3 Association Cybersecurity Questions for 2017
It is now officially 2017, w00t!
Cybersecurity had a rough year in 2016, with new exploit arrivals and massive data breaches reported in the news on a shockingly regular basis. On a positive note, all this focus has certainly raised awareness in the community at large. Almost everyone is talking about it! To start off 2017, I'd like to address three of the most common association cybersecurity questions I received during this last year.
1. How often should I change my passwords?
Passwords should be regularly updated for any login where there is a potential threat of data breach. In other words, if your password can be cracked, acquired or stolen, you should change it on a regular basis.
What defines this schedule? The security posture of the login in question.
If we're talking about a super-top-secret government agency, I would expect this login to use some sort of authentication key that changes the associated password every few minutes (or seconds). These solutions require the person logging in to have access to the key, and do not require their involvement to change the password. (Yes, it's super cool, but overkill for most corporate environments, in my opinion.)
For a standard corporate, educational, or non-profit environment, login passwords should be changed every six months to one year. Some advocates push for every quarter, or three months, but my experience has shown that maintaining such a short update cycle can create a burden on your support team for a relatively insignificant security benefit.
For online services, like email (Gmail, Hotmail, etc.), cloud storage (Dropbox, OneDrive), social networks (Facebook, LinkedIn), etc., the same posture question comes into play. If this cloud service is integrated with an ultra-secure solution, or contains data that absolutely cannot be breached, then we should implement a strong 2-factor password solution that changes automatically. If this is not an option because the service does not support it, then scheduled password changes should be implemented as part of the management of the account. For regular corporate environments, every 6 months to 1 year should be acceptable. For personal solutions, I would still recommend changing these passwords at least once a year.
2. We've been discussing phishing emails for several years now, yet we still have major hacks happening that frequently utilize this method of attack. Are phishing email attacks becoming more advanced?
The short answer is yes! When we first started seeing phishing attacks appear online in large quantities, the bulk of these messages were easy to detect automatically (and filter using technology solutions). While it's true the success rates for these campaigns are usually pretty low, as time progressed and the discussions related to phishing grew, these attackers adapted.
We do still see attacks that are easy to detect using just common sense or technology (misspellings, broken syntax, obviously malicious links, known malicious domains, etc.), but there are plenty of examples where we have to invest more attention to detect the phisher. These attackers are registering domain names that are very similar to the domains they mimic (usually off by only one character), and then are spending the time to deploy pages that impersonate these domains as malicious parodies. The typical visitor can take a casual look at these imitations, and not tell the difference.
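The lookalike-domain trick described above can be caught on the receiving side by measuring how far a sender's domain is from the domains you actually trust. The following is an added example (not code from the original post) that folds common character swaps such as "rn" for "m" or "1" for "l" and then computes the Levenshtein edit distance against a constructed list of protected domains; any domain within one edit that is not an exact match is flagged as a lookalike. The domain list, the homoglyph table and the sample addresses are all constructed for the example.

```python
from typing import Optional, Tuple

# Constructed: domains this organization treats as its own or its partners'.
PROTECTED_DOMAINS = {"example.org", "example-association.org"}

# Character sequences that attackers substitute for visually similar ones.
# Folded to the plain form before measuring distance (constructed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot and fold known homoglyph sequences."""
    folded = domain.strip().lower().rstrip(".")
    for lookalike, plain in HOMOGLYPHS.items():
        folded = folded.replace(lookalike, plain)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions that turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_sender(address: str, max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return ("trusted", None) for an exact protected domain,
    ("lookalike", protected_domain) when the folded domain is within
    max_distance edits of a protected domain, else ("unrelated", None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in PROTECTED_DOMAINS:
        return "trusted", None
    folded = normalize(domain)
    for protected in PROTECTED_DOMAINS:
        if levenshtein(folded, normalize(protected)) <= max_distance:
            return "lookalike", protected
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample senders, not real addresses.
    for sender in ("treasurer@example.org", "treasurer@examp1e.org",
                   "it@exarnple.org", "news@examples.org",
                   "friend@totally-unrelated.com"):
        print(sender, "->", classify_sender(sender))
```

A check like this is one layer among several; mail authentication (SPF, DKIM, DMARC) and the browser and client warnings mentioned below address the same problem from other angles.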
It's not all bad news for the good guys on this topic. A lot of the most popular web browsers and email clients in use today are actively investing resources to identify and notify users of phishing emails and malicious hosts. While not perfect, these updates are having a dramatic impact on the number of users that are being duped. There has also been a great deal of discussion on this topic, raising the overall security awareness of the entire community in this regard. While this has definitely not eliminated the threat altogether, it has been a significant driver to force these attackers to innovate.
3. How do we strike the right balance between a remote-friendly workplace and a secure workplace?
As a telecommuter myself, I'm a pretty strong advocate for remote work. That being said, this is a complicated topic with several involved pieces. To answer this, I'm going to break these out a bit and speak to them individually.
Teleworkers, like regular employees, have access to office documents, source code, and other pieces of company data. This data has value, and can harm your company if it is lost or disseminated. Implement strict access controls on file servers to reduce the chance of employees (regardless of their location) accessing company documents they should not be able to access. Require teleworkers to use a company-provided machine (laptop or desktop) to store company data, and implement a policy that explains to them the appropriate methods for securing and transferring these documents. (This also allows you to guarantee that a current virus / malware solution is in place.) Train employees to encrypt documents (preferably using a secure solution such as GPG) whenever the data contained within relates to customers, financials, or proprietary information. Another option would be to deploy a hardened laptop to the employee that makes use of an Encrypted File System to protect the data stored on it. For employees who travel, encryption becomes even more important, as their exposure increases with each trip they take. This holds true for laptops, tablets, smartphones, and other portable devices alike. If it can be easily stolen, then you should consider encrypting any data on it that is proprietary.
Accessing company email can add another layer to this topic depending on how your email solution is deployed. If your company is making use of a cloud-based solution, such as Office 365 or Gmail, then remote employees will be able to connect directly to their email without having to access your company network. If your company utilizes an on-premises solution, then the safest option would be to have the teleworker connect to a VPN and then connect to the mail server. I have seen on-premises mail servers configured to allow access to external clients (i.e., they do not need to connect to a VPN), but this is not my preference. (More about VPNs below.) Another option would be to make use of Remote Desktop. Then you can deploy your email application as a thin client using software such as Citrix, or you can simply allow them to log in to an internal machine directly to access the email application. It is important to note that the Remote Desktop solution would need to be deployed securely; otherwise, all you have done is give attackers a new vector to exploit.
Company Cloud Services
With the rise of social media and cloud services, companies are more exposed than ever before. There are so many different accounts and services online with your data, it can be overwhelming just to try and track it all. As an employer, the best practice is to define a policy that controls how these services are used and maintained. This policy should contain not only allowed usage information, but also address things like scheduled password resets, account sharing, and data retention. This policy should be propagated to all employees, regardless of their work location.
Employee Home Network Configuration
It is unreasonable for us as an employer to expect our employees to hand over control of their home networks in order for them to be able to telecommute. There is a wealth of privacy and liability issues involved, and that's before we begin discussing the support overhead. So, what can we as employers expect of our employee home networks? Broadband access and a firewall. We can't even really guarantee the firewall, or that it's deployed securely if it is present.
This leaves us with one secure option: a VPN (Virtual Private Network).
Fifteen years ago, setting up a VPN was rather involved. Usually they were site-to-site, and configured at the firewall on both ends of the connection. This does work for teleworker configuration, but can be cumbersome and hard to manage.
Thankfully, the other option (something that firewall nerds such as myself refer to as "road warrior configuration") has advanced tremendously since 2002. Most corporate firewalls in use today offer a software-based VPN solution. This allows your teleworkers to install the software and create a "virtual" network adapter that connects to your corporate firewall directly. (There are several variations to this, but the overall theme is the same. The traffic is encrypted and sent to a secure gateway that the employee has authenticated to.) This has the added benefit of encrypting all of the traffic sent from your employee's machine, further securing their traffic. (Note: This does NOT encrypt all of the traffic coming from your employee's firewall, just the traffic running through the software they've installed on their machine.)
New employee devices are appearing on company networks at an increasing pace, many times with no review or oversight. This could be a tablet, laptop, or smartphone, and may be used in your office or at their home. At a bare minimum, require tablets and smart phones to maintain a lock code before allowing access to company email. (This can be configured on your company mail server.)
When employees bring devices into the office, deploy a guest wireless network segregated from your internal network to prevent potential malware intrusions and casual scanning. Further restrictions can also be considered if necessary, such as limiting which MAC addresses are allowed an IP from your firewall, or requiring a USB security key (dongle) before allowing network access.
Happy New Year!
Do you have a cybersecurity question you'd like me to answer? Email me at firstname.lastname@example.org and I will do my best to answer it. I hope you have a great (and secure) 2017!
About Joshua Hiller
Since 1994, Joshua Hiller has been a professional software developer and security analyst, working as a private contractor, team member, and team leader. Specializing in automation, integration, penetration auditing and forensics, Josh has over 15 years' experience working in the non-profit industry in roles such as application developer, department director, and vice president. A married father of three girls, Josh's interests include art, comic books, fantasy, science (and science fiction), application and network security, software development and tropical fish.