By Jeremy Rasmussen
This is the last in a series of articles to inform multifamily professionals of the current cybersecurity threat-scape and recommend best practices for dealing with these issues. Read parts one, two, three and four.
It has been said that the most secure computer system is the one that is unplugged, wrapped in chains and sunk to the bottom of the ocean. However, it’s not very usable. Whenever humans interact with systems, they introduce errors, which can lead to exploits by attackers. People use weak passwords. People click on links to malicious sites. People give out too much information via email or phone.
In his book Secrets and Lies, cryptography expert and security pundit Bruce Schneier said he once naively thought having a strong enough cryptographic algorithm could solve any security problem. However, he later learned through implementing systems that they could easily be undone by humans – both in coding flaws by the implementers and in operational flaws by the users of the system.
“Security is a chain; it’s only as secure as the weakest link.” Scheneir said. “Security is a process, not a product.”
We especially see this in the multifamily housing industry. We are dealing with sensitive personally identifiable information (PII), customer communications, and financial transactions.
Often times, property managers are sold a bill of good health by an IT service provider – if you just connect to our cloud service, we’ll take care of everything for you. But if you think that, say, a Software as a Service (SaaS) technology alone can solve every security problem, then you don’t understand the problems and you don’t understand the technology.
When our firm advises people on security, we educate them to take a holistic view that encompasses policy, governance, software, hardware, systems, and – yes, people.
For example, a large property management company may have a centrally controlled IT infrastructure for the corporate network. However, often they are managing properties for a number of disparate owners, having a patchwork quilt of computers and networks out at the remote property sites. There is historically high turnover in the property management business, so often there are shared login accounts at these sites. Remote IT help desk support is difficult, thus, there are often times those remote computers are over-privileged (they have administrative capabilities to allow local users to install new printers and software, because that is difficult to manage remotely from a centralized IT help desk). Even though they are connecting into a secure cloud, those remote users and systems are very much at risk.
All of this leads to the perfect storm: lack of visibility into these remote sites, users prone to phishing and social engineering attacks, and a false sense of security because they’re connecting to a “secure cloud.”
The solution to this – besides as we have said earlier in this series about gaining network visibility through Security Information and Event Management (SIEM), intrusion detection monitoring, and active incident response – is continuous cybersecurity training for employees. As our article title indicates, your users offer the first and last line of defense. An untrained workforce can subvert other protections you have put in place. A well trained workforce, on the other hand, lowers risk.
I recently attended the Las Vegas hacking conference DEF CON and witnessed a Social Engineering competition in which contestants would call up a business and attempt to elicit sensitive data from unwitting victims. While the contest precludes any illegal activity, it was amazing to hear how readily people would give up information to an unknown caller – for example, the person’s location, operating system, IP address, and software version numbers. Several contestants got standing ovations from the audience when they were able to capture every flag, even to the extent of convincing their victims to type an address into their browser.
All of this information can be used for attackers to gain a foothold in a system, and then pivot into other systems where they can gain passwords, credit card numbers, and even bank account information. Whenever our penetration testing team is hired to try to break into a system and show them their security flaws, we undoubtedly start with a phishing attack first – it’s always the easiest way into a network.
Clearly, every organization needs a formalized cybersecurity awareness training plan, and a process for repeatedly beating it into employees’ brains! My recommended method is as follows:
- Policy. Develop an Acceptable Use Policy (AUP) for the organization. This should define people’s roles and responsibilities for security. It should outline the do’s and don’ts on the corporate network. This policy document should be readily accessible.
- Initial training. As part of the onboarding process, train new employees on the AUP, to the extent of making them pass a quiz on it, and then have them sign an acceptance of the AUP – all prior to granting them access to any computing assets.
- Ongoing training. Require periodic (say, annual) cybersecurity awareness training – either live in-person sessions, educational videos, or other computer-based training. Make sure this training is concise, engaging, and relevant. Remember, attackers’ methods change often. For example, no one was talking about ransomware five years ago. So, your training needs to be fresh.
- Phishing campaigns. You should send periodic fake phishing emails to your employees, and track their response to them. Those who fall victim to these attacks should receive remedial training. Habitual offenders might require H.R. action – because they are continually putting the company at risk. Note that you don’t have to run these campaigns yourself. Our firm, for example, is a managed security services provider (MSSP) that can configure, manage, phish, and report analytics on a monthly basis for you.
Our experience has shown that companies for which we run continuous phishing programs can reduce their “click-though” rate for phishing emails from 20 to 25 percent initially, down to less than 3 percent. That is a significant reduction in the attack surface of the organization. We can never eliminate all risk in the enterprise, but by making it as small as possible, hackers will move on to lower hanging fruit.
Jeremy Rasmussen is chief technology officer & cybersecurity director of Abacode, a company based in Tampa, Fla., that provides all aspects of cybersecurity for growing organizations and employs global thought leaders and industry experts in ethical hacking, digital forensics and corporate governance.