Are you helping threat actors to compromise your organisation?


James M, Enterprise Cyber – QinetiQ

After working in the world of information security for almost a decade, I’ve lost count of the number of events, webinars and cyber security panels that I’ve attended or been a speaker at. Sadly, I could use the same presentation today that I used in 2013, and it would arguably be more relevant now than ever. We now live in an era with increased regulation, record-breaking fines and ever-increasing budgets being spent on cyber defence.

Unfortunately, I commonly hear post-event feedback such as “It’s a bit security 101” or “I’ve not learned anything new” from seasoned professionals at some of the industry leading expos and more sensitive venues. Despite observations like this, it is regrettably common for well-funded organisations like theirs to become compromised and appear in the news because of failure to do the basics well. A company may invest millions, when all it may take is that one click or that one member of staff to compromise an organisation’s entire security posture.

If some of the largest organisations with their own dedicated security teams and expensive defences get compromised, security professionals in smaller organisations may well think: What are our chances? How can we cope?  Is it a losing battle? 

So, how do we move on whilst we’re still failing with the basics?  

There are seven simple things everyone can do to make life much harder for would-be attackers. These are some of the easy attack paths that QinetiQ’s full-spectrum red team are delighted to exploit when attacking target organisations:

  1. Limit the information about yourself, your specific role and specifics about your organisation online and on social media. Open Source Intelligence (OSINT) gathering data that is freely available about your organisation such as individual staff details, hobbies, family members, friends, the organisation itself, building layouts obtained through planning permissions, press photographs, etc.
  2. Do not click on links or open attachments from unknown or untrusted senders. The OSINT described above allows attackers to carefully craft spear-phishing emails that look legitimate to any one of us based upon data built around you, all harvested freely online and looking absolutely convincing.  This can dramatically increase the chance of you clicking nefarious links or entering communications, with the attacker’s aim of building trust, to then click links or open malicious documents in the future.
  3. Challenge anyone who is not showing a pass or one that doesn’t look authentic in any way. This is particularly important at reception desks, security barriers or doors with electronic locks. Social engineering can be easier and more convincing online than in person, though we have many war stories of the reverse.
  4. Remove staff passes in public, outside of your site locations. That makes it harder to forge them and reduces the chance of you being targeted.
  5. Limit conversations and telephone calls when in public places, which can easily be overheard. Avoid using company names/details.
  6. It can be more secure to Hotspot from your corporate devices rather than joining public Wi-Fi, even seemingly secured, you simply do not who else or what tools are on this available network or whether it’s a rogue access point?
  7. Ensure patching is managed, up to date and carried out regularly.

Watch our full-spectrum red team video to see some of these common mistakes in action.