If a city focuses on information security, it likely focuses on securing servers, computers, laptops, and network equipment. However, hackers are smart, and their attacks are ever-changing. Like a thief, cybercriminals will look for weaknesses in places you overlook. If you’ve locked your doors, the burglar will try an unlocked window. If you’ve locked your doors and windows, the burglar may try to enter by posing as a trusted guest—and so on.
In cyberspace, cybercriminals apply the same tactics—and their tactics grow more sophisticated with time. According to an article in Help Net Security, “Trend Micro Research analyzed forums in the Russian, Portuguese, English, Arabic, and Spanish language-based underground markets to determine how cybercriminals are abusing and monetizing connected devices. The results reveal that the most advanced criminal markets are Russian- and Portuguese-speaking forums, in which financially driven attacks are most prominent. In these forums, cybercriminal activity is focused on selling access to compromised devices – mainly routers, webcams and printers – so they can be leveraged for attacks.”
Part of a thorough information security plan includes securing overlooked items with vulnerabilities. Here are five common risks you need to address.
1. Printers and copiers
Because printers and copiers have simple functions compared to servers and computers, it’s easy to think of them as simple machines. However, they are connected to the internet and, like anything connected to the internet, can be hacked and exploited. Referring to research by NCC Group, a spokesperson for the company said the following in a recent Mashable article: “These flaws could be used by criminals to gain long-term backdoor access into companies for possibly years on end, allowing them to come and go as they please, undetected, stealing sensitive data. What’s more, criminals can spy on every print job and even send documents being printed to themselves or other unauthorized third parties.”
Do you like the idea of a hacker easily seeing everything you print or copy? You probably print and copy a lot of confidential and sensitive material. A city should take steps to lock down, secure, and monitor printers and copiers. Default printer and copier configurations, passwords, and security settings may not be enough security for your city.
2. Wireless routers
Two different mentalities around technology exist for non-technical people. First, there is TECHNOLOGY—sophisticated, complex stuff that only IT professionals know how to handle (such as a server). Second, there is technology you buy for fun at a retail store and set up yourself at home.
This distinction is important because it affects how city employees treat technology. While a server or computer is more sophisticated and left to the “IT guy,” a wireless router may be seen as something you can buy during your lunch break, bring back to the office, and set up for everyone. Then, you’ve got wireless access!
The problem: You are not an IT professional. Misconfiguring a wireless router can leave gaping security holes open. We wrote an article a few years ago that goes into more detail about wireless security, but the main points included:
- Securing and locking down all wireless devices.
- Removing physical wireless access hardware from the public or unauthorized employees.
- Applying patches and upgrades to wireless devices.
- Using appropriate wireless hardware and configuring it appropriately.
- Monitoring and maintaining your wireless network for security breaches.
3. Social engineering over the phone
Social engineering has become an important tactic for cybercriminals. Think about it. You can have the best digital security technology and tools on the planet, but if a cybercriminal tricks a city employee into providing remote access to a PC or gets them to wire thousands of dollars to a criminal’s account, then all the digital security tools you own mean little.
Criminals use multiple methods to hack into your information. If they can get a password over the phone from you, then they can break into a server or someone’s account to access confidential and sensitive information. Cities need processes to help them deter criminals over the phone and limit the information shared, even if someone sounds convincing. For example, even if you are 100 percent sure you know it’s an employee or an IT support person on the phone, you should never give out a password. Never, never, never provide someone your password. Period.
4. Unauthorized software
What starts out as employee stubbornness or rebellion leads to security risks and breaches when unauthorized software enters your network. Examples include employees who take brief breaks to blow off some steam by playing games, taking fun quizzes, or watching videos.
Each download, installation, and use of this unauthorized software increases the risks of viruses and malware sneaking in through a backdoor. We wrote about this subject in more detail a few years ago, but a few immediate questions to ask include:
- Where did this software come from?
- Who is patching and updating the software?
- How do you know you haven’t downloaded a virus or malware?
- What happens if your employee needs helpdesk support?
- Are you sure that your employee isn’t breaking the law?
- What happens if you lose data?
- Do unauthorized people have access to data?
- What happens when software conflicts with the employee’s machine or device?
5. Mobile devices
It’s smart to limit how much city business information a person’s smartphone can access. According to some research reported earlier this year in ZDNet, “Malware attacks against mobile devices -- and Android handsets in particular -- have rocketed this year, with hackers increasingly turning their attention to attacking smartphones with credential-theft, surveillance, and malicious advertising. Researchers at Check Point examined cyberattacks in the first half of 2019 and found that those targeting smartphones and other mobile devices have risen by 50% compared with last year.”
You cannot rely on city employees to secure their own smartphones. It’s good practice for cities to either issue city-owned smartphones that are locked down, secured by IT professionals, and used only for city business, or to limit access to city data only through city-owned or city-issued desktop and laptop computers.