Iran Cybersecurity National Terrorism Bulletin
Today I was going to sit down and write our latest blog about using multi-factor authentication & complete our monthly newsletter but then something caught my eye and I needed to get this out to everyone as soon as possible.
On Saturday January 4th 2020, The United States Homeland Security released a National Terrorism Advisory System Bulletin warning us of a possible cyber-attack. You can read the bulletin here: https://www.dhs.gov/ntas/advisory/national-terrorism-advisory-system-bulletin-january-4-2020.
I am very concerned that the media, the government and some vendors are going to use this situation to spread fear, uncertainty and doubt (FUD). This situation is no different than what IT Security teams typically spend their days combating. The situation has always been trending upwards on number of attacks and the complexity of the attacks. However, the fact remains is that you need to do your part not only for the potential threats mentioned in the bulletin but to protect your organization and yourself from fraud and ransomware. This doesn’t mean you need to rush out and spend hundreds of thousands of dollars on hardware and software either.
The bulletin mentions some cyber-hygiene practices at https://www.dhs.gov/be-cyber-smart that I think are worth discussing (and a little more commentary from myself).
If your business is using Office 365 or G-Suite/G-Mail you need to turn on Multi-Factor authentication immediately. If you are using Facebook, twitter, or any other social media you need to turn on Multi-Factor authentication as soon as possible. Why? Because this will stop you from being an easy target. Easy targets are used for fraud and to launch attacks on others. There are many different methods to doing this. I (and Concensus) will help you choose… Just ask! The methods include security keys (a physical key you insert into a usb port, or tap on a cell phone), An authenticator app on your mobile smartphone and finally a text message or phone call method. I personally use a physical Yubikey when I can, We use and sell DUO as an authenticator app (which has built-in text messaging).
I am going to provide a few links below for more information:
- G-Suite – https://support.google.com/a/answer/175197?hl=en&ref_topic=2759193 Note that Google calls this 2 step verification.
- Gmail – https://www.google.com/landing/2step/
- Office 365 – https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
- Facebook – https://www.facebook.com/help/148233965247823
- Twitter – https://help.twitter.com/en/managing-your-account/two-factor-authentication
For an organization we do recommend more than just Office 365 and/or Google for Multi-Factor authentication. That could turn into a very long blog post about Identity Management so we are going to forgo that today.
This is personally my number 1 pet peeve online. I love Facebook (when it’s not political that is). You will have a hard time finding me on there because I have very few posts that are public (https://www.facebook.com/daredl if you want to check up on me) for a reason. While I love to post pictures of the family, food and funny jokes but there are many things on Facebook that “hackers” find useful. Today at least two of my friends filled out a chain letter that contained personal information publicly. Stop being an easy target! Personal information only gives those “hackers” a way into your account. There are over 600,000 accounts “hacked” everyday at Facebook. Here is how they use that information that anyone can find it. 1) Create a fake facebook profile. 2) Start friending people or look up personal profiles that are public, 3) Look for those quizzes where you fill out information. 4) take that information and reset your password and take over your account.
How to stop this:
- Stop taking quizzes that ask for things like date of birth, favorite colors, actors, where you grew up. – Why do you ask? Because when you created your Facebook account you answered some questions to reset your password in case you forgot. Hackers love this.. they can reset your password for you.
- Make your posts private to your friends only.
- Watch who you friend. Especially if you are already friends.
- Never click a link in facebook messenger that asks you to login again (I have a relative who lost $$ because they had a bank card attached to their facebook account and when they logged in again they got access to buy things because of it)
- Go back and make all of your posts private (to friends that is) and stop posting publicly: https://www.facebook.com/help/236898969688346?helpref=uf_permalink
- Another good one is to wait until you return from vacation to post those great pictures you took. Never post that you are away from home.
I am not going to keep going on with twitter and the others as the same rules basically apply.
If you know me you have likely heard some of my golden rules (Ok I just named them golden rules) for passwords:
- The longer the better – 12 characters or more.
- Think about the oversharing rules above. Do not use personal information in your password – i.e. I post pictures of my cat fluffy – do not use FluffyCat1 as your password.
- I love to use things around me when creating a password and put them together. Example PenAAAKleenexWatch#7 – This is way easier to remember than P1tt3urG%17cx71 and is still hard to crack because of it’s length.
- Always use a PIN number for challenge response questions. Lets say when you create an account on a website it asks for your first car. Answer truthfully but put the pin number at the end or beginning: “Mustang1234”. A hacker might be able to guess Mustang from your social media posts but will not know the PIN number.
- Do not use the same password everywhere. Have at minimum a set of personal passwords and a set of work passwords.
- Utilize a password manager (For personal use I just started to use LastPass).
- Check out your email addresses at: https://haveibeenpwned.com/ this will tell you if your email/password/private information has been compromised.
I like simple. I like my backups simple too.
For your Organization:
- 1st backup – to a physical disk (locally we recommend a NAS or other direct attached storage)
- 2nd backup – to the cloud (I am biased… consensus cloud)
- 3rd archives – some use tape, some use blob storage in the cloud or some just use another set of disks (This one primarily is based upon your retention policies)
- Keep your backup server and passwords different than your active directory. As a matter of fact keep your backup server and everything about them as far away from your Active Directory environment as possible. Why? If an admin account gets compromised so do your backups. Also if possible the passwords to the storage associated with your backups should be different and out of the directory as well. I have personally seen this save an organization from a ransomware attack that took place on Christmas day and only took minutes to lock them out of their production systems. However the backup server was a separate device with it’s own password.
- Use a service like google drive (Gmail), OneDrive (Microsoft), box.com, dropbox.com. There are many many others. Personally I like ones with a recycle bin. These are free and can help you restore files that might have been hit by ransomware.
- Use a backup service that does a backup of your entire system. Just note that most of these will take awhile to restore a full system (carbonite comes to mind here).
I have been writing blog posts on different layers of security. Our managed services customers are protected with multiple layers of security. Here are a few of the posts and a few coming:
- DNS Protection/Web filtering. This helps protect a device inside and outside of the network. It allows you to block bad sites (malware/spyware along with categories such as adult, gambling etc). https://www.concensus.com/what-you-need-to-know-about-dns-protection-services/
- Modern workplace management. Think of this as patching, anti-virus, backups, encrypting, and even policies: https://www.concensus.com/preventing-it-attacks-with-modern-workplace-management/
- Firewall We will have a blog post this coming week about using a modern firewall for your business
- Physical Security – Keep your systems safe by keeping them physically locked down in a secure location. https://www.concensus.com/for-full-scale-security-solutions-have-to-go-beyond-the-cyber-world/
- Identity Management – Well most of our customers know what this is. I have written many blog posts and we partner with great organizations such as Micro Focus, OneLogin, DUO/Cisco and Identity Automation
- Email Security – You need a third party spam/av/malware platform – https://www.concensus.com/email-security-solutions-to-stop-threats-in-their-tracks/
- Security Awareness Training – This will be a future blog post where we discuss how you can train your staff to have better personal and work related cyber habits.
- Dark Web research – This is where I will talk about things like haveIbeenPwnd.com and alert you on compromised personal data and passwords
- Creating an incident response plan – What happens if we get hit with ransomware? What happens if we leak personal information about our clients?
- Log Management – Do you review your logfiles? Can we detect a threat already present?
- Security Assessments vs. Vulnerability scans? Do we need to do them? What is the difference between them?
- Cybersecurity Insurance – Am I covered? Did I meet the requirements for the coverage?