Network Security Essentials: A Checklist for your Business

I hardly need to labour the point that network security is essential in an age where companies of all sizes are hacked. Hardly a week goes by without data breach headlines in the mainstream media, and 2021 is no exception so far, with high-profile incidents including LinkedIn, Parler (an almost complete website scrape in that case), Mimecast, U.S. Cellular and many more. The causes of these breaches, which compromised the data and privacy of clients, ranged from targeted attacks, exploitation of misconfigured cloud services and unsecured data stores to malware and scams. Many of them could have been prevented. It makes you wonder why, in 2021, companies large and small are still so careless with client data, especially when a lack of IT personnel or funds is not an issue for the global giants. Didn’t these companies have a simple checklist or basic code of practice for network security? Protect all client data as if it were your own: encrypt it, require authenticated access to it and take every other reasonable precaution. Consider the following an overview or starting point for creating your own checklist.

The Basics

Let’s assume, as many do, that larger companies have a handle on the basic elements of network security. Firewalls are configured correctly. Administrators have a full list of their hardware and software and all security updates and patches are installed promptly. They have a robust backup procedure that ensures prompt restoration of company data even after a ransomware attack. Brilliant! Now what?

Despite the naysayers, password management is still an issue, and not mainly because of password length, complexity or authentication method but because of longevity: passwords stay in use for years, are reused across services and remain valid long after they have appeared in a breach. Note that current NIST guidance (SP 800-63B) advises against forcing periodic changes for their own sake; the controls that actually help are screening new passwords against breached-password lists, multi-factor authentication and changing a credential promptly when compromise is suspected or an employee leaves.

Employees will also log into personal services during office hours and, where a BYOD policy exists, will every device really be approved by IT and running an OS version IT supports? Again, let’s assume enterprises have no flaws in any of these areas, despite almost daily reports of data breaches. Enterprise-level solutions seek to address more advanced problems…

SIEM, NGFW and User Error Prevention

Modern network security is aimed at identifying emerging threats and reducing the impact of human error (which is still the biggest threat to your data). In fact, a recent joint study from Stanford University and Tessian indicates that 88% of all data breaches are caused by employee error. The Blame Game is not the solution here as the study also points out that “Your employees are focused on the job you hired them to do and when faced with to-do lists, distractions, and pressure to get things done quickly, cognitive loads become overwhelming and mistakes can happen.”

Therefore, recognising that security awareness training is not the entire solution and that employees are not cybersecurity experts, companies must use technology to help with the problem. Although classified as enterprise solutions, most are available to smaller companies too, whether next-generation firewalls (NGFWs), analytics-driven security information and event management (SIEM) or remote solutions offered as a service. Every company should perform a risk assessment, identify its greatest threats to network and data security, and only then arrange trials of the available solutions.

Even a brief look at NGFWs will confirm they are a key step in enhancing cybersecurity: they combine the basic stateful firewall with intrusion detection and prevention (IDS/IPS), application awareness (inspection from Layer 2 up to Layer 7, so rules can be written per application rather than per port), anti-malware scanning and, often, a reduced infrastructure footprint because several appliances collapse into one. One caveat: those features are not free in performance terms. Deep packet inspection and especially TLS inspection cost throughput, so size the appliance on the vendor’s figures with IPS and TLS inspection enabled rather than on the headline number. A worthy purchase nonetheless, and one that reduces the impact of user error by blocking threats before a click becomes an incident.

Email & Internet

Your anti-malware solution (if not part of an NGFW) must scan incoming email and monitor internet traffic. Companies need to decide whether to allow only approved websites (an allowlist, or whitelist) or to block known-bad ones (a blocklist). An allowlist is far more restrictive but also stops sites nobody has classified yet; a blocklist is easier to live with but only stops what is already known. Whatever you decide, security (and perhaps productivity) is the primary consideration. Different companies will have different ideas on this and are free to do so, since company-owned equipment is involved. However, I’d advise against keyloggers, surveillance cameras and the like as they can affect employee morale.
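
Whichever list you choose, the matching logic has to respect domain boundaries. The following Python is an added example (not code from the article or from SMSEagle) showing the classic allowlist bug, a plain suffix match that lets notexample.com through when example.com is allowed, beside a correct matcher that also refuses bare IP literals in allowlist mode; the list contents are constructed for the demo:

```python
"""Hostname policy check for a web filter.

Added example, not from the article. It shows the one bug that bites most
home-grown allowlists: matching on raw string suffix instead of on domain-label
boundaries, so 'notexample.com' passes an allowlist containing 'example.com'.
The allowlist/blocklist contents below are constructed for the demo.
"""
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Extract the lower-cased host from a URL or bare hostname."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def domain_matches(host: str, pattern: str) -> bool:
    """True if host equals pattern or is a subdomain of it (label-boundary match)."""
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def is_allowed_naive(url: str, allowlist: Iterable[str]) -> bool:
    """The common mistake: plain suffix match. 'notexample.com' ends with 'example.com'."""
    host = host_of(url)
    return any(host.endswith(p) for p in allowlist)


def is_allowed(url: str, allowlist: Iterable[str] = (), blocklist: Iterable[str] = (),
               mode: str = "allowlist") -> bool:
    """Decide whether a URL may be fetched.

    mode="allowlist": only hosts under an allowlisted domain pass; IP literals
    are refused unless listed exactly, because they sidestep hostname rules.
    mode="blocklist": everything passes except hosts under a blocklisted domain.
    """
    host = host_of(url)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        is_ip_literal = True
    except ValueError:
        is_ip_literal = False

    if mode == "allowlist":
        if is_ip_literal:
            return host in {p.lower() for p in allowlist}
        return any(domain_matches(host, p) for p in allowlist)
    if mode == "blocklist":
        return not any(domain_matches(host, p) for p in blocklist)
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample policy for the demo.
ALLOWLIST = ["example.com", "office.example.net"]
BLOCKLIST = ["filesharing.example"]
```

A real filter also needs the decision to happen on the resolved request (after redirects and with DNS under your control), otherwise an allowed host that redirects elsewhere bypasses the list.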

Ransomware and Backups

There is always the possibility of an emerging threat getting past your firewall, and ransomware is the worst of these: either a ransom is paid (and we ‘trust’ the criminal to deliver a working key?) or everything is restored from clean backups. Therefore, your backup and disaster recovery plans must be fully tested and verified as working before the worst happens. It’s obviously too late when the backup is discovered to be worthless. Industry practice is the 3-2-1 rule: at least three copies of the data, on two different types of media, with at least one copy offsite or offline. The offline (air-gapped) copy matters most against ransomware, which encrypts or deletes any backup it can reach over the network, so drives or tapes stored in a fireproof safe, or immutable cloud storage, remain the standard. Backup verification is worth emphasising… Ever heard of bit rot? Stored data degrades over time on hard drives, SSDs and tapes alike (flash as well as magnetic media), which is why regular verification of backups and archives, for example by re-checking stored checksums and periodically performing a full test restore, is necessary.
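
The checksum verification mentioned above, as an added Python example (not code from the article or from SMSEagle). It writes a SHA-256 manifest next to a backup set and later re-hashes every file so that bit rot, missing files and stray additions are reported; the manifest name, the sha256sum-style line format and the demo data are assumptions of this example:

```python
"""Checksum manifest for backup verification.

Added example, not from the article. It writes a SHA-256 manifest for a backup
set and later re-hashes every file, so silently corrupted (bit rot), missing
or unexpected files are reported instead of being discovered during a restore.
The manifest name, its format (the same '<digest>  <path>' lines sha256sum
uses) and the demo data are assumptions for this example.
"""
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"  # assumed file name, kept inside the backup set


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large backup images never need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_files(backup_dir: Path):
    """Yield (relative path, Path) for every regular file in the set, except the manifest."""
    for path in sorted(backup_dir.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            yield path.relative_to(backup_dir).as_posix(), path


def write_manifest(backup_dir: Path) -> dict:
    """Record a digest for every file and return the {relative path: digest} map."""
    backup_dir = Path(backup_dir)
    digests = {rel: sha256_file(path) for rel, path in backup_files(backup_dir)}
    with (backup_dir / MANIFEST_NAME).open("w", encoding="utf-8") as fh:
        for rel, digest in digests.items():
            fh.write(f"{digest}  {rel}\n")
    return digests


def verify_manifest(backup_dir: Path) -> dict:
    """Re-hash the set and classify each file as ok, corrupted, missing or unexpected."""
    backup_dir = Path(backup_dir)
    expected = {}
    with (backup_dir / MANIFEST_NAME).open("r", encoding="utf-8") as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    present = dict(backup_files(backup_dir))
    report = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(present) - set(expected))
    return report


def demo() -> dict:
    """Constructed demo: build a tiny backup set, flip one bit in one file, verify."""
    backup_dir = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    (backup_dir / "db").mkdir()
    dump = backup_dir / "db" / "customers.sql"
    dump.write_bytes(b"INSERT INTO customers VALUES (1, 'example');\n" * 100)
    (backup_dir / "config.ini").write_bytes(b"[server]\nhost=10.0.0.5\n")
    write_manifest(backup_dir)
    data = bytearray(dump.read_bytes())
    data[len(data) // 2] ^= 0x01  # simulate bit rot: a single flipped bit
    dump.write_bytes(data)
    (backup_dir / "stray.tmp").write_bytes(b"not part of the backup")
    return verify_manifest(backup_dir)


if __name__ == "__main__":
    print(demo())
```

Keep a copy of the manifest (or at least its own digest) off the backup medium, or sign it, because ransomware with write access to the backup can rewrite both the files and the manifest. Checksums prove the bytes are intact; only a full test restore proves the backup is usable.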

In conclusion, all of the above, and any additional technical measures you adopt to mitigate identified risks, should be part of an overall IT policy that states security goals with examples and user scenarios where possible. Security is an ongoing task that evolves as new threats emerge; that is the reason for backups, penetration tests, encryption and the other processes described here. If BYOD is present, do you have a mobile device management (MDM) solution? An employee has left the company: how long before the user account, VPN access and all LAN credentials are disabled? How about DHCP: do you use reservations or keep an address log so that an unknown device joining the LAN is noticed? These and other questions are yours to answer when ensuring maximum LAN protection. How will you proceed, or do you already include all these recommendations in your security posture? If so, well done, you’re immediately ahead of many global companies…

Use Hybrid IT To Maximise Remote Working Benefits

At its simplest, and according to industry insiders, the term ‘hybrid IT’ is used almost exclusively to describe a combination of on-premises and cloud-based services. In my opinion, it could also describe the IT infrastructure and processes needed to let office-based employees work from home when necessary. For many companies, and indeed governments, this became necessary during the current Covid-19 pandemic, and unfortunately they soon discovered that their business continuity and emergency response plans failed in many areas.

Allowing Working from Home

The decision to allow working from home (WFH) is never taken lightly by company management, as many believe that employees require supervision, direction or management and that a lack of these leads to a lack of productivity. Among professional employees, the reverse is often true. Business or organisational stakeholders must embrace the concept of remote working, especially during a pandemic. However, they don’t have to accept it blindly and should follow a logical process before rolling out a remote working solution that minimises risk and secures data.

As Przemysław Jarmużek, IT Administrator at SMSEagle, is quick to point out, “From an operational perspective, it’s essential that IT and all department heads perform a brainstorming exercise to not only define all remote requirements and offer some proposed solutions but also to identify the potential risks involved. The ideal solution will maximise efficiency and minimise risk to your organisation’s digital assets.”

Is Remote Working Viable?

Remote working is only a viable solution for your organisation if it allows business continuity, even if solutions are provided in a reduced manner. Not all companies or industries benefit from it. Anything requiring hands-on interaction with the public is impossible during pandemic lockdowns, for example. This can include barbers, brick-and-mortar retail outlets or indeed hotels, restaurants or trade services such as plumbing, electrical or construction. “To benefit from remote working, your organisation is comprised of an office-based environment, where the fixed office setting is duplicated at home and allows the completion of tasks normally performed while connected to the company LAN,” said Radosław Janowski, Product Manager at SMSEagle.

The Home or Remote Office

Do your employees have the space or equipment necessary for a home office? Most will agree that access to high-speed broadband is essential. If an employee is in an area that does not support it, remote working is doomed to failure unless a solution is found. Should the employee invest in broadband (unlimited 4G, for example) and office equipment such as a printer without compensation? I don’t think so, and good companies will ensure that at least a percentage of any additional setup costs is reimbursed.

While it’s certainly true that most households have a family computer or two, it’s unreasonable (and poor security practice) to expect employees to use these shared machines for work. IT needs access to every system used for work, and unless a BYOD policy is in play it’s best to avoid an employee’s own equipment. Why? Because IT will need to audit the device before remote working takes place. They will need to install additional security software, since users no longer sit behind the company firewall and the other perimeter controls. In addition, IT must ensure the device is ‘clean’ (fully patched, running approved endpoint protection and full-disk encryption) before allowing it to connect to the company LAN or related services. They must provide a VPN that grants access only to what each user is permitted to reach, protected by multi-factor authentication; password-only authentication on remote access is a recurring cause of breaches. The list goes on; suffice to say that any device used remotely must be as secure as any on the company network.

Collaboration and Interaction

Once the overall IT security strategy for remote working is decided on, it’s up to each department to recommend their chosen solutions for remote connection to the network (document access, for example) and any tools they need for effective collaboration with clients, suppliers and colleagues. You are effectively replacing onsite processes and operations with virtual ones over a remote connection.

To give one example, your company may have daily, weekly or biweekly internal meetings. When working from home, if you do not already have a VoIP or video-conferencing solution in place, what will you choose? Zoom got a new lease of life during the pandemic, but many companies use Skype or WebEx, and there are many other options to choose from.

How about document management and sharing? Will you choose cloud storage such as OneDrive or Google Drive? Perhaps you already use cloud-based suites such as Office 365 or Salesforce, or you prefer to access an internal document management system with full tracking, versioning and so on. Whatever you decide, data security is a must, as governing laws, privacy regulations and compliance requirements remain unchanged when staff work from home. You can use any combination of private, public or hybrid cloud solutions in addition to a remote connection to the company LAN for internally managed data.

In conclusion, the main thing to remember is that remote working has its place, even without a pandemic, and once set up correctly by IT the risks are manageable. Extending the security perimeter to include remote workers is reasonably painless provided it involves company-owned and monitored equipment (using approved software and services) and the company compensates employees for initial setup and ongoing costs. Uptime becomes even more critical, so network monitoring and alerting on the company LAN and the VPN gateway should be in place.

Remote working is possible for every company that can benefit from it, and as someone who has worked remotely for more than ten years I can state that morale is not an issue. In addition, productivity is higher, as there are no distractions or conversations around the water cooler.

Protect Your Home and Business by Securing Wi-Fi and Connected Devices

In the last ten years or so, securing our local area networks has become more difficult, thanks to ubiquitous high-speed broadband and a proliferation of internet-enabled devices. Some of these are branded ‘smart’, but their widespread adoption could be considered less so. Some, like smartphones, add convenience, but most also introduce security risks. Whether at home or at work, smart devices vary widely in how securely they are built. Some operate over Bluetooth, others connect to wireless networks or by cable. Whatever the connection method, it’s important that all of them are inventoried and monitored as part of a cybersecurity policy or, at home, a common-sense attitude to security.

But, where do you start? How do you identify potential security threats?

Just as you protect your home and business, any worthwhile security system starts with the access points: all exits and entries are protected first. For networks, the initial perimeter defence is the router that distributes your broadband connection.

Securing Routers

Most routers offer a combination of LAN ports and a wireless option (with or without external antennas). Router configuration is key to enforcing security, and I recommend changing all default options. First and most important: change the administrator username and password. ‘admin’ and other factory defaults are not acceptable, and the new credential should be long and unique, because default router logins are the first thing an attacker tries. Disable administration from the WAN side, keep the firmware updated and turn off WPS, which has well-known weaknesses. Changing the default gateway and the 192.168.1.x address range is a minor hurdle at best; it removes an easy assumption from canned attack tools but should never be mistaken for a real control. Rename the wireless network (SSID) too, as the default name reveals the vendor and often the model, which tells anyone sniffing nearby exactly which firmware weaknesses to look up. Pick something that identifies neither the device nor your organisation: your favourite Klingon entrée, for example. Finally, use encrypted Wi-Fi: WPA2 with AES (CCMP) at a minimum, or WPA3 where all your devices support it.

Thanks to BYOD (bring your own device), guests at work and at home often request your Wi-Fi password. Many routers offer a ‘guest network’ option that prevents temporary users from accessing shared resources on the network. Enable this function.

If not available, claim ignorance of the password (passwords are assigned by our IT admin only) to prevent unauthorised access to company resources or suggest they upgrade to a higher data plan for their mobile device.

The Internet of Things and Smart Devices

Granted, it’s much easier to add new workstations or devices using wireless. It saves time and there are no trailing cables. Office disruption is also minimised as no building alterations are required. Convenience is the name of the game and portability comes a close second, with tablets, laptops and smartphones in common use.

With the Internet of Things came a recognition that we were running out of IPv4 addresses, and IPv6 became necessary to accommodate the predicted billions of internet-enabled devices. Everything from fridges to toasters and webcams became smart… or as smart as their manufacturers made them. The key security point for connected devices is to remember one thing: many are not built in a security-first manner.

Hard and Fast Rules for Connected Devices

Before purchasing an IoT device, consider at least the following questions:

  • Is it REALLY needed? We all love buying gadgets but if there is no efficiency benefit then why even bother? Check out this 2017 list from Gizmodo.
  • Is the device secure? The blind assumption that the router will protect all devices connected to it is a dangerous one. I consider an IoT device secure if:
    1. I can change the security settings, above all the administrator credentials, from the defaults. Hardcoded or unchangeable credentials are routinely exploited by attackers.
    2. I can disable unnecessary features and services (remote management, UPnP, telnet, cloud relays and the like).
    3. The device supports future firmware updates or security patches that are installed locally (via USB or SD card, for example) or remotely.
    4. The device does not rely on SMBv1, which has well-known weaknesses and is disabled by default on current Windows versions. Microsoft has published a list of some affected manufacturers and related products. YOU need to check all connected devices for this dependency, by reviewing manufacturer websites and by testing on the network. Bear in mind that healthcare, medical and industrial products are also affected, so this condition does not only apply to consumer products but to every industry.
  • How invested is the company in security? In other words, how would you assess their expertise? If a smart coffeemaker is in your future, is it fair to say that the company knows domestic appliances and is totally new to securing smart devices?
  • Is the primary function of the device enhanced by being ‘smart’? In the case of a coffeemaker, I’d have to say no but in the case of health-monitoring equipment it’s an emphatic yes. Maybe it’s just me but communicating with or receiving alerts from a coffeemaker or other domestic appliance seems a little pointless. But, health monitoring can detect anomalies and perhaps save lives.
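
For the SMBv1 condition in the list above, a network test is more reliable than a vendor web page. The following Python is an added example (not code from the article or from SMSEagle): it sends a plain SMB1 NEGOTIATE request offering only the ‘NT LM 0.12’ dialect and reports whether the host still answers in SMB1. The framing constants follow the published SMB1 header layout; the sample server replies used for testing are constructed, and the probe only tells you whether SMBv1 is negotiable, not whether any particular vulnerability is present. Only probe hosts you are authorised to test.

```python
"""Check whether a host still negotiates SMBv1.

Added example, not from the article or SMSEagle. It sends a plain SMB1
NEGOTIATE request (command 0x72) offering only the 'NT LM 0.12' dialect over
TCP 445. A host that answers with an SMB1 header and a selected dialect still
speaks SMBv1; a host with SMBv1 disabled closes the connection or stays silent.
It is a protocol check only and makes no claim about specific CVEs.
The sample responses produced by fake_smb1_response() are constructed.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# protocol, command, status, flags, flags2, pidhigh, security, reserved, tid, pid, uid, mid
SMB1_HEADER = "<4sBIBHHQHHHHH"
FLAGS2 = 0xC801  # unicode | NT status | extended security | long names


def build_smb1_negotiate(dialects=("NT LM 0.12",)) -> bytes:
    """SMB1 NEGOTIATE request wrapped in a NetBIOS session message (4-byte length prefix)."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, FLAGS2,
                         0, 0, 0, 0, 0x2B7C, 0, 0)
    dialect_bytes = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_bytes)) + dialect_bytes  # WordCount=0, ByteCount
    message = header + body
    return struct.pack(">I", len(message)) + message


def classify_negotiate_response(data: bytes) -> str:
    """'smb1', 'smb1-refused' (no dialect accepted), 'smb2' or 'unknown'."""
    if len(data) < 4 + 33:
        return "unknown"
    smb = data[4:]  # strip the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2"
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return "unknown"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]  # first parameter word
    return "smb1-refused" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the request and classify the reply. Needs network access."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
    except socket.timeout:
        return "no-response"
    except OSError as exc:
        return f"error: {exc}"
    return classify_negotiate_response(data) if data else "closed"


def fake_smb1_response(dialect_index: int) -> bytes:
    """Constructed server reply used to exercise the classifier offline."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, FLAGS2,
                         0, 0, 0, 0, 0x2B7C, 0, 0)
    words = struct.pack("<H", dialect_index) + b"\x00" * 32  # 17 words; remainder zeroed
    body = struct.pack("<B", 17) + words + struct.pack("<H", 0)
    message = header + body
    return struct.pack(">I", len(message)) + message


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
```

Any result other than ‘smb1’ means the host will not negotiate SMBv1 on that port; ‘closed’ or ‘no-response’ is the usual answer from a current Windows host with the SMB1 feature removed. Run it across the device inventory periodically, not just at purchase time, since a firmware downgrade or factory reset can bring SMBv1 back.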

Of course, despite the security risks, some devices are worthy of connection. In such cases, put them on their own network segment: a separate VLAN or, at home, a separate SSID (many routers offer an ‘IoT’ or guest network for this), with firewall rules that block traffic from that segment to your workstations and servers. Note that a different Windows workgroup or domain name does nothing on its own; segregation has to happen at the network layer. Isolating all IoT devices in this way makes perfect sense and limits how far an attacker can get from a compromised camera or thermostat.

In conclusion, the use of Wi-Fi and a multitude of connected devices adds convenience. However, awareness of security risks is crucial when selecting devices. Regular auditing of existing devices is necessary as well. In the meantime, perhaps it’s worth policing connected devices to ensure your network is not compromised by smartphones with vulnerable OS versions, cheap imports or wearables. What do you think? How vulnerable are your smart devices and sensors? Have they been hacked before now? Smart locks certainly have.

Network Security: Shadow IT Risk and Prevention

Contrary to many opinions found online, shadow IT (a.k.a. rogue or stealth IT) is not down to the IT team saying no or refusing to provide the productivity tools needed for a specific job role. In truth, it is often down to restrictive budgets and senior management decisions on them. Speaking as an IT pro, we do not care what software users need and would happily supply it if the budget is available and the need is made known. WE are not responsible for users installing unauthorised software, using unapproved cloud services or plugging their own hardware such as memory sticks and external drives into company systems. BUT, as always, we are expected to assume the responsibility and the blame for such practices.

What are the risks of Shadow IT? How can they be reduced?

As Przemysław Jarmużek, systems administrator & support expert at SMSEagle was quick to point out: “The level of risk will depend on the type of Shadow IT and the motives of the user involved” with common dangers including but not limited to the following:

BYOD

The rise of BYOD in the workplace has tied IT’s hands in cases where IT does not control the device. Device owners are free to install whatever they wish on their own device, and rightly so. In an ideal world, the device would be enrolled in mobile device management (MDM) that separates work and personal use with a managed work profile or container. This work ‘partition’ can be managed remotely and wiped if the device is lost or stolen or if the employee leaves the company, without touching personal data.

Consumerisation of Software

Anyone with a credit card can buy a cloud service or online subscription to a wide array of software and collaboration tools; many are free and need only a web browser. This is an obvious problem when trying to control the flow of company data, and it makes the impact of a data breach almost impossible to assess, because nobody knows where the data went. These unauthorised activities can also affect compliance, especially data protection rules on the storage and transfer of personally identifiable information (PII). The risk of intellectual property loss also rises if the third-party service provider is itself breached.

Licensing

Users installing licensed software brought from home is also a danger. Note that this is sometimes done deliberately by malicious employees seeking financial gain: they install unlicensed software on company systems and then send a ‘tip’ to the anti-piracy organisations to claim a share of the resulting penalties. The point is demonstrated in a TechCrunch article: Software piracy claims can ruin your business and reward those responsible. An old article, but the points raised are still valid today.

Productivity Aims

Many users install or use unauthorised software and tools to improve productivity and lack any malicious intent. They are just unaware of the possible dangers of installing freeware and paid solutions that are not approved or monitored by IT.

Preventing Shadow IT

Radosław Janowski, product manager at SMSEagle said that “IT cannot be expected to have psychic powers and each department head should provide a list of software and tools that they need to fulfill their roles in a productive manner. This will allow IT to supply it and eliminate the requirement for Shadow IT.”

An excellent point. Tell the IT team that you can’t do your job effectively without software X and tool Y. We will listen and respond with updates.

In fact, there are several ways to reduce shadow IT while reinforcing the fact that IT is responsible for security on company equipment and on BYOD devices whose owner has signed an agreement allowing remote administration.

  • Admin Access – There is no reason for users outside the IT team to hold local administrator rights or the ability to install programs. All software should be installed and managed by IT.
  • Network Inventory Management – IT should continuously monitor hardware and software assets on the network, automatically detecting additions and reacting according to the risk they pose. Many tools exist for this, and some also assist with patch and update management.
  • Network and port monitoring – block or alert on connections to unauthorised cloud services, for example through the web filter or DNS logging.
  • IT provides a software repository (or self-service portal) of approved software and tools. Additions required by a user or department are formally requested.
  • IT fosters an environment of security awareness, including the dangers of shadow IT, and ensures there is an onboarding process for new employees.
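
The inventory point above, and the DHCP question raised at the end of the first checklist, come down to the same routine: compare what is actually talking on the LAN with what IT has registered. The following Python is an added example (not code from the article or from SMSEagle) that parses a gateway’s neighbour table (‘ip neigh’ output on Linux) and reports MAC addresses absent from an asset inventory CSV; the CSV layout and both data samples are constructed for the demo:

```python
"""Find devices on the LAN that are missing from the asset inventory.

Added example, not from the article or SMSEagle. It compares the gateway's
IPv4/IPv6 neighbour table (the output of 'ip neigh' on Linux) with an asset
inventory CSV and lists every MAC address that nobody has registered. The CSV
layout and both data samples below are constructed for the demo.
"""
import csv
import io
import re

# Constructed inventory: what IT believes is on the network.
INVENTORY_CSV = """mac,hostname,owner
AA:BB:CC:00:00:01,fileserver01,IT
aa-bb-cc-00-00-02,printer-2f,Facilities
aa:bb:cc:00:00:03,laptop-jsmith,J. Smith
"""

# Constructed 'ip neigh' snapshot: what is actually talking on the LAN.
IP_NEIGH_OUTPUT = """\
192.168.10.5 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.10.23 dev eth0 lladdr AA:BB:CC:00:00:03 STALE
192.168.10.77 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.10.90 dev eth0  FAILED
fe80::21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e router STALE
fe80::1 dev eth0 lladdr aa:bb:cc:00:00:02 REACHABLE
"""

NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9A-Fa-f:]{17})\b.*?(?P<state>[A-Z]+)$"
)


def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(text: str) -> dict:
    """Map normalised MAC -> inventory row."""
    return {normalise_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def parse_ip_neigh(text: str) -> list:
    """Parse neighbour entries; FAILED/INCOMPLETE lines carry no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        match = NEIGH_LINE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["mac"] = normalise_mac(entry["mac"])
            entries.append(entry)
    return entries


def find_unknown_devices(inventory: dict, entries: list) -> list:
    """Group unregistered MACs with every address they were seen using."""
    unknown = {}
    for entry in entries:
        if entry["mac"] not in inventory:
            unknown.setdefault(entry["mac"], []).append(entry["ip"])
    return [{"mac": mac, "ips": ips} for mac, ips in sorted(unknown.items())]


def report() -> list:
    """Run the comparison on the constructed samples."""
    return find_unknown_devices(load_inventory(INVENTORY_CSV), parse_ip_neigh(IP_NEIGH_OUTPUT))


if __name__ == "__main__":
    for device in report():
        print(f"unregistered device {device['mac']} seen at {', '.join(device['ips'])}")
```

A MAC address is an identifier, not a credential: it can be spoofed, and modern phones randomise it per network. Use a comparison like this to notice additions and feed the alert into your SIEM or ticketing; for enforcement, rely on 802.1X or DHCP reservations with a deny-unknown policy.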

However, without senior management support, none of the above will work. Budget objections and complaints that IT interferes in every department no longer hold weight, because IT is needed in every department. IT is responsible for security, and if identified risks are not acted on, the problems that follow cannot be blamed on IT. When a recent Forbes Insights report finds that more than one in five organisations have experienced a cyber event due to an unsanctioned IT resource, is it worth checking whether shadow IT is a risk in your business? I think so.

Document Security — Does Your Security Policy Protect Digital and Physical Documentation?

Disclaimer: As there are whole books about document and data security, consider the following an introduction. Discuss the points raised and estimate how your company would be rated if tested by an ethical hacker or penetration tester. Perhaps you might want to hire a penetration testing company to evaluate your digital and on-premises security?

Digital transformation is often simplified to the aim of eliminating paper and going ‘fully digital’. As much as we would like to, a paperless office is generally impossible to achieve. Barriers include financial, accounting, legislative and compliance requirements that demand retention of original paper documents for a specified number of years. Some industries (legal, for example) have yet to digitise all their processes, and physical form-filling is still common. Therefore, any worthwhile security policy must cover both physical paper documents and their digital counterparts.

How can companies ensure adequate protection of physical and digital files? What are the common attack vectors involved? Does your security policy consider remote and onsite attacks?

Risk Management

The first step in creating a security policy is to identify risk. Attack vectors include but are not limited to:

  1. Remote hacking – Industry best practice calls for a comprehensive cybersecurity strategy. Many companies use a regulatory framework such as HIPAA (for US healthcare data) or a standard such as ISO 27001 as a guideline. Recent European data privacy requirements (the GDPR, for instance) also force a strategy as part of compliance. The key message is that companies are responsible, and can be penalised, for failing to protect data adequately, since most jurisdictions now have data privacy regulations, especially for medical and financial data and any other personally identifiable information (PII).
  2. Internal threats – disgruntled employees are a viable attack vector. In addition, employees can unwittingly allow a hacker to breach your network after falling victim to phishing, ransomware or other remote attack based on social engineering techniques.
  3. A combination of the above – where the remote attacker has a willing accomplice onsite.
  4. Decommissioning, donation, recycling or theft of onsite equipment such as PCs, laptops, smartphones, optical media, hard drives and memory cards all introduce risk. Deleting files or a quick format leaves data recoverable with ordinary forensic tools; only a verified full overwrite, cryptographic erase of an encrypted drive (see NIST SP 800-88 for media sanitisation guidance) or physical destruction prevents recovery.
  5. Insecure storage areas – when filing cabinets and digital backups can be accessed by anyone.
  6. Sharing – consider the numerous ways we can share or capture data. Our smartphones can act as personal computers, take photos, share via chat program, upload to any number of free cloud storage providers, share on social networks and, of course, use the internal storage of the phone to store files for later review. Shadow IT, where users install their own unauthorised programs, could also allow dispersal of confidential data.
  7. Security Updates and Patches – Prompt updates prevent hackers from exploiting security vulnerabilities. Best not to ignore them.

Okay, so now you have an idea of the potential threats. It’s worth noting that hackers will take the easiest route to acquire data. In film and TV, sophisticated hackers acquire passwords and systematically break through all cybersecurity defenses, but the reality is very different. It’s much easier to hack the user or use ‘low-tech’ or ‘no-tech’ methods than breach firewalls and other security features.

Social Engineering

As reported in MeriTalk, citing ISACA’s survey State of Cybersecurity 2019, Part 2, cyber threats remained consistent but increased in volume in 2019, with the top three sources of attack being cybercriminals, hackers and non-malicious insiders; together these accounted for 70 per cent of all attacks reported by survey respondents. 44% said phishing was the most common attack, 31% said malware and 27% said social engineering.

However, since phishing is a form of social engineering, and malware creators often use social engineering techniques to fool the user, the truth is that social engineering of the human factor is the most lucrative option for any hacker. We are the weakest links in any security system.

How to Protect All Your Files

Firstly, be paranoid. Then, be very paranoid. The size of your company does not matter: you may be in an industry attractive to attackers, or be a client or supplier of a target company. Beyond that, it’s generally a numbers game, with cybercriminals and wannabe hackers launching volume attacks using easily acquired tools and kits. Being a hacker doesn’t necessarily require skill; the ‘as-a-service’ model applies to the criminal community too, and on the dark web you can buy everything needed to start. Clearly, protecting your files and documents requires a detailed security policy or, perhaps, separate policies for each process. The SANS Institute offers a wide variety of free security policy templates that can be personalised for your company, which saves time in policy creation.

I’ll save you some more time… Assume that your company is a viable target and protect files and documents accordingly. The following is not an exhaustive list but will offer some suggestion to enhance your security posture and protect confidential data.

  • Identify potential risk and create the appropriate security policies.
  • Ensure OS and software updates are promptly installed. Likewise, security patches and firmware updates if appropriate.
  • Use anti-malware tools (antivirus and anti-spyware) on every endpoint and keep them updated.
  • Use permission/user management to control data access. The aim is to prevent unauthorised data access.
  • Use device-level controls to prevent installation of unauthorised software (shadow IT) and ensure all company-owned mobile devices can be remotely wiped if lost or stolen.
  • Ensure security awareness training is an ongoing process, where users are informed of the latest attack methods. Basics include not clicking on links within emails from unknown parties.
  • When disposing of equipment, ensure data is destroyed, for example by sending it to a certified recycling company that shreds or incinerates the storage media and provides a certificate of destruction.
  • When disposing of paper-based documents, fine cross-cut shredding or incineration is best. Low-tech hackers are not above searching rubbish bins for clues.
  • Ensure non-employees cannot sneak onto your premises.
  • In public areas, be aware that shoulder-surfing (looking over your shoulder) is possible. It’s an easy way to gather info directly from your screen. Similarly, visual hacking is a threat, with smartphone cameras allowing easy capture of information.
  • Confidential documentation should be locked away, with on-premise security essential.
  • Consider the many ways files are shared online and aim to restrict as many as possible. Some companies operate using a whitelist of essential websites, blocking any that allow sharing of data.
  • Protect your hardware – tamper-evident labels over ports and chassis screws reveal low-tech attempts to attach memory sticks, cards or other devices to acquire data directly from target systems; combine them with a policy that disables unused USB ports.
  • Consider Wi-Fi access. Do you allow guest access or segregation from your network or even prevent it entirely?
  • In electronic manufacturing, all employees and visitors are scanned with a wand (just like in the airport) and must store all electronic devices in a provided locker before access is granted. Is this worth considering?
  • Social Media – Ensure employees are aware that social media info posted is often used in convincing spear phishing campaigns. Never post anything that will aid social engineering or disclose company workings, even something as innocuous as a planned vacation or lunch times can help a hacker.
  • Encryption and password management – both are highly recommended. It’s also important to remove data access promptly if an employee leaves the company.

By no means a complete list, and still difficult to implement well. NOW consider how much harder it is to defend against an insider threat, when that user already has access to your network…

In conclusion, cybersecurity is an ongoing process, but it is very important that paper-based documents are also considered. Ensure printouts and other files are disposed of correctly and not thrown out with the general rubbish. Security awareness is not limited to cybersecurity but must also consider real-world activities such as copied ID cards, premises security and storage and disposal of physical documents. Penetration testing is a worthy exercise that will highlight any insecure areas in your organisation. With the number of data breaches increasing each year, ethical hackers can identify problems and close off any vulnerabilities. How confident are you that all documents are secure?

Update Management – Prompt Installation Required to Maintain Network Security

In most companies, at least those who take security management seriously, the rollout of all updates is controlled by the IT team. Only users with administrative access can install security patches, firmware and software updates or service packs, and standard users are blocked from installing software on company assets. This is good practice and curbs shadow IT (users installing unapproved and unsupported software). It does annoy users, as they must ask IT to add any application they feel would improve their productivity. However, it makes sense and aids security, ultimately producing a list of approved software that covers all company activities.

Unfortunately, this activity is not enough: regardless of hardware and software configuration, updates arrive on at least a weekly basis, whether for the OS, applications or installed hardware. Some experts recommend prompt installation while others advise doing some research before installing, to make sure the update does not have a negative impact on operations. I advise a combination – it is better to verify on an isolated test machine (off the production network) before rolling the update out to all.

What is the ideal way to ensure reliable yet prompt update installation? In a traditional office environment, is it practical to supervise individual installs? Can we rely on all updates or will they cause additional problems?

Unfortunately, there is no single solution, given the plethora of hardware and software configurations available. It’s impossible for manufacturers to test on all possible system configurations not to mention on connected peripherals and other software. Therefore, as security vulnerabilities and other issues are identified by end-users and real-world usage, patches and updates are released. Managing all these updates on a company network is a task that requires prompt action but in a way that ensures business continuity, given that some updates cause problems.

How Important is Update Management?

Ignoring updates is not a good idea as hackers exploit known vulnerabilities, secure in the knowledge that companies are often slow to implement security updates. It’s not enough to focus on OS patches as commonly used applications such as MS Office, Acrobat and many more are all attractive targets, exploited to launch cyber-attacks, ransomware, or simply to harvest data. Therefore, a process is needed to stay on top of all updates.

Are you Prepared for Updates?

A company’s activities are often defined by processes, procedures and compliance requirements. Documentation is key to ensuring a defined strategy for all aspects of the business. Most will have a security policy, cybersecurity strategy, disaster recovery policy and other documents to ensure a defined process is maintained and improved where necessary. Update or patch management is no different. Define your process and follow it. If you haven’t decided how to officially handle updates in your organisation, it’s worth starting. Let’s make a few assumptions first:

  • Most companies will have similar (if not identical) desktops and notebooks. In most cases, they will at least be from the same manufacturer if not the same model. It makes sense to do so as discounts are available for volume orders. A mix and match approach to desktops is rarely observed.
  • All will have the same OS.
  • A complete audit of the network has provided an inventory of all hardware and software on the business network.
  • Installations and updates are managed by the IT team, with users unable to perform admin functions on their machines.
  • System Restore or another rollback mechanism (snapshots or image backups) is enabled on every machine in case a patch or update has to be removed.

If any of the above is not true, it complicates matters for the IT team. In my opinion, driver updates for hardware and application updates rarely cause problems and can easily be rolled back on a single machine if they do. OS patches are another matter and need a more careful rollout, given that they will apply to all machines: if flawed, a patch can grind operations to a halt. It is for this reason that I recommend a dedicated machine for testing updates before rolling them out to the entire network.

Define a Process

Therefore, a potential process could include a review beforehand. Ask some questions. These could include but are not limited to the following:

  1. Is the update plugging a security vulnerability or just a performance/feature update? Security updates receive priority.
  2. Have any problems been identified by those who have already installed the update? Google is your friend in this case.
  3. Who is affected by the update? If everyone, test on a standalone machine before rollout.
  4. Is a network rollout possible or is it necessary to update each individual machine? Most sysadmins perform updates after hours to minimise downtime.
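The four questions above can be turned into a repeatable triage step rather than an ad-hoc judgement. The following is an added example, not code from the original article: it applies the questions to a constructed inventory (host to installed version, as the network audit assumed earlier would produce) and constructed update records whose identifiers are placeholders, with "pilot-01" standing in for the dedicated test machine. Security fixes go first, updates with reported problems are held, anything that touches every host goes to the pilot machine before the rest, and the general rollout is scheduled for the next after-hours window.

```python
"""Patch triage for a small fleet, following the four review questions above.

Added example, not from the original article. The update records, the
inventory (host -> installed versions) and the host names are constructed
for illustration; "pilot-01" stands in for the dedicated test machine.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta


@dataclass
class Update:
    id: str
    product: str
    fixed_version: str
    security: bool                    # Q1: vulnerability fix or feature/performance update?
    known_issues: list = field(default_factory=list)  # Q2: problems reported by early adopters


PILOT_HOST = "pilot-01"
AFTER_HOURS = time(19, 0)             # Q4: general rollout window

# Constructed inventory, as produced by the network audit the article assumes.
INVENTORY = {
    "pilot-01": {"os": "10.0.19044", "office": "16.0.14326", "reader": "21.007"},
    "desk-001": {"os": "10.0.19044", "office": "16.0.14326", "reader": "21.007"},
    "desk-002": {"os": "10.0.19044", "office": "16.0.14326", "reader": "21.005"},
    "desk-003": {"os": "10.0.19044", "office": "16.0.14400", "reader": "21.007"},
}

# Constructed updates; the identifiers are placeholders, not real advisories.
SAMPLE_UPDATES = [
    Update("ADV-OS-1", "os", "10.0.19045", security=True),
    Update("ADV-OFFICE-2", "office", "16.0.14400", security=False),
    Update("ADV-READER-3", "reader", "21.007", security=True,
           known_issues=["print dialog crash reported on vendor forum"]),
]


def needs_update(installed: str, fixed: str) -> bool:
    """Compare dotted numeric versions (assumption: every component is an integer)."""
    return tuple(map(int, installed.split("."))) < tuple(map(int, fixed.split(".")))


def affected_hosts(update: Update, inventory: dict) -> list:
    """Q3: which hosts run a vulnerable version of the product?"""
    return sorted(host for host, sw in inventory.items()
                  if update.product in sw and needs_update(sw[update.product], update.fixed_version))


def next_window(now: datetime) -> datetime:
    """Next after-hours slot on or after `now`."""
    window = datetime.combine(now.date(), AFTER_HOURS)
    return window if window > now else window + timedelta(days=1)


def plan_rollout(updates, inventory, pilot_host=PILOT_HOST, now=None) -> list:
    """Return an ordered list of rollout steps.

    Security fixes come first (Q1); updates with known issues are held for
    review (Q2); anything that touches every host goes to the pilot machine
    immediately and to the rest only after the pilot passes (Q3); general
    rollouts are scheduled for the next after-hours window (Q4).
    """
    now = now or datetime.now()
    window = next_window(now)
    plan = []
    # Security first, then the updates with the widest impact.
    ordered = sorted(updates, key=lambda u: (not u.security, -len(affected_hosts(u, inventory))))
    for upd in ordered:
        hosts = affected_hosts(upd, inventory)
        if not hosts:
            continue                                   # already up to date everywhere
        if upd.known_issues:
            plan.append({"update": upd.id, "action": "hold", "hosts": hosts,
                         "reason": "; ".join(upd.known_issues)})
            continue
        if set(hosts) == set(inventory):               # everyone is affected
            plan.append({"update": upd.id, "action": "pilot", "hosts": [pilot_host], "when": now})
            plan.append({"update": upd.id, "action": "rollout",
                         "hosts": [h for h in hosts if h != pilot_host],
                         "when": window, "condition": "pilot passes"})
        else:
            plan.append({"update": upd.id, "action": "rollout", "hosts": hosts, "when": window})
    return plan


if __name__ == "__main__":
    for step in plan_rollout(SAMPLE_UPDATES, INVENTORY):
        print(step)
```

The "hold" step is deliberate: an update with a reported problem is not dropped, it stays in the plan with the reason attached so that someone reviews it rather than it silently never being installed.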

Of course, there are other issues, especially for software companies or those who use software with a browser-based GUI, where a browser or runtime update can break an in-house application. Such issues should be identified during the online research step above.

In conclusion, it’s best to act on new updates as soon as possible. Automatic installs are possible but carry some risks. It may be best to avoid automated installs in some cases and follow a manual process based on prior experience with your company systems (most admins will identify a pattern of problematic updates). Regardless of the method used to process updates, ignoring them is not an option, especially when you consider that doing so could allow a data breach or result in network downtime. Can you take that risk?

Password Management – Secure Passwords Essential for User and Business Protection

It is safe to say that most users rely on hundreds of passwords to access their devices, websites and apps. Few will remember them all, unless of course they are in the habit of using the same password for multiple logins – a big security no-no. For years, security pros have emphasised the need for different passwords, as reused passwords make it far too easy for attackers: once one set of credentials leaks, it is tried automatically against every other service (credential stuffing). If that password is also used to access online banking, for example, a zero balance is the expected result.

Let’s call it a rule–never use the same password twice, or variants of it.

Some of you may think this is obvious, and I agree, but according to the UK's National Cyber Security Centre, working with Troy Hunt (a Microsoft Regional Director and creator of Have I Been Pwned), the password '123456' appeared 23 million times in the breach data analysed. They also published a list of the 100,000 most frequently used passwords… 'qwerty' and 'password' are also in the top five.

Change User Habits

Network administrators cannot assume that users will select secure passwords, making it necessary to enforce password policies, with rules for password selection. These rules should include but are not limited to:

  1. No passwords based on keyboard layout–such as ‘qwerty’ or ‘123456’
  2. None based on names of family members, employers, pets, birthdays or favourites – 'walle', 'pokemon', 'liverpool' – attackers use social engineering to find likely candidates, and your publicly declared love of Metallica leads to an easy guess.
  3. No single dictionary words, in any language – attackers can test entire dictionaries, with common letter-for-digit substitutions, in minutes. (A passphrase of several unrelated words is a different matter and is what the NCSC recommends.)
  4. Avoid short passwords that are easily remembered – where possible my own passwords exceed 20 characters.
  5. Change passwords from time to time – perhaps once every month or at least four times each year. Note that current NCSC and NIST SP 800-63B guidance advises against forced periodic expiry, because it pushes users towards predictable variants; whatever interval you choose, a password must be changed immediately whenever compromise is suspected.

Obviously, adopting a new complex password strategy requires some form of management. How will this be achieved?

Storing Complex Passwords for Easy Retrieval

I've thought about this for some time and believe there is no single solution, as it depends on budget, company size and level of security awareness. A big no-no is writing passwords on post-its and sticking them to your monitor, or keeping them in your wallet. How about Excel or MS Word? Sure, they could be used, but if the file is unprotected then every password is exposed the moment an attacker reads it, and an office document is not a credential vault.

BYOI (bring your own identity) is one option but I believe it is only effective if two-factor authentication is employed to verify the user (by sending a code via SMS, for example; note that SMS is the weakest second factor because of SIM-swap attacks, so an authenticator app or hardware token is preferable). In such an environment, all passwords are stored in the cloud, behind one login that unlocks all the others. With the global identity and access management market predicted to exceed US$22 billion by 2025, such solutions may only be viable for the mid-market and enterprises.

How about secure login via social media platforms or search engines such as Google? I’m not really interested in sharing more data with global giants but the decision is yours.

Password managers are often touted as a solution to password bloat and I do find them useful. However, they also have weaknesses, some of them caused by the OS preventing the manager's security processes from completing (for example, secrets remaining in memory after the vault is locked), as reported by the Washington Post.

I use one (not disclosing which) but I store my password file and token (required to access the password file) on a memory stick. When I need a password, I insert the memory stick, perform the required action and remove it immediately afterwards. I wear the memory stick around my neck so apart from a violent attack or removal from ‘my cold dead hands,’ I believe my data is quite safe. I avoid all related cloud-based services and rely solely on the memory stick – with a secure backup in a fireproof safe.

The most useful feature of password managers is the built-in password generator – I recommend at least 20 characters, mixing upper and lower case, digits, special characters and underscores, for all passwords, especially those guarding financial or medical data.
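To show what enforcing the rules in the "Change User Habits" list and the generator recommendation above look like in practice, here is an added example (not code from the article or from any password manager). It checks a candidate against length, keyboard-layout runs, a breached-password set, personal words and a dictionary (undoing common substitutions such as p@ssw0rd first), and generates passwords from the OS CSPRNG until one passes. The breached set, the personal words and the dictionary are constructed stand-ins with a handful of entries; a real deployment checks against the full NCSC/Have I Been Pwned list and a proper wordlist. The SHA-1 digest is used only because that is the digest Pwned Passwords publishes, so the plaintext list never needs to be on disk.

```python
"""Password policy check and generator implementing the rules listed above.

Added example, not from the article. The breached-password set, the
'personal' words and the mini dictionary are constructed stand-ins: in
production you would check against the full NCSC/Have I Been Pwned list and
a real wordlist rather than these few entries.
"""
import hashlib
import secrets
import string

MIN_LENGTH = 20
SYMBOLS = "_-!@#$%^&*?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed: SHA-1 digests of a few breached passwords. Pwned Passwords uses
# the same digest, so the plaintext list never needs to be on disk.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["123456", "password", "qwerty", "123456789", "liverpool", "pokemon"]
}
# Constructed: words an attacker could harvest from an employee's social media.
PERSONAL_WORDS = ["walle", "metallica", "liverpool", "smith"]
# Constructed mini dictionary; a real check uses a full wordlist.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "football"}


def keyboard_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + length] in low for i in range(len(seq) - length + 1)):
                return True
    return False


def leet_normalise(pw: str) -> str:
    """Undo common substitutions (p@ssw0rd -> password) before word checks."""
    return pw.lower().translate(str.maketrans("0134@$!", "oieaasi"))


def check_password(pw: str, personal_words=PERSONAL_WORDS) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in a known breach")
    if keyboard_run(pw):
        problems.append("contains a keyboard-layout sequence")
    norm = leet_normalise(pw)
    if any(w in norm for w in personal_words):
        problems.append("based on a name, team or favourite")
    if any(w in pw.lower() or w in norm for w in DICTIONARY):
        problems.append("contains a dictionary word")
    return problems


def generate_password(length: int = MIN_LENGTH + 4) -> str:
    """Draw from the OS CSPRNG until the result satisfies the policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        has_all_classes = (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                           and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))
        if has_all_classes and not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ["123456", "Metallica4ever_Liverpool!", "P@ssw0rd_Summer2021!!", generate_password()]:
        print(repr(candidate), check_password(candidate) or "accepted")
```

The check returns every violation rather than stopping at the first, so the user (or the help desk) sees why a choice was rejected. The generator uses `secrets`, not `random`: the latter is seeded predictably and must never be used for credentials.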

Company and Personal Data

While I’m not advocating a choice for password management, there are many options available and segregation of personal and company data must be part of any password management policy. BYOD (bring your own device) can complicate matters but any effective strategy must also include device encryption and partitioning to separate personal data. If an employee leaves the company, remote erasure of all company data, including passwords, must be possible, without disturbing the user’s personal photos and other files.

The 2019 State of Password and Authentication Security Behaviors Report, research by the Ponemon Institute sponsored by Yubico, found that while 66% of those surveyed agree it is very important to protect passwords, 51% believe passwords are too difficult to manage. Both views have a point. Managing passwords is a chore, but weigh the inconvenience against the costs of a breach, not just financial but reputational.

In conclusion, I’ve outlined some suggestions for password management. It’s up to you to decide how you will enforce a password policy and how it will be rolled out effectively. Enhancing staff awareness is a given but what methods will you use to ensure all employee passwords are secure and are changed regularly? Two-factor authentication is worth considering but do the added costs and IT resources outweigh the benefits? After some brainstorming with IT and executive stakeholders, you’ll be able to choose the best path for password security, one that will at least slow down persistent hackers. Best of luck.

Network Security – Why Security Awareness is Essential for Internal Threat Management

Security awareness is often linked to anti-terrorism programs around the world but in the IT world we are referring to cybersecurity awareness. Many of you are already switching off, yawning and considering leaving this page but hang on a moment…

The subject may well have been harped on by management, consultants and IT teams, and the instinctive reaction to tune out is down to poor implementation in the past. Advocates of security awareness are often condescending, too technical, or fail to link practical threat examples to real-world situations. Other failures include a lack of management buy-in. A "do as I say, not as I do" attitude has the opposite of the desired effect: no significant increase in security awareness, and growing employee resentment when management's own lapses go unpenalised.

Be Aware of the Potential Threats

It’s not as simple as telling employees to stop clicking on links in emails and in social media, although this is part of it. Requests to reset passwords or requests to update online banking details are designed to gain logon info i.e. fishing for information. That’s why they call it phishing and there are many forms. Security awareness is not limited to computer usage but can extend to any form of social engineering – a term used to describe methods of hacking the user or company while avoiding technological countermeasures. Methods can include shoulder surfing (the ‘hacker’ simply gets required information by looking over an unsuspecting employee’s shoulder), dumpster diving (extracting printed documents from the rubbish bins outside) or indeed by gaining onsite network access (perhaps by joining employees who smoke outside and then entering the premises unobserved when they return). Employees who leave their phones or laptops unattended could unwittingly allow a hacker time to install a program that remains inactive until connected to the company network. There are many other examples of social engineering.

“Any security awareness training must include social engineering, as many of these threats do not require any IT or computer knowledge. The aim is the same, to gather information that can in turn be used to either hack the employees or the company network. For example, a discarded printout may contain names of senior employees that are then used to send convincing emails to all employees, perhaps requesting them to change their network logon credentials,” said Radosław Janowski, Product Manager.

Dispel the Myths

Hackers rarely have positive motives and are generally classed as cybercriminals, with their primary motives being financial or disruptive. Those acting on behalf of governments are after classified or proprietary data. Ethical hackers and security companies study their methods and produce countermeasures as new threats are identified.

Let’s start with some obvious facts that most industry experts agree on.

  1. Hackers will go after the easier targets and hacking the end user is a much easier prospect than hacking the technological barriers that are included in the modern network, whether it involves endpoint protection, AI-related analysis or any other security assets such as firewalls. In the same way, hackers will hack smaller companies as a means of eventually hacking their larger clients or suppliers. This means, YOUR COMPANY IS NOT TOO SMALL TO BE HACKED.
  2. Security awareness training takes time and money, and the potential benefits are sometimes ignored, especially by smaller companies.
  3. The age, sex or IT knowledge of the end user does not indicate a better awareness of the potential threats or how they will be carried out. A BBC article covered the results of a survey indicating that British people aged 18-25 lacked cybersecurity awareness, using the same password for multiple services and sending sensitive data (including passport details) over email and messaging systems. Detective Inspector Mick Dodge, national cyber protect coordinator with the City of London Police, said: “Your email account is really a treasure trove of information that hackers won’t hesitate to exploit… You wouldn’t leave your door open for a burglar, so why give criminals an open invitation to your personal information?”
  4. Internal threats are much more difficult to handle than external ones, as most technological solutions are designed to block external network attacks.

As Przemysław Jarmużek, Technical Support Specialist at SMSEagle, pointed out: “Companies that ignore security awareness training are putting themselves at risk unnecessarily. Cost is not a barrier when free courses are available online. The inconvenience of losing an hour’s productivity each month is nothing compared to the time lost if data loss or network outage occurs. Not everyone is an IT expert and security awareness training must consider that. In addition, perhaps the most important aspect of security is that everyone who accesses the company network, whether on LAN or using Wi-Fi, needs to be aware of how hackers attack the user. In adopting a security-conscious culture, everyone at SMSEagle has mandatory awareness training and this includes senior management.”

In conclusion, if you take nothing else from this post, it is that security awareness is essential, that free courses are available to all, and that ongoing security awareness training is a must as new threats are identified. It is not necessary to spend hours per week on training. Instead, make sure that all employees take an initial course of an hour or two; then perhaps half an hour each month will suffice to brief everyone on new threats and to show the attempts made against the company the previous month, even the common lottery-winner alerts and other email scams. If you foster an "us vs. them" proactive attitude (against attackers) within your company, then every attack that is prevented will seem like a victory for all.

What Every Disaster Recovery Plan Must Include

Business continuity (BC) and disaster recovery (DR) are not the same thing, although there are some common characteristics. A BC plan is designed to include all departments in a company, but a DR plan is often focused on restoring the IT infrastructure and related data.

“A disaster recovery plan is an essential IT function and, if not in place, could result in company bankruptcy or severe reputational damage when data cannot be restored”, said Przemysław Jarmużek, technical support specialist at SMSEagle. The financial costs involved are just another factor, he added.

What elements of a disaster recovery plan cannot be omitted? What’s the purpose?

Few company owners are psychics but things like insurance and DR plans reduce company risk, providing a framework for companies that allows rapid recovery of data and/or replacement of key hardware/software components.

Know your Network

Your company network administrator must have more than a fair idea of the software and hardware that currently make up your network. An ongoing inventory is therefore essential, most of which can be maintained using network monitoring and auditing tools. These provide a comprehensive list of the computers connected to your network and the software on each. Note that licence management is another part of this inventory process, and additional hardware should also be recorded: multifunction printers, switches, routers and anything else needed for network functionality. Consider this inventory your shopping list when disaster strikes. It is also worth noting which items have a long lead time (servers, for example). Keeping an inventory of spare parts is a good idea and could save the day when disaster strikes.

Know your Disasters

It is pointless to instil fear in company owners about impending disasters. They are as aware of the risks as we are. Each company will have its own risks. Many of these risks are directly linked to its location, whether extreme weather conditions, risks of flooding, forest fires or loss of essential services and equipment. These are the most obvious, but to lapse into management-speak briefly, why not think outside the box?

Even the Pentagon has used a hypothetical zombie apocalypse to test their response methods and maintain a working government under these conditions. Consider alien invasions and any other scenario that could conceivably or inconceivably shut down company operations. How long would it take to resume work if each scenario happened?

If your company can continue operating during a zombie apocalypse (when essential services are down) then yours is truly a robust DR plan.

Now What?

What actions will you take for each disaster type? Obviously, in a flood scenario, the aim is to protect equipment against water damage. Perhaps placing all equipment high above the floor is a solution, but how high is necessary? Given that you have drafted a list of possible and impossible scenarios, make sure that your solutions to each one are well documented, logical and achievable at short notice. Bite the bullet and purchase or modify the equipment necessary to protect your IT infrastructure.

Unfortunately, not all water damage is caused by flooding; perhaps a water tank leaks through the ceiling of your server room and casually destroys the server, firewall and 24-port switch before you can move the rack. How long will it take you to restore the server and network? Do you have a spare server, firewall and switch? In this scenario, the company is caught unprepared, unaware that water is stored above its equipment. Know where water is stored and piped throughout your building and avoid such problems.

From this simple example, you must focus on minimising risk in as many areas as possible.

Tactical Teams

When a disaster happens, the priority is to make sure that all employees are safe and to inform them of current events. Once this is done, who leads the disaster response? When a disaster occurs, it is too late to leap into action and assign responsibilities on the spot. Responsibilities and tactical team members must be assigned as part of the DR plan, and if zombies eat your designated team leader, the backup must take over. Define employee responsibilities and have backups in place in case the primary is delayed or incapacitated. This last item is perhaps the most important. To be effective, any interruption in network service should generate an alert to multiple DR team members. This is often achieved with cost-effective, self-powered (battery-backed) network monitoring devices that use a GSM/3G network to send SMS messages and emails as soon as network traffic stops, so that the alert does not depend on the very network that has just failed.
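The alerting logic behind that paragraph (page every DR role at once, and fall back to each role's backup when nobody acknowledges) is small enough to show. The following is an added example, not the article's or SMSEagle's code. Host names, heartbeat times and the phone numbers in the roster are constructed; the `send` callable stands in for whatever out-of-band channel you have (an SMS gateway, an e-mail relay) and is injected so the logic can run offline. A device is declared down after a grace period without a heartbeat, the primaries are paged once, and the backups are paged only if the incident is still unacknowledged after the ack timeout.

```python
"""Outage watchdog: pages every DR role when a monitored device stops
reporting, and escalates to each role's backup if nobody acknowledges.

Added example, not the article's or SMSEagle's code. Host names, heartbeat
times and the contact roster are constructed; `send` is whatever channel you
have (an SMS gateway, e-mail) and is injected so the logic runs offline.
"""
from datetime import datetime, timedelta

# Constructed roster: role -> (primary, backup). Every role is paged at once,
# so no single unreachable person delays the response.
ROSTER = {
    "dr_lead": ("+48600000001", "+48600000002"),
    "network": ("+48600000003", "+48600000004"),
    "it_ops":  ("+48600000005", "+48600000006"),
}
GRACE = timedelta(minutes=5)          # a device is 'down' after this long without a heartbeat
ACK_TIMEOUT = timedelta(minutes=10)   # page the backups if nobody acknowledges by then


class Watchdog:
    def __init__(self, hosts, send, grace=GRACE, ack_timeout=ACK_TIMEOUT):
        self.last_seen = {h: None for h in hosts}
        self.send = send                  # callable(recipient, text)
        self.grace = grace
        self.ack_timeout = ack_timeout
        self.incidents = {}               # host -> incident state

    def heartbeat(self, host: str, when: datetime) -> None:
        """Record that `host` was reachable at `when`; closes any open incident."""
        self.last_seen[host] = when
        incident = self.incidents.pop(host, None)
        if incident:
            self._notify(f"RESOLVED {host}: back after {when - incident['since']}", backups=False)

    def acknowledge(self, host: str) -> None:
        """A team member has taken ownership; stops the escalation to backups."""
        if host in self.incidents:
            self.incidents[host]["acked"] = True

    def check(self, now: datetime) -> list:
        """Run on a timer; returns the hosts currently in outage."""
        for host, seen in self.last_seen.items():
            silent = seen is None or now - seen > self.grace
            incident = self.incidents.get(host)
            if silent and incident is None:
                self.incidents[host] = {"since": now, "acked": False, "escalated": False}
                self._notify(f"OUTAGE {host}: no heartbeat since {seen}", backups=False)
            elif incident and not incident["acked"] and not incident["escalated"] \
                    and now - incident["since"] > self.ack_timeout:
                incident["escalated"] = True
                self._notify(f"UNACKNOWLEDGED {host}: down since {incident['since']}, escalating",
                             backups=True)
        return sorted(self.incidents)

    def _notify(self, text: str, backups: bool) -> None:
        for primary, backup in ROSTER.values():
            self.send(primary, text)
            if backups:
                self.send(backup, text)


if __name__ == "__main__":
    # Constructed timeline: the server stops reporting at 02:04 and nobody acknowledges.
    wd = Watchdog(["fw-01", "srv-01"], send=lambda to, msg: print(f"-> {to}: {msg}"))
    t0 = datetime(2021, 6, 1, 2, 0)
    for minute in range(0, 25, 2):
        now = t0 + timedelta(minutes=minute)
        wd.heartbeat("fw-01", now)
        if minute < 4:
            wd.heartbeat("srv-01", now)
        wd.check(now)
```

Two design points worth copying: the incident is keyed per host so a second failing device does not suppress the first alert, and each incident pages exactly once per stage (initial, escalation, resolved) so a flapping link cannot turn the SMS gateway into a spam source.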

In conclusion, while the above lists the key elements of any successful disaster recovery plan, it is also worth noting that an untested plan is less than useless. Test your DR plan during off-peak hours to ensure it will work when needed. Test how long it takes to restore all your data from backup. Such activities will ensure that if the worst happens, you and your company will emerge unscathed to resume your company operations.

Is your Disaster Recovery Plan Designed to Reduce Downtime?

Numerous reports, surveys and statistics confirm that commercial entities of all sizes are woefully unprepared for unexpected events. Ivenio IT stated that 54% of companies with fewer than 500 employees have a disaster recovery (DR) plan in place, while 74% of larger companies had one. For smaller companies in the U.S., the figures are even worse, with a Nationwide 2015 press release indicating that just 25% of companies with 50 or fewer employees had an active DR plan. Given the cost of downtime, surely we can do better?

We must, because according to Zetta's infographic and online survey there is much to improve, not least the adoption of hybrid cloud and the fact that only 45% of those who experienced downtime bothered to change their DR plans after the event.

Before delving into the benefits of a logical DR plan, an understanding of its meaning is necessary. Firstly, business continuity (BC) and DR are not the same thing, although there is an obvious overlap in business goals. BC reflects the efforts to avoid loss of service or downtime while DR reflects the response required to resume activities after the worst has already happened.

Disasters can include cyber events, extreme weather conditions, fire, flooding, loss of a key staff member, service interruptions from third parties (most commonly electricity or broadband), hardware failure and human error.

“This list is not exhaustive, and the formulation of any disaster recovery plan must include a risk analysis step in the early stages to identify potential risks that apply to your company or industry. Once risks are identified, you can brainstorm on ways to solve them immediately or at least initiate a process that will solve them in the fastest possible time”, said Radosław Janowski, product manager at SMSEagle.

Sounds reasonable, but how about an example?

Disaster Recovery in Action

Okay, let’s take a simple example to demonstrate DR in the real world. Company X is located in a commercial district and their primary data server goes down due to water damage from a leak in the ceiling. As the smoke indicates, the server is out of commission and business activities grind to a halt along with the company network.

Fortunately, Company X has a DR plan in place. The risk of server loss was correctly identified and the solution adopted was an offsite, real-time replica in the cloud (in a data centre not affected by local power or service outages) to which client-facing services fail over; it is that failover, not the backup copy alone, that keeps Company X clients unaware of any technical issue while business continues uninterrupted. Company X employees can no longer reach their local server, but they can also continue working over a mobile broadband connection. It is not ideal, but it gives the IT team (and a plumber, to fix the leak) the time needed to repair or replace the damaged hardware and restore everything from the cloud copies.

There you have it: DR in action. The disaster occurs, the DR team (usually IT) is notified automatically, and the backup solution takes over while the cause and effects of the disaster are dealt with.

“Automatic notification is key as any delays only increase costs. In this example, if equipment is not moved from under the leak, then instead of a single server, perhaps an entire rack (with hubs, routers, firewalls etc.) is compromised”, said Przemysław Jarmużek, technical support specialist at SMSEagle.

Automating alerts is certainly necessary, given that disasters need not occur during office or support hours.

Strategise then Plan

When designing a DR plan, brainstorming is necessary. Think about every aspect of your business and the infrastructure that supports it. Think about your service and utility providers. Think of the unexpected. Even discussing a zombie apocalypse has implications that are of benefit in a disaster recovery process, even if it relates to building security. Once you have exhausted ‘what if…’ scenarios, you are ready to offer strategies to solve them.

“Preparing for the unexpected is not a wasted exercise but makes excellent business sense.”, said Radosław Janowski, product manager at SMSEagle.

Once you define potential threats, you can then create a prevention strategy that includes response and recovery options that evolve as needed.

In conclusion, ISO/IEC 27031, the international standard for ICT readiness for business continuity, states that “Strategies should define the approaches to implement the required resilience so that the principles of incident prevention, detection, response, recovery and restoration are put in place.”

Do your DR (for IT disasters and others) strategies follow this approach? They should.