Good Social Media Hygiene

We’ve all started to get used to our “new normal” of working from home. There have been a lot of posts about how to do this effectively, and some of you may even have used some of the guidance I recently published on here. (A big thank you if you have!)

A quick heads up is probably in order here. As with my previous article, this one isn’t necessarily intended for cyber professionals: rather, it’s aimed at those who don’t work in the industry, and will hopefully give them some insight into how to look after their online health.

We now know that this is going to be how we live and work for – probably – months to come, so we had best settle in and make the most of it.

It’s been great to see how we are making more use of collaboration tools, and there are any number of posts and videos about the pros and cons of the different solutions, as well as the creative ways teams are coming together. I’m not going to talk about that in this post. What I do want to talk about is how we use social media.

We’ve all (hopefully) got the message from our government that washing hands for 20 seconds is a good starting point in our efforts to slow the transmission of the coronavirus. We’re seeing initiatives such as supermarkets provide antibac wipes and gel so you can clean the handles on trolleys before going in. On my rare forays away from the house I’ve noticed so many more people cleaning their hands, and that’s been very reassuring.

But it seems to me that all this time at home has also led to much more engagement on social media, with many more helpful and inclusive posts on neighbourhood forums, for example. There seem to be so many more people joining in online conversations, which seems to be helping to build more of a community spirit. (Yes, I still see the backbiting and trolling too, but much less frequently recently.)

Talking of people being online, it seems like every day we’re hearing about new scams, new ways which the bad guys and gals (I’m going to call them bad actors from here) are trying to get access to our systems and to our details.

I believe that now is a good time to apply good hygiene to our online selves, as well as our physical selves. With all this additional engagement, and the increase in time spent online, I think now is a good opportunity to encourage people to check their privacy settings and tighten them where appropriate.

Just as antibac wipes and handwashing help protect your physical health against the pandemic that’s assaulting us, locking down your social media profiles helps protect your online health against the bad actors mentioned above.

Restricting who can see your friends list, or your latest posts, reduces the open source intelligence (OSINT) gathering opportunities for the bad actors: this in turn reduces the information they have to use against you in phishing and spear phishing attacks, for instance. A message that names your employer, a colleague and the place you posted from last weekend is far more convincing than a generic one.

How do you do this? For each of your social media accounts the process will be slightly different, and if you’re unsure where to start, open Google (or any other search tool) on your internet browser and search for “privacy settings” and the name of the app you’re using. It should then be a case of following the instructions, but bear in mind that these could vary depending on whether you’re accessing your account from a PC, a laptop, an Android phone, an iPhone or other devices.

For most applications, it’s worth bearing in mind that the default settings are as open as possible, and an app update can add new settings or change existing ones without telling you, so it is worth re-checking them from time to time. In general terms, making sure you use two factor authentication on each account, and restricting who can view your profile / posts to people you know, are good things to do. For information on what each setting does, check the help pages on the application’s web site.

For example, I use an iPhone, and the initial steps are:

  • Facebook – Open the app, click on the three horizontal bars at the bottom right of the screen (next to the bell icon that shows that you have notifications), scroll down to Settings & Privacy and then click on Privacy Shortcuts. Go through each of the topics there in turn and amend your settings.
  • Twitter – Open the app, click on your account icon in the top left corner (typically that’s your profile picture), and click on Settings and Privacy. Again, go through each of the topics and amend your settings.
  • Instagram – Open the app, click on your account icon in the bottom right corner (the icon is a person, next to the heart icon), click on the three horizontal bars at the top right of the screen, then click on Settings. Go through each of the topics under Privacy and also under Security and make changes as necessary.
  • LinkedIn – Open the app, click on your account icon in the top left corner (typically that’s your profile picture), click on Settings, then amend the relevant items under the Account and Privacy tabs.

Repeat the process for other apps; by now you should get the idea, I hope. I appreciate that these steps appear convoluted and time consuming, but in reality they don’t take long, and they help to reduce the amount of information you share, and who you share it with.

Working From Home during the pandemic: a simple guide for companies and individuals alike

There’s a lot of talk at the moment about enabling staff to work from home due to coronavirus / COVID-19. There are probably a lot of organisations that would like to make this happen, but who don’t know how to do it securely. These organisations may also have staff who will be working from home for the first time, so they probably need to provide some guidance and support to those staff too.

The intention of this article is to provide some high level suggestions of things to look at, which will have the most impact in terms of reducing the risk of security breaches and helping employees stay productive.

What can the organisation do?

The following points may help those with little knowledge in information security, or with little access to anyone with knowledge, to know where to start in order to keep themselves secure. It’s not an exhaustive list, and you may need to talk to your IT provider / security team for assistance with some of these.

  1. Make sure that you have implemented two factor authentication (2FA) for all users, and that they all know how to use it. A password that has been guessed, reused or phished is then not enough on its own to access systems remotely.
  2. Make sure that all devices have been patched and have antivirus software installed, active and up to date. This is often achieved by using Network Access Control (NAC) to carry out a health check on each device as it connects, only permitting access when it meets specific control requirements; devices that fail the check are held in quarantine while remedial action is carried out.
  3. Make sure that your remote access solution has been penetration tested recently, and that any urgent, high or medium issues have been resolved. This helps mitigate the risk that the remote solution is vulnerable to attack by malicious third parties, and helps ensure remote access for legitimate users is maintained.
  4. Consider stress testing the remote access solution, so that your organisation has a good idea of how many concurrent devices can be connected remotely without adversely affecting performance. It may be necessary to improve the capacity of the remote access solution for the duration of this period where higher numbers than usual of remote users are going to be experienced.
  5. Make sure that users know whether they can print when at home / out of the office and, if they are permitted to do so, they need to know how to securely dispose of any sensitive documentation they print off. For example, using a cross cut shredder may be acceptable while putting confidential documents in a recycle bin at home is probably not the sort of behaviour you want to encourage.
  6. Review your business continuity and disaster recovery plans. Are there key personnel who have to have corporate devices, and others who could be given extra leave instead? It may be that you decide to focus on providing key services to clients and choosing not to deliver all services all the time.
  7. If users are allowed to use personal devices, consider enforcing Network Access Control in the same manner as in point 2 above. Also, make a risk based decision whether non-corporate devices can be used if they do not have full disk encryption enabled. It may be that a temporary waiver can be granted for these extraordinary times, or it may be desirable to issue users with corporate devices if they don’t usually have one at home instead, even though the device may not have the full specification the user is used to.
  8. Consider issuing staff with privacy filters, so that if there are other people in the house / room, confidential data is not visible on screen to all. These are relatively cheap, and are a good idea for staff who often work away from the office anyway.
  9. Check contracts with clients to confirm whether remote working is permitted, and under what conditions. If it is specifically excluded, talk to clients to develop appropriate acceptable working practices while we deal with the initial outbreak.

As mentioned at the beginning, this is not an exhaustive list, but may help focus on the important things from a business perspective.

What about the individuals?

Now, what about the employees who are now potentially going to work from home for the first time? They will also need support and guidance. As someone who has worked from home for many years, I’d suggest that the following are all points which staff may benefit from knowing.

  1. If at all possible, create a separate dedicated workspace, ideally in a room where you can close the door at the end of the working day. This will help keep work and personal life separate. Not everyone will be able to do this, so an alternative of setting up somewhere which is out of the normal areas of high use / footfall within the house is perhaps the next best option. For example, it is a good idea not to set up in the kitchen if possible, because other people in the house will regularly come in for food and drink. This will disturb you and could possibly lead to a breach of security if unauthorised people (such as family and friends) can see what you are working on.
  2. Make sure you take regular breaks. In the office you probably don’t think twice about going to grab a coffee, and working at home is no different. The regular break encourages you to get up and move around, to stretch and perhaps speak to others in the house: this is healthy for you. Take care not to spend all day chatting, obviously, but it’s very easy to fall into the trap of sitting still for hours on end. I have a smartwatch which prompts me to get up and move every hour, and I find that very helpful.
  3. Try to stick to regular mealtimes, as you would do in the office. Many people go out at lunch to sandwich bars, cafes etc, and it may be that you can’t do that when at home. It’s a good idea to know what your normal lunch break would be and try to repeat it at home, bearing in mind you may have to prepare your food in that time too.
  4. Make technology work for you. Have video calls / voice calls as necessary. Some people find that switching on video and connecting to several colleagues, then leaving the video running, helps feel like you’re still in the same office. You don’t necessarily have to talk to your colleagues, but some find it helpful just to see and hear other people in the background.
  5. There’s always a question of whether to have the TV, radio or music on in the same room, or as background noise. That’s a personal choice: some people work well with that additional sound, others don’t. I find that I can’t work when there are those distractions, and I’ve been in offices where the radio is on all day and people seem to be able to work fine with it. Whatever works best for the individual is the right answer.
  6. Make sure you finish when you normally would, or at least when you would normally get home. It’s really important to have a break between work and personal time, so try to stick to your normal routine in terms of start and finish times.

These are some of my thoughts. I hope they’ve been useful. What works for you?

Unhelpful media headlines

Earlier this week an article appeared on the BBC website called “How can we stop being cyber idiots?”. I took umbrage at this for a number of reasons.

First, why alienate readers by calling them idiots? Most people who use computers (I won’t call them users because, as a friend of mine pointed out, “users” has negative connotations around drug and alcohol abuse) generally try to do the right thing. This doesn’t make them idiots.

Second, if people haven’t been educated about the risks of their actions, they may not understand the consequences of not following any guidance they’ve been given. This is a failure on the part of information security professionals, not providing meaningful education which reaches everyone, and which informs on and encourages good behaviour. It doesn’t make the people using computers idiots.

Third, why assume that everyone knows what is right and wrong? As Rik Ferguson pointed out on a podcast I listened to last year, every day is someone’s first day online. So every day someone needs to be told the basics of information security. This doesn’t make those people idiots.

There seems to be a general assumption that everyone knows everything they need to about good cyber security practice, but that’s just not true. It’s an everyday and ongoing challenge to help people understand the consequences of their actions. The risks are constantly changing and evolving, so security professionals like me need to make sure we’re spreading the right messages in the right way.

 

Gatwick Continuity Planning

It was reported on the BBC today that flight departure screens had failed at Gatwick airport for much of the day. The airport authorities implemented their contingency plans – whiteboards – and apparently no flights were delayed or cancelled. Some passengers have complained about a lack of information, but I think that the fact no flights had to be cancelled is a real credit to all involved.

This is a great example of good contingency planning in action. The authorities had obviously thought about what they’d do in advance, so when the screens were unavailable they knew what to do. I can’t imagine they had whiteboards and pens etc just sitting waiting to be used, but it’s a really good effort nonetheless.

What can we learn about this from an Information Security perspective? Business Continuity Planning is vital, but it doesn’t always hinge on having spare technology available. Take it back to basics: what is needed to keep the business running? In this case, electronic boards were replaced with whiteboards and marker pens, but what would be your equivalent?

Try to think about what could happen, and how you would react if there was a problem.

US names arrested Fin7 cyber-gang suspects

This story appeared recently on the BBC website.

Three members of a notorious hacking group, variously called Fin7, Carbanak and JokerStash, have been arrested and named. The three individuals were arrested in Germany, Poland and Spain: one has already been extradited to the US and extradition proceedings have begun against the other two. The hacking group had attacked targets in the US, UK, France and Australia, and is still active today.

The remarkable thing about these arrests is that the agencies involved had to overcome one of the largest obstacles to law enforcement in the digital age: legal jurisdiction. Where computers are connected to each other globally, with actions being carried out from different countries, often in different continents, it’s hard to know which laws have been broken, and which law enforcement agency takes priority / precedence.

In this case, those questions appear to have been answered. There has been a lot of collaboration between the various law enforcement agencies in the US and Europe, resulting in these arrests. It is to be hoped that this level of collaboration becomes the norm, and that countries are able to work together to bring criminals to justice, wherever they are active and irrespective of where their targets are.

Town dusts off typewriters after cyber-attack

This story appeared on the BBC website the other day. Basically the town’s borough council was hit with ransomware and their systems were brought to their knees.

It’s not unusual for one or two devices in an organisation to be infected with ransomware. Typically those devices are isolated from the network and all other machines are checked to ensure that patching and antivirus signatures are up to date. In this case, it would appear that the entire network, including servers, has been infected and devices are having to be rebuilt from scratch, with alternative technology (typewriters – some younger readers may need to look these up) being used in the meantime.

This incident immediately raises a number of questions:

  • How did the organisation allow all machines to get infected?
  • Did they have an incident response plan and did it include this scenario?
  • Were their patching and antivirus regimes appropriate, and was there any kind of reporting in place to identify gaps?
  • Does the organisation have a standard build, and were the build states of all 500 devices known?
  • If the ransomware has been dormant since May, does that mean that backups are also infected? How does the organisation know that restoring from backup won’t reinfect their network?
  • What scanning of incoming attachments was carried out?
  • What training have staff had in respect of phishing emails and incident response procedures?

From those questions, it is relatively easy to identify what good practice would be, e.g. document and test your incident response plans, keep patching up to date, keep backups that are isolated from the network and known to be clean, and train your staff.
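
Two of the questions above, the build state of each device and whether a backup can be trusted, have the same practical answer: a file manifest taken from the standard build before anything went wrong. The following is an added example, not from the original article and not the council’s own process; the directory layout, file names and the list of executable suffixes are constructed for the demo, and a real estate would generate the baseline from its gold image and store it off the network.

```python
"""Added example: check a backup (or a rebuilt machine) against a known-good
file manifest. A manifest of SHA-256 hashes taken from the standard build
answers "what state is this device in?"; comparing a backup against it
shows what was added, changed or removed before the backup was taken."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: a Windows estate; extend for the file types you actually run.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; anything executable that is new or changed is
    listed under 'suspicious' because that is where a dropper would appear."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys()
                     if baseline[k] != current[k])
    suspicious = [k for k in added + changed
                  if Path(k).suffix.lower() in EXECUTABLE_SUFFIXES]
    return {"added": added, "changed": changed,
            "missing": missing, "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: a golden build, and a backup of the same machine
    taken after an unknown executable landed and edited a config file."""
    with tempfile.TemporaryDirectory() as tmp:
        golden, backup = Path(tmp, "golden"), Path(tmp, "backup")
        for root in (golden, backup):
            (root / "app").mkdir(parents=True)
            (root / "app" / "app.exe").write_bytes(b"MZ legitimate application")
            (root / "app" / "config.ini").write_text("mode=prod\n")
            (root / "readme.txt").write_text("standard build v1\n")
        # Differences present in the backup only (all constructed):
        (backup / "app" / "svc.exe").write_bytes(b"MZ never part of the build")
        (backup / "app" / "config.ini").write_text(
            "mode=prod\nupdater=C:\\Users\\Public\\svc.exe\n")
        (backup / "readme.txt").unlink()
        return compare(build_manifest(golden), build_manifest(backup))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest somewhere the ransomware cannot reach (an offline copy or a separate, read-only location), since a manifest stored alongside the backup can be encrypted or altered with it. A clean comparison does not prove the backup is safe, but an executable that was never in the build, or a config file that now points at one, is a question to answer before restoring anything onto a rebuilt network.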