November 14, 2020

Cloud backup for professionals and organizations

One of the highest priorities for securing any organization, big or small, is data backup. Most organizations could not survive the loss of their data, and hardware failure, software failure, ransomware, other malware, human error, etc., can all completely or partially destroy that data in an instant.

Protection against those threats comes as two types of security controls: prevention and recovery. You implement security controls to try to prevent the threats from materializing, and you also implement security controls that help your operations recover if they do.

Here or there?

The recovery security control for loss of data is data backup, and there are two broad categories: cloud and local. Because local backup – such as external drives, flash drives, or network-attached storage – is in the same building as – and often right beside – the computer that it is backing up, it is subject to many of the same physical risks as the source computer. If the building is damaged by a fire, hurricane, or flood, or a thief breaks in and steals electronic equipment, both the original data and the local backup could be lost at the same time, negating the benefit of the backup. Cloud backup is therefore usually a higher priority than local backup.

I'll talk first about cloud backup for a professional with a single computer, then I'll extend this to a multi-computer organization.

The usual suspects

Most people immediately think of the "cloud big four" when they think of cloud storage or sync: Apple iCloud Drive, Dropbox, Google Drive, and Microsoft OneDrive. People gravitate to them because they are large, reputable companies (with excellent security, by the way) and they offer free storage for a certain amount of data. You can also pay a subscription fee to get storage beyond the free limit.

So you could back up all your data in one of the big four, but should you? The answer is usually "no".

What you need

Let's back up a bit.  What should you be looking for in a data backup offering, whether cloud or local, to help you choose the best offering for you? These are the backup-specific requirements that apply to most situations:

  1. sufficient confidentiality;
  2. sufficiently long retention for deleted files and old file versions; and
  3. the ability to restore data – one file or the entire backup set -- not only from the most recent backup but from any chosen point in time (called a point-in-time restore).

I'll show you why there's a really good chance that the big four won't meet your needs in those three areas.

Confidentiality

"Sufficient confidentiality" means sufficient with respect to the level of confidentiality required for the data you are backing up. This is not black and white, rather it's a spectrum.

At one end of the spectrum, for data already in the public domain – say, cat videos that you've collected from the Internet – you don't need to be too concerned about theft or release of the data. But at the other end, for sensitive data -- tax records (which contain your SIN or SSN), a personal journal (your darkest secrets), a list of account userids and passwords (the keys to your kingdom), sensitive personal information of your customers (privacy and data protection laws), etc. – you want high confidentiality. Every other type of data -- your photos, for instance – falls somewhere in the middle, depending on how sensitive it is.

So you first need to look at your data to identify and classify the different confidentiality requirements – sensitivity -- of the various types of data present. Then you can determine what cloud services meet the needs of your data.

End-to-end encryption

If your data to back up contains some sensitive data – and almost everyone's does – the big four don't provide sufficient confidentiality, because they don't support end-to-end encryption (E2EE).

E2EE means, literally, that your data is encrypted from one end to the other. This term was originally applied to communications that are encrypted from one end – one user – to the other end – the other user – in such a way that no one in the middle can decrypt the messages being exchanged between the two users.

By extension, the term has come to be applied to cloud storage (including backup) as well, with the same user – the one with the data -- being at both conceptual ends: one end for encryption on the user's device, going across the network to the cloud server for storage, then back across the network to the user's device for decryption. With E2EE cloud storage, no one in the middle – including, most notably, the cloud service – is able to decrypt the user's data. You can read more on Wikipedia. You might also see E2EE referred to as "zero knowledge", because the cloud service has no knowledge of the contents of the data.

The big four may have excellent security, but they don't provide E2EE. If an attacker manages to break into a cloud service provider's servers, they may be able to extract your data. For low and medium sensitivity data, "excellent security" as provided by the big four is usually sufficient, but that may not be good enough for sensitive data, for which you should probably be using E2EE.

Retention

"Sufficiently long retention for deleted files and old file versions" refers to how long the cloud service will save files you've backed up and then deleted, and files you've backed up and then edited or replaced with different contents. If you delete a file from your computer by mistake, delete a file and later realize you need it, overwrite a file by mistake, or make edits that you later want to back out – you'll be depending on your backup provider's retention of deleted files and old file versions.

The big four cloud storage providers provide only a minimal 30-day retention for both deleted files and old file versions. So, for example, if you delete a file on your computer by mistake and only notice this two months later, it's too late to restore the file from your backup, because it will have been automatically purged by the provider. For most of your data, 30 days is not nearly long enough.

There's one exception to the 30-day retention for the big four: if you buy one of Dropbox's (expensive) business plans, you'll get 180-day retention.

Point-in-time restore

When you need to retrieve a file or files from your backup, that's called a restore. There are broadly two types of restores you can do:

  1. restore an individual file as it was just before it was changed or deleted – a file restore; and
  2. restore a folder/directory – which could also be the entire set of backed-up data – as it was at a particular point in time – a point-in-time restore.

If you want to get back a file or a few files that you deleted or changed, you would use a file restore. But if your computer was lost or stolen, suffered a serious failure, or got infected with malware (including ransomware), you would need to do a point-in-time restore of your entire backup, to the date and time just before the problem occurred.

The big four offer file restores to all plans but offer point-in-time restores only to paid customers. Naturally the restores are possible only within the retention period.
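To make the retention and restore semantics concrete, here is an added Python model (not any provider's code): a versioned backup store that records one version per backup run, purges superseded versions and deletion markers once they fall outside the retention window, and offers both a file restore and a point-in-time restore. The two scenarios at the bottom are constructed: the mistaken deletion noticed two months later, and a ransomware infection rolled back to the day before.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
# Constructed model of a versioned backup store (not any provider's code).
@dataclass
class Version:
    taken_at: datetime
    content: Optional[bytes]  # None = "file was gone at this backup run"

@dataclass
class BackupStore:
    retention_days: int
    history: dict = field(default_factory=dict)  # path -> [Version], oldest first

    def backup(self, now: datetime, snapshot: dict) -> None:
        """Record one backup run; snapshot maps path -> bytes for files present now."""
        for path, content in snapshot.items():
            versions = self.history.setdefault(path, [])
            if not versions or versions[-1].content != content:
                versions.append(Version(now, content))
        for path, versions in self.history.items():
            if path not in snapshot and versions[-1].content is not None:
                versions.append(Version(now, None))  # deletion marker
        self._purge(now)

    def _purge(self, now: datetime) -> None:
        """Drop versions superseded, and deletion markers set, before the retention window."""
        cutoff = now - timedelta(days=self.retention_days)
        for path in list(self.history):
            versions, kept = self.history[path], []
            for i, v in enumerate(versions):
                if i == len(versions) - 1:
                    # the live version is never purged; a deletion marker expires
                    if v.content is not None or v.taken_at >= cutoff:
                        kept.append(v)
                elif versions[i + 1].taken_at >= cutoff:
                    kept.append(v)  # superseded inside the window: still restorable
            if kept:
                self.history[path] = kept
            else:
                del self.history[path]

    def restore_file(self, path: str) -> Optional[bytes]:
        """File restore: the file as it was just before its last change or deletion."""
        previous = [v for v in self.history.get(path, [])[:-1] if v.content is not None]
        return previous[-1].content if previous else None

    def restore_point_in_time(self, at: datetime) -> dict:
        """Point-in-time restore: every file as it existed at `at` (within retention)."""
        result = {}
        for path, versions in self.history.items():
            state = None
            for v in versions:
                if v.taken_at <= at:
                    state = v.content
            if state is not None:
                result[path] = state
        return result

def deleted_file_scenario(retention_days: int) -> Optional[bytes]:
    """Delete taxes.pdf by mistake on day 1, notice on day 60 (the article's example)."""
    store, day0 = BackupStore(retention_days), datetime(2020, 9, 1)
    store.backup(day0, {"taxes.pdf": b"T1 return", "notes.txt": b"v1"})
    for d in range(1, 61):  # daily backups after the deletion; purge runs each time
        store.backup(day0 + timedelta(days=d), {"notes.txt": b"v1"})
    return store.restore_file("taxes.pdf")  # None at 30 days, b"T1 return" at 180

def ransomware_scenario() -> dict:
    """Files rewritten by ransomware on day 10; roll the whole set back to day 9."""
    store, day0 = BackupStore(retention_days=30), datetime(2020, 9, 1)
    store.backup(day0, {"a.docx": b"draft", "b.xlsx": b"numbers"})
    store.backup(day0 + timedelta(days=5), {"a.docx": b"draft 2", "b.xlsx": b"numbers"})
    store.backup(day0 + timedelta(days=10), {"a.docx": b"ENCRYPTED", "b.xlsx": b"ENCRYPTED"})
    return store.restore_point_in_time(day0 + timedelta(days=9))
```

The same model also shows the limit the post mentions: a point-in-time restore dated before the retention window comes back incomplete, because the versions in effect then have already been purged.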

Cloud storage+

If you used one of the big four for your backup, you might very well need to buy a paid plan in order to get enough storage capacity to back up all your data. That would give you point-in-time restore capability, but you'd still have only 30-day retention, which is not enough. The big four are actually storage or sync services with a little bit of backup, as opposed to being true backup services. And because they are not E2EE, you'd only be able to store low sensitivity data, not all your data. What to do?

Luckily there's a nice alternative to the big four: true backup services with full confidentiality via E2EE, long retention times, and point-in-time restore.

True backup

I'll present three such providers that are excellent choices for your backup: CrashPlan, Backblaze, and Sync.com. You can use the information below to select the best provider for you as a function of your needs: price sensitivity, retention, confidentiality, and features (e.g., selecting vs. excluding vs. moving, pure backup vs. combined backup and sync, etc.). You might even care about data residency – where the servers, and therefore your data, are located -- although technically it doesn’t matter for an E2EE provider.

CrashPlan

  • USD $120 (CAD $160) for retention forever and unlimited storage
  • Full E2EE implementation
  • The UI allows you to select the folders/files you want to back up
  • The UI allows you to request a point-in-time restore
  • U.S. company (Code42) and servers

Backblaze

  • USD $84 (CAD $110) for 365-day retention and unlimited storage
  • USD $84 (CAD $110) plus a USD $0.005 (CAD $0.007) per GB monthly charge for retention forever
  • Partially E2EE: your data is stored in an E2EE manner, but any restore of your data is not E2EE, as your decryption key must be sent to the server temporarily so that it can decrypt your data to send to you
  • The UI does not allow you to select the folders/files you want to back up – instead, everything on the selected drive is backed up but you can exclude any folders you want
  • The UI allows you to request a point-in-time restore
  • U.S. company and servers

Sync.com

  • CAD $96 for 180-day retention and 2 TB of storage
  • CAD $120 for 365-day retention and 3 TB of storage
  • Full E2EE implementation
  • The UI does not allow you to select the folders/files you want to back up – instead you have to move all folders/files you want to back up into the "Sync" virtual folder. This can be an inconvenience, but using junction points is a possible alternative.
  • For the folders/files in the Sync folder, Sync.com additionally provides real-time syncing between multiple devices, a great feature for some use cases
  • The UI does not allow you to request a point-in-time restore, but you can request it by contacting customer support
  • Canadian company and servers

Mix and match?

Of course you could choose to divide up your data: back up your less sensitive data to one or more of the big four – say, to take advantage of their free plans – and back up your more sensitive data to an E2EE backup provider – maybe the 5 GB of free storage from Sync.com.

If you do this, though, you have to be careful in two ways: (1) to keep your data well-segregated so that high sensitivity data doesn't get backed up by mistake to a non-E2EE provider, and (2) to ensure that all of your data is backed up to at least one service and no data is missed.

This may sound simple but it's prone to mistakes happening over time. It's obviously much simpler to ensure that all your data is backed up, and with the proper confidentiality, if you choose a single E2EE provider for everything -- so which path you choose depends on how price sensitive you are.
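An added example (not from the post) of the check that guards against both mistakes: given a sensitivity classification by path and what each provider is configured to back up, it reports any file no provider covers and any high-sensitivity file that lands on a non-E2EE provider. The paths, provider names and file list are constructed stand-ins for a real directory walk.

```python
# Constructed audit of a "mix and match" backup plan. Paths, provider names
# and FILES are made up; FILES stands in for os.walk() on the real machine,
# and nothing here talks to any service.

# Sensitivity by path prefix; the longest matching prefix wins, so a single
# file can be marked high inside an otherwise lower-sensitivity folder.
SENSITIVITY = {
    "/home/alice": "low",
    "/home/alice/Documents/taxes": "high",
    "/home/alice/Documents/clients": "high",
    "/home/alice/Pictures": "medium",
    "/home/alice/Pictures/passport-scan.jpg": "high",
}

# What each provider is configured to back up, and whether it is E2EE.
PROVIDERS = {
    "big-four-free": {"roots": ["/home/alice/Pictures", "/home/alice/Videos"], "e2ee": False},
    "e2ee-free-5gb": {"roots": ["/home/alice/Documents/taxes"], "e2ee": True},
}

FILES = [
    "/home/alice/Pictures/2020/cat.jpg",
    "/home/alice/Pictures/passport-scan.jpg",            # high, but only on a non-E2EE provider
    "/home/alice/Documents/taxes/2019-return.pdf",
    "/home/alice/Documents/clients/acme/contract.docx",  # high, backed up nowhere
    "/home/alice/Videos/talk.mp4",
    "/srv/shared/export.csv",                            # never classified, backed up nowhere
]

def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies inside the directory root."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def sensitivity(path: str) -> str:
    matches = [root for root in SENSITIVITY if _under(path, root)]
    return SENSITIVITY[max(matches, key=len)] if matches else "unclassified"

def providers_for(path: str) -> list:
    return [name for name, cfg in PROVIDERS.items()
            if any(_under(path, root) for root in cfg["roots"])]

def audit(files=FILES) -> list:
    """Return (path, problem) pairs; an empty list means the plan is consistent."""
    findings = []
    for path in files:
        level, covered = sensitivity(path), providers_for(path)
        if level == "unclassified":
            findings.append((path, "not classified: decide its sensitivity first"))
        if not covered:
            findings.append((path, "not backed up by any provider"))
        if level == "high":
            for name in covered:
                if not PROVIDERS[name]["e2ee"]:
                    findings.append((path, f"high-sensitivity data on non-E2EE provider {name}"))
    return findings

if __name__ == "__main__":
    for path, problem in audit():
        print(f"{problem}: {path}")
```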

Scaling away

If you're an organization with more than one computer to back up, all three E2EE backup providers will accommodate that. Organizations need, among other enterprise features, an organization-wide account and an administration console for the service, and all three have that. CrashPlan's base plan is already a business offering so includes the admin console, while with Backblaze and Sync.com you'll get an admin console if you choose a (more expensive) business plan.

Do you want more?

A key tenet of information security is defense in depth. When applied to backup, this means having more than one backup of your data, in case something goes wrong with the first backup. As described above, a cloud backup is the first priority, so you should generally add backups in this order: (1) a cloud backup, (2) a local backup, (3) a second cloud backup, and (4) a second local backup. How far down the list you go depends on how important your data is and how paranoid you are.

That's it for the cloud! My next post will cover local backups.

For further reading

Here are a few good sources for more learning on backup services:

Note: Wirecutter – which I highly respect – recommends IDrive in their review. I last tried IDrive in early 2020 and was not impressed with its reliability and abilities. Of note was that it did not properly support BitLocker, which is very important for Windows machines. If you try IDrive, do let me know what you think.

October 15, 2020

Security hygiene for a small professional office

I was going to email these security hygiene recommendations to a lawyer setting up a new office but I realized that others would benefit too.  These recommendations are roughly in priority order.  See my other blog entries for more detail on many of these.

  1. Password manager: You and your employees and contractors should (really, must) use one, e.g., LastPass or 1Password.  For every important account, change its password to long (~30 chars) and random (and therefore unique) and store the password in the password manager.  Never reuse passwords.  See this post for more information.
  2. Second factor authentication (2FA): Enable it on all accounts where it's available.  The 6-digit Google Authenticator type (called TOTP) is better than SMS/text, but if only SMS/text is available, use it.  Google Authenticator is OK but it's better to use Authy as it installs on all your devices and makes device recovery much easier.  See this post for more information.  Enable 2FA on your password manager but read this first: Don't get locked out of your password manager.
  3. Security and privacy awareness training: Ensure that you and your employees and contractors are all very aware of: how social engineering in general, phishing, vishing, business email compromise, and other attacks work, and know how to be resistant; and privacy laws and their requirements for protecting and managing personal information.  Roll this out in concert with the password manager and 2FA, as they may require user training anyway.
  4. Email account security: Ensure all email accounts are really secure (long, random password and 2FA): if any email account gets hacked, the attacker (using password recovery mechanisms) can take over all other accounts that are tied to it.
  5. Data backup: Ensure your data is backed up to the cloud -- e.g., CrashPlan, Sync.com (ensure your plan has at least 180-day retention), or Backblaze -- and also backed up to an external drive.  Ensure the external drive has full disk encryption. 
  6. Device hardening: Ensure all devices are recent enough that they are still getting regular security updates; stop using any devices that are too old.  Put strong passwords/PINs on computers and mobile devices.  For Windows, make sure you have Windows 10 Pro and then turn on BitLocker, which is full disk encryption; for Macs, ensure File Vault 2 is encrypting your main drive.  On computers use quality security extensions on all browsers (e.g., HTTPS Everywhere, Privacy Badger, and uBlock Origin) and set the OS firewall to block all incoming traffic.  Don't plug in USB devices that have been out of your control.
  7. Cloud services: Be aware that most cloud services (Google Drive, OneDrive, Dropbox, iCloud Drive, etc., many backup services, and almost all value-added services) store your data in such a way that if the service gets hacked, the attacker could get your data.  But there are services that store your data more securely, using end-to-end encryption (E2EE), e.g., Sync.com and CrashPlan.
  8. File transfer security: Email by itself is not a secure way to send personal information or sensitive information.  Secure alternatives include encrypting files with 7-Zip (and AES encryption) before emailing them, using Sync.com to share folders (Team Shares) or files (set Enhanced Privacy and a password on the Link, and send the password some way other than email), or using an E2EE messaging service like Signal.


October 14, 2020

Cybersecurity talk online at Community Futures Small Business Week

I'm honored to be speaking at the Small Business Week event hosted by the Okanagan Community Futures organizations.  It's a three-day online event, October 20 to 22.

My talk -- "Cybersecurity: The bare essentials to implement right now" -- will be in the afternoon of October 21, and will be aimed at small businesses and professionals.

August 31, 2020

Don't get locked out of your password manager

Let's say you're security conscious so you do all these reasonable things:

  • use a password manager such as LastPass (see this post for more info)
  • use a TOTP-type 2FA app/service such as Authy (see this post for more info)
  • have multiple devices so you have Authy synced between them all, using Authy's Backups Password
  • use a long random string as your Authy Backups Password, so you store it in LastPass (and of course can't remember it)
  • enable 2FA on LastPass using Authy.

Well, you've just created a cross-dependency between LastPass and Authy:

  • you can't log into LastPass without getting a 2FA code from Authy; and
  • you can't log into Authy (meaning, connect it to the Authy online service) without getting your Authy Backups Password, which is stored in LastPass.

(Note that with LastPass, you can temporarily turn off 2FA via an email verification process; but you can't do this with 1Password.  To verify the 2FA disabling, you have to be able to sign into the email account that you've configured for recovery of LastPass.  So if that email account password is random and in LastPass, you have a different cross-dependency.)

What could go wrong?  

Everything is fine as long as your device is working normally.  LastPass remembers your 2FA code for quite a while (several months, maybe?) and Authy remembers your login (meaning, its connection to the online service) forever.

But if something happens -- your LastPass 2FA times out, you get logged out of Authy, either of these apps needs to be reinstalled, everything on your device needs to be reinstalled, etc. -- that's when you'll notice, and be bitten by, the cross-dependency.

(As a side note, it's always better to have LastPass and Authy installed and working on more than one device.  That way, if something goes wrong on one device, you can use one of your other devices instead.)

What can you do?

The best way around this cross-dependency is to have your important login-related information stored somewhere else.  I highly recommend that you have some other backup that doesn't depend in any way on LastPass or Authy or even your computer or mobile devices.  Think of it as a fail-safe or last-resort backup.

That other backup should contain critical information like:

  • userid/password for LastPass
  • userid/password for Authy
  • userid/password for Google or Apple (depending on your mobile devices)
  • userid/password for the email account you use to own/recover other accounts
  • userid/password for your cloud-based backup/sync service(s)
  • mobile device login PINs
  • computer login password
  • BitLocker recovery password (if you have a Windows computer)
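The cross-dependency above, modelled as an added Python example (not from the post): each account lists what you must already hold to get into it, and the script reports which accounts you can still reach from what is in your hand and which loops can never be entered at all. The account names follow the post; the edges and the "what you remember" placeholder items are assumptions.

```python
# Constructed model of login/recovery dependencies (not from the post).
# account -> the things you must already hold to log into it.
DEPENDENCIES = {
    "lastpass": {"lastpass-master-pw", "authy"},   # master password + 2FA code
    "authy": {"authy-backups-pw"},                  # reconnecting Authy needs the Backups Password
    "authy-backups-pw": {"lastpass"},               # ...which is stored only in LastPass
    "recovery-email": {"lastpass"},                 # its random password is in LastPass
    "cloud-backup": {"lastpass", "authy"},
}

def reachable(in_hand: set, deps=DEPENDENCIES) -> set:
    """Everything you can eventually open, starting from what you hold right now."""
    have = set(in_hand)
    changed = True
    while changed:  # keep unlocking until nothing new opens
        changed = False
        for account, needs in deps.items():
            if account not in have and needs <= have:
                have.add(account)
                changed = True
    return have

def locked_out(in_hand: set, deps=DEPENDENCIES) -> set:
    """Accounts you cannot get back into from what you hold."""
    return set(deps) - reachable(in_hand, deps)

def find_cycles(deps=DEPENDENCIES) -> list:
    """Dependency loops: each is a path that returns to its first account."""
    cycles, stack, on_stack, done = [], [], set(), set()

    def visit(node):
        stack.append(node)
        on_stack.add(node)
        for need in sorted(deps.get(node, ())):
            if need in on_stack:
                cycles.append(stack[stack.index(need):] + [need])
            elif need not in done:
                visit(need)
        stack.pop()
        on_stack.discard(node)
        done.add(node)

    for account in deps:
        if account not in done:
            visit(account)
    return cycles

# Scenario: device wiped; you remember only the LastPass master password.
MEMORY_ONLY = {"lastpass-master-pw"}
# Scenario: the same, plus a paper or VeraCrypt fail-safe holding the Authy Backups Password.
WITH_FAILSAFE = {"lastpass-master-pw", "authy-backups-pw"}

if __name__ == "__main__":
    print("loops:", find_cycles())
    print("locked out with memory only:", sorted(locked_out(MEMORY_ONLY)))
    print("locked out with fail-safe:", sorted(locked_out(WITH_FAILSAFE)))
```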

But where?

I have three suggestions for how/where to store that backup:

  1. Print it out on paper:
    • Keep a table of the critical login-related information in your accounts file and print it out on paper.  Yes, the old-fashioned flat white stuff.
    • If you can print it out without service names or userids -- so it's just a list of passwords -- that's even better (in case someone finds it or you lose it), but be absolutely certain that you could look at the page in a year and be able to figure out what each password is for, and that you'll remember what the userids are.
    • You could compromise and include just the first letter of the service name beside each password; also include the userids (or a short form of them that you will recognize) if you're not absolutely sure you'll remember them.
    • Hide the page somewhere really good.
    • Put an entry in your calendar to update and reprint the list every, say, 3 months.  At the same time refresh your memory on all the information that you haven't printed out (service name, userids, etc.).
  2. Store it on a full-drive encrypted USB flash drive:
    • VeraCrypt (https://www.veracrypt.fr/en/) is the best way I’m aware of to do this full-drive encryption.  It creates an encrypted virtual drive inside the flash drive.
    • With VeraCrypt you'll then have a completely standalone backup that you can decrypt on any computer in the world (after you download and install VeraCrypt on that computer).
    • If you get a big enough flash drive, e.g., 256 MB, you can back up all your computer files there.
    • The downside is that with VeraCrypt you'll have to choose and remember a(nother) password to encrypt/decrypt the virtual drive.  (Don't reuse an existing password for this -- create a new one.)
    • You don't need to hide the flash drive -- because you've chosen a strong password -- but putting it in a (supposedly) fireproof safe would be good.
    • Put an entry in your calendar to update the flash drive with your latest files every, say, 3 months.
  3. Store it in a second LastPass account:
    • This is more complicated so may not be right for everyone.
    • Create a second LastPass account.
    • Don't enable 2FA on it so there is no cross-dependency with Authy or anything else.
    • The account needs to have (i.e., be owned by) a different email address, of course, but ideally choose an email address that you don't use for anything else, isn't publicly visible, and that no one else knows about.  You should probably create a new one just for this.
    • Choose a really strong password since there's no 2FA to provide additional protection for the account.

How to choose?

Here are some considerations when you're deciding which of the three schemes to go with:

  • Scheme #1 is the simplest, but it's potentially readable by an attacker, and it's at the mercy of local physical threats like fire, water damage from fire, theft, etc.  If you're traveling, the page is risky to bring along.
  • Scheme #2 has the benefit of backing up all your files at the same time (if you want), and can't be read if someone finds it, but it too is subject to some of the above local physical threats as well as to EMP.  :)  You can bring the flash drive with you when traveling.
  • Scheme #3 is in the cloud so is not subject to local physical threats, but it's dependent on a third-party.  It's also accessible over the Internet, just by knowing the userid and password -- both a benefit and a risk.  There's nothing you need to bring when traveling.

Availability (of your data, your systems, etc.) is a key pillar of information security, and resilience is necessary for availability.  If you implement one or more of these three fail-safe backup schemes, you’ll be a lot more resilient to the nasty shocks that can hit your digital life.

June 6, 2020

Cybersecurity Hygiene slides

Earlier this week I presented an information security talk via Zoom to the Okanagan Young Professionals Collective.  The OYP Collective is sponsored by the Central Okanagan Economic Development Commission (COEDC).

Unlike most of my talks this one was aimed entirely at individuals, although with a few pointers for small business too.  Of course all the security controls that I presented fully apply to businesses of all sizes.

Here is the PDF of my presentation. And this is the TL;DR in case you want to start taking action (and I hope you will):

  1. Ensure you/family/team are resistant to social engineering
  2. Get a password manager and stop typing your passwords
  3. Change all passwords to unique, starting with most important
  4. Get a TOTP authenticator and use it wherever supported
  5. Ensure your main email account is damned secure
  6. Back up your data (encrypted) to the cloud and locally
  7. Harden all your devices: updates, strong PINs/PWs, FDE, ...
  8. Train yourself/family/team on security & privacy, keep learning