October 15, 2020

Security hygiene for a small professional office

I was going to email these security hygiene recommendations to a lawyer setting up a new office but I realized that others would benefit too.   These recommendations are roughly in priority order.  See my other blog entries for more detail on many of these.

  1. Password manager: You and your employees and contractors should (really, must) use one, e.g., LastPass or 1Password.  For every important account, change its password to long (~30 chars) and random (and therefore unique) and store the password in the password manager.  Never reuse passwords.
  2. Second factor authentication (2FA): Enable it on all accounts where it's available.  The 6-digit Google Authenticator type (called TOTP) is better than SMS/text, but if only SMS/text is available, use it.  Google Authenticator is OK but it's better to use Authy as it installs on all your devices and makes device recovery much easier.  Enable 2FA on your password manager but read this first: Don't get locked out of your password manager.
  3. Security and privacy awareness training: Ensure that you and your employees and contractors are all very aware of: how social engineering in general, phishing, vishing, business email compromise, and other attacks work, and know how to be resistant; and privacy laws and their requirements for protecting and managing personal information.  Roll this out in concert with the password manager and 2FA, as they may require user training anyway.
  4. Email account security: Ensure all email accounts are really secure (long, random password and 2FA): if any email account gets hacked, the attacker (using password recovery mechanisms) can take over all other accounts that are tied to it.
  5. Data backup: Ensure your data is backed up to the cloud -- e.g., CrashPlan, Sync.com (ensure your plan has at least 180-day retention), or Backblaze -- and also backed up to an external drive.  Ensure the external drive has full disk encryption. 
  6. Device hardening: Ensure all devices are recent enough that they are still getting regular security updates; stop using any devices that are too old.  Put strong passwords/PINs on computers and mobile devices.  For Windows, makes sure you have Windows 10 Pro and then turn on BitLocker, which is full disk encryption; for Macs, ensure File Vault 2 is encrypting your main drive.  On computers use quality security extensions on all browsers (e.g., HTTPS Everywhere, Privacy Badger, and uBlock Origin) and set the OS firewall to block all incoming traffic.  Don't plug in USB devices that have been out of your control.
  7. Cloud services: Be aware that most cloud services (Google Drive, OneDrive, Dropbox, iCloud, etc., many backup services, and almost all value-added services) store your data in such a way that if the service gets hacked, the attacked could get your data.  But there are services that store your data more securely, using end-to-end encryption, e.g., Sync.com and CrashPlan.
  8. File transfer security: Email by itself is not a secure way to send personal information or sensitive information. Secure alternatives include encrypting files with 7-Zip (and AES encryption) before emailing them, using Sync.com to share folders (Team Shares) or files (set Enhanced Privacy and a password on the Link, and send the password some way other than email), or use an end-to-end encrypted messaging service like Signal.

October 14, 2020

Cybersecurity talk online at Community Futures Small Business Week

I'm honored to be speaking at the Small Business Week event hosted by the Okanagan Community Futures organizations.  It's a three-day online event, October 20 to 22.

My talk -- "Cybersecurity: The bare essentials to implement right now" -- will be in the afternoon of October 21, and will be aimed at small businesses and professionals.

August 31, 2020

Don't get locked out of your password manager

Let's say you're security conscious so you do all these reasonable things:

  • use a password manager such as LastPass
  • use a TOTP-type 2FA app/service such as Authy
  • have multiple devices so you have Authy synced between them all, using Authy's Backups Password
  • use a long random string as your Authy Backups Password, so you store it in LastPass (and of course can't remember it)
  • enable 2FA on LastPass using Authy.

Well, you've just created a cross-dependency between LastPass and Authy:

  • you can't log into LastPass without getting a 2FA code from Authy; and 
  • you can't log into Authy (meaning, connect it to the Authy online service) without getting your Authy Backups Password, which is stored in LastPass.
(Note that with LastPass, you can temporary turn off 2FA via an email verification process; but you can't do this with 1Password.  To verify the 2FA disabling, you have to be able to sign into the email account that you've configured for recovery of LastPass.  So if that email account password is random and in LastPass, you have a different cross-dependency.)

What could go wrong?  

Everything is fine as long as your device is working normally.  LastPass remembers your 2FA code for quite a while (several months, maybe?) and Authy remembers your login (meaning, its connection to the online service) forever.

But if somethings happens -- your LastPass 2FA times out, you get logged out of Authy, either of these apps needs to be reinstalled, everything on your device needs to be reinstalled, etc. -- that's when you'll notice, and be bitten by, the cross-dependency.

(As a side note, it's always better to have LastPass and Authy installed and working on more than one device.  That way, if something goes wrong on one device, you can use one of your other devices instead.)

What can you do?

The best way around this cross-dependency is to have your important login-related information stored somewhere else.  I highly recommend that you have some other backup that doesn't depend in any way on LastPass or Authy or even your computer or mobile devices.  Think of it as a fail-safe or last-resort backup.

That other backup should contain critical information like:

  • userid/password for LastPass
  • userid/password for Authy
  • userid/password for Google or Apple (depending on your mobile devices)
  • userid/password for the email account use use to own/recover other accounts
  • userid/password for your cloud-based backup/sync service(s)
  • mobile device login PINs
  • computer login password
  • BitLocker recovery password (if you have a Windows computer)

But where?

 I have three suggestions for how/where to store that backup:

  1. Print it out on paper:
    • Keep a table of the critical login-related information in your accounts file and print it out on paper.  Yes, the old-fashioned flat white stuff.
    • If you can print it out without service names or userids -- so it's just a list of passwords -- that's even better (in case someone finds it or you lose it), but be absolutely certain that you could look at the page in a year and be able to figure out what each password is for, and that you'll remember what the userids are. 
    • You could compromise and include just the first letter of the service name beside each password; also include the userids (or a short form of them that you will recognize) if you're not absolutely sure you'll remember them.
    • Hide the page somewhere really good. 
    • Put an entry in your calendar to update and reprint the list every, say, 3 months.  At the same time refresh your memory on all the information that you haven't printed out (service name, userids, etc.).
  2. Store it on a full-drive encrypted USB flash drive:
    • VeraCrypt (https://www.veracrypt.fr/en/) is the best way I’m aware of to do this full-drive encryption.  It creates an encrypted virtual drive inside the flash drive.
    • With VeraCrypt you'll then have a completely standalone backup that you can decrypt on any computer in the world (after you download and install VeraCrypt on that computer). 
    • If you get a big enough flash drive, e.g., 256 MB, you can backup all your computer files there. 
    • The downside is that with VeraCrypt you'll have to choose and remember a(nother) password to encrypt/decrypt the virtual drive.  (Don't reuse an existing password for this -- create a new one.)
    • You don't need to hide the flash drive -- because you've chosen a strong password -- but putting it in a (supposedly) fireproof safe would be good.
    • Put an entry in your calendar to update the flash drive with your latest files every, say, 3 months. 
  3. Store it in a second LastPass account:
    • This is more complicated so may not be right for everyone.
    • Create a second LastPass account.
    • Don't enable 2FA on it so there is no cross-dependency with Authy or anything else.
    • The account needs to have (i.e., be owned by) a different email address, of course, but ideally choose an email address that you don't use for anything else, isn't publicly visible, and that no one else knows about.  You should probably create a new one just for this.
    • Choose a really strong password since there's no 2FA to provide additional protection for the account.

How to choose?

Here are some considerations when you're deciding which of the three schemes to go with:

  • Scheme #1 is the simplest, but it's potentially readable by an attacker, and it's at the mercy of local physical threats like fire, water damage from fire, theft, etc.  If you're traveling, the page is risky to bring along.
  • Scheme #2 has the benefit of backing up all your files at the same time (if you want), and can't be read if someone finds it, but it too is subject to some of the above local physical threats as well as to EMP.  :)  You can bring the flash drive with you when traveling.
  • Scheme #3 is in the cloud so is not subject to local physical threats, but it's dependent on a third-party.  It's also accessible over the Internet, just by knowing the userid and password -- both a benefit and a risk.  There's nothing you need to bring when traveling.

Availability (of your data, your systems, etc.) is a key pillar of information security, and resilience is necessary for availability.  If you implement one or more of these three fail-safe backup schemes, you’ll be a lot more resilient to the nasty shocks that can hit your digital life.

June 6, 2020

Cybersecurity Hygiene slides

Earlier this week I presented an information security talk via Zoom to the Okanagan Young Professionals Collective.  The OYP Collective is sponsored by the Central Okanagan Economic Development Commission (COEDC).

Unlike most of my talks this one was aimed entirely at individuals, although with a for pointers small business too.  Of course all the security controls that I presented fully apply to businesses of all sizes.

Here is the PDF of my presentation. And this is the TL;DR in case you want to start taking action (and I hope you will):
  1. Ensure you/family/team are resistant to social engineering
  2. Get a password manager and stop typing your passwords
  3. Change all passwords to unique, starting with most important
  4. Get a TOTP authenticator and use it wherever supported
  5. Ensure your main email account is damned secure
  6. Back up your data (encrypted) to the cloud and locally
  7. Harden all your devices: updates, strong PINs/PWs, FDE, ...
  8. Train yourself/family/team on security & privacy, keep learning

May 25, 2020

Security hygiene general suggestions

I typed this up for a couple of clients and thought I'd share it here too.

1. Password manager: Get one and use it, and passwords, properly.  LastPass is a good one.  See:  https://www.gsharratt.com/2020/03/set-up-password-manager-nice-covid-19.html.  Using passwords properly includes never reusing them and using long random strings (e.g., 30 chars) for (almost) every password.  

1.a. With LastPass, set up Emergency Access to and from a trusted other person's LastPass account. 

2. Two-factor authentication: Start using Authy on important accounts,.  See:  https://www.gsharratt.com/2020/03/set-up-password-manager-nice-covid-19.html

2.a. Set up 2FA for your password manager.  But see this first: https://www.gsharratt.com/2020/08/dont-get-locked-out.html

3. Background on Internet storage and backup (and zero knowledge):  https://www.gsharratt.com/2016/07/are-your-cloud-backup-and-storage.html

4. Backup: Use (zero knowledge) cloud backup if possible.  Best and most expensive is CrashPlan (see item #3 above), next is Blackblaze (a bit less secure, a bit less expensive -- https://www.backblaze.com/), and next is Sync.com (not quite as good for backup but great for syncing files between devices -- see item #3 above).  This backup will run automatically always or every day (your choice) and you'll never have to think about backup again.  It's a good idea to keep doing your local monthly backup too.  (Sync gives you 5 GB for free.)

5. Strongly consider encrypting your computer drive and your backup drive.  Unless they are encrypted, if someone steals your computer or your backup drive, they can access all your data.  See the link just below.  File Vault 2 comes with Macs.  On Windows, BitLocker requires that you have Windows 10 Pro (not Home).  BitLocker also gives you encryption of external drives and flash drives.  Store you BitLocker recovery password in your password manager.

6. Make sure you have a strong PIN on your phone/tablet, 8+ digits, and turn on auto-wipe after 10 wrong guesses.

7. Make sue you have a strong password on your computer, 12+ characters and as random-looking as possible.