Improving security doesn't always mean having to buy more equipment or invest in expensive training
Last week’s Security Serious events and seminars drew attention to the simple ways smaller business in particular can improve their security without spending lots of money, or in many cases any at all. The problem is that a lot of advice remains trapped inside some of the country’s most experienced security professionals and companies and is not always heard by the SMEs that would benefit from it.
The perception remains that to improve security requires huge organisational change and major investment, possibly beyond the pockets of smaller businesses. But as Security Serious underlined, the biggest weaknesses don’t always require large investment as long as organisations pay attention to the handful of big weaknesses attackers always look to exploit. Here we collect some of the best advice.
Stop ignoring email threats
Email is the front door attackers will always try first when targeting a company’s systems, with numerous case studies from real-world cybercrime incidents pointing to the ease with which the tactic works. All it takes is one email with a malware-booby-trapped attachment, possibly from a known named contact, and an attacker has gained a foothold on that system. From there, they can email other contacts, access parts of the network, and so the scope of the attack spreads quickly.
Telling people not to open attachments from unknown contacts is, frankly, almost useless advice – if staff can never open attachments from third-parties then why have email at all? Inevitably they will.
The first reform is to look at the email systems being used. Hosted Exchange and Gmail services can be configured to use whitelisting from contacts added to the address book, and they also use their own filtering to reduce the load of suspicious emails in the first place. All recent email clients, including webmail services such as Gmail will also treat attachments from unknown contacts as automatically suspicious, applying similarly tough rules to emails with embedded links. This is a start.
The problem is that attackers just as often use phishing attacks on what look like legitimate websites so the second layer of defence requires training users to spot the sometimes subtle signs they are being targeted. Easier said than done but a number of companies offer anti-phishing training and testing systems, which usually cost money. However, US consultancy KnowBe4 offers a free online test which is worth trying out to get an idea of how well oriented a workforce is to phishing.
Assume websites are vulnerable
Exploiting flaws in e-commerce websites using SQL injection, Cross-Site Scripting and the like is another absolutely standard way to attack a company, with even the largest firms struggling to contain what should by now be a well-understood issue, as TalkTalk recently found out to its cost. The precise role of web flaws in this attack has be to be confirmed but the company has been accused of ignoring known issues.
Numerous website vulnerability scanners are available from Qualys, AlienVault, Acunteix (most of which offer free trails) while free open source tools abound although these require more expertise. Tools such as Vega and W3af and SQLmap are good places to start.
Security Serious launch, London, 26 October 2015
Disable risky software
Most work PCs run far too much software, some of it installed by employees without admins knowing anything about it. This is incredibly risky but luckily remediation is possible simply by removing common-targeted software known to have a stream of zero-day vulnerabilities. Chief offenders are Flash video plug-ins for browsers, Adobe’s PDF Reader application and the Java Runtime Environment (JRE, including old versions), and almost anything published by Apple, none of which are as essential as they once were. Remove them and you remove a large chunk of risk for very little disadvantage. You need PDF capability? The latest browsers build in a sandboxed viewer without the need to load the full program or even download the file. At the very least, interfaces such as Flash should be enabled on demand, which requires the user to run them manually.
“If you can’t disable software, at the very least be aware of what software is running in your environments. Monitor, monitor and monitor. Check who is doing what, what files are being accessed, who is logging on etc. Get to know what your system looks like,” says Javvad Malik, Security Advocate at security firm AlienVault.
Use encryption wisely
No technology is more often invoked as a simple way to improve security than encryption, but using it is not a simple panacea. The first challenge is that encryption is often expensive, proprietary to specific applications and, of course, the keys used have to be stored somewhere secure too.
However, encryption can still be useful for stored data, particularly mobile devices with platforms such as iOS and Android offering secure encryption as standard on recent versions. Business laptops will always be offered these days with Full Disk Encryption (FDE) as an option, one the SME should always take. USB sticks should also always be encrypted.
Small-scale desktop encryption is a bit more complicated, more so now that the famous stalwart open source program TrueCrypt is no longer seen as trustworthy. Microsoft offers the excellent BitLocker in Pro versions of Windows, including Windows 10, which should be the basis of any desktop running the OS that accesses important data. Tools tend to work in different ways from file by file encryption to creating encrypted volumes. Volume-based tools worth looking at include DiskCryptor and FreeOTFE.
Symantec offers Drive Encryption, and although relatively expensive dies offer some central administration.
However, as Javvad Malik of AlienVault reminds us before rushing to encrypt everything: “Another question worth asking is, “do we actually need this data?’"
Secure online banking accounts
One of the main targets for attackers are machines used to access online business account the better to empty them. This type of attack is now epidemic with thousands of pounds lost at a time. There is no easy defence against this but thinking laterally, one option is to use a dedicated machine running a minimal install to access these services.
Most SMEs taking this approach either use a Linux machine or a stripped-down PC but another option is to use a cheap Google Chromebook. Capable of being stripped back to a basic Chrome browser experience quite easily, they can’t be infiltrated by executable malware the way other endpoints can. The only limitation is that some don’t come with a physical Ethernet port, something we’d recommend. Note: online backing should always be used with a full two-factor authentication system setup (i.e. not authenticated via SMS) regardless of endpoint. Note also that Chromebooks are not invulnerable, simply a lot less vulnerable when used in this way.
Get serious about passwords
Everyone knows passwords should be long and strong and oft-changed but what does this mean in practice? How often is enough and how long and complex will make the grade? The most important discipline is simply to change passwords often that grant some kind of admin access. Doing this – and making them complex enough – will minimise the opportunity of attacks that do manage to get hold of them.
The only way to do this reliably is to automate the process using a password manager such as LastPass Enterprise, Centrify or Dashlane, although this also imposes 2FA security as an additional layer too. In particular, these automate regular password changes to a required standard of complexity. The underlying security of these products does have its complications, however, and one – LastPass – suffered a cyberattack of its own within recent times. The company was bought out by LogMeIn last month.
Patching of endpoint software is a major chore for most businesses, not helped by Windows’ lack of a centralised patch manager. Windows 10 has also made big changes to the patching regime that some have struggled to understand.
While enterprises buy complex systems to manage patching to defined timetables and policies, small businesses can still try out free vulnerability and patching scanning tools such as Retina (for up to 256 IPs) or Microsoft’s Baseline Security Analyzer (MBSA), the latter windows-only.
Disable admin rights
Admin right represent a major risk because it allows the user and software to do things that might put the machines in peril such as over-riding security settings or installing non-approved software.
Versions of Windows prior to Windows Vista granted users admin rights by default, which allowed malware writers to request the elevated privileges they needed without much barrier. In Vista, Windows Server 2008 and Windows 7 this was tightened up using something called User Account Control (UAC), a much-criticised system that threw up requests for elevation to the user. Many simply clicked yes and for good reason – legacy apps were designed to have admin rights to carry out certain actions so users needed this layer of control from time to time to stop applications failing to work.
In a much-needed reform, Windows 8 and 10 removed these admin rights and users requiring elevation by logging in with an account created for that purpose – no account, no elevation. On standalone machines this account must be enabled although business machines should not be configured to offer this control.
Monitor cloud storage
Not everyone sees shadow IT and the cloud as an unmitigated risk but the potential for trouble is obvious. Generally, cloud services are a major boon for SMEs but small organisations should be careful about using them naively. When it comes to storing an organisation’s files in the cloud, these will normally be encrypted by the provider, e.g. Dropbox, to a high standard. However, the provider holds on to the key and can, in certain circumstances, access them which is why third-party encryption systems such as Boxcryptor (which works with Google Drive, Dropbox, OneDrive and SugarSync) have sprung up to allow users to retain control over their own keys.
Most important of all, cloud storage is not the same as backup and should not, for example, be viewed as a way of defeating ransomware attacks that lock up a victim’s data. If ransomware encrypts data on a local PC and its attached storage drive, these files will also be copied in that state to the cloud service. Cloud storage offers 30 days of file versions but reinstating these can be incredibly time consuming and will cause problems for sharing.
Dispose of old hardware securely - 10 ways SMEs can improve security
Old storage and smartphones should be run through a reliable wiping process before being sold second hand or disposed of. Sister title Techworld published a more detailed guide on how to do this in October but the key takeaway is not to trust the easy methods.