What can a small business do to protect itself?

Dukenukem117

Member
Aug 25, 2016
34
0
11
A few partners and I run a little design shop and our data is arguably the most important asset we have. At the same time, it's probably the most vulnerable since not all of us are that tech-savvy. We have at least one guy who is of the "Apple protects" cult. So it's difficult for me to establish any best-practices given I have very little experience with Apple products and what's available for them.

We currently use Box for our file sharing, and everyone has been told to use 2-step authentication. But I recently discovered a serious flaw in this when I realized all my codes were being forwarded to my MightyText chrome extension. So if my laptop were to be stolen, they basically have my cellphone and can get into everything. I doubt this is the only security flaw we have.

I've attended a few presentations on cyber security, and I'm ok with computers. I can build them and diagnose basic problems, but I wouldn't have any idea where to start if my website or email got hacked. It also seems like that despite one's best efforts to install the right security programs and fail safes, human error can break anything. So I don't think throwing the kitchen sink such as paying for the capability of bricking anyone's laptop or cell is worth it. I know big corporations have to implement all kinds of restrictive software and fail safes, and we simply can't afford it.

I'm guessing there's a 80/20 thing going on where a handful of best practices can prevent 80% of problems?

Does anyone have any experience in this department? Thanks.
 

nerp

Diamond Member
Dec 31, 2005
9,866
105
106
The main thing to ensure is you have a remote backup of the most essential data. And it has to be isolated so something like ransomware can't get to it. Think -- if the building burns down and everything in here is totally destroyed forever, what needs to be offsite so we can rebuild and not lose anything.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
We currently use Box for our file sharing, and everyone has been told to use 2-step authentication. But I recently discovered a serious flaw in this when I realized all my codes were being forwarded to my MightyText chrome extension. So if my laptop were to be stolen, they basically have my cellphone and can get into everything. I doubt this is the only security flaw we have.

Using texts for two factor isn't recommended anymore. We've had alternative methods (TOTP)[1] for quite some time now and are supported with tools like Google Authenticator[2].

[1] https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
[2] https://en.wikipedia.org/wiki/Google_Authenticator
 

Elixer

Lifer
May 7, 2002
10,376
762
126
Is there a way to have it automatically back-up without also putting it at risk of being hacked?
You can do encrypted backups, but, if you lose the key, you are SOL.
You don't really specify what hardware you got now, and what kind of server are you using.
Usually, you do an air gap for highly confidential files, which never has access outside of your LAN, and that pretty much mitigates anyone trying to steal your files. Your front facing server might still get hacked/defaced, but, that is about as far as they can get, and a simple wipe/reload is trivial. On premise attacks are different though, for that you need a dedicated security system.
 

Dukenukem117

Using texts for two factor isn't recommended anymore. We've had alternative methods (TOTP)[1] for quite some time now and are supported with tools like Google Authenticator[2].

[1] https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
[2] https://en.wikipedia.org/wiki/Google_Authenticator

I prefer using an authenticator, but I've noticed that not every company has moved to having it as an option. Surprisingly few actually.

You can do encrypted backups, but, if you lose the key, you are SOL.
You don't really specify what hardware you got now, and what kind of server are you using.
Usually, you do an air gap for highly confidential files, which never has access outside of your LAN, and that pretty much mitigates anyone trying to steal your files. Your front facing server might still get hacked/defaced, but, that is about as far as they can get, and a simple wipe/reload is trivial. On premise attacks are different though, for that you need a dedicated security system.

Sorry, I should have been more clear. We haven't even reached the point where we own a dedicated server. We currently use squarespace for hosting but are planning to move to a shared hosting plan with Siteground. We'll just rebuild everything in Wordpress. I purchased one of the more popular premium themes that gets regular security updates, but none of us know how to properly respond to a DDOS or hack. We don't expect anyone to really care about us, but I'd hate to cross that threshold of being attack-worthy without realizing it.

We telecommute the vast majority of our work, and only get together when we have to (like for a meeting). Our emails are handled with google apps. Communications with Glip, Skype, and Hangouts mostly.

Our file sharing is handled by Box, but we have just about everything in our Box account (about 40gb) at the moment (which concerns me). If I were to set up a server that can only be accessed via LAN, should I only access it through Windows safe mode?

I use Kaspersky internet security on all my devices, but I don't know what everyone else is on. Problem is everyone has multiple devices nowadays, and at least 2-3 of them can easily get lost (phones, tablets, laptops).

I backup data on my computer, and I have an external storage drive for everything (personal and work). I haven't gotten into the habit of backing it up regularly though, but I also don't know what's a good interval.

I plan to call an all-hands meeting to go over all this, but I haven't quite figured out what to go over. I'm thinking everyone should know what to do if one of their devices get lost. I know it won't be hard to brick and wipe a phone remotely, but I'm not sure about laptops and tablets. I also wonder if we should have a list of "emergency numbers" on who to call if something gets hacked, or is calling even the right method of communication. I realize I have no idea how to respond if our emails got hacked or web page gets DDOSed. I've dealt with my share of malware and viruses over the years, but nothing like a deliberate attack. And most of the time I had the luxury of looking for solutions after I got infected without worrying about downtime or files or anything.
 

Bardock

Senior member
Mar 12, 2014
346
39
91
train your employees to recognize phishing and social engineering attacks.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,046
177
116
Since you are not backing up regularly, for your computer data, I would recommend an online backup service like Backblaze - which backs up your files constantly in the background so you don't really have to worry about it.
 

Elixer

Sorry, I should have been more clear. We haven't even reached the point where we own a dedicated server. We currently use squarespace for hosting but are planning to move to a shared hosting plan with Siteground. We'll just rebuild everything in Wordpress. I purchased one of the more popular premium themes that gets regular security updates, but none of us know how to properly respond to a DDOS or hack. We don't expect anyone to really care about us, but I'd hate to cross that threshold of being attack-worthy without realizing it.
Well, since you are using a service for your site, they are the ones that should be able to handle DDoS attacks.
As far as hacking goes, that depends on if you have root access to the server or not, if you allow logins via root (you should NOT.), you should have SSH keys for all logins, use fail2ban, and other programs to monitor your site.
I don't like wordpress at all, has too many holes, try to keep up with all the updates.
Our file sharing is handled by Box, but we have just about everything in our Box account (about 40gb) at the moment (which concerns me).
Box is pretty good, has some nice security features, if you are an admin on Box, you should enable all the security features they offer, and pay attention to the audit logs.

If I were to set up a server that can only be accessed via LAN, should I only access it through Windows safe mode?
Safe mode? Why would you do that? It depends on the server you would use, and what OS, and, no, I wouldn't use a windows OS, I would use CentOS, but, it seems you are over your head with all this.

It really is best to write out what your exact needs are, what the benefit would be to having your own server versus paying for one (AWS, or whatever), What you need for redundancy, level of encryption, audit logs, and so on.

I use Kaspersky internet security on all my devices, but I don't know what everyone else is on. Problem is everyone has multiple devices nowadays, and at least 2-3 of them can easily get lost (phones, tablets, laptops).
This is where encryption comes into play, all devices that access company data should have encryption enabled, and the device is rendered useless after X attempts to log in.
I backup data on my computer, and I have an external storage drive for everything (personal and work). I haven't gotten into the habit of backing it up regularly though, but I also don't know what's a good interval.
If the data changes hourly/daily/weekly, then you should backup hourly/daily/weekly. There is no way around this, a HD/SSD failure can happen at ANY time, without ANY notice at all.
Cloud storage is good here, as was mentioned above, and make sure you encrypt the data if it is valuable.

I plan to call an all-hands meeting to go over all this, but I haven't quite figured out what to go over. I'm thinking everyone should know what to do if one of their devices get lost. I know it won't be hard to brick and wipe a phone remotely, but I'm not sure about laptops and tablets. I also wonder if we should have a list of "emergency numbers" on who to call if something gets hacked, or is calling even the right method of communication. I realize I have no idea how to respond if our emails got hacked or web page gets DDOSed. I've dealt with my share of malware and viruses over the years, but nothing like a deliberate attack. And most of the time I had the luxury of looking for solutions after I got infected without worrying about downtime or files or anything.
Sounds like a plan...
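
The SSH advice in the post above (no root logins, keys for all logins) can be checked mechanically on a server you administer. This is an added example, not code from the thread: it reads an sshd_config the way sshd does, where the first value seen for a keyword wins, so a hardening line appended at the bottom of the file is silently ignored. Both sample configs are constructed, and the defaults table is an assumption based on current OpenSSH.

```python
import re

# Values sshd falls back to when a keyword is absent (assumed: current OpenSSH).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# keyword and value are separated by whitespace or by a single "="
DIRECTIVE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")

# Constructed sample: hardening lines were appended after the weak ones.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later by the admin
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample: what the post recommends.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def effective_settings(text: str) -> dict:
    """Return the global settings sshd would actually apply."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key = m.group(1).lower()          # keywords are case-insensitive
        if key == "match":
            break                         # what follows is conditional, not global
        if key in seen:
            continue                      # first obtained value wins
        seen.add(key)
        settings[key] = m.group(2).strip().strip('"').lower()
    return settings


def audit(text: str) -> list:
    """Return (keyword, effective value, reason) for each weak setting."""
    s = effective_settings(text)
    findings = []
    if s["permitrootlogin"] != "no":
        findings.append(("PermitRootLogin", s["permitrootlogin"],
                         "root can log in directly"))
    if s["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", s["passwordauthentication"],
                         "passwords accepted, so logins are not key-only"))
    if s["pubkeyauthentication"] != "yes":
        findings.append(("PubkeyAuthentication", s["pubkeyauthentication"],
                         "key logins are disabled"))
    if s["permitemptypasswords"] != "no":
        findings.append(("PermitEmptyPasswords", s["permitemptypasswords"],
                         "empty passwords accepted"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Include files and Match blocks are not followed here, and fail2ban is configured separately, so this covers only the global sshd settings.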
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
You do know that you can send a text to a cell phone with email, right?

http://www.digitaltrends.com/mobile/how-to-send-e-mail-to-sms-text/

http://www.emailtextmessages.com/

Now onto the "cloud." I use several myself including the aforementioned Box.

If you want to use a cloud provider like Box, Dropbox, Adrive, etc you can use Boxcryptor.(Edit- Doesn't look like Adrive is compatible with Boxcryptor.)

If this was me and being in a corporate environment I would either use Dreamobjects and the proprietary CrossFTP client or Amazon S3. I like Authy myself, but I have to use Authy, Google Authenticator and Symmetric's App for PayPal.

https://aws.amazon.com/iam/details/mfa/

https://aws.amazon.com/s3/

I vote Amazon S3 as it is very cheap and there is no reacquiring fee. You just pay for the amount of data stored and shared. To put it another way. My Flight Simulator install is roughly 55GB in size. If I threw that on Amazon S3 it would cost me around $8 and change a month. The great thing about Amazon S3 or Dreamobjects is that your data is stored at multiple locations for redundancy.

Boxcryptor can be used with Amazon S3. https://www.boxcryptor.com/en/blog/post/boxcryptor-now-supports-amazon-cloud-drive/

If I had a corporate environment where my users would only use office orientated applications, I would have them all use Ubuntu or some other Linux environment. You now have cut out 95% of malware. But! if you use Windows I would look at a sandboxing application like Voodoo Shield or Anti-executable. There are others as well. Go here and read up. http://www.wilderssecurity.com/

Network security: Consider a hardware-based firewall with malware scanning and IDS (Intrusion Detection System). For a small business you can use an ITX computer or server running Sophos Firewall, or Untangle. Untangle also sells appliances. For a large company then you might want to look into Cisco products. I'm willing to bet Sophos or Untangle are just as good though.
 

Dukenukem117


I always figured this service was out there, but I'm not sure why I would want to use it. It seems like another vulnerability.

Now onto the "cloud." I use several myself including the aforementioned Box.

If you want to use a cloud provider like Box, Dropbox, Adrive, etc you can use Boxcryptor.(Edit- Doesn't look like Adrive is compatible with Boxcryptor.)

Thanks, I'll check this out. Though encrypting data seems weak if stupid human error compromises it, and if those stupid humans are forgetful as most stupid humans are, then they might forget how to decrypt it. I'm still not entirely sold on the idea of encrypting everything I own, though I do think it makes sense for certain areas.

If this was me and being in a corporate environment I would either use Dreamobjects and the proprietary CrossFTP client or Amazon S3. I like Authy myself, but I have to use Authy, Google Authenticator and Symmetric's App for PayPal.

https://aws.amazon.com/iam/details/mfa/

https://aws.amazon.com/s3/

I vote Amazon S3 as it is very cheap and there is no reacquiring fee. You just pay for the amount of data stored and shared. To put it another way. My Flight Simulator install is roughly 55GB in size. If I threw that on Amazon S3 it would cost me around $8 and change a month. The great thing about Amazon S3 or Dreamobjects is that your data is stored at multiple locations for redundancy.

Boxcryptor can be used with Amazon S3. https://www.boxcryptor.com/en/blog/post/boxcryptor-now-supports-amazon-cloud-drive/

The reason we like Box is because it offers a lot of granular control with permissions, link sharing, and such. Plus it saves I think 25 old versions of each file, making reverting to a prior save extremely easy. Doing design work where we can work on a file for hours and end up saving it past a point of no return, being able to revert back is incredibly useful. It's probably my favorite feature by far. That and the price is reasonable ($5/user for the 100gb starter)

If I had a corporate environment where my users would only use office orientated applications, I would have them all use Ubuntu or some other Linux environment. You now have cut out 95% of malware. But! if you use Windows I would look at a sandboxing application like Voodoo Shield or Anti-executable. There are others as well. Go here and read up. http://www.wilderssecurity.com/

Network security: Consider a hardware-based firewall with malware scanning and IDS (Intrusion Detection System). For a small business you can use an ITX computer or server running Sophos Firewall, or Untangle. Untangle also sells appliances. For a large company then you might want to look into Cisco products. I'm willing to bet Sophos or Untangle are just as good though.

I'll keep this in mind if we ever get there. Right now it's just a bunch of people working from home at the startup phase. My goal is to find a solution that isn't too expensive, but also isn't too cumbersome. If it requires a lot of training, I know not everyone is going to do it. Working around the human component is quite frustrating. One of the partners thinks I'm being paranoid and that we have nothing worth hacking. It's worth noting that he uses Apple products.

After spending the last two days reading up on this, I've drafted a 5-page checklist/manual broken up into 5 parts so that people can complete it over time. Otherwise I know they will think it's too daunting to start and just procrastinate their ass off. Most of it is common sense to a techie, but I go over all the basics like having up to date software, AV, AM, good passwords, good password habits, 2FA, general best-practices. If they are able to do most of this, I think we are safe so long as the person on the other end isn't explicitly targeting us. But I still think that's a big IF. Changing people's habits is hard, and I can't really police or verify if they've done everything.

I'm getting everyone on Kaspersky for AV and Malwarebytes Premium for AM. I'm currently looking into Yubikey and LastPass, though this YouTube video is making me rethink password managers.

https://www.youtube.com/watch?v=pcePrailWwc

I'm still looking into how I can silo off things like shared accounts so that one person can't take down everything. One idea is to give everyone two box accounts, one for mobile and one for their home PC, with the mobile one having more restricted permissions.

But I think that no matter how much work I frontload, it's going to be stupid human error that trips us up. I should probably start documenting a crisis response plan for when something bad happens...
 

John Connor

Sending a text through E-mail is not less secure.

So long as you know your password you won't lose data using Boxcryptor.

There is data redundancy with Amazon S3 or Dreamobjects.

I know in a FTP you can set permissions for groups and users. That might be an option.

Keepass doesn't use the Cloud. NEVER store passwords in the cloud.

Definition-based anti-virus won't stop a zero-day payload like ransomware.
 

Dukenukem117

Sending a text through E-mail is not less secure.

Oh, I see. For some reason I read it as sending an email through text. That makes more sense.

So long as you know your password you won't lose data using Boxcryptor.

I'll have to look into it more. It's on the list of things to do when we reach the next milestone.

There is data redundancy with Amazon S3 or Dreamobjects.

I know in a FTP you can set permissions for groups and users. That might be an option.

Box seems to be fine for now. I don't see a reason to break the same service down into individual components and have to manage it all.

Keepass doesn't use the Cloud. NEVER store passwords in the cloud.
I don't plan on using a password manager for everything, but why is the cloud so risky? If I had it on a local file and it's being shared across devices with Dropbox, isn't that still the cloud?

Definition-based anti-virus won't stop a zero-day payload like ransomware.

What would?
 

John Connor

I don't plan on using a password manager for everything, but why is the cloud so risky? If I had it on a local file and it's being shared across devices with Dropbox, isn't that still the cloud?

Yes, Dropbox is the cloud. Should be a no brainer as to why you shouldn't upload your passwords to someone's server. Regardless of their security. Apple's cloud was hacked.


What would?

I mentioned products like VooDoo Shield and Anti-executable. And I could have sworn I mentioned this website. http://www.wilderssecurity.com/
 

Dukenukem117

What would be the safe way to log into a recovery email account? Let's say I want to use one account as nothing but the recovery email for other emails, but never to sign up with any services so it's largely hidden from public records.

If I had to log into it, what would the safe way be? I'm assuming using a different PC that you know is clean of viruses and malware, and possibly in safe-mode? Or maybe use a chromebook?
 

Dukenukem117

I spent all night making a diagram on how I think would be a way to silo off vulnerabilities that is also not too difficult to learn. At least 8 unique passwords though... not sure if I'm asking for too much.

[Image: Cyber Security Diagram]
 

John Connor

What would be the safe way to log into a recovery email account? Let's say I want to use one account as nothing but the recovery email for other emails, but never to sign up with any services so it's largely hidden from public records.

If I had to log into it, what would the safe way be? I'm assuming using a different PC that you know is clean of viruses and malware, and possibly in safe-mode? Or maybe use a chromebook?


Just create a new E-mail account and don't give out the addy. If you want to really protect it, throw Win 7 in VMware Workstation (now called something else) and install Thunderbird in the VM and use that to access the E-mail. Don't browse the net or install anything. But that really is going too far.

In fact, you should always have one E-mail addy for financials, etc and other E-mail address for other things. I have one E-mail address for Paypal, my bank, ebay, Amazon, etc and other addresses for signing up for crap, etc.
 

John Connor

I spent all night making a diagram on how I think would be a way to silo off vulnerabilities that is also not too difficult to learn. At least 8 unique passwords though... not sure if I'm asking for too much.

[Image: Cyber Security Diagram]


What password safe will you be using? Like I said, I wouldn't use anything that connects to the Internet ("cloud"). Use KeePass. I back up the KeePass database in the programs folder under KeePass and archive it using 7-Zip in a SFX archive with a nice long password. Then I store that on a DVD/RW which is placed in a fire proof safe. You can also upload that backup SFX archive to a cloud I guess. It's really password protected twice, both the database kdbx file and the SFX archive if you chose AES 256.

Two factor any account that allows it.
 

Dukenukem117

I looked into Keepass a lot, and it really makes sense except only I and the IT people will do the work. Problem is I'm going to have to train everyone, and I know none of them are going to keep up with maintaining Keepass. So even if it has a higher ceiling in security, I think a more accessible and convenient app that requires little to no maintenance on the user's part is the best I can ask for. There are other more glaring vulnerabilities in our system, most being making behavioral changes. If I manage to get all those to an acceptable level, I can come back to Keepass.

Right now I'm doing a trial on Dashlane. Even though it's probably the most expensive password manager, it looks to be the easiest to pick up and is harder to phish than LastPass. Double encrypting a backup set of passwords is a great idea. I was worried about all the unique keys I'm going to have to memorize. I may get a dirt cheap last-gen Chromebook that does nothing but access my recovery email, decrypt passwords; and as a last resort, act as a burner PC/sandbox.

I reworked the account diagram some more. I tried to limit links to recovery email as much as possible. And since I don't plan on accessing that email from any mobile device, I have to route everything that sends me email updates to one of the emails I check regularly on my phone. I also tried to make it where everything has at least two security features, and an intruder will need a third piece to easily spread to connected nodes. So even if someone manages to get into my password manager, they will need my smartphone or email password to get past 2FA on the important accounts dependent on the password manager. It's not a difficult 3rd factor to bypass for a decent hacker, but hopefully it buys me enough time to get my PW manager back. I also separated each device by removing windows login and encrypted the ones most likely to get stolen.

If I can get everyone to do these things in addition to all the AV/AM, I think we'll be a harder target than most. And if remembering 12 unique passwords is manageable, I'll consider making Paypal, Microsoft, and Amazon unique passwords as well, instead of dependent on Dashlane.


[Image: Cyber Security Diagram]
 

John Connor

Looks alright I guess. The only issue I have is the master password for Dashlane. So make sure you have steps in place for its security.

WordPress has an Authy plugin BTW and it looks like you have Yubi for WordPress?
 

Dukenukem117

Looks alright I guess. The only issue I have is the master password for Dashlane. So make sure you have steps in place for its security.

Same. I've never used a password manager before, and the simple idea of putting all my eggs in one basket makes me nervous. But after a lot of research, it does appear that the best vulnerability a PM sort of patches isn't a tech one but a human one: We're lazy and stupid and don't want to remember 80 to 100 unique passphrases. With a PW manager creating a random password for each site (and also conveniently changing it for you), it at least makes it so that any compromised databases don't give your password to multiple sites.

WordPress has an Authy plugin BTW and it looks like you have Yubi for WordPress?

I'm still trying to figure out how the whole thing works. We're migrating from squarespace, which was one-stop-shop for hosting and site. Sitegrounds has preinstalled WP for us, and I haven't really messed with it too much. I got to look into how the access works between the two, which one controls what, and which one can take down what. I didn't want to set anything up where having access to any one node will automatically confer access to dependent nodes. The business accounts are also the ones we have to share access, and I don't like the idea of "sharing" with a password manager period.
 

John Connor

WordPress is a snap to manually install regardless of hosts. I have even configured a WP install in Xampp and then made the necessary database changes and uploaded it to my host. Did the same thing with a phpBB forum. I spent months configuring my phpBB forum in Xampp and then when I had everything the way I wanted I uploaded it live.

WordPress has a great tutorial on manually installing.

Your host doesn't play a factor in whether the Authy plugin will work or not. Just install the Plugin and create an account at the Authy website and grab the API key. In fact, I think the Authy plugin will say all this once installed.

If you don't want Authy, it does indeed look like Yubi has their own WP plugin. https://www.yubico.com/why-yubico/for-businesses/systems/content-management-systems/

Please make sure you use the xmlrpc plugin. xmlrpc is a BIG hacker door! https://wordpress.org/plugins/disable-xml-rpc/

Or add this code to your htaccess file:

# BEGIN Tweaks
# Rules to block access to WordPress specific files
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files readme.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>

# Rules to disable XML-RPC
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>

#
# Rules to disable directory browsing
Options -Indexes
#
<IfModule mod_rewrite.c>
#
# Rules to protect wp-includes
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
#
# Rules to prevent php execution in uploads
RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]
#
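# Rules to help reduce spam
# example.com is a placeholder: replace it with your own domain, so that
# comment POSTs arriving with a foreign Referer are refused.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ - [F]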
</IfModule>
# END Tweaks

Now that xmlrpc code in bold will disable ALL xmlrpc which means the WP App won't work for users who use that App. But if you use the xmlrpc plugin and delete the bold, then the App will function at the same time preventing a hacker from owning you.

Also consider using Ninjafirewall. You can get by with the free Pro version. Or if you want, buy the Pro+ version. Ninjafirewall has blocked a few hackers for me personally. I also run a script that prevents hacks and spam, but it can be very tedious and it's not for the faint of heart. You might be interested in CIDRAM though. I know the author of that script.

If your host has it, use mod_security!
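
Once the xmlrpc.php deny rule from the post above is in place, the access log shows whether it is working: POSTs to that file should come back as 403 instead of reaching PHP. This is an added example, not part of the original post. It assumes Apache's combined log format, the 60-second window and threshold of 5 are arbitrary choices, and the log lines are constructed using documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints commonly hit by password-guessing traffic on WordPress.
WATCHED = {"/xmlrpc.php", "/wp-login.php"}

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one normal visitor, one client hammering xmlrpc.php.
# The deny rule goes live between the third and fourth request of the burst.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Sep/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Sep/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.9 - - [12/Sep/2016:10:01:{sec:02d} +0000] '
    f'"POST /xmlrpc.php HTTP/1.1" {status} 370 "-" "-"'
    for sec, status in [(1, 200), (2, 200), (3, 200), (4, 403), (5, 403), (6, 403)]
]


def busiest_window(times, window):
    """Largest number of events that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(lines, window=timedelta(seconds=60), threshold=5):
    """Per client IP: POSTs to watched endpoints, how many were not refused
    with 403, and whether they arrived as a burst."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] not in WATCHED:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((when, int(m["status"])))
    report = {}
    for ip, events in hits.items():
        report[ip] = {
            "posts": len(events),
            "not_blocked": sum(1 for _, status in events if status != 403),
            "burst": busiest_window([t for t, _ in events], window) >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
```

A client with `burst` set and a non-zero `not_blocked` count reached PHP before the rule applied, which is the case worth following up in the login and audit logs.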
 

John Connor

I would also use CloudFlare or another reverse proxy like Sucuri or Incapsula. CloudFlare has better options for the free account. To keep your IP addresses hidden, after you throw your site in CloudFlare, have your IP address changed. Then delete your MX record at CloudFlare and use a third party E-mail service. You could use gmail. But you may need to upgrade as gmail only allows so many E-mails per month using SMTP. If you use gmail you will need the wp-mail-smtp plugin. https://wordpress.org/plugins/wp-mail-smtp/

The reason why you want to change your IP after you add your site to Cloudflare is because there's already a record of your IP. But once your site is sitting behind CloudFlare and you have the IP changed, it's next to impossible to find the real IP address. Even with a CloudFlare resolver. I have tried everything and anything to get my real IP to my website. Even using certain commands in Nmap.

The reason why you want to delete the MX record and use a third party E-mail service is because you can find the real IP with a MX record lookup.

I know this is waaaay too much Info. to take in. But just read it slowly and read, read, read and most of all learn. ;) Don't be a victim and don't get owned.

"Come get some." https://youtu.be/h9G-3MD9zNQ?t=3s
 
Last edited: