Simple steps to secure your SMB network

If you run your own small business network, chances are your security could be better. Consider these two news stories that I posted this week on my Inside Security newsletter:

ITEM #1: A group of hackers shut down the heating system on a block of apartments in Finland last month. The issue was a lack of any firewall protecting the HVAC unit, which was controlled by a computer that had a public IP address. You can bet now they have one to protect their systems.

ITEM #2: An auto dealership CRM used by more than 100 dealers has leaked their customers’ and employees’ data online, mainly because their backups were all unencrypted and accessible to hackers.

Many small businesses don’t have basic security measures such as encrypted backups (let alone any backups) or firewalls, and these news nuggets should give them pause. I wanted to take things a step further and recently spent some time hardening my network doing three simple tasks. All of them can be accomplished in under an hour, if you have some basic knowledge and skills, and if you are careful at following the various instructions and interpreting the results. Nevertheless, it took me a lot longer: either because of my own stupidity or sunspots or whatever.

The three tasks are to harden your WordPress installation, do a better job of scanning your ports, and add a basic level of security to your email domain. Let’s review what is involved.

WordPress hardening 

There are two basic ways to run a WordPress blog: one is by using your own server and the other is by using the hosted WordPress.com service and having a site at YourDomain.wordpress.com. I have used both and get into the pros and cons here in a previous post. Assuming you have control over your own server, there are numerous sites that keep track of WordPress core and plugin vulnerabilities; we will just mention a few here:

· Sucuri maintains this site, where they recently discussed a DDoS attack on v4.5.3 as well as XSS and SQL injection attacks. It is always a good idea to stay current with WordPress versions.

· If you want some motivation about making your WP site more secure, you should read these suggestions from WPMUDEV. Some are easy to implement, others will take some time.

· This site describes a few vulnerabilities in detail, including how they are exploited (they also have a free WP plug-in to protect your site). If you get into tracking vulnerabilities, they also run a bug-bounty program.

· And Network World has an article on best practices for operating your WP site. The WordPress Codex also covers many of these, along with more general security guidance.

· Finally, you should download the Wordfence plug-in and use it to protect your server. Their site also has details about general security topics, including an article about how WP-based botnets get started. The plug-in is free for basic services, and you can upgrade if you want more. I had some trouble when I first installed the plug-in and got to inadvertently test their support team, which was excellent. When I re-installed it, it worked fine.
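As an added example, not from the original post, Wordfence or the WordPress project: a small Python audit of a wp-config.php for the settings the WordPress Codex hardening guide calls out (unique keys and salts, the dashboard file editor disabled, debugging off, admin over HTTPS). Both sample configs are constructed inline so it runs offline; the weak one is what a wp-config-sample.php looks like if you never replaced the placeholders, and the hardened one is the same file with the fixes applied.

```python
"""Audit a wp-config.php for the settings the WordPress hardening guide calls out."""
import re
import secrets

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # what wp-config-sample.php ships with

# Matches define('NAME', 'string') or define('NAME', true/false).
# Quoted values are assumed not to contain quote characters (WordPress' generated salts don't).
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"]([^'"]*)['"]|(true|false))\s*\)""", re.I)


def parse_defines(src: str) -> dict:
    """Map constant name -> str or bool for every define() in the file."""
    found = {}
    for name, text, flag in DEFINE_RE.findall(src):
        found[name] = text if flag == "" else flag.lower() == "true"
    return found


def audit_wp_config(src: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_defines(src)
    findings = []
    for key in SALT_KEYS:
        value = d.get(key)
        if not isinstance(value, str) or PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{key}: missing, placeholder or short; generate a unique 64-char value")
    if d.get("WP_DEBUG") is True:
        findings.append("WP_DEBUG is true: PHP errors with file paths are shown to visitors")
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT not set: the dashboard theme/plugin editor "
                        "lets any admin session write PHP to disk")
    if d.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN not set: wp-admin and wp-login.php may be used over plain HTTP")
    return findings


def fresh_salt() -> str:
    """64 URL-safe random characters with no quote characters, safe to drop into define()."""
    return secrets.token_urlsafe(48)


# Constructed sample: a wp-config.php left at the shipped defaults.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
""" + "".join(f"define('{k}', '{PLACEHOLDER}');\n" for k in SALT_KEYS) + """
define('WP_DEBUG', true);
$table_prefix = 'wp_';
"""

# Constructed sample: the same file with the hardening settings applied.
HARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
""" + "".join(f"define('{k}', '{fresh_salt()}');\n" for k in SALT_KEYS) + """
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or "no findings")
```

Run it against your real file with `audit_wp_config(open("wp-config.php").read())`; the regex is deliberately simple, so a define() split across lines or using string concatenation will show up as "missing" and is worth a manual look.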

Scan your ports

For many years I have been a big fan of Steve Gibson's ShieldsUP port scanner. It is well worth using, because it is simple, free, and takes just a moment to look at your router from the outside and report which ports are open. The big limitation is that it only scans roughly the first thousand ports: that was fine years ago when the Internet was just a gleam in Al Gore's eye, but now life has gotten more complex. I would also suggest using the BullGuard scanner, which covers more ports. Whichever you use, note that these services probe your public address from the Internet, which is the view an attacker gets; scanning your router from inside the LAN tells you something different.

When I did this on my U-verse-connected network, it found port 7547 open. I hadn't seen this port before and found this mention on PC World: 7547 is TR-069 (CWMP), the remote-management protocol ISPs use to configure and update the modems they supply, and here it belonged to the management service on my U-verse DSL modem. There isn't much you can do about it, unless you want to replace the ISP-supplied modem or switch to a cable ISP connection.
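As an added example, not from the original post or from either scanner service: a small Python TCP connect scanner of the kind those services run against your public address, with a lookup table for a few ports worth recognizing (the annotations are mine, not an authoritative service list). `demo()` opens a listener on a random loopback port and scans a window around it so the script can be tried offline; only point `scan_ports` at hosts you own, and remember that scanning your router's LAN address from inside shows the LAN side, not what the Internet sees.

```python
"""Minimal TCP connect scanner with a small table of ports worth knowing on a home/SMB edge."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Hypothetical annotations for a few ports; extend for your own environment.
NOTABLE_PORTS = {
    22: "SSH", 23: "Telnet (should not be reachable from outside)",
    80: "HTTP", 443: "HTTPS", 445: "SMB/CIFS (never expose to the Internet)",
    3389: "RDP (never expose to the Internet)",
    7547: "TR-069/CWMP, ISP remote management of the modem",
    8080: "HTTP alternate, often a device admin page",
}


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:            # refused, timed out, unreachable
            return False


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 100) -> list:
    """Connect-scan the given ports in parallel; returns the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def describe(open_ports) -> dict:
    """Attach the annotation for each open port; unknown ports are flagged for follow-up."""
    return {p: NOTABLE_PORTS.get(p, "unknown service: find out what answers here") for p in open_ports}


def demo():
    """Offline self-check: listen on an ephemeral loopback port, then scan a window around it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        found = scan_ports("127.0.0.1", range(max(1, port - 20), port + 21))
    finally:
        listener.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}; open ports in window: {describe(found)}")
```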

Secure your email server

I have written extensively on using email encryption for your day-to-day emails, but there is another way to approach better email security, and that is by adding an automatic digital signature to the headers of each outgoing email using a protocol called DKIM, which stands for DomainKeys Identified Mail. Most email hosting providers now support this protocol; Google's help page starts here for their hosting services. DKIM uses the same kind of public/private key pair that PGP and others use, but for signing rather than encryption: your provider's outgoing mail server signs each message with the private key, and you publish the matching public key in a DNS TXT record under your domain (at selector._domainkey.yourdomain) so that receiving servers can check that the message really came through your provider and wasn't altered in transit. You have your choice of key lengths: choose the longer and more secure 2048-bit keys if your provider supports them, since 1024 bits is now the minimum that verifiers will accept.

Google’s help pages are very explicit as to the steps you need to take. You basically need to do three tasks: first, you obtain a key from your email hosting provider, which gives you a selector name and the public key formatted as a TXT record. Then you add that DNS entry at your domain's DNS provider (which in my case is my ISP) and turn signing on at the email provider. Then you want to take a few days and check to make sure that you did this correctly, using this verification service; the quickest check is to send a message to an outside mailbox and look for a dkim=pass result in its Authentication-Results header. Note that DKIM alone doesn't stop someone else from sending mail that claims to be from your domain; for that you pair it with an SPF record and a DMARC policy, which the same provider help pages cover.
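As an added example, not from the original post or from any provider's tooling: a standard-library Python script that checks a DKIM TXT record the way you would after publishing it. It parses the tags, decodes the p= public key (a DER SubjectPublicKeyInfo, which is what the record carries) and reports the RSA modulus size, since a 1024-bit and a 2048-bit record look identical to the eye. The sample records are built from made-up moduli so the script runs offline; a real record comes from your provider, and you can fetch the published one with `dig TXT selector._domainkey.yourdomain` and paste the output into `check_dkim_record`.

```python
"""Check a DKIM TXT record: tags present, p= decodes as an RSA key, and how big that key is."""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(count: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if count < 0x80:
        return bytes([count])
    body = count.to_bytes((count.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                    # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return _tlv(0x02, raw)


def build_rsa_spki(n: int, e: int = 65537) -> bytes:
    """Encode (n, e) as DER SubjectPublicKeyInfo, the format behind a DKIM p= tag.
    Used here only to manufacture test records from made-up moduli."""
    alg_id = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")   # AlgorithmIdentifier { OID, NULL }
    rsa_key = _tlv(0x30, _der_int(n) + _der_int(e))          # RSAPublicKey { n, e }
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_key))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg_id, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(alg_id, 0)
    if oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)
    _, modulus, _ = _read_tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt: str) -> dict:
    """Turn 'v=DKIM1; k=rsa; p=...' into a tag dict. dig prints long records as several
    quoted strings, so quotes and whitespace are stripped to join them back together."""
    flat = "".join(ch for ch in txt if ch not in '" \t\r\n')
    tags = {}
    for part in flat.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key] = value
    return tags


def check_dkim_record(txt: str) -> dict:
    """Return {'ok', 'bits', 'problems'} for a record you have published or are about to."""
    tags = parse_dkim_record(txt)
    problems, bits = [], 0
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= is not rsa (this checker only decodes RSA keys)")
    key_b64 = tags.get("p", "")
    if not key_b64:
        problems.append("p= missing or empty (an empty p= means the key is revoked)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(key_b64, validate=True))
        except Exception as exc:     # bad base64 or a DER walk that ran off the rails
            problems.append(f"p= does not decode to an RSA SubjectPublicKeyInfo: {exc}")
        else:
            if bits < 1024:
                problems.append(f"{bits}-bit key: RFC 8301 verifiers must reject keys under 1024 bits")
            elif bits < 2048:
                problems.append(f"{bits}-bit key: accepted, but RFC 8301 recommends 2048")
    return {"ok": not problems, "bits": bits, "problems": problems}


def make_record(n: int) -> str:
    """Constructed record text for a made-up modulus n (testing only, not a real key)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(build_rsa_spki(n)).decode()


SAMPLE_RECORD_2048 = make_record((1 << 2047) + 12345)   # constructed, 2048-bit modulus
SAMPLE_RECORD_1024 = make_record((1 << 1023) + 3)       # constructed, 1024-bit modulus

if __name__ == "__main__":
    for label, rec in (("2048", SAMPLE_RECORD_2048), ("1024", SAMPLE_RECORD_1024), ("revoked", "v=DKIM1; p=")):
        print(label, check_dkim_record(rec))
```

The DER walk is deliberately minimal (it trusts the structure it expects and raises on anything else), which is enough for the single well-known shape a DKIM key has; it does not validate the signature on any message, only that the key you published is what you meant to publish.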

Good luck with securing your domain and servers. Feel free to share other simple tips here as well.
