Manufacturers who think their computers will never get hacked need to think again. Alan Johnson reports.
THE hacking of computers of the infamous on-line dating agency Ashley Madison last year made the headlines worldwide, but the idea that the ‘bad people’ of this world only target high profile companies and government agencies is nonsense.
According to the experts in the IT security industry, computer hacking happens far more often than most people think. It just doesn’t get into the media, with no company keen to admit they have been hacked for obvious reasons.
David Higgins, ANZ Regional Director for WatchGuard Technologies, said this belief among manufacturers (particularly smaller companies) that they could never be a target for hackers is a huge mistake.
“We never read about smaller companies being hacked, but it happens all the time,” told Manufacturers’ Monthly.
And according to Higgins the hacking often materialises through downloading innocuous files and PDFs.
“There are still many malforming PDF files circulating, as well as Word and Excel macros with malicious capabilities,” he said.
He said they are generally the older ones, but they are still around, and people still fall for them.
“The problem is there are a lot of signatures out there to catch bad files, but eventually companies have to push some of the older ones off the system simply because they don’t have enough room for the newer ones in their system. The older ones can come around again, and even though we have seen them before, they can reinfest,” Higgins said.
He said it’s very easy for criminal organisations to get hold of legitimate email addresses, and to send a company an email which looks legitimate.
“It’s made to look like it is from someone you know. They might have hacked an organisation and got into their supplier database with email addresses and phone numbers. Then it’s easy for the hacker to form an email which looks like it came from the supplier,” he said.
“Not surprisingly, the manufacturer opens the file, especially as it might mention an invoice from the last shipment, for example. But it’s not an invoice, instead it takes you off to a website, downloads some code and you are hacked. This is very common practice.”
And once companies have been hacked, Higgins said it is too late. And they often only find out much, much later.
He said these bad guys are not about making a song and dance about it, they want to fly under the radar to see what information they can gather.
“The more they can compromise the system, the more information they can gather,” he said.
Response planning
Higgins advised manufacturers to put in place an instant response plan, similar to a fire drill, where everyone knows what to do in the event of an attack.
The first step, he said, is to have some sort of prevention in place, and a detection system in case your company is breached.
“Obviously it’s not as simple as unplugging the PC that has been affected,” he said.
He said manufacturers need to realise how much valuable information they have on their ERP and MRP systems.
“These systems have vital information on their customers and suppliers, plus their manufacturing, reordering and invoicing processes. Manufacturers can be hacked and brought to their knees very quickly by not being able to access these systems,” he said.
“Manufacturers carry out fire drills, but I’m not sure how many know how to make sure they are a tough target and what to do when they are hacked.”
“There are risk management companies who able to do that, however some manufacturers might say it’s too expensive, but I suggest it’s too expensive to be hacked and be off-line for days/weeks, as well.”
However Higgins said manufacturers must realise there is no such thing as 100% protection.
“It can’t be had. But what they must do is put in a good quality security system.”
Protection strategies
Higgins said a good starting point for manufacturers is the Australian Signals Directorate’s website (asd.gov.au) which highlights 36 steps companies should take to mitigate cyber attacks.
The site points out that at least 85 per cent of the targeted cyber intrusions that they respond to could have been prevented by following their top four mitigation strategies:
- Use application whitelisting to help prevent malicious software and unapproved programs from running.
- Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office.
- Patch operating system vulnerabilities.
- Restrict administrative privileges to operating systems and applications based on user duties.
As well, Higgins said, it is vital to implement the critical security patches every time they are released; to protect the company’s vulnerabilities.
“Because it is these unpatched vulnerabilities that the hackers are taking advantage of; to be able to get access and control of a company’s computer system, and basically worm their way through a company’s network,” he said.
He said manufacturers also need to invest in a good quality firewall.
“Firewalls look at the packets of information that come from the Internet. Some just respond with a simple yes no, but others can drill deeper and look at the data inside the email to see if it’s a hack or a virus and block accordingly,” he said.
“That’s on the inbound, but firewalls can also stop people going to insecure websites which are compromised or contain malicious advertising.”
Then if a company does get hacked, Higgins said, some firewalls have the ability to stop the malware attaching itself or calling to a particular command and control website by blocking access to that website.
“We can provide those layers of security all in one box, which is ideal for SMEs,” he said.
Higgins advised manufacturers to regularly patch their Windows products.
“For smaller manufacturers they should just tick the box so Windows is updated automatically,” he said.
“But for those who need to test the patch to ensure it doesn’t affect other applications, they should ensure the patches are implemented within two days of those patches being released.
“It’s the same with updates for Adobe, Java and similar programs.”
He also recommended manufacturers run good quality anti-virus programs, with a different one on desktops and laptops to the program at the gateway.
“That way, manufacturers are increasing their chances of one of the programs catching any bad files attacking their system,” he said.
Cloud computing
Regarding cloud computing, Higgins said there are no real differences when it comes to IT security.
“Manufacturers still need to have a firewall in front of their system sitting in the cloud,” he said.
“People seem to think cloud computing is different to having their IT systems in-house, in reality all it means is that instead of the data sitting in their office, it’s sitting somewhere else connected through the Internet.”
Higgins pointed out that in some ways data on the cloud is far safer and secure than in many SMEs offices.
“These cloud computing data centres have multiple power back-ups, multiple levels of physical security, and multiple security connections in case anything does go down,” he said.
“However, the need to secure the communication to it within an office or somewhere up in the cloud is the same.”
He said users in the office, connecting to the data in the cloud, should still be using a VPN (Virtual Private Network).
“Valuable traffic on there should never be in open or clear text, it should a VPN and the data between company offices, those people out in the field and their cloud system should always be encrypted,” he concluded.