Tips for Protecting Your Network 2019
In 2018 we saw a 350% increase in ransomware attacks, a 250% increase in spoofing or business email compromise, and a 70% increase in spear-phishing attacks. (IndustryWeek)
The reason? More and more hackers are compromising networks and systems, and demanding more and more money.
The average cost of a breach for Small Businesses? $120,000. Enterprise? $1.23 Million. (TechRepublic)
Your business is too small to be affected by a breach? Think again. 90% of breaches impact small businesses. Small Businesses invest less in information security, and less in their users. This makes them soft-targets. (ComputerWorld)
The internet is a big, scary place. Relying on yourself and your users to be intelligent and diligent in such a place is not an effective way to safeguard your business, your network, and your data.
We’ve put together a few ways you can easily, and effectively, safeguard your information and increase your network security without incurring the costs of hiring a Chief Security Officer.
1. Password Manager
The most common attack vector for hackers and those with malicious intent is compromised usernames and passwords. Just check haveibeenpwned.com, which uses known black market lists to look up your email address and reports whether you are listed or not. If your email address is over a year old, chances are it's on that list.
Websites, banks, network managers, and that stupid account you had to open to watch your nephew's baseball game are requiring harder and harder passwords. These are more difficult to crack, but they are also impossible to remember.
Enter the Password Manager.
Think of a Password Manager like the little book you keep for your passwords, just online and available anywhere you have internet. It's locked with a master key that only you know.
This reduces the number of passwords you have to remember to one (1). This password can now be longer and more difficult, and changed more regularly, but because you only have to remember one, it's not a big deal.
And it doesn't stop there. Password Managers help you generate and save strong, unique passwords, enabling you to use longer passwords that are more difficult to crack. When you visit a website with a saved password, you can open up your Password Manager, copy and paste the username and password, and log in. Easy. Better yet, most Password Managers offer browser plugins that automatically fill login forms for you!
At St. Aubin Technologies we use LastPass. LastPass enables us to protect our accounts, and yours, with strong random passwords we don’t have to remember… or write down on a paper. On top of which we utilize LastPass for Teams, which we use to save and share these complex passwords amongst ourselves, saving time when you need our help the most.
LastPass is built using AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes (really fancy talk for "you'd have to be better than a CIA spy and code-cracker to read this") to ensure complete security in the cloud. This encryption can only be decoded on your devices, with only your password, so even LastPass admins can't see your saved information.
For added security of your LastPass account, Multi-Factor Authentication is available, but we’ll go into more detail on that in a minute.
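To make the "only your password can decode it" point concrete, here is an added, simplified illustration of the key split a password manager can use; it is example code written for this post, not LastPass's implementation, and the iteration count and salting choices are assumptions. The vault key is derived on the device and never sent; the server only ever sees a second hash derived from it.

```python
import hashlib
import hmac
import os

# Assumed iteration count for the demo; real products tune this to their own targets.
ITERATIONS = 100_000


def derive_keys(master_password: str, email: str, iterations: int = ITERATIONS):
    """Client-side derivation. Returns (vault_key, auth_hash).

    vault_key: PBKDF2-SHA256 over the master password, salted with the account
               e-mail. It stays on the device and is what encrypts the vault.
    auth_hash: one further PBKDF2 round over vault_key, salted with the master
               password. This is the only value that goes to the server at login.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32)
    auth_hash = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, dklen=32)
    return vault_key, auth_hash


def server_store(auth_hash: bytes):
    """Server side at signup: hash the auth_hash again with a fresh random salt.

    The server never receives the master password or the vault key, so a dump of
    this record cannot decrypt anyone's vault."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS, dklen=32)
    return salt, stored


def server_verify(record, submitted_auth_hash: bytes) -> bool:
    """Server side at login: recompute and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted_auth_hash, salt, ITERATIONS, dklen=32)
    return hmac.compare_digest(stored, candidate)


def login(record, master_password: str, email: str) -> bool:
    """Full flow: derive on the client, send only auth_hash, verify on the server."""
    _vault_key, auth_hash = derive_keys(master_password, email)
    return server_verify(record, auth_hash)
```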
2. Basic Network Security and Monitoring
Just for starters a Basic Network Security and Monitoring plan should use a multi-pronged approach to endpoint and server security.
More fancy language, we know. What this means is you should not rely on a single form of protection, like antivirus. It means that businesses should invest in many forms of security, antivirus with web-filtering, user training, firewall-based antivirus & spam filtering, email server antivirus & spam filtering and spoof protection, etc.
“Implementing a data security solution is best done by considering all angles from the pre-attack phase through the actual attack to the post-attack phase” Joshua Foltz, Axcient
Good security approaches consider the failings and shortfalls of the system. It's great to have a firewall that scans for viruses, but what if the virus doesn't come through the firewall, perhaps on the laptop of an employee who is usually out of the office? Or the antivirus on a workstation: what if the breach happens on a cloud server?
St. Aubin's Basic Network Security and Monitoring service utilizes a multi-pronged security plan to protect our clients' networks and information to the max. We use Unified Security Gateways to protect the edge of networks, stopping most attacks before they start. We install antivirus on every server and endpoint to maintain a strong defense from inside. We utilize web-filtering as a bumper to prevent minor misclicks from escalating into full-on disasters.
3. User Security Awareness Training
An ever-increasing attack vector for 2018 was email. Email is a direct link from the internet to a user. Users have been trained, over many years, not to trust websites and pop-ups when browsing the internet. Users have not been routinely trained to be just as questioning toward emails from their boss.
Let's take spear-phishing as an example. Spear-phishing is a form of spam where the attacker has done some research on the user and company. They may know things like the names of important people, names of clients, who is in charge of money, etc. They use this information to create a believable email asking for certain things or services, usually money to be wire-transferred. Many, and by many we mean nearly all, users believe these emails are legitimate, and start replying to the spammer or clicking links.
What can easily stop this?
An information system's first line of defense is the user. Sadly, this is generally the weakest. People can be manipulated, tricked, schemed, conned. It happens, a lot.
In 2016 a user in the financial department of a large manufacturing firm, Leoni AG, transferred 40 million Euros (US $44 million) because of a well crafted and researched email phishing scheme. They aren’t alone in the club of losing money. (TripWire)
An executive at Mattel, the US toy manufacturer, was so convinced it was the CEO asking for the transfer she sent $3 million to Chinese hackers. (TNW)
A Canadian university… $10 million.
So the answer to what stops this?
User Security Awareness Training. This works by sending fake phishing emails to users. It uses many of the same tactics scammers and phishers use to trick users into thinking these are legitimate emails. If a user falls victim to the training email, they are then routed to required training materials explaining what happened, where they went wrong, and how not to fall victim in the future. Similar to how you teach children life lessons: better they learn it from us and not "them".
A great feature of Security Awareness Training provided by St. Aubin Technologies is you, as the decision-maker or site administrator, get a report from us showing how effective the campaign was. You get to see how many users opened the email, clicked the links, attempted to enter usernames or passwords, and completed the required training. Sweet!
4. Multi-Factor Authentication
One of the easiest security features to implement, yet many consider it a pain and skip it. Multi-Factor Authentication (MFA) is a security system that verifies a user's identity by requiring multiple credentials. Rather than just asking for a username and password, MFA requires additional credentials, such as a code from the user's smartphone, the answer to a security question, a fingerprint, or facial recognition. You may already be using MFA on your bank account login.
Traditional usernames and passwords can be stolen, as proven by our writings above, and the vulnerability of these authentication methods is only increasing. MFA creates more layers of security, increasing system confidence that the user is who they claim to be.
Generally, when MFA does what it does best, that user's username and password have already been compromised. MFA is the last line of defense in the circles of security. But, not unlike the last line of defense for, say, the POTUS, it is probably our best line of defense.
LastPass and Office 365 both support MFA. Both also have authenticator apps for smart phones that are extremely powerful. We highly recommend either, or both.
Note that MFA is not a prevention method. This is more like the alarm in your house. Once it's set off by an intruder, the building is compromised. Yes, they have been stopped, but you still need to fix the damage by resetting your password, and possibly changing your username.
The Sum of it All
In short, no one security method is 100% fool-proof and perfect. But a security plan with many facets, like that of St. Aubin Technologies’ Network Security and Monitoring service, can prevent and stop attacks before they start, during the attack, or after attackers are in, and prevent/reduce the losses incurred.
All of the methods here are recommended and should be implemented during the 2019 threat season (all year long!). This keeps your network safe from the current and future attacks to come.