It’s Cyber Security Awareness Month and now, more than ever, Australians must be vigilant against cybercrime. On average, a cyber attack on Australians is reported every 8 minutes, according to the Australian Cyber Security Centre. PROTECT+ Senior Security Consultant and Penetration Tester Anthony Jones looks at the “low hanging fruit” of common cyber security mistakes, and shares the simple, pragmatic steps your organisation can take to address them.
With news related to the recent major cyber-attacks coinciding (somewhat ironically) with the beginning of Cyber Security Awareness Month, we are reminded of the importance of basic cyber controls to avoid common cyber security mistakes. In fact, it’s still the cyber basics that often get overlooked and can lead to the most catastrophic of consequences.
There are definitely a few simple steps we can all take to protect ourselves. Whether you’re an organisation of 10,000 employees or 10, taking pragmatic steps and being proactive is essential to protecting yourself and those around you. We recently visited the Northern Territory to talk all things cyber security at the AISA Darwin Cyber Conference – here are some of the top tips we shared!
Common cyber security mistakes – the low hanging fruit
Having passwords and usernames stored in cleartext (unencrypted) format is near the top of the list when it comes to bad cyber practices. Cleartext refers to data that has not been encrypted and is easily readable to the human eye. While it’s a ridiculously common mistake made by users and administrators alike, it can lead to some disastrous consequences. Cleartext credentials are one of the first things an attacker will look for, and they provide a trivial means for an attacker to access your data and networks, or to escalate their privileges and perform more devastating attacks.
Take a look at the recent Uber hack. According to the hacker, once inside Uber’s network they didn’t need to perform any complicated privilege escalation techniques to elevate their privileges and compromise the environment further. They simply found some cleartext admin credentials contained in a PowerShell script on a network share. These credentials effectively led to the hacker obtaining privileged access to several of Uber’s core systems, such as their AWS and GSuite accounts, DUO and Onelogin.
So, what can you do to check if your Active Directory environment has any passwords lying around? My first tip is to start by checking the common cleartext password locations for both Windows and Linux, and then performing a variety of searches across scripts, configuration files and shares to identify any others. Once located, remove all the passwords, but be sure to check what they are being used for first, so you don’t break anything.
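One way to run the kind of search described above, as an added example that is not part of the original article: a small Python scanner that walks a directory (for instance a mounted share) looking for hard-coded credentials in scripts and config files, treats variable references and placeholders as benign, and redacts the secret in its own report so the findings file is not a second cleartext copy. The patterns, file suffixes and the sample script are constructed for this example and should be tuned to your own environment.

```python
import re
from pathlib import Path

# Constructed patterns: each pairs a label with a regex whose group "value"
# captures the candidate secret. Extend these for your own estate.
CREDENTIAL_PATTERNS = [
    ("powershell-plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+["\'](?P<value>[^"\']+)["\']\s+-AsPlainText', re.I)),
    ("powershell-password-parameter",
     re.compile(r'-(?:Password|Credential)\s+["\'](?P<value>[^"\']+)["\']', re.I)),
    ("keyword-assignment",
     re.compile(r'\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*["\']?(?P<value>[^\s"\';]{4,})', re.I)),
]
# Values that are references or placeholders rather than secrets: $var, $env:X, <placeholder>, ****
PLACEHOLDER = re.compile(r'^(?:\$[\w:{}.]+|<[^>]*>|\*{3,}|x{4,}|changeme|example)$', re.I)

def scan_text(text, source="<inline>"):
    """Return [(source, line_no, label, redacted_line)] for likely cleartext credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m and not PLACEHOLDER.match(m.group("value")):
                # Redact the secret so the report itself does not leak it.
                redacted = line[:m.start("value")] + "<REDACTED>" + line[m.end("value"):]
                findings.append((source, line_no, label, redacted.strip()))
                break  # one finding per line is enough for triage
    return findings

def scan_tree(root, suffixes=(".ps1", ".psm1", ".bat", ".cmd", ".sh", ".conf", ".ini", ".txt", ".xml", ".config")):
    """Walk a directory tree and scan text files with common script/config suffixes."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                findings += scan_text(path.read_text(errors="replace"), str(path))
            except OSError:
                pass  # unreadable file: skip rather than abort the whole scan
    return findings

# Constructed sample resembling the script described in the article, plus benign lines.
SAMPLE_SCRIPT = r'''
$secpw = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\svc_backup", $secpw)
$ApiKey = $env:API_KEY          # reference to an environment variable, not a secret
password=<your-password-here>    # placeholder in a template
Connection: Server=db01;User Id=app;pwd=hunter22;
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SCRIPT, "sample.ps1"):
        print(finding)
```

Run `scan_tree` against a copy of the share and review each hit with its owner before removing anything, as the article advises.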
RELATED CONTENT: Cyber hygiene: 4 easy tips to keep your data safe
Over-reliance on MFA
Multi-Factor Authentication (or MFA) is a fantastic control that is essential for protecting your networks, accounts, and data. These days, most consumers use MFA to access their online services such as email or social media, too, so it’s become way more common and familiar. However, one of the most common cyber security mistakes is thinking MFA is infallible.
Since MFA was first implemented, attackers have been devising ways to bypass it, and several methods currently exist that enable them to do so. It is also important to remember that not all MFA is created equal, and that phishing-resistant MFA provides increased protection against various social engineering attacks.
One such MFA bypass method is an MFA fatigue attack, which was how the attacker bypassed MFA in the recent Uber hack. In this attack, adversaries bombard a user’s authentication app with push notifications in the hope that the user will eventually get sick of it and approve the access. This type of attack on MFA (and many others) is far more likely to succeed if your employees have not been trained in what MFA is for and the common attacks used to bypass it.
So what are some simple ways you can reduce the likelihood of a hacker getting past your MFA? My second tip is to run security awareness training for all staff that covers the safe operation of MFA, how to identify and prevent common attacks, and how to avoid basic cyber security mistakes. My third tip is to implement a phishing-resistant type of MFA, such as one that adheres to the FIDO2 authentication standard.
RELATED CONTENT: What is the most secure multi-factor authentication method?
Tip to remember
When it comes to protecting your digital assets, pick the low hanging fruit first. It’s the easiest for both you and malicious actors to reach, so putting in the right protections is essential.
You can find more information on common cyber security mistakes in our cyber tip series on our website.
Kinetic IT’s PROTECT+ cyber security solution is here to help. Want to know how PROTECT+ can work for you? Get in touch with us.