Advent Calendar 2018

The Digital Craftsmen Silent Night Advent Calendar

Welcome to our Silent Night Christmas advent calendar blog post

For the next 24 days we’re going to publish a daily security-themed post: yes, it’s our first Digital Craftsmen security-themed advent calendar.

************************************************************

Day 17 - Use Configuration Management

Yesterday we looked at poor patching as a vector for attackers. A configuration management (CM) tool such as Puppet, Chef, Ansible or SCCM drastically reduces the work of managing anything more than a handful of servers. CM systems not only ensure that patches are installed but, just as importantly, let configuration changes be deployed from a central location. For instance, when Heartbleed (the 2014 OpenSSL bug) was discovered we were able to use our CM tools to identify vulnerable servers and then deploy an update to them all to neutralise the threat. CM tools can also tell you when someone has made a change to the configuration outside of the CM tool. Sometimes this is just human error, but it can also indicate that a server has been compromised, so treat unexplained drift as something to investigate rather than simply overwrite.
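To make the "identify vulnerable servers" step concrete, here is an added example in Python. It is not Digital Craftsmen's code and not part of any CM tool: it takes the kind of host inventory a CM tool's fact-gathering step produces and flags hosts whose upstream OpenSSL version falls in the Heartbleed range, 1.0.1 through 1.0.1f (1.0.1g and later, and the other branches, are not affected). The inventory, hostnames and version banners below are constructed sample data.

```python
"""Added example (not Digital Craftsmen's code): triage a server inventory
for Heartbleed (CVE-2014-0160) by parsing the upstream OpenSSL version string.

Affected: OpenSSL 1.0.1 through 1.0.1f. Not affected: 1.0.1g and later, and
branches other than 1.0.1. The inventory is constructed sample data of the
kind a CM tool's fact gathering returns for each host.
"""
import re

# Matches "1.0.1e", "1.0.1", "1.0.2k", "1.1.1"; the letter suffix is optional and
# anything after it ("-fips", the build date) is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """Turn the text of `openssl version` into a comparable tuple.

    The patch letters are mapped to a rank so that
    1.0.1 (no letter) < 1.0.1a < ... < 1.0.1f < 1.0.1g, and double letters
    such as "za" sort after "z".
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, fix, letters = m.groups()
    letter_rank = 0
    for ch in letters:
        letter_rank = letter_rank * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), letter_rank)

HEARTBLEED_FIRST = (1, 0, 1, 0)  # 1.0.1, first affected release
HEARTBLEED_FIXED = (1, 0, 1, 7)  # 1.0.1g, first fixed release

def is_heartbleed_vulnerable(banner):
    v = parse_openssl_version(banner)
    return HEARTBLEED_FIRST <= v < HEARTBLEED_FIXED

def triage(inventory):
    """Split a {hostname: banner} inventory into (vulnerable, clean) host lists."""
    vulnerable = sorted(h for h, b in inventory.items() if is_heartbleed_vulnerable(b))
    clean = sorted(h for h in inventory if h not in vulnerable)
    return vulnerable, clean

# Constructed sample inventory, as CM fact gathering might report it.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "db01": "OpenSSL 1.0.0l 6 Jan 2014",        # 1.0.0 branch: not affected
    "mail01": "OpenSSL 1.0.1 14 Mar 2012",
    "proxy01": "OpenSSL 1.0.2k-fips 26 Jan 2017",
}

if __name__ == "__main__":
    vulnerable, clean = triage(SAMPLE_INVENTORY)
    print("vulnerable:", vulnerable)
    print("clean:", clean)
```

One caveat for real inventories: Debian, Ubuntu and Red Hat backport security fixes without changing the upstream version string, so on those systems a "1.0.1e" banner may already be patched. Compare the distribution package version (dpkg -l openssl, rpm -q openssl) against the vendor advisory rather than trusting the banner alone; the parsing above is right for upstream builds and for a first cut of the list.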

************************************************************

Day 16 - Patch, Patch, Patch

So many of the successful attacks reported in the press come down to poor patching regimes. Internet-facing servers are prime targets: attackers continuously trawl the internet recording the versions of popular software, so as soon as a new vulnerability is published they can immediately attack the systems they already know are running it. Always install operating system patches as soon as you can. If you have test systems, it’s a good idea to test updates there first, but don’t let that delay updating production. It’s important to get into a routine of regular patching. Make a list of all your internet-facing software, not just the operating system but web servers, frameworks and libraries too, and check at least once a month to make sure there are no new patches available. This is all part of the service we offer to our Managed Services customers.

************************************************************

Day 15 - Follow the Cloud Security Principles

As you may have gathered from the advent entries so far, staying safe in the cloud isn’t easy. Luckily, the National Cyber Security Centre (NCSC) has published some excellent guidance for those building, or buying, cloud services. Its 14 Cloud Security Principles cover everything from data in transit protection, through ensuring a provider has a good governance framework in place, to guidance on using cloud services securely. The NCSC also has a great introduction to understanding cloud security which is full of useful advice. For help with understanding and implementing the principles, give us a call.

************************************************************

Day 14 - Centralise Logging

All servers generate lots of log information that is useful in detecting break-ins. The bad guys know this, and one of the first things they will do is try to hide their tracks by altering or deleting the logs. Using a centralised log server, to which all of your other servers send their logs as they are written, means an attacker who gains root on one server cannot quietly rewrite its history; keep the log server’s credentials separate from those of the servers feeding it for the same reason. Configure alerts for certain types of unexpected behaviour and you’re one step ahead of the intruders. There are a number of SaaS solutions for centralised logging, such as Logz.io and Loggly.com, or you can build your own using tools such as Splunk, ManageEngine, SolarWinds or the Elastic Stack. In the public cloud, AWS CloudWatch and Azure Monitor are both very capable.

************************************************************

Day 13 - Use an Intrusion Detection System

No matter how good your boundary defences, eventually someone will get in. We’ll talk about rogue staff in a later calendar entry, but to detect malicious behaviour inside your network you need an Intrusion Detection System (IDS). Deployed correctly, an IDS will alert you to unusual activity in its early stages, whilst there’s still time to do something about it. Someone accessing systems they should not? Running code on their workstation that they don’t have permission for? Someone running a port scan on the local network? A well-tuned IDS can flag all of these and allow you to respond quickly to neutralise the threat. Intrusion Detection is big business at the moment and the landscape is changing quickly as new products come onto the market, making it easier for less technical staff to deploy and manage. AlienVault is the market leader but Qualys is a very capable contender. If you’re comfortable with the technology, OSSEC provides a good, open source, host-based IDS (it watches files, logs and processes on each server); for the network side, such as spotting that port scan, the open source equivalents are Snort and Suricata. If you need your hosted infrastructure to be better protected, speak to a Craftsman.
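As an added example, not code from the original post or from any IDS or logging product, here are two alert rules of the kind Day 14 says to configure on a central log server, written in Python and run over constructed sample lines: one flags the SSH brute force that a host-based IDS would report, the other the port scan mentioned above. The line formats are those of sshd and the iptables LOG target as they arrive over syslog; the hosts, addresses, times and the thresholds (5 failures in 60 seconds, 6 ports in 30 seconds) are this example's own choices.

```python
"""Added example (not from the original post): two threshold rules over
centralised logs. Rule 1: SSH brute force, many failed logins from one
address inside a short window. Rule 2: port scan, one address probing many
distinct destination ports inside a short window. Sample lines are
constructed; formats follow sshd and the iptables LOG target via syslog.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_TS = "%b %d %H:%M:%S"
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<src>\S+) port \d+")
FIREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)")

def _ts(text):
    # syslog pads single-digit days with two spaces ("Dec  3"); collapse them
    return datetime.strptime(" ".join(text.split()), SYSLOG_TS)

def failed_logins(lines):
    """Yield (timestamp, source address) for each sshd failed-password line."""
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if m:
            yield _ts(m["ts"]), m["src"]

def firewall_hits(lines):
    """Yield (timestamp, source address, destination port) for each iptables LOG line."""
    for line in lines:
        m = FIREWALL_RE.match(line)
        if m:
            yield _ts(m["ts"]), m["src"], int(m["dport"])

def sources_over_threshold(events, window, threshold):
    """events: iterable of (timestamp, source, item). Report each source for which
    at least `threshold` distinct items fall inside some span no longer than
    `window`, mapped to the distinct count at the moment the rule first fired."""
    by_src = defaultdict(list)
    for ts, src, item in events:
        by_src[src].append((ts, item))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            distinct = {item for _, item in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = len(distinct)
                break
    return flagged

def detect_brute_force(lines, window=timedelta(seconds=60), threshold=5):
    # each failure is its own item, so this counts events rather than distinct values
    events = [(ts, src, i) for i, (ts, src) in enumerate(failed_logins(lines))]
    return sources_over_threshold(events, window, threshold)

def detect_port_scan(lines, window=timedelta(seconds=30), threshold=6):
    return sources_over_threshold(list(firewall_hits(lines)), window, threshold)

# Constructed sample of what the central syslog server receives.
SAMPLE_LOG = """\
Dec 13 10:15:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 13 10:15:03 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2
Dec 13 10:15:04 web01 sshd[2235]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Dec 13 10:15:06 web01 sshd[2237]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Dec 13 10:15:09 web01 sshd[2239]: Failed password for root from 203.0.113.7 port 51242 ssh2
Dec 13 10:15:12 web01 sshd[2241]: Failed password for invalid user ubuntu from 203.0.113.7 port 51244 ssh2
Dec 13 10:16:40 web01 sshd[2250]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Dec 13 10:16:55 web01 sshd[2252]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
Dec 13 10:20:02 fw01 kernel: [12345.67] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=21 SYN
Dec 13 10:20:02 fw01 kernel: [12345.68] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=22 SYN
Dec 13 10:20:03 fw01 kernel: [12346.01] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=23 SYN
Dec 13 10:20:03 fw01 kernel: [12346.02] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=40004 DPT=25 SYN
Dec 13 10:20:04 fw01 kernel: [12347.10] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=40005 DPT=80 SYN
Dec 13 10:20:05 fw01 kernel: [12348.11] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=40006 DPT=443 SYN
Dec 13 10:20:06 fw01 kernel: [12349.12] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=40007 DPT=3306 SYN
Dec 13 10:20:07 fw01 kernel: [12350.13] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=40008 DPT=8080 SYN
Dec 13 10:21:30 fw01 kernel: [12433.00] IN=eth0 OUT= SRC=192.0.2.4 DST=10.0.0.5 PROTO=TCP SPT=50000 DPT=443 SYN
""".splitlines()

if __name__ == "__main__":
    print("brute force:", detect_brute_force(SAMPLE_LOG))
    print("port scan:", detect_port_scan(SAMPLE_LOG))
```

The one legitimate failed login from 198.51.100.20 and the single connection from 192.0.2.4 stay below threshold, which is the point of windowing rather than alerting on every failure. Tune the thresholds to your own traffic, and remember that a rule which only runs on the central server is exactly the kind that an attacker editing local logs cannot silence.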

************************************************************

Day 12 - Encrypt Your Hard Drive

Lenovo just lost personnel records for 54,000 staff in Asia because a stolen laptop had unencrypted data on it. In the UK that would probably lead to a large fine from the ICO under GDPR. It would have been easily prevented by using full-disk encryption. BitLocker is the standard for Windows and is included in the Pro and Enterprise editions from Windows 8 onwards (and the Ultimate and Enterprise editions of Vista and 7), but not in the Home editions; it works best with a TPM chip, although it can be configured to run without one. On a Mac, FileVault has offered full-disk encryption since OS X 10.7 (Lion) and achieves much the same thing. If BitLocker or FileVault is not available on your device, then VeraCrypt is a good alternative. It’s not as seamless as the native tools but it is very capable and well regarded. Whichever you use, confirm it is actually switched on: manage-bde -status on Windows and fdesetup status on a Mac report the encryption state of each volume, and a laptop on which encryption is still in progress or has been suspended is not protected.

************************************************************

Day 11 - Monitor all the things

A maxim often attributed to Peter Drucker holds that if you can’t measure it, you can’t improve it. If you run any kind of IT system you should be monitoring it. Not only will it give you a timely warning when a disk is running out of space, it will also let you understand what “normal” looks like. If a server slows down under what looks like a huge spike of traffic, is that normal, or is something else afoot?

There are many different types of monitoring system, from SaaS-based offerings like New Relic and Rollbar, and cloud-specific monitors such as CloudWatch in AWS or Azure Monitor in Azure, through to advanced infrastructure monitoring tools including Opsview and PRTG. Choosing the right one for you can be a daunting challenge. Contact a Craftsman for help with specifying a monitoring solution.
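Whatever product you pick, the "what does normal look like" question above comes down to a baseline and a distance from it. The following is an added example in Python, not code from the original post or from any monitoring product: it learns a baseline from a training window using the median and median absolute deviation (MAD), which a single earlier spike cannot drag upwards the way a mean and standard deviation can, and flags new samples that sit far outside it in either direction. The request-rate samples and the alert threshold are constructed for the example.

```python
"""Added example (not from the original post): a robust traffic baseline.

Baseline = (median, MAD) of a training window. A sample is scored as its
distance from the median in sigma-equivalents (1.4826 * MAD estimates one
standard deviation for normally distributed data) and flagged past a
threshold. Samples are constructed requests-per-minute figures.
"""
from statistics import median

def baseline(samples):
    """Return (median, MAD) of the training window."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, mad

def robust_score(value, med, mad):
    """Distance from the median in sigma-equivalent units."""
    scale = 1.4826 * mad if mad else 1.0  # a flat history gets a unit scale
    return (value - med) / scale

def find_anomalies(history, new_samples, threshold=5.0):
    """Score each new sample against the history and return (index, value, score)
    for those more than `threshold` sigma-equivalents away in either direction.
    A drop matters as much as a spike: it may be a wedged process or a DoS."""
    med, mad = baseline(history)
    out = []
    for i, v in enumerate(new_samples):
        s = robust_score(v, med, mad)
        if abs(s) > threshold:
            out.append((i, v, round(s, 1)))
    return out

# Constructed samples: 24 minutes of ordinary traffic, then a window that
# contains a huge spike and a near-silence.
HISTORY = [118, 121, 130, 125, 119, 140, 133, 127, 122, 135, 129, 124,
           138, 131, 126, 120, 134, 128, 123, 137, 132, 125, 129, 131]
RECENT = [127, 133, 910, 124, 61]

if __name__ == "__main__":
    print("baseline (median, MAD):", baseline(HISTORY))
    for i, v, s in find_anomalies(HISTORY, RECENT):
        print(f"sample {i}: {v} req/min is {s:+} sigma-equivalents from normal")
```

In a real deployment the history would be the same hour on previous days rather than the last 24 minutes, so that a lunchtime peak is compared with other lunchtimes; the scoring does not change.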

************************************************************

Day 10 - Make sure you're GDPR compliant

Keeping everything secure is a mindset to be adopted by everyone in the company, as well as a set of technical tools. Taking GDPR seriously, and following the proper processes to audit, understand, protect and manage the data you hold about individuals, leads to good practices that benefit all of your data and systems. We work with organisations big and small to help protect their server infrastructure, just one part of the overall GDPR compliance landscape. There are no official standards yet in place for GDPR compliance, but a good place to start is the guidance the ICO provides for small businesses.

************************************************************

Day 9 - Set your devices to auto-lock when inactive

Never, ever leave your devices unlocked in a place where unauthorised users may get access to them. Sounds obvious, but I’m constantly amazed by the number of screens I see unlocked around office buildings. It only takes a minute to install malware on an unattended laptop or phone. We instil a habit of always locking screens into our team, but as a backstop, configure your devices to auto-lock after a few minutes of inactivity and to require a password or biometric on wake. You never know when it might protect you from an opportunistic bad guy.

************************************************************

Day 8 - Set up a leavers procedure to protect your SaaS applications

Software as a Service (SaaS) is a great way to reduce the costs of IT and improve business continuity. The downside is that SaaS access is available from anywhere, so when people leave your business the old defence of them being outside the building no longer works. Where it is available, enable single sign-on (SSO), so that as soon as their internal account is deactivated their SaaS access goes with it. Unfortunately these integrations are often only available on the more expensive plans, and even with SSO you still have to remember to disable the internal account and to revoke anything that bypasses it: API keys, personal access tokens and any shared passwords the leaver knew, which should be rotated. Although this may seem simple, a written checklist of SaaS applications as part of a formal leavers procedure really helps to remind you which applications need updating when someone leaves. A formal leavers process can include much more, including recovering company assets, renewing NDAs and getting GDPR-compliant permission to respond to reference requests.

************************************************************

Day 7 - Get Cyber Essentials to protect your systems

The Cyber Essentials standard is a really good way to help businesses adopt a security mindset. Created by the UK government, Cyber Essentials is a pragmatic and achievable standard that demonstrates good security practice and helps your customers to feel confident that you take cyber security seriously. Its five technical controls (boundary firewalls, secure configuration, user access control, malware protection and patch management) map directly onto several of the tips in this calendar.

************************************************************

Day 6 - Use a password manager to keep passwords safe

If you follow all of the advice to create strong passwords and make them unique on each site, you quickly run into the problem of safely managing all of those passwords. A spreadsheet on your laptop is not secure, even with a password. You could use the password manager built into your browser, but that only covers one class of passwords (for websites). We recommend a separate password manager to store ALL of the credentials that you use. These applications use a strong master password to encrypt all the other details, so you only have to remember one password; make that one a long passphrase, and turn on two-factor authentication for the manager itself where it is offered.

************************************************************

Day 5 - Keep your login credentials private

Sounds obvious, but you might be surprised at how readily people will give up their access credentials. NEVER share your login credentials. It’s incredibly rare that a software provider will need your access details, so when you are asked for them, treat it as a likely phishing attempt: a legitimate-looking, plausible email (or phone call) designed to get you to hand over your credentials. At work, it’s not a good idea to share your passwords with colleagues either. You risk getting the blame if something bad happens.

Want to know one of the best tools for managing passwords? Come back tomorrow when we publish our recommendations.

************************************************************

Day 4 - Create unique passwords for all your accounts

Reusing the same password across multiple accounts is a really bad idea. Once a hacker gets hold of one password, they will try it against your other accounts. Creating unique passwords ensures that any damage caused by poor security elsewhere doesn’t jeopardise your other accounts. Dunkin’ Donuts recently revealed a data loss caused, it is believed, by a credential stuffing attack, in which passwords leaked from other sites were tried against its customers’ accounts.

************************************************************

Day 3 - Use a secure internet connection


Google has been championing “HTTPS Everywhere” for several years. Let’s Encrypt, which left beta in April 2016, made free certificates widely available, and the TLS certificate industry (still widely called SSL) has had a huge shakeup in the last 12 months. Even paid-for certificates with warranties and trust marks are now available for just a few pounds. There is now no reason at all not to run your entire site under HTTPS, and you will be ranked better by the search engines when you do. Running the site under HTTPS means more than installing a certificate: every plain-HTTP URL should redirect permanently to its HTTPS equivalent, and the site should send a Strict-Transport-Security header so that browsers stop trying plain HTTP at all. If you need help implementing HTTPS site-wide, get in touch.

************************************************************

Day 2 - Check your webpages are secured


Once you have secured the data in transit (see Day 1), the next step is to make sure that the web pages themselves cannot be altered or interfered with in the browser. We recommend this analysis tool to confirm that the current best practices have been implemented on your site. These include headers such as X-Frame-Options, which tells the browser whether you want to allow your site to be framed or not (its modern replacement is the frame-ancestors directive of Content-Security-Policy). By preventing a browser from framing your site you defend against attacks like clickjacking. Implementing these measures can have side effects, so if you need help, get in contact.
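To show what such a check looks like under the hood, here is an added example in Python. It is not Digital Craftsmen's code and not the analysis tool the post links to: it audits a response's headers for the protections discussed above (framing, MIME sniffing, a Content-Security-Policy, a Referrer-Policy) together with the HSTS header and HTTP-to-HTTPS redirect that Day 3's site-wide HTTPS needs. The header set and the six-month HSTS minimum are this example's own choices rather than a standard; the two responses at the bottom are constructed, and the fetch helper is there for running the same audit against a live site.

```python
"""Added example (not the post's tool): audit browser-protection headers and
the HTTPS redirect. audit_headers() and http_redirects_to_https() work on
plain values so they can be run against the constructed responses below;
fetch() wraps urllib for live use and deliberately does not follow redirects.
"""
import urllib.error
import urllib.parse
import urllib.request

SIX_MONTHS = 15768000  # seconds; a common minimum recommendation for HSTS max-age

def _hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value, 0 if absent."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0

def _frames_blocked(h):
    """Framing is blocked by CSP frame-ancestors (preferred) or X-Frame-Options."""
    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "").strip().upper()
    return "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN")

def audit_headers(headers, https=True):
    """Return a list of findings for one response; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not _frames_blocked(h):
        findings.append("clickjacking: add Content-Security-Policy frame-ancestors or X-Frame-Options")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("MIME sniffing: add X-Content-Type-Options: nosniff")
    if "content-security-policy" not in h:
        findings.append("no Content-Security-Policy: injected scripts can load from anywhere")
    if "referrer-policy" not in h:
        findings.append("no Referrer-Policy: full URLs leak to third-party sites")
    if https and _hsts_max_age(h.get("strict-transport-security", "")) < SIX_MONTHS:
        findings.append("HSTS missing or max-age under six months: browsers may still try plain HTTP")
    return findings

def http_redirects_to_https(status, location, host):
    """True if a plain-HTTP response sends the browser to the HTTPS origin for `host`.
    301/308 are what you want for a permanent move; 302/307 are accepted but weaker."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urllib.parse.urlsplit(location)
    return target.scheme == "https" and target.hostname == host

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it

def fetch(url, timeout=10):
    """Return (status, headers) for `url` without following redirects (live use only)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses arrive here
        return err.code, dict(err.headers)

# Constructed responses: a typical out-of-the-box site and a hardened one.
BARE = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("bare", BARE), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or ["no findings"])
    print("redirect ok:", http_redirects_to_https(301, "https://example.com/", "example.com"))
```

For a live site, call fetch("http://example.com/") and pass the status and Location header to http_redirects_to_https, then fetch the HTTPS URL and pass its headers to audit_headers. The side effects the post warns about are real: a Content-Security-Policy that is too strict will silently break inline scripts and third-party widgets, so start it in Content-Security-Policy-Report-Only mode and read the reports before enforcing it.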

************************************************************

Day 1 - Check your website configuration


Configuring a website for TLS (still commonly called SSL) can be complicated, what with multiple software libraries, insecure default settings and many new configuration best practices. Qualys (a DCL partner) provides a free-to-use tool, SSL Labs, that checks the configuration of your website and helps identify misconfigurations that leave the traffic vulnerable to interception and unauthorised decryption, such as old protocol versions and weak cipher suites still being enabled. Give it a go and see how secure you are. If you need help, contact us.

************************************************************

24 days of security tips, advice and useful tools to check your website, because we believe peace of mind is the best present we can offer to help you make sure your business stays secure from the risk of hackers and potential data breaches.

24 days which we hope can bring you a December filled with Silent Nights and a Peaceful Christmas break.

It starts this Saturday, so stay tuned to this blog post, or follow our social channels Twitter, LinkedIn, Facebook for the latest posts.

**********************************************************************************

Want to build stronger defences around your business’s online operations? Speak to one of our security experts.

Our team is fully ISO 27001 verified and runs an ITIL-certified helpdesk. It’s our mission to keep clients secure online.