Advent Calendar 2018

The Digital Craftsmen Silent Night Advent Calendar

Welcome to our Silent Night Christmas advent calendar blog post

For the next 24 days we’re going to publish a daily security themed post – yes it’s our first Digital Craftsmen Security themed advent calendar.

************************************************************

Day 24 - Work with trusted partners

As we get to the end of the advent calendar it seems a bit of a scary list of threats, vulnerabilities and onerous tasks. This is why working with a trusted partner is vital to ensure that all the bases are covered. It takes a lot of experience and knowledge to keep things secure 24x7 and if it’s not someone’s full time job it’s difficult to keep up. We apply our learning across all of our clients and our team lives and breathes security all day, every day. Our clients rely on us to look after their systems so they can concentrate on their core business, with the peace of mind that comes with having a trusted partner on their side.

************************************************************

Day 23 - Don't rely on SaaS backup

All SaaS providers say they back up your data but what happens if they suddenly cease trading or have a massive systems failure? It is vital to be able to back up your SaaS data to somewhere off the supplier’s platform. Tools such as Cloudally can make backing up popular services very easy but all SaaS providers should allow you to export or backup your data off to some other place. If they don’t, then you should seriously consider whether doing business with them is worth the risk…

************************************************************

Day 22 - Sign up for security advisories

All OS vendors, including Microsoft, Apple and Linux, have mailing lists that notify you of security-related updates, as do popular website platforms such as WordPress and Drupal. Most also have Twitter accounts. Being aware of security issues as soon as possible gives you the most time to patch affected systems, or to mitigate the threat in some other way.

************************************************************

Day 21 - You want restore, not backup

There’s very little worse in the IT world than finding out that your backups haven’t been working properly just when you’ve lost a load of data and need to restore it. As one of our senior cloud engineers likes to say, “you want restore, not backup”, so it’s very important to test that you can restore your backups, and to do it regularly. Firstly, make sure you check that your backup has run successfully and, if it has a verify mode, that you’ve used it to check the backup. Now make a list of all of your backup jobs and schedule a test restore on a frequency that works for you. Usually this depends on how often the data gets backed up and how important it is: a daily backup should probably be tested weekly, and that weekly full backup tested every month. Make sure this test is independent of the backup job itself. We know of one company that always verified its backups within the same job, and it was only when they needed to restore that they discovered the encryption password had been changed without their knowledge. If you can, automate the restores so that they happen with the same rigour as your backup jobs. Backup and restore is all part of our service, so if you need help with managing your backups, we’d be happy to help.
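The automated test restore described above, as an added example (not code from the original post or from Digital Craftsmen): a tar.gz backup is restored into a fresh scratch directory, independent of the job that created it, and every file is checked against the checksums recorded at backup time. The sample files and the truncated-archive failure case are constructed for the demonstration.

```python
"""Added example: automated test restore of a tar backup into an independent scratch directory."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, archive):
    """Archive source_dir as tar.gz and return {relative path: sha256} recorded at backup time."""
    source_dir, manifest = Path(source_dir), {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive, manifest):
    """Restore into a fresh scratch directory; return a list of problems (empty means the restore is good)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # 'data' filter refuses path-traversal members
                except TypeError:  # older Python without the filter argument
                    tar.extractall(scratch)
        except Exception as exc:  # any failure to read the archive is a failed restore, report it
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"checksum mismatch after restore: {rel}")
    return problems


def demo():
    """Constructed scenario (not real data): an intact backup restores cleanly, a truncated one is caught."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        archive = work / "backup.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)
        # Simulate a job that reported success but wrote a broken archive: truncate it.
        blob = archive.read_bytes()
        archive.write_bytes(blob[: len(blob) // 2])
        bad = verify_restore(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive:", good or "restore OK")
    print("truncated archive:", bad)
```

The manifest is written by the backup step and read by the restore check, but the check runs as a separate job against a separate directory, which is the independence the paragraph asks for; an encryption password changed behind your back would show up here as an unreadable archive rather than as a surprise on the day you need the data.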

************************************************************

Day 20 - Use multi-factor authentication

Multi-factor authentication (MFA) is an increasingly popular way to add protection to a user login. For those unfamiliar, MFA is a collection of techniques for making username/password combinations more secure, often described as combining something you know (a password) with something you have (a token or other device). If the password is compromised, it is useless without the physical token. The thing you have generates a new confirmation code every time it is used, so it cannot be guessed by an attacker. Some systems support a physical key, such as YubiKey or the enterprise stalwart RSA SecurID, whilst many others support a one-time password (OTP) generated by an application on your phone. Google Authenticator and Microsoft Authenticator, on both Android and iPhone, support OTPs. As long as your phone is properly secured, it is just as safe as a physical key. If your SaaS vendors support MFA you should use it; it’s very easy to set up and will give you the added peace of mind of additional security.

************************************************************

Day 19 - Check up on your suppliers

Would you build out your own infrastructure without checking you have the right security and maintenance procedures in place? Of course not, so why commit critical data to a supplier without checking on them too? Don’t be afraid to ask searching questions of your suppliers before you sign up with them. If they can’t (or won’t) answer your questions, particularly around data access, backup and recovery, then be very careful how you proceed. There are some good suggestions here, here and here. Ask to see copies of the certificates they claim on their website, such as ISO27001, PCI/DSS, SOC2 or Cyber Essentials. Ask to review their procedures for granting access to your data: who has access, how it is controlled and how it is audited. Ask about their backup strategy and how it is tested, when it last failed and what they did about it. Ask about their DR plan and how the last test went. Once you’ve signed up and are using them, it’s wise to go back on an annual basis to ask how things are going. Revisit the certificates (they can lapse) and ask about outages and serious incidents in the last year, even those not visible to clients. Ask to see the access logs for your data and verify with them that the procedures have not changed. A good provider will be happy to share these details with you once you’ve signed an NDA. For help managing Cloud and SaaS providers, contact a craftsman.

************************************************************

Day 18 - Your users are almost as bad as hackers

A report earlier this year suggested that over 40% of data breaches were caused by employee negligence, so what’s to be done? Deploying a lot of the tips in this advent calendar will certainly help, as will regular training and awareness building with your staff to develop a Security Mindset. You should also look to control who has access to what data, particularly personal data that comes under the remit of GDPR. Use a policy of least access (least privilege) and ensure you regularly review users’ access rights.

************************************************************

Day 17 - Use Configuration Management

Yesterday we looked at poor patching as a vector for attackers. Using a configuration management (CM) tool such as Puppet, Chef, Ansible or SCCM will drastically reduce the amount of work you need to do in managing any more than a handful of servers. Configuration Management systems can not only ensure that patches are installed but just as importantly, they allow changes to configuration to be deployed from a central location. For instance, when Heartbleed was discovered we were able to use our CM tools to identify vulnerable servers and then deploy an update to them all to neutralise the threat. CM tools can also tell you when someone has made a change to the configuration outside of the CM tool. Sometimes this is just human error but it can also indicate that a server has been compromised.
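The out-of-band change detection mentioned above, as an added example (not code from the original post, nor from Puppet, Chef, Ansible or SCCM): after a CM run, the managed files are hashed and the hashes kept as the desired state; a later check reports any managed file that has been modified or removed by hand. The managed paths, file contents and the hand edit are constructed for the demonstration.

```python
"""Added example: detect configuration drift by comparing managed files against the state the CM tool last applied."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's bytes; the unit of comparison for drift."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def record_desired_state(root, managed_paths):
    """Snapshot the managed files right after a CM run: this is what the tool expects to find next time."""
    root = Path(root)
    return {rel: file_digest(root / rel) for rel in managed_paths}


def detect_drift(root, desired):
    """Return {relative path: 'missing' | 'modified'} for every managed file that no longer matches."""
    root, drift = Path(root), {}
    for rel, digest in desired.items():
        path = root / rel
        if not path.is_file():
            drift[rel] = "missing"
        elif file_digest(path) != digest:
            drift[rel] = "modified"
    return drift


def demo():
    """Constructed scenario (not a real host): two managed files, one hand-edited and one deleted out of band."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc/ssh").mkdir(parents=True)
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "etc/sudoers").write_text("root ALL=(ALL) ALL\n")
        desired = record_desired_state(root, ["etc/ssh/sshd_config", "etc/sudoers"])
        # Out-of-band changes: someone re-enables password logins by hand and removes sudoers.
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication yes\n")
        (root / "etc/sudoers").unlink()
        return detect_drift(root, desired)


if __name__ == "__main__":
    for rel, what in demo().items():
        print(f"DRIFT {what}: {rel}")
```

A real CM agent does the same comparison against its catalogue on every run; whether the drift turns out to be a colleague's quick fix or an intruder's persistence is exactly the question the alert should prompt you to ask.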

************************************************************

Day 16 - Patch, Patch, Patch

So many successful attacks that get reported in the press are down to poor patching regimes. Internet facing servers are prime targets for hackers who often trawl the internet probing for versions of popular software so as soon as they find a new vulnerability they can immediately attack known vulnerable systems. Always install operating system patches as soon as you can. If you have test systems, it’s a good idea to test updates there first but don’t delay updating your production systems. It’s important to get into a routine of regular patching. Make a list of all your internet facing software and check at least once a month to make sure there are no new patches available. This is all part of the service we offer to our Managed Services customers.

************************************************************

Day 15 - Follow the Cloud Security Principles

As you may have gathered from the advent entries so far, staying safe in the cloud isn’t easy. Luckily, the National Cyber Security Centre (NCSC) has published some excellent guidelines for those building, or buying, cloud services. The NCSC’s 14 Cloud Security Principles cover everything from Data in Transit Protection through to ensuring a provider has good Governance in place, finishing with guidance on using cloud services securely. They also have a great Introduction to Understanding Cloud Security which is full of useful advice. For help with understanding and implementing the principles, give us a call.

************************************************************

Day 14 - Centralise Logging

All servers generate lots of log information that is useful in detecting break-ins. The bad guys know this, and one of the first things they will do is try to hide their tracks by altering the logs. Using a centralised log server, to which all of your other servers send their logs, means that it’s much harder for an attacker to cover their activity. Configure alerts for certain types of unexpected behaviour and you’re one step ahead of the intruders. There are a number of SaaS solutions for centralised logging, such as Logz.io and Loggly.com, or you can build your own using tools such as Splunk, ManageEngine, SolarWinds or Elastic Stack. In the public cloud, AWS CloudWatch and Azure Monitor are both very capable.

************************************************************

Day 13 - Use an Intrusion Detection System

No matter how good your boundary defences, eventually someone will get in. We’ll talk about rogue staff in a later calendar entry, but to detect malicious behaviour inside your network you need an Intrusion Detection System (IDS). Deployed correctly, an IDS will alert you to unusual activity in its early stages whilst there’s still time to do something about it. Someone accessing systems they should not? Running code on their workstation that they don’t have permission for? Someone running a port scan on the local network? An IDS will catch all of these and allow you to respond quickly to neutralise the threat. Intrusion Detection is big business at the moment and the landscape is changing quickly as new products come onto the market, making it easier for less technical staff to deploy and manage. AlienVault is the market leader but Qualys is a very capable contender. If you’re comfortable with the technology, OSSEC provides a good, and open source, Host Intrusion Detection system. If you need your hosted infrastructure to be better protected, speak to a Craftsman.
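The alerting that Day 14 (configure alerts on centralised logs) and Day 13 (an IDS catching a port scan) both describe, as one added example (not code from the original post, nor from any of the products named): two detection rules run over syslog-style lines that have been collected in one place. Rule one flags a burst of failed logins from a single source, rule two flags a single source touching many distinct destination ports within a short window. The log lines, hosts and addresses are constructed for the demonstration; the thresholds and 60-second window are assumptions to tune for your own environment.

```python
"""Added example: two detection rules over centrally collected logs (failed-login burst, port-scan fan-out)."""
import re
from datetime import datetime, timedelta

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
TCP_CONNECT = re.compile(r"SRC=(\S+) DST=\S+ PROTO=TCP DPT=(\d+)")


def parse(line):
    """'ISO-timestamp host message' -> (datetime, host, message); raises ValueError on junk."""
    stamp, host, message = line.split(" ", 2)
    return datetime.fromisoformat(stamp), host, message


def max_distinct_in_window(events, window_seconds):
    """Largest number of distinct keys seen within any window_seconds span of (timestamp, key) events."""
    events = sorted(events)
    counts, best, left = {}, 0, 0
    for ts, key in events:
        counts[key] = counts.get(key, 0) + 1
        while (ts - events[left][0]).total_seconds() > window_seconds:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def analyse(lines, login_threshold=5, scan_threshold=10, window_seconds=60):
    """Return alerts as (rule, source address, count) tuples."""
    failed, connects = {}, {}
    for line in lines:
        try:
            ts, _host, message = parse(line)
        except ValueError:
            continue  # malformed line: skip it rather than stall the whole pipeline
        m = FAILED_LOGIN.search(message)
        if m:
            attempts = failed.setdefault(m.group(1), [])
            attempts.append((ts, len(attempts)))  # every attempt is its own key, so we count attempts
        m = TCP_CONNECT.search(message)
        if m:
            connects.setdefault(m.group(1), []).append((ts, int(m.group(2))))  # key = destination port
    alerts = []
    for src, events in failed.items():
        n = max_distinct_in_window(events, window_seconds)
        if n >= login_threshold:
            alerts.append(("failed-login-burst", src, n))
    for src, events in connects.items():
        n = max_distinct_in_window(events, window_seconds)
        if n >= scan_threshold:
            alerts.append(("port-scan", src, n))
    return alerts


def constructed_logs():
    """Constructed sample (not real logs): one brute-force burst, one typo, one scan, normal HTTPS traffic, junk."""
    base = datetime(2018, 12, 13, 9, 0, 0)
    lines = []
    for i in range(6):  # six failures in 15 seconds from one address
        t = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{t} web01 sshd[1022]: Failed password for root from 203.0.113.7 port {51000 + i} ssh2")
    t = (base + timedelta(seconds=30)).isoformat()
    lines.append(f"{t} web01 sshd[1040]: Failed password for alice from 198.51.100.9 port 40022 ssh2")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080]):
        t = (base + timedelta(minutes=1, seconds=i)).isoformat()
        lines.append(f"{t} fw01 kernel: IN=eth0 SRC=10.0.0.25 DST=10.0.0.40 PROTO=TCP DPT={port}")
    for i in range(12):  # many connections to a single port is not a scan
        t = (base + timedelta(minutes=2, seconds=i)).isoformat()
        lines.append(f"{t} fw01 kernel: IN=eth0 SRC=10.0.0.30 DST=10.0.0.40 PROTO=TCP DPT=443")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in analyse(constructed_logs()):
        print("ALERT", *alert)
```

Because the rules work on logs from several hosts at once (the SSH daemon on web01 and the firewall on fw01), an attacker who cleans up one host's local log leaves the copy on the log server, and the alert, untouched.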

************************************************************

Day 12 - Encrypt Your Hard Drive

Lenovo just lost personnel records for 54,000 staff in Asia because a stolen laptop had unencrypted data on it. In the UK that would probably lead to a large fine from the ICO under GDPR legislation. It would have been easily prevented by using disk encryption. BitLocker is the standard for Windows and is available in most versions of Windows from v8 onwards, if you have a TPM chip installed. Learn about enabling it here. On a Mac, FileVault is included from v10.6 (Lion) and achieves much the same thing. Read about it here. If BitLocker or FileVault is not available on your device, then VeraCrypt is a good alternative. It’s not as seamless as the native tools but it’s very capable and well regarded. More details are available here.

************************************************************

Day 11 - Monitor all the things

It was Peter Drucker who first said “If you can’t measure it, you can’t improve it”. If you run any kind of IT system you should be monitoring it. Not only will it give you a timely warning if a disk is running out of space, but it will also allow you to understand what “normal” looks like. If a server slows down and it looks like a huge spike of traffic, is that normal, or indicative of something else afoot?

There are many different types of monitoring systems, from SaaS-based offerings like New Relic and Rollbar, cloud-specific monitors such as CloudWatch in AWS or Azure Monitor in Azure, through to advanced infrastructure monitoring tools including Opsview and PRTG. Choosing the right one for you can be a daunting challenge. Contact a Craftsman for help with specifying a monitoring solution.

************************************************************

Day 10 - Make sure you're GDPR compliant

Keeping everything secure is a mindset to be adopted by everyone in the company as well as a set of technical tools. Taking GDPR seriously and following the proper processes to audit, understand, protect and manage the data you hold about individuals, leads to good practices that benefit all of your data and systems. We work with organisations big and small to help protect their server infrastructure, just one part of the overall GDPR compliance landscape. There are no official standards yet in place for GDPR compliance but a good place to start is the guidance provided by the ICO for small businesses.

************************************************************

Day 9 - Set your devices to auto-lock when inactive

Never, ever leave your devices unlocked in a place where unauthorised users may get access to them. Sounds obvious but I’m constantly amazed by the number of screens I see unlocked around office buildings. It only takes a minute to install malware on an unattended laptop or phone. We instil a habit of always locking screens into our team but as a back stop, configure your devices to auto-lock after a few minutes of inactivity. You never know when it might protect you from an opportunistic bad guy.

************************************************************

Day 8 - Set up a leavers procedure to protect your SaaS applications

Software as a Service (SaaS) is a great way to reduce the costs of IT and improve business continuity. The downside, however, is that SaaS access is available globally. This means that when people leave your business, the old defence of them being outside the building no longer works. If it’s available, enable single sign-on, so that as soon as a leaver’s internal account is deactivated, their SaaS access is too. Unfortunately, these integrations are usually only available on the most expensive plans, and it’s still necessary to remember to block their internal account. Although this may seem simple, a written checklist of SaaS applications as part of a formal leavers procedure really helps to remind you which applications need to be updated when someone leaves. A formal leavers process can include much more, including recovering company assets, renewing NDAs and getting GDPR-compliant permission to respond to reference requests.
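The SaaS checklist from the leavers procedure above, turned into a periodic check, as an added example (not code from the original post): each application's exported user list is reconciled against the HR roster of current staff, producing both the list of accounts that should already have been disabled and the per-person checklist for a new leaver. The roster, application names and e-mail addresses are constructed sample data.

```python
"""Added example: reconcile each SaaS application's user list against the HR roster of current staff."""


def normalise(email):
    """Case and whitespace differences between exports must not hide a leaver's account."""
    return email.strip().lower()


def orphaned_accounts(current_staff, saas_accounts):
    """{app: sorted addresses enabled in the app but no longer on the staff roster}."""
    staff = {normalise(e) for e in current_staff}
    orphans = {}
    for app, users in saas_accounts.items():
        leftover = sorted({normalise(u) for u in users} - staff)
        if leftover:
            orphans[app] = leftover
    return orphans


def leaver_checklist(person, saas_accounts):
    """Sorted list of the apps holding an account for one leaver: the per-person items for the procedure."""
    who = normalise(person)
    return sorted(app for app, users in saas_accounts.items() if who in {normalise(u) for u in users})


# Constructed sample data (not from the post): the HR roster and three applications' user exports.
CURRENT_STAFF = {"alice@example.com", "bob@example.com", "carol@example.com"}
SAAS_ACCOUNTS = {
    "crm": {"alice@example.com", "bob@example.com", "Dave@Example.com"},
    "helpdesk": {"alice@example.com", "carol@example.com", "dave@example.com", "eve@example.com"},
    "ci-server": {"bob@example.com", "carol@example.com"},
}

if __name__ == "__main__":
    for app, leavers in orphaned_accounts(CURRENT_STAFF, SAAS_ACCOUNTS).items():
        print(f"{app}: still enabled for {', '.join(leavers)}")
    print("checklist for dave:", leaver_checklist("dave@example.com", SAAS_ACCOUNTS))
```

Running the reconciliation on a schedule, rather than only when someone leaves, catches the application that was forgotten on the day, which is the gap the written checklist exists to close.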

************************************************************

Day 7 - Get Cyber Essentials to protect your systems

The Cyber Essentials standard is a really good way to help businesses adopt a security mindset. Created by the UK government, Cyber Essentials is a pragmatic and achievable standard that demonstrates good security practice and helps your customers to feel confident that you take cyber security seriously.

************************************************************

Day 6 - Use a password manager to keep passwords safe

If you follow all of the advice to create strong passwords and make them unique on each site, you quickly run into a problem of safely managing all of those passwords. A spreadsheet on your laptop is not secure, even with a password. You could use the password manager built into your browser but that only covers one class of passwords (for websites). We recommend the use of a separate password manager to store ALL of the credentials that you use. These applications use a strong master password to encrypt all the other details so you only have to remember one password.

************************************************************

Day 5 - Keep your login credentials private

Sounds obvious but you might be surprised at how readily people will give up their access credentials. NEVER share your login credentials. It’s incredibly rare that a software provider will need your access details. When you get asked, it’s a really good sign that it might be an attempt at phishing, sending legitimate looking and plausible emails in an attempt to get you to give up your credentials. At work, it’s not a good idea to share your passwords with colleagues either. You risk getting the blame if something bad happens.

Want to know one of the best tools for managing passwords? Come back tomorrow when we publish our recommendations.

************************************************************

Day 4 - Create unique passwords for all your accounts

Sharing passwords across multiple accounts is a really bad idea. Once a hacker gets hold of one password, they will use it to try and gain access to other accounts. Creating unique passwords helps ensure that any damage caused by poor security elsewhere doesn’t jeopardise your other accounts. Dunkin Donuts recently revealed a data loss caused, it is believed, by a password reuse attack.

************************************************************

Day 3 - Use a secure internet connection

Google has been championing “HTTPS Everywhere” for several years. The launch of Let’s Encrypt in April 2016 made free certificates widely available, and the SSL certificate industry has had a huge shake-up in the last 12 months. Even paid-for certificates with warranties and trust marks are now available for just a few pounds. There is now no reason at all not to run your entire site under HTTPS, and you will be ranked better by the search engines when you do. If you need help implementing HTTPS site-wide, get in touch.

************************************************************

Day 2 - Check your webpages are secured

Once you have secured the data in transit (see day 1), the next step is to make sure that you have secured the web pages themselves from being altered or interfered with in the browser. We recommend this analysis tool to confirm that the latest best practices have been implemented on your site. These include headers such as X-Frame-Options, which tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Implementing these measures can have some side effects, so if you need help, get in contact.
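A local version of the header check described above, as an added example (not code from the original post, nor from the analysis tool it recommends): a response's headers are audited for framing protection (X-Frame-Options, or the frame-ancestors directive of Content-Security-Policy, which supersedes it), HSTS, MIME-sniffing protection and the presence of a CSP. The two header sets are constructed, one weak and one hardened, and the 180-day minimum HSTS age is an assumed threshold for the example.

```python
"""Added example: audit HTTP response headers against common browser-hardening recommendations."""

MIN_HSTS_AGE = 15552000  # 180 days in seconds; assumed threshold for this example


def parse_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return 0


def audit_headers(headers):
    """Return {check: 'ok' | 'weak' | 'missing'} for framing, HSTS, MIME sniffing and CSP."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    results = {}

    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN"):
        results["framing"] = "ok"
    elif xfo:
        results["framing"] = "weak"  # e.g. ALLOW-FROM, which current browsers no longer honour
    else:
        results["framing"] = "missing"

    hsts = h.get("strict-transport-security")
    if hsts is None:
        results["hsts"] = "missing"
    else:
        results["hsts"] = "ok" if parse_max_age(hsts) >= MIN_HSTS_AGE else "weak"

    sniff = h.get("x-content-type-options", "").strip().lower()
    results["nosniff"] = "ok" if sniff == "nosniff" else ("weak" if sniff else "missing")

    results["csp"] = "ok" if csp else "missing"
    return results


# Constructed header sets (not captured from any real site).
WEAK_SITE = {
    "Server": "nginx",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_SITE = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    print("weak site:    ", audit_headers(WEAK_SITE))
    print("hardened site:", audit_headers(HARDENED_SITE))
```

The side effects the paragraph warns about show up in exactly these headers: a frame-ancestors or X-Frame-Options value that is too strict will break a legitimate embed, and an HSTS max-age is a commitment you cannot quickly take back, so test both on a staging host first.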

************************************************************

Day 1 - Check your website configuration

Configuring a website for SSL can be complicated, with multiple software libraries, insecure default settings and many new configuration best practices to contend with. Qualys (a DCL partner) provide a free-to-use tool that checks the configuration of your website and can help identify misconfigurations that leave your traffic more vulnerable to interception and unauthorised decryption. Give it a go and see how secure you are. If you need help, contact us.
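The kind of misconfiguration that check is looking for, as an added example (not code from the original post, nor from Qualys): a small linter for nginx-style ssl_protocols and ssl_ciphers directives that flags deprecated protocol versions and weak cipher suites, shown against a constructed weak configuration and its corrected form. The directive names are nginx's; the marker lists are assumptions chosen for the example rather than a complete policy.

```python
"""Added example: lint nginx-style TLS directives for deprecated protocols and weak cipher suites."""
import re

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_SUITE_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "EXP-")  # assumed list for the example
CATCH_ALL_SUITES = {"ALL", "DEFAULT", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT"}
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.MULTILINE)


def lint_tls_config(text):
    """Return [(directive, sorted offending items)] for every weak setting found; [] means clean."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        name, value = m.group(1), m.group(2).strip().strip("'\"")
        if name == "ssl_protocols":
            bad = sorted(set(value.split()) & DEPRECATED_PROTOCOLS)
        else:
            bad = set()
            for suite in value.split(":"):
                suite = suite.strip()
                if suite.startswith("!"):
                    continue  # an exclusion such as !RC4 is a good sign, not a finding
                if suite in CATCH_ALL_SUITES or any(marker in suite for marker in WEAK_SUITE_MARKERS):
                    bad.add(suite)
            bad = sorted(bad)
        if bad:
            findings.append((name, bad))
    return findings


# Constructed configurations (not from any real server): the weak setting beside the corrected one.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:RC4-SHA:DES-CBC3-SHA:AES128-SHA;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL:!MD5";
    ssl_prefer_server_ciphers on;
}
"""

if __name__ == "__main__":
    print("weak:    ", lint_tls_config(WEAK_CONFIG))
    print("hardened:", lint_tls_config(HARDENED_CONFIG))
```

A linter like this only sees what you wrote in the file; the external scan is still worth running, because it tests what the server actually negotiates, including defaults from the library behind it.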

************************************************************

24 days of security tips, advice and useful tools to check your website. We believe peace of mind is the best present we can offer, to help you make sure your business stays secure from the risk of hackers and potential data breaches.

24 days which we hope can bring you a December filled with Silent Nights and a Peaceful Christmas break.

It starts this Saturday, so stay tuned to this blog post, or follow our social channels (Twitter, LinkedIn, Facebook) for the latest posts.

**********************************************************************************

Want to improve, increase and build stronger defences around your business’s online operations? Then speak to one of our security experts.

Our team are fully ISO 27001 verified and run an ITIL-certified helpdesk. It’s our mission to keep clients secure online.