Case Study – Ourselves!

As the saying goes, sharing is caring, but first some background. Most of our infrastructure has been in the cloud for close to ten years, e.g. email, security and management consoles. Early on, our endpoints were domain-joined, but that proved cumbersome as we spent the majority of our time off-LAN, working remotely or at customer sites. As cybersecurity service providers we lead by example and make a point of using the same technologies and tools that we recommend for our customers.

Our core endpoint security consists of several tools and layers. We’ll start from the foundation and work our way up the stack:

  • Trapezoid FIVE – If you can’t trust the hardware, how can you trust the software? Firmware is everywhere, from laptops to IoT devices to datacenters to the cloud, and firmware integrity is even part of the NIST Cybersecurity Framework. Using Trapezoid FIVE, we monitor the BIOS of our systems for unauthorized changes.
  • OpenDNS Umbrella – Specifically the Roaming Client, which provides security management and reporting from the endpoint, network, and web perspectives. Our systems benefit from the same Community Threat Intelligence feeds that we provide for our customers.
  • CylancePROTECT – All modules are fully enabled and enforced. File security is set to Auto Quarantine with Execution Control, so files are examined before they execute. Memory violations are terminated. The CylancePROTECT services and applications are protected against tampering. The Application Control module is enabled and prevents creating or even saving an unauthorized application (Portable Executable, or PE) file, let alone running it. ScriptControl is fully enabled and blocks unauthorized ActiveScript, PowerShell scripts, and MS Office macros from running. Objectively, fully locking down scripts was the hardest aspect, but it is critical for the prevention of file-less malware. Lastly, the Device Control module allows the use of authorized devices only.
  • CylanceOPTICS – The OPTICS endpoint detection and response (EDR) tool is deployed with a custom-developed ruleset that also aligns with the MITRE ATT&CK Framework.
  • OPSWAT MetaDefender Cloud – All web downloads are scanned with over 35 antimalware engines in the MetaDefender Cloud system.
  • HerdProtect – As CylancePROTECT’s file analysis covers only Portable Executable (PE) files, we also regularly scan our endpoints with HerdProtect’s 68 independent antivirus scanners. This ensures an explicit check of data files such as MS Office documents, Adobe PDFs, and image files.
  • McAfee GetClean – We have a long relationship with McAfee and continue to work with the company, notably with the Joint Development Program. We use this tool to help provide McAfee with information on known clean system images and files.
  • DUO Beyond – Authentication to our local systems requires multifactor authentication using DUO. In addition to requiring MFA, we are also enabling YubiKey hardware security keys wherever possible.
  • BitLocker – All local volumes are fully encrypted using Windows BitLocker.
  • Windows and application updates are installed within one month of release. Patch status is monitored primarily with Patch Manager Plus Cloud, and also with DUO’s Device Health application.
  • RoboForm Everywhere manages my passwords. I’ve been using it for a very long time. LastPass is another popular option. We never save passwords in browsers.
  • User accounts never have administrative rights – not now, not next November, never! Check out the latest BeyondTrust report on Microsoft vulnerabilities.
  • Device management is performed using several tools and layers, depending on the individual device’s specifics. Cisco Meraki’s MDM system is the most common, and the ability to manage our own systems as well as customers’ systems, firewalls, switches, and wireless devices with it is simply more efficient.
  • Finally, our online presence, or our digital risk, is monitored using a combination of open-source tools like Google Alerts as well as commercial deep/dark web monitoring tools, including but not limited to Digital Shadows and SpyCloud.
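
The CylancePROTECT and HerdProtect items above turn on the distinction between Portable Executable (PE) files and data files. The following is an added example, not code from this page or from any of the products listed: it decides whether a file is a PE from its headers (the `MZ` DOS header, the `e_lfanew` pointer at offset 0x3C, the `PE\0\0` signature and the COFF header) rather than from its extension, and walks a directory tree flagging executables hiding behind a data extension and the reverse. The sample header it builds is constructed for the demonstration and contains no code. A header check like this is a far weaker guarantee than an enforcing agent that hooks file creation, and it says nothing about scripts or macros, which is exactly why the stack above layers ScriptControl and a multi-engine scan on top.

```python
"""Added example: tell a Portable Executable from a data file by its headers, not its extension."""
import os
import struct
from typing import Optional

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi"}
# COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
COFF_HEADER = "<HHIIIHH"


def classify_pe(data: bytes) -> Optional[dict]:
    """Return machine/section/kind facts if `data` begins a PE image, otherwise None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, _, characteristics = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    return {"machine": MACHINES.get(machine, hex(machine)),
            "sections": nsections,
            "kind": "dll" if characteristics & IMAGE_FILE_DLL else "exe"}


def read_head(fh) -> bytes:
    """Read just enough of an open binary file to run classify_pe on it."""
    head = fh.read(0x40)
    if len(head) < 0x40 or head[:2] != b"MZ":
        return head
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    if e_lfanew > 0x10000:          # implausible header offset; treat as not a PE
        return head
    fh.seek(0)
    return fh.read(e_lfanew + 24)


def verdict(filename: str, data: bytes) -> Optional[str]:
    """Flag executables hiding behind data extensions, and 'executables' that are not PE at all."""
    ext = os.path.splitext(filename)[1].lower()
    is_pe = classify_pe(data) is not None
    if is_pe and ext not in PE_EXTENSIONS:
        return "pe-with-data-extension"
    if not is_pe and ext in PE_EXTENSIONS:
        return "non-pe-with-exe-extension"
    return None


def scan_dir(root: str) -> list:
    """Walk a directory tree and return (path, verdict) for every mismatch found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = read_head(fh)
            except OSError:
                continue
            v = verdict(name, data)
            if v:
                findings.append((path, v))
    return findings


def make_sample_pe(dll: bool = False) -> bytes:
    """Constructed 88-byte PE header (DOS stub + signature + COFF header only; it contains no code)."""
    characteristics = 0x0022 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack(COFF_HEADER, 0x8664, 3, 0, 0, 0, 0xF0, characteristics)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    print(classify_pe(make_sample_pe()))                       # {'machine': 'x64', 'sections': 3, 'kind': 'exe'}
    print(verdict("quarterly_report.pdf", make_sample_pe()))   # pe-with-data-extension
    print(scan_dir("."))
```

Run it against a downloads folder to see how often the extension and the content disagree; a `.pdf` or `.jpg` that classifies as a PE is exactly the kind of file the Application Control module refuses to let land on disk.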

The commonly stated trade-offs for security are performance and convenience. As security is our business, it cannot be compromised for convenience. That said, if I really had to nitpick, the one area that might be considered inconvenient is the authentication process with MFA. In reality, the few extra seconds required to use the DUO app on our phones are trivial. Technology is constantly evolving and we’re always looking at ways to improve.

As for performance, we have long believed in making the right investments in computing devices up-front. We favor business-class computers, currently the HP ZBook workstations. We also made the switch to solid-state drives (SSD) ten years ago and haven’t looked back. My current system is a five-year-old HP ZBook 14 G2 with dual SSDs and 16GB RAM. It runs as well now as the day I purchased it. Only when I am simultaneously running several virtual machines do I long for more RAM. More recent models like the ZBook 15u support 32GB RAM. Over time that too will improve. The longevity is partially due to the choice of hardware (platform, RAM, SSD) and partially due to our carefully curated security stack.

Bonus Tip: An easy way to improve the performance of a Windows system running on a standard hard disk is to plug in a USB key and enable ReadyBoost. This nifty feature has been around since Windows Vista and does a really good job of improving performance (Windows will not offer it on a system that already boots from an SSD, since the SSD is faster than the cache). Note that you should format and dedicate this key to the computer and not use it for moving files around; the cache Windows writes to it is AES-encrypted, so a lost key does not leak your data. A small, high-speed 16GB key is ideal and can be connected to a USB port somewhere on the back or side, where it will be out of the way and you won’t be tempted to remove it.

I hope you found this information useful. If you have any questions about the information provided, please do not hesitate to contact me.

Home Cybersecurity & Privacy Tips

  1. Trust but Verify – You are the best weapon against cybercrime in all of its forms. Being highly skeptical of the latest email or social media post about miracle cures or sensationalized current events will go a long way. If you receive an email from work or a friend, particularly if you end up on a web page that is asking for your credentials, stop! Take a few minutes to verify that this is legitimate. Take a break while you give them a voice or video call.
  2. Updates – As painful as it can be, updates really do serve a purpose. In addition to Windows or Mac updates, do remember to update Google Chrome, Firefox, and any other browsers you may use. If you have to use apps like Java, make sure you keep up with those as well (Adobe Flash reached end of life at the end of 2020 and should simply be uninstalled). It is safest to perform the updates from within the application itself as opposed to searching for the updates online, as there are many websites dedicated to distributing fake updates. In fact, this would be a great time to uninstall all those 3rd-party tools that are bloating your system. If it isn’t installed, you don’t have to update it. Lastly, do remember to update the firmware in things like wireless routers and access points, as well as the BIOS of your computers.
  3. Change Default Passwords – If you use default passwords, you can’t claim to have been hacked! That would be like leaving the front door open and claiming you were robbed.
  4. Be a User, Not an Administrator – Keep your computer’s admin account separate from your everyday user account. It is all too easy to set up your user account as an administrator. Just don’t! Over the last five years, 88% of the Critical vulnerabilities published by Microsoft were mitigated by the removal of admin rights. Yes, you read that correctly – 88%! Removing admin rights does not mean that you can’t make changes to your own system. It just means that there will be an extra step to verify that you really want to make the change. I haven’t been an admin on my own computers in well over 10 years! Create a separate account used for tasks like installing applications. When a change is necessary, you’ll simply be prompted to enter that account’s username and password. Boy, do I have stories about admins making mistakes on their own systems…
  5. OpenDNS – As most of you know, we have been advocates of the OpenDNS platform for a long time as a Managed Security Service Provider. As a home user, you too can benefit from their tools for free. You simply have to point your computer at their DNS servers (208.67.222.222 and 208.67.220.220). Better yet, reconfigure your home router to do this so that all of your home devices benefit from the protection. You don’t even have to sign up for anything! If you have young children in the household, you can instead use their FamilyShield servers (208.67.222.123 and 208.67.220.123), which filter adult content as well. For those seeking a bit more control, you can subscribe to one of their paid plans. https://www.opendns.com/home-internet-security.
  6. Web Of Trust – I have always liked a hybrid approach to security, mixing commercial and community-driven security tools. Web of Trust is a great browser add-on that helps keep your web surfing safe and away from malicious or suspicious web sites. It is a free add-on for Chrome, Firefox, and other browsers, even mobile platforms. Like any reputation service, the add-on has to send the addresses you visit to its servers in order to rate them, so read its current privacy policy before installing. https://mywot.com
  7. AdBlock Plus – Not only are ads annoying, but they often harbor malicious content. This free browser add-on does a good job of suppressing the ads found on many websites and can actually speed up page loads. You may need to make exceptions for reputable news sites if you are actively keeping up with current events. https://adblockplus.org/
  8. Separate Your WiFi – Creating separate WiFi networks for work, home, and other devices is a really easy and fast way to reduce your risk. Most routers support four or more networks, so you can keep things separate – particularly any non-computer devices like smart TVs, door and security cameras. All those other devices are just computers hidden away in a different box and just as susceptible to being compromised as your computer. Did you ever hear about the clothing irons that were used to distribute malware and hack WiFi networks?
  9. Separate Your Email Accounts – If you have been an Internet citizen for a while like me, you are likely to have that one email address that you’ve used for everything from email to GeoCities, MySpace, AIM, Amazon, eBay, banking, Facebook, Twitter, Snapchat, and some newfangled thing called TikTok. By using a single address, you are at a greatly increased risk of having that email account compromised and losing access to all those linked systems. An easy way to start reducing this risk is to create an email account for social media, newsletters, and promotions. Gmail, Outlook, Yahoo, and even AOL are good options for this and are free. You can later create a separate account for financial transactions. Oh, and please don’t use the same password for each of these!
  10. Multifactor Authentication – Without getting into a discussion of good passwords and password managers, most modern online services support some form of additional authentication factor. This might be a text message to your phone (my least favorite method, as it is susceptible to SIM-jacking or SIM-swapping). A better option, if possible, is an authenticator app such as Google or Microsoft Authenticator. This additional factor is further protected because, you are a good person, and good people secure their devices with passcodes or biometric security. Subliminal messages are fun! Once set up, these apps provide you with codes that you have to enter in addition to your password in order to access a resource. While not invulnerable to compromise (a phishing page can ask for the code and relay it to the real site within the same minute), these do help and can also alert you to a hacker trying to use your credentials somewhere. Also, turn on and pay attention to the account alerting options prevalent in most services. If you see connections coming from another country at an unexpected time, you might want to be concerned!
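
Tip 10 says an authenticator app "provides you with codes"; it helps to see where those codes come from. What follows is an added example, not code from this post or from Google or Microsoft Authenticator: a from-scratch implementation of the open standards those apps use, HOTP (RFC 4226) and TOTP (RFC 6238), plus the server-side check a service performs. The shared secret is the RFC 6238 test key, constructed for the demonstration, not a real account. The verifier shows two things a practitioner wants and the tip only hints at: a small tolerance window for a phone clock that is a few seconds off, and a refusal to accept a code more than once, so a code harvested by a phishing page and replayed a moment later fails.

```python
"""Added example: how an authenticator app derives its codes (RFC 4226 HOTP / RFC 6238 TOTP)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC the 8-byte big-endian counter with the shared secret, then truncate to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation: low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by the number of 30-second steps since the Unix epoch."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algo)


def decode_base32_secret(encoded: str) -> bytes:
    """Secrets are shared as base32 (the otpauth:// QR code); tolerate spaces, lowercase and missing padding."""
    cleaned = encoded.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, now: int, last_used_step: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the time step that matched, or None.

    - accepts the current step plus/minus `window` steps so a slightly skewed phone clock still works
    - refuses any step <= last_used_step so a code captured by a phisher cannot be replayed
      (the caller persists the returned step per user and passes it back on the next attempt)
    - compares in constant time
    """
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return None
    current = now // step
    for drift in range(-window, window + 1):
        candidate_step = current + drift
        if candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits), submitted):
            return candidate_step
    return None


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key), not a real account.
    demo_secret = b"12345678901234567890"
    print("code right now:", totp(demo_secret))
    print("RFC 6238 vector, T=59, 8 digits:", totp(demo_secret, 59, digits=8))   # 94287082
    step = verify_totp(demo_secret, totp(demo_secret), int(time.time()))
    print("accepted at step", step, "; replay accepted:",
          verify_totp(demo_secret, totp(demo_secret), int(time.time()), last_used_step=step))
```

Note what the replay check does and does not buy you: it stops a second use of the same code, but a real-time phishing relay that forwards the first use within the same 30-second step still succeeds, which is why the FIDO/YubiKey-style keys mentioned in the first half of this post are the stronger option.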

What do you think?

Wellness While Working From Home

Having spent the majority of the last ten years working remotely, I thought I would share a few personal wellness tips that have worked for me.

1. Take regular breaks and get away from the computer. Even if this means setting an hourly timer, get up and walk around for a few minutes, stretch, get some fresh air, or play with your pet.

2. Try your best to operate in a separate workspace; an office is ideal. If you can’t, and have to work in a common area, consider putting everything away at the end of the workday. Resist the temptation to be continuously working.

3. Stay active. If you’re used to going to the gym or playing a sport (like tennis for me!), don’t give up on fitness. The 7 Minute Workout is a great way to stay active and can easily be done indoors. It’s actually a great way to start the day. Yes, there is a free app for it too!

4. Watch your caffeine intake. Most everyone knows I love my coffee, but over time I have learned to manage my intake and now limit myself to no more than four coffees a day, usually three. At some point my body is no longer going to tolerate it, so by reducing my intake I’m hopefully prolonging my enjoyment. I really don’t get diet coffee, i.e. decaffeinated!

5. Stay hydrated. My rule of thumb is to simply drink a glass of water every time I have a cup of coffee. Your mileage will vary, but this is an easy way to counteract the dehydrating effects of coffee.

6. Give your eyes a break. Blink more and use eye drops. We have a tendency to blink less the longer we stare at a screen. I’m a fan of the Similasan Dry Eye Relief drops. They also have a Complete Eye Relief formula, but I have never used it.

7. Lastly, keep connected. Make a point of regularly speaking to your family, friends, colleagues, and peers. This means more than just email or text messages; try a video call. Social interaction is healthy.

Do you have a tip you would like to share? Let us know!