Sunday, September 19, 2021

WFH Issues

WFH is a new acronym for "Work From Home." I've blogged about my concerns before here and here.

Recently I came across a white paper from HP's Wolf Security group. Remember that they sell "endpoint security."

According to our HP Wolf Security Blurred Lines and Blindspots report, 23% of office workers globally expect to predominantly work from home post-pandemic, with an additional 16% expecting to split their time equally between home and the office. This will have far-reaching consequences for organizations across all economies.
This change is here to stay. That's really scary from a security perspective.

Here is a summary of their findings.

OFFICE WORKER REBELLIONS

Apathy
  • 39% of office workers surveyed aged 18-24 were unsure of the existing data security policies in place at their work
  • 36% of office workers surveyed had been given training on how to protect their home network
  • 54% of office workers surveyed aged 18-24 were more worried about deadlines than exposing the business to a data breach
Frustration
  • 48% of office workers surveyed aged 18-24 thought security policies are a hindrance
  • 37% of office workers surveyed said security policies and technologies are too restrictive
  • 48% of office workers surveyed said security measures result in a lot of wasted time
Circumvention
  • 31% of office workers surveyed aged 18-24 had tried to circumvent security
We have a lot of work to do.

There's another section on IT Team Rejections. I'll let you read that at your leisure.


Sunday, September 12, 2021

Mobile LTE Coverage Map

I recently came across an interesting article posted by the Federal Communications Commission (FCC).

It contains a map that shows the 4G LTE mobile coverage areas of the nation’s four largest mobile wireless carriers: AT&T Mobility, T-Mobile, UScellular, and Verizon.

It states that the coverage map was created using data submitted voluntarily by the four mobile carriers and depicts the coverage a customer can expect to receive when outdoors and stationary.

I am an AT&T wireless customer and have always found that cellular coverage varies significantly in the Memphis metro area.

This tool supports that experience on AT&T but I am skeptical of the other carriers' reporting.

Here is an example of LTE data in a neighborhood in Memphis that is not friendly to cellular towers.

AT&T

T-Mobile

Verizon

Who do you believe?

For reference, here's a map of cell tower locations.




Sunday, September 05, 2021

Microsegmentation

Years ago, a co-worker and I had a discussion about architecting our Unix systems as if each one was at risk from the network, even the LAN. His thinking was that you would never know where the threat was coming from so you should not trust anyone except those connections you made deliberately.

He was so far ahead of everyone else. And ahead of the technology available then.

Now we have Software Defined Networking (SDN). Usually SDN is applied to Wide Area Networks (WANs). SDNs warrant a whole series of posts on their own.

What is now nascent is Microsegmentation.


This excerpt from eSecurity Planet nails my co-worker's vision.
The Problem With Traditional Security Techniques
More traditional security tools, such as firewalls, VPNs and network access control (NAC), have their limits because they focus primarily on securing the network perimeter. Security teams historically assumed the biggest threats were attacking from outside the network. But that approach overlooked insider threats - and the damage that hackers could do when they eventually got inside the network.
SDN provides the underlying technology that wasn't available years ago.

But that allows you to worry about the next layer. What traffic do you allow between systems? Now you need to get to Layer 7 granularity.

Guardicore has a good article that lays out the benefits (and challenges) of microsegmentation.
Benefits of Microsegmentation
  • Lateral Movement Security
  • Reduce Attack Surface
  • Secure Critical Applications
Then an organization has to consider the methods.
  • Microsegmentation by environment
  • Creating regulatory boundaries
  • Microsegmentation by application type
  • Microsegmentation by tier
The steps for an implementation effort are:
  • Identify what needs to be segmented
  • Tackle short-term goals
  • Deal with long-term goals
  • Repeat
Labeling of assets is critical, along with a comprehensive understanding of the applications' relationships and dependencies.
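
To show how segmenting by environment and by tier depends on labeling, here is an added example (not from Guardicore's article or the original post) that checks flows against a default-deny allow-list written on labels. The addresses, labels, ports and rule names are constructed for illustration.

```python
# Added illustration: label-based, default-deny segmentation policy.
# All addresses, labels, ports and rules below are constructed sample data.

ASSETS = {
    "10.0.1.10": {"env": "prod", "app": "billing", "tier": "web"},
    "10.0.1.20": {"env": "prod", "app": "billing", "tier": "app"},
    "10.0.1.30": {"env": "prod", "app": "billing", "tier": "db"},
    "10.0.9.10": {"env": "dev", "app": "billing", "tier": "web"},
}

# Allow-list written against labels, not IP addresses.
RULES = [
    {"name": "web-to-app",
     "src": {"env": "prod", "app": "billing", "tier": "web"},
     "dst": {"env": "prod", "app": "billing", "tier": "app"}, "port": 8443},
    {"name": "app-to-db",
     "src": {"env": "prod", "app": "billing", "tier": "app"},
     "dst": {"env": "prod", "app": "billing", "tier": "db"}, "port": 5432},
]

def matches(labels, selector):
    """True when the asset carries every label the selector asks for."""
    return all(labels.get(k) == v for k, v in selector.items())

def evaluate(src_ip, dst_ip, port):
    """Return (verdict, reason) for one flow; anything not allowed is denied."""
    src, dst = ASSETS.get(src_ip), ASSETS.get(dst_ip)
    if src is None or dst is None:
        return ("deny", "unlabeled asset")  # no label means no rule can match
    for rule in RULES:
        if (port == rule["port"] and matches(src, rule["src"])
                and matches(dst, rule["dst"])):
            return ("allow", rule["name"])
    if src["env"] != dst["env"]:
        return ("deny", "crosses environment boundary")
    return ("deny", "no matching rule")

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.0.1.10", "10.0.1.20", 8443),  # web -> app, expected
    ("10.0.1.10", "10.0.1.30", 5432),  # web -> db, skips the app tier
    ("10.0.9.10", "10.0.1.30", 5432),  # dev -> prod database
    ("10.0.7.77", "10.0.1.20", 8443),  # source missing from inventory
]

def audit(flows):
    """Evaluate every flow and return only the ones the policy denies."""
    return [(f, evaluate(*f)[1]) for f in flows if evaluate(*f)[0] == "deny"]

if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print(flow, "->", reason)
```

The unlabeled source is denied even though its port and destination look legitimate, which is why the inventory has to be complete before rules are enforced.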

I'll cover more of microsegmentation in future posts.

Sunday, August 29, 2021

Chrome Incognito

Google recently came out on the short end of a $5 billion class-action lawsuit concerning Chrome's Incognito mode.

Apparently as a result of that lawsuit, Google is being more obvious about what Incognito means.

I thought it would be worth sharing. Here is the new splash screen for Incognito mode.


What Incognito does
After closing all Incognito tabs, Chrome clears:
• Your browsing activity from this device
• Your search history from this device
• Information entered in forms

What Incognito doesn't do
Incognito does not make you invisible online:
• Sites know when you visit them
• Employers or schools can track browsing activity
• Internet service providers may monitor web traffic

One subtlety in the first section is that Chrome doesn't take any clearing action until after you close all Incognito tabs. What this means is that if you visit a site that only allows limited visits from a non-subscriber, the cookie that tracks your visit isn't deleted until you close all Incognito tabs. Specifically, if you have Facebook open in an Incognito window and then visit a paywalled site, the count of your visits to the paywalled site will remain until you close the Facebook Incognito window.

It's probably a good time to revisit How to Sandbox Facebook.

Sunday, August 22, 2021

If You’re Going to Use the Cloud

... for Pete's sake, please use its strengths.

You know I have mixed opinions on the "cloud" depending on the size and capability of your organization.

An example of leveraging the cloud's strengths is in a recent article I saw from KnowBe4 entitled "Can the Microsoft 365 Platform Be Trusted to Stop Security Breaches?"

KnowBe4 referenced an article from Hornetsecurity entitled "1 of every 4 companies suffered at least one email security breach, Hornetsecurity survey finds." (Don't click on that just yet.)


Realizing that everybody has an agenda, let's look at these articles.

KnowBe4 calls out the following findings:
  • 33% of organizations are not using Microsoft’s multi-factor authentication (MFA)
  • Of those using MFA, 55% of organizations are not using Conditional Access, which scrutinizes connection requests beyond just providing credentials and additional authentication factors
  • Only 43% leverage Microsoft’s data loss prevention policies to keep data from leaving the organization
  • 68% of organizations expect Microsoft to keep email safe from threats
This is my point. If you're going to use a cloud solution such as Microsoft 365, leverage its capabilities. Even if they are premium services, they're probably NOT services you could deliver yourself.

KnowBe4's recommendation: Have your "Users ... undergo continual Security Awareness Training."

By the way, that's KnowBe4's business model - training users. And that's a good thing.

Now, before you click on Hornetsecurity's link, get ready for a pretty aggressive privacy policy.


That almost scared me off. But just click on "Cookie-Details" and slide everything to "Off".

In addition to the points that KnowBe4 raised from Hornetsecurity's study, Hornetsecurity has one more finding: "An impressive 82% of all our respondents who use third-party email security solutions reported no breaches."

I'll bet you can guess what Hornetsecurity sells.

Regardless of the various agendas, the Hornetsecurity study is solid and the findings valuable. Take them into consideration for your Microsoft 365 implementation.

And consider the value-add capabilities of any cloud solution you implement.

Sunday, August 15, 2021

Three Problems with Two Factor Authentication

One of the podcasts I listen to regularly is the SANS Internet Storm Center's "StormCast."


In addition to their podcasts, they have "diary" posts. Recently one of their contributors posted "Three Problems with Two Factor Authentication."

They actually listed 3 issues and "other gotchas."

Their list was:

0 - Usability
1 - Resetting the 2nd Factor
2 - Using a Token to Reset a Password

Now, being an engineer, I wasn't surprised by them beginning their count at "0."

But then they enumerated their "other gotchas."

4 - Other Gotchas

Where'd "3" go?

Very much worth the read!

Sunday, August 08, 2021

You Say Tomato, I Say Tomato

Does this irritate you as much as it does me?

It kept popping up on various web sites and you had to close it.

Here's how to eliminate this pop-up.



Set "Google Account sign-in prompts" to OFF.

It's that easy.


Tomato, tomato.