Essentially it’s about the Cyber.

I apologise now for the frequency, or lack of updates on the blog.  I never said it would be THAT frequent however….


My latest blog is more to help the average IT manager who may find themselves working in a business on a UK Government contract.  The government wants to ensure that its supply chain lowers its risk by achieving a badge called Cyber Essentials.  This accreditation is there to ensure that you can deal with at least 80% of the typical cyber threats most businesses will come across.  Cyber Essentials doesn’t deal with every threat eventuality and it doesn’t go into risk management the way ISO 27001 does, but it does give you some decent guidelines to work to, and any business, big or small, should be working to these regardless of whether you want to achieve the accreditation.

Cyber Essentials has two flavours, Basic and Plus.  The only difference with Plus is that you’re physically audited against the things you declared in the Basic self-assessment, and it also includes a penetration test.

The scheme covers the following:

  • Secure Configuration
    • Building in controls & protection at the installation\roll out stage
  • Boundary protection
    • Putting in protection at the point of entry\exit to the internet
  • Access Controls and Privilege Management
    • User account management, passwords & segregation of duties
  • Patch Management
    • Keeping software updated & eliminating vulnerabilities
  • Malware Protection
    • Stopping known viruses etc from getting into the network

Do these and you’re well on the way to protecting yourself from most nasties.  Consider that it was a failing in patch management that allowed WannaCry to hit the NHS so badly.  The following paragraphs show the key points to consider:

Secure Configuration

  • Identify all key business software –
    • make sure that you keep a register of all the key business software that you use to keep the operations ticking.
  • Remove unwanted\unused software –
    • get rid of any crappy bloatware on laptops\desktops etc that could be a potential source of vulnerabilities.
  • Vulnerabilities are patched before roll out –
    • don’t roll out anything to live until you’ve run Windows updates and have removed any vulnerabilities such as default user name and passwords.
  • Centralised logging
    • Run a centralised system log tool so that logs live off the device and you can build alerting to issues.
    • It doesn’t have to be expensive – Kiwi Syslog is a useful and cheap tool (https://www.kiwisyslog.com/kiwi-syslog-server)
  • Back Up and Restore managed
    • Ensure you’ve identified all your key data and servers and know how to quickly restore them.
    • Test the restore!
  • Use VLANs to segregate production & back up networks from higher risk office PCs
    • I’ll talk more about this later in vulnerabilities.

Boundary Protection

  • Firewall in place at every point of exit\entry from internet –
    • Makes sense. Does anyone not use a firewall?
  • Firewall configuration is reviewed & open ports signed off –
    • Get the config double checked with another pair of eyes so you don’t inadvertently introduce vulnerabilities
  • Change control in place
    • Make sure that you have a process that prevents anyone making off the bat changes to configuration
  • Default users & passwords changed
    • Default user and password is Admin\Admin? Hello bad guy, I’ve just made it easy for you.
  • Access controlled to firewall (suggest by IP) & user access control list
    • Prevent network access by only allowing authorised devices or IPs and, if possible, only from the internal network and not outside.
  • Anti-spam and internet web filter in place
    • The internet is where the bad stuff comes from. Slow it down with a web filter and prevent email viruses coming through with a spam filter.

Access Control and Privilege Management

  • Requirement for staff checks and security training –
    • This is not just an IT thing: your HR department needs to do some basic checks to ensure we’re not hiring bad guys, but also someone needs to train the users not to click on dodgy links in emails; that’s best coming from IT as they’ll feel the pain when it happens.
  • Manage user accounts and in particular have a starter & leaver process to ensure correct permissions applied & terminated users deleted.
    • Make sure your helpdesk gets notified when someone leaves or has a change of role. What happens to the guy in payroll that moved jobs to the warehouse but can still gain access to his pay?
    • Audit the Active Directory and check for people that haven’t logged on for a while.
    • There are some really useful inexpensive tools on CJWDEV for the Active Directory.
    • Run an AD report against the HR employee directory and make sure it matches.
  • You know who has Admin access
    • Anyone with Admin access has the potential to do a lot of damage. Make sure you know who including those with Local Admin Access.
  • Elevated Privilege Staff (ie IT Administrators) must have separate accounts for Admin work and day-to-day work
    • The IT department have the biggest potential to really screw up things in the network. Use separate accounts so that if you have to do something that requires Admin access then it’s more than a one-step click to having a bad day. A pain in the arse for the average Admin but it’s a requirement and it’s a sensible one.
  • No local administrators by default
    • Again, as above, if you need admin access then have a separate Admin account.
  • Strong, complex passwords
    • Password = Pa55word or even worse, password1? Hello hacker.
  • No default passwords on the network on any devices
    • As above in boundary protection, anything that has an admin logon on the network needs to have its Admin credentials changed before it goes live.

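The starter and leaver audit above (AD accounts versus the HR directory, stale logons, and who holds Admin rights) as a script. This is an added example, not from the original post; it assumes you have exported Active Directory users and the HR employee list to CSV, and both files below are constructed sample data.

```python
"""Reconcile an AD user export against the HR employee list (added example).

Assumes two CSV exports: one from Active Directory (for instance produced by
Get-ADUser) and one from HR. Both files below are constructed sample data.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed AD export: account, last logon, enabled flag, admin group membership.
AD_EXPORT = """\
sAMAccountName,displayName,lastLogonDate,enabled,memberOf
jbloggs,Joe Bloggs,2017-05-10,True,
asmith,Anne Smith,2016-11-02,True,
pjones,Pete Jones,2017-05-11,True,Domain Admins
rbrown,Rob Brown,2017-05-09,True,
svc_backup,Backup Service,,True,Domain Admins
"""

# Constructed HR directory: who actually works here and in which role.
HR_EXPORT = """\
username,department,status
jbloggs,Warehouse,Active
asmith,Finance,Active
pjones,IT,Active
svc_backup,IT,Active
"""

STALE_AFTER = timedelta(days=90)      # no logon for this long counts as stale
REPORT_DATE = date(2017, 5, 12)       # constructed "today" for the sample data


def load_ad(text):
    return {r["sAMAccountName"]: r for r in csv.DictReader(io.StringIO(text))}


def load_hr(text):
    rows = csv.DictReader(io.StringIO(text))
    return {r["username"]: r for r in rows if r["status"] == "Active"}


def reconcile(ad_text, hr_text, today):
    """Return findings in the three categories the checklist asks for."""
    ad = load_ad(ad_text)
    hr = load_hr(hr_text)
    findings = {"no_hr_match": [], "stale": [], "admins": []}
    for name, acct in ad.items():
        if acct["enabled"] != "True":
            continue                  # disabled accounts are already dealt with
        # Leaver check: an enabled account with no active HR record.
        if name not in hr:
            findings["no_hr_match"].append(name)
        # Stale check: never logged on, or not within STALE_AFTER.
        last = acct["lastLogonDate"]
        if not last or today - datetime.strptime(last, "%Y-%m-%d").date() > STALE_AFTER:
            findings["stale"].append(name)
        # Admin visibility: know who holds elevated rights, service accounts included.
        if "Domain Admins" in acct["memberOf"]:
            findings["admins"].append(name)
    return findings


if __name__ == "__main__":
    for category, names in reconcile(AD_EXPORT, HR_EXPORT, REPORT_DATE).items():
        print(f"{category}: {', '.join(names) or '-'}")
```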
Patch Management

  • Use a vulnerability scanner –
    • Patch at least all Critical and High vulnerabilities. If it tells you there’s a critical Windows patch then run the patch so you don’t get caught out like the NHS did with WannaCry.
  • Non-patchable equipment is on Risk Register –
    • You’ve identified the ones you can’t patch for various reasons so at least keep tabs on them, try and reduce the risk and tell your boss you need investment.
  • Ensure every Windows device receives & applies updates
  • Regularly patch all network equipment (Cisco, etc)
  • Segregate end of life software and prevent access to and from internet such as Windows XP
    • You’re running machinery that you can’t patch anymore so it’s a high risk. Don’t make it easy by allowing access to the internet or email on the device.
    • Use VLANs to segregate stuff that can access the internet from stuff that is at higher risk from nasties on the internet.

Malware Protection

  • Use Anti-Spam\Web Filter\Anti-virus software
  • Every device must have anti-virus installed
  • Includes mobile devices and especially Android
  • Must have regular automatic updates
  • Register those that can’t have malware software installed and segregate from internet
  • Most servers should not browse the internet, especially if they don’t use anti-virus!


And that’s it. None of this is rocket science but there are a lot of large businesses that don’t do this and likewise, there are a lot of SMEs that don’t have structured IT departments and therefore don’t necessarily apply this type of thinking.

All viruses exploit vulnerabilities so do your best to make it hard for the virus writers.


Managing The Risk


On 12th May 2017 a ransomware attack hit many organisations around the world, some notably large ones such as the NHS and Telefonica, and their operations were hit severely. I pity the IT staff who would have had to work through the night and weekend to restore services.

It definitely could have been prevented or in the very least, reduced to a handful of devices rather than the majority. It appears that those running Windows XP, which went end of life in 2015, were particularly vulnerable as they no longer receive updates and patches. I do have to wonder why so many machines were hit when there are so many easy things a business can do to reduce risk.

Patch It

There’s a reason that vendors produce security updates, and these days the delivery and installation is automated. Windows Server Update Services (WSUS) downloads the updates and deploys them from a central location on the network. Use it and take action on Critical and High Priority patches quickly. The bad guys are really good at exploiting vulnerabilities, so the quicker you patch the quicker you’ve removed the vulnerability. Remember, it’s not just your Windows devices that need patching.  Everything, including network equipment such as switches and firewalls, needs to be patched.

Make sure anti-virus, spam filters and web filters are updated regularly.

Look For Your Own Vulnerabilities

Use a tool such as Nessus to scan your network for vulnerabilities.  It will look for holes in your network, tell you where they are and suggest a way of securing the vulnerability.  It will even look for default passwords or misconfiguration. Run a regular scan and attack the vulnerabilities by priority with the Critical ones first.

Remove Legacy Systems If You Can

If you don’t need to run Windows XP then get rid of it and remove the risk altogether.

What If You Can’t Get Rid of Legacy Systems?

There are a large number of organisations that have legacy systems, such as specific business software or manufacturing equipment, that are dependent on old operating systems.  Either it’s really costly to replace these systems or a replacement that works on a later operating system simply doesn’t exist. This is where you need to manage risk.

This requires you to really understand your IT estate, what you’re using on them and why you can’t move away from legacy operating systems.

Block the Internet

Viruses typically arrive via the internet. They’ll arrive by email or through a download on a webpage.  Usually they are dependent on the internet to perform their job, so if you stop the old Windows XP systems reaching the internet the ransomware can’t check in with the remote server.

Also, remove email from the Windows XP device and reduce its day-to-day usage to just that of the legacy system. Email can sit on newer devices.

Segregate The Network

Split the network up by using VLANs (virtual Local Area Networks). This is a great way of controlling the flow of data across the network and preventing one part of it from talking to another.  For example, you don’t want the highest risk PCs, such as those in the offices talking to the internet or email, having the ability to talk directly to the Windows XP computers that drive your very expensive manufacturing equipment.  Whilst it’s an inconvenience if your office employees can’t use the internet or email for a day or so, imagine the cost to a business if it can’t use its manufacturing equipment to make stuff.

Put all your servers on their own VLANs and stop the ability for them to talk directly to the internet. Create air gaps between key systems so that if a virus or a worm does infect your network they can’t jump across to legacy equipment as there’s no connectivity.

Lock Down Files

You should be doing this anyway: lock down all your files to only those that need access to them.  You don’t want someone in your warehouse downloading ransomware and then encrypting all your HR or Finance files because they can connect to them via a mapped drive.  The ransomware takes the files and then changes the state of each file by encrypting it, because the user that has introduced the virus has access.  No access, then no ability to change the state.

Also, make sure that all key files are stored and backed up on a central server.  No data of any worth should be kept on a local PC. You need to be prepared to lose the data on the computer.

Take Regular Back Ups

I’m still amazed at how businesses do not invest wisely in back up technology.  Back up your data and ensure that access is restricted by a VLAN.  If an office worker can directly access your back ups on the network then the ransomware worm they’ve just introduced on the network can as well.

Education, Education, Education

To quote a former Prime Minister…education is key.  Educate your users regularly on the risks to the business and how to spot a fake email and the opening of attachments.

Prepare For Infection

Resign yourself that you will be hit so prepare for the day.  Run through scenarios with staff and assign people to tasks that they will perform in the event of a disaster.

It’s Happened, I’ve Been Hit By Ransomware

Bugger. Don’t despair though as, if you’ve followed the good practices above then you’ve reduced the risk massively.  Only a small portion of your network has been infected and your legacy systems are happily ticking along.

Don’t pay the ransom and restore your workstations and data. Make it easier on yourself by using various technologies and methods such as virtualisation or online back ups. Make it quicker to restore desktop PCs using images rather than reinstalling all over again.

Learn from it

If anything, this latest attack will sharpen the mind of board rooms to the issue of cyber security. This is a good thing as it’s not going away and has the ability to severely disrupt availability and integrity of data and more importantly, the reputation of a business.

Photo Credit: The Register

Restricting Everyone But Especially….Yourself!


If you work in IT you will have heard of the principle of Least Privilege.

Least Privilege is only allowing the computer account that you use enough permissions to do the job it needs to do.  You’ll see this at work if you use a corporate network.  Say, for example, you work in the warehouse: there’s no need for your network account to have access to the payroll or permission to install new programs onto the computer.  The account will need to access the warehouse management system but won’t need access to other things, because your role dictates what it needs or doesn’t need. We tend to live with it in the corporate world and recognise why it’s there.

If you’re a decent Sysadmin then you’ll be applying the principle in your daily life and use at least 2 accounts, one for logging on and doing your day-to-day tasks such as reading emails and the other, an administrative account with higher permissions, to make changes to configuration, install and uninstall etc.

Home life is different and I’ll guarantee that just about everyone reading this makes this mistake. 

You’ve just bought your nice and shiny laptop, log on for the first time and create the first account which has administrative rights.  You may decide to create user accounts for the kids so that they can’t install loads of rubbish onto the laptop but you leave your account with administrative privileges so that you can install all manner of programs. Herein lies the problem.

You need to make it hard for the viruses.  Should you click on a dodgy link then, as you’re logged on as the dude with total control over the laptop, that virus is now going to exploit this and it’ll have the ability to do all sorts of things with those administrative privileges. It can rename user accounts, create new ones, delete information, change the integrity of data and, worst of all, because it’s got the top privileges going, it can seek out and amend or delete those controls that you’ve put in place against viruses, such as uninstalling anti-virus software or deleting your back up.

Treat your day-to-day account on your home laptop or desktop the same way that you treat your kids’ accounts. Give yourself a user account that doesn’t have admin rights. If you need to install a program then choose to install it with the separate administrative account, either by right clicking and running as an Administrator or by logging on specifically as the administrative account and then logging off once done.

I won’t lie, I’ve been very very guilty of doing this at home but not anymore.  Experience has taught me it’s far better to avoid disaster than to manage and restore from one.

How Boobs and Curiosity Killed The Cat..and Your Pc

This article is about how you can defend against viruses, where the best and last line of defence is you.

Viruses are programs designed to alter the state of your data, either to make money or just ruin your day. They’ll delete, encrypt or spy on your data but I would say that you can stop around 99% of viruses by following some simple measures.

Don’t Be Stupid

Simple really. If you receive an email about a subject that’s totally random to you and it has an attachment or web link then be careful. Apply these rules:

  • Is this an email from someone you know or have been communicating with?
  • Is the grammar or subject matter what you would expect from this person?
  • Is the email address correct? When you see an email and it looks like it’s from a name you recognise there are two parts to it. You’ll see the name and the SMTP address, i.e. Joe Bloggs <joe.bloggs@notherealjon.com>. Emails get spoofed all the time so check the SMTP (joe.bloggs@) bit and see if it’s correct. Chances are it’s a random address created by a hacker.
  • Does the web link look correct? If you hover over the link but the hover shows a completely different web address then they are trying to trick you by making it look like a legitimate website.
  • If you’re a middle aged bloke with a beer gut and you’re being enticed by emails from the young nubile Emily who wants you to click on her web link to chat then don’t. She’s not really going to show you her boobs.
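Two of the rules above, the SMTP address check and the hover-over link check, as code a mail admin could run over a suspicious message. This is an added example, not from the original post; the contact list and the message are constructed sample data, and the address book lookup by display name is an assumption about how you hold your known contacts.

```python
"""Triage a suspicious email: does the sender's SMTP address match the person
it claims to be, and does each link's visible text match where it really goes?
Added example; the contact list and message below are constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed address book: display name -> the SMTP address we actually know.
KNOWN_CONTACTS = {"Joe Bloggs": "joe.bloggs@example.co.uk"}

# Constructed message: spoofed display name, and a link whose text lies about its target.
RAW_MESSAGE = """\
From: Joe Bloggs <joe.bloggs@notherealjon.com>
To: you@example.co.uk
Subject: Invoice attached
Content-Type: text/html

<p>Please review: <a href="http://portal.example.co.uk.notherealjon.com/x">https://portal.example.co.uk/invoices</a></p>
"""


class LinkCollector(HTMLParser):
    """Pairs each <a href> with the text the reader actually sees."""

    def __init__(self):
        super().__init__()
        self.links = []        # (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg):
    """Flag a From: whose display name is a known contact but whose SMTP address is not."""
    name, addr = parseaddr(msg["From"])
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != addr.lower():
        return f"display name '{name}' but address {addr} (expected {known})"
    return None


def check_links(msg):
    """Flag links whose visible text is a URL on a different host than the real href."""
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)
    warnings = []
    for href, text in collector.links:
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown != real:
            warnings.append(f"text shows {shown} but link goes to {real}")
    return warnings


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = check_sender(msg)
    if sender:
        findings.append(sender)
    findings.extend(check_links(msg))
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("WARNING:", finding)
```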

Don’t let curiosity get the better of you. Just delete the email and don’t open the attachment or click on the link. If you do then you’ll unleash hell onto your PC. If it’s a legitimate email then the person will chase it by another email or call you if it’s important.

To be safe, make sure that Macros in your Microsoft Office programs are turned off so that they don’t run automatically. If you receive an attachment that asks you to enable Macros then it’s highly likely you’re about to say goodbye to your data.

Patch Those Holes

Viruses typically take advantage of vulnerabilities in your software. These weaknesses are patched regularly by the software vendors, hence you see Windows Updates or Adobe updates. Don’t ignore them. They patch the holes to prevent the vulnerability being exploited. If a piece of software requires an update (and this is not limited to Microsoft or Adobe) then update it.

Do The Obvious

It goes without saying but you really need to use anti-virus software, and don’t think that having a Mac means you’ll escape. Hackers are quite happy to go after Apple fanboys as much as they are Windows users. Sophos are one of the most trusted anti-virus vendors going and they do a free home network version for up to 10 devices. Well worth it if you don’t currently have software, and the link is below.

Sophos Home

Lastly, remember about your back ups. Have at least one back up that you don’t automatically access on a day to day basis. If you can easily navigate to it then so can the virus, and at that point you’re stuffed.

Securing your assets……

And I don’t mean a bra or tight fitting under crackers..
When I think of assets I normally think of stuff I can touch, so with regards to my personal IT that’ll be the iPad, Samsung phone, laptop and desktop PC, but the reality is that it’s actually more than that. What about your data? Your music or 15 years of digital photos of the dogs or the kids growing up? What about all your personal correspondence? What about your online identity or bank account?

In previous blogs I’ve talked about using multiple passwords and 2 Factor Authentication to protect the confidentiality of your data. Confidentiality forms part of the triangle in information security. You don’t want people who don’t need access to your data gaining access. The other two sides of the triangle are integrity and availability. Integrity means that you don’t want someone changing it or corrupting it, for example ransomware encrypting your data. Availability means that it’s always there when you need it and you can gain access to it. In terms of the ransomware attack it’s there but unavailable to use.

Have A Different Approach Depending On What You’re Securing

There are many many layers to securing your data so you need to think about the risk and the impact. This then allows you to consider what the best approach is and whether you want to spend a lot or live with the risk.

For example, losing your hard drive on your PC would have a high impact on the availability of your data. You may lose it completely or it may become corrupt, thereby affecting the integrity. The risk is probably low to medium if it’s a typical desktop, however if you’re using a laptop without a solid state hard drive then it’s a lot higher. I’ve lost count over the years of the number of laptops that have been damaged purely because they are mobile devices.

Backing up your data doesn’t need to be expensive. You need to consider a 3-2-1 approach; 3 copies of the data, 2 which are local and one that is off site in case the house burns down etc. My approach is this:

  • I have a laptop and a desktop PC. The desktop PC has a second hard drive in it that hosts the majority of my personal data. This means that if the C drive is corrupt then I’m not going to lose the data. Also, my laptop hard drive is encrypted so if that’s stolen then the bloke selling it for £50 in the pub is selling a brick.
  • I use Google Drive and pay a couple of dollars a month for 100 GB of data. This synchronises with the desktop and about 80 GB of my photos sit quite happily in the cloud. They are accessible by all my devices and if my hard drive dies, my memories are still there. In addition, all my CDs that I collected over the years that were burned to the hard drive of my computer now reside in Google Play.
  • I have a 1TB NAS (network attached storage) device that my hard drive synchronises to. This includes all my music and photos. So, with the 3-2-1 approach I have the original copy on the hard drive, a copy on the NAS and another in Google Drive. Google Drive also comes with the ability of rolling a copy back within 30 days so if the original is corrupted and synchronised to the cloud then I can revert back to a decent copy.

So, I’m not too bothered if I lose my photos or music on my hard drive as they’re in the cloud. It’s a low impact as I can download them again.  The high impact bit is the operating system and all my programs that I’ve installed over time. It would take a complete age to restore it all to a working level. I’m not even sure whether I still have all the media or settings to get me back up and running.

With this in mind, another approach I’ve taken is to take a snapshot of my PC at a point in time. I’ve used Acronis True Image to take a copy of the whole hard drive and have stored it on my NAS box. This means that if I need to restore to a new hard drive it restores a lot quicker than re-installing and copying everything back.

Don’t Be Held To Ransom!

Ransomware is on the increase. This is where you’re infected by a virus that encrypts all of your documents and makes them inaccessible to you. The attackers will demand that you hand over some cash to get the encryption key.

First things first, don’t hand over cash. Walk away from it. If you can, restore the state of the PC using system restore. If not, delete the encrypted files, clean up the PC using anti-malware software and restore your data either from another local copy (in my case the NAS box) or your cloud service (Google Drive).

I’ll cover more on ransomware in a future blog.

Ok..so I’m using complex passwords so we’re all good, right?

Nah. You’re on the way to being a lot more secure than you were when you were using the same password across all web sites but you’ve not completely reduced the risk.

Add A Little Extra To Your Authentication….


There are two elements that you use to log onto most websites; your username (typically email address) and a password.  So after reading my last blog you’ve changed all your passwords but it’s still possible that someone has managed to get it through a hack or social engineering.  You can add an extra layer to that authentication by introducing 2 Factor Authentication (2FA).

2FA for most websites comes in the form of introducing your mobile phone number into the process.  You log onto the site using your username and password, which then prompts the site to send you a text with a code.  You enter this code on the website to verify it’s you and the device you’re using is then authorised.

This means that to impersonate you the hacker needs access to your mobile to intercept the text message.  It’s not impossible but it’s a lot harder.  I’m guessing if there is a hacker out there with the technology to get username, password AND text messages then you’re probably James Bond and the Chinese government are after you.

Not all websites use 2FA but most of the major social media and email accounts do.  For instance, if you’re using Facebook, Twitter and Instagram then I suggest you set it up.  Likewise if you’re using Gmail or Yahoo email, and of course you don’t want anyone stealing your hard earned cash through Amazon.

The 2 Factor Auth List is a great website that lets you know whether a web site utilises 2 FA and also points you in the right direction on how to set it up.

https://twofactorauth.org/

What Else Can I Expect From This Blog?

Over the coming weeks I’ll cover such topics as:

  • Securing your personal information assets through backing up
  • Protecting yourself from viruses and attacks
  • Wifi networks….are you sure they’re secure?
  • How to protect your hard drives if they are stolen

If you’d like me to cover another topic then give me a shout!

Passwords…..My Complex Password Will Keep Me Safe, Right?


Ok, so you’ve added a number or even a bit of punctuation (!*@) to your password and you feel smug knowing that no hacker’s going to get the better of you. Right? Wrong!

The thing is, that complex password you’ve used is really hard to remember so you’ve used it on Twitter, Instagram, Facebook, Amazon, Moonpig and that dodgy dating site you joined up to years ago.  So here’s the problem: we entrust all these websites to look after our personal information, our data assets, and some do a better job than others, but you don’t know how they store your data or how or whether it’s encrypted. If you’ve ever clicked on a Resend Password button on a website and it’s sent it back in an email in clear text then you’ve got to question whether they are storing the password in clear text. If they are that lackadaisical with security then it won’t be too much effort for a hacker to get your password.

Now the hacker has your password and your login details, probably your email address. The same 2 bits of information that, when put together, will allow access to Twitter, Instagram, Facebook, Amazon, Moonpig and that dodgy dating site you joined up to years ago.  You need a separate complex password for each account.

I’ve Got 70 Online Accounts – I Can Hardly Remember One!

Creating and remembering 70 complex passwords that don’t follow a pattern is some mean feat.  The way to remember them is to use a Password Manager. Password Managers are encrypted databases that can store passwords, create complex ones and interact with your browser so that they log you in automatically. Typing and remembering the password is a thing of the past.

There are several out there, however the one I would recommend is Dashlane, mainly for its simplicity and easy to navigate GUI (graphical user interface). I installed it first on my desktop PC and then on my iPad and Samsung S7 and then laptop. The first time I used it the software found several websites that I routinely use and automatically entered their passwords into the database.  The security dashboard then told me how insecure I was.  It pointed out where I had really weak passwords and on which websites I had re-used the same password, which was too many for me to admit here. I then set about changing my password on all these sites with the help of Dashlane creating a long and complex password. Eventually, and after a couple of hours, I had changed the amber warning alert to a nice green tick which informed me that all my passwords were strong and not re-used.  I feel a lot more comfortable about my online presence now.  If a website that I use gets hacked then I’m confident that the damage is limited to only that single site.

There Is A Catch Though…..You Still Need To Remember A Password…

Meh. Thought you escaped? Nope.  You still need to remember at least one complex password and that’s the one that allows you entry to the Password Manager itself. It’s got to be complex and it’s got to be memorable so you don’t forget it. Write it down and store it in a black book, share that password with a trusted family member, but don’t forget it.

Don’t choose something that can be easily guessed.  As I’m a #saintsfc fan I could choose something like LeTissier7 as a password but everyone knows I’m a fan of the club as it’s mostly what I talk about on Twitter so it wouldn’t be too hard to guess.

I suggest using a pass phrase: take a phrase and put the first letter of each word together, and that will be your password.  For example:

Matt Le Tissier scored the last goal for Southampton at The Dell against Arsenal in 2001!

becomes

MLTstlg4SaTDaAi2001!

A bit long and very complicated but that does the trick!
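The pass phrase rule above, written out as a small script so you can see exactly how the example phrase turns into the example password. This is an added example, not from the original post; the only rules it assumes are the ones the example shows (first letter of each word, a word starting with a digit kept whole along with its punctuation, and the word “for” becoming “4”).

```python
"""Turn a pass phrase into a password the way the post's example does.
Added example; the substitution table is an assumption read off the example."""
import string

# Assumption: the example's single word substitution ("for" -> "4").
WORD_SUBSTITUTIONS = {"for": "4"}


def passphrase_to_password(phrase):
    """First letter of each word; digit-led words kept whole; 'for' becomes '4'."""
    out = []
    for word in phrase.split():
        if word[0].isdigit():
            out.append(word)                       # "2001!" stays as it is
        else:
            # Strip trailing punctuation only for the substitution lookup.
            bare = word.rstrip(string.punctuation).lower()
            out.append(WORD_SUBSTITUTIONS.get(bare, word[0]))
    return "".join(out)


def character_classes(password):
    """How many of the four classes (lower, upper, digit, symbol) are present."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


EXAMPLE_PHRASE = (
    "Matt Le Tissier scored the last goal for Southampton at The Dell against Arsenal in 2001!"
)

if __name__ == "__main__":
    pw = passphrase_to_password(EXAMPLE_PHRASE)
    print(pw, "-", len(pw), "characters,", character_classes(pw), "character classes")
```

Run it with your own phrase to check the result has a decent length and mixes all four character classes before you commit it to memory.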

Dashlane

If you want to try Dashlane then give me a shout and I’ll refer you.  Although it has a free version my referral will get you 6 months free of the Premium service which has more functionality such as synchronising across all devices.

https://www.dashlane.com/features/password-manager