J3media Cyber Security Education
- What is Cyber Security?
- Why is Cyber Security Important?
- What can I do?
- Defense in Depth
- What is an Admin?
- What is Ransomware?
- Password Management
- Updates and Security Implications
- Tips for Securing your Home Office
What is Cyber Security?
As more companies rely on computers, the internet and cloud-based technology for everyday business services, more and more threats to these systems emerge.
Cyber security is the body of policies, processes and technologies designed to protect networks, devices, programs, and your data from attack, damage or unauthorized access.
The CIA triangle is a tool that helps us understand and prioritize the security of our data and systems.
The CIA Triangle?
The CIA Triangle is a widely used cyber security model that helps businesses and organizations develop policies and procedures to keep their data secure and available to authorized users.
Confidentiality: Only authorized users are able to view or access the data.
Integrity: The data is verified correct and cannot be changed accidentally or maliciously.
Availability: The data is available to authorized users whenever they need it.
As we can see, the CIA triangle is straightforward and to the point. We want access to our data, but we want to ensure that others are not able to access or change that data.
Why is Cyber Security Important?
Security may not seem that important at first glance, but depending on the industry you are in, a breach of your network or systems may have major consequences. Generally, government, military, corporate, financial and medical organizations hold data that malicious actors would like for themselves or to sell to others on the “dark web”. In the last year, though, the set of traditional targets has expanded, as society is now being affected by mass misinformation campaigns, ransomware attacks and botnets.
Information and data bad actors look for can include:
- Embarrassing information that could damage the company’s reputation
- Digital services you and your company use
- Emails, passwords, account names, phone numbers
- Donor information, client lists, board information
- Financial Corporate Data
- Proprietary information
- Access to your hardware to carry out criminal activities or mine Bitcoin on your systems
- Personally Identifiable Information (PII)
- Credit cards, bank account info, addresses (used for fraud and identity theft)
- Medical records, SSN, insurance, etc.
What can I do?
If you have particular questions about cyber security for your business, J-3 Media is here to help. Feel free to contact us for a free consultation.
If you are looking for some tips to get you started, check out the notes below.
People Are the Weakest Link in Security:
Unfortunately, at the end of the day, your staff, coworkers or supervisor are the most likely way your company will be compromised. Sixty percent of successful attacks on businesses are carried out not by attacking the hardware or software, but by attacking the social infrastructure of businesses. That’s the people.
There are many types of attacks in which scammers impersonate a company member or a boss, trying to get someone to disclose information about the business, passwords, or Personally Identifiable Information (PII) on clients, customers, board members, etc.
These attacks are wildly imaginative and generally contain some pretext of urgency or reason to hurry, getting the targeted person to overlook strange signs or “flags” regarding the encounter.
Common tactics used to accomplish this are “email spoofing” and “URL spoofing”.
Proper Hardware & Network Configuration:
Before we can secure a system, we need to know the components of that system. The foundation of network security is knowing and maintaining an inventory of all the hardware that is on the network. This includes the endpoints (desktop computers, laptops, mobile phones, sensors, cameras, switches, routers, databases) that are on your network.
It can also be helpful to draw a “Network Diagram” showing how all the endpoints, or individual devices on your network, are linked together and where your security controls are placed.
Quick Network Security Tips:
- Inventory everything in your network
- Keep all operating systems, software and services up to date
- Implement Network Access Controls (NAC) to keep unauthorized devices off the network
- Implement an Intrusion Detection System (IDS) to alert you of suspicious activity
- Maintain an antivirus/malware scanner
- Subscribe to newsletters for the services you use (they will let you know about vulnerabilities)
Policies and Procedures:
- Create a Policy around securely backing up your data (daily, weekly, monthly, quarterly, annually?)
- Have a policy for testing the integrity of data backups.
- Create a policy for updating all hardware, and software, apps and services on all endpoints
- Phishing Awareness – Have all of your staff and company members, including owners, upper management and the board, go through Phishing Awareness Training on a regular basis. Training should cover:
  - How does phishing hurt businesses?
  - How to identify suspicious-looking emails
  - What to do and not do with suspicious-looking emails
  - How to respond “out of channel”
  - What is the policy and procedure for reporting emails to IT and management, and for alerting other staff?
Defense in Depth
Employing just one defensive strategy in the complex environment of the internet would not be that helpful. Thus, the cyber security industry prefers a “defense in depth” approach, which employs “layering” security controls on top of each other.
That way, if a malicious actor does breach or attempt to breach part of your network, there are additional hurdles and alarms in place to limit, detect and deter them.
Below are some examples which, when all implemented together, constitute a defense in depth strategy:
- Utilizing a Web Application Firewall to block and detect attacks towards internet facing infrastructure
- Utilizing an Intrusion Detection System (IDS) to be alerted about vulnerabilities and attacks or anomalous behavior
- Running a malware scanner on your host computers
- Maintaining and updating all endpoint operating systems and software
- Utilizing a SIEM or log management system
- Ensure you have full backups of your system that have been tested
- Network Access Controls – to ensure devices not authorized are not able to access the network
- Having a strong password policy, with passwords updated every 90 days
- Enable Multi Factor Authentication (MFA)
These are just some tips and security controls that can be put into place to help enhance your business’s security posture. This is not an exhaustive list and should be customized and adapted based on the systems your company uses and the needs of your business.
If you have more questions feel free to reach out to us.
What is an Admin?
When considering computers and network apps like websites, it’s important to consider the idea that not everybody should have the same capabilities for editing and managing a system. Some people just need to interact with the software, like a customer buying a product online. Thus, in networking we segment the user types by role and by the permissions they need to accomplish certain tasks. We wouldn’t want a customer to be able to see valuable company information like sales reports on your website, would we?
One of the most important roles to remember and manage appropriately is the Administrator or Admin role.
The Admin of a computer or website holds the highest-privileged “role”, giving that user the ability to make any change on that system.
Admins can change security settings, install hardware and software, access all the data and files on a system and add or delete other user accounts of lesser privilege and capability on the network.
Below is a list of commonly found user types, from most to least privileged:
1 Admin – Most Privileged
2 Shop Manager
3 SEO Manager
7 Subscriber – Least Privileged
Ok, why should I care who is Admin?
Since the Admin has the capability to add and delete users, view, change or delete all the data on a system it is imperative to have the Admin account locked down and managed. Gaining access to the Admin account is the first thing a nefarious actor would do, to steal information from your business or ransom your hard drives.
The Admin should be in charge of security and updates and understand how to create less privileged users to accomplish tasks. For example, the Shop Manager role would be appropriate for someone who manages orders and inventory on an ecommerce store. The shop manager should not have the capability to update plugins, possibly breaking the site or leaving it vulnerable to exploitation. The goal is to clearly separate the account permissions based on the needs of the user.
How Many Admins should there be?
Ideally there should only be one or two Admins on any given system, and the rest should be users of different roles. Separation of roles and privilege is what we want. In a restaurant, a waiter doesn’t need access to the deposit box, or the bank accounts – they need access to the till to make change.
The Most Dangerous – Default Admin Accounts
Most devices you buy these days have a default Admin user set up to run the software. This includes cameras, smart TVs, wifi routers, home surveillance cameras, cell phones and even your car engine: any piece of technology with a processor in it also has an associated Admin account.
This gets terribly dangerous when new owners of these devices do not change the default Admin username and password. This is how people can sneak into your home from the other side of the world and watch your kids play through your security camera, or hack your TV, microwave, phone or camera to be used in numerous ways.
Make sure that all devices in your home have had the default Admin user and password changed. We recommend starting with your router.
What is Ransomware?
A malicious actor may not be satisfied with just entering and stealing information from your company’s network or your private network. Ransomware is encryption software a malicious hacker uses to encrypt your files, effectively locking you out of your device.
Once all of the files on your computer are locked, you are notified that you must pay a fee, usually in Bitcoin or some other cryptocurrency, to have your hard drive unlocked/decrypted. Ransoms in 2020 were measured in the tens of millions of dollars as institutions were brought to their knees by these state-sponsored bad actors. Ransomware is increasingly being used across all sectors, including the medical sector.
As with email phishing campaigns, these scams can be very imaginative and generally have either a “too good to be true” story line, like a “$500 refund from Microsoft”, or some type of threat, like pursuing legal action if an invoice isn’t paid immediately.
Sadly, if you do not have relevant backups of your data and systems, there is generally nothing that can be done to either unlock these devices or get the ransom money back.
Who is Targeted by Ransomware?
Generally no one is immune to being ransomed for their device or data.
Institutions like municipal police departments, libraries, schools, universities, and hospitals are being targeted more and more by domestic and foreign actors. If the ransom is not paid, generally these bad actors will start disclosing Personally Identifiable Information they harvested on the open internet, until the ransom is paid. Or, they will inhibit the systems from being used.
Along with municipalities and other institutions, the “grid” of infrastructure that manages our towns and cities (electrical, oil & gas, hydrologic and energy-generating infrastructure) is vulnerable as well. Most infrastructure in the US was designed as all-analog systems. These systems have since been adapted to communicate with computers and are thus “hackable” and vulnerable to external manipulation. The consequences of ransoms like this could cripple entire states and economies, as seen with the Colonial Pipeline attack in 2021.
Lastly, people who are not familiar with online safety may be taken advantage of. Generally, the elderly population in the U.S. is targeted by phone scammers saying they can provide a refund for a product or service the person never bought, and the person says yes. The scam generally includes the scammer being allowed access to the victim’s computer under the guise of helping. Then the attacker downloads encryption software, encrypts the victim’s computer, retains the keys, and will not unlock the computer until the ransom is paid. It is common for these scammers to be very pushy and rude, forcing people to cave emotionally and pay the ransom to end the interaction.
Password Management
Password management is an essential part of developing a more advanced security posture. With current computer technology, a six-character password can be “brute forced” in a matter of minutes or seconds. Requiring passwords that are 12-16 characters long and that use special characters and upper and lower case can increase the time needed to crack these passwords to ~250 years.
So, requiring your customers, staff and faculty to have strong passwords significantly reduces the attack surface available to malicious users.
Strong Password Tips:
- Try to think of a “passphrase” to make your password longer and easy to remember
- Don’t ever use the same password for multiple services, if one is compromised, they all could be.
- Don’t like remembering long passwords? Use LastPass, the industry standard for password management; check them out here: https://www.lastpass.com/
- Rotate your passwords every 90 days
- Enable Multi Factor Authentication (MFA)
- Use the “have I been pwned” service to see if your email and password information was breached in the past: https://haveibeenpwned.com/
- If your information is on the haveibeenpwned.com site, be sure to update the passwords on those accounts and on any other accounts that share the same passwords.
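The brute-force arithmetic behind the six-character and 12-16-character figures above, as an added example that is not part of the original page: it infers the character classes a password uses, computes the keyspace and entropy bits, and converts that to a worst-case search time, plus the same calculation for a random-word passphrase. The guess rate of 10 billion per second and the 7776-word list size are assumptions for illustration, so the absolute times differ from the page's; the ratio between the cases is the point.

```python
"""Brute-force cost estimates for the password rules discussed above."""
import math
import string

# ASSUMPTION for illustration only: 10 billion guesses per second, a
# plausible rate for one GPU against a fast, unsalted hash. Real rates
# vary by orders of magnitude, so compare the cases, not the absolutes.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover, inferred from the
    character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c.isupper() for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c.isdigit() for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32, giving 94 in total
    return size


def keyspace(alphabet_size: int, max_length: int) -> int:
    """Candidates an exhaustive search must try to cover every
    password of length 1..max_length over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Bits for a passphrase of randomly chosen words; 7776 (6**5) is
    the size of a Diceware-style list, one word per five dice rolls."""
    return word_count * math.log2(wordlist_size)


def describe_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, for reporting."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def worst_case_seconds(password: str,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust every candidate up to the password's length and
    character classes; the expected time is about half of this."""
    return keyspace(charset_size(password), len(password)) / rate


if __name__ == "__main__":
    # Constructed sample passwords covering the page's two cases.
    for pw in ("qwerty", "Tr0ub4dor&3!", "q7#Lm2$Vx9!pRw4k"):
        bits = entropy_bits(charset_size(pw), len(pw))
        print(f"{pw!r:20} {bits:5.1f} bits  worst case "
              f"{describe_duration(worst_case_seconds(pw))}")
    print(f"4-word passphrase: {passphrase_entropy_bits(4):.1f} bits")
```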
Updates and Security Implications
We all see those pop-ups on our Mac or Windows operating system, or on our mobile device, telling us it’s time to update the software or operating system.
It may seem convenient to do it later, but the reality is that by leaving your device or service out of date, your personally identifying data are vulnerable to being sold and/or ransomed.
The sooner you update, the more secure your data and your device will be. You will have more peace of mind and better functionality as well.
Note – PCI Compliance: Businesses that process transactions or personally identifiable information online are required to update and patch systems within one month of critical release.
What Do Software Updates Do?
There are plenty of benefits to updating your software. These include, filling holes in the infrastructure for security reasons, updating functionality and removing bugs. Since there are so many users now, big companies like Microsoft and Apple get lots of data on user feedback and experience so in general the software is getting better, more user friendly and more secure.
How do Updates Help Patch Security Flaws?
Just like any criminal, a hacker is looking for flaws in your security system. Bad actors can take advantage of the “gaps” in your security and do many things. They can install malware or back doors into your systems, allowing complete access, and steal the information, possibly sell it, or lock you out of your own system and ransom the information back to you.
The community of software engineers and beneficial hackers helps find these security errors in different applications, and they are reported and “patched” in the next update. In some cases, there can be major flaws not seen upon initial release that are discovered in the wild, and then multiple critical patches can be pushed out in one subsequent update. If you haven’t updated in a year, there could be multiple critical known vulnerabilities on your system.
It’s also important to note that some software is so old it is no longer supported (deprecated). A good example of this is Windows 7. Windows 7 is a highly vulnerable operating system used in teaching the next generation of hackers how to hack. It should not be used in the business environment.
How do Software Updates Protect my Data?
We all keep lots of important documents on our computers and mobile devices. We keep copies of things like our taxes, passports, all of our account login information, photographs and videos. These documents hold important details about our lives.
This is called Personally Identifying Information; with this data, people commit identity theft and fraud. They can take out loans in your name, guess your security questions, and possibly ruin your credit, which can take years to fix.
Think of the Community
The internet is a community of devices that interact delicately to perform all the tasks we ask of it. We constantly ask it for information, products, media and data. By keeping our own software and operating systems up to date, we help ensure that we are not a means of transmission for malware and viruses.
In summary, we recommend updating your systems after being notified of critical vulnerabilities, or quarterly (every 90 days). The longer you wait, the more vulnerable your systems are. Also, waiting too long may mean your software licenses have expired, or that other services you use may not be compatible with the updated software. So update often to avoid being hacked or having your system fall apart because it’s no longer supported.
Tips for Securing your Home Office
Just because you are working from home does not make your data safer. In 2020 there was a major spike in phishing scams, averaging 1,185 phishing attacks per month per organization. Malicious actors are capitalizing on the global pandemic crisis to get people to give up personal information online or click a link that downloads malware to their computer.
Because people are working and studying from home and using new services, companies may have less control over the hardware that you use, and it may not be maintained as consistently. This environment is ripe with opportunities for malicious actors to steal your personal information and identity, and possibly to ransom your data or enroll your hardware in a botnet used for criminal activity or for mining Bitcoin and other cryptocurrencies.
Watch out for Phishing Scams: Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an email, text or phone call. Never click on links or attachments in emails that look suspicious and especially if you don’t know the sender.
Scammers may try to impersonate email addresses or url addresses you may recognize.
Be on the watch for misspelled names and email addresses. If you are in doubt, reach out to the person “out of channel”. This means that if they sent an email that looks suspicious, call them on the phone.
Also, never respond to unsolicited emails. If it is a suspicious email from a person you know, never “reply”. Start a new email using your address book and open a new thread notifying them.
Remove Unnecessary and Risky Applications: If you don’t need an application or service, it should be removed. Also remember that your favorite free game, or a free font or free service you need, may also set up your computer or phone as part of a botnet and be mining cryptocurrency for someone else, or they could be committing crimes using your systems.
Antivirus and Malware: Antivirus and Malware scanners are a great tool for discovering if known malware, adware or viruses are on your systems. The limitation is that they don’t always catch “new” exploits or viruses that are released.
Enable your Firewall: A firewall is a list of rules that allow or deny traffic through your network. Enabling your firewall will allow it to reject network information that could be malicious or seems anomalous.
Updates and Software Patches: Updating your host machine’s operating system and keeping all software up to date and patched is an important part of your home office cyber security posture. Updates fix bugs and vulnerabilities and retire old code so that your machine can run more efficiently and securely.
Keep your Network Secure: Maintaining a strong password on your home network and changing it annually is a good start. If you have lots of guests using the network, you could set up a separate network for guests, so they wouldn’t have access to any devices like cameras that are connected to your main network. Your network’s name (SSID) can also be hidden.
Regularly Schedule Backups: Backups are an essential part of a home office. Make sure you have on site, or cloud-based backups and that you’ve tested them.
Switch off voice-controlled smart devices at your home workstation and cover the webcam when you’re not using it: Personal privacy in the digital age is a huge issue, and more so now that people are working remotely from home. Cameras and microphones in smart devices can be attacked and your data could be stolen, e.g. pictures of the inside of your home office and audio recordings from your home.
Public WIFI? Use a VPN: All the traffic that goes through the router at your favorite coffee shop is available for others to see. Before you log into your bank account, remember that, and make sure you are using a secure HTTPS connection and, ideally, a Virtual Private Network (VPN) to both encrypt the data you’re sending and hide your physical location.
Log off and secure devices when not using them: Even if you’re only walking away for a second, log off from your machine so that it is not accessible during your absence. And when you are done working, log out and put all of your devices and hard drives in a secure location. This is imperative not only from the malicious actor standpoint, but also because accidents happen… Water or a pet could damage your computer or hard drive.