Wednesday, April 29, 2015

Train your users. Save a Breach

I have been talking about perimeter security. Please keep in mind that all of these are at a really high level because frankly I don’t want to bore you to death with details. It is more about awareness and what you can do to keep safe.

I have talked about the router, wireless threats, threats from other sources not commonly thought of and now we get down to the nitty gritty. The desktop itself. I am not even going to go into laptops, pads and the like at this point because that is a discussion point by itself.

I would say one of the most common calls I get is for a malware infection or virus infection. I know what you are thinking. “Mitch, I thought you were teaching us about perimeter defenses here. Don’t you practice that yourself?” I sure do but the fact of the matter is no matter what system I put in place, no matter how much I monitor it, no matter how tight I have that security there is still one factor out of my control. The user.

I get that question a lot. “How did this happen?”  Usually I get that before I look at it. It is like saying my car isn’t running right so what is wrong with it. Until the mechanic can do some looking, discovery and digging he can give you a wild guess but not an answer. Almost always the cause of the infection is the user themselves. They clicked on something, plugged in that USB stick or opened an attachment that they shouldn’t have.

Before I get into the whole clicking on something you shouldn’t, I want to stress some precautions that can at least help keep a virus from spreading or doing a ton of damage, though they aren’t foolproof. First, PATCH that computer. So many of the problems come from companies not putting on those latest updates from Microsoft every 2nd Tuesday of every month. I am a little cautious with this when it comes to doing a patch for an entire organization. There has been occasion (one fairly recent) when a patch can mess up a machine. I wait a day or two to make sure I don’t have to go backwards fast. Another strategy is to have just a couple of machines in an organization as your testers to make sure nothing will blow it up. Then schedule the rollout. There are many ways you can do this which I will not go into here, but if you are a small company just set your machines for automatic updates.

Second. Keep your firewall turned on. Many times I run into a situation where someone installed a piece of software and it didn’t work. They turn off the firewall and forget to turn it back on. (The firewall is another layer of protection. Remember the analogy of the bank and the doors. More doors, only they are on the PC itself.)

Third. Make sure you run some kind of virus scanning. It at least catches the most obvious stuff. The virus scanning programs are becoming less and less effective every day because they have been using that same format and technology for years. The bad guys figured out ways around that a long time ago. (Again, another subject I could write about for a long time.)
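The three basics above (patch on the Patch Tuesday cadence with a couple of tester machines going first, keep the host firewall on, keep antivirus running with fresh signatures) are easy to state and easy to let slip. The script below is an added example, not code from the original post; it turns those three checks into a small fleet audit over a constructed inventory of desktops. The two-day pilot wait and seven-day rollout deadline, the three-day signature age limit and the machine records are all my assumptions for illustration.

```python
"""Endpoint hygiene check: patched, firewall on, antivirus running.

Added example, not code from the original blog.  It models the three basics
the post lists: updates applied within a window after Patch Tuesday (pilot
machines first, everyone else once the pilots prove the patch is safe), the
host firewall left on, and antivirus running with fresh signatures.  The
fleet records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Endpoint:
    name: str
    last_patched: date        # date the latest Microsoft updates were applied
    firewall_on: bool
    av_running: bool
    av_signatures: date       # date of the antivirus definition set in use
    pilot: bool = False       # member of the small "tester" group that patches first


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, the day Microsoft releases updates."""
    first = date(year, month, 1)
    days_to_first_tuesday = (1 - first.weekday()) % 7   # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before today."""
    this_month = patch_tuesday(today.year, today.month)
    if this_month <= today:
        return this_month
    if today.month == 1:
        return patch_tuesday(today.year - 1, 12)
    return patch_tuesday(today.year, today.month - 1)


def patch_deadline(today: date, pilot: bool,
                   pilot_wait_days: int = 2, rollout_wait_days: int = 7) -> date:
    """Date by which a machine should carry the latest updates.

    Pilots wait a day or two so a bad patch can be backed out quickly; the rest
    of the fleet follows once the pilots have run it without trouble.
    (Assumed waiting periods, chosen for this example.)
    """
    release = latest_patch_tuesday(today)
    return release + timedelta(days=pilot_wait_days if pilot else rollout_wait_days)


def audit_endpoint(ep: Endpoint, today: date, max_signature_age_days: int = 3) -> list[str]:
    """Return the hygiene problems found on one machine (empty list means clean)."""
    findings: list[str] = []
    release = latest_patch_tuesday(today)
    deadline = patch_deadline(today, ep.pilot)
    if ep.last_patched < release and today > deadline:
        findings.append(f"missing updates released {release.isoformat()} "
                        f"(deadline {deadline.isoformat()})")
    if not ep.firewall_on:
        findings.append("host firewall disabled")
    if not ep.av_running:
        findings.append("antivirus not running")
    else:
        age = (today - ep.av_signatures).days
        if age > max_signature_age_days:
            findings.append(f"antivirus signatures {age} days old")
    return findings


def audit_fleet(endpoints: list[Endpoint], today: date) -> dict[str, list[str]]:
    """Findings per machine name."""
    return {ep.name: audit_endpoint(ep, today) for ep in endpoints}


# Constructed sample data: four desktops checked on 29 April 2015, two weeks
# after the 14 April 2015 Patch Tuesday.
SAMPLE_TODAY = date(2015, 4, 29)
SAMPLE_FLEET = [
    Endpoint("TEST-PC-1", date(2015, 4, 15), True, True, date(2015, 4, 29), pilot=True),
    Endpoint("FRONT-DESK", date(2015, 3, 12), True, True, date(2015, 4, 28)),
    Endpoint("ACCOUNTING", date(2015, 4, 15), False, True, date(2015, 4, 20)),
    Endpoint("WAREHOUSE", date(2015, 4, 22), True, False, date(2015, 1, 1)),
]

if __name__ == "__main__":
    for name, problems in audit_fleet(SAMPLE_FLEET, SAMPLE_TODAY).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run as is, it reports the pilot machine as clean, the front desk as missing the April updates, accounting with its firewall off and stale signatures, and the warehouse PC with no antivirus running. In a real shop the `Endpoint` records would be filled from whatever your management tooling reports rather than typed in by hand.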

Frankly the best prevention technique today, and probably always will be, is TRAINING! I am amazed how companies do not train users on the basics of what to click and what not to click. It is kind of like giving your son or daughter a cell phone without teaching the basics of how to stay safe online. Oh wait! That happens too. (Sorry, couldn’t help myself.) Maybe a better analogy is showing someone how to drive without teaching them where the brakes are so they can stop before they hit something. I think you get my drift.

In summary, that desktop is usually the culprit (more like the person using it). It may not be because someone is going to a bad site on purpose, but with a lack of training and recognition of what they are clicking on it could wind up costing a lot of money and a lot of productivity. I try so hard to get clients to see the benefit. Stopping one bad action through recognition could save a company literally thousands of dollars and a thousand more headaches. Awareness is the key.

Monday, April 27, 2015

Common holes in your Cyber Security Defense - What else you need to think about.

Did you know that there have been successful attempts to enter a secure building through a heating and cooling duct? Have you looked around your building lately to see what entry points a creative bad guy could use for entry?

In my last blog, Wireless, I discussed how wireless on your network can be a way in for our actors (bad guys). I am going to expand on that in this blog. There are many holes you may not even realize you have on your network, so I will show you how some very simple everyday things can put you at risk.

BYOD (Bring your Own Disaster... ohhh I mean Device) is a really hot topic and has been for a while. I think one of the biggest reasons is the constant struggle over how to regulate it, much less control it. First, let me define what this is. Pretty much it is allowing equipment your business does not own (cell phone, pad, laptop or anything else you can think of) to attach to your network, wirelessly or wired. An example: Mary doesn't like Windows very much for the publishing job you have her doing for your marketing. She asks if she can bring in her Mac to do publishing (makes sense to me) and you allow her to do this. She brings it in, hooks it up to the network and does her job with your network resources.

Probably a more common scenario is an employee with a phone that you let use your secure Wi-Fi in order to pay his bills at lunch time and do a little surfing (because you put the proper filters for web sites in place... hint hint... wink wink), and it is allowed to carry that data across the network to his phone because phone reception sucks in your building.

Could anything possibly go wrong in either of these two scenarios? NAH!! Everything is peaches and cream. Nobody goes to a bogus site or clicks on a bad link. WRONG!! The best way I describe this is kind of like a Trojan horse. You have a device that was possibly infected BEFORE they started using your network. It is like sterilizing an area for a medical procedure only to have the doctor sneeze all over it once in the area. You get my drift.

Think about that router and firewall again. Like a moat and wall around a castle it is there protecting you. Someone sends you a gift of a pretty horse that gets delivered INSIDE of the protection perimeter. Now you have an issue on how to contain it, or even stop it from spreading from the inside out. That is the danger of people bringing devices into your space. But that is just one thing to be aware of.

I mentioned printers in my last blog, but it is not just printers. It is any device attached to the network. It could be that fancy new scanner you just bought. It could even be that electronic picture frame. Maybe even the new fridge you just bought for the company break room, because you thought it was so cool that you could monitor it from the Internet so you hooked it up to your network.

There is one that I am suddenly seeing more and more of. HVAC. That is right. Anything from the last few years is going to have controls that are hooked up through the Internet. A very perfect and vivid example was Home Depot, where the actors used credentials that the HVAC guys failed to change to gain access and go where they needed to go. Every device that connects to your network is capable of being used as an entry point. What is worse is that it is on the inside of your defense. That isn't a good thing.

So once again I will stress: policy and procedure. Know what is on your network and how it interacts. Did your password get changed from the default? Who knows the passwords and are they complex enough? When was the last time (if ever) you had a security professional simply test for these holes?

The holes that are becoming obvious to hackers today are things the common business owner has no clue are even a threat, much less how to fix. All the way back to the bank analogy: it is like having that vault in a bank, but there are all of these passages in that you don't even think about. When it comes to security you need to keep in mind what is connecting where. It is easier than you think for the bad guys when you leave those holes open. Think like the bad guy.

Monday, April 20, 2015

Wireless is like leaving the window open

Have you ever left your house, locked it up and driven away not really thinking about it? You return home later and notice air moving. Where is it coming from? You left a window open!! (Gasp.) If you think about how a bad guy would enter your home when you are away, he probably isn't coming through the front door. My guess is he would see the open window and not take long to get in.

In my last blog I talked about perimeter security using a router. If you leave a window open (wireless that is not separated from your network) it is a pretty easy entry into the network. Again, the hardest part is usually getting inside the first layer. Many small businesses do not even give it a second thought. A few customers ask if they have wireless, they think why not, and throw up an access point (that's that thing with the funny looking antennas on it, though sometimes they don't have them) so people can cruise the Internet.


So what's wrong with that, you ask? Say I am a bad guy. I drive to the back of your building at about 2 am. Earlier that day I was just driving around to see if I could find any place that has an unsecured access point I can jump on to. BINGO!! You're it! Most of the better routers (see how I came back to that router again?) will have the ability to plug multiple pieces of equipment in and then be programmed so you can separate things like access points from your regular network. People can still cruise the net, but it makes it difficult for them to get into your network (not impossible). There are other ways to do this, but with the right programming and hardware it can help a lot. One other thing that I do with my clients is the access points they buy have a schedule in them, so I shut them down about an hour after everyone leaves. That prevents Johnny or Jane Hacker from jumping on at 2 AM.

I still have not explained why you should do this, have I? Johnny or Jane Hacker can leverage that access point in a number of ways. They can plant some viruses, mess with your systems and, here is one that most don't think of (I actually had this happen to a client), commit a crime while using your lines so it traces back to you. How fun would that be to have the FBI at your door questioning you about some fraud that came from your network? Exactly!!

Now I have one more that hardly any business thinks of. Most printers and copiers these days come with a wonderful wireless feature on them. One that is typically turned on by default and left on. So that isn't so bad, right? Couple it with most vendors NOT CHANGING DEFAULT PASSWORDS and you have another wide open window.

To stay consistent, let's just say there is a bank. It has a copier and wireless was left on, blasting out to the world "Here I am.. Come see me!" Jane Hacker knew this because she was using a wireless analyzer to drive around and, again, find open systems or at least ones broadcasting. This time she mixes in with the rest of the cars in the parking lot. She is able to EASILY access that printer through wireless. She now can see the internal hard drive (yep, they have internal hard drives) with stored documents complete with account numbers, names, addresses and social security numbers. (And yes, this happened, but it was years back.) Jackpot, and now she can go sell that info on the black market at a premium of $15 a pop. Just for fun before she leaves she reprograms the LCD display and locks everyone out of it.
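The copier story here and the printer, picture frame, fridge and HVAC examples in the "Common holes" post above all come down to the same checklist: know what is on the network, whether its default password was changed, which segment it sits on, whether its radio is on for no reason, and who is responsible for it. The script below is an added example, not code from the original posts. It audits a constructed asset inventory against that checklist; the segment names ("corporate", "guest", "iot"), the severity levels and the device records are my assumptions for illustration. It works from the inventory you keep, not by probing devices.

```python
"""Audit of everything plugged into the network (added example, not the blog's code).

Every printer, copier, HVAC controller, picture frame or personal laptop on
the network is a door, and many ship with a default password and their
radios turned on.  This check works from an asset inventory: who owns each
device, was the default password changed, which segment it sits on, and from
where its management page can be reached.  The inventory below is constructed
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Device kinds that should live on their own isolated segment, never with workstations.
APPLIANCE_KINDS = {"printer", "copier", "scanner", "hvac", "appliance", "camera"}
Finding = Tuple[str, str]   # (severity, message)


@dataclass
class Device:
    name: str
    kind: str                         # workstation, laptop, printer, copier, hvac, appliance, access_point ...
    company_owned: bool               # False for BYOD
    owner: Optional[str]              # person responsible for patches and passwords, None if nobody
    default_password_changed: bool
    segment: str                      # "corporate", "guest" or "iot" (assumed segment names)
    management_reachable_from: str    # "internet", "lan" or "none"
    wireless_enabled: bool = False    # built-in radio on a device that is already wired


def audit_device(d: Device) -> List[Finding]:
    """Findings for one device, most severe class first."""
    findings: List[Finding] = []
    if not d.default_password_changed:
        findings.append(("high", "default password still in use"))
    if d.management_reachable_from == "internet":
        findings.append(("high", "management interface reachable from the Internet"))
    if not d.company_owned and d.segment == "corporate":
        findings.append(("medium", "personal (BYOD) device on the corporate segment; move it to guest"))
    if d.kind in APPLIANCE_KINDS and d.segment == "corporate":
        findings.append(("medium", f"{d.kind} on the corporate segment; isolate it on the iot segment"))
    if d.kind in {"printer", "copier"} and d.wireless_enabled:
        findings.append(("medium", "built-in wireless left on; turn it off if the device is wired"))
    if d.owner is None:
        findings.append(("low", "no owner assigned, so nobody will patch it or rotate its password"))
    return findings


def audit_inventory(devices: List[Device]) -> dict:
    """Findings keyed by device name."""
    return {d.name: audit_device(d) for d in devices}


def worst_first(report: dict) -> List[str]:
    """Device names ordered by their most severe finding, as a work list."""
    rank = {"high": 0, "medium": 1, "low": 2}

    def key(item):
        name, findings = item
        return (min((rank[sev] for sev, _ in findings), default=3), name)

    return [name for name, _ in sorted(report.items(), key=key)]


# Constructed sample inventory for a small office.
SAMPLE_INVENTORY = [
    Device("FRONT-OFFICE-COPIER", "copier", True, "Office manager", False, "corporate", "lan", wireless_enabled=True),
    Device("HVAC-CONTROLLER", "hvac", True, None, False, "corporate", "internet"),
    Device("MARYS-MAC", "laptop", False, "Mary", True, "corporate", "none"),
    Device("BREAKROOM-FRIDGE", "appliance", True, "Facilities", True, "iot", "lan"),
    Device("GUEST-AP", "access_point", True, "IT", True, "guest", "lan"),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for name in worst_first(report):
        print(name)
        for severity, message in report[name]:
            print(f"  [{severity}] {message}")
```

The HVAC controller and the copier float to the top of the work list because of their unchanged default passwords; the fridge on its own segment and the guest access point come out clean. The value of the script is the inventory behind it: if a device is not in the list, nobody is checking it.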

I could go on and on about real life things that have happened like this. I could also go into BYOD (Bring Your Own Disaster... I mean Device), which leverages wireless, and other ways it can open a door to your network, but I want you to actually continue to read my blogs. I can also get much deeper into the mechanics of how this works, but for now let's just say it's making you aware.

My lesson for today is, just like looking at a building, think of the most unusual way you can get in and not just the obvious. If someone gets inside then the whole router thing I talked about is irrelevant, though I will be talking about those inside layers. AH HA! It's like locking all the doors but letting someone in the back door to look around. It still will catch up with you. Remember, the bad guys really don't want to be seen, just like a thief, so they may not come at you in broad daylight. Think like a thief!

In the next blog I will touch on some of the more unusual "windows" (not Microsoft; figure of speech here, folks) that are open out there but have actually been the cause of some of the most publicized and large breaches in the last year. Till then!

Saturday, April 18, 2015

Starting at the perimeter for Cyber Security

I believe the old saying goes "A chain is only as strong as the weakest link". The same goes for perimeter security, and it is a place to start talking about a structured and layered approach.

In my previous blog I described your data being like money in a bank. It should take many layers to get even close to it just like in a bank. If you are a bad guy trying to steal money in the middle of the night the first order of business is trying to get in the door or inside of the building. The same goes with data on a network.

I am going to pause for a second and put a disclaimer out there for you. In this blog I am only going to describe the technology side of security. Not the actual physical security. Physical security is as important but for the sake of simply staying focused we will talk on the technology side. Many businesses do not think about the physical security aspect of protecting data but in later blogs I will go through some of the things I have seen and experienced that will bring to light how important that aspect of security is. Still with me??

Think of the Internet as the world outside of the door of your business. So you have a door on your business, right? The same goes for your network. You have to put a door there so it is not wide open and anybody can come on in. Take a look around at your data and financials; that is what we are trying to keep them away from. The harder it is for the bad guy to break down that door and get in, the more of a fighting chance you will have.

So, this door. The door will be a piece of equipment that you probably have heard of at some point called a router. What that router will do is let traffic in and out of your door or doors (I will talk about those doors in a minute) and direct traffic (emails, data etc.) to where it needs to go. I will not go into the gory details of how that works, but it is kind of cool what it can do.

Now a router is not just a router in most cases. A router has on it something called a firewall (the better ones at least). Picture our bank again. Now think of that bank as having thousands of doors on it that can either be made to just let people in, just let people out or let them go in and out. On the router these are called ports. Here is a very important part. There are a few doors every bank has to have open just to make sure people can come in and go out (when you surf the Internet you have to go in and out of one of those ports). The rest of them should pretty much be locked, sealed and welded shut so someone doesn't get into your bank without you knowing. This is typically done when it is first set up.
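To make the "doors" picture concrete, here is a small model of what the firewall in that router does with each packet, written as an added example and not taken from the blog or from any router vendor. It also covers the point from the Wireless post about keeping the guest access point separated from the office network: the guest zone can reach the Internet but cannot start anything into the office. Rules are checked top to bottom, the first match wins, and anything no rule allows is dropped (the "welded shut" default). Replies are let back in only for connections the firewall already saw leave, which is the "go in and out of one of those ports" part. The zone names, the rule set and the sample packets are my assumptions for illustration.

```python
"""Small stateful firewall model (added example, not the blog's code).

Zones stand for the router's interfaces: "wan" is the Internet, "lan" the
office network, "guest" the wireless access point for visitors.  Rules are
evaluated first match wins and anything not matched is dropped.  Reply
packets are admitted only for connections the firewall already allowed out.
Zone names, policy and packets below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str        # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None                 # None matches any protocol
    dst_ports: Optional[FrozenSet[int]] = None  # None matches any destination port
    action: str = "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src_zone == p.src_zone and self.dst_zone == p.dst_zone
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_ports is None or p.dst_port in self.dst_ports))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.connections: set = set()   # 5-tuples of flows allowed by a rule

    @staticmethod
    def _flow(p: Packet) -> Tuple:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> Tuple:
        # The flow this packet would be a reply to.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> str:
        # 1. Replies to a connection we already allowed out are let through.
        if self._reverse(p) in self.connections:
            return "allow (established)"
        # 2. Otherwise the first matching rule decides.
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.connections.add(self._flow(p))
                return r.action
        # 3. No rule matched: the door stays welded shut.
        return "deny"


# Assumed policy: office and guests may browse the web and resolve names;
# nothing from the Internet or the guest network may start a connection
# into the office.
SMALL_BUSINESS_POLICY = [
    Rule("lan", "wan", "tcp", frozenset({80, 443}), "allow"),
    Rule("lan", "wan", "udp", frozenset({53}), "allow"),
    Rule("guest", "wan", "tcp", frozenset({80, 443}), "allow"),
    Rule("guest", "wan", "udp", frozenset({53}), "allow"),
    Rule("guest", "lan", action="deny"),
    Rule("wan", "lan", action="deny"),
]

# Constructed packets, in the order the firewall sees them.
SAMPLE_PACKETS = [
    Packet("lan", "wan", "tcp", "192.168.1.20", "203.0.113.10", 51000, 443),   # office PC opens a web site
    Packet("wan", "lan", "tcp", "203.0.113.10", "192.168.1.20", 443, 51000),   # the web site's reply
    Packet("wan", "lan", "tcp", "198.51.100.7", "192.168.1.5", 40000, 3389),   # unsolicited inbound remote desktop
    Packet("guest", "lan", "tcp", "10.10.0.7", "192.168.1.5", 52000, 445),     # guest phone poking at a file server
    Packet("guest", "wan", "tcp", "10.10.0.7", "203.0.113.10", 52001, 80),     # guest phone browsing
    Packet("wan", "lan", "udp", "198.51.100.7", "192.168.1.20", 53, 51001),    # fake DNS "reply" nobody asked for
    Packet("lan", "wan", "tcp", "192.168.1.20", "203.0.113.10", 51002, 22),    # office PC trying SSH out: no rule
]


def simulate(packets: List[Packet], rules: List[Rule] = SMALL_BUSINESS_POLICY) -> List[str]:
    """Run packets through a fresh firewall and return the decision for each."""
    fw = Firewall(rules)
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, simulate(SAMPLE_PACKETS)):
        print(f"{pkt.src_zone:>5} -> {pkt.dst_zone:<5} {pkt.proto}/{pkt.dst_port:<5} {decision}")
```

The same reply packet that is admitted as "established" after the office PC opened the connection is dropped when it arrives on its own, which is the whole point of the stateful check: doors open from the inside, not from the street. Real router firewalls add address matching, logging and connection timeouts, but the evaluation order shown here (established traffic, then explicit rules, then deny) is the posture the post describes.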

Even more important, every door has a master key (this would be the admin password for the router itself, which can be used to change settings). That key is known to the world, and anyone with the key can get in the door and do what they please. So what do we do if we know we have a common lock with a common key? Change the lock and key!! I cannot tell you how many times I go to visit a new client and simply test the original password (typically either admin, password or 123456.. I am not kidding!!) and bang!! I am in their router and able to do any type of voodoo I do, including opening doors they don't know about so I can get in later. I just described how a majority of hacks on routers happen. CHANGE THE DEFAULT PASSWORD!

Sorry for yelling, but this is one of the simplest and most effective ways to keep a common hacker out of your system and so many times it just is not done. Anyway.. That is kind of routers 101, so to speak. I do have one item to add. Spend a few hundred dollars on a router. Please!! I have replaced countless inexpensive routers because frankly they just are pretty easy to breach. I won't mention brands here.

I will mention several brands that I like to work with that really are solid. My favorite is probably WatchGuard. Excellent product! Very powerful if you need it, but it also does a fantastic job of updates on their systems and I just do not have problems with failures. Average-ish cost is $500. You can add services such as a web filter, virus protection and intrusion detection, but that is where you would have to have someone who knows his stuff running it. Other brands I have used are Cisco, Dell SonicWall and Fortinet. There are many more out there, but any of these work for a small business without killing you in price. All make routers that are $100K+, so let's just say you have a wide range.

There is one more thing to be addressed. I have run into businesses that would not put a router on, thinking they were safe. Their Internet provider plopped this black box in (cable modem), hooked it up to their stuff and sure as shootin' they had Internet. They never asked if there was a firewall on there. Some do have that firewall, some don't, and some just are not very good, though it has been getting better. Don't just trust that black box. Many providers will not even give you access to see what is going on in case one day you have trouble. Put your own equipment on.

So in closing, the router is your first line of defense for your network. If you want to tighten up your security this would be the best place to start. Not the only place though! Many more layers to go through. Aren't you excited? Next I will touch on wireless, which is an area many businesses do not understand is a wide open door into their system. Till then...

Thursday, April 16, 2015

Cyber Security for Small Businesses

I was thinking the other day that the majority of my current clients fit into the Small-Medium sized business category. One thing I have truly noticed is there are not many people out there helping these businesses out when it comes to security. I am doing all I can but I have such a small fraction of those businesses so that is where this blog comes in. Hopefully this will help those business owners understand what security is all about and take actions to protect themselves and their business.

Let's start out with some terminology (yes, I heard the sighs out there). As a business owner you probably have some techy person already doing some of your work as needed or on a schedule. The first thing I hear out of a business owner's mouth is "Tell me in simple terms". Not so easy for many in the tech industry, but through my long career I have learned that most people do not really want to know the detail. Just the what, why and how much in most cases. I know I am talking your language, so this blog will follow that protocol.

Cybersecurity. I just read an article yesterday from a guy who is tired of hearing the word Cyber and says it is not even being used properly. I agree, but it does indeed instantly give people an image of what this is about. It's that Internet, technology, computer, wires and all that stuff that goes with it word. It is kind of the catch-all today for anything technology or hooked to the Internet. I equate it to Kleenex (I actually used to work for the folks who make the actual Kleenex brand). You can grab a box of Puffs and people still call it Kleenex. Same here. Technically there are all kinds of things that fit into Cyber, including InfoSec (Information Security), but for our purposes let's just keep it Cyber. Fair enough?

So you own a business. Where in the bloody heck do you begin with security? Truly there is a very wide range of topics we could cover here, but I want to give you a visual so we have a model to work with, and we will use it going forward. Equate your data to money. Without it you cannot operate. If it gets stolen it could be used for bad things. You need a place to store it and then a plan to protect it. Then if anything should happen with it, how do you react?

So given that visual, all of your data is stored in what is equivalent to a bank vault (this typically will be your server). There are many layers in a bank before you get to the vault or even the money. You have to get through the door, avoid detection (software or hardware with alarms), make your way to the vault (network), get to the door of the vault and put in the code to open it (passwords). There are many variables in that route, but if you make it simple for the bad guy to get in the door (no router), walk unopposed and unseen in the network (no log files or detection software) and do not even put a password on the vault (you're getting me) then all they really have to do is find your door to get in (be wide open to the Internet with no protection).

Now that being said, if you keep all of your money in one place and have nothing in reserve (data backups) you can call it a night and you're done! The figure is somewhere around 60% of businesses breached will not survive 6 months. If it is a true data loss (flood ruins your server, tornado or angry employee) that number goes to about 94%, depending where you get your stats from. So one thing we need to include is a data backup and recovery plan. Many do not think of that as a security issue, but it is.

So that is a pretty wide view of what will be in this blog. I will break up and tackle things subject by subject and try not to bore you with detail like I promised.

So back to the data is money analogy. It truly actually is. You can put a price on your data pretty easily. Just think if all of your client information, including pricing etc., fell into your biggest competitor's hands. How much would that cost you? I am thinking a lot.

So I will leave you with this. There is so much noise out there about data breaches and identity theft that it gets numbing. What do you listen to? Who do you believe? Hard to say these days with all of the NSA stuff etc. going on. The good news is I do have a certification in Information Security (ready?? Last one till next time: CISSP, Certified Information Systems Security Specialist). Now you know why they say CISSP. That certification was built on a standard (if you must know, it is ISO27000. You're welcome) which is where much of my information comes from. It's a standard because it works if applied properly. It at the very least gets you a fighting chance to stay sane. So until my next blog, where we will find that starting point and start getting you secure!