<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Commandments Archives - L2 Cyber Security Solutions Ltd.</title>
	<atom:link href="https://www.l2cybersecurity.com/category/commandments/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.l2cybersecurity.com/category/commandments/</link>
	<description>#SecuritySimplified</description>
	<lastBuildDate>Wed, 11 Oct 2017 22:11:24 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.l2cybersecurity.com/wp-content/uploads/2023/03/cropped-Logo-Only-Favicon-Transparent-32x32.png</url>
	<title>Commandments Archives - L2 Cyber Security Solutions Ltd.</title>
	<link>https://www.l2cybersecurity.com/category/commandments/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>The Ten Commandments of Cyber Security</title>
		<link>https://www.l2cybersecurity.com/the-ten-commandments/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Thu, 07 Jul 2016 12:00:33 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=450</guid>

					<description><![CDATA[<p>The Ten Commandments of Cyber Security Click on the links for a summary and detail of each commandment. Thou shalt keep all of thy software and apps up-to-date with automatic updates. Thou shalt have Anti-virus software installed, updated and active. Thou shalt have a firewall in place on thine Desktop/Laptop as well as thine internet&#8230;</p>
<p>The post <a href="https://www.l2cybersecurity.com/the-ten-commandments/">The Ten Commandments of Cyber Security</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2 style="text-align: center;">The Ten Commandments of Cyber Security</h2>
<p><img fetchpriority="high" decoding="async" class="aligncenter" title="The ten commandments" src="https://4.bp.blogspot.com/-UwOIjJZozPE/V0xr41Icg_I/AAAAAAAAAOg/CghkTxdJbS8tmLa38F-e366o971W2VfGQCLcB/s320/10%2BCommandments.gif" alt="The ten commandments of cyber security" width="320" height="284" /></p>
<div data-blogger-escaped-style="text-align: center;">
<p style="text-align: center;"><span style="color: #ff0000;"><strong><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="color: orange; font-family: &quot;verdana&quot; , sans-serif;">Click on the links for a summary and detail of each commandment.</span></strong></span></p>
</div>
<p><span id="more-450"></span></p>
<ol>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/use-automatic-updates/">Thou shalt keep all of thy software and apps up-to-date with automatic updates.</a></li>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/use-anti-virus/">Thou shalt have Anti-virus software installed, updated and active.</a></li>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/have-a-firewall-in-place/">Thou shalt have a firewall in place on thine Desktop/Laptop as well as thine internet connection.</a></li>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/iv-thou-shalt-always-backup-thy-data/">Thou shalt always backup thy data and regularly check its integrity.</a></li>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/v-cast-aside-e-mails-from-strangers/"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Thou shalt cast aside e-mails from strangers and not open attachments/click links they may send you. (Corollary: Thou shalt never open an unexpected file/link from thine family, friends or colleagues)</span></a></li>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/vi-encrypt-data-on-mobile-devices/">Thou shalt encrypt all data stored on thine mobile devices.</a></li>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/vii-use-two-factor-authentication/">Thou shalt use two factor authentication on any account that provides the facility.</a></li>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/viii-never-reveal-your-password-to-anyone/">Thou shalt never reveal thine password for any account to anyone.</a></li>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/ix-never-insert-a-strange-usb-memory-stick/">Thou shalt never insert nor allow to be inserted, a USB memory stick that thy hath never had complete control of since it was removed from its packaging.</a></li>
<li data-blogger-escaped-style="text-align: justify;"><a href="http://www.l2cybersecurity.com/x-only-use-official-app-store/">Thou shalt only use the official app store for apps.</a></li>
</ol>
<p style="text-align: center;">For more information, please visit our <a href="http://www.L2CyberSecurity.com/">website</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>X. Thou shalt only use the official app store for apps.</title>
		<link>https://www.l2cybersecurity.com/x-only-use-official-app-store/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Thu, 07 Jul 2016 11:00:53 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=447</guid>

					<description><![CDATA[<p>Summary: This commandment is more targeted at the mobile device side of technology, but app stores are spreading into the desktop/laptop areas by way of Windows Store for Windows 8.1 and Windows 10. From a mobile device perspective, you should only use the official app store for that platform. Most smartphones come with a setting&#8230;</p>
<p>The post <a href="https://www.l2cybersecurity.com/x-only-use-official-app-store/">X. Thou shalt only use the official app store for apps.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignleft" title="Commandment 10" src="https://1.bp.blogspot.com/-ub8AY6iEHz0/V31ps-hubII/AAAAAAAAATY/vWjBniuyHuUSkyVqeS11hr4_ACg5p7guQCLcB/s200/Commandment%2B-%2B10.jpg" alt="Commandment X Thou shalt only use the official app store for apps." width="109" height="200" /></p>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Summary:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">This commandment is more targeted at the mobile device side of technology, but app stores are spreading into the desktop/laptop areas by way of <i>Windows Store</i> for Windows 8.1 and Windows 10.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">From a mobile device perspective, you should only use the official app store for that platform. Most smartphones come with a setting that tells them to only allow apps to be downloaded and installed from the official sources (or not to be installed from untrusted sources).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So for iPhones, only use <i>App Store</i>, Androids should only use <i>Google Play</i>, Kindles should use <i>Amazon Appstore</i> and Blackberrys should only use <i>Blackberry World</i>.</span></p>
</div>
<p><span id="more-447"></span></p>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Apple has very tight control over the apps it allows in <i>App Store</i>. It checks the apps very thoroughly to ensure nothing nasty can get onto its customers’ devices. They have had issues in the <a href="http://www.bbc.com/news/technology-34338362">recent past</a>, but they are the most secure of the mobile platforms because of their controls.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><i>Google Play</i> is larger than App Store and as such would be more of a target for the bad guys. While they do scan all new apps coming into the store, there have been occasional breaches, for example in <a href="http://www.theregister.co.uk/2016/04/26/android_malware_whack_a_mole/">April</a> and <a href="https://nakedsecurity.sophos.com/2016/05/11/parrot-copter-and-viking-jump-apps-hide-malware-in-google-play/">May</a> of 2016. More concerning was a <a href="https://threatpost.com/google-play-hit-with-rash-of-auto-rooting-malware/118938/">raft of Malware</a> that surreptitiously rooted Android devices in June 2016.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><a href="https://en.wikipedia.org/wiki/Rooting_(Android_OS)">Rooting</a> is a procedure which gives the user of the device complete control over all of the device’s functions and removes any built-in security protections or restrictions that the manufacturer included on the device.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">That’s all there is to it. I will continue below with some details on the subject of App Stores and mobile device security. So if you are not interested in such particulars, just make sure you only use the official one for your device.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Detail:</span></h1>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Rooting/Jailbreaking a phone is not a good idea:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">From an Android perspective, it’s very easy to make a mistake while rooting and “brick” the phone, as it is called (i.e. turn it into an expensive paperweight). If you do that, you won’t get any sympathy from the manufacturer or mobile operator, as rooting will void the warranty.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Also, because you are using the phone at an elevated level of access, you could be more easily compromised by malware, which will be able to execute without restriction.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">In the Apple universe, some people like to Jailbreak their iThing. This is similar to rooting and it enables you to install some tweaks and apps that Apple don’t approve of. However, any time there is an iOS update distributed by Apple, it is going to un-Jailbreak the iThing, so you will have to go through the process of re-Jailbreaking and reinstalling the apps that you want.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Jailbreaking also can cause the iThing to become unstable and may require regular restores. Finally, it has been shown that <a href="http://www.macworld.com/article/2944712/hacking-team-hack-reveals-why-you-shouldnt-jailbreak-your-iphone.html">some iOS malware</a> requires a Jailbroken device, so it obviously dramatically reduces the security of the device.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Secure your mobile devices:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">As a bare minimum you should use a PIN or password to lock your mobile devices. Patterns are not quite as secure as a PIN and certainly not as secure as a password. Also make sure that the device auto-locks after a relatively short length of time (30-60 seconds).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have a fairly modern phone and you store any sort of Personally Identifiable Information on it, then you must encrypt the data at least, but realistically you should do it to the entire device. Remember that we talked about this in Commandment VI.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Have it set to receive and install updates automatically in order to plug any security vulnerabilities as mentioned in Commandment I.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A reputable Anti-Virus app should also be deployed. Keep it updated and active at all times in accordance with Commandment II.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Turn off Bluetooth when you are not using it and if you are having a highly confidential conversation, do NOT use a Bluetooth headset, as audio eavesdropping on Bluetooth is <a href="https://www.youtube.com/watch?v=-s223KjOKAM">ridiculously easy</a>. Turn off Bluetooth and use a wired headset for such conversations.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Also, if you are the creator of confidential materials, you might want to ditch the Bluetooth keyboard as intercepting keystrokes is <a href="https://www.youtube.com/watch?v=X0RUN6SB6c8">even easier</a>.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Secure your app store accounts:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">I’m sure you have heard the <a href="http://www.abc.net.au/news/2012-09-17/kids-racking-up-huge-bills-on-mobile-games/4266632">horror stories</a> of people’s children running up massive credit card bills by way of in-app purchases on the games they play on tablets and smartphones. Well there is a straightforward way of preventing that from getting out of control. Simply set your mobile device to ask for a password for <b><u>every</u></b> purchase from the app store. Oh and obviously you don’t give the child the password – m-kay! :-)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have no other security controls on your mobile device, at least have the store account secure, because if thieves get your phone, they could max out your credit card on all sorts of nice things for themselves.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Record your IMEI number:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The <a href="https://en.wikipedia.org/wiki/International_Mobile_Station_Equipment_Identity">IMEI</a> number is a unique number assigned to your mobile phone and it is used by the mobile operators to identify your phone (as distinct from your number which is assigned to your SIM card). If you make a note of the IMEI number, then in the event your device is lost or stolen, you can notify your mobile operator and they can block the device which will render it useless (at least within Ireland).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">It’s quite easy to get the IMEI number for your handset. Simply dial <b><span style="color: #ff0000;" data-blogger-escaped-style="color: red;">*#06#</span></b> and your device’s IMEI number will be displayed. Take a screenshot of it and e-mail the picture to yourself so you can have it handy.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Conclusion:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have any comments, suggestions or questions on the above, please leave a comment below.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Do you have a Commandment for Cyber Security to add, or any thoughts on those that I have listed? If so, please let me know and I will do a follow-up after I have completed the run-through.</span></p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>IX. Thou shalt never insert nor allow to be inserted, a USB memory stick that thy hath never had complete control of since it was removed from its packaging.</title>
		<link>https://www.l2cybersecurity.com/ix-never-insert-a-strange-usb-memory-stick/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Tue, 05 Jul 2016 11:00:44 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=443</guid>

					<description><![CDATA[<p>Summary: This is an easy commandment to follow, but there might be temptation to breach it for convenience.  If you find a USB memory stick on the street or in a car park, bring it to a waste electrical goods recycling centre and dispose of it there. I was going to say place it in&#8230;</p>
<p>The post <a href="https://www.l2cybersecurity.com/ix-never-insert-a-strange-usb-memory-stick/">IX. Thou shalt never insert nor allow to be inserted, a USB memory stick that thy hath never had complete control of since it was removed from its packaging.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignleft" title="Commandment 9" src="https://4.bp.blogspot.com/-jMsNIAxwoL8/V3p9aShwymI/AAAAAAAAARk/IK6nUDTWFP0tYsO-PxsVqCYgUtsRfbXRgCLcB/s200/Commandment%2B-%2B09.jpg" alt="Commandment IX Thou shalt never insert nor allow to be inserted, a USB memory stick that thy hath never had complete control of since it was removed from its packaging." width="109" height="200" /></p>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Summary:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">This is an easy commandment to follow, but there might be temptation to breach it for convenience. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you find a USB memory stick on the street or in a car park, bring it to a waste electrical goods recycling centre and dispose of it there. I was going to say place it in a bin, but that would not be good for the environment.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If <b><u>anybody</u></b> comes to you and wants you to plug a USB memory stick into your desktop or laptop, just don’t! No matter what promises they make as to the security and cleanliness of their systems, you simply cannot trust the device.</span></p>
</div>
<p><span id="more-443"></span></p>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">It’s not really the data files on the USB memory stick that you are terribly worried about (although you should be concerned about macro viruses) but the other hidden nasties that could be lurking on it. Your IT team might have disabled the “<a href="https://en.wikipedia.org/wiki/AutoRun">AutoRun</a>” capability on your machine, but if the evil doers really want to get inside your network, they could implant a piece of evil code deep within the hardware of the USB stick that can infect files being copied to and from the USB memory <a href="http://www.howtogeek.com/203061/don%E2%80%99t-panic-but-all-usb-devices-have-a-massive-security-problem/">stick</a>. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">It’s not just USB memory sticks that you need to be careful of, but any USB connected device (e.g. a mouse) that you just “happen” to discover lying on the ground of your company’s car park. <a href="http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/">They could all be loaded with nasty code</a> that might spy on you and your company if they were connected.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The only USB devices you should allow to connect to your device are those which you have purchased new from a reputable source and which were still in their shrink-wrapped packaging when they came to you. Never let these out of your control, or allow them to be connected to anybody else’s machine.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">That’s all there is to it. I will continue below with some details on issues of USB device security concerns and workarounds to avoid the temptation to breach this. So if you are not interested in such particulars, just don’t allow any strange/unknown USB devices to be connected to your desktop/laptop.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Detail:</span></h1>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">CDs, DVDs and Micro SD cards are bad too:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">All sorts of removable media are a concern and thus has it always been so, since the dawn of the floppy disk. Viruses and Trojan Horses have been spreading for decades via removable media. We should therefore be just as concerned about the provenance of any such media before we let it near our machines.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The particular concern with USB devices is that there is an additional risk coming from the electronics on board the device itself. A DVD does not have any electronics on it.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A USB Memory stick is ideal for data theft:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The focus so far has been on the spreading of malware. However, a big risk to a business of having unsecured USB ports on their machines is the theft of data. We are not just talking about some evil doer coming into your office and stealing the data. We are talking about those people that are working for you who have access to your company’s inner secrets and files. For example, you may have a facilities manager who is thinking about quitting; they may copy your entire customer database to a USB stick before they hand in their notice.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Obviously you need to enable your staff to access that which they need to do their job, but do they have access to data that they don’t need to have access to? In the example above a facilities manager has no need to access your customer database, so they should be prevented from accessing it.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">You should apply what is called the rule of least privilege. Put simply, start from a point where nobody has access to anything (with the obvious exception of the trusted administrator account). Then grant appropriate access (read-only, read-write-update-delete) to the relevant sets of data as required.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you need support in carrying out a review of your security set up, just <a href="http://www.l2cybersecurity.com/#contact">contact us</a> in L2 Cyber Security Solutions.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Needing to transfer large files from one person to another:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So a colleague needs to share a large file (e.g. a presentation) that they have been working on for days and the file is too big to e-mail to you. Well, if they are a colleague then they should simply store the file on a network file share.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Of course they may have worked on this presentation on their own personal home PC, if they don’t have a company laptop. In this case I wouldn’t even trust the presentation as the home PC is a complete red flag. If your company expects employees to work on projects at home, they should either (a) provide them with a laptop full time or (b) have a pool of “loaner” laptops which the employees can borrow. These laptops should be configured to meet the company security standards and are only for use by the employee and not their family.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The person needing to transfer the files may be working for a different company (e.g. a vendor or a solicitor). There are plenty of cloud-based storage solutions available – Google Drive, SkyDrive, Box, iCloud and Dropbox to name but a few. They all come with a free offering which should be more than adequate for most needs. The files to be transferred can be uploaded to the cloud and then shared with the intended recipient. It might be a good idea to compress the files with a good password before uploading to give additional security.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">You should disable all USB ports:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Disabling AutoRun may not be enough to protect your machine from an infection. Ideally you should disable the USB ports in the hardware settings of your computer; however, this would prevent you from using a USB mouse and keyboard.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">You can get software that will effectively disable the USB ports for all devices other than a mouse, keyboard and a printer. This would be useful for preventing somebody copying lots of data from your network. However a committed hacker who wants to spy on your business can get a USB stick that will either emulate a keyboard or be connected in-line with your existing keyboard and then <a href="https://en.wikipedia.org/wiki/Hardware_keylogger">log all of the keystrokes</a> you make, which would include your passwords.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A USB stick can destroy your hardware:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Some enterprising people have created a USB memory stick that will <a href="http://arstechnica.com/security/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/">fry the electronics</a> on the motherboard of a computer simply by inserting it into a port. While there is no apparent purpose, other than the wanton destruction of somebody’s desktop/laptop, it could be used as part of a campaign to disrupt somebody’s business during merger/acquisition discussions. </span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Hosting a Conference event:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">I attended a seminar where the CEO of the company sponsoring the whole event openly admitted that he lost a laptop at a previous seminar to malware after one of the other presenters inserted an infected USB stick into the CEO’s laptop to get his presentation.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you are organising such an event, you should make sure all of the presentations come to you via the channels described in the transferring large files section above. It might also be an idea to have a backup laptop too.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Conclusion:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have any comments, suggestions or questions on the above, please leave a comment below.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Do you have a Commandment for Cyber Security to add, or any thoughts on those that I have listed? If so, please let me know and I will do a follow up after I have completed the run through.</span></p>
</div>
<p>The post <a href="https://www.l2cybersecurity.com/ix-never-insert-a-strange-usb-memory-stick/">IX. Thou shalt never insert nor allow to be inserted, a USB memory stick that thy hath never had complete control of since it was removed from its packaging.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>VIII. Thou shalt never reveal thine password for any account to anyone.</title>
		<link>https://www.l2cybersecurity.com/viii-never-reveal-your-password-to-anyone/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Thu, 30 Jun 2016 11:00:32 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=440</guid>

					<description><![CDATA[<p>Summary: This is one that should be an absolute no-brainer. Your password is your key to your data and applications. It should be absolutely sacrosanct and known only to yourself and NOBODY else. Nobody else has a need for it, except the evil doers and you wouldn’t give it to them willingly, would you? It&#8230;</p>
<p>The post <a href="https://www.l2cybersecurity.com/viii-never-reveal-your-password-to-anyone/">VIII. Thou shalt never reveal thine password for any account to anyone.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignleft" title="Commandment 8" src="https://4.bp.blogspot.com/-ojm9pXkcCGE/V3Tg7CW2HnI/AAAAAAAAARQ/iirIPpk7mGoXHnOUBm7gkuWViEX8pPJjwCLcB/s200/Commandment%2B-%2B08.jpg" alt="Commandment VIII Thou shalt never reveal thine password for any account to anyone." width="109" height="200" /></p>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Summary:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">This is one that should be an absolute no-brainer. Your password is your key to your data and applications. It should be absolutely sacrosanct and known only to yourself and NOBODY else. Nobody else has a need for it, except the evil doers and you wouldn’t give it to them willingly, would you? It couldn’t be simpler than this.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">For the purposes of thoroughness, in this article all references to passwords also refer to passphrases, PINs or any other method of gaining access that is based on something you know.</span></p>
</div>
<p><span id="more-440"></span></p>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">For a business machine, nobody else needs your passwords. The instant your password is known by somebody else, then that could lead to fraud being committed <b>in your name</b> because your account can be accessed by somebody else. You could potentially lose your job or face prosecution as a result of this. If you are in a company where managers know the passwords of their team, then I’m afraid that company has a very poor security policy and may actually be in breach of privacy laws.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Your IT support provider should not need your password to sign in to your machine. They should have Administrative access over all the machines on the network, so they should be able to see everything they need from their own machines. In situations where they need to remotely see what you are seeing, then they should have tools for taking remote control of your machine. They should ONLY ever do this with your permission.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Even for a home machine, I would recommend that everybody in the household who needs to use the desktop/laptop should have their own user account and password, and these really should not be shared. If you are giving your machine in to be repaired, you should probably change the administrator’s account password to something easy for the repair people and then change it back on return.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Finally Microsoft/Apple/Google will not ring you about a virus or other problem on your machine. Eircom/Vodafone/Virgin Media will not ring you about your Internet Wi-Fi. Hang up on these people and <b>JUST NEVER GIVE YOUR PASSWORD TO ANYONE</b>.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">That’s all there is to it. I will continue below with some details on the subject of passwords. So if you are not interested in such particulars, just make sure your password is only known to you.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Detail:</span></h1>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Most common passwords:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">This is the 2015 list of the top 25 most commonly used passwords (the change from the 2014 chart position is in parentheses):</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">1. 123456 (Unchanged)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">2. password (Unchanged)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">3. 12345678 (Up 1)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">4. qwerty (Up 1)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">5. 12345 (Down 2)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">6. 123456789 (Unchanged)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">7. football (Up 3)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">8. 1234 (Down 1)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">9. 1234567 (Up 2)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">10. baseball (Down 2)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">11. welcome (New)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">12. 1234567890 (New)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">13. abc123 (Up 1)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">14. 111111 (Up 1)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">15. 1qaz2wsx (New)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">16. dragon (Down 7)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">17. master (Up 2)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">18. monkey (Down 6)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">19. letmein (Down 6)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">20. login (New)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">21. princess (New)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">22. qwertyuiop (New)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">23. solo (New)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">24. passw0rd (New)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">25. starwars (New)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">If you use one of these passwords, then you might as well not have a password, as these are going to be the first passwords attempted by any hacker.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Some might say that #4 and #22 look a bit complicated – until you look at the keyboard and see that these are the top row of letters on an English language keyboard.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">#15 looks like a really complicated password, doesn’t it? Look at the keyboard again: it is a key sequence running down a column of keys from the top row, left hand side, to the bottom row and then down the next column of keys.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Some of the other passwords, that are actual words, have originated from popular culture. For example #16 came as a result of the popularity of Game of Thrones. #21, #23 and #25 showed up as new in 2015 as a result of Star Wars Episode VII, The Force Awakens.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Somebody knows my password:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">I would say change it immediately, however let’s be practical here. If you change the password in a rush, you’re likely to forget what you changed it to. Take your time and read on here for further advice.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Every application/website needs its own, unique password:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">I’m sorry – but this is absolutely <b><i><u><span style="color: #ff0000;" data-blogger-escaped-style="background-color: yellow; color: red;">ESSENTIAL</span></u></i></b> (note emphasis), as reusing passwords is simply begging for trouble. Just ask Mark Zuckerberg (CEO of Facebook). He <a href="http://www.wsj.com/articles/mark-zuckerbergs-twitter-and-pinterest-accounts-hacked-1465251954">used the same</a> password (and it was a poor password at that) for LinkedIn, Pinterest and Twitter. When LinkedIn was hacked in 2012, the list of all e-mail addresses and passwords of its members at that time was stolen. This list was recently released and some enterprising evil doers tried Mr. Zuckerberg’s e-mail address and password from that list on Twitter and Pinterest and compromised his accounts.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">This doesn’t just happen to high profile people, but to normal everyday people like you and me. <a href="http://www.securityweek.com/online-backup-firm-carbonite-hit-password-reuse-attack">Here</a> was another case of these leaked e-mail addresses and passwords being tried by bad guys on other services.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Certainly turning on Two Factor Authentication (see Commandment VII) would provide a great additional layer of protection, but not all sites provide this facility so it cannot be relied upon.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Creating unique passwords for every application or website can appear daunting, but it can also be very easy. All you need to do is come up with a <b><u>method</u></b> for creating the password that uses attributes of each application or website to generate the password. As long as you can remember the method for creating the password, then you should be in good shape. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">There is an entire module in the <a href="http://www.l2cybersecurity.com/#ourservices">Security Awareness Training</a> that <a href="http://www.l2cybersecurity.com/">L2 Cyber Security Solutions</a> deliver which gives a couple of suggested methods that generate incredibly complex passwords, but as long as the method is known, they are easy to reproduce. <a href="http://www.l2cybersecurity.com/#contact">Contact us</a> to find out more about the training course.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Choosing a password:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Proper words make for really bad passwords, as one method hackers use to break a password is what is called a <a href="https://en.wikipedia.org/wiki/Dictionary_attack">Dictionary Attack</a>. This is essentially like throwing the Oxford English Dictionary at somebody’s password.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">You might think you are being clever by substituting different characters in a proper word – e.g.- P@$$w0rd. I’m afraid they tend to be wise to those techniques and will try them too.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Your password needs to make no obvious sense to anybody other than you. It should also be reasonably long – I would suggest 12 characters as a minimum. The longer the better as it makes it harder for the bad guys to crack. Make sure there is a mix of uppercase, lowercase, numbers and special characters.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">How about a passphrase:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">A passphrase is a password that is made up of a sequence of proper words. For example “ItWasTheBestOfTimes” or “MaryHadALittleLamb”. Passphrases are quite a good idea as they typically make the password <b>very long</b>, which makes it much harder to crack.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">However my two examples are probably too iconic and would likely be attempted by the evil doers. Choose something more obscure, like the third line of lyrics in a verse of a favourite song. Also add a little complexity by incorporating at least one number and a special character. So this might give us “R3memberTh3Sh@man” – that is 17 characters of pretty decent passphrase right there. (One <a href="http://i780.photobucket.com/albums/yy85/davesavrnoch/attaboy2.jpg">Attaboy</a> for the first person to identify the song without using Google/Bing/Yahoo 🙂)</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Obviously it takes time to type in 17 characters, but as you keep using it, your muscle memory will kick in and make it a doddle to type in after a few days. If it’s only something you need to do once or twice a day it wouldn’t be that great an inconvenience. </span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">I tell my browser to remember my passwords:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">STOP! Don’t do this anymore. Your passwords are effectively stored in an open file on your machine and are easily accessible by any evil doer that can get into it.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">I store my passwords in a password protected Excel spreadsheet:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">While this is OK-ish, there are a lot of utilities out there that crack the passwords of Excel spreadsheets.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Refer back to Commandment VI about encryption. Using compression utilities or purpose made encryption software to scramble the password spreadsheet would be a far better idea.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">How about a password manager:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">If you really are struggling with the whole topic of passwords, then get yourself a Password Manager. This will store your usernames and passwords for each and every site in a secure database and will pop them into the appropriate places on the log on page. It will even generate incredibly complicated passwords that even you won’t remember, because it will do the remembering for you.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">There are plenty of free ones available and some that have free and paid versions. You must make up your own mind about which one is for you. There are some which only work on an individual device, as they store the password locally. So if you have a desktop, laptop and smart phone, this kind of password manager would not be appropriate. You would be better off going with one that has a cloud option, where the password database is on the internet and can be synchronised across the devices and platforms.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">You should ensure that you are backing up the password database appropriately in case of a failure of the machine. This is most important where you are using the password manager to generate the passwords for you.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Finally bear in mind that, because of the nature of their business, Password Manager vendors are significant targets for the bad guys. There have been breaches in the <a href="http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/">past</a>.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Conclusion:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">If you have any comments, suggestions or questions on the above, please leave a comment below.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: Verdana, sans-serif;">Do you have a Commandment for Cyber Security to add, or any thoughts on those that I have listed? If so, please let me know and I will do a follow up after I have completed the run through.</span></p>
</div>
<p>The post <a href="https://www.l2cybersecurity.com/viii-never-reveal-your-password-to-anyone/">VIII. Thou shalt never reveal thine password for any account to anyone.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>VII. Thou shalt use two factor authentication on any account that provides the facility.</title>
		<link>https://www.l2cybersecurity.com/vii-use-two-factor-authentication/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Tue, 28 Jun 2016 11:00:41 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=437</guid>

					<description><![CDATA[<p>Summary: What is two factor authentication? Put simply it is a way of gaining access to an application by using two means of verifying the identity of the person requesting access. Typically the means of verification are (a) something you know – e.g.- a Password (b) something you have – e.g.- a Mobile phone (c)&#8230;</p>
<p>The post <a href="https://www.l2cybersecurity.com/vii-use-two-factor-authentication/">VII. Thou shalt use two factor authentication on any account that provides the facility.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignleft" title="Commandment 7" src="https://4.bp.blogspot.com/-NqwXZmgekFw/V3JIi4UlfwI/AAAAAAAAAQo/UsVbYsoJmn0ESMPeYX6BCtJWKnhFQ4HLgCLcB/s200/Commandment%2B-%2B07.jpg" alt="Commandment VII Thou shalt use two factor authentication on any account that provides the facility." width="109" height="200" /></p>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Summary:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">What is two factor authentication? Put simply it is a way of gaining access to an application by using two means of verifying the identity of the person requesting access. Typically the means of verification are (a) something you know – e.g.- a Password (b) something you have – e.g.- a Mobile phone (c) something you are – e.g.- a Fingerprint.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">It is probably one of the best ways of protecting an on-line account from evil doers, who scour the web, stealing passwords by the millions from the likes of <a href="http://fortune.com/2016/05/18/linkedin-data-breach-email-password/">LinkedIn</a> and <a href="http://www.telegraph.co.uk/technology/2016/05/31/myspace-hack-millions-of-passwords-and-email-addresses-up-for-sa/">MySpace</a>.</span></p>
</div>
<p><span id="more-437"></span></p>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Withdrawing cash from an ATM is probably the most common use of Two Factor Authentication (2FA) you are familiar with. In order to get cash, you need something you have (the ATM card) and something you know (your PIN).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">In the on-line world 2FA helps protect your account in the case where, for example, hackers have compromised your password. If your account also requires your fingerprint to be scanned to gain access, then the hackers would need your finger in order to get into your account. As long as it is still attached to your body and your body is not in the hackers’ possession either, then your account should be pretty safe.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A more common form of on-line 2FA is by use of SMS text messages to your mobile phone. So if you try to log into your account with your username and password, a text message will be sent to your mobile phone with a 5 or 6 digit code to be typed in after you have entered your password. If you suddenly receive a text message with such a code and you were not actively trying to log in to your account at that moment in time, then it means somebody has compromised your password, but they shouldn’t be able to get any further as they will not have the code that has been sent to you. Now would be a really good time to go and change your password on that account (and any other account that you use that password on – cos you do that don’t you??? ☹).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Lots of on-line services offer 2FA (Google, Microsoft, Apple, LinkedIn, Facebook, Dropbox, Evernote, etc.). For a full list check this <a href="https://twofactorauth.org/">website</a>. If you have an account that has 2FA available, you really should go and enable this now to give yourself a massive increase in protection.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">That’s all there is to it. I will continue below with some details on the subject of Two Factor Authentication. So if you are not interested in such particulars, just make sure you have activated it on all accounts that have the facility – in particular e-mail accounts.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Detail:</span></h1>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">I have to enter a password AND a separate code at EVERY log on:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Depending on the application, you may only need to enter the separate code once per device or browser. If the device you use is always under your control, you should be offered an option to “Trust this device”, which if checked, means you will not be prompted for the second factor at each and every log on. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If your device is not always under your control, or it is particularly portable (i.e.- particularly theft-friendly), then you really should set it to always ask for the second factor on log in. I know this may seem like a big ask, but you will get used to it very quickly.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Just think of the absolute hassle and suffering you would go through if somebody has compromised your e-mail account and is now spamming your customers and colleagues. If the bad guys have your e-mail account, they may easily reset your social media account passwords and start posting inappropriate messages. All this because you found it a little bit inconvenient to spend an additional 5-10 seconds logging in at the start of the day.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Two Factor Authentication Apps/Tokens:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">SMS Text messages are not the most secure way to receive a second factor, because there is communication happening between you entering the password and you receiving the code. So it is <a href="https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/">possible</a> for a committed hacker to (a) intercept these or (b) have compromised your mobile number. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">An Authenticator App or Token can be used in place of an SMS Text message. These generate random numbers every 30 seconds. So this removes the communication channel between you entering the password and you needing to provide the code. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">One such App that is available on a number of platforms, including Apple, is the Google Authenticator. This can provide your second factor on services such as Amazon, Dropbox, Facebook, Evernote, Salesforce.com and obviously Google’s own platform.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The only issue with using this app, is where you lose your phone or it’s damaged beyond repair. When you set-up the Authenticator App on a service, the service should either ask you for a backup phone number or give you a set of one-time-passwords (OTP) which you should print and keep safe, as these might be the only way that you can get back into the service when you no longer have access to the Authenticator app.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Can’t fingerprints be compromised:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">There was a <a href="https://en.wikipedia.org/wiki/MythBusters_(2006_season)#Episode_59_.E2.80.93_.22Crimes_and_Myth-Demeanors_2.22">Mythbusters</a> episode where the team showed how they were able to fool a fingerprint reader on a door lock. Now it should be pointed out that this door lock should also have been configured for PIN entry as well, so that there would have been proper two factor authentication. Also in this episode, the fingerprint reader on a ~2006 model laptop offered more protection against the faked fingerprint than the door scanner.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So, yes they can be compromised, but other “something you are” attributes (also referred to as biometrics) are available, like Iris Scanning, Voice or Facial Recognition, etc. None of these are completely fool-proof, which is why they need to be used in conjunction with other factors to offer greater security.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Conclusion:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have any comments, suggestions or questions on the above, please leave a comment below.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Do you have a Commandment for Cyber Security to add, or any thoughts on those that I have listed? If so, please let me know and I will do a follow-up after I have completed the run through.</span></p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>VI. Thou shalt encrypt all data stored on thine mobile devices.</title>
		<link>https://www.l2cybersecurity.com/vi-encrypt-data-on-mobile-devices/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Thu, 23 Jun 2016 11:00:44 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=434</guid>

					<description><![CDATA[<p>Summary: Your data is valuable to you. Even something as simple as the phone numbers in your phone’s contact app. It’s also valuable to the evil doers. They would dearly love access to your phone with all of the valuable e-mail, SMS, call logs, WhatsApp messages. Everything on your phone will be of some use&#8230;</p>
<p>The post <a href="https://www.l2cybersecurity.com/vi-encrypt-data-on-mobile-devices/">VI. Thou shalt encrypt all data stored on thine mobile devices.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignleft" title="Commandment 6" src="https://3.bp.blogspot.com/-qr2O9kD61cU/V2qV4cuarzI/AAAAAAAAAQU/bz2EgNhTJjYj4H0z7LrIcPMOgo5Mt6AmACLcB/s200/Commandment%2B-%2B06.jpg" alt="Commandment VI Thou shalt encrypt all data stored on thine mobile devices." width="109" height="200" /></p>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Summary:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Your data is valuable to you. Even something as simple as the phone numbers in your phone’s contact app. It’s also valuable to the evil doers. They would dearly love access to your phone with all of the valuable e-mail, SMS, call logs, WhatsApp messages. Everything on your phone will be of some use to these criminals, because it is real data, with valid names, e-mail addresses, phone numbers, etc. and they can sell this online to anybody who wants it, such as your competitors. Wouldn’t they like to know that you’ve been making lots of calls to one of their customers recently.</span></p>
</div>
<p><span id="more-434"></span></p>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The thing with mobile devices (Laptops, Tablets and Phones) is they can hold a lot of data and can be very easily mislaid or worse stolen. That is why it is <b><i><u><span style="color: #ff0000;" data-blogger-escaped-style="background-color: yellow; color: red;">ESSENTIAL</span></u></i></b> (note emphasis) that you encrypt (i.e.- scramble the data such that it is unreadable unless you have the key) all data on your mobile device. This is quite easy to do as most modern smart phones and tablets have the ability built in. For laptops, special software may be required (e.g.- Bitlocker is the Microsoft supplied product for Windows, but there are others).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Also there may be a legal requirement for you to encrypt data. If you store documents, spreadsheets or databases which contain Personally Identifiable Information (PII), then the Data Protection Directive requires that this data be stored such that only those people who are authorised shall have access to it. So for a mobile device this means the data must be encrypted and only accessible to the person who has the key. If a device containing PII details is lost or stolen, then a report must be made to the Data Protection Commissioner’s office. If the data was properly encrypted, no further action would likely occur. However if the data was not encrypted, the Data Protection Commissioner would carry out a detailed investigation of your practices, which may lead to prosecution.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">That’s all there is to it. I will continue below with some details on the subject of encryption. So if you are not interested in such particulars, just make sure all of your data on mobile devices is encrypted.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Detail:</span></h1>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">What is PII:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">PII is something which can identify somebody as a person or in conjunction with other pieces of PII data can identify somebody as a person. The following is an example of some attributes which are considered PII: </span></p>
</div>
<ul>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Full name</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Home address</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Email address</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Personal Public Service (PPS) Number</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Passport number</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Vehicle registration plate number</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Driver&#8217;s license number</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Face, fingerprints, or handwriting</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Credit card numbers</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Digital identity</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Date of birth</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Birthplace</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Genetic information</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Telephone number</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Login name/screen name/nickname/handle</span></li>
</ul>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So if you have any of these attributes which identify customers, business partners, colleagues, etc. stored on a mobile device, you must have this information encrypted.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Different methods to encrypt data:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">To be totally safe and secure, you should always opt for complete device or full disk encryption. This means you don’t have to worry about accidentally having a piece of sensitive data in an unencrypted place on your mobile device.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">However, some people may be of the opinion that it is overkill to encrypt everything. They may only have a single spreadsheet that contains PII data, so they might opt to use Microsoft Excel’s encrypt function. In newer versions of Excel this uses, what is called, AES 128 bit encryption, which is OK, but it is crackable (there are a lot of utilities for breaking Excel passwords). If you had to notify your customers about the loss of their PII data, it would not give a great impression if they thought you only used Excel’s encryption.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">File compression utilities such as WinZip or 7Zip offer AES 256 bit encryption which is much more robust. However if somebody uses a short or widely known password (“123456” anyone? ☹) then these can be cracked too. If you choose a nice long and complicated password, then compressing the files with encryption should be acceptable.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">However there is nothing like using a purpose built encryption package to give confidence that you take security seriously. A well known application called <a href="https://en.wikipedia.org/wiki/Pretty_Good_Privacy">PGP</a> (Pretty Good Privacy) has been around since 1991. It is now a commercial product which has been bought by Symantec. It can secure files, folders, entire disks and also e-mail. There is a freely available alternative called <a href="https://sourceforge.net/projects/truecrypt/files/TrueCrypt/">TrueCrypt</a>, however it is no longer actively supported, so it may not be acceptable to use this product. However <a href="https://veracrypt.codeplex.com/">VeraCrypt</a> is actively supported and was based on a version of TrueCrypt from before it went unsupported.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Finally for devices like Phones and Tablets, if you have installed additional memory cards (MicroSD or the like) to increase storage, then make sure these are also encrypted, as this might be a slightly separate function to encrypting the device storage.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Corrupted data and Backups:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have encrypted your entire device, hard drive or even a folder containing a lot of files, it is possible that the corruption of a tiny section of that encrypted data may make the whole lot inaccessible. By contrast, where the folder of files was not encrypted, the corruption of a tiny section would only impact a single file, and even then it may still be accessible.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">It is therefore essential that you have your data backed up. That sounds familiar … hmmm … Commandment IV anybody?</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Of course if your data is being backed up to some form of external media (tape, disk, USB memory stick), then these are also highly mobile, so the data should be encrypted on that media too.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Some Full Disk Encryption utilities (e.g.- VeraCrypt) will create a Rescue/Recovery disk when they encrypt the full hard drive. This is just in case the keyfiles on the hard disk become corrupted. It will enable you to access the encrypted data. This Rescue/Recovery Disk should be put somewhere very safe and secure.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Is your e-mail encrypted:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A lot of the data that flows across the internet is not encrypted, therefore it is quite easy for anybody to see what other people are reading/downloading. E-mail is a particular case in point, as most e-mail data traffic is not encrypted. So if somebody had tapped into your network connection, they could quite easily read any e-mails that were in transit to and from your customers or vendors.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Most large corporations would have a form of e-mail encryption, called Transport Layer Security (TLS), turned on which would scramble e-mail messages while they are en route from their e-mail servers to yours. However if your e-mail server is not set up with TLS, then they cannot scramble the e-mail to you, so it will traverse the internet in an unscrambled form. Similarly, your e-mails to them would be in a legible form.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you use an e-mail hosting provider (e.g.- Microsoft Office 365 or Google Apps for Work) then it is quite likely that you have a TLS facility and it probably is already active (you should check to make sure it is).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">However if you are dealing with customers who have basic e-mail services (e.g.- @IOL.ie, @Eircom.net, @Oceanfree.net, etc.) these almost certainly do not have TLS available to them. So if you need to be sending sensitive data to such accounts, you should check with the data protection commissioner about your responsibilities. You may need to get a waiver signed by these customers to acknowledge that their side of the e-mail communications channel is insecure.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Conclusion:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have any comments, suggestions or questions on the above, please leave a comment below.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Do you have a Commandment for Cyber Security to add, or any thoughts on those that I have listed? If so, please let me know and I will do a follow-up after I have completed the run through.</span></p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>V. Thou shalt cast aside e-mails from strangers and not open attachments/click links they may send you.</title>
		<link>https://www.l2cybersecurity.com/v-cast-aside-e-mails-from-strangers/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Tue, 21 Jun 2016 11:00:24 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=431</guid>

					<description><![CDATA[<p>Summary: I’m going to start this summary with some scary figures. 93% of phishing e-mails in Quarter 1 2016 have carried a Ransomware payload (source &#8211; PhishMe Q1 2016 Malware review). 30% of people that receive phishing e-mails open them and 12% of those that do, then open attachments or click on links (source &#8211;&#8230;</p>
<p>The post <a href="https://www.l2cybersecurity.com/v-cast-aside-e-mails-from-strangers/">V. Thou shalt cast aside e-mails from strangers and not open attachments/click links they may send you.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://2.bp.blogspot.com/-Ta00LDoQ9EY/V2gTK1Nw_jI/AAAAAAAAAQE/V_NUNZfvuvwWrpNaYZAzoBg-ivcDKeBSwCLcB/s1600/Commandment%2B-%2B05.jpg" data-blogger-escaped-style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: justify;"><img loading="lazy" decoding="async" class="alignleft" title="Commandment 5" src="https://2.bp.blogspot.com/-Ta00LDoQ9EY/V2gTK1Nw_jI/AAAAAAAAAQE/V_NUNZfvuvwWrpNaYZAzoBg-ivcDKeBSwCLcB/s200/Commandment%2B-%2B05.jpg" alt="Commandment V Thou shalt cast aside e-mails from strangers and not open attachments/click links they may send you." width="111" height="200" border="0" /></a></p>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Summary:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">I’m going to start this summary with some scary figures. 93% of phishing e-mails in Quarter 1 2016 have carried a Ransomware payload (source &#8211; PhishMe Q1 2016 Malware review). 30% of people that receive phishing e-mails open them and 12% of those that do, then open attachments or click on links (source &#8211; Verizon 2016 Data Breach Investigations Report).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Putting this into real figures – if you have <b>50</b> staff and they each receive a phishing e-mail, <b>46</b> of them will have received Ransomware, <b>14</b> of them will look at the ransomware e-mail and <b>2</b> of them will open an attachment or click the link which will bring Ransomware into your business and cause mayhem. Even if you have followed Commandment IV to the letter.</span></p>
</div>
<p><span id="more-431"></span></p>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">This commandment is slightly different to the previous commandments, in that it requires you to do something to protect yourself (as opposed to installing/running something to protect yourself). But it is a very simple one.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you receive an e-mail or text message from somebody you do not know, then simply delete it and move on. This is particularly true if the message contains a Link (do NOT click) or an attachment (do NOT open) – Just delete the message already.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">“But wait a minute!” I hear you cry “That message might be from a new employee at my biggest customer. I can’t go deleting that.”</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Indeed, that might not be a great idea, but wouldn’t it look really good and professional of you if you picked up the phone (do not use e-mail) and verified that the sender (a) exists in your customer’s company and (b) they did just actually send you something. Both answers to these must be Yes, before you should contemplate opening the attachment or clicking the link (see the detail section below about checking Links).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">“But wait a minute!” I hear others of you cry “I work in a big corporation and that message might be from somebody important in another location whom I don’t know. I can’t go deleting that.”</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Do you know what? I have the same answer for you. Pick up the phone and verify (a) the person exists and (b) they just sent you something. If you don’t have Yes answers to these questions, then bin the message.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">There is a corollary to this commandment: Thou shalt never open an <b><u>unexpected</u></b> file/link from thine family, friends or colleagues.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The important word here is “unexpected”. If your parent suddenly sends you what appears to be an invoice or remittance advice – that’s kind of unexpected, isn’t it? Perhaps you get daily reconciliation reports from a colleague at the start of a day. Suddenly you get a second such report at lunchtime – that’s a bit unexpected, isn’t it?</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">As with the previous examples – pick up the phone and verify that, whoever it was, just sent you something.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">“I’m a busy business leader! I don’t have time to be calling people checking that they sent me messages!”</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you don’t have somebody who can screen your messages for you, and you insist on opening attachments, I’m afraid <b>you will fall victim</b> to some sort of Malware incident and potentially expose your business to a security breach. Can you afford that?</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Sorry, this was a long summary, but the above needed saying. That’s all there is to it. I will continue below with some details on the subject of unexpected messages. So if you are not interested in such particulars, just make sure you delete messages from strangers and unexpected messages from family, friends and colleagues.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Detail:</span></h1>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Checking Links:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">In all internet browsers and e-mail clients, if there is a Link contained in an e-mail, there is a very simple way of telling where the link wants to take you. Simply hover the mouse over the link. Then look down at the bottom of your browser window, where you should see the actual destination. Hover your mouse over this link: <a href="http://www.l2cybersecurity.com/">http://www.Microsoft.com/</a> … it does NOT go to Microsoft, but somewhere nicer. 🙂</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">SMS Texts can contain malware too:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">I deliberately referred to messages as opposed to just e-mails in this commandment, as it is possible to receive malware links via SMS text messages on your mobile phone. This malware could cause your phone to text or call premium rate numbers, or it could blast all of your contacts with malware texts and e-mails.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The same applies to other smartphone messaging apps, like SnapChat, WhatsApp, etc. Treat messages with links and attachments in these the same way by simply deleting them.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Phishing Messages:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Phishing is a <a href="https://en.wikipedia.org/wiki/Social_engineering_(security)">social engineering</a> technique where cyber attackers attempt to fool you into taking an action in response to a message. E-mails may appear to come from your bank, revenue commissioners, courier firms, etc. They are nearly always trying to rush you into taking the action (e.g. “You must respond to this e-mail within 24 hours or your account will be deleted.”). They usually contain an attachment or instructions to click on a link to a website. As stated at the start of this post, most of those attachments or links now contain Ransomware.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The old-fashioned types of Phishing e-mails were referred to as the “Nigerian 419”. These were usually hideously misspelled, with awful grammar. They typically came from a “family member” of a recently deceased, insanely wealthy Nigerian businessman or Prince. They were asking for you to allow them to move dozens of millions of dollars into your bank account, so they can hide it from the authorities. They will let you keep several million dollars for your troubles. It’s all total nonsense of course. If you engage them, they will eventually hit you up for a few thousand dollars for bribes or “facilitation fees” and you will never hear from them again.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A newer phenomenon is the message from a lonely soldier, looking for somebody to simply correspond with, like a really old fashioned <a href="https://en.wikipedia.org/wiki/Pen_pal">Pen Pal</a>. If you engage, they will strike up a friendly dialogue with you, telling you all about their lives in the army and how lonely they find it. This could go on for weeks, possibly months. Then suddenly you get an urgent e-mail. They were on a short holiday in … someplace, probably not with the best reputation for tourism … They’ve been mugged and all their cash and passports have been taken. They need money urgently to bribe the cops … can you wire them … blah blah blah! Just don’t engage with these people in the first place.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The other types of Phishing e-mails appear to come from legitimate businesses (banks, courier firms, etc.). They even have the correct logos and perhaps even some legitimate links to the company’s website – except of course for the one they want you to click on – that one will take you somewhere else to infect you with horrible Ransomware. I regularly get pretty convincing looking e-mails from NatWest (a UK Bank, which does not operate in Ireland 😐). The link they want me to click on goes to some weird address in Germany.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Phishing e-mails can catch out even the most careful of us, as a Phishing e-mail at the right time can fool you more easily. When I set-up my business I needed to register with the Irish Revenue Commissioners who do <u>everything</u> on-line, <u>except</u> all of the registration which is done by post. So I registered and got all the required secure access to my on-line tax affairs. A couple of weeks later I had a query that I filled in on an on-line form and submitted it. I was told that I would receive a response within 3 working days.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Now, I did not know what form that response would be. Would I get an e-mail? Would it be on the Revenue website under my log-in? I just didn’t know. Two days later I got an e-mail from “Revenue”, which was pretty plain looking but did suggest that I should click on a link that was in reference to my tax affairs. I had never had an e-mail from Revenue before, so I did not know what they looked like. I was sorely tempted, as I urgently needed that answer, but the voices in the back of my head kept shouting “Don’t do it!”. I did the “Link Check” &#8211; lo and behold, I was heading for Russia apparently. 🙂</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">This is the thing – if you are expecting something and you get an e-mail about that something, then you are much more inclined to believe it is valid. That’s why the courier delivery e-mails are very successful – lots of people are waiting on deliveries from courier companies and they would only be delighted to open that attachment to find out where their delivery is. Just don’t do it!!! Go to the courier’s website and use their tracking feature.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Another aspect is that for certain employees, receiving an e-mail with a subject about something that they deal with every minute of every day tends to make them want to seek a form of closure. The easiest example is an accountant receiving an e-mail about a reconciliation statement. This is the stuff accountants dream about (or so I’ve been led to believe 🙂) so they are pre-disposed to opening the attachment, without checking who or where it has come from.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Everybody should take the time to critically assess each and every e-mail they receive. Yes, we all receive lots of e-mail every day, but take a few extra seconds to check each one over and, if you are really not sure, ask somebody who might know. Your IT support provider would be a good place to check with.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Phishing can also happen on-line. I refer you to an earlier <a href="http://blog.l2cybersecurity.com/2016/05/sneaky-facebook-phishing-attack.html">post</a> of mine about a really sneaky Facebook phishing attack in April 2016. </span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Spear Phishing e-mails:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">This is where things get a bit more personal. With Phishing e-mails, the bad guys send out an e-mail to tens of thousands of e-mail addresses. With Spear Phishing, they individually create an e-mail to target specific individuals.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The bad guys will target an organisation and find out who works there. Then using social networks, discover the names of friends and colleagues of those employees. They will then create a fake e-mail account in the name of one of those friends and send an e-mail containing a malware laden attachment or a link to an infectious website. This e-mail could be something as simple as:</span></p>
</div>
<blockquote class="tr_bq" data-blogger-escaped-style="text-align: justify;"><p><i><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Hi Dave.</span></i></p></blockquote>
<blockquote class="tr_bq" data-blogger-escaped-style="text-align: justify;"><p><i><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">I just got a new Canon camera and took a few shots, which you can see <u><span style="color: #0000ff;" data-blogger-escaped-style="color: blue;">here</span></u>. Can you tell me what you think of them? </span></i></p></blockquote>
<blockquote class="tr_bq" data-blogger-escaped-style="text-align: justify;"><p><i><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Thanks.</span><br /><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Mike.</span></i></p></blockquote>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Of course that link will cause the download and installation of any sort of nasty Malware on Dave’s computer, but most likely it will be a <a href="https://en.wikipedia.org/wiki/Backdoor_(computing)">backdoor</a>. It will probably even show a few photographs, so as not to arouse suspicion. The bad guys now have a covert means of access into your company’s network. They can use this to slowly move around gaining access to other computers and servers, by exploiting unpatched vulnerabilities (see Commandment I) and slowly copying information back to the hacker’s servers (exfiltration). This can go on for weeks or months.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">“Ahhhh here!” I hear you exclaim “How am I supposed to be able to recognise that sort of personalised e-mail attack?”</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Just like I said in the summary above in respect to the Corollary to this commandment &#8211; That e-mail was “unexpected”, so Dave should pick up the phone and call Mike and ask him whether or not he just sent him a link to some photos.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Business E-mail Compromise:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Ransomware is making all the headlines these days as it targets people at all levels of an organisation. However, something that has been costing companies millions of dollars every year has targeted the CEOs or MDs of companies. The FBI calls it <a href="https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams">Business E-mail Compromise</a> (BEC). It is also known as the CEO E-mail scam and is a form of Spear Phishing. Between October 2013 and February 2016 there have been over 17,500 reports in nearly 80 countries amounting to losses of US$2.3 Billion.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The attackers will research the company, find out who their CEO/MD is and who is in charge of finance (CFO/Finance Director). They will then find out who their customers or trusted vendors are and then craft a very believable e-mail, purportedly from the CEO (but they are spoofing the address) to the head of finance requesting that they initiate a wire transfer of a believable amount of money to a vendor account to pay for “something”. Of course the something that is being paid for is the criminal’s lifestyle. This type of scam can have <a href="https://cyware.co/news/ceo-fired-after-fake-ceo-email-scam-cost-firm-47m-ad3633ae">consequences</a> for the individuals who have been targeted.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">There is a very simple way to avoid this being an issue at your organisation. Have a policy that states the CEO/MD cannot request a wire transfer without first having made verbal contact with the head of finance. Also if the account to which the transfer is being made is not the “usual one”, then the customer or vendor finance people should be contacted to verify the account details. Make this your company policy now, enforce it and <b><u>never</u></b> bend the rules … <b><u>ever</u></b>. </span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Conclusion:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have any comments, suggestions or questions on the above, please leave a comment below.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Do you have a Commandment for Cyber Security to add or any thoughts on those that I have listed? If so, please let me know and I will do a follow up after I have completed the run through.</span></p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>IV. Thou shalt always backup thy data and regularly check its integrity.</title>
		<link>https://www.l2cybersecurity.com/iv-thou-shalt-always-backup-thy-data/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Fri, 17 Jun 2016 11:00:50 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=428</guid>

					<description><![CDATA[<p>Summary: In conjunction with the first, second and third commandments … are you seeing a pattern here? By following each of these simple commandments, you are providing additional layers of defence against the evil doers. This is what security experts refer to as Defence-in-Depth. The more precautions you take, the more difficult it makes life&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://3.bp.blogspot.com/-k3BZdv_9S2w/V2PCN1hzXaI/AAAAAAAAAP0/U551iHEnTBMBwS-WQtA2QGjCBbOSdMhcgCLcB/s1600/Commandment%2B-%2B04.jpg" data-blogger-escaped-style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img loading="lazy" decoding="async" class="alignleft" title="Commandment 4" src="https://3.bp.blogspot.com/-k3BZdv_9S2w/V2PCN1hzXaI/AAAAAAAAAP0/U551iHEnTBMBwS-WQtA2QGjCBbOSdMhcgCLcB/s200/Commandment%2B-%2B04.jpg" alt="Commandment IV Thou shalt always backup thy data and regularly check its integrity." width="111" height="200" border="0" /></a></p>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Summary:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">In conjunction with the first, second and third commandments … are you seeing a pattern here? By following each of these simple commandments, you are providing additional layers of defence against the evil doers. This is what security experts refer to as Defence-in-Depth. The more precautions you take, the more difficult it makes life for the bad guys, so they move on to easier targets than you. Anyway back to today’s commandment &#8211; Backups.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">They are not sexy, but they are an absolute <span style="color: #ff0000;" data-blogger-escaped-style="background-color: yellow; color: red;"><b><i><u>ESSENTIAL</u></i></b></span> <span style="font-size: small;" data-blogger-escaped-style="font-size: x-small;">(note the amount of emphasis here)</span> part of your protection. If you don’t have a backup of your data, <b>you will lose</b> some or all of it and you may not be able to recover from that loss. It is <b>that</b> simple. If your data is important to you, <b>BACK IT UP</b>!</span></p>
</div>
<p><span id="more-428"></span></p>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">You may have heard of this reasonably new phenomenon called <a href="https://en.wikipedia.org/wiki/Ransomware" data-blogger-escaped-target="_blank">Ransomware</a>, which scrambles all your data and you have to pay good money to some bad guys to get the key to unscramble your data. Well guess what? If you have good backups, you can tell the bad guys to take a long walk off a short plank. You simply wipe the affected machines and reload from backups. Granted this takes time and money, but at least it’s not funding criminals. If you have bad or non-existent backups, then:</span></p>
</div>
<ol>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Hope that particular Ransomware has been cracked so a security expert can recover your data at their hourly rate or</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Break out the credit card, buy some <a href="https://en.wikipedia.org/wiki/Bitcoin" data-blogger-escaped-target="_blank">Bitcoin</a> and pay up. Then pray they unlock your data. Then pray some more that they don’t come back in a few days’ or weeks’ time and <a href="http://www.networkworld.com/article/3073495/security/kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.html" data-blogger-escaped-target="_blank">re-scramble your files</a>.</span></li>
</ol>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Anyway, backups – what do you need to do? First of all, identify where all of your data is stored within your organisation. Then categorise it by how volatile it is (how often does it change) and how important it is to you. Next, decide how long a period of data loss you are willing and able to suffer (e.g. can you restore from last night’s backup and re-key all of the day’s transactions from printed dockets). Finally, decide how long you are willing to wait before the data is restored and you are back up and running.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">With all of that noted, you can devise a backup plan that should suit your needs. I will cover the creation of a plan in a future article, but for now just make sure you are backing up everything and safely.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">You also need to verify on a regular (quarterly/bi-annual) basis that the data you are backing up is usable. There is no point in backing up data that may be corrupted on the backup medium, such that when you need to restore it, it is useless. So get in the habit of restoring your data and checking it is correct and accurate.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Just keep one thing in mind. Do you have to keep records of monthly or quarterly reports going back for a period of years? Are these stored on your main server and on backups? If so, make sure that you have a separate set of backups for this data that does not get overwritten on a regular basis. If you only have a set backup rotation that gets overwritten every few weeks or even every few months, then an accidental deletion of one of these monthly reports may mean that within a few weeks/months the deleted report will vanish from the backups. So back up vital data separately.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">That’s all there is to it. I will continue below with some details on the subject of backups. So if you are not interested in such particulars, just make sure your data is backed up and verified.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Detail:</span></h1>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Backing up to physical media:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">For a small business, your data is probably being backed up to a (Re)Writable-DVD, USB stick or External Hard Drive. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">For a medium business, if you’re using physical media, it is likely tape or disk cartridges.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">These are all great physical media but here’s the thing – do you store these backups in the same building as where your data is currently stored (Desktop, Laptop or Server)? If so, then if a fire strikes, your data and all its backups could be lost. You will be up an unmentionable (this is a polite blog) creek without a paddle ☺.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The backups might be in a Fire Proof Safe, but these are only rated for a certain length of “burn-time” before they are no longer guaranteed to offer protection from flames. However, the internal temperature of the safe may rise sufficiently within that burn-time to damage the media stored within. Can you take that chance?</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">You need to move your physical backup media off-site at the earliest possible time after it has been backed up to. Simple as.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Bigger Enterprises should have a well documented, maintained and tested backup and recovery process. You may have the greatest backup process in the world, but you do not want to be testing the recovery process under the duress of a disaster. So make sure you test the recovery process and backup media regularly.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">One final consideration in respect to physical media &#8211; if your current infrastructure is destroyed and you have the backup media in your hands, have you got the required hardware and software also stored off-site or available at short notice to be able to read the media? For most of the above mentioned media, the physical side shouldn’t be an issue, but you might want a copy of any backup software that you use held off-site too. If you are dealing with Tapes (particularly) or some unusual disk cartridge unit, then you should ensure that you will also have a compatible drive available with which to read the tape/disk cartridges. Bear in mind that these backup units change every few years, and while they do try to maintain backward compatibility, you might end up with tapes/disks that are no longer readable or even supported.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Backing up to the cloud:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">“I’m backed up in the cloud, so I’m safe from fires and floods.” </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Indeed you are, but are you backing up everything you need? Cloud services can be expensive for the amount of data they store, so you may only be backing up a subset of your data – hopefully it’s the important subset.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Perhaps you have splurged and you are backing up everything. Great – but how secure is that back-up? Is it encrypted on the storage provider’s servers? Is the data encrypted when it is en-route to the servers? With the mainstream providers (Apple, Google, Microsoft, DropBox, etc.), it should definitely be secure. You might want to check if you are as secure if you are using other providers.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">How are your backups configured? Are you replicating/synchronising all changes made on your local data store to the cloud data store? What happens if somebody accidentally deletes a file? Sure, it can be recovered from the recycle bin and possibly by a similar function on the cloud servers. But what if the file’s absence is not noticed for 3 or 4 months and it has now vanished from the recycle bins? This is where generational backups might come into play (see below).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">What happens if the provider has a significant outage (Google Drive was <a href="http://thenextweb.com/google/2016/01/26/google-drive-is-down-for-some-users-around-the-world/#gref" data-blogger-escaped-target="_blank">offline</a> for 3.5 hours at a peak business time), or worse suddenly closes down (MegaUpload servers were <a href="https://en.wikipedia.org/wiki/Seizure_of_Megaupload" data-blogger-escaped-target="_blank">seized</a> by the FBI. While there was no doubt a lot of illegal material on those servers, there was much more genuine business data which was suddenly completely inaccessible by its owners)? Are you ready to cope with such a possibility?</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Site-to-Site replication:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">“I have multiple sites and am replicating/synchronising my data between two (or more) locations.” </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">This is a good position to be in, as all the elements of it are within your control. The same issues that affect the cloud backup would also be at play here.</span></p>
</div>
<ol>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Are you replicating everything you need to?</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Are the connections between the sites secure?</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Are you replicating all changes between sites?</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Have you considered what might happen if a site went down for an extended time?</span></li>
</ol>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Site-to-Site replication introduces some other risks though:</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<h3><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><b>How close to each other are these sites? </b></span></h3>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">In situations where there are typically no devastating storms or floods, I would suggest that sites should be at a minimum of 10 miles/15 kilometres apart to help avoid the impact of localised problems. In areas affected by Hurricanes, Tornadoes, Earthquakes or Floods I would suggest that sites should be several hundred miles/kilometres apart and not prone to being affected by similar disasters. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<h3><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><b>Are any of the sites prone to flooding or storm damage?</b></span></h3>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If so, these should not be used to store the data of any other sites. Rather the data of such sites should be stored at more secure/stable locations.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<h3><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><b>Are they close to a government office, Airport, Military base, Explosives or Chemical factory?</b></span></h3>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">This list could go on, but essentially what you need to determine is whether your site is close to “something” that might attract a situation (e.g. extensive rioting) or may cause a localised disaster (e.g. fire at an explosives plant). Whatever the situation, you need to consider the effect it might have on your operations (e.g. will the police cordon off an area for an extended period of time).</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">On-Site Resilience:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">“My IT guru says we don’t need backups, as our servers have this thing called RAID which protects them from data loss.”</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">RAID is a good thing to have, but I’m afraid that person is no guru. RAID is not a backup. All it does is introduce a level of resiliency in your data storage which reduces the impact of a hard disk failure. There are different types of RAID; some can tolerate the loss of only a single hard disk and others the loss of two hard disks.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">You still need to have backups even with a RAID set-up.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Generational Backups:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">These are typically from the era of Tape backups, but a lot of modern backup software still implements these methods even in disk and cloud type backups.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">An easy way to think of a generational backup is Grandfather-Father-Son or GFS (the female equivalent is also valid ☺). This is a three generation backup. You can have a two generation backup too (Father-Son) or more than three (whatever number you want really). When you do your backups, you rotate through the three sets of backups, overwriting the oldest backup with the newest data.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So in the simplest set-up, say you want to set up a daily backup of all data using the GFS method. You therefore have three sets of media, one for each day. This is from the start of the backup series, for a five-day week:</span></p>
</div>
<ul>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">On Monday you backup and this becomes the Son. </span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">On Tuesday you backup and this becomes the Son and Monday’s becomes the Father. </span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">On Wednesday you backup and this becomes the Son, Tuesday’s the Father and Monday is the Grandfather. </span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">On Thursday you backup, overwriting Monday’s backup and this becomes the Son, Wednesday’s becomes the Father and Tuesday is the Grandfather. </span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">On Friday you backup, overwriting Tuesday’s backup and this becomes the Son, Thursday’s becomes the Father and Wednesday is the Grandfather.</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">On Monday you backup, overwriting Wednesday’s backup and this becomes the Son, Friday’s becomes the Father and Thursday is the Grandfather.</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">And so on and so forth.</span></li>
</ul>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">With this set-up though, you need to consider that if somebody deleted a file from the data store on Thursday, then after the following Monday’s backup is run (overwriting Wednesday’s backup), the deleted file will no longer be recoverable.</span></p>
</div>
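<p>The rotation above can be replayed in a few lines to see on which run a deleted file's last copy is overwritten. This is an added example, not part of the original post; the file names, the dates and the function names are constructed for illustration, and it assumes a file deleted on a given day is already missing from that night's backup.</p>

```python
from collections import deque
from datetime import date, timedelta


def backup_days(start, count, weekdays=(0, 1, 2, 3, 4)):
    """Return the first `count` backup dates on or after `start` (Mon-Fri by default)."""
    days, day = [], start
    while len(days) < count:
        if day.weekday() in weekdays:
            days.append(day)
        day += timedelta(days=1)
    return days


def overwritten_on(run_dates, generations, live_files, deleted_on):
    """Replay a rotation of `generations` media sets, oldest overwritten first.

    live_files: names present in the data store before the first run.
    deleted_on: {name: date the file was deleted, before that night's backup}.
    Returns {name: date of the run after which no media set holds the file}.
    Files still recoverable after the last run are left out of the result.
    """
    media = deque(maxlen=generations)  # appending to a full deque drops the oldest set
    live = set(live_files)
    lost = {}
    for run in run_dates:
        # Apply every deletion that happened up to and including this day.
        live -= {name for name, day in deleted_on.items() if day <= run}
        media.append((run, frozenset(live)))
        for name, day in deleted_on.items():
            if name in lost or day > run:
                continue
            if not any(name in files for _, files in media):
                lost[name] = run
    return lost


def recovery_window(run_dates, generations, live_files, name, deleted):
    """Calendar days between the deletion and the run that destroys the last copy."""
    lost = overwritten_on(run_dates, generations, live_files, {name: deleted})
    return (lost[name] - deleted).days if name in lost else None


if __name__ == "__main__":
    runs = backup_days(date(2016, 7, 4), 15)      # constructed: three Mon-Fri weeks
    files = {"june-report.xlsx", "ledger.db"}     # constructed file names
    thursday = date(2016, 7, 7)
    for sets in (3, 10):
        lost = overwritten_on(runs, sets, files, {"june-report.xlsx": thursday})
        print(sets, "media sets: last copy gone after the run on", lost.get("june-report.xlsx"))
```

<p>With three media sets the file deleted on Thursday is gone after the following Monday's run, which matches the walk-through above. With ten sets the same deletion stays recoverable for 13 days.</p>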
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So you need to define a generational backup that will suit your business needs. This could be a combination of generational backups. You might have Monday-Thursday daily backups run over a three-set rotation (3 Mondays, 3 Tuesdays, etc.), then have Friday full backups stretching back for 12 weeks. Supplementing this, if you have special Monthly reporting, a separate archival backup (i.e. one that is not overwritten) is taken of that monthly data and stored safely. It’s whatever your business determines that it needs.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Full, Incremental and Differential Backup:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Again, from the era of tape backups, where a full backup might take a very long time to run, comes the notion of Incremental and Differential backups.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A Full backup does what it says on the tin. A full backup is made of all of the data in the data store, regardless of whether it has been added or changed since the last backup. This may take a long time to run depending on the amount of data and the speed at which it can be written to the backup media.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Both Incremental and Differential Backups need to be based on a Full Backup having been run at least once.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">An Incremental Backup is a backup of data that has been added, changed or deleted since the previous backup (no matter what type that was). This will always be the quickest backup.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A Differential Backup is a backup of data that has been added, changed or deleted since the last Full backup. This will gradually get slower and slower until a new Full Backup is run.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So typically these are implemented by way of taking a full backup at some point in the day/week and running an incremental or differential backup for the remainder of the day/week. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">In previous employments, I usually took the Full backup of a Friday night (as the backups might run long into Saturday). Then on Monday through Thursday I would take an Incremental or Differential backup.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">As mentioned above, incremental backups would always be the fastest and Differentials would gradually get slower. The trade-off comes at restoration time, where the Differential could be much faster, depending on the point in time you need to restore from.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So take the example of a disaster happening on a Thursday morning, where you need to restore all of your data from Wednesday night:</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<h3><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><b>Incremental:</b></span></h3>
</div>
<ul>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Restore the Friday night Full backup.</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Restore the Monday night Incremental backup.</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Restore the Tuesday night Incremental backup.</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Restore the Wednesday night Incremental backup.</span></li>
</ul>
<div data-blogger-escaped-style="text-align: justify;">
<h3><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><b>Differential:</b></span></h3>
</div>
<ul>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Restore the Friday night Full backup.</span></li>
<li><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Restore the Wednesday night Differential backup.</span></li>
</ul>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So in the Differential scenario you just needed to restore from two backups as opposed to four backups in the Incremental scenario.</span></p>
</div>
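<p>The two restore sequences above follow from the definitions of Incremental and Differential, so they can be worked out from a backup catalogue. The following is an added example, not code from the original post or from any backup product; the <code>Backup</code> record, its <code>readable</code> flag (the result of your last test restore) and the dates are assumptions made for illustration. It goes one step beyond the text by showing what happens when one backup in the chain turns out to be unreadable.</p>

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str              # "full", "incremental" or "differential"
    readable: bool = True  # assumption: outcome of the last test restore of this medium


def restore_chain(catalogue, target):
    """Backups to restore, in order, to rebuild the data as of `target`.

    Uses the definitions from the text: a differential holds every change since
    the last full; an incremental holds the changes since the previous backup
    of any type.
    """
    history = sorted((b for b in catalogue if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in history if b.kind == "full"]
    if not fulls:
        raise LookupError(f"no full backup on or before {target}")
    base = fulls[-1]
    later = [b for b in history if b.taken > base.taken]
    chain = [base]
    diffs = [b for b in later if b.kind == "differential"]
    if diffs:
        # The newest differential replaces everything between it and the full.
        chain.append(diffs[-1])
        later = [b for b in later if b.taken > diffs[-1].taken]
    chain.extend(b for b in later if b.kind == "incremental")
    return chain


def best_restore(catalogue, target):
    """Chain for the latest point on or before `target` whose every member is readable."""
    points = sorted({b.taken for b in catalogue if b.taken <= target}, reverse=True)
    for point in points:
        try:
            chain = restore_chain(catalogue, point)
        except LookupError:
            continue
        if all(b.readable for b in chain):
            return chain
    return []  # nothing can be restored


def week(kind, unreadable=()):
    """Constructed catalogue: Friday full, then Monday-Wednesday backups of `kind`."""
    nights = [date(2016, 7, 4), date(2016, 7, 5), date(2016, 7, 6)]
    return [Backup(date(2016, 7, 1), "full")] + [
        Backup(night, kind, readable=night not in unreadable) for night in nights
    ]


if __name__ == "__main__":
    wednesday, tuesday = date(2016, 7, 6), date(2016, 7, 5)
    for kind in ("incremental", "differential"):
        healthy = restore_chain(week(kind), wednesday)
        damaged = best_restore(week(kind, unreadable={tuesday}), wednesday)
        print(kind, "needs", len(healthy), "restores;",
              "with Tuesday unreadable the best point is", damaged[-1].taken)
```

<p>An unreadable Tuesday Incremental caps the restore at Monday night, while an unreadable Tuesday Differential costs nothing for a Wednesday restore. That is one more reason to test-restore every medium in the chain, not just the Full.</p>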
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you can do a Full backup of your data every day of the week, that would be the best, but if it impacts on daily operations in any way, then choose a method that suits your business.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Conclusion:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have any comments, suggestions or questions on the above, please leave a comment below.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Do you have a Commandment for Cyber Security to add or any thoughts on those that I have listed? If so, please let me know and I will do a follow up after I have completed the run through.</span></p>
</div>
<p>The post <a href="https://www.l2cybersecurity.com/iv-thou-shalt-always-backup-thy-data/">IV. Thou shalt always backup thy data and regularly check its integrity.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>III. Thou shalt have a firewall in place on thine Desktop/Laptop as well as thine internet connection.</title>
		<link>https://www.l2cybersecurity.com/have-a-firewall-in-place/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Fri, 10 Jun 2016 11:00:12 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=425</guid>

					<description><![CDATA[<p>Summary: In conjunction with the first and second commandments, having a Firewall in place on your desktop or laptop improves your security posture as it adds another layer of protection in the fight against the evil doers. It is by no means a perfect solution on its own, as a poorly configured firewall would offer&#8230;</p>
<p>The post <a href="https://www.l2cybersecurity.com/have-a-firewall-in-place/">III. Thou shalt have a firewall in place on thine Desktop/Laptop as well as thine internet connection.</a> appeared first on <a href="https://www.l2cybersecurity.com">L2 Cyber Security Solutions Ltd.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://3.bp.blogspot.com/-vmwu5S7SEio/V1qLwlett0I/AAAAAAAAAPk/Dg8GEummFsMkTu4k2dZzQTZzB7z4N1JQwCLcB/s1600/Commandment%2B-%2B03.jpg" data-blogger-escaped-style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><img loading="lazy" decoding="async" class="alignleft" title="Commandment 3" src="https://3.bp.blogspot.com/-vmwu5S7SEio/V1qLwlett0I/AAAAAAAAAPk/Dg8GEummFsMkTu4k2dZzQTZzB7z4N1JQwCLcB/s200/Commandment%2B-%2B03.jpg" alt="Commandment III Thou shalt have a firewall in place on thine Desktop/Laptop as well as thine internet connection." width="111" height="200" border="0" /></span></a></p>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Summary:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">In conjunction with the first and second commandments, having a Firewall in place on your desktop or laptop improves your security posture as it adds another layer of protection in the fight against the evil doers. It is by no means a perfect solution on its own, as a poorly configured firewall would offer as much protection as a string vest in -30°C/-22°F weather conditions.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">What is a Firewall though? A Firewall is a network security application or device that monitors the data flowing in and out of the network and controls this data traffic based on a predetermined set of security rules. The Firewall basically establishes a barrier between the internal network, which it secures and is considered “trusted”, and the external or other network (e.g. the Internet) that is assumed to be insecure and “untrusted”.</span></p>
</div>
<p><span id="more-425"></span></p>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Operating System provided firewalls on desktops and laptops are OK … ish, but are typically fairly open in order to enable the widest range of applications to have unfettered access to the internet. They also aren’t great at notifying you if an application is trying to communicate in a different way (perhaps it has been compromised and is now being used to serve as part of a <a href="https://en.wikipedia.org/wiki/Botnet" data-blogger-escaped-target="_blank">botnet</a>).</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A proper firewall on your internet connection is a much better solution. For home users, your Internet Service Provider (ISP) should have provided you with a router that has a built-in firewall. This would be similar to the Operating System firewall in being fairly open. If your ISP allows you to control it, then you might be able to lock it down to offer more protection. Bear in mind that you should also ensure that your router gets firmware updates as and when they are made available (see Commandment I (1)). </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">In a business/corporate environment a proper hardware firewall is an absolute must. Its final rule should be “Source All, Destination All, BLOCK!”. This is a catchall to prevent some simple oversight exposing your network. Above that catchall, the rules should enable the bare minimum of internet access for what your company needs and these should be audited on a regular (monthly or quarterly) basis to ensure they are still appropriate. Finally, as per Commandment I (1), it should have its firmware updated as and when.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">That’s all there is to it. I will continue below with some details on the subject of firewalls. So if you are not interested in such particulars, just make sure you have a firewall on your desktop/laptop and internet connection.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Detail:</span></h1>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Personal Firewalls:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">I have a separate firewall application running on my Windows machines, and it is configured to notify me and seek permission every time a new application requests access to both the internet and my local “trusted” network. Also, if an application is “updated” it needs to get permission all over again. Sure, this means I get bugged for permissions on a regular basis, but it has actually stopped me from being affected by malware on a couple of occasions. So I think the small bit of aggravation is worth it. I’m not paranoid. They are all out to get me. ☺</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">This separate firewall also logs any activity that it has blocked, which is useful to know if you are getting probed or attacked. </span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Network Connection Firewalls:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Rather than saying Internet Connection Firewalls, I deliberately use “Network Connection Firewalls”. For a business/corporate environment, if you have more than one site connected in a Wide Area Network (WAN), each location should be firewalled from each other. This gives you protection: should one site get compromised, it can be disconnected from the rest of the WAN. Even if you are a single site, a firewall on your internet connection is still essential. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">This firewall is usually a separate piece of hardware that sits between your external connection and your internal network. In some situations you may have a couple of firewalls, one sitting at the external connection protecting a webserver and a second sitting between the webserver and the internal network. The webserver in this case is said to be sitting in a DMZ (De-Militarised Zone). The outer Firewall enables internet access into the webserver and the inner Firewall protects the internal network from the internet.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">As mentioned earlier, firewalls need to be configured appropriately. I came across my first firewall in 1997 and the engineer setting it up told me that the most important rule was “Source All, Destination All, BLOCK!”. This was to be the final rule in the list of rules. Then it was a case of setting rules to enable the business and applications that were used to be able to access what they needed, and nothing more. This is a case of providing least privilege. If somebody wanted more, they needed to request it and explain why they needed it.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">As time goes by, applications change, people change and companies change. Therefore it is fair to say that firewalls need to change. The rules should be audited on a regular basis to ensure they reflect the current situation. If an application has been retired and it had a specific firewall rule, you need to disable or delete the rule. You don’t want a hacker “pretending” he is that application and walking back and forth through your firewall, with all of your private data and you know nothing about it, now do you?</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Using Firewall logs:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">It is all well and good having a firewall in place, but it also needs to be monitored to make sure it is doing its job. A good firewall should be logging events and errors and these logs should be monitored by somebody or something. That something could be a Security Information and Event Management (<a href="https://en.wikipedia.org/wiki/Security_information_and_event_management" data-blogger-escaped-target="_blank">SIEM</a>) application, which will alert on certain conditions (firewall is being probed repeatedly, authorisation failures, etc.). This might be beyond the reach of a very small business, but if you need to comply with some standards (e.g. PCI DSS, HIPAA, etc.), then you will probably be required to have one.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Next Generation Firewalls:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Standard firewalls are good at blocking specific IP addresses and Ports on the internet, but as time has moved on, a lot of the applications in use are now going across the firewall as normal web traffic (over ports 80, 8080 and 443), so if a piece of malware is transmitting your secrets over that channel, your standard firewall may not be able to block it. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So Next Generation Firewalls (NGFW) have come along which, along with blocking IP addresses and ports, can also use an application white-list that only allows specific applications to get out to the internet, e.g. <b><span style="color: #ff00ff;" data-blogger-escaped-style="color: magenta;">Salesforce.com</span></b> – OK you may pass, <b><span style="color: #ff00ff;" data-blogger-escaped-style="color: magenta;">NastyMalware.ru</span></b> – I don’t know you, so you may not pass. NGFWs can also have an Anti-Virus type scanning ability, which is updated on a regular basis. Finally, they can typically inspect encrypted traffic to ensure nothing nefarious is coming through in a scrambled fashion. Different NGFW vendors offer different capabilities, so it is worth comparing a few of them to make sure you get the protection you need. </span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Intrusion Detection/Prevention Systems:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are used in conjunction with Firewalls to add another layer of protection. I will discuss these in a future article.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Conclusion:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have any comments, suggestions or questions on the above, please leave a comment below.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Do you have a Commandment for Cyber Security to add or any thoughts on those that I have listed? If so, please let me know and I will do a follow-up after I have completed the run through.</span></p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>II &#8211; Thou shalt have Anti-virus software installed, updated and active.</title>
		<link>https://www.l2cybersecurity.com/use-anti-virus/</link>
		
		<dc:creator><![CDATA[Liam]]></dc:creator>
		<pubDate>Tue, 07 Jun 2016 11:00:20 +0000</pubDate>
				<category><![CDATA[Commandments]]></category>
		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Defence in Depth]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">http://www.l2cybersecurity.com/?p=420</guid>

					<description><![CDATA[<p>Summary: In conjunction with the first commandment, having Anti-Virus software installed, updated and active on your desktop, laptop or mobile device dramatically improves your security posture. This adds another layer of protection in the fight against the bad guys.  Don’t for one second think that just having Anti-Virus on your device will give you enough&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://1.bp.blogspot.com/-3W3uOrFj6Vg/V1bg-UodVZI/AAAAAAAAAPQ/cn5sjZO8PNQu6HR8sZNdBZxR9nfm16P9QCLcB/s1600/Commandment%2B-%2B02.jpg" data-blogger-escaped-style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><img loading="lazy" decoding="async" class="alignleft" title="Commandment 2" src="https://1.bp.blogspot.com/-3W3uOrFj6Vg/V1bg-UodVZI/AAAAAAAAAPQ/cn5sjZO8PNQu6HR8sZNdBZxR9nfm16P9QCLcB/s200/Commandment%2B-%2B02.jpg" alt="Commandment II Thou shalt have Anti-virus software installed, updated and active." width="111" height="200" border="0" /></span></a></p>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Summary:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">In conjunction with the first commandment, having Anti-Virus software installed, updated and active on your desktop, laptop or mobile device dramatically improves your security posture. This adds another layer of protection in the fight against the bad guys. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Don’t for one second think that just having Anti-Virus on your device will give you enough protection. It most certainly will not, as Anti-Virus vendors are always behind the virus creators<span style="color: #ff0000;" data-blogger-escaped-style="color: red;"><b>*</b></span>. The virus creator makes a new virus and releases it on the internet. Until an Anti-Virus vendor gets to analyse that virus, they cannot add its signature into their software. So for that period of time (it could be minutes, more likely hours and sometimes days) your device is at risk of being infected by that virus.</span></p>
</div>
<p><span id="more-420"></span></p>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">So that covers installed and updated. Why did I say you need to have it “Active”? Surely it is always active? Some sneaky viruses quietly disable popular Anti-Virus software. There are also some people who think that Anti-Virus uses too many resources on the device and this negatively affects things like games. So they may disable the AV while they are playing their game. While there is a low risk of a virus getting in through the game, if you use Dropbox, Google Drive, iCloud, etc. and share files with others, a virus-infected file may get into your device through this route. So if your children use a device for gaming, ask them not to disable the Anti-Virus software or, better still, password-lock the settings for it. </span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">That’s all there is to it. I will continue below with some details on the subject of Viruses. So if you are not interested in such particulars, just make sure your Anti-Virus software is installed, updated and active.</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Detail:</span></h1>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Virus growth over the years:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">I actually wrote a paper about computer viruses back in 1993 and at that time the McAfee Anti-Virus package had reached 1,500 viruses that it scanned for. McAfee had been going for 4 years at that stage and the rate of virus creation was growing worryingly in those days. Desktop PCs were slow machines to begin with and RAM was significantly restricted in the MS-DOS/PC-DOS days (remember the 640KB maximum, before jumping through hoops to access memory up to the 1,024KB boundary and beyond). Anti-Virus (AV) software was a significant drain on resources and it was not uncommon for users to have to disable it to be able to do actual work.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Today, it is hard to get an actual figure for the number of viruses out there. Back in <a href="http://www.zdnet.com/article/the-malware-numbers-game-how-many-viruses-are-out-there/" data-blogger-escaped-target="_blank">2012</a>, Symantec claimed it was scanning for 17.7 million viruses, but a considerable number of these appear to be tiny variations of the same virus. At least modern devices have more power and memory with which to be able to run AV.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;"></div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The perfect Anti-Virus scanner?:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;"><span style="color: #ff0000;" data-blogger-escaped-style="color: red;"><b>*</b></span>The statement I made above about AV always being behind the creators is not entirely accurate, as AV packages scan for Virus-like behaviour and block that. So if my newly created virus displayed that type of behaviour, it would be caught instantly and not need to wait for a signature to be determined. There are also packages that calculate checksums of executable files which can be used to verify if the file has been changed in any way. This method can slow down the machine, as each checksum is calculated, and you need to be absolutely certain to have started with a perfectly clean device in the first place. So they are by no means perfect solutions.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Infection vectors:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">There are three primary vectors for viruses to replicate. The first is by infecting executable files (.exe or .com). There are a couple of ways that they achieve this. One way is the virus will load itself into memory and “watch” for the operating system loading files. When it detects an executable is being loaded, it will see if it has already infected that file and if not, then it proceeds to infect it. The other way is that when the virus executes, it scans accessible drives for executable files and then infects them.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">The next vector of infection is via Macros. Adobe PDF and Microsoft Office packages allow executable scripts, called Macros, to be embedded in their documents. When a document is opened, these macros may be executed. This is one of the primary ways that Ransomware spreads. I refer you to <b><i>Commandment V</i></b> (5) for how you should handle such attachments received via e-mail – “Thou shalt cast aside messages from strangers and not open attachments/click links they may send you.”</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Finally, Boot Sector viruses actually replace the first sectors on the system drive, where the PC hardware always looks for the boot loader (the piece of software that tells the hardware where to find the operating system files to load). So these ones execute before the operating system and any AV package gets loaded. These were sometimes used for Stealth Viruses, which when loaded into memory would use various methods to hide their existence from the operating system and, more importantly, AV packages. Luckily the AV community copped on to that behaviour and know how to find even the stealthiest of viruses.</span></p>
</div>
<h2 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">It’s not all about the Viruses:</span></h2>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">AV software scans not only for Viruses, but also for things like <a href="https://en.wikipedia.org/wiki/Trojan_horse_(computing)" data-blogger-escaped-target="_blank">Trojan Horses</a>, <a href="https://en.wikipedia.org/wiki/Rootkit" data-blogger-escaped-target="_blank">Rootkits</a> and <a href="https://en.wikipedia.org/wiki/Spyware" data-blogger-escaped-target="_blank">Spyware</a>. I’m not going to get into these in this article, but will come back around to them in a future post.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">A lot of the commercial AV packages now come as Suites where, along with Anti-Virus, they bundle a Firewall, Browser protection, banking/shopping protection, parental controls, etc. These all add further layers of protection and are to be encouraged, though I sometimes find on lower-end consumer devices that these suites consume a lot of resources and tend to slow the machines down.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">I personally prefer to pick and choose different standalone packages for my multi-layered protection, but then again I’m an awkward type that knows what he likes. :-)</span></p>
</div>
<h1 data-blogger-escaped-style="text-align: justify;"><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Conclusion:</span></h1>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">If you have any comments, suggestions or questions on the above, please leave a comment below.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;">
<p><span style="font-family: verdana, sans-serif;" data-blogger-escaped-style="font-family: &quot;verdana&quot; , sans-serif;">Do you have a Commandment for Cyber Security to add or any thoughts on those that I have listed? If so, please let me know and I will do a follow-up after I have completed the run through.</span></p>
</div>
<div data-blogger-escaped-style="text-align: justify;"></div>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
