This article is available on my free Cloud Computing podcast.
Introduction to security and privacy
Security and privacy are frequent topics of discussion nowadays. With ever-increasing IT infrastructures at the service provider and enterprise level, and with increasing IT knowledge among average knowledge workers and home users, awareness of security and privacy fundamentals is of paramount importance for the smooth operation of IT systems at all levels.
Security threats, almost all of which arrive from the Internet and are also known as cyber threats, have evolved over the years and have become increasingly complex, spanning many fields of IT operations and a wide range of systems and applications. Security threats are multi-dimensional, so being a security professional requires possibly the broadest and deepest knowledge and expertise in the industry. Because security is so dynamic, new types of threats emerge every day, which makes real-time monitoring of the global cyberspace threat landscape and big-data analysis of threats more relevant than ever.
This article does not attempt to dig into the security professional's side of things, nor does it cover security incident monitoring, vulnerability analysis, breach analysis or forensics. It addresses a less specialized audience: most modern knowledge workers and home power users. The following sections give an overview of items to keep in mind when organizing the security of your IT systems, so that you stay up to date and protected from threats which could compromise your systems and your online and offline activities.
Security as per the ISO OSI model
As per the ISO OSI model, all layers of a computing system must be secured to an acceptable level. Remember that computer and network security requires a multi-layered approach.
This includes the physical security of the systems themselves: protection from physical access by malicious users as well as from natural disasters and power failures. For this reason, at least a good UPS and a good PSU are very important for any computing system.
Perimeter and network security
Apply the following recommendations for securing your perimeter and network appliances and systems:
- Have a managed firewall device at your premises. pfSense is a good option, and it comes in many commercial implementations in small and affordable form factors.
- Baseline your network and deploy tools that keep an up-to-date view of its status and monitor it continuously. This includes tools like nmap and IP scanners.
- Always know the architecture of your network and be prepared to troubleshoot network traffic flow.
- Apply latest firmware and security patches to all network appliances.
- Apply whitelist and blacklist logic to all traffic.
- Make use of a trusted IAM (Identity and Access Management) and/or Privileged Access Management (PAM) system to centrally apply AAA functions (Authentication, Authorization and Accounting). This refers to network directories, on-premises or in the cloud, such as Active Directory and Azure Active Directory.
- Make use of a hardware firewall with ACL and maybe IPS/IDS and Web content filtering features.
- Design a multi-layered architecture, in which you isolate traffic in a DMZ network zone and have accommodations for cutting off parts of the network in case of a breach or security attack.
- Security is primarily about trust. Whom you trust to access what resources with what permission levels and on which conditions is of paramount importance. Invest in Zero-Trust Security Architectures.
- If you are utilizing a public cloud service such as Microsoft Azure, invest in the related data, network and application security tools and technologies which accompany your cloud of choice.
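The network baseline recommended above only pays off if you compare later scans against it. The following is an added example, not code from the article: it parses two nmap "grepable" (-oG) outputs and reports hosts and open ports that deviate from the approved baseline. Both scan texts are constructed sample data.

```python
# Added example (not from the article): diff two nmap "grepable" (-oG) scans so
# that hosts or open ports missing from the network baseline stand out.
BASELINE = """\
# Nmap scan (constructed sample) - approved baseline
Host: 192.168.1.1 (gw.lan)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.10 (nas.lan)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""
CURRENT = """\
# Nmap scan (constructed sample) - today's scan
Host: 192.168.1.1 (gw.lan)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.10 (nas.lan)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.1.77 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
"""

def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} containing only ports reported open."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment and status lines carry no host data
        fields = line.split("\t")
        ip = fields[0].split()[1]
        inventory.setdefault(ip, set())
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            # each entry is port/state/proto/owner/service/rpcinfo/version/
            for entry in field[len("Ports: "):].split(", "):
                port, state, proto = entry.split("/")[:3]
                if state == "open":
                    inventory[ip].add((int(port), proto))
    return inventory

def diff_inventories(baseline, current):
    """Report deviations from the baseline; ports are (ip, port, proto) tuples."""
    new_hosts = sorted(set(current) - set(baseline))
    new_ports, closed_ports = [], []
    for ip in sorted(set(current) | set(baseline)):
        before, after = baseline.get(ip, set()), current.get(ip, set())
        new_ports += [(ip, p, pr) for p, pr in sorted(after - before)]
        closed_ports += [(ip, p, pr) for p, pr in sorted(before - after)]
    return {"new_hosts": new_hosts, "new_ports": new_ports, "closed_ports": closed_ports}

if __name__ == "__main__":
    report = diff_inventories(parse_grepable(BASELINE), parse_grepable(CURRENT))
    for kind, items in report.items():
        print(f"{kind}: {items or 'none'}")
```

Run it against real `nmap -oG` files on a schedule; an unexpected host or a newly exposed port (here RDP on the NAS and telnet on an unknown host) is exactly what the baseline is meant to surface.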
Apply the following recommendations for securing your endpoints:
- Make use of an integrated antimalware system which includes the following:
  - Identity theft protection
  - Family content filtering and online activity monitoring for underage children
- Make use of secure DNS and Web content filtering systems. OpenDNS is a good example, other relevant services, such as Cloudflare, are available as well.
- Make use of an advanced firewall application. In the case of Windows, the built-in local firewall alone is never sufficient.
- Be aware of emerging mobile threats. Do not underestimate the backdoors which your mobile devices could open. Keep all systems patched with the latest security updates and apply the same security measures to your mobile devices as you would to desktop PCs.
- Do not forget that a lot of threats come in through the email/SMTP door. Ensure you are using all malicious email protection techniques (patched email clients, antispam, antivirus, antiphishing, encryption).
Data and email security
Securing your data and emails should be considered from three fundamental viewpoints: firstly the security of data at rest, secondly data in transit and thirdly data in use. Apply the following recommendations for securing your structured and unstructured data and emails:
- Make use of SSL/TLS certificates for securing your servers, your client devices and your applications. Deploy PKI infrastructure or make use of a public Certificate Authority (CA). TLS certificates and asymmetric public key cryptography will see an increasing range of applications in the future.
- Digitally sign your software and make use only of software which has been digitally signed by its vendor/developer.
- Make use of file and email encryption based on public/private key pairs or another architecture. You can use Microsoft BitLocker or open source technologies for disk-based encryption.
- Verify file integrity with hash algorithms (SHA, MD5) whenever you download any file or application; prefer SHA-256 where the vendor publishes it, since MD5 is no longer considered collision-resistant.
- Ensure that you follow best practices for email security, including configuring SPF, DKIM and DMARC DNS records and potentially using a Content Delivery Network (CDN). The following article provides a handful of email security best practices: https://www.cloudflare.com/press-releases/2021/cloudflare-takes-on-email-security/.
- Ensure you have policies in place for securing the distribution and usage of mobile and removable media in your organization (USB sticks, etc.).
- Ensure you have ways to minimize the possibility of data leaving your computer without your knowledge. Having a DLP (Data Loss Prevention) system in place is a good way to accomplish that. Modern public cloud SaaS and IaaS systems such as Office 365 offer this functionality.
- If you host any services in a Managed Service Provider (MSP), Cloud Service Provider (CSP) or public cloud, ensure that you are aware of the provider’s security and privacy policies as well as take any feasible action to secure your data. A good introduction to security best practices in the case of hosting a WordPress site can be found at: https://www.hostinger.com/tutorials/how-to-secure-wordpress.
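Publishing SPF and DMARC records is only half of the recommendation above; the records also have to say something enforceable. The following added example (not code from the article) audits SPF and DMARC TXT records for the settings that leave a domain spoofable: a permissive `all` qualifier, too many DNS lookups, a `p=none` policy and no reporting address. The records are constructed samples rather than live DNS lookups.

```python
# Added example (not from the article): audit SPF and DMARC TXT records and
# flag settings that leave a domain open to spoofing. Constructed samples.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
}

def check_spf(record):
    """Return findings for an SPF TXT record; an empty list means no issue."""
    if not record or not record.startswith("v=spf1"):
        return ["missing or malformed SPF record"]
    findings, terms = [], record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    qualifier = all_terms[-1][0] if all_terms and all_terms[-1][0] in "+-~?" else "+"
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier in "+?":
        findings.append(f"'{all_terms[-1]}' lets any host send as the domain")
    elif qualifier == "~":
        findings.append("'~all' only soft-fails unlisted senders; prefer '-all'")
    # RFC 7208 limits DNS-querying mechanisms and modifiers to 10 per check
    names = (t.lstrip("+-~?").split(":")[0].split("=")[0] for t in terms)
    if sum(n in ("include", "a", "mx", "exists", "redirect") for n in names) > 10:
        findings.append("more than 10 DNS lookups: evaluation ends in permerror")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC TXT record; an empty list means no issue."""
    tags = dict(p.strip().split("=", 1) for p in (record or "").split(";") if "=" in p)
    if tags.get("v") != "DMARC1":
        return ["missing or malformed DMARC record"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"p={tags.get('p')} does not act on mail that fails SPF/DKIM")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are discarded")
    return findings

def audit(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one domain."""
    r = records[domain]
    return {"spf": check_spf(r.get("spf")), "dmarc": check_dmarc(r.get("dmarc"))}
```

To audit a real domain, fetch the TXT records for `example.com` and `_dmarc.example.com` with your resolver of choice and pass the strings to the same functions.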
Apply the following recommendations for securing your operating system:
- Minimize the number of installed applications and services (minimize security attack surface). Make use of security hardening techniques to minimize the exposed applications and services.
- Do not expose your machines to the Internet if not required.
- Apply latest security updates to your OS.
- Make use of the Controlled Folder Access feature in Windows 10.
- Make use of local group policy and domain group policy to enforce the various security settings in your organization.
- Make use of AppLocker and Software Restriction Policies via Active Directory Group Policy.
- When assigning permissions to users (SMB, NTFS, SQL, Active Directory, etc.), always use RBAC when possible and apply the principle of least privilege. Also configure audit policies which record which users accessed which resources and what actions they took, so that recent activity can be reviewed at any time.
- Change the default admin password in your appliances and devices.
- Keep all your installed applications up to date.
- Make use of secure browsers with security plugins. You can get ideas and free tools for increasing security and privacy in your system by visiting https://www.privacytools.io/.
Follow the tips below to increase your level of privacy online:
- Investigate your credit report and ensure that all financial and medical data are stored by companies you trust or better yet, store this information only offline in at least two backup locations.
- Use strong passwords (lowercase and capital letters, numbers and special characters). The best passwords are long ones which are relatively easy to remember because they correspond to a unique phrase (slightly changed) which only the owner of the password could know.
- Ensure that you maximize the usage of Multi-Factor Authentication (MFA). New trends in security are extending this requirement not only to what you know (password) and what you have (token) but also to what you are (biometrics). Make use of smart cards or tokens for logging into on-premises and cloud applications. An example of a hardware-based token device is the YubiKey. MFA can come in various types, such as the following:
  - Windows Hello for Business or another biometric-based passwordless system
  - Mobile authenticator app with online access request verification or offline access code generator
  - FIDO2 security key
  - OATH hardware token
  - OATH software token
  - SMS verification
  - Voice call verification
- Do not use a local administrator account for everyday work, so as to avoid privilege elevation and malicious code execution.
- Enable User Account Control (UAC).
- Beware of social engineering attacks. Never disclose your password or other sensitive data to anyone pretending to be a technical support engineer or to have other technical authority.
- Use a password manager to keep all your strong passwords secure.
- Never disclose your personal passwords to anyone.
- Never disclose your email address to recipients you don't trust.
- Check for traces you leave while you browse the Internet (cookies, IP addresses).
- Make use of identity theft tools, such as LifeLock (https://www.lifelock.com/).
- Use a VPN proxy for more anonymous browsing.
- Make use of sandboxed virtualized systems to access the Internet. A great sandbox system can be a virtual machine or a container.
- Make use of a private search engine. Startpage.com is a good place to start.
- Look for GDPR and ISO 27001 notices, privacy notices and cookie notices on all sites you visit.
Security and privacy links
The following is a non-exhaustive list of recommended security and privacy tools and links:
- pfSense home appliance
- OWASP web app security projects
- SSL Labs
- OpenVAS vulnerability scanner
- Kali Linux forensic tools
- Kali Linux pen test tools
- Restore privacy
- Shields Up port scanning service
- Firefox Relay Service
- PCI-DSS security standard
- VPN Mentor
- Password and remote connection credentials manager
- Malware Bytes
- Microsoft Safety Scanner
- Keyscrambler anti-keylogger software
Backup and restore
No matter how well you have organized your security, there is always the possibility of a breach you cannot have control of. Therefore make sure that you always keep redundant backups of all valuable assets and data and that you have documented procedures for restoring your data in case of an emergency or security threat. Utilizing the cloud is a good way to ensure you will have access to your data off-site. There are further concerns about whom you trust your data with, but that’s another (very long) chapter to discuss.
Security documentation and training
Make sure that you document all security tools and procedures you follow and the tests you apply, and keep yourself and your colleagues up to date with emerging security threats and trends on a regular basis. Subscribing to a regular newsletter covering the latest threats and exploits is a good idea. MS-ISAC from CIS Security is a good place to start: https://www.cisecurity.org/ms-isac/
There are many security layers which you can work to optimize and protect. However, keep in mind that the only truly secure system is the offline system. Any system which connects to at least one network is by definition susceptible to various threats. Another security fact is that any system which can be locked can, and at some point will, be unlocked. Always remember that security is a long journey without an end but with a clear target in mind. Keep it simple, cut off what is not absolutely required for operating your system and apply whitelist or blacklist logic to everything. Security is also about trust, and more specifically whom you trust with your data, identity, services and applications. In order to have good security in your systems you should investigate your applied web of trust.
Keeping an eye on latest developments is always key for becoming more proactive and for attaining a more holistic approach to security and privacy.