Network security has more to do with smoke and mirrors than actual security at many companies today, according to Corey Steele, network security engineer for local voice and data network solutions provider High Point Networks.
The self-taught cybersecurity expert gets paid to test companies’ networks and says the days when firewalls, data backup and antivirus programs provided sufficient protection are over.
“A network that’s protected just by a firewall, antivirus and backups in this environment is really akin to taking a super carrier from our American Navy today and dropping it into World War II. It would be a similar battle,” Steele said. “The threats are so sophisticated and so capable that you can’t just protect with those three controls anymore.”
Steele says the No. 1 threat to a company’s network security today is its employees. It’s been his experience that “breaking into a network is much more difficult than breaking into a person.”
“Trust is very deeply ingrained into our psyche. The easiest way for an attacker to get into a network is to break that trust,” he said.
He has found two scenarios particularly successful.
One is where he poses as a telephone company representative and tells an employee he is there to check phone lines in the basement. Most let him in with no question. Once inside, he is able to pull out a wireless access point, plug it into the network and later get remote access from the parking lot.
The other is where he calls an employee and says he is working with the company’s IT department. He proceeds to convince the employee to log into a remote help desk session with him. Once in, Steele explains “the fix” may take a while and suggests the employee take a break. Once he or she is gone, he is able to install malicious software.
Employees clicking on corrupt links or downloading attachments is another big threat. He said it’s important that employees “trust, but verify.”
“I tell people, if you get an email from someone with an attachment and you weren’t expecting it, don’t open that until you verified they actually sent it. At the end of the day, if I’m in your network, I can send email as anyone I want. It doesn’t have to be from who it says it is,” Steele said.
Steele’s concerns were echoed by other cybersecurity professionals who attended last week’s HiPoCon event sponsored by High Point Networks.
Tim Sanden, vice president of information technology at Cass County Electric, said the biggest security challenge he sees is the combination of email phishing and uncontrollable human curiosity. Phishing is an email fraud method where a victim is duped into revealing personal or confidential information the scammer can use illicitly.
In an attempt to prevent this from happening, Sanden said Cass County Electric employees are required to participate in online information security training. A few weeks after the training is complete, the company launches an internal phishing scheme meant to test employees.