Securing your Mail Exchange System

It’s not enough to simply have an email mail exchanger that you manage. It requires some basic level of improvement to be in any way regarded as secure. Our aim here is to minimise the impact of an attack on the system. That’s the aim of every information security system we put in place.

We’re making a few assumptions in this post. Namely…

  1. You’re already using good secure password practices for all your users.
  2. You have a CSF (Cyber Security Framework) or similar to guide your overall security decision making and strategy throughout the business.
  3. You manage your Mail Exchange System, or are responsible for those who do (CEO, CTO, CIO etc.).

So, if you already have all your users adhering to good secure password practice, let’s consider the whole system.

Is your Email Exchanger secure for your users? If you are a business it is also critical to protect your entire email system. Most people in business tend to use one of the following…

  1. Microsoft Exchange Online
  2. Microsoft Exchange On Premise
  3. Gmail (GSuite for Business)
  4. Linux / BSD based On Premise systems
  5. A “free” account that came with their website, or outlook.com or similar.
    1. Remember, if you don’t pay for the product, you are the product, so free is never free. In fact it is usually the most costly in the long run.

Not a single one of these common business MXs (which account for over 95% of business email throughout the world) comes secure as standard. When these companies build these apps they build them easy to access and simple. They don’t build them secure. They do this purely so you will adopt them. But they all require extensive alteration to make them more secure.

There’s not enough space here to go through how to effectively secure every type of email system, so let’s just give some generalisations.

MX Baseline

Below is a very basic standard baseline. If your MX does not have these basics, you are behind the eight ball to start with.

First and Foremost though, understand what you’re setting out to achieve. Don’t just blindly follow a guide.

Also, use best practice change management processes. Don’t wreck your system by just changing things with no plan. Okay, here’s a sturdy basic baseline for an MX you manage:

  1. Secure your domain. Time and again we see businesses that have had their domain delegation tampered with. Please secure your domain and its delegation.
  2. DNS: Secure your DNS. Make sure record changes to your zone file are carefully controlled. SPF, DKIM, DMARC and DNSSEC are all tools you also have at your disposal for DNS protection. Use the tools most appropriate for your business.
  3. Patch, Patch, PATCH. If you run an on-premise exchanger (MS Exchange or one of the excellent Linux options) keep it up to date and follow best practices regarding redundancy. If you can’t do this, move it to Exchange Online.
  4. Link Scanners/Sanitisers:  All inbound links should be at least scanned, if not sanitised BEFORE the users get to see them. None of them are perfect, but it is another layer in the Cyber Defences.  Put it on the Mail Exchanger though.  On the endpoint is not nearly as effective.
  5. Attachment Scanners/Sanitisers:  As above
  6. Malicious and Blacklist traffic dropping goes without saying.
  7. Multi Factor Authentication (MFA/2FA).
    1. Biometrics are great. A good option.
    2. U2F style tokens are a close second (Yubikey etc)
    3. Software tokens (authenticator apps) are next
    4. SMS code is okay, but still way better than no MFA
    5. Location based is also way better than nothing.
  8. Turn off protocols not needed. E.g. O365 rarely needs POP3, IMAP, EWS etc. enabled, but they’re on by default.
  9. Enable extended log retention. I personally think 1 year is the minimum. Also consider SIEMs such as Chronicle Backstory for excellent visibility into the past.
  10. Redundancy. It goes without saying that ANY system needs to be backed up and fully replicable. Redundancy is also generally required.
  11. Firewall and access control is also required. You need to carefully control what and who can access your systems. Obviously “Most” other systems should be able to send mail to it, but logging in to mailboxes should be tightly controlled.
  12. Alerting: Have your system send alerts if anomalies happen. Into a SIEM as well as other alerting systems is obviously best.
    1. Privilege escalation
    2. Forwarding rules added
    3. Delegation changes
    4. Logins from multiple locations
    5. Logins from unusual locations
    6. TOR exit node access
    7. Change in protocol availability
    8. Other alerting required for your system
  13. Regular auditing of the system for security issues.
  14. You will have noticed by now that if your system doesn’t support these features (very few free ones do) it may be time for a new Mail Exchanger system.
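The alerting conditions in item 12 can be written as detection rules run over mailbox audit records. The following is an added example, not part of this baseline article: the sample records and the TOR exit list are constructed, the record layout is a simplified assumption, and only the operation names (New-InboxRule, Set-InboxRule, Add-MailboxPermission, UserLoggedIn) follow Exchange Online audit-log naming.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one JSON object per line (not real log data).
# Operation names follow Exchange Online audit-log naming; the field layout is
# a simplified assumption for this example.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "203.0.113.5", "country": "AU"}
{"ts": "2024-03-01T08:20:00", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "198.51.100.7", "country": "RO"}
{"ts": "2024-03-01T08:22:00", "user": "alice@example.com", "op": "New-InboxRule", "ip": "198.51.100.7", "country": "RO", "params": {"Name": "Archive", "ForwardTo": "outside@example.net", "DeleteMessage": true}}
{"ts": "2024-03-01T09:00:00", "user": "bob@example.com", "op": "Add-MailboxPermission", "ip": "203.0.113.9", "country": "AU", "params": {"Identity": "ceo@example.com", "AccessRights": "FullAccess"}}
{"ts": "2024-03-01T09:30:00", "user": "carol@example.com", "op": "UserLoggedIn", "ip": "203.0.113.12", "country": "AU"}
"""

# Constructed placeholder; a real deployment loads a current TOR exit-node feed.
TOR_EXITS = {"198.51.100.7"}

# Parameters that send mail somewhere else (inbox rules and mailbox-level forwarding).
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
FORWARD_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
DELEGATION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}
MULTI_LOCATION_WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse one JSON record per line; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events


def detect(events, tor_exits=TOR_EXITS, window=MULTI_LOCATION_WINDOW):
    """Return (rule, user, detail) alerts for the baseline's alerting conditions."""
    alerts = []
    recent_logins = defaultdict(list)  # user -> [(timestamp, country)] inside the window
    for e in sorted(events, key=lambda r: r["ts"]):
        params = e.get("params", {})
        if e.get("ip") in tor_exits:
            alerts.append(("tor_exit_access", e["user"], e["ip"]))
        if e["op"] in FORWARD_OPS and params.keys() & FORWARD_PARAMS:
            target = next(params[k] for k in FORWARD_PARAMS if k in params)
            alerts.append(("forwarding_rule", e["user"], target))
        if e["op"] in DELEGATION_OPS:
            detail = f"{params.get('Identity')}:{params.get('AccessRights')}"
            alerts.append(("delegation_change", e["user"], detail))
        if e["op"] == "UserLoggedIn":
            seen = recent_logins[e["user"]]
            # drop logins older than the window, then compare countries
            seen[:] = [(t, c) for t, c in seen if e["ts"] - t <= window]
            countries = {c for _, c in seen} | {e["country"]}
            if len(countries) > 1:
                alerts.append(("multi_location_login", e["user"], ",".join(sorted(countries))))
            seen.append((e["ts"], e["country"]))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {user:20} {detail}")
```

On the sample the rules fire for the forwarding rule, the delegation change, two TOR-exit events and one multi-location login, all for the same two accounts, which is the kind of correlated picture a SIEM should surface.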

Remember that these are simply baseline options. There may be far more you need to do for your particular environment over and above these baselines. Please contact us if you need help with a security audit. Maybe you need a Cloud Services Security check up or just your email system. Just drop us a line and we’d be only too happy to assist.

If you get these baselines in place, it will go a long way towards keeping your users far safer than an out of the box system. And most options cost very little or nothing! Now you can turn your attention to your wider business and systems security.

You can also Contact Us to assist with a security audit and assistance with implementing a CSF (Cyber Security Framework) for your organisation.  It costs very little and will make an enormous difference to your business’ security and hence, bottom line.

Regards

Ross Marston

The keys to the Kingdom.

Passwords

They’re everywhere.  It seems you nearly need one to go to the bathroom these days.  Unfortunately though, they’re Essential.  No, essential isn’t strong enough.  They’re absolutely CRITICAL!

As you undoubtedly already know, these pesky passwords are quite literally the keys to the kingdom. You work with them, you bank with them, you store your online documents with them, you reveal your personal life on social media with them, you shop with them.  In short you secure your whole digital world with them.

However we still deal daily with people who don’t seem to get what would happen if someone were to obtain their keys to their kingdom. Particularly their email or social media accounts.   If you re-use passwords at multiple locations (and we know none of you ever would 😉 ), it is trivial for someone to access passwords from a breach at one of those sites, and use a technique known as Credential Stuffing to compromise your other accounts.  Once they have access to them, it all starts to unravel very quickly.

And let’s assume for the moment, that you truly don’t have anything important in your email or online documents (extremely unlikely, but I hear this argument all the time…). The issue is that other people trust you.  When you send an email to anyone you know, they assume that they can trust its contents. However, if your account has been compromised, all bets are off.  But your recipients may not know this.  We see this happen A LOT!!!

For the sake of brevity, please believe me when I say that ALL your online and computer passwords are critical. When they fall into the wrong hands, bad stuff follows. Incidentally, if you want to know if your passwords are already compromised (pretty good chance they are) head on over to Troy Hunt’s excellent HaveIBeenPwned (no, that is not a typo) site to test your email and passwords. IMO it is safe to test your usernames and passwords at Troy’s site.

And please remember, what we are trying to do here is to minimise the effects of an attack.  Attacks against your passwords will continue to happen all the time.  They’re happening right now as you read this.  Your job is to do everything reasonable to minimise the effect of those attacks.  Below is a good starting point.

So here’s what to do…

If you follow this advice, your digital world will be a lot more secure than it probably is now.

  1. Never reuse the same username/password combination on more than one site.
    1. So that means every site needs a different username/password combination. Every Single One! This is the most important thing to do.
  2. Obviously this means you can’t remember them all. So don’t! Use a password manager. We use LastPass, but 1Password and Dashlane are also excellent. At the very worst, write them in a book. LastPass has a free option that is pretty good if you just want it for home.
  3. A good password is hard to remember: more than 16 characters with a combination of characters, cases, numbers, and symbols. (So use a password manager!)
  4. If you must remember the password (very frequent use etc.) use a few disparate words strung together (e.g. “Ferrari desired-moolah,mi55ing”, and please don’t use this one). Just something that you’ll remember, but would be hard to determine from knowing something about you.
  5. Use 2FA/MFA anywhere you can (Two Factor Authentication or Multi Factor Authentication). This is something you know (like a password) plus something you have or are (like biometrics, an authenticator app, or a txt message). It’s not infallible, but it is way better than not having it.
  6. Don’t share your password with anyone.
  7. You also need to run, at a minimum, anti-malware (or better still some EDR software like Cisco AMP for Endpoints) on any computers or Android devices.
    1. If you’re using Windows 10, Defender is free and comes bundled with it.
    2. If you’re using a Mac, consider MalwareBytes or ClamAV.
    3. If using Android (reconsider your life choices 😉 ) try any one of the 100s of name brands available. Androids are very prone to malware unfortunately.
    4. At this point I haven’t seen an Apple iOS product I’d recommend. Not to say it doesn’t need one. I just haven’t found it yet.
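As an added illustration (not from the original post) of why checking a password at Troy Hunt’s site can be done safely: the Pwned Passwords range API receives only the first five hex characters of the password’s SHA-1 and returns every matching suffix with its breach count, so the actual comparison happens on your machine. The endpoint URL and the SUFFIX:COUNT response format are the real ones; the offline stand-in response below is constructed for the example, with only the suffix for “password” being a genuine hash.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint


def sha1_prefix_suffix(password):
    """Hash locally; only the 5-character prefix is ever sent anywhere."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """Return how many times the password appeared in breaches (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix):
    """Live lookup: the full hash never leaves the machine, only the prefix."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the endpoint. The second suffix is the real
# SHA-1 remainder for "password" (5BAA61E4...); the other suffixes and all
# counts are made up for the example.
CONSTRUCTED_RANGE = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n",
}


def fetch_range_offline(prefix):
    return CONSTRUCTED_RANGE.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "Ferrari desired-moolah,mi55ing"):
        print(pw, "->", pwned_count(pw, fetch_range_offline))
```

Swap fetch_range_offline for fetch_range_online to query the real service; the author’s advice stands either way, since the response you get back lists hundreds of unrelated suffixes and the service never learns which one you were looking for.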

And there you have it.  Simple! Well maybe not simple, but free and achievable.  And please persist with the password manager.  They’re a pain for the first month, while you load them up with all your info.  Then you’ll wonder how you survived without one.

If you manage an email mail exchanger, check out our baseline guidance article for Securing Mail Exchange Systems.

Safe Travels!

Ross Marston.

Cybersecurity is under control, I think…

“Cyber Security is under control, I think…” – CEO

How many times do you hear a CEO say “The finances are under control I think.  The finance department said they were okay.”  My bet is never.

No CEO is going to just accept that the business’s finances are “okay” on the say so of someone else. They’d rightly demand evidence. They’d need to see P&Ls, balance sheets, and management reports. They’d want to see comparisons to equivalent periods. They’d want to know trends.

They would also want to know what plans were in place to ensure positive trends and growth strategies.  Any CEO worth their salt would also be continually reviewing the strategy to advance the business.  In short, they’d have a strategy.

However, when it comes to Cybersecurity, whether you realise it or not, the stakes are a lot higher.

A significant Cybersecurity breach can send a business to the wall a lot quicker than the business finances can.  The statistics for businesses in the $1m to $200m turnover range (SMBs) are that 60% will be closed within 6 months of a significant Cybersecurity breach.

That’s a staggering statistic when you consider that SMBs are nearly 100% likely to suffer a significant Cybersecurity breach within the next 3 years according to Forbes. We see breaches happen every day, and I’m sure you’ve read about the most publicised ones regularly yourself.

Yet I regularly meet with CEOs that tell me that they think their “IT guys” have their Cyber Security “In Hand”, whatever that means.

However, Cyber Security is NOT an IT problem. It is not for the IT department to handle. It is the CEO’s responsibility to have a clearly defined strategy in place to manage Cybersecurity.

Sure the IT department have a role, the same as the HR department also have a significant role (probably the most significant), as do the Legal Team, the Marketing/Sales/PR departments, the Finance Department, and the Board as a whole.

It is a company wide issue for every business. It can only be effectively dealt with from the senior management of your business. And, unless you as a CEO take charge, you are aboard the Titanic, and the waters around are icy.

The good news is, it is easy for any decent CEO to manage an effective Cybersecurity strategy. If you are smart enough to run an SMB, you are definitely capable of implementing an effective Cybersecurity strategy to help safeguard your business. And the good news is, it doesn’t have to cost much money. You probably already have most of the resources you need.

Step one is to take control and recognise that it’s your responsibility.

At BIS we specialise in working with CEOs and SMB leaders to gain control of their Cybersecurity, and build resilience in their business.

Cyber Criminals are not going away anytime soon.

Ross Marston
Founder and Chief CyberSecurity Strategist, Business Intelligence Security.

Culture Eats Process For Breakfast

Creating a “secure” workplace culture.

It is never more true than when it pertains to Cyber Security.

We’ve all heard the saying, “Culture eats Process for breakfast”. In other words, you can have all the processes you want in place, but if the workplace culture doesn’t support the processes happening, they never will.

You can have as many processes in place as you want, but if you have a workplace culture where staff are “shamed”, belittled or intimidated for security indiscretions, welllll…, you’ve already lost the battle, I’m sorry to say.

In an environment where staff are in some way belittled for any security related incidents (opening a phishing email, being the object of a targeted attack, getting malware on their work station or server profile, etc, etc), most people will do the same thing.  They’ll avoid being belittled of course.

In other words, they’ll try their hardest to cover up the indiscretion. They’ll avoid being associated with any security related incident at all costs. And why wouldn’t they? They know the “consequences…”

What to do about it.

So what is the alternative?  We all know security incidents are bad, right?  The media is constantly banging on (mostly inaccurately) about various security incidents.  Who the latest victim is, or some other sensationalised, inaccurate story.

And of course, everyone hates being the person that clicked on the link in the phishing email, or went to the site infected with malvertising, etc. Even the IT guy who left his company’s website exposed to SQLi or XSS attacks.

But what about if we change that culture?  What about being rewarded (or at the very least thanked) for finding the spear phishing, clone phishing or whaling attack email and notifying your staff mates and IT?  What if there was a demonstrable benefit to quickly notifying your IT specialists if you suspect your devices have been compromised.  What if there was even some sort of game and reward associated with prompt action regarding any security incident?

Now you have what we like to call a warmware firewall.  An early warning and detection system to rival the best NextGen, GenIV, AI, [insert other meaningless sales term here] Firewall available.  Now we have staff and IT motivated to find, notify, and help eliminate Cyber security threats as soon as they’re detected or even suspected.

So how does this work in practice?

Humans (the warmware ones we’ve already mentioned) are the ideal firewall.  They’re self learning, they possess AI (Actual Intelligence as opposed to that other sort), and they’re motivated to help naturally as opposed to programmatically.

With some simple and ongoing training, and some motivation (warm fuzzy, financial or otherwise) they’re the perfect resource to build significant resilience into your Cyber Defence systems.

Example

Here’s an example of how I think this might work, both before and after culture change…

A user inadvertently follows a link in an innocuous (or even obvious) looking email.

  • Before culture change
    • User thinks “last time Bob mentioned something like this the IT guys laughed at him, and everyone else gave him a hard time for being so ‘stupid’.  I’m just going to shut up.  If it has done any damage, someone else might notice it and, it won’t get traced back to me.  If it does, I’ll just deny it.”
    • User shuts up and just keeps working albeit with more perspiration than before.
    • Eventually IT department finds that nightly backups are getting filled with strange files.
    • Investigation reveals most of their file system has been encrypted and held for ransom.
    • It’s taken so long to discover that the encrypted files have written over all the “good files”.
    • Company is forced to negotiate with Cyber Criminals to try to recover their encrypted files.  Unsuccessfully!
    • Everyone hopes it wasn’t their fault.  But it doesn’t really matter as they probably won’t have jobs next week anyway.
  • After Culture change to a Security Rewarding culture
    • User thinks “I better tell IT and team straight away!”
    • User immediately logs off and turns computer off, calls IT.
    • Problem is rectified with very little damage to company infrastructure.
    • User is rewarded with new Mercedes, or TimTams in the ‘fridge  [or insert more practical reward of your choice here…] for their quick action saving the company from extinction.

Some things I think staff should be rewarded for…

There’s obviously no point just creating white noise of false positive alerts. We need to encourage staff to be alert to certain (and ever changing) events to make this system work. But at the top of this list needs to be the end to victimisation (or vilification) of people for reporting issues.

So if users or staff make a false positive report, use the opportunity to encourage them and maybe even educate a little on what to look for in the future. But if they alert you or others to a real issue, reward them! It’s the best firewall you’ll ever purchase.

A (very non-exhaustive) rewards list…

  • Users who use good password hygiene…
    • who use a password manager to store their myriad of passwords for various sites (we recommend either KeePass or 1Password).
    • who don’t use the same username/password combination on multiple sites
    • who use complex passwords (16 characters with many different types of characters)
    • who change their passwords regularly.
  • IT People finding vulnerabilities and patching.
  • Users or IT Staff finding un-patched browsers, Apps, or OSs
  • IT Staff noticing unauthorised devices on their networks.
  • Users finding scams or phishing attempts and alerting others.
    • emails with dodgy attachments
    • emails with suspect links
    • emails from suppliers or contractors that are “unusual or unexpected”.
    • AGL electricity bills when you don’t use AGL.
    • Emails that seem to know a lot about you from people you don’t know.
    • Parcel delivery notifications.
    • Overly amorous offers from unknown people.
    • I could go on all day here.  The point is if you find them.  Let others know that it is suspect, so they may be able to spot it next time.
  • Users notifying management about unusual behaviour (other staff or their own workstation)
    • Someone copying large quantities of data to USB drives.
    • Their own computer behaving unusually after visiting a site (weird pop up etc.)
    • Their computer behaving unusually after opening an email or clicking on a link.
      • e.g. “Nothing seemed to happen when I opened the document.”
      • “it asked me if I wanted to enable Macros”
      • strange popup windows appearing.
      • It took me to a completely different site than what I was expecting
    • Finding a file that looks like it has been encrypted, or a file that now has a weird extension
      • e.g. .enc or .locky when it should be .xlsx
  • Users finding that their browser or operating system is out of date or has patches ready to be applied that they think IT may be unaware of.
  • Users finding errors when accessing websites. (e.g. “Flash player is out of date”)
  • Users finding your company info in places it shouldn’t be.
  • The list could go on and on.  Maybe create your own and share it with us.

The bottom line is, let’s stop the pointless practice of shaming staff and users who have either made a mistake or inadvertently done “the wrong thing”, and start rewarding our precious “Warmware Firewalls” for their great work in helping to build the defences of our businesses.

You have absolutely nothing to lose with this approach.  This is a secure culture.

Contact our office for more information on our Workplace Cyber Awareness programs, or any other Cyber security Related issues.

Stay Safe
Ross Marston