Cyber Security Tips!
As it is #CyberSecMonth I am going to do some Security Tip(s) of the day .. or some days... most days.. well let's see how we go anyway!
A lot of this will be back to basics and maybe "obvious" to some but not everyone. I'll aim to do a mix for all shapes and sizes, in as plain English as possible, and would welcome some friendly feedback.
Summary of tips (in no particular order):
- Enable Multi-factor Authentication
- Implement Single Sign On
- Patching
- Vulnerability scanning and Penetration testing
- Coming soon! Stay tuned!
Tip Number 1: Enable Multi-factor Authentication
Having a complex password is no good when passwords are being left lying around and being phished (a method attackers use to steal credentials) all over the shop! If you think this doesn't happen often, and especially not in Ireland, you are very wrong. Phishing attacks and credential theft happen all the time. See if you have had any data or credentials stolen here: https://haveibeenpwned.com/ for some of the more public data breaches. You could have the most complex password in the world.. like qwerty12345! or passw0rd2020 (please note that this is sarcasm) but as long as someone knows your password it doesn't matter.
Multi-factor Authentication (MFA) is simply a solution that requires more than just your username and password. You also need something else that is not another password that you know. This could be a prompt on your phone, an SMS text verification, a form of biometric, inputting a code that has been sent to your authentication app or a good old fashioned hardware fob with rotating digits.
Please please please, if you have any public facing systems or cloud based services (including Office 365) or access to critical systems or anything with a blinking light..... consider enabling an MFA solution. Also make sure it is a single MFA solution and not 2 - 3 different ones depending on what you are using. People may want the option of the different types so let them have it! This is suitable for all shapes and sizes!
There are some use cases where MFA may not fit, such as a shared device and account; however there are other ways around this by adding in conditional access. This is where a device must meet certain criteria before it is allowed into the application. For example it must be a corporate device, must be on the corporate network, must be coming from a trusted IP address etc etc.
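To make the conditional access idea concrete, here is an added example (not from the original post, and not any vendor's policy engine) of how such a policy is evaluated: a managed device in a trusted location may sign in without an MFA prompt, anything else must present MFA, and a shared account that cannot hold a second factor is refused outside trusted locations. The address ranges and the rule set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed policy values (documentation address ranges); a real policy lives in
# your identity provider's configuration, not in application code.
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]
TRUSTED_EGRESS_IPS = {ipaddress.ip_address("203.0.113.10")}


@dataclass
class SignInContext:
    user: str
    source_ip: str
    device_managed: bool          # enrolled, compliant corporate device
    mfa_completed: bool = False   # the user has already passed an MFA prompt
    mfa_enrolled: bool = True     # False for a shared account with no second factor


@dataclass
class Decision:
    outcome: str                  # "allow", "require_mfa" or "deny"
    reasons: List[str]


def evaluate(ctx: SignInContext) -> Decision:
    """Apply the constructed conditional access rules to one sign-in."""
    ip = ipaddress.ip_address(ctx.source_ip)
    on_corporate_network = any(ip in net for net in CORPORATE_NETWORKS)
    from_trusted_ip = ip in TRUSTED_EGRESS_IPS

    reasons = []
    if ctx.device_managed:
        reasons.append("managed device")
    if on_corporate_network:
        reasons.append("corporate network")
    if from_trusted_ip:
        reasons.append("trusted IP")

    # Rule 1: a managed device inside a trusted location may sign in without MFA.
    # This is the carve-out that lets a shared kiosk device/account work.
    if ctx.device_managed and (on_corporate_network or from_trusted_ip):
        return Decision("allow", reasons)

    # Rule 2: everything else must present a second factor.
    if ctx.mfa_completed:
        return Decision("allow", reasons + ["MFA satisfied"])
    if ctx.mfa_enrolled:
        return Decision("require_mfa", reasons + ["unmanaged device or untrusted location"])

    # Rule 3: no trusted location and no second factor available: refuse.
    return Decision("deny", reasons + ["no MFA available outside a trusted location"])


if __name__ == "__main__":
    for ctx in (
        SignInContext("kiosk", "10.1.2.3", device_managed=True, mfa_enrolled=False),
        SignInContext("kiosk", "198.51.100.7", device_managed=True, mfa_enrolled=False),
        SignInContext("bob", "198.51.100.7", device_managed=True, mfa_completed=True),
    ):
        print(ctx.user, ctx.source_ip, "->", evaluate(ctx))
```

The order of the rules matters: the location and device checks are evaluated before the MFA carve-out is granted, so a shared account never becomes a way to bypass MFA from the internet.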
You could even jump on another trend, which is a passwordless solution: using an app on your mobile phone that scans your biometrics, for example. Because you do not even know the password to the service you cannot type it in by mistake or write it down for others to see. In order for someone to gain access they would physically need you, your phone, your phone's password, your MFA application, your biometrics and your willingness to let them do all this!
Tip Number 2: Join as much as you can to a Single Sign On (SSO) solution (ideally with tip number 1)!
If you have lots of different user names and passwords for different applications things get a little riskier and difficult to manage.
If a company has 10 different applications (internal, external, cloud based etc) and SSO has not been applied, that is 10 different passwords each user needs to remember. Or, more likely, they have reused the same password across all 10 accounts. The user experience becomes pretty poor, you start getting hammered with password resets.. accounts lock out (which I hope you have enabled after a number of failed attempts!) or even worse.. you have no way to enforce a single secure password policy across all services.
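The account lockout mentioned in passing deserves a closer look, because it is the control that turns a leaked username into a dead end for a password-guessing attacker. Below is an added example (not from the original post) of the usual policy: count bad passwords in a sliding observation window, lock the account for a fixed period once a threshold is reached, and refuse even the correct password while locked. The threshold and durations are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed policy values; tune them to your own risk appetite.
THRESHOLD = 5                  # failures that trigger a lockout
OBSERVATION_WINDOW = 15 * 60   # seconds over which failures are counted
LOCKOUT_DURATION = 15 * 60     # seconds the account stays locked


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LockoutPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def record_failure(self, user: str, now: float) -> bool:
        """Count a bad password; returns True if this failure locked the account."""
        st = self._state(user)
        st.failures = [t for t in st.failures if now - t < OBSERVATION_WINDOW]
        st.failures.append(now)
        if len(st.failures) >= THRESHOLD:
            st.locked_until = now + LOCKOUT_DURATION
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._state(user).failures.clear()

    def attempt_login(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'failed'. A locked account refuses even a correct password."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.record_success(user)
            return "ok"
        return "locked" if self.record_failure(user, now) else "failed"


# Constructed attempt stream for one user: (seconds after start, password correct?)
SAMPLE_ATTEMPTS: List[Tuple[int, bool]] = [
    (0, False), (10, False), (20, False), (30, False), (40, False),  # 5th failure locks
    (100, True),                # correct password during the lockout is still refused
    (40 + 15 * 60 + 1, True),   # lockout has expired, correct password succeeds
]


def run_sample(policy: Optional[LockoutPolicy] = None) -> List[str]:
    policy = policy or LockoutPolicy()
    return [policy.attempt_login("alice", ok, float(t)) for t, ok in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for (t, ok), outcome in zip(SAMPLE_ATTEMPTS, run_sample()):
        print(f"t={t:>4}s password_ok={ok!s:<5} -> {outcome}")
```

One caveat worth designing for: a lockout that anyone can trigger by sending bad passwords is also a way to lock real users out, so pair it with alerting on lockout spikes and, on an SSO platform, with MFA so that the password alone is not the only thing standing between an attacker and the account.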
The idea of SSO is that when a user goes to the application and goes to log in, the service (e.g. O365, Salesforce, Dynamics CRM, Citrix, etc) points its login at a single source of truth: your company's directory (Active Directory / Azure AD). This checks and validates that the user exists, that the user is allowed access, and that the user's password is correct! In that instance the application does not hold a copy of your password (unless it is Same Sign-On, where the application keeps a hashed copy to compare against).
That single location holds a single username and a single (and secure) password for each user. So now you can change a password in one location, you can enforce a secure password policy (in one location) and guess what... if someone leaves the organisation you only have one location where you need to remove their access! This is a big gaping hole for many organisations. Even more important, because you are also looking at Tip number 1 (MFA) you can couple this super secure solution across all your applications. Happy days!
There are more advanced IAM (Identity and Access Management) solutions that can also be implemented to help you with access permissions, and control within systems and applications, all managed in the one location. This is the ultimate goal in your identity journey if you are the right sized organisation.
Tip Number 3: Patching
Technology is forever changing, advancing ... and also breaking! As ICT is generally hardware and software, or just software, it is easy in some instances to provide an enhancement or a fix after a product has been sold and deployed.
When something is installed it may be up to date on the day of installation. However, a few weeks later a bug in the code may be found that can be used to exploit that piece of software or equipment. This is called a vulnerability. When an attacker is looking to attack a business they would often do reconnaissance first. As part of that reconnaissance they would identify what assets you have and, more importantly, whether any of them have vulnerabilities that can be exploited in order to gain entry to your business. Patches can also be used to increase performance and add features. As such it is important that you keep an eye on security patching, especially on anything that is accessible to unwanted actors: firewalls, client devices, servers, networks, wifi, storage etc etc. Needless to say in large organisations this can be a difficult task as there are considerations around compatibility, integration, downtime and other factors. Testing of patches is advised in these scenarios, and potentially the use of a third party to assist with overall patch management.
Bottom line - If you do not patch, you have vulnerabilities.
Tip Number 4: Vulnerability Scanning & Penetration Testing
As per Tip 3, patching is extremely important. You should keep a sharp eye out for any vendor updates that highlight critical security vulnerabilities. This however can be hard to do if you have a large estate with lots of different types of technologies from multiple different vendors. Organisations that are serious about their security, and especially ones that have any public facing systems or services that hold sensitive information, should consider vulnerability scanning solutions. Vulnerability scanners can be set up to scan on a regular or on demand basis to ensure that any vulnerabilities or weak configuration can be caught by the good guys instead of the bad guys. This absolutely needs focus however, and also needs to be a continuous regular service that is being actioned and managed. You also need to ensure that you add context to the vulnerability. What are the chances of it being exploited? Is it reachable from where it sits? As such, having a managed vulnerability scanning service that can interrogate and review the results whilst also adding context makes a lot of sense. Especially if your teams are already stretched.
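Tips 3 and 4 together describe a loop: know what you have, compare it against vendor advisories, and prioritise by context (is it internet facing, does it hold sensitive data) rather than by raw severity alone. The following is an added example, not code from the original post or any scanner product, that runs that comparison over a constructed asset inventory and a constructed list of advisories (the advisory ids and product names are placeholders, not real bulletins) and ranks the resulting findings.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool
    holds_sensitive_data: bool


@dataclass
class Advisory:
    """A vendor bulletin: every version below fixed_version is affected."""
    id: str
    product: str
    fixed_version: str
    severity: str   # "low", "medium", "high" or "critical"


SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.51' -> (2, 4, 51). Only the leading digits of each part are compared."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_version))


def contextual_score(asset: Asset, adv: Advisory) -> int:
    """Vendor severity plus the context Tip 4 asks for: exposure and data sensitivity."""
    score = SEVERITY_SCORE[adv.severity]
    if asset.internet_facing:
        score += 2     # reachable by anyone doing reconnaissance
    if asset.holds_sensitive_data:
        score += 1
    return score


def priority(score: int) -> str:
    return "P1" if score >= 5 else "P2" if score >= 3 else "P3"


def scan(assets: List[Asset], advisories: List[Advisory]) -> List[Dict[str, str]]:
    """Return findings sorted most urgent first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                score = contextual_score(asset, adv)
                findings.append({
                    "asset": asset.name, "advisory": adv.id, "installed": asset.version,
                    "fixed_in": adv.fixed_version, "priority": priority(score), "score": score,
                })
    findings.sort(key=lambda f: (-f["score"], f["asset"]))
    return findings


# Constructed inventory and advisories (placeholder ids and product names).
ASSETS = [
    Asset("fw-edge-01", "EdgeFirewall", "9.1.3", internet_facing=True, holds_sensitive_data=False),
    Asset("web-01", "WebProxy", "2.4.50", internet_facing=True, holds_sensitive_data=True),
    Asset("web-02", "WebProxy", "2.4.52", internet_facing=True, holds_sensitive_data=True),
    Asset("file-01", "FileServer", "5.2.0", internet_facing=False, holds_sensitive_data=True),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "WebProxy", "2.4.51", "high"),
    Advisory("ADV-EXAMPLE-002", "EdgeFirewall", "9.2.0", "critical"),
    Advisory("ADV-EXAMPLE-003", "FileServer", "5.3.0", "medium"),
]


if __name__ == "__main__":
    for f in scan(ASSETS, ADVISORIES):
        print(f"{f['priority']} {f['asset']:<11} {f['advisory']} "
              f"installed {f['installed']} fixed in {f['fixed_in']}")
```

The scoring is deliberately simple; the point is that the same medium-severity bug on an internal file server and on an internet-facing proxy should not land in the same queue, and that a box already on the fixed version (web-02 here) drops out of the list entirely.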
Penetration Testing - Hiring an ethical hacker to actively break into your systems to see how far they can get. Sounds pretty cool right! Art museums sometimes hire a professional thief to attempt to break into the museum and steal an item. The concept is that once the task is completed the thief will either have succeeded or failed. If they succeeded, further controls are put in place to prevent the same issue from happening again. Exact same concept with IT... However very often not as hard to do! Human error, poor configuration, social engineering, lack of patching (as per Tip 3!) are very often the easy ways in. Again, if you are serious about your data and protecting your business this is something that should be done on a regular basis. Once every few years isn't sufficient.
Tip 5: Coming soon!
Is tip 5.. To back up your data regularly??
CTO NCSC-IE | CISO | Former Director at EY | Technology Consulting | Cyber Security | Soldier | Army Reservist
4 years ago: Updated now with Tips 3 and 4! Patching, Vulnerability scanning and Penetration testing!
Senior Systems Administrator at Ayvens
4 years ago: Tip #1. Patch! The top ten exploits are patched for years in most cases, why try to find a zero day when you can just target those who fail basic security hygiene