To the tune of Smooth Criminal by Michael Jackson (with apologies)
As he came in through her Windows,
Unpatched is the innuendo.
Got into all of her accounts,
Left nothing, in the balance.
She was left without defenses,
No firewall, on her cable
Web cam on in the bedroom
Was her luck down, it was
Annie are you okay?…
The sophisticated cyber-criminal brings up mental images of Michael Jackson in a white suit, or perhaps David Niven in a tuxedo, or even Alan Cumming in a leather jacket or Hawaiian shirt (I am INVINCIBLE!), but it doesn’t call to mind images of organized crime or even state-sponsored agents targeting your business and your personal data. However you visualize them, you can bet that they have one mental image of you, and it looks like $, or maybe €, or £, or even ¥. Whatever your country’s currency symbol, you’re a paycheck to them and it’s in your best interests to protect yourself and your business from cybercriminals. Here are some simple, practical steps you can take, whether at home or at work, to help keep yourself, your family, and your data safe! And like all the best lists, this one goes to eleven!
Local admin rights
Whether at home or at work, consider NOT making users local admins of their systems, and ensure you do not log on as an admin when not necessary. Malware in email attachments and online can only do what the user account that executes it can do. If a user isn’t admin, then malware cannot install without another way in, like a missing patch. Yes, this can be a pain when it comes to deploying software, but it’s not as painful as having to reinstall an entire operating system because someone clicked where they shouldn’t have.
Patches and updates
Make sure you keep all your computers and all their applications fully patched and up to date. At home, this may mean running Windows Update in automatic mode, and setting third-party apps to update themselves when you install them. At the office, this means patch management software so that you can test, deploy, and confirm all updates on all computers. Don’t forget your mobile devices though. Patch those phones and tablets and the apps they run to minimize your risks. GFI LanGuard can help you with this for both operating systems and third-party apps.
Antimalware
Always, ALWAYS run antimalware software on every single system. If it has network connectivity, it needs antimalware software, and that includes both mobile devices and Macs! At work, use an application that lets you centrally update and monitor your systems so you can be sure nothing was missed.
Email and web filtering
At home and at work, make sure you’re using both email and web filtering to help protect your systems from spam, phishing, and malware. Work users should have some form of web proxy, while home users can use third-party apps from antimalware vendors, SmartScreen for Internet Explorer/Edge, Safe Browsing in Chrome, etc. For email, your corporate email should have a full filtering solution, while at home you will want to pick a consumer service with the same levels of protection.
Multi-Factor Authentication (MFA)
On every single website and hosted app you use, EVERY. SINGLE. ONE. turn on and use multifactor authentication. If a website or service doesn’t offer MFA, stop using it, and tell them when you leave that it’s because you deserve better. Anyone, anywhere, that is relying only on a username and password is going to get hacked sooner or later. Even the best security pros can be fooled, or have their creds guessed, or something somewhere leads to a compromise somewhere else. MFA is a very straightforward way of significantly reducing the risk of account compromise.
Oversharing (TMI)
Have you ever heard the acronym TMI? It means Too Much Information, and most folks share way too much information, whether it’s on LinkedIn or Facebook or Twitter or Instagram or their blog or even their Out Of Office message in email. Most probably don’t look at the terms of service and privacy settings when they sign up for shopper loyalty programs and other web services, or even install apps (why does a game need to use my location???), so they permit the companies to harvest, analyze, and even sell information about them to others. You should opt out of everything, and default every setting to off, in every account you set up, in every app you install, and in everything public about your company, including domain registrations and WHOIS data. Everything you share is something a sophisticated cyber-criminal can use to either compromise your account or fool others into thinking the attacker is you. It’s not being paranoid if they really are out to get you, and they are!
Users
They are your last line of defense, and often an attacker’s first target. You need to include your users in your defenses, both at work and at home. I don’t mean to imply your users are like your kids, but there are parallels: both are end users, both are usually not as tech-savvy or as security conscious, and both are the ones most likely to click on links, download and open attachments, and, if they have perms, disable antivirus software because “it slows things down!” Include them in your plans, or plan on them contributing to problems.
Firewalls
Use them, deploy them as implicit DENY ALL, and monitor them closely. Just don’t bank on them as your only, or even your best, line of defense. The point of firewalls is to help prevent oopses, and to give you a central point of logging and alerting, but don’t count on them alone. Application firewalls are more properly called application proxies, while firewalls that permit or deny based on IP address and port are actual firewalls. And these have to allow inbound TCP 80 and 443 to webservers, TCP 25 to mailservers, UDP 53 to DNS servers, etc., and by permitting that in, they have to permit in both the good and the bad. What they can do is prevent access to unapproved anonymous FTP servers, or new webservers before they have been scanned, etc. They can and should also block outbound things like SMTP from workstations, web access that bypasses the proxies, NetBIOS traffic, etc. Most home Internet providers these days offer firewall functions on their routers, but consider investing in a better SOHO device with more configuration and alerting capabilities.
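The default-deny layout described above, as an added example that is not part of the original post: a small POSIX shell script that prints an nftables ruleset for a SOHO edge firewall, allowing in only the published services and blocking and logging the outbound traffic the post calls out. The interface names, subnet, server and proxy addresses, and the proxy's port 3128 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: emit an nftables ruleset that
# follows the advice above: implicit DENY ALL, inbound only to the published
# servers, outbound SMTP/NetBIOS/proxy-bypass from workstations blocked and logged.
# All interface names and addresses below are constructed placeholders.
WAN_IF="${WAN_IF:-eth0}"           # Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"           # workstation LAN
LAN_NET="${LAN_NET:-192.168.10.0/24}"
WEB_SRV="${WEB_SRV:-192.168.20.10}"
MAIL_SRV="${MAIL_SRV:-192.168.20.20}"
DNS_SRV="${DNS_SRV:-192.168.20.30}"
PROXY="${PROXY:-192.168.20.40}"    # web proxy; assumed to listen on TCP 3128

gen_ruleset() {
cat <<EOF
table inet edge {
  chain forward {
    type filter hook forward priority 0; policy drop;   # implicit deny all
    ct state established,related accept
    ct state invalid drop

    # Inbound from the Internet: only the published services, only to their hosts
    iifname "$WAN_IF" ip daddr $WEB_SRV  tcp dport { 80, 443 } accept
    iifname "$WAN_IF" ip daddr $MAIL_SRV tcp dport 25 accept
    iifname "$WAN_IF" ip daddr $DNS_SRV  udp dport 53 accept

    # Outbound from workstations: block and log what should never leave directly
    iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 25 log prefix "blocked-smtp " drop
    iifname "$LAN_IF" ip saddr $LAN_NET udp dport { 137, 138 } log prefix "blocked-netbios " drop
    iifname "$LAN_IF" ip saddr $LAN_NET tcp dport { 139, 445 } log prefix "blocked-netbios " drop
    iifname "$LAN_IF" ip saddr $LAN_NET ip daddr != $PROXY tcp dport { 80, 443 } log prefix "proxy-bypass " drop
    iifname "$LAN_IF" ip saddr $LAN_NET ip daddr $PROXY tcp dport 3128 accept

    # Servers may reach the Internet only for their own role
    oifname "$WAN_IF" ip saddr $MAIL_SRV tcp dport 25 accept
    oifname "$WAN_IF" ip saddr $DNS_SRV  udp dport 53 accept
    oifname "$WAN_IF" ip saddr $PROXY    tcp dport { 80, 443 } accept

    # Everything else hits the drop policy; log it so the firewall is a central alert point
    log prefix "default-drop " drop
  }
}
EOF
}

# Review the output, then load it with: nft -f <file>  (or nft -c -f <file> to syntax-check first)
gen_ruleset
```

The log prefixes make the blocked-SMTP, NetBIOS and proxy-bypass hits easy to pick out of syslog, which is the central alerting point the paragraph above asks for.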
Assume you’ve been hacked
The newest trend in information security circles is to operate under the assumption that you’ve already been hacked. It may be a bit fatalistic, but most would say it’s just being realistic. If you assume you’ve been hacked, you don’t stop when you fail to find evidence that you have been hacked; you keep on searching, and you take more care with everything you do. It’s not much fun, but it makes sense when you consider how many organizations are hacked every day, and how long it goes before they realize it. At home, changing the default passwords on all your home devices and using a good backup solution to protect your data are good first steps. Keeping the kids off the computer you do your online banking and other financial activities with is a better second!
Logging
Don’t log anything unless you review your logs, and if you review your logs, do it daily. In the home or small business environment, that is manageable by hand. In any larger environment (meaning, if you have to take off your shoes to count the number of computers you have), you need a centralized log management solution. Look for one that has some automatic analysis capabilities to help you find the needle in the haystack, but don’t count on that alone. You need to review your logs regularly and investigate any anomalies to help detect when things go wrong.
Vulnerability scans
Businesses should either conduct their own vulnerability scans on a regular basis or contract with a service provider to do it for them. Vulnerability scans can help you find and remediate problems, hopefully before that sophisticated cyber-criminal finds them. GFI LanGuard excels at this for work. At home, there are free and limited-use vulnerability scans you can use. Use your favourite search engine to search for “free vulnerability scans” and you will find several.
They are out there, and they are looking for victims just like you. Protecting yourself from sophisticated cyber-criminals doesn’t have to be hard. You just have to be diligent, and unwavering. Piece of cake, right?