2021-09-29

My Cyber Security Awareness Month talks at ORL Kelowna

October is Cyber Security Awareness Month and I'm looking forward to speaking twice for the Okanagan Regional Library (ORL) branch in Kelowna.  

My two hour-long online talks will present cybersecurity hygiene, the basic set of security measures that all individuals, families, and businesses should implement (and maintain over time) to reduce their risks from cybersecurity threats: malware (ransomware, viruses, ...), social engineering (phishing, smishing, business email compromise, ...), device theft, loss, or destruction, etc.

The October 14 talk will cover passwords, password managers, and two-factor authentication (2FA), while the October 28 talk will deal with data backup, email and phone security, mobile and computer security, and user awareness training.  The Oct. 28 talk will also briefly present some of the additional security measures, beyond those, that multi-person businesses should implement.

These talks are being presented online and free of charge.  You can take part online or in person at ORL Kelowna.  If you're interested, please register here:

https://orl.evanced.info/signup/EventDetails?EventId=57396&lib=1006&backTo=Calendar&startDate=2021/10/01

2021-08-21

Information Security Policies

If your organization is very small, security hygiene measures – which I've written about in detail -- may be all you need for information security.  But as your organization gets larger, the scope of your information security needs necessarily widens and there are more and more controls to put in place (and monitor).

One of the best ways to start down the path to an information security program is to create a suite of information security policies.  Policies, in any domain, essentially state "this is the way we do things here".  If you create an information security policies suite that covers the breadth of controls you need in information security (and privacy) – and if you then implement those policies, as you obviously should – they will drive your entire security (and privacy) program.

It sounds simple but it's best handled with an explicit understanding of your organization's needs in priority order:
  1. generate a list of all the policies required by the organization
  2. prioritize the list
  3. starting from the highest-priority policy and moving down the list, for each policy:
    1. write the policy, review it, and iterate until it is of good enough quality
    2. prioritize the list of controls described in the policy
    3. implement the high-priority controls in the policy
  4. get the entire suite of policies approved
  5. set up a system to track compliance with the policies
  6. go through all the policies to implement the medium-priority controls in each policy
  7. go through all the policies to implement the remaining (lower-priority) controls in each policy
  8. revisit the suite of policies annually or when business conditions change
I've tried to show above that the steps are not linear; rather, they are circular.  So you can start implementing the important policies before you've written all the policies, and you can start implementing a lower-priority policy before you've fully implemented a higher-priority policy.  Your goal is to implement the controls in the order that achieves the best risk reduction for the organization.

There are several frameworks you could start from in creating your suite of policies, but the most commonly used is the specification ISO/IEC 27002:2013, "Information technology — Security techniques — Code of practice for information security controls", or simply ISO 27002.  This is a spec that you'll have to pay for in order to access in full text.

At a basic level you would create one policy artifact for each of the 14 "meat" (non-introductory) chapters -- effectively policy areas -- of the specification:

5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

Most chapters cover more than one policy area, and the areas in scope for each chapter are not always obvious from the chapter titles; so it's very useful to look at the subheadings and sub-subheadings under each chapter, which you can find here.

I recommend you read through this list carefully in order to understand, at a high level, the wide breadth of information security policy areas, and to start your thinking on which areas you need to cover.

There are a few policy areas that need to be added on top of what ISO 27002 provides, the most important being:
  1. Risk Management Policy
  2. Acceptable Use Policy (AUP)
  3. Disaster Recovery Policy
  4. Privacy Policy for external consumption
Each policy area will become one artifact in your suite of policies.  There are different ways to map policy areas to policy documents, such as one-to-one or many-to-one.  It's often best if each artifact is a separate document because this allows you to reissue each one separately, with change control, but some smaller organizations may prefer to have the entire suite in one document for simplicity.

All -- except for two -- of the policy artifacts are written for the purpose of guiding the teams in the organization that are responsible for aspects of security, so their audience is those teams.  These target teams are mainly:
  1. information security
  2. privacy (if present, for the internal privacy policy) 
  3. human resources (for human resources policies, and the AUP)
  4. legal (for privacy policies, human resources policies, and the AUP)
  5. corporate security (if present, for many aspects of physical security)
The two exceptions are:
  1. Acceptable Use Policy (AUP) – the target is employees
  2. Privacy Policy for external consumption – the target is customers
Creating policies can be a fair amount of work and is therefore often put off longer than it should be.  The best way to reduce the effort is to start from a template that covers all policy areas in depth and then customize it to suit the organization.  Templates can be found on the web or from an information security consultant.

Having information security policies is very important for any organization, but you don't need to try to create them all right away.  Proper prioritization, based on a rough gap and risk assessment, is key to knowing which ones are needed ASAP and which can wait.  It's so much better to have in place the handful -- or even a couple -- of policies that will make a real difference to your organization's security than to postpone indefinitely the creation of any policies because the project seems overwhelming.

This has been only the briefest of overviews of the important area of information security policies.  There is so much more that could be written but this blog post has to stop somewhere.  If you do a web search you'll find no shortage of information.

2021-07-17

Security considerations for buying a new smartphone or tablet

If you're in the market for a new smartphone or tablet, one of your most important criteria should be a long support life of security updates.  When your device stops getting security updates, the longer you continue to use it, the larger the target painted on your back becomes, due to the security vulnerabilities that start accumulating. 

Android versus iOS (iPhone or iPad) is often a personal, quasi-religious choice, but, functionality aside, it's fair to say that iOS is more secure but generally more expensive than Android.

For Android:

This is a great article to help you understand security updates by brand for Android:

8 Best Android Phones (Unlocked, Cheap): Our 2021 Picks | WIRED

Look especially at the number of years of security updates provided, since when the security updates end, your phone or tablet becomes only a good paperweight.  Brands that license Android from Google usually have a shorter support life than Google has for its own devices (Nexus brand).

N.B. The number of years of security updates is from when the device is released to the market, not from when you buy it!  So you have to find the release date for a device you're looking at.  You could do a web search for the brand and model of the device combined with "release date".

For iOS: 

Apple does a better job of providing security updates, so an iOS device will almost always get 4 or 5 years of security updates.  And this year, some 5-year-old iOS devices are getting an extra year of support, for a total of 6 years, but that's unusual.

2021-07-05

My next talk, kind of: July 21 (AMA)

I've done lots of talks, both in-person and online, on various cybersecurity / information security subjects such as passwords and password managers, two-factor authentication (2FA)/MFA, backup and storage, device and network hardening, secure internet use, privacy, and user security/privacy awareness.

But this session is different: the entire purpose is to answer your questions. You'll be able to ask me your questions in the multi-way videoconference.

For SMBs in the Okanagan, this is your chance to ask any questions you have about cybersecurity as well as information security generally.

Details and registration here: 

2021-04-04

Almost free cloud backup

If you're sold on having a full cloud backup of all your data -- and you should be -- but you find the cloud backup services I suggested a bit pricey, there might be an "almost free" option you could use.  It depends, though, on your having access to a lot of space on a cloud storage service like Google Drive, OneDrive, Dropbox, iCloud Drive, etc.  You might have this already, say, if you subscribe to Microsoft 365.

This solution will give you as much retention as you want of old file versions and deleted files, and will let you do point-in-time restores.

Here are the pieces of the solution:

  1. A Sync.com Free plan account, which gives you 5 GB for free (and more if you refer other people to the service).
  2. A cloud storage service (as noted above) with enough space for your entire backup. (You'll actually need somewhat more space given the versioning.)
  3. The SyncBackSE backup software, about CAD $62 one-time

Here is what you do:

  1. Divide your files logically -- in your head -- into two piles: Sensitive and Non-Sensitive.
    • Sensitive files are ones that you think need end-to-end encryption (E2EE).
    • Non-Sensitive files are ones that don't need E2EE.
  2. Then separate your files physically -- on your drive -- so that each high-level folder (say, the top level folders under your Documents folder or your Photos folder) contains either Sensitive files or Non-Sensitive files but not both.
    • Sensitive files are limited to the 5 GB or 6 GB or whatever in your Sync.com plan.
    • Non-Sensitive files are limited to whatever you have in your cloud storage plan.
  3. Buy SyncBackSE software (see above).
  4. Configure SyncBackSE to automatically and daily do this:
    • Back up all Sensitive folders to the Sync.com folder, using Versioning
    • Back up all Non-Sensitive folders to the OneDrive folder, using Versioning
If you want to get a bit fancier, you could use SyncBackSE's AES encryption abilities to encrypt files before writing them to the Non-Sensitive cloud storage. Then you don't really need Sync.com.
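As an added illustration, not SyncBackSE's code and not part of the original post, here is a small Python script showing what the two-pile routing and the Versioning setting in step 4 give you: each top-level folder goes to the destination for its pile, the previous copy of any overwritten file is kept under a timestamped _versions folder, and a lookup returns the content a file had at a chosen point in time. The folder names, destination paths and file contents are constructed for the demo.

```python
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
# Constructed sample classification for step 2: top-level folder -> pile.
PILES = {"Taxes": "Sensitive", "Photos": "Non-Sensitive"}

def backup_folder(src, dest, stamp):
    """Mirror src into dest/<src.name>; a file about to be overwritten is first
    archived under dest/_versions/<stamp>/ so older states stay restorable."""
    copied = 0
    for f in (p for p in src.rglob("*") if p.is_file()):
        rel, target = f.relative_to(src), dest / src.name / f.relative_to(src)
        if target.exists() and target.read_bytes() == f.read_bytes():
            continue  # unchanged since the last run
        if target.exists():
            archived = dest / "_versions" / stamp / src.name / rel
            archived.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(target, archived)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        copied += 1
    return copied

def run_backup(root, sensitive_dest, other_dest, stamp=None):
    """Step 4: route each top-level folder to the destination for its pile."""
    stamp = stamp or datetime.now().strftime("%Y%m%dT%H%M%S")
    totals = {"Sensitive": 0, "Non-Sensitive": 0}
    for name, pile in PILES.items():
        if (root / name).is_dir():
            dest = sensitive_dest if pile == "Sensitive" else other_dest
            totals[pile] += backup_folder(root / name, dest, stamp)
    return totals

def file_at_time(dest, folder, rel, at):
    """Content a file had at timestamp `at`: the oldest copy archived by a later run, else the current mirrored copy."""
    vroot = dest / "_versions"
    later = sorted((p.relative_to(vroot).parts[0], p) for p in vroot.glob(f"*/{folder}/{rel}")
                   if p.relative_to(vroot).parts[0] > at) if vroot.is_dir() else []
    return later[0][1] if later else dest / folder / rel

def demo():  # two "daily" runs over constructed files in a temp dir (assumed paths)
    tmp = Path(tempfile.mkdtemp())
    root, s_dest, n_dest = tmp / "Documents", tmp / "Sync.com", tmp / "OneDrive"
    (root / "Taxes").mkdir(parents=True); (root / "Photos").mkdir()
    (root / "Taxes" / "return.txt").write_text("v1"); (root / "Photos" / "cat.txt").write_text("meow")
    first = run_backup(root, s_dest, n_dest, "20210401T000000")
    (root / "Taxes" / "return.txt").write_text("v2")  # the tax return is edited between runs
    second = run_backup(root, s_dest, n_dest, "20210402T000000")
    see = lambda at: file_at_time(s_dest, "Taxes", "return.txt", at).read_text()
    return {"first": first, "second": second, "at_apr1": see("20210401T120000"), "at_apr2": see("20210402T120000")}
```

Running demo() shows the second run re-copying only the changed Sensitive file, and the April 1 lookup returning the pre-edit content while the April 2 lookup returns the current one.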

If you use this referral link to sign up for Sync.com, you'll get an extra 1 GB of storage.  (I will too, but I have no need for any more space.)