When Uber got hacked this September, many people were shocked.
Yet to those of us in cybersecurity, the most shocking part wasn’t that the transportation technology giant got breached. Instead, we were surprised at how little damage the hacker did to them.
Uber’s public-facing apps and services stayed up. Their customer data was not accessed. Their code base was not tampered with.
Yet even after the attacker got booted off their systems, the company stayed at risk. According to BleepingComputer, the hacker viewed and downloaded all of Uber’s vulnerability reports. If those are out on the black market, then Uber has a lot more work to do before they are out of hot water.
Why This Matters
To the rest of us, Uber’s high-profile attack should be a reminder that every single company out there could get hacked.
All organizations have vulnerabilities. And if a malicious party exploits just one of them, then those attackers might compromise a lot more than just a Slack channel or Google Workspace.
In this article, we will go through:
- How your company could get hacked
- Common security vulnerabilities
- How to protect your business.
Yes, Your Company Could Get Hacked
Any public-facing digital resource has some cyber risk associated with it.
This means that whenever your company goes online in any capacity, you can get hacked. Whatever system is interacting with the public internet can also be exploited by a malicious party, who could then get inside your company’s IT infrastructure.
In fact, most companies have thousands of vulnerabilities at any given time.
Surprising? Not so much when you consider some common vectors of attack:
- Any public-facing web applications, especially those that are custom-built and proprietary
- Public-facing enterprise resource planning (ERP) systems
- Public-facing FTP servers
- Cloud file storage
- Cloud file transfers
- Email and messaging applications.
How To Protect Your Business
Given the high risks involved, how can you begin to protect your organization from potential cyberattacks?
Begin with these three steps:
- Identify vulnerabilities
- Prioritize assets
- Plan ahead.
Before you can begin protecting any of your data, you need to understand where your weak points may be.
Start by deploying an exposure management platform (at Pareto Cyber we enjoy using Tenable). This software can work in the background, analyzing all of your organization’s endpoints to pick up on potential vulnerabilities within any services or files.
You can then view reports from each individual device and compile those individual reports into groups for more comprehensive analysis. From that aggregated data, you can figure out the top 5 or 10 most critical vulnerabilities within your environment.
Once you know what parts of your environment are most vulnerable and which devices are affected, you can prioritize key assets to protect first.
Identify which data would carry the most business risk if compromised, and rank those assets in a hierarchy according to your organization’s specific risk profile.
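The aggregation and prioritization steps above can be sketched in a few lines of Python. This is an added example, not output or code from Tenable or from Pareto Cyber: the record fields, the placeholder vulnerability IDs, the criticality weights, and the scoring formula (severity multiplied by asset criticality, summed over affected devices) are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: per-device findings as a scanner export might list them.
FINDINGS = [
    {"device": "web-01", "vuln": "VULN-A", "severity": 9.8},
    {"device": "web-02", "vuln": "VULN-A", "severity": 9.8},
    {"device": "erp-01", "vuln": "VULN-B", "severity": 7.5},
    {"device": "ftp-01", "vuln": "VULN-C", "severity": 8.1},
    {"device": "kiosk-07", "vuln": "VULN-D", "severity": 9.0},
    {"device": "erp-01", "vuln": "VULN-C", "severity": 8.1},
    {"device": "web-01", "vuln": "VULN-A", "severity": 9.8},  # duplicate rescan
]

# Constructed asset hierarchy: group and business-criticality weight (1 = low, 5 = high).
ASSETS = {
    "web-01": ("public-web", 4),
    "web-02": ("public-web", 4),
    "erp-01": ("erp", 5),
    "ftp-01": ("file-transfer", 3),
}
DEFAULT_ASSET = ("unclassified", 1)  # devices missing from the inventory


def rank_vulnerabilities(findings, assets, top_n=5):
    """Aggregate per-device findings and rank vulnerabilities by weighted risk."""
    per_vuln = defaultdict(dict)  # vuln -> {device: severity}, dedupes rescans
    for f in findings:
        sev = float(f["severity"])
        if not 0.0 <= sev <= 10.0:
            raise ValueError(f"severity out of range: {f}")
        devices = per_vuln[f["vuln"]]
        devices[f["device"]] = max(sev, devices.get(f["device"], 0.0))

    ranked = []
    for vuln, devices in per_vuln.items():
        # Risk = sum over affected devices of severity x asset criticality.
        score = sum(sev * assets.get(dev, DEFAULT_ASSET)[1] for dev, sev in devices.items())
        groups = sorted({assets.get(dev, DEFAULT_ASSET)[0] for dev in devices})
        ranked.append({"vuln": vuln, "score": round(score, 1),
                       "devices": sorted(devices), "groups": groups})
    # Highest score first; vuln id breaks ties so the order is stable.
    ranked.sort(key=lambda r: (-r["score"], r["vuln"]))
    return ranked[:top_n]


if __name__ == "__main__":
    for row in rank_vulnerabilities(FINDINGS, ASSETS, top_n=3):
        print(row)
```

In this sample, VULN-D has the second-highest raw severity but ranks last because it only affects a device with no assigned business criticality, which is the difference between sorting by severity alone and sorting by your own asset hierarchy.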
Once you know where your systems could be exploited and which data needs to be protected, you can begin resolving vulnerabilities.
Remember: vulnerability management is an ongoing process and defending your data should be a consistent, long-term effort. So to truly lower the risk of a data breach, your organization needs to come up with a comprehensive policy framework:
- Set policies for your data storage and network protection.
- Patch any required applications and set a regular period for reviewing patches and configurations in the future.
- Blacklist certain risky domains.
- Limit administrator permissions.
- Blacklist risky file types or applications.
- Configure your email gateway.
Protect Your Organization from Cyber Threats
All the above actions are merely suggestions, and your organization’s vulnerability management process can look entirely different.
If you truly want to minimize your risk of cyberattacks, you need to establish a comprehensive security governance program with experienced security analysts.
For those that may not have experienced security talent in-house, our team at Pareto Cyber can help you eliminate and manage vulnerabilities at a fraction of the cost. If you are interested, reach out to our team for a free cyber risk assessment.