Security Meets Cost

I was recently asked by a small business how could they secure their IT on a budget this made me stop to think about that tricky subject "security meets cost". It is in these terms that a business must be practical, you need to stand back and identify your actual financial loss were a cyber attack or unforeseen event to occur resulting in the loss of data. And to be quite honest if your spending thousands on perimeter controls and don't have anyone in your business who can properly configure, monitor and maintain these devices then your really just throwing money down the drain.

After going through the business I advised them to put in place a number of steps that would go a long way towards protecting them. It must be noted that the business in question did not deal with any payments card information (PCI), personally identifiable information (PII) or personal health information (PHI) if your business is dealing with the above then you will need to put more controls in place.

My plan for the business was pretty simple and I will lay it out below.

1) Education:
This is one of the fundamental roles that small businesses neglect, there are hundreds of services out there that will do training days on different areas in an easy to understand and education manner. If you can train staff to identify Phising, Smishing and other everyday threats then you are starting to win a war on the front line. Education helps get employees to think before opening an attachment or giving out "harmless" information over the phone. For the more adventures small business there are packages available for you to run harmless attacks that contain educational videos when clicked. PhishMe would be one such company that comes to mind in that regard.

2) Backups:
This one is quite simple but often forgotten, with the rise of ransomware every small business should keep daily or weekly backups. These backups should be occasionally tested to ensure that they can restore systems in the event of an emergency such as a ransomware infection.

3) Business Continuity Plan:
 Every business should have one and should test it, you can work on building this up over a period of time but you need to start somewhere. EG. if the building floods are our desktops on the floor? Maybe we should elevate them to mitigate this problem. During this flood do employee have the ability to work from home? Yes we have remote access to the building over our companies VPN.

The above are just suggestions but you get the drift if you start to disect your company and compare it to potential events you might be surprised what you come up with. Fail to prepare then prepare to fail.

4) Virus and Anti- malware protection:
Again this is simple but neglected in many small businesses, buy a good antivirus and anti-malware package and set the updates to times you know your employees wont shut them down eg lunch time or after working hours. A good antivirus and malware solution is like having a security guard in your network throwing out all the bad guys.


5) Enable Bit-locker or the equivalent:
Bit-locker encrypts your disk so if someone breaks in and robs your physical machine in theory bit-locker will keep that information safe, unless of course the thief is Homeland security or the equivalent in which case your data is the least of your worries.

6) Password Policy:
Put in place a robust password policy that includes the rotation of passwords regularly and password history check to prevent the re-use of passwords.

7) Third party checks:
If you are using a third party to store data or to provide remote support ask them to provide you with a list of controls that are in place to protect you from a security point of view. If they tell you they are super secure and you need to trust them get worried because this means they haven't got anything to give you and your cloud solution is some guy with a laptop and 15 housemates that use it to stream illegal movies.

8) Document everything!
You should document all of your procedures and workflows because if one guy has all this information and gets hit by a bus your knowledge is dead. Good documentation is key to smooth transition and helps aid security through clarity.



If you get all the above in order you will have made a decent move towards securing your business at a minimal cost, of course there is plenty of room to do more but the hardest part is always to make a start.

Is Facebook tracking me?

Have you logged onto Facebook in the past few months and been targeted with an advert relating to something you recently looked up on your device? For the majority of people the answer to this will be yes. Only a few days ago I searched for the new Jaguar using safari on my iPhone, that evening when I opened the Facebook app I was met with an advert for the new Jaguar XF. This was a very strategically placed targeted advert, and you need to remember that the reason Facebook is free is because we the users are the product. It was reported in the states that Facebook makes approx $7 a year for each and every user by giving marketers access to a defined market based on search history and social patterns of users. Now I have no issue with this, my issue however is I was carrying out searches for the above Jaguar car on safari and not through the Facebook app and this is where it gets a little scary. If I did not use the Facebook app to carry out a search how did I get an advert targeting me for this item? Well my guess is that Facebook is actually monitoring my activity on my phone even though I have it pretty well shutdown. You will notice on all of these adverts that at the top right hand corner there is a little arrow when you click this you get a drop down menu. On this drop down menu you will see the option "why am I seeing this?" This is Facebook's way of telling you why you have been targeted with a specific advert when I clicked on this I got the below information.

As you can see it specifically notes that this information is based on information from your profile and here is the important part AND YOUR DEVICE! Now you can limit Facebook right down by enabling all of your privacy setting but there is no option to click that says "stop spying on my applications outside of Facebook". The issue is if I have limited all of my privacy setting to the highest level how is this information still been obtained? And what information is Facebook gathering from my device? We know that tracking cookies are more than lightly the reason that Facebook can obtain this information so there is one way to stop this, you could stop your device from receiving cookies. This however is not a great solution as you need cookies enabled in order to log into any site where you may have a user account otherwise your session won't run so you can see where the issue lies if you were to turn them off. This means that until someone comes up with an iron clad way to stop tracking cookies from monitoring your online activity it's up to you how much information you really want to share. 

                                     

  

  

5 golden rules for staying safe online

If you have been reading my posts you will notice that a number of points keep popping up. The reason for this is of course that these particular points are vital to keeping yourself safe online. For the few out there who want to do the minimum in order to stay safe I am laying out 5 golden rules to follow.

1) Keep your software updated

Updating software, whether it be on your phone, laptop, or television, is extremely important. When hackers discover new ways to steal your data, gadget and software companies usually work quickly to release fixes for those vulnerabilities. Once a fix is in place an update becomes available and you should download this update, I try to set as many applications as possible to do automatic updates or in the case of my phone I set it running at night time when its not been used.

2) STOP using the same password everywhere

You are living in an age of big hacks and data breaches if you use the same password everywhere once your details are stolen once all your accounts are compromised. And you can be guaranteed that there is a high possibility your details have already been stolen from somewhere.  

3) Don't fall for phishing scams

These scams are getting more and more frequent and the attacks been used are becoming more professional. I recently received an email claiming to be a free password security tester, the email asked me to enter my password to test how strong it is and of course I deleted it as its purpose was of course to steal my password. Be smart when you receive phone calls and emails that you are not expecting and never open an application you receive in an email with the file extension .exe.

4) Add recovery contact information to your accounts

This is important you should always have two different contact methods on your accounts. The reason for this is if you forget your password and lose your phone well then your snookered and you may be locked out of that account forever, leaving your information hanging in cyber space. The second reason for this is If your account is compromised, companies will probably try to let you know. But that’s only possible if they have some means of getting in touch with you on file.

5) Enable two factor authentication 

Two-factor authentication adds an extra layer of security to your accounts by requiring another code in addition to your memorized password. That code can be sent to your smartphone via a text or generated by an app. With two-factor authentication, even if a hacker has your username and password, he or she won’t be able to access your account unless they also have your smartphone — not a likely scenario. I ask if you don't do any of the above at least do this one and give yourself some chance of staying protected.

How safe are messaging apps

With the massive rise in popularity of messaging apps in the past few years with Snapchat said to have at least 30 million active monthly users while WhatsApp and LINE sport 400 million and 300 million registered users, respectively. The ever increasing risk of cyber attacks against such accounts and there retrospective servers is a given. The issue with a lot of these apps is they request a mountain of personal information in order for you to be able to use the service. Giving this information requires a lot of trusting of the application developer and from past exploits its hard to say a lot of these developers deserve your trust. The question now is "how do you protect yourself whilst using such application?"

Well in order to help you with this I have compiled a number of steps that if followed should help minimize your risk of exposure if your account becomes victim to a cyber attack.

1) Be discreet. If you want to use messaging apps as a way to contact certain people, avoid using real-life identification details that can be traced back to you. If that can’t be avoided, use as little real information as possible, depending on the app you’re using. Avoid linking your social networking profiles to your messaging app accounts.

2) Secure your messaging app accounts. Use a unique email account for your messaging app. Don’t reuse passwords.

3) Don’t share anything you wouldn’t want the public to get wind of. Oversharing is one of the biggest mistakes you can ever make online; using messaging apps is no exception. Be aware of what you share. And when in doubt, keep sensitive information to yourself.

4) Limit what access you give your messaging application eg don't give access to your location or photos unless you need to.

Staying anonymous online (The Basics)

This is a topic that seems to keep popping up over and over again for many different reasons some good and some bad. In my opinion everyone should have the right to remain anonymous online if they choose to do so. I know in the extreme cases Governments are claiming that terrorists and criminals are using encryption of a means to carry out organised crime and nation attacks, however does this mean the rest of free society should give up the right to remain anonymous online? If you believe that the answer to this question is no then you can take a number of steps to help keep your     online identity non-existent. The steps below in no way mean that the FBI won't know who you are if you start doing some illegal shit like hiring an assassin on the dark-net so I strongly advise against doing so.

1)  If you are the type of person who wants no digital footprint then you might not want to join social media sites. The amount of personal data that social networking sites like Facebook, Google Plus and Twitter have harvested from their billions of users is shocking. Head to facebook.com/settings and click ‘Download a copy of your Facebook data’ and you might be surprised to see just how much information is on file. More or less everything you have ever done on Facebook is saved in this file so you can kind of get a feel for just how much information these sites hold on you.

2)  My second tip is another rather simple approach, go incognito The top four most popular browsers - Google Chrome, Mozilla Firefox, Internet Explorer and Safari - have a private browsing mod. With private browsing activated, your browser will not store cookies or internet history on your computer. This is quiet a limited function and is really only of use to hide information from others such as a significant other. I say this because Private browsing does not securely hide your identity or browsing activities beyond your local machine as your IP address can still be tracked.

3)  It is a known fact that many websites track and monitor their users activity, this can actually cost you money. An example of this is that plane ticket that you want to buy so you regularly check to see if its sold out, then when you have the cash the bloody ticket has gone up in price, the reasons for this could very well be website tracking. The issue with website tracking is you can't see if the websites you are visiting are actually tracking you. Ghostery is a free browser extension - available on all major web browsers - that will reveal these trackers, also known as web bugs. You can then decide which web bugs you’re comfortable with tracking you and which ones you’d like to block.

4)  Stop using Dropbox, I know that its a handy tool but as Edward Snowden once stated about Dropbox "they are a cloud service hostile to privacy". Lucky enough if you still want a way to share your files Snowden himself recommends that you use Spideroak to do so. The reason for this being that Spideroak is a zero-knowledge encrypted data backup, share, sync, access and storage service.

5) Use an alternative search engine to the mainstream, I suggested in a previous post that the best search engine for this is DuckDuckGo, which promises never to track your searches and “emphasizes protecting searchers’ privacy and avoiding filter bubble of personalized search results.

6) Reconsider your phone options, if you have a smartphone then staying anonymous just became a whole lot harder. The reason for this is for some reason every app you download these days wants access to your location,contacts,camera,microphone etc which makes staying off the grid impossible really. If you are super parnoid may I suggest investing in the super cool name "Blackphone" This is an ‘NSA-proof’ smartphone that claims to provide privacy features for texts, emails, web browsing and phone calls.

7) Use a Virtual Private Network (VPN)!!! I am sick of repeating this and if you really are serious about staying anonymous online this is simply a must have. You ask what is a VPN? Well essentially it hides your IP address and runs all your online data via a secure and encrypted virtual tunnel, which can keep websites from tracking your online activity or even knowing which country you’re browsing from (which is great for American Netflix). The catch with a using a VPN is don't ever trust a free one so you will need to shell out a few quid every month for the privilege of the service. Their has been a lot of talk recently about how secure certain VPN's are so do some of your own research and find the best one for you.

8) If you are using a popular webmail service such as Gmail then you might want to either change to a more secure provider or else add some security to your current provider. To do this I would suggest installing Mailvelope. Mailvelope is a browser extension for Google Chrome or Mozilla Firefox that brings OpenPGP encryption to your webmail service. Similar extensions exist, such as SecureGmail, which encrypts and decrypts emails you send through Gmail. Alternatively you could start using a webmail service such as Hushmail. Hushmail is currently very popular, it provides a private email account with no ads, built-in encryption and unlimited email aliases. Their is a limited free version of Hushmail however like everything you need to pay to get all the bells and whistles. For the more paranoid their is always the option of Disposable Email Addresses (DEAs). These are anonymous and temporary. They allow users to quickly create new email addresses as-and-when they’re needed, which can then be disposed of after use. There are many companies that provide this type of service however the more reliable one may come in the form of Guerrilla Mail and Mailinator.

Securing your laptop

For most people laptops are a normal part of their daily lives, however how much thought do people actually put into how secure these devices are? We use laptops for work, banking, our personal data photographs etc so why don't we spend more time securing the devices that we spend so much of our lives on? The main reason is probably effort, it just takes to much effort to worry about all that crap. Whats the worst thing that could happen anyway? I suppose worst case scenario is identity theft followed by all your bank accounts reset to zero and an email to everyone in your contacts of that inappropriate picture you took on a late Saturday night and forgot to erase. But lets not think about what could happen as I am going to give you a list of 5 things you can do to hopefully prevent some of the above.

1) Patch your operating system/ applications

This one is pretty straight forward, Microsoft and Apple both send out regular patches for their operating systems you should take the time to install these and keep your operating system up to date. Most attackers will try and exploit weaknesses in an operating system so by keeping your system patched you are staying a step ahead of at least some attacks.

For information on how to do this on Windows click here

And for apple click here


Once you have your operating system all patched your focus should turn to your applications as the same applies here. A handy tool that I use for this is the free software vulnerability scanner Secunia PSI that can be downloaded here. I don't believe that this works with mac but the link above on apple explains how you can keep all of your iOS applications updated. You should also install an anti-virus software AVG is a good free one for malware you can also install malware bytes this is free for a trial period which should be long enough to get rid of any nasty malware on your system.

2) Create a backup

This is very important and with the flurry of ransomware attacks happening at the moment it may also save you losing a week or twos wages to get your data back. Creating a backup in Windows is actually pretty straight forward.

go to Control Panel - Backup and Restore - Create a system image

Once you get here you need to plug in a hard drive or multiple cds/dvds for your machine to backup to. It takes about 2 hours depending on your system but might save you a major headache long term!

Apple has a number of backup options that can be found here. 

3) Encrypt your hard drive

This is important it also takes a bit of time so do it last thing in the evening as it does effect the performance of your machine whilst running. Remember encrypting your hard drive will keep your data safe if your machine is ever lost or stolen. Windows uses BitLocker to encrypt drives and can be turned on by going to the search bar at the bottom of your screen and typing in "Manage Bitlocker"

this will open up the Bitlocker manager here you can turn bit locker on. If you get an error message about TPM you will need to do the following before you proceed:

1) Log on to Windows 10 computer with the account that has administrative privileges.

2) Click Start and at the bottom of the menu in search box type GPEDIT.MSC command and press enter key.

3) On the opened Local Group Policy Editor snap-in from the left pane expand Computer Configuration > Administrative Templates > Windows Components > Bit Locker Drive Encryption and from the expanded list click to select Operating System Devices.

4) From the right pane double-click “Require additional authentication” at startup.

5) On the opened box click to select Enabled radio button and ensure that under Options section Allow Bit Locker without a compatible TPM checkbox is checked.

6) Once done, click Ok button to allow the changes to take effect and close Local Group Policy Editor snap-in.

Once this is done return to the Bitlocker manager and turn Bitlocker on, it is very important that you keep the recovery password you are given in a safe place as you will need this if you ever forget your password.

Apple uses FileVault to do this and the instruction to do this can be found here.

4) Invest in a VPN

I know I have said this before but I can not stress it enough if you want to keep your online data away from prying eyes and protect yourself whilst using wireless networks a VPN is a must have!! There are tons of premium VPNs on the market so do some home work and find one that suits your budget and expectations. Like I said before I use AirVPN I haven't had any issues with it yet other than a few lingerings DNS issues that may be linked more so to Windows 10 than the VPN. My plan costs €30 for six months and I have unlimited bandwidth, but like I said do your own research and pick a VPN that suits your needs. Stay away from free services unless you really trust to provider even then be wary.

5) Lock-down Windows 10 

Microsoft has more or less given anyone who wants Windows 10 the operating system for free. Now when large multi-nations start giving their products away for free its only natural to ask why. I don't have the answer on this just yet but I am guessing it has something to do with the large amount of access and data their new operating system gives them if a load of options are not turned off. After researching Windows 10 I have altered my privacy settings from on to off as I do not want to share my location, microphone, camera or calendar with Microsoft or any third party applications. The fact that all of these settings are turned on by default is a bit worrying as many non-tech users are unknowingly sharing all of their private information with both Microsoft and third party applications. To turn all of these setting to off navigate to the bottom right of your screen and click on the notification manager. This is the little box that looks like a chat icon. From here select the all settings tab, you can now navigate to privacy and choose what setting you want turned on or off. I recommended turning everything off unless you rely on an application that requires some of these features left on. And next time you get something for free maybe consider what the motive is for such a generous giveaway in an age where data is the new gold.

If you want to read a bit more about Windows 10 and get more indepth advice on how to lock down certain features I suggest reading: How to secure Windows 10: The paranoid's guide