Basic Computer Security Isn’t So Basic Anymore


The Russian invasion of Ukraine has made headlines everywhere lately, including our newsletters. Hopefully you’ve found the details and key information within helpful and actionable. However, it wouldn’t be entirely untrue if one was to sum up our recent advice as “be more on guard than usual.” Don’t get me wrong; building strong use policies, staying on top of updates and security patches, and training employees should all be top of mind during these digitally-dangerous times. That said, I figured for today I’d step away from the nitty-gritty details of state-sponsored cyber warfare and get back to talking about basic computer security.

The thing is, cyber security has changed over the years. Remember, the computer world changes at breakneck speeds compared to everyday life. What used to be good advice like having complex passwords is no longer advisable, let alone the gold standard. Nowadays using pass phrases and multifactor authentication should be the new normal.

Take the case study from last week’s newsletter as an example. You may have noticed the attack used very few actual exploits. Most of it involved leveraging the standard configuration and behavior of common software to criminal ends. Yes, there was some “hacking,” but in many respects the victims were meeting basic computer security standards. The problem is that those “basic standards” were outdated. So today, we’re going back to the basics to see how those basics have changed in recent times and reduce your vulnerabilities to unexpected attacks exploiting old security standards.

So what would be considered the actual basics of cybersecurity these days? Let’s find out!

  • Multi-factor authentication (MFA)

Yes, MFA is now considered a basic computer security requirement. Unfortunately, many organizations are still avoiding using it. Why? I can’t say for sure. Maybe some think it’s time-consuming (though the productivity gains of computer technology alone far outweigh what little additional login time MFA requires)? Maybe others would rather risk relying on old standards than upgrade to new ones. No one can really say.

MFA should be used for every external authentication option that exists for users. This means everything from connecting to Office365 to connecting to remote resources. It’s not a bad idea to use MFA for internal logins but that can wind up getting annoying for users. For now at least, using MFA for internal logins remains a good idea but not a minimum standard.

Remember MFA also needs to be built on good password practices, so don’t toss previous standards out entirely. You should continue to use policies forcing password complexity, minimum length, and regular password changes.

  • Proper Backups

Having backups is one thing, but having proper backups is something else. A proper backup solution includes two key features. The first is periodic backup testing, which ensures your backups are actually working. It also helps keep your IT team familiar with the restoration procedures which can help reduce stress and improve personnel performance in an emergency. The second feature of a proper backup is having at least one copy isolated from all your networks, not just the internet. It could be a tape backup stored offsite, an external hard drive in a fireproof safe that’s only connected specifically to take backups or when needed for restoration, or any of several different options. The point is to have a backup stored somewhere that can’t be accessed via hacking because it literally can’t be accessed from the internet.

A secondary requirement of a proper backup is that you actually know and can identify your important information and where it is. Knowing what is stored and where is useful in the event something catastrophic happens because it means you can properly prioritize restoring important information immediately and save the useful-but-not-vital data for after dealing with the main crisis.
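One way to automate the periodic restore test and the priority ordering described above, as an added example that is not part of the original post: a manifest written at backup time records each file's SHA-256 and a restore priority, and a test restore is checked against it. The manifest layout, the priority tiers and the sample directory names are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(source: Path, priorities: dict[str, int]) -> dict[str, dict]:
    """At backup time, record hash and restore priority (1 = vital) per file."""
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        # Priority comes from the top-level folder; unlisted folders restore last.
        tier = priorities.get(rel.split("/")[0], 9)
        manifest[rel] = {"sha256": sha256_file(path), "priority": tier}
    return manifest

def verify_restore(manifest: dict[str, dict], restored: Path) -> list[tuple[int, str, str]]:
    """Return (priority, path, problem) for each bad file, vital data first."""
    problems = []
    for rel, entry in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append((entry["priority"], rel, "missing"))
        elif sha256_file(target) != entry["sha256"]:
            problems.append((entry["priority"], rel, "hash mismatch"))
    return sorted(problems)

def demo() -> list[tuple[int, str, str]]:
    """Constructed sample: three files backed up, then a damaged test restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        files = {"finance/ledger.csv": b"2022-04,1000\n",
                 "hr/staff.txt": b"constructed sample\n",
                 "scratch/notes.txt": b"useful but not vital\n"}
        for root in (live, restored):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        manifest = build_manifest(live, {"finance": 1, "hr": 2})
        (restored / "finance/ledger.csv").write_bytes(b"2022-04,10")  # truncated
        (restored / "scratch/notes.txt").unlink()  # never restored
        return verify_restore(manifest, restored)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Keeping a copy of the manifest with the isolated backup lets the restore test detect silent corruption as well as missing files.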

  • An official policy for installing patches

All software installed on your organization’s machines should be monitored for updates. All of it. Not just Windows. Not just your anti-malware. ALL OF IT. Also, not all software comes with automatic updates and sometimes patches will need to be manually downloaded. Your organization needs to make sure you are actually looking for—and properly applying—any critical patches quickly. Non-critical patches should still be applied in a timely manner but can be done on a set schedule.

Hardware needs to be kept up to date as well. Firewalls, printers, switches, and IoT devices all need to be monitored for updates to their firmware. Hardware updates should be treated in the same way as software updates, with critical ones being applied quickly and non-critical ones being applied on a timely schedule.

Also, please believe us when we say this needs to be an official policy; if it’s not made official, then it’s not going to happen.

  • Use drive encryption

Drive encryption is a relatively new technology. Originally it was intended to protect drives on portable devices like laptops. The idea is to encrypt the drive so that if the users don’t log in properly the content can’t be recovered. This is useful because it means someone can’t just pop the drive into another machine and read it if the laptop gets stolen. Originally drive encryption was driven by software so there was a performance impact, but most modern hard drives have encryption built in so it can usually be used seamlessly.

Drive encryption is highly useful even on regular workstations and for the exact same reasons. Even if someone breaks in and rips the drive from its housing, they still won’t be able to read the contents. Drive encryption also helps protect the organization when it comes to PIPEDA and FOIP compliance. Personal information on a stolen encrypted drive is far safer than on an unencrypted drive (which means fewer issues for the organization in that case).

  • Abide by End-of-Life (EOL) dates

This applies to hardware and software as they can both become liabilities should they age out. EOL dates are standard on business-class equipment so they’re usually easy to find. Keep in mind that EOL dates can also be changed, so it’s important to occasionally re-confirm them. Periodically evaluate when items are due to age out to see if purchases need to be made down the road (either annually or bi-annually). Sometimes finding a replacement can be difficult, which is why it’s important to abide by EOL dates. You could find yourself facing procurement problems (microchip shortages are still a thing, especially with China under new lockdowns) and being forced to rely on out-of-date products. Windows 7 is the best example of the worst version of this behaviour, as it’s still used in plenty of places despite being seven years past its EOL date, two years past its end of support, and new versions being readily available. Whether it’s a lack of commitment or the cost of an upgrade or both we can’t say, but relying on antiquated operating systems has never been a good cyber security habit.

There you have it. The new “basics” of basic computer security. None of it’s complicated or even particularly expensive and the only real requirement is some awareness and a commitment to actually get the work done before it’s too late, a situation Shakespeare was familiar with when our lead character opines “I wasted time, and now doth time waste me.”

Would you like to know more about the new standards of basic computer security? Contact your account manager today to set up a consultation.

 

Be kind,

Courtesy your friendly neighbourhood cyber-man.
