It seems almost weekly that we read about the latest network security breach, capturing customer credit card details, email addresses, social media logins, or even political party emails. You would think that, by now, such organizations would have learned their lesson and implemented policies to protect the data.
The truth is that, in most cases, good advice has been paid for and given, but not implemented. Sometimes it is simply complacency; the belief that this cannot possibly happen so close to home. After all, there has not been any breach previously. Additionally, in today’s world, reliable network security can be expensive, and many organizations simply cannot afford to implement the recommendations.
That does not mean that organizations shouldn’t take, at least, some basic steps to protect against external attacks, which can come in many forms:
- Denial of Service (DoS) – Unlike many attacks, this isn’t designed to breach a system in order to steal information. Instead, a DoS (or often DDoS – Distributed Denial of Service) attack is designed to bring down a system by overloading it with requests.
It’s amazing how simple it can be to implement these attacks. While large-scale attacks are carefully orchestrated and very sophisticated, almost anybody can implement something similar. For example, there are websites available that allow you to “stress test” your system; checking whether it can stand up to a few thousand simultaneous visitors. It’s not difficult to use such a system on another target’s website.
There’s a huge variety of DoS attack types, including degradation of service, denial of service, ICMP flood, peer-to-peer attacks, and so on. Fortunately, there are protection measures that can be taken. They all require some element of time/cost to implement, but it’s worth it, especially if you have any reason to expect a DoS attack because of your popularity, out of revenge, or through activism.
- Viruses – A computer virus is the most common form of infection that people think about when a system is breached. Variations of this include Worms, Trojans, Adware, and Malware. Not all viruses are fatal to systems, many simply being an annoyance that needs to be cleaned up, though some can be serious, causing the corruption or loss of data.
The first form of virus defense is knowledge. Make sure your staff know not to open email attachments from people they don’t know, or unknown attachments from people they do know. Don’t click email links unless you know exactly where they will take you. And, take care when surfing the web. If you do find yourself on an unknown site that looks unsafe, try ending the browser task.
The second form of defense is to install a solid antivirus system. There are free options available, or you can invest in a paid service that will probably pay for itself in reduced maintenance. Yes, it’s an expense, but it’s probably a lot cheaper than cleaning up infected systems.
- Hackers – This is where an individual or organization breaks into a system by exploiting a weakness. Sometimes this will be a security loophole in the system – this is one of the reasons that OS suppliers, such as Microsoft, are constantly releasing new patches to their software. Other times it will be something as simple as a weak or missing password – you’re not still using “password123”, are you?
Again, this is a fairly simple threat to protect against. The first line of defense is education. Make sure that all staff are using sensible, secure passwords. Make sure they’re not writing them on a post-it that they stick on their screen! Perhaps enforce password changes on a regular basis – something many software systems allow as an option. Secondly, make sure that you have policies in place to ensure that software is updated with the latest patches.
There are many other forms of attack that we could talk about, though most will only be of concern to larger organizations. Hopefully, I’ve covered some of the more common security issues and shown that it does not have to be expensive to protect yourself.