Rick Kamal prefaced a list of cybersecurity tips with some advice from the annals of history. Ancient history.
The CTO at Harvard Business School invoked Galen, the Greek physician of the second century. Galen served as the personal doctor to several Roman emperors, and his discoveries influenced medicine, physiology and anatomy for 1,500 years. His teaching about maintaining good health was simple: A little prevention goes a long way, Kamal explained to an audience of IT executives.
“Yes, you can treat an ailment, but the most powerful thing to do is have good hygiene and do the right things: Exercise, eat well, avoid intoxicants, have friends and family,” Kamal said at the Argyle 2017 Information Technology and Security Forum in Boston on Thursday. “And if you do something like that, your quality of life, instead of starting a steady decline after the age of 40, is pretty good till about your 80s — and then you get a sudden decline, and you’re dead.”
Through a burst of laughter, Kamal kept a straight face. The reality is, he said, most people don’t follow Galen’s common-sense advice on health. Similarly, organizations don’t take measures that are within their control to ensure better cybersecurity: Massive data breaches at Yahoo and credit-reporting agency Equifax and the covered-up hack at Uber a year ago were all preventable, Kamal said. He enumerated a list of cyberattack prevention tips that can help organizations eliminate most threats.
“There are a lot of products, a lot of solutions out there in the security space — I’m not saying don’t look at them,” he said. “Before you go for some nichey, interesting, shiny-penny solution, first address prevention. It will get you 99 out of 100 miles there.”
A little work, a lot of benefit
The first measure companies need to take to protect their data from malicious, prying eyes is “trivial,” Kamal said: Upgrade and patch your OS. So is the second: Upgrade and patch your applications.
He recounted the reasons for this year’s Equifax data breach. The point of entry for hackers was Apache Struts, open source software for developing web applications. The Struts team uncovered the vulnerability, released a patch and advised users of the software to apply it. Equifax didn’t — and they aren’t alone in neglecting to follow such simple advice.
“I’m sure many of us may not be doing it on a very deliberate and diligent basis,” Kamal said. By upgrading and patching systems, “you’ve gotten rid of about 60% to 70% of vulnerabilities.”
Next, whitelist applications, Kamal advised: Declare which ones are allowed to run on your servers. Many organizations install virus and malware detection software, and that’s good, Kamal said. But that’s a “blacklist approach”: A compromise is identified, quarantined and then deleted. Whitelisting is different.
“It’s where in the operating system you say, ‘This is my server — I only expect applications X, Y, Z to run and processes A, B and C to run,’” Kamal said. “If anything else tries to run, it just can’t.”
Applying this approach, he said, would essentially head off every ransomware and malware attack possible.
Keep it complicated
Kamal then flashed what looked like a toddler’s jabber on a screen: “dadada.”
“That’s somebody’s password. Can you guess whose password that is? Any guesses?” Kamal asked. “Actually, it was Mark Zuckerberg.”
The Facebook co-founder and CEO coined the password after he became a father and used it on several social media sites, including Twitter and Pinterest, which were breached last year.
Lots of people less technically inclined than Zuckerberg use weak passwords. In fact, some of the most-used passwords of 2016 were “123456,” “qwerty” and “111111,” according to an analysis done by password management company Keeper Security. And as Zuckerberg did, many people use the same passwords to unlock accounts on multiple sites, as an analysis of the 2014 Sony Pictures hack showed.
“Now think about this: Your employees, who are accessing your sensitive systems, are doing the same thing,” Kamal said.
Those practices allow for credential stuffing, a type of cyberattack that starts with stolen usernames and passwords — think the Yahoo data breach of 3 billion email accounts. Attackers unleash bots on a slew of other websites and try to log in with those stolen credentials, testing thousands of combinations.
“They only have a 0.1% hit rate,” Kamal said. “But guess what? Point zero percent of a billion is a million.”
The moral of this story? Use strong passwords, Kamal said. And use password vaults, or password managers, software or services that generate, store and access hard-to-crack passwords. And IT leaders will bolster cybersecurity by encouraging the use of multifactor authentication, which requires users to provide several pieces of identifiable information to prove they have authorization for a site or service.
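Credential stuffing leaves a recognizable trace on the defending side: one source address failing against many different usernames in a short time, which looks nothing like a single user mistyping a password. The Go program below is an added example, not code from the talk or the article. It parses a constructed login log and flags source addresses with many failures across many distinct accounts inside a sliding window; the log format, the thresholds and the IP addresses are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one parsed login attempt.
type AuthEvent struct {
	When    time.Time
	SrcIP   string
	User    string
	Success bool
}

// sampleLog is constructed for this example, in a hypothetical
// "<RFC3339 timestamp> <source IP> <username> <OK|FAIL>" format.
// 203.0.113.7 walks through many different usernames in quick succession
// (the stuffing pattern); 198.51.100.5 is one user who mistypes a password
// a few times and then succeeds; 192.0.2.9 is a single stray failure.
const sampleLog = `
2017-11-16T09:00:01Z 203.0.113.7 alice FAIL
2017-11-16T09:00:04Z 203.0.113.7 bob FAIL
2017-11-16T09:00:09Z 203.0.113.7 carol FAIL
2017-11-16T09:00:13Z 203.0.113.7 dave FAIL
2017-11-16T09:00:20Z 203.0.113.7 erin FAIL
2017-11-16T09:00:26Z 203.0.113.7 frank FAIL
2017-11-16T09:01:00Z 198.51.100.5 alice FAIL
2017-11-16T09:01:30Z 198.51.100.5 alice FAIL
2017-11-16T09:02:05Z 198.51.100.5 alice OK
2017-11-16T09:05:00Z 192.0.2.9 bob FAIL
`

// parseLog turns the raw log text into events, skipping blank lines and
// rejecting lines that do not have exactly four fields.
func parseLog(raw string) ([]AuthEvent, error) {
	var events []AuthEvent
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, AuthEvent{When: when, SrcIP: f[1], User: f[2], Success: f[3] == "OK"})
	}
	return events, nil
}

// Finding describes one source IP whose failure pattern looks like stuffing.
type Finding struct {
	SrcIP         string
	Failures      int // failed logins in the busiest window
	DistinctUsers int // distinct usernames tried in that window
}

// DetectStuffing flags source IPs that, within any window of the given size,
// produced at least minFailures failed logins against at least minUsers
// distinct usernames. A legitimate user retrying one account does not match.
func DetectStuffing(events []AuthEvent, window time.Duration, minFailures, minUsers int) []Finding {
	byIP := map[string][]AuthEvent{}
	for _, e := range events {
		if !e.Success {
			byIP[e.SrcIP] = append(byIP[e.SrcIP], e)
		}
	}
	var findings []Finding
	for ip, fails := range byIP {
		sort.Slice(fails, func(i, j int) bool { return fails[i].When.Before(fails[j].When) })
		best := Finding{SrcIP: ip}
		// Slide a window starting at each failure and keep the busiest one.
		for i := range fails {
			users := map[string]bool{}
			count := 0
			for j := i; j < len(fails) && fails[j].When.Sub(fails[i].When) <= window; j++ {
				users[fails[j].User] = true
				count++
			}
			if count > best.Failures {
				best.Failures, best.DistinctUsers = count, len(users)
			}
		}
		if best.Failures >= minFailures && best.DistinctUsers >= minUsers {
			findings = append(findings, best)
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].SrcIP < findings[j].SrcIP })
	return findings
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DetectStuffing(events, 5*time.Minute, 5, 4) {
		fmt.Printf("possible credential stuffing from %s: %d failures across %d accounts\n",
			f.SrcIP, f.Failures, f.DistinctUsers)
	}
}
```

The distinct-username condition is what separates stuffing from an ordinary lockout scenario: both produce bursts of failures, but only the stuffing bot spreads them across accounts. In production the same logic would feed a rate limiter or a step-up to multifactor authentication for the flagged source rather than just printing a line.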
Then, encrypt your data, Kamal said — convert readable text into a format that anyone who finds it cannot read or use. Much of the data stolen in the Equifax breach was either encrypted poorly or not encrypted at all. “And it was sensitive information,” he said.
All it takes is a simple configuration or a little bit of work to encrypt data, Kamal said. But when using encryption keys — the secret values that scramble and unscramble the information — practice proper key management. “Do not put the keys right next to the data on the same server.”
And also encrypt your keys, so that if someone finds them, they can’t be put to use.
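The two key-management rules above (keep keys away from the data, and encrypt the keys themselves) are usually implemented together as envelope encryption. The Go program below is an added example and is not code from the talk or the article: each record is encrypted with its own data-encryption key, that key is wrapped by a key-encryption key held by a separate key service, and only the ciphertext plus the wrapped data key is stored beside the data. The KeyService type, the Record layout and the sample record are assumptions for the example; in a real deployment KeyService would be backed by an HSM or a cloud KMS on a different host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyService stands in for a key-management system that lives on a different
// host from the data store. Assumption for this example: it is an in-memory
// struct so the program runs offline; the key-encryption key (KEK) never
// leaves it.
type KeyService struct{ kek []byte }

// NewKeyService generates a fresh 256-bit KEK.
func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

// Wrap encrypts a data key under the KEK; Unwrap reverses it.
func (k *KeyService) Wrap(dek []byte) ([]byte, error)     { return sealGCM(k.kek, dek) }
func (k *KeyService) Unwrap(wrapped []byte) ([]byte, error) { return openGCM(k.kek, wrapped) }

// Record is what is written next to the data: the ciphertext and the wrapped
// data key. The KEK itself never appears here, so a copy of the data store
// alone is useless.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// sealGCM encrypts with AES-256-GCM and prepends the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM splits off the nonce and decrypts; GCM also rejects tampering.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Encrypt creates a per-record data key, encrypts the plaintext with it, and
// stores the data key only in wrapped form.
func Encrypt(ks *KeyService, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the key service to unwrap the data key before the record
// can be read; without the KEK the record cannot be opened.
func Decrypt(ks *KeyService, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, r.Ciphertext)
}

func main() {
	ks, err := NewKeyService()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the demonstration.
	rec, err := Encrypt(ks, []byte("customer=jane.doe;ssn=000-00-0000"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(ks, rec)
	fmt.Printf("stored %d ciphertext bytes + %d wrapped-key bytes; recovered %q (err=%v)\n",
		len(rec.Ciphertext), len(rec.WrappedDEK), pt, err)
}
```

Because every record has its own data key, rotating the KEK means re-wrapping small keys rather than re-encrypting the whole data set, and the wrapped keys can sit beside the data without violating the rule in the quote, since they are themselves encrypted under a key that lives elsewhere.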
Finally, secure points of entry. Ports on servers that aren’t being used should be closed to prevent unwelcome visitors. Many don’t do it, Kamal said, citing a recent analysis that found more than 80% of major organizations have open ports, “which is like leaving windows and doors open for folks to come and start poking at you.”
Jeffrey Cunningham, director of enterprise architecture at Thomson Reuters in Boston, said following Kamal’s advice depends partly on the amount of technical debt an organization is dealing with. One example, Cunningham said, is legacy applications at companies that have grown through acquisition, as Thomson Reuters has.
“It’s more, How do you implement it? How much tech debt do you have that prevents you from doing those things?” Cunningham said. The advice itself, he noted, is common sense. “Everyone needs to be self-aware. I mean, you need to be aware of what you’re doing and not get yourself in trouble.”