It’s here: the cheat sheet your business needs on hand to get on top of cyber security. Type ‘business cyber security’ into Google and you’ll get more hits than you can poke a stick at. Who has time to read through even the first page of long-winded results, picking and choosing what may or may not apply to your business? But what choice do you have if you want the important information?
Stanfield IT have taken it in our stride to make your life easier by putting together a cyber security cheat sheet that has everything you need to plan and implement business cyber security in your organisation. Useful links, tools, and our own tried-and-tested tactics make up our cheat sheet – with an emphasis on the notifiable data breaches scheme and the Essential Eight.
What does business cyber security cover?
Contrary to popular belief, cyber security doesn’t just cover the tangible resources (software, firewalls, etc.) you use to prevent hackers entering your systems. The proper education and training of employees is one of the most valuable tools against malicious attack and data theft. Knowledge is our greatest resource! No matter how much you spend on anti-virus software, there will be loopholes hackers will utilise if your employees are not across what an attack looks like and how to react to one. Employees who don’t let hackers into your system will be your business’s greatest line of defence.
Where to begin.
Start off by doing your research. This doesn’t have to be as time consuming as you’re thinking – we’ve put the resources together for you. When it comes to cyber security, there is no denying that you should be following global and national standards—they’re here for a reason. Many small business owners think these standards and recommendations don’t apply to them: that they’re in place for large corporations, government entities, and sectors like health and education. Wrong! They can also be widely applied to small-to-medium businesses, no matter what their industry, niche, or target market is.
If you have not thought about establishing a business cyber security response team and plan, it’s useful and easy to do: simply hold a meeting to allocate roles to employees (HR, managers, etc.) for the case of a data breach. That way, a resolution will be much easier to find. Take a look at how to go about doing this:
Let’s take a look.
The Notifiable Data Breaches scheme has been put in place by the Australian government to hold businesses accountable if a data breach occurs that could jeopardise someone’s confidential information:
A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and us when a data breach involving personal information is likely to result in serious harm. (Source: oaic.gov.au)
Before the Notifiable Data Breaches Scheme was introduced, individuals didn’t have much protection when it came to trusting their information to organisations, big and small—and we often don’t have much choice but to hand over our contact details, medical history, etc., if we want to receive services. With this scheme, organisations must be more transparent with their clients and proactive with security.
We’re here to help you identify whether a business (yours!) falls under the NDB scheme. Fortunately, this is quite simple: ANY organisation or agency covered by the Privacy Act 1988 must comply with the Notifiable Data Breaches Scheme. If you’re in healthcare, this most certainly means you, as all healthcare providers fall under the Act. However—this is where it may get a bit tricky—not every incident needs to be reported to the OAIC (Office of the Australian Information Commissioner), so the hard part is knowing which incidents you need to report and which you don’t.
But you can’t just send the affected person/s an email or voice message and think the incident is done and dusted, that this is the end of your business cyber security incident. It’s your responsibility as a business to provide them with recommendations as to the steps they need to take in response to this incident—they may not know the implications of their data being breached, or, on the other end, catastrophise the situation. It’s your responsibility to let them know what happened, what the outcome could be, and the steps that will be taken next.
What needs protecting?
There are numerous ways your business can be susceptible to a breach of security that results in data being jeopardised… what none of us want! The networks, servers, email accounts, passwords, Cloud services, and prescription services across your workplace all need protecting. Let’s go over the ways in which data can be exposed. This might be a little technical but bear with us.
A cyber vulnerability is where you have the intersection of three factors.
But how do attackers use these vulnerabilities to reach your business data in the first place? There are lots of ways these flaws can come to pass; let’s go through some of the most common issues and then, further on, see how we can protect your business against them!
An injection vulnerability can occur in any application that allows a query input that communicates with a back-end database. SQL is probably the most common example of this. This essentially allows the attacker to bypass the intended function of the application, and execute a malicious query. Using the SQL example, the attacker can input a malicious command that alters the path of execution. This can cause the program to retrieve and dump sensitive data into unauthorised hands.
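To make the injection example concrete, here is an added illustration (not code from the original article) of the same user lookup written two ways against an in-memory SQLite database with constructed sample rows. The table, the rows and the function names are assumptions for the example; the point is that string concatenation lets caller-supplied quotes rewrite the query, while a parameterised query treats the same text as plain data.

```python
"""Added example: injectable vs parameterised SQL lookup (sqlite3, stdlib only)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two user rows in a throwaway in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-password", "admin"),
         ("bob", "hash-of-bob-password", "staff")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # DEFECT, kept on purpose to show the flaw: the caller's text is pasted into
    # the statement, so a quote character in it changes what the query means.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the statement text is fixed and the value travels
    # separately, so a quote in the input is just a character to compare.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # the textbook tautology input
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row comes back
    print("safe      :", find_user_safe(db, probe))         # no row has that name
```

The fix is not input filtering but the query shape: `find_user_safe` never lets the database parser see user-controlled text as SQL, which is the property to look for in code review.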
A buffer overflow vulnerability is a common weakness that is frequently present in operating system code. While buffer space and memory layout is generally well-defined, sometimes anomalies occur where you have too much data input. This causes the buffer space to ‘overflow’. It is in this overflow space that an attacker can enter malicious executable code and potentially gain access.
This one is a little more self-explanatory. Sensitive Data Exposure occurs when an application does not sufficiently protect sensitive information from being disclosed to attackers. The attacker could, for example, intercept the data between a server and a browser. This is creatively known as a Man-In-The-Middle attack. The biggest causes of this weakness are a lack of encryption, weak key generation, and weak algorithms.
This type of flaw is difficult to eliminate due to the variety and number of authentication methods. Each user can employ different methods, and there are multiple ways an attacker can bypass these mechanisms. They could, for example, use the aforementioned injection attack to retrieve a session identifier, or reuse an old session token. With that, they could access your online banking, because they’ve tricked the server into thinking you never logged out. Yikes.
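The "never logged out" problem above comes down to what the server does with a session token after logout and after a period of inactivity. The following added example (not code from the original article) is a minimal server-side session store with the three controls that close that gap: unguessable identifiers from the operating system's CSPRNG, an expiry, and real invalidation on logout so an old token cannot be replayed. The class, method names and the 15-minute lifetime are assumptions for the example.

```python
"""Added example: a session store that rejects reused or expired tokens."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

SESSION_LIFETIME_SECONDS = 15 * 60   # assumed policy value for this example


@dataclass
class Session:
    user: str
    expires_at: float


class SessionStore:
    """Server-side table of live sessions keyed by their identifier."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now          # injectable clock so the expiry path can be exercised
        self._sessions = {}      # token -> Session

    def login(self, user: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG; random.random() is
        # predictable and must never be used for identifiers like this.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._now() + SESSION_LIFETIME_SECONDS)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Return the user bound to a token, or None if it is unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._now() >= session.expires_at:
            del self._sessions[token]    # expired tokens are dropped, not kept around
            return None
        return session.user

    def logout(self, token: str) -> None:
        # Deleting server-side state is what makes logout real: a browser merely
        # discarding its cookie would leave the token valid for anyone who has it.
        self._sessions.pop(token, None)

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for the same user and retire the old one, which
        limits how long a captured identifier stays useful."""
        user = self.user_for(token)
        if user is None:
            return None
        self.logout(token)
        return self.login(user)
```

The injectable clock is there so the expiry branch can be tested deterministically; in production `time.time` is used unchanged.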
This type of flaw is possibly the most common and dangerous of all. Some examples include: running outdated software, applications running in debug mode, running unnecessary services on the system, not changing factory settings (e.g. default passwords), and incorrect exception management that allows system information to be disclosed to attackers. Thanks to some ethically-dubious products on the market, an attacker is easily able to identify systems that are not properly configured.
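Each misconfiguration named above can be checked mechanically. Here is an added example (not code from the original article) of a small audit that reads an INI-style application configuration and flags debug mode, verbose error disclosure, an outdated version, factory-default credentials, and services enabled outside an approved list. The sample configuration, the list of default credential pairs, the approved services and the minimum version are all constructed for the example; a real audit would read the deployed files and the organisation's own policy values.

```python
"""Added example: audit an application config for common misconfigurations."""
from __future__ import annotations

import configparser

# Constructed sample config in INI form; a real audit reads the deployed file.
SAMPLE_CONFIG = """
[app]
debug = true
show_stack_traces = true
version = 2.3.1

[database]
user = admin
password = admin

[services]
enabled = web, ssh, telnet, ftp
"""

# Assumed policy values for this example.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
APPROVED_SERVICES = {"web", "ssh"}
MINIMUM_VERSION = (2, 4, 0)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def audit_config(config_text: str) -> list[str]:
    """Return one human-readable finding per misconfiguration detected."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    findings: list[str] = []

    if cfg.getboolean("app", "debug", fallback=False):
        findings.append("app.debug is on: debug mode exposes internals and must be off in production")
    if cfg.getboolean("app", "show_stack_traces", fallback=False):
        findings.append("app.show_stack_traces is on: error details are disclosed to clients")

    version = cfg.get("app", "version", fallback="0")
    if parse_version(version) < MINIMUM_VERSION:
        findings.append(f"app.version {version} is below the supported minimum; patch it")

    creds = (cfg.get("database", "user", fallback=""),
             cfg.get("database", "password", fallback=""))
    if creds in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("database credentials are a factory default pair; change them")

    enabled = {s.strip() for s in cfg.get("services", "enabled", fallback="").split(",") if s.strip()}
    for svc in sorted(enabled - APPROVED_SERVICES):
        findings.append(f"service '{svc}' is enabled but not approved; disable it")

    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Running it on the sample produces six findings; a configuration that passes every check returns an empty list, which is the state a build pipeline should require before deployment.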
The business cyber security tools we use to prevent the above vulnerabilities, as per the OAIC’s Essential Eight:
- Application whitelisting. Whitelist approved applications and programs to prevent execution of malicious software.
- Patch applications. Keep applications like PDF viewers, browsers, and Office fully up to date to avoid security vulnerabilities.
- Configure macros. Configure Microsoft Office to block macros from the Internet to stop delivery of malware.
- Application Hardening. Configure browsers to block apps like Flash, ads and Java which are often guilty of executing malware.
- Restrict admin privileges. Frequently revise and update admin privileges as roles require. Admin accounts should never be used for email or web browsing.
- Patch operating systems. Keeping your OS up to date is vital to preventing security vulnerabilities across the network.
- Multi-factor authentication. Additional verification for account access will mitigate most phishing attacks being successful.
- Daily backups. Frequently back up your system with periodic testing to insure your information against any incidents.
Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Why: All non-approved applications (including malicious code) are prevented from executing.
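To show what "only approved applications execute" means in practice, here is an added example (not code from the original article or any vendor product) of the decision logic behind a hash-based application control policy: a file of a controlled type may run only if its SHA-256 digest is on the approved list, regardless of its name or location, and anything else is blocked. The controlled file types follow the list above; the approved set and the sample files are constructed in a temporary directory for the demonstration.

```python
"""Added example: allow/block decision of a hash-based application control policy."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# File types the policy controls: executables, DLLs, scripts run by Windows
# Script Host / PowerShell / HTA, and installers.
CONTROLLED_SUFFIXES = {".exe", ".dll", ".ps1", ".vbs", ".js", ".wsf", ".hta", ".msi"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(path: Path, approved_hashes: set[str]) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for a request to execute `path`."""
    if path.suffix.lower() not in CONTROLLED_SUFFIXES:
        return "allow", "file type is not covered by the policy"
    digest = sha256_of(path)
    if digest in approved_hashes:
        return "allow", f"sha256 {digest[:12]}... is on the approved list"
    # Default deny: an unknown hash is blocked even if the name looks harmless.
    return "block", f"sha256 {digest[:12]}... is not on the approved list"


def demo() -> dict[str, str]:
    """Constructed files: one vetted tool, a renamed copy of it, an unvetted script, a document."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved_tool = root / "approved_tool.exe"
        approved_tool.write_bytes(b"constructed: content of a vetted installer")
        renamed_copy = root / "updater.exe"
        renamed_copy.write_bytes(approved_tool.read_bytes())   # same bytes, different name
        unapproved = root / "invoice.hta"
        unapproved.write_bytes(b"constructed: content of an unvetted script")
        document = root / "report.txt"
        document.write_bytes(b"constructed: plain document")

        # In practice the approved set comes from a vetting process and is
        # distributed to endpoints; here it is seeded from the one vetted file.
        approved = {sha256_of(approved_tool)}
        return {p.name: decide(p, approved)[0]
                for p in (approved_tool, renamed_copy, unapproved, document)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5}  {name}")
```

Note that the renamed copy is still allowed and the unvetted script is blocked whatever it is called: hash-based control keys on content, not on file names, which is why it resists simple renaming.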
Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
Why: Security vulnerabilities in applications can be used to execute malicious code on systems.
Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.
Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Why: Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Why: Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Why: Security vulnerabilities in operating systems can be used to further the compromise of systems.
Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Why: To ensure information can be accessed following a cyber security incident (e.g. a ransomware incident).
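The backup control above has two halves: take the copy, and prove it can be restored. The following added example (not code from the original article) implements a daily backup of new or changed files with a SHA-256 manifest, then a restore test that copies every file back and verifies each one against the manifest, so silent corruption of the backup is caught before the day it is needed. Directory names and sample files are constructed in a temporary folder; in real use the backup destination would be disconnected media or an offline repository.

```python
"""Added example: incremental backup with a checksum manifest, plus a restore test."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_changed(src: Path, dest: Path, previous: dict[str, str]) -> dict[str, str]:
    """Copy files whose content differs from the previous manifest; return the new manifest."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest: dict[str, str] = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        manifest[rel] = digest(f)
        if previous.get(rel) != manifest[rel]:        # new or changed since last run
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, target)
    # The manifest records what a complete restore must reproduce.
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(backup: Path, restore_to: Path) -> list[str]:
    """Restore every manifest entry and return the names that are missing or corrupted."""
    manifest = json.loads((backup / "manifest.json").read_text())
    failures = []
    for rel, expected in manifest.items():
        source = backup / rel
        target = restore_to / rel
        if not source.exists():
            failures.append(rel)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source, target)
        if digest(target) != expected:               # restored bytes must match the manifest
            failures.append(rel)
    return failures


def demo() -> dict:
    """Two simulated days of backups, a clean restore test, then one after corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, store, restore = root / "live", root / "backup", root / "restore"
        (live / "records").mkdir(parents=True)
        (live / "records" / "patients.csv").write_text("constructed sample rows\n")
        (live / "config.ini").write_text("[app]\nversion = 1\n")

        day1 = backup_changed(live, store, {})
        (live / "config.ini").write_text("[app]\nversion = 2\n")   # day 2: one file changed
        day2 = backup_changed(live, store, day1)
        changed = sorted(k for k in day2 if day1.get(k) != day2[k])

        clean = verify_restore(store, restore / "clean")
        # Simulate bit rot on the backup media and re-run the restore test.
        (store / "records" / "patients.csv").write_bytes(b"constructed: corrupted copy")
        corrupt = verify_restore(store, restore / "corrupt")
        return {"changed_on_day2": changed, "clean_failures": clean, "corrupt_failures": corrupt}


if __name__ == "__main__":
    print(demo())
```

The restore test is the part most often skipped; scheduling `verify_restore` initially, annually and after infrastructure changes, as the text recommends, is what turns a backup into a recovery capability.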
To wrap it all up
We realise that we have provided you with a lot of info, but it’s all compiled into this one, succinct cyber security cheat sheet, complete with links to more detailed information on the topic you’re reading about. Make a new Bookmarks folder of any of the links about topics that are relevant to your business, or that you’re yet to implement but now have the heads up on. Also save this link as your go-to resource on business cyber security.
If we’ve whet your appetite and you want to get on top of your business cyber security right now, reach out to Stanfield IT for a free cyber security analysis of your business.