The insecurities list: 10 ways to improve cybersecurity
A friend asked me to list all of the cybersecurity things that bug me and what he should be diligent about regarding user security. We talked about access control lists, MAC-layer spoofing, and a bunch of other topics and why they mattered. He said I should come up with a list of head-desk things.
After a bit of thought, here’s a list. It’s by NO means comprehensive, and it’s not an organized best practices document. Instead, these are marbles that roll around in my head and bother me a lot.
1. Ban and route to null t.co, bit.ly, and other URL shorteners
Why? Especially in phishing emails, a user has no idea where the link is going, what's behind it, or whether the page that loads in the default browser is benign or malicious. Sure, your anti-malware or antivirus tool, or even the browser's own instincts, might stop a page load that opens a back door into your network. Maybe. Resolving the shortener domains to nothing on your resolver (a DNS sinkhole) removes the guesswork: the link fails instead of expanding to an unknown destination.
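Here is one way to put that into practice, as an added example that is not part of the original post: a small Python script that spots shortener links in a message body, then expands each one with a single HEAD request that deliberately does not follow the redirect, so the destination is revealed without anyone's browser loading it. The shortener list, the sample message and the link token in it are constructed for illustration; the DNS side (resolving those hosts to nothing) is done on the resolver, not here.

```python
"""Flag URL-shortener links in a message and reveal where they point.

Added example, not from the original post.  SHORTENERS and the sample
message in __main__ are constructed; extend the list from your own
mail-gateway data.
"""
import http.client
import re
from urllib.parse import urlsplit

# Constructed starter list of public shorteners.  Matching is by host
# suffix, so "www.bit.ly" and "bit.ly" are both caught.
SHORTENERS = {"t.co", "bit.ly", "bitly.com", "tinyurl.com", "goo.gl",
              "ow.ly", "is.gd", "buff.ly"}

URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.IGNORECASE)


def host_of(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_shortener(url, shorteners=SHORTENERS):
    """True if the URL's host is a listed shortener or a subdomain of one."""
    host = host_of(url)
    return any(host == s or host.endswith("." + s) for s in shorteners)


def extract_urls(text):
    """Pull http(s) URLs out of free text, stripping trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def _head(url, timeout=5):
    """One HEAD request; return (status, Location header or None).
    Redirects are NOT followed: we only want the first hop, never the
    destination page."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "link-triage/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_once(url, fetch=_head):
    """Reveal where a shortened link points without visiting it.
    `fetch` is injectable so the logic can be exercised offline."""
    status, location = fetch(url)
    if status in (301, 302, 303, 307, 308) and location:
        return location
    return None


def triage(text, fetch=_head):
    """[(url, destination_or_None)] for every shortener link in `text`."""
    return [(u, expand_once(u, fetch)) for u in extract_urls(text) if is_shortener(u)]


if __name__ == "__main__":
    # Constructed phishing-style message; the bit.ly token is made up.
    SAMPLE = "Your invoice is ready: https://bit.ly/3xyzABC (real site: https://www.example.com/billing)."
    try:
        for url, dest in triage(SAMPLE):
            print(f"{url} -> {dest or 'no redirect returned'}")
    except OSError as exc:  # offline, or the shortener is already sinkholed
        print("lookup failed:", exc)
```

For the sinkhole itself, hand the resolver the same list: in dnsmasq the form is `address=/bit.ly/0.0.0.0`, in Unbound `local-zone: "bit.ly" always_nxdomain`. The HEAD-only expansion is for the analyst working a reported message, not for end users.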
2. Allow browsers to force https
Firefox and Chrome both have an HTTPS-only mode. Lots of sites still have log-ons on http, where credentials cross your network, and the internet routing path in general, in plaintext. Firefox now warns users who try to enter or auto-fill credentials on http pages. Educate users about this. And if, heaven forbid, your own site has a log-on over http, fix it now, before someone else finds it for you.
3. Update your asset lists monthly
There's too much change. Insurance companies love receipts and having things in order, as do police departments (and your insurer will want a police report). Yes, there's something to the tactic of periodically taking a video of all your equipment, serial numbers included, and uploading it to two places.
4. Go through and delete expired browser certificates
Get rid of them. Let users see the scary error message when something routes them to an expired certificate, and do not teach them to click past it, so that they don't swallow the next thing that inevitably arrives: the forged-certificate "open wide" page. Face it, you need a certificate and key management system, and rigorous enforcement once the pilot is over. Key managers are worth their weight in stolen assets.
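As an added example (not from the original post), here is a standard-library audit of a PEM trust-store export that reports which CA certificates have expired, so the pruning is driven by data rather than by scrolling through a dialog. The default bundle path in the usage is an assumption for Debian-style systems; export your browser or OS store and point it at that file.

```python
"""List expired CA certificates in a PEM bundle.

Added example, not from the original post.  Uses only the standard library;
the default path below is an assumption (Debian/Ubuntu system store).
"""
import ssl
import sys
import time


def is_expired(not_after, now=None):
    """`not_after` is the string ssl returns, e.g. 'Jan 15 00:00:00 2030 GMT'."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(not_after) < now


def days_left(not_after, now=None):
    """Whole days until expiry (negative once expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def audit_bundle(path, now=None):
    """Return [(subject_cn, not_after, expired)] for each CA cert in `path`.
    Caveat: SSLContext.get_ca_certs() only lists certificates that carry the
    CA flag, which is all a trust store should contain anyway."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    report = []
    for cert in ctx.get_ca_certs():
        # subject is a tuple of RDNs, each a tuple of (name, value) pairs
        cn = dict(rdn[0] for rdn in cert.get("subject", ())).get("commonName", "?")
        report.append((cn, cert["notAfter"], is_expired(cert["notAfter"], now)))
    return report


if __name__ == "__main__":
    bundle = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs/ca-certificates.crt"  # assumed
    for cn, not_after, expired in audit_bundle(bundle):
        tag = "EXPIRED" if expired else f"{days_left(not_after):5d}d"
        print(f"{tag:8} {cn!r} until {not_after}")
```

Run it against each trust store you actually ship (browser, OS, Java keystore export) and remove what it flags; the same loop with a `days_left` threshold gives you early warning on your own certificates.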
5. Client hosts files don’t work. But router hosts files do
In my personal opinion, Microsoft should be banned for ignoring the hosts file, the file that maps host names to IP addresses. This is done because the file can disrupt Active Directory under some circumstances, so Windows ignores it.
The problem is that there are many well-thought-out, cogent hosts-file lists of fake and misspelled sites that can keep users from shooting themselves in the spelling foot. This is such an unholy act that Microsoft should be spanked.
macOS and Linux both respect this file dutifully, which is why it needs to be examined periodically by scripts to see whether it has been tampered with by unscrupulous users or, more importantly, by malware. Every so often, rewrite your organization's hosts file from a known-good copy just to remove any corruption.
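A check of the kind described, as an added example that is not part of the original post: it diffs the live hosts file against the organization's golden copy and flags any entry that points a sensitive name somewhere other than a sinkhole address, which is the signature of malware redirecting a bank or update domain. Both file bodies and the watch list are constructed; in production read `/etc/hosts` and pull the golden copy from configuration management.

```python
"""Verify a hosts file against a known-good copy and flag redirections.

Added example, not from the original post.  GOLDEN, LIVE and
SENSITIVE_SUFFIXES are constructed for illustration.
"""
import hashlib
import ipaddress

# Constructed golden copy: what the organization pushes out.
GOLDEN = """\
127.0.0.1 localhost
::1 localhost
# typo-squat protection
0.0.0.0 paypa1.example
0.0.0.0 micros0ft.example
"""

# Constructed live copy: someone (or something) appended a line.
LIVE = GOLDEN + "203.0.113.7 bank.example www.bank.example\n"

# Constructed watch list of names that must never be re-pointed.
SENSITIVE_SUFFIXES = ("bank.example", "paypal.example")


def parse_hosts(text):
    """Map each host name to its IP, ignoring comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def is_sinkhole(ip):
    """0.0.0.0 and loopback only block a name; any other address actually
    redirects traffic and deserves a closer look."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit(live_text, golden_text, sensitive=SENSITIVE_SUFFIXES):
    """Report whether the file changed, which names were added, removed or
    re-pointed, and which entries redirect sensitive names off-host."""
    live, gold = parse_hosts(live_text), parse_hosts(golden_text)
    added = sorted(set(live) - set(gold))
    removed = sorted(set(gold) - set(live))
    changed = sorted(n for n in set(live) & set(gold) if live[n] != gold[n])
    redirects = sorted(
        (n, ip) for n, ip in live.items()
        if not is_sinkhole(ip) and any(n == s or n.endswith("." + s) for s in sensitive)
    )
    return {"unchanged": digest(live_text) == digest(golden_text),
            "added": added, "removed": removed, "changed": changed,
            "redirects": redirects}


if __name__ == "__main__":
    report = audit(LIVE, GOLDEN)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["unchanged"]:
        print("hosts file drifted; restore from golden copy and investigate the diff")
```

The sha256 comparison answers "did it change at all", which is what a cron job wants; the parsed diff answers "change to what", which is what the analyst wants. Keep both, and restore from the golden copy only after the diff has been captured.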
6. Inventory your assets and review what's on the network
Scanning your network for new and unknown MAC addresses means you've perhaps discovered new purchases or, worse, newly implanted machinery on your network. After reading about the dishwasher CVE (look it up: Miele), you have no idea what is really there until you've done the work of slogging through your ACLs and MAC address tables looking for new back doors into your network.
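As an added example (not code from the original post), the review step in Python: diff the neighbour table against an inventory of known MACs, reporting devices nobody inventoried, inventoried MACs turning up at an unexpected address (a DHCP lease change, or the MAC-layer spoofing mentioned at the top), and inventoried devices that have gone quiet. The inventory and the `ip neigh` output are constructed; the `live_neigh` helper assumes a Linux host.

```python
"""Compare what is on the wire with the asset inventory.

Added example, not from the original post.  INVENTORY and SAMPLE_NEIGH are
constructed; in practice feed review() the real output of `ip neigh show`
(Linux) or an arp-scan, and the inventory from your CMDB.
"""
import re
import subprocess
import sys

# Constructed inventory: MAC -> (hostname, expected IP).
INVENTORY = {
    "b8:27:eb:12:34:56": ("pi-sensor-01", "192.168.1.40"),
    "00:0c:29:aa:bb:cc": ("vm-fileserver", "192.168.1.20"),
    "3c:22:fb:01:02:03": ("printer-2f", "192.168.1.50"),
}

# Constructed neighbour table: an unknown device, an inventoried MAC that
# also answers at a second address, and the printer not seen at all.
SAMPLE_NEIGH = """\
192.168.1.40 dev eth0 lladdr b8:27:eb:12:34:56 REACHABLE
192.168.1.20 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.1.77 dev eth0 lladdr 00:0c:29:aa:bb:cc REACHABLE
192.168.1.99 dev eth0 lladdr 8c:1f:64:de:ad:01 REACHABLE
192.168.1.1 dev eth0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-fA-F:.-]+)")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or Cisco aabb.ccdd.eeff;
    emit the lower-case colon form so inventory lookups match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_neigh(text):
    """Yield (ip, mac) for resolved rows; FAILED/INCOMPLETE rows carry no lladdr."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m.group(1), normalize_mac(m.group(3))


def review(neigh_text, inventory=INVENTORY):
    """Unknown MACs, inventoried MACs at unexpected IPs, and devices not seen."""
    seen = {}
    for ip, mac in parse_neigh(neigh_text):
        seen.setdefault(mac, set()).add(ip)
    unknown = sorted((mac, sorted(ips)) for mac, ips in seen.items() if mac not in inventory)
    moved = sorted(
        (mac, inventory[mac][0], sorted(ips - {inventory[mac][1]}))
        for mac, ips in seen.items()
        if mac in inventory and ips - {inventory[mac][1]}
    )
    missing = sorted(inventory[mac][0] for mac in inventory if mac not in seen)
    return {"unknown": unknown, "moved": moved, "missing": missing}


def live_neigh():
    """Text of `ip neigh show` on this host (Linux only)."""
    return subprocess.run(["ip", "neigh", "show"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    text = live_neigh() if "--live" in sys.argv else SAMPLE_NEIGH
    for key, value in review(text).items():
        print(f"{key}: {value}")
```

A neighbour table only shows hosts that have talked to the scanning machine recently, so run it from a box on each segment, or feed it an active scan, and reconcile the "unknown" list before the next asset-list update rather than after.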
7. Do sanity check meetings
If you’re on a security team, schedule regular meetings with other departments within IT. Let people voice their concerns. Remind people of organizational security needs. Allow yourselves time to physically visit important assets. Several eyes on assets might reveal something new or strange to investigate.
8. Read the damn logs
There are lots of good log-aggregation services that ingest Windows event logs and standard syslog. Filter and read them. Act upon what you see. The logs are there for a reason. Yes, Facebook can be more interesting, but read the damn logs.
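As an added example (not from the original post), the kind of filter that makes the logs worth reading: one pass over sshd syslog lines that counts failed log-ons per source, lists the user names each source tried, and, more importantly, flags any source that got in after a run of failures. That last case is the line a human actually needs to see. The log lines are constructed in the standard sshd format.

```python
"""Pull brute-force and success-after-failure events out of sshd syslog.

Added example, not from the original post.  SAMPLE_LOG is constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed syslog excerpt: one source spraying names and then getting in
# as root, one legitimate user who mistyped once and then used a key.
SAMPLE_LOG = """\
Mar  3 10:01:12 bastion sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 10:01:14 bastion sshd[2213]: Failed password for invalid user oracle from 198.51.100.23 port 51240 ssh2
Mar  3 10:01:15 bastion sshd[2215]: Failed password for root from 198.51.100.23 port 51244 ssh2
Mar  3 10:01:17 bastion sshd[2217]: Failed password for root from 198.51.100.23 port 51250 ssh2
Mar  3 10:01:19 bastion sshd[2219]: Failed password for invalid user test from 198.51.100.23 port 51253 ssh2
Mar  3 10:02:40 bastion sshd[2230]: Failed password for alice from 192.0.2.10 port 40100 ssh2
Mar  3 10:02:45 bastion sshd[2230]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Mar  3 10:03:01 bastion sshd[2240]: Accepted password for root from 198.51.100.23 port 51260 ssh2
Mar  3 10:05:00 bastion CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def analyze(text, threshold=5):
    """Return sources with >= threshold failures (with the user names they
    tried) and any source that was accepted after reaching that threshold."""
    failures = Counter()
    users_tried = defaultdict(set)
    success_after_failure = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if failures[src] >= threshold:   # a win after spraying: escalate
                success_after_failure.append((src, user, method, failures[src]))
    brute = [(src, n, sorted(users_tried[src]))
             for src, n in failures.most_common() if n >= threshold]
    return {"brute_force": brute, "success_after_failure": success_after_failure}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n, users in report["brute_force"]:
        print(f"brute force: {src} {n} failures, users {users}")
    for src, user, method, n in report["success_after_failure"]:
        print(f"ESCALATE: {src} accepted as {user} via {method} after {n} failures")
```

The threshold is what keeps this readable: alice's single typo stays out of the report, while the source that sprayed four account names and then logged in as root is the one line that gets escalated. Tune the number against your own baseline before you trust it.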
9. Have a new hire systems security orientation
Security at other organizations ranges from tight to non-existent, and everything in between. When a new hire comes on board, presume they know nothing at all about your organizational security mandates. Best practices for many organizations include training on Sarbanes-Oxley, HIPAA and other industry tenets. But security in every business segment is different. At minimum, make it a video with a quiz. Then you've established a baseline.
10. Go outside
Although it seems counterintuitive, constant brainstorming drains you. Team time and alone time are a better mix, as sitting at a desk for hours at a time becomes fatiguing. Get outside no matter the weather. Oxygenate. Get away from email, Slack, online management monitors, the whole mess. Refreshed, your mind will be more lucid and ready for the next period of madness.