Cybersecurity hygiene for the new year

Happy new year!  Here are some cybersecurity greetings for the new year -- it's a very dangerous world out there.

I hope all of you are doing these basic cybersecurity hygiene things:
  • You're using a cloud-based password manager, e.g., 1Password, LastPass, or Bitwarden -- and all your passwords are long, random, and unique (never reused).  (Proper use of a password manager will make you very resistant to phishing.)
  • You're using cloud-based 2FA, especially Authy -- and you've enabled 2FA on all services that support it.
  • You're backing up all your data both to at least one cloud backup service (e.g., CrashPlan, Backblaze, Sync.com, Duplicati) and to at least one external drive -- and those external drives have full-disk encryption.
  • You've hardened all your devices with strong passwords/PINs, full-disk encryption (for Windows you need BitLocker), and regular updates.
  • You've junked all computers, phones, and tablets that no longer get updates.
  • (I could go on and on, but that's a good start.)
  • You might think all this will consume too much time, but you'll be saving yourself a lot more wasted time from your digital life getting compromised.  Most of the above are mainly one-time actions to set up.
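The "long, random, and unique" rule above is easy to state and hard to verify by eye once a vault holds a few hundred entries. The script below is an added example (not from this post or from any password-manager vendor) that audits a generic name/url/username/password CSV export for reuse, short length and weak character mix, and generates replacements from the OS CSPRNG. The export text, the 16-character minimum and the 80-bit threshold are all constructed assumptions for the illustration.

```python
"""Audit a password-manager CSV export for the 'long, random, unique' rule.

Added example. The CSV layout (name,url,username,password) is a generic
export shape, not any particular product's format.
"""
import csv
import io
import math
import secrets
import string
from collections import defaultdict

# Constructed sample export with fake credentials for illustration only.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://online.examplebank.com,alice,Summer2021!
Webmail,https://mail.example.org,alice@example.org,Summer2021!
Forum,https://forum.example.net,alice99,correct horse battery staple
Shop,https://shop.example.com,alice,u7Hq2!pL9xV4mZ0rB6tK
"""

MIN_LENGTH = 16   # assumption: anything shorter is flagged as too short
MIN_BITS = 80.0   # assumption: flag estimates below this many bits


def estimate_bits(pw: str) -> float:
    """Rough strength estimate: length x log2(size of the character classes used).

    This assumes every character was drawn uniformly at random, so a
    dictionary passphrase scores higher than it deserves; treat the result
    as an upper bound useful for catching obviously weak entries."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation or c == " " for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def audit(export_text: str, min_length: int = MIN_LENGTH, min_bits: float = MIN_BITS):
    """Return {entry name: [problems]} for every entry that breaks the rule."""
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Group entry names by exact password so reuse across sites is visible.
    by_password = defaultdict(list)
    for r in rows:
        by_password[r["password"]].append(r["name"])

    findings = {}
    for r in rows:
        problems = []
        others = [n for n in by_password[r["password"]] if n != r["name"]]
        if others:
            problems.append("reused on " + ", ".join(others))
        if len(r["password"]) < min_length:
            problems.append(f"shorter than {min_length} characters")
        if estimate_bits(r["password"]) < min_bits:
            problems.append("low estimated entropy")
        if problems:
            findings[r["name"]] = problems
    return findings


def new_password(length: int = 20) -> str:
    """Generate a replacement with the CSPRNG, the way a manager's generator does."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {'; '.join(problems)}  -> suggested: {new_password()}")
```

Run against the constructed export, the two entries sharing `Summer2021!` are reported for reuse, length and entropy, while the long passphrase and the generated string pass; feed it your own export and then delete the export file, since (as the post notes) an unencrypted export on disk is itself a risk.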
If you're still using your ISP's email service, like @telus.net and @shaw.ca, this is for you:
  • If/when you decide to look to greener hills, you'll find it really painful to move to a new ISP since your existing one has you by the short and scruffy. The issue is not all your contacts that use that address, it's all your cloud services that have that address as the owning email id.
  • I recommend that you start fixing this now: create a permanent email address like @gmail.com or @outlook.com and slowly move over all your cloud accounts to that new address. Then you'll be free to switch ISPs if you ever want to. The longer you wait to do this, the more cloud accounts you'll have, and the more painful the eventual fix will be.
  • (Yes, the above falls under security: it's availability, which is a key part of the confidentiality/integrity/availability security triad.)


Tips for protecting your password manager account

This is a great article that applies to any password manager (PM):

7 Tips to Protect Your Bitwarden Account | Bitwarden

If you've implemented a password manager for you or your org, there is more to do!  Here are some additional suggestions that build on the article:

  • Treat as a crown jewel the email account that owns your PM account and all your other cloud accounts.  If baddies can take over that account, they can take over almost all your accounts by doing password resets.
  • You have to properly use a PM to get the value: it's not enough to just have a PM account and store your logins in it.  For starters, for your important accounts, change their passwords to long random strings, and use the PM to autofill your credentials into web login pages; that will make you very resistant to phishing.
  • Two-factor authentication (2FA) is critical for your important accounts, including your PM and email accounts.  Authy is an excellent 2FA authenticator app/service.
  • Backing up your vault is a great idea, but be aware that if you're on a Windows PC, your main drive is not encrypted unless you have enabled BitLocker (or the Device Encryption found on Microsoft Surface-type devices); so you'll need to store your PM vault export somewhere else.
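The phishing resistance mentioned in the second bullet comes from one mechanism: a password manager only offers saved credentials when the page's domain matches the domain the entry was saved for, so a lookalike login page gets nothing to fill. The code below is an added illustration of that matching rule, not code from Bitwarden or any other manager; it uses a simplified "last two labels" notion of base domain (real managers use the Public Suffix List) and a constructed two-entry vault.

```python
"""Simplified model of password-manager URL matching.

Added example; real managers use the Public Suffix List and more match
modes, but the idea shown here is the one that defeats lookalike domains.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: each entry records the site it was saved for.
VAULT = [
    {"name": "Bank", "uri": "https://online.examplebank.com/login", "username": "alice"},
    {"name": "Webmail", "uri": "https://mail.example.org/", "username": "alice@example.org"},
]


def registrable_domain(url: str) -> Optional[str]:
    """Return the base domain (last two host labels) of a URL, or None.

    Simplification: 'example.co.uk' style suffixes are not handled; a
    production implementation consults the Public Suffix List."""
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def matching_entries(page_url: str, vault=VAULT):
    """Entries a manager would offer on page_url under base-domain matching.

    Another subdomain or path of the same base domain still matches, but a
    host that merely *contains* the bank's name as a prefix, or a typo-squat
    of it, resolves to a different base domain and gets no credentials."""
    target = registrable_domain(page_url)
    if target is None:
        return []
    return [e for e in vault if registrable_domain(e["uri"]) == target]


if __name__ == "__main__":
    for url in [
        "https://online.examplebank.com/login",
        "https://examplebank.com/reset-password",
        "https://online.examplebank.com.login-verify.example/",
        "https://exarnplebank.com/login",
    ]:
        print(url, "->", [e["name"] for e in matching_entries(url)])
```

The third and fourth URLs are the kind a phishing email links to: a human reading `online.examplebank.com.login-verify.example` sees the bank's name, but the base domain is `login-verify.example`, so the manager stays silent, which is exactly the cue that something is wrong.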

If you or your org haven't yet implemented a PM, it's usually the very first thing to do (along with 2FA) to improve your cybersecurity.  Three excellent PMs to consider are Bitwarden, 1Password, and LastPass.  Check out their business tiers if your org is multi-person.


Buying a new smartphone: security updates

When buying an Android phone or tablet, you need to pay much more attention to how quickly, and for how many years, it will receive security updates than you would with an Apple device.

Most of the articles listed on the first page of the search below are worth reading to understand what manufacturers/phones are the best for security updates.  You want a phone manufacturer that will quickly pass on to you the security updates that Google releases, and will continue to do so for as many years as possible.  When the Android security updates stop getting to your phone, it's good only as a paperweight.


With Apple you have much less to think about: a phone will always get 4 or 5 years of updates.  Some 5-year-old iPhone and iPad models are getting 6 years, which is unusual.  And Apple is even providing occasional security updates to devices on iOS 12 (and above), which is way behind the current iOS 15.


My Cyber Security Awareness Month talks at ORL Kelowna

October is Cyber Security Awareness Month and I'm looking forward to speaking twice for the Okanagan Regional Library (ORL) branch in Kelowna.

My two one-hour online talks will present cybersecurity hygiene, the basic set of security measures that all individuals, families, and businesses should implement (and maintain over time) to reduce their risks from cybersecurity threats: malware (ransomware, viruses, ...), social engineering (phishing, smishing, business email compromise, ...), device theft, loss, or destruction, etc.

The October 14 talk will cover passwords, password managers, and two-factor authentication (2FA), while the October 28 talk will deal with data backup, email and phone security, mobile and computer security, and user awareness training.  The Oct. 28 talk will also briefly present some of the additional security measures, beyond hygiene, that multi-person businesses should implement.

These talks are being presented online and free of charge.  You can take part online or in person at ORL Kelowna.  If you're interested, please register here:



Information Security Policies

If your organization is very small, security hygiene measures -- which I've written about in detail -- may be all you need for information security.  But as your organization gets larger, the scope of your information security needs necessarily widens and there are more and more controls to put in place (and monitor).

One of the best ways to start down the path to an information security program is to create a suite of information security policies.  Policies, in any domain, essentially state "this is the way we do things here".  If you create an information security policies suite that covers the breadth of controls you need in information security (and privacy) -- and if you then implement those policies, as you obviously should -- they will drive your entire security (and privacy) program.

It sounds simple but it's best handled with an explicit understanding of your organization's needs in priority order:
  1. generate a list of all the policies required by the organization
  2. prioritize the list
  3. starting from the highest-priority policy and moving down the list, for each policy:
    1. write the policy, review it, and iterate until it is of good enough quality
    2. prioritize the list of controls described in the policy
    3. implement the high-priority controls in the policy
  4. get the entire suite of policies approved
  5. set up a system to track compliance with the policies
  6. go through all the policies to implement the medium-priority controls in each policy
  7. go through all the policies to implement the remaining (lower-priority) controls in each policy
  8. revisit the suite of policies annually or when business conditions change
I've tried to show above that the steps are not linear; rather, they are circular.  So you can start implementing the important policies before you've written all the policies, and you can start implementing a lower-priority policy before you've fully implemented a higher-priority policy.  Your goal is to implement the controls in the order that achieves the best risk reduction for the organization.

There are several frameworks you could start from in creating your suite of policies, but the most commonly used is the specification ISO/IEC 27002:2013, "Information technology — Security techniques — Code of practice for information security controls", or simply ISO 27002.  This is a spec that you'll have to pay for in order to access in full text.

At a basic level you would create one policy artifact for each of the 14 "meat" (non-introductory) chapters -- effectively policy areas -- of the specification:

5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

Most chapters cover more than one policy area, and the areas in scope for each chapter are not always obvious from the chapter titles; so it's very useful to look at the subheadings and sub-subheadings under each chapter, which you can find here.

I recommend you read through this list carefully in order to understand, at a high level, the wide breadth of information security policy areas, and to start your thinking on which areas you need to cover.

There are a few policy areas that need to be added on top of what ISO 27002 provides, the most important being:
  1. Risk Management Policy
  2. Acceptable Use Policy (AUP)
  3. Disaster Recovery Policy
  4. Privacy Policy for external consumption
Each policy area will become one artifact in your suite of policies.  There are different ways to map policy areas to policy documents, such as one-to-one or many-to-one.  It's often best if each artifact is a separate document because this allows you to reissue each one separately, with change control, but some smaller organizations may prefer to have the entire suite in one document for simplicity.

All of the policy artifacts, except for two, are written to guide the teams in the organization that are responsible for aspects of security, so those teams are their audience.  These target teams are mainly:
  1. information security
  2. privacy (if present, for the internal privacy policy)
  3. human resources (for human resources policies, and the AUP)
  4. legal (for privacy policies, human resources policies, and the AUP)
  5. corporate security (if present, for many aspects of physical security)
The two exceptions are:
  1. Acceptable Use Policy (AUP) -- the target is employees
  2. Privacy Policy for external consumption -- the target is customers
Creating policies can be a fair amount of work and is therefore often put off longer than it should be.  The best way to reduce the effort is to start from a template that covers all policy areas in depth and then customize it to suit the organization.  Templates can be found on the web or from an information security consultant.

Having information security policies is very important for any organization, but you don't need to try to create them all right away.  Proper prioritization, based on a rough gap and risk assessment, is key to knowing which ones are needed ASAP and which can wait.  It's so much better to have in place the handful -- or even a couple -- of policies that will make a real difference to your organization's security than to postpone indefinitely the creation of any policies because the project seems overwhelming.

This has been only the briefest of overviews of the important area of information security policies.  There is so much more that could be written but this blog post has to stop somewhere.  If you do a web search you'll find no shortage of information.