Protect your midsize business from Cyberattacks
If there’s one thing we learned from recent political scandals regarding email leaks and hackings, it’s that cybersecurity matters. Organizations big and small need it to survive.
It is vital that every technologist and business leader understands the possible impacts of cyberattacks on their organization. These days, cyberattacks can range from espionage (i.e., internal secrets being leaked) to sabotage (i.e., internal data being corrupted or destroyed), and the outcome can precipitate a company’s downfall. Rice University professor Dan Wallach recently presented on the most effective ways to guard against cyberattacks, and we could not put it any better, so here are our favorite steps. Check out these 3 tips on how to guard your midsize business against cyberattacks. Hope you enjoy!
1. Know your adversary
Generally speaking, there are many sorts of adversaries that you need to defend yourself against:
1. Untargeted, remote (spammers, phishers, ransomware griefers, etc.)
2. Targeted, remote (spear phishers)
3. Targeted, in person (immigration agents, police, criminal trespass)
Everybody in the whole world has to deal with untargeted attacks. The prince who wants your bank account to help with transferring ill-gotten gains is spamming everybody, and the defenses are pretty straightforward: learn to ignore them. Similarly, if you get a Facebook request from a friend of yours who you’re already Facebook friends with, then it’s entirely possible that somebody is trying to clone your friend, so you should ignore the request and let your actual friend know. There are many variants on this attack. It’s worth expressing a healthy skepticism about a fresh email from an “old friend” or a Facebook friend request when they arrive unexpectedly.
The 2016 attacks against the DNC appear to have been an example of #2 on this list. Notably, John Podesta received a fake but convincing email telling him that his Gmail account had been compromised, with a “click here” button to fix it.
There was nothing wrong with Podesta’s Gmail account before he clicked the button, but afterward? Yeah, that was the problem. This is an example of a spear phishing attack, where the attacker was going after a very specific high-value target. Such attacks can be quite pernicious and cleverly done (e.g., sending what looks to be W-2 tax forms from HR around the proper time of year, when users would be primed to expect such a communication).
This style of attack is unfortunately common, and every government has teams of experts who do these sorts of attacks. Readers may enjoy this video of the NSA’s chief of “tailored access operations”. His message was that we attack others, and they attack us.
In-person attacks are probably the most difficult to defend against, because the threat actor has unfettered access to your phone or computer, whether by breaking into your hotel room or in the person of a border agent demanding such access. We’ll discuss a variety of countermeasures below, but the short answer is that these cases require anticipating the threat in advance. Information you don’t have with you is information that cannot be stolen from you.
2. Know your tech
The single most important technical measures you can take are to use up-to-date equipment and best-of-breed cloud services. Whether you’ve got a Mac or a PC, you should be running the latest versions of OS X or Windows 10. If you’ve got an ancient machine that won’t accept a modern update, it’s time to retire it and get a new one. This also applies to the applications on your computer. If, for example, your Mac is running Office 2008 or Office 2011, then it’s time to upgrade to Office 2016. Why the upgrades? Because Apple and Microsoft have really improved their game. If you run the newest software, you’ll be protected against the most recently discovered vulnerabilities. This also applies to your smartphones. Many cheap Android devices are running ancient versions of the Android system.
A. Should you get a Google-branded Android device like a Nexus or Pixel, or are third-party Android devices acceptable?
Google pushes monthly security updates to its own phones. For third-party devices, some manufacturers are better than others at rolling out these updates, particularly for older devices. If you’re genuinely concerned about targeted threats, then using a Google-branded phone is likely to be more secure. If you’re using a third-party device, check what version of Android you’re running. If it’s anything older than Android 7.0, it’s time for a new phone. Not sure? Go into your Settings and select “About phone”. Below is an image from a current Google Pixel XL. Notice how the “kernel version” and “security patch level” have recent dates (relative to the date at which this document was authored: mid-October 2017)? If your phone shows older dates, you need to replace your phone.
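The check described above (Android release older than 7.0, or a security patch level that is not recent) can be done for a whole office’s worth of phones rather than one “About phone” screen at a time. The following is an added example, not code from the original post or from Dan Wallach’s talk. It parses the text that `adb shell getprop` prints for the real system properties `ro.build.version.release` and `ro.build.version.security_patch`; the device data is constructed for illustration, and the 90-day staleness threshold is an assumption chosen to match the post’s “recent dates” advice.

```python
"""Flag Android devices that the post would tell you to replace.

Assumptions (not from the original post):
  - input is the `[key]: [value]` text produced by `adb shell getprop`
  - a patch level older than MAX_PATCH_AGE_DAYS counts as "not recent"
"""
import re
from datetime import date

MIN_RELEASE = (7, 0)        # post: anything older than Android 7.0 means a new phone
MAX_PATCH_AGE_DAYS = 90     # assumption: what "recent" security patch level means

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]\s*$")


def parse_getprop(text):
    """Turn raw `getprop` output into a dict; unparseable lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_release(release):
    """'7.1.2' -> (7, 1); returns None for values that are not numeric."""
    parts = release.split(".")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return None
    return (major, minor)


def assess_device(getprop_text, today):
    """Return a list of reasons the device should be replaced (empty list = fine)."""
    props = parse_getprop(getprop_text)
    reasons = []

    release = parse_release(props.get("ro.build.version.release", ""))
    if release is None:
        reasons.append("release version unreadable")
    elif release < MIN_RELEASE:
        reasons.append("Android release older than 7.0")

    patch = props.get("ro.build.version.security_patch", "")
    try:
        patch_date = date.fromisoformat(patch)
    except ValueError:
        reasons.append("security patch level unreadable")
    else:
        age = (today - patch_date).days
        if age > MAX_PATCH_AGE_DAYS:
            reasons.append(f"security patch level {age} days old")
    return reasons


# Constructed sample output for three devices (illustrative, not real fleet data).
SAMPLE_DEVICES = {
    "pixel-xl": "[ro.build.version.release]: [8.0.0]\n"
                "[ro.build.version.security_patch]: [2017-10-05]\n",
    "budget-phone": "[ro.build.version.release]: [6.0.1]\n"
                    "[ro.build.version.security_patch]: [2016-03-01]\n",
    "tablet": "[ro.build.version.release]: [7.1.2]\n"
              "[ro.build.version.security_patch]: [2017-04-05]\n",
}


def fleet_report(devices=SAMPLE_DEVICES, today=date(2017, 10, 15)):
    """Map device name -> reasons to replace it (mid-October 2017 is the post's date)."""
    return {name: assess_device(text, today) for name, text in devices.items()}


if __name__ == "__main__":
    for name, reasons in fleet_report().items():
        status = "OK" if not reasons else "REPLACE: " + "; ".join(reasons)
        print(f"{name}: {status}")
```

On a real device the input comes from `adb shell getprop` over USB; the release check is strict and the patch-age check catches phones whose manufacturer stopped shipping monthly updates even though the release number still looks acceptable.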
B. Is an iPhone better than Android for security?
Apple and Google have both worked hard to improve their security chops; newer iPhones are definitely better than older ones. When comparing the latest Apple iPhone 7 or 8 with the latest Google Pixel or Pixel 2, I’d say it’s a wash. Get the one that you prefer. At that point, your security will depend more on the apps you choose than on the phone platform.
C. What about Chromebooks?
If your needs can be satisfied with Google Chromebooks, you should seriously consider them instead of Windows or Apple laptops. Not only are they cheaper, but they only run a web browser and nothing else, making them much harder to compromise. Newer Chromebooks with touch-screens now also run Android apps, making them much more useful. Chromebooks are automatically updated by Google with the latest security patches and they have features that make it very hard for a hacker to install malware. And, of course, if they’re stolen, there’s nothing really there for an attacker to steal. All of the data is safely in the cloud.
D. Do I need third-party anti-virus software on my computer or phone?
Surprisingly, no. The most likely vector for which viruses might attack you is through email, and AV companies offer plugins for email servers. Cloud email providers like Gmail also have AV built in. Windows 10 also comes with “Windows Defender” built in, which is free and which serves the purpose. Conversely, there’s increasing evidence that many third-party AV engines actually make your security worse. If your devices are running the latest software versions with the newest security patches, you’ll protect yourself very well.
E. What about the apps I install?
The fewer the better. When you install a popular app from a big company like Twitter, Facebook, etc., you can have some confidence that it’s not out to get you. If you install games or whatnot, you have far less assurance. In some cases, even mobile web pages from sketchier parts of the web try to pretend that they’re apps and will generate fake warnings that they’ve detected security vulnerabilities. If you’re installing an app which has a “free” and a “pay” version, where the latter has no advertisements, you significantly improve your security posture by paying the money. Ads are a vector for attacks into your phone.
F. Can I protect myself by moving to the cloud?
Consider switching away from local infrastructure (e.g., Microsoft Office and local file servers) and using a managed cloud infrastructure (e.g., Google Docs). One of the benefits of moving to cloud services is that the vendors who run them offer you a variety of security features that are hard to set up on your own. Google’s Gmail, for example, has top-notch anti-virus, anti-spam, and anti-phishing defenses. If you go wholeheartedly to the cloud, then you can replace your computers with Chromebooks (see Question C, above).
While you could run a small organization on personal Gmail accounts, it’s much better to pay for a “G-Suite” domain. At that point, you can have the familiar Gmail and Google Docs with your own custom domain-name. The security win is that you can centrally manage your users, making it easy to add and remove staff. As the administrator of a G-Suite domain, you can require all your users to use two-factor authentication (see below), making everybody more secure. Also, a G-Suite administrator can limit which third-party apps your users can use, eliminating a delegation attack.
G. How about two-factor authentication (2FA)?
It’s now considered an industry best practice to combine passwords (“something you know”) with physical tokens (“something you have”), and it’s easy to do. Many web sites let you associate an app like Google’s Authenticator with them as part of the login process. You have to enter your password, then you run the app and type in a 6-digit code. Google and others also support “Fido U2F” keyfobs which you plug into your computer (only $18 each on Amazon; a variety of U2F devices are available, the blue-colored Yubikey is the one to get). Just put it on your physical keychain and use it when asked. If you’re using G-Suite, you can even make these things mandatory for all your users. Had John Podesta been using 2FA like this, then divulging his password to Russian attackers wouldn’t have helped them log into his account. The way Fido U2F keys work, there’s no way for an attacker to request you give them the PIN, so they’re more resistant to phishing attacks than two-factor apps. Some web sites try to send you an SMS text as a form of 2FA, but this is now considered insecure and is not recommended for use. A single Fido U2F key in your pocket works safely with multiple web sites at the same time, including Facebook and Dropbox.
3. How to communicate online and elsewhere
A. Am I safe using a public WiFi in a coffee shop or airport?
The short answer is that you’re safer now than you were in years past. Most web sites you might use these days are encrypted; look for the “https” in their URL. Similarly, most apps on your phone will encrypt your data before connecting to their cloud servers. If you’re using a Chromebook or a recent smartphone, then you’re unlikely to be successfully attacked. If you’re using an older Windows laptop or an older Mac without the latest security patches, then a public WiFi service might have unacceptable risks for you.
B. Are there risks from social networks like Facebook?
The biggest risk is to your privacy.
Assume everything you say or do will be visible to the public. It’s just too easy to post something that you mean to be private and accidentally have it be visible to the whole world. “Private groups” on Facebook are somewhat better, but any group with thousands of members might well have somebody you don’t trust, just waiting for you to say something inappropriate and make a copy of it for later use.
Related: be cautious of all these online surveys and quizzes. Find out which Game of Thrones character you would be! Please don’t do these. You’re telling marketers about yourself so they can target you with advertisements.
C. Basic organizational functions.
There are a variety of other enterprise offerings, like Slack for group texting, or Expensify for expense reporting. As you evaluate these providers and their competitors, make sure you understand more than their dense legally worded security and privacy policies. Interview them about their security practices. Look for their ability to support two-factor authentication or, even better, to connect to authentication services provided by somebody else. Think: “Login with Google”. Every time you can get such a “federated login” or “single sign-on” feature, it’s one less place where you need to add and remove an account every time somebody joins or departs your organization.
This also means that you want to discourage your users from communicating with personal email addresses, texts from their phones, etc. The extent to which you can manage and control your users’ communications is directly related to the extent to which you can protect them from being leaked or tampered with. Consider what might happen if you need to fire an employee / staffer / volunteer. You want to be able to pull the plug on them, all at once, killing off their access to email, cloud documents, everything. You can’t do that if you’re using personal Gmail, but you can if you’re using G-Suite.
That said, if your organization is less organized, say it’s nothing more than a group of people planning and organizing political protests, then none of this advice is particularly helpful. At that point, the best you’re going to do are “secret groups” on Facebook (i.e., invitation only groups that are not publicly visible). You can also set up a free account on Slack, but you don’t get some of the cooler features, e.g., Slack only lets you require 2FA on a paid account. You can at least set up 2FA on a personal Gmail account, preferably using the U2F tokens discussed above.
Cybersecurity allows your business to thrive. Investing in cybersecurity helps you stay ahead of evolving risks and protects your most sensitive information. Advoqt’s cybersecurity experts partner with our clients to execute IT security projects tailored to each organization’s specific needs. We work to protect from the inside and proactively prevent, rather than react to potential threats.