Network Security

Cybersecurity for Small Businesses Part 2

Every year, many companies, large and small, invest substantial resources in their information technology (IT) systems, including, but not limited to, computers and related hardware, software, Internet access, cybersecurity, and personnel training. Businesses rely on IT systems for storing and processing financial and other sensitive information, accessing the Internet, communicating through email, and running the programs they need every day. All the systems that run on a network and use the Internet to gather information and perform cloud services should be protected from unauthorized, inappropriate, and improper use. Protecting IT assets is a duty that falls not only on IT teams but also on the executives who can allocate the right resources to protect the corporate network.

In light of increasingly sophisticated threats and ransomware attacks against local governments and financial institutions, management is responsible for ensuring that the right IT internal controls are in place and performing as intended. But where should a small business start in evaluating the cybersecurity of its network? A security self-assessment should be the first step towards evaluating the effectiveness of the whole IT operation.

1- INTERNAL CONTROLS

Internal controls are policies and procedures that involve authorization and oversight of IT operations. In this role, the Chief Executive Officer of a company works with the Chief Information Officer to elaborate and enforce procedures that help staff achieve optimal cybersecurity results. It is also not uncommon for the CEO and CIO to use a third-party vendor to assess and establish the rules governing internal controls.

2- THE MAIN CYBERSECURITY MODEL

The main information security model is based on three key areas:

1) CONFIDENTIALITY: this area is linked to privacy and trust.
Confidentiality is a set of policies that prevents or minimizes unauthorized access to the company’s sensitive data and assets.

2) INTEGRITY: integrity deals with the quality of the data that is stored and handled on a daily basis. Accurate and complete data are essential for good decision-making.

3) AVAILABILITY: if data cannot be accessed when needed, it has little value. The most secure systems are those that are also the most available at all times, against power outages, natural disasters, and attempts by individuals with malicious intent.

3- BUILDING LAYERS OF DEFENSE

A network should implement multiple layers of security to protect its assets and data. If there is only one layer of security, a single attack can gain access to the network and compromise the company’s assets. A combination of structured layers can reduce the risk of a breach to a minimum and safeguard the corporate network from intruders who constantly try to gain control.

4- IT POLICIES

IT policies define the correct use of the equipment and the appropriate user behavior. IT admins explain the consequences of policy violations, but they also provide the means of communicating to users which policies are in place and how to comply with the general network security rules.

For example, a policy that deals with Internet and email use should describe what constitutes appropriate and inappropriate use of IT resources, along with the expectations employees should have concerning personal use of IT equipment and user privacy (e.g., management reserves the right to examine email, personal file directories, web access history, and other information stored on corporate computers, at any time and without notice). It should also describe the consequences of policy violations (e.g., an employee found to have violated the policy may be subject to disciplinary action, up to and including termination of employment).
5- MOBILE DEVICES

As explained in my post on part 1 of cybersecurity for small businesses, given the increasing relevance and use of smartphones and tablets in a corporate network, I recommend laying out a specific policy for mobile devices that stresses the importance of Mobile Device Management. MDM is an access control policy that prohibits certain apps in a corporate environment and monitors the use of those that are already installed on the smartphones. A policy related to mobile devices should also have provisions about reporting lost or stolen devices and rules about the approval of new devices that connect to the corporate network.

6- IT PERSONNEL AND STAFF TRAINING

Cybersecurity is a process that requires training two categories of users:

1) IT personnel: IT personnel need to be constantly up to date on the evolution of threats and on how to harden the IT systems used by the help desk as well as by regular employees. In this context, it is paramount to learn from reputable resources how to stay abreast of developments in cyberspace.

2) Employees: if employees are not trained to observe the security policies in place, they will end up being the weakest line of defense. Management should set up training for IT admins as well as for employees, who most of the time are unaware of the attacks perpetrated against a company network. Internet safety and email security are the first line of defense employees should learn about. The failure to provide IT security training and raise awareness increases the risk that users will not understand their responsibilities, putting the data and IT resources with which they have been entrusted at greater risk of unauthorized access, misuse, or abuse. For example, without training and awareness, employees may not understand how their Internet browsing could cause their computers to become infected with spyware that may compromise personal, private, or sensitive information.
The discussion about IT security and training should focus on the following matters:

If training and real-time alerts are made available to IT admins and users, the risk of compromising a network will become minimal, because everyone will get involved in training and display proactive behavior.

7- MORE IT WORK TO DO

A network that is really secure is one that properly identifies and locates all the devices in it. If a single device is not tracked and


How Changing DNS Can Improve the Security of Our Network

One of the main pillars of cybersecurity is DNS. The Domain Name System is an intangible element of the Internet. Every time we look something up on the Internet, DNS is activated and displays in our browser the website we are looking for. People use DNS thousands of times a day without even knowing it: every time a user connects to a website, opens an app on their phone, or updates software, their device queries DNS servers to find the IP address associated with the domain. Most organizations don’t bother to secure the DNS layer, but they should, and even home users should be able to make modifications in their network to secure DNS.

LEARN HOW TO ADD AN EXTRA LAYER OF SECURITY BY REPLACING THE DNS SERVERS IN YOUR BROWSER

In simple words, DNS works like a phone book: if you want to call someone, you check the phone book to get their phone number; similarly, if you want to open a website, DNS gives you the IP address for that website. To open a website, you need to know its server IP address, because computers only understand IP addresses and not domain names. But can you imagine if we were all forced to remember the IP address of every website we visit? That is impossible, and that’s why DNS kicks in: we just have to remember the domain name, and DNS resolves the IP address for that domain.

POTENTIAL ISSUES IF YOU OR YOUR IT DEPARTMENT DOESN’T SECURE YOUR DNS

The problem of not securing DNS stems from an old misconception that it would be enough to install an antivirus on your PC or Mac and your computer would be sufficiently protected. The second error is based on the conviction that the DNS servers configured in the routers of the major ISPs, such as the ones operating in Westchester, NY, and Connecticut (Optimum and Verizon), are safe enough and we should not be bothered changing the DNS in our routers.
As a matter of fact, there are DNS attacks that can redirect our Internet searches to places where we don’t want to be and where criminals live and prosper. Here are some of these DNS attacks:

1- DNS Hijacking: it occurs when cyber criminals hack DNS either by changing the DNS server address or by intercepting the communication between your device and the DNS server. After the hack, perpetrators replace the actual server IP address with that of their own site. For example, if you try to open google.com, you will be redirected to the hackers’ page, where fake advertisements or bogus websites will try to steal your confidential information.

2- DNS Spoofing and DNS Cache Poisoning: DNS spoofing is an attack in which the attackers spoof the DNS result without changing the DNS server settings on the end user’s computer; a typical DNS spoofing act is cache poisoning, or DNS poisoning. In DNS cache poisoning the attacker spoofs the DNS cache, redirecting the user to the malicious site. The DNS cache is used to speed up the DNS resolution process: when you open a website, its IP address is resolved by the DNS server and then stored in a DNS cache, so that you don’t have to contact the DNS server again. The next time you try to open the same website, the DNS cache stored on your computer quickly resolves the IP address, speeding up the whole process. Hackers can poison this cache by replacing the IP address, so you are directed to their malicious site instead of the actual site.

The difference between DNS spoofing and DNS hijacking is that DNS hijacking (aka DNS redirection) typically involves a malware infection that changes the DNS settings on the user’s computer. The malware replaces the DNS server address with a malicious one, so all DNS queries are sent to the hacker’s DNS server. DNS spoofing, on the other hand, is an act where hackers spoof the DNS records cached on your computer and use them to their own advantage.
HOW YOU CAN PROTECT YOUR NETWORK FROM DNS HACKING

1- Install a good antimalware product such as Malwarebytes. The reason I recommend Malwarebytes is that it has a free browser security plugin, Malwarebytes Browser Guard, which shields all the Internet searches you make and blocks the nasty popups that can lead to hijacking your DNS.

2- Use DNS Security: if you own or run a website, you should enable this feature, which enhances the security of DNS by using cryptographic keys. Basically, DNSSEC creates a chain of trust through cryptographic keys that cannot be spoofed or intercepted by criminals.

3- Change the default password of your router: as I have reiterated many times, I recommend avoiding the username admin anywhere in our network, but if you cannot change the word admin, create a very complex password made of multiple types of characters (minimum 10).

4- Use a VPN: a VPN allows you to browse the Internet securely, and the chances of getting hijacked are reduced to a minimum, because the VPN creates a safe tunnel between your searches and the VPN provider.

5- Use Secure DNS: if you are able to replace the DNS servers in your router with safe DNS servers such as Google Public DNS, Cloudflare, or Cisco OpenDNS, all the queries your network makes will be resolved to your browser after a check of trust is made by these much safer DNS servers. Here is the list of the main free public DNS providers:

I would just go with Google, Cloudflare, or OpenDNS and leave the others as a backup. The table above shows a primary address and a secondary address because DNS has to be redundant, that is, if the primary is unavailable, the secondary steps in, and vice versa.

WHAT PUBLIC DNS DON’T DO TO YOUR NETWORK

1- DNS


The Role of Human Factor in Spreading Malware

We all know that technology is made by people and for people, but bad technology is made by intelligent people to harm unaware people. Have you ever thought that at one end of a malware attack there are very sophisticated programmers, and at the opposite end there are people who barely know what a virus is and don’t know how to operate a computer safely? Malware usually does not target those who are in between, that is, people who are able to pay attention to how to stay safe online. The human factor in cybersecurity plays a huge role, and it is usually referred to with the expression “users’ education”. Companies are nowadays spending millions of dollars educating people about the risks involved in a cyber attack. The goal of a hacker is to find out where users are most vulnerable and access their network.

Read my articles about:

1- The first line of defense against ransomware for small businesses
2- If you are a residential user, learn what to do if you believe you have been hacked
3- Learn to take 7 proactive steps to protect your business in Westchester from malware

THE PORTS OF ENTRY OF A MALWARE CAMPAIGN: LEARN WHERE HACKERS GAIN A FOOTHOLD

As you can see, all these attacks were crafted by humans and targeted unaware humans. Elements that define users’ risk: what type of human behavior determines that the user is at risk? Ransomware is such a serious infection in that it can not only steal information from single users or corporations but can also weaken the infrastructure of services used every day. Attacks are getting more sophisticated than ever: think about the ransomware installed in the IT admin tool Kaseya that spread across the networks Kaseya and other IT admins were managing. It took weeks to remediate the issue, patch software and networks, and finally get rid of the infection. Hackers hide in the most unthinkable places and wait for their prey to come out: unbelievable.
Regular training that shows the latest tactics used by attackers is the best way to prevent networks from getting infected. As I have often said, security is a process and not a one-time task; the evolution of malware and its tactics should be used as a source of knowledge to educate system administrators and users on the dangers of such a fast-moving environment, where scopes and targets can rapidly change.

Unfortunately, as computers are getting more secure and giving hackers a hard time, mobile threats are now on the rise. Hackers know that we all use our mobile phones more than computers to conduct business and make payments. Text messages with infected links can grant access to our contacts and send spam messages using our phones, unbeknownst to us. Persuasive messages range from package delivery notifications to Amazon purchases.

The role of the cloud is also to be mentioned here. Hackers are using the cloud to host their malware and to create suspicious applications that can collect users’ behaviors before crafting an attack. This type of spyware is very sophisticated and is usually defeated in a corporate environment by whitelisting only a restricted number of applications users can use. For residential users, however, things can be a little more complicated, as their digital behavior is more permissive, but it will be sufficient to say at the moment that users should only download apps on their phones from the App Store and Google Play.

The pandemic has also made data loss prevention more difficult to track, and in 2021 we have seen an increase in insider threats. This table provided by Proofpoint shows that protecting computers’ and laptops’ USB ports can prevent hackers from leaking information to muddy environments:

I have posted an article with an interesting video detailing instructions on how to secure USB devices on Windows 10, but the main requirement is that, in order to do that, the machine needs to run Windows 10 Pro and not the Home version.
Human factors matter more than the technical aspects of an attack. Cyber criminals always look for what can be leveraged and for access that can be exploited. Regular training can help users spot malicious emails and bad links contained in bogus websites.


7 Steps to Protect a Small Business Network from Malware

A recent ransomware attack against the German newspaper Heilbronner Stimme raises questions about the security of its network and the role of IT people and users within that organization. As the infection kept spreading across devices, the newspaper reported that other subsidiaries of the German media group had been affected by the malware. The German company targeted by hackers is not the only victim of digital blackmail; more organizations will continue to be hit as long as ransomware evolves and companies do not harden the security of their systems. And the fact that it did not happen in Westchester, New York, New Jersey, or Connecticut does not mean that this story does not deserve our attention. According to the security company Spinbackup, the cost of data loss suffered by companies in 2021 was about 20 billion, a whopping 70% increase from the 11.5 billion reported in 2019.

A company is made not only of its executives and its employees but also of the IT technicians working in it, whether IT is outsourced or not. I consider the ransomware example that hit the European network a moment to ask myself what action the company took to foster a safer digital environment. Or, in more general terms, what is the role of network security in a medium-sized company? Let’s ask ourselves some questions so that we can try to find the right solution to the problem:

Hacking a network is a profitable business, and hackers will rarely hack a home network where there are 2 or 3 computers connected to the Internet. Hackers go where the money is: the most alluring targets for them are the healthcare, government, and financial sectors. So, what should a small business in Westchester do to protect its network, its assets, and its data? Also, does it cost a lot of money to protect a network from ransomware?
The answer is: it depends on its size, because licenses for software products go by user or batch of users. In this article, I am not going to give tips regarding networks that still have Windows 7 computers running, because I consider it silly. Don’t get me wrong: in my opinion, Windows 7 computers should only be used in a business network if they satisfy the following 2 conditions:

A) They are disconnected from the main network and are basically just used as typewriters, with no chance of sharing resources with other machines.

B) They are placed in another network after the help desk has segmented the network via a firewall or a network switch that supports VLANs.

Learn how to protect a small business network from malware with network segmentation

If I were called to secure a small business network, I would begin with educating users:

1- USERS’ EDUCATION: tech experts working for the company should educate users about the risk involved in welcoming risky actors doing social engineering and acting as impersonators. Social engineering is a type of attack that attempts to obtain sensitive information by engaging the target until the victim is deceived and a foothold is gained by the perpetrator. Impersonators, on the other hand, are people who claim to be people known to the users. Impersonators attempt to gain access to a network by exploiting the familiarity and confidence that users have with the people or companies they already know or do business with.

2- USE FIREWALLS IN THE MAIN OFFICE NETWORK: if the main headquarters are physically established in a place where users report for work every day, the office network should have a firewall that analyzes what each device does and what each application does. More advanced firewalls can scrutinize app behaviors and exclude other apps from the main network.
3- DESKTOP COMPUTERS AND LAPTOPS: users should log in to their devices with a standard account, and admin accounts should be reserved for administrators. If a user tries to download and install non-approved software, the standard account will not allow him/her to do that. Also, particular attention should be devoted to the deployment and monitoring of antivirus products and the protection of the browser because, as I have said many times, one of the main ports of entry for an infection is the Internet, the second being an infected email.

4- ZERO TRUST FOR USERS AND ADMINS AS WELL: users should not be able to run media that have not been previously authorized. For example, I would disable autorun and autoplay in the Windows control panel, as shown in this picture:

Flash drives should also be blocked from accessing the operating system. This video shows how to block access to flash drives on Windows 10 Pro (Windows 10 Home is not supported):

Admins, on the other hand, are not good admins if they use the username ADMIN to log in as administrators and disregard 2-factor authentication.

5- USE A VPN AS MUCH AS POSSIBLE: a virtual private network is a tunneling protocol that allows users to send their Internet traffic not through the main ISP but through a more secure connection that cannot be intercepted by prying eyes. Years ago, one of the main drawbacks of a VPN was that it slowed down your Internet traffic quite significantly, but nowadays many VPNs have solved this problem and offer decent speeds. A small disadvantage of a VPN, especially if corporate users are working from home, is that they won’t be able to use their home printer while connected to the VPN. Just turn it off for a minute or two (if your system administrator allows you to) and you can eventually print from your printer.

6- STORE LOCAL BACKUPS IN A SECURE PLACE: first of all, small business environments should have cloud backups.
Local backups should be made frequently, and when they are completed, they


Cybersecurity for Small Businesses Part 1

Cybersecurity is the branch of Information Technology that deals with minimizing cyber risk by increasing the protection of a business or organization. The actors that play the cyber role are:

Cyber and network security should first of all be considered with a holistic approach: if it’s true that the times of simply buying an antivirus are gone, network security is a process that gets improved over time, because businesses cannot lose the trust of their customers. For example, if a retailer is hit by a breach that handed credit card numbers to hackers, the retailer can regain the trust of its consumers by becoming, for example, a leader in adopting and enforcing new security standards.

If an employee clicks on an infected link in a malicious email, who do you think is at fault? The employee or the employer? I would say that the employer is to blame first, because I have seen too many cases of businesses running on Gmail, AOL, or Hotmail. You cannot run a business on an email service generally used by home users, because the security implemented for home users is not the same as the security features present in a business email service. Secondly, weak email security is the first port of entry into a network for spammers and hackers, who constantly scan networks in search of vulnerabilities to exploit. Furthermore, an employer who has taken the first steps towards securing the business emails should also have the IT team train users on how to avoid phishing, spam, and spoofing attacks. For example, business email providers such as Microsoft and Google Workspace have specific sections of their admin portal devoted to the topic of impersonation, which is one of the most successful attacks conducted by hackers.
Learn how to recognize spoofing emails by simply hovering with your mouse over the link: you will realize that the message you have just received is not really coming from the organization you believe sent it.

Securing a network also means establishing policies to authorize users and granting access only to the established users. For example, employees are not the only ones who access the network on a daily basis; vendors and contractors access systems in different ways. It’s up to the IT department to determine the level of trust towards external entities that do business within the main network. At the internal level, users should only have standard computer accounts and should all have multi-factor authentication and PIN numbers enabled for all the software that they use on a daily basis.

A good move is to segment the network: for example, if the main network has the IP range 192.168.1.1/254, with a firewall or a network switch that supports VLANs the IT people can isolate the main network and put more sensitive devices on another network, such as one with different octets, like 192.168.34.1/254. This way, if an intruder gets into one network, it cannot get into the other, because the networks differ from each other.

Consider also how mobile devices access the business network: if a BYOD device accesses the office network via Wi-Fi, it is recommended to give that device access to a network that has already been segmented, as discussed above. In addition, Mobile Device Management (MDM) is the part of IT security that deals with securing iPhones, Android phones, iPads, and tablets. MDM and VPN should be the way to go to secure a mobile device that connects to the business network.

Back to the devices that are enabled in the network: the IT department should regularly update the operating systems and third-party software.
For example, if you run Windows 10 or Windows 11 updates, you should also run Microsoft Office updates. Enabling automatic updates whenever possible will allow the help desk to work on more intensive security tasks. A further step towards reducing risk is the removal of unsupported hardware and software. If there are still machines running Windows 7, consider upgrading the computers to the current operating system, and if you still need to have that old machine in your network, put that computer in a segmented network so that its vulnerabilities will not reach newer devices located within the same network.
