This is how computer security is like a good western

Chances are you’ve come across a few western movies in your time – it’s almost part of growing up, seeing those Saturday afternoon reruns. Part of the magic of a great western is the title – it’s just enough to raise your interest, your intrigue and get you wanting to watch to find out what it’s all about. Here’s some of the better ones I’ve found:

Now I know there’s plenty more great movies missing from this list (including the amazing Blazing Saddles), but stick with me and hopefully you’ll get my point.


The key thing about these titles is they mostly talk about some specifics – either a specific number or a particular group. You get a good picture of what the movie is going to be presenting to you. The title can certainly create some interesting mental images for those of us with creative imaginations!

Now for a title you’ve possibly not heard of – The Essential Eight.

I confess this isn’t for a movie though – it’s the short version of “Australian Signals Directorate’s Essential Eight Maturity Model”, which represents a set of guidelines for getting and keeping your network, and business, more secure.

Without getting overly technical, these “8 essentials”, when implemented correctly, will make great improvements to your security. Let’s take a quick look at what they are – the 8 characters in this movie.

1. Application whitelisting

This is the sheriff, carefully controlling who can move about the town. Application whitelisting means you only let approved programs run on your computers. This prevents unauthorised, and potentially malicious, programs from running and possibly causing problems. Think of your home - you only want certain people to be allowed to live there, moving around from room to room and dipping into the container with your favourite biscuits!

2. Patching applications

This is one of the deputies, making sure there are no jay-walkers, no lewd behaviour and that the dress code is being met. Patching makes sure that the “residents” of your computer system stay up to date with the latest security and reliability updates, reducing the likelihood of misbehaviour or someone else taking advantage of them. Adobe’s Flash and Oracle’s Java are 2 residents that have been violated numerous times over the years, but they’re certainly not alone. Web browsers and PDF viewers are also high profile targets as they are used by a lot of people on many systems.

3. Microsoft Office macros

It’s been a few years since these were high profile targets, but they’re still a risk. Office macros are those people that roll into town in fancier clothes – they have the flashy jewellery, big hats and fancy boots. The other residents can be a bit in awe of these folk and so can tend to drop their guard and let them do whatever they want because “they look so smart and pretty”, but there’s the potential they are actually snake oil peddlers in disguise and are going to take advantage of the simple town folk.

You really need to be checking the credentials of the files and macros so you know what they are actually going to do, and that they’ve come from a trusted source. It’s too late when they’ve drained your purse and ridden into the sunset, leaving you thinking “what the heck just happened?”.

4. User application hardening

This is the slightly odd bloke who lives on the edge of town and likes the simpler life. Nothing too flashy or fancy but rather he’s got the essentials to live and work as he needs to. Many applications on our computers have lots of additional features and capabilities which we’ll almost never need to use, but having these available means we could get ourselves into trouble.

You know those times you open a PDF to view it and you’re offered the opportunity to save it to some cloud storage location, or you visit a web page and up pops a message asking if you’d like to run a free scan of your computer to show you how to make it faster? Hardening your apps means these prompts and popups go away, allowing you to focus on your work and only having at hand the tools you need.

The funny guy at the edge of town may not have all the fancy trappings but he always seems to be happy and unflustered, satisfied that whilst he may not have all he wants, he does have everything he needs to live a fulfilled and productive life.

5. Restricting administrative privileges

This is the inn keeper that checks the rooms each day and makes sure people aren’t changing their rooms without permission. No hanging pictures on the walls, changing light shades or window coverings, and certainly no digging tunnels from the basement because it would be really cool to have a tunnel to crawl in!

If the computers on your network are not locked down, such that people can install whatever programs they want (see number 1 above), change system settings or make other modifications, then they become a liability on the network. You can’t control what the computer is doing and therefore it can break away from standards, potentially compromising things. That innocent little tunnel from the basement has the potential to bring down the entire building – is it really worth the risk? It’s not difficult; you just need to make sure the residents understand that this is for their benefit and the protection of the business. Even if they happen to “know a bit about computers” (how often have I heard that one?!) it’s not a risk worth taking – a little knowledge can be a dangerous thing!

6. Patching operating systems

The operating system is what makes everything else work – it’s the layout of the town, the fence protecting the residents, the water supply. If you want to keep the town safe then the fence needs to be maintained so “them critters from the south” can’t get in and cause havoc. Having a patched operating system means Crazy Ole Joe can’t build his next house in the middle of the main street – if he were to try, it would get jumped on and prevented straight away.

If the town isn’t kept safe then all manner of potentially bad people could move in, unchecked, and create big problems. If this were to happen, the town would eventually stop being a very nice place to be, possibly not even a safe one, and you’d be wanting to move away and find somewhere else to live.

If your systems are not patched then there’s a greater chance for reliability and security to be compromised, not only on that computer but also the rest of the network.

7. Multi-factor authentication

You’ve seen the movies where someone rides into town and states they are the newly appointed sheriff, possibly dropping the name of the governor of the state as their means of verification. They look the part, they sound the part, so the good innocent and trusting folk accept the new law keeper without actually verifying this person is who they say they are and has the authority they are claiming.

Multi-factor authentication means there is more than one method of verifying that this person’s claim about themselves is true. When you log into your banking website, it may ask for your ID and password, but then uses some other means of getting you to prove you are who you say you are – a special code generated by an app on your phone, an SMS code that’s sent to your phone, or possibly a small digital device with a code on it which changes every 30-60 seconds. It’s using something you know (ID and password) together with something you have (generated code, fingerprint, iris scan etc) to authenticate you.

Some buildings will require a person to enter a PIN code and swipe an ID badge in order to gain entry. Certain websites or applications can do similar. Consider some of the latest smart phones which can use your fingerprint, eye scan or facial recognition to unlock the device (this is biometrics). In order to register the biometric authentication you needed to enter a code (something you know) in order to then get set up for the finger/eye/face (something you have).

This is particularly useful for sensitive applications, systems, or remote access to the network. You want to know that the new sheriff is actually the new sheriff and not someone just wanting to pretend they’re someone they aren’t.
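For the curious, here is how the code on that phone app or small digital device is worked out and checked. This is an added example, not something from the Essential Eight guidance itself: it follows the public time-based one-time password standard (RFC 6238), and the shared secret, salt and password are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this example only.
SHARED_SECRET = b"12345678901234567890"   # RFC 6238 test key
SALT = b"constructed-salt"
STORED_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for the time window containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, drift_windows: int = 1) -> bool:
    """Accept the current window and its neighbours to allow for clock skew."""
    ok = False
    for w in range(-drift_windows, drift_windows + 1):
        t = unix_time + w * step
        if t < 0:
            continue
        expected = totp(secret, t, step).encode()
        ok |= hmac.compare_digest(expected, submitted.encode())
    return ok


def login(password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: the password and the current device code."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    knows = hmac.compare_digest(candidate, STORED_HASH)
    has = verify_code(SHARED_SECRET, code, unix_time)
    return knows and has


if __name__ == "__main__":
    print(totp(SHARED_SECRET, 59))                        # code at t=59
    print(login("correct horse", "287082", 59))           # both factors
    print(login("correct horse", "287082", 120))          # code has expired
```

The server and the device share the secret and a clock, so a stolen password alone fails the login, and a code that someone overheard stops working once its short window has passed.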

8. Daily backups

It’s been hot and dry outside so the hotel has done a lot of business with the locals and town visitors. There’s plenty of people staying in the hotel rooms, and Aunt Martha’s latest batch of smoky bacon rashers is a big hit. So there’s plenty of cash behind the bar and it needs to be protected. At times like this the local bank needs to send the armed guards over to collect the excess cash and securely transfer it into the bank’s vault. This certainly needs to be done daily, but on the really busy days it might need to be done more often to protect the hotel owners from being held up by bandits. The point at which the cash needs to be moved elsewhere is when it hits a level that it’s now “too much” to risk losing.

When it comes to the data on your network, you want to be having backups as often as necessary such that if you were to lose everything that’s not backed up then you won’t be too upset. In a high traffic environment where there’s lots of data being generated or changed then backups may need to be more frequent – possibly every hour. Retail, medical or professional services environments are examples of environments where there could be a lot of data change. A small second hand car yard might sell a couple of cars a day, so backups once a day are likely going to be fine.

The backups need to be at the right frequency, to the right sort of storage media, and they need to be taken offsite. It’s the “321 rule” – 3 types of backup, on 2 types of media, with at least 1 backup being offsite. So simply backing up your data to a USB portable drive and storing it in the bottom drawer of your desk is not going to be sufficient, especially if The Hateful Eight ride into town and start causing havoc. You might see the dust being thrown up into the sky as they approach town, but you don’t get that sort of warning when it comes to computer related problems – they are generally a complete surprise.

So there you have it – the latest blockbuster to hit your screen is a non-western that’s actually more about protecting your little patch of the world than stealing money from a stagecoach or “finding gold in them thar hills”.

You can find more information about the Essential Eight here, or, better yet, ask someone who knows this stuff and can make it happen for you, allowing you to focus on more productive endeavours.

Implementing one will give you an improvement in your security, but getting all 8 will prepare you for a blockbuster!

PS. What’s your favourite western?


Calvert Technologies