Physical
Once you’ve purchased the right hardware, you’ve got to create a secure environment for it. While doing business, you’ll create lots of data that someone else may want or that you can’t afford to lose. It goes without saying that your environment needs physical locks and/or a security system. Critical systems also need Uninterruptible Power Supplies (UPS) that keep systems running in the event of a power outage and shut them down properly if the power is out for a longer period. If you have a server in the office, I suggest keeping it in a separate room that has additional security such as another locked door (so it’s behind a total of at least two locked doors), walls that go above the fake (drop) ceiling, dedicated power outlets, proper ventilation, and non-carpet floors. I had a colleague once that locked her keys in her office. I grabbed a chair, popped the ceiling tile up, climbed over the wall, and retrieved her keys. So don’t be fooled into thinking that drop ceilings provide a safe space.

Software
Threats to computers today are numerous, with multiple points of entry for malicious activity. Whether you have one computer or a hundred, you need a multi-faceted approach and something that detects various types of infection, such as viruses, malware, Trojans, spyware, ransomware, etc. Software that just checks for virus signatures only partially protects you. Choose a product that can deploy clients from a cloud interface and can monitor all computers from one centralized administrator console. If you are using an email server, such as Microsoft Exchange, choose a product that also monitors the flow of e-mail – many viruses and much spam are transmitted by e-mail. Microsoft scans email, but you can also have an additional set of eyes (another product) scanning.

If your budget allows, purchase a network appliance such as a router or firewall that can do real-time scanning and content filtering. Along with e-mail, internet surfing is another likely place where a computer can get infected. Another way to protect your users from going to malicious places on the internet is to use an alternate DNS resolution company rather than your ISP. One example is OpenDNS, which was free for many years; it is now owned by Cisco and charges a fee.

Users of Windows 10 and later can use Windows Defender Firewall and Windows Security, which are built into the operating system. There are other free PC versions of various security programs, but I would not trust any free security solution for your server. By the way, yes, your server needs the software installed on it. Even if no one ever uses the server directly, an infected endpoint can copy files to the server (specifically through network shares) or allow the bad actor to remotely access the server.
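As an added example (not code from the original post), the following PowerShell verifies that Windows Security’s real-time protection and every Windows Defender Firewall profile are switched on. It applies to the server just as much as to the workstations. It assumes the built-in Defender and NetSecurity cmdlets (Get-MpComputerStatus, Get-NetFirewallProfile) are available, as they are on Windows 10/11 and Windows Server with Defender installed; the 7-day signature-age threshold is my own choice.

```powershell
# Added example: report whether Windows Security real-time protection and all
# three Windows Defender Firewall profiles are enabled on this machine.
# Run in an elevated PowerShell session on Windows 10/11 or Windows Server.

# Defender engine and signature status (cmdlet ships with the Defender module)
$mp = Get-MpComputerStatus

$checks = [ordered]@{
    'Real-time protection enabled'   = $mp.RealTimeProtectionEnabled
    'Antivirus engine enabled'       = $mp.AntivirusEnabled
    'Signatures less than 7 days old' = ($mp.AntivirusSignatureAge -lt 7)   # 7 days is an assumed threshold
}

# The firewall must be on for Domain, Private AND Public, not just the profile
# that happens to be active right now (a laptop taken to a coffee shop switches profile).
foreach ($profile in Get-NetFirewallProfile) {
    $checks["Firewall profile enabled: $($profile.Name)"] = ($profile.Enabled -eq 'True')
}

# Print one OK/FAIL line per check
$checks.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK  ' } else { 'FAIL' }
    '{0} {1}' -f $state, $_.Key
}

# If any firewall profile reports FAIL, this turns all three on (requires admin):
# Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
```

Run it on each machine (or push it through your management console) and treat any FAIL line as something to fix before moving on; a firewall that is only enabled on the Domain profile leaves a laptop exposed the moment it joins a public network.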

AV vs NGAV vs EDR vs XDR vs MDR
When computer viruses were first noticed, they really didn’t do much other than maybe keep your computer from working. To combat viruses, Anti-Virus (AV) programs were created, but they could really only check for known signatures on a specific file or running process. Unlike AV, Next-Generation Anti-Virus (NGAV) is typically cloud-based and can detect suspicious behavior. As bad actors got more sophisticated, companies needed to check for more things, so EDR (Endpoint Detection and Response) became the standard. EDR can deter malicious activity and utilizes forensic data stored on the endpoint. Now, security companies say their products are XDR (Extended Detection and Response), which looks at your entire infrastructure (not just the endpoint) holistically from many viewpoints and can then take action to mitigate the attack before you even know anything happened. MDR (Managed Detection and Response) is usually 24/7 and managed by an external vendor rather than internal resources.

Policies
Don’t leave your computer logged in while you’re away. How long a computer may sit idle before it locks is up to each company. At least have it set to lock after, say, 30 minutes, so you must enter a password, biometrics, or passkey to get back in. I see people all the time go away for lunch and leave their computer open for ANYONE to use. Maybe a disgruntled employee wants to send an e-mail to the rest of the office on your behalf – yikes! If you don’t come back from lunch or that sales meeting, your computer will be vulnerable all night and the cleaning crew may love to surf pornographic sites for you – double yikes!
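One way to enforce that lock on a stand-alone Windows machine, as an added example that is not from the original post: the Group Policy setting “Interactive logon: Machine inactivity limit” is stored as the InactivityTimeoutSecs registry value, and the script below sets it to the 30 minutes suggested above and reads it back. It assumes you run it as administrator; on a domain, set the same policy once in Group Policy (Security Settings > Local Policies > Security Options) instead of touching each PC.

```powershell
# Added example: lock the interactive session after 30 idle minutes by setting
# the "Interactive logon: Machine inactivity limit" policy. Run as administrator.

$policyKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lockAfterMinutes = 30                      # the post's suggested value; adjust to company policy
$seconds          = $lockAfterMinutes * 60

# The Policies\System key normally exists, but create it if a fresh install lacks it
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# InactivityTimeoutSecs is the registry value behind the Group Policy setting;
# 0 (or a missing value) means "never lock automatically".
Set-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' -Value $seconds -Type DWord

# Read it back so you can confirm the setting actually took effect
$current = (Get-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs').InactivityTimeoutSecs
'Machine inactivity limit: {0} seconds ({1} minutes)' -f $current, ($current / 60)
```

The value applies to all users of the machine, and the lock still requires the user’s password, biometrics, or passkey to resume, so it closes the lunch-break and overnight gaps described above without depending on each person remembering to press Win+L.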

Have your company use strong, hard-to-guess passwords for their login accounts. Passphrases are longer and easier to remember. Many passwords can be guessed, hacked, or cracked easily. Office documents, such as Microsoft Word or Excel files, can also be individually password protected. VeraCrypt is a good, free option for creating an encrypted drive on your computer if your policies require it.
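As an added example (not from the original post) of the passphrase advice above, this PowerShell function builds a multi-word passphrase using the operating system’s cryptographic random number generator rather than Get-Random, and prints roughly how much entropy the result carries. The 14-word list is a constructed placeholder so the script runs as-is; in practice substitute a large published list such as EFF’s 7,776-word diceware list, which the entropy line makes the case for.

```powershell
# Added example: generate a random passphrase from a word list with the OS CSPRNG.
# The word list below is a tiny constructed placeholder; use a large real list.

$words = @('copper','meadow','violet','anchor','timber','saddle','glacier',
           'lantern','orchard','pebble','quartz','harbor','falcon','ember')

function New-Passphrase {
    param([int]$WordCount = 5, [string]$Separator = '-')

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    # Largest multiple of the list size that fits in a uint32; anything at or
    # above it is rejected so every word has exactly the same chance of selection.
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $words.Count)

    $picked = for ($i = 0; $i -lt $WordCount; $i++) {
        do {
            $rng.GetBytes($buf)
            $n = [System.BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        $words[[int]($n % $words.Count)]
    }
    $rng.Dispose()

    $picked -join $Separator
}

$count  = 5
$phrase = New-Passphrase -WordCount $count
$bits   = [math]::Round($count * [math]::Log($words.Count, 2), 1)

"Passphrase: $phrase"
"Entropy: about $bits bits from a $($words.Count)-word list"
"(the same $count words drawn from a 7,776-word list give about 64.6 bits)"
```

The entropy line is the part worth showing users: five words from this toy list give under 20 bits, which is crackable, while five words from a 7,776-word list give roughly 64 bits and are still easier to remember than a 10-character jumble of symbols.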

Training
A large percentage of malicious activity enters the IT environment when an end user does something they shouldn’t – opening an infected attachment, clicking a malicious link, creating poor passwords, and much more. End user training should be ongoing and provide examples of known attacks, so users become familiar with recognizing malicious activity. Many companies use vendors to perform simulated phishing attacks, combined with additional learning if a user is successfully phished by the simulation. NIST (National Institute of Standards and Technology) defines phishing as “a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.”

Cybersecurity
According to NIST, cybersecurity is “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.” By now, you’ve probably heard this term many times. It really is a process and involves many things working together – physical security, software, policies, cybersecurity insurance, end users, and training. It’s unrealistic to expect users to be cyber experts who can detect every malicious intention, so solutions must be implemented to assist end users while they perform their daily tasks – it’s a team effort.

A bit of my history
• The first virus I saw was the Monkey Virus and it was transmitted when a 3.5” disk was left in a computer that was rebooted.

Non-Profit Tips
• Contact your regional CISA (Cybersecurity and Infrastructure Security Agency) agent and develop a relationship. They are a wealth of information and through their Cyber Hygiene Vulnerability Scanning Program, they will perform routine scans of your wide area network (WAN) at no cost.
• There are several discounted products at techsoup.org.


One response to “IT Basics, Part 2 – Security”

  1. […] IT Basics, Part 2 – Security […]