PALO ALTO, Calif.—How safe is your company from malware attacks and security breaches? As the technology and methods behind cyber-attacks are constantly evolving, it’s virtually impossible for any company to accurately say it’s completely safe, but there are steps you can take to minimize threats.
Ganesh Krishnan, who runs security at the popular job site and social network LinkedIn, shared some of the lessons he’s learned over a 20-year career in security, including stints at Intel and Yahoo. His “tech talk” was part of a meet-up here this week at online payments firm WePay.
The first point he emphasized is that security teams are by definition outnumbered. “There are a lot more hackers than security people. Security has to be everyone’s responsibility,” he said.
This maxim extends to both technical and non-technical employees, as both are needed to help defend against a growing range of threats including so-called phishing attacks. Phishers use social engineering, email and social media to gain access to corporate networks. For example, a phisher might contact a relatively low-level employee under false pretense (e.g., pretending to be an authorized outside contractor), guess the employee’s password and get into the network.
In another example, the massive security breach at Target in 2013 was traced back to an HVAC service provider whose credentials were stolen, allowing the attackers to compromise the retail giant’s network.
“Even [the accounts of] salespeople and non-engineers can be compromised. It’s not hypothetical, it’s happened,” said Krishnan.
Although there have been many high-profile breaches, Krishnan says a lot has changed for the better. For example, it used to be considered a no-no to let someone outside your company test your software for security weaknesses. “Not anymore. Companies are rewarding the people who find vulnerabilities if it’s done ethically and with responsible disclosure,” he said.
But there still needs to be a shift in the mindset of many developers when it comes to software. “Most engineers want to get the software finished and get the features done,” Krishnan said, “but when you write code, think about how someone could abuse it.”
Because that mindset hasn’t been in place, Krishnan says security issues are so pervasive that “if you think you haven’t been hacked yet, you just don’t know it.”
If that sounds dire, Krishnan doesn’t apologize for raising alarm bells, but says a comprehensive strategy that includes not only prevention, but also a strategy and systems to detect and respond to breaches is what’s needed to minimize threats.
His key tips include logging everything and keeping that data for at least a year. This includes firewall, virtual private network (VPN), access and antivirus logs.
“When there’s an issue, having logs will prove to be extremely useful because you can see why you were hacked and take administrative action if necessary,” he said.
How to Prevent Phishing
On the issue of phishing, Krishnan notes it can happen to anyone, but employee training can head off the threat. Rather than simply explain the danger of phishing to employees, he recommends “live training” to sensitize them.
“You’ll be surprised how many employees will give up their credentials” in a pseudo-phishing attack used for training. “And it’s not just a password that’s compromised,” he said. “It’s an attack on the network to plant malware once they can get someone to a bad site or install something.”
Krishnan says the training has proved very useful. “Someone hears person X fell for it, and they don’t want to get caught themselves,” he said.