Cyber Security

Cyber security is the hot topic in today’s world, pushing regulation changes that help to protect all of us in the digital age. We have many devices connected to the internet that we use for work and play. Our trust in the network is ubiquitous.

We craft what we know, based on years of experience plus the latest guidance from the National Cyber Security Centre and vendors like Microsoft or Apple, into a usable and secure framework that balances good-enough security against tougher security where it’s needed.

The extent of cyber security breaches in the UK

1 %
Private Business

Reported a breach in 2019 according to Department for Digital, Culture, Media and Sport

1 %
Charities

Reported a breach in 2019 according to Department for Digital, Culture, Media and Sport

FAQ

Frequently Asked Questions About IT Security

Any router you can get your hands on is going to offer a firewall feature by its nature of routing packets in a NAT form (this is where you have the private address space internally and multiple devices sharing one internet connection or a single wide area network IP address).

Similarly any firewall is actually a router. By design all inbound connections originating from the internet are blocked unless otherwise opened through Port Forwarding (DNAT) or some other bespoke configuration.   

Note that you should never place any devices into a firewall’s DMZ – unless you know exactly what you’re doing. The DMZ (which stands for Demilitarised Zone) is like a no-man’s land: nothing in the firewall will block connections to this device, and all inbound packets received on all ports will be redirected to it by default.

Even then, not all firewalls are created equal. There is a huge disparity in the costs you can expect to pay. If you know what you’re doing there are plenty of free firewalls you can build yourself (see OPNsense, pfSense, Sophos XG Free for Home, etc).

Regardless of the cost, most firewalls I see in business use are either not easily configurable or unable to block outbound traffic, or they are never configured to do so by the admin in charge. Blocking outbound is important, see the FAQ below.

Your Windows or Mac operating system will also offer a software-based firewall. This will go further than your router will because it will protect you from attacks on your local network too. This is why you should always tick that box that says “public” when connecting to wifi you don’t trust, as it should block all inbound connections from the same local network/wifi and in some cases even go into a proper ‘stealth mode’ to hide itself even further.

 

If you allow certain ports and services to connect out of your network you could be allowing internal assets to be exposed beyond the firewall. For instance, your staff could put a VPN connection on a machine inside your network and allow it to dial out to another.

  

It’s all too easy for hackers to try and steal your usernames and passwords too. One good reason to block certain outbound traffic leaving your network through your firewall is the file-sharing protocol called Server Message Block (or SMB). If your computer is fooled into trying to open a file on a remote server, you may be prompted for a username and password. Even worse, a saved username and an encrypted version of your password could be sent to the attacker automatically.

Therefore in today’s world we should pay careful attention to tuning firewalls properly and block everything we can in the same place for all devices where possible: at the internet gateway, which is your firewall.

See Microsoft’s note about the issue here:  https://support.microsoft.com/en-gb/help/3185535/preventing-smb-traffic-from-lateral-connections 
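To check whether a gateway is actually stopping SMB from leaving the network, its connection log can be searched for internal-to-internet traffic on the SMB ports. The following is an added example, not part of the original page; the log layout, the sample lines and the assumption that the internal network uses only RFC 1918 ranges are all constructed for illustration.

```python
import ipaddress

# SMB runs over TCP 445; the older NetBIOS session service uses TCP 139.
SMB_PORTS = {445, 139}
# Assumption: the internal network uses only RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log in a hypothetical layout:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2024-05-01 09:14:02 ALLOW TCP 192.168.1.23 192.168.1.10 51544 445
2024-05-01 09:14:09 ALLOW TCP 192.168.1.23 203.0.113.77 51560 445
2024-05-01 09:15:31 DROP TCP 192.168.1.40 198.51.100.9 49877 445
2024-05-01 09:16:00 ALLOW TCP 192.168.1.23 203.0.113.80 51571 443
2024-05-01 09:17:12 ALLOW UDP 192.168.1.23 203.0.113.77 51580 445
malformed line
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def outbound_smb(log_text):
    """Return internal-to-internet SMB connection attempts found in the log."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # skip blank or malformed lines
        _date, clock, action, proto, src, dst, _sport, dport = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if (proto == "TCP" and port in SMB_PORTS
                and is_internal(src_ip) and not is_internal(dst_ip)):
            findings.append({"time": clock, "src": src, "dst": dst,
                             "port": port, "action": action})
    return findings

def allowed_leaks(findings):
    """Attempts the firewall let through: these need an egress block rule."""
    return [f for f in findings if f["action"] == "ALLOW"]

if __name__ == "__main__":
    for hit in outbound_smb(SAMPLE_LOG):
        print(hit)
```

An entry with action `ALLOW` means the gateway has no effective egress rule for SMB; a `DROP` entry shows the rule working but still identifies a machine that tried to reach a remote file server.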

Modern firewalls offer more than just port/IP services and the opening or closing of port-based security. We recommend using firewalls that offer more features and go further. Look for firewalls that can actively monitor and block actual applications for all or just some of the users in your network.

Blocking remote access VPN (virtual private network) and other intrusive software that is sometimes loaded by malware or even staff is critically important to ensuring you know who has access to your data. 

You can even block specific applications like Facebook Messenger but continue to allow the main Facebook site to work. Or block access to entire categories or sites at given times of the day.

For businesses this has multiple applications, from basic monitoring of staff internet usage (work vs play) to safeguarding internet access for vulnerable persons or minors.

When blocked at the firewall there is a blanket and transparent configuration applied to all devices on the network.  

The most common issue I find with users in all business sizes and at all levels of competence in IT is the dreaded password dilemma.  

For years I have advocated the use of not a password but a passphrase. Something where you tell a story to link three or more words and then add a year and a special character somewhere.

To go better you should use tools like KeePass for individuals (remember to back up your password database), or for larger organisations look at a web-app version of KeePass in a product like Secret Server (there is a free version which I highly recommend all businesses with 10 users and an on-premises server should use).

Other similar advice and deeper insight into passwords is on the NCSC website:  https://www.ncsc.gov.uk/blog-post/three-random…andom-0

The industry also strictly recommends that you NEVER-EVER recycle passwords on more than one site/account you use.    Go to this website and put your email address in and see if your account has ever been compromised and if your password used anywhere is out there for the public to find:

https://haveibeenpwned.com/

Furthermore, passwords are becoming extinct as a secure mechanism for protecting data. We are in a modern world with devices like our smartphones on us all the time. Read on for information about Multi-Factor Authentication and biometrics like Windows Hello for Business.

It’s more likely than not that you have needed to use a code or one-time password that has been sent to your phone in order to log into a website like a bank or even Gmail.

This is called Multi-Factor Authentication or 2FA or Security Token. Once turned on it further secures your account from unauthorised access.

This works on the principle that something you know (the password) and something you have (the token) are two separate keys needed to open the lock. Somebody might guess the thing you know but not have the thing you need – or steal your phone and not be able to guess your password.

Multi-factor solutions provided by the big tech companies such as Microsoft and Google are free. You can also purchase even more secure solutions with physical keys and/or other biometric hardware.

You should find that you only need one authenticator application to manage pretty much all accounts you can attach MFA/2FA to.  For example the Amazon MFA feature to secure your shopping account works fine in the Microsoft Authenticator app even though they are separate software vendors / websites.  

Once you have MFA you can further enable biometric security too. Windows Hello for Business is a great example of this – enabling secure sign-in using one’s face or fingerprint.

Every business should take the same care and consideration in securing its network as it does its physical premises.

It’s easier than you think to offer secure and separate virtual networks inside your one physical network.

Servers should be firewalled from normal clients. Guest devices and staff-owned devices should be classed as untrusted and placed into a totally separate area where only internet access is offered.

Our clients enjoy maximising the investments made in the right network design yet achieving simplicity and security. 

From wired to wireless, from on-premises to remote access, we can get your business productive thanks to a fast and secure network.

Basic security revolves around the idea of a trusted machine that a business will let a user conduct their activity on.

Traditionally the workplace provides a computer that is joined to a domain or managed in some way by an administrator.   

The files are stored on a file server which is run by the company, and access is granted either locally on site or via a VPN. So all activity takes place within the firewall.

This is the concept of trust, only using devices that are authorised to access data inside the perimeter of the company network. 

But today we not only have staff accessing email on personal devices; the data that lives in the cloud is also more easily accessible.

Trust has a problem.   Devices no longer managed by the company are being used to access data.   

  • What if these devices have malware on them?   
  • What if the staff member leaves the company, is the data still available to them?
  • Maybe somebody steals the device and it has no PIN lock or added security to stop unauthorised access?

To this end companies should be looking to adopt a “zero trust” model whereby all assets inside and outside are no longer counted as trustworthy.  


We can look to take some guidance from a zero trust model and build it into some basic security principles:

  1. Focus efforts on consolidating and improving the “identity” based access to your network. For example, try to use single sign-on (join your on-premises credentials to Azure AD) and minimise the number of accounts that users need to access resources. It’s possible to use one account and the same password to access many different apps, resources and even wifi in a business.
  2. Introduce Multi-Factor Authentication, because data is available on any device from anywhere in the world, at any time! See above about MFA/2FA.
  3. Look at conditional access, blocking IP addresses from unwanted countries from accessing apps or VPNs.
  4. Does your firewall offer visibility of who is on your network and what applications they are accessing?
  5. What Mobile Device Management (MDM) suite will work best to enable management of company data on all devices regardless of ownership? Having some form of reporting on who is using devices is especially important in order to be able to enforce compliance and remedy or wipe them.

ACITC is ready to help your business whether large or small.   We can put in place new security controls or help you tweak and review your current ones.   

There is no such thing as a free lunch.   Antivirus has always been something that is offered at a basic level with the view to trying to hook you onto a paid or professional subscription. 

However the best Antivirus is really the human sat at the computer.    The route an attacker will take to steal your identity or take your money is typically not going to be stopped by any antivirus.    

This is why in a business environment it’s the wrong approach to rely on antivirus programs alone to protect you. See below for information on Phishing, Adware and the dangers of USB devices.

The free Windows Defender bundled in Windows is very effective and scores highly when checked on the scoreboards (just search Google for antivirus comparisons). Defender is even on Windows Server now too.

When correctly configured it will work in harmony with the operating system to stop common attacks. 

In larger businesses it’s helpful to have a central console or dashboard where clients report back and can be managed in real time. There is usually a higher cost associated with this.

Everybody has received an email claiming to be from either HMRC, eBay, PayPal or their bank which in fact was fake, spam or obviously fraudulent in its objective.

This is known as Phishing and it’s more common than ever. 

Email hosted by Office 365 Exchange has built in filters to detect and filter Phishing attempts.   Yet you will still receive the odd message that may indeed look totally legit. 

It’s important to fully understand the risks of using email and to train all staff who use it, especially those who have access to important data such as data processors, finance, HR or the executive board. The higher you go in an organisation, the more specially crafted the Phishing attacks will be.

Therefore be vigilant and never open any attachments, click on any links or indeed reply if you suspect even the slightest thing is wrong.

Attackers want to prey on the human sense of urgency and curiosity.

If you click the link or open the PDF/Word document you are likely to allow hackers all the access they want without you even knowing. They can hijack your files for ransom, use your computer to launch other attacks or simply sit inside your network for days, weeks or even months conducting surveys to launch a bigger attack.

Using USB devices in your computer, especially if they come from an untrusted source, can bring about two main threats to your business:

1. Data Leakage

Allowing anybody to use disk drives on your business computers provides staff with a way to extract data without being detected too easily.  

Your entire portfolio of secrets, protected intellectual property, financial spreadsheets, backups… anything available to users on the network can be stolen.    

You can enable logging in the event viewer but you still need to catch the event or suspect it has happened.   But it’s too late once it’s taken.  

2. Malware or System/Network compromise

Autoplay on computers will load software that has been preinstalled on the USB drive.   If the payload is malware or a virus then it will infect your machine and potentially any computers on the same network. 

Your logged in credentials could be stolen and your identity easily compromised.   Furthermore if the device is a server or something stationary like a desktop then there are devices that allow remote access to the monitor, keyboard and mouse.  

Think carefully if you are going to allow USB drives to be used on your computers. If you are, make sure it’s only for a set of privileged users and enable logging where relevant.

 

Companies typically require some form of remote access that allows them to connect to applications or computers that live inside the firewall boundary at the office.   Maybe the networked CCTV, intranet pages, mapped file shares, virtual desktops or even the printer.    

Many businesses will use a Virtual Private Network solution to enable them to connect from any internet connection on the planet and access the same files, web pages or applications securely as if they were in the office.   

The concept is that you are tunnelling through/under the internet, hiding from all networks and prying eyes that you go through or under (including the cafe/hotel or 4G operator you are accessing the internet via), only to pop out at the other side via the VPN gateway that lives inside the business firewall or private network.

VPNs are used by the public or consumers too.   By tunnelling through the internet and popping out at a different location you can appear to be using the internet in another country.  Activists use it when their governments restrict open internet access, others hide themselves for nefarious reasons.   

But for business use the case is sound and you need secured access to your internal resources.   VPNs are typically free if you can host them in your Firewall/Router or even using Windows Server for example.  

Data that resides on your devices lives inside either a hard drive or a solid state disk (maybe flash in smaller devices).   This data can be accessed when removed from the laptop or computer and if this data is not encrypted at rest it can be very easily accessed – even if you have a password on the device in question. 

Therefore most computers offer the ability to encrypt data at rest. In Windows this is called BitLocker and is usually enabled by default on newer computers.

In a business it is more important to ensure that this encryption at rest is a minimum baseline configuration on all devices. Windows BitLocker can also be used to encrypt external drives such as USB sticks or removable hard drives. Once protected by a password you can securely transport or post the USB key and send the access password separately.

Recovery keys must be kept safe and away from easy access.   If you lose the recovery keys and forget the password you risk losing the data permanently.  

Don’t forget to ensure your backups are also encrypted.    

We guide all our clients to using encryption at rest on all devices where data exists.   This is a huge tick in the box for compliance and peace of mind.   You never know when you might lose that laptop or where your hard drives go after you dispose of your computers!?

The Cyber Essentials certification is important for all organisations that want to embrace the above principles and go further to enhance their compliance and policies.   

Please see the page on this site https://www.acitc.co.uk/cyber-essentials/ to learn more about the government backed scheme and how it can help your business too.