Weekend trends: beware the Monday morning blues

Statistics show that cyber-crime activity waxes and wanes with the activity of employees, dropping at night and increasing during the day, but that's no excuse to drop your guard at the weekends, says Stuart Reed.

Stuart Reed, senior director, NTT Com Security
Stuart Reed, senior director, NTT Com Security

Cyber-crime is one of the biggest issues facing organisations in the UK today. While it's easy to get distracted by the nature, scale and repercussions of the latest high profile breach, it's evident that attacks can affect any individual and business at any time. That's why organisations need to have a strong grasp of what is happening on their network at every time of day.  

We wouldn't necessarily expect the days of the week to matter for attackers who are targeting websites, e-commerce sites, applications and systems which operate 24/7. In fact, one could go so far to assume that companies would be at their most vulnerable – and therefore most attractive to attackers – at weekends when there are less staff and fewer monitoring processes in place. 

The reality is somewhat different.  

The 2015 Global Threat Intelligence Report analysed over six billion security attacks in 2014, which included an assessment of the number of Flash, Java and Adobe exploit attempts in the same year. It identified spikes in such attempts that could be put down to a combination of overlapping events.  These would occur where alerts were triggered by new vendor signatures on old vulnerabilities, unproven signatures which tended to produce false-positive alerts, and some genuine new vulnerabilities and campaigns.

What is particularly interesting however is when these exploitations occurred.  Activity regularly dropped during weekends and holidays – when employees weren't typically working and corporate end user systems were either turned off or not being accessed.

This level of activity was also reflected when it came to the data for internet-based attacks. Again, attacks tailed off over the two day break.

Malware traffic spikes would then peak during the early days of the working week, which is when systems are re-booted and devices re-connected to the corporate network.

This regular pattern of events clearly suggests that users play a key role in an organisation's level of vulnerability.

What it doesn't suggest is that every employee has malicious intent in mind, proactively searching out weak spots in the network for unscrupulous means. The common, and most worrying, fact is that employees are often completely unaware that they are effectively leaving the back door of the company open. And it'll become more commonplace as more and more users access the computing and application resources they need anywhere, anytime and from any device.

With this in mind, it's important that organisations have sufficient processes in place to ensure optimum protection at all times and help avoid a worst case scenario event. These include:

  • Maintain an active and current anti-virus / anti-malware solution on all end-user devices which have access to company networks or data. Although this is a simple control, properly maintained anti-virus does detect 40-50 percent of malware
  • Consider extended endpoint protection including file integrity monitoring, endpoint encryption and event monitoring
  • Minimise the number of administrator accounts being used.  Instead, users should be logging on to systems with individual user-level passwords which will provide them with the minimum about of network access needed to do their job. 
  • All work computers should be required to access the internet through the company VPN, whether they are at work or not. Enforce safe browsing habits through the VPN connection including blacklisting websites and actively monitoring security on portable laptops at all times so that the organisation is more likely to detect an attack or compromise
  • Provide an active security awareness and training programme which includes training on attacks designed for end-user systems.  This should include social engineering and phishing awareness in the organisational training programme so that employees are less likely to actively initiate attacks
  • Maintain offline backups of end-user data to help minimise the impact of localised system compromises, malware and ransomware
  • Implement and monitor proxies and content filtering capabilities to help ensure users have access to relevant, trusted web content and in turn support the reduction of web based attacks

With high-profile attacks continuing to hit the headlines, one thing is certain. A company's security environment should never wind down for the weekend, even if the employees that have the potential to cause so much damage do.

Contributed by Stuart Reed, senior director, NTT Com Security.

Sign up to our newsletters