Cyber Hygiene for the New Year
By Brian Berger
Aliso Viejo, California – December 19, 2017
Looking back at 2017 and ahead at 2018, it became clear to me that all the great advice on cyber preparedness is still not reaching small and medium businesses. The question below was asked of me last week during a presentation in Southern Washington, which prompted me to publish this guidance. You'll find some basic hygiene tips below, and a more detailed narrative on patching is also included for some holiday reading. Please prepare your cyber posture for 2018 and protect your business.
What do I do to protect my business?
- Have your business/company cyber assessed by a third-party provider.
- Follow a cybersecurity framework for a proper cyber posture (the NIST framework is recommended).
- Change all your passwords so that each one is unique; do not reuse the same password.
- Use complex passwords or a password generator.
- Set up monitoring and transaction alerts on your banking accounts.
- Enable network monitoring of all known and unknown devices.
- Run modern endpoint anti-virus/anti-malware products on all managed devices.
- Make sure your firewall is not left on its default settings, and use a next-generation firewall.
- Make sure no connected device on your network is left at its default settings, and segment your data away from IoT devices (IP cameras, personal assistants, printers, etc.).
- Learn, and train your company on, phishing and ransomware best practices.
- Don't surf unknown web sites.
- If an email looks suspicious or you question its authenticity, investigate before you click.
- Patch, patch, patch.
The deployment of patches and updates by companies is the biggest concern, given the public awareness of these broad-based cyber/malware attacks. Over the past couple of months, attacks such as "WannaCry" have been based on gaps in the "patching" of software or device vulnerabilities. The attackers build their attacks to automatically detect and exploit unpatched software and systems that are not at the current patch level, using that as the basis for the attack and the point of entry into a company. The attack is typically an exfiltration of data or ransomware.
Here are some examples of things to consider in your own infrastructure.
When a device such as a network switch, firewall or router is identified by its manufacturer as "end of life" (EOL), it either has a technological market disadvantage or a technical flaw that renders the device vulnerable in certain situations. The manufacturer does two things very well: first, they market the advantages of the next-generation device with all the capabilities and features that make it compelling to "buy" or "upgrade". Second, they publicly identify the flaws, gaps and/or vulnerabilities, with a strongly urged recommendation to upgrade to the next-generation product. This is the normal course of business and does provide full disclosure to their customers.
The other side of this coin is that the same publicly known data used to communicate gaps and flaws is used to create distributed attacks on targeted devices. Once a flaw is known, the hacker communities are also aware of it and start their targeted attacks to enter an organization through the identified flaws. Yes, we are doing a great job of telling the hacker communities how to hack. Call it the unintentional, borderline intentional, published hack advisory!
Software patches are similar in this respect but much more frequent. OEM publishers such as Microsoft, Google, WordPress, Apple and Adobe typically call the patches "security updates" or "security bulletins". Many of the updates are categorized as "Critical", "Important" or "Moderate". They also identify whether the issue lies in the native OEM product or in a third-party component used by the OEM application that can compromise the publisher's product. The OEM publishers have a significant role to play, and this is not trivial work. To be fair, the OEMs are not intentionally building vulnerable products; they find vulnerabilities over time in either their native code or third-party licensed code, and as a result the system requires an update or patch as part of its software life cycle. In addition, each patch update could in theory inject new, unknown flaws: fix one and start another.
Why don't companies patch? Is it that their processes and procedures say wait? Are resources unavailable? Do other projects have priority? Will the patch break the proprietary software or systems that run the business? Is it a lack of knowledge of all the available patches? The sheer frequency of patches? Likely some or all of these apply to you or someone you know. Is it worth it? Given what we know about the magnitude of the impact of these recent attacks, why are you waiting to patch?
A well-planned and organized cyber hygiene program could save your company and your job! Have a cyber-safe New Year!