The keys to the Kingdom.

Passwords

They’re everywhere. It seems you nearly need one to go to the bathroom these days. Unfortunately though, they’re essential. No, essential isn’t strong enough. They’re absolutely CRITICAL!

As you undoubtedly already know, these pesky passwords are quite literally the keys to the kingdom. You work with them, you bank with them, you store your online documents with them, you reveal your personal life on social media with them, you shop with them. In short, you secure your whole digital world with them.

However we still deal daily with people who don’t seem to get what would happen if someone were to obtain the keys to their kingdom. If you reuse passwords at multiple sites (and we know none of you ever would 😉), then as soon as one of those sites is breached, the attacker takes the leaked username/password pairs and tries them against every other popular service, a technique known as credential stuffing. Once they have access to your other accounts, it all starts to unravel very quickly.

And let’s assume for the moment that you truly don’t have anything important in your email or online documents (extremely unlikely, but for the sake of argument…). Other people trust you. When you send an email to anyone you know, they assume that they can trust its contents. However, if your account has been compromised, all bets are off, and your recipients have no way of knowing it. We see this happen A LOT!!!

For the sake of brevity, please believe me when I say that ALL your online and computer passwords are critical. When they fall into the wrong hands, bad stuff follows. Incidentally, if you want to know whether your passwords are already compromised (pretty good chance they are), head over to Troy Hunt’s excellent Have I Been Pwned (no, that is not a typo) site at haveibeenpwned.com to check your email address and passwords. The password check only sends the first five characters of your password’s hash, so the password itself never leaves your browser.
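To show what that check actually does on your side, here is an added worked example (not part of the original post) of the Pwned Passwords range query: the script hashes a password, sends only a five-character prefix, and matches the rest locally. The API URL is the real one, but the response body is a constructed sample so the script runs offline, and the counts in it are made up.

```python
"""Offline walk-through of the Have I Been Pwned "Pwned Passwords" range check.

Added example (not from the original post). Only the first five hex characters
of the password's SHA-1 hash are ever sent to the API; the service returns every
known hash suffix in that range and the match is done locally. The live endpoint
is https://api.pwnedpasswords.com/range/<prefix>; here the response is a
constructed sample so the script runs offline.
"""
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix sent to the API, suffix that stays on your machine)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


# Constructed sample response for prefix 5BAA6 (the real response has hundreds of
# lines and different counts). SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
SAMPLE_RANGES: dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FFB1A9B2B10B6C0F3A5E9D4C7A2B1C0D9E8:1",
    ]),
}


def lookup_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """The real call, for reference; not used by the offline demo."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup=lookup_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Ferrari desired-moolah,mi55ing"):
        n = pwned_count(candidate)
        verdict = f"seen {n:,} times, do not use" if n else "not in the sample range data"
        print(f"{candidate!r}: {verdict}")
```

Pass `fetch_range_live` as the `lookup` argument to query the real service; the prefix is all it ever receives, which is why the check is safe to run against passwords you actually use.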

So here’s what to do…

If you follow this advice, your digital world will be a lot more secure than it probably is now.

  1. Never reuse the same username/password combination on more than one site.
    1. So that means every site needs a different username/password combination.  Every Single One!  This is the most important thing to do.
  2. Obviously this means you can’t remember them all. So don’t! Use a password manager. We use LastPass, but 1Password and Dashlane are also excellent. At the very worst, write them in a notebook kept somewhere physically secure. LastPass has a free tier that is pretty good if you just want it for home.
  3. A good password is long and hard to remember: more than 16 characters, mixing upper and lower case letters, numbers and symbols. (So use a password manager!)
  4. If you must remember a password (very frequent use etc.), string a few unrelated words together, e.g. “Ferrari desired-moolah,mi55ing” (and please don’t use this one now that it’s published). Pick something you’ll remember but that nobody could guess from what they know about you.
  5. Use 2FA/MFA anywhere you can. This adds a second factor beyond the password: something you have (a hardware token, an authenticator app, a code texted to your mobile), something you are (a biometric), or a condition such as your location. Text-message codes are the weakest of these, but still far better than a password alone.
  6. Don’t share your password with anyone.

And there you have it.  Simple! Well maybe not simple, but free and achievable.  And please persist with the password manager.  They’re a pain for the first month, while you load them up with all your info.  Then you’ll wonder how you survived without one.

TL;DR (Admins section)

However this only makes your passwords more secure.  It does not secure your email system.  If you are a business it is also critical to protect your email systems.  Most people in business tend to use one of the following…

  1. Microsoft Exchange Online
  2. Microsoft Exchange On Premise
  3. Gmail (GSuite for Business)
  4. A “free” account that came with their website, or outlook.com or similar.
    1. Remember if you don’t pay for the product, you are the product, so free is never free.  In fact it is usually the most costly in the long run.

Not one of these common business options (which account for over 90% of business email throughout the world) comes secure as standard. When these companies build these products they build them to be easy to access and simple. They don’t build them secure. They do this purely so you will adopt them. All of them require extensive alteration to make them more secure.

There’s not enough space here to go through how to effectively secure every type of email system, so let’s just give some generalisations:

  1. DNS: Secure your DNS and your mail domain. SPF, DKIM and DMARC are records you publish in DNS that let receiving mail servers reject messages forging your domain; DNSSEC signs the DNS records themselves so they can’t be tampered with in transit. Use the ones most appropriate for your business, and don’t stop at a DMARC policy of p=none, which only monitors and blocks nothing.
  2. Link Scanners/Sanitisers: Put one on your system for added security. Put it on the Mail Exchanger; on the endpoint is not nearly as effective.
  3. Attachment Scanners/Sanitisers:  As above
  4. Multi Factor Authentication (MFA/2FA). Use it!
    1. Biometrics are best IMHO (note that on most devices the biometric only unlocks a credential stored on the device, so its strength depends on that credential)
    2. U2F style tokens are a close second (Yubikey etc). These are the phishing-resistant option: the key is bound to the site’s real origin, so a look-alike login page can’t capture anything useful.
    3. Software tokens (authenticator apps) are next
    4. SMS code is okay (it can be defeated by SIM swapping or a real-time phishing relay), but still way better than no MFA
    5. Location based is also way better than nothing.
  5. Turn off protocols that aren’t needed. e.g. O365 rarely needs POP3, IMAP, EWS etc. enabled, but they’re on by default. These legacy protocols only understand a username and password (basic authentication), so they are a way around your MFA unless you disable them.
  6. Alerting:  Have your system send alerts if anomalies happen.
    1. Privilege escalation,
    2. forwarding rules added
    3. Delegation changes
    4. Logins from multiple locations
    5. logins from unusual locations.
    6. TOR access
    7. Change in protocol availability
  7. Regular auditing of the system for security issues.
  8. You will have noticed by now that if your system doesn’t support these features (very few free ones do) it may be time for a new Mail Exchanger system.
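As an added example (not from the original post), here is a small lint for the SPF and DMARC records mentioned in item 1. It flags the settings that most often leave a domain spoofable: a permissive or missing `all` mechanism, too many DNS lookups, the deprecated `ptr` mechanism, and a DMARC policy of `p=none`, a reduced `pct`, or no `rua` reporting address. The records below are constructed for a hypothetical example.com; in practice you would fetch the TXT records at your domain (SPF) and at `_dmarc.yourdomain` (DMARC).

```python
"""Lint SPF and DMARC TXT records for the common weak settings.

Added example, not from the original post. Input records are constructed
strings; in practice fetch the TXT record at <domain> (SPF) and
_dmarc.<domain> (DMARC) with your resolver of choice.
"""

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps the total at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _spf_term_name(term: str) -> str:
    """'include:_spf.example.com' -> 'include', '~all' -> 'all', 'redirect=x' -> 'redirect'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name


def lint_spf(record: str) -> list[str]:
    """Return a list of findings; an empty list means nothing obviously weak."""
    findings: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechanisms = terms[1:]

    all_terms = [t for t in mechanisms if _spf_term_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result (add -all or ~all)")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: receivers treat unlisted senders as unknown")
        elif qualifier == "~":
            findings.append("'~all' softfail: acceptable while DMARC is enforced, otherwise move to -all")

    if any(_spf_term_name(t) == "ptr" for t in mechanisms):
        findings.append("'ptr' is deprecated, slow and unreliable; replace with ip4/ip6/include")

    lookups = sum(1 for t in mechanisms if _spf_term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10: receivers return permerror")
    return findings


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a dict with lower-cased keys."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list[str]:
    """Return a list of findings for a DMARC record; empty means enforced and reporting."""
    findings: list[str] = []
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail that fails SPF/DKIM is still delivered")
    pct = int(tags.get("pct", "100") or 100)
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports showing who spoofs you")
    if tags.get("sp") == "none" and policy not in (None, "none"):
        findings.append("sp=none leaves every subdomain unprotected while the apex is enforced")
    return findings


if __name__ == "__main__":
    # Constructed records for a hypothetical example.com
    samples = {
        "weak SPF": "v=spf1 include:_spf.mailhost.example ptr +all",
        "good SPF": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
        "weak DMARC": "v=DMARC1; p=none; pct=10",
        "good DMARC": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; sp=reject",
    }
    for label, rec in samples.items():
        lint = lint_spf if "SPF" in label else lint_dmarc
        print(f"{label}: {rec}")
        for finding in lint(rec) or ["no findings"]:
            print(f"  - {finding}")
```

DKIM is deliberately left out: its record is a public key under `<selector>._domainkey.<domain>`, and the useful check there is that signing is actually happening and the key is at least 2048 bits, which you verify from a signed message rather than from the record alone.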

All this will go a long way towards keeping your users far safer than an out of the box system.  And most cost very little or nothing!  Now you can turn your attention to your wider Business and systems Security.
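To make item 6 (alerting) concrete, here is an added example (not from the original post) of detection logic run over a handful of constructed mailbox audit events: a user logs in from two countries an hour apart, creates an inbox rule forwarding mail to an external address from a Tor exit node, and grants another mailbox full access. The field names are a simplified, hypothetical schema rather than the exact Exchange Online or Google Workspace audit format, and the Tor exit list is a one-entry stand-in for the published list.

```python
"""Alert on mailbox-audit anomalies: external forwarding rules, delegation changes,
logins from multiple countries in a short window, and activity from Tor exit nodes.

Added example, not from the original post. The events below are constructed and
use a simplified schema; Exchange Online and Google Workspace audit logs use
different field names, so map them before feeding real data in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}       # your own mail domains
TOR_EXIT_IPS = {"198.51.100.77"}         # constructed; load the published exit-node list in practice
MULTI_LOCATION_WINDOW = timedelta(hours=24)
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
DELEGATION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission", "Add-MailboxFolderPermission"}

# Constructed sample events (hypothetical schema). Addresses use RFC 5737 documentation ranges.
EVENTS = [
    {"time": "2024-03-04T08:02:11Z", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "country": "AU", "params": {}},
    {"time": "2024-03-04T09:15:40Z", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.77", "country": "NG", "params": {}},
    {"time": "2024-03-04T09:17:03Z", "user": "alice@example.com", "op": "New-InboxRule",
     "ip": "198.51.100.77", "country": "NG",
     "params": {"Name": "Invoices", "ForwardTo": "collector@attacker.example", "DeleteMessage": "True"}},
    {"time": "2024-03-04T09:18:30Z", "user": "alice@example.com", "op": "Add-MailboxPermission",
     "ip": "198.51.100.77", "country": "NG",
     "params": {"User": "bob@example.com", "AccessRights": "FullAccess"}},
    {"time": "2024-03-04T10:00:00Z", "user": "carol@example.com", "op": "UserLoggedIn",
     "ip": "192.0.2.55", "country": "AU", "params": {}},
    {"time": "2024-03-05T12:00:00Z", "user": "carol@example.com", "op": "UserLoggedIn",
     "ip": "192.0.2.55", "country": "AU", "params": {}},
    {"time": "2024-03-06T07:30:00Z", "user": "carol@example.com", "op": "New-InboxRule",
     "ip": "192.0.2.55", "country": "AU", "params": {"Name": "Sort", "MoveToFolder": "Archive"}},
]


def _ts(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def detect(events: list[dict]) -> list[dict]:
    """Run all four rules over the events and return one dict per alert."""
    alerts: list[dict] = []

    def alert(rule: str, ev: dict, detail: str) -> None:
        alerts.append({"rule": rule, "user": ev["user"], "time": ev["time"], "detail": detail})

    logins: dict[str, list[dict]] = defaultdict(list)
    seen_tor: set[tuple[str, str]] = set()
    for ev in events:
        params = ev.get("params", {})
        if ev["op"] in FORWARDING_OPS:
            for key in FORWARDING_PARAMS:
                target = params.get(key)
                if target and _is_external(target):
                    alert("external-forwarding", ev, f"{ev['op']} {key}={target}")
        if ev["op"] in DELEGATION_OPS:
            alert("delegation-change", ev,
                  f"{ev['op']} {params.get('User')} {params.get('AccessRights')}")
        if ev["ip"] in TOR_EXIT_IPS and (ev["user"], ev["ip"]) not in seen_tor:
            seen_tor.add((ev["user"], ev["ip"]))      # one alert per user/exit pair, not per event
            alert("tor-exit-access", ev, f"activity from Tor exit {ev['ip']}")
        if ev["op"] == "UserLoggedIn":
            logins[ev["user"]].append(ev)

    # Consecutive logins for the same user from different countries inside the window
    for user, evs in logins.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            gap = _ts(cur["time"]) - _ts(prev["time"])
            if prev["country"] != cur["country"] and gap <= MULTI_LOCATION_WINDOW:
                alert("multi-location-login", cur,
                      f"{prev['country']} ({prev['ip']}) then {cur['country']} ({cur['ip']}) within {gap}")
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['time']}  {a['rule']:22} {a['user']:20} {a['detail']}")
```

Carol’s rule that only moves mail to a folder produces nothing, which is the point: a forwarding rule is only suspicious when the destination is outside your domains, and an alert feed full of benign rule changes will be ignored.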

You can also call and speak to us to assist with a security audit and assistance with implementing a CSF (Cyber Security Framework) for your organisation.  It costs very little and will make an enormous difference to your business’ security and hence, bottom line.

Safe Travels!

Ross Marston.

Cybersecurity is under control, I think…

“Cyber Security is under control, I think…” – CEO

How many times do you hear a CEO say “The finances are under control I think.  The finance department said they were okay.”  My bet is never.

No CEO is going to just accept that the business’s finances are “okay” on the say-so of someone else. They’d rightly demand evidence. They’d need to see P&Ls, balance sheets and management reports. They’d want to see comparisons to equivalent periods. They’d want to know trends.

They would also want to know what plans were in place to ensure positive trends and growth strategies.  Any CEO worth their salt would also be continually reviewing the strategy to advance the business.  In short, they’d have a strategy.

However, when it comes to Cybersecurity, whether you realise it or not, the stakes are a lot higher.

A significant cybersecurity breach can send a business to the wall a lot quicker than its finances can. A commonly cited statistic for businesses in the $1m to $200m turnover range (SMBs) is that 60% close within 6 months of a significant cybersecurity breach.

That’s a staggering statistic when you consider that SMBs are nearly 100% likely to suffer a significant cybersecurity breach within the next 3 years, according to Forbes. We see breaches happen every day, and I’m sure you’ve read about the most publicised ones regularly yourself.

Yet I regularly meet with CEOs that tell me that they think their “IT guys” have their Cyber Security “In Hand”, whatever that means.

However Cyber Security is NOT an IT problem.  It is not for the IT department to handle.  It is the CEOs responsibility to have a clearly defined strategy in place to manage Cybersecurity.  

Sure the IT department have a role, the same as the HR department also have a significant role (probably the most significant), as do the Legal Team, the Marketing/Sales/PR departments, the Finance Department, and the Board as a whole.

It is a company-wide issue for every business. It can only be effectively dealt with from the senior management of your business. And, unless you as a CEO take charge, you are aboard the Titanic, and the waters around are icy.

The good news is, it is easy for any decent CEO to manage an effective cybersecurity strategy. If you are smart enough to run an SMB, you are definitely capable of implementing an effective cybersecurity strategy to help safeguard your business. And it doesn’t have to cost much money. You probably already have most of the resources you need.

Step one is to take control and recognise that it’s your responsibility.

At BIS we specialise in working with CEOs and SMB leaders to gain control of their Cybersecurity, and build resilience in their business.

Cyber Criminals are not going away anytime soon.

Ross Marston
Founder and Chief Cybersecurity Strategist, Business Intelligence Security.

Culture Eats Process For Breakfast


Creating a “secure” workplace culture.

We’ve all heard the saying, “Culture eats process for breakfast”. It is never more true than when it pertains to cyber security. In other words, you can have all the processes you want in place, but if the workplace culture doesn’t support them, they will never happen.

You can have as many processes in place as you want, but if you have a workplace culture, where staff are “shamed”, belittled or intimidated for security indiscretions, welllll…, you’ve already lost the battle I’m sorry to say.

In an environment where staff are in some way belittled for any security related incidents (opening a phishing email, being the object of a targeted attack, getting malware on their work station or server profile, etc, etc), most people will do the same thing.  They’ll avoid being belittled of course.

In other words, they’ll try their hardest to cover up the indiscretion.  They’ll avoid being associated with any security related incident at all costs. And why wouldn’t they.  They know the “consequences…”

What to do about it.

So what is the alternative?  We all know security incidents are bad, right?  The media is constantly banging on (mostly inaccurately) about various security incidents.  Who the latest victim is, or some other sensationalised, inaccurate story.

And of course, everyone hates being the person that clicked on the link in the phishing email, or went to the site infected with malvertising, etc. Even the IT guy who left his company’s website exposed to SQLi or XSS attacks.

But what about if we change that culture?  What about being rewarded (or at the very least thanked) for finding the spear phishing, clone phishing or whaling attack email and notifying your staff mates and IT?  What if there was a demonstrable benefit to quickly notifying your IT specialists if you suspect your devices have been compromised.  What if there was even some sort of game and reward associated with prompt action regarding any security incident?

Now you have what we like to call a warmware firewall.  An early warning and detection system to rival the best NextGen, GenIV, AI, [insert other meaningless sales term here] Firewall available.  Now we have staff and IT motivated to find, notify, and help eliminate Cyber security threats as soon as they’re detected or even suspected.

So how does this work in practice

Humans (the warmware ones we’ve already mentioned) are the ideal firewall.  They’re self learning, they possess AI (Actual Intelligence as opposed to that other sort), and they’re motivated to help naturally as opposed to programmatically.

With some simple and ongoing training, and some motivation (warm fuzzy, financial or otherwise), they’re the perfect resource for building significant resilience into your cyber defence systems.

Example

Here’s an example of how I think this might work, both before and after culture change…

A user inadvertently follows a link in an innocuous (or even obviously dodgy) looking email.

  • Before culture change
    • User thinks “last time Bob mentioned something like this the IT guys laughed at him, and everyone else gave him a hard time for being so ‘stupid’.  I’m just going to shut up.  If it has done any damage, someone else might notice it and, it won’t get traced back to me.  If it does, I’ll just deny it.”
    • User shuts up and just keeps working albeit with more perspiration than before.
    • Eventually the IT department notices that the nightly backups are filling up with strange files.
    • Investigation reveals most of the file system has been encrypted and held for ransom.
    • It has taken so long to discover that the backup retention has cycled through, and the encrypted copies have overwritten every “good” version.
    • Company is forced to negotiate with cyber criminals to try to recover their encrypted files. Unsuccessfully!
    • Everyone hopes it wasn’t their fault.  But it doesn’t really matter as they probably won’t have jobs next week anyway.
  • After Culture change to a Security Rewarding culture
    • User thinks “I better tell IT and team straight away!”
    • User immediately disconnects the computer from the network (pulls the cable or turns off Wi-Fi), leaves it powered on so IT can examine what is still in memory, and calls IT.
    • Problem is rectified with very little damage to company infrastructure.
    • User is rewarded with new Mercedes, or TimTams in the ‘fridge  [or insert more practical reward of your choice here…] for their quick action saving the company from extinction.

Some things I think staff should be rewarded for…

There’s obviously no point just creating white noise of false positive alerts. We need to encourage staff to be alert to certain (and ever changing) events to make this system work. But at the top of this list needs to be an end to the victimisation (or vilification) of people for reporting issues.

So if users or staff make a false positive report, use the opportunity to encourage them and maybe even educate a little on what to look for in the future. But if they alert you or others to a real issue, reward them! It’s the best firewall you’ll ever purchase.

A (very non-exhaustive) rewards list…

  • Users who use good Password hygiene…
    • who use a password manager to store their myriad passwords for various sites (we recommend either KeePass or 1Password).
    • who don’t use the same username/password combination on multiple sites
    • who use complex passwords (16 characters with many different types of characters)
    • Who change a password promptly when it may have been exposed (a breach notification, a suspicious login on that account).
  • IT People finding vulnerabilities and patching.
  • Users or IT Staff finding un-patched browsers, Apps, or OSs
  • IT Staff noticing unauthorised devices on their networks.
  • Users finding scams or phishing attempt and alerting others.
    • emails with dodgy attachments
    • emails with suspect links
    • emails from suppliers or contractors that are “unusual or unexpected”.
    • AGL electricity bills when you don’t use AGL.
    • Emails that seem to know a lot about you from people you don’t know.
    • Parcel delivery notifications.
    • Overly amorous offers from unknown people.
    • I could go on all day here.  The point is if you find them.  Let others know that it is suspect, so they may be able to spot it next time.
  • Users notifying management about unusual behavior (other staff or their own workstation)
    • Someone copying large quantities of data to USB drives.
    • Their own computer behaving unusually after visiting a site ( weird pop up etc.)
    • Their computer behaving unusually after opening an email or clicking on a link.
      • e.g. “Nothing seemed to happen when I opened the document.”
      • “it asked me if I wanted to enable Macros”
      • strange popup windows appearing.
      • It took me to a completely different site than what I was expecting
    • Finding a file that looks like it has been encrypted, or a file that now has a weird extension
      • e.g. .enc or .locky when it should be .xlsx
  • Users finding that their browser or operating system is out of date or has patches ready to be applied that they think IT may be unaware of.
  • Users finding errors or pop-ups when accessing websites (e.g. “Flash player is out of date”, a classic fake-update lure for installing malware).
  • users finding your company info in places it shouldn’t be.
  • The list could go on and on.  Maybe create your own and share it with us.

The bottom line is, let’s stop the pointless practice of shaming staff and users who have either made a mistake or inadvertently done “the wrong thing”, and start rewarding our precious “Warmware Firewalls” for their great work in helping to build the defenses of our businesses.

You have absolutely nothing to lose with this approach.  This is a secure culture.

Contact our office for more information on our Workplace Cyber Awareness programs, or any other Cyber security Related issues.

Stay Safe
Ross Marston