Blog entry by Les Bell

by Les Bell - Monday, 2 October 2023, 11:26 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


October is Cybersecurity Awareness Month

It's October already, and it seems like only a year since it was last October. Why is this significant? Because in both Australia and the US, and quite probably elsewhere, it is Cybersecurity Awareness Month, during which governments encourage enterprises to raise awareness, and also work to raise public awareness of cybercrime and privacy concerns. The Australian Cyber Security Centre received a cybercrime report every 7 minutes during the 2021-22 financial year, an increase of 13% from the previous year, and there is no reason to believe things have improved in the last year.

We do our bit by making available a short talk for local government and community groups on Baseline Security for Small and Medium Enterprises; we also allow guest access to its accompanying course page which contains additional resources (all the links within this story point to resources within that course or to external resources). Many of its recommendations are equally applicable to microbusinesses, self-employed professionals and private individuals, and it's no surprise that our recommendations overlap with this year's advice from the government agencies. Let's look at a few key points.

Proactive Patching

Both the major US and Australian agencies are this year recommending proactive patching of devices and systems. For smaller businesses and individuals, there is really no reason not to simply enable the default automatic updates of Microsoft, Apple and Google operating systems and applications. Large enterprises are different; they have complex, mission-critical systems running internally-developed and externally-sourced software, and patches for these require regression testing in a lab setting to ensure stability. While that testing is being done, the systems are at least partly defended by layers of firewalls, endpoint security and intrusion prevention systems, which reduce (but do not eliminate) the likelihood of their vulnerabilities being successfully exploited in the interim.

For small business and individuals, the situation is different; their systems are much simpler, often consisting primarily of the office suites provided by the operating system vendors, who have already done the required regression testing to ensure that their OS patches don't break their apps, and vice versa. And their systems are not surrounded by multiple layers of defence but are minimally defended, so that any delay in applying patches increases the likelihood of successful exploitation.

In short: make sure automatic updates are enabled, and check for updates on a weekly basis, ideally every Wednesday morning for Windows systems, since Microsoft's monthly "Patch Tuesday" release lands on the second Tuesday of each month, US time, which is Wednesday morning in Australia. Macs, iPhones and Android phones are generally similarly configured to auto-update. Yes, it's sometimes a pain to have to reboot after patches have been applied, but it is well worth it.
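As an added illustration of that weekly check (this script is not from the original post or from either agency's materials), the following PowerShell uses the Windows Update Agent COM API to confirm that Automatic Updates is set to install on a schedule, list updates that are available but not yet installed, and show the most recently installed hotfixes. It runs as an ordinary user on Windows 10 and later; the "more than five weeks" threshold in the final comment is an assumption, chosen to catch a missed monthly release.

```powershell
# Added example (not from the original post): a weekly patch self-check for a
# Windows machine, using the Windows Update Agent COM objects.

function Get-AutoUpdateStatus {
    # NotificationLevel: 0 = not configured, 1 = disabled, 2 = notify before
    # download, 3 = notify before install, 4 = scheduled (fully automatic) install.
    $au    = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = $au.Settings.NotificationLevel
    [pscustomobject]@{
        NotificationLevel = $level
        AutomaticInstall  = ($level -eq 4)
        LastSearchTime    = $au.Results.LastSearchSuccessDate
        LastInstallTime   = $au.Results.LastInstallationSuccessDate
    }
}

function Get-PendingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IUpdateSearcher::Search criteria: not yet installed, and not hidden by the user
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

Get-AutoUpdateStatus
Get-PendingUpdates | Format-Table -AutoSize

# Most recent hotfixes. Assumption: on a machine that auto-updates, the newest
# entry should be less than about five weeks old; anything older means a missed
# Patch Tuesday and deserves a manual "Check for updates".
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

If `AutomaticInstall` comes back `False`, fix it through Settings > Windows Update rather than by editing the registry; the script is a check, not a configuration tool.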

Strong Passphrases, Password Managers and Multi Factor Authentication

Both the US and Australian agencies recognise the importance of defending against online credential theft, and are suggesting various defensive techniques:

Strong Passwords - or, better, Passphrases

Unfortunately, the US Cybersecurity and Infrastructure Security Agency is giving outdated advice, stating that "Strong passwords are long, random, unique and include all four character types (uppercase, lowercase, numbers and symbols)". Complexity rules of this kind have long been known to be counter-productive: the resulting passwords are hard to memorize, and users inevitably have to write them down or, after several logon failures, give up and reset their passwords to something simpler. In fact, Special Publication 800-63B from the US National Institute of Standards and Technology, which provides guidance to US government agencies, advises verifiers not to impose composition rules at all; instead it requires a minimum of eight characters, recommends accepting passphrases of at least 64 characters, and requires that candidate passwords be checked against lists of commonly-used and known-compromised values.

It's better to follow the advice of the Australian Cyber Security Centre, to use passphrases: "Passphrases are passwords that use 4 or more random words". Just don't use "correct horse battery staple" 😁

Both agencies recommend the use of password managers to generate and store passphrases.
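As an added illustration of the two points above (this is my own example for the course notes, not code from either agency or from any password manager), the PowerShell below does what a good password manager does when it generates a passphrase: it picks each word uniformly with a cryptographic random number generator, reports the resulting entropy, and then applies a SP 800-63B-style acceptance check (minimum length, no composition rules, reject anything on a breached or common-password list). The 16-word list and the block list are constructed samples; the 7,776 figure is the size of the EFF long word list, which is what a real generator would load.

```powershell
# Added example (not from the original post): diceware-style passphrase
# generation with a CSPRNG, an entropy estimate, and an SP 800-63B-style check.

function Get-SecureRandomIndex {
    param([Parameter(Mandatory)][int]$Max)   # uniform integer in 0..$Max-1
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    # Rejection sampling: discard draws at or above the largest multiple of $Max
    # below 2^32, so every index is equally likely (no modulo bias).
    $limit = 4294967296 - (4294967296 % $Max)
    do {
        $rng.GetBytes($buf)
        $value = [int64][BitConverter]::ToUInt32($buf, 0)
    } while ($value -ge $limit)
    $rng.Dispose()
    return [int]($value % $Max)
}

function New-Passphrase {
    param([string[]]$WordList, [int]$Words = 4, [string]$Separator = '-')
    $chosen = for ($i = 0; $i -lt $Words; $i++) {
        $WordList[(Get-SecureRandomIndex -Max $WordList.Count)]
    }
    return ($chosen -join $Separator)
}

function Get-PassphraseEntropyBits {
    param([int]$WordListSize, [int]$Words)
    # Each uniformly chosen word contributes log2(N) bits for an N-word list.
    return [math]::Round($Words * [math]::Log($WordListSize, 2), 1)
}

function Test-PasswordAcceptable {
    param([string]$Candidate, [string[]]$BlockList)
    # SP 800-63B: at least 8 characters, allow long passphrases (64 or more; the
    # 128 cap here is an assumption), no composition rules, and reject values
    # known to be compromised or commonly used.
    if ($Candidate.Length -lt 8 -or $Candidate.Length -gt 128) { return $false }
    if ($BlockList -contains $Candidate.ToLowerInvariant())  { return $false }
    return $true
}

# Constructed sample data (not a real word list or breach corpus)
$sampleWords = 'anchor','basalt','cobalt','dynamo','ember','falcon','gravel','harbor',
               'ingot','juniper','kestrel','lantern','meadow','nettle','orchid','pewter'
$blockList   = 'password','password1','qwerty123','letmein','correct horse battery staple'

$pp = New-Passphrase -WordList $sampleWords -Words 4
"Passphrase: $pp"
"Entropy from this 16-word sample list: $(Get-PassphraseEntropyBits -WordListSize $sampleWords.Count -Words 4) bits"
"Entropy with a 7,776-word list:        $(Get-PassphraseEntropyBits -WordListSize 7776 -Words 4) bits"
"Generated passphrase accepted: $(Test-PasswordAcceptable -Candidate $pp -BlockList $blockList)"
"'Password1' accepted:          $(Test-PasswordAcceptable -Candidate 'Password1' -BlockList $blockList)"
```

The entropy lines make the ACSC's "4 or more random words" concrete: four words from the sample list give only 16 bits, whereas four words from a 7,776-word list give about 51.7 bits, and five give about 64.6, with no symbols or digits required. Note that "Password1" passes the length and complexity tests that CISA's advice would apply, and is rejected only because the block-list check exists.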

Multi-Factor Authentication

Best of all, enable multi-factor authentication on online accounts, especially email (Gmail, MS Outlook), social media and financial accounts. Where possible, make use of hardware security keys such as Yubikeys (strongest, since they are resistant to phishing), or mobile authenticator applications such as Google Authenticator, Microsoft Authenticator or Authy (strong). Complain to companies and service providers who do not support these but instead rely on six-digit text-message verification codes (weak): SMS codes can be intercepted or captured through SIM-swapping attacks, and NIST SP 800-63B classifies out-of-band authentication over the public telephone network as a restricted authenticator type.

Backups

The ACSC recommends backing up important files. I'd go further, and recommend backing up each complete system.

The most important point is to store backups offline and, ideally, off-site. In other words, after backing up the system - say, to an external USB hard drive - you should unplug the backup drive so that it cannot be reached by ransomware or any other malware that infects your system. That way, should you fall victim to ransomware, the backup itself will not be encrypted and held ransom, and you can successfully boot from backup media and restore the lost files to get back to work.

Storing a backup off-site provides a last line of defence against disasters such as fires and flooding. While you can arrange this by, for example, storing a copy of backup media in some secure location, it is increasingly easy to make backups to cloud storage such as Amazon S3 or Google Cloud Storage. This, in turn, introduces new threats unless secured properly: protect the cloud account with MFA, and make sure the credentials the backup job uses cannot also delete or overwrite earlier backup copies, otherwise an attacker who compromises your system can destroy the cloud copy along with the local one.

After doing a detailed comparison of different products a few years ago, I settled on R-Drive Image to backup my Windows systems, buying multiple licences for our machines. It has never let me down and has saved my proverbial behind on several occasions. See https://www.drive-image.com/ for information. I also run both local and cloud backups, nightly, for our office NAS devices.

Controlled Folder Access

Speaking of ransomware, you should be aware that a backup alone cannot provide full protection against modern ransomware gangs. This is because, prior to encrypting and locking up your files, the ransomware operators exfiltrate copies of your data to servers they control, and then threaten to release it publicly unless you pay (so-called double extortion). It is much better to prevent ransomware - and other malware - from getting a foothold in the first place.

Large enterprises do this via a technique known as application safelisting (also application whitelisting or allowlisting) which will only allow a short list of approved programs to run on users' computers. However, application safelisting software can be quite expensive as it is intended for centralized management of many computers.

A free alternative that is well worth investigating is already built into Windows 10 and later, in the form of Controlled Folder Access (it requires Microsoft Defender Antivirus to be the active antivirus, with real-time protection turned on). You can find this by going to the Windows Security dashboard (the blue shield icon in the systray at lower right of the desktop), then clicking "Virus & threat protection" followed by "Manage ransomware protection".

Controlled folder access works with two lists: one of protected folders, and one of applications trusted to modify files within them. By default, the standard user folders (Documents, Pictures, Videos, Music, Desktop and Favorites) are protected, and Microsoft-signed software and many popular programs - e.g. the Microsoft Office suite - are already trusted. If you use other programs - for example, I have a number of special-purpose editors and word processors - they will need to be added manually when Windows Security reports them as blocked (this can be tedious, but stick with it!).

Once controlled folder access is turned on, any application not on the trusted list - ransomware included - is blocked from modifying files in the protected folders, and each blocked attempt is recorded in the Windows Security protection history. Note that it does not stop an untrusted program from running, only from writing to the protected folders, so files stored elsewhere remain unprotected unless you add their folders to the list. There are no 100% guarantees, as there are some advanced techniques which can get around it, typically by abusing an application that is already trusted, but tests have shown that controlled folder access will block most common ransomware.
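For those who prefer a script to the Windows Security dashboard, here is the same configuration done with the Microsoft Defender PowerShell cmdlets, as an added example (not from the original post, and not Microsoft's own documentation). It shows the default, unprotected state beside the hardened one, starts in audit mode so you can find legitimate programs that would be blocked before they actually are, and finishes by reading the audit and block events from the Defender event log. The folder and application paths are assumptions for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): configure Controlled Folder Access
# with the Defender cmdlets instead of the GUI. Requires an elevated prompt and
# Microsoft Defender Antivirus with real-time protection enabled.

# 1. Weak / default state: EnableControlledFolderAccess is 0 (Disabled), so any
#    process, ransomware included, may write to Documents, Pictures and so on.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# 2. Start in audit mode: nothing is blocked yet, but every write that *would*
#    have been blocked is logged, which reveals the programs you need to trust.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect folders beyond the defaults. Paths are assumptions for illustration;
#    the local copy of your backups is a good candidate.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Work', 'E:\Backups'

# 4. Trust a legitimate but non-default application that audit mode flagged.
#    Assumed path; trust the specific executable, never a whole directory.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\MyEditor\editor.exe'

# 5. Review what audit mode caught. Event ID 1124 = would have been blocked
#    (audit), 1123 = blocked (enforcement), in the Defender operational log.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 6. Hardened state: enforce. Untrusted programs can still run, but can no longer
#    modify files in the protected folders.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Leave the machine in audit mode for a few days of normal work before step 6; every 1124 event you see then is a program that will be blocked once enforcement is on, so either add it in step 4 or be prepared for the "unauthorised changes blocked" notification. Re-run step 5 after enforcing to confirm that what you expected to be blocked (and nothing more) now shows up as 1123.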

Other Guidance

There's some other plausible advice in the government agencies' Cyber Awareness Month strategies, but it's less actionable and less certain. For example, CISA says, "Recognise & Report Phishing", but all the evidence suggests that this is far from easy - especially now that the phishing operators are using generative artificial intelligence to write better email lures for this and other scams.

Australian Cyber Security Centre, Cyber Security Awareness Month, web page, October 2023. Available online at https://www.cyber.gov.au/learn-basics/view-resources/cyber-security-awareness-month.

US Cybersecurity & Infrastructure Security Agency, Cybersecurity Awareness Month, web page, October 2023. Available online at https://www.cisa.gov/cybersecurity-awareness-month.

Les Bell and Associates, Baseline Security for Small and Medium Enterprises, online course, undated. Available online at https://www.lesbell.com.au/course/view.php?id=7.


Upcoming Courses

  • SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
  • SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

[ Modified: Monday, 2 October 2023, 11:42 AM ]