Using Your WiFi, Your Neighbor Could Spy

In my previous post, I mentioned that many wireless routers are sold with no wireless security enabled.  This is a major issue for small and home based businesses, since no security means the bored neighborhood teenager with too much time can scan and save everything you’re doing, then look through it later.  This brings up a quick point we should review.  Here’s a quick glimpse at the nature of the term “hack”.

Image courtesy wired.co.uk

Myth versus Reality
Computer users generally envision a hacker sitting at Starbuck’s waiting for his victim to walk through the door, or at least that’s how it’s normally portrayed on TV.  But think of the time wasted in that scenario.  Remember that most hackers are smart enough to write a program that does the work for them which means most hackers also know how to be efficient.  The smart hacker would launch a program that copies and saves everything you are doing any time day or night then look through it later.  So yes, Starbucks and any other restaurant can house a hacker, but the more likely scenario includes remote hacking.

For instance, your neighbor Joe, a teenager, sets up a small computer that he remotely joined to your unsecured wireless network.  In this scenario, the free hacking program he downloaded from the internet is monitoring your network 24/7 and saving the results to his computer every few seconds.  Joe leaves the computer running all the time so he can go back and review it at a later date.  The next day, you see Joe walking down the street on what appears to be an afternoon walk.  He notices you are using the internet on your iPad, so he immediately makes a mental note of the exact time.  When he gets back home, he copies off all the files from the monitoring tool, then reviews that narrow time frame to see what you have been up to.  Depending on the security of the websites you visit, Joe might even be able to find user names and passwords, which he can use at a later date.

This is just one example of why you should secure your wireless network.  Another major problem is the same scenario but run from another side of the world.  A hacker can set up a program that scans any vulnerable internet address (including home and business networks) for a back door into the network.  The program will only prompt the hacker if it finds a way into the network.

WPA is the least security you should choose. Image courtesy cisco @ linksys.com

Security Settings
Every vendor has different instructions on how to secure a wireless network so consult their website and documentation.  Here are three steps you should verify on your wireless network:

  • Enable wireless security

    Wireless security relates to the level of encryption.  Encryption converts your data into what appears to a hacker as a garbled, undecipherable mess.  Choose a minimum security type of WPA.  The WPA option relates to how complicated it would be for the hacker to break the encryption.  WPA2 is stronger still; WPA is not the strongest by any means, but it is the least you should choose.  Do not use WEP, since it has been proven vulnerable.

  • Enter a randomly complex wireless password

    Just like all passwords, never use anything simple like your date of birth or a family member name. Choose some random word or phrase like “toothpaste has flavor” then make it more complex by adding various numbers and characters.  Example – to0thpAst3hAsFla^0r

  • Change the router password

    The router password provides access to the router itself and is separate from the wireless access password.  The router password can normally be set on the first screen when you log into the router.  Changing the router password prevents someone from remotely logging into your wireless router and gaining access to your router settings.  This information can be found in the user guide on your device manufacturer’s support website.
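As an added check that is not part of the original post: this PowerShell snippet reads which security type your Windows PC negotiated with the wireless router (from the output of netsh wlan show interfaces) and grades it by the rules above, so you can confirm step 1 actually took effect. It assumes an English-language Windows machine with a Wi-Fi adapter, follows the post’s order of preference, and additionally recognises WPA3 on routers that support it.

```powershell
# Added example: confirm the "Enable wireless security" step from the client side.
# Assumes English-language Windows with a Wi-Fi adapter; netsh prints lines such as
#     Authentication         : WPA2-Personal
#     Cipher                 : CCMP
# for the network the adapter is currently joined to.
function Get-CurrentWifiSecurity {
    $info = [ordered]@{ SSID = $null; Authentication = $null; Cipher = $null }
    foreach ($line in (netsh wlan show interfaces)) {
        # '^\s*SSID' deliberately skips the BSSID line, which begins with "B"
        if     ($line -match '^\s*SSID\s*:\s*(.+)$')           { $info.SSID           = $Matches[1].Trim() }
        elseif ($line -match '^\s*Authentication\s*:\s*(.+)$') { $info.Authentication = $Matches[1].Trim() }
        elseif ($line -match '^\s*Cipher\s*:\s*(.+)$')         { $info.Cipher         = $Matches[1].Trim() }
    }
    return [pscustomobject]$info
}

function Test-WifiSecurityLevel {
    # Grades the negotiated settings by the post's rules: open and WEP are unacceptable,
    # WPA is the bare minimum, WPA2 is what you want (WPA3 is newer still).
    param([string]$Authentication, [string]$Cipher)
    if (-not $Authentication) { return 'NONE: this PC is not connected to a wireless network' }
    # netsh reports WEP networks as Authentication "Open"/"Shared" with Cipher "WEP", so test the cipher first
    if ($Cipher -match 'WEP') { return 'FAIL: WEP has been proven vulnerable; switch the router to WPA2' }
    if ($Authentication -match '^(Open|Shared)') {
        return 'FAIL: no wireless security; anyone in range can capture your traffic'
    }
    if ($Authentication -match 'WPA3') { return 'OK: WPA3' }
    if ($Authentication -match 'WPA2') {
        if ($Cipher -match 'TKIP') { return 'WARN: WPA2 with TKIP; choose AES (CCMP) in the router settings' }
        return "OK: WPA2 (cipher $Cipher)"
    }
    if ($Authentication -match 'WPA') {
        return 'WARN: WPA is the least you should choose; move to WPA2 if the router supports it'
    }
    return "UNKNOWN: $Authentication / $Cipher; check the router documentation"
}

# Usage: report on the network this PC is joined to right now
$wifi = Get-CurrentWifiSecurity
"$($wifi.SSID): $($wifi.Authentication) / $($wifi.Cipher)"
Test-WifiSecurityLevel -Authentication $wifi.Authentication -Cipher $wifi.Cipher
```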

Cisco makes one of the better selling wireless router brands sold at Walmart and other big box chains.  As an example, the cheaper Linksys E900 series wireless router security configuration program walks you through screens that secure the router for you.  If that doesn’t work, you can find default settings in the User Guide that every newly sold router has enabled.  Therein lies the problem – every router sold has the same default settings.

Following the above steps will make you less vulnerable.  The more difficult you are to hack, the quicker a hacker will move on to the next person.


Small Business IT 101

You’re an IT of 1

The only difference between your small business and a large corporate IT department is the volume of problems and the number of IT staff.  Small and home based businesses will at some point experience, and require defense against, the same problems a large corporate IT department defends against.  That’s why I’m putting my fifteen years’ experience, including numerous technical certifications and research, to work for you in the Small Bus-y IT section of this blog.  My goal is to make each post simple so you can spend 5 minutes or less reading and implementing a “Small Bus-y IT” post.

I believe strongly in entrepreneurship and the American spirit of freedom.  There is no need for you to waste time fighting IT problems after a major disaster when I can help you prevent the issue.  This first post will cover only the basics then I’ll delve into more detail in future posts.  Let’s get started.

Here are the TOP 3 most important things you must take action on now:

  1. Always have a backup!!!!!!!!
  2. Secure your electronic home
  3. Stay up-to-date

1 – Always have a backup!!!!!!!!

I have seen IT employees with 30 years of experience feel like complete idiots after accidentally deleting a file, only to realize they had not made a backup.  This is literally IT 101, but it usually gets overlooked for action we deem more important in the heat of the moment.  Have a backup of everything – software installation DVDs or downloads, hard drives (backed up to an external drive or cloud storage), a database backup, a backup laptop in case your primary computer goes down, and a temporary backup of any file you consider important.  As an example, many things can go wrong when editing a file in Word, Excel, Access or any other program actively being used.  Take 10 seconds to make a duplicate of those important files before editing.  There are multiple ways to keep backups, but the easiest backups that run themselves are iDrive, Mozy, and Carbonite.

2 – Secure your electronic home

Image courtesy portforward.com

Most people would never build a house without putting a deadbolt lock on the front door, but that’s exactly what happens with many routers bought from a big box store.  They come wide open with no security.  That’s where a firewall becomes a priority.

You may have heard the word ‘firewall’ before but never really known exactly what it meant.  In the physical world, a firewall is usually made of brick or some other material that will keep fire from spreading from one room or building to another.  A software firewall provides the same kind of protection electronically.  It closes off all communication channels (also known as ports) to the outside world and forces you (the administrator) to approve any communication coming into your network from the outside world.  In a sense, you can view the firewall as the deadbolt on the front door of your home, where only those with the correct key are allowed to enter.  All Windows operating systems include a software firewall in the Control Panel, so you should take a minute to enable it now.  Enabling a firewall will cause some software, Skype for example, to stop functioning since its communication channel will be disabled.  To ensure Skype will work with the firewall enabled, you’ll need to allow the specific port number access through the firewall.  This functionality will be reviewed in a later post along with password protection and data encryption, but for now you should only trust known ports, meaning those that are well known from large established software vendors like Microsoft, Apple, or Cisco.  If you are looking for a suggestion, I say enable your firewall permanently and only disable it when the need arises, such as making a Skype call.
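The “deadbolt” configuration described above, as an added PowerShell example that is not from the original post: it turns the Windows firewall on for every network profile with inbound traffic blocked by default, opens a single hole for one known program (by installed path, optionally narrowed to one TCP port, since the post names no port number), and then reports what is open. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets) and an elevated PowerShell session; the Skype path is a placeholder you must replace.

```powershell
# Added example, not from the original post. Requires Windows 8 / Server 2012+ and "Run as Administrator".
function Enable-DeadboltFirewall {
    # Firewall on for every profile; unsolicited inbound traffic is dropped unless a rule allows it,
    # while outbound traffic (browser, e-mail, updates) keeps working.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

function Add-KnownProgramRule {
    # Open exactly one hole: inbound traffic to a named, installed program, only on the chosen
    # profile (Private by default, never Public unless you say so), optionally limited to one TCP port.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$ProgramPath,
        [int]$LocalPort,                 # leave unset to allow whatever port the program listens on
        [string]$Profile = 'Private'
    )
    if (-not (Test-Path -LiteralPath $ProgramPath)) { throw "Program not found: $ProgramPath" }
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$DisplayName' already exists; nothing to do"
        return
    }
    $rule = @{
        DisplayName = $DisplayName; Direction = 'Inbound'; Action = 'Allow'
        Program     = $ProgramPath; Profile   = $Profile
    }
    if ($LocalPort) { $rule.Protocol = 'TCP'; $rule.LocalPort = $LocalPort }
    New-NetFirewallRule @rule | Out-Null
}

function Get-FirewallSummary {
    # The two things to verify afterwards: is every profile on and blocking inbound by default,
    # and which inbound "holes" are currently open.
    [pscustomobject]@{
        Profiles         = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
        OpenInboundRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
                               Select-Object DisplayName, Profile
    }
}

# Usage
Enable-DeadboltFirewall
# Replace the placeholder with the path where the vendor installed the program before running:
# Add-KnownProgramRule -DisplayName 'Skype (inbound)' -ProgramPath 'C:\PLACEHOLDER\Skype.exe'
Get-FirewallSummary
```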

3 – Stay up-to-date

Most of us have heard of software updates like Microsoft Windows Updates, but a lot of people just don’t see the point.  Windows Updates, like software updates for any other operating system, many times include security patches that correct known vulnerabilities.  For that reason, I always tell small businesses to update immediately.  If you prefer not to update immediately, always install a patch within a month of its release.  The month of lag time gives the vendor a chance to recall the update if other users find it creates a bug or other annoyance.  The most recent Windows 10 updates have gotten tricky for small businesses, but you can get those details here.

There are so many more items we’ll cover that I can assure you are important, but I suggest you stop everything until you have completed these 3 items.  A few minutes of planning can result in hours saved by implementing these three actions before it’s too late.

So you think you want to be a CISO…

Information Security is a great career path, but there are a few things you should think through before starting the trek down the information security highway.  The CISO (Chief Information Security Officer) creates new security obligations within an organization and must be the enforcer of any obligations produced.  Think of it as being the first person to ever set a speed limit on the highway then tell people they will get a ticket for going over the speed limit.  If you are like most of us, you probably speed every now and then just like most computer users break security laws on a regular basis.  In case you are still thinking it sounds easy enough to be the enforcer, let’s see what all is involved in creating a successful CISO.

First, you must have an inner determination that drives you beyond receiving a word of thanks from others.  That’s because information security is more thankless than most IT jobs, which is saying a lot.  Security officers must regulate data security.  The officer must enforce security regulations with everyone, including executive management.  In the real world, that’s kind of synonymous with telling your CEO that he is not the boss.  The CISO must also obtain buy-in to roll out and enforce new policies.  Security is ever-changing, and the CISO must have a good enough relationship with upper management to be able to gain buy-in as he rolls out new changes.  It’s worth repeating that the CISO has to be well spoken enough to tell the CEO he is not the boss while also getting buy-in from upper management on new policies.  That is a tough balancing act even for the best employees.

The CISO must also be willing to admit when a policy is not working and change it.  Some of the simplest security changes may create a political backlash like no other.  It’s those times where the CISO must review what changed and determine the next best step for the organization as a whole.  This is yet another political balancing act wherein data must be secured while customers must be happy enough that the CISO doesn’t lose his job.

It’s definitely not easy to be the enforcer, but here are a couple of suggestions if you still want to make your way to the top of the security pyramid.  Obtain a CompTIA Security+ certification.  This is definitely not a CISSP, but it gives you good entry level knowledge of the field, which will help determine if you want a long-term career in information security.  Whether you already work in IT (Information Technology) or not, find a way to get involved with your information security department.  Someone already in IT can work to become a liaison to the information security team.  If you are not in IT, tell someone in your IT department you want to become a super user for your application and that you’d like to help make sure your department is as secure as possible.  IT departments are always overloaded and would love extra help from internal staff.


*Originally posted through the PortSec blogger.

Target hack raises serious questions about Risk Management effectiveness

Corporations spend extremely high dollar amounts each year to obtain certain information technology security standards.  Such a standard puts a theoretical seal of approval on how the corporation handles the data it stores on a daily basis both while that data is stored on a server and while it is sent between other servers.  These standards are classified, in large part, by independent engineering organizations who understand the internal functionality of the software, and by software vendors who maintain and improve the functionality of the software.  So what happens when technology advances quicker than written security standards?

The retailer Target is a prime example.  The major store chain was hacked over the 2013 holiday season.  The chain had recently completed a network security audit, which was certified by an outside company named Trustwave, but the mistakes uncovered after the breach should easily have been exposed prior to the attack.  The question is now being raised as to what steps were taken to secure the company in the most recent security audit.  Target was supposedly following the PCI-DSS security standards established by Visa and other members of the payment card industry, which raises the ultimate question as to whether or not the entire risk management compliance process is flawed.

Visa Corporation, probably the most well known brand of credit card vendors, requires corporations who use their credit gateway verification process to follow a strict set of guidelines such as door locking procedures at sites where credit card data is stored, visitor sign-in requirements, subsequent vendor approval, technical storage requirements for databases that hold secure information, and other criteria.  The problem is that many of the same software vendors supplying applications to audited companies also have political ties to audit and security standards companies.  Every major company involved in software breaches over the last few years had passed a security audit, just as Target had last year.

There is no magic bullet to fix these failures, although customers will begin speaking to breached companies with their wallets by shifting where they spend their hard earned dollars.  New technologies may be developed to avoid similar breaches, but each company will be graded on how secure it keeps its own network by customers choosing to shop with other stores.  This gives your security team a chance to jump ahead of the pack by going above and beyond when implementing procedures to fully secure your data.


*Originally posted through the PortSec blogger.

All your online security in one place

Two-factor authentication has frustrated office dwellers since its inception.  Logging into many corporate bank websites for instance requires a user name and password plus the digital token issued by the bank.  The user must ensure the token does not fall into the wrong hands and must also return the token when a device exchange is required by the bank.  In addition, many office users become lazy over time writing down their bank user names and passwords thinking they will forget the password.  This becomes a prime target for digital crooks and co-workers who know where to look for the user names, passwords, and tokens.

The twenty-first century brought us a new, safer, and more secure method of two-factor authentication.  Authy provides two-factor authentication in what I like to call real-world usage patterns.  Authy took the same method used in the early days of corporate websites, as previously described, and turned it into a random token presented on a cell phone, negating the need for the bank-distributed token.  Even better, Authy enhances two-step authentication using a cell phone, which almost all of us in IT now carry and protect like a body part.

In theory, the cell phone attached to an Authy account has been verified by text that the phone belongs to the human you as opposed to only the digital you.  This process verifies you are the token user and not some random person who grabbed the token from a desk at work.  Many responsible cell phone users password protect their cell phones these days leading me to think of the password protected cell phone as a third-factor of authentication, but I digress.  The best and most convenient method of Authy is Bluetooth enabled authentication.  The technology might have glitches, but it basically automates the two-factor authentication seamlessly where the user does nothing other than visiting the website.  A token is generated at login and verified through the PC using Bluetooth on your cell.  It doesn’t get much easier than that.

As a side-note, this is not a commercial for Authy as I have nothing to do with their company.  They are the first I have seen of this technology even though I assume others exist.   Authy has excited me regarding more secure use of web accounts in the future of mobile devices.


*Originally posted through the PortSec blogger.

Risk Management: Inventory of Assets

Newcomers to the field of IT get so enthralled with having fun implementing new technologies that they neglect some of the most important details to keep from getting fired.  IT is a fun career but most IT employees should remember they theoretically hold the keys to the kingdom.  This kind of knowledge requires planning for unexpected situations.

For instance, let’s assume you are in an office of 15 to 30 people and only have a few servers.  You should try playing the ‘what if’ game.  What if someone stole servers after-hours?  Would you know the details of those servers, the amount of RAM, the number of cores, the applications installed?  If you were gone on vacation when the servers were stolen, how would your co-workers carry on?  Would they have enough details documented to order new servers without having to bother you?  This is just one scenario with a very limited risk factor, but it shows the possibilities involved and how the IT department of one or two would need backup.  Factor in worst case scenarios too.  Imagine what you would do if the building burned down and you had no knowledge of your servers.  You would literally be starting from scratch.

The first and most important step to detailing a backup plan is identifying your equipment (aka: assets in the accounting world).  There is no need to waste time starting from scratch.  Choose a template like the “Minimum Information Inventory Template” found at the following link:

http://www.colorado.edu/oit/node/1988

Detail your servers and the other pertinent information requested in this spreadsheet template.  But remember, that is only the first step.  Step two:  store the spreadsheet on a secured file share that is backed up to the cloud or some form of remote storage.  These are important details and should only be shared between you and your backup employee.  Step three: cross-train with your co-worker.  If you are an IT department of one person, this is the time where you either delegate backup duties to a non-IT person or have an outside contractor on standby.  Someone else needs to be available so you are not bombarded with requests.  Communication between staff will make your job a lot easier.


*Originally posted through the PortSec blogger.

Set One and Done

Windows-based systems use a security measure known as Discretionary Access Control, or DAC for short.  By default, the DAC method puts the user 100% in control of the system, making him or her able to set security controls on folder and file permissions.  Windows 7 is an example of a DAC system that makes the first user who boots the PC an administrative user out of the box.  It is very common for the network administrator of many small offices to give the data owner (the PC user, in many cases) full access to the computer by making him a computer administrator through the Manage Computer snap-in.  The problem with this change comes when a user accidentally or intentionally deletes or changes computer files without the knowledge of the true network administrator.  Even more problematic is when the local drive is shared to other computers, leaving network users able to delete or change data on a network drive without the knowledge of other computer users or the PC administrator.

The answer to these problems requires research and planning of ways to lock down computers, but the effort can save the network administrator of a small office a lot of time on the back end.  For one, it is safer to control the DAC permissions at a parent level through the use of group policies, which affect the organization at a global level.  The overview of policies involves setting restrictions for one PC in one place, then copying those same restrictions to all computers that log on to the domain.  This requires a Windows Server serving as a domain controller and a few internet searches related to group policies.  The domain controller administrator will need to ensure that all network computers are logging on to the domain controller where the restrictions are added.  He’ll also need to ensure the restrictions are applied to the PC through group policy changes.

DAC permissions can be enforced by group policy, but users will still need access to the internet.  A secured PC with full internet access is a contradiction since most viruses and malware are spread using the internet.  This can be fixed through group policy tightening of internet access restrictions in addition to other safety tools like antivirus and real-time access scanning of internet traffic.  If internet security is extremely important, use a proxy server to allow only certain website access.
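Before reaching for group policy, it helps to measure how far the DAC defaults described above have already spread on a given PC. Here is an added PowerShell audit, not the post’s own code, that lists who sits in the local Administrators group and which non-administrative shares let Everyone, Authenticated Users or Users change or delete files, plus a guarded repair for one share. It assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember and the SmbShare cmdlets), an elevated session, and a domain group name you supply; share permissions are only one layer, so the folder’s NTFS permissions still need their own review.

```powershell
# Added example, not from the original post. Requires Windows 10 / Server 2016+ and "Run as Administrator".
function Get-LocalAdminReport {
    # Every account listed here is a full "PC administrator", the exact change the post warns about.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-OpenShareReport {
    # Non-administrative shares (skips C$, ADMIN$, IPC$) where a broad built-in group holds
    # Change or Full rights, i.e. any network user can alter or delete the shared data.
    # Note: this is the share-level ACL only; the folder's NTFS ACL is a second, separate gate.
    $broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                "$($ace.AccessRight)" -in @('Change', 'Full') -and
                $ace.AccountName -in $broadGroups) {
                [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Account = $ace.AccountName
                    Right   = $ace.AccessRight
                }
            }
        }
    }
}

function Repair-OpenShare {
    # Replace the broad grant on one share with Change rights for a named group.
    # Supports -WhatIf so you can preview the change; the group name is yours to supply.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$AllowedGroup,
        [string]$BroadAccount = 'Everyone'
    )
    if ($PSCmdlet.ShouldProcess($ShareName, "revoke $BroadAccount, grant Change to $AllowedGroup")) {
        # Grant first so the share never ends up with no usable permissions at all.
        Grant-SmbShareAccess  -Name $ShareName -AccountName $AllowedGroup -AccessRight Change -Force | Out-Null
        Revoke-SmbShareAccess -Name $ShareName -AccountName $BroadAccount -Force | Out-Null
    }
}

# Usage: run the two reports and review them before repairing anything.
Get-LocalAdminReport | Format-Table -AutoSize
Get-OpenShareReport  | Format-Table -AutoSize
# Repair-OpenShare -ShareName 'Public' -AllowedGroup 'MYDOMAIN\Staff' -WhatIf   # share and group names are placeholders
```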

*pic reference: http://obieosobalu.files.wordpress.com/2011/04/grouppolicy.jpg


*Originally posted through the PortSec blogger.

Do as I say, Not as I do

Imagine that your boss tells you to secure your work network and make sure nobody uses the internet unless the boss knows exactly what website was viewed and when.  Before the conversation ends, the boss says “…but make sure I’m excluded from the policy”.  That is comparable to what the NSA is being accused of in relation to the Heartbleed bug exposed last week.  Details are still sketchy based on denial by the NSA and secrecy behind who knew what, but documents released by former NSA contractor Edward Snowden show what may have happened.  Even more confusing is a loophole approved by President Obama which gives authority of hiding the flaws “for national security” according to senior administration officials.

This CNet article exposes where the NSA supposedly spent millions of dollars acquiring and abusing flaws like the OpenSSL flaw reported last week.  The NSA was also documented as spending ten million dollars paying the encryption company known as RSA to implement flaws in its security technologies.  RSA denied that a back door was given, while the NSA declined to comment.  The question should be raised: If you can’t trust your government, who can you trust?  And what should be your approach to training IT and non-IT staff when it comes to trusting websites?

Trust No One.  First, ensure all work computers are locked down through group policy and limited user restrictions.  The days of allowing users to install anything they want are gone.  Smartphones allow employees to do anything they want for entertainment, such as streaming music, sending emails or playing games during their breaks.  This new freedom via phone means the work computer is strictly for work.  For this reason, internet traffic should be completely locked to work purposes only, ensuring no random internet traffic initiated by an employee exposes the entire workforce to a software bug.  Moreover, all internal network traffic should be secured even further by blocking any external sources from entering your network across all ports, with the exception of those required to do business.  Remember, you cannot trust the NSA to stay off your network, which means you should trust no one.

*picture credit:

http://artinfo.com


*Originally posted through the PortSec blogger.

You look tired. Can I get you something? A data breach maybe?

We spend so much time learning how software can attack a network, but there is a completely different element to hacking that many times goes ignored – humans.  The common criminal will never ask if he can hack, but you can bet he is looking for the best way to get into your network without being noticed.  The most obvious aim of social engineering is to take advantage of untrained employees.  As an example, a new employee could be tricked over the phone into giving out unauthorized information, or non-observant employees could be tricked into escalating security access.  But information technology employees are trained to avoid these types of trickery.  They have years of experience and real-life on-the-job scenarios that help them avoid these problems, right?  Think again.

There are different levels of training for IT staff to avoid security pitfalls, but what happens when well trained employees are manipulated?  The smartest technology in the world can still be dependent on a person acting under everyday human nature.  The 2013 Neiman Marcus data breach exposed what almost every network security office in America deals with on a daily basis.  Security events were triggered to give security analysts a chance to catch the would-be criminals, but those events were overlooked by Neiman Marcus employees.  The security system logged over 60,000 ignored alerts.

One possibility is that these alerts were ignored because they came through the same channel as maintenance alerts.  The maintenance alerts, which normally create a large volume of false alarms, could have become white noise to many security employees.  Standards and policies should be constructed to direct staff through proper channels when securing data.  Guidelines should be very specifically defined so no questions arise during implementation.  Hackers with enough patience can trigger alerts on a regular basis to the point that these types of alerts begin looking normal to security staff and, in essence, become invisible to the human eye.  Careless implementation of security mitigation techniques can be as bad as having no protection at all.

Picture Credit:

http://www.euronews.com/2014/04/07/opisrael-strikes-again-anonymous-hacks-israeli-websites/


*Originally posted through the PortSec blogger.