FARGO - Network security has more to do with smoke and mirrors than actual security at many companies today, according to Corey Steele, network security engineer for local voice and data network solutions provider High Point Networks.
The self-taught cybersecurity expert gets paid to test companies' networks and says the days when firewalls, data backup and antivirus programs provided sufficient protection are over.
"A network that's protected just by a firewall, antivirus and backups in this environment is really akin to taking a super carrier from our American Navy today and dropping it into World War II. It would be a similar battle," Steele said. "The threats are so sophisticated and so capable that you can't just protect with those three controls anymore."
Steele says the No. 1 threat to a company's network security today is its employees. It's been his experience that "breaking into a network is much more difficult than breaking into a person."
"Trust is very deeply ingrained into our psyche. The easiest way for an attacker to get into a network is to break that trust," he said.
He has found two scenarios particularly successful.
One is where he poses as a telephone company representative and tells an employee he is there to check phone lines in the basement. Most let him in with no question. Once inside, he is able to pull out a wireless access point, plug it into the network and later get remote access from the parking lot.
The other is where he calls an employee and says he is working with the company's IT department. He proceeds to convince the employee to log into a remote help desk session with him. Once in, Steele explains "the fix" may take a while and suggests the employee take a break. Once he or she is gone, he is able to install malicious software.
Employees clicking on corrupt links or downloading attachments is another big threat. He said it's important that employees "trust, but verify."
"I tell people, if you get an email from someone with an attachment and you weren't expecting it, don't open that until you verified they actually sent it. At the end of the day, if I'm in your network, I can send email as anyone I want. It doesn't have to be from who it says it is," Steele said.
Steele's concerns were echoed by other cybersecurity professionals who attended last week's HiPoCon event sponsored by High Point Networks.
Tim Sanden, vice president of information technology at Cass County Electric, said the biggest security challenge he sees is the combination of email phishing and uncontrollable human curiosity. Phishing is an email fraud method where a victim is duped into revealing personal or confidential information the scammer can use illicitly.
In an attempt to prevent this from happening, Sanden said Cass County Electric employees are required to participate in online information security training. A few weeks after the training is complete, the company launches an internal phishing scheme meant to test employees.
"Even though people just went through the training on what a phishing email looks like and here are the red flags, when the email pops up and says 'You're not going to believe what Kim Kardashian did now,' they can't control themselves," Sanden said.
While it's disappointing, Sanden said their employees have a much lower "take rate" than average. Typically, 20 percent of users are duped, but theirs falls between 1 and 3 percent.
A good defense
When it comes to building a good defense, Steele refers to cybersecurity researcher Bruce Schneier's philosophy that it's not about how strong your security is, it's about how well it fails.
"That means you have to assume that you're going to get hacked and that it's going to be bad. It's about making your network resilient and able to fail gracefully. So, if someone is able to get past the first firewall, is that it? Is that the only defense you have in place or are there other layers?" Steele said.
Steele reiterated that cybersecurity training for employees is the best form of defense. In addition, he recommends storing different servers and user groups on different parts of the network, using multiple firewalls, and having systems in place to monitor the network and alert IT of different anomalies.
"If you can do that, then I think you're at least well positioned to respond to an incident even if you can't completely stop or prevent it," he said.