#MetricsMonday (001) – What’s Connected? (Part 1)

To kick things off, let's start with a fundamental aspect of cybersecurity, Enterprise Asset Management. We'll keep it simple by initially focusing on our local networks.

How many devices do you have in your organization? Is 100 a good number? Probably not if you're only a five-person office. If you have a 100-person office, that number starts to make more sense. But if you have a 1,000-person office, 100 managed systems is a little short. If you don't know what's connected to your network, how can you expect to manage and secure it?

For argument's sake, say you operate a Windows Active Directory environment, and all user systems are domain-joined so that they can access shared resources. In general terms, domain-joined systems are manageable and non-domain systems are not. A managed system has central policies and settings applied, and carries less risk from rogue applications or misuse. Business people understand risk: less risk is good, and more risk is bad.

So the number of domain-joined systems makes sense as a metric, but do you have well-executed asset management practices? When a system is rebuilt or replaced, are the old computer accounts explicitly removed? Tracking the number of active domain-joined systems starts to make more sense. Now you need to define a threshold for what qualifies as active. Allowing for time off work, let's say that systems are expected to be used at least once every two weeks. Of course, you'll want a procedure to handle someone on extended leave. Perhaps just booting the system or performing a wake-on-LAN call will suffice. Up until now we've been focused on user systems, but don't forget that you need to count your servers as well. If you're an SMB/SME you can probably consolidate the numbers but if you're large enough to have separate IT server and desktop teams, it might make more sense to retain separate accounting.

So now we have some metrics that are starting to be useful:

  • # of managed systems
  • # of active systems
  • % of active / managed systems

But wait, do you see the blind spot? What about unmanaged systems? Having 100% active systems is great, but if you have unmanaged / unknown devices in your environment, that's bad, right? Of course, computers aren't the only things we have on our networks. We can expect to see network devices such as switches, routers, firewalls, wireless access points, security cameras, and even devices from third parties. Let's generalize and group these into a single category of known devices. If you've been following along, you know that the next logical item is the number of unknown devices, which I'll affectionately refer to as rogue devices.

  • # of known devices
  • # of rogue devices

Let's distill these and consider how each of these metrics directly corresponds to a clear risk factor. Keep in mind that these can be applied to an entire organization or to individual business units.

  • % of active vs inactive systems - Minimize inactive to reduce risk
  • % of managed vs unmanaged systems - Minimize unmanaged to reduce risk
  • % of known vs rogue devices - Minimize rogue to reduce risk

The last part of this initial puzzle is to establish a comfort threshold or risk appetite for these. I like 5% as a threshold because even in larger Caribbean environments, the list of offenders is manageable. For example, in a 1,000 device environment, tracking down 50 rogue systems is quite achievable in a short period of time. In specialized environments, such as the industrial SCADA/OT/ICS part of a power plant, that risk appetite is going to be much lower, or even nil.
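As an added example (not code from the original post), the script below computes the counts and ratios described above from a constructed asset inventory and a constructed set of identifiers observed on the network, applies the two-week activity window, and flags any ratio that exceeds the 5% risk appetite. The `Asset` schema, the hostnames and the dates are all invented for illustration; where this data actually comes from in a real environment is the subject of Part 2.

```python
# Added example, not from the original post: asset metrics from a
# constructed inventory. Python 3.8+, standard library only.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

ACTIVE_WINDOW_DAYS = 14   # a system should be seen at least once every two weeks
RISK_APPETITE = 0.05      # the 5% comfort threshold from the post
REPORT_DATE = date(2024, 3, 4)  # constructed "today" so the example is reproducible


@dataclass(frozen=True)
class Asset:
    """One inventory entry (hypothetical schema, chosen for this example)."""
    ident: str                       # hostname or MAC, whatever the inventory keys on
    kind: str                        # "system" (PC / server) or "device" (switch, AP, camera...)
    managed: bool = False            # domain-joined / under central policy
    last_seen: Optional[date] = None  # last logon or last sighting; None means never


# Constructed sample inventory: what we *think* is on the network.
INVENTORY = [
    Asset("PC-ALICE", "system", managed=True, last_seen=date(2024, 3, 1)),
    Asset("PC-BOB", "system", managed=True, last_seen=date(2024, 2, 25)),
    Asset("PC-OLDBUILD", "system", managed=True, last_seen=date(2023, 11, 4)),  # stale account
    Asset("SRV-FILE01", "system", managed=True, last_seen=date(2024, 3, 3)),
    Asset("MAC-DESIGN", "system", managed=False, last_seen=date(2024, 3, 2)),   # not domain-joined
    Asset("SW-CORE01", "device"),
    Asset("AP-LOBBY", "device"),
    Asset("CAM-FRONTDOOR", "device"),
]

# Constructed sample of identifiers actually observed on the network
# (in practice: DHCP leases, switch MAC tables, a scanner, etc.).
SEEN_ON_NETWORK: Set[str] = {
    "PC-ALICE", "PC-BOB", "SRV-FILE01", "MAC-DESIGN",
    "SW-CORE01", "AP-LOBBY", "CAM-FRONTDOOR",
    "ANDROID-7F3A", "RASPBERRYPI",   # not in the inventory -> rogue
}


def ratio(part: int, whole: int) -> float:
    """Fraction of `whole` that is `part`; 0.0 when there is nothing to count."""
    return part / whole if whole else 0.0


def compute_metrics(inventory: Iterable[Asset], seen: Set[str], today: date,
                    window_days: int = ACTIVE_WINDOW_DAYS) -> Dict[str, object]:
    """Return the counts and the three risk ratios from the post."""
    cutoff = today - timedelta(days=window_days)
    systems = [a for a in inventory if a.kind == "system"]
    managed = [a for a in systems if a.managed]
    active = [a for a in managed if a.last_seen is not None and a.last_seen >= cutoff]
    known_ids = {a.ident for a in inventory}
    rogue = sorted(seen - known_ids)          # seen on the wire but unknown to us
    return {
        "managed_systems": len(managed),
        "active_systems": len(active),
        "known_devices": len(known_ids),
        "rogue_devices": len(rogue),
        "rogue_list": rogue,
        "inactive_list": sorted(a.ident for a in managed if a not in active),
        # the three ratios to minimize
        "inactive_ratio": ratio(len(managed) - len(active), len(managed)),
        "unmanaged_ratio": ratio(len(systems) - len(managed), len(systems)),
        "rogue_ratio": ratio(len(rogue), len(known_ids) + len(rogue)),
    }


def over_appetite(metrics: Dict[str, object], appetite: float = RISK_APPETITE) -> List[str]:
    """Names of the ratios that exceed the risk appetite and need follow-up."""
    return [k for k in ("inactive_ratio", "unmanaged_ratio", "rogue_ratio")
            if metrics[k] > appetite]


if __name__ == "__main__":
    m = compute_metrics(INVENTORY, SEEN_ON_NETWORK, REPORT_DATE)
    for key, value in m.items():
        print(f"{key:>16}: {value}")
    print("over appetite:", over_appetite(m))
```

With the sample data, one of four managed systems is inactive (25%), one of five systems is not domain-joined (20%), and two of ten devices seen on the network are rogue (20%), so all three ratios land over the 5% appetite and the `rogue_list` and `inactive_list` give the follow-up queue. Running it per business unit is just a matter of filtering the inventory before calling `compute_metrics`.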

TIP: For larger organizations, regularly sharing and comparing the metrics of different business units can help encourage cooperation and support!

Now, how and where do we get this data? That's the proverbial million dollar question, which we'll discuss in Part 2!

Image Source: Adobe Firefly Generative AI

#MetricsMonday (000) – Metrics, We Don’t Need No Stinkin’ Metrics!

Security starts with visibility. Great, I see some trending data but is that good or bad?

You can't manage what you can't measure. Is what we are doing effective? Is what we're doing even useful?

We've all heard these nuggets of wisdom before. And yet with the ever increasing pace of change, complexity, and demands of daily life, it's easy to get stuck in the weeds and neglect metrics and reporting.

Without good metrics, how do we know if we're doing a good job? Without good metrics, how do we justify our time and investment in a product or service? How can we demonstrate that we need more resources such as budget or staff? Worst of all, without meaningful metrics, how do our businesses understand and recognize the value of cybersecurity?

So what metrics should we report? The number of blocked network threats is always good eye candy, and so is the number of rejected emails. Do any of these matter to the business? Maybe, if the blocked network traffic negatively impacted a business function. The same goes for blocking emails. These might be more useful to performance management than to cybersecurity, so what to do?

Follow our #MetricsMonday series, where we explore cybersecurity metrics with the aim to develop a set of meaningful metrics that directly map to cybersecurity and most importantly, to business outcomes.

So welcome aboard, we're glad you're here.

Image Source: Adobe Firefly Generative AI

Home Cybersecurity & Privacy Tips

  1. Trust but Verify – You are the best weapon against cybercrime in all of its forms. Being highly skeptical of the latest email or social media post about miracle cures or sensationalized current events will go a long way. If you receive an email from work or a friend, particularly if you end up on a web page that is asking for your credentials, stop! Take a few minutes to verify that this is legitimate. Take a break while you give them a voice or video call.
  2. Updates – As painful as it can be, updates really do serve a purpose. In addition to Windows or Mac updates, do remember to update Google Chrome, Firefox, and any other browsers you may use. If you have to use apps like Adobe Flash or Java, make sure you keep up with those as well. It is safest to perform the updates from within the application itself as opposed to searching for the updates online. There are many websites dedicated to distributing fake updates. In fact, this would be a great time to uninstall all those third-party tools that are bloating your system. If it isn’t installed, you don’t have to update it. Lastly, do remember to update your firmware in things like wireless routers and access points, as well as the BIOS of your computers.
  3. Change Default Passwords – If you use default passwords, you can’t claim to have been hacked! That would be like leaving the front door open and claiming you were robbed.
  4. Be a User, Not an Administrator – Keep your computer’s admin account separate from your everyday user account. It is all too easy to set up your user account as an administrator. Just don’t! Over the last five years, 88% of the Critical vulnerabilities published by Microsoft were mitigated by the removal of admin rights. Yes, you read that correctly – 88%! Removing admin rights does not mean that you can’t make changes to your own system. It just means that there will be an extra step to verify that you really want to make the change. I haven’t been an admin on my own computers in well over 10 years! Create a separate account used for tasks like installing applications. When a change is necessary, you’ll simply be prompted to enter the necessary username and password. Boy, do I have stories about admins making mistakes on their own systems…
  5. OpenDNS – As most of you know, we have been advocates of the OpenDNS platform for a long time as a Managed Security Service Provider. As a home user, you too can benefit from their tools for free. You simply have to change your computer to point at their DNS servers (208.67.222.222 and 208.67.220.220). Better yet, reconfigure your home router to do this so that all of your home devices benefit from the security. You don’t even have to sign up for anything! If you have young children in the household, you can also use their FamilyShield servers, which filter adult content as well. For those seeking a bit more control, you can subscribe to one of their paid plans. https://www.opendns.com/home-internet-security.
  6. Web Of Trust – I have always liked a hybrid approach to security, mixing commercial and community-driven security tools. Web of Trust is a great browser add-on that helps keep your web surfing safe and away from malicious or suspicious web sites. It is a free add-on for Chrome, Firefox, and other browsers, even mobile platforms. https://mywot.com
  7. AdBlock Plus – Not only are ads annoying, but they often harbor malicious content. This free browser add-on does a good job suppressing the ads found on many websites and can actually improve your Internet speeds. You may need to make exceptions for your reputable news sites if you are actively keeping up with current events. https://adblockplus.org/
  8. Separate Your WiFi – Creating separate WiFi networks for work, home, and other devices is a really easy and fast way to reduce your risk. Most routers support four or more networks so you can keep things separate – particularly any non-computer devices like smart TVs, door, or security cameras. All those other devices are just computers hidden away in a different box and just as susceptible to being compromised as your computer. Did you ever hear about the clothing irons that were used to distribute malware and hack WiFi networks?
  9. Separate Your Email Accounts – If you have been an Internet citizen for a while like me, you are likely to have that one email address that you’ve used for everything from email, to GeoCities, MySpace, AIM, Amazon, eBay, banking, Facebook, Twitter, Snapchat, and some newfangled thing called TikTok. By using a single address, you are at a greatly increased risk of having that email account compromised and losing access to all those linked systems. An easy way to start reducing this risk is to create an email account for social media, newsletters, and promotions. Gmail, Outlook, Yahoo, and even AOL are good options for this and are free. You can later create a separate account for financial transactions. Oh, and please don’t use the same password for each of these!
  10. Multifactor Authentication – Without getting into a discussion of good passwords and password managers, most modern online services support some form of additional authentication factor. This might be a text message to your phone (my least favorite method, and susceptible to SIM-jacking or SIM-swapping). A better option, if possible, would be to use an authenticator app such as Google or Microsoft Authenticator. This additional factor is further protected because you are a good person, and good people secure their devices with passcodes or biometric security. Subliminal messages are fun! Once set up, these provide you with codes that you have to enter in addition to your password in order to access a resource. While not invulnerable to compromise, these do help and can also alert you to a hacker trying to use your credentials somewhere. Also, turn on and pay attention to the account alerting options prevalent in most services. If you see connections coming from another country at an unexpected time, you might want to be concerned!

What do you think?

Wellness While Working From Home

Having spent the majority of the last ten years working remotely, I thought I would share a few personal wellness tips that have worked for me.

1. Take regular breaks and get away from the computer. Even if this means setting an hourly timer, get up and walk around for a few minutes, stretch, get some fresh air, or play with your pet.

2. Try your best to operate in a separate workspace; an office is ideal. If you can’t and have to work in a common area, consider putting everything away at the end of the workday. Resist the temptation to continuously be working.

3. Stay active. If you’re used to going to the gym or playing sport (like tennis for me!) don’t give up on fitness. The 7 Minute Workout is a great way to stay active and can easily be done indoors. It’s actually a great way to start the day. Yes, there is also a free app for it too!

4. Watch your caffeine intake. Most everyone knows I love my coffee but over time, I have learned to manage my intake and now limit myself to no more than four coffees a day, usually three. At some point my body is no longer going to tolerate it, so by reducing my intake, I’m hopefully prolonging my enjoyment. I really don’t get diet-coffee, i.e. decaffeinated!

5. Stay hydrated. My rule of thumb is to simply drink a glass of water every time I have a cup of coffee. Your mileage will vary, but this is an easy process to counteract the dehydrating effects of coffee.

6. Give your eyes a break. Blink more and use eye drops. We have a tendency to blink less the longer we stare at a screen. I’m a fan of the Similasan Dry Eye Relief drops. They also have a Complete Eye Relief formula, but I have never used it.

7. Lastly, keep connected. Make a point of regularly speaking to your family, friends, colleagues, and peers. This means more than just email or text messages; try a video call. Social interaction is healthy.

Do you have a tip you would like to share? Let us know!