Letter to the Editor:
In light of the May 19, 2021 compromise of a City worker's email, I would like to share a few remarks that may be of interest to fellow Burbankers who run a business or work on teams.
I prepared these opinions based on my eight years of experience working as an IT in the Navy handling secret data and messaging; my 10+ years as the CEO of a software company; my 20+ years consulting for big companies; and 20+ years as a cloud services administrator.
Clones of Hard Drives
When an attacker gains access to a computer, the operating system should be assumed compromised, and cleaning it in place takes far longer (and is less certain) than rebuilding it from a known-good copy. Hard drives are very cheap now. All servers should be backed up as a matter of policy; in addition, it is advisable to make a clone of every essential computer's system drive and store that clone in a fireproof, theft-proof and waterproof location, disconnected from the network, so that whatever reaches the live system cannot reach the clone. A server should keep its data on a separate drive from the operating system, so that the operating-system drive can simply be swapped for the clone after a total failure, an infection, or a ransom attempt, with the data restored from backup. Keeping data and operating system separate makes recovery faster. Keep at least two clones, one of them off-site, refresh them after major patch cycles so they do not fall too far behind, and test-boot a clone periodically: a backup that has never been restored is not yet a backup.
Network Attached Storage
Data should be stored separately, on a different drive from the operating system, and all drives should be configured in a RAID (Redundant Array of Independent Disks) if they are not already. Hot-swap RAID storage is best. A small business can purchase a RAID storage device for very little money. SSDs cost more up front, but generally outlast spinning disks and therefore cost less in the long run; consider scheduled replacement of spinning drives with SSDs. Note that RAID protects against a failed drive, not against deletion, corruption or ransomware: whatever is written to one disk is faithfully written to the others. Continuous backups can be made to a NAS (Network Attached Storage device), and these devices will also copy essential files to the cloud, doing the work in the background. Encryption of the data at rest, on the NAS and in the cloud, is recommended. This gives you three copies of all data: (1) the server, (2) the NAS and (3) the cloud (whichever company you wish to use). Because ransomware will encrypt any share it can write to, the NAS should not be permanently mounted with write access from the machines it protects, and its snapshot or versioning feature should be turned on so that an encrypted copy does not simply overwrite the good one. I am extra careful and store at two separate companies concurrently, and my NAS automates this completely.
Use of Phones
Physical security is important with all devices, but especially phones. Phones are easily lost or stolen and are often set down in public spaces. Apple Face ID is not a perfect product; however, it offers considerable convenience and security in preventing unauthorized access to the device. It would be prudent to check in with all workers to ensure that everyone is using a lock of some kind on the phone (Face ID, fingerprint or PIN), that the phone locks itself after a short idle period, and that it can be wiped remotely if it is lost.
Remote Access
Many IT professionals keep backdoor logins into the networks they manage; all such backdoors should be closed. Zoom, Teams and Hangouts should never be installed on, or used on, the same network as important data management systems. Any device that could serve as an attack point should never be used for remote sessions or video calls. Screen sharing tools should not be used at all. The ports those tools use should be blocked somewhere other than the individual device (at the firewall or router), because people tend to unblock things that are blocked on their own computers. Remote Desktop or similar access methods are acceptable so long as the IT person in charge knows how to close the port again once Remote Desktop is not in use. Remote Desktop connections are encrypted, but they are only as strong as the credentials behind them: if an attacker learns a valid network login, the encryption does not help. Remote Desktop listening directly on the internet (TCP port 3389) is a routine entry point for ransomware crews, so it should be reachable only through a VPN, protected by multi-factor authentication, and switched off when not needed. These tools should not be left enabled as a matter of practice.
Ports
All unneeded ports should be disabled. Even with a firewall in place, there is no reason to leave idle open ports of any kind: a firewall rule can be mis-ordered or switched off, whereas a service that is not listening cannot be attacked. Check periodically which services are actually listening, and on which addresses (a service bound only to 127.0.0.1 is far less exposed than one bound to every interface), and compare the result against a written list of what is supposed to be there.
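The check described above, for the Remote Access and Ports sections together, as an added example that is not part of the original letter: a small audit that parses the output of the Linux `ss -ltnp` command, skips services bound only to localhost, and flags any remote-access or screen-sharing port (RDP, VNC, TeamViewer, SSH) or any listener that is not on a written allowlist. The allowlist, the port table and the `ss` output below are constructed for the example.

```python
"""Audit listening TCP services against a written allowlist.

Added example, not code from the letter. Parses `ss -ltnp` output
(Linux) and reports every listener that is not on the allowlist,
with special attention to remote-access ports and to services bound
to all interfaces (0.0.0.0 or ::) rather than to localhost.
"""
import re

# Ports the letter recommends keeping closed unless actively in use.
REMOTE_ACCESS_PORTS = {
    3389: "RDP (Remote Desktop)",
    5900: "VNC",
    5938: "TeamViewer",
    22: "SSH",
}

# Hypothetical allowlist for one small server: port -> purpose.
ALLOWLIST = {443: "HTTPS web app", 445: "SMB file share (LAN only)"}

# Constructed `ss -ltnp` output standing in for a real capture.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=812,fd=5))
LISTEN  0       128     0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=903,fd=31))
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*          users:(("xrdp",pid=1044,fd=11))
LISTEN  0       5       0.0.0.0:5900         0.0.0.0:*          users:(("vncserver",pid=1101,fd=9))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=700,fd=6))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, process field.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")


def parse_ss(output):
    """Return a list of (bind_address, port, process_field) tuples."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def is_local_only(addr):
    """True when the socket is reachable only from the machine itself."""
    return addr in ("127.0.0.1", "::1", "[::1]")


def audit(listeners, allowlist=ALLOWLIST):
    """Return a list of finding strings; an empty list means all clear."""
    findings = []
    for addr, port, proc in listeners:
        if is_local_only(addr):
            continue
        if port in REMOTE_ACCESS_PORTS:
            findings.append(
                f"port {port} ({REMOTE_ACCESS_PORTS[port]}) exposed on {addr}: "
                f"close it unless a session is in progress"
            )
        elif port not in allowlist:
            findings.append(f"port {port} not on allowlist, bound to {addr} by {proc}")
    return findings


if __name__ == "__main__":
    # On a real host, replace SAMPLE_SS_OUTPUT with the output of `ss -ltnp`.
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print("FINDING:", finding)
```

On the constructed sample the PostgreSQL listener is ignored because it is bound to localhost, SMB and HTTPS pass because they are on the allowlist, and RDP and VNC are reported. Run the same audit from a scheduled task and alert when the finding list is non-empty; the allowlist doubles as the written record of what the server is supposed to expose.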
Two-Factor/Multi-Factor Authentication
If possible, use an adaptive authentication system for all remote workers and for anyone gaining access while not physically at your location.
Adaptive authentication solutions can step authentication up or down (for example, demand a second factor, or refuse the login outright) based on a wide variety of contextual factors, including:
● Consecutive login failures
● User account
● Geo-location (physical location)
● Geo-velocity (physical distance between consecutive login attempts)
● Attempted action
● Entity type (device type)
● 3rd-party threat intelligence data
● Day of week
● Time of day
● Operating system
● Source IP address
● User role
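The kind of decision such a system makes, as an added example that is not part of the original letter and not the code of any particular product: a small risk engine that scores a login attempt from several of the signals listed above (consecutive failures, geo-velocity between the last two logins, time of day, device familiarity, source-IP threat intelligence and user role) and returns allow, step-up (require a second factor) or deny. The weights, thresholds, threat-intelligence list and login scenarios are constructed assumptions.

```python
"""Adaptive (risk-based) step-up authentication, as an added example.

Not from the letter; weights, thresholds and the sample logins are
illustrative. Geo-velocity is the great-circle distance between two
consecutive logins divided by the time between them.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

BAD_IPS = {"203.0.113.50"}          # constructed threat-intel feed (TEST-NET-3 address)
PRIVILEGED_ROLES = {"admin", "finance"}
MAX_PLAUSIBLE_KMH = 1000            # faster than an airliner: impossible travel
STEP_UP_AT, DENY_AT = 20, 60        # hypothetical policy thresholds


@dataclass
class LoginAttempt:
    user: str
    role: str
    ip: str
    lat: float
    lon: float
    when: datetime                  # assumed already in the user's local time zone
    device_id: str
    consecutive_failures: int = 0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def geo_velocity_kmh(prev, cur):
    """Speed the user would have needed to travel between two logins."""
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:
        return float("inf")
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def score(attempt, previous=None, known_devices=frozenset()):
    """Return (risk_score, reasons); higher is riskier."""
    risk, reasons = 0, []
    if attempt.ip in BAD_IPS:
        risk += 50
        reasons.append("source IP on threat-intel list")
    if attempt.consecutive_failures >= 3:
        risk += 30
        reasons.append(f"{attempt.consecutive_failures} consecutive failures")
    if attempt.device_id not in known_devices:
        risk += 20
        reasons.append("unrecognised device")
    if previous is not None:
        v = geo_velocity_kmh(previous, attempt)
        if v > MAX_PLAUSIBLE_KMH:
            risk += 40
            reasons.append(f"impossible travel ({v:.0f} km/h)")
    if attempt.when.hour < 6 or attempt.when.hour >= 22:
        risk += 10
        reasons.append("outside business hours")
    if attempt.role in PRIVILEGED_ROLES:
        risk += 10
        reasons.append("privileged role")
    return risk, reasons


def decide(attempt, previous=None, known_devices=frozenset()):
    """Map the risk score onto allow / step_up / deny."""
    risk, reasons = score(attempt, previous, known_devices)
    if risk >= DENY_AT:
        return DENY, reasons
    if risk >= STEP_UP_AT:
        return STEP_UP, reasons
    return ALLOW, reasons


# Constructed scenarios (Burbank coordinates; the far login is ~9,000 km away).
KNOWN = frozenset({"laptop-burbank-01"})
T = datetime(2021, 5, 19, 9, 0, tzinfo=timezone.utc)
OFFICE = LoginAttempt("jdoe", "clerk", "192.0.2.10", 34.18, -118.31, T, "laptop-burbank-01")
NEW_DEVICE = LoginAttempt("jdoe", "clerk", "192.0.2.10", 34.18, -118.31, T.replace(hour=18), "home-pc")
FAR = LoginAttempt("jdoe", "clerk", "198.51.100.7", 55.75, 37.62, T.replace(minute=30), "unknown-pc")
HOSTILE = LoginAttempt("admin1", "admin", "203.0.113.50", 34.18, -118.31, T, "unknown-pc",
                       consecutive_failures=5)
```

With these assumptions the familiar office login is allowed, the same user on a new home PC is asked for a second factor, a login half an hour later from 9,000 km away is refused as impossible travel, and an administrator arriving from a flagged address after five failures is refused outright. Real deployments tune the weights from their own login history; the structure (collect signals, score, pick one of three outcomes) is the part that carries over.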
Wi-Fi Connections
A poorly-secured Wi-Fi router is a vulnerability. Captive portals should not be used by remote/traveling staff accessing the internet on a work device. A captive portal is the type that sends the user to a landing page to enter some data and/or accept terms of use (e.g. a hotel's Wi-Fi network). Workers in the field should connect with their own data plan, provided by and monitored by the City, and where public Wi-Fi cannot be avoided the work device should bring up its VPN before any other traffic is sent. Confidential, secret, and top-secret networks should be accessed only through a City-approved and provided hotspot/portable internet device.
Password Managers
Consider mandatory use of password managers that generate long, random passwords, a different one for every account. The password manager, such as Apple Keychain, then stores and recalls these passwords automatically, so nobody has to remember them and nobody is tempted to reuse them. I use LastPass.
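What a password manager does when it generates a password, as an added example that is not part of the letter and not the code of any manager named in it: draw characters (or words) from the operating system's cryptographic random source rather than from a plain pseudo-random generator, and judge strength by entropy in bits (length times log2 of the alphabet size) instead of by "one uppercase, one digit" rules. The policy floor of 80 bits and the short word list are constructed assumptions; a real passphrase list has thousands of words.

```python
"""Generating and vetting strong passwords, as an added example.

Not from the letter or from any password manager. `secrets` is used
because it draws from the OS CSPRNG; `random` is not suitable for
secrets. The word list is a constructed stand-in for a real one.
"""
import math
import secrets
import string

SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 90 characters
MIN_BITS = 80                                               # hypothetical policy floor

# Constructed word list; a real diceware list has 7,776 words.
WORDS = ["amber", "basin", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
         "indigo", "juniper", "kestrel", "lumen", "marble", "nickel", "onyx", "pepper",
         "quartz", "raven", "saffron", "topaz"]


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` uniformly random picks from an alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random characters. No 'one of each class' rule is forced:
    such rules shrink the search space an attacker has to cover."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=7, wordlist=WORDS, sep="-"):
    """Word-based alternative for passwords people must type by hand."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def meets_policy(alphabet_size, length, min_bits=MIN_BITS):
    """True when a generator with these parameters clears the entropy floor."""
    return entropy_bits(alphabet_size, length) >= min_bits


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(ALPHABET), len(pw)):.1f} bits")
    print(generate_passphrase(), "(from the tiny constructed list: far too weak)")
```

The numbers are the useful part: 13 random characters from a 90-symbol alphabet already clear 80 bits, while 6 words from a 7,776-word list fall just short and 7 words clear it. A passphrase drawn from the 20-word list above gives under 26 bits no matter how readable it looks, which is why the size of the list matters more than the number of words.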
Other Considerations
● Password hygiene: never reuse a password across accounts
● Phishing emails
● Connecting infected USB devices
● Use encrypted VPN connections
● Encrypt stored data
Consider auditing your attack surface: list every way in (open ports, remote-access tools, shared or reused credentials, removable media, cloud accounts) and then reduce the number of attack points.
Feel free to post a comment and I will do my best to respond.
Christopher Matthew Spencer