
100 Point Cybersecurity Checklist

Stephen Schroeder // Last Updated: 12 January 2021

At Seirim we know SMEs are often overworked and lacking resources. Something as obscure as cybersecurity may not be on your management's radar as a high priority, but it should be.

Taking a look at recent headlines like the massive SolarWinds and US government hack hopefully gets your attention, but at the same time it might give you a false sense that these attacks only occur at the high levels of major corporations, security-related companies and governments. That's false; they just get the biggest headlines.

Unfortunately, everyone from individuals to small companies and now even hospitals and medical research institutes is under increasing attack. Ransomware, for example, can lock up and cripple your company's operations in an instant. Don't succumb to complacency - it's too easy to take for granted the wide array of digital infrastructure your company depends on daily.

_Personal Protocols

"People are the weakest link" is the cliché wisdom in cybersecurity. It's true in that it's the easiest place to go wrong. Better security starts with creating better habits and awareness.

1. Use a VPN

It's not a comprehensive solution, but using a respectable VPN goes far to encrypt and protect data in transit from your device to the VPN's exit points. Take note that you are trusting your VPN provider with a lot of access to your metadata, but it does cut down on the number of prying eyes on your traffic across the internet, including local attackers.

2. Social Media Savvy

Malicious hackers use publicly accessible info which, in aggregate, can give them critical insight to penetrate your infrastructure. Just as it's unwise to announce you're going on vacation for two weeks right after posting pics of your fancy new stereo system, take it a step further and know that hackers can put together seemingly much more innocuous info like where you work, where you went to school, your hobbies, pets, family members' names and birthdays and so on to profile you and zero in their hacking attempts. So, try to dial back what and how much you share.

3. Be wary of Public and Unsecured WiFi Access

Use a VPN regularly, or at least whenever accessing your company's data or any sensitive data, but especially when on public or untrusted WiFi, where it's best to be suspicious. Some recommended VPNs can be found here.

4. Don't perform sensitive tasks on subpar networks

If you can't get your VPN to work on the airport or coffee shop WiFi and get https access to the site you're visiting, just hold off on accessing your most sensitive accounts and activities until later. Hackers purposefully use these environments to stage attacks, and prey on the fact that users might be working in a rush and let down their guard. The risk is real that the WiFi you're connecting to is completely fake and set up by them, that they have established a man-in-the-middle attack on the network, that they are sniffing packets on it, and more.

5. Don't download and install junk

Sketchy, low-quality or, worse, pirated software is a favored vehicle for hackers to load malware onto your devices. Stay away; it's not worth it.

6. Lock and autolock your devices while away

Make sure to set your computer to lock when you are away for more than just a few minutes. Even better is to do it manually every time you step away from it. In Windows, you can quickly lock your computer by pressing "Windows key + L"; on a Mac, press "Control + Command + Q".

7. Increase Security by Increasing your Privacy

Much like the social media savviness mentioned above, you also want to lessen your public exposure not just to a researching hacker but to the "higher level up" powers that be. You may not be in their crosshairs for attack now, but even if just by algorithmic methods, or if they themselves get hacked, or if those in control change their tune (or who is in control changes), all the metadata on you is a vulnerability. So, don't show all your cards, and not to any one company, country or group. Consider using alternatives to common gateways, like DuckDuckGo for search or ProtonMail for email, use privacy browsers like Brave or the Tor onion network, and so on.

8. Extract and backup data from online accounts

You never know when a service might go out of business, get hacked (or your account does), change its terms and conditions, or hit any other item in the long list of things that can go wrong. So, if you have valuable info, chats, emails and attachments in online accounts, make sure to get your own copy of it now for safekeeping.

9. Close inactive online accounts

Don't use an account anymore? Then it is just an extra attack vector holding information of yours or about you, or a password you might have used more than once. It's just a matter of time before any service is breached, and the more accounts you have languishing on the web the more you are exposed.

10. Don't give access to your accounts to others

Sure, share with your most trusted loved one or partner, but in that case make sure they follow security protocols as strictly as you do. It does no good if your password is super safe with you, but your partner has it in clear text in a Word file on their machine or phone. Beyond that, limit sharing your account access info with anyone else as much as possible (ideally to zero), not because you don't trust them per se, but because it just widens your exposure.

11. Delete info unnecessary to share online

Did you overshare in the past? Did you need to give so much access to these services? Sign in and check how much info they have on you; the less info the better.

12. Use fake info in some low-tier online accounts

Here is a frustrating story of someone who went to great lengths to remove their physical home address from every online source they could for greater privacy, only for their address to still be the top result for their name in Bing. No matter what they've done, that one result persists, and despite their strong requests Bing won't remove it. Why not fight fire with fire? For accounts where it doesn't matter, where they are asking for more info than they should, why not feed them some obscure data to throw off the trail? Take care, though, with accounts where it matters: if you forget the randomly wrong birthday you entered, you could have trouble accessing an account, for example.

_Anti-Phishing

The #1 attack vector is through people and their weaknesses. Busy, tired, and spending so much time online, we're clicking and opening things moment after moment. Bad actors take advantage and target individuals with phishing emails, attempting to extract info or actions, or to get them to click on a virus, malware or spyware trojan horse. Stay wise with a series of precautions and preventions.

13. When in doubt contact sender via other channel

Does something look off? Contact the sender via phone and ask them by voice if the email and its attachments are as intended.

14. Hover over links in emails and chats before clicking them

Don't blindly click on anything, not even links in this article. Hover over them, right-click on them, inspect carefully where they are going. When in doubt, if you must open them, do so in an incognito browser.

15. Investigate meta details in received emails

Do not rely on senders' names or the shown email address. If your email client doesn't show it readily, drill further down: click on it and view the email's properties to see who it actually came from, as sender names and email addresses can be spoofed.
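As an added example for items 14 and 15 (not part of the original article), the following Python script, using only the standard library, inspects a constructed sample message the way a careful reader would: it compares the From domain with Return-Path and Reply-To, lists the Received hops, and flags HTML links whose visible URL points at a different host than the real href. All addresses, hosts and IPs in the sample are reserved example values.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of a phishing email (reserved example names, not a real message).
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
\tby mx.example.com with ESMTP; Tue, 12 Jan 2021 09:00:00 +0000
Received: from unknown (HELO workstation) (198.51.100.7)
\tby mail-relay.example.net; Tue, 12 Jan 2021 08:59:58 +0000
From: "Acme Bank Support" <support@acmebank.example>
Reply-To: helpdesk@acmebank-login.example.net
To: you@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://acmebank-login.example.net/verify">https://acmebank.example/secure</a> now.</p>
<p>Or visit <a href="https://acmebank.example/help">our help page</a>.</p>
</body></html>
"""


def header_domain(value):
    """Lower-cased domain of the first address in a header value, or '' if absent."""
    if not value:
        return ""
    _, addr = parseaddr(str(value))
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def mismatched_links(html_text):
    """Links whose visible text is itself a URL but whose real target is on a different host."""
    collector = _LinkCollector()
    collector.feed(html_text)
    out = []
    for href, text in collector.links:
        shown = text.strip()
        if not re.match(r"https?://", shown):
            continue  # plain-word link text: nothing to compare against
        shown_host = (urlparse(shown).hostname or "").lower()
        real_host = (urlparse(href).hostname or "").lower()
        if shown_host != real_host:
            out.append((shown, real_host))
    return out


def received_hops(raw):
    """The Received chain, newest hop first, with folded whitespace normalised."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def inspect_email(raw):
    """Return a list of human-readable findings that warrant contacting the sender another way."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = header_domain(msg["From"])
    for name in ("Return-Path", "Reply-To"):
        domain = header_domain(msg[name])
        if domain and domain != from_domain:
            findings.append(f"{name} domain '{domain}' differs from From domain '{from_domain}'")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for shown, real_host in mismatched_links(body.get_content()):
            findings.append(f"link shows '{shown}' but goes to host '{real_host}'")
    return findings


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_EMAIL):
        print("hop:", hop)
    for finding in inspect_email(SAMPLE_EMAIL):
        print("warning:", finding)
```

To use it on a real message, save the email as raw source (.eml) from your mail client and pass its contents to inspect_email.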

16. Do not use media (USB sticks, SD cards, External drives) of unknown origin

Refrain from using any unknown or untrusted media. If you must use media from someone, ensure they have scanned it for viruses and malware on their side first.

17. Don't download or click on attachments if anything suspicious at all

This is a main point: the vehicle for many attacks is the attachment in the phishing email. Be very skeptical of attachments, and if there is any doubt at all do not download or click on them (they'll execute) without verifying their integrity with the sender first. When downloaded, scan attachments with anti-malware software first.

_Email (and similarly sensitive) Account Security

Email is at the center of our digital lives. It's stable relative to chat and social media applications, but it's also an older internet technology, and might be a weakness and vulnerability in your digital sphere.

18. Have Secondary Contact Info in Important Accounts

In important accounts like your email, make sure you have secondary and backup contact information (phone and email addresses), so you can be alerted through multiple channels of any suspicious activity in your account, and have more ways to regain your account in case it is hacked. Of course, be mindful of the privacy implications of what you are entering here, and the risk of this info also being used against you in the wrong hands. On the whole, though, the benefit of multiple channels to prove ownership of your most important accounts is compelling.

19. Don't Remain Signed In on Devices and Browsers

It's mighty convenient to be able to just open up your phone or laptop browser and immediately check your email, accounts, social media apps - all the things we use daily - at just the bump of a thumb or the opening of a bookmark. But with just a little bit of access, so can an attacker. So do not leave all the apps so open and ready, but require signing in, and hopefully also 2FA, for sensitive accounts every time you use them. You might even have an old phone sitting in a drawer that can still connect to your email, for example, and that's an unnecessarily exposed risk.

20. Don't Enable Signing in to Services via Third Parties like Facebook

Seems convenient to enable signing in to that service using Facebook, Gmail or a similar connection, right? Too convenient: if an attacker has access to one, then they can access every service you have connected that way. Use unique sign-in credentials for every service.

21. Check what services have connection access to your email

Over time, many services we try and use get approval to check our contact lists and email account, even to send messages on our behalf and more. Check for such connections in your email settings and remove everything not absolutely necessary. Generally, refrain from giving apps such access at all.

22. Check Account Recent History

Just like you look at your credit card statement or credit report, check your accounts' recent history periodically to monitor for any access that wasn't by you or expected.

23. Enable 2FA to be able to use your email

Really, your main email account(s) need to be under serious lock and key and 2FA is a huge help. Use it whenever possible.

24. Use an Email Address from your Own Domain URL

yourname2000@gmail.com works, but what if Google's algorithm (because let's face it, they don't have any accessible customer service) changes its mood on you and locks your account? You've lost control of a very important service in your life. Now, you can still use Gmail, for example, but invest in your own domain so that if you get blocked you can move the email address you control, like me@MyOwnURL.com, and maintain it by pointing your domain to a new email provider if necessary.

25. Use multiple email Addresses

Don't rely on only one email address; have backup email(s) which can act as backup contact information for your main email address. Also consider a lowest-tier email address in your system as the catch-all for the "least desirable" services you have to use an email for.

26. Use Security Questions Very Carefully

Many email and similar systems ask for answers to personal questions for account and password recovery. Do use this feature, but make sure your answers are not "easily researchable or discoverable" by an attacker (for example, your high school's name or your mother's maiden name can be found out for many people pretty readily). Indeed, these answers are like passwords and you can treat them as such: make sure you record your answers in a password manager as carefully as you do your passwords.

27. Run Security and Privacy Checkups

Services like Gmail have their own Security Checkup features in Settings to check for issues and vulnerabilities. Use it, but also rely on your own judgment in addition.

_Passwords

Passwords remain at the center of digital security. Despite being augmented with Two Factor Authentication (2FA) in the form of apps, devices or methods like fingerprint recognition, passwords, despite too often being a major weakness, are hard to do without in digital security and access. Passwords are a critical element to get right with good habits, systems, and best practices.

28. Check for breached accounts

Firstly, take account of your history of exposure. You may well already have accounts that have been breached or could easily be. Check your email addresses at the trusted Have I Been Pwned website to know your exposure and start any necessary damage control.

29. Use Unique, Complex Passwords

Make sure every password is unique for every service. When any account gets hacked, hackers check the same passwords at other services to get access to every account they can. Minimize the potential damage with a unique password for every account. Make your passwords complex, with many characters, no dictionary words or proper nouns, and a mix of uppercase and lowercase letters, symbols and numbers. At least 8 characters long; aim for 15 for greater security.

30. Use a Password Manager

Make sure the password manager is resilient and that you have multiple contact methods, and that your password to the password manager is also secure and saved physically, safely.

31. Use a Backup Password Manager

What if your main password manager were to go down, you lose access, its file gets corrupted, or some major error were to occur? Take note that the password manager itself is a point of attack and potential weakness: if it's breached "all may be lost", and by having more than one you're doubling that risk. Weigh that carefully against the single point of failure risk. So, a backup password manager, carefully guarded, maybe used for just the most important accounts (so it's less burdening of your time and actually gets used). Don't plainly store the password for one manager in the other, or either one getting breached results in the other also getting breached.

32. Use 2 Factor Authentication (2FA) when Possible

Whether the Google Authenticator app, a USB security key device, fingerprint detection or otherwise, 2FA is always a good idea. Make sure to back up the initialization keys given to you when creating such additions in your password manager.

33. Change Passwords over Time

Sure, you've done your job well of making sure your passwords are unique, complex and well stored - but what if the service where you use one is hacked, or there is any other hole in your system? So as a matter of course, change your passwords after some period of time. Opinions vary on how often; maybe every 6 months is ok. Of course if there is evidence of any breach, change potentially affected passwords immediately.

34. Use Given Passwords only Temporarily

It shouldn't be common for services to do so now, as it isn't good practice, but if any service sends you a password by email or message, only use that password temporarily and change it to your own created and stored password as soon as possible. That password residing in a chat or email application isn't secure and is discoverable and usable by attackers.

_Browser Clean-up

Like passwords and email, browsers are at the center of our digital worlds as the portal to so many services and web applications that we use. This dynamic environment is therefore a main target for malicious actors and a critical place to employ best practices.

35. Don't store passwords in the browser

Browsers are a main focus of malicious hackers, and your passwords residing in them is an unnecessary risk, for important accounts at least.

36. Add browser extensions and add-ons very sparingly

Plugins are a definite attack vector. Only add very trusted and well regarded plugins to your browsers that you absolutely need.

37. Remove unused or unneeded browser extensions

And if you aren't using them, get rid of them, as they are increasing your exposure.

38. Reconsider your browser choice

It's worth a thought; remember the "all eggs in one basket" dilemma. Firefox, Brave and other projects are worth considering for better privacy and security. At the least, you can alternate between them to obfuscate your online fingerprint somewhat.

39. Update your browser regularly

Always allow updates, and check to make sure automatic updating is set to on.

40. Disable risky unneeded features such as Flash and ActiveX

In Internet Explorer and Microsoft Edge, because these connect to your PC and Java's functions - too powerful and not worth it.

41. Disable JavaScript but Whitelist it for trusted sites

JavaScript is heavily used across so many websites to power their features, but it's also unfortunately a likely attack vector. If your risk profile is high, consider disabling it overall, and just whitelisting trusted sites.

42. Use Incognito Browsing

Not just for "mature" browsing needs, using incognito browser sessions helps cut back on privacy intrusive tracking and cookies, but it's no cure all.

43. Set 'Download' Setting to "Always ask me where to save files"

This creates a buffer for you to see anything being downloaded and saved to your computer from the browser, and the chance to stop it from happening if it wasn't intended.

44. Enable "Do not track" in browser settings

There's no benefit to being tracked, so...

45. Enable "Block third-party cookies" in browser settings

Websites have their own cookies to manage your session with them, that's understandable, though they can of course go overboard. But did you know many websites load other websites' cookies and tracking to generate extra info on you? There is very rarely a benefit in this for you, so block them.

46. Set Privacy and Security Options to 'High'

These settings can change over time, but for example in Chrome settings now the options are "Standard" or "Enhanced", with Enhanced being the stronger and better choice. The idea here is to look through the settings periodically (in case somehow settings get changed or shift) and re-align them with strong security preferences.

47. Block websites from using your location, microphone, camera and more

Require that you give permission before they do so (and then grant it only reluctantly).

48. Use "Encrypt Sync with a Passphrase" in Google Chrome

This is an "extra password" of sorts within your Google account to encrypt data syncing to other browser or app instances. If a hacker gets your main Google login access, they still can't replicate your account on another machine, and then use that to pull up all your 'saved in the browser and Google' passwords, search history, bookmarks etc., without this passphrase to decrypt it.

49. Clean Browser after using Public Networks

If you had to sign in to your email, financial or sensitive accounts on a public WiFi connection, when done make sure to log out of the accounts immediately, and clear your browser's cache and history to clear out all cookies, tokens and info that can be used to probe your accounts.

_Backups

Whether it's entropy degrading your data in situ, a power surge, user errors, a malicious employee or a ransomware attack, the best defense for your data is to have it regularly backed up, redundantly and very securely. And not just once - multiple copies using multiple strategies in multiple locations increases your ability to bounce back from any issue.

50. Automate your Backups

Backups need to occur as frequently as possible, so that if an issue ever occurs you lose only the work and data since the last backup. Make your backups automatic so they aren't forgotten and require less work, which helps get them done.

51. Make Primary Backup system

Back up to multiple backup types and locations - the "3-2-1" concept is often repeated, meaning you keep at least 3 copies of your data, on at least 2 different storage media (devices), with at least 1 offsite location in case anything occurs at your main location. For important data, we'd recommend even more, if feasible, including 2 offsite locations: one being paid cloud storage, and the other internally controlled (a server you own and manage) if possible. If not, 2 offsite redundant backup cloud storage providers is a good idea in case one fails. You can see an article here on the topic which we agree with.

Locally, we recommend having a Network Attached Storage (NAS) solution. There are fancy commercial options but you can now make cheaper versions for home office use with a newer more powerful Raspberry Pi and SSD hard drives, for example, using open source software and backup programs like TrueNAS, OpenMediaVault, Rsync, Rclone, and BorgBackup.

52. Make Secondary Backup system

In addition to local storage, whether it be NAS or simpler external hard drives, you also want to be making backups "offsite", and these days that very often means the cloud. There is a range of "backup to the cloud" solutions, from mirroring everything on your computer to the cloud, to allowing you to choose only the folders and files you want to back up, like our favorite solution SpiderOak, and then very simple storage like Backblaze B2 Cloud Storage or Rsync.net, which offer very simple storage areas that you'll need to know how to manage.

SpiderOak is our preferred backup solution for individual computers, as their ability to selectively choose folders, the fact that they allow the preservation of files in the cloud even if you remove them from your local computer, the ability to back up external hard drives, and their encryption-on-your-device before it exports from your computer to the cloud are all top-notch features that work well. We are also fans of their business solutions.

53. Make Tertiary Backup system (and ideally even a 4th)

So, it might feel like overkill, but what if your local area has a fire, and your offsite cloud solution ended up not working? So, to be extra sure, add another backup solution that is different from the others and complements their weaknesses well. Consider another different location, backed up in a different way: an additional cloud provider that works differently than your first, and so on. Here are some good resources for researching more providers and solutions: Cloud backup services reviewed and Best free backup software reviewed.

54. Make backups encrypted

These multiple backups are each a risk exposure, you cannot trust the places where they are stored, so use very strong encryption on your side encrypting the data before it leaves you. Guard encryption keys very carefully.

55. Scan backups for Malware

Be careful not to export any viruses or malware with your backups.

56. Manually check backups to make sure they work

Go through a fire drill scenario. If you did actually lose your primary data, are these backups going to work? Access the backup files, restore to a machine, decrypt them, and make sure they are whole, and that no important documents have been errantly left out.
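One way to make the fire drill above checkable rather than eyeballed, as an added example that is not part of the original article: record a manifest of file sizes and SHA-256 hashes when the backup is taken, then compare a restored copy against that manifest to find files that are missing, altered or unexpected. The directory layout and file contents in drill_demo are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile


def file_sha256(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backups don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record every regular file under root as relative path -> {'size', 'sha256'}."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": file_sha256(full)}
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    altered = sorted(p for p in manifest
                     if p in restored and restored[p]["sha256"] != manifest[p]["sha256"])
    extra = sorted(p for p in restored if p not in manifest)
    return {"missing": missing, "altered": altered, "extra": extra,
            "ok": not (missing or altered)}


def drill_demo():
    """Constructed drill: back up a small tree, then 'restore' it with one file lost and one corrupted."""
    work = tempfile.mkdtemp(prefix="backup-drill-")
    try:
        original = os.path.join(work, "original")
        os.makedirs(os.path.join(original, "docs"))
        with open(os.path.join(original, "notes.txt"), "w") as f:
            f.write("quarterly planning notes\n")
        with open(os.path.join(original, "docs", "contract.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample\n")

        # Taken at backup time; keep it with the backup and a copy elsewhere.
        manifest_path = os.path.join(work, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(original), f, indent=2)

        restored = os.path.join(work, "restored")
        shutil.copytree(original, restored)
        os.remove(os.path.join(restored, "docs", "contract.pdf"))  # file that never made it into the backup
        with open(os.path.join(restored, "notes.txt"), "a") as f:
            f.write("bit rot\n")                                   # corruption in storage or transit

        with open(manifest_path) as f:
            return verify_restore(json.load(f), restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    report = drill_demo()
    print("restore ok" if report["ok"] else "restore FAILED")
    for kind in ("missing", "altered", "extra"):
        for path in report[kind]:
            print(f"  {kind}: {path}")
```

For a real drill, run build_manifest against the source tree when the backup is made and verify_restore against the directory you restored to a spare machine.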

57. Diagram and Document your Backup System

Make sure your system is detailed, explained, and securely and confidentially shared with others, so that if anything happens to the person who knows how it was put together, their successors can take over and use the system.

58. Use "versioning" software in your workflow

Programmers know the value of being able to "wind back the clock" after making some changes and maybe mistakes, and version control systems like Git (commonly used at the Github service) are a very useful tool for tracking and preserving work.

_Endpoints

Or "devices" rather - each and every one of them needs to be attended to, secured and monitored for any issues. Computers, phones, tablets, printers, TVs, smartwatches even? Who knows; everything is connecting to the net, has password details stored in it, and could be an attack vector.

59. Use Anti-Virus/Malware/Spyware

Kind of goes without saying, but here it is. Currently, the already-installed and hopefully running Windows Defender is good to use, but there are many more to consider. We would recommend Malwarebytes or Bitdefender as a start. Schedule automatic scans, and check the configuration settings to make sure they are fit for your needs.

60. Enable Automatic Updates

Malicious hackers are always looking for weaknesses in software. Software vendors do their best to patch these vulnerabilities when they come to light and include the fixes in their updates. If you aren't allowing for updates you are missing out on the patches and leaving your software and therefore all your computer vulnerable.

61. Manually Check that Software is Updated

Don't just rely on automatic updates: open the settings and check against the applications' websites that you are using the latest, updated, patched versions of all your software. Especially your browsers, chat, and TeamViewer-like applications, but also any app that has internet connectivity and/or powerful execution capabilities on your device.

62. Encrypt Your Data on your computer

Ensure you are encrypting your local drives, with the included BitLocker on Windows or FileVault on macOS. Make sure to save the passwords for these encryptions securely in your password manager.

63. Disable Macros

"Macros" are scripts (like mini programs) that can be run from inside Microsoft Office software, and they are an unfortunately strong and powerful vector for hackers. There is little benefit to having them enabled unless you really use them, and even then change the settings to be very stringent. Hackers will load macros into documents that, when executed automatically, can function like malware. Disable Macros in Microsoft applications under File > Settings > Advanced Settings > Trust Center > Macros or similar.

64. User Access Control

You don't need to use your computer as the root, admin user on a daily and regular basis. If a computer is used as root and then breached, the attacker has root access. Add a regular user with fewer privileges and limited abilities. In case of a hack the attacker has less power inside the machine. The same goes for every type of device, account and environment. Do not use admin access regularly; create lesser-privileged accounts that only have as much access, abilities and rights as they need to do their current work.

65. Remove unused and sketchy applications

Every application is a potential attack vector, so if you aren't using it, or are unsure of its quality or the trustworthiness of its source, it needs to be removed. Further, any software that was once good but is no longer supported (i.e. the company changed, went out of business or the product was deprecated) should also be considered for removal and replacement.

66. Use cable locks to prevent physical theft

Especially in public, but also in office environments, and might as well at home too if it's not too inconvenient.

67. Use "Find my Device" apps 

They enable you to find, lock down and wipe lost devices. Common for mobiles but less so for desktops; some anti-virus and EDR (see below) products include this important feature.

68. Use Secure DNS Settings

Use good DNS settings, here is an overview.

69. Consider Endpoint Monitoring

You need to know all the applications that are currently and regularly running on your devices. Check in settings to look for active applications that you are not expecting so you can stop and remove them. An EDR (see next entry) or your anti-virus may provide some of this, but an extra solution to monitor running applications and manual reviews are advisable.

70. Consider Endpoint Detection and Response (EDR)

Like anti-virus on steroids, an Endpoint Detection and Response (EDR) solution will proactively try to shut down any malicious activity on your devices. EDR pulls learned data for detection from your network environment and machine learning to (hopefully) detect dynamically advancing threats in real time, by monitoring not just for virus signatures but also for irregular activity and behavior such as exfiltration of sensitive data. Here is a good survey of leading EDR solutions.

71. Change Windows to always show full file names

Malicious files can hide by being called reallyavirus.jpg.exe, which you can click on and execute. Reduce that possibility by changing your settings to always show every file's final extension (the "exe"), which is not shown by default, so you can better know what you're working with, especially for downloaded files.
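As an added example that is not part of the original article, this Python check flags the reallyavirus.jpg.exe pattern described above: a name whose second-to-last extension looks like a document or image while the real, final extension is one Windows will execute. The extension sets are a reasonable starting list, not an exhaustive one, and scan_directory is meant for a folder such as Downloads.

```python
import os

# Extensions Windows executes directly or hands to a script engine (common set, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "ps1", "lnk"}
# Extensions a user reasonably expects to be inert documents or media.
HARMLESS_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "txt", "rtf", "csv",
                 "doc", "docx", "xls", "xlsx", "ppt", "pptx", "mp3", "mp4", "zip"}


def deceptive_double_extension(filename):
    """Explain why a name is deceptive (harmless-looking extension in front of an executable one), or None."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 3:                      # need at least name.shown.real
        return None
    real_ext, shown_ext = parts[-1], parts[-2]
    if real_ext in EXECUTABLE_EXTS and shown_ext in HARMLESS_EXTS:
        return (f"'{base}' looks like a .{shown_ext} file but its real extension is "
                f".{real_ext}, which Windows will execute")
    return None


def scan_directory(path):
    """Check every file directly under path; return {filename: explanation} for deceptive names."""
    flagged = {}
    for entry in os.scandir(path):
        if entry.is_file():
            reason = deceptive_double_extension(entry.name)
            if reason:
                flagged[entry.name] = reason
    return flagged


if __name__ == "__main__":
    # Constructed sample names; only the first and last should be flagged.
    for name in ("reallyavirus.jpg.exe", "holiday.jpg", "archive.tar.gz", "Invoice.PDF.scr"):
        print(name, "->", deceptive_double_extension(name) or "ok")
```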

72. Check the "Hash" of programs when installing them

When installing software, perform a hash check to make sure the software you downloaded is the exact version unaltered from the provider. Here is a good how-to and another.
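As an added example that is not part of the original article, the following Python script performs the hash check described above: it reads the vendor's published checksum (or a sha256sum-style "SUMS" file), infers the algorithm from the digest length, hashes the downloaded file in chunks and compares the two in constant time. The "download" and the checksum line in the demo are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name.
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large installers don't have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def algorithm_for(published_digest):
    """Infer the hash algorithm from the length of the vendor's published hex digest."""
    length = len(published_digest.strip())
    if length not in DIGEST_ALGORITHMS:
        raise ValueError(f"unrecognised digest length {length}")
    return DIGEST_ALGORITHMS[length]


def parse_sums_file(text):
    """Parse sha256sum/sha512sum-style output ('<hex>  <filename>') into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()   # a leading '*' marks binary mode
    return sums


def verify_download(path, published_digest):
    """Return (matches, algorithm, actual_digest); the comparison is constant-time."""
    published = published_digest.strip().lower()
    algorithm = algorithm_for(published)
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, published), algorithm, actual


def make_sample_download():
    """Constructed stand-in for a downloaded installer; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(b"hello world")
    return path


if __name__ == "__main__":
    sample = make_sample_download()
    # Constructed checksum line as a vendor might publish it for the sample above.
    sums = parse_sums_file(
        "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  *installer.exe\n")
    ok, algorithm, actual = verify_download(sample, sums["installer.exe"])
    print(f"{algorithm}: {'OK' if ok else 'MISMATCH'} ({actual})")
    os.remove(sample)
```

Get the published digest from the vendor's own site over https, not from the same place you got the download link in an email.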

73. Create and manage Bring your own device (BYOD) Policies

Be proactive in your organization by requiring team members to follow a set protocol for anti-virus use, encryption, automatic software updates and all listed here to make sure security is adhered to across the board.

_Network

More arcane and "in the background" from most people's perspectives, but no less important to security. Indeed paying great attention to keeping your networks secure is paramount.

74. Conduct an Assessment of your Network

You can use applications like Nessus, NMAP (free), WireShark (free), SolarWinds and similar to help discover many details about your network, for example all the attached devices, open ports, configurations and so on. Here is a good guide on how to get started and what to consider.

75. Consider Data Loss Prevention

Measures, via monitoring, to ensure your employees do not export or take away sensitive data like payment info, customers' private info and more.

76. Add Vendors to your Network Very Cautiously    

Giving vendors and extra applications access to your network may introduce some benefits via the work they perform, but it also increases risk and exposure with added attack vectors. Only add vendors to segmented and controlled areas of your network, with access only to the data they absolutely need.

77. Use a Strong Firewall

Make sure Windows Firewall is turned on if that is your OS, or an even more advanced firewall if your company has it. Firewalls aren't as depended on as they used to be, but it's still a good idea. Even if you know about firewalls, still check again to make sure it's on; it's easy to have turned it off at some point to allow some action, and then forgotten to turn it back on.

78. Proactive Scanning with an IDS or IPS

Use an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS) to actively scan for malware, irregularities and more in the information packets being sent over your network. Do not just install and think all problems are solved, these systems need consistent configuring, monitoring and reviewing of their logs to make sure they are performing as hoped. In the case of IPS, it attempts to actively stop detected threats.

79. Perform Vulnerability Scans

Use third-party manual vulnerability testing in addition to running simpler vulnerability scanning software. You can also consider the more intensive, more manually and thoroughly performed Penetration Testing.

80. Close unused open ports    

Your routers, switches and servers at your company are 'listening and open' on many ports ready for communication from the internet. These open ports are gateways to your network, close as many of them as you don't specifically need open.
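As an added example covering items 74 and 80 (not part of the original article), this Python script parses an Nmap XML report (the format produced by nmap -oX) and compares each host's open ports against an allowlist of ports you have documented as needed, so anything else is a candidate for closing. The XML report, host addresses and allowlist are constructed for the demonstration using reserved example addresses.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap-style XML report for a small lab network (reserved addresses, not real hosts).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.0.2.0/24">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.30" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed allowlist: the ports each host is documented as needing to expose.
ALLOWLIST = {
    "192.0.2.10": {(22, "tcp"), (445, "tcp")},
    "192.0.2.20": {(443, "tcp")},
}


def parse_open_ports(xml_text):
    """Return {ip: [(port, protocol, service), ...]} for every open port on every host that is up."""
    scan = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            open_ports.append((int(port.get("portid")), port.get("protocol"),
                               service.get("name") if service is not None else "unknown"))
        scan[address.get("addr")] = sorted(open_ports)
    return scan


def unexpected_ports(scan, allowlist):
    """Open ports not covered by the allowlist {ip: {(port, protocol), ...}}; these are candidates to close."""
    findings = []
    for ip, ports in scan.items():
        allowed = allowlist.get(ip, set())
        for port, protocol, service in ports:
            if (port, protocol) not in allowed:
                findings.append((ip, port, protocol, service))
    return findings


if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_NMAP_XML)
    for ip, port, protocol, service in unexpected_ports(scan, ALLOWLIST):
        print(f"{ip}:{port}/{protocol} ({service}) is open but not on the allowlist")
```

Re-run this after each change to your firewall or router configuration so the allowlist stays the single description of what is supposed to be reachable.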

81. Segment Sub-Networks within your network

At your office, your marketing department doesn't need access to all of the same data assets as the finance dept., so why are they on the same network with no barriers between them? The more mindful segregation and partitioning of subnetworks within your organization the more secure your sectors are.

82. Require VPN for external access

Require that external access to your network comes via a mandated and controlled VPN configuration. E

83. Turn off Public Network Sharing

In Windows, turn off Public file sharing, Public network discovery, and Public folder sharing - all unnecessary risks to have exposed when you happen to be on public networks. This is found in Network and Sharing Center > Advanced Sharing Options > Public.

84. Change and obscure default router names and passwords

Routers and similar devices come with default names that can give attackers more information about how to attack your network, and not changing the default password is of course the biggest vulnerability. Use a nondescript name so any attacker looking for your specific network has a harder time, and make the password very strong (a minimum of 15 complex characters, for example). Your router(s) are static sitting ducks, so attackers can take a very long time over their attempts; extra security is required.

85. Enable Network Encryption

Choose WPA2 if it is available, which it should be on newer devices.

86. Disable Network During Vacation Times

If you know no one will need the network for some period of time, it is a good idea to power it down so no one can "sit on it" trying to crack it while you are away.

87. Consider Router Location

Try to centralize your router, so its signal is centralized where you need it, but not spilling out strongly to the street or some public areas where an attacker can sit and "wardrive" attempts to crack it.

88. Disable Remote Router Administration

Router administration interfaces are available on the local network, but sometimes also remotely over the web, so for extra security disable this Remote Administration capability, which you almost surely will not need.

89. Update Router and Equipment Software and Firmware Regularly

Your router is most probably not updating its software automatically, so it is a good idea to periodically log into it and manually update its software, which may include vulnerability patches. Not just software needs updates: devices' firmware also needs to be checked to make sure the latest secure versions are installed.

90. Check all Devices that Connect to the Network

It isn't just your own laptop or your phone: everything that connects is a potential vulnerability that can spill the network's password and give up the keys to the castle.

91. Check the Logs

Critical in network security is to not just rely on software solutions blindly, but to follow them up and manually check all activity with a conscientious human eye for irregularities and issues. This applies not just for network activity, but also for activity and history in personal accounts, company accounts, device usages and more.

92. Block Access to Malicious Sites via Web Filtering

We won't go into blocking websites for productivity boost hopes, but blocking access to known malicious websites is always a good idea. This can be done via hardware, software at firewall level or with cloud solutions.

93. Consider a Unified Threat Management (UTM) device or system

A UTM combines firewalls, "next-generation firewalls", Intrusion Prevention Systems (IPS), secure web gateways, secure email gateways, network connectivity, web filtering, anti-virus and anti-malware, VPN (IPsec and SSL), application and user controls and more.

_Website Security

Chances are your company or organizations you are a part of have a website that is important to their operations. Keep these ideas in mind to help keep it secure.

94. Use SSL

Probably obvious in 2021, but just in case: yes, do it. You can get a certificate from LetsEncrypt for free, but we still buy ours at SSLS.com.

95. Use Access Control Awareness for Users on your CMS, Domain Registrar and Server

You may have shared access to your website over the past months and years with different web developers, SEO people, blog article writers, employees and more. How safely are they guarding the access details you gave them? It's critical to keep this ship tight. Only give as much access as anyone must have to do the work they are doing, and no more, to help minimize risk. Use access-restricted user accounts, and if anyone leaves your company or no longer needs access, remove their access or change the passwords immediately.

96. Change passwords regularly

This is a helpful measure in addition to the access control mentioned above. If you periodically change the passwords on sensitive accounts, you'll automatically purge access over time for anyone who no longer needs it and whom you may have failed to consider.

97. Set domain registrar website transfer setting to locked

Almost all registrars have this setting; absolutely set it to locked so no one can transfer your domain and website ownership away from you.

98. Use WhoIs protection to help guard ownership info

Knowing the identity of the website owner can give hackers incredibly useful information and research points to help further their attacks. In a worst-case scenario it can give them a pressure point for extra leverage.

99. Run Vulnerability Scans and Make Repairs

Run at least the simple, freely available security scans of your website like Observatory from Mozilla or SiteCheck from Sucuri to discover vulnerabilities that need to be fixed, and actually make the repairs. There are more intensive vulnerability tests that can be run by professionals to help discover even deeper issues and weaknesses. These tests will return many esoteric fixes that you can make, like setting the X-Frame-Options security header, X-Content-Type-Options: nosniff, Strict-Transport-Security and more.
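To show what such a scanner is checking for, here is an added example (not from the original post or from either scanner) that audits a captured set of response headers for the three headers named above; the sample headers are constructed, and the six-month HSTS max-age threshold is an assumption for this illustration.

```python
# Constructed sample: headers from a hypothetical site's HTTPS response,
# with lower-cased keys as most HTTP client libraries present them.
SAMPLE_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "x-content-type-options": "NOSNIFF",
    "strict-transport-security": "max-age=3600",
    "server": "nginx",
}

# Roughly six months in seconds; the minimum accepted here is an assumed policy.
MIN_HSTS_MAX_AGE = 15768000


def hsts_max_age(value):
    """Extract max-age seconds from an HSTS header value, 0 if missing or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().lower().partition("=")
        if name == "max-age":
            try:
                return int(number)
            except ValueError:
                return 0
    return 0


def audit_security_headers(headers):
    """Return a list of findings for the security headers named in the text."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # X-Frame-Options: controls whether other sites may frame the page (clickjacking).
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed by other sites")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    # X-Content-Type-Options: stops browsers guessing a different content type.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    # Strict-Transport-Security: tells browsers to use HTTPS only, for max-age seconds.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: browsers may still use plain HTTP")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age too short: {hsts!r}")

    return findings
```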

100. DDOS Protection

Whether it's just a spike in traffic from something at your company going viral or a dedicated Distributed Denial of Service (DDoS) attack, a flood of requests can take your website down in minutes. Use services like CloudFlare or a Web Application Firewall (WAF) to help mitigate it.

101. Update all of your website's software, plugins and themes

And set updates to automatic when available. This is perhaps the most important advice here, as outdated, unpatched software is the most vulnerable to attack. Note this also applies to the software on your server, and your CMS, everything.

102. Use an "Uptime" monitor to alert if your website goes down

You will be messaged if your website ever goes down. Our current favorite to use is Uptime Robot.

103. Use secure and professional website hosting

Not only does the company need to be reputable, but so does the company it keeps. If malicious content and websites are also being hosted where you are, your website will suffer by association and proximity to them. Further, check how seriously the host takes security, and whether they are lax, for example by allowing unsecured FTP transfers, which bad actors can use to inject malware onto servers.

104. Do not use shared hosting as much as possible

As much as you can afford to, do not reside on overshared or badly managed hosting where malicious actors may be able to enter your hosting environment. This and related effects are referred to as cross-site contamination.

105. Use a Dedicated IP Address

A dedicated IP address will help your website stay distinguishable from any other bad actor websites you may otherwise have to share an IP address with.

106. Check CMS settings and tighten all of its security

Attackers rely on websites leaving settings on weak options. Lock down comments on your website if you don't need them. Turn off everything you don't need, like trackbacks, and so on.

107. Check File Permissions Settings on the Server

Files can be read, written to, or executed, and you want to lock that down so that if an attacker gains any access to the website they cannot automatically modify files.
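As an added example (not from the original post), the script below walks a web root and reports files that are world-writable or content files that carry an execute bit; `demo()` builds a constructed directory tree in a temporary location so the audit can be run without touching a real server.

```python
import os
import stat
import tempfile

# Permission bits a typical web root should not carry: anything writable by
# "other", plus execute bits on plain content files.
WORLD_WRITABLE = stat.S_IWOTH
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
CONTENT_SUFFIXES = (".html", ".css", ".js", ".jpg", ".png", ".txt")


def audit_permissions(root):
    """Walk `root` and return sorted (relative_path, octal_mode, reason) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits are not meaningful on most systems
            rel = os.path.relpath(path, root)
            octal = oct(stat.S_IMODE(mode))
            if mode & WORLD_WRITABLE:
                findings.append((rel, octal, "world-writable"))
            if stat.S_ISREG(mode) and name.endswith(CONTENT_SUFFIXES) and mode & ANY_EXEC:
                findings.append((rel, octal, "executable content file"))
    return sorted(findings)


def demo():
    """Build a constructed web root in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        files = {  # relative path: mode (constructed, deliberately mixed)
            "index.html": 0o644,
            "uploads/avatar.png": 0o666,  # world-writable
            "app.js": 0o755,              # executable content file
            "config.php": 0o600,
        }
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed\n")
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "uploads"), 0o777)  # world-writable directory
        return audit_permissions(root)
```

Running `demo()` returns three findings: the executable `app.js`, the world-writable `uploads` directory and the world-writable `uploads/avatar.png`.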

108. Create backups of your website

Just like for your internal company data, you need the whole backup regime, including the 3-2-1 principle at a minimum, with encryption, documentation, testing of the backups, and securing the passwords and encryption keys.

109. Use a Website Application Firewall (WAF)

This can do everything from limiting access to CMS admin pages to whitelisted IP addresses, to blocking automated bot attacks and probes, to scanning and blocking malware.

110. Set a Content Security Policy (different from and much more powerful than a Privacy Policy)

A Content Security Policy (CSP) is a powerful tool to help lock down and dictate exactly which scripts (programs) may run and from where (only your own website or subdomains, for example, or very trusted third parties), with the goal of preventing malicious Cross-Site Scripting (XSS) attacks. In XSS, attackers inject malicious code into your website unbeknownst to you that can wreak havoc for you and your site visitors in many nefarious ways.
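The added example below (not from the original post) parses a Content-Security-Policy header into its directives and flags the settings that leave XSS protection weak, such as `'unsafe-inline'` in `script-src` or a wildcard `default-src`; both policies are constructed for this illustration, and the check does not model nonces or hashes.

```python
# Constructed CSP headers for a hypothetical site; not taken from any real deployment.
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' https://cdn.example.com"
STRONG_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
              "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def review_csp(header):
    """Return findings that undermine the XSS protection a CSP is meant to give."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback: unlisted fetch directives are unrestricted")
    elif "*" in policy["default-src"]:
        findings.append("default-src is '*': the fallback allows any origin")

    # script-src decides which scripts may run; browsers fall back to default-src.
    scripts = policy.get("script-src", policy.get("default-src", []))
    lowered = [s.lower() for s in scripts]
    if not lowered:
        findings.append("no script-src or default-src: any script may run")
    if "'unsafe-inline'" in lowered:
        findings.append("script-src allows 'unsafe-inline': injected <script> blocks still run")
    if "'unsafe-eval'" in lowered:
        findings.append("script-src allows 'unsafe-eval': string-to-code execution is permitted")
    if any(s in ("*", "http:", "https:") for s in lowered):
        findings.append("script-src allows scripts from any host")

    # Plugin content (object-src) is a legacy route to script execution.
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src not restricted: plugin content can still load")
    return findings
```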

111. Prevent SQL Injection with Well-Built Backend Protocols

SQL injection (SQLi) is one of the most common and serious methods of attacking websites and web applications. A number of quality steps are advisable to help prevent it, including stringent input validation for your site's forms, using "stored procedures" on the database, escaping user-supplied input and more. Make sure your backend web and web app developers are very well versed in SQL injection prevention best practices.

_Big Picture

The above tips seem like a lot by number, but they actually just scratch the surface of all the very many things that must be done to keep secure. Just as helpful as specifics is an overall awareness and mindset to consider security at every turn. Be mindful of security always in all actions and you'll be closer to maintaining control of your digital realm.

112. Learn the "Executive level" Theory of Cybersecurity

The goal of cybersecurity is often referred to as the "C.I.A. triad", not for the US intel agency, but rather for three objectives: 1. Confidentiality: keep data only in your hands and out of anyone else's it shouldn't be in. 2. Integrity: data needs to remain whole, uncorrupted, and unchanged by malicious actors. 3. Availability: those who need data to do their work should still be able to reasonably access it. These goals apply to all data, whether personal or company; it's a useful paradigm to keep in mind.

113. Keep Abreast of Cybersecurity News

Cybersecurity risks are ever-evolving, moving perhaps as fast or faster than anything else in computing technology. Stay tuned to cybersecurity news via some of the top blogs like CSO Online, ZDNet, Infosecurity Magazine, the CNET security section, CyberNews, or a cybersecurity news aggregator like Cyber.Report.

114. Do a Risk Assessment

How much Personally Identifiable Information (PII), customer data, payment and financial info, sensitive client data and so on are you handling? Even for just your own data, what would be the costs if you lost access to all your data and services immediately? In most cases, the consequences of data breaches, cyberattack disruptions and ransomware are high enough to warrant much concern. How much concern, and how much money should be invested in mitigating these risks, is what a risk assessment determines.

115. Get Professional Help

At a certain level of risk and liability, "rolling your own" security isn't enough, and even if you have a great team, an extra set of eyes, perspective and formal test and checks are invaluable.

116. User Access Control (again) with the "Principle of Least Privilege"

It bears repeating because it's so important to get right: these are the keys to the castle. The more people that have access to more data, the more risk exposure grows. Limit and restrict access and abilities to only the minimum required to do the required tasks. This "Principle of Least Privilege" is key. Don't give anyone any more access than they need, and if their situation changes (e.g. they leave the company or move departments) make sure their access is changed accordingly.

117. Create Protocols for Incidents

Plan ahead for the worst: who should do what when it happens, what they should do, and so on.

118. Physical Security of your Premises

Don't forget to actually lock the doors! The more secure the better: locks, cameras, and employee awareness to look out for unknown and suspicious individuals.

119. Implement 2FA (apps, cards, keys)

2FA doesn't just mean a phone app like Google Authenticator, it also includes devices like smart cards, USB security keys you insert into devices or use to generate time-based codes, biometrics like fingerprint scanning and so on. Here is a good overview of physical security devices.

120. Apply All of the Above to All Devices

Not just your computer, but also your mobile phone, and all home Internet of Things products, and more. It doesn't do any good if you lock down your laptops but not your phones, etc.

121. Apply All of the Above to Everyone in your Company, Household and Beyond

If you're secure but your colleagues, family or friends aren't, they can be breached and attacks can get closer to you. Especially in work environments, security training and mindfulness must extend to everyone for the whole group to remain secure.

ABOUT THE AUTHOR

Stephen
Schroeder

Founder of Seirim, Stephen focuses on the art and science of web design, usability and advancements in web development tech to help keep driving Seirim's projects and abilities forward.
