
New business cyber bootstrap


Audience: Semi-Technical. Read-Time: 15-20mins

So much to do, so few to do it. That’s the plight of many new businesses.

Finding premises, arranging phones, business cards, websites – the list is endless.

Reflecting on this, I thought it may be worthwhile outlining some of the key steps many smaller businesses may inadvertently omit around cybersecurity.

Disclaimer: please note that the information provided herein is general and should be considered in conjunction with professional cybersecurity advice.

Websites

Spam Prevention

Spammers, Scammers and other miscreants will commonly scrape contact information from websites for their evil purposes. You can help to reduce this by either having a robust and secure web contact submission form or converting any scrape-able text into an image.

You can identify where your email address may be exposed by Googling for "@ +mydomain.com" or intext:"@ +mydomain.com". Then comes the process of having the information removed or redacted (or, in some cases, reporting those who have harvested and exposed the information).

If you are using iCloud, there is also an awesome email relay service that iCloud provides. This can enable location specific relay email addresses which can help to identify the source of any spam and enable the blocking or deletion should it occur.

Encrypting traffic to and from your website

Secure Sockets Layer (SSL, now superseded by Transport Layer Security or TLS but still commonly called SSL) provides encryption (protecting data from prying eyes) and authentication (helping to ensure we are talking to the real website).

Digital certificates that support SSL/TLS are a great way of protecting your visitors as well as improving confidence in your website and brand. These can be obtained for free via the good folk at Let's Encrypt.

Protecting visitors against attack

Content Security Policy (CSP) helps to protect your website visitors against a range of nasty security issues (such as Cross Site Scripting etc). You can test your own website using the tool created by this fine security gentleman.

Creating a Content Security Policy for your website can be very challenging. There are a few good options to make life easier. You can leverage a paid service like the one provided by Sucuri or schlep it out manually using Cloudflare Workers.
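As an added example (not code from the original post or from the tools it mentions), here is a small audit script that checks a CSP header for the weak settings a CSP evaluator typically flags. The two sample headers are constructed for illustration.

```python
"""Audit a Content-Security-Policy header for common weak settings.

Added example, not from the original post. Sample policies are constructed;
the checks mirror what CSP evaluation tools flag: no default-src fallback,
'unsafe-inline'/'unsafe-eval' for scripts, wildcard or scheme-only sources,
and unrestricted object-src / base-uri.
"""

BROAD_ANYWHERE = {"*", "http:"}          # allow any origin; flagged in every directive
BROAD_FOR_SCRIPTS = {"https:", "data:"}  # scheme-only sources, risky for scripts

def parse_csp(header: str) -> dict:
    """Split 'directive src1 src2; directive2 ...' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header: str) -> list:
    """Return a list of findings; an empty list means no common weakness found."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    script = policy.get("script-src", policy.get("default-src", []))  # CSP fallback rule
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script:
            findings.append(f"script-src allows {weak}")
    for directive, sources in policy.items():
        for src in sources:
            if src in BROAD_ANYWHERE or (directive == "script-src" and src in BROAD_FOR_SCRIPTS):
                findings.append(f"{directive} allows broad source {src}")
    # Plugins and <base> hijacking need explicit limits unless default-src is 'none'.
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src not restricted")
    if "base-uri" not in policy:
        findings.append("base-uri not restricted")
    return findings

# Constructed sample headers: a weak policy and a hardened one.
WEAK_CSP = "script-src 'self' 'unsafe-inline' *; style-src 'self'"
HARDENED_CSP = ("default-src 'none'; script-src 'self' https://cdn.example.com; "
                "style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, audit_csp(csp) or ["ok"])
```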

Security Testing your website

Security testing of your website should ideally be commensurate with the value of the site to your business and the value of the information it holds or collects. Testing is often the last line of defence to help reduce the risk of website compromise.

Assuming you have the necessary authorisation, you can conduct some free basic security testing of your website using Snyk. More comprehensive security testing can be provided by a professional testing company such as those referenced on CREST Australia's site.

DoS/DDoS Protection

Protecting your website against Denial of Service (DoS) can be complicated. Thankfully the awesome team at Cloudflare can help. Their free basic service can provide protection against a wide range of attacks, speed up your site and offers many other security features.

Email

Basic spam prevention

Sender Policy Framework (SPF) seeks to fix some of the historical issues with email. It does this by helping an email recipient (or mail server) determine whether the email has been sent from an authorised source (usually a hostname or IP address).

Once implemented, this makes it harder for a spammer / scammer or attacker to spoof or forge email from your domain.

SPF is implemented through a special record in your domain's DNS (Domain Name System). Mimecast (a fine security vendor) have created a number of tools to help people implement this, as well as some helpful guidance.

Email reputation and content protection

Because email is often relayed and is usually sent in plain text, another issue with email is that it can be intercepted and modified in transit.

DomainKeys Identified Mail (DKIM) builds upon SPF (above) by adding a cryptographic signature to outgoing mail, which lets the recipient validate that the email is authentic and has not been tampered with. Mimecast have also provided some good guidance on DKIM implementation.

Domain-based Message Authentication, Reporting and Conformance

Once you have both SPF and DKIM implemented as above, you can look to implement the next layer of protection. Domain-based Message Authentication, Reporting and Conformance (DMARC) provides a reporting mechanism that helps to prove the authenticity of email from your domain as well as reporting on attempted abuse.

Details on DMARC and its implementation can be found here. In addition, the website provides very useful checking and validation tools.
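To make the SPF and DMARC records described in the sections above concrete, here is an added example (not code from the original post or from Mimecast's tools) that evaluates a sender IP against an SPF record and reads the DMARC policy. The DNS TXT records are a constructed dictionary for an imaginary domain so the script runs offline; a real implementation would resolve them via DNS.

```python
"""Evaluate SPF and read the DMARC policy from DNS TXT records.

Added example, not from the original post. Real deployments fetch the TXT
records via DNS; here they live in a constructed dict so it runs offline.
Handles ip4/ip6 (with CIDR), include: and 'all' with +/-/~/? qualifiers;
the a and mx mechanisms are not implemented.
"""
import ipaddress

# Constructed records for an imaginary domain (documentation IP ranges, not real data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Return the SPF result for sender_ip claiming to send mail as domain."""
    if depth > 10:            # RFC 7208 caps lookups at 10; stop runaway include chains
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"         # domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"       # mechanisms default to 'pass' when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        # 'in' is False when address and network are different IP versions
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "include" and check_spf(arg, sender_ip, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"          # nothing matched and no 'all' term

def dmarc_policy(domain: str) -> dict:
    """Parse _dmarc.<domain> into its tag=value pairs ({} when absent or invalid)."""
    record = DNS_TXT.get(f"_dmarc.{domain}", "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else {}

if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8:1::5", "203.0.113.9"):
        print(ip, check_spf("example.com", ip))
    print(dmarc_policy("example.com").get("p"))
```

The "-all" on the main record is what makes forged mail fail outright, while the "~all" on the included record only softfails on its own; the DMARC "p=" tag then tells receivers what to do with mail that fails.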

Domains

Obtaining a domain is a good first step, however what should we do to prevent someone else taking over the domain, or creating a copy / alternate of our site?

Many registrars offer domain locking or domain protection (some for a nominal fee). Ensuring that your domain contact information is up to date, that you know when to renew, and that your domains are protected or locked can help protect them from hijacking.

Open Source Intelligence Searches

Periodically searching for mis-spelled versions of your domain can help identify potential phishing sources. In addition, monitoring your website for unexpected mirroring and HTTP Referrers can assist.

Searches for your brand name on Google, Shodan and crt.sh can often reveal websites pretending to be you. There are also commercial services that will do some of this for you.

Cloud and Office Suite(s)

Anything hosted in the cloud can be subjected to a number of attacks. One of the most prevalent is Business Email Compromise (BEC). This typically occurs when one of your organisation’s users is targeted with a phishing email that is intended to steal their username and password for the Office suite (Google G Suite or Microsoft Office 365 etc).

Securing these services involves a combination of a number of things:

  1. Training your people to detect and report phishing attacks
  2. Implementing strong Authentication (see MFA below) wherever possible
  3. Being vigilant and periodically reviewing Cloud Access Logs for signs of unexpected activity or abuse

Strong Authentication

Multi-Factor Authentication (MFA) enhances security by combining something we know (i.e. a username and password) with something we have (such as a code sent by SMS or a rotating code, etc.).

The combination of these things makes it more difficult for an attacker to simply obtain a password (through phishing or other forms of trickery) and then use it. Without this second factor of authentication, the attacker's access will usually be prevented.

Most modern platforms have options to implement this. Below are a few links as examples:

  1. Office 365
  2. Google Workspace
  3. Apple iCloud

Recovery Accounts and Codes

As with all technology, there are things that can go wrong. Having recovery accounts and codes can enable you to regain control of a compromised account or service.

Using a password manager such as 1Password can be a secure and convenient way of storing these account recovery codes against a potential disaster.

Local Backup and Archiving

What happens when your Internet connectivity is lost or your cloud hosted service goes down? Well, more often than not, this can mean a business outage.

Having local backups and archives can enable critical processes to continue. The value of Business Continuity and Disaster Recovery Planning means that these issues can be effectively managed and things can continue (albeit at sometimes a reduced level of service, performance or convenience).

Network Attached Storage

A Network Attached Storage (NAS) can provide a secure and convenient local backup mechanism. When combined with RAID (Redundant Array of Independent Drives) Technology, a NAS can provide some peace of mind and continued access to critical documents and records.

Many modern NAS devices can be configured to periodically and automatically mirror or backup cloud hosted information. In addition to this, most NAS devices can also perform automated Antivirus scanning.

Volume Shadow Copies and Journaling

Another important consideration for workstations and servers is the ability to recover work from accidental or deliberate erasure. Enabling features such as Volume Shadow Copies and Journaling assists recovery by keeping a copy, or a series of versions, of changes to files, giving you a faster way to 'undo' a change.

Wireless Networking

Securing your wireless network is important to protect against data and network compromise, theft of Internet bandwidth and Denial of Service.

Choosing a strong (and long) password

It stands to reason that using a strong (and long) password is important. This can help to reduce the likelihood of an attacker simply guessing (or cracking) it.

Utilising strong encryption and good wireless protocols

Due to security weaknesses in a number of basic wireless network protocols, it is important to choose an effective protocol with strong encryption. The challenge can be that some devices may not be fully supported, so the process may be an iterative one. Implement -> Test -> Tweak.

Authentication

If your user base / seat count is small (e.g. fewer than 10), you may like to consider adding username and password authentication to your wireless network, such as 802.1X.

Whilst this adds setup complexity (yet another password), it removes reliance on an attacker having to guess or crack a network key alone.

Monitor your network for unusual activity or signs of abuse

We used to recommend that wireless networks be restricted to only trusted hardware (MAC addresses) however this has often proven to be more trouble than it is worth (and trivial to overcome).

A better approach is to monitor the network for all unusual activity. At its most basic level, this involves logging network activity, however more sophisticated options (such as the use of an authenticated web proxy) can help further secure use of the network.

Malware defences

Protecting your business against malicious software can be the difference between normal operations and long outages and embarrassing data breaches.

Server

Server antivirus is a must for any business. The folk at SecureNetworksITC have pulled together a helpful list with some commercial and free versions.

Workstation

There are a myriad of anti-malware products on the market. Basic protection for Windows-based workstations is available for free with Microsoft Security Essentials. Commercial and more comprehensive solutions can be found care of the TechRadar folks.

Web browsing (Proxies)

What do you do when the threat is a malicious website that uses Phishing or Malware? Assuming you have trained your people and have effective desktop Antivirus, your risk is reduced but not removed.

One of the simplest and most effective technologies I have seen deployed utilises a safe browsing service such as that provided by Cisco Umbrella. Its simplicity obscures the sophistication of the service, however it can protect an organisation, individual or family against some nasty issues.

These services work by intercepting requests for webpages (either at the Website or DNS level) such that when a user requests a page it gets checked against a list of hostile websites and addresses. If the website is safe, then the person is safe to access it. Otherwise a warning is provided.

Cisco even provides a free version for home use, or if you are looking to try it out. Implementation is as simple as changing the DNS Server settings on your local workstation or router.
