
Cybersecurity Advisory: Tips for Protecting Your Business

As our world grows more connected and we embrace the 4th Industrial Revolution (4IR), we need to take the right precautions against the new dangers that come with it. The traditional means of espionage, and of disrupting, extorting and stealing from businesses, have evolved. It is now possible to do all of these things from halfway across the world, to a company you have never met or even heard of before, from the comfort of a home or the safety of an office, hidden behind the anonymity the internet provides. Whether these people are criminals, mercenaries, terrorists or opportunists is for you to decide. Regardless, and whether they do it for money, fame, ideology or chaos... they are not good for business.

In this advisory, I would like to give you some tips and steps that will help protect you against threats of all kinds. This advice is far from a full solution, but every tip you implement makes exploiting your business more difficult. The reality is that if you are targeted directly by a nation state or an established criminal hacking syndicate, they will eventually get through your defenses. However, the large majority of cyber attacks are motivated by profit, and profit-driven attackers go where the effort is lowest. If you make it difficult to breach your security, they will often move on to an easier target.

Before we get started, it is important that you take heed of the disclaimer provided below:

DISCLAIMER:

If you have an internal IT department or use a managed IT service provider, you will need to coordinate some of these tips or steps with them. Some of these changes may conflict with policies your IT team have in place; I will point it out when this is the case. Furthermore, it should be stated that laziness and convenience are the enemies of proper security. Your IT team may have implemented something a certain way because it was convenient or easy to maintain. In these cases, weigh those reasons against the added risk and make your own call on the way forward.

1. Keep your systems updated!

The idea of installing updates may leave a bad taste in your mouth. Aggressive attempts by Microsoft and others to force updates on users have certainly soured people on the whole process. However, updating your equipment is vitally important! Whether it is a computer, server, smart device or piece of networking equipment, it is essential that you keep it up to date and regularly patched.


With every update, several vulnerabilities get patched. These are potential attack vectors that no longer exist once you have updated your system. In some months, Microsoft patches over 100 vulnerabilities, with a dozen or so rated critical and some already being exploited globally. Any one of these could be the one used to cripple your business.

Even if a threat actor (the bad kind of hacker) does not have a working exploit for a particular vulnerability today, they can develop one quickly. Every time an update is released, threat actors compare the patched and unpatched versions to work out what was fixed, then write malware that exploits the systems that have not yet updated. They scan the internet for out-of-date systems and hit them with it. The large majority of the cyber attacks you hear about succeeded by exploiting known flaws that the manufacturer or developer had already patched.

2. Take extra care with old equipment and software.

For similar reasons to those stated above, we need to be very careful with old equipment and software that is no longer serviced by its manufacturer or developer. These will never receive a patch for vulnerabilities discovered after their end-of-life date (the date from which they are no longer officially supported). What can be done about this, you may ask?

a. Consider upgrading to a newer offering.

b. Isolate the existing offering - it should have no way to interact with the internet or the company network.

Generally speaking, it is best to upgrade your current solution. That being said, sometimes you have a critical piece of equipment that newer systems simply do not support. In this case, it is essential that you completely isolate it. It should not be connected to the internet in any way, nor to your internal network. It should operate in its own bubble, even if that means a dedicated computer that is similarly isolated and never connected to the network. If data has to move in or out, use dedicated removable media that is scanned before use, because that becomes the only remaining way in. It may seem like overkill to some, but the weakest link in your network can become your undoing. Threat actors will take advantage of that weakest link and then move on to other systems once they have access to the company network.

3. Keep your protections enabled and up-to-date.

This one is simple. Make sure you are not turning off the measures you have in place to keep you secure. Anything that asks you to disable your firewall or add an exception to your anti-virus software must be treated as suspicious and investigated first! Similarly, make sure you are running the latest version of your anti-virus and anti-spyware packages.

It is still quite common to see people running old versions of anti-virus software that they bought a couple of years ago. If these packages no longer receive updates, they cannot effectively secure your system. Malware is constantly evolving, and threat actors keep adjusting it to bypass anti-virus packages. If you are running an old package, or an old set of detection signatures in your current package (i.e. you disabled updates for whatever reason), you are vulnerable to attack.
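Tips 1 and 3 both come down to one question an owner can ask IT: "is this machine patched and is Defender actually on and current?" The script below is an added example, not part of the original article, that answers it for a single Windows 10/11 host from an elevated PowerShell window. It uses only what ships with Windows (the Windows Update Agent COM API and the Microsoft Defender cmdlets); the two age thresholds are assumptions you can tune.

```powershell
# Added example, not from the original article: a quick patch-and-protection
# health check for one Windows 10/11 host, run from an elevated PowerShell
# window. Uses only the built-in Windows Update Agent COM API and the
# Microsoft Defender cmdlets. The two thresholds below are assumptions.
$MaxPatchAgeDays     = 30   # assumption: no patch in 30 days is worth a look
$MaxSignatureAgeDays = 3    # assumption: Defender signatures older than 3 days are stale
$problems = @()

# 1. Updates that Windows Update knows about but has not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$missing  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
foreach ($u in $missing) {
    # MsrcSeverity is blank for non-security updates, so label those explicitly.
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { "n/a" }
    Write-Output ("MISSING  [{0,-9}] {1}" -f $sev, $u.Title)
}
if ($missing.Count -gt 0) { $problems += "$($missing.Count) update(s) not installed" }

# 2. When was anything last patched?
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $problems += "no hotfix installed in the last $MaxPatchAgeDays days"
}

# 3. Is Defender on, current, and protected against being switched off?
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $problems += "antivirus is disabled" }
if (-not $mp.RealTimeProtectionEnabled) { $problems += "real-time protection is off" }
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $problems += "signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
}
if (-not $mp.IsTamperProtected) { $problems += "tamper protection is off, so malware could disable Defender" }

# 4. One-line verdict, or the list of things to fix.
if ($problems.Count -eq 0) {
    Write-Output "OK: fully patched, Defender enabled and current."
} else {
    Write-Output "ATTENTION:"
    $problems | ForEach-Object { Write-Output "  - $_" }
}
```

The update search can take a minute on a machine that has not checked in for a while. The tamper-protection line is there because the first thing most malware does on landing is try to switch the anti-virus off, which is exactly the "keep your protections enabled" point of tip 3.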

4. Be careful what you download.

Malware can enter your system in many ways. The most common way today is to be downloaded from the internet: an attachment to an email, a browser extension, a software installer, or a file received through a social platform (e.g. Facebook or WhatsApp). Threat actors have found ways to embed malicious code in all sorts of files, e.g. software installers, PDFs, Microsoft Office documents, videos and images. It is important to be careful whenever you download something.

You need to ask yourself: Do I know and trust the source? Are they the originator or official source, or is this something that may have been forwarded or redirected at some point? Am I expecting this email, file or message? Is it coming through the known and established channels? Can I verify it with the person or entity, ideally through a different channel than the one it arrived on? Is there something out of place or odd (e.g. a new email address, a different domain name, seemingly out-of-character elements)?

Another aspect to consider is your employees. Firstly, they may not have their own computer at home and may use their work computer for personal use as well. This could mean visiting unscrupulous websites (e.g. torrent sites, pornography, "free software" sites) on a machine that is also on your network, and initial access on one computer can spread to others on the same network. Secondly, if an employee feels that a piece of software is necessary but cannot afford it personally or get the procurement department to pay for it, they may consider downloading a pirated copy from the internet. This is actually quite common: people download pirated versions of Photoshop, Microsoft Office, Windows, games, and so on. It is not uncommon for these pirated versions to have been tampered with by threat actors, who bundle spyware or malware into the installer or the "crack". Upon installation, they have access to the system.
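The questions above ("Do I know the source? Is this the official copy?") can be backed up with three checks on the downloaded file itself before it is run. The function below is an added example, not code from the original article: it reads the origin Windows recorded for the download, checks the code-signing signature and who signed it, and compares the file's SHA-256 with the hash the vendor publishes. The path, publisher name and hash in the usage line are placeholders.

```powershell
# Added example, not from the original article: vet a downloaded installer
# before running it. Checks (1) where Windows says it came from, (2) whether
# it carries a valid code-signing signature and who signed it, and (3) whether
# its SHA-256 matches the hash the vendor publishes. Path, publisher and hash
# in the usage line are placeholders to replace with your own values.

function Test-DownloadedFile {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$ExpectedPublisher,   # substring of the signer's subject, e.g. "Mozilla"
        [string]$ExpectedSha256       # hash copied from the vendor's download page
    )
    $ok = $true

    # 1. Mark of the Web: Windows records the download origin in an alternate
    #    data stream called Zone.Identifier (ZoneId=3 means "Internet").
    $motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) {
        Write-Output "Origin recorded by Windows:"
        $motw | Where-Object { $_ -match '^(ZoneId|ReferrerUrl|HostUrl)=' } |
            ForEach-Object { Write-Output "  $_" }
    } else {
        Write-Output "No download origin recorded (copied from a drive, or the mark was stripped)."
    }

    # 2. Authenticode signature: unsigned or tampered installers fail here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Output "Signature status: $($sig.Status)"
    if ($sig.Status -ne 'Valid') {
        $ok = $false
    } else {
        $subject = $sig.SignerCertificate.Subject
        Write-Output "Signed by: $subject"
        if ($ExpectedPublisher -and $subject -notlike "*$ExpectedPublisher*") {
            Write-Output "  -> signer does not match expected publisher '$ExpectedPublisher'"
            $ok = $false
        }
    }

    # 3. Hash comparison against the value published on the vendor's site.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpper()) {
            Write-Output "SHA-256 mismatch: got $actual, expected $($ExpectedSha256.ToUpper())"
            $ok = $false
        } else {
            Write-Output "SHA-256 matches the published hash."
        }
    }

    return $ok
}

# Usage (placeholders): only run the installer if this returns True.
# Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\setup.exe" `
#     -ExpectedPublisher "Example Vendor" -ExpectedSha256 "<hash from the vendor's site>"
```

A valid signature from the expected publisher is the strongest of the three checks; a matching hash only proves you have the same file the website offered, so take the hash from the vendor's own site, not from the page you downloaded the file from if that was a mirror.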

5. Passwords and authentication

You have probably heard that proper password security is important. That should come as no surprise to you. Here are a few things you should consider:

  1. Use a unique password for every service you use. Data breaches are common, and passwords are leaked in massive databases. No matter how good your password is, if it is leaked somewhere, hackers will try your email address and that password on every common platform to see where else they can get in (this is called credential stuffing). If you do not reuse passwords, they cannot compromise you beyond the one service that was breached.

  2. Use long, complex passwords. It is no longer really accurate to call it a "password"; we should be using a "passphrase" instead. If you are not using the random password generator built into a password manager, you need to come up with passphrases that are several words long and also use capital letters, numbers and symbols. For example: S!llyBillJu$tLov3s$$ . Length matters most: each extra word adds more strength than another symbol substitution, and a randomly generated password is stronger than anything you can think up.

  3. Avoid storing your passwords in a file on your computer, or on sticky notes on your desk. These are not only easy to lose, they are also easy for others to find and copy.

  4. Do not share passwords or user accounts, unless it is absolutely necessary!

  5. Use multi-factor authentication (MFA) wherever it is available. This requires you to provide a one-time PIN from an authenticator app, or acknowledge a notification on your phone, when someone tries to sign in. Without that second step, a person who only has your password cannot gain access. A code sent by SMS is better than nothing, but an authenticator app or a hardware security key is stronger. Most accounts offer this option. Trust me, this is a must!

To cover the first three recommendations, it is generally advised to use a reputable password manager. These services store your passwords in an encrypted vault that only your master passphrase can unlock, are accessible on all your devices, and will automatically fill passwords in when you log in. They will also generate very strong random passwords for you, should you choose to use them. Because the vault becomes your single most valuable account, protect it with a long master passphrase and MFA. Recommended offerings include Bitwarden, LastPass or Dashlane.

IMPORTANT: Talk to your IT department or provider for advice on effective rollout of password solutions.
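To show why the one-time PIN in point 5 is worth so much more than a password alone, the block below is an added example, not from the original article, that implements the standard algorithm authenticator apps use: TOTP (RFC 6238, HMAC-SHA1, six digits, 30-second steps). The app and the service each hold the same secret and compute the same code from the current time; the secret and timestamps used here are the RFC's own published test values, not anything from this advisory.

```powershell
# Added example, not from the original article: how the "one-time PIN" of
# app-based MFA is generated and verified (TOTP, RFC 6238). The secret and
# timestamps below are the RFC's published test vectors; a real service would
# hold a per-user secret and use the current time.

function Get-TotpCode {
    param(
        [Parameter(Mandatory)] [byte[]]$Secret,
        [Parameter(Mandatory)] [long]$UnixTime,
        [int]$Digits = 6,
        [int]$StepSeconds = 30
    )
    # The moving factor is the number of 30-second steps since the Unix epoch,
    # encoded as an 8-byte big-endian counter and fed to HMAC-SHA1.
    $counter = [long][math]::Floor($UnixTime / $StepSeconds)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation (RFC 4226): the low nibble of the last byte selects a
    # 4-byte window; the top bit is cleared so the value is a positive integer.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $b0 = ([int]$hash[$offset] -band 0x7F) -shl 24
    $b1 = [int]$hash[$offset + 1] -shl 16
    $b2 = [int]$hash[$offset + 2] -shl 8
    $b3 = [int]$hash[$offset + 3]
    $binary = $b0 -bor $b1 -bor $b2 -bor $b3

    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    # What the service does with the PIN you type: recompute it for the
    # current step and one step either side (clock drift), compare, done.
    param(
        [Parameter(Mandatory)] [byte[]]$Secret,
        [Parameter(Mandatory)] [string]$Code,
        [Parameter(Mandatory)] [long]$UnixTime,
        [int]$WindowSteps = 1
    )
    for ($i = -$WindowSteps; $i -le $WindowSteps; $i++) {
        $candidate = Get-TotpCode -Secret $Secret -UnixTime ($UnixTime + 30 * $i)
        if ($candidate -eq $Code) { return $true }
    }
    return $false
}

# RFC 6238 test secret is the ASCII string "12345678901234567890"; real
# authenticator apps exchange the same kind of secret encoded as Base32 in a QR code.
$secret = [System.Text.Encoding]::ASCII.GetBytes("12345678901234567890")
foreach ($t in 59, 1111111109, 1234567890) {
    Write-Output ("t={0,-11} code={1}" -f $t, (Get-TotpCode -Secret $secret -UnixTime $t))
}
# Expected codes from the RFC tables (SHA-1, truncated to 6 digits): 287082, 081804, 005924.

# The same code is accepted only inside its time window, so a PIN that leaked
# a few minutes ago is useless; an attacker who relays it within seconds is not
# stopped, which is what phishing-resistant hardware keys are for.
Test-TotpCode -Secret $secret -Code "287082" -UnixTime 59    # True
Test-TotpCode -Secret $secret -Code "287082" -UnixTime 600   # False
```

To generate a live code for a secret you hold, replace the fixed timestamps with `[DateTimeOffset]::UtcNow.ToUnixTimeSeconds()`. The takeaway for the password discussion is that a leaked password on its own no longer opens the account: the attacker also needs the secret inside your phone, and that secret never leaves it.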

6. Remove old users and accounts


People come and go, so the business constantly needs to monitor who needs access to what. Many companies do not manage their user logins and accounts effectively. If someone leaves the business, they should no longer have access to the company computers, web logins, networks, files, emails, etc. This requires the IT team to disable and then delete their user accounts, change the passwords of shared services, revoke their MFA devices and cancel unused online accounts. Laziness or the lack of a systematic approach is usually your downfall here.

Two major issues are rooted in bad user and account administration.

  1. Unknown or forgotten accounts and software left dormant. If there are accounts or remote-access tools on computers that the IT team do not know about, nobody is signing them out or updating them, and each one is another attack vector into the company network. An old, out-of-date copy of TeamViewer, for example, can give an attacker remote access to a computer through a known, long-patched vulnerability, and anyone familiar with remote desktop software knows that the user on the other end can do just about anything on the computer they have reached.

  2. Previous employees may compromise the company. Whether through intentional sabotage or neglect of their own security, previous employees who are still signed in to, or still have access to, company services and networks could cause serious issues for the company. They may download data, sell important information, delete or damage company assets, etc. Beyond deleting users and unused accounts, the IT team should inspect the leaver's computer, change any passwords they may have used for shared assets and software, and so on.

IMPORTANT: This is the job of your IT department. Make sure they are doing it.
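What "make sure they are doing it" looks like in practice is a periodic report of accounts that are idle, that have never been used, or that belong to nobody on the current staff list. The function below is an added example, not from the original article: it takes any list of objects with Name, Enabled and LastLogon properties, so it can be pointed at the local accounts of a Windows machine (Get-LocalUser, built in on Windows 10 and later) or at an export from a domain or SaaS admin console mapped to those three properties. The sample accounts, the staff list and the 90-day threshold are constructed for the demonstration.

```powershell
# Added example, not from the original article: find accounts nobody should
# still have. Works on any list of objects carrying Name, Enabled and LastLogon,
# e.g. Get-LocalUser output. The sample accounts, the staff list and the
# 90-day idle threshold below are constructed for this demonstration.

function Find-StaleAccount {
    param(
        [Parameter(Mandatory)] [object[]]$Accounts,
        [string[]]$CurrentStaff = @(),   # usernames HR confirms still work here
        [int]$MaxIdleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$MaxIdleDays)
    foreach ($a in $Accounts) {
        $reasons = @()
        if ($CurrentStaff.Count -gt 0 -and $CurrentStaff -notcontains $a.Name) {
            $reasons += "not on current staff list"
        }
        if (-not $a.LastLogon) {
            $reasons += "never logged on"
        } elseif ($a.LastLogon -lt $cutoff) {
            $reasons += "idle since $($a.LastLogon.ToString('yyyy-MM-dd'))"
        }
        if ($reasons.Count -gt 0) {
            # Disable first: it stops every logon (including remote-access tools
            # tied to the account) but keeps the files for review before deletion.
            $action = if ($a.Enabled) { "disable now, delete after review" } else { "delete" }
            [pscustomobject]@{
                Name    = $a.Name
                Enabled = $a.Enabled
                Action  = $action
                Reason  = $reasons -join "; "
            }
        }
    }
}

# Constructed sample: what a small office's local accounts might look like.
$sample = @(
    [pscustomobject]@{ Name = 'alice';      Enabled = $true;  LastLogon = (Get-Date).AddDays(-2) }
    [pscustomobject]@{ Name = 'bob';        Enabled = $true;  LastLogon = (Get-Date).AddDays(-200) }
    [pscustomobject]@{ Name = 'contractor'; Enabled = $true;  LastLogon = $null }
    [pscustomobject]@{ Name = 'oldadmin';   Enabled = $false; LastLogon = (Get-Date).AddDays(-400) }
)
Find-StaleAccount -Accounts $sample -CurrentStaff 'alice', 'bob' | Format-Table -AutoSize
# Flags bob (idle 200 days), contractor (not on the staff list, never logged on)
# and oldadmin (not on the staff list, idle); alice is left alone.

# Against the real machine (run elevated):
#   Find-StaleAccount -Accounts (Get-LocalUser) -CurrentStaff 'alice', 'bob' | Format-Table -AutoSize
```

The staff list is the part IT cannot produce on its own; it has to come from whoever knows who actually works here, which is why offboarding needs a process and not just a helpful administrator.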


7. Make sure that backups are being made.

Whether it is your job or the job of your IT provider, you need to make sure that backups are being made of all critical data in your company. Not only should you be backing up, you should have regular backups in multiple locations, at least one of which cannot be reached from the network the data lives on.

If you have a failure, a loss of data or a cyber attack, you should be able to fully recover from backups within a couple of days. If that is not the case, you do not have adequate backups in place. It is important to know that ransomware gangs often spend time scoping out your network and backup solutions before they start exfiltrating and encrypting everything. This often means that your everyday backup solution is also compromised and encrypted when the attack lands. However, if you also had regular backups stored in a way that was isolated from your network and "off the grid", so to speak, those backups would be your saving grace. Similarly, many companies back up to reputable cloud storage providers such as Amazon AWS, Microsoft Azure or Google Cloud. With versioning or immutable (write-once) storage enabled, these let you roll back to a previous day's contents even if the live copy was encrypted. The caveat is that the cloud backup must use separate credentials and MFA: an attacker who controls your network and finds the backup login can delete the cloud copy too. Finally, test a restore periodically; a backup you have never restored from is only a hope.

IMPORTANT: This is the job of your IT department. Make sure they are doing it.
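The restore test mentioned above can be made objective rather than "it looks fine". The block below is an added example, not from the original article: it records a SHA-256 manifest of the live data, and later compares a restored copy against it, reporting files that are missing, altered (which is what encryption looks like to a hash check) or unexpected. The demonstration writes a few constructed files to the temp folder and then simulates ransomware touching the restored copy; the folder names and file contents are made up for the example.

```powershell
# Added example, not from the original article: prove a backup can actually be
# restored. A SHA-256 manifest is taken from the live data; later the restored
# copy is checked against it, which catches files that are missing, truncated
# or encrypted. The sample files under $env:TEMP are constructed for this demo.

function New-BackupManifest {
    param([Parameter(Mandatory)] [string]$Root)
    $rootPath = (Resolve-Path $Root).Path
    $manifest = @{}
    Get-ChildItem -Path $rootPath -Recurse -File | ForEach-Object {
        # Key on the path relative to the root so live and restored trees compare.
        $rel = $_.FullName.Substring($rootPath.Length).TrimStart('\')
        $manifest[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)] [hashtable]$Manifest,   # taken from the live data earlier
        [Parameter(Mandatory)] [string]$RestoredRoot   # where the backup was restored to
    )
    $restored = New-BackupManifest -Root $RestoredRoot
    $failures = @()
    foreach ($rel in $Manifest.Keys) {
        if (-not $restored.ContainsKey($rel)) {
            $failures += "MISSING  $rel"
        } elseif ($restored[$rel] -ne $Manifest[$rel]) {
            $failures += "CHANGED  $rel"
        }
    }
    foreach ($rel in $restored.Keys) {
        if (-not $Manifest.ContainsKey($rel)) { $failures += "EXTRA    $rel" }
    }
    return $failures
}

# --- Demonstration on constructed data ---
$base = Join-Path $env:TEMP "backup-demo"
$live = Join-Path $base "live"
$copy = Join-Path $base "restored"
Remove-Item $base -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path (Join-Path $live "reports") -Force | Out-Null
Set-Content -Path (Join-Path $live "invoices.csv")   -Value "id,amount`n1,100"
Set-Content -Path (Join-Path $live "reports\q1.txt") -Value "Q1 figures"

$manifest = New-BackupManifest -Root $live          # snapshot BEFORE anything goes wrong
Copy-Item -Path $live -Destination $copy -Recurse    # stand-in for backup + restore

# Simulate ransomware reaching the restored copy: one file encrypted, one deleted.
Set-Content -Path (Join-Path $copy "invoices.csv") -Value "ENCRYPTED-GARBAGE"
Remove-Item (Join-Path $copy "reports\q1.txt")

$result = @(Test-BackupRestore -Manifest $manifest -RestoredRoot $copy)
if ($result.Count -eq 0) { "Restore verified: every file matches." } else { $result }
# Prints: CHANGED  invoices.csv  and  MISSING  reports\q1.txt
```

Keep the manifest somewhere the backup job cannot overwrite (an attacker who can encrypt the backup can also rewrite a manifest stored beside it); a copy emailed to the owner each week is enough for a small business.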

8. Turn unnecessary computers off overnight.

While many IT professionals will argue that this step is unnecessary, there is no arguing that threat actors tend to attack when they are least likely to be noticed. If someone notices their computer acting strangely, they may take note of it and/or reach out to IT. This increases the likelihood of the attacker being detected and cyber security first responders being deployed to address the issue. It is best for a threat actor to go unnoticed; that gives them time to snoop around and get done what they set out to do. Simply put, it is much easier for an attacker to make their move at night or over the weekend, when anything that might have been noticed during the day will go unseen. They have free rein, as long as they keep the anti-virus at bay. An indisputable fact about computers is that when they are off, they cannot be actively hacked. (Check with your IT team first: many rely on overnight windows for updates and backups, which is a good reason to keep servers on and switch off only the workstations.)

9. Clean up and inspect electronics lying around the office, especially if connected to your network or in the server room.

Cybersecurity does not exist only in the digital realm. One way you may be attacked is with a physical hardware device that someone installed in your office without your knowledge. This may be a little box you find plugged in behind a cabinet, or mixed in amongst all the other little boxes and adaptors in your server room. It is a good idea to sweep the office occasionally for such devices. If you are unsure what a device does, reach out to your IT provider before simply disconnecting it.

You can also take a photo of the device (make sure the text, e.g. brand or product name, is legible) and search the web, either with a simple Google search or with a tool like Google Lens on your smartphone, to find out what the device may be. Then consider what it may be doing on your network. A common example of a device that may be suspicious is a Raspberry Pi: a mini Linux computer that can be programmed to do just about anything, and small enough to hide behind a desk with only a network cable and a power lead showing.
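A physical sweep finds what is visible; the network side of the same check is to compare what is actually answering on the LAN with the list of devices you know you own. The block below is an added example, not from the original article. Windows keeps a table of the neighbours it has recently talked to (Get-NetNeighbor), and the first three bytes of every MAC address are a vendor prefix (OUI); the three prefixes listed for the Raspberry Pi are the ones registered to the Raspberry Pi Foundation and Raspberry Pi Trading Ltd. The inventory and the sample neighbour table are constructed for the demonstration.

```powershell
# Added example, not from the original article: report LAN devices that are
# not on your inventory, calling out Raspberry Pi vendor prefixes. The three
# OUIs are the registered Raspberry Pi ones; the inventory and the sample
# neighbour table below are constructed.

$raspberryPiOui = @('B8-27-EB', 'DC-A6-32', 'E4-5F-01')

function Find-UnknownDevice {
    param(
        [Parameter(Mandatory)] [object[]]$Neighbors,   # objects with IPAddress, LinkLayerAddress
        [Parameter(Mandatory)] [string[]]$KnownMacs    # MAC addresses from your own inventory
    )
    # Normalise to the Windows "AA-BB-CC-DD-EE-FF" form so inventories in
    # colon notation still match.
    $known = $KnownMacs | ForEach-Object { $_.ToUpper().Replace(':', '-') }
    foreach ($n in $Neighbors) {
        $mac = ([string]$n.LinkLayerAddress).ToUpper().Replace(':', '-')
        if ($mac.Length -lt 8) { continue }                           # entry without a MAC
        if ($mac -eq 'FF-FF-FF-FF-FF-FF' -or $mac -like '01-00-5E-*') { continue }  # broadcast/multicast
        if ($known -contains $mac) { continue }                        # something we own
        $oui  = $mac.Substring(0, 8)
        $note = if ($raspberryPiOui -contains $oui) { "Raspberry Pi vendor prefix" }
                else { "not in inventory (vendor prefix $oui)" }
        [pscustomobject]@{ IPAddress = $n.IPAddress; MAC = $mac; Note = $note }
    }
}

# Constructed inventory and neighbour table for a small office subnet.
$inventory = @('AA-BB-CC-11-22-33', 'aa:bb:cc:44:55:66')
$sample = @(
    [pscustomobject]@{ IPAddress = '192.168.1.1';  LinkLayerAddress = 'AA-BB-CC-11-22-33' }  # router
    [pscustomobject]@{ IPAddress = '192.168.1.20'; LinkLayerAddress = 'AA-BB-CC-44-55-66' }  # known PC
    [pscustomobject]@{ IPAddress = '192.168.1.77'; LinkLayerAddress = 'B8-27-EB-12-34-56' }  # unexpected Pi
    [pscustomobject]@{ IPAddress = '224.0.0.251';  LinkLayerAddress = '01-00-5E-00-00-FB' }  # multicast, ignored
)
Find-UnknownDevice -Neighbors $sample -KnownMacs $inventory | Format-Table -AutoSize
# Reports only 192.168.1.77 with the note "Raspberry Pi vendor prefix".

# Against the live network: the neighbour table only lists devices this machine
# has recently exchanged packets with, so ping the subnet first to fill it.
#   1..254 | ForEach-Object { Test-Connection -ComputerName "192.168.1.$_" -Count 1 -Quiet -ErrorAction SilentlyContinue } | Out-Null
#   Find-UnknownDevice -Neighbors (Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale) -KnownMacs $inventory
```

An attacker can change a device's MAC address, so an unexpected Raspberry Pi prefix is a strong signal but an innocent-looking prefix proves nothing; the reliable control is the inventory itself, which is why anything not on it deserves a walk to the patch panel.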

10. Avoid public Wi-Fi and plugging in devices you find lying around.

Computing in public can be a lot more dangerous than it appears. If you are a worthy target, two surprisingly simple methods threat actors may use are:

  1. Spoofing a public Wi-Fi network with a piece of hacking gear called a Wi-Fi Pineapple. They set up their own access point, using the same network name as the real one, between the real router and the Wi-Fi user, essentially becoming a malicious man-in-the-middle. They use this setup to capture the traffic going back and forth. Any unencrypted traffic can be read and saved for later reference, and even when sites use HTTPS the attacker still sees which sites you visit. Therefore, it is generally recommended that you use a VPN solution when you expect to use public Wi-Fi. Recommended offerings include Express VPN, Nord VPN or Private Internet Access.

  2. Some hackers (both good and bad) like to leave flash drives or modified phone chargers lying around at conferences, in lobbies, or just on the ground in a parking lot. These are not regular flash drives (the best-known example is called the USB Rubber Ducky). They look indistinguishable from the regular flash drives you see everywhere, including the kind companies give out as promotional material. However, when plugged in they act as a keyboard and type commands faster than you can read them, and so can be used to steal passwords, drop malware or install backdoors on your system. The modified phone charger does the same thing, potentially compromising your phone and/or any computer you plug the cable into. Any hacker will tell you to buy your own flash drives and cables. Consider whether you or your staff are likely to fall victim to an attack introduced in this manner, and ask your IT team whether unknown USB devices can be blocked on company machines.

BONUS Tip:

Warning: Consult your IT department or managed IT service provider before implementing the following steps!

11. Turn on Controlled Folder Access Ransomware Protection on Windows

Path: Windows Security > Virus & Threat Protection > Ransomware Protection > Controlled Folder Access

Microsoft has built a security feature called Controlled Folder Access into Microsoft Defender Antivirus, which comes with Windows. It works by letting only trusted applications (those Microsoft recognises as reputable, plus any you add yourself) change files in the protected folders; by default these are your Documents, Pictures, Videos, Music, Desktop and Favorites folders, and you can add more. Given the prominence of ransomware in the current cyber landscape, this matters because when an untrusted program tries to modify, delete or encrypt files in those locations, Defender blocks the attempt and notifies you; you can then decide whether the program is legitimate and add it to the allowed list. For example, if you were deliberately encrypting files with a tool of your own before delivering them to a client, you can allow that tool. However, if you are simply going about your daily business and see the notice... you may be under active ransomware attack, and Defender's block will have saved you from massive heartache. Expect a few false positives from older line-of-business software, which is why your IT team should trial it in audit mode before enforcing it.
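The same setting, driven from PowerShell so an IT team can roll it out the same way on every machine and trial it before enforcing it. This is an added example, not from the original article; it uses the built-in Defender cmdlets (Get-MpPreference, Set-MpPreference, Add-MpPreference) and the Defender operational event log, which records audited attempts as event ID 1124 and actual blocks as event ID 1123. The folder and application paths are placeholders for your own. Run it from an elevated PowerShell window.

```powershell
# Added example, not from the original article: turn on Controlled Folder
# Access from PowerShell, audit mode first. Folder and application paths are
# placeholders to replace with your own. Run elevated.

# Current state: mode, extra protected folders, and apps already allowed through.
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# 1. Audit mode: nothing is blocked yet, but every would-be block is logged, so
#    you learn which line-of-business programs need to be on the allowed list.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect more than the default user folders (Documents, Pictures, etc.).
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Finance"

# 3. Allow the legitimate tools that audit mode showed writing to those folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Example\app.exe"

# 4. Review what audit mode recorded: 1124 = would have been blocked (audit),
#    1123 = actually blocked (once enforced). Each event names the process and file.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Only once the allowed list covers everything legitimate that step 4 showed:
#    Set-MpPreference -EnableControlledFolderAccess Enabled
```

Leave it in audit mode for a week or two of normal business before running step 5; a block that fires during an attack is the point of the feature, but a block that fires on the accounting package on month-end is how the feature gets switched off and forgotten.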

Written by: Matthew Jardine
