Tag: organization

Cybersecurity tactics for small teams – Hardware Device Security – part 1

September 1, 2021 /

Please check the previous part – here.

After we already discussed how to assure your physical security and your network perimeter. The topic for the following two parts is the security of your hardware devices. And especially, I shall give you some ideas on how to secure your personal computer and your mobile phone. I shall provide a sample budget for a security-oriented personal computer, laptop, and mobile phone at the end of the parts. In the budget, I shall put the software appliances as well.

But before doing this, let’s have a short discussion of what a computer is and how we use it. The formal definition of a computer is:

A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations automatically. Modern computers can perform generic sets of operations known as programs. These programs enable computers to perform a wide range of tasks.

In other words, we have a machine, which works with data and can perform operations on it. It is similar to what our brains do for us but in a different way. In terms of computer security, it is essential to understand that your computer is a data carrier and data generator. The goal of your security awareness model is to protect the data and the generator logic. So we have to treat our computers the same way we treat our brains when we don’t want to share data. Aka by making sure we took all the necessary steps to secure access to our information.

So let’s do it. We start with:

Personal Computer/Laptop

We shall discuss the security of laptop computer because it has a more significant amount of attack vectors. We can apply the same list of attacks to workstations.

By definition – A laptop, laptop computer, or notebook computer is a small, portable personal computer (PC) with a screen and alphanumeric keyboard. It is important to note that a laptop is a total nightmare for your computer security policy in the physical security realm. It inherits the traits of all the hardware devices, including the ones related to garbage. Securing laptops is almost impossible, and a dedicated attacker most probably will manage to penetrate the defenses of your laptop one way or another. But let’s list the different attack vectors your laptop has.

On the diagram, you can see a standard data exfiltration workflow. The attacker makes the victim network sending data to a malicious service and, after that, reroute the data to his/her infrastructure
  • Theft: By being mobile, any laptop is a mobile data carrier similar to your paper documents and USB flash sticks. And by that, a dedicated attacker can steal the computer and gain access to your data. It is essential to mention that any encryption mechanism can slow down your attacker, but you can not determine whether it will stop him.
  • Location-based attacks: Companies such as Hak5 promote an exciting set of tools used for location-based attacks. They can penetrate your WiFi network, and even there are devices named RubberDucky. They look like a standard USB flash, but essentially they are cheating your computer that they are keyboard devices and execute a penetration script.
  • Malware: There are many types of malware, but these are most dangerous in terms of cybersecurity: trojan horses and ransomware. Both of them steal your data. In case of ransomware, you have to pay, and at least you receive notification that something wrong happened. In the case of trojan horses, you have no idea what is going on with your data.
  • Misconfiguration: Most of the laptops do not come with proper security configuration by default. Users without formal training can not configure the system, and it remains unsafe until a hacker penetrates it.
  • Pirated Software: Torrent trackers are a terrible place to download software. Usually, the cracked versions of the popular software come with already preinstalled malware. It is highly advisable to use open source or paid products.

Listed threats are only part of a long list of attack vectors an organization must take care of. Still, they are a good starting point, and if your small team manages to stop them, it can reach a good cybersecurity level.

Smartphones

After the introduction of IBM Simon, the smartphone industry had rapid growth. These days, devices are as powerful as a ten-year-old computer and can perform various tasks, which people kept only for computers for a long time. It is fantastic, but they are even worse in terms of cybersecurity than your laptop. They inherit all of your laptop’s problems with even smaller size and limited control over the hardware. They are a nightmare in terms of computer security. But let me list the different attack vectors which your smartphone can introduce:

  • Outdated Operating System: To further push technical progress, hardware vendors usually discount older than four years old devices. And by discount, it means that these devices do not receive security patches and the latest version of their operating system. This approach leaves thousand of people without proper cybersecurity defenses.
  • Laptop Attack Vectors: As a less powerful computer, every smartphone inherits a laptop’s security problems. Even worse, once you store your data in your smartphone’s internal memory, it is almost impossible to erase it securely.
  • Conversation Sniffing: Hackers can use your smartphone to sniff your daily conversations by being constantly held near to you. Many hardware vendors implement security measures versus this kind of attack, but people must still be aware that such an attack is possible.

Next part is here

Why startups experience is like being in the SAS (Special Air Service)?

August 5, 2021 /

Authors around the World publish tons of books on how to create your startup and how to scale it to a multi-billion company. People read these books, praise them and try mimicking the strategies written there. Even courses train you to present yourself in front of investors and get the next significant investment for your startup. All of these books give hope and motivation to the current and future generation of entrepreneurs.

Still, year after year, we see the same trend – 90% of the starting companies will fail until their 2nd year. Or in more human-readable wording – 90% of the new companies can not reach the sustainable revenue phase, and their bubble burst until their 2nd year. At the same time, 97% of the latest companies fail until their 5th year. This statistics is quite sad because it shows that all the courses and books on the World are not enough for your startup to succeed. You need experience and first point of view knowledge of how things are working and what is necessary for success.

On the diagram, you can see a standard corporation versus startup skills distribution. Startups team members need to understand the business side much more than the regular corporation employee

Many people do not realize how difficult it is to create a startup. It would help if you had lots of experience to make it happen. 99% percent of the population on our planet do not have this experience, and to gain it, they need to fail. And to fail hard and often. Let’s analyze why 90% of the startups fail until their second year of running.

  • The average length of an IT project is between 18 and 24 months. If you do not manage to scale your product for this period, then, most probably, your business model does not work, and it will not scale at all.
  • The average person has some resources put aside for this period. If you are trying to make a bootstrapped business, this period is your lifeline to achieving any progress.
  • In case you manage to gain traction for your startup idea. Many people do not know how to scale it out and make this traction a sustainable business. One of the biggest problems is customer support after you manage to get the initial traction.
  • Let’s analyze the stats about startups’ failure. 90% of the startups fail until the second year. It directly says – you will need, on average, nine failures to pass the second year of startup life. If we multiply this number to 18 months (average lifetime of one IT project), then we receive 9 * 18 = 162 months or almost 14 years of working in startups to make one of them successful. That’s why most of the time, one startup needs at least two or three co-founders with enough experience in startups to scale.

In conclusion, making a startup is hard. It is not for everyone, and many people lost time and money trying to create one. Without the proper experience and coaching, the failure of startups will continue. From my personal experience working in startups, some of them, relatively underfunded; if you pass the second year, your chances of success improve dramatically. And yes, the SAS drop rate is, on average, around 94%.

Cybersecurity tactics for small teams – Network Security – part 2

August 1, 2021 /

Please check the previous part – here.

Now, as we can see, attackers can penetrate all of the hardware network devices we reviewed. How easily it depends on how do you set up your cybersecurity and patch policy. 

It is clear that despite your best effort, you must not blindly trust your routers and switches. Lack of trust is precisely the paradigm behind the zero trust model. At the same time, to make attackers’ life harder, it is important to mention three types of defensive cybersecurity tools, which can help you increase your defenses and trust in your local network. 

Until the end of this article, I shall describe them. As a final, I shall give a sample budget for both router and switch devices. Both of them will use open-source software. Usually, they receive software updates quite often and can offer your a good level of security.

Firewalls

A firewall is a network security service that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Firewalls have been the first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that you can trust and untrusted outside networks, such as the Internet. 

Usually, in the case of home networks, this service is deployed in your hardware router. The last sentence means that the attacker will expose your entire local network to the Internet in case of router penetration.

Intrusion Detection/Prevention

An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. The IPS reports these events to system administrators and takes preventative action, such as closing access points and configuring firewalls to prevent future attacks.

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or breach is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

At home routers, intrusion prevention systems can be deployed on the router device and inspect all the incoming network packets from the Internet. On the other hand, an intrusion detection system is deployed on all the hardware devices connected to your local network. In simpler words, prevention systems monitor your incoming traffic, and detection systems monitor your local network for anomalies. 

On the diagram, you can see a standard SIEM system. The idea of the system is to aggregate all of your logs and data and offer analytics to your security engineers

Group Policy

Group Policies, in part, control what users can and cannot do on a computer system. For example, a Group Policy can enforce a password complexity policy that prevents users from choosing an overly simple password. Other examples include allowing or preventing unidentified users from remote computers to connect to a network share or block/restrict specific folders. A set of such configurations is called a Group Policy Object (GPO). 

Now, group policies can be a powerful instrument for system administrators to define how the organization computers act to different security threats. Unfortunately, Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular function of accessing it. Alternatively, a malicious user can modify or interfere with the application to not successfully read its Group Policy settings, thus enforcing potentially lower security defaults or even returning arbitrary values.

For home-based local networks, the usage of group policies is usually limited. Still, I would advise system administrators of small teams to think carefully, how to add group policies to their remote office deployments. In combination with VPN, Group Policies can add much value to your cybersecurity workflow.

Budget

As I promised at the beginning of this series, I shall give a sample security budget for every topic we discuss. Again I will tailor the budget to small teams with an underfunded budget for cybersecurity defenses. 

  • Router (180$): I would go for Pfsense or IPFire based hardware appliances. Both provide reasonable protections, even though the first is based on FreeBSD and the second is a Linux distribution. Both have state-of-the-art firewalls, and both support Snort and Suricata, which are the best intrusion prevention systems. Additionally, they have Syslog support so that the router can become a part of an intrusion detection system.
  • Switch (150$): SwitchBlox Rugged is a good option here. It is a little bit more expensive than the standard network switches. However, it comes with an open-source networking operating system and can work in harsh environments. Two switches can be stacked together.
  • SIEM System (0$): MozDef is a SIEM system developed by Mozilla. It is open-source and supports all the necessary features for SIEM systems. 
  • Group Policy Server (150$): We can order PC Engine’s apu4d4 unit and install on top of it Univention Corporate Server. With it, we can create policies for Ubuntu and Windows-based computers.

With a total budget of around 480$, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. The switch is optional, but it will help if you want improved security and choose to have a WiFi network for guests only.

In conclusion, setting up a network perimeter can be done effectively on a budget. Still, it is essential to note that the budget does not include the human hours needed to set up the equipment and your local network.

Next part is – here.

Must companies be afraid of internal cyber attacks?

July 15, 2021 /

One of the biggest cybersecurity threats for companies is internal attacks. To function correctly, companies need trust. You could have the best access control level system in the World, but this will not help you if your system administrator is compromised. Yes, multi-factor authentication and secret key split algorithms can help you mitigate part of these threats. However, they are not widely used. Most SMEs do not have the resources and knowledge to implement a proper access control system and thus are pretty vulnerable to inside attacks.

On the diagram, you can see the different use cases companies can use cryptography. Modern access control frameworks use cryptography heavily to ensure access to data is more restricted than ever. 

Following are some of the internal security attack vectors through which attackers can gain access to information;

  • Information leakage: One of the most common and frequently used methods by cyber attackers is a simple leakage of information. Or, in other words, industrial espionage. Many employees could use this approach to avenge themselves.
  • Illegal activities: A company must be aware of any illegal activities going in their system. Some organization members could use this approach to frame the company or use it as a proxy when hacking.
  • Downloading malicious internet content: Most of the time, employees do not intentionally download malicious content; however, this happens. In both cases, a proper access control mechanism will mitigate or at least reduce the damage.
  • Social engineering: One of the most common ways for attackers to gain access to a network is by exploiting the trusting nature of the company’s employees. An information awareness course could quickly mitigate this attack. 
  • Malicious cyberattacks: Technically proficient employees can use their system access to open back doors into computer systems or leave programs on the network to steal information and wreak havoc. The best protection against this sort of attack is monitoring employees closely and being alert for disgruntled employees who might abuse their positions. In addition, experts advise immediately canceling network access and passwords when employees leave the company to avoid remote access to the network in the future.

In conclusion, unfortunately, because of the enormous rift in the trust between employees and employers, internal attacks can become the new trend. Companies must be aware of that and do their best to implement proper access control systems. Access to resources must be given appropriately and audited for every organization member, no matter whether CEO or a utility person.

Cybersecurity tactics for small teams – Physical Security – part 2

June 1, 2021 /

Please check the previous part – here.

The same concerns as to real estate apply to all vehicle-related threats. Hackers can use your vehicle to track your activities and to decide when to execute an attack towards you. As a final list of perils, I would like to mention the dangers related to garbage. Most people do not consider their garbage as a cybersecurity threat. However, the truth is – this is usually the best source of intel for a given hacker organization. Let me list the different threats your garbage generates, and after that, we can create a simple budget of how to keep your and your devices secure:

  • Paper: Every paper document with personal data, addresses, or buying preferences leads to information leaks, which any hacker group can use to penetrate your defenses. A paper retention policy is a must for every organization these days.
  • Hard Drives: Techniques for data forensics become more and more advanced. Hackers can use these techniques to retrieve data from hard drives and SSD drives found in the garbage. It is better to treat your Hard and SSD drives as paper documents and not resell or throw them away.
  • Mobile Phones: Modern mobile phones are computers. Deleting data from them is pretty tricky. To keep your organization safe, you must treat them similarly to paper documents and hard drives. 
  • Electronic Devices: Every smart device in your home and office is a low-level mini-computer that stores and records data. Hackers can read the storage chips of these devices with proper machinery. They can use the data stored there for malicious activities.
You can see a diagram showing how a small organization or even a freelancer handles their priorities in terms of cybersecurity. Everything starts with the digital garbage and its retention policy.

You can notice that the number of attack vectors to your persona is quite significant. And we are only in the physical security realm, without mentioning any digital space. As promised at the beginning of the article, I shall present a simple list of tools and activities, together with a budget. Using them, you can set up your cyber defenses on a limited budget:

  • Hardware toolkit (100$): This toolkit will give you the availability to disassemble all of your electronic devices and destroy them. If you have better knowledge of electronics, you can cut the power of your laptop microphone and camera. 
  • Paper Shredder (50$): A shredding machine can destroy paper documents, credit cards, and everything which looks like a paper-sized card. Still, cutting through the papers is just a first step, but not enough.
  • Camping Gear (50$): There is no better way of document destruction than burning them. With camping gear, you can go to the woods, have a barbecue, and meanwhile destroy all of your not-needed documents.
  • Safe (500$): Paper is the ultimate data storage. With proper care, it can survive over 100 years or more. Still, you must keep the paper somewhere, and there is no better place than a safe. For this money, you can get a safe the size of a standard desktop drawer unit. It is more than enough to store all of your documents.
  • Home And Vehicle Security Systems (4000$): Still using security systems without a network system can be pretty advantageous for you. An isolated security system can send you SMS messages when an event happens. Sure it is a little bit more expensive, but the only way of disabling such systems is by bringing a Faraday cage.

With a total budget of around 4700$, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. To break a safe, you should cut through it. And this generates sound. Sound is terrible for attackers, and it can alert neighbors.

In conclusion, just one more piece of advice. When you choose electronic devices (including a car) for your home, please research how smart the device is. The more intelligent it is, the more prone it is to hacking. Devices without Internet access are the best because the chance of hacking is relatively low or nearly zero.

Next part – here.

Photo of my last garbage destruction event. You can see the old paper documents burned.

Cybersecurity tactics for small teams – Physical Security – part 1

May 1, 2021 /

In the next couple of months, I shall write series of articles covering the topic of cybersecurity on a limited budget. The idea is to show you different methodologies for how to keep you safe without spending too much. The articles will cover various topics such as physical, computer, and mobile security. Additionally, as part of this series, I shall publish two articles covering business security and public image preservation. A final overview article will summarize all written and consist of a sample budget to cover your cybersecurity needs. It will be a good reference for startup and SME organizations. They can use it to establish or upgrade their cybersecurity defenses.

Different authors wrote many books and articles on keeping your computer and mobile phone safe for the past couple of years. Unfortunately, most of these writings ignored one fundament of cybersecurity. Without properly secured hardware devices, all of your defenses are meaningless. Of course, other authors wrote whole books on physical security, but no one covered it from a cybersecurity perspective. This article aims to cover this perspective and give an exemplary workflow of achieving adequate protection on a tight budget.

You can see a sample dependency graph of how an organization must structure its cybersecurity defenses on the diagram. As you can see, everything starts with physical security, and after that, you build more pieces on this fundament.

So let’s start it. 

There are multiple online threats to your security, and let’s start with them. During my time working in different companies, I saw many people neglecting these threats. Fortunately, these mistakes did not lead to escalation. But let me list them and give a short explanation of how they can affect you.

  • Social Platforms: Sharing your life is an excellent way to keep in touch with your friends and relatives. At the same time, it opens possibilities for hackers to monitor you. Monitoring is essential for other types of attacks. Usually, hackers execute these attacks in the following phases.
  • Shared Travel: Shared travel is a new way of traveling around. It increases comfort and lowers down the price of travel. At the same time, travelers organize the travel in public social media groups. Everyone can join this group and monitor when you travel. Such information is valuable, mainly if attackers target your home or office space.
  • Cyberstalking: Your online persona can trigger destructive emotions, and usually, this evolves into cyberstalking. It is essential to limit down exposure to such threats because they can end up into physical ones.
  • Navigation Devices: Using online navigation is lovely in terms of comfort, but most navigation software collects a considerable amount of data. Hackers can correlate this data to your real persona and monitor your life and travel plans.

As you can see from the list, different parties can monitor a good number of your online activities. With enough time and resources, these parties can execute future attacks on you. For real estates, we can create a similar list:

  • Social platforms: The situation is the same as in the previous paragraph. Attackers can execute multiple attacks using the information gathered by your social media accounts.
  • Smart Home Assistants: Smart assistants are hardware devices placed in your home. Usually, they have always turned on microphones to catch your commands and execute different orders regarding your house. At the same time, they can be hacked and used to monitor your activities.
  • Camera arrays and sensors: These days, many people install cameras and sensors attached to the Internet. Without proper cybersecurity protection, attackers can use these hardware devices to monitor your activities.
  • Laptop and smartphones: Same is true for laptops and smartphones without a proper security defense. Hackers can use them for monitoring your activities.

Intruders can use all of the upper threats to execute next-stage attacks on your real estate. Another aspect of your physical security is the security of your vehicle (car, truck, and other vehicles). As vehicles become more and more intelligent and automated, their vulnerability to hacks increases. Next are the common threats you can face with intelligent vehicles:

  • WiFi Access Points: Modern cars have WiFi access points in them. Or in simple words, this is a network router, which is part of your car’s computer. This router can be hacked and used for malicious activities.
  • Smart Locks: The current trend in the automotive industry is making cars more and more intelligent, including their locks. Of course, this is a wrong decision in cybersecurity because the makers increase the penetration surface with new functions and capabilities. Some of these locks use older encryption protocols, not updated with years.
  • Autopilot: Most modern e-cars support autopilot as a feature. Autopilot is a fancy name for a sophisticated computer program, which drives the car for you. And being a program, autopilot runs on a computer, and this computer can be hacked and used for malicious activities.
  • Real-time Updates: Newer car models receive constant updates on the fly. They follow the process your operating system uses to update itself. How secure this process is rarely publicly disclosed.

Next part is – here.

Cybersecurity for business travelers

April 1, 2021 /

Every business travel is a beautiful opportunity for people to visit their favorite countries and places. But these events are a fantastic opportunity for every sort of malicious cyber activity, too. Cyber criminals’ wet dream is many people connecting to the same hardware infrastructure, which is outdated in security because of lack of maintenance or cost savings.

Most people going on these trips are in business mode, deprotected. Usually, travelers are targets, but many hacker groups could attack local businesses or host infrastructure, too. Management personnel is wealthy and generate much interest in it as targets for cyber attacks. On the other hand, host infrastructure is a good target for hacktivism because some events have worldwide media coverage. We can imagine what happens if hackers manage to hack the internet access for hosting infrastructure and instead abc.com, they show anti-government slogans. Last but not least, travelers are excellent targets for data steal and botnets creation purposes.

So how can we keep ourselves safe? There are three primary attack vectors which travelers must have in mind. Hardware device-based attacks, data steals, and bank card information steals. The best strategy to prevent hardware-related threats is to carry only a smartphone. Modern smartphones are more capable of computing power and memory than most middle-class notebooks from the beginning of the decade. You don’t need a fully-featured laptop when you travel abroad. Modern smartphones are more than enough for day-to-day activities like chatting, email exchange, document reading. You bring your smartphone everywhere you go, so it is tough for someone to steal it. It provides many wireless ways for data exchange between devices, which decreases the risk of rubber ducky-based attacks. Often, many hotels, venues, cafes offer free wifi access for all the participants in the event. In general, using these wifi spots is a terrible idea. You can use them, but you have to know that hackers can record all the traffic on these devices. They can store all your encrypted user data, passwords, and sessions for later analysis and decryption attempts.

A better strategy is to use 4g mobile connections during your trip. In that case, the hacker must first hack the mobile internet provider connection to store and decrypt your data. Mobile internet providers are tough to hack, and that adds a layer of security to your device. This approach has a nice bonus feature; you can use the same 4g connection for internet access because of the smartphone’s internet sharing feature. I use 4g internet during my travels and hotel stays. In the most paranoid configuration, you bring two phones, one for a 4g connection and one for real work connected via wifi to the first phone. This setup offers a better level of security.

Bank card data stealing is one of the most common cybercrimes. Stealing card data is so easy that hackers steal millions of bank card credentials every day. How to prevent ourselves from these steals? With cash, of course. Cash is the ultimate paying method, never rejected, never tracked, and challenging to steal if stored properly. The average business trip has no more than ten days as a life span. The regular traveler can cover the expenses in cash during this time. However, for more extended stays bringing a considerable amount of money is not a good idea. Storing it is not easy, not to mention that many countries have an upper limit for cash transactions. In this case, carrying crypto tokens would be a fantastic idea. You can find many crypto exchanges and ATMs these days.

In conclusion, when traveling, the most valuable security advice is to stay undercover. Don’t show off yourself, don’t bring jewelry, wear functional but not expensive clothes, limit yourself to low to middle range electronic devices. You can also stay in moderate range hotels, pay in cash, and use an internet connection only when needed. And my last advice to business travelers worldwide – many cybercriminal organizations prepare themselves for your travel; please prepare yourself, too!