When we talk about hacking computer systems, actual statistics can be challenging to determine for several reasons. The primary reason is that companies don’t want customers and vendors to know, and they fear public backlash. Another reason is that we have an elevated sense of security that firewalls and anti-virus alone will protect our businesses. Then there is the ongoing battle of convenience versus security. The bottom line is that the more convenient it is, the less secure it is, which I know is not the answer that we as business owners want, because we care about productivity and we don't want to listen to the noise coming from the end-users.
System hacking can take time; hacking is typically not something that happens overnight. Not that a hacker couldn’t be opportunistic, but typically hacking is not a crime of convenience but a crime of patience. The best hacker doesn’t want you to know they have gained access to the system, primarily because the overriding goal is to steal as much data as they can and sell it, or to hold your business for ransom and try to force payment. When a computer hack does occur, the first objective is to load software that allows them to search for and exploit other weaknesses, or to pivot from one system to another, to gain access to as much of the system as possible. These incursions into your system can take weeks or months before anything reveals that your system has been compromised. The ability of hackers to hide in your system undetected makes improving your detection, containment, and remediation processes critical to your overall security program.
These are some of the reasons why a factual statistical matrix is difficult to produce, which skews risk and risk-mitigation evaluations and can contribute to the false sense of security some companies fail to recognize. However, the industry recognizes that a hacking attempt happens every twenty seconds, and it acknowledges that unsuccessful attempts are more common than successful compromises. You would think that we would see a decline in successful hacking attempts, but based on the reported data, successful attempts are actually on the rise.
One of the first questions I am asked when I speak about security at conventions and seminars is: who is to blame for the system hack? People must first understand that there is no such thing as 100% secure unless you are willing to unplug your business; being one hundred percent secure is an unreasonable expectation. We all have a responsibility to have reasonable security measures at home and in the workplace. In the commercial world, one of the most critical factors in building a culture of security within your workforce is ongoing security awareness training and testing for all employees, including ownership. Failing to understand that the human factor is one of the biggest threats to your system, and failing to adopt proper security measures to address it both internally and externally, can put your organization at risk.
Where does the responsibility for security reside? The truth is we all have a role; we all have a part in ensuring that we don’t put our business at risk, from the ownership to the employees to the technologists. The reality is that you can do it all right, have all the protections in place, and still be a victim of a ransomware attack, crypto attack, virus, unauthorized access, and many other risks that need to be mitigated. The growth in system attacks is increasing. Emerging technologies that allow unauthorized access resulting in data loss are increasing. These emerging threats can outpace the ability to detect them, develop countermeasures, and modify risk mitigation plans.
Hackers use several methods to go undetected in your environment and hide from the typical detection methods. We have to keep in mind that it is to the hacker’s advantage to go undetected, and they spend a lot of time and money to learn and perfect their hide-n-seek countermeasures to detection. According to WebProfessionals.org, here are some of the ways that hackers go undetected:
- Adding Layers of Virtual Machines – Hackers typically utilize Linux and are careful to make sure that they add layers of infrastructure between them and their targets. Before launching ransomware, crypto, or other cyberattacks, a hacker will likely connect to your system through a maze of virtual machines that could, in all likelihood, be hosted in different regions of the world. These virtual connections are sometimes called ghost machines and are removed and rebuilt regularly to cover their tracks.
- Spoofing IP and MAC Addresses – when you connect to the Internet or when any device connects to the Internet, it must have an IP address that typically is assigned by the Internet Service Provider (ISP). The IP address identifies that device on the Internet and can connect to resources through your web browser. IP addresses and MAC addresses are the most common way people and devices are tracked online. Hackers use various tools to spoof addresses to disguise their location and devices to get around this.
- IRC Communication – From the hacker's perspective, there is a good reason they don’t communicate on traditional social media as we all have learned they are prone to eavesdropping and don’t offer a high level of secured communication. Most hackers prefer to use Internet relay chat (IRC). IRC communication is typically run on individual servers, and they don’t interface with the public cloud, which would be sites like Facebook, LinkedIn, and Instagram; since there is no interface to the public cloud, they are considered secure and can be difficult to trace.
- VPN – Investing in a VPN when connecting to a corporate network or just browsing the Internet is one of the smartest things companies and individuals can do to protect themselves. However, bad actors can also use VPN to help facilitate their deeds. Hackers often have accounts with many VPN providers, and they commonly switch between them. Remember, it is about remaining hidden in the shadows, here one moment gone the next. Hackers want to make it as difficult as they can to identify, track, and determine their location.
- TOR Browser – Hackers' primary choice for web browsing is TOR, which is similar to Google's or Mozilla's browsers or the multitude of other common web browsers. TOR offers more built-in privacy advantages and works with the unindexed part of the Internet, more commonly known as the Dark Web. When using the TOR browser, traffic is passed through several relays spread across the globe. At each relay the traffic is encrypted and then passed on to the next relay, making it almost impossible to track a user session or their activity.
These are just ways that hackers hide their movements and activities on the Internet, making it almost impossible to track, capture, and prosecute bad actors if you have become a victim. However, you have to be aware of them to develop a security matrix that accounts for them and implements security countermeasures.
Before we get into protecting ourselves, we need to review some of the tools hackers use to gain access and explore your system for weaknesses to exploit. However, I want to point out that some tools utilized by hackers are also legitimate tools used by IT people to secure your system, patch workstations, and monitor the overall health of your network. This can make it confusing whether you have been hacked or whether you are seeing an everyday tool used on your system by your legitimate IT support people. You can use a hammer to build or destroy, depending on your objectives.
According to TechViral.com, here is a list of the most popular hacker tools; some can be acquired free, and others are paid. The free versions don’t have all the bells and whistles that the paid version does, but depending on the bad actor's goals and objectives, the free versions might be adequate to meet their needs. Knowing and understanding the tools hackers use is essential within this article because if you don’t know what you are looking for, it becomes easier to hide, so understanding what and how will help you discover if a breach has happened.
- Aircrack – Aircrack is a WEP and WPA-PSK breaking tool. Basically, it attacks your security settings on your network and wireless and tries to break the security keys you entered when you set up your WIFI. Aircrack also provides a variety of tools to evaluate remote systems and access.
- Sqlmap – Sqlmap is a tool used to perform SQL injection, which allows you to take over a database. Once loaded, this is an automatic tool that searches for weaknesses in SQL by taking advantage of the imperfections that already exist within SQL databases. Sqlmap can exploit several SQL databases such as Microsoft SQL, PostgreSQL, Oracle, SAP, and MySQL, to name a few.
- Nmap (Network Mapper) – Nmap is a network mapper; it is utilized to examine the security of your system: open ports, which hosts are accessible on the network, administration accounts, frameworks, operating systems, and patch information, to name a few.
- Wireshark – This is an excellent example of a legitimate tool used by thousands of IT professionals to troubleshoot networks and determine performance issues, end-user issues, and programmed issues. However, in the wrong hands, it can also be used for nefarious purposes to monitor network traffic and identify workstations and servers that can be used to pivot between systems.
This is a tiny sample of the hacker tools used by bad actors for all kinds of reasons, and again the reason this is important is that you should know what legitimate tools are loaded on your system, so you can scan for the others and remove them as soon as possible.
"Don’t lull yourself into a false sense of security just because you use Mac."
Before we go any further, let’s tackle the long ongoing debate that Apple is more secure than Windows. Macs have a long-held perception that they are more secure than Windows. Apple used to run TV ads stating that; however, in reality, according to a State of Malware Report, Macs are now under attack more than the average Windows computer. According to the State of Malware Report 2019, threats on Macs outpaced those on Windows PCs almost 2:1. One of the reasons is that in the mind of a hacker, if you throw out a challenge, they will more than likely pick it up and prove you wrong. Another reason might be that in 2018 Macs actually exceeded 10% of the computing market for the first time, so again, in the mind of a hacker, they have become legitimate targets. Another big reason is that Microsoft has become very proactive on the security side of things and improved its security in recent years. In contrast, Apple has taken a less proactive position, although it is improving as threats emerge. Bottom line, I’m sure that the debate will continue, but securing either platform will continue to be the customer's burden. The standards of security and prevention are the same regardless of the platform you are using, so don’t lull yourself into a false sense of security just because you use Mac.
Another common question I get is: can you still get ransomware or crypto-type viruses if you are on Microsoft 365 (Office 365)? The answer is yes, you can; simply being in the cloud, any cloud, or Microsoft 365 does not mean that you can't or won't get ransomware or crypto viruses. That is the short answer, but there is more to the story. Microsoft 365 provides protection against ransomware encryption through file versioning and post-deletion recovery tools that help you recover from attacks; this doesn’t mean you can’t be encrypted, but Microsoft gives you a path to recovery. Although file versioning gives you a layer of protection against encryption, the built-in Microsoft 365 tools provide less protection against a hacker stealing and selling your data. Historically there were no known ransomware types that specifically targeted Microsoft 365. However, over the last year, some ransomware and crypto viruses have been identified that successfully encrypted data stored in Microsoft 365. It is believed that the organizations that write and launch these ransomware and crypto viruses will continue to adapt to cloud-based systems, which will include Microsoft 365.
The bottom line with Microsoft 365 is don’t take for granted that you can lighten up your security because you are in Microsoft 365. There have been cases where encrypted files on the local machine were synced with OneDrive. Once that communication link was opened up again, the infection re-infected the rest of the network again. Emerging threats, new ransomware viruses, and the increased destructiveness of the newer viruses mean you have to stay vigilant and invest in securing your entire network, which would include your Microsoft 365 environment.
There are many types of hackers, and hackers' motives vary widely. The labels we put on the different types of hacker go back to American history and our perception that black-hat cowboys are the bad guys and we will all be saved by the white-hat cowboy. There is no real truth to it; it is just a stereotype that Hollywood came up with to identify the good guys and bad guys, and it has become part of our perception of the old West. However, the labels have some meaning in the hacking world to identify the supposed good guys versus the bad guys.
- White Hat Hacker – Some people are dedicated to legitimately helping companies, individuals, and governments better secure their systems. So, it is not all bad, and there are many cybersecurity heroes out there doing their best to protect us all from current and emerging threats. However, it is an uphill battle; as we all are spending more on security and countermeasures to threats, the organizations and countries supporting cybercrime are also spending vast amounts of money to continue their efforts. So, it will take us all doing our part continuously to contain these security issues and be vigilant and create a security culture within our organizations.
- Black Hat Hacker – Then there are the Black Hat Hackers, who have, in some cases, a very organized approach to their goals and objectives. Depending on where you are standing in the world, the activity of Black Hat Hacking may or may not be illegal. Tracking and arresting them is extremely difficult, particularly if they operate out of a country where this activity is not considered illegal or is supported by their government. In most cases, the legitimate computing world would consider the activities of a Black Hat Hacker outside of the legal and moral standards that we all operate within. However, from their perspective, it is a job; they are motivated by the financial gain, which is enormous and estimated at $400 billion per year, so expecting that you can shut down that type of industry is not reasonable.
- Grey Hat Hacker – You got it, these people play both sides, the good and the bad. By and large, Grey Hat Hackers look for vulnerabilities in operating systems, firewalls, and other devices or software, and then, for a fee, they will publish the vulnerabilities. Grey Hat Hackers typically don’t participate in the actual ransomware attack or other cyberattacks; they benefit from discovering new vulnerabilities and selling that knowledge. Grey Hat Hackers may go as far as contacting the manufacturer of the software and demanding payment not to publish the found vulnerabilities; however, even after payment is made, they typically publish anyway.
- Red Hat Hacker – This is an interesting group of guys; these are typically government operators or companies that specialize in tracking down and destroying the efforts and infrastructure of Black Hat Hackers. You don’t hear much about this group, but these are the real cyber-heroes that we need and want to disrupt and develop countermeasures that we can all use to protect ourselves.
- Blue Hat Hacker – This group of hackers, if you want to call them that, are typically people who want to take advantage of social media to destroy, in their minds, the reputation of a company; the classic disgruntled employee is one example. It could be a relationship that ended badly, so they post what in their minds is factual information, but it is only from their perspective. An employee rarely wants to take responsibility for their actions. Blue Hat Hackers, as novice hackers, might attempt to get into your personal or corporate social media sites or website, because companies often overlook the need and importance of securing those sites.
- Green Hat Hackers – Green Hat Hackers are hackers in training; these people typically browse the hacker forums, websites, and Dark Web to learn the trade tricks. These are amateurs, but typically they are very eager to learn the hacking trade and can cause a considerable amount of damage to corporate networks; because of their inexperience, they haven’t made the connection that the value is in not being discovered until the financial advantage swings in their favor.
What does an end-user see when it comes to hacking? Most of us know of many hacking attempts or have heard the terms before. Nefarious actors use a variety of tactics to get the end-user's attention and prompt them into making a security mistake that results in unintended system access. According to BitIdentify.com, some of the more common tactics used by hackers are:
- Phishing – This is one we all love; most of us call it SPAM. However, you have to be very careful with phishing because the sophistication that phishers are using now is extremely good; it can sometimes be challenging to identify the differences between phishing and legitimate email. Phishers are hoping you don’t take the time to look closely at the email, you're busy, you are distracted, or you have just gotten complacent, and you click on the link, which asks you to build an account or try to login to a site that you typically have access. These simple mistakes can start a chain reaction resulting in a ransomware or crypto attack.
- SQL Injections – Most websites and almost all companies use SQL of some kind for critical operations within the business. These applications could be your ERP solution, CRM solution, accounting system, or HR database. These are all key targets for hackers, so it is essential, especially if you do custom programming, to ensure that your programmers are accounting for and protecting against SQL injection. SQL injection uses a field, such as a search box, name, address, or some other active field, as an access point to reach the back end of the database, allowing the data contained within the database to be exported.
- Fake WAP or WIFI – Free WIFI is everywhere now; go to any restaurant or bar, and there will most likely be free WIFI access. It has simply become part of our culture and our expectations as we travel and go about our lives. A common tactic is for a hacker to create a fake WAP (Wireless Access Point) mimicking the real WIFI name; when users connect to it, the hacker can intercept all the information passing through the fake WIFI and capture credit card information, login credentials, and other personal messages. This is where the tug of war between convenience and security comes into play: you should never connect to free WIFI; use the cellular network on your phone to connect to the Internet instead, as it is far more secure than free WIFI.
- Bait and Switch – Hackers will buy advertisements on legitimate websites; however, when you click on them, they redirect you to a malware site. At that point there are many methods to infect your local machine: sign up for an account, click on a picture, click on another link that takes you to another page. These sites all look legitimate, but what is going on is that you are being passed around while your system is searched for vulnerabilities that can be taken advantage of on your computer due to lack of patching or old operating systems. You may not be aware that this is going on until it is too late, and then the game is afoot to see where they can go from there.
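The SQL injection item above describes a search box or name field being used as an access point into the database. The following is an added example written for this article (not code from BitIdentify.com or from any product named here) that shows the programming mistake the item warns about and the fix programmers are expected to apply. It uses Python's built-in sqlite3 module and a small constructed `users` table, so it runs offline; the user and table names are made up for the illustration.

```python
"""Added example: an SQL-injectable lookup next to its parameterized fix.

Illustration code for this article, not code from any project the article
mentions. Uses Python's standard sqlite3 module and a constructed sample
table so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed sample 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The mistake: the value typed into the search box is pasted straight into
    the SQL text, so whatever the user types becomes part of the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a '?' placeholder. The driver sends the value separately as
    data, so it can never change the shape of the query."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input that closes the quoted string and appends an always-true
# condition. With string concatenation it turns a one-user lookup into
# "every user"; with a placeholder it is just a username nobody has.
TAMPERED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal input, vulnerable:  ", lookup_vulnerable(db, "alice"))
    print("tampered input, vulnerable:", lookup_vulnerable(db, TAMPERED_INPUT))
    print("tampered input, safe:      ", lookup_safe(db, TAMPERED_INPUT))
```

The only difference between the two functions is whether the field value is part of the SQL string or passed as a separate parameter; that one change is what a code review for the custom programming mentioned above should be looking for, and the same placeholder style exists in every mainstream database driver.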
These are just a few of the more common tactics used by hackers to trick you based on your interests into assisting them in gaining access to personal information or maybe a more significant target like corporate networks or even to use your system to attack another personal computer or corporate network.
I get a lot of questions regarding the security of mobile devices such as smartphones. Remember that a typical smartphone has more computing power than NASA used to send a man to the moon; they are essentially powerful handheld computers. The good news is that typically they are pretty secure by nature, more so than your standard computers. The bad news is that Smart Phones do have an operating system, and in a recent Verizon report, there has been a 64% increase in mobile threats. There is a lot of other evidence to show that mobile devices are being targeted more and more through emerging threats and technologies that specifically target mobile devices. These emerging threats focus on stealing text messages, photos, recording calls, and using the device to pivot to corporate networks through CRM and ERP systems or email.
A Verizon report specifically identified five types of threats commonly targeting Smart Devices.
- Trojans – These are malicious applications designed to look and act like legitimate applications or apps, and they can even be downloaded through the app store on Android-based devices or the Apple App Store. These apps can be used as a backdoor to your device, allowing the hacker to pivot to your corporate network.
- Spyware – These types of applications run in the background, and you may or may not know that you have one on your Smart Device. Spyware collects data on your browsing history, usernames, or other personal information that may be contained on your device.
- Riskware – These applications can be downloaded or ghost-loaded onto your Smart Devices. Riskware can decrease the performance of your Smart Device, and it attacks the security protocols you have set up on your Smart Devices in order to load other applications that potentially allow more access.
- Chargeware – These are valid-looking apps that can charge for different services or apps without the users' knowledge.
- Adware – We all love the ads that pop up; most of these ads are simply frustration points; however, some contain Malware or spyware that will be loaded on your Smart Device if you click on them.
All of this does seem very scary; however, as I mentioned before, by design Smart Devices have a lot of built-in security if you choose to use it: features like auto-locking, password protection, biometrics, and facial recognition, and you can also load VPN technologies on them along with Multi-factor authentication. There is also Anti-Virus that you should load on Smart Devices to give you an extra layer of protection. With all the press in recent years, you would think we would all be more proactive in protecting Smart Devices. However, within the Verizon report, 90% of respondents consider Smart Devices a growing threat, yet only 39% have done anything to mitigate the threats posed by Smart Devices.
According to Seniorplanet.org, here are some steps you can take to secure your Smart Devices:
- Know what security features are on your device and set them up: Set up the auto-locking feature on your Smart devices, set passwords, use biometric and facial recognition, turn on anti-theft apps, and use privacy controls.
- Don’t leave them lying around – Don’t leave them unattended; if you leave your phone unattended in a public place or a bar, restaurant, or airport, phones can be cloned or stolen, so don’t leave them lying around.
- Do updates – Android and Apple are pushing updates for a reason: sure, new features and functionality, but also security patches and closing vulnerabilities that can put your data or your corporate environment at risk. It would be best to use MDM (Mobile Device Management) software, which your carrier might provide, or you can purchase an MDM program that meets your specific needs. MDM programs allow you to push and install updates when they become available.
- Make sure that you log out of programs and apps when you are not using them, for obvious reasons.
- Load anti-virus and MDM programs on all corporate devices and personal devices if you allow them to be used for business reasons, which I would not recommend.
- Don’t click on links in text messages unless you expect a known sender.
- Educate users of the threats to mobile devices as part of your employee onboarding.
With all the gloom and doom, how can we really protect ourselves and our corporate networks from hacking, while making sure that we keep our employees productive? The real tug of war is convenience on one end of the rope, security on the other end, and budget and productivity in the middle. Let’s get into the many options you have for security. We have already covered mobile devices; now let’s look at the rest, which some would say are the most vulnerable of them all, or at least the biggest target with the biggest reward. When it comes to security, you have to understand that there is going to be end-user noise; people resist change, so it does take some level of grit to ensure that security and a culture of security are explained to the end-users, and that end-users are trained and tested on how to identify security risks and who to report those events to.
Understanding that there is no such thing as 100% secure (the human factor will ensure this), here are some products and methods to increase your overall security and reduce the impact of a cyberattack, such as ransomware, crypto, or an old-fashioned unauthorized hack.
- Keep Corporate Firewalls current – One of the most critical devices on your network is often overlooked when it comes to updating and life-cycle replacement. Firewalls typically, once configured, continue to run; however, the manufacturers update the operating systems, upgrade CMOS, and at some point, the device needs to be replaced due to limitations in the OS and lack of support from the manufacturer. It is also critical to ensure that the firewalls you are implementing are a suitable class of firewalls. Not all firewalls are created equal, so do some research and pick the right one to meet your business requirements.
- Install Anti-Virus – Anti-Virus is critical to your security plan; it should be loaded on all your workstations, laptops, and mobile devices. Most of the major players in Anti-Virus can cover all these access points, with programs like Trend Micro, McAfee, Symantec, and Webroot, to name a few quality products. In the corporate environment, ensure that you purchase the corporate version of the software. From the console, you can review what was updated and when, and push out updates and new virus signatures.
- Sentinel One or CrowdStrike Falcon – Sentinel One and CrowdStrike Falcon are competing products, and they are great products; however, as with every software, differences and preferences depend on your overall goals and objectives. These products offer expanded protection through detection, containment, and resolution automated processes. Using this type of Business Intelligence and Artificial Intelligence to counteract the processes of hackers has become more and more critical.
- Multi-Factor Authentication – This is a must in today’s computing world; if you are not using two-factor authentication, it is just a matter of time before your business is a victim. Products like DUO or Microsoft 2 Factor Authenticator are two examples of two-factor authentication programs. All programs have their plusses and minuses, so it is essential to ensure that whichever program you use applies to your business gives you maximum protection.
- Auto Logout on Servers – IT people have a terrible habit of not logging out of servers; I’m not sure why this happens, being we are the ones that are supposed to enforce security on the network. However, there is a solution: setting up auto log out on the servers. There are some risks to this because sometimes the IT people are running updates or patches or other activity, so you have to weigh the good and bad, but it would be recommended to set this up. There is more good than bad in this.
- DNS Protection – DNS hijacking is on the rise, and it is complicated to know if you are a victim or not; DNS is the human interface to how people find websites, email addresses, and IP addresses. Once your DNS has been hijacked, they can change your IP address, which could be used to send people to a different site when they enter their login credentials; products like Sentinel One, CrowdStrike Falcon, and OpenDNS all prevent DNS hijacking.
- End-User Training – End-user training is critical to the security of your network and to building a culture of security within your organization. KnowBe4 is an excellent tool for testing your users’ willingness to respond to phishing attempts, Malware, and other threats. KnowBe4 can also educate: if a user responds to a fake phishing attempt, the software will show them a video on how to better recognize phishing and other security threats. Human Resources can also report on repeat offenders so you can identify the most significant risks within your business. Ongoing and repetitive training is key to building your security culture.
- DarkTrace BI Systems and Monitoring – DarkTrace is an Autonomous Cyber Artificial Intelligence device and service. DarkTrace can interrupt cyber-attacks in real time, both outside your network and internally. DarkTrace can track cyber attackers back to the source and protect you against ransomware and email phishing in both cloud and on-premise systems through automated business and artificial intelligence. The DarkTrace Network Operation System actively monitors your DarkTrace device to ensure that any alerts are handled instantly and your system is protected. DarkTrace is a great complementary product with Sentinel One or CrowdStrike Falcon.
- Remote Backup Systems even in Microsoft 365 (Datto) – Don’t lull yourself into a false sense of security if you use Microsoft 365 (also known as Office 365). It is critical to ensure that you are backing up through an independent source such as Datto or Barracuda using their cloud-to-cloud backup processes. Although we want to believe that Microsoft is backing up our data, the truth is they don’t; however, Microsoft does offer a limited backup process, but it is not equivalent to the products and independent operation of Datto or Barracuda.
- Password Policies for End-Users – In 2020, NIST (the National Institute of Standards and Technology) changed its guidelines for end-user password management (SP 800-63-3). The new guideline simplifies password management by leaving out overly complex security requirements. Research has found that users don’t like complex passwords, nor do they like changing them regularly. The research showed that passwords became predictable, and the environment became less secure due to that predictability and the use of dictionary words along with sequential number patterns. NIST now recommends the following for end-user passwords, with the caveat that Multi-Factor Authentication is in use and active.
NIST Password Requirements:
- Set an 8-character minimum length – we recommend a 12-character minimum length.
- Change password only if there is evidence of a compromise
- Screen new passwords against a list of known compromised passwords
- Skip Password hints and knowledge-based security questions
- Limit the number of failed authentication attempts
NIST Password Recommendations:
- Set the maximum password length to at least 64 characters
- Skip character composition rules as they are an unnecessary burden for end-users
- Allow copy and paste functionality in password fields to facilitate the use of password managers.
- Allow the use of all printable ASCII characters as well as all UNICODE characters, including emojis.
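As an added example (not code from the article, from NIST or from Microsoft), here is how those rules translate into a Windows environment: a verifier-side check that applies the NIST rules to a candidate password, and the Active Directory default domain policy settings that match them. The function names (Test-NistPassword, Set-NistDomainPasswordPolicy, Get-Sha1Hex), the three-entry compromised-password list, the 12-character minimum and the domain name are this example's own choices. The AD function assumes the ActiveDirectory module and Domain Admin rights; note that screening against a compromised-password list is not something the built-in domain policy does, which is why it lives in the check function (in production you would use Azure AD Password Protection or a password-filter product for that part).

```powershell
# Added example (not from the original article): NIST SP 800-63B password checks
# for a Windows environment. The compromised-password list below is a constructed
# sample stored as SHA-1 hashes so the list never holds plaintext; in production
# use an offline copy of a breach corpus or Azure AD Password Protection.
$script:CompromisedSha1 = @(
    '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8',  # "password"
    '7C4A8D09CA3762AF61E59520943DC26494F8941B',  # "123456"
    'B1B3773A05C0ED0176787A4F1574FF0075F7521E'   # "qwerty"
)

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $hash = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally { $sha1.Dispose() }
}

function Test-NistPassword {
    # Applies SP 800-63B section 5.1.1.2 to one candidate password and returns an
    # object with Accepted ($true/$false) and Reason. There are deliberately no
    # composition rules: length, the blocklist and context words are the only checks.
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$ContextWords = @(),   # user name, company name, product name ...
        [int]$MinLength = 12,            # NIST minimum is 8; the article recommends 12
        [int]$MaxLength = 128            # NIST: accept at least 64
    )
    $reject = { param($Why) [pscustomobject]@{ Accepted = $false; Reason = $Why } }

    # NIST requires Unicode normalization (NFKC here) before any length or hash check.
    # Length is counted in text elements, the characters the user sees, so an emoji is one.
    $normalized = $Password.Normalize([System.Text.NormalizationForm]::FormKC)
    $length = [System.Globalization.StringInfo]::new($normalized).LengthInTextElements
    if ($length -lt $MinLength) { return (& $reject "too short: $length characters, minimum $MinLength") }
    if ($length -gt $MaxLength) { return (& $reject "too long: $length characters, maximum $MaxLength") }

    foreach ($word in $ContextWords) {
        # -match is case-insensitive by default in PowerShell.
        if ($word -and $normalized -match [regex]::Escape($word)) {
            return (& $reject "contains context-specific word '$word'")
        }
    }
    if ($script:CompromisedSha1 -contains (Get-Sha1Hex -Text $normalized)) {
        return (& $reject 'appears in a known-compromised password list')
    }
    [pscustomobject]@{ Accepted = $true; Reason = 'ok' }
}

function Set-NistDomainPasswordPolicy {
    # Maps the same rules onto the Active Directory default domain policy.
    # Assumes the ActiveDirectory module and Domain Admin rights; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Domain)   # e.g. 'corp.example.com' (hypothetical)
    $policy = @{
        Identity                 = $Domain
        MinPasswordLength        = 12                          # the article's minimum
        ComplexityEnabled        = $false                      # no composition rules
        MaxPasswordAge           = [TimeSpan]::Zero            # 0 = never expires; change only on compromise
        LockoutThreshold         = 10                          # limit failed attempts ...
        LockoutDuration          = (New-TimeSpan -Minutes 15)  # ... then lock out for 15 minutes
        LockoutObservationWindow = (New-TimeSpan -Minutes 15)
    }
    if ($PSCmdlet.ShouldProcess($Domain, 'Set default domain password policy')) {
        Set-ADDefaultDomainPasswordPolicy @policy
    }
}

# Usage with constructed inputs:
Test-NistPassword -Password 'password' -MinLength 8                        # rejected: compromised list
Test-NistPassword -Password 'Contoso-Winter-2024' -ContextWords 'Contoso'  # rejected: context word
Test-NistPassword -Password 'correct horse battery staple'                 # accepted: spaces are fine
Test-NistPassword -Password 'Kätzchen träumen 🐱 von Milch'                 # accepted: Unicode is fine
```

The first call lowers the minimum to NIST's 8 only to show the blocklist firing; with the article's 12-character minimum the same password is rejected for length before the hash is ever computed. Run `Set-NistDomainPasswordPolicy -Domain corp.example.com -WhatIf` on a domain controller to see what would change before applying it.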
- SPAM and Malware Protections – If you are a Microsoft 365 company, ensure that the full Advanced Threat Protection suite (now sold as Microsoft Defender for Office 365) is turned on and configured. Being on the Microsoft 365 platform does not shift responsibility for your tenant’s security to Microsoft: under the shared-responsibility model Microsoft secures the platform, and configuring and monitoring your tenant is your job. Barracuda SPAM and Malware protection and web filtering can be added as a further layer in front of, or alongside, the Microsoft filtering.
- Routine Password changes (Routers, Firewalls, Switches, Administrator and Service Accounts) – Passwords are not only user and administrator passwords. Switches, routers and firewalls have passwords, and so do the service accounts used by copiers, printers, phone systems and, in some cases, software that needs a user name and password on your network. Most of these devices sit behind your firewall and are not exposed directly to the Internet, but that does not reduce the need to secure them: change the default credentials on installation, change the passwords at least annually, and change them whenever a person who knew them leaves. Firewalls, routers, switches, copiers, printers and similar devices should never be configured with the domain administrator account or with a specific person’s user account. Each device should have its own service account with only the permissions required for proper operation, so that a compromised copier cannot become a compromised domain.
- Routine Vulnerability Testing – Networks change all the time: hardware upgrades, software upgrades, patching, legacy software and many other changes can affect your security. Scanning your network for vulnerabilities that expose the business to risk should be part of your routine security program. These vulnerabilities don’t have to be something a person did: some software changes the operating system or needs elevated permissions to operate correctly, and a bad actor can take advantage of that. Routine scanning, from inside the network and from the Internet side, identifies those weaknesses so that you can resolve them or put countermeasures in place; a credentialed (authenticated) scan finds far more than an unauthenticated scan of open ports.
- Advanced Threat Protection in Microsoft 365 – If you are using Microsoft 365, turning on Advanced Threat Protection (renamed Microsoft Defender for Office 365 in 2020) adds a layer of protection through its cloud-based email filtering: Safe Attachments detonates unknown attachments in a sandbox before delivery, Safe Links rewrites URLs and checks them at click time, and the anti-phishing policies protect against impersonation, all in real time. Alongside it, Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) runs on Windows workstations and servers, extends to cloud-based services, and automates alerting and remediation of complex threats. Microsoft Advanced Threat Analytics, and its cloud successor Microsoft Defender for Identity, watch Active Directory traffic to detect advanced targeted attacks and insider attacks. If you are a Microsoft 365 user, these layers complement the layers of security you already have in place, and you might consider taking advantage of them.
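To check that these layers are actually switched on rather than assumed, here is an added example (not the article’s code and not a Microsoft script) that reads the Exchange Online Protection and Defender for Office 365 policies in a tenant and reports which of the expected protections are in place. It assumes the ExchangeOnlineManagement PowerShell module, an already connected session, and an account holding at least the Global Reader or Security Reader role; the function names, the account name and what counts as “compliant” are this example’s own choices. The Defender for Office 365 cmdlets return errors in a tenant with no Defender for Office 365 (Plan 1 or 2) licenses.

```powershell
# Added example (not from the original article): read-only audit of Exchange Online
# Protection and Defender for Office 365 (formerly Office 365 ATP) settings.
# Assumes:  Install-Module ExchangeOnlineManagement
#           Connect-ExchangeOnline -UserPrincipalName reader@contoso.example   (hypothetical account)

function Get-DefenderForOffice365Report {
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Ok, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Compliant = [bool]$Ok; Detail = "$Detail" }) }

    # Anti-malware (EOP, included in every plan): at least one policy with the
    # common-attachment-type filter on, so executables and scripts are blocked by extension.
    $malware = @(Get-MalwareFilterPolicy | Where-Object { $_.EnableFileFilter })
    & $add 'Anti-malware common attachment filter' ($malware.Count -gt 0) ($malware.Name -join ', ')

    # Anti-phishing: enabled policies that use mailbox intelligence and spoof intelligence.
    $phish = @(Get-AntiPhishPolicy | Where-Object {
        $_.Enabled -and $_.EnableMailboxIntelligence -and $_.EnableSpoofIntelligence })
    & $add 'Anti-phishing with mailbox and spoof intelligence' ($phish.Count -gt 0) ($phish.Name -join ', ')

    # Safe Links: a policy that rewrites and scans URLs in mail and does not let users
    # click through to a flagged page, plus an enabled rule that applies it to someone.
    $links = @(Get-SafeLinksPolicy | Where-Object {
        $_.EnableSafeLinksForEmail -and $_.ScanUrls -and -not $_.AllowClickThrough })
    $linkRules = @(Get-SafeLinksRule | Where-Object { $_.State -eq 'Enabled' })
    & $add 'Safe Links policy enabled and scoped' ($links.Count -gt 0 -and $linkRules.Count -gt 0) ($links.Name -join ', ')

    # Safe Attachments: an enabled policy that blocks, or dynamically delivers, until the
    # sandbox verdict is in, plus an enabled rule scoping it.
    $attach = @(Get-SafeAttachmentPolicy | Where-Object {
        $_.Enable -and ($_.Action -in @('Block', 'DynamicDelivery')) })
    $attachRules = @(Get-SafeAttachmentRule | Where-Object { $_.State -eq 'Enabled' })
    & $add 'Safe Attachments policy enabled and scoped' ($attach.Count -gt 0 -and $attachRules.Count -gt 0) ($attach.Name -join ', ')

    # Safe Attachments for SharePoint, OneDrive and Teams is a single tenant-wide switch.
    $atp = Get-AtpPolicyForO365
    & $add 'Safe Attachments for SharePoint/OneDrive/Teams' $atp.EnableATPForSPOTeamsODB "EnableATPForSPOTeamsODB=$($atp.EnableATPForSPOTeamsODB)"

    $findings
}

function Test-DefenderForOffice365Baseline {
    # $true only when every check above is compliant; handy as the exit condition of a scheduled report.
    $report = Get-DefenderForOffice365Report
    (@($report | Where-Object { -not $_.Compliant }).Count -eq 0)
}

# Usage: Get-DefenderForOffice365Report | Format-Table -AutoSize
```

If the tenant uses Microsoft’s preset security policies (Standard or Strict), the Safe Links and Safe Attachments policies and rules they create are picked up by the same checks. A policy without an enabled rule protects nobody, which is why each Defender check insists on both.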
- System Auditing – System auditing is something I encourage companies to do all the time; it is essential to understand the state of your technology from an objective perspective. However, there are many kinds of technology audit, from ones that have been cooked up in a basement to formal, standards-based audits. One standard I follow when doing technology audits is ISACA’s COBIT 5 framework (since superseded by COBIT 2019), which is a governance model for how technology supports your business plan rather than a technical vulnerability assessment. Before you sign up for a technology audit, make sure you know which framework the auditor will use so that the value of the audit meets your expectations and needs.
- System Air Gapping – Air gapping, as the term is used within a business network, is a method of isolating the different areas of your system to protect them from hacking and the spread of viruses, and to contain and limit the effects of ransomware. In some cases you entirely isolate the operating segments of your network from each other, meaning they don’t see each other and can’t access each other. Strictly speaking, an air gap is a physical separation with no network path at all; what most businesses actually implement is logical separation (network segmentation with VLANs and firewall rules between segments), and that protection holds only as long as an attacker cannot cross the boundary through a shared credential, a misconfigured rule or a machine connected to both sides. Either way, if you get hacked or infected with ransomware, you have limited the exposure. Isolation is mission-critical for your backup: the backup system should not be reachable from, or share credentials with, your production system, because without separation, when one gets infected so does the other. Have the backup system pull data from production rather than letting production push to it, and keep at least one copy offline or immutable so that an attacker holding production credentials cannot reach it.
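As an added example (not from the article, and not a Datto or Barracuda configuration), here is the network half of that backup isolation applied to a Windows backup server with Windows Defender Firewall, using the pull model: the backup server may initiate connections to production, but nothing in production can initiate a connection to the backup server. The addresses (production on 10.10.0.0/16, a management jump host at 10.20.0.5), the rule names and the function names are this example’s assumptions; run it elevated on the backup server, with -WhatIf first.

```powershell
# Added example (not from the original article): the network half of backup isolation
# on a Windows backup server, using Windows Defender Firewall and a pull model.
# Hypothetical addresses: production LAN 10.10.0.0/16, management jump host 10.20.0.5.
# Run elevated on the backup server; try -WhatIf first.

function Set-BackupHostIsolation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ProductionSubnets = @('10.10.0.0/16'),
        [string]$ManagementHost = '10.20.0.5'
    )
    if (-not $PSCmdlet.ShouldProcess('backup host firewall', 'apply isolation rules')) { return }

    # 1. Default deny inbound on every profile. Outbound stays allowed so the backup
    #    server can initiate the pull from production; production never initiates to it.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    # 2. Explicit block for anything production tries to open toward the backup server.
    #    Block rules take precedence over allow rules, so a later "allow SMB" rule
    #    cannot accidentally expose the backup repository to a compromised workstation.
    New-NetFirewallRule -DisplayName 'Backup: block inbound from production' `
        -Direction Inbound -Action Block -RemoteAddress $ProductionSubnets -Profile Any | Out-Null

    # 3. Remote management only from the jump host: RDP (3389) and WinRM (5985/5986).
    New-NetFirewallRule -DisplayName 'Backup: management from jump host' `
        -Direction Inbound -Action Allow -RemoteAddress $ManagementHost `
        -Protocol TCP -LocalPort 3389, 5985, 5986 -Profile Any | Out-Null
}

function Test-BackupHostIsolation {
    # Read-only check for a scheduled job: $true only if the block rule exists, is
    # enabled and still blocks. Someone "temporarily" disabling it shows up here.
    $rule = Get-NetFirewallRule -DisplayName 'Backup: block inbound from production' -ErrorAction SilentlyContinue
    [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}

# Usage:  Set-BackupHostIsolation -WhatIf     then     Set-BackupHostIsolation; Test-BackupHostIsolation
```

This enforces only the network path. The credential path matters just as much: the backup job’s service account should have no rights beyond what the job needs, production systems should hold no credentials for the backup server, and at least one copy should be offline or immutable, which no firewall rule can provide.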
- Proactive Patch Management – A critical part of any security program is ongoing patch management: tracking and applying patches, hotfixes and upgrades. The process can and should be automated, but review what is being applied to servers and test patches on a pilot group before the broad rollout; review must not become a reason to delay critical fixes. Just as important, don’t install features or roles you don’t use. If a feature is not needed and is disabled or absent, why load it? Every extra component is attack surface and one more thing to patch, and could expose you to an unnecessary vulnerability.
- Auto Locking – This feature of the Microsoft operating system should be enabled on all your workstations and should require the user’s password to unlock. You can set how long the system waits before it locks the screen; somewhere between 15 and 20 minutes of inactivity is typically recommended, and shorter for shared or public-facing machines. So that no work in progress is lost while a machine sits locked, turn off sleep mode and turn off the setting that powers down the hard drives on desktop machines.
- Local Firewalls – The Microsoft operating systems include a host firewall (Windows Defender Firewall) that can be turned on per machine. If you have mobile people who routinely connect to customers’ systems, public Wi-Fi, home offices or hotels, the local firewall adds a layer of protection for those on the move, because the corporate firewall does nothing for a laptop in a hotel. It can interfere with pushes of new Anti-Virus signatures, operating system patches and upgrades, so the answer is to create explicit allow rules for your management, Anti-Virus and patching traffic, not to turn the firewall off.
- Removing Local Administrator Rights – This is always a tough one for end-users who are used to complete control of their local computers. Without local administrator rights the end-user cannot load driver updates or some other routine items, and some legacy applications still require the user to be a local administrator. However, a great deal of malware depends on those same rights: without them it cannot install services or drivers, disable the Anti-Virus, or dig in to survive a reboot, and a compromised account stays a compromised account rather than becoming a compromised machine. It is not a complete cure, since ransomware running as a standard user can still encrypt every file that user can write, which is why this layer sits alongside backups and endpoint protection. Removing local administrator rights will create end-user noise for management, and this is where the grit to hold the course of security over convenience is required.
- Data Encryption (BitLocker) – According to Computer Forensics World, BitLocker cannot protect you from ransomware and in some cases makes the situation worse, since the ransomware simply encrypts files on top of a volume that is already encrypted. What BitLocker does do, when tied to the TPM, is verify the boot components at start-up and refuse to release the key if they have been tampered with, which defends against some firmware- and boot-level malware. BitLocker has its weaknesses: attacks have been demonstrated that extract the BitLocker encryption key from a running or sleeping machine, exposing the data to theft, and the default TPM-only configuration is exactly what a cold boot attack targets. BitLocker should be one layer within your security program and policies. It protects the data on a lost or stolen hard drive that is powered off, or at least makes extracting that data far harder and requires a higher level of expertise. Require a pre-boot PIN in addition to the TPM, have machines shut down rather than sleep when they leave the office, and escrow every recovery key in Active Directory or Azure AD, because a BitLocker volume whose recovery key is lost is as unrecoverable for you as for the thief.
- Workstation Backup – Backing up local workstations is as important as backing up your servers. If you are a Microsoft 365 user this is easy: turn on automatic sync of the Desktop and Documents folders with OneDrive (Known Folder Move) within the Microsoft 365 environment, and the backup of your Microsoft 365 tenant then catches all of that workstation data in your corporate backup. Note that the sync on its own is not a backup: a file encrypted by ransomware syncs to OneDrive just as a good file does, so the independent tenant backup, with its own retention, is what actually protects you. If you are not using Microsoft 365, redirect the Documents folder to your local file server (folder redirection with offline files) so that whenever the workstation is connected to your network the files land on the server, where they are backed up as part of your corporate backup.
- Workstation hardware and Operating systems – It is critical to manage your workstation hardware and keep it current. There are vulnerabilities in hardware and firmware that a hacker or bad actor can exploit, and old hardware stops receiving firmware fixes. It is typically recommended to put workstations, laptops and mobile devices on a life-cycle replacement program of 3 to 4 years. Operating systems may impose tighter limits: some of the newer Microsoft operating systems won’t run on older hardware (Windows 11, for example, requires TPM 2.0 and a supported processor), so check support before you upgrade rather than finding out afterwards. Proactive patch management on local workstations, keeping operating system and application patches current, is critical to any routine security program.
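The workstation items above (auto locking, the power settings, the local firewall, local administrator rights, BitLocker, workstation backup via OneDrive, and patch currency) can all be read from the machine, so here is an added example (not the article’s code) of a read-only audit that reports each one as compliant or not. It assumes Windows 10 or 11 Pro or Enterprise with the built-in LocalAccounts, NetSecurity and BitLocker modules, an elevated PowerShell session, and that OneDrive Known Folder Move is enforced through the KFMSilentOptIn policy; the function names, the thresholds (15-minute lock, 30-day patch age) and the approved-administrator list are this example’s choices.

```powershell
# Added example (not from the original article): read-only audit of the workstation
# settings discussed above. Run in an elevated PowerShell on the workstation itself.

function Get-WorkstationHardeningReport {
    param(
        [int]$MaxLockSeconds  = 900,   # the article's 15 minutes
        [int]$MaxPatchAgeDays = 30,
        [string[]]$ApprovedAdmins = @('Administrator', 'Domain Admins')  # break-glass account + domain group only
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Ok, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Compliant = [bool]$Ok; Detail = "$Detail" }) }

    # 1. Machine-wide inactivity lock: the "Interactive logon: Machine inactivity limit" policy.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $timeout = (Get-ItemProperty -Path $sys -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    & $add "Auto-lock within $MaxLockSeconds s" ($timeout -and $timeout -le $MaxLockSeconds) "InactivityTimeoutSecs=$timeout"

    # 2. Sleep and disk power-down on AC power, read from the active power scheme
    #    (powercfg prints "Current AC Power Setting Index: 0x0000XXXX", a value in seconds).
    function Get-AcTimeoutSeconds([string]$SubGroup, [string]$Setting) {
        $out = powercfg /query SCHEME_CURRENT $SubGroup $Setting 2>$null
        if ("$out" -match 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)') { [Convert]::ToInt32($Matches[1], 16) }
    }
    $standby = Get-AcTimeoutSeconds SUB_SLEEP STANDBYIDLE
    $disk    = Get-AcTimeoutSeconds SUB_DISK  DISKIDLE
    & $add 'Sleep disabled on AC power'     ($standby -eq 0) "standby=$standby s"
    & $add 'Disk power-down disabled on AC' ($disk -eq 0)    "disk=$disk s"

    # 3. Host firewall on for every profile with inbound blocked by default
    #    (NotConfigured falls back to Block, so only an explicit Allow is a finding).
    $profiles = Get-NetFirewallProfile
    $bad = @($profiles | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' })
    & $add 'Host firewall enabled, inbound default Block' ($bad.Count -eq 0) (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')

    # 4. The local Administrators group contains only the approved accounts.
    $admins = @(Get-LocalGroupMember -Group Administrators | ForEach-Object { $_.Name })
    $extra  = @($admins | Where-Object { ($_ -split '\\')[-1] -notin $ApprovedAdmins })
    & $add 'No unexpected local administrators' ($extra.Count -eq 0) ($admins -join ', ')

    # 5. OS drive encrypted with BitLocker, protection on, recovery-password protector present
    #    (the recovery password is what gets escrowed to AD or Azure AD).
    $os = $null
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    }
    $recovery = @($os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    & $add 'BitLocker on for OS drive with recovery key' ($os.ProtectionStatus -eq 'On' -and $recovery.Count -gt 0) "Status=$($os.VolumeStatus) Protection=$($os.ProtectionStatus)"

    # 6. OneDrive Known Folder Move enforced by policy (the value is the tenant ID).
    $kfm = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -Name KFMSilentOptIn -ErrorAction SilentlyContinue).KFMSilentOptIn
    & $add 'OneDrive Known Folder Move enforced' ([bool]$kfm) "KFMSilentOptIn=$kfm"

    # 7. Something has been patched recently.
    $last = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age  = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { $null }
    & $add "Patched within $MaxPatchAgeDays days" ($null -ne $age -and $age -le $MaxPatchAgeDays) "last=$($last.HotFixID) $age days ago"

    $findings
}

function Test-WorkstationHardened {
    # $true only when every check passes; use as the exit condition of a scheduled job.
    $report = Get-WorkstationHardeningReport
    (@($report | Where-Object { -not $_.Compliant }).Count -eq 0)
}

# Usage: Get-WorkstationHardeningReport | Format-Table -AutoSize
```

Each check reads the setting that a Group Policy or Intune profile would write, so a workstation that passes here is one where the policy actually applied, not one where it was merely assigned. Run it through your RMM tool on a schedule and alert on any row where Compliant is False.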
Policies and Procedures:
- Data Retention and Archiving – There comes a time in every company when it is time to archive or purge old data. Depending on your industry, local, state or federal regulations may dictate how long you must retain data. Once that time has passed, what do you do? Having data retention policies in effect is an essential part of overall data management. That data doesn’t necessarily need to disappear; it can be moved and secured as a long-term record archive. Keep the archive on an independent system, isolated from your production system, with the rights to change the data limited to a few people. If you need one to start the thinking process, I have data retention policies available. Data retention policies are essential to your security processes: the more data on the production system, the longer recovery takes after an incident, and archiving old data off production ensures it does not get stolen along with the live data if production is compromised.
- Computer Use Policies – Every company should have a computer use policy that outlines the acceptable use of computer resources within the company. If an employee does something with your computer system that creates a legal issue for the business, the policy gives you the teeth to act. It protects you, and it gives your users boundaries that you can enforce later.
Security is an ever-evolving business, and the critical thing to remember is that system hacking and ransomware are a business and a job, much like the job you have. Attackers invest in technology to break into systems, infect them, and get paid by holding you hostage to your own data and systems. These people and organizations keep investing in new ways to exploit weaknesses in systems, software and operating systems; these incidents don’t just happen, they are an organized effort, and the investment attackers make to get in is typically larger than the investment corporations make to keep them out and secure their networks.
By Scott M. Lewis, President / CEO Winning Technologies, Inc.
About the Author: Scott Lewis is the President and CEO of Winning Technologies Group of Companies, including Liberty One Software, Lingo Telcom, and XpressHost LLC. Scott has over 40 years of experience in the technology industry, managing systems as small as a few users and as large as thousands of users. Scott is a nationally recognized speaker and author on technology subjects. Scott has worked with thousands of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed over 2,000 systems for large, medium, and small companies. Winning Technologies aims to work with companies to select, implement, manage, secure and support technology resources. If you are interested in Scott doing Security Awareness Training, Technology Auditing, Winning Technologies MSP services, or learning more about Arctic Wolf, Darktrace, or Mantix4, you can contact him at www.winningtech.com or call 877-379-8279.