significant threat to your cybersecurity
If you have IT specialists that actively develop and maintain proprietary software systems or administer infrastructure, these individuals have access deep into the beating heart of your digital lifeblood. If the computers they work from are compromised, you are in trouble.
Even if the number of individuals with access to sensitive data and systems is limited and additional layers of security are in place, IT specialists will usually have deep enough access to represent a heightened risk.
IT specialists pose a cyber security threat on two primary levels:
- Phishing attacks – their greater access to sensitive IT and software systems offers more opportunity to malware.
- Scripting (XSS) attacks – XSS attacks can involve injecting malicious scripts into software. This is often achieved by concealing them in pre-fabricated blocks or snippets of code that developers use while building software.
Developers and other IT specialists often use chunks of code from libraries, frameworks and other resources such as forums. Major open source code repositories are generally well-policed. But scripting attacks camouflaged within contributions can occasionally slip through.
The risk increases dramatically if code is lifted from less tightly reviewed sources such as developer forums or individual repositories on platforms like GitHub.
K&C goes the extra mile on cyber security to protect you when you work with us – our security policy and toolkit
A detailed and strictly adhered-to internal cybersecurity policy and culture significantly reduces the risk of people making the mistakes that most often lead to devices being compromised.
Our cybersecurity policy includes:
- Rules on software permitted to be installed on work devices – must come from a trusted and approved vendor.
- Rules on what kind of files can be opened or downloaded on work devices – must also come from trusted and approved sources.
- Email security policy (closely related to the two points above)
- Password protection policy
- Data transfer policy
- Device security policy
A rules-based cyber security policy is not enough – a toolkit is needed too
But as important as setting strong rules and instilling a security-first culture is, it is not enough.
Even with the best of intentions, intelligence and willingness, people are fallible. We all make mistakes and as already highlighted, cyber security threats are increasingly sophisticated.
And a security policy that is 99% effective is still far too low a bar, and in any case unrealistic for anything predicated on individuals sticking perfectly to the script. That is especially true when it comes to IT specialists.
There needs to be an automated safety net to catch any slips that are made.
We have two core cyber security tools to provide you with additional lines of defence:
- OpenVPN
- CrowdStrike
We hope they will never be needed. But we’re not prepared to gamble your, or our own, cyber security on that hope.
OpenVPN
All of our staff and contractors must have OpenVPN installed and operating on their devices. None of our company systems can be accessed unless it is active. It can also cover our clients’ IT systems.
It uses “an industrial-strength security model” designed to shield against both passive and active attacks. The security model is based on using SSL/TLS for session authentication and the IPSec ESP protocol for secure tunnel transport over UDP.
OpenVPN supports the X509 PKI (public key infrastructure) for session authentication, the TLS protocol for key exchange, the OpenSSL cipher-independent EVP interface for encrypting tunnel data, and the HMAC-SHA1 algorithm for authenticating tunnel data.
It has been rigorously designed and tested to operate robustly on unreliable networks. A major design goal of OpenVPN is that it should be as responsive, in terms of both normal operations and error recovery, as the underlying IP layer that it is tunneling over.
That means that if the IP layer goes down for 5 minutes, when it comes back up, tunnel traffic will immediately resume even if the outage interfered with a dynamic key exchange which was scheduled during that time.
While OpenVPN provides many options for controlling the security parameters of the VPN tunnel, it also provides options for protecting the security of the server itself, such as --chroot for restricting the part of the file system the OpenVPN daemon has access to, --user and --group for downgrading daemon privileges after initialization, and --mlock to ensure that key material and tunnel data are never paged to disk where they might later be recovered.
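A minimal server configuration that puts the hardening options above together, added here as an illustration and not K&C’s own configuration; the file paths, the tunnel subnet and the chroot directory are assumptions.

```conf
# Example OpenVPN server configuration (constructed for illustration, not K&C's own).
# Paths, the tunnel subnet and the chroot directory are assumed values.
port 1194
proto udp
dev tun

# X.509 PKI for session authentication: only clients presenting a certificate
# signed by this CA are admitted.
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   /etc/openvpn/server/dh.pem
remote-cert-tls client      # reject a client that presents a server certificate

# TLS for key exchange; refuse downgraded protocol versions.
tls-version-min 1.2
# HMAC every control-channel packet with a pre-shared key, so packets that fail
# the check are dropped before any TLS processing takes place.
tls-auth /etc/openvpn/server/ta.key 0

# Tunnel data protection: authenticated encryption for the data channel.
# "auth" selects the HMAC digest used by tls-auth and, for non-AEAD ciphers,
# for authenticating tunnel data itself.
cipher AES-256-GCM
auth SHA1

server 10.8.0.0 255.255.255.0

# Protecting the server process itself:
chroot /var/empty/openvpn   # confine the daemon to an empty directory after startup
user  nobody                # drop root privileges once initialisation is complete
group nogroup               # group name is distribution-specific (nogroup / nobody)
mlock                       # keep key material and tunnel buffers out of swap
# Needed alongside chroot/user/group: after privileges are dropped the daemon can no
# longer re-read its keys or re-open the tun device, so keep them across restarts.
persist-key
persist-tun

keepalive 10 60
verb 3
```

The chroot directory must exist and be owned by root before the daemon starts; because it is entered after initialisation, the certificate and key files above can stay outside it.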
CrowdStrike
CrowdStrike is the gold standard when it comes to endpoint protection solutions and protects every K&C device. Licenses are expensive and that means a majority of organisations won’t invest to that level. We don’t see it as a choice.
CrowdStrike leverages cutting-edge machine learning to scan any software or documents being introduced to a device for threats. Its big data, AI and cloud-based technology can identify and catch malicious code threats that mass market tools will not.
Beyond that initial, extremely effective first line of defence, CrowdStrike also actively hunts for threats that could theoretically be concealed within devices on an ongoing basis.
CrowdStrike also protects the integrity of the software you are building
Having CrowdStrike installed on a device also protects against the risk, however slight, of malicious code being written into software as it is being built.
It would detect anything untoward in pre-written code or script snippets developers or other IT specialists might make use of in their work. Never leveraging pre-written blocks of code would make software development inefficient and expensive on an entirely different level.
Unless you are developing for the highest level of security possible – think national, banking, energy etc. infrastructure – never using pre-fabricated blocks and snippets of code simply won’t be practical.
The inherent risk in such code can be reduced dramatically if strict rules are followed, such as only using trusted repositories. But, again, rules-based policies are not enough. CrowdStrike defends against human error and increasing sophistication from bad actors here too.
As a result, K&C can absolutely guarantee the integrity of any code written on or deployed from company-approved and CrowdStrike-protected devices.
Cyber security is an absolute priority for us, as it must be for you too. If you have any further questions or would like additional details on our cybersecurity policy and tools, please ask.
Adopt a no-compromise approach to cybersecurity, especially when it comes to IT services provided by third parties.