Monday, February 1, 2016

Improving your Security Posture

Everyone, including the author, has plenty of room for improvement in regards to computer, network and operational security.  As people become more computer savvy (or your adversaries know someone who is), users are more exposed to computer security related threats.  There are many tools that make hacking your systems easier for the less skilled, and with very little skill, thieves can access stolen hard drives in minutes.  We rely on computers for everything from banking and commerce to running entire businesses.  Laptops contain enough processing and storage to hold years of client and other confidential data.


One of the biggest problems comes from malware, and the fact that virtually any website or email attachment can silently put your computer under the control of criminal gangs, usually in other countries.   Often these gangs are from Russian speaking countries with sketchy cybercrime enforcement.  These gangs make billions each year compromising the computers and bank accounts of unsuspecting users all over the world.  Most business owners are unaware of a compromised system.  If that system is used for online banking, hackers drain the business account, which has fewer of the protections afforded to consumer accounts.  This can kill a business and cause personal financial ruin overnight.  Dave <last name redacted>, a security expert in San Diego, has a small document on how to prevent this scenario, provided below in the “operational security” section of this article.


This article is applicable to everyone, but if you are a small business owner, it’s wise to take a look at this article and get your security house in order.  According to a 2012 report from Symantec, the largest growth area for targeted attacks was businesses with fewer than 250 employees, accounting for 31 percent of all targeted attacks.  In some cases, it may become a legal issue if a business isn’t conducting some basic due diligence in regards to security.  If a business isn’t taking what may be considered basic precautions to protect client information, that attorney, accountant, or social worker may have significant legal exposure.



Unlike other articles on the net that offer 15 different software choices, I will provide you just a couple that I can stand behind.  If I’m recommending a software product or approach, I’ve tried it and in many cases, I’m using it.


I feel I need to apologise up-front for such a long article.  This really is a multi-topic post but I felt it was better to approach it as a single subject.  The main topic is huge.  Some large companies have hundreds of employees dedicated to computer security.  My focus here is to keep it simple and help you get started doing the basics.


Use the executive summary below to get a brief overview.  After the summary, drill into the areas of interest below to get more detail.  I’ve also created a “do’s” and “don’ts” summary under each section to help summarize key recommendations.  


Executive Summary

The following is ordered from highest priority to lower.   


  1. Use strong passwords or “passphrases”.  This applies to all of the computing devices in your office and especially to admin passwords on PCs, servers, and network equipment.  This should be the easiest to implement.
    A weak password is like having no password at all (see the section below on how to create strong passwords).  In addition, install a password manager that will keep track of all of your passwords in a database.  This gives you the confidence to create strong, difficult to remember passwords knowing you never write them down on paper.  Just don’t forget the password to your password manager.  See notes on setting up and using KeePass or LastPass (described below).
  2. Back up your systems.  There are multiple reasons why, but from a security perspective, if your system is hacked and destroyed you’ll have a way back.  There is a lot of ransomware going around that locks users out of their system until the extortionist is paid.  Backups thwart this extortion.  Consider using a cloud based backup solution that is secure and automatic (iDrive).
  3. Install virus protection.
    This protects your system from the number one threat, computer virus, worms and other nasties.  Don’t use a new PC until you complete this step.
  4. Install personal firewall.
    This protects your system from attempts to access your system via the network.  This is your first wall of protection when connecting to a public network. This should be installed on all PCs, especially laptops that leave the office.  Personal firewall software is normally bundled with virus protection.
  5. Ensure that you are purchasing and installing updates on all of your software, especially virus, personal firewall, and operating system.  Also check your WiFi / internet router to ensure that it has the latest update installed.   Ensure your router password is strong while you’re at it.  Most system penetrations are via vulnerabilities that were found and fixed a long time ago, but the owner never installed the updates to close the vulnerability.
  6. Use whole disk encryption.
    If your laptop, server or other computer is stolen, thieves can pull off all of your data in minutes unless you use encryption.  Use Microsoft Bitlocker described below to make your hard drive useless to thieves.   If you lose a PC or server, you have potentially released all of the data on those systems to the public.
  7. Enable 2-factor authentication on any cloud service that you use (eg. gmail, Evernote, etc).  Google calls this 2-step verification.
    If your password is stolen, the thief still can’t gain access to your account without your mobile phone.  People stealing your e-mail, contact list, etc is now a thing of the past.
  8. If you have an office file server or network attached storage, ensure that you have set permissions appropriately on all of the files.
  9. Use cloud applications like gmail, Evernote, ZoHo, and others in place of local software.
    Cloud applications are more secure because they are always kept current with security fixes.  As a bonus, you can use most cloud apps from any device as well as collaborate with others in the office or around the world.
  10. Use VPN software when accessing the internet from public networks like Starbucks.  I recommend a service called PIA.  If you have a mobile phone, turn off WiFi while at a public WiFi hotspot to force the phone to use the carrier network avoiding the public hotspot networks.
    VPN software protects your computer from people on those free public hotspots that can see some or all of your internet traffic or conduct serious hacks.  You don’t know what lurks on public WiFi hotspots (bad actors or infected laptops).  Use a “virtual private network” service that, when started, encrypts ALL of your network traffic and feeds it to a trusted router.  Try out privateinternetaccess.com (PIA).  You can also install PIA on your mobile.
  11. Use a strong password on your office WiFi and admin account on your router and don’t allow guests to use your office WiFi or wired network.
    Keep your local network clean and free of unknown devices.  Devices on your network should adhere to your policy of using virus protection (with updates) by people that you trust.  Many WiFi routers offer the ability to setup a second WiFi network that firewalls traffic on that network from your secure office network for guests. See the networking section for a list of other suggestions.
  12. If you have clients, partners or other contacts that you need to have secure communications with as well as verify authenticity, use GPG encryption software.  Consider installing Signal on your phone for secure instant message communication.
  13. Have a plan for when you think you have a security breach.
    Don’t wait for things to go wrong and then start hunting around for a computer security expert.  Do some light research and get a few names and a plan.
  14. Apple mobile devices tend to be more secure than Android.  According to research, 97% of all malware is directed at Android.  Regardless, make sure you have installed all the latest OS and application updates from your vendor. If you have an Android phone, only get your apps from Google Play to improve security.
  15. Be aware that copiers, FAX and other office equipment contain storage devices in them.  Remove the storage device from your copier, FAX, printer or other office equipment before it is sent in for maintenance or returned as part of a lease.
  16. Use a clean computer for business banking.  See Dave’s recommendations below for establishing a secure computer for banking transactions to keep thieves out.


Introduction

In this article I’ll cover some very basic security practices that readers should implement.  The intended audience for this article is small business owners or home users, not geeks (who may already know this stuff).  I’ll try to keep the techno babble to a minimum.  The protections and recommendations below are some of the basic approaches to resist security attacks that come from the millions of amateur to medium skilled hackers.  If you become the focus of persistent attacks by pro-grade hackers, or hackers working for nation-states, you’ll need to apply a lot more effort in addition to what is outlined below and use a security expert.  I’m going to cover some easy to implement basics that I expect all of my clients to implement.  I’ll cover workstation security, server security, network & communications security, and operational security.


If you have a small business or just want to improve security a little, read on.  If you want to dodge the NSA, do a Google search on Snowden and security and spend a few years studying... (Don’t bother with protection from the NSA by the way, unless you are ready to disconnect from everything and everyone).


I’ll focus mainly on the PC computer but everything below applies to any device you use to conduct business.  Smartphones (really a small PC) should not escape any of the recommendations below.  If you adopt a particular security posture on your PC, then the same should apply to all of your devices.


A word about Encryption

You will see “encryption” mentioned a few times below.  Don’t let this scare you.  When you hear the word encryption, the first thing that might come to mind is that it’s something only techies or geeks would understand, or use. In reality, the idea of encryption isn't that complicated. Encryption is a system of mathematical algorithms that encodes user data so that only the intended recipient can read it.  You use encryption every day, you may just not realize it.  Every time you have “https” in the browser URL, you are using public key encryption to verify the site is who it claims to be, and scrambling the main chunks of data being sent and received to/from that web site.  I will talk about encrypting “data at rest” and “data in motion”.  All of this will be done in a way that is easy to understand and implement with what you have today at a very low cost.  

Computer Security

PC client security

PC client security is all about protecting your personal computing device.   

Virus protection

For starters, at a minimum, personal computer protection starts with virus protection.  Computers are vulnerable from the time you pull them out of the shipping box.   


Install some sort of virus protection software as the first act of using your new computer.  Nothing is foolproof, but you have to have something.  I recommend ESET or AVAST.  Many of these come with “personal firewalls” or “PC firewalls” (discussed below) as part of a bundle.  Install the software and immediately run a virus scan.  There are hundreds of articles that review anti-virus apps and provide advice on what to look for.  Stick with the ones above and you’ll be OK.


PC Firewall

The term “firewall” in computer terms comes originally from devices that companies install at the edge of their network to control what can come into the company and what can exit.  Personal PC firewalls do the same thing but at the network port of the PC.  This is needed because our computers aren’t always behind a professionally operated enterprise class firewall.  If you are at Starbucks using their WiFi, then you need this.  This sounds complicated but it’s as easy to install as virus protection and is normally part of an all-in-one deal with many vendors’ virus protection packages.  Vendors use terms like “personal firewall” or “internet security” when referring to this software.  At the core of this software is locking all of the doors for traffic coming into your PC.  There are 1000s of doors that most users don’t use, so these are locked by the software, closing possible vulnerabilities.  Some of these packages also inspect the traffic coming in to detect if it is malicious, as well as notify you about applications that are trying to connect to the internet.  In addition, some packages notify you if the browser is about to connect to a web page belonging to a site known to distribute malware.  Try not to become overwhelmed by the marketing of some of the big brands.  They may want to sell you “identity protection” or other software that “protects your children”.  That’s not what I’m talking about here.


Whole Disk Encryption

Disk encryption is referred to as “encryption of data at rest”.  By using whole disk encryption, you are protecting yourself from having your business & personal data escape into the wild if someone gets physical access to your PC.  This happens by accident when you leave your laptop at the restaurant, or when it is stolen.  Most thieves really just want the hardware and will resell it for money, but you don’t know who it will end up with.  Without encryption, ALL of your data, internet browser history and possibly stored passwords with access to banking are vulnerable.  If you are running a business, do you really want to take this chance?  If you lose your laptop and it doesn’t have good encryption, you might want to shop for a good lawyer before looking for a new laptop.


The most popular and easy to use whole disk encryption is from Microsoft (enterprise editions), BitLocker.   Once installed, as long as you’ve chosen a strong password, losing control of your PC won’t be a major disaster.  Go HERE to learn how to install it.  There are other options from Norton and other vendors if you need an alternative.  Use FileVault on the Mac to encrypt your boot volume.  It comes with OS X Lion or later.  A free option, TrueCrypt, was recently taken off the market but recent analysis shows no vulnerabilities.  It’s still floating around out there if you want to pull it down, but it’s not as simple as the integrated solutions from Microsoft.


NOTE regarding whole disk encryption:  
Whole disk encryption for PC or server provides protection when users need to return a disk or need to send the PC to the shop for repair (like a screen replacement) or if the computer is stolen.  It’s all about physical access.  It does NOT protect you from unauthorized access via software or malware.  Think of whole disk encryption like you would locking the main door to the office building.  Once the office is open for business and the main door opened, people come in and work normally.  Inner locks are needed to keep people out of individual offices.  Similarly, with whole disk encryption, users unlock their disk on boot-up but good passwords and file permissions are still required to provide security while the PC is running.  If it’s a server, you still need to implement good permission systems to keep people out of the files they shouldn’t get into.  Also, if you are infected with a bad virus, whole disk protection doesn’t protect the server.


One other issue with whole disk encryption is that it can make data recovery more difficult should a PC become unable to boot.  When drives start to fail, a lot of times they just won’t allow the PC to boot.   If the disk is encrypted, recovery may become impossible depending on the level of damage.  All of this is mitigated by backups (You backup right?).  Read the backup section!  Lastly, losing your encryption password or key means bye bye data.  If you have a propensity to forget things like this, tell your spouse the password but don’t write it down (more on passwords later).  Enterprise IT shops have a centralized key recovery mechanism and I’m not sure what the options are for small business or home users.


Purchase software maintenance

Buy software license updates or subscription for your software.  This is especially important for the virus and firewall protection update service when it comes due (preferably purchase before expiration so that you don’t miss an update).  Without the updates, your PC really isn’t protected all that well.  New exploits are found daily and vendors distribute updates all the time.  Without updates, virus protection software becomes less valuable over time.  


Updating software goes for all of your software AND operating systems.  All software normally receives patches to security vulnerabilities in every update.  If you use cloud services for email, documents and other services, this work is done for you by the cloud vendor and updates are normally applied more often.  


A lot of people get the updates but don’t install them because it’s inconvenient or just a pain in the ass.  Not installing an update is one of the leading causes of a data breach.  Very few attackers use a brand new attack vector; rather, 99.999% break into systems using well documented, previously discovered, and unpatched software vulnerabilities.  Keeping your software up to date reduces your exposure to a data breach.  Not installing updates is like pissing off the Klingons and not raising your shields.


Another piece of software that you have that you didn’t even know about is the router software at your home or business.  A WiFi/router is nothing more than a dedicated computer with router software on it.  Because it’s your first line of protection from the internet, make sure you keep the software up to date.  That means you have to check it once in awhile.  Updates for home routers are normally free.  If you purchased something a little more robust, like a Sonicwall, buy the updates.


Use a decent internet browser

Use Google Chrome browser instead of Internet Explorer.  There have been too many severe security vulnerabilities found in IE for me to recommend it, and it takes Microsoft too long to get a patch out to customers.  There are many sites that only work with IE so it will need to stay in your toolbox for now.  

Do

  • Install virus protection on your PC.
  • Install a personal firewall on your PC.
  • Use whole disk encryption.
  • Never give out the password to your PC (more on passwords below).
  • Keep all of your software and operating system software up to date.
  • Update your router software.
  • Use Chrome as your browser instead of IE.

Don’t

  • Don’t use a new PC without first installing virus protection.
  • Don’t use a new PC without first installing a “personal firewall”.
  • Don’t connect your PC to the internet directly.  The cable coming into your house from the cable or DSL modem is designed to let everything in.  Install a WiFi/router and plug into that.  Most home routers (or WiFi / routers) block a good amount of inbound traffic, stopping a lot of attacks and scans at the door.  See the network section below for more details.


OK, take a break right now and check to ensure that you have updates on your security software and routers.  You can look at the other software that you have later.

Server Security

If your office uses a file server, treat it like your PC.  If you can, install virus protection on the server or network attached storage device (NAS).  Although your PC virus protection can detect viruses that you try to access on the file server, having an extra layer of protection won’t hurt.


Access Security

Because file servers are used by a group of people, you will have the added burden to ensure that access is setup correctly.  For a small office this won’t be difficult and many offices make the files open to anyone that works there.  Some network attached storage (NAS) devices don’t have a lot of options for virus protection but you can always control file permissions. Remember to think this through and consider your legal and contractual obligations to clients in regards to confidentiality.  
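Here is an added example (my own, not from this article or any NAS vendor) of the kind of check I mean by “think this through”: a script that walks a share on a Linux-based file server or NAS and flags anything that every account on the box can read or write, then strips those “everyone” permissions from the offenders.  It assumes POSIX permission bits, so it applies to FreeNAS/Linux shares rather than Windows ACLs, and the sample share it builds in a temporary directory is constructed for the demonstration; the folder names in it are made up.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_tree(root, public_prefixes=()) -> list:
    """Walk a share and report entries readable or writable by 'other' (every account on
    the server).  Paths under a prefix in public_prefixes are allowed to be world-readable.
    Returns a sorted list of (relative_path, problem) tuples."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            mode = entry.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not what the kernel enforces
            rel = entry.relative_to(root).as_posix()
            is_public = any(rel == p or rel.startswith(p + "/") for p in public_prefixes)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IROTH and not is_public:
                findings.append((rel, "world-readable"))
    return sorted(findings)


def lock_down(root, findings) -> int:
    """Remove all 'other' permission bits from each flagged entry; returns how many changed."""
    root = Path(root)
    for rel, _problem in findings:
        entry = root / rel
        os.chmod(entry, stat.S_IMODE(entry.lstat().st_mode) & ~0o007)
    return len(findings)


def build_demo_share() -> str:
    """Constructed sample share (hypothetical folders, no real client data) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "public").mkdir()
    (root / "clients").mkdir()
    (root / "public" / "brochure.pdf").write_text("brochure")
    (root / "clients" / "acme-contract.docx").write_text("confidential")
    (root / "clients" / "notes.txt").write_text("confidential")
    os.chmod(root / "public", 0o755)                       # intended: everyone may read
    os.chmod(root / "public" / "brochure.pdf", 0o644)
    os.chmod(root / "clients", 0o750)                      # owner + group only
    os.chmod(root / "clients" / "acme-contract.docx", 0o640)
    os.chmod(root / "clients" / "notes.txt", 0o666)        # the mistake: everyone can read AND write
    return str(root)


if __name__ == "__main__":
    share = build_demo_share()
    problems = audit_tree(share, public_prefixes=("public",))
    for rel, problem in problems:
        print(f"{problem:15} {rel}")
    print("fixed:", lock_down(share, problems))
    print("remaining:", audit_tree(share, public_prefixes=("public",)))
```

Run it against a real share as a user with rights to the whole tree, review the list before applying `lock_down`, and repeat it after onboarding or offboarding staff; the “Don’t blow off access permissions” item below is exactly this check done on a schedule.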


Server Encryption

Implement whole disk encryption for servers.  Whole disk encryption for servers may be more important because of the amount of data servers contain.  If the entire server walked out the door of your office, how much confidential data would you lose?  How much damage would there be if that confidential information were posted to Facebook?


I’ve just built a custom NAS server and installed FreeNAS (free being the operative word).  Not only does it have enterprise features, it supports encryption out of the box.  Servers that have an encrypted storage device ask for the key or passphrase every time they boot up.  Rebooting restarts this process.  This is the same protection you get for an encrypted PC that is stolen.  It doesn’t guard against malicious software but whole disk encryption is protecting data that is on a stolen hard drive.


Remember, every time the server reboots, you will need to supply some sort of credentials so that the server can finish booting and mount the storage.  Normally this isn’t a problem for PCs but for servers that may be a bit painful if you experience power outages or you need to be able to supply credentials remotely.  Areas that are prone to power outages should have their server plugged into an uninterruptible power supply for multiple reasons.  Some NAS units (like FreeNAS) make reboots a bit easier if you have remote access since the server comes up to a point that is accessible remotely (see VPN access below on how to securely remote into your office).


Do

  • Install virus protection on the server.
  • Encrypt the data on the server using whole disk encryption.
  • Have very explicit controls on who has access to the data and administrative access.
  • Physically secure your server.
  • Have your server plugged into a power conditioning UPS to avoid unnecessary failure due to brownouts or spikes, which may ruin hardware and possibly destroy data.
  • Ensure ex-employees have privileges removed from your storage device on the day of termination.

Don’t

  • Don’t expose your server to the internet.  It’s possible to do this for file sharing but don’t. There are much better solutions for sharing files available via cloud services that won’t expose your entire company.
  • Don’t blow off access permissions.  


Backups

Backing up is another area where most people fall down on the job.  I consider backups part of a security plan because if I am hacked, a lot of malicious actors will nuke the data.  Backups also nullify “ransomware” that locks you out of your data until you pay the extortionist.


Because this is another place where data is at rest, backups should be encrypted or the media stored in a safe.  You can purchase software that encrypts the backups.  Encrypting the server disks and leaving backup tapes laying around unencrypted is a real waste.  Also, rotate backup media off-site.  For off-site storage, larger companies use a service for this (think of it as diaper service for backup media).  You can achieve the same thing by taking the media home with you.  Off-site storage also protects your data from fire and theft.


I strongly recommend looking at a cloud based backup service.  This is because most people are terrible about remembering to backup, and at times, they don’t because it’s just too painful a process.  For PCs I strongly recommend iDrive or Crashplan cloud backup service.  Both companies support encryption before the data leaves the computer so that even if the off-site location is hacked, the data is still secure.  Using a cloud based service ensures that backups happen daily (as long as the PC is turned on).  Both companies mentioned support continuous backup as well (files are backed up within 15 minutes as long as you have an internet connection).  Another nice feature provided by cloud backup services is “versioning”.  Versioning means that you can go back one or more versions of a file if you need to.


For small businesses with a NAS, I recommend iDrive on the PC, because it supports the ability to backup remote storage servers. (Crashplan doesn’t support this).  


There are tons of options when it comes to backups and I’ve written multiple articles just on backups.  You will find them HERE.
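To make “versioning” concrete, and to show why it is what defeats ransomware, here is an added example of my own (not iDrive’s or Crashplan’s code, nor anything from this article).  It keeps every version of every file under its SHA-256 hash, so a second backup run after a file has been scrambled adds a new version rather than overwriting the good one, and a restore can ask for the version before the damage and verify the stored copy has not itself been tampered with.  The sample documents and the simulated ransomware overwrite are constructed for the demonstration; encrypting the store before it leaves the PC, which the article rightly insists on, is left to the backup product or to whole disk encryption and is not done here.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


class VersionedBackup:
    """Content-addressed backup store: each file version lives under its SHA-256 digest, and a
    manifest records the ordered history of digests per path so older versions can be restored."""

    def __init__(self, store_dir):
        self.store = Path(store_dir)
        (self.store / "blobs").mkdir(parents=True, exist_ok=True)
        self.manifest_path = self.store / "manifest.json"
        self.manifest = (json.loads(self.manifest_path.read_text())
                         if self.manifest_path.exists() else {})

    def backup(self, source_dir) -> int:
        """Back up every file under source_dir; returns how many new versions were recorded."""
        source = Path(source_dir)
        new_versions = 0
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            history = self.manifest.setdefault(rel, [])
            if history and history[-1] == digest:
                continue  # unchanged since the last run, nothing to store
            blob = self.store / "blobs" / digest
            if not blob.exists():           # identical content is stored only once
                shutil.copyfile(path, blob)
            history.append(digest)          # the old version stays; this is the point
            new_versions += 1
        self.manifest_path.write_text(json.dumps(self.manifest, indent=1))
        return new_versions

    def versions(self, rel) -> list:
        return list(self.manifest.get(rel, []))

    def restore(self, rel, dest_dir, version=-1) -> Path:
        """Write the chosen version (-1 = newest, -2 = the one before) of rel under dest_dir,
        refusing to restore a blob whose hash no longer matches its name."""
        digest = self.manifest[rel][version]
        data = (self.store / "blobs" / digest).read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError(f"backup copy of {rel} is corrupt or tampered with")
        out = Path(dest_dir) / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_bytes(data)
        return out


def demo() -> dict:
    """Constructed walk-through: back up, let ransomware scramble a file, back up again, roll back."""
    source = Path(tempfile.mkdtemp(prefix="docs-"))
    (source / "invoice.txt").write_text("Invoice 1001: $500 due 2016-03-01")   # sample data
    (source / "notes.txt").write_text("meeting notes")
    vb = VersionedBackup(tempfile.mkdtemp(prefix="backup-"))
    first = vb.backup(source)                                  # both files are new: 2
    (source / "invoice.txt").write_text("GARBLED-BY-RANSOMWARE")  # simulated damage
    second = vb.backup(source)                                 # only invoice.txt changed: 1
    restored = vb.restore("invoice.txt", tempfile.mkdtemp(prefix="restore-"), version=-2)
    return {"first_run": first, "second_run": second,
            "invoice_versions": len(vb.versions("invoice.txt")),
            "restored_text": restored.read_text()}


if __name__ == "__main__":
    print(demo())
```

The lesson carries over to whatever product you pick: a backup that simply mirrors the current state of the disk will faithfully copy the scrambled files over your good ones, so check that the service keeps old versions and that its retention is longer than the time it might take you to notice an infection.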


Do

  • Have a minimum daily backup of your PC and server.
  • Use encryption on backups for the same reason you encrypt your server.
  • Store your backups off-site to protect against fire & theft.
  • Try using cloud backup solutions that support encryption (iDrive & Crashplan), especially on PCs and laptops.


Mobile phone

As I’ve said before, all of the recommendations for PC security apply to mobile smartphones where possible.


From a security perspective, iPhones have been shown to be less of a security concern than Android.  The fears of a “closed system” from Apple have not come to fruition, but it has delivered better security.  Research has shown that 97% of all mobile malware is directed at Android.  While Android suffered an onslaught from hackers, iOS users came off relatively unscathed.  However, the report's authors warned that iOS threats were growing, despite only four attacks targeting jailbroken versions of Apple's mobile operating system.  A quick search for anti-virus for Android turned up an article on the 15 top ones from androidauthority.com.  I found a couple for iPhone that really do purport to protect you from malware but it took some searching.


It was reported last year that over half of Android flashlight apps were malware.  Although not foolproof, Apple and Google Play inspect apps for malware before they are posted to the app store.  The problem is that not all Android apps have to be deployed on Google Play.  According to Symantec’s latest Internet Security Threat Report, “17 percent of all Android apps (nearly one million total) were actually malware in disguise.”  The recommendation is to obtain your apps from a trusted source, like the Google Play Store.  According to Yahoo Tech, Google does a good job of keeping malware laden apps out of the store.


Apple and Android vendor Google have found security vulnerabilities in their operating systems.  The difference is that as soon as Apple releases a fix, users can install it immediately.  Android users may not have access to the fix for months and possibly never.  This is because Apple doesn’t have to contend with 1000s of variations of hardware AND different implementations of the software.  Android users sometimes have to wait months to get a fix for their specific version of Android from the manufacturer or carrier.


Zach Epstein from BGR explains it best: “When Apple releases an update for iOS, the overwhelming majority of iPhone and iPad users have access to it instantly. When Google releases an update for Android, years go by before that new software version makes its way to the majority of smartphones and tablets.

Stop for a moment to consider how crazy this is: Apple released iOS 9 in September 2015 and by January it’s already on 75% of iOS devices. Meanwhile, the most widely used version of Android at this very moment was released more than two years ago in 2013.”


Using an Android for anything important is like raising your kids in a war zone, when you have the option to live in a safe neighborhood.


Network Security

Firewall

Network security starts at the edge and then works in.  Most homes that have internet access via a DSL or cable modem also have a router with a built-in firewall.  Routers are just PCs running software that does network routing.  Most home and small business WiFi/routers also provide some firewall capabilities.  The firewall’s job is to look at all of the traffic that is trying to come into your network and decide whether it can come in or should be blocked.  If the traffic is allowed, the router routes it to the correct destination.  Most routers block a large portion of “ports” (think of these as doors to your PC) and provide a great deal of protection.  In addition, many companies only allow certain kinds of traffic outbound to protect against malware trying to contact the mother ship.


Plugging your PC directly into a DSL or cable modem that has direct inbound routes from the internet is a very bad idea.  A study published about 15 years ago showed that with no firewall between the internet and a PC, the PC comes under attack within about five minutes.  I conducted a test with software to monitor this years ago and my PC was being scanned in under a minute.


If you have a router from the network service provider, consider putting in a router that you have full control of so that you can lock it down the way you want and can apply the latest updates to the router software.  Paul Wagenseil wrote an article for Tom’s Guide suggesting you throw out your consumer class router and get something like a Peplink Pepwave Surf small business class router.  The reasoning is that it allows users more control over security features and won’t come with some of the classic security holes found in many consumer grade routers.  This is a bit drastic in my opinion, but depending how serious you want to get, installing a better router will improve your security posture.  I’m told Sonicwall routers are also a good option for small businesses.

Network Access & Protection

Most people don’t think about access to their network but it’s just as important as who can access your computers.  As I’ve mentioned above, your firewall / router is just another computer with specialized OS and software (and a bunch of ports).   The router / firewall is your first line of defense which means that it’s on the “front lines”.  The router is connected directly to the internet which means it can come under attack from millions of sources.  If your router is compromised, you are open to multiple attacks.  For example, if your router is “owned”, the attacker can redirect you to what looks like your banking site but isn’t, allowing them to learn your username and password.  There are several other nasty things that can be done but here’s the rub, the password for the router should be extremely strong (more on passwords later).


  1. Change the admin password from the default username and password.
  2. Check for router updates on a regular basis!
  3. Change the network name or SSID from the default (“Netgear” or “Linksys”) to something else.
  4. Enable WPA2 wireless encryption.
  5. Disable Wi-Fi Protected Setup (WPS).
  6. If you have a WiFi access point (most people do), always put a password on it at a minimum.  Also enable the encryption setting for WiFi communications.  Set up a separate access point for guests and clients.
  7. Many WiFi access points now support having two wireless networks using one device.  The guest access point (that you still should password protect) normally has very limited access to your office network, with the main objective of allowing guests access to the internet.  If your router supports it, set up a separate wireless network for guests.
  8. Disable remote admin access and disable administrative access over Wi-Fi.
  9. Disable PING, Telnet, SSH, UPNP and HNAP if possible.
  10. Change the router’s Domain Name System (DNS) server from the ISP's own server to one maintained by OpenDNS (208.67.220.220, 208.67.220.222, 208.67.222.220, 208.67.222.222) or Google Public DNS (8.8.8.8, 8.8.4.4).
  11. Finally, use Gibson Research Corp.'s Shields Up port-scanning service at https://www.grc.com/shieldsup. It will test your router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator.


Many offices have open network plugs on the walls in conference rooms and other offices.  Unless you have set these ports up so that they have no access to the rest of your network, never allow guests or clients access to these.  Even though you may trust your guests (even your kids), you don’t know if they have installed virus protection.  Allowing guests direct access to your network opens computers on your network to multiple unknown attacks.  I strongly recommend disconnecting any unused ports in waiting rooms or unmonitored spaces.  


Another approach for network access is to configure your office router to only allow computers that have been registered.  This would allow you to leave sockets around the office open with less risk.


Traveling? Use your phone network or VPN

What do we do when we are outside the office and need to use the internet?  Most people say “use my mobile phone” or “go to Starbucks for free WiFi”.  Connecting to a public WiFi or “hotspot” exposes us to spying and hacking attempts, or worse.  You have no idea who is on that public network or who controls and manages the router.  Therefore, we have no idea how secure the network is, and we are taking the chance that our network traffic can be completely hijacked.  In addition, you are possibly vulnerable to attacks and spying by other computers on that network (intended or not by the owner of the PC at the next table) or by hackers that have taken over the router.  


Turn off WiFi on your phone when in a business that has a public hotspot.  This will force the phone to use the carrier’s network, closing off an avenue of spying and hacking.


If you have wireless via a hotspot on your phone or dongle on your PC, I recommend using that instead of a public network. You may already have it through Verizon or AT&T.  


If you need to use a public WiFi or hotspot, the first level of protection in this case is the personal firewall that you installed right after you opened your laptop (you did that, right?).  This will give you some protection against direct attack, but it doesn’t protect data from leaking out to spies watching the network.


All of your network activity is still visible to others.  If you are using a commerce site or something like gmail (which defaults to https), others won’t be able to see the data that you are pushing and receiving (unless the router has been hacked), but they will see the URLs.  This bit of data, along with other non-secure web traffic, is a leak that you may prefer others can’t see.  For example, try going to Amazon.com.  Unless you are paying or logging in, a good amount of the traffic is not secured at all.  Even if it is secured, the URL in your browser is visible to others.  For example, a search on amazon.com is right in the browser URL for all to see (Example: http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=you+can+see+what+I%27m+searching+for).  Looking at the URL above you can tell exactly what I entered into the search box.


If you want to seal off all of the network traffic and stop the leaking, use a VPN (virtual private network).  VPN software connects your PC to a remote router that you trust and encrypts 100% of the traffic between your laptop and the VPN gateway router, hiding everything that you do.  Think of it as Harry Potter’s cloak of invisibility.    Many home routers and almost all business routers come with VPN capability, but it’s difficult to set up.  In addition, to use your personal router, it must have a publicly accessible IP address.  In some cases, you have to pay extra for this.


I recommend using a VPN provider.  There are public VPN providers that offer this service, delivering a more secure environment.  Implementations range from adding an app on your PC to just logging into the provider’s web page to activate the encrypted tunnel.  Examples are privateinternetaccess.com (PIA) and spotflux.com.   PIA was voted #1 starting back in 2011 and is still on top.  I used PIA. It’s cheap and simple to use.  PIA also works on mobile phones; just install the app.  PIA is also one of the few top providers that allows you to bridge into your office network.  Last I checked, PIA costs $30/year if you buy a 2 year subscription.


If you can, the bonus of using the VPN solution on your office router (or via PIA) is that once activated, it looks to your PC like you are sitting in your office.  You can have direct access to all of your office storage, print and other capabilities while on the road, all wrapped inside of an encrypted tunnel.   This is what most large companies set up for workers that are at home or on the road.


Do

  • Install firewall software on your PC (as mentioned in the first section)
  • Set strong passwords and encryption on your WiFi access points
  • Setup a separate guest WiFi network
  • Use VPN software to securely connect when using public internet access points.
  • Disconnect unused network ports in public or unmonitored areas
  • Use internet e-mail that enforces https, like gmail.
  • Check for updates on your firewall


Don’t

  • Don’t allow guests to use your office WiFi network
  • Don’t allow guests to use your office wired network unless it is separated
  • Don’t use a cheap firewall to save a few bucks.  Routers from a well known company have a much higher chance of staying current.

Communication Security

For most people, communication security mainly revolves around e-mail.  It used to be that a business needed to set up its own email server.  Thankfully this is no longer the case, nor is it really needed.  I recommend using a cloud service, like gmail, instead of trying to manage your own mail server.  I’ve covered this in other cloud articles but let me do a quick recap.  
  • Gmail means no server to setup, secure, update, backup, or manage
  • Cloud providers are better at weeding out the junk and phishing e-mail.
  • It’s available from anywhere and any device.
  • It may be more reliable than any solution that you could afford to build.
  • It supports custom business domain routing so it still looks like your company email, not Google. (for a small fee).  


Although I’ll cover this later, enable “two step verification” on gmail if you use it.  If you don’t know what this is, look at the two-factor authentication section below.  


The next obvious step in secure communications is encryption.  Unfortunately, after all these years, using it is still difficult.  PGP, and now GPG, are the best and most trusted in the market. The bonus is that GPG is free.  The downside is that it’s not easy to use. There are tools that improve the usability, but you still need some basic understanding of how to implement it and use it securely.


Public Key Cryptography

Implementing GPG for secure email is outside the scope of this article, but let me cover the basics.  Unlike the “symmetric encryption” that was used when you were a kid (where you feed in a secret key and it scrambles the message until someone enters the same key on the other end), we now have “public key” encryption.  Public key encryption (crypto) is now the standard of the Internet.  It’s actually what is used in SSL (secure http in your browser).  The breakthrough of public key crypto is that you don’t need to exchange keys via a secure channel in order to communicate with another person or computer.  


When you generate keys with public key crypto systems like GPG for the first time, it creates a secret key and public key that are mathematically linked.  The secret key is kept close to you,  and secured with a difficult password of your choosing.  You never give anyone your secret key and maintain full control over it.  The public key is provided to anyone who wants it.  The key is normally placed in a public directory or you could send it to someone.


How public key crypto works

When someone wants to send you an encrypted message, they use your public key.  Once encrypted, the only key in the world that will decrypt the message is the matching secret key.  This allows someone whom you’ve never met to encrypt a message to you that only you can open.  


The reverse is also true.  By encrypting something with the secret key, only the public key can open it.  Digital signatures are created by using this reverse scheme.  To sign a document, I calculate a mathematical hash of the message or document and then encrypt that hash with my secret key.  If the receiving party can decrypt the hash using my public key, it means that the only person who could have encrypted the data is the person who owns the mathematically linked secret key, mine in this case.  In addition, if the decrypted hash value matches the value that you calculated for the message or document, it means that the message wasn't tampered with.  This simple concept is how most of the world's communications are secured when encrypted.  The details are a bit deep, but in general it depends on extremely large prime numbers that are fantastically difficult to figure out if you don’t have both keys.
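To make the two directions concrete (encrypt with the public key, sign by encrypting a hash with the secret key), here is an added example that is not GPG's code and not from the original article: textbook RSA built from two constructed, far-too-small primes, with a truncated hash so the numbers fit. GPG uses much larger keys, padding and a full key-management layer on top of the same idea.

```python
"""Toy RSA illustrating the sign/verify and encrypt/decrypt scheme described
above. Added example: not GPG's implementation, and the primes are constructed
Mersenne primes that are tiny by real-world standards."""
import hashlib

# Constructed toy primes (2^61-1 and 2^89-1). Real keys use primes hundreds of
# digits long; that size is what makes the secret key "fantastically difficult
# to figure out" from the public one.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # conventional public exponent


def generate_keypair():
    """Return (public_key, secret_key); the two are mathematically linked."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse of E (Python 3.8+)
    return (n, E), (n, d)


def _digest(message: bytes) -> int:
    # Hash of the message, truncated to 128 bits so it fits under the toy
    # modulus n (about 150 bits). Real schemes use the full hash plus padding.
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(secret_key, message: bytes) -> int:
    """Encrypt the message hash with the secret key: this is the signature."""
    n, d = secret_key
    return pow(_digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Decrypt the signature with the public key and compare with our own hash
    of the message; a mismatch means a wrong key or a tampered message."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can encrypt; only the matching secret key
    can decrypt. The message must be shorter than the modulus."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(secret_key, ciphertext: int) -> bytes:
    """Recover the plaintext with the secret key (assumes no leading NUL byte)."""
    n, d = secret_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    pub, sec = generate_keypair()
    msg = b"meet at noon Tue"          # constructed sample message
    sig = sign(sec, msg)
    print("signature valid:", verify(pub, msg, sig))
    print("tampered valid: ", verify(pub, b"meet at noon Wed", sig))
    print("decrypted:", decrypt(sec, encrypt(pub, msg)))
```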


The software isn’t hard to use, it’s just currently inconvenient so it’s not used.  Until it is built into email systems by default, it won’t thrive.  Also, for the most part, both parties need to be using the same crypto software.  Edward Snowden used GPG to communicate with the people that published his findings regarding the NSA.  Again, it would take a full article to go into a little more depth on GPG to ensure that you know how to verify that you have the right public key for someone as well as other security measures.  If you need help, research it or reach out for help.

Things to remember about email

A few other things to remember about Email
  • Emails that you receive may not be from the person you think they are from.  It’s easy to forge the from address.
  • Always look at the actual URL in an embedded link on emails to see where they actually go.  (take this one step further and just don’t click on them ever).
  • Don’t open attachments from people you don’t know
  • If you receive an unexpected email from someone you do know with a link or attachment, don’t click, think first.  This scheme has been used zillions of times to gain people’s trust, just enough, to launch malware onto their system.
  • Banks will rarely send you an email or call asking for your password.  
  • Don’t click on a link when reading emails from your bank or other service provider.  Enter it manually in a browser and login.  Many times the message looks legit, complete with logos and other artwork (and possibly it is legit).  Be careful, users can be tricked and sent to a different web-site that looks like your bank, but isn’t.


Think about what goes into e-mail

Once data is sent to another person, it is no longer secure.  Assume this and then rethink what you are going to say.  The other person could have implemented 10x better security than you but you no longer have 100% control over what happens to that data or what the person says or what that person’s employees might do.  


Do

  • Use email systems (servers) that are secured (local or gmail)
  • Ensure your connection to the email server is secure (https in the browser).  Gmail does this by default now.
  • Use encryption for highly confidential e-mail
  • Remember that once an e-mail is sent, you lose control.  All the litigation in the world doesn’t help you once information is released into the wild.
  • When you read incoming email, always be on the lookout for links that could send you to the wrong place or attachments that you are not expecting.

Cloud Computing

I’ve written multiple articles explaining the benefits of cloud computing and why cloud computing is MORE secure than what you can afford to do locally.  Here is a quick recap from a security perspective.
  • Most cloud computing service providers have a lot at stake so they are willing to spend millions on staffing, tools and custom tools to secure and monitor their service.
  • Because of scale and the broad view of the computer security landscape, they can address security issues much faster than even large companies.  
  • They can afford the compute cycles that do nothing but look for issues
  • Because of their scale, they can provide security services (like phishing protection) for free.
  • Cloud software always has the latest security patches because this is part of the service of cloud computing.   Vulnerabilities are fixed much faster than in on-prem software solutions.


Do

  • Select companies that have two-factor authentication
  • Understand the security and privacy rating of a cloud vendor before you sign up.
  • Review cloud vendor security policies, and history in regards to security.


Operational Security

Operational security (or OPSEC) is the set of things that you do to improve security.  OPSEC is the process of protecting little pieces of data that could be grouped together to give the bigger picture.  In the context here, I will focus on your behavior, treatment of keys, people, and what you say.  The focus is on changing behavior just a tad to improve security.  Change how software is evaluated for business.  For example, if you need a file server, buy one that supports encryption.  If you are considering a web based accounting system, require that candidates support two-factor authentication.


Passwords

Choosing good passwords

Password cracking programs have been around for years and are used by attackers but also system administrators looking for weakness in their systems. These programs first try a huge dictionary of words (including names and common lexicon like “foobar”), ordered by the most common and then move onto more difficult twists that people might use.


The most secure passwords are long strings of random data but these are the most difficult to remember.  Said another way, the most secure passwords are the ones you can’t remember.


The more mixed-case, numbers and punctuation the more difficult the password will be to crack. Use the following guidelines to create difficult to crack passwords.  Better yet, use a password manager (described in the next section) to generate and save strong passwords.


  1. Don’t use a single word as your password that is in a dictionary.  Use a “passphrase”, not a single word. It should be a minimum of 12 characters if you want it to be strong.  The longer the better.  (example: “thecharGersSuck@golfff”).
  2. Use mixed case and punctuation.  (some punctuation may be reserved or not allowed like the semicolon)
  3. Use a different password on each site/system.  Remember, if one site is hacked and you use that password on other sites, all of those sites are at risk.
  4. Mispell passwords to make them more difficult to crack (this comes naturally for me).
  5. Be careful when using the trick of substituting numbers for letters in a common word (like “1” for “i” or “l”, “3” for “e” or “b”).  Password cracking programs test all of these.
  6. Don’t use anything that can be tied to you (eg: name of wife, kids, university, sports team name or dates like an anniversary).  Oh, and don’t use names as a password.
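The guidelines above can be turned into a checker. This is an added example, not from the original article: it undoes the digit-for-letter substitutions that cracking programs try (guideline 5), strips tacked-on digits and punctuation, and then looks the result up in a constructed mini dictionary; real crackers use lists of millions of words, names and leaked passwords.

```python
"""Password guideline checker (added example). The word list is a constructed
stand-in for the huge dictionaries cracking programs actually use."""
import string

# Constructed mini dictionary of "common lexicon"; real lists are enormous.
COMMON_WORDS = {"password", "chargers", "golf", "foobar", "welcome",
                "letmein", "dragon", "summer", "football", "qwerty"}

# The substitutions the text warns about; crackers test every one of them.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Undo leet-speak and case so "P@55w0rd" is seen as "password"."""
    return password.translate(LEET).lower()


def core_word(password: str) -> str:
    """Drop digits/punctuation tacked onto the ends ("Chargers2016!" ->
    "chargers"), then undo substitutions."""
    return normalize(password.lower().strip(string.digits + string.punctuation))


def check_password(password: str, personal=frozenset()):
    """Return a list of guideline violations; an empty list means it passes.
    `personal` holds strings tied to you (names, team, anniversary year)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("no mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digits or punctuation")
    if core_word(password) in COMMON_WORDS:
        problems.append("a dictionary word, even after undoing substitutions "
                        "and trailing digits/punctuation")
    norm = normalize(password)
    for item in sorted(personal):
        if item.lower() in norm:
            problems.append(f"contains something tied to you: {item}")
    return problems


if __name__ == "__main__":
    for candidate in ["P@55w0rd", "Chargers2016!", "thecharGersSuck@golfff"]:
        print(candidate, "->", check_password(candidate) or "OK")
```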




Two-Factor Authentication

Two-factor authentication is a simple mechanism that, when enabled, helps ensure online accounts are never broken into by stealing or guessing your password.  This is a key feature that I look for when choosing a cloud service provider.  Gmail, PayPal, Evernote, ZoHo and many others have added this feature, mainly because of user demand. (Read up on enabling “two step verification” on gmail).  


In order to log-on using two-factor authentication schemes, you need to know a password and have some device (normally a cell phone or a mini one time password device).  When using two-factor authentication to enter gmail and other services, users are prompted to enter their username,  password, and then the one time code sent to them via SMS, or displayed on a special app on their phone or other device.  Entering this one-time code is the second factor.  Actually the second “factor” is the phone or device that tells you the one time code.  If your password is ever stolen, an attacker still can’t get in because they don’t have the second factor, your phone.  In summary, two-factor authentication is a combination of what you know (your password), and what you have (your cell phone typically).  
ALWAYS ENABLE  two-factor FEATURE IF IT IS AVAILABLE!


Managing your passwords


Now that you’ve started creating different passwords on different systems and making them very complex, you need to remember all of them.  As users  jump from one web service to another for work, play and ecommerce, this becomes an almost impossible task.  As a small business owner you are also the IT person, and therefore have to remember all of the critical administrative passwords as well.  This is where the password manager tools come in.  I’ve been using these for years to keep my sanity and preserve some memory so that I can find my car keys in the morning.


Password managers are small databases that you use to store your username and password for each system.  All of the data is stored in an encrypted file that you unlock with a “master key”.  If the password manager is a good one, it allows you to set up two-factor authentication as described above to get to your keys.  In addition to keeping your passwords safe, some of them install a small shim that fills in the username and password for you out of your database when you visit a web page that asks you to authenticate.  For new sites, you can ask it to generate a random password for you with the desired length.


I currently recommend two options:

Keepass

Keepass is a free application that is installed on your PC, Mac, Linux system or phone to manage (remember) your passwords.  It secures all of your data in an encrypted file, keeping one of the most important files you have secured.
  • It is a free application
  • Runs on Mac, PC, Linux, and mobile devices.  
  • It can generate random passwords for you.
  • It has plug-ins for the popular browsers that automate the work of pulling up the right password as well as saving new passwords from the web.
  • Support for two-factor authentication by using a master passphrase and a key file.  Many users put the file on dropbox and then put the second factor (a special data file) on all of the devices they want to access the password database from (or store it on a USB stick).
  • The application is “open source” so it allows multiple experts to look for security flaws.  It has been on the market and supported and improved since November 2003.
  • Keepass is considered the most secure solution since you have total control over the database.


Lastpass

Lastpass is a web service that allows you to run the application on all of your devices and keep your store of passwords synchronized.  You have to pay $12/year, but it has some very nice features.
  • Passwords are stored in a “secure vault” that is searchable.
  • Local-only encryption means that all data is encrypted and decrypted at your device (PC or mobile).  This means that if Lastpass service is ever hacked, the hackers still can’t get to your data.
  • Lastpass supports two-factor (or multifactor) authentication.  Users enter a password and then are prompted to enter a one time password from a SMS message, Google Authenticator app on the phone as well as support for other methods.  
    PLEASE USE 2-FACTOR AUTHENTICATION FEATURE!
  • Access via the web, phone and support for local file.
  • Plug-ins for the most popular browsers that fill in authentication dialogs, making difficult passwords super-easy to use.
  • Easily generate random passwords for new accounts.
  • Auto change passwords.
  • Support for “secure notes”.
  • Allows offline access.
  • It will perform a security audit to not only tell you how good your master password is but all of the passwords in your database.
  • Continued improvements since its introduction in 2008.
  • Allows you to run a scan against all of the web sites that you use.  If one of them has been hacked, you’ll be notified.
  • On install, it pulls all of the user/passwords stored in your browser (that are stored insecurely) and stores them in Lastpass.  This is a huge time saver for new users.


Establishing a secure computer(s) for banking transactions

Most business owners are unaware that if their PC gets compromised, and it is ever used for online business banking, hackers from another country can drain their business bank accounts — with none of the protections consumers enjoy.   This can kill a business, and cause personal financial ruin, overnight.   Running a separate computer for a really small business might be pricy — in that case, use an iPad.   They are 99.99% impervious to the current threat landscape of mostly Russian speaking criminal gangs using PC malware.  While Macs and PCs are theoretically just as insecure, in practice the actual incidence of malware each year on Macs can be counted on the fingers of one hand.   Anti-virus software easily keeps up with this rate.  On the Windows platform, over a million malware variants are automatically generated each day.   There is no way antivirus software can keep track of such vast numbers.
Here’s Dave’s recommendation for setting up a clean computer for business banking.   


  1. This computer should be a Mac, not a Windows PC.   While Macs are not hack-proof, as of 2012 (Still true in 2016), the overwhelming majority of malicious software targets the PC platform, and will not run correctly on a Mac.  This is especially true for criminals targeting bank account fraud.
  2. The Mac should be running the latest OS.  The later OSs incorporate the latest anti-exploitation features, such as ASLR, DEP, and whitelisting.   These features make infection more difficult.
  3. The banking computer should be dedicated to online banking only, and [ideally] should be put on a special network segment with a small firewall configured to only allow this computer access to banking sites, and updates to the operating system and browser, and also to protect the computer from direct network attack.   This is to prevent infection by malware via compromised web sites.  [Personal firewall is OK too.   The important thing is no email, and no other web use beyond the bank sites.]
  4. The banking computer should not have email software installed.   This is to prevent infection of malware via email.
  5. Banking transactions should use 2 factor authentication (e.g. involving one time passwords), [see explanation of 2 factor authentication above] preferably using external tokens if the bank offers them.  This is to prevent exploitation of static passwords.   Two factor has been defeated by hijacking legitimate sessions, so this control, while important, is not sufficient by itself.
  6. Banking transactions should have a call back verification feature, and this should reference the receiving account for major transfers, not just the amount.   Some recent fraudsters have taken advantage of call back schemes that only reference the amount by changing only the recipient, not the amount.
  7. Any insurance the banking institution offers to cover electronic banking fraud should be utilized if feasible.
  8. The Mac should have the latest recommended antivirus.   While antivirus is only marginally effective on the PC with millions of unique viruses each year, the Mac platform only has a handful of viruses, so it is a "defensible" platform.
  9. If an out-of-band (non internet based) communications option is available, that is worth considering.   Even with all the controls above, there are still "theoretical" risks.   Today's theoretical risks are often tomorrow's actual cyber crimes.    For instance, even the Mac described above can be hacked, and malware could be installed from the bank's own web site (by DNS spoofing combined with web site injection).


These controls should be reviewed and updated regularly.


I recommend talking to your banker on how to “firewall your money” to help prevent or limit your exposure to online criminal activity.


Sharing what you do

Operational security includes what you tell or expose to others.  Don’t blab about how you secure your office, just like you don’t blab in a crowded restaurant about where you hid the key to your front door.  Even small bits of information help attackers narrow the scope of their attack.

Who can see your screen

  • Be careful with what you do if you are in a public space, especially an airplane.
  • Be aware of whether there are security cameras in the Starbucks you are using (where are there not security cameras?).  Some cameras are good enough to read your screen or see what you are typing when prompted for a password.

Be careful what you share on social networks

Facebook, LinkedIn, Twitter.  


Backups

Own your backups!  Ensure some media is off-site and secure. Regularly test your backups by doing a restore.   There is an operational aspect to this as well.  As much of a pain as it is, you need to check the logs once in a while to ensure that your backup plan is healthy.  Business owners need to think about the entire office.


General Sanitation

  • Change the password you gave to the maintenance guy
  • Revoke privileges from old employees
  • Check system  logs for security violations.  A sudden spike in failed login attempts at night might indicate you have a hacker infestation.
  • Know who is working on your equipment and what they can access.
  • If you need to replace a disk, make sure it is properly destroyed.
  • If someone is working on your computer, have someone stay with the tech or remove the storage device.  
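Checking the logs for “a sudden spike in failed login attempts at night” can be scripted. This is an added example, not from the original article: the log lines are constructed in a simplified sshd-style format (the regex is an assumption to adapt to your own system), and the script buckets failed logins per hour, flags hours over a threshold, and notes whether they fall in the night window and which source address dominates.

```python
"""Failed-login spike detector over constructed sample log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines; the format is assumed, adapt LINE_RE to your logs.
SAMPLE_LOG = """\
2016-01-28 09:12:03 sshd[2101]: Failed password for alice from 10.0.0.15 port 50211
2016-01-28 09:12:40 sshd[2101]: Accepted password for alice from 10.0.0.15 port 50211
2016-01-28 14:03:11 sshd[2305]: Failed password for bob from 10.0.0.22 port 50300
2016-01-29 02:14:01 sshd[3110]: Failed password for invalid user admin from 203.0.113.9 port 41001
2016-01-29 02:14:02 sshd[3111]: Failed password for invalid user root from 203.0.113.9 port 41002
2016-01-29 02:14:02 sshd[3112]: Failed password for invalid user test from 203.0.113.9 port 41003
2016-01-29 02:14:03 sshd[3113]: Failed password for bob from 203.0.113.9 port 41004
2016-01-29 02:14:04 sshd[3114]: Failed password for alice from 203.0.113.9 port 41005
2016-01-29 02:14:05 sshd[3115]: Failed password for invalid user oracle from 203.0.113.9 port 41006
2016-01-29 02:14:06 sshd[3116]: Failed password for invalid user guest from 203.0.113.9 port 41007
2016-01-29 02:14:07 sshd[3117]: Failed password for invalid user admin from 203.0.113.9 port 41008
2016-01-29 02:14:08 sshd[3118]: Failed password for invalid user admin from 203.0.113.9 port 41009
2016-01-29 02:14:09 sshd[3119]: Failed password for invalid user admin from 203.0.113.9 port 41010
2016-01-29 02:14:10 sshd[3120]: Failed password for invalid user admin from 203.0.113.9 port 41011
2016-01-29 02:14:11 sshd[3121]: Failed password for invalid user admin from 203.0.113.9 port 41012
2016-01-29 08:30:15 sshd[3400]: Accepted publickey for alice from 10.0.0.15 port 50400
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)")


def parse(log_text: str):
    """Yield one dict per recognised line; anything else is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["hour"] = int(rec["hour"])
            yield rec


def failed_logins_per_hour(log_text: str) -> Counter:
    """Count failed attempts per (date, hour) bucket."""
    counts = Counter()
    for rec in parse(log_text):
        if rec["result"] == "Failed":
            counts[(rec["date"], rec["hour"])] += 1
    return counts


def find_spikes(log_text: str, threshold: int = 5, night=(0, 6)):
    """Return buckets with more than `threshold` failures, flagging whether
    they fall in the night window [start, end) and the busiest source IP."""
    sources = defaultdict(Counter)
    for rec in parse(log_text):
        if rec["result"] == "Failed":
            sources[(rec["date"], rec["hour"])][rec["ip"]] += 1
    spikes = []
    for (date, hour), n in sorted(failed_logins_per_hour(log_text).items()):
        if n > threshold:
            spikes.append({"date": date, "hour": hour, "failed": n,
                           "at_night": night[0] <= hour < night[1],
                           "top_source": sources[(date, hour)].most_common(1)[0][0]})
    return spikes


if __name__ == "__main__":
    for spike in find_spikes(SAMPLE_LOG):
        print(spike)
```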


Physical Security

Don’t make things easy for attackers.  Lock the room your server is in.  If your server needs a USB key to boot up, don’t leave it in the server.


Look around the office and think like an attacker.  
  • Can people see the administrative assistant’s keyboard in the reception area?
  • Is the receptionist or anyone else sitting under a security camera?  
  • When non-employees come in, do they have access to the whole building or just parts of it?
  • Set up surveillance
  • Set auto-lock timeout on all office PCs
  • Lock laptops to the desk
  • Escort non-employees


While physical security normally refers to securing your building, also think about network access.  Do you let clients or guests use your WiFi or network?  Rethink this if you have not set up a specific “guest network” (see the network section above).  Keep an eye out for strange looking boxes plugged into network jacks.

Employees

Employees are one of the biggest security threats that you have.  There is tons of data on this, as well as articles on the net about what the individual threats are.  I’ll touch on just a few key ones.
  • What level of access to your company does an employee have?  If you need to grant this user broad access to highly confidential company and client info, it may be worth a quick background check.  Re-think your access strategy.
  • Don’t allow employees to plug into your network without the basics (virus protection).
  • Find a quick computer security training program for your employees and require them to take it.  These tutorials cover things like “phishing”, virus protection, social engineering, and other threats that your office might come into contact with.


Have a security plan

  • Have a set of tasks that are performed by someone on a regular basis
    • Check security logs
    • Validate that patches are current for all software, servers, and routers
    • Did someone bring a new laptop into the office?
  • What will you do if you think you are hacked
  • What to do if a co-worker or partner is hacked


Miscellaneous

This is the section dedicated to a few little things to keep in mind if you are really interested in your security.
  • Don’t use a wireless keyboard.  I have no idea how well the communication between a wireless keyboard and your pc is protected but I’m guessing it’s not great.
  • If you think you might have a problem, call a security expert
  • Consider running a penetration test.
  • Surprise!  Your copier may have a hard disk in it.  Today’s office equipment is wired for the web, allowing employees to quickly scan and send documents via FAX or e-mail.  Remove the storage device from your copier, FAX, printer or other office equipment before it is sent in for maintenance or returned as part of a lease.  


Do

  • Create strong passwords.
  • Always use two-factor or multifactor authentication if a service supports it.
  • Use a password manager, it will give you the confidence to create better passwords
  • Be disciplined about what you share.
  • Protect your backups
  • Be aware of people and cameras around.
  • Pull storage devices out of office equipment before it is sent in for repair or lease return.


A Final Word

Computer security is one of the fastest growing areas of the IT business.  I’ve tried to cover the basics, but know that even the experts with years of experience are willing to toss in the towel at times.  Nothing is foolproof.  If it were, there wouldn’t be 1000s of people working on it.  My hope is that by implementing the basics, you are now 100 times more secure than you were before.  I don’t consider security one of my expert areas.  I’m happy to help you with some things, but if you think you may be under a persistent attack or even compromised, stop using your computing device and get a security professional to help out immediately.


There is a lot here.  Don’t become overwhelmed.  Make a list of the things you want to do, and start ticking them off the list.  Once you are done,  give your security posture a little love on occasion.

-- Chris Claborne

(aka Christian for you googlers)

1 comment:

  1. I've used AVG protection for many years, and I would recommend this Anti virus to everyone.
