Security Guidance for Home and Business Users

The NHS has been in the news today (12 May 2017) for all of the wrong reasons. A ransomware attack is currently crippling some NHS trusts, with some going so far as to suggest that people not attend hospitals because of the issues.

With this in mind I thought it would be appropriate to pen some security guidance that home and business users can follow to help protect themselves and their employers. These can be found below:

1. Don’t click on links if you’re not sure they’re legit. It’s incredibly easy to make a link look legit so if in any doubt whatsoever don’t click it.

2. Don’t open attachments. If you get one from someone don’t open it unless you’re absolutely certain it’s legit. If you do get one and it looks suspicious don’t email the sender back; rather send a text message, WhatsApp message or a message on some other platform. It’s easy to forge mail addresses and have replies sent to another address, in which case the cyber criminal will engage in a conversation and try to convince you to open the attachment.

3. Enable file type extensions in Windows Explorer. By default Windows doesn’t show these to try and make things look cleaner, which makes it really easy to make malicious files look harmless. The Love Bug virus way back in 2000 exploited this by sending a file called loveletter.txt.vbs, so when you looked at the file it looked like an innocent text file, but when you opened it it was a malicious Visual Basic script.
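As an added example (not from the original post), the following PowerShell turns the extension display on for the current user and then checks a folder for the loveletter.txt.vbs pattern: a decoy extension sitting in front of one Windows will actually execute. The folder path and the list of runnable extensions are my assumptions; adjust both to taste.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on Windows 10.
# The scan folder is an assumption; Downloads is where mail attachments usually land.
$scanFolder = Join-Path $env:USERPROFILE 'Downloads'

# 1. Tell Explorer to show file extensions for the current user (0 = show, 1 = hide).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord
# Explorer only re-reads the setting when it restarts (Windows 10 relaunches it itself).
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue

# 2. Extensions that Windows runs when double-clicked (assumed list, not exhaustive).
#    loveletter.txt.vbs ends in .vbs; with extensions hidden it displayed as loveletter.txt.
$runnable = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.exe', '.scr', '.com', '.bat', '.cmd', '.pif', '.hta'

# 3. Flag files whose name carries a decoy extension in front of a runnable one.
function Find-DoubleExtension {
    param([string]$Path, [string[]]$Runnable)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $parts = $_.Name.Split('.')
            # need at least name + decoy + real extension, and the real one must be runnable
            $parts.Count -ge 3 -and ($Runnable -contains ('.' + $parts[-1]).ToLower())
        } |
        Select-Object FullName, Length, LastWriteTime
}

$hits = Find-DoubleExtension -Path $scanFolder -Runnable $runnable
if ($hits) {
    Write-Warning 'Files with a decoy extension in front of a runnable one:'
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No double-extension executables found under $scanFolder"
}
```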

4. Don’t run as an administrator. The first account created in Windows when you install it is made an administrator by default. Use a generic name for this account (e.g. SuperUser, Build, etc.) and then create a second account. Make the second account a standard user and use that instead. Most day-to-day stuff like creating documents, browsing Facebook, etc. doesn’t require admin rights. If you need to install specific software (e.g. Google Chrome), download it from the company’s website and then, when prompted, use the administrator account’s credentials.
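As an added example (not from the original post), this PowerShell creates the standard day-to-day account and then verifies that it is in Users but not in Administrators. It assumes you run it once from the original administrator account; the account name DailyUser is a placeholder.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on Windows 10,
# run from the administrator account that Windows created at install time.
$standardName = 'DailyUser'   # placeholder name; pick your own

# 1. Report whether this session actually holds admin rights (it must, to create users).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($identity.Name); elevated: $isAdmin"
if (-not $isAdmin) { throw 'Re-run this from an elevated PowerShell window.' }

# 2. Create the standard account if it does not exist. New-LocalUser puts it in no group,
#    so add it to Users explicitly; it is never added to Administrators.
if (-not (Get-LocalUser -Name $standardName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $standardName" -AsSecureString   # not echoed
    New-LocalUser -Name $standardName -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $standardName
}

# 3. Verify: members are reported as COMPUTERNAME\name.
$qualified = "$env:COMPUTERNAME\$standardName"
$inUsers   = (Get-LocalGroupMember -Group 'Users').Name -contains $qualified
$inAdmins  = (Get-LocalGroupMember -Group 'Administrators').Name -contains $qualified
if ($inUsers -and -not $inAdmins) {
    Write-Host "$standardName is a standard user; sign in with it for day-to-day work."
} else {
    Write-Warning "$standardName membership is wrong (Users=$inUsers, Administrators=$inAdmins)."
}
```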

5. Configure Windows Update to run weekly at a minimum. Microsoft are generally good at patching 0-day vulnerabilities, and by regularly running Windows Update you will receive these updates.

6. Configure apps like iTunes, Chrome, Firefox, Flash Player, Adobe Reader, etc. to update weekly as well. Similar to Microsoft, other application vendors will regularly patch their applications to resolve any vulnerabilities within the software.

7. Run an updated antivirus. Even if it’s just Windows Defender or another free AV, it’s good practice.

8. Get in the habit of doing regular backups, ideally to a device not permanently connected to your machine. Buy a cheap external USB drive, plug it in once a week and run a backup. Yes, it’s inconvenient and impractical, but in the event you get ransomware on your machine you can recover without paying the criminals.

9. Review the third-party apps and websites you’ve given consent to access your accounts. Facebook, Google and Microsoft accounts can give access to hundreds of web services. Make sure anything you don’t use anymore is removed.

10. Don’t use the same password on multiple accounts; you’re just asking for trouble. Rather use something like 1Password to manage all your passwords and have one good, complex master password instead.

For the more tech savvy users:

1. Make sure your devices aren’t using the default passwords. Things like webcams, wireless routers, printers, etc. are all capable of opening a hole in your network. Start by setting complex passwords on each and every one of these.

2. Updates! Any and all devices that can have security updates installed should have them installed immediately.

3. Use Ad-Blockers in your web browsers! Just this week I read a scary article about a compromised ad-network introducing malware into browsers!

4. Where possible use a third-party provider like OpenDNS to help provide some extra protection.

For businesses there are a few additional things you should be doing to help protect your users from themselves:

Security software from vendors like Ivanti, Avecto, etc. is a great investment to protect yourselves. The key is to get these products fully implemented and to continually review audit data and improve your configurations. Bryan Chriscoli (@techbry) tested WannaCry against his employer’s Ivanti Application Control configuration (in an isolated test lab) and found that it protected them. This is because the initial application / delivery mechanism is introduced by the user and as such is not trusted and is blocked from running.

Invest in mail scanning services to add an extra layer of protection. Almost all reputable vendors had their engines updated soon after the threat started spreading, so whilst this doesn’t completely protect you, it certainly will help.

Communicate with your users. Make sure they know that if they aren’t 100% sure of the authenticity of an email they should contact the service desk. The cost of having them contact your service desk to double check an email will be considerably lower than the cost of recovering from an infection. Why not occasionally test your user base as well? Obviously if you choose to do this, ensure you have permission from your CIO and business leaders before you send a phishing email.

That about covers it. If you have any questions regarding any of this, please get in touch.