Data Security in Modern Computing
29 Sep
I’ve been writing this article on data security, primarily around breaches and ransomware, for about two weeks now. As such, I have lost all perspective. Please forgive me if the article starts in one direction and ends in another; I’m not an author by any stretch of the imagination, and this is my first professional piece.
Why am I writing this and giving my valuable knowledge away for free? Because I believe in open-source everything. Yes, that is a point of contention for some, and definitely an opinion piece for another time. I believe in this because I believe in the benefits that come with sharing. Add to that, my business investments all rely on other businesses as customers; if small to medium businesses fail, so will mine.
Data breaches and ransomware are everywhere these days
Check your email address against a breach-notification service. You may find that your email address, and other personal details, have been exposed at some point without you even knowing.
Equifax is a public company currently in the spotlight after a breach of exactly this kind, and things are not going well for them at the moment. You may think that because you are a small or medium business in a regional location, rather than a public company in a major city, you won't be affected. Unfortunately, that is not the case. Malware and similar threats can impact any device that is connected to the internet, accepts human input, or even just has a USB port. Malicious intent on the internet knows no tyranny of distance and is unlikely to scrutinise your turnover. The code, and the people behind the code, simply knock on every IP address available and attack anything that answers.
In the case of the infamous WannaCry ransomware, which made its international debut in May 2017, an exploit known as 'EternalBlue' targeted a known vulnerability in SMBv1, the first version of the Microsoft Windows file-sharing protocol Server Message Block, to spread from machine to machine before encrypting valuable data and holding it for ransom. Microsoft had released the patch (security bulletin MS17-010) two months earlier, in March; however, many networks were still open to attack. The most common reasons computers remained susceptible were that the latest Windows Updates had not been installed, or that they were running long-since-departed and hence unsupported operating systems. Significant examples include Windows XP and Windows Server 2003, with a combined market share still over 7% at the time. Following the outbreak, Microsoft released an out-of-band patch for those unsupported operating systems to slow the spread of this disastrous digital plague.
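As an added example (not code from the original article), the following PowerShell audits a Windows host for the two conditions that let WannaCry in: the SMBv1 server still enabled, and the MS17-010 update absent. The KB numbers are the MS17-010 update identifiers for each operating system; it is assumed that the list matches the versions you run, so check the MS17-010 bulletin for yours. On Windows 10 a later cumulative update supersedes the March 2017 one, so the newest installed hotfix date is reported alongside, and the SMBv1 state is the more reliable signal.

```powershell
# Added example: audit one Windows host for WannaCry exposure.
# Run in an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later
# (Get-SmbServerConfiguration ships with the SmbShare module on those builds).

# MS17-010 security updates by OS (assumption: this list covers your fleet).
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',# Windows 10 1507 / 1511 / 1607
    'KB4012598'                           # XP / Server 2003 / Vista / 8 (out-of-band)
)

function Test-WannaCryExposure {
    [CmdletBinding()]
    param(
        # Switch the SMBv1 server off if it is found enabled.
        [switch]$DisableSmb1
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result = [ordered]@{
        Computer     = $env:COMPUTERNAME
        OSCaption    = $os.Caption
        OSVersion    = $os.Version
        Unsupported  = $false
        Smb1Enabled  = 'Unknown'
        Ms17010Kb    = ''
        LastHotfixOn = $null
    }

    # 1. Unsupported OS: NT 5.x is XP / Server 2003, 6.0 is Vista / Server 2008.
    $result.Unsupported = [version]$os.Version -lt [version]'6.1'

    # 2. Is the SMBv1 server, the component EternalBlue targets, still on?
    try {
        $result.Smb1Enabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        # No SmbShare module on this build; report Unknown rather than assuming safe.
    }

    # 3. Is an MS17-010 update present, and when was the last update of any kind?
    $hotfixes = Get-HotFix
    $result.Ms17010Kb = ($hotfixes |
        Where-Object { $_.HotFixID -in $Ms17010Kbs } |
        Select-Object -ExpandProperty HotFixID) -join ','
    $result.LastHotfixOn = ($hotfixes |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn |
        Select-Object -Last 1).InstalledOn

    # 4. Optional remediation: disable the SMBv1 server (Microsoft's recommended
    #    mitigation) and re-read the setting so the report shows the new state.
    if ($DisableSmb1 -and $result.Smb1Enabled -eq $true) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $result.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]$result
}

# Report only; add -DisableSmb1 to remediate.
Test-WannaCryExposure | Format-List
```

A host is exposed when `Smb1Enabled` is `True` and `Ms17010Kb` is empty with `LastHotfixOn` before March 2017, or when `Unsupported` is `True`. Disabling SMBv1 closes the door regardless of patch state; the patch should still be applied, and any device that genuinely needs SMBv1 (old multifunction printers are the usual culprit) should be replaced rather than accommodated.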
Once your files are encrypted, you are typically left with three options:
- Clean or rebuild the affected systems, patch the vulnerability, and restore from a backup before bringing them back online;
- Pay the ransom and hope that you are provided with the decryption key, or
- Start from scratch, because your data, and in turn your business, had not been properly protected.
Can you see the problem, and the potential preventative measures, here? Patch and lifecycle management spring to mind for me. I obviously have a problem with the third option, and I'm not at all comfortable with the second either, since at that point you are funding the criminal activity and still have no guarantee of getting your files back.
Every day in the industry
If you work in ICT you can probably relate to this scenario: customers, usually business owners, adamant that their IT infrastructure and data are safe because they purchased an antivirus product... I'm not even going to touch on whether it's installed, up to date, or deployed across the board. Here, I struggle to contain myself, but it's a great opportunity to educate people and, ideally, make a good sale and a valued customer at the same time. Don't get me wrong; high-quality endpoint protection software such as Webroot, Bitdefender, or Kaspersky (interestingly questionable for some) can significantly mitigate these risks. The concern is that when the attack uses a 'zero-day' vulnerability, one being exploited before the vendor has a patch and before the security vendors have a signature for it, you're usually left cleaning up or recovering, rather than archiving the email alert and getting on with your otherwise productive, and hopefully profitable, day.
Ransomware is just one example of malicious software that can be drastically damaging to a home user or business. It may not result in your data being publicly released or sold to unknown third parties, but it is still damaging, and largely avoidable.
You can probably take four major points from what I have covered so far: deploy and maintain reputable endpoint protection; replace your outdated systems; review and apply your vendor updates; and back up your data. For businesses that rely on IT, which I'd guesstimate is nearly 100% these days, what if your building burns down or floods? You have an insurance policy to cover income losses and costs incurred, and your data may have been backed up onto Network Attached Storage (NAS) on premises, but the NAS would be ruined too. So you replicate the data to an external drive that you take home each day. But then what if someone breaks into your car and steals the shiny metal device to swap for a few grams of their favourite substance? Unless that drive was encrypted, you are suddenly in a small-scale position similar to Equifax: your customers' and your own data is now in the wild, out of your control, and you have no idea how it will be used.
These examples are scare tactics to make a sale. They're seen every day and they are endless: a server fails and you attempt to restore data from a backup, only to find that your backups have never completed successfully because they were never tested. Being scare tactics does not make these examples any less valid, and in a modern digital world of digital currencies, Single Sign-On (SSO), and cloud services, losing your data is a real possibility that can subsequently mean losing your money, business opportunities, professional reputation, and so much more.
It’s completely preventable!
I’m not going to rant on about what could go wrong and what to take from it. Not anymore at least. I think I can safely assume that most of you will be technically minded or business savvy enough to be able to infer this for yourself. Instead, I’m going to make a point list of recommendations and preventative measures that I’ve built up over the years and now use to educate my colleagues and clients:
- Install and activate endpoint protection on every device. If it takes any input, user or otherwise, it is an endpoint and needs protection;
- Implement malware scanning and intrusion prevention (IPS) at your network perimeter, for example with a security appliance;
- Route all your traffic, including branch and client VPN traffic, through content filtering;
- Review and install your vendor updates at least once per month, if not weekly;
- Create and use long passwords rather than merely complex ones. ForExampleThisIsAGreatPasswordIn2017 is long, not a well-known phrase, and far easier to remember;
- Replace your business infrastructure when its vendor warranty or other supported lifetime expires;
- Use enterprise authentication (802.1X) on non-guest wired and wireless networks;
- Do not allow guest or customer devices to connect to your corporate network;
- If you're running a BYOD structure, implement a Network Policy Server (NPS) so that connecting devices are authenticated and checked against policy before they are admitted;
- Filter your incoming email outside your network, before it reaches your mail server;
- Use Two-Factor Authentication (2FA) and SSO wherever they are supported;
- Configure backups to run every 15 minutes or hourly, to storage that is separate from the machines being protected, such as a NAS;
- Use a unique account and password for your NAS backup destination, e.g. do not use 'admin';
- Do not 'map' your NAS backup share as a drive letter on any computer; ransomware enumerates every accessible share and will encrypt the backups too;
- Ensure that your backups are encrypted using a modern cipher such as AES-256;
- Replicate your backups to an offsite location, or to encrypted USB storage that is taken offsite;
- Set up email alerts for your backup, verification and replication systems;
- Have these systems monitored from the outside in, so that a failure is noticed even when the email alerts themselves fail for any of a number of possible reasons;
- Remember that cloud servers and services still need the same level of backup, protection and monitoring;
- Educate your customers and staff on phishing, spear-phishing, related social-engineering attacks, and password hygiene; and finally
- Always ask someone experienced in these matters if you are not sure!
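The backup items in the list above (a dedicated backup account, no mapped drive letter, a destination separate from the protected machine, verification, and alerting) fit in one small job. The following PowerShell is an added example written for this article; it is not code from the article's author or from any of the vendors it names. Assumptions: `C:\CompanyData`, `\\nas01\backups`, the `backupsvc` account, the SMTP server and the alert address are placeholders; the credential file was created beforehand under the scheduled-task account with `Get-Credential | Export-Clixml`, which protects it with DPAPI for that user only; encryption at rest is left to the destination (an encrypted NAS volume) rather than implemented here.

```powershell
# Added example: back up a folder to a NAS share that is attached only for the
# duration of the job, verify the archive by restoring it, and alert either way.

param(
    [string]$Source     = 'C:\CompanyData',                          # hypothetical
    [string]$BackupRoot = '\\nas01\backups',                         # hypothetical share
    [string]$CredFile   = 'C:\ProgramData\backup\nas01-backupsvc.cred', # hypothetical
    [string]$SmtpServer = 'smtp.example.com',                        # hypothetical
    [string]$AlertTo    = 'alerts@example.com'                       # hypothetical
)

function New-VerifiedBackup {
    param([string]$Source, [string]$Destination)

    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive  = Join-Path $Destination "$($env:COMPUTERNAME)-$stamp.zip"
    $manifest = "$archive.sha256.csv"

    # 1. Hash every source file before archiving, so the manifest records what
    #    we believe we backed up, independently of what ends up in the archive.
    $hashes = Get-ChildItem -Path $Source -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($Source.Length).TrimStart('\')
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $archive
    $hashes | Export-Csv -Path $manifest -NoTypeInformation

    # 2. Verify: restore into a scratch folder and compare every hash. A backup
    #    that has never been restored is a backup you do not know you have.
    $scratch = Join-Path $env:TEMP ('restore-test-' + [guid]::NewGuid())
    Expand-Archive -Path $archive -DestinationPath $scratch
    $failed = @(foreach ($entry in $hashes) {
        $restored = Join-Path $scratch $entry.Path
        if (-not (Test-Path $restored) -or
            (Get-FileHash -Path $restored -Algorithm SHA256).Hash -ne $entry.Hash) {
            $entry.Path
        }
    })
    Remove-Item -Path $scratch -Recurse -Force

    [pscustomobject]@{ Archive = $archive; Files = $hashes.Count; Failed = $failed }
}

# 3. Attach the share with the dedicated backup account for this job only.
#    New-PSDrive with -Credential means no persistent drive letter exists for
#    ransomware running as the interactive user to enumerate later.
$cred = Import-Clixml -Path $CredFile
New-PSDrive -Name BKP -PSProvider FileSystem -Root $BackupRoot -Credential $cred | Out-Null
try {
    $r = New-VerifiedBackup -Source $Source -Destination 'BKP:\'
    if ($r.Failed.Count -eq 0) {
        $subject = "Backup OK on $($env:COMPUTERNAME): $($r.Files) files verified"
        $body    = $r.Archive
    } else {
        $subject = "BACKUP VERIFY FAILED on $($env:COMPUTERNAME): $($r.Failed.Count) files"
        $body    = $r.Failed -join "`n"
    }
} catch {
    # An exception anywhere (share unreachable, archive failed) must also alert.
    $subject = "BACKUP ERROR on $($env:COMPUTERNAME)"
    $body    = $_.Exception.Message
} finally {
    Remove-PSDrive -Name BKP -ErrorAction SilentlyContinue
}

# 4. Alert on success as well as failure, so silence itself becomes a signal
#    for whatever monitors this from the outside.
Send-MailMessage -SmtpServer $SmtpServer -To $AlertTo `
    -From "backup@$($env:COMPUTERNAME)" -Subject $subject -Body $body
```

Schedule it with a task that repeats every 15 minutes under the account that created the credential file (`New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)` with `Register-ScheduledTask`). The share itself should grant `backupsvc` write access but not delete or modify access to existing archives, so that even a compromised backup job cannot destroy earlier copies; replication of the archives offsite is a separate job on the NAS side.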
While it may sound complex, these points are relatively simple to make a reality: they are covered by only four product suites, all of which work together if configured and maintained correctly.
Where to start
If you want to take the first step towards protecting yourself and your commercial interests, you more than likely have a vendor-qualified Managed Service Provider (MSP) in your area who can provide these solutions.
It costs money, as all professional services do, and it is important work that should be carried out by experienced engineers trained in modern best practices. Because of this, it will also cost more than a typical service technician upgrading your computer. It is, however, both an investment and an insurance policy, with a clear and measurable return when implemented properly.
Contact us today, if you’d like to find out more, or ask any questions that come to mind.
Final thought-provoking figures
- Let's say you have 15 staff who you pay an average of $26 per hour. Those staff work 7.6 hours per day, 260 working days per year, resulting in an annual wages expense of $770,640. This does not take annual leave, superannuation or general overheads into account. If those employees must wait one second out of every minute for technology to do what it's supposed to do, that's $12,844 you're throwing down the drain every year, for no good reason. When data is lost, or the technology gets old, the cost to remedy or replace it is usually less than the cost of continuing to operate with it.
- How would you cope with your work computer being completely taken away from you? Power surge, hardware failure, malicious software, disgruntled employee…
About the author
In short, I'm the devil's advocate with over a decade of industry experience and over a dozen vendor certifications, focusing on reliability, performance and security across server and network infrastructure, along with virtualisation at all levels. I'm also a hobbyist programmer and avid lover of the outdoors, sci-fi movies, and music.
In the last six years, having stepped into business management and ownership, these security-centric topics have become more of a reality to me than just a concern. To date, I’ve been lucky. I can only attribute this to caution, sharing of knowledge, and research.
My personally and professionally preferred solutions include QNAP NAS products, StorageCraft backup solutions, Cisco Meraki network infrastructure and Webroot endpoint protection. I’m not sponsored by these vendors, they are simply what I’ve found to have the best security, performance, reliability, feature-set, support and comparable price point after years of research and experience.
Be diligent, be open-minded, ask questions, share your lessons learned, and be safe.