Category: Information Security For Organization

The importance of preparation

I started wondering how people can prepare themselves for such times, given the recent events. Military clashes are happening in the real world and the cyber one in modern times. The are many parallels between defending assets in both of these worlds. In this article, I shall try listing the different approaches one could use to harden their defenses. At the same time, I shall try giving a clear picture of the target goals of the defenders. 

So what is the ultimate goal of every defender? By default, it is to make the cost of the attack too high, and this way to diminish the gains of that attack. This kind of narrative is often seen in many books focused on the defensive side of cybersecurity. It is important to note that sometimes, people attack other people for personal reasons or even because of emotion. In these cases, attackers usually do not care how much it will cost them to perform the attack. As a defender, we should consider these reasons during the design phase of our defense.

You can see a sample architecture of an off-grid data center on the diagram. Such data centers have much better resilience during any events

There is one exciting proverb regarding the importance of preparation – more sweat in training, less blood in the fight. If we transfer this to the realm of cyber security – the more efforts we put into preparing the infrastructure, the less likely it is to be penetrated. So how we can prepare ourselves for an attack:

  • Buy quality equipment: Your equipment shouldn’t be the most expensive or cheapest. You need gear that can do the job and have a lifespan of at least five years. It is a good idea to buy multiple pieces, so you have hot swaps in case of failure. Items in the middle price range usually are good candidates. 
  • Plan and train: There is little sense in having great gear without using it. Regular training sharpens the skills and decreases the reaction time during the use of the equipment. At the same time, testing the items help check their limits and allows the designer to prepare a better defense. In the realm of cybersecurity, we could do regular red/blue team games where the red team will try to penetrate the infrastructure, and the blue team will defend it.
  • Be realistic: If your attacker has much more resources (money and time) than you, they will penetrate you. There is no great sense in making sure your electronic infrastructure survives an EMP wave coming after a detonation of a nuclear warhead. At the same time, it makes excellent sense to make sure your data is backed up into a protected vault and that you have replacement units if such an event happens.
  • Hack and Slash: Don’t be afraid to modify your equipment if it does not suit your needs. Many security units prefer buying cheaper equipment and rigging it for double or triple purposes. Play around with your gear, and don’t be afraid of breaking it. Sometimes you can find real gems by doing that.

In conclusion, preparation for any defense activity comes with a lot of research. The primary goal of every defender is to increase the cost of attack. The higher the price is, the less motivated the attacker will be. Often the resources of both sides are asymmetric, and thus, some defenders must think such as guerilla fighters or even as Start-Up owners. They have to squeeze the last piece of efficiency provided by their infrastructure.

Should countries hire hacker-privateers to engage other coutries in cyber wars?

Unfortunately, during the last two years, we saw quite a rise in the number of cybercrimes worldwide. Many attacks allegedly came from nation-state actors, and we observed much blame in the public media space supporting this statement. Life is indeed a challenge, and the strongest ones almost always win. Still, there is a subdue difference between being aggressive and attacking foreign countries and defending your interests and infrastructure. 

As a matter of fact, we could categorize the last couple of years as a series of standalone cyber battles, which could finally end in a fully-fledged cyberwar. And in such situations, some people start fantasizing about hiring hackers-privateers and starting a Cyber World War, where teams of the best hackers will fight each other. It sounds like an incredible plot for a sci-fi novel, but there are reasons why such actions could lead to disaster in reality:

On the diagram, you can see the standard military uses of electrical and communication equipment. Cyberwarfare privateers can use their skills to attack many targets without even going near the real battlefield
  • Global World: We live in a global village. The world is no more disconnected, and one crisis can quickly affect it. Check the COVID-19 situation, for instance. Despite its allegedly natural origin, it blocked the global economy and opened many old wounds. Now, believe me, if a worldwide cyberwar happens, we shall have much more complex problems, which could easily lead to conventional or even a nuclear, large-scale war.
  • Ethical Reasons: An old proverb states that one is to be able, another is to have the will, and the entirely different thing is to do it. Ethical hackers could start a fully-fledged cyberwar suitable for their businesses. However, I believe that cybersecurity must be more oriented to stopping criminals rather than achieving political agenda or starting conventional or nuclear wars. 
  • Willingness: Most white hat cybersecurity specialists will not act of aggression for any sum of money. As patriots, they care for the well-being of their country; however, one thing is being a patriot, another is doing destructive actions versus another country or organization. At the same time, most hackers are criminals. Working for state actors will reveal their personalities and end them in jail. These statements reduce the number of individuals willing to work, such as hacker-privateers, to a tiny number.

In conclusion, cybersecurity and hacking are not similar to conventional armies. Sure, we can use the same terminology and ever do “war” games. But essentially, the whole sector is more identical to the standard private security companies, which defend infrastructure perimeters and fight crime. The role of pentesting companies is to test these defenses acting like criminals. Everything other than that should be categorized as cyber warfare and be forbidden. 

The good, the bad and the ugly of the proprietary software model

The last article discussed the advantages and disadvantages of the Open Source software model. We even listed some uncomfortable truths regarding its economic viability and how it could be more expensive than many proprietary products. Despite being an Open Source zealot, I want to start with the statement that I still think proprietary software is sometimes better than Open Source ones. We can not compare my case with the average customer because I have spent the last 18 years working in IT – aka I want much more control over my system than the standard PC user. At the same time, when I can, I strongly avoid using proprietary software because I want to know what runs on my device or have the ability to review it if I wish. But let me list the good, the bad, and the ugly of using proprietary software:

The good

  • Legal responsibility: Wishing or not proprietary software vendors are obliged by law in most countries to take care of their customers and the data coming with the usage of the software. And yeah, many governments try defending their citizens and their data.
  • Better support: No one will pay for proprietary software if support is not included in the price. The difference to the Open Source vendors is that you receive some hours of first-level support with the cheapest plans, which is better than nothing.
  • Centralization: Having a more centralized way of management has advantages such as faster development speed, faster decision-making process, and fewer intrigues. 
You can see a comparison between BlackBox and Whitebox software on the diagram. Open Source software is considered Whitebox because everyone can see and review its logic. On the other side, proprietary is considered as BlackBox because to analyze its behavior, analysts must use reverse engineering techniques

The bad

  • You should pay for it: One of the bad things regarding proprietary software is that people should pay for it. And the main problem is not the cost but businesswise; when you are using something you don’t have access to, you introduce a critical business dependency. What happens if suddenly this software vendor disappears?
  • Closed ecosystem: Decisions are made by the company’s owners producing the software. Customers usually do not have control or involvement in feature design and implementation. 
  • More complicated collaboration: If two companies want to work together, they should sign a contract, and by signing this contract, they “decide” how their partnership will happen. By not having a ready-for-use framework, lawyers must review every agreement and make sure that both sides are happy with it.

The ugly

  • Sometimes less secure: Proprietary software has the same security problems as Open Source software. Many hackers are pretty adept in reverse engineering and finding security holes. Additionally, proprietary vendors must pay for security audits and could not rely on an ecosystem of hardcore software engineers to do that for them.
  • Lousy support for smaller customers: The bigger a software vendor becomes, the lousier its support becomes for its small customers. And this equals them to the Open Source software vendors without support for their free plans. And yeah, there is a reason for the number of jokes regarding the quality of support provided by given operating systems manufacturer :-).
  • Weaker legal defense: The bigger a software vendor becomes, the more legally powerful it is. And this leads to fewer opportunities for its small customers to search for justice. Usually, the side with the bigger pool of resources is the winning one in legal battles.

In conclusion, there is no significant difference between proprietary and Open Source software models. The only meaningful difference is that customers could legally claim stuff easily from smaller proprietary vendors. However, once the vendor becomes too big, they hire better lawyers, and experienced lawyers are pretty good at defending corporate interests. Other than that, the tradeoff for the end customer is first-level support versus free usage.

Cybersecurity tactics for small teams – Public Image

And this is the last article on cybersecurity tactics for small teams series. We have already finished the hardware computer-based parts, and I shall use this last article to cover more the social side of cybersecurity. We shall spend the following paragraphs speaking about your organization’s public image and how it can be affected by your cybersecurity defenses. At the end of the article, we shall present a summarized budget using all the budgets we created during the last couple of months. So let’s start.

Social media

During the last decades, we witnessed the rapid growth of various social media platforms. These days every organization has to show a stable social presence to improve its marketing. It is fascinating how virtual space can reflect on real people and places with its data and information. Having this in mind, we have to treat all the social accounts of a given organization as assets, and by assets, we have to find a strategy to keep them safe and secured. 

Imagine what will happen if an attacker takes control of your team accounts. Usually, these accounts are used to have private chats with clients or customers in different social media systems. Data dump consisting of such talks can sometimes be quite hazardous to your organization.

You can see a Venn chart representing the different social media platforms on the diagram. As you can see, almost all of our digital life is located there, and this data is an asset

Internal Team Communication

As we discussed in the previous article, teams must communicate. In remote-first groups, this communication must happen in some virtual place, where team members can coordinate and write. By default, every email server, chat server, and video conferencing server record things into a historical log. It is essential to take into account that these logs are information and company assets. 

Sometimes the tone there is inappropriate, and thus dumping them over the Internet can cause significant problems to your organization. It is essential to understand that a cultural change must happen to make your organization understand the effects such an attack can have. 

Personal Space

Unfortunately, with the rise of digitalization, the following tendency started to emerge – your personal digital life can affect and hurt your professional one. It means you have to be aware that simple private communication can be leaked and can cause tremendous problems to your persona and your organization. 

Influencer economy and personal branding changed over the Internet during the last decade. Despite its asymmetric nature, the personal brands managed to keep going with the big enterprises. It is more and more common for companies to start using their employees’ brands to promote themselves. Which, in short, we can phrase as an asset’s loan. Employees loan out their assets to their employer during the period of working together. From a cybersecurity point of view, your organization must understand that now you defend company infrastructure and personal ones.

Now, after we covered the effects that public image can have on your organization, it is a good idea to cover how you can defend yourself from penetration:

  • Security awareness course: A good security course will cover all these topics and many more. Still, it is good to touch some information security, not only cybersecurity topics, during the period. I would advise you to search for vendors providing information security business-based courses.
  • 2FA: Especially for an account that is not part of your infrastructure, a 2FA is a must, including the organizational accounts and the personal accounts. 
  • Personal Development: Personal development of your team members can help a lot to avoid such attacks. There are multiple use cases and stories on the Internet from which you can take inspiration. 

Budget

As we already discussed in the final paragraph of this article will be a combined budget from all the previous articles together with this one. The budget will have two categories – per team and person. The per team will be for your whole team, and per person will be for one team member. The budget will be for two years because this is the service life of most of the hardware equipment. The team will be five people. So let’s do it.

Per team

  • Hardware toolkit (100$)
  • Paper Shredder (50$)
  • Camping Gear (50$)
  • Safe (500$)
  • Office Security System (4000$)
  • SIEM System (0$)
  • Email And Chat Server(85.68$)
  • VPN Server(85.68$)
  • GitLab Server(85.68$)
  • Video Conferencing Server(85.68$)
  • Cloud Storage(222.44$)
  • Security Awareness Course(1000$)

Total per team: 6266$

Per person

  • Router (180$)
  • Switch (150$)
  • Group Policy Server (150$)
  • Pacsafe Backpack (190$)
  • Business Series Laptop (1000$)
  • Laptop Operating System(0$)
  • Smartphone(200$)

Total per team member: 5 x 1870$ = 9350$

With a total budget of around 15616$ for two years, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. The budget is almost less than 3300$ per team member and around 140$ per month. 

And this brings our series to an end. I hope you enjoyed our journey, and in case of questions, you can always book a session with me. I shall be more than happy to answer.

Cybersecurity tactics for small teams – Business Security

In the last couple of months, we discussed how you could achieve a good level of personal security for your team members. We covered the topics of physical information security, home network security, and finally, your hardware devices cybersecurity. With this article, we shall cover the issue of how you can upgrade your cybersecurity defenses as a team. The article will cover the necessities of remote-first groups because they are harder to defend. You can use the same approach to protect your office or shared space-based team. Still, the focus will be on underfunded small groups. At the end of the article, I shall present a sample budget for your team infrastructure.

But before going to the budget, let’s analyze how a remote team of workers communicates and collaborates. I shall list down the different infrastructure requirements for a technical IT team. Keeping in mind how digitilized our World is, they will work fine for any other distributed team.

Communication Channels

For every remote-first team, it is essential to have a communication channel. We can categorize the different communication channels by their speed. But let’s do this in the following list:

  • Email: Email is usually categorized as an official communication channel, which we can use for communication inside and outside of your organization. It is heavily asynchronous, with messages response going from minutes to days. Usually, this kind of communication is used for strategic discussions and long-term plans. That’s the reason it could be the most valuable target for an attacker.
  • Online Chat: Online chats are a faster way of exchanging messages. Usually, they are used when you need a quicker response from your peer, and there is no good time for a short, not planned call. Usually, the rule of thumb is to spend no more than 15 minutes chatting, and if the issue is not resolved, move to something faster. This one will be the second most significant target after the email for an attacker.
  • Video Conferencing: This one is the fastest. Usually, it is used to exchange a burst of already prepared information. Most of the time, the data is a tactical one, and thus this way of communication is with the lowest priority for attackers.
You can see a standard corporation infrastructure on the upper part of the diagram, where you have multiple zones and a load balancer. On the lower part is the typical small team setup, where all the data for communication is going through one cloud provider and one zone

Information Storage and Sharing

These days everything is done using information and files. But, you must store these files first and, after that, share them with your team members. Doing this using the standard communication channels is no good because there are no excellent categorization and tagging tools implemented in these systems. In short, they are not appropriately tailored for this kind of activity. That’s the reason the IT industry created a good amount of tools for solving this problem. Our small team will use them as well. So let me list them:

  • Project/Product Management System: Project management software (PMS) can help plan, organize, manage resource tools and develop resource estimates. Depending on the sophistication of the software, it can manage estimation and planning, scheduling, cost control, and budget management, resource allocation, collaboration software, communication, decision-making, quality management, time management, and documentation or administration systems. As you can see, most of the vital information for your project/product will be in this system, making it an excellent target for an attacker.
  • Cloud Storage Solution: Project management systems are outstanding in documentation storage, but they lack some of the features a full-scale cloud-based storage solution can offer. In this kind of solution, you usually store big files in a format such as video, audio, high definition graphics, etc. As such, you can leave a big part of your intellectual property lying in such cloud storage, making it a good target for an attacker.
  • Automation System: Especially in IT teams, sometimes your team will need automated jobs to happen. If you have automation specialists, know how to write scripts, you can automate a big part of your daily routes. In the case of programming teams, this is usually building, deploying, and testing procedures for a new version of your product/project. It means that you have to give access from your automation system to your programming code, for example. And this makes it an excellent target for an attacker. 

As we already discussed in the upper paragraphs, you need at least these six types of systems working and secured to have a functional remote-first team. Coming back to our knowledge of network defenses, the ideal solution for these systems is to be defended by VPN or a similar solution and expose only port 25 of the email server to support external communication. 

Unfortunately, this kind of setup will be possible only if you deploy the services in your infrastructure. In the case of cloud providers, you don’t have much control of what is exposed to the Internet and how the cloud provider takes care of your security. Plus, the infrastructure is shared between multiple organizations, and there is no guarantee that these organizations follow such strict cybersecurity rules, such as your team.

Budget

 But anyway, let’s create a budget for on-premise deployment of your infrastructure, and we shall use a VPS provider because it will be cheaper for us. A virtual private server runs its copy of an operating system (OS). Customers may have super user-level access to that active system instance, so they can install almost any software that runs on that OS. For many purposes, it is functionally equivalent to a dedicated physical server and, being software-defined, can much more easily be created and configured.

The most famous VPS providers are Amazon Web Services and Microsoft Azure. Still, there are some smaller players, such as Digital Ocean and Hetzner. As we shall do the infrastructure for a small team, we shall need a VPS with a not big pool of resources and go for the lowest price, which means CX1 instance in Hentzer. So let’s list now the different servers we shall need. All the prices are per month.

  • Email And Chat Server(3.57$): As there will be no significant demand for these two services, we can place them on the same machine.
  • VPN Server(3.57$): We shall have one machine for the VPN server, and all of the services without port 25 will be behind this VPN.
  • GitLab Server(3.57$): Gitlab is a project management/automation system. As it can become quite a hungry beast, a standalone instance is a way to go.
  • Video Conferencing Server(3.57$): One more hungry beast, it is a good idea to have it as a standalone server.
  • Cloud Storage(9.31$): This one will be a CX1 instance + an additional 100GB to store larger files. For a small team, a total of 120GB will be enough.

With a total budget of around 23.59$ per month, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. We shall use the standard VPS provider firewall. Still, if we want to achieve a higher level of security, we could add a server that will serve as a software-based firewall and IPS solution. Additionally, there are Open Source solutions for all the services types, and they will cost us 0$ per month.

Cybersecurity tactics for small teams – Hardware Device Security – part 2

As you can see from the previous paragraphs, there are multiple ways to penetrate your devices. In the following sections, I shall list some methods of making your devices more secure. You can find the previous part – here.

Hardware Security

There are multiple options for physically securing your laptop and smartphone. At the end of the article, I shall give multiple variants for your budget, but ideally, the essential hardware security upgrades are:

  • Secured Notebook Backpack: There are multiple hardware vendors for securing your laptop backpack. It is essential to know the standard branded bags do not offer enough security options. For example, most backpacks do not provide RFID protection and proper locking mechanism.
  • USB Port Lockers: Port lockers can keep your laptop safe from Rubber Ducky-based attacks. At the same time, port lockers are pretty interesting because they make attackers’ lives more complicated in case of steal. To access the USB port of the device, they have to break the locker, which can damage the USB port and make it unusable.
  • Hardware Tokens: Bussines series laptops usually come with internal TPM chips, which can encrypt your entire hard drive. It is terrific, but if you want better security, it is advisable to encrypt your most critical files using external USB hardware tokens.

Antivirus Software

The average number of new malware programs per day is around 450 000. It is an astonishing number and almost destroys the necessity of antivirus software. Still, it is crucial to understand that the goal of your Antivirus Software is to stop the most critical pieces of malware, but not all of them. Let me list some of the mechanisms your Antivirus Software uses to keep you safe.

  • Malware Database: Every Antivirus program comes with a malware database with different strains of already analyzed computer malware. As we already understood, there are around 450 000 new strains per day. Antivirus companies’ teams keep only the most dangerous strains in the database to keep with the speed of making new strains.
  • Malware Scanner: Usually, every malware tries to gain access to resources, which are not part of its resources pool. Antivirus software can monitor your operating system for such activities and can block them and finally notify you.
  • Operating System Files Hash Check: Some antivirus software can check whether there are changes in your operating systems and notify you and revert the system files for the previous state. It is especially true with Red Hat-based Linux distros.

Open Source

One of the reasons people choose Open Source is the level of security it offers. You can perfectly set up your business to use an open-source stack from the beginning. And this is not only the applications but the operating system and even your hardware. Especially Linux is a beautiful example of how an Open Source ecosystem can increase its security by being open. Instead of using pirated software, you download it from a free repo, which has the source code of the app already reviewed. Every major Linux distro has all of its packages signed, and the repo can verify them. But let me list the different advantages an open-source operating system has.



On the diagram, you can see a sample architecture of a Linux system. Usually, SELinux and AppArmor are working on the Kernel level. After version 4.4, Android has SELinux enabled by default.
  • SELinux and AppArmor: SELinux and AppArmor are kernel modifications and user-space tools added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy and streamlines the amount of software involved with security policy enforcement. Significantly, the fundamental concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency (NSA).
  • Open Source Repos: All the packages are part of the software repos, maintained by the distro authors. Bigger Linux distros such as Red Hat and SUSE support big security teams to find and patch holes.
  • Open Source Hardware: There are multiple open-source hardware initiatives, including PowerPC and ARM-based processors. It is essential to know those hardware devices attached to your PC come with drivers, and sometimes these drivers can be an entire operating system. For example, server-based Intel Xeon processors come with network-based remote access control.

Budget:

So after we have listed most of the penetration vectors which an attacker can take, we can finish the topic by creating a budget. We will focus the funding towards underfunded organizations with a limited budget for their cybersecurity program. The budget will be per employee.

  • Pacsafe Backpack (190$):  Pacsafe is a brand of travel equipment emphasizing anti-theft features. The company’s products include adventure backpacks, urban and leisure bags, women’s bags, photography bags, luggage, and travel accessories such as straps, cables, and locks. Their middle-end backpacks offer a pretty good level of security.
  • Business Series Laptop (1000$): For this one, I would choose Lenovo Thinkpad-based laptop. It supports TPM and will offer a good level of harddrive encryption. It is essential to mention here that you have to encrypt all of your storage drives, no matter SSD or HDD ones.
  • Laptop Operating System(0$): Here, we shall go with either CentOS or OpenSUSE. I would personally go with CentOS here because of the native SELinux support. If you want to use the Ubuntu operating system, you should live with AppArmor or set yourself SELinux. CentOS additionally support free Antivirus Sofware supporting all the listed features in the previous paragraphs.
  • Smartphone(200$): Here, we shall use any device, which supports LineageOS. LineageOS is an operating system for smartphones, tablet computers, and set-top boxes, based on Android with primarily free and open-source software. It is the successor to the custom ROM CyanogenMod, from which the devs forked it in December 2016. It offers a good level of privacy, including the complete removal of the Google Play Store for the most paranoid ones. Most of the devices officially supported are in the 200$ range.

With a total budget of around 1390$, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. If you want to improve this setup further, you can add USB locks and hardware tokens. But, again, the improvement will not be much because, in case of hardware steal, hackers would have to break your TPM module, and the TPM modules are designed to resist this kind of attack.

To be continued

Cybersecurity tactics for small teams – Hardware Device Security – part 1

Please check the previous part – here.

After we already discussed how to assure your physical security and your network perimeter. The topic for the following two parts is the security of your hardware devices. And especially, I shall give you some ideas on how to secure your personal computer and your mobile phone. I shall provide a sample budget for a security-oriented personal computer, laptop, and mobile phone at the end of the parts. In the budget, I shall put the software appliances as well.

But before doing this, let’s have a short discussion of what a computer is and how we use it. The formal definition of a computer is:

A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations automatically. Modern computers can perform generic sets of operations known as programs. These programs enable computers to perform a wide range of tasks.

In other words, we have a machine, which works with data and can perform operations on it. It is similar to what our brains do for us but in a different way. In terms of computer security, it is essential to understand that your computer is a data carrier and data generator. The goal of your security awareness model is to protect the data and the generator logic. So we have to treat our computers the same way we treat our brains when we don’t want to share data. Aka by making sure we took all the necessary steps to secure access to our information.

So let’s do it. We start with:

Personal Computer/Laptop

We shall discuss the security of laptop computer because it has a more significant amount of attack vectors. We can apply the same list of attacks to workstations.

By definition – A laptop, laptop computer, or notebook computer is a small, portable personal computer (PC) with a screen and alphanumeric keyboard. It is important to note that a laptop is a total nightmare for your computer security policy in the physical security realm. It inherits the traits of all the hardware devices, including the ones related to garbage. Securing laptops is almost impossible, and a dedicated attacker most probably will manage to penetrate the defenses of your laptop one way or another. But let’s list the different attack vectors your laptop has.

On the diagram, you can see a standard data exfiltration workflow. The attacker makes the victim network sending data to a malicious service and, after that, reroute the data to his/her infrastructure
  • Theft: By being mobile, any laptop is a mobile data carrier similar to your paper documents and USB flash sticks. And by that, a dedicated attacker can steal the computer and gain access to your data. It is essential to mention that any encryption mechanism can slow down your attacker, but you can not determine whether it will stop him.
  • Location-based attacks: Companies such as Hak5 promote an exciting set of tools used for location-based attacks. They can penetrate your WiFi network, and even there are devices named RubberDucky. They look like a standard USB flash, but essentially they are cheating your computer that they are keyboard devices and execute a penetration script.
  • Malware: There are many types of malware, but these are most dangerous in terms of cybersecurity: trojan horses and ransomware. Both of them steal your data. In case of ransomware, you have to pay, and at least you receive notification that something wrong happened. In the case of trojan horses, you have no idea what is going on with your data.
  • Misconfiguration: Most of the laptops do not come with proper security configuration by default. Users without formal training can not configure the system, and it remains unsafe until a hacker penetrates it.
  • Pirated Software: Torrent trackers are a terrible place to download software. Usually, the cracked versions of the popular software come with already preinstalled malware. It is highly advisable to use open source or paid products.

Listed threats are only part of a long list of attack vectors an organization must take care of. Still, they are a good starting point, and if your small team manages to stop them, it can reach a good cybersecurity level.

Smartphones

After the introduction of IBM Simon, the smartphone industry had rapid growth. These days, devices are as powerful as a ten-year-old computer and can perform various tasks, which people kept only for computers for a long time. It is fantastic, but they are even worse in terms of cybersecurity than your laptop. They inherit all of your laptop’s problems with even smaller size and limited control over the hardware. They are a nightmare in terms of computer security. But let me list the different attack vectors which your smartphone can introduce:

  • Outdated Operating System: To further push technical progress, hardware vendors usually discount older than four years old devices. And by discount, it means that these devices do not receive security patches and the latest version of their operating system. This approach leaves thousand of people without proper cybersecurity defenses.
  • Laptop Attack Vectors: As a less powerful computer, every smartphone inherits a laptop’s security problems. Even worse, once you store your data in your smartphone’s internal memory, it is almost impossible to erase it securely.
  • Conversation Sniffing: Hackers can use your smartphone to sniff your daily conversations by being constantly held near to you. Many hardware vendors implement security measures versus this kind of attack, but people must still be aware that such an attack is possible.

Next part is here

Cybersecurity tactics for small teams – Network Security – part 2

Please check the previous part – here.

Now, as we can see, attackers can penetrate all of the hardware network devices we reviewed. How easily it depends on how do you set up your cybersecurity and patch policy. 

It is clear that despite your best effort, you must not blindly trust your routers and switches. Lack of trust is precisely the paradigm behind the zero trust model. At the same time, to make attackers’ life harder, it is important to mention three types of defensive cybersecurity tools, which can help you increase your defenses and trust in your local network. 

Until the end of this article, I shall describe them. As a final, I shall give a sample budget for both router and switch devices. Both of them will use open-source software. Usually, they receive software updates quite often and can offer your a good level of security.

Firewalls

A firewall is a network security service that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Firewalls have been the first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that you can trust and untrusted outside networks, such as the Internet. 

Usually, in the case of home networks, this service is deployed in your hardware router. The last sentence means that the attacker will expose your entire local network to the Internet in case of router penetration.

Intrusion Detection/Prevention

An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. The IPS reports these events to system administrators and takes preventative action, such as closing access points and configuring firewalls to prevent future attacks.

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or breach is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

At home routers, intrusion prevention systems can be deployed on the router device and inspect all the incoming network packets from the Internet. On the other hand, an intrusion detection system is deployed on all the hardware devices connected to your local network. In simpler words, prevention systems monitor your incoming traffic, and detection systems monitor your local network for anomalies. 

On the diagram, you can see a standard SIEM system. The idea of the system is to aggregate all of your logs and data and offer analytics to your security engineers

Group Policy

Group Policies, in part, control what users can and cannot do on a computer system. For example, a Group Policy can enforce a password complexity policy that prevents users from choosing an overly simple password. Other examples include allowing or preventing unidentified users from remote computers to connect to a network share or block/restrict specific folders. A set of such configurations is called a Group Policy Object (GPO). 

Now, group policies can be a powerful instrument for system administrators to define how the organization computers act to different security threats. Unfortunately, Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular function of accessing it. Alternatively, a malicious user can modify or interfere with the application to not successfully read its Group Policy settings, thus enforcing potentially lower security defaults or even returning arbitrary values.

For home-based local networks, the usage of group policies is usually limited. Still, I would advise system administrators of small teams to think carefully, how to add group policies to their remote office deployments. In combination with VPN, Group Policies can add much value to your cybersecurity workflow.

Budget

As I promised at the beginning of this series, I shall give a sample security budget for every topic we discuss. Again I will tailor the budget to small teams with an underfunded budget for cybersecurity defenses. 

  • Router (180$): I would go for Pfsense or IPFire based hardware appliances. Both provide reasonable protections, even though the first is based on FreeBSD and the second is a Linux distribution. Both have state-of-the-art firewalls, and both support Snort and Suricata, which are the best intrusion prevention systems. Additionally, they have Syslog support so that the router can become a part of an intrusion detection system.
  • Switch (150$): SwitchBlox Rugged is a good option here. It is a little bit more expensive than the standard network switches. However, it comes with an open-source networking operating system and can work in harsh environments. Two switches can be stacked together.
  • SIEM System (0$): MozDef is a SIEM system developed by Mozilla. It is open-source and supports all the necessary features for SIEM systems. 
  • Group Policy Server (150$): We can order PC Engine’s apu4d4 unit and install on top of it Univention Corporate Server. With it, we can create policies for Ubuntu and Windows-based computers.

With a total budget of around 480$, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. The switch is optional, but it will help if you want improved security and choose to have a WiFi network for guests only.

In conclusion, setting up a network perimeter can be done effectively on a budget. Still, it is essential to note that the budget does not include the human hours needed to set up the equipment and your local network.

Next part is – here.

Cybersecurity tactics for small teams – Network Security – part 1

Please check the previous part – here.

After we finished our two pieces for physical cybersecurity in this and the next one, we shall discuss how to defend your computer network. For a long time, I wondered whether to start with computer and mobile phone devices security first or start with the network security perimeter. In the end, I decided to follow the standard technical approach a computer hacker will use to penetrate your defenses – intelligence recon, network penetration, and finally, device exploits. In social engineering, the hacker will skip network penetration and directly exploit your devices.

So network security, here we go. 

Computer network protocol design is not with security and privacy in mind. After decades of cybercrimes and research on how to stop them, we finally have a solution for these problems. The zero-trust security model is almost 12 years old, with Google using it since 2009. However, despite the good news, the model has its use mainly in big corporates so far. I firmly believe that small organizations and teams can use this model or parts of it. 

But what is the idea of this approach? It is not something new – you have to understand that you can not trust any data in transit, including your own smartphone or laptop apps. Zero trust dictates that the whole network or application path between your application and the server could be malicious, including all the hardware devices along this path – network routers, switches, servers, laptops, and smartphones. 

Still, despite the zero-trust paradigm, I think that people must make sure that the hardware devices under their control are as secure and patched as possible. I market this work approach because the more layers of security you have, the harder it will be for an attacker to penetrate you. Or in short, zero trust does not invalidate other security practices. It just adds new tools to your defensive cybersecurity toolset.

So let’s start with the different network devices and their attack vectors:

Routers

So what is a router? A router’s standard definition is a hardware device, which connects different computer networks and forward packets between them. In the case of your home or office router, this is your home/office network and the Internet. Every network packet going to or from the Internet comes and goes through this router. 

In terms of network security, routers are your first line of protection versus network penetration attempts. Or, in simple words, they are your cyber gateway to cyberspace. Additionally, they offer a different range of services regarding your protection. Such services are Firewalls, Intrusion detection systems, NAT service, Syslog server, and many more. 

It is essential to treat your router as a highly specialized computer system. As a computer system, it inherits some of the security problems your personal computer has. Let me list the different attack vectors, which an attacker can use to penetrate your router.

On the diagram, you can see a standard small office deployment. Both of the firewalls are connected in CARP mode, and they become a virtual router. Usually, every firewall is deployed on a standalone hardware device. 
  • Misconfiguration: Sometimes, routers not come with the best configuration in terms of cybersecurity. For example, enabled remote access functionality can be pretty helpful for system administrators, but at the same time, it exposes your router to attackers.
  • Outdated software: Usually, home routers run on quite obsolete software. It is rare, a home user to upgrade the software version of their router. Unfortunately, this leads to systems without proper security patches and gives the attackers an excellent opportunity for hacking the router.
  • Exposed services: Most of the modern routers support additional services such as VPN and IPSec servers. It is essential to understand that every exposed service can be an attack vector for our attacker. In the case of VPN, this is usually not true, but there are exceptions.

Switches

Next in line is the network switch. By definition, a network switch is a network device, which connects different network devices into a local computer network by using packet switching to forward and receive data to the destination device. The network switch learns the identities of connected devices and then only delivers data to the port connected to the device to which it is addressed.

In other words, think about the router device as a controller of the local network and about the switch device as an intelligent extender of a local network segment. Still, every switch is a highly specialized computer system, and it inherits the cybersecurity problems other computer systems have. Let me list them.

Most modern companies use cloud providers for their services and do not waste their time deploying hardware. However, the bigger your become, the more hardware you have to set up because it becomes cheaper for you. However, the same principles for cybersecurity apply both to your home office and a multi-national corporation.
  • Network Flood: A malicious actor can try flooding the local network with packets and making it not responsible. Usually, this happens with older switches. Most of the modern ones have protection in place.
  • VLAN sniffing: Most modern switches support network isolation by tagging the packets. This way, different computers in your local networks can not listen to packets living in other virtual networks. Still, if the switch tagging the packets got penetrated, the attacker can listen to all network packets.
  • Remote Access: Newer and more expensive network switches have an entire operating system built inside. It supports remote access features for system administrators and many more. Still, the more one device is intelligent, the bigger the attack surface it has. 

Next part is – here.

Cybersecurity tactics for small teams – Physical Security – part 2

Please check the previous part – here.

The same concerns as to real estate apply to all vehicle-related threats. Hackers can use your vehicle to track your activities and to decide when to execute an attack towards you. As a final list of perils, I would like to mention the dangers related to garbage. Most people do not consider their garbage as a cybersecurity threat. However, the truth is – this is usually the best source of intel for a given hacker organization. Let me list the different threats your garbage generates, and after that, we can create a simple budget of how to keep your and your devices secure:

  • Paper: Every paper document with personal data, addresses, or buying preferences leads to information leaks, which any hacker group can use to penetrate your defenses. A paper retention policy is a must for every organization these days.
  • Hard Drives: Techniques for data forensics become more and more advanced. Hackers can use these techniques to retrieve data from hard drives and SSD drives found in the garbage. It is better to treat your Hard and SSD drives as paper documents and not resell or throw them away.
  • Mobile Phones: Modern mobile phones are computers. Deleting data from them is pretty tricky. To keep your organization safe, you must treat them similarly to paper documents and hard drives. 
  • Electronic Devices: Every smart device in your home and office is a low-level mini-computer that stores and records data. Hackers can read the storage chips of these devices with proper machinery. They can use the data stored there for malicious activities.
You can see a diagram showing how a small organization or even a freelancer handles their priorities in terms of cybersecurity. Everything starts with the digital garbage and its retention policy.

You can notice that the number of attack vectors to your persona is quite significant. And we are only in the physical security realm, without mentioning any digital space. As promised at the beginning of the article, I shall present a simple list of tools and activities, together with a budget. Using them, you can set up your cyber defenses on a limited budget:

  • Hardware toolkit (100$): This toolkit will give you the availability to disassemble all of your electronic devices and destroy them. If you have better knowledge of electronics, you can cut the power of your laptop microphone and camera. 
  • Paper Shredder (50$): A shredding machine can destroy paper documents, credit cards, and everything which looks like a paper-sized card. Still, cutting through the papers is just a first step, but not enough.
  • Camping Gear (50$): There is no better way of document destruction than burning them. With camping gear, you can go to the woods, have a barbecue, and meanwhile destroy all of your not-needed documents.
  • Safe (500$): Paper is the ultimate data storage. With proper care, it can survive over 100 years or more. Still, you must keep the paper somewhere, and there is no better place than a safe. For this money, you can get a safe the size of a standard desktop drawer unit. It is more than enough to store all of your documents.
  • Home And Vehicle Security Systems (4000$): Still using security systems without a network system can be pretty advantageous for you. An isolated security system can send you SMS messages when an event happens. Sure it is a little bit more expensive, but the only way of disabling such systems is by bringing a Faraday cage.

With a total budget of around 4700$, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. To break a safe, you should cut through it. And this generates sound. Sound is terrible for attackers, and it can alert neighbors.

In conclusion, just one more piece of advice. When you choose electronic devices (including a car) for your home, please research how smart the device is. The more intelligent it is, the more prone it is to hacking. Devices without Internet access are the best because the chance of hacking is relatively low or nearly zero.

Next part – here.

Photo of my last garbage destruction event. You can see the old paper documents burned.