I am not a security expert. I’m just some guy who works in IT but I have been thinking more and more about the security side of things lately. Last year, I was a guest on the Liquidware Unplugged event and the topic of security came up. I mentioned personal security being very important for corporate security.
The fact is the biggest security risk in an enterprise is its people. We all coast through the mandatory data compliance and security training courses our employers provide each year but I feel like most of those courses miss an important factor in securing a company. They should not just teach employees to handle data at work carefully and to ensure their physical workspace is secure BUT also provide comprehensive guidance on how they should secure their personal data when outside of work too.
Password spraying has come up as an attack method in various stories I have covered over the years. This is when attackers try a short list of common passwords against many accounts, rather than many guesses against one. I have also covered stories of brute force attacks, where hackers target a single account and keep guessing passwords against it.
What is scary is that many people use the same password for their personal accounts and their work accounts. If you use the same password for your Gmail, Amazon, Paddy Power account etc. as you do for your work account and one of those services suffers a breach, attackers could gain your name, password, address and more. They can then simply figure out where you work based on the job listed on social media sites like Facebook or LinkedIn and try to sign in to your work’s portal.
Recently, two major events occurred that got mainstream media attention. They were portrayed as data breaches by some but really it was just large-scale data scraping of information already publicly available on Facebook and LinkedIn. Worryingly, even the Facebook data scraped included people’s employers. Interestingly, there was also a suggestion some other data related to users of those services was sourced from other online services and combined.
If you’d like to check to see if your data was included in these large data scraping events and indeed in other major data breaches, you should search your e-mail addresses and phone numbers in the free service: https://haveibeenpwned.com/
Employers provide data compliance and security training that is really just cookie cutter content with little thought given to new and emerging threats until they are a clear and present danger. Most mandatory training courses I have had to take part in never mentioned personal security. They warn against disclosing information to cold callers, they warn against letting people tailgate their way into the office behind you, they instruct you to always lock your computer when leaving and give some other general tips on how to handle sensitive data.
I feel this ignores a large gaping security hole. The people problem!
Ok, my question about favourite password managers has been getting a great response. 3 of the products getting more mentions than others so let’s get a poll going.
Which is the best Password Manager between these 3:
— Rory Monaghan (@Rorymon) December 21, 2020
Something you can do to help safeguard your personal passwords is to get into the practice of using a password manager. When logging into a service, change your password to a randomly generated one and save it in the manager. Whatever you do, set a strong password for the password manager itself, and it is best not to write it down anywhere it could be exfiltrated. Also configure the account for Multi-Factor Authentication. This approach is a calculated risk: if the password manager service is breached, someone gets all your passwords. Personally, I never store any work related passwords in a password manager. I use it as a way to randomize my passwords. If something like Office 365 gets hit and someone gets my password, I can at least rest a little easier knowing I don’t use that password for anything else.
Passwordless login with @Okta verify and @Citrix virtual apps and desktops.
No need for FAS.
Full login with authentication in under 30 seconds. pic.twitter.com/0rnLkZ7Lkx
— Mike Streetz (@O_P) April 16, 2021
Some further advancements are being made for more secure authentication methods. Microsoft themselves have pretty much put the idea of passwords to bed. Passwordless devices like YubiKeys are becoming more and more popular and community members like Mike Streetz and Jason Samuel have been sharing some of their very exciting research into such solutions.
I mentioned MFA earlier in this article. It’s a must and you should enable it on any service that offers it BUT don’t let yourself fall into a false sense of security. You may think that if you use MFA, even if someone gets your password it won’t be enough to get them access. WRONG. MFA can still be compromised, particularly codes sent by SMS through SIM swapping, but also via social engineering and by something I don’t see getting talked about a lot…a lack of vigilance by users.
The more services that leverage MFA, the more MFA prompts a person is going to see in a given day. Say you work in an organization that uses a service like CyberArk behind MFA, CVAD or Horizon behind MFA, Office 365 behind MFA and so on. People could become too comfortable with just approving prompts without even thinking about it. Have you ever had your Teams authentication expire and randomly pop up a prompt and wondered what the heck that is for? How many people just approve it without a second thought?
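Both of the people problems described in this post, password spraying against reused passwords (earlier) and users approving a flood of MFA prompts (just above), leave a recognisable shape in authentication logs, and an InfoSec team can alert on that shape. The following is an added example, not code from this post or from any of the products mentioned; it runs over a constructed set of sample events (timestamps, source IPs, users and results are all made up) and flags a source that fails logins for many distinct accounts in a short window, the sprayed accounts it then got into, and a user who received a burst of push prompts ending in an approval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs from any system).
# Fields: ISO timestamp, kind ("password" or "mfa_push"), source IP, user, result.
RAW_EVENTS = [
    # One source cycling a common password through several accounts.
    ("2021-04-20T08:00:01", "password", "203.0.113.7", "alice", "fail"),
    ("2021-04-20T08:00:09", "password", "203.0.113.7", "bob", "fail"),
    ("2021-04-20T08:00:15", "password", "203.0.113.7", "carol", "fail"),
    ("2021-04-20T08:00:22", "password", "203.0.113.7", "dave", "fail"),
    ("2021-04-20T08:00:30", "password", "203.0.113.7", "erin", "fail"),
    ("2021-04-20T08:00:41", "password", "203.0.113.7", "bob", "success"),
    # The same source then hammering bob with push prompts until one is approved.
    ("2021-04-20T08:01:00", "mfa_push", "203.0.113.7", "bob", "denied"),
    ("2021-04-20T08:01:40", "mfa_push", "203.0.113.7", "bob", "denied"),
    ("2021-04-20T08:02:10", "mfa_push", "203.0.113.7", "bob", "timeout"),
    ("2021-04-20T08:02:55", "mfa_push", "203.0.113.7", "bob", "denied"),
    ("2021-04-20T08:03:30", "mfa_push", "203.0.113.7", "bob", "approved"),
    # A normal user mistyping once, then logging in and approving one prompt.
    ("2021-04-20T08:05:00", "password", "198.51.100.4", "alice", "fail"),
    ("2021-04-20T08:05:20", "password", "198.51.100.4", "alice", "success"),
    ("2021-04-20T08:05:25", "mfa_push", "198.51.100.4", "alice", "approved"),
]


def parse_events(raw):
    """Convert the timestamp strings to datetimes and sort chronologically."""
    events = [(datetime.fromisoformat(ts), kind, src, user, result)
              for ts, kind, src, user, result in raw]
    return sorted(events, key=lambda e: e[0])


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail password logins for many *distinct* users inside
    one time window: few guesses per account, many accounts."""
    failures = defaultdict(list)
    for ts, kind, src, user, result in events:
        if kind == "password" and result == "fail":
            failures[src].append((ts, user))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        best = set()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[src] = sorted(best)
    return flagged


def sprayed_users_with_success(events, spray):
    """Users a flagged spray source later logged into: the reused-password cases."""
    hits = set()
    for ts, kind, src, user, result in events:
        if kind == "password" and result == "success" and user in spray.get(src, []):
            hits.add(user)
    return hits


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_prompts=5):
    """Flag users who receive a burst of push prompts. An approval at the end of
    such a burst may be a worn-down user tapping 'approve' to make it stop."""
    prompts = defaultdict(list)
    for ts, kind, src, user, result in events:
        if kind == "mfa_push":
            prompts[user].append((ts, result))
    flagged = {}
    for user, items in prompts.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            burst = [r for t, r in items[i:] if t - start <= window]
            if len(burst) >= min_prompts:
                flagged[user] = {
                    "prompts": len(burst),
                    "approved": burst.count("approved"),
                    "not_approved": len(burst) - burst.count("approved"),
                }
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    spray = detect_password_spray(evs)
    print("password spray sources:", spray)
    print("sprayed accounts later logged in:", sprayed_users_with_success(evs, spray))
    print("MFA push bursts:", detect_mfa_fatigue(evs))
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned against normal traffic, and a spray alert would normally be joined with the MFA burst so the account that was both sprayed and then prompted repeatedly is the first one a responder looks at.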
It reminds me a little of UAC on people’s personal Windows Vista laptops back in the day. The UAC prompts were so regular they became ineffective. No one batted an eyelid when they got a prompt and just allowed the processes to run elevated.
Vigilance extends to the more obvious, widely discussed security threats like social engineering and phishing attempts. Any good InfoSec team will keep users trained on how to spot suspicious e-mails and how to handle cold calls looking for information. Something to be aware of is the e-mails from gangs who claim to have gained access to your account(s) and threaten to disclose sensitive information to all your friends and family if you don’t pay them. This could be very concerning and very effective for them to get money from you, but realize your e-mail address could simply have been publicly exposed in a previous breach. Just because they claim something, it doesn’t make it true.
What your InfoSec team may not tell you about is being wary of which networks you connect your devices to, and good practices for your personal devices.
You might be surprised that some popular, well established businesses who offer free Wi-Fi in their premises don’t necessarily have the best security in place. You should think twice about connecting to these networks! This is a topic I will expand on in the future.
A more immediate concern with everyone working from home is the security of their personal devices and networks. When was the last time you performed a firmware upgrade on your router? Do you know what ports, if any, are open on your router? Some ISPs leave ports open by default. You should regularly check your network devices and apply security updates. A good example of network devices with serious security issues that got actively exploited was Ubiquiti, but there have been others. You can use Shodan to look up certain device types, like those by Ubiquiti, to find a list of devices currently exposed online. For a fun but scary glimpse at a random assortment of devices exposed online, check out Shodan 2000, where you can usually find security cameras, breached routers, Windows machines with a ransomware note and more.
If you are geeky with money and time to blow, you could consider building your own layered mesh network at home. Having a separate network for your Smart TVs, Smart Lights and other IoT devices vs the one your computers run on can be a good idea. You can even create your own guest network for visitors to use.
As annoying as it may be, you should also install Windows updates, macOS updates and other operating system updates as soon as you can. Patching your network gear is an attempt to keep your outer perimeter wall as stable and secure as possible. Security updates on your devices are another layer of security that is very important. So too is keeping your browsers and other apps as up to date as possible and, of course, protecting your devices from being stolen, your passwords from being stolen and other sensitive data secure.
I started this blog post talking about social media sites. Seems fitting to end with a little bit about social media etiquette related to corporate security on your personal timelines. Above is an example of an Irish politician trying to dunk on a far right group but in doing so he exposes security software being used by the Irish Government. As it happens, the version of the software being used is now End of Life which means McAfee won’t be providing security updates for it anymore. The tweet also exposes email addresses and extension numbers used by the IT teams. I decided to mask this info but last time I checked the tweet is still out there despite me letting him know the risks and despite reaching out to their IT teams. When posting on social media, best to not mention your employer. Avoid sharing screenshots or pictures of a corporate device or software and don’t take pictures in your office.
This blog post could go on and on but I’ll wrap it up here. This article has been in my drafts since last year but with the recent news stories making waves on mainstream media I figured now was a good time to finish it up. I hope to post a couple more security related blog posts in future.
Photos by Bermix Studio on Unsplash & by Franck also on Unsplash