My last post about two-factor authentication (2FA) got me thinking about another post for National Cyber Security Awareness Month (NCSAM).
While the last one dealt mostly with the ‘S’ in NCSAM, this one will also bring in a good measure of ‘A’.
My wife recently went back to work after spending a considerable amount of time away to look after our children.
With her work and home IT needs now converging on our family network, this got me thinking about security in a whole new way.
For over a decade now I’ve been responsible for maintaining security resources and advising Sophos customers and partners about security best practices.
I also do a fair bit of public speaking for Sophos on emerging threats and protection strategies and am always in contact with IT professionals and end users.
What I haven’t done so well is make sure that those closest to me get the same benefit from my experience.
While I practice what I preach, it occurred to me that my family doesn’t get the equivalent level of attention.
The old adage about the cobbler’s kids came surging to mind.
So here’s a checklist of what I did.
Getting started
The first step was to get a laptop and configure it with all the necessary tools.
My wife works for a company that provides online services and is fortunate to work from home most of the time.
It also means that she spends a considerable amount of time online and handling potentially sensitive information.
The company is a small start-up, so she is mostly on her own when it comes to providing and securing these tools.
The basics
Since she is comfortable with computers, but by no means an expert, I went with the sensible option of Windows 7 Ultimate with Microsoft Office and Chrome.
→ This isn’t an endorsement for the security, usability or performance of Chrome over any other browser. It was simply the browser she was most accustomed to and I didn’t want to change too many things all at once.
This combination makes my job much easier when it comes to off-the-shelf hardware, general availability of tools, patching and compatibility of software.
And of course, I also made sure that the laptop was running up-to-date anti-virus software.
Encryption
With all the software installed, it was time to think about disk encryption.
I chose BitLocker because it gives me full disk encryption built into the operating system.
(Linux and Mac users have similar built-in options in the form of cryptsetup and FileVault2.)
If you plan on having any sensitive information on a portable device, I highly recommend that you encrypt it.
File storage and sharing
Next we looked at ways to securely share and store files in the cloud.
I’ve been using ownCloud for some time so I created an account on my server for my wife.
The benefit of ownCloud is that it allows me to control how and where the files are stored.
It also serves as a handy way to back up her files automatically by using the sync client, and works equally well on a smartphone.
If you prefer to use some of the available free cloud services for file storage and portability, make sure you understand how it’s all secured and consider adding your own layer of encryption as well.
Awareness
Then came the end-user training.
This is where we talked about the benefits of complex passwords and using different passwords for every site you interact with.
Like many users, my wife at first balked at the concept of different (and complex) passwords for every site.
However, she’s been using a password manager, in her case, LastPass, for some time, so choosing new and secure passwords was easy.
The password manager also made adding two-factor authentication relatively painless.
Securing the network
Let’s not forget about the network.
At home, we use the free Sophos UTM Home Edition which looks after our firewall needs as well as providing web and email filtering, intrusion prevention and a VPN (virtual private network) for secure remote access.
Wi-Fi
Since we’re talking networks, I should mention that our home wireless network is also set up with security in mind.
I have nearly 20 devices that require connectivity, and although I still use wired Ethernet for some devices, for others Wi-Fi is my only choice.
With that in mind I selected WPA2 Personal for my security mode with a 20-character passphrase.
Sure, it’s long and complex, but I only had to enter it once on each device – the devices are good at remembering it so I don’t have to.
Smartphone protection
I also encrypted my wife’s smartphone, and ensured she had better than a four-digit passcode to unlock it.
After all, she receives work and personal email on this device.
While I was at it, I installed the Google Authenticator app so we could add two-factor authentication to all of her social media sites – especially Facebook and Twitter, which she uses both for work and for play.
Was it worth the trouble?
This was an interesting exercise, and well worth the time I spent on it.
My wife will undoubtedly be safer and more secure online; her employer’s data will be safer, too, thus spreading the benefits well beyond our own network.
It also provided me with a good checklist to go out and evaluate the security posture of my friends and family.
After all, if I’m going to provide them with technical support, I might as well make sure they’re standing on a good foundation.
Now, time to go explain elliptic curve cryptography to the kids!
Note: This article originally stated that Mrs. Shier was using Windows 7 Professional; that has been corrected to Windows 7 Ultimate edition.
Password strength?
http://xkcd.com/936/
"Then came the end-user training."
It is always a hard job to train loved ones, but you can always tell how well you presented the training material by how long you received the cold shoulder from the better half! Not to mention those nights on the couch after "training classes"
I thought BitLocker drive encryption was only available on the Enterprise & Ultimate editions of Windows 7 (?)
That is true Phil. Fortunately in Windows 8 it is also available in the Pro edition.
Windows 8.1 was just released this week and it also supports encryption, by default even, if your hardware meets certain onerous specs. While that currently means it will only work for about 5 or 10 models of computer that are available, moving forward manufacturers will begin meeting Microsoft's new specifications and be able to take advantage of encryption at no extra charge.
I don't have the full list of requirements handy, but the system must support Secure Boot, have a TPM version 2 or higher and contain memory chips soldered onto the motherboard. Quite stringent specs!
Caution: Data stored in the cloud is not considered private any more and a judge does not have to review requests for this data.
Right! How can anyone say ANY 'Cloud' service is secure? Is your data safer on your own PC or your neighbor's? Does the 'Cloud' platform give any guarantees about its safety and security? Will they own up to security breaches, or hide the fact until someone discloses a blurb calling them out and they give a statement saying, 'oops! my bad!'? The only reason to use any cloud product is for those too lazy to carry a USB storage device or CD.
If no one has reported a security breach, it is because no one has found the breach yet. Just doing day-to-day admin activities, IT folks bypass common guards. Case in point,
I worked at a bank where the user ID's unique identifier was the user's actual Social Security number. I am sure they still do this. I would have worksheets and data files on my laptop with the data and I'd bring the system home. Was I using the data in a malicious manner? No. Is it a breach of security? Yes. I needed to do it to do my job! I'd hazard a guess that if everyone admitted to what they do to do their work, it would shock the security minded. The bank keeps the users' numbers for 3 yrs in the system after they leave.
Maybe what are reported as accidental malicious breaches are 2-5% of all breaches, where most are intentional.
Steve has a good point.
Awesome content about security.
Rex's response was very similar to my immediate thoughts. You mention 'potentially sensitive information' and then discussed backing it up to a device over whose ultimate security you have absolutely no control.
In your favor you did add a footnote about adding an additional layer of encryption.
I was very disappointed not to see any mention of securing the network system itself. You can start by ensuring that your router/modem is secured, as best you can as nothing is totally foolproof, from external entry attempts with at least an SPI firewall. You should also be careful about the settings as you don't usually need to have any access from external sources to your system. Then use IP address allocation together with MAC address filtering. I know some at Sophos say that doesn't work, but it does and is at least an extra line of 'defence' making it harder for intruders to access your connected devices, either by Ethernet or WiFi. It can even prevent them seeing your network traffic if properly set up with controls on Ethernet, WiFi and all APs. Plus, whenever possible and appropriate, use VPN systems that have strong encryption.
I never advise use of any 'cloud' service as you have absolutely no control over their security.
To be fair to John, the author of the article, [a] this is a checklist, not a detailed guide to each security task (though that might make a good followup series!), and [b] he does explicitly mention the Sophos UTM, which is all about network security. You can click the link in the article to list the protections it can add.
By the way, I am one of the "some at Sophos" who say MAC address filtering is not a security measure, and the reason I say that is quite simple: it isn't. (I'm afraid that's not an opinion, it's a statement. MAC addresses are meant to be broadcast openly, so they are not suitable as authentication secrets. So be wary of a false sense of security – MAC filtering is for safety, not security.)
In this video you can see why:
http://nakedsecurity.sophos.com/2013/05/22/bustin…
As your experiments found, many WiFi networks are totally unsecured. So I am surprised that you are not advocating the use of every tool at the network Admin's disposal. Access Control Lists have their uses but are not the only 'line of defence'. They do make life more difficult for those casually seeking to use available and visible networks, but they do not stop the determinedly nefarious.
The Netgear DG834G, for example, offers a decent ACL that will effectively prevent access to any but the devices whose MACs are listed. Most casual users do not have the tools or knowledge, nor desire, to hack into a network to grab a MAC address, unless they are of the nefarious type. Using WPA2-PSK adds to the defences on the networks and I certainly use and encourage its usage in conjunction with other tools.
So the use of an ACL based on MAC codes together with IP reservation and restriction together with decent encryption and network management systems is effective in my experience (20+ years with computer systems) – except against the most determined types. An ACL is not enough on its own and I never said it was. I was approaching the matter from the viewpoint of a home user interested in improving the security and safety of their WiFi and Ethernet networks in a manageable and cost effective way in the home environment.
My non-cloud off-site backup would be:
1. Home VPN concentrator like the Sophos free UTM. One each at my home & a friend's. Establish a site-to-site tunnel.
2. Establish a file share at a friend's house; say a USB external drive I buy & he installs on one of his systems. He buys a drive for me to install on my network.
3. We each back up files to the drive at the other's home. If desired, encrypt them ourselves first.
Advantages:
Costs for the UTM hardware & backup drive are basically one-time + a little ongoing for electricity.
Offsite storage is with a trusted entity.
Have other UTM advantages (firewall, VPN for remote access, spam filtering, etc.).
No provider to go out of business, give data to the gov't, or sell it to the highest (or every) bidder.
What if the LastPass password is compromised? Does the hacker then gain possession of all the stored passwords?
Good security article.