Tag Archives: information security

Home Network Security Part 5 – Outsourcing

Many folks reading this “outsource” some of their computing power or storage to 3rd parties.  If you pay for hosting, or backup to a backup service, you’re “outsourcing”.  You’re also trusting this third party to take care of your data.  Have you looked at the security policies or audits of the companies you are working with?  It’s not easy, and at some point, you just have to pick a company to work with and hope they’re doing things “right”.

What Can You Do?

All data centers and some hosting companies go through an audit called an SSAE16 (previously SAS70 type 2).  There are three parts to the SSAE16, and the technical security information is located in the SOC 2 report – sometimes shortened to SSAE16 type II.  SOC 1 is financial information, and SOC 3 is too generic to be of much use (and many companies don’t bother) – it’s just a statement that they have been audited.  Getting your hands on the SSAE16 SOC 2 is almost impossible though – you’ll likely have to sign an NDA to read it, and even if you do read it, you might not understand it.  It’s a list of the controls a company has that protect the confidentiality, availability and integrity of the data they hold.  Those controls are tested by auditors (usually over a period of 6 months), and the auditors make sure that the controls are adequate and operational (i.e., they’re working like they’re meant to).

If you can find out if a company has an SSAE16 SOC 2, just the fact that they have one is a pretty good indicator that they’ve got their ducks in a row from a security perspective.  After all, why would you pay to go through the audit (several hundreds of thousands of dollars) and not reasonably expect to pass?  Also, the SOC 2 is meant to be shared with customer auditors and no company would want to share it if it was bad.

Companies (usually not US based ones) can also be certified against ISO 27001, which is the international security standard.  I personally think that an ISO 27001 certification is a better indicator of security than an SSAE16 because ISO 27001 dictates specific controls that must be in place.

Review Security Policies

Many companies make a generic version of their security policies available on their web page (or perhaps with an NDA).  Take a look at it and consider how reasonable it is, or compare it to what you do at home (or work).  Just having a security policy isn’t sufficient – make sure it covers the topics you’re concerned about.

How to Interpret What You Find

Does the company encrypt your data?  Who has control of the encryption keys?  You?  Them? Are you worried about your data being read – or given to a government in response to a subpoena?  Consider what you are worried about and see if you can find information about what the company does about it on their web page.  It also never hurts to e-mail them and ask – try the general sales e-mail first, they can usually answer your questions.

Popular Companies’ Security Information

Are there any other companies you use that you need help finding their security information?  I can help in a limited capacity via the comments (i.e. pass on what’s publicly available).  If you’re really concerned about outsourcing and want more in-depth security information on your outsourcing company, contact me via e-mail at mom at <my domain> and I can tell you about what my company does and how we might be able to help you.

Other Posts in this Series

Home Network Security Part 4 – Wireless Networks

Wireless networks are great things – you can take your laptop pretty much anywhere in or around your house and still be connected to the Internet with no wires.  I remember when they were first beginning and a wireless card for your laptop cost almost $300, not to mention the cost of a wireless router.  CMU was one of the first schools to have a completely “wired” wireless campus – that meant that pretty much anywhere you were on campus, you could reach a wireless access point.  Wireless Andrew was my first experience with wireless networking, although I had heard of it previously.  And students could get a subsidized PCMCIA card for about $150.

Now, wireless networks are *everywhere*, and a lot cheaper.  Most cable modems or FIOS routers come with wireless enabled – and it’s a lot faster than it was.  When we first moved to our house, it took Verizon almost 3 weeks to get our FIOS installed (they had to increase the capacity at our neighborhood’s main connection point before they could connect us), but “helpful” neighbors had wide open access points, so we could still get on-line from home.  I’m not sure they ever knew we “borrowed” their connection for a while.

So what does this have to do with security?  A wireless access point that is incorrectly configured can be a legal liability for you, an access point into your network, as well as just plain annoying.  YOU are legally responsible for all Internet traffic that travels through your cable modem/FIOS router/phone line/whatever.  So, if someone decides to download/upload a pirated movie using your network, you are the one who will get the cease and desist order or court summons. You can fight it, but you still have to fight it in the first place.  If you don’t limit access to your wireless access point (router), someone sitting on the street could cause you a lot of headaches.

What is a correctly configured router?  One where you have a reasonable idea of who is connecting to your network and what they have access to – limiting access to authorized users.  The way most corporations do this is by requiring a corporate account or guest username/password (not network password) to access the wireless network.  If you’ve been in a hotel where you have to type your room number and last name into a web page before accessing the Internet, that’s what I’m talking about.  Most home routers do not have this capability.  If yours does, I suggest you look into using it.  A way that might look like a good idea is MAC address filtering.  It’s not a bad idea, but it won’t stop someone from connecting – it’s too easy to fake MAC addresses.  So don’t depend on it as the only mechanism.

The best method available to home users is to configure your network to use WPA2 with AES encryption, and a strong network key.  If you have older equipment (Nintendo DS…), it may not support WPA2, in which case, use WPA if you can, only using WEP as a very last resort.  WPA and WEP can both be broken in less than 3 hours (almost instantaneously for WEP).  It’s dependent on how much traffic goes across your network – but attackers can generate the traffic themselves.  WPA2 is a little harder, but not impossible to break.  Once an attacker has the network key, they can keep coming back to use your network for free.
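To show why the “strong network key” part matters, here is an added example (my own code, not from the original post). WPA and WPA2 personal mode turn your passphrase into the actual 256-bit key with PBKDF2-HMAC-SHA1, salted with the network name and run for only 4096 iterations, so anyone who captures a handshake can test guesses against it offline; the only thing that makes that expensive is a long, unguessable passphrase. The derivation below is the one in the 802.11i standard; the policy thresholds (20 characters, 80 bits) and the tiny common-password list are assumptions I picked for the example.

```python
import hashlib
import math
import string
from typing import List

# Constructed stand-in for a common-password list. Real lists have millions of
# entries; this one only exists to illustrate the check.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein123", "iloveyou"}


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK exactly as 802.11i specifies:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough upper bound on guessing entropy: log2(alphabet size) per character,
    where the alphabet is the union of the character classes actually used."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    if " " in passphrase:
        pool += 1
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_passphrase(passphrase: str, min_len: int = 20, min_bits: float = 80.0) -> List[str]:
    """Return the list of policy problems; an empty list means the passphrase passes.
    The thresholds are assumptions chosen for this example, not a standard."""
    problems = []
    if not (8 <= len(passphrase) <= 63):
        problems.append("WPA2-PSK passphrases must be 8 to 63 printable ASCII characters")
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if passphrase.lower() in COMMON_PASSPHRASES:
        problems.append("appears in common-password lists")
    if passphrase_entropy_bits(passphrase) < min_bits:
        problems.append(f"estimated entropy below {min_bits} bits")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple rides again"):
        print(candidate, "->", check_passphrase(candidate) or "OK")
    # The PSK is what the router actually uses; the passphrase is just how you type it in.
    print(wpa_psk("IEEE", "password").hex())
```

Note that the SSID acts as the salt, so a rainbow table built for one network name is useless against another; that is a small argument for not leaving the router’s default SSID in place, but it does nothing to protect a weak passphrase.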

If your router supports WPS (Wi-Fi Protected Setup), it’s a nice feature, but it creates a vulnerability that someone can exploit to get access to your network more quickly.  Once you’ve set up your laptop/desktop, turn WPS off.

In addition to possibly opening you up to legal problems, someone able to access your wireless network can access systems on your home network, potentially compromising your confidentiality and integrity.  They can also affect your availability by using up all of your bandwidth.

For home users, this suggestion is not completely practical, but should definitely be implemented for small businesses.  Separate your wireless network from your “wired” or corporate network – by a firewall.  That means that folks on your wireless network (whether allowed or not) can only access the Internet.  Authorized users should use whatever your company’s remote access method is to access the internal network from the wireless network.  Home networks can implement this as well, but you’ll have to have some kind of remote access solution – like OpenVPN, or LogMeIn, etc.

Home Network Security Part 3 – Updates

You should always be automatically (or ASAP) updating all of the software on your system.  The operating system, your office suite, chat programs, your web browser.  If there’s an update for it, you should probably be applying it.  I’m not saying you necessarily need to upgrade your software, but you do need to keep it updated.

Updates and upgrades are small patches released by the vendor to fix something. They may fix one little thing, or they may fix a whole bunch of things and add features – it’s completely dependent on the vendor.

Security updates fix a known vulnerability and/or exploit.  Many times, in the description of the update you’ll see something like “fixes CVE-2013-3940” with a link to the vulnerability.  CVE is the Common Vulnerabilities and Exposures database, which is also run by NIST as the National Vulnerability Database (NVD).  If you’re feeling technical, you can go read what the issue is, but the entry also gives an impact score for the vulnerability – which gives you an idea of how important it is to apply the update.  The higher the number, the faster you should apply the update!

If you do not apply the updates, your system is now vulnerable to a known attack, and many attacks have a corresponding exploit or Proof of Concept (PoC) code that is semi-public, so you can be sure that someone will be trying it out on random or targeted computers.  Just because you haven’t updated doesn’t mean that you will be attacked or that you will be compromised.  You have other protections in place to limit access to your system: like a firewall, or anti-virus.  It’s like playing Russian roulette with an old bulletproof vest.  Two things have to happen: you have to be attacked (the bullet in the correct chamber), and you have to be vulnerable (the vest might not work any more – or you might get hit outside the area protected by the vest).

Updates

For larger vendors (Microsoft), there is a distinction between a security update and a general update.  You should allow all security updates automatically.  Vendors have gotten really good at segregating the security fixes from new features, and so automatically updating security patches is not likely to affect you adversely.  General updates fix non-security issues or add new features.  For the most part, you’re not going to get any grief from automatically updating these, but from a security standpoint, you don’t need to automatically update the general updates.

Upgrades

Software manufacturers/developers stop supporting software at some point – the End of Life (EOL).  This means that no more patches will be available for it if a vulnerability is found.  If you’re still running Windows XP or Office 2003, you need to upgrade because Microsoft is killing support for it April 8, 2014.  And if you’re frugal, you might be running those old versions to save money – I know I’ve got XP in my Windows VM still.  Microsoft has a pretty long lifecycle for their products: over 10 years, but other developers don’t (Adobe is 5 years).  Some don’t even bother to tell you they’re not supporting a particular software version any longer.

What If I Don’t Want to Upgrade?

If you don’t want to or can’t upgrade to a supported version for some reason, you’ll want to make sure that you have a firewall that restricts all inbound traffic, anti-virus that is as up to date as you can get, an up-to-date browser, and preferably a sandboxing tool like Google Chrome or Sandboxie.  You will be vulnerable to exploits that have not been patched, but a firewall will help protect from network attacks, and anti-virus and sandboxing will help protect from “user error” attacks – i.e. clicking on an e-mail attachment.

Additionally, if there’s no reason for this machine to be on your network (ex: it’s for CAD, or an off-line video game), consider just unplugging the network cable or disabling wireless.

Home Network Security Part 2 – Anti-Virus

Your systems should have anti-virus software installed – yes, even those of you with Macs. If you run Linux as a desktop, you get a pass, but I still recommend installing ClamAV or Sophos if you exchange files with Windows systems. You don’t want to unintentionally pass along a virus to your friends and family.

Sidenote: If you browse porn or other “questionable” sites, I’m not going to judge, but you need to be even more careful about having a good up-to-date anti-virus program (or 2 or 3).  And you should really consider sandboxing that activity – I use VMware and snapshots when I need to visit questionable sites.

There are many anti-virus products available, and for the most part, they’re all good options. You want to look for a product that advertises “heuristics” – and almost all of them do. If you have more than 4-5 computers in your household (and a system you can install the centralized server on), you may want to consider splurging for the “endpoint protection” solutions which allow you to control the anti-virus software (and software firewall) from a centralized server – great for kids. But it’s not necessary at all.

One of my current favorites for Windows is Microsoft Security Essentials.  It’s free, rates very highly in the tests that are run by 3rd parties, and doesn’t completely bog down your system.

I use Sophos for Mac (free), and I’ve also heard good things about Kaspersky (it’s also a firewall) and ESET, but I’ve not used either of them.

The most common vector of attack is through malware – viruses, trojans, key loggers, etc.  All an attacker has to do is get you to click on a web page or an e-mail attachment and they can infect your computer.  And you’re left cleaning up the mess.  The specific actions of the malware vary, but can cause your system to become part of a botnet, encrypt all of your important files, or give an attacker control of your system to read your files, send e-mail as you, etc.

Malware hits your confidentiality, integrity and availability, depending on the specific action, so it’s important to try to prevent it.

How to configure Anti-Virus

For the most part, the defaults for any anti-virus install are acceptable.  You want at a minimum:

  • Automatic signature updates
  • Heuristic detection enabled
  • On-access/on-read scanning

You also should consider the following settings, but there can be some drawbacks to them:

  • Automatic engine updates (not too many drawbacks, but does update the software automatically, some don’t want that)
  • On-write scanning (can slow down writes and disk performance)
  • Scanning networked drives (you may not want your system to be scanning a file server)
  • Scheduled scanning (a full scan of your system on a schedule.  This works better on a desktop, and while the scan is going on, it will generally bog down your system)

What if you do get infected?

If you do happen to be infected by malware, there are several things you can do.  One, get yourself a free anti-virus ASAP.  Run it, and it *may* be able to clean up your system.  If it can’t, it can at least tell you what file was infected, and you need to rebuild your system and restore from backup – without that file.  There are also IT shops which specialize in removing malware, and you can look into them; it’s a long process and they likely charge more than you’re willing to pay, but it is an option.

How Anti-Virus Works (optional)

There are two methods of protecting a system from viruses and malware: signatures and heuristics.  In the past, signatures were the only method available, but in the last 4-5 years, heuristics have become a significant research area and important protection.

Signatures are pieces of text, binary, code, memory, etc. that indicate a specific virus exists.  For example, a virus adds a specific file to your file system, or changes a system file in a specific way.  For all known malware, your anti-virus should have a “signature” for it, although it may be a day or two from discovery to a signature update.  That’s great for known malware, but what about the new stuff that’s coming out almost every day?

This is where heuristics come in.  Your system operates in a certain way – “normal”.  Malware tends to do certain things that are outside of that normal: replicate itself, change system files, make network connections.  Anti-virus programs look for this type of behavior and take steps to quarantine that code.  It’s generally done by running the code in a special “sandbox” where it can’t access your “real” system, and watching for system calls.  If it’s all clear, the anti-virus lets it continue to run on your system, and “remembers” what that clean code is and lets it run next time without sandboxing.  Some heuristic methods watch for abnormal network traffic or disk usage, but the specific method used is dependent on the software you bought, and how they conduct their research.  Heuristics aren’t perfect, but they’re considered “good enough” to help detect new malware that your software doesn’t have the signature for.
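To make the signature-versus-heuristic distinction concrete, here is an added toy example (my own code, not from the original post or from any anti-virus vendor). The signature side is byte-pattern matching against a known list; the heuristic side scores behaviours reported by a sandbox and quarantines above a threshold; and once something is judged clean its hash is remembered so it is not sandboxed again. The signatures, behaviour weights, threshold and sample files are all constructed for the example.

```python
import hashlib
import re
from typing import Dict, List

# Constructed signature database: name -> byte pattern that identifies a known sample.
SIGNATURES = {
    "Demo.Dropper.A": rb"DEMO-DROPPER-MARKER-7f3a",
    # an executable header followed within 64 bytes by a config string
    "Demo.Stealer.B": rb"\x4d\x5a.{0,64}STEALER_CONFIG",
}

# Constructed heuristic rules: behaviour observed in the sandbox -> suspicion weight.
HEURISTIC_WEIGHTS = {
    "write_to_system_dir": 3,
    "modify_autorun_key": 3,
    "copy_self_to_removable": 4,
    "outbound_connection_to_unknown_host": 2,
    "read_user_documents": 1,
    "spawn_shell": 2,
}
QUARANTINE_THRESHOLD = 5          # assumption for this example

# Digests of samples already judged clean, so they run next time without the sandbox.
KNOWN_GOOD_DIGESTS = set()


def signature_scan(data: bytes) -> List[str]:
    """Return the names of every known signature whose pattern appears in data."""
    return [name for name, pattern in SIGNATURES.items()
            if re.search(pattern, data, re.DOTALL)]


def heuristic_score(events: List[str]) -> int:
    """Sum the weights of the distinct suspicious behaviours seen while the sample ran."""
    return sum(HEURISTIC_WEIGHTS.get(event, 0) for event in set(events))


def classify(data: bytes, sandbox_events: List[str]) -> Dict[str, object]:
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_GOOD_DIGESTS:
        return {"verdict": "clean (cached)", "signatures": [], "heuristic_score": 0}
    hits = signature_scan(data)
    score = heuristic_score(sandbox_events)
    if hits:
        verdict = "known-malware"                 # signature wins regardless of behaviour
    elif score >= QUARANTINE_THRESHOLD:
        verdict = "suspicious-quarantine"         # unknown code, but it behaved like malware
    else:
        verdict = "clean"
        KNOWN_GOOD_DIGESTS.add(digest)            # remember it; skip the sandbox next time
    return {"verdict": verdict, "signatures": hits, "heuristic_score": score}


# Constructed samples and sandbox reports.
KNOWN_SAMPLE = b"\x4d\x5a\x90\x00" + b"\x00" * 20 + b"STEALER_CONFIG=example"
UNKNOWN_SAMPLE = b"never-seen-before-binary-" + b"\x17" * 16
UNKNOWN_EVENTS = ["write_to_system_dir", "modify_autorun_key", "spawn_shell", "spawn_shell"]
BENIGN_SAMPLE = b"just a text document about gardening"

if __name__ == "__main__":
    print(classify(KNOWN_SAMPLE, []))
    print(classify(UNKNOWN_SAMPLE, UNKNOWN_EVENTS))
    print(classify(BENIGN_SAMPLE, ["read_user_documents"]))
    print(classify(BENIGN_SAMPLE, ["read_user_documents"]))   # now served from the cache
```

The weakness the text alludes to is visible here: a brand-new sample with no signature is only caught if its sandboxed behaviour crosses the threshold, and malware that waits quietly until it is out of the sandbox scores zero.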

Home Network Security Part 1 – Firewalls

You need a firewall.  Yes, even you with only one computer at home. Yes, even you that works from a laptop at a coffee shop (especially you).

You don’t necessarily need a hardware firewall, which is what most people think of when I say “firewall”.  A software firewall is sufficient, and sometimes the best option.

There are several types of firewalls, the two I’m going to break down here are hardware and software.  You *always* want a firewall that claims SPI – Stateful Packet Inspection, or you’re going to have a lovely time figuring out which ports to open and close – luckily, all the newer ones I know of are stateful.

Firewalls prevent network connections from attackers, so they’re stopped “at the door” so to speak.  There are ways around firewalls, but a firewall will protect you from many of the random attacks that are continuously going on on the Internet.  They are one of the most basic, most available, and easiest to implement security protections you can have.

Hardware Firewalls

If you have more than one computer at home, a hardware firewall is ideal.  One point protects most of your systems.  If you have cable or FIOS high speed Internet access, you probably already have one (and it’s likely enabled) as part of your cable modem or FIOS router.  If you have a wireless router, there’s a good chance that you’ve got a hardware firewall.  If you don’t have one, or aren’t sure, the Cisco/Linksys WRT54G* series of home routers is pretty decent, and the ones I’ve had in the past have been solid – that doesn’t mean the current crop is as good; each manufacturer has had their issues.  Other brands to check out are D-Link and Netgear.  I’m not a big fan of D-Link, and that model might have a backdoor in it (not confirmed), but it’s cheap.  Pretty much any “router” you buy should claim that it has an “SPI” firewall; if it does, you’re good to go – pick whichever manufacturer and “other” features you like.

These “home” firewalls are not as powerful or configurable as an enterprise/business firewall, but they’re “good enough” for home users.  One of the biggest differences between a home firewall and an enterprise firewall is the lack of an Intrusion Detection System (IDS).  This isn’t a huge deal for home users, but if you want an IDS on your firewall, most providers sell small business firewalls that have that capability (although none of them have good ratings on Amazon).  You can also put your own IDS on your network.  Snort is (was?) the best free one, but the company supporting it was just acquired by Cisco, and no one knows how well that will go over yet.

Hardware firewalls build a virtual “wall” around your network to help prevent attacks.  Given the number of casual attacks that go across networks every day, a hardware firewall can also lighten the CPU/memory load on the systems inside that wall.

Even if you have a hardware firewall, you want to have a software firewall enabled for all of your “portable” devices – laptops that will leave your network, etc.

Software Firewalls

Windows and Macs have come with built-in software firewalls for several years.  This must be enabled on a laptop or machine that travels outside of your network.  It’s an added bonus to desktop systems, but not required.  The Windows firewall can be enabled by going to Control Panel then Security.  The “Windows Firewall” should be turned on.  On a Mac, go to System Preferences, Security & Privacy, and under Firewall, it should be turned on.

Almost all anti-virus software also offers a “personal firewall”, so you can opt for one of those.  They tend to work on the ports and protocols method, and some people prefer that.

Software firewalls only protect the one computer they are enabled on, and there are actually *many* holes in software firewalls by default to support operating system services (network drive sharing, etc).  It’s a balance between usability and security, and the vendors tend towards usability in home systems.

Where hardware firewalls almost always work on the concepts of “ports and protocols”, software firewalls generally work at the application level – allowing specific processes or applications access, and blocking others.

Firewall Settings

Log into your firewall/router via the web page and pay attention to what your firewall settings say – print the screen, write them down, etc. Become familiar with them, find a manual for your router/firewall and twiddle with settings (and know how to hard reset the device!).

Most home users are going to want to completely block all incoming traffic at a hardware firewall and some software firewalls.  But won’t it keep things from working?  It shouldn’t.  This is where the Stateful Packet Inspection part comes in.  Something inside the wall initiates a connection to the outside.  The firewall allows back in all related traffic – responses from web pages, game servers, Netflix, etc.

There are some things that home users use which may require ports/protocols to be open from the outside. All home routers will have NAT (Network Address Translation) enabled – it’s sort of a firewall by itself, but not sufficient.  You’ll find some settings related to port forwarding if you need to open up any ports/protocols in your firewall.  Common situations that may require you to have ports open: VoIP service (although most have fixed this routing issue), remote control software (like Hamachi), and provider management control – your cable company or phone company may have remote control access to phones/routers/etc.  Personally, I close off access to anyone but me, but you’re taking the chance that your cable/phone company may not be able to help you remotely if you have problems.  Generally, I suggest closing everything off, then testing various items – call your VoIP number from your cell – does the call go through?  If not, you may need to open specific ports.

If you’re comfortable with networking concepts, I suggest blocking outgoing ports you know aren’t used as well.  This helps prevent attackers from using your network to attack others, and helps prevent what I call “callback” attacks, where the attacker has the target send traffic back to them over an open outgoing port.  This steps over the security vs. usability line, so take this advice with caution.

With a software firewall, I also suggest blocking all incoming traffic, but with Windows, there are a lot of applications that can access the machine by default.  Microsoft has a decent write-up of the settings options for Windows, and Apple has a corresponding document for Macs. Yes, it applies to Lion, Mountain Lion and Mavericks.  One setting I would caution you *not* to apply on the Mac firewall is logging – it will completely bog down your system, and if you’re not looking at the logs, why turn them on?

How Firewalls Work (optional reading)

Firewalls work on the concepts of ports and protocols, or, for the newer software ones, on applications.  A network connection is defined by two endpoints; each endpoint has an IP address and a port.  The connection itself has a protocol.  That’s 5 pieces of information you can use to restrict access to your network.  Generally, home users do not worry about IP addresses, but they do worry about ports and the protocol.  The protocol is usually either TCP or UDP, although others exist, and the port is a number from 1 to 65535 – although there are “well-known” ports that various services use.  Don’t bother remembering them unless you’re interested, you can always look them up 🙂  Most firewalls do this by creating “rules” that have at least one of the 5 pieces of information – with the assumption that the undefined pieces mean “all”.
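Here is an added example (my own code, not from the original post or any firewall product) that ties together the two ideas from the Firewall Settings section and this one: rules built from the 5 pieces of information where an unset field means “all”, and Stateful Packet Inspection, which lets replies back in for connections the inside started even though no rule opens that inbound port. The rule set is the “block everything incoming, except one port-forward for VoIP” setup described above; the addresses and the UDP 5060 port-forward are constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "out" = LAN -> Internet, "in" = Internet -> LAN


@dataclass(frozen=True)
class Rule:
    """One firewall rule. Any field left as None means 'all' and matches anything."""
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.direction, p.direction), (self.proto, p.proto),
                 (self.src_ip, p.src_ip), (self.src_port, p.src_port),
                 (self.dst_ip, p.dst_ip), (self.dst_port, p.dst_port))
        return all(want is None or want == got for want, got in pairs)


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # 5-tuples of connections the inside opened; replies to these are let back in.
        self.connections: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        # 1. Stateful part: is this inbound packet a reply to something we sent out?
        if p.direction == "in":
            reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            if reverse in self.connections:
                return "allow (established)"
        # 2. Otherwise the first matching rule wins; unset fields mean "all".
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.connections.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return rule.action
        # 3. Nothing matched: default deny.
        return "deny (default)"


def home_firewall() -> StatefulFirewall:
    """The recommended home setup: allow everything out, one port-forward, block the rest in."""
    return StatefulFirewall([
        Rule("allow", direction="out"),
        Rule("allow", direction="in", proto="udp", dst_port=5060),   # constructed VoIP forward
        Rule("deny", direction="in"),
    ])


def run_demo() -> List[str]:
    """Constructed traffic: a web request, its reply, an unsolicited probe, a VoIP call."""
    fw = home_firewall()
    packets = [
        Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 443, "out"),
        Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 51000, "in"),
        Packet("tcp", "198.51.100.7", 4444, "192.168.1.10", 445, "in"),
        Packet("udp", "198.51.100.9", 5060, "192.168.1.10", 5060, "in"),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The third packet is the case the text is about: nobody inside asked for it, no port-forward covers it, so it is stopped at the door. A real stateful firewall also ages entries out of the connection table; this toy keeps them forever, which is fine for a demo but not for a product.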

Most (newer) software firewalls work on the concept of applications.  An application asks the firewall for permission to listen from the outside, and the user says “yes” this application can or “no” it can’t.  If the user says “yes”, the firewall allows any network connection to or from that application that the application requests – no matter what the port or protocol is.  This is more user-friendly, but can open a lot of holes that the user is unaware of – but you can bet attackers are.

Disclaimer: any links to products are affiliate links through Amazon.

Home Network Security

I review companies’ information security policies, practices, and procedures for a living. I tell them when they’re doing well, and when they suck (and have to do it nicely).  This past week, I was looking at a small business which is special in that they legitimately have to be concerned about targeted attacks (also known as “Advanced Persistent Threats” which I consider a bullshit term), and their network isn’t up-to-snuff.

In a diversion from personal finance stuff, I’m going to create a short series on protecting yourselves – as people with home networks, laptops, desktops, media servers, blogs, etc.  You may not be subject to targeted attacks, but you are subject to attacks just for the hell of it – and that’s more than enough motivation for most attackers.  Hopefully, some of you find this interesting and useful.

Information Security Basics

There are three things to be concerned about when it comes to information security: Confidentiality, Integrity, and Availability (CIA).  Each particular company or situation will focus on 1-2 of those, with the 3rd being relegated to “the back burner”.  But, it’s really important to at least consider all three areas.

Confidentiality

Confidentiality is keeping information from people who should not have access to it (for whatever reason).  Confidentiality means keeping your data under wraps, keeping it from prying eyes, keeping the information from “leaking” outside of the folks who are authorized.  It also means preventing people from being in a position to access the data in an unauthorized manner: not letting someone have access to a system where that data is stored.

Integrity

Integrity is one area that tends to get ignored (except in financial circles).  It means protecting information from unauthorized modification.  Financial institutions and folks that deal with SOX are really concerned about integrity – after all, if you can change one digit in the following string, you’re a very rich person: “1,000,000”.  Integrity also comes into play in legal disputes and digital forensics.  Because it’s *very* easy to change electronic information, and electronic information tends to be “hoarded”, it’s an important topic.  For personal files, integrity is important because a one-byte change in a photo can “corrupt” the photo so you can no longer see it (although this bleeds into availability).
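The standard technical control for integrity is a manifest of file hashes checked later. As an added example (my own code, not from the original post), this records a SHA-256 for each file and then reports what changed; the one-digit change to “1,000,000” and a single flipped byte in a photo both show up. Keying the digest with HMAC is included because a plain hash stored next to the file can simply be recomputed by whoever changed the file; the files and the key are constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


def digest(data: bytes, key: Optional[bytes] = None) -> str:
    """SHA-256 of the data, or HMAC-SHA256 if a key is supplied."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, "sha256").hexdigest()


def build_manifest(files: Dict[str, bytes], key: Optional[bytes] = None) -> Dict[str, str]:
    """Record a digest for every file so later modification can be detected."""
    return {name: digest(data, key) for name, data in files.items()}


def verify(files: Dict[str, bytes], manifest: Dict[str, str],
           key: Optional[bytes] = None) -> Dict[str, List[str]]:
    """Compare the current files against the manifest and bucket every name."""
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "new": []}
    for name, expected in manifest.items():
        if name not in files:
            report["missing"].append(name)
        elif hmac.compare_digest(digest(files[name], key), expected):
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["new"] = sorted(set(files) - set(manifest))
    return report


def demo_report(key: Optional[bytes] = None) -> Dict[str, List[str]]:
    """Constructed before/after snapshot of a home folder."""
    original = {
        "notes.txt": b"remember to renew the domain in March",
        "balance.txt": b"1,000,000",
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)),
        "taxes-2012.pdf": b"%PDF-1.4 constructed placeholder",
    }
    manifest = build_manifest(original, key)

    later = dict(original)
    later["balance.txt"] = b"9,000,000"                   # one digit changed
    photo = bytearray(original["photo.jpg"])
    photo[100] ^= 0x01                                    # one bit in one byte flipped
    later["photo.jpg"] = bytes(photo)
    del later["taxes-2012.pdf"]                           # file gone
    later["unexpected.exe"] = b"MZ constructed stranger"  # file that was never recorded
    return verify(later, manifest, key)


if __name__ == "__main__":
    print(demo_report())
    print(demo_report(key=b"constructed-demo-key-keep-this-off-the-disk"))
```

The keyed version only helps if the key lives somewhere the attacker cannot reach, for example on the machine doing the verification rather than on the backup drive with the files.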

Availability

You want to be able to access your information when you need it and where you need it.  This is generally the biggest concern of Internet based companies like Amazon – they lose money if you can’t get to their site.  Personal users also want to be able to get to their data when they need it.  For example, there’s a new virus out which will encrypt your entire hard drive (and all attached network drives) and won’t unlock the drive until you pay a ransom.  All of a sudden, you don’t have access to your pictures, your files, and possibly your records for business/tax purposes.

Information Security Controls

There are multiple ways to protect Confidentiality, Integrity, and Availability, and those are called controls.  You can have a “technical” control, where the systems enforce the control (like a locking screensaver), or you can have a “policy” control, where a policy dictates what to do/not do, and you expect people to follow those controls.  Generally, the policy controls aren’t as strong, but in some cases there’s not much of a choice because a technical control doesn’t exist.  I’ll be talking about both, but for a home user, “policy” controls are the easiest (cheapest) to implement and are “good enough”.

Links to the posts

  1. Firewalls
  2. Anti-Virus
  3. Updates
  4. Wireless Networks
  5. Outsourcing