IT Security and Fear Mongers Who Prey Upon You
When it comes to IT security, everyone likes to hear that they are protected, but they do not really understand how. Security is on every business owner’s and personal user’s mind, both the physical security of their building or house and the digital security of all their computer assets. Physical security is well known to all – lock your doors, set the alarms, make sure windows and all outside points of entry are secured. What is not well known to all is that the same holds true when working in networks and the digital world – lock your network doors, set network alarms and make sure the outside points of entry to your network are secured. How do you make this happen? The following will help you understand what you will need and why.
Locking the Doors
The first stage of securing any network is to lock the doors, and this is done through a firewall. This can be both hardware and software. It is the main entry point into your network from the outside world of the internet, so spending a little bit of money to make sure it is secured is highly recommended. Internet traffic enters and exits this unit first. The data that is transferred travels in units called packets. These packets contain information that can be used to compromise the security of your network, and your firewall will scan them looking for malicious software. Different firewalls have different methods of scanning packets and detecting threats. Firewalls also give you full control over what types of traffic you want to allow through.
While most businesses will have a more managed solution, home users will have a router that is provided by their internet provider. This router is your firewall: the main door into your home network. Each computer on your network is using this doorway to send and receive information.
Setting the Alarm
Every computer that has Microsoft Windows installed has a software firewall and an anti-malware program on it, known as Windows Firewall and Windows Defender. This is the most basic form of protection provided by Microsoft. It is somewhat effective but by no means secure. That is why we install another program, anti-virus and anti-malware software. This is a more in-depth approach to stopping malicious software from compromising your network or computer. Different levels of this type of software exist, from the very granular to the set-it-and-forget-it. Most attacks will come from email and compromised websites: for example, an email that looks like it is from someone you know but contains a link or file designed to trick you into clicking it. If you are a clicker (a person who pays no attention and just randomly clicks on any link), then you need a robust piece of anti-virus, anti-malware and anti-ransomware software to help protect your system.
Outside Entry Points
Just like a physical facility, your network has multiple points of entry. These points of entry, where information comes in, are called ports. Ports are like the doors of the building. Your firewall may allow different ports to go to different places, just as a door in a building or home gives you access to a different part of the structure.
The most common port used is port 80. Port 80 is where all unsecured web traffic travels. All the http://www sites you go to are going across port 80 unless the site routes them differently when you get there. Port 443 is also a web port, but it is used for secured web traffic using SSL (Secure Sockets Layer). SSL has since been replaced with TLS (Transport Layer Security), but the SSL name has stuck and the two terms are used interchangeably at this point. Within your firewall or router you can dictate which ports go to which computer. If you are running a web server you need to open port 80 in your firewall/router and have it route to that specific server. People who run their own web server for their business should have this server set up on what is called a DMZ. The DMZ is part of your network but not connected to anything internally, so if someone cracks your web server, they are not getting anywhere beyond it.
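As an added example (not from the original post), this is what the layout the last two paragraphs describe looks like as an nftables ruleset on a Linux router: only ports 80 and 443 are forwarded, only to the web server on the DMZ, and the DMZ can never open a connection into the office LAN. The interface names and addresses are made up for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example, not the post's own config. Hypothetical addressing:
#   wan0: link to the ISP
#   lan0: office LAN, 192.168.1.0/24
#   dmz0: DMZ, 192.168.100.0/24, web server at 192.168.100.10
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # "Open port 80 and route it to a specific server": only the two web
        # ports on the public address are forwarded, and only to the DMZ host.
        iifname "wan0" tcp dport { 80, 443 } dnat to 192.168.100.10
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide LAN and DMZ behind the router's public address on the way out.
        oifname "wan0" masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Manage the router from the LAN only; nothing from the internet or DMZ.
        iifname "lan0" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Outbound from the LAN stays open, as the post says it must for productivity.
        iifname "lan0" oifname "wan0" accept
        # Internet -> DMZ: only the forwarded web ports, only to the web server.
        iifname "wan0" oifname "dmz0" ip daddr 192.168.100.10 tcp dport { 80, 443 } accept
        # LAN staff may reach the DMZ to publish content.
        iifname "lan0" oifname "dmz0" accept
        # DMZ -> LAN is never allowed ("not connected to anything internally"),
        # so a cracked web server cannot pivot inside. Stated explicitly even
        # though the drop policy would catch it anyway.
        iifname "dmz0" oifname "lan0" drop
        # Anything else, including DMZ -> internet, falls through to the drop policy.
    }
}
```

Load it with `nft -f` and check the counters with `nft list ruleset` after browsing to the public address: hits should appear only on the two DMZ rules, never on the DMZ-to-LAN drop.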
Evolution of Detection
Cybercrime has evolved, but fortunately the technology to combat it has evolved too. Just as cyber criminals use crowdsourcing to distribute their malware and ransomware, we too can play that game. Threat intelligence provides a pool of knowledge from around the world to help businesses combat emerging threats. Threat intel often consists of identified command and control servers, blacklists of known bad sites, and descriptions of threats. If someone in Australia finds a new threat, they can report it to a threat service, which pushes that information out to the user base. This in turn keeps your anti-virus software up to date and protects your system against the latest threats. Thus, if you try to go to one of these compromised sites, your software will alert you and block the connection.
Artificial Intelligence (AI) plays an increasing role in cybersecurity. AI attempts to mimic human thought and decision-making using machines. AI-driven security tools supplement your core team, taking away much of the routine and allowing your team to make higher-level decisions. Strictly speaking, AI doesn’t learn on its own. AI uses complex, programmed logic to make smart decisions. However, many modern systems incorporate machine learning, a subset of AI. Machine learning uses algorithms and feedback to teach the machine to make smarter decisions over time without direct human intervention.
Now that you have a basic understanding of how detection and prevention work, let’s explore a real-life example. I will discuss my firsthand experience dealing with a security company trying to sell me their product using fear. They prey upon those who are not informed and present data that misrepresents what is happening.
We recently allowed an individual to demonstrate their security box by allowing them to plug it into the outbound traffic from our network. I normally do not allow any outside firms to plug into our internal network for testing. I refer you to my reference from before, securing your home. While you are inside the network you will find security in that you cannot reach certain servers, files and sites because you do not have those permissions. However, outbound traffic is allowed. I’m not blocking outbound traffic because I need my people to be functional and productive. I felt the test was going to be completely pointless because if we were compromised it was coming from the outside in, not vice versa. Keep in mind that even someone plugging a compromised USB stick into their laptop would trigger different security protocols that will not allow the end user to run a malicious program. Our focus is making sure no one from the outside enters in and that all our internal assets are secured. The owner wanted to accommodate this individual, and I was immediately triggered by the fear-mongering approach.
Trigger 1. The person immediately starts spewing out their security credentials without being prompted. This is done to help reinforce their presence.
Trigger 2. Stating their software is the best in the business. The best software companies out there do not compare themselves to anyone else, nor would they badmouth any other software company that provides a similar service. I happened to mention a company that I know for a fact deals with a lot of Fortune 500 companies and does the same kind of security work he was doing. He immediately stated his was so much better at $10/user.
The test begins and, as I figured, it started reporting back connections to different parts of the world. Why wouldn’t it? I mean, do you think Amazon hosts all their servers here in the U.S.? The first hit comes from Brazil and I asked which computer this was coming from. I got the IP, went to the end user and asked them if they were using Yahoo and, if so, what they had clicked on. They stated they had just opened it and were clicking on the US Current Ten-Year fixed interest rates. It went to Brazil. Again, not surprising that a large company would use servers not located in the US. Keep in mind this is outbound traffic only. It is not like Brazil is suddenly browsing my network. The next hit comes in from the Netherlands, which leads to
Trigger 3. His immediate response to the Netherlands hit was, “Oh look, the Netherlands, just a haven of hackers living there.”
I asked again what IP address this was coming from and he gave it to me. Lo and behold, the IP address he gave me was the same IP address assigned to his box. The hits were coming from his box. Talk about self-serving software. At this point I was through with this guy and wanted to know nothing else about his company. Whatever security credentials he had spewed out to me meant nothing at this point. I knew what was coming next. I told him to unplug his machine because we were done.
Trigger 4. He started asking about cloud services such as Microsoft Exchange and OneDrive. He hated anything that was cloud related and stated, “oh no, those guys never get hacked.”
On this fact he was correct. Microsoft email accounts and whatnot can be obtained easily by hackers. Keep in mind, just the account name itself, basically your email address, to which they will send spam email or phishing attempts. They will make it look like it is coming from someone higher up in your company. However, it is just that person’s name and is not actually going through the email server. Again, they do not have the credentials to send email that way. We train our users to spot fake emails and to never click without thinking first. There are policies and procedures in place to help prevent this from happening. However, in case someone accidentally clicks, we have other software in place to protect them and the network.
The Meeting
Soon after he had finished his scan, he sat in on a meeting telling the owner how bad his security was and how much risk there was. What business owner wouldn’t listen to that? He was saying all your data is vulnerable and may have already been compromised. I was waiting for him to say, if you act now you can get a second system for free, just pay separate shipping and handling. He was counting on the business owner to have a knee-jerk reaction and just order it in. I mean, why not, $10/user/month is pretty cheap. The problem was that the business owner was smarter than this.
The Report
As I figured, a report followed a few days later to the owner of the company, stating how huge a security risk they were. Keep in mind he was basing this all off his software that gave false reporting. He was now using the fear of being unsecured on the internet to sell his equipment. Most owners do not realize the small footprint their business has on the internet, especially those not hosting email or web services.
Conclusion
Take the security of your business and computers seriously. If you want your network tested, hire a company to do a legitimate pen test on your outside network. Pen test = penetration testing. These companies try to penetrate your network to gain access to your sensitive data. This is known as an ethical attack. First, they will try to locate your business on the internet through different search methods to find your IP address. They may even ask you for specific email addresses to test the knowledge of end users and try to gain access through a harmless rogue script or staged website. If that fails, they will get the IP address from your IT staff and try to penetrate that way. Secure the outside and protect the inside. Don’t fall victim to those trying to sell you something you do not need by preying upon your fear of technology. Remember, if you are running a business you still must be productive, and you do not want to handcuff your users by preventing them from accomplishing their daily duties.
In short, do not let a fear of the unknown drive snap decisions when it comes to technology. Talk with your current IT provider, and if you do not understand or trust your current IT provider then it is time to find another. Your IT provider should be able to explain things in terms you understand. Businesses should already have a security policy and a disaster recovery policy in place. These are written documents describing the steps to follow in case of an emergency. If you do not have these, then you should be talking with your IT provider.