Roofing contractors and others in the construction industry increasingly are being targeted by malicious hackers for financial gain or competitive advantage. I'm guessing many Professional Roofing readers have accounts set up with Home Depot. Are you aware there were an estimated 56 million credit cards stolen from the company during 2014? The cost of recovery for Home Depot has been estimated to be upward of $10 billion during the next decade.
Cybersecurity affects everybody and every industry regardless of their levels of dependence on technology. This became shockingly clear to me when my 2-year-old received his first data breach notification letter in 2015. He had never been online, never had a credit card, etc., but as a victim of the Premera BlueCross data breach, my 2-year-old will live out his entire life with a compromised Social Security number. I share this story routinely when speaking at conferences because one of the most common questions I am asked is: "Do I really need to be concerned about having my identity stolen?"
Who is getting hacked and why?
It is becoming difficult to ignore the fact that cybersecurity compromises are now the norm. From Home Depot and Target to Anthem and Premera BlueCross, it is clear every industry in every sector is at risk. But it isn't just the big companies with high-profile data breaches that are falling prey. Companies of all sizes are being targeted by malicious hackers around the globe.
Small businesses make attractive targets to those looking for new organizations to victimize, and the roofing industry is no exception. Although contractors and small businesses tend to have less revenue and less sensitive information to steal than large global companies, they also tend to have far less mature cybersecurity programs. Budget considerations lead decision makers to err on the side of saving money rather than proactively spending on initiatives to secure their information technology (IT) enterprises and sensitive information.
Many organizations still are running the old playbook with regard to securing sensitive data. These operations fail to keep up with emerging trends and believe the dated technical controls of antivirus, patch management and traditional firewalls will keep them safe. They fail to recognize that newer threats can bypass these controls with minimal effort.
How are companies compromised?
Malicious hackers usually gain unauthorized access or extract sensitive data from a system through one of three attack vectors: vulnerabilities in the network infrastructure (unpatched software and configuration errors), vulnerabilities in web and mobile applications, and social engineering.
Vulnerabilities within the IT enterprise may allow attackers to gain access by exploiting unpatched applications and services, as well as by taking advantage of configuration errors. Every device connected to your network, including servers, printers, network routers and switches, laptops, desktop computers, smartphones and other mobile devices, is a potential opening to sensitive information.
Configuration errors are the second kind of infrastructure vulnerability. Often, an IT department will roll out databases, printers or firewalls and fail to change the manufacturer's default password. Anyone who can find the misconfigured system can then log in, and a single foothold of this kind can lead to deeper compromises within the network. Hackers are known to pivot from one IT resource to another to extend their reach inside a network they have compromised: once they are in using default credentials, they may be able to move to other systems in the protected network environment.
Vulnerabilities in websites and mobile applications pose multiple risks to an organization's sensitive data. Often, organizations have sensitive data stolen through their web applications without realizing the systems have been compromised. SQL (the language used to query and manage databases) injection is one of the attacks criminals most commonly use to hijack a web application's backend database. It occurs when an application builds a database query by pasting user-supplied input, such as a search term or a login name, directly into the query text instead of passing it as a bound parameter. Once attackers have discovered a vulnerable parameter, they can issue SQL queries or database commands of their choosing, ultimately giving them full access to the data.
We also see cases where SQL injection is used to gain control of the underlying operating system itself, giving criminals administrative-level privileges on the server. With that level of access, other sensitive files such as spreadsheets or documents can be read as well. Full administrative privileges also let attackers further compromise your environment: install malware or backdoors to maintain access, explore trust relationships the server has with other internal network systems, add keystroke loggers to monitor users of the system and more. At this point, the attacker can do essentially anything to the server your IT department can do. There are many other ways to compromise a web application, such as cross-site scripting and command injection, but SQL injection is one of the more prominent attacks we see in practice and serves as a relevant example of the risks your organization may face.
The third and most common way organizations have their data compromised is social engineering: nontechnical techniques criminals use to exploit your employees rather than your systems. These attacks include email phishing, pretext phone calls, rogue media or storage devices (such as USB drives dropped on your organization's doorstep), dumpster diving and any other situation in which people make mistakes securing sensitive information.
You could have the best technology in place, configured correctly, with a team of security experts monitoring it 24/7, but if a malicious individual can persuade one of your employees to disclose his or her username and password, company systems can be compromised without raising any alarms. Such operations have been so effective that we see more than 90 percent of data breaches using a phishing email as their initial entry into the environment.
How to improve cybersecurity
The best way to improve your security posture is to implement a formalized cybersecurity program. This includes refining IT-centric policies, procedures, training and technology testing, complemented by the creation of a cybersecurity governance committee. The committee is critical to ensure continuity when the inevitable happens: the person responsible for your company's IT decides to move on. The committee should meet quarterly, or as often as is appropriate, to maintain awareness of security initiatives. Stakeholders meet to ensure the security program is adequate for the organization without overburdening operations with time and cost requirements.
In the network environment, unpatched programs running on devices may enable an attacker to gain control by exploiting known vulnerabilities. This is why all major software vendors, from Microsoft to Apple to Adobe, routinely release updates and patches. In most of the network assessments my company conducts, 5 to 10 percent of systems in the environment typically are missing patches even where automated patch management solutions have been implemented. The patch level of network devices should be validated through routine vulnerability scanning and penetration testing. This serves as a "second set of eyes" to verify the patches you deploy actually are being applied system-wide.
For securing your organization's web applications, my company recommends a few proactive steps to ensure you are following best practices and have an adequate level of awareness regarding your security posture. A simple first step is to install a web application firewall (WAF) in front of your internet-facing web servers. A WAF inspects incoming requests and blocks those that match known attack strings.
Although a WAF provides a quick win toward protecting your websites, it recognizes only the attack patterns it has signatures for, and attackers routinely reword their payloads to slip past them. The emphasis therefore should be placed on remediating vulnerabilities in the application's source code itself. These deficiencies typically are uncovered through automated vulnerability assessments and manual penetration testing, also called ethical hacking.
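The following Python script is an added example, not code from this article or from Security Pursuit. It puts the two preceding points side by side: the SQL injection flaw described earlier (a query assembled by string concatenation versus the same query using a bound parameter) and why a signature-based WAF is only a stopgap. The customers table, its three records and the tiny block list are constructed for illustration, and the function names are assumptions; it uses Python's built-in sqlite3 module so it runs with no extra setup.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
CUSTOMERS = [
    ("Acme Roofing", "4242"),
    ("Summit Contractors", "1881"),
    ("Ridgeline LLC", "0005"),
]

# A deliberately tiny signature list standing in for a WAF rule set (assumption).
BLOCKED_PATTERNS = ["' or 1=1", "union select", "--", "drop table"]


def make_db():
    """Create an in-memory database with a customers table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)", CUSTOMERS
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the caller's input is pasted into the SQL text, so a quote
    in the input ends the string literal and whatever follows becomes SQL."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Fixed: the input travels as a bound parameter. The statement's structure
    is settled before the value is supplied, so the value can only ever be data."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def naive_waf_allows(value):
    """Signature check of the kind a basic WAF rule applies: refuse the request
    if the input contains any known attack string (case-insensitive)."""
    lowered = value.lower()
    return not any(pattern in lowered for pattern in BLOCKED_PATTERNS)


def demo():
    """Run both lookups against a textbook payload and a reworded variant."""
    conn = make_db()
    textbook = "' OR 1=1 --"   # the classic payload every signature list knows
    variant = "' OR 'x'='x"    # same effect on the query, nothing on the block list
    return {
        "textbook_blocked_by_waf": not naive_waf_allows(textbook),
        "textbook_rows_vulnerable": len(lookup_vulnerable(conn, textbook)),
        "variant_allowed_by_waf": naive_waf_allows(variant),
        "variant_rows_vulnerable": len(lookup_vulnerable(conn, variant)),
        "variant_rows_safe": len(lookup_safe(conn, variant)),
        "legit_rows_safe": len(lookup_safe(conn, "Acme Roofing")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, it shows the signature filter stopping the textbook payload while the reworded variant sails through and still returns every customer record from the concatenated query; the parameterized query returns nothing for either payload and still finds the legitimate customer. A production WAF carries a far larger rule set than the four strings here, but the principle is the same: the filter can only refuse what it has seen before, whereas the bound parameter removes the flaw.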
My company recommends organizations conduct penetration tests against the network environment and web applications annually or whenever major changes are made. My company's security team works closely with IT departments or outsourced IT providers to help ensure security controls and remediation of vulnerabilities discovered during testing are effectively implemented.
Your best defense against social engineering attacks is educating employees about the threats they may encounter. All employees with network access, from the CEO to the temporary administrative assistant, should participate in a security awareness training program. The training should cover what information is sensitive at your organization and how to report suspicious incidents, as well as a comprehensive discussion of the specific threats employees may face, such as the phishing emails, pretext calls and dropped USB drives described above.
Finding the right cost-benefit balance can be challenging when it comes to cybersecurity, but proactive spending is always a better alternative than reactively responding to a data breach.
Steve Fox is CEO of Security Pursuit LLC, Denver.