Good Social Media Hygiene

We’ve all started to get used to our “new normal” of working from home. There have been a lot of posts about how to do this effectively, and some of you may even have used some of the guidance I recently published on here. (A big thank you if you have!)

A quick heads up is probably in order here. As with my previous article, this one isn’t necessarily intended for cyber professionals: rather, it’s aimed at those who don’t work in the industry and will hopefully give them some insight into how to help their online health.

We now know that this is going to be how we live and work for – probably – months to come, so we best settle in and make the best / most of it.

It’s been great to see how we are making more use of collaboration tools, and there are any number of posts and videos about the pros and cons of the different solutions, as well as the creative ways teams are coming together. I’m not going to talk about that in this post. What I do want to talk about is how we use social media.

We’ve all (hopefully) got the message from our government that washing hands for 20 seconds is a good starting point in our efforts to slow the transmission of the coronavirus. We’re seeing initiatives such as supermarkets provide antibac wipes and gel so you can clean the handles on trolleys before going in. On my rare forays away from the house I’ve noticed so many more people cleaning their hands, and that’s been very reassuring.

But it seems to me that all this time at home has also led to much more engagement on social media, with many more helpful and inclusive posts on neighbourhood forums for example. There seem to me to be so many more people joining in online conversations etc, which seems to be helping build more of a community spirit. (Yes, I still see the backbiting and trolling too, but much more infrequently recently.)

Talking of people being online, it seems like every day we’re hearing about new scams, new ways which the bad guys and gals (I’m going to call them bad actors from here) are trying to get access to our systems and to our details.

I believe that now is a good time to apply good hygiene to our online selves, as well as our physical selves. With all this additional engagement, but also increase in time spent online, I think now is a good opportunity to encourage people to check their privacy settings and reduce them where appropriate.

Just as antibac wipes and handwashing help protect your physical health against the pandemic that’s assaulting us, locking down your social media profiles helps protect your online health against the bad actors mentioned above.

Restricting who can see your friends lists, or your latest posts, reduces the open sources intelligence (OSINT) gathering opportunities for the bad actors: this in turn reduces the information they have to try to use against you in phishing and spear phishing attacks for instance.

How do you do this? For each of your social media accounts the process will be slightly different, and if you’re unsure where to start, open Google (or any other search tool) on your internet browser and search for “privacy settings” and the name of the app you’re using. It should then be a case of following the instructions, but bear in mind that these could vary depending on whether you’re accessing your account from a PC, a laptop, an Android phone, an iPhone or other devices.

For most applications, it’s worth bearing in mind that they automatically open up your account as much as possible and may reset your settings every so often without warning. In general terms, making sure you use two factor authentication on each account, and restricting who can view your profile / posts to people you know are good things to do. For information on what each setting does, check them out on the application’s web site.

For example, I use an iPhone, and the initial steps are:

  • Facebook – Open the app, click on the three horizontal bars at the bottom right of the screen (next to the bell icon that shows you you have notifications), scroll down to Settings & Privacy and then click on Privacy Shortcuts. Go through each of the topics there in turn and amend your settings.
  • Twitter – Open the app, click on your account icon in the top left corner (typically that’s your profile picture), and click on Settings and Privacy. Again, go through each of the topics and amend your settings.
  • Instagram – Open the app, click on your account icon in the bottom right corner (the icon is a person, next to the heart icon), click on the three horizontal bars at the top right of the screen, then click on Settings. Go through each of the topics under Privacy and also under Security and make changes as necessary.
  • LinkedIn – Open the app, click on your account icon in the top left corner (typically that’s your profile picture), click on Settings, then amend the relevant items under the Account and Privacy tabs.

Repeat the process for other apps, but by now you should get the idea I hope. I appreciate that these appear to be convoluted and time consuming, but in reality they don’t take long and they help to reduce the amount of information you share, and who you share it with.

Working From Home during the pandemic: a simple guide for companies and individuals alike

There’s a lot of talk at the moment about enabling staff to work from home due to coronavirus / covid19. There are probably a lot of organisations that would like to make this happen, but who don’t know how to do this securely. These organisations may also have staff who will be working from home for the first time, so they probably need to provide some guidance and support to those staff too.

The intention of this article is to provide some high level suggestions of things to look at, which will have the most impact in terms of reducing the risk of security breaches and helping employees stay productive.

What can the organisation do?

The following points may help those with little knowledge in information security, or with little access to anyone with knowledge, to know where to start in order to keep themselves secure. It’s not an exhaustive list, and you may need to talk to your IT provider / security team for assistance with some of these.

  1. Make sure that you have implemented two factor authentication (2FA) for all users, and that they all know how to use it. This helps mitigate the risk of having unauthorised users accessing systems remotely.
  2. Make sure that all devices have been patched and have antivirus software installed and active. This is often achieved by using Network Access Control to carry out a health check on devices, only permitting access when they meet specific control requirements. Devices are held in quarantine while remedial action is carried out.
  3. Make sure that your remote access solution has been penetration tested recently, and that any urgent, high or medium issues have been resolved. This helps mitigate the risk that the remote solution is vulnerable to attack by malicious third parties, and helps ensure remote access for legitimate users is maintained.
  4. Consider stress testing the remote access solution, so that your organisation has a good idea of how many concurrent devices can be connected remotely without adversely affecting performance. It may be necessary to improve the capacity of the remote access solution for the duration of this period where higher numbers than usual of remote users are going to be experienced.
  5. Make sure that users know whether they can print when at home / out of the office and, if they are permitted to do so, they need to know how to securely dispose of any sensitive documentation they print off. For example, using a cross cut shredder may be acceptable while putting confidential documents in a recycle bin at home is probably not the sort of behaviour you want to encourage.
  6. Review your business continuity and disaster recovery plans. Are there key personnel who have to have corporate devices, and others who could be given extra leave instead? It may be that you decide to focus on providing key services to clients and choosing not to deliver all services all the time.
  7. If users are allowed to use personal devices, consider enforcing Network Access Control in the same manner as in point 2 above. Also, make a risk based decision whether non-corporate devices can be used if they do not have full disk encryption installed. It may be that a temporary waiver can be granted for these extraordinary times, or it may be desirable to issue users with corporate devices if they don’t usually have one at home instead, even though the device may not have the full specification the user is used to. 
  8. Consider issuing staff with privacy filters, so that if there are other people in the house / room, confidential data is not visible on screen to all. These are relatively cheap, and are a good idea for staff who often work away from the office anyway.
  9. Check contracts with clients to conform whether remote working is permitted, and under what conditions. If it is specifically excluded, talk to clients to develop appropriate acceptable working practices while we deal with the initial outbreak.

As mentioned at the beginning, this is not an exhaustive list, but may help focus on the important things from a business perspective.

What about the individuals?

Now, what about the employees who are now potentially going to work from home for the first time? They will also need support and guidance. As someone who has worked from home for many years, I’d suggest that the following are all points which staff may benefit from knowing.

  1. If at all possible, create a separate dedicated workspace, ideally in a room where you can close the door at the end of the working day. This will help keep work and personal life separate. Not everyone will be able to do this, so an alternative of setting up somewhere which is out of the normal areas of high use / footfall within the house is perhaps the next best option. For example, it is a good idea not to set up in the kitchen if possible, because other people in the house will regularly come in for food and drink. This will disturb you and could possibly lead to a breach of security if unauthorised people (i.e. family and friends) can see what you are working on.
  2. Make sure you take regular breaks. In the office you probably don’t think about going to grab a coffee, and working at home is no different. The regular break encourages you to get up and move around, to stretch and perhaps speak to others in the house: this is healthy for you. Take care not to spend all day chatting, obviously, but it’s very easy to fall into the trap of sitting still for hours at an end. I have a smartwatch which prompts me to get up and move every hour, and I find that very helpful.
  3. Try to stick to regular mealtimes, as you would do in the office. Many people go out at lunch to sandwich bars, cafes etc, and it may be that you can’t do that when at home. It’s a good idea to know what your normal lunch break would be and try to repeat it at home, bearing in mind you may have to prepare your food in that time too.
  4. Make technology work for you. Have video calls / voice calls as necessary. Some people find that switching on video and connecting to several colleagues, then leaving the video running, helps feel like you’re still in the same office. You don’t necessarily have to talk to your colleagues, but some find it helpful just to see and hear other people in the background.
  5. There’s always a question of whether to have the TV, radio or music on in the same room, or as background noise. That’s a personal choice: some people work well with that additional sound, others don’t. I find that I can’t work when there are those distractions, and I’ve been in offices where the radio is on all day and people seem to be able to work fine with it. Whatever works best for the individual is the right answer.
  6. Make sure you finish when you normally would, or at least when you would normally get home. It’s really important to have a break between work and personal time, so try to stick to your normal routine in terms of start and finish times.

These are some of my thoughts. I hope they’ve been useful. What works for you?

Shadow IT

Have you heard of Shadow IT? Do you worry about it?

Many organisations have a defined IT policy and processes surrounding it. They may outsource provision to a Third Party, or they may have their own IT department, even if that’s just Billy sitting in the corner, who is totally self taught.

The organisation may have a standard build for all their equipment, and may use only one brand of equipment, which should make managing security risks quite well defined and limited.

However, there may be individuals or whole teams that don’t use the company standard. There might be an MD who really wants to do everything on a tablet device, but the company has a strict “no tablet” policy. There might be a team that installs its own network connection “just in case the company one fails”. And then there’s George in Marketing who prefers to use his Mac to the standard Windows machines.

The MD goes ahead and connects her tablet to the corporate network. The team with their own network connection leave it live and accessible 24×7: there’s no firewall and no way of blocking traffic coming in or going out. George brings in his own Mac and plugs it in to the network. None of these involve the IT or security teams, consequently the risk is unknown and therefore not managed.

These are all examples of Shadow IT – the unknown equipment attached to the corporate network which has little or no security controls in place. Many organisations have a problem with the proliferation of Shadow IT devices.

I think that we’re rapidly approaching – or may already have passed – the moment when we have to stop thinking of it as Shadow IT, and makes sure that our controls can take the plethora of unofficial devices and configurations.

For example, it may be prudent to create a kind of “internal guest network”, for non-standard / uncontrolled devices. This could be easy to connect to but provides an additional layer of control. Using some kind of Mobile Device Management (MDM) solution allows you to provide some services to personal mobile devices, while also giving the ability to remotely wipe the data on them if necessary.

I think we need to be having that conversation in the organisations we work in or encounter. Rather than calling it “rogue” or Shadow IT, call it uncontrolled then work out how to control it.

Careers in Cyber

Does this sound familiar?  You keep seeing headlines about cyber security, about information security, usually when there’s been a loss of passwords or data, sometimes about large fines being levied on companies for poor practice. You’ve heard that there are lots of vacancies in the world of cyber and would like to look at a career in security. But you don’t know what choices there are, you don’t have good IT skills and you don’t know what skills you need.

This article will answer some (though probably not all) of your questions.

Before looking at what roles there are, let’s get the first big concern out of the way shall we? Do you need to be an IT ninja to work in information security?  The answer is a resounding NO (though for some – not all – roles it helps). Read on to find out why…

Broadly speaking, cyber security is split into three main role groups:

  • governance, risk and compliance (GRC), which relates to policies, processes, and, in some cases, training. These roles include consultants, analysts, auditors and trainers
  • offensive security, also known as red teaming, with the aim of trying to get unauthorised access to systems. Roles in this group include ethical hackers (penetration testers), social engineers etc
  • defensive security, also known as blue teaming, with the aim of trying to stop those trying to get unauthorised access to systems. Roles in this group include digital forensics, incident response, Security Operations analysts etc

GRC roles

These roles typically require little to no technical skills, though an understanding of technology helps.

People in these roles will probably spend their time writing and reviewing policies and other documentation, carrying out audits to ensure the organisation is complying with policies and / or industry standards, working with other staff to help them understand and implement the policies. At a more senior level they also encompass consultancy, working with clients to help them understand and improve their security posture.

It’s likely that people in GRC roles will spend time looking at industry standards such as ISO 27001 and NIST, regulations such as GDPR and industry specific requirements such as PCI DSS.

In terms of training, people in this group will be more likely to develop and perhaps deliver general security training rather than specific courses for highly technical staff.

In terms of training, a good basis would be the BCS Certificate in Information Security Management Principles (CISMP), and if you’d like to add some technical knowledge passing the CompTIA Net+ and Sec+ exams would be really good grounding.  There are courses around data privacy which are becoming more common too. Ultimately you’d be aiming for something like the ISACA Certified Information Security Manager (CISM), (ISC)2 Certified Information Systems Security Professional (CISSP) or EC-Council Certified Chief Information Security Officer (C|CISO) qualifications, but they require at least 5 years of practical experience as well as an exam pass.

Red Team (Offensive Security)

This is where many people think the really exciting part of security sits, being paid to test other companies’ defences and helping them improve their security. This is the realm of the ethical hacker, more properly called a penetration (pen) tester.

Pen testers are, by necessity, quite technical. Typically they’ll be able to write scripts and code in several different languages, including Bash and Python.  They’ll understand toolsets such as Metasploit, which is available for free on Kali Linux. (Incidentally, the bad guys will use pretty much the same toolsets for much of their work, and both groups will probably learn a lot about how to use them from YouTube!) They’ll also be able to write exploits, perhaps for use in Metasploit or elsewhere.  Oh, and they better understand network protocols and how firewalls work too.  Essentially, they need to know a lot about a lot of things in order to be very proficient, though it is possible to run a lot of these tools with very little knowledge.

There is a form of red teaming where people try to physically get access to premises and systems using social engineering techniques.  This typically involves carrying out research on the target company using OSINT techniques, before creating some kind of pretext (cover story) or getting in through open doors and windows.  The goal may be to try to access a data centre or other sensitive room in a building, or it may be to leave some kind of listening / communications device in a meeting room, or to see what documentation can be obtained. This is the sort of work that you may have seen in films like Sneakers, where teams of people are testing an organisation’s security capabilities. Skills needed for this type of role are more related to acting / improv, calmness under pressure and the ability to think quickly.  A good understanding of human psychology, empathy, body language and non-verbal communication is really helpful in this field.

Training for the red team can be very technical, or not technical at all. If technical, you probably need to look at something like CompTIA Net+ and Sec+ as a basic grounding, before then looking at something like the Offensive Security Certified Professional (OSCP) or CHECK Team Member (if in the UK). It’s worth saying that when it comes to the technical aspects, lots of practice with different packages, scripting languages and exploits is probably more beneficial than lots of certifications, though having at least one industry respected certification will be helpful.

It’s also worth noting that many red team members will have experience of operating as a blue team member (and vice versa), and the skills gained there will be useful for them in trying to defeat their opponents.

If you know the enemy and know yourself you need not fear the results of a hundred battles.
– Sun Tzu, The Art of War

If looking at the non-technical courses, then typically psychology and sociology are very useful. Experience of acting / talking to lots of different people is also helpful, and an understanding of verbal and non-verbal communications is also very useful.

Blue Team (Defensive Security)

The defensive teams are also likely to have some very technical people in them. They may not write exploits like some pen testers, but some do need to have a very deep and detailed understanding of how things work.

Digital forensics is a highly specialised field, and there are individual specialities within it. For example, someone may only deal with mobile devices, so will need to understand Android, iOS (for Apple devices) and Windows Mobile, amongst others. Some may look mainly at memory stores, or disk drives etc. They also need to know how to capture, store and examine data in a methodical way which can be replicated in court, using the ACPO Good Practice Guide for Digital Forensics (in the UK – other countries may have other standards).

SOC (Security Operations Centre) Analysts look at information coming from a range of sources such as log files, and are skilled at looking at the big picture to identify attacks or other threats.  They need to understand networks, protocols and firewalls, how systems are configured and how the whole network interoperates.  They also need to understand patching and malware, to evaluate likely effects and the best methods of combating those threats.

Training courses vary, though SANS are renowned for their very detailed courses, particularly in the forensics arena.  Again, CompTIA Net+ and Sec+ are good courses to start with before building up experience and looking at the more technical material available. Many courses will relate to the toolsets that the team member uses e.g. when using a Security Information and Event Management (SIEM) application, firewall apps etc. Blue team members may also take some of the same courses that the red team members do – remember Sun Tzu!

Summary

There is a lot of scope for people who are not technical – and have no desire to be technical – to work in Information Security.  In many cases, the key skills / attributes include patience, attention to detail, concentration, focus, diligence and curiosity, as well as people skills like empathy and communication.

As someone who has worked in the industry for over 30 years, since before it was even called security, I’d recommend it to anyone. There are so many opportunities, so many different roles, that there is bound to be something for everyone!

I should also mention that the company I work for, PGI, runs many of the courses mentioned above, or equivalents of them: I’m one of the instructors on the awareness courses…

World Password Day

Did you know that today, May 2nd, is World Password Day?  To mark the event, I thought I’d post a quick update, based on a new approach to password management.

Both the UK National Cyber Security Centre (NCSC) and US National Institute of Standards and Technology (NIST) have published changes to their recommendations for managing passwords in the past two or three years.

  1. Whereas previously we were advised that changing passwords regularly eg every 30 or 60 days was a good thing, they both now suggest only changing them when they are compromised (i.e. if you think someone else might know your password). I have to confess this doesn’t sit easily with me, but I understand their reasoning. We all have so many passwords to remember that changing them less often means we’ll have a better chance of remembering them.
  2. Use a different password for every account, for every website etc. This is more tricky, and both NIST and NCSC suggest using a Password Manager (this is an app for your phone or that you can run from your laptop / desktop) which helps you track and maintain your passwords.
  3. Rather than using long, difficult to remember collections of upper and lower case letters, numbers and symbols, use three unrelated words and make sure the total length is more than 12 or 14 characters (I prefer a minimum of 15). The reasoning for this is simple. Suppose you used P4$$w0rd as your password: it meets all the criteria for complexity, but it’s obviously not secure. A simple to remember phrase like SunnyTreeRoad is not as easy to guess, and is less likely to appear on one of the many lists of known / common passwords.
  4. Enable Two Factor Authentication on your key accounts like email and banking / finance. This means the bad guys would have to have your phone or other source for 2FA as well as your password to get in to your account.

If you’d like to know more, check out the NCSC article here, or the NIST video here. They’re both short and won’t take much time.

Also, if you want to see examples of bad passwords, the NCSC have published details of the most hacked passwords here.

Finally, if you want to see whether your email password has already been hacked, head to https://haveibeenpwned.com/ and sign up. This free service will tell you if your account has ever been compromised, and will also alert you in future if someone hacks it in future,

A new approach for 2019

I know it’s a bit hackneyed, but making New Year’s resolutions is part and parcel of this time of year. Wouldn’t it be great if everyone in security could all make the same one, to commit to doing the same thing? We’d need to bring others with us, like our IT colleagues, our enthusiastic amateur friends, and also particularly the media and marketing people around the globe.

Let’s try to see, report on and celebrate the positives, not just focus on the negatives.

The press and online media seems to be full of stories about data breaches, ransomware, data losses and other information security related catastrophes. When these occur, my LinkedIn, Twitter and Instagram feeds fill up with people talking about the breaches, how terrible they are, how companies can allow things like this to happen etc. I’m sure you’ve noticed it too. It’s almost like people are glorying in, celebrating even, the misfortunes of others.

Yes, we security professionals have a responsibility to identify weaknesses in systems and people, and try to mitigate those weaknesses. However, I think we have a greater responsibility to provide encouragement and support to our colleagues, acquaintances, friends and family. They’ve become much more aware now of the impact of their online actions, as illustrated in this story from the BBC. But many people have little or no idea how to protect themselves effectively.

If it feels like we keep having to repeat the same messages over and over, there’s a very good reason for that, which Rik Ferguson highlighted in a podcast with Jenny Radcliffe last year (2017). He said “Every day is someone’s first day online”. This is true, and I think we often forget that fact. This is why we have to keep repeating the basics, because these are new to people, and will continue to be so for years to come.

How do we change the narrative, from highlighting the negatives, to emphasizing the positives? Rather than say “there was a breach because such-and-such happened”, can we say “the breach could have been worse, but controls x, y and z helped make sure it wasn’t”? Rather than castigating individuals for missing a patch, can we not praise them for applying as many as they do? Those in the know already appreciate how hard it is to do even the simple things consistently well over the course of a year, and some things are bound to slip through the net.

I think it’s time for change. I think it’s time we recognised the excellent work so many people do. I think it’s time to shine the light on the positives.

Let’s try to see, report on and celebrate the positives, not just focus on the negatives.

Z is for …

Zero Day

The time taken between a vulnerability existing and a patch being released to fix it can be several weeks, months or even years. An exploit written to take advantage of this gap is known as a Zero Day.

The bad guys are particularly interested in carrying out attacks against systems with vulnerabilities but no patches, for obvious reasons: it’s very difficult to defend agaisnt them.

Depending on the level of access the zero day can provide, or the damage a bad actor can cause with it, will have an effect on the value of each zero day attack on the Dark Web. Some may sell for “only” a few thousands of pounds, but some can fetch well into five figures, if not more.

A very famous attack carried out using zero days is explained in the film of the same name. It tells the story of an attempt to disrupt the Iranian nuclear programme some years ago, and is well worth watching.

X is for …

X-rated

It’s well known that the internet hosts a wide variety of pornography sites, from the legal on the surface web to the illegal on the dark web.

But what of other adult only material, which is also x-rated and may be illegal. Sites showing gore, mutilation, torture and worse? Again, they’re split between the legal and illegal, and hosted on the surface and dark webs.

Many companies use a technology called content filtering to prevent access to this sort of material. Automated tools trawl the surface web and categorise the websites they come across. Companies block access to certain categories, to help protect their employees.

You can usually do something similar at home. Service providers often allow you to add parental controls, which prevent access to sites showing adult material. Some antimalware providers also have add-ons for web browsers which can alert on or block access to potentially adult rated material.

Unhelpful media headlines

Earlier this week an article appeared on the BBC website called How can we stop being cyber idiots?. I took umbrage at this for a number of reasons.

First, why alienate readers by calling them idiots? Most people who use computers (I won’t call them users because, as a friend of mine pointed out, users has negative connotations around drug and alcohol abuse) generally try to do the right thing. This doesn’t make them idiots.

Second, if people haven’t been educated about the risks of their actions, they may not understand the consequences of not following any guidance theyve been given. This is a failure on the part of information security professionals, not providing meaningul education which reaches everyone, and which informs on and encourages good behaviour. It doesn’t make the people using computers idiots.

Third, why assume that everyone knows what is right and wrong? As Rik Ferguson pointed out on a podcast I listened to last year, every day is someone’s first day online. So every day someone needs to be told the basics of information security. This doesn’t make those people idiots.

There seems to be a general assumption that everyone knows everything they need to about good cyber security practice, but that’s just not true. It’s an every day and ongoing challenge to help people understand the consequences of their actions. The risks are constantly changing and evolving, so security professionals like me need to make sure we’re spreading the right messages in the right way.