ONIONS: THE SECRET TO CYBERSECURITY
Simon McCullagh
Helping companies in Central Scotland securely use technology to grow their business
The last decade has seen an undeniable increase in the sophistication and volume of cyber-attacks across the world. Businesses, from data analysts to pig farmers, are concerned about the risks. What’s worse is that we exist in an ever-evolving risk landscape that is diverse and likely includes factors that we have yet to conceive. Technology that was once an adjunct to our business is now a central platform from which we function. This now opens us up to a complex range of security threats. This new landscape involves our employees, partners and suppliers, our physical security, use of the internet and social media.
So, how do we construct the onion of defence to protect against this evolving landscape of risk?
The Onion Requirements
Use a paid-for product in which the money goes towards R & D. This will ensure that updates to the applications and the virus definitions happen in a timely manner.
All businesses should use business-grade software. You need the additional features this offers. These include central management, policy controls, tamper settings, and controlling actions that can be arranged in an ad-hoc or scheduled manner along with alerts when appropriate.
Computers
These represent the most significant risk to your business as they have the most direct exposure to the internet. The danger is due to the unpredictable nature of their users. The varying emotions, vulnerabilities and even the sense of reasoning of your users can cause most issues. Human error and a lack of training are often at the heart of risk.
Antivirus
Antivirus software used to form the full extent of the defence against insecurity on a computer. Unfortunately, it is no longer sufficient on its own, as modern attacks have become more sophisticated than antivirus software alone can cope with. Infections due to the use of USB drives, CDs and other forms of physical media are on the decrease. Now, issues stemming from infected emails, websites, web banners and social media are far more prolific.
Web Protection
This isn’t a new feature, but it is one that few smaller businesses consider. Your antivirus may initially stop your computers from being exposed to infections through containment of downloaded files. However, would it not be better to take an active role in controlling some of the areas from which the viruses originate?
Web protection can be established in a couple of ways. You can create a layer of protection with a web filter device in your office or at a central location in your network. This can form part of a Unified Threat Management (UTM) device, a new breed of internet firewall. Alternatively, you can utilise a dedicated network device, but this only protects your web traffic explicitly. Both options are acceptable, but they have one limitation: they only cover the devices directly in your office. You are still exposed to risk with the increase in remote working. Your business could easily be under threat due to the actions of a child downloading movies or software from dodgy sites on the internet.
The more robust approach in protecting your web traffic is a software-based filter. This will ensure that your machines are covered no matter where they travel and no matter how they interact with the internet.
The fringe benefit of web filtering is that you can control more than just possible security risks. Web filtering allows you the ability to block access to groups of internet areas such as gambling sites, those engaged in violence, adult sites, social media and many more that can endanger the interests of your company. In this way, you can also minimise the distraction of your employees and improve their productivity.
Patch Management
Another layer often lacking from the security onion is patch management. Recently, several major security incidents have taken place as a result of this gap in cyber protection, enough to make you “wanna cry”.
A well-used message by many IT professionals has been to “Patch. Patch. And patch some more.” This is sound advice. The operating system is the most significant and most complex piece of software on your machine and, as such, offers the most likely target for vulnerability. Patching has traditionally been about the operating system, whether that be Windows, Linux or Mac.
Keeping the operating system up to date with patches is a good start, but there are a few big suppliers of software that also burden us with vulnerabilities, like Adobe Reader, Flash Player, Adobe Air, Java, Chrome and Firefox, to name a few. Thus the security requirements have now increased.
As a rule of thumb, you shouldn’t rely on your staff to install patches on their machines. They will hate the inconvenience of waiting for the installs to run, and the frequency of the installs will be too slow compared to the business requirements. They also won’t have the tools required to find patches for all of the applications on their machines.
You need to:
- Understand patch management requirements.
- Provide staff training on patching importance, implications and schedule.
- Centrally manage the patching.
- Ensure that you patch as soon as possible after the release date, no later than 14 days for laptops/PCs and mobiles.
- Provide reporting for patch failures.
- Understand that some patches can cause undesirable effects, but better that than an infected machine.
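An added example (not from the original article) of the central reporting the list above calls for: it classifies each patch on each device against the 14-day limit and lists the devices with failed or overdue patches. The inventory rows, host names and patch names are constructed sample data; a real report would read them from your patch management tool's export.

```python
from datetime import date

MAX_PATCH_AGE_DAYS = 14  # the article's limit for laptops/PCs and mobiles

# Constructed sample rows: (host, patch, release date, install date or None, install failed)
SAMPLE_INVENTORY = [
    ("laptop-01", "os-cumulative-update", date(2024, 5, 14), date(2024, 5, 20), False),
    ("laptop-02", "os-cumulative-update", date(2024, 5, 14), date(2024, 6, 3), False),
    ("pc-07", "browser-update", date(2024, 5, 21), None, True),
    ("mobile-03", "os-update", date(2024, 5, 28), None, False),
    ("pc-09", "pdf-reader-update", date(2024, 5, 10), None, False),
]


def classify(released, installed, failed, today):
    """Return the compliance state of one patch on one device."""
    if failed:
        return "failed"  # install was attempted and did not succeed
    if installed is not None:
        age = (installed - released).days
        return "compliant" if age <= MAX_PATCH_AGE_DAYS else "installed_late"
    # Not installed yet: still inside the window, or past it
    waiting = (today - released).days
    return "pending" if waiting <= MAX_PATCH_AGE_DAYS else "overdue"


def patch_report(inventory, today):
    """Group (host, patch) pairs by compliance state."""
    report = {}
    for host, patch, released, installed, failed in inventory:
        state = classify(released, installed, failed, today)
        report.setdefault(state, []).append((host, patch))
    return report


def needs_attention(report):
    """Hosts with a failed or overdue patch, for the follow-up list."""
    hosts = set()
    for state in ("failed", "overdue"):
        hosts.update(host for host, _ in report.get(state, []))
    return sorted(hosts)


if __name__ == "__main__":
    report = patch_report(SAMPLE_INVENTORY, today=date(2024, 6, 5))
    for state, items in sorted(report.items()):
        print(f"{state}: {items}")
    print("follow up:", needs_attention(report))
```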
Vulnerability Scanning
Vulnerability scanning uses a database of known vulnerabilities and scans your machine for these. Even if you have patched your machine, you may still have a vulnerability. This could simply be a poor configuration, the fact that you are using a weak password, or not having changed your password on a regular enough basis.
Backup and Recovery
In some instances, you may be hit by an attack that is so new there is no defence for it. In this case, the best form of defence is to have a comprehensive backup. Ransomware attacks are now the greatest risk to your business. If you have the misfortune of having your files encrypted, and no one should ever pay the criminals, then your only option is to restore the data from backup. This is the case for PCs, laptops, servers, and even online file storage systems like OneDrive and Google Drive, etc.
Drive Encryption
One of the biggest forms of data loss is when a device is left behind on a train, plane or car. In this situation, you should report the incident to the Information Commissioner’s Office, especially if you have customer data on the device in question. Theft is also a way that data can be lost, and we have direct experience of a window being smashed and a PC being stolen. The best way to mitigate this risk is to encrypt the hard drives of your devices. These considerations should be made for all devices, including mobile devices.
Mobile Devices
The increased use of smartphones in business opens up the attack surface of your network. Generally, phones have no restrictions for installing apps and have a near-constant connection to the internet. This, in itself, isn’t an issue. However, once you sync your corporate email to that device, you then expose the company to risk.
So what should you do?
- Use a mobile device management system. These can track phones if lost or stolen and have the ability to wipe the device.
- Encrypt the device. This will prevent the data from being read if the phone is connected to a PC.
- Use a fingerprint or strong PIN (at least six characters) to lock the device.
- Install all app updates within two weeks of release.
Cloud Services
The introduction of cloud services has revolutionised the way we tackle solving everyday business issues with technology.
Access to these cloud services does, however, expose your business to yet another location that can be compromised. The key thing to remember here is that relying on the default security of online services isn’t enough. You should always tailor the settings of your security onion to the individual needs of your business. Do not rely on the default cloud settings. Instead, make them better to provide you with security tailored for your business.
An example of this is that Office 365 doesn’t turn on email filtering of file extensions by default. Without filtering, you potentially could end up with an infected file in your mailbox.
Website / Internet Sites
The increase in Content Management Systems (CMS) like WordPress, Joomla, SquareSpace, etc. has made it very easy for non-web developers to create sites. However, it has also exacerbated security issues. Again, the solution is updating the onion. As with the other layers, the backend of a CMS should always be updated within two weeks of an update’s release. This rule of thumb also applies to website plugins, which in themselves can prove to be a chink in the armour of your website security.
Another website danger to avoid is being exploited by malicious bots. To counter the bots, you should think about including a captcha on any form you use. A “ReCaptcha” is the question you see at the end of some forms asking you to add 2+5 or tick a box to confirm that you’re not a robot. Using a captcha will prevent your website databases from being filled with junk data that could potentially make your site go offline due to a lack of available space.
Conclusions Around Your Security Onion
Now you may be thinking that you have a mammoth task ahead of you. You do! The legal requirement to ensure your business technology is secure is getting ever more essential. With new legislation coming out on a regular basis, it’s not only keeping the hackers out but keeping you legally above board that’s important. The truth of the matter is that cybersecurity must be reviewed on a weekly basis, if not more often.
What can you do?
- Try and look at every part of your IT system and check for exposure to weak aspects of your security onion.
- Ask your current IT support supplier for a security coverage report.
- Instruct a third party to perform a security audit to provide you with an objective perspective.
- After you have ascertained the areas you need to work on, you can program these into budgets, projects and ongoing support.
It’s important not to become overwhelmed by the cybersecurity onion. Having an active information and training programme for your staff is probably the quickest and easiest way to reduce your security risks.
Keep the issue a key business objective. Ensure that your senior management team accept the importance of cybersecurity. Develop a strategy in bite-sized chunks and get some help from an IT professional.
If properly constructed, your Onion of Security can not only help protect your business but can also create an IT environment in which your business can thrive.