Friday, May 18, 2018

Cyberattacks And How To Protect Your Computer and Data by Cyber Expert Josh Moulin ~ Part 3

This is the final installment of Josh's 3-part series.  I hope you've found it as scary and as useful as I have.  Thanks, Josh, for your time and your expertise.  

If you have been following this blog series, you know that the first blog discussed the cyberattack kill chain and how hackers target individuals and systems and the second blog covered common cyberattacks and how they are perpetrated and identified. In this final post, I am going to discuss what users can do to harden their systems against attack.

Typically, criminals are lazy and take the path of least resistance. Just like locking your doors and having an alarm system will deter the majority of home burglars, there are preventative steps a computer user can take to cause a criminal to move on to someone else who is easier to compromise. The major caveat to this is if you happen to be specifically targeted by the attacker, who may not be easily deterred by basic preventative measures.

Cybersecurity is a fine balance between convenience and security; users and businesses must make an informed risk-based decision when determining the level of security that should be applied to systems and applications. Too much convenience and your systems are wide open to attacks. Too much security and work is inhibited.

In no particular order, here are my suggestions and opinions on how to keep yourself cybersafe:

Multifactor Authentication

I have an entire blog post dedicated to Multifactor Authentication (MFA). If you want the details, please read it – but to summarize here, use MFA for everything that you possibly can. Can it be a hassle to always have your phone with you? Yes. Does it make it nearly impossible for someone to access your online information without your phone? Yes. Use MFA like Google Authenticator or text messaging for banks, Dropbox, iCloud, Google, etc. If you are wondering what sites and services offer MFA, look at this website.

Physical Security

Equally as important as having good cybersecurity, you must protect your devices. Once an attacker has physical access to your phone, tablet, computer, etc. it is game over. Use strong passwords, use screen savers that require a password once they come on, don’t share your password with others, and don’t leave your devices unattended.
Never, ever, connect your phone or device to charging stations in public places or to a rental vehicle via USB cables. Studies have shown that in some cases, data is collected within rental car computers and in charging stations and malware can be implanted on the connected device. If you must charge, use power plugs or cigarette lighter chargers and never directly connect a USB cable to a hub. The only exception is if you buy a USB cable that has had the data wire removed or use a data blocking device in line like this one.

Password Manager

I have already mentioned in my second blog post what the dangers are of reusing the same password for everything, but it is impossible to remember multiple passwords. I have a few recommendations when it comes to passwords and it involves another risk-based decision. For instance, if you have enabled MFA on your accounts, then you have greatly reduced the risk of unauthorized access, so the complexity of your passwords is not as important as it would be if you didn’t have MFA (the convenience – security balance). Even reusing passwords on accounts with MFA is more tolerable because the one-time password (OTP) used with your app or text message provides the extra security.
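The point made here and in the Multifactor Authentication section, shown as an added example that is not part of the original post: a login that checks a password plus an app-generated time-based OTP (RFC 6238, the scheme authenticator apps such as Google Authenticator use). The account record, the password and the function names are constructed for illustration; the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP (HMAC-SHA1), as used by authenticator apps."""
    counter = struct.pack(">Q", max(0, at_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30) -> bool:
    """Accept the current code or one step either side (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret, at_time + d * step, step).encode(), code.encode())
        for d in (-1, 0, 1)
    )

def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so the stored value is not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account record; the secret is the RFC 6238 test key, not a real one.
SALT = b"constructed-salt"
ACCOUNT = {
    "salt": SALT,
    "pw_hash": pw_hash("reused-password", SALT),
    "totp_secret": b"12345678901234567890",
}

def login(account: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass; both are evaluated before the result is combined."""
    pw_ok = hmac.compare_digest(pw_hash(password, account["salt"]), account["pw_hash"])
    otp_ok = verify_totp(account["totp_secret"], code, at_time)
    return pw_ok and otp_ok

if __name__ == "__main__":
    phone_code = totp(ACCOUNT["totp_secret"], 59)  # what the phone shows at t=59
    print("owner, password + current code :", login(ACCOUNT, "reused-password", phone_code, 59))
    print("known password, wrong code     :", login(ACCOUNT, "reused-password", "000000", 59))
    print("known password, expired code   :", login(ACCOUNT, "reused-password", phone_code, 179))
```

A leaked or reused password on its own fails the second check, and a code stops working about a minute after it was shown; a production verifier would also refuse a code it has already accepted once.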
For me, I use a password manager to maintain all of my passwords. I don’t like having my browser save my passwords because if my system or browser is compromised, those passwords will most likely get stolen. I also don’t trust cloud password managers because if the cloud provider is compromised, my passwords may also be compromised (this has happened).

I recommend standalone databases that are installed on your system and encrypted themselves. I like KeePass and a lot of security research has been done on this program. It uses excellent encryption and you can place the database in a shared location if you want (such as a home network attached storage (NAS) device) and it is usable on mobile devices. It’s not stored in the cloud and allows you to maintain usernames, URLs, passwords, and other secure notes. It also has a password generator, which allows you to create very complex passwords immediately.

I actually do not know most passwords to websites; I use KeePass to generate hugely complex passwords for sites that don’t utilize MFA and just store them within KeePass. If I need to access the site, I copy/paste the complex password into the browser and never see it.

Make sure you are using PINs, fingerprints, or complex passwords to access your mobile devices. There are pros and cons to using different methods, but make sure you are at least using something and preferably more than just a four-digit PIN.

Patch, Patch, Patch

Make sure that your Operating System (OS) (i.e., Windows, Mac OS X, iOS, Android, Linux) is set up to automatically download and install updates. Frequent patching is one of the best ways to prevent cyberattacks that leverage known vulnerabilities. In addition to patching the OS, make sure to patch all other third party software installed on your devices. This is relatively simple with iPhones for example because it will automatically update the OS as well as apps installed on the device.

This becomes more complex with computers because although the OS may update, other software like Java, Adobe, Office, Chrome, Firefox, etc. usually don’t. Mac is generally better at third party app management than Windows, but Windows is getting there with Windows 10. There are apps available to help keep your Windows third party software updated; look at https://ninite.com/ for example.

Install and Maintain Security Software

Just as malware has come a long way, so has security software. Today’s (good) security software really does a lot more than the old antivirus software (hence calling it security software instead of just antivirus). Because of the sharing of common information and malware, the market for specialized security software is much different than it used to be and in fact many great products are completely free. Windows Defender for example is actually a decent security software tool and built in to Windows. The nice thing about Defender is that it updates as Windows updates and you don’t have to worry about an incompatibility with your security software anytime you upgrade your OS (used to be a common issue).

Although there are many myths around Macs being more secure than Windows computers, they face many of the same vulnerabilities as PCs. The difference really is that because Windows systems have the greatest market share and are more common in businesses, most malware is written and directed at PCs. There is plenty of Mac malware though and running a Mac without security software is no longer an option.

There is a mix of commercial and open source security software tools available and they range in price from free to an annual subscription of around $50 to $60. Ideally, look for a software that provides anti-malware, firewall, intrusion prevention, web protection, and crypto-attack detection. Here are a few examples of security software tools I would consider (these are my own personal opinions and I’m not endorsing any particular vendor, but have personal knowledge of the tools below).

If you really want to compare different security software vendors, check out this site.


Use Encryption

Encryption has come a very long way and is now built-in to devices and free to use. Encryption essentially scrambles the data on your device and without the key (a password in most cases) the data cannot be descrambled and read. Any Windows device and especially those that travel like tablets and laptops should be encrypted with BitLocker. Don’t discount your home computers though, because if they are stolen in a burglary you don’t want your data in the hands of someone else.

For Mac computers, use the built-in FileVault 2 encryption option. I would caution against having the key stored within Apple’s cloud though. Apple offers to store the key online as a backup (because if you forget your password, you will never get to your data), but this creates a vulnerability. Another option is to take a screenshot of the emergency backup key, print it, and maintain it somewhere like a safe deposit box (same is true for BitLocker and storing the key with Microsoft).

While no one wants a device stolen, if your device is stolen and you have ensured that it is always password protected (including auto-locking after 15 minutes of no use) and it is encrypted, you can rest assured no one will be looking through your data.

Maintain Backups

There are two primary reasons to have backups; one is for the accidental file deletion that you need to restore, and the other is for full disaster recovery. Backup software has also come a long way and both Windows 10 and Mac OS X have built-in backup solutions. My recommendation is to always have frequent incremental backups occurring at least once a day, if not hourly. These backups can be to a connected drive (such as a USB hard drive), or wirelessly to a device like a NAS. Windows and Macs both carve out a portion of the system’s hard drive for incremental backups too, for those times when something is accidentally deleted and just needs to be recovered immediately.

For disaster recovery though, I recommend having a completely separate portable hard drive that you do full backups on. You must decide how frequently you want these backups done (weekly, monthly, quarterly, etc.) and the question you must ask yourself is how much data are you willing to lose if something happens (this is called the Recovery Point Objective in IT-speak). For example, if I decide to do full backups monthly, am I willing to potentially lose a month’s worth of work, photos, etc. if my computer was stolen or destroyed? Remember that the disaster recovery disk is for those situations where you cannot access the original computer for some reason like a fire, flood, or theft. You may also do ad-hoc backups if you just completed some important work and you don’t want to wait until the next month to backup. Just put a recurring appointment on your calendar for full backups and make sure to stick with it.
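The Recovery Point Objective described above can be checked mechanically against a backup history. This is an added example, not part of the original post; the function names, the 31-day and 1-day objectives, and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from pathlib import Path

def backup_times_from_dir(path):
    """Assumption: one file per backup run, mtime = when the backup finished."""
    return [datetime.fromtimestamp(p.stat().st_mtime)
            for p in Path(path).iterdir() if p.is_file()]

def rpo_report(backup_times, rpo, now):
    """Measure a backup history against a Recovery Point Objective (RPO).

    exposure   - work that would be lost if disaster struck at `now`
    worst_gap  - longest stretch without a backup, up to `now`
    violations - (start, end) stretches longer than the RPO
    """
    times = sorted(backup_times)
    if not times:  # no backups at all: everything is at risk
        return {"exposure": None, "worst_gap": None, "violations": [], "ok": False}
    points = times + [max(now, times[-1])]
    gaps = list(zip(points, points[1:]))
    violations = [(a, b) for a, b in gaps if b - a > rpo]
    return {
        "exposure": points[-1] - times[-1],
        "worst_gap": max(b - a for a, b in gaps),
        "violations": violations,
        "ok": not violations,
    }

# Constructed history: monthly full backups to the offsite drive, April skipped.
FULL_BACKUPS = [datetime(2018, m, 1) for m in (1, 2, 3, 5)]
# Constructed history: daily incrementals for the last week, all present.
INCREMENTALS = [datetime(2018, 5, d, 2, 0) for d in range(11, 19)]
NOW = datetime(2018, 5, 18, 12, 0)

if __name__ == "__main__":
    for name, history, rpo in (
        ("full/offsite", FULL_BACKUPS, timedelta(days=31)),
        ("incremental", INCREMENTALS, timedelta(days=1)),
    ):
        r = rpo_report(history, rpo, NOW)
        print(f"{name}: exposure={r['exposure']}, worst gap={r['worst_gap']}, ok={r['ok']}")
        for start, end in r["violations"]:
            print(f"  no backup between {start:%Y-%m-%d} and {end:%Y-%m-%d}")
```

Pointing `backup_times_from_dir` at the folder on the backup drive replaces the constructed histories with real ones; the skipped April backup shows up as a 61-day stretch against a 31-day objective.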

There are two very important items to remember with your backups. First, the backup disk must also be encrypted. If your backup data is unencrypted and your home is burglarized, the criminals will just get your data off of the backup drive instead of the computer. Both Mac and Windows will allow you to encrypt external drives with FileVault 2 or BitLocker, respectively. Or, you can purchase hardware encrypted drives, such as an Aegis drive (https://www.apricorn.com/). 

Second, the disaster recovery backup needs to be stored offsite. Local backup drives are for convenience, but disaster recovery backups are used in the event the original data or system is unavailable. If your disaster recovery drive and computer are in the same place and they are both destroyed, you are completely out of luck. Some people may store an encrypted hard drive at their office, at a friend or family member’s home, in a safe deposit box, or somewhere else they have access to.

Some people may choose to back up to the cloud, which is certainly more convenient but may be less secure. There are ways to encrypt data within the cloud so only you can access it, but this takes additional steps and some advanced knowledge.

Do Not Ignore or Disable Security Settings

Read security warnings that pop up and don’t disable security settings that are designed to keep you safe. For example, automatic software downloads and installation, or user access control (UAC) may be frustrating, but they are extremely important. Also make sure your computer’s built-in firewall is turned on. Windows 10 and Mac OS X both have good firewalls.

Never Use an Administrative Account for Normal Use

This is called the rule of least privilege. Always use the least privileges on a computer necessary to do your work. Your computer should have at least two accounts on it and every user should have their own account (especially kids). One is a full administrator account that you can use to change settings, install software, do maintenance, etc. This admin account should have a password that is unique and hard to guess and should never be used for normal tasks such as web surfing or checking email. If a computer is attacked while logged in as the admin, the likelihood of malware being able to execute and install is much greater. The subsequent accounts should be normal user accounts and not have admin privileges. This is where you conduct the majority of your work such as email, web surfing, etc. If you need to install something under your normal account, you will be prompted to temporarily provide your admin username and password. This is good, as it causes you to think and make sure what is being done is something you requested and not malicious.

To make sure I am never logged in to the wrong account, I make the desktop background of my admin account a bright red solid color. Then, just by looking at my desktop, I know that I should not be doing anything online.

About The Author:

Josh Moulin serves as a trusted advisor to federal government IT and cybersecurity executives. Previously, Moulin was the Chief Information Officer for the Nevada National Security Site, part of the U.S. Department of Energy’s Nuclear Weapons Complex and before that spent 11 years in law enforcement including 7 years as the commander of a cybercrimes task force. 

Moulin has a Master’s Degree in Information Security and Assurance and has over a dozen certifications in law enforcement, digital forensics, and cybersecurity including as a Certified Ethical Hacker. For more information, visit JoshMoulin.com or connect with him on LinkedIn or Twitter.



7 comments:

  1. Wow, Josh!!!! What an incredible series of posts. Scary, super informative, and helpful.

    I have an automatic backup to Backblaze, with multi-factor ID. I make redundant backups on EHD’s, and I use other suggestions you’ve made, but now I know there is more to be done.

    Thank you for being here, and answering questions! AND that you’ll come back to give us updates and perhaps will write more blogs. ~L.A.

    1. You're very welcome and sounds like you are doing good things with your backups! I'm happy to do future posts and if your audience has specific questions or topics, send them my way and I can see what I can do to answer them in a future post.

  2. Josh, I do have a question, natch, right? What about all the new brouhaha on having a secure site with an SSL cert? I just got mine, but it wasn't cheap. And I kinda resent that. But what can happen if you don't get one?
    Hugs, L.A.

    1. Good question...the down and dirty on this is that websites that don't use encryption certifications (like SSL) open up their users to the risk of other people capturing everything communicated between the webserver and the user's computer. So, if someone enters a username and password into a website that isn't using SSL (or TLS - transport layer security) and an attacker is positioned between you and the webserver, they can get your credentials in plaintext. Even if you don't have sensitive information or even require credentials to access your site, you should still acquire an SSL certificate and upgrade your site. Why? Because many browsers have begun marking non-encrypted sites as "not secure", giving users warnings, and eventually may even block access to non-secure websites altogether without further user interaction.

  3. I had never thought of using an admin account to maintain my pc. How would a non-admin account know there were required updates? Would all users get a notice if there were?

    1. All users should get notified of updates, even if they are not an admin - but it generally takes an admin account to install the updates and patches. For Windows, Mac, and most types of Linux operating systems you can always go to the "updates" area and check for new updates. I recommend setting all computers to automatically download and install updates so then you don't have to worry about it. Remember though, this only helps for the operating system and does not account for third-party applications like most browsers, Java, Flash, Adobe, etc. Those should just be checked occasionally or if they have an option to automatically download updates, enable that function. You can always set up a monthly recurring calendar appointment for technology updates and then go through all your devices to check security settings and updates as well as take care of any backups.

    2. I have heard about Windows updates containing "snoop" software that lets Microsoft track you. How true is that? Should I be worried about this?
