March 31, 2021

World Backup Day, and suggestions

Today is World Backup Day.  A CBC story.

Data backup is really important so here are a few suggestions:

  1. Ensure that all your important data is backed up to at least one and ideally to two different "places", at least one of which is in the cloud.
  2. For files that live on your computer or an external drive, your first backup should be to a cloud provider.  Your second backup can be cloud or local.
  3. If you have files that live in the cloud, you need at least one backup too, which could be on your computer or an external drive.
  4. Manual backup can work if you're diligent, but automated regular backup is much better.
  5. Cloud sync (often free, e.g., Google Drive) is not the same as cloud backup (usually paid, e.g., Backblaze).  True backup will keep deleted files and old versions of your files for at least, say, a year, supports point-in-time restore, and lets you choose which folders to back up.  Cloud sync providers usually keep these for no more than 30 days, don't support PIT restore, and only back up files you place in the single fixed folder.
  6. For sensitive data consider using a cloud provider with end-to-end encryption (E2EE), also called Zero Knowledge.
  7. For local backups (e.g., to external drives) you probably want to ensure that the data is encrypted.  (But then also ensure that your computer's drive is encrypted.  Windows 10 Home doesn't do that and Windows 10 Pro doesn't do it by default; if an someone steals your computer they'll get all your data.)
  8. For mobile devices you can reduce data backup concerns by ensuring that all important data on your device actually comes from (is synced from) the cloud, or, say in the case of new photos, is automatically backed up to the cloud.

March 30, 2021

Browser extensions for privacy and security

This New York Times article lists my favorite three browser extensions for security and privacy:

Tools to Protect Your Digital Privacy

They are:

  1. uBlock Origin
  2. Privacy Badger, and
  3. HTTPS Everywhere.

There is one additional benefit of uBlock Origin not mentioned in the article, namely that advertising can contain or lead you to malware, aka, malvertising. 

March 9, 2021

How to follow blogs

Chances are that you've run across at least a few blogs or news websites that you find interesting -- maybe even this blog!  You'd love to read their new posts but you know you'll never remember to check the websites regularly.  What do to?

It's pretty easy, actually.  Use either of these services to subscribe to your favorite sites:

NewsBlur, my favorite, has a very nice free tier.

Using them is straightforward: you subscribe to the feeds to you want to follow, then you only have to remember to go to the NewsBlur or Feedly website every few days or so.  They will show you in one place any new content from the sites you follow.

Subscribing to a website/blog's feed is usually simple.  For NewsBlur, click the "+" icon in the bottom left and paste in the website URL.  For example, for this blog, you would paste this:

https://www.gsharratt.com

Alternatively, you can paste the URL of the feed into NewsBlur (and you'll have to do this if the website URL doesn't work).  You can often find the feed URL by viewing the page source of the website's main page and searching for "rss" or "atom".  For this blog, for instance, the feed URL is:

https://www.gsharratt.com/feeds/posts/default?alt=rss

For websites that have multiple feeds, it's best to use the feed URL.  Websites with more than one feed will usually provide a page listing all the feeds.  Find the one you want, copy its URL, and paste it into NewsBlur.

How does this newsreader magic work?  It makes use of the RSS or Atom feeds that most (but not all) blogs and many other websites publish in parallel with their regular web (html) content.

Once you have subscribed to your favorite blogs and other sites and get in the habit of regularly checking your newsreader, you won't ever want to give it up.

Upcoming talk to Kelowna Chamber of Commerce

My previous blog post has been published in a condensed form on the Kelowna Chamber of Commerce news feed: Blog: How to Address Ransomware, Phishing, & Business Email Compromise.

And I'll speaking on related topics as part of the Chamber's Business Smarts series on March 24.  See here for more information and registration: Business Smarts WEBINAR - Cybersecurity.

---

Update 2021-04-07: You can find a video recording of my March 24 Kelowna Chamber talk here:


March 1, 2021

How to address ransomware, phishing, and BEC

You’ve almost certainly heard of ransomware, phishing, and business email compromise as they are all over the news today.  You probably have a general idea of what they are – enough to be worried -- but how well do you understand the risks they create and how to protect your organization? 

Attackers are looking for the biggest payouts for the lowest effort and risk, and this drives the ever-changing prevalence of threats.  Ransomware is a dominant threat today because it's easier for attackers to commercialize compared to phishing.  Business email compromise is increasing because it can yield bigger payouts for attackers.  This post will discuss the threats of ransomware, phishing, business email compromise, and another one you may not have heard of, a server-side attack.  We'll then dig into what you can do about them.

Four threats

Let's start with the simplest threat, phishing to steal credentials.  Phishing is mostly delivered through email – but there are subtypes for SMS, etc. – and this type of phishing generally aims to fool the recipient into giving up their account credentials – userid and password -- using a fake login page for a cloud service. Using the stolen credentials, the attacker can obviously perform an account takeover of the cloud service account in question, but they will also likely be able to use credential stuffing to take over other accounts owned by that userid.  Credential stuffing means trying the userid/password combination on hundreds of different cloud services, and it works because most people use the same password for many of their accounts.  In other words, most users don't use a unique password per account, as they should. 

Once the attacker takes over one or more accounts, they can make money by many different means, including stealing data from the accounts then reselling the data (e.g., for credit card data) or threatening its disclosure.  (By the way, if personal information is accessed in any way, in most jurisdictions this is a privacy data breach and must be reported to the privacy authority.)

There is a related threat, a server-side attack, that involves an attacker stealing credentials from the cloud service itself instead of its users.  The attacker will break into a cloud service and steal the "passwords file", which contains the userid and the associated, obfuscated (salted and hashed) password for each of the cloud service's users.  The attacker will then perform a cracking operation to de-obfuscate the passwords, and will generally be successful for those users that haven't used a strong password. 

What makes a password "strong"?  It's sufficient length, sufficient randomness, and sufficient character types complexity (the mix of uppercase, lowercase, digits, and symbols).  "Sufficient" is a fuzzy and moving target, but if a password isn't a bare minimum of 12 characters long, doesn't look random, or doesn't use at least three types of characters, it may not be strong enough to resist cracking.  Once passwords are cracked, there are same risks as for phishing, such as account takeover and credential stuffing.

Business email compromise (BEC) requires the most effort for the attacker.  In a typical compromise, the attacker will get access (through one of a variety of means) to an email account for an organization head or financial head and will monitor the email traffic for a while.  Once the attacker understands the organization's financial processes and which employees are involve with financial transfers, they will send a fake email (from a fake account, often with a similar-looking domain name) to an employee requesting a wire transfer to some outside destination.  If the deception is not detected in time, the attacker will receive the transfer.

The last, and probably most important, threat we'll discuss is ransomware.  This is a type of malware usually delivered through phishing emails (but not the credentials-stealing kind), and it is rapidly surpassing other types of malware and phishing because of its ease of monetization.

For email-based ransomware (and other malware), a user will typically be fooled into executing a file attached to an email or to clicking on a link in an email and downloading a file, resulting in a compromise of their device by the attacker's malware (i.e., malicious software).  Ransomware encrypts the infected computer's files in place and then demands a ransom payment to provide the decryption key; and the ransomware will typically try to spread to other computers in the organization.  If the organization decides to pay the ransom (it's a complex decision) and is very lucky, the key will work; otherwise the data is irretrievably destroyed. 

Increasingly, though, ransomware does more than encryption: it will send a copy of the victim's data to the attacker's server before encrypting it, and the attacker will additionally (and maybe on more than one occasion) threaten to publicly release the data if the ransom is not paid.  Whereas a data backup is a good recovery mechanism for ransomware's encryption, there really is no way to mitigate a public release of data, which makes victims more willing to pay.  (Note that both cases would generally be considered privacy data breaches if personal data is involved.)

Mitigations

If we analyze the four threats in detail and look at how to mitigate the resulting risks – i.e., prevent them, reduce their effect, or recover from them -- it turns out that we need two different sets of mitigations, aka security controls:

  • controls that address the primary risks of account takeover and credential stuffing, and financial loss for BEC – let's call this Type 1; and
  • controls that address the primary risks of device compromise (by malware) and destruction of data – we'll call this Type 2.

Mapping these risks to the four threats above:

  • Type 1 controls are for credentials-stealing phishing, business email compromise, and credentials-stealing server-side attacks; and
  • Type 2 controls are for malware and ransomware.

Both types are also mitigating a variety of secondary risks, including financial loss and theft or exposure of data.

The controls

So what are these two amazing sets of security controls?  They are for the most part the basic set of security controls that security professionals call "security hygiene" – fundamental security controls that every organization should implement as a matter of course before getting into anything fancier. 

The Type 1 controls are focused mainly on protecting credentials:

  • user security awareness training;
  • the proper use of passwords: mainly ensuring they are strong and unique;
  • the use of a password manager: as the best way of properly managing passwords;
  • the proper use of the password manager, including using it to autofill login pages: whereas a user can be phished by a fake login page, a password manager will notice the fake page's incorrect domain name and will refuse to autofill the credentials into that page;
  • use of two-factor authentication (2FA)/multi-factor authentication (MFA): as a second line of defense on an account in case the account's password is compromised; and
  • for BEC in particular, setting up a proper verification process for financial transactions, such as through the use of out-of-band verification like a phone call or walking over to talk to the sender: to catch fraudulent requests.

The Type 2 controls are targeted mainly at spam and malware:

  • user security awareness training;
  • the use of an email anti-spam/malware filter: to stop phishing emails before they reach users; and
  • security hardening of devices, especially computers, by locking down operating system (OS) security-related settings and the use of antimalware ("antivirus") and anti-ransomware software or, for larger organizations, endpoint protection software/services: to prevent malware from successfully running if a user falls for it;
  • the use of data backup, to a cloud backup service or a local backup drive, or ideally to both: to recover from the destruction of data by ransomware.

User security awareness training is listed first for both type of controls because it's usually the most important control that organizations can put in place.  Properly trained employees could forestall many risks even in the absence of many technical security controls (such as password managers, 2FA, spam filters, hardening, antimalware, etc.) – but conversely, the best technical security controls can be bypassed or rendered ineffective by unaware employees. 

All organizations should properly train their employees on security (and privacy) risks – starting as soon as possible and then at least annually.  They should also choose the right mix of technical security controls to fit their organization, risk tolerance, and budget.  Every single organization, though, should have all the Type 1 and Type 2 security controls listed above as a minimum.

For more

This has been only a brief introduction to some common cybersecurity threats that most organization face, and to how to start addressing them.  If you want to learn more – and I strongly encourage you to do so – there is no shortage of information available.  Most everything you might want to know is on the Internet, so you can do a web search for any of the terms in this post.  You can also read some of my other blog posts; see my blog map for an index of useful posts.