This month marks five years since Target announced the data breach that exposed 70 million customers’ credit card numbers and banking information.
Target had to endure years of slumping sales and spend millions of dollars to regain customer trust following the attack, which started with a successful phishing attempt on one of the chain’s HVAC contractors. Once the bad actors gained access, they had free rein.
However, the Target breach wasn’t the only cyber threat to slip through traditional security filters. In 2017, hackers breached a casino’s defenses by gaining access through a fish tank with an IoT sensor.
How to identify the ‘easy way in’
It is no longer a far-fetched idea that a hacker might enter a bank’s network through the in-house food service system or steal patient data through a hospital’s gift shop inventory program. MSPs need to be continually monitoring IT ecosystems for the “easy” ways in.
John Krautheim, who spent 13 years working for the Department of Defense in the CISO’s office and now works as an assistant professor of cybersecurity at Augusta University’s Cyber Institute, explains, “The things that get in are the ones you don’t think about. The hackers don’t care how they enter; they are just looking for the easy way in. If parts of your system, such as HVAC, are not as secure, they’ll go in that way, and that allows them to possibly make the jump over to where the crown jewels are.”
Krautheim notes that a system’s “weak spot” could be a smart lightbulb or a climate control system. He observes that most companies, especially SMBs, remain more susceptible because they haven’t learned from high-profile breaches.
There’s irony in that the many bells and whistles that enterprises add to make them safer — like security cameras or IoT sensors — can actually have the opposite effect.
“They are adding these devices to make their businesses safer, but they are weakening their information security because of a lackadaisical approach to securing the devices,” details Krautheim. This includes unmonitored IoT devices and unremoved default passwords. MSPs need to be vigilant about what devices get connected and do their due diligence.
“One of the most important things MSPs need to be able to do is understand what makes up these systems and what is connected. You should be aware of the vulnerability of the devices,” advises Krautheim. That includes performing routine system tests, making sure devices are correctly configured, checking for default passwords, and closing unused accounts.
“The MSP should be doing all that for you, and if they are not you are going to be exposed to some risk,” Krautheim says.
Don Heier, program director of the Master of Science in Cybersecurity program at St. Mary’s University of Minnesota, echoes Krautheim’s concerns about small and medium businesses being especially susceptible to “weak spot” breaches.
Large enterprises have the deep pockets to fortify more of their defenses, but the local dry cleaner probably doesn’t.
“I am more concerned about smaller businesses who often don’t have the resources to pour into their security operations,” Heier says, adding that a hack could range from a minor inconvenience to a devastating impact on a company’s reputation.
Krautheim recommends that MSPs consider splitting an enterprise’s network into two. One segment handles more sensitive information, such as financial or medical data or intellectual property, while the other handles the nuts and bolts, such as food service, HVAC, and inventory control.
“There are some systems out there that you know when things connect, so having a good internal network security monitoring device is important. You may not be able to prevent something from occurring, but if it occurs, you can quickly figure out what happened and why it did,” explains Krautheim.
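The two recommendations above, a split network and monitoring for what connects, can be checked together against flow records. The following is an added example, not code from the article or from anyone quoted in it; the subnets, MAC addresses, allow-list entry and flow records are all constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed): one subnet per segment.
SEGMENTS = {
    "sensitive": ipaddress.ip_network("10.10.0.0/24"),   # payments, medical, IP
    "operations": ipaddress.ip_network("10.20.0.0/24"),  # HVAC, food service, inventory
}
# Assumed inventory of devices the MSP has reviewed, keyed by MAC address.
INVENTORY = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03"}
# Narrow, documented exceptions: (source IP, destination IP, destination port).
ALLOWED_CROSSINGS = {("10.20.0.5", "10.10.0.20", 443)}

# Constructed flow records: (source MAC, source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("00:11:22:aa:bb:01", "10.10.0.11", "10.10.0.20", 443),   # inside sensitive
    ("00:11:22:aa:bb:02", "10.20.0.5", "10.10.0.20", 443),    # approved crossing
    ("00:11:22:aa:bb:03", "10.20.0.7", "10.10.0.20", 1433),   # HVAC -> database
    ("00:11:22:aa:bb:99", "10.20.0.44", "10.20.0.5", 80),     # unreviewed device
]

def segment_of(ip):
    """Return the segment name an address belongs to, or None if outside both."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def review_flows(flows):
    """Return (kind, flow) findings for unknown devices and segment crossings."""
    findings = []
    for flow in flows:
        mac, src, dst, port = flow
        if mac.lower() not in INVENTORY:
            findings.append(("unknown-device", flow))
        crossing = (segment_of(src) == "operations"
                    and segment_of(dst) == "sensitive")
        if crossing and (src, dst, port) not in ALLOWED_CROSSINGS:
            findings.append(("segment-crossing", flow))
    return findings

if __name__ == "__main__":
    for kind, flow in review_flows(SAMPLE_FLOWS):
        print(kind, flow)
```

In practice the flow records would come from the firewall or switch between the two segments, and each finding is a prompt to either fix the device or document the exception.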
Another often overlooked area is system integration when one business buys another. Krautheim pointed to the merger of Marriott and Starwood in 2016. By 2018, 500 million records in the Starwood database had been accessed by hackers.
“If you buy another company you are also getting all of their problems. If one company has good security in place, but they buy another that doesn’t and try to integrate, that new company can cause breaches that spill over into other systems,” Krautheim describes.
However, after fortifying the defenses of the building’s thermostat, cafeteria deep fryer, or inventory management system, the most significant hazard is still human.
Employees need to have a ‘security first’ mindset
“You could have the strongest system in the world, but thanks to social engineering and phishing, a single employee can do far more damage than the external hacker could ever dream of doing,” Krautheim warns. “People surf the internet and click on things they shouldn’t.”
“That’s why it is important to focus on security awareness training as much as possible, and get employees to think about ‘security first’ with everything they do,” Heier shares. “Build a sense of ownership among employees by involving them as much as possible in our security planning.”
MSPs have a big role to play in education and building that essential sense of ownership. Otherwise, you could be one click away from someone in maintenance or food service compromising the entire company.