Author: Robert Broxup

Before you sell, give away or recycle mobile phones, tablets, desktop computers, laptops or USB drives or other items with data storage such as cameras with memory cards, delete the data. It is, of course, necessary to make sure you have a safe copy of your data or fully operational replacement devices before disposing of your old devices. Consider what is on your device, such as:

• Browser history

• Saved passwords

• Personal financial records

• Photographs

• Access to emails and social media accounts

• Customer data

• Retained links to licensed software

• Active logins such as iCloud

• Links to external storage services such as Dropbox, Google Drive and One Drive

This list is not exhaustive, but what is essential is for you to think about what is on your device. Although gaining access to data on devices depends on the level of security implemented, assume that if someone wants to access it, they will eventually get access; determined by the value of the data and the effort required to gain access. In the wrong hands, the data could be detrimental to personal safety and security. Where devices belong to businesses, the data could compromise the personal safety and security of employees or customers. If you are selling the device, the buyer will expect to be able to use it, so you are unlikely to have any enabled security.

Several years ago, I bought a mobile phone from eBay and found that it still had 100s of personal contacts, numerous text messages that had not been deleted, including some in the outbox waiting to send. My initial thought was that I had purchased a stolen phone, however, upon further investigation and telephone conversations with contacts in the phone, I was able to confirm the sale was genuine, just the seller had not wiped the phone. In this case, the previous owner traded in his phone for a newer model, and I bought the phone from the trader. The eBay listing showed the phone as ‘refurbished’, which didn’t include a factory reset.

Additional steps are often required to delete the data thoroughly. Storage devices work by having an index of files, and the index points to the physical location of where the data is stored. For speed of operations, deleting files often deletes the entry from the index leaving the data intact but no longer visible. If you don’t securely delete the files, someone could recover them.

• Consider removing the hard disk from desktops and laptops and destroying them rather than attempting to delete the data securely. Industrial shredding services are available that will turn a hard disk into 1000s of small pieces of metal. You could use a hammer to render a hard disk useless. The approach taken should be relative to the value of the data you are trying to destroy.

• Selling or giving away desktops and laptops without a hard disk is a viable option. New owners can easily purchase replacement drives and have a fully operational system.

• Restore devices to factory default. For example, Apple iOS has the option in settings to reset the device and remove all data. Windows 10 also has a built-in feature to reset the operating system and destroy all existing data. Reinstalling the operating system from installation media is an available option. These options allow you to sell or give away devices in a state where the new owner can log in as a 1^st time user.

• Utilities such as ‘CCleaner’ have options to securely delete unused space on hard disks and securely delete entries in the index to prevent data from ever being recovered.

Understanding your organisation’s network boundary is essential to being vigilant and maintaining a high level of security.  Internet at home or in a single-site business can be straight forward. Still, as companies grow in size and complexity, it is easy to lose control by not understanding the boundary infrastructure, how it is maintained, and details of those responsible for its maintenance. This blog is not a comprehensive guide to boundary security but covers essential aspects that will provide an improved level of protection and reduced exposure to risk if implemented. In cases of outsourced firewall management, this also acts as a check against 3^rd party suppliers.

Firewall Inventory

Maintaining an inventory of firewalls is an essential starting point for understanding the boundary and how it interacts with the outside world.

• Do you have an inventory of all firewalls?

• Does the inventory include the physical locations of each firewall?

• Who are the manufacturers, and what are the models of each firewall?

• What are the internal and external network addresses of each firewall?

• Who is responsible for maintaining the accuracy of the inventory?

If you don’t know where all your firewalls are, then it follows that you will not be able to guarantee that strong passwords are applied, that firmware is up to date, or that firewall rules accurately reflect the requirements of the business. The inventory should also include other information covered in subsequent sections below.

Firewall Passwords

Strong passwords and secure storage of passwords are essential to controlling access to firewalls and preventing unauthorised configuration changes.

• Have all manufacturer default passwords been replaced with strong passwords?

• Are you able to verify that strong passwords apply to all firewalls in the inventory?

• Does your business apply strategic division of labour when it comes to passwords or do one or more individuals have knowledge or access to all firewall passwords?

• How frequently are firewall passwords changed?

• What password vault do you have in place to store firewall passwords?

• Do all persons with knowledge of firewall passwords or access to the password vault have a legitimate business requirement to do so?

Firmware

Firmware is the software installed directly in the hardware. Hardware manufacturers often release new versions of the firmware during the usable life of the equipment.

• What is the latest version of firmware for each firewall’s make and model?

• What is the current version of firmware for each of the firewalls in the inventory?

• Are you able to verify that each of the firewalls in your business has the latest firmware version?

• When was firmware last updated on each of the firewalls in the inventory?

• Who is responsible for checking firmware releases and performing updates?

New versions of firmware are often released specifically to mitigate security risks. Not having processes to check and upgrade firmware to the latest version will allow exploitation of vulnerabilities.

Firewall Rules

Firewall rules need documentation for each of the firewalls in the inventory. Rule documentation should include:

• What is the business purpose of the rule?

• Does the rule control inbound or outbound traffic?

• What IP addresses and Network Ports are ‘allowed’ or ‘denied’?

• Who approved and who created the firewall rule?

Firewall rules change over time as business requirements change, not to mention unauthorised changes to firewall rules. Documentation and ongoing processes will ensure that the rules configured reflect business requirements.

• When was each firewall in the inventory last checked to ensure that all firewall rules fulfil a genuine business purpose?

• How frequently are firewall rules checked?

• Who is responsible for checking firewall rules?

• Are firewall rules disabled or deleted when they no longer have a legitimate business purpose?

Firewall Management

Having effective processes in place to manage firewall configuration will reduce the risk of unauthorised changes.

• Can the firewalls in the inventory be administered from outside the network?

• Which Network Port is used to administer the firewalls from outside the network?

• Is this different from the manufacturer’s default Network Port?

• Are time restrictions applied to control the administration of firewall changes from outside the network?

• When accessing the firewall to manage the configuration, is the connection made using HTTP or HTTPS?

• Does your business use ‘change management’ process to request, approve, and implement firewall configuration changes?

• ·         Are changes to firewall configuration undertaken by qualified persons?

• Who is responsible for approving firewall configuration changes?

It is a common theme that when you receive a call from your bank or utility providers, for example, telling you that for your data protection they must take you through security so they can identify you. Stop right there! They called you! It is your responsibility to identify them.

Most of these calls come from unknown or blocked numbers. Where you can identify the number, it is often from a pool of numbers which you would most likely not recognise. If they call you, how are you expected to identify them if they refuse to speak with you until you have confirmed your name and given them your date of birth, along with whatever information they require?

• When someone calls you, you often have no way to verify their identity

• Fraudsters can use the information provided for identity confirmation to impersonate you

Organisations are good at telling their customers they will never ask for passwords, but they are comfortable asking for all the information needed to have passwords reset. As long as organisations are calling members of the public in this way, fraudsters will be able to mimic that behaviour to steal enough information to act as if they are you.

Following the publication of a recent article about Public Wi-Fi and the use of Virtual Private Networks (VPNs),  I have received questions about what is reasonable with websites attempting to block the use of VPNs. A recurring concern was specifically the blocking of VPN access through an unencrypted public Wi-Fi network.

VPNs are an excellent security measure, but because of how VPNs can circumvent geographic restrictions on content, many organisations have contractual requirements to take extra steps to restrict access. The problem is that because key entertainment sites such as the BBC, Netflix and Amazon Prime use VPN blocking, many VPN users who stream movies and television programs need to deactivate their VPN at some point.

Blocking access through a VPN is relatively easy as the services require IP addresses to function and websites can be configured to block traffic to these IP addresses or redirect traffic to a page asking for the VPN to be disabled. There are also other means such as blocking specific network ports. What makes it difficult is that as businesses create new VPN services with different IP addresses, and as identified, are subsequently blocked.

The use of a VPN also prevents content filtering because network traffic is encrypted. In the case of a public Wi-Fi, the service provider would struggle to stop for example the use of peer to peer file sharing to download illegal content, access to pornography in public, or access to extremist materials online. The reality is that because of how some people use VPNs to perform unlawful activities; website owners are continuously introducing countermeasures, and some countries have either banned the use of VPNs or are currently attempting to do so.

Consider how people become conditioned to do things in a certain way and that potentially harmful activity becomes normal, with consequences that are never fully appreciated. As more websites and services ask for VPNs to be disabled to access the content, the more people will get used to the idea that disabling a VPN is the normal thing to do. Consequently, it becomes less effective as a security measure. This behavioural change has already taken place in other areas:

• Browsers, for example, have the option to disable cookies, but many websites will not function if cookies are disabled. Websites consequently ask for cookies to be enabled, and the measures that are there to add extra privacy are no longer sufficient. Although you can manage cookies within browser settings, for many people, this can be painful, and the path of least resistance is to have cookies enabled and ignore the settings. In short, the way websites use cookies often undermines the browser security measures.

• Advert blocking components in browsers are another example, and many websites perform checks. If they have, visitors are redirected to a page instructing them to deactivate the advert blocker to view the content. Again, the more this happens, and the more frequently these instructions are followed, the less effective advert blocking becomes, and with many adverts containing malware, the risks of exposure increase.

• Terms and conditions – most of the time, terms and conditions are so complicated and long-winded that nobody has the time to read them or even care what they include. People have got used to the idea that terms and conditions are accepted by just ticking a box to say they have read them and agree to the terms.

• Cookie notifications – how websites have implemented cookie notifications is annoying and interrupts the users’ experience of websites. The inevitable outcome is that people will click OK to accept cookies to get rid of the banner or pop-up that is preventing them from reading the content without any consideration or care about cookies.

What would you think if you visited a website and it redirected you to a page that told you that the site has detected that you have ‘ABC XYZ Antivirus’ installed and the site requires you to disable it before displaying content? I would expect people would be sensible enough to leave the site and not follow the instructions.