With the explosion of the WannaCrypt ransomware worm over the weekend, a lot of people’s thoughts have turned to protecting their information and systems from such attacks. It certainly was a doozy of a worm, that’s for sure, and has wreaked havoc across the globe in a very short timeframe. This morning, a lot of corporate IT Security teams will be having emergency meetings to talk about and review their current protection plans, and whether they need any changes or additional responses to protect their networks.
For more information, TheRegister has a very good wrap up (as usual), available here:
But what if you don’t have an IT Security Team? What if you’re just a small business?
Consider this a good excuse then to spend some time thinking about your IT systems and the technology that you have in place. Running a small business myself, I know that the demands on your time can be staggering, and you probably haven’t had an opportunity to stop and think about the security of the information that your business relies upon. But it’s certainly a very worthwhile way to spend an hour. You don’t need to come up with all the answers – in fact, you don’t need to come up with any answers. Just have a think about what information you have, what you need, and what you’d be really upset by if it just went away suddenly. You can then take that list and use it as the basis of a discussion with a security / IT expert, who can bring in their IT industry knowledge.
And that’s exactly how I started my morning today, with an email from a client that simply asked:
“Hi Matt, just wondering what I should be doing/checking to make sure we aren’t vulnerable to a ransomware attack, as unlikely as it may be?”
I’ve decided to paste in my response to them here, to demonstrate how good system design will already be protecting you from a number of internet nasties. Names have been changed to protect the innocent, as have certain details.
Great question! Especially in light of the news about the new WannaCrypt/WannaCry ransomware bug that was built from NSA exploit code. Ransomware attacks are getting more and more popular.
The most important things that you yourself can do are:
This is where the Cloud Managed Endpoint Security package that we spoke about a couple of months ago comes in – it gives a central spot where we can see the status of all your laptops, making sure that they’ve all got the security package installed and turned on, that they’ve all got the latest virus signatures, etc. That’s definitely the best option, but I’m confident from our discussions that you’ve got a good handle on your current anti-virus. Until we upgrade to the cloud security, just having a quick walk around once a fortnight, say, to check that everyone’s antivirus app is running and happy would be a great start.
The IT systems and setup that we’ve built for your firm have been designed to be very resistant to any sort of attack, even ones like these Ransomware attacks. Your environment has also been built to be very resilient even if a successful breach did occur.
The ways we achieved the attack resistance are:
The ways we achieve the resilience if an attack was to occur are:
Same scenario if a disaster (natural, man-made or electronic) befell your Margaret St office – you could simply take your laptops and your mobiles home and work from there. There’s no server that we are reliant on.
Hopefully that gives you good confidence in the systems that you have.
As you can see from the above, there are a lot of different approaches to information security. There’s no “one-size-fits-all” system that can solve all your problems – the best approach is to “layer up” different overlapping products, systems and approaches to build an overall security model for the team. I’m confident that we’ve built a very strong and resilient environment for you, commensurate with the value of the confidential information that you deal in.
The trick, as always, is to match the security systems with the user experience – no point having a completely locked down system if it means that the staff can’t actually do their work. But there’s A LOT of happy middle ground that we can pragmatically cover before we get to that extremity.
Security is a moving target. Technology continually advances (both good protection tech and bad attack tech), and your firm is growing and evolving as well. It’s important to stay up to date with the industry and contextualise that to your unique situation. There’s always additional things we can look at should you have either concerns, or should you just want to improve security for certain high-value people or certain confidential information. For instance, we could:
Happy to chat more about this if you’d like, especially with all the recent developments.
That’s a quick overview of how the various bits and pieces that we have designed for this firm all fit together, and how overall we get a good security environment. You can see how the various bits and pieces all work together to provide comprehensive coverage. It is very contextualised to this particular client’s environment though, so I want to go through and unpack some of the more general points that you can use in your business right now.
Information Security is an Onion
Hopefully from reading the email above, you can get a feeling for the fact that Information Security isn’t a new firewall, and it’s not a fancy new Anti-Virus app (despite what the vendors of each will tell you). Security is the result of a lot of little decisions, and a lot of overlapping layers.
This is because of two things:
- Good security products will be targeted at doing one thing, and doing it extremely well. There is no “jack of all trades” here, nor do you want one. You want to couple together a number of different security systems that are all excellent at what they do. Working together, they provide you an effective umbrella.
- Any product or system, security or otherwise, will have holes in it. Sometimes these holes are put there by design, and sometimes these holes are accidental or the result of an unexpected bug or failure condition. I.e., an email system NEEDS to be able to talk to other unknown systems on the internet to work. An email system that couldn’t receive email from anyone isn’t very useful. We speak about two broad categories here:
- Known Unknowns – These are the holes that we know about, or suspect. These are the easy ones, because we can defend against them. We know that the email server needs to talk to the internet, and we suspect that someone might be able to send a malformed request to it to trip it up. So we stick a stateful inspection firewall in front of it, something that can “speak SMTP”, and can enforce strict protocol compliance on the conversation. It can detect if an internet-based system is trying to do something nasty, and terminate the conversation before the email server is broken or compromised.
- Unknown Unknowns – These are the things that we don’t even suspect. The ones that blind-side you at 4PM on some idle Tuesday. We don’t know about these vulnerabilities, but what’s worse is that we’re not even aware of the fact that we don’t know them – we’re blissfully ignorant (for now).
So how do you protect against the Unknown Unknowns, if you don’t even know that you don’t know what they are?
Aside – is your head spinning yet? It will be!
The simple answer is that you assume you don’t know anything, and work backwards. And this is where the layering of the security onion comes in.
In our email server example above, we know that it has to talk to other email servers, and we suspect that someone bad might use that to attack it. But the vendor has promised us that the system is very secure and unhackable. Do we believe the vendor?
NO! We certainly don’t.
The vendor may be being truthful when they say that, but the reality is that the vendor will have a bunch of unknown unknowns themselves. So when they say “our product is secure”, they truly do mean it – it’s just that they don’t yet realise how it might be compromised.
To protect against it, we “layer up”. Even though the email server shouldn’t be listening for anything other than incoming emails, we still stick a firewall in front of it anyway, just in case. If it did have an unknown vulnerability, we would still be safe because the firewall would stop it.
Is the firewall fool-proof? Probably not! That’s why the edge router in front of the firewall has basic packet filtering enabled.
Is the edge router fool-proof? Probably not! That’s why we have our carrier turn on some anti-DDoS systems on their end of the link, to filter junk out before it even comes to our gear.
And so on and so forth.
Or to put it another way, think of your security systems as an umbrella:
- It’s fine in the dry weather, because it sits in the corner all folded up. It’s there, you’ve invested in it, and you’re happy with it because every time you wonder if it might rain, you can glance across and look at your umbrella. You feel good because you’re prepared.
- When it starts to rain, you reach for your umbrella. After all, that’s why you have it.
- But when you open it up, you discover that it’s got holes all in it. Some big, some small. Some you knew about, some you didn’t.
- If you went out in the rain like this, you’d get wet.
What do you do?
- You pick up your second umbrella, and open it up.
- Much to your dismay, it’s also got a bunch of holes in it.
- Oh noes!
- What do?
This is where the layering comes in.
- The holes in Umbrella 1 are probably in different spots to the holes in Umbrella 2.
- If you were to stack Umbrella 1 on top of Umbrella 2, most of the holes would then be covered.
- Rain might still get through some of the overlapping holes, but the vast majority are now secured.
- And to protect yourself against the last few holes, you might put an overcoat on.
By layering up multiple levels of protection, like layers of an onion, you dramatically increase your security position even when dealing with systems and products that have both known unknowns, and unknown unknowns.
All That Sounds Complex and Expensive.
The important concept is to ensure that the security design you have is contextual to the organisation and the level of protection required.
Does a 3-person startup need multiple application-layer firewalls and carrier-side traffic sanitisation? Of course not.
The important benefit here, especially for smaller firms, is not even to do with the systems that you deploy – it’s the fact that you’re starting to think about it. Because once you start to think about information security, you start to embed those questions into all the other little decisions and thoughts in your day to day life. It’s THOSE decisions that then pay off for you.
So if you’re thinking about which laptop to buy, and one is $500 more than the other one:
- Without a security mindset, your reaction might be “What a rip-off! This one’s $500 cheaper and just the same. I can save some money here.”
- With a security mindset, your reaction might be “Why is this one $500 more? It comes with a TPM encryption chip – I wonder what that is? Is it something that could help me, or not?”
The same thing happens with all the other decisions that you make.
What email system to use.
Where to host your website.
Do you use a free anti-virus app, or do you pay for one?
Once you start embedding information security as an attribute for evaluating options, you start to build up small increases in your security profile with every decision you make. And as we just explained, it’s this “layering” of security abilities that is what really raises your security environment.
Keeping Current vs “Good Enough”
One point that bears repeating over and over and over is this – Keeping Current is the most effective thing you can do for your business’s information security landscape.
In other words, update your things, people.
The PC that you’ve been using for 5 years is past its useful life.
The mobile phone that you’ve had for 6 years now (“and IS STILL working PERFECTLY”) isn’t working perfectly. It’s full of security holes, and the vendor hasn’t issued an update for it for 18 months now. What’s more, the latest security systems can’t work with it. I hope you don’t have any critical information on it, such as an internet banking app…
The brand new mobile phone that you’ve had for 6 months, but have never bothered to update – it’s just as bad.
KEEP YOUR STUFF CURRENT!
Vendors are constantly releasing security patches for their devices or their software. These are oftentimes in response to KNOWN vulnerabilities. I.e., the maker of your shiny new iPhone KNOWS that someone can take over your data via this particular process. So they patch that bug. But if you don’t install the update on your phone, then you’re walking around with a device in your pocket that EVERYONE knows is insecure.
I spend a bit of my time meeting with business owners to review and audit their IT landscape. I see A LOT of old gear out there. Invariably, this comes down to an investment decision:
- The cost of buying a new PC when one is “still working”,
- The cost that you might incur when getting someone to re-install all your apps and data onto the new PC
- The costs that you might incur if your crummy old core app won’t actually work on the latest Windows version (NB – this is a HUGE red flag on the core app!!!)
Unfortunately, the longer you put this decision off, the worse it gets, and the more expensive it gets.
Look, I know that when you’re running a small business, every dollar counts. However, you don’t need me to explain why you’re financially better off updating your technology on a shorter cycle (say, every 4 years) – you can figure out the maths around proactive investment in new IT equipment (which is tax-deductible anyway, and currently able to be depreciated instantly) vs the lost productivity and consulting costs to mop up after a breach. I’m not asking you to like it, just to think about it.
When you factor in the potential downsides, keeping up to date is quite often the best bang-for-your-buck approach to security, delivering a lot of value for a regular, planned outlay. The further behind the 8-ball you get, the more difficult it is to catch back up.
So what are some proactive, pragmatic steps you could start to plan for?
Big Progress eventuates from Small Steps
As I’ve harped on about, Information Security is a multi-layered solution. So lets look at some small steps that you can start to take, which will incrementally improve your security landscape. Remember that the whole is greater than the sum of the parts, so the more of this we can do, the better results we’ll see.
Windows Update and Microsoft Update.
Turn these on now. Can a rogue Windows Update muck up your PC? Yes – it can and has happened. However, the risk lately has been very low – this is not as big a problem as it was 10 years ago. I’m quite happy having automatic updates enabled for all my machines, and all my clients’ machines. The risk is worth the reward. People who were running Windows 10 with automatic updates enabled were already protected from this WannaCrypt worm, for instance.
While you’re in there, make sure you’ve ticked the box to enable Microsoft Update, so that you’ll also receive updates for other Microsoft products like Office (not just Windows updates).
The caveat here is around enterprises with more than a hundred or so PCs under management. You may have special requirements that dictate an alternative plan. But I’m hoping that at your size you’ve already invested in something like SCCM / Intune / etc. that will be helping you with desktop management and patching. WSUS is still free.
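For the smaller firm without SCCM or WSUS, here is a read-only check you can run on each PC to confirm the two settings above are actually in place. This is an added example, not code from the original post; it uses the Windows Update Agent COM objects that ship with Windows 7 and later, and the Microsoft Update service GUID it looks for is the one Microsoft publishes for that service. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): read-only check of the Windows Update
# configuration on this PC. Uses the Windows Update Agent COM objects; the GUID below
# is Microsoft's published service ID for "Microsoft Update".
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

# 1. Is Automatic Updates turned on, and at what level?
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$levelNames = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Notify before install'
    4 = 'Scheduled install (recommended)'
}
$level = $au.Settings.NotificationLevel
Write-Host ("Automatic Updates level : {0} ({1})" -f $level, $levelNames[$level])
Write-Host ("Last successful install : {0}" -f $au.Results.LastInstallationSuccessDate)

# 2. Is the "Microsoft Update" box ticked (Office etc., not just Windows)?
$sm = New-Object -ComObject Microsoft.Update.ServiceManager
$mu = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
if ($mu) {
    Write-Host ("Microsoft Update        : registered (default AU source: {0})" -f $mu.IsDefaultAUService)
} else {
    Write-Host "Microsoft Update        : NOT registered - only Windows updates will arrive"
}

# 3. How many applicable updates are still waiting? (online search; needs internet)
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
Write-Host ("Pending updates         : {0}" -f $pending.Count)
foreach ($u in $pending) {
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
    Write-Host ("  [{0}] {1}" -f $sev, $u.Title)
}

# Simple verdict to record per machine on the walk-around
$ok = ($level -eq 4) -and $mu -and ($pending.Count -eq 0)
Write-Host ("Verdict                 : {0}" -f $(if ($ok) { 'OK' } else { 'NEEDS ATTENTION' }))
```

Anything other than level 4 with Microsoft Update registered and zero pending updates is worth a follow-up. The pending list also shows the MSRC severity of each missing update, which makes it easy to see at a glance whether a machine is sitting on an unpatched Critical.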
If you don’t have any Anti-Virus or Internet Security, go and get some and install it. “But it slows down my PC too much!” – yes, it will have an impact on performance. Different products vary from almost-undetectable, to maple-syrup-on-a-cold-winter’s-day. Do a bit of research and upgrade your PC hardware if you need to.
Not having anti-virus because you have an old PC is not a good excuse to your customers when their credit card details end up published on some random Russian hacking forum.
If you can’t afford commercial AntiVirus, at least install one of the free packages. Some people swear by AVG, for instance, but I went away from it when they started to have ads pop up all the time. Honestly, basic Antivirus and Internet Security from any of the big names (Norton, Symantec, etc) is very affordable these days, especially if you buy a multi-device pack and install it on all your PCs at the same time.
If you’ve already got anti-virus, make sure it’s actually installed on each PC, is active, is updated, and is still within its subscription period.
If you’ve got over ~10 PCs, you really want something that’s centrally managed. There’s a LOT of options in this space, especially with vendors like Symantec moving into the cloud-hosted space with their Symantec Endpoint Protection Cloud.
If you’ve got a Mac, you need Antivirus too.
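For the “is it installed, active and updated” part of that check on a Windows PC, the following added example (not code from the original post) reads what Windows Security Center knows about every registered antivirus product, and adds Defender-specific detail where that cmdlet is present. The decoding of the productState field is the commonly documented bit layout rather than an official API, so treat it as an assumption and confirm against your product’s own console.

```powershell
# Added example (not from the original post): antivirus health check for one Windows PC.
# The productState decoding below is the widely documented layout (second byte 0x10 =
# real-time protection on, low byte 0x00 = definitions current); it is an assumption,
# not an official contract, so confirm against the vendor console.

# 1. Every AV product that has registered with Windows Security Center
$products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct
if (-not $products) {
    Write-Host "No antivirus product is registered with Security Center - install one."
}
foreach ($p in $products) {
    $state     = [int]$p.productState
    $enabled   = ((($state -shr 8) -band 0xFF) -eq 0x10)   # real-time protection on
    $sigsFresh = (($state -band 0xFF) -eq 0x00)            # definitions up to date
    Write-Host ("{0,-40} enabled={1,-5} definitions_current={2}" -f $p.displayName, $enabled, $sigsFresh)
}

# 2. Extra detail when Windows Defender is the engine (cmdlet ships with Defender)
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    Write-Host ("Defender service running   : {0}" -f $mp.AMServiceEnabled)
    Write-Host ("Real-time protection       : {0}" -f $mp.RealTimeProtectionEnabled)
    Write-Host ("Signature age (days)       : {0}" -f $mp.AntivirusSignatureAge)
    Write-Host ("Last quick scan finished   : {0}" -f $mp.QuickScanEndTime)
    if ($mp.AntivirusSignatureAge -gt 7)    { Write-Host "  -> signatures are stale; check update connectivity" }
    if (-not $mp.RealTimeProtectionEnabled) { Write-Host "  -> real-time protection is OFF" }
}
```

The one thing this cannot tell you is the subscription expiry date for a paid product; that still has to come from the vendor’s console or the licence paperwork, so keep it on the walk-around checklist.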
Think about the age of your computers and other devices. Are they still running Windows XP? What are your plans to modernise your PC fleet to ensure that both your hardware and software are up to date and the most robust they can be?
You’ll probably pick up other benefits as part of this – increased productivity due to new, faster PCs. Mobility options by replacing PCs with laptops or tablets.
Before you go out buying new PCs willy-nilly though, you DO need to do some homework.
- Make sure your core line-of-business apps will work with the latest operating system version, and that the vendor will support you.
- This is particularly a big issue with people who have invested in very expensive hardware or software for their businesses – things like 3D drafting software or specialised industrial robots are often built to run on very specific versions and might not work on a newer version of Windows, or with newer PC hardware or interface cables.
- An engineering firm that invested $500k in drafting software 5 years ago might not feel like paying the upgrade fees for the new version, along with the user training costs and everything else that goes along with it.
- They need to work out whether it’s worth the extra spend.
- To do that, they’ll need to think about what the cost to the business would be if their draftsmen are unable to work for a week because of a Ransomware attack, and what impact that would have on their current contracts and delivery dates, as well as on their ability to win more contracts in the future.
- In that light, the $100k software upgrade fees might be a fraction of the cost whilst increasing employee satisfaction and positioning the business well with the latest toolset.
- Make sure you’re buying the right computers. Remember the example from above with the two laptops, one with the TPM chip and one without? Make sure that what you buy is the best value for you, even if it’s the more expensive option.
- Make sure that your peripherals and accessories will work with the new computers. With new standards for monitor connections, you might find that all your old VGA monitors won’t connect to your fancy new DisplayPort laptops, say. You don’t want to get half way through and have blown your original budget.
- Make sure you have a plan that captures all the touch-points and knock-on effects. How are you going to roll out new PCs? All at once, or over 3 years? What’s the impact to your Support team if they need to troubleshoot apps running on both Windows 7 and Windows 10?
- Make sure your people have the opportunity to receive the training that they need to be productive on their new PC. The new computer might be far-and-away better than the old one, but if it’s got the wrong colour background then it’ll just be the worst thing ever.
Benefits of Cloud Systems for Security
As you’ll have seen from my email response, a big part of the increased security landscape that this client enjoys is due to the selection and provision of key cloud services. Cloud services can come with advantages in this space vs traditional on-premise systems:
| Area | Traditional on-premise system | Cloud service |
|---|---|---|
| Updates | You need to install all the updates yourself. You need to schedule the work out of hours, test the patches, install them, etc. | The vendor is responsible for updating the cloud system for you – that’s part of what you pay for each month. |
| Configuration | You need to configure the system to make sure it’s secure. You need to research what the vendor’s best practices are, and make sure you’ve ticked the right boxes, etc. | The vendor is responsible for the configuration of their system, and THEY need to make sure that they’ve deployed it in a secure fashion, and that they’re adhering to all their policies. |
| Scale | You need to research new attacks and make sure that your configuration is still right. | The vendor probably has a dedicated team in charge of their security. For a large vendor like Microsoft, their Office 365 system is used globally. This gives them access to a HUGE amount of insight and analytics to spot attacks before they are launched. |
| Features | If you want to increase the security of one of your apps, you need to research and deploy the additional functionality. | Progressive cloud vendors are always looking to increase the feature-set they provide to their customers. There is a steady stream of security features being developed by any proactive cloud vendor for their customers, from enhanced encryption or logon detection, to seamless 2 Factor Authentication options. All you need to do is tick the box to turn it on. |
There are more benefits around location independence and re-deployment of apps and data should a new device need to be provisioned. Cloud systems make it easy for your team to get back up and running quickly even if their computer is ransomed or damaged.
What you’re looking for in an IT Partner when you want to have Security discussions.
First of all, you want an IT Partner that you can actually talk to. Someone you can bounce questions off without being made to feel like you’re asking a stupid question. Someone that takes the time to understand your business and your information landscape.
Basically, the same things you’ll be looking for with any of your business partners.
Ideally, you want to be talking to someone who’s happy to come out and speak to you about your concerns, and to spend some time asking questions about your current IT setup as well as learning your business itself. In my experience, I find that designing an effective information security plan requires a good underlying knowledge of your client’s business – what they do, how they work, what sort of data they have and why. Otherwise you run the risk of designing a plan that doesn’t actually suit the business. And any plan that impedes people instead of enabling them will soon have the team working around your lovely plan and it’ll all be for naught.
You want to be talking to someone who will approach the security discussion in the same way as we’ve walked through it here – holistically, looking at all aspects of your network and systems to identify the weak points and then buttress them with complementary and overlapping umbrellas. You want to avoid any reliance on any single Big Security System that will make your dreams come true – big systems certainly do have their place, but they exist as part of the entire landscape.
Lastly, you want to make sure you can trust the advice of your partner. Someone who’s been around, who has a proven track record, and who has happy clients – they’re a good first start.
There are a lot of good Information Security partners out there, once you find the right one for you.
So if I do this, then I’ll be secure, right?
Sadly, Information Security is an arms-race between the baddies who want your data and the goodies who you pay to keep you safe. This is not going to change any time soon.
It’s the same as house security – you can never make your house completely safe from burglars – if someone wants what you have bad enough, they’re going to try very hard to get it. The effective approach is to make your house significantly difficult to break into, in the hope that the burglars will move on and try someone else’s house instead.
While that might seem like a defeatist approach, it’s anything but. You should definitely invest in Information Security systems that protect your valuable company IP as well as your clients’ confidential information. However, do so with the knowledge that much smarter people than you exist out there, and they’re much better funded than you are. So we all do the best we can with the resources we’ve got, and we maximise the effectiveness of what we’ve got by layering it up.
Remember too another word I’ve been repeating through this article – “contextualised”.
- I don’t even have a roller door on my garage, because no one wants to steal my old 4WD. There is no payoff for them. I do keep it locked, and never leave any valuables in it in plain sight.
- However, would I take the same approach if I had a Porsche sitting in there?
- What about if I had a whole collection of vintage Porsches?
- Goodness no!
- Likewise, your Information Security approach will be contextualised to the business you’re in, and the amount and confidentiality of the information that you hold.
Let’s face it – there are enough people out there with old systems and no anti-virus that are much easier pickings. Make sure you’re not one of them.
Most importantly, any security plan needs to be regularly reviewed to ensure that it remains effective, that it remains appropriate for the organisation, and that it’s still using the best available products and solutions. As we’ve already spoken about today, the IT ecosystem is constantly evolving – make sure you take advantage of that and have it work in your favour.
It’s all too confusing – where to from here?
If you want to make sure YOU avoid the massive clean-up effort that comes from a virus or ransomware attack, get in touch and we can talk about your current IT environment and what risks that may expose you to.
A good first step would be to conduct a comprehensive IT Review & Roadmap generation exercise. During this engagement we’ll work closely with you to review and audit your current IT environment – something that’s generally really useful all by itself if you don’t have comprehensive IT design documentation. Once we know what we’re dealing with, we can formulate a Risk Register of the top business risks that your technology environment exposes you to. Then, working with you to understand your business vision, we can craft a long-term Strategic Roadmap that moves your business forward and protects you from the biggest risks currently facing you.
For medium-sized firms (anywhere from ~80 staff upwards), moving towards a proactive plan for your technology can deliver massive benefits. Your senior leadership or board members will love the fact that you have a costed, high-level roadmap to guide your investment and deliver business capability. Working to an overarching plan reduces any wastage or re-working that can be required when deploying systems or tech ad-hoc. The old “measure twice, cut once” maxim.
As always, feel free to get in touch if you’d like to sit down for a no obligation chat to see where we might be able to assist you in your business.