Random SysAdmin Thoughts...

Adventures in DevOps and other random technical musings

Basic Security Practices

Sections: Passwords, AntiVirus, Firewall, Encryption, VPN

I recently had a friend ask me about basic “cyber-security” for their small business. When I say a small business, they are a one-person shop, but they handle some very personal information for their customers. While I was trying to compose a good human answer to this very generic question, it struck me that personal digital security isn’t any different from corporate security. The only real difference is whether you can outsource the technical components to the IT department or need to do it yourself. True security requires a mindset aimed at preventing exposure: not using systems for things they weren’t intended for, being very cautious about emails, and so on. Good digital hygiene is a habit that can be learned and takes time. However, here are a few tips and technologies to help.

Passwords

This is probably the most important thing I can recommend to anyone: change your passwords! All of them! This may seem like overkill, but it’s really important to prevent certain types of attacks. A simple example: if you are using the same password for your email and social media accounts and someone is able to compromise one, they are able to get into the other. Now imagine someone has access to your email. They could reset passwords on sites they currently don’t have access to, and they could peruse your messages for information about other sites you use and build a larger, more believable online presence as you.

It seems ridiculous at first glance to maintain and remember hundreds or more passwords, but there is a simple solution: use a password manager. I am a personal fan of LastPass, but any manager that allows access via mobile device, application and web, and also encrypts the data at rest, is good. I’m partial to LastPass because of these features and because it uses a browser plugin to create and fill in my passwords, so I never need to type a password when logging into a site.

I’m sure everyone has heard that complex passwords are needed and that a password should have a certain length and include numbers, letters, uppercase, etc., but such passwords are hard to generate and remember. With a password manager you don’t need to worry about any of these issues. It lets me create a complex password similar to b8RrNFstRJH!&WrVK*fVMrkmT92MKF for each account without any concern about memorizing or typing it.
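As an added illustration of the two points above (one unique, randomly generated password per account, and why reuse is dangerous), here is a small Python script that is not part of the original post: it generates passwords in the style of the sample above using the OS random source, and audits a constructed sample vault for passwords shared between sites, which is the same check a password manager’s security audit performs. The vault contents are made up for the example.

```python
import secrets
import string
from collections import defaultdict

# Character classes for generated passwords; the sample in the post
# (b8RrNFstRJH!&WrVK*fVMrkmT92MKF) mixes all four of these.
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 30) -> str:
    """Return a random password containing at least one lowercase letter,
    one uppercase letter, one digit and one symbol. The secrets module
    draws from the OS CSPRNG, unlike random(), which is predictable."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    while True:  # rejection sampling keeps the distribution uniform
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def find_reused_passwords(accounts: dict) -> dict:
    """accounts maps site name -> password. Return {password: [sites]} for
    every password used on more than one site (site lists sorted). Any hit
    is a pivot point: compromising one site hands over the others."""
    by_password = defaultdict(list)
    for site, password in accounts.items():
        by_password[password].append(site)
    return {pw: sorted(sites)
            for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault (not real credentials): the email and social
# accounts share a password, exactly the situation the post warns about.
SAMPLE_VAULT = {
    "email": "Summer2019!",
    "social": "Summer2019!",
    "bank": "b8RrNFstRJH!&WrVK*fVMrkmT92MKF",
}

if __name__ == "__main__":
    print("reused passwords:", find_reused_passwords(SAMPLE_VAULT))
    print("fresh password for a new account:", generate_password())
```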

Encryption

This is something I’m certainly not an expert at, but I can give some basic guidance. The first question you need to ask is: what are you protecting against? Are you protecting against your laptop being stolen, or against files and data being taken without your knowledge? This is significant because the answer to each of those is different and involves a different degree of complexity.

Hard Disk Encryption

If you are looking to protect your personal data in case someone steals your laptop from your car or office, this is what you are interested in. Whole-disk encryption makes your entire drive appear to be random bits of data. Anyone trying to read that data should not even be able to tell which parts are free space and which are files. This is built into current operating systems: Windows 10 calls it BitLocker, and Mac OS X uses FileVault. All you need to do is enable it and the system will encrypt the drive without your needing to do anything else.

Windows will present you with a backup (recovery) key. YOU NEED TO PROTECT THAT KEY. Print it out and lock it in a filing cabinet, or take a picture and keep it on your phone. If your computer’s boot environment changes, for example after certain updates, you will need to prove the drive is yours, and the only way to regain access is with that key. DON’T LOSE IT!

Mac users have a bit of an easier time - the key can be backed up to iCloud and protected that way.

File Level Encryption

This encrypts individual files or directories on your workstation, NOT the entire disk. It has the advantage of being very granular, but it also requires a bit more management to ensure proper security. It also doesn’t encrypt the file system structure or other parts of the files or filesystem, which could themselves contain confidential data (is the directory named after a client?). File-level encryption protects against someone getting access to your system and copying data from it while it is already running. That access could be gained physically or programmatically, such as through malware.

Firewalls

Every major operating system has a firewall built into it, and it should be enabled. Some applications will require exceptions to work properly, but as a general rule the firewall should be turned on and should limit incoming connections. If you have the option to install a hardware firewall for your network, I have two options I am partial to. If you are not afraid of getting your geek on, have some spare hardware and want to learn, I would recommend pfSense for its ease of installation and capabilities. You are getting a commercial-grade firewall for open-source prices.

That said, if you want commercial support and everything that goes with it, I would seriously consider the FortiGate 50E. It’s an enterprise-level firewall with support and is more than enough for the small office. It can also be combined with wireless, web filtering and much more, so if you don’t mind paying for it, I would consider this the way to go. (Disclaimer: it’s March 2019 as I write this; by the time you read it, something may have changed.)

AntiVirus

AntiVirus is the thing we all hate but need to have. There is no glamour in it, but it’s going to help keep us safe. For people who have fewer than ten systems, I would look at Sophos Home. There is a free component, but I would recommend purchasing the whole thing. I would also combine it with FortiClient, which will scan your systems for known vulnerabilities. The two combined offer a reasonable solution for a great price.

VPN

What do you do when you’re working from Starbucks, a shared office space or some other open wireless access point? You certainly don’t send your traffic over the airwaves unencrypted. Use a VPN service. This will tunnel all your traffic to the endpoint, rendering it unreadable to anyone on the local network or anywhere between you and the VPN termination point. Proton VPN is my personal favorite. They are based in Switzerland and don’t log traffic, so there are no logs for anyone to steal or request. Additionally, they have endpoints in multiple countries, so if you need or want to change your connection point it’s extremely simple. There is even the option of connecting your firewall to them so that all traffic from your local network is tunneled out. This is useful to prevent your ISP from spying on or tampering with your traffic. (Yes, this is now legal in the US.)

Conclusion

I know this was a long post and there is a lot I didn’t cover but I’m hoping that people find it useful and learn from it. If you have any comments, questions or suggestions send me a message on Twitter and I’ll be happy to reply.

Cheers