Security 101 – Protecting your assets in the digital world

Hello CopyLady Family and friends!

I think it’s time we talk about the most important aspect of your business and its assets: security. Namely, cybersecurity.

After all, a door is only as secure as the lock keeping that door shut, and the lock is only as secure as the key that opens it! A weak password (or other access control method) is like having a lock that can be opened with a blank key, or even a hair pin!

This is going to be a long, but informative post, so be sure to take notes along the way!

What is Cybersecurity??

Just like physical security for your building (door locks, cameras, guards, etc.), you also need protection from online threats, such as cybercriminals, malware, ransomware, and data breaches (yes, I am sure you have heard about data breaches many times!). Notice that I did NOT use the term “hackers” anywhere. This is because, unlike what the media wants you to think, NOT ALL HACKERS have malicious intent! A hacker will fall into one of the three “hat color” categories below:

White Hat: These are the GOOD guys. Their primary goal in hacking is to gain knowledge for themselves, or to help secure a system from outside threats by identifying security weaknesses and exploit vectors and assisting in closing them. Professional pentesters usually fall into this category. (I’ll write more on pentesting later.)

Black Hat: These are the BAD guys. Their primary goal in hacking is exploitation, financial gain, and cyberattacks. Black hats are in the same category as cybercriminals. They find and exploit security weaknesses for their own benefit, or for the benefit of a third party. Black hats will discuss vulnerabilities with other black hats, usually on dark web boards or in chat channels.

Gray Hat: These ones are half and half. A gray hat hacker may exploit for gain or with malicious intent, but this is not always the case. Gray hats will also just poke around for knowledge, but usually don’t disclose the vulnerabilities they find to anyone.

So, when you hear the word “hacker” mentioned when there’s been a data breach or some other cyberattack, always think BLACK HAT. Black hat hackers will be the ones causing the most mayhem. White hats are the ones you would want to help you with security!

Now that we’ve gotten the definition of “hacker” out of the way, let’s dive into what we like to call Operational Security, or OPSEC. Proper OPSEC practices are key to keeping your company’s data out of the hands of cybercriminals, and off the dark web.

Wait, I’ve heard so much about this “dark web”, but... what IS the dark web??

You know, I’m glad you’re asking this! Everyone has heard the term “Dark Web”, but few (outside of us IT geeks) know what it really is. Let me clear it up some. The “Dark Web” is what’s known as an “overlay network”, which operates using the normal internet as a mere conduit. The dark web is a completely anonymous underground network of sites that can only be accessed using special software. While there are many different forms of dark web, the number one most common is known as TOR (short for “The Onion Router”). Dark web sites range from legal things, such as uncensored gateways to normal internet sites (Wikipedia, Facebook, etc.), to various types of underground markets. The most common use of dark web sites is the sale and purchase of illegal drugs, firearms, stolen goods, ransomware campaigns, and of course, stolen data. Cryptocurrency (such as Bitcoin) is the main tender used here, as it is largely untraceable. Combined with the level of anonymity the dark web offers, anything goes here.

The other side of the dark web is how it operates at a technological level. When you access a dark web site on TOR (using a .onion address), you’re not connecting directly to said site; your connection is routed through a number of different “nodes” on the network before reaching the final destination, and the return traffic is routed back on an entirely different set of nodes! TOR in itself can also be used as sort of a VPN to the main internet, although it’ll be considerably slow, and the majority of popular websites actively block TOR users for security reasons. (Facebook is the only one NOT to do this, as they have a .onion of their own: facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion. Yes, this is what a normal .onion address looks like, and yes, this is Facebook’s official .onion! DuckDuckGo also has their own .onion address at duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion.)

Ok, so now that we’ve defined the dark web, let’s get back to learning how we can keep our data OFF this system! Let’s learn to practice good business OPSEC!

Secure it tighter than Fort Knox: Let’s face it. A chain is only as strong as its weakest link. We need to make all the links as strong as we can. For this, we will start at our workstations. Make sure you have strong, working endpoint protection on each workstation. Make sure your users only have STANDARD level access to their workstations. Unless you really trust your user, they should never have full ADMIN access to their system! Consider also disabling USB port access on your workstations, especially for things like USB drives (you can get security locks for the USB ports). The only things that should be plugged into a workstation are the keyboard and mouse. You will also want to implement a strict, strong password policy for your users (minimum length, acceptable passwords, and expiry durations). If the user is handling critically sensitive data, you’ll want to implement serious lockdown procedures on that workstation; maybe even consider putting that system on a separate network behind its own very strict firewall. (If it’s just Bob the Janitor, or you’re the IT geek behind all this, that’s a different story, but still!)

Controlled data access is key: Another area to look at: just how much of my company data CAN my users access? The point I am making here is that your users should ONLY have access to what they need to perform their required tasks. Ask yourself this: does the secretary really need access to the accountant’s data? Moral of the story: if they aren’t in that position, they do not need access to that position’s data!

Lock down the wild web: While good stuff can be found on the internet, so can bad stuff. It only takes one person visiting a site with a malicious ad banner on it to wreck your network with ransomware! Consider restricting internet access with strict filters. This can be done either with your endpoint security, or with a network-based firewall (Cisco, Juniper, pfSense, etc.). I’m not saying to completely destroy internet access for your users, but to make it safer. You can add what’s known as an “ad blocker” to your browser to enhance web security greatly (uBlock Origin is the best one to use here). Breaks here and there aren’t bad (to prevent burnout), but you definitely want to keep things safe.

Skip the BYOD policy altogether: BYOD, or Bring Your Own Device, can seem like an easy way to lower operational costs, but it also lowers OPSEC levels severely. We’re talking users bringing their OWN systems, which were connected to unfiltered outside networks and used for whatever purposes, into your organization to access sensitive data! In other words, if you’re considering BYOD, let this force you to think twice! Invest in properly set up workstations, and save yourself the headache. PS: BYOD as it is also isn’t PCI compliant, so you risk that as well! If you absolutely MUST do BYOD (remote work, etc.), consider a remote workspace system, where the employee has to access a remote desktop session in order to work. This lets BYOD happen while keeping your data pretty safe (IF you’re enforcing password policies... You ARE enforcing a password policy... right? RIGHT??)

Lock down the WiFi: WiFi is amazing and all, as it saves you the headache of trying to connect a workstation to your network, especially if there isn’t an Ethernet port nearby... But remember what I said in my whole post on WiFi? That applies here too! Use strong encryption with strong passwords, skip the guest network, and implement a strict policy against connecting outside devices to the network. Most, if not all, WiFi routers have what is called MAC filtering, which allows you to control which devices can connect. Please note, however, that MAC filtering is NOT a substitute for encryption, but rather just an additional deterrent! (Don’t let it stop you from putting a communal WiFi network in your breakroom for your employees; just put it on its own network and firewall it from your production one. Oh... and use strong passwords here too!)

Know your network: This one is more for us IT admins, but you can benefit from it too: be sure you know what is on your network at all times! You know for a fact what devices belong on the production network, so you should always be monitoring network logs (DHCP, web access, etc.) for anything unusual. Rogue devices connected to your network are an amazing way for a malicious actor to gain a foothold into your network. If you see something you don’t recognize, track it down and disconnect it ASAP! If your firewall appliance lets you block devices, block its access, but still track it down and remove it. If it does not belong to anyone you know of (and it’s not a device from one of your vendors, such as the CopyLady TRS agent, which is a small black or white box with our name and a “TRS-” number label on it), disconnect it immediately and consider notifying law enforcement, especially if you begin noticing trouble.
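The DHCP log check described above, as an added example that is not part of the original post: a small Python script that reads dnsmasq-style DHCP lease lines and flags any MAC address missing from your device inventory. The inventory, the log lines and the vendor-box label placeholder are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed inventory of devices allowed on the production LAN, keyed by
# lowercase MAC address. In real life this comes from your asset list.
KNOWN_DEVICES = {
    "a4:5e:60:12:34:56": "Reception workstation",
    "3c:7c:3f:ab:cd:ef": "Accounting workstation",
    "00:1b:21:aa:bb:cc": "Vendor box (label TRS-XXXX, placeholder)",
}

# Matches a dnsmasq-style DHCP syslog line such as
#   Mar 12 09:14:02 fw dnsmasq-dhcp[1234]: DHCPACK(eth1) 192.168.10.21 a4:5e:60:12:34:56 RECEPTION-PC
ACK_RE = re.compile(
    r"DHCPACK\((?P<iface>\w+)\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?:\s+(?P<host>\S+))?"
)


@dataclass(frozen=True)
class Lease:
    iface: str
    ip: str
    mac: str
    host: str


def parse_leases(lines):
    """Yield one Lease per DHCPACK line; DISCOVER/OFFER and unrelated lines are ignored."""
    for line in lines:
        m = ACK_RE.search(line)
        if m:
            # MACs are normalised to lowercase so inventory lookups are case-insensitive.
            yield Lease(m.group("iface"), m.group("ip"), m.group("mac").lower(),
                        m.group("host") or "(no hostname)")


def find_rogues(lines, inventory=KNOWN_DEVICES):
    """Return the first lease seen for every MAC that is not in the inventory."""
    rogues = {}
    for lease in parse_leases(lines):
        if lease.mac not in inventory:
            rogues.setdefault(lease.mac, lease)
    return list(rogues.values())


# Constructed sample log: two known PCs, one unknown box, one vendor box without a hostname.
SAMPLE_LOG = """\
Mar 12 09:14:02 fw dnsmasq-dhcp[1234]: DHCPDISCOVER(eth1) a4:5e:60:12:34:56
Mar 12 09:14:02 fw dnsmasq-dhcp[1234]: DHCPACK(eth1) 192.168.10.21 a4:5e:60:12:34:56 RECEPTION-PC
Mar 12 09:20:45 fw dnsmasq-dhcp[1234]: DHCPACK(eth1) 192.168.10.22 3C:7C:3F:AB:CD:EF ACCT-PC
Mar 12 12:03:11 fw dnsmasq-dhcp[1234]: DHCPACK(eth1) 192.168.10.57 b8:27:eb:01:02:03 raspberrypi
Mar 12 12:03:40 fw dnsmasq-dhcp[1234]: DHCPACK(eth1) 192.168.10.57 b8:27:eb:01:02:03 raspberrypi
Mar 12 13:30:00 fw dnsmasq-dhcp[1234]: DHCPACK(eth1) 192.168.10.80 00:1b:21:aa:bb:cc
""".splitlines()

if __name__ == "__main__":
    for r in find_rogues(SAMPLE_LOG):
        print(f"UNKNOWN device {r.mac} ({r.host}) got {r.ip} on {r.iface}: track it down")
```

Run it against your firewall's DHCP log (or a syslog export) on a schedule and anything not in your inventory shows up for you to hunt down.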

Don’t expose anything: What’s just as bad as a rogue device on your network? One of your internal services being exposed to the world! Port forwarding and DMZ can be useful (DMZ is especially useful if you cannot enable bridge mode on your ISP-supplied router but you are behind a strong firewall, otherwise known as “poor man’s bridge mode”), but they can also be extraordinarily dangerous, especially if it’s a service that would allow remote access to a system (there’s no harm in serving web pages from something, as long as the HTTP server you’re using is fully patched!). The most common remote access protocols are SSH, VNC and RDP. RDP is highly prevalent in corporate settings for remote workers. There are hundreds of thousands of bots out there scanning for these protocols, and once they are found, malicious actors start poking around, trying to find a crack in the wall they can slip through, be it by exploiting a vulnerability or by trying to force their way in with password attacks. If you must have remote employees, consider using a secure VPN system. In fact, most firewall vendors already offer this with their appliances, so go this route! Don’t leave doors open, unless you really want to let the riffraff have access to your goodies!

Follow the 3-2-1 Rule: This is one that will stick with you. It involves safeguarding your company data through regular backup routines. The 3-2-1 rule is simple:

• 3 copies of your data

• 2 different COLD storage devices (more on this in a sec)

• 1 copy of your data stored OFF SITE in a SECURE location (bank deposit box, secure vault, etc. Cloud storage counts as well. This helps safeguard your data from disasters such as fire or flood.)

What is COLD storage? Cold storage is an external hard drive that is NOT always active, but rather only brought online to perform the backup tasks, then taken right back offline after completion. This is vital, especially in the event you are hit with a ransomware attack!

SPAM: Great on sandwiches, not so much on your network: This is more of an education course for your users. Advise your users against using their company email addresses for personal things. At the least, a deluge of spam will wind up clogging your email systems; at worst, it leads to the next possible outcome: phishing emails!

IT admins HATE users falling for this trick: You get an email that looks like it’s from one of your coworkers, asking you to review an Excel spreadsheet they sent you. You try to load the document, but it asks you for your username and password (or email and password). You think nothing of it and just supply the information. Moments later, you’re getting emails from random users, and even random outsiders, asking about what you sent and why it’s asking for their password. Can you spot what went horribly wrong here (aside from creating a colossal mess for IT to have to clean up)? If you answered “I fell for a scam”, you’re right! At least it was only a silly deluge of phishing spam, not something more sinister like ransomware. You got lucky, pal! HR may not be too happy with you on this (you better treat the IT guy to dinner and a 12 pack later; he’s going to need it after cleaning this up!). Fortunately, this all comes down to educating your users. Train your employees on how to spot common scams. For example, if an employee is sending you something internally, they will just email it directly to you. A properly configured email system will also flag external attachments and links, requiring you to interact a little bit more with that email. This interaction may make you think twice about opening that email, especially if it’s supposedly from Joe in the shipping department but it comes in flagged as an external email!
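As an added example (not from the post), here is how a mail gateway’s “external” flagging could work, in Python: it marks mail from outside the company domain, catches a coworker’s display name sitting on an outside address (the exact trick in the story above), notes a Reply-To that points elsewhere, and calls out risky attachments from outside. The company domain, the staff directory and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the company mails from this domain, and this small
# directory is what display names are checked against (both made up).
INTERNAL_DOMAINS = {"example-copy.test"}
STAFF = {
    "joe smith": "joe.smith@example-copy.test",
    "karen jones": "karen.jones@example-copy.test",
}
# Attachment types worth a second look when they arrive from outside.
RISKY_EXTENSIONS = (".xls", ".xlsm", ".docm", ".htm", ".html", ".zip", ".iso", ".js")


def flags_for(raw_message: str) -> list:
    """Return the warnings a mail gateway would pin to this message (empty = clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if domain not in INTERNAL_DOMAINS:
        flags.append("EXTERNAL sender")
        # "Looks like it's from a coworker": a staff name on a non-staff address.
        expected = STAFF.get(name.strip().lower())
        if expected and expected != addr.lower():
            flags.append(f"display name '{name}' belongs to {expected}, not {addr}")
        _, reply_to = parseaddr(msg.get("Reply-To", ""))
        if reply_to and reply_to.lower() != addr.lower():
            flags.append(f"replies go to {reply_to}, not to the sender")
        for part in msg.walk():
            filename = part.get_filename()
            if filename and filename.lower().endswith(RISKY_EXTENSIONS):
                flags.append(f"external attachment {filename}")
    return flags


def tagged_subject(raw_message: str) -> str:
    """Prefix the subject the way gateways do, so the user sees it before clicking."""
    subject = message_from_string(raw_message).get("Subject", "")
    return f"[EXTERNAL] {subject}" if flags_for(raw_message) else subject


# Constructed samples: a genuine internal mail and a look-alike phish.
INTERNAL_MAIL = """\
From: Joe Smith <joe.smith@example-copy.test>
To: karen.jones@example-copy.test
Subject: Q3 numbers

Karen, the spreadsheet is on the shared drive.
"""

PHISH_MAIL = """\
From: Joe Smith <joe.smith@docs-share-portal.test>
Reply-To: support@docs-share-portal.test
To: karen.jones@example-copy.test
Subject: Please review this spreadsheet
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Karen, sign in with your email password to view the file.
--b1
Content-Type: application/octet-stream; name="Q3_review.xlsm"
Content-Disposition: attachment; filename="Q3_review.xlsm"

(binary omitted)
--b1--
"""
```

`flags_for(PHISH_MAIL)` returns four warnings and `tagged_subject` prefixes the subject with `[EXTERNAL]`, while the genuine internal mail comes back clean.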

It can wait. Trust me: Cellphones are just as much of a danger to your data as someone with a USB drive, and even more dangerous to PCI compliance. To ensure PCI compliance, you must enforce a no-cellphone policy in any area where payment info (credit card or bank account details) is handled. After all, it only takes ONE person’s card/bank info getting stolen by a rogue employee to completely torpedo your company’s reputation. For proper OPSEC, however, consider a no-cellphone policy company-wide. You have internal email, desk phones and internal messaging systems; there’s zero need to have a cellphone out on your desk. (That means you, Karen! Wait until your lunch break to scroll through Facebook!)

Maintain your workstations and network: We covered securing your workstations at the beginning of this list, but we also need to cover maintaining said workstations, as well as other network equipment! Like I said earlier, a chain is only as strong as its weakest link! What good are all the OPSEC and protections in the world if you have some workstation or other device with outdated firmware or patches? A device with outdated software or firmware is like a wide open door to cybercriminals, and they are all too happy to let themselves right on in! Let’s list out some steps you can take to maintain your security levels:

Update that OS: macOS and Windows are the two most popular computer operating systems out there, and the most actively targeted by cybercriminals. Apple and Microsoft are always putting out updates to fix vulnerabilities and issues with their software, so be sure your workstations are always receiving updates. You can enforce update policies on your network to ensure proper patching.

Check your firewall, router, etc. as well: Alongside your workstations, be sure you are checking for firmware updates on your network equipment as well. If you’re using a router provided by your internet service provider, they will do the firmware updates for you, usually during after hours. If your device is no longer receiving firmware updates, seriously consider replacing it with a newer one. Just because it’s OK now does not mean someone won’t find an exploit that the manufacturer is no longer willing to fix.

Get rid of those old workstations: Did you know that both Apple and Microsoft have dropped ALL support for older versions of their operating systems? For Microsoft, the currently supported versions of Windows are 10 22H2 and 11 22H2, and the supported versions of macOS are 12 (Monterey), 13 (Ventura) and 14 (Sonoma). What this means is that these software vendors are currently providing up-to-date security and performance fixes for these OSes. They are NO LONGER providing these updates for anything OLDER than these versions. These include:

• For macOS: anything older than macOS 12 (and I mean ANYTHING)

• For Windows: anything older than Windows 10 22H2 (including all versions of 10 21H2 and older, and all versions of XP, Vista, 7, 8 and 8.1)

If you MUST run a workstation with an unsupported version of any OS (for some legacy equipment whose software does not play nice with newer OSes), it is advised that you air gap this PC (in other words, this PC must NEVER get a network connection; remove the WiFi card and permanently block off the Ethernet port if you need to). If it must be networked with something, consider an air gapped network, or a closed network (a network of just workstations with no internet access or external service access).

Don’t forget those OTHER devices! Security cameras, internet-based alarm systems, and other Internet of Things (IoT) devices. Most of these devices receive firmware updates automatically, but in some cases you will have to check for them via their respective app. IoT devices are a cybercriminal’s favorite toy, after all, and an unpatched one is a wide open door!

Get rid of those silly default passwords: Once upon a time, before California came in and changed how network-connected devices work, things shipped with a common default login to access the configuration. The most common ones were “admin”, “Admin”, “password”, “1234”, and simply no password. Thanks to California law, devices with a web interface now ship with admin passwords that are unique to THAT specific device. In most cases, the password is either a randomly generated passphrase (like carrot-bear), randomly generated characters (HqXb791), or even the serial number of the device (W9S2401234) (note that these passwords are just examples). If you’re still using a device that has a simple, common default password, change it. If it’s a REALLY OLD device (such as a router), consider replacing it with a newer one, if not for the password, then for continued security patches. (HINT: You can use the site www.correcthorsebatterystaple.net to generate fairly strong, yet easily memorable passwords!)

Enable 2-Factor Authentication: While a strong password is great security, adding a second authentication mechanism to the login process can make it even stronger. 2-Factor Authentication adds an extra layer of security to your online accounts by requiring an additional code or action, one that only the account holder should have access to. There are multiple forms of 2-Factor Authentication, which I will list from weakest to strongest:

• SMS/Text Messaging: This is the most rudimentary form of 2FA. With this, a code is sent via text to your phone. This is considered weak due to the prevalence of SIM-swapping attacks. It is also weak against device theft, as an attacker can simply put your SIM into a device they control.

• E-Mail: Similar to SMS 2FA, but the code is sent to your email instead. This is stronger IF your email is also secured with 2FA (and not by text!). This method is also weak against device theft IF the email account is on said device.

• Service-specific App: Some services, such as Google, Outlook, etc., will send a confirmation to the app on your phone. Accepting this confirmation will log you into your account. This is fairly strong as long as your device is properly secured (strong lock screen PIN or password).

• Authenticator App: Apps such as Google Authenticator generate one-time codes that you use to authenticate to your online accounts. This can be considered high security, but again, it is only as secure as the device it is on.

• Physical Authenticator: This is a physical device that generates 2FA codes at the press of a button. This can be considered the highest level of 2FA security, as it does not rely on a mobile device app and is completely offline, so it is not susceptible to SIM swaps or device theft (someone stealing this will likely not know what it goes to). The only downside is that if the device fails or is lost, you’re locked out of your account.

Secure or disable unused Ethernet jacks: This is going to be the biggest one here. An open Ethernet jack is a wide open door into your network, as it can bypass any protections you have in place. If you have unused Ethernet jacks in your building, and you don’t plan on using them at any point in the future, consider securing them. You can secure unused ports in one of three ways:

• Simply disconnect the port in the network closet. If you’re not going to use the port at this time, you can just disconnect it from your network. If you need to use it in the future, you can simply reconnect it.

• Use an Ethernet port lock, such as PadJack. If you cannot disconnect the port, or the wall port is not labeled for some reason (and you really don’t want to fuss with tracking down where it goes), using a port blocker is also an option. PadJack makes high security port blockers that cannot be removed without the special tool. These are also serialized, so you can track which ones are where. This is fine if you don’t intend to use the port; if you want to use the port later, you can remove the blocker.

• Remove the port altogether. This is the best option IF the unused port is in a public area (such as a waiting room, lobby, etc.). If you never intend to use the port, ever, you can simply remove it by taking the wall plate off, removing the jack from the plate and tucking it into the wall, and putting a blank cover over the opening. This keeps it easy to bring the jack back should you wish to use it sometime down the road. Don’t forget to disconnect it in the network closet.

Stay up to date on the latest threats: There are tons of resources you can read to get a feel for the current threat landscape. Bleepingcomputer.com is one of those sources, as they deal largely with cybersecurity and IT. The Register is another good source. Reading the articles there, as well as in other tech blogs (like this one), can help make you aware of what’s going on in the digital world, and how to bolster your defenses against the newest forms of cyber threats.

After all, only YOU can prevent cyber attacks and data breaches. Don’t become a victim!

How about a nice game of chess?