How do you inspire mistrust of the Internet when your colleagues routinely ask it to pay their bills, deliver groceries, and check in on their mom? The bottom line is you can’t, or at least to do so might become counter-productive as we need innovative ideas to move our agencies forward, not cynicism and fear. But in the face of increasingly damaging ransom ware and phishing attacks, how do we safeguard our vital data vaults from the innocent employee mis-click or well-disguised but malicious lures? This is one place where building a proper wall not only makes sense, but doesn’t cost much and won’t significantly inhibit the workflow of your team.
The first part of this wall does require a bit of awareness reform. Assumptions about the safety of certain links and files need to be upended, and then replaced with a better understanding of how to identify threats independently. If the end user is the weakest link in your security grid, then building up the end user’s defenses makes a lot of sense.
We did this at Foothill Transit by piggybacking on National Cyber Security Awareness Month, which is every October. The Department of Homeland Security provides a free, well-crafted tool-kit designed to fully inform your team about myriad cyber security issues ranging from social media and using public WiFi, to scam tactics, and phishing. Supplementing regular email tutorials with face-to-face Q&A sessions can drive home the good habits you need people to emulate.
Safeguarding access to the network comes next. Usually entry is governed by a user ID and a password, with the password usually created by the end user. If it’s just one word or a name, it only takes a hacker 1.37 milliseconds to breach it, less, if the word is only one or two syllables. If the word is intentionally misspelled, add nine minutes. Add a capital letter? Now we start to see some traction. A capital letter on a three-syllable word can take a month to breach. Add a number and you start getting into years. Add a symbol like “!” or “@” and the predictions get into decades or even centuries, but we can expect those estimated times to reduce significantly over time as hackers get more savvy and as technology evolves. The point being that right now in 2017, requiring end users to complicate their passwords by just a couple of symbols can create a nearly impenetrable barrier at what is potentially a serious weak point. The cost? A few emails, maybe some well-written protocols and policies, and a little creativity.
The Department of Homeland Security provides a free, well-crafted tool-kit designed to fully inform your team about myriad cyber security issues ranging from social media and using public WiFi, to scam tactics and phishing.
In the end though, relying entirely on your end user to buy into policies and procedures still leaves a few gaping holes. Human error and routine being what it is, it makes sense to install another form of authentication outside of end user control that narrows network access even further. At Foothill Transit, this came in the form of randomly generated codes with a short shelf life. Codes could be accessed on a small key ring fob or via an app on a cell phone, only last 60 seconds, and are required prior to entering a personal password. This coded entry point is the gate before the gate, and self-destructs if not used in time. Team members with direct server access add another layer of authentication in the form of a PIN.
All of this adds up to, what we hope, is an unbreachable network — at least for now. In a few months it’s entirely possible that one or all of these tips will be upended and new tactics will have to be employed. In which case keeping isolated in the server room can cripple you as easily as a bad email link. Staying on top of this constant evolution, in the form of training, conference attendance, and sharing strategies and ideas with other security minded professionals isn’t optional and should be baked into your team’s culture and workflow. This can be difficult when the helpdesk piles up. Network wellness is only as robust as the people working it, so make sure you’re paying attention to their needs as well as the network’s.
Donald Luey is the IT Director for Foothill Transit.