General IT Security advice from Weald IT

Please note that this “General IT Security Advice” does not cover every possible security risk and solution. It is a prompt list based on our helpdesk notes and logs, with some additional information collected for ISO 27001.

Version 2, updated 14.7.2022

Multi Factor Essential

All users

Multi Factor is now Essential
It is now considered essential that ALL POSSIBLE users should use 2FA – Multi Factor Authentication. This requires a second form of authentication to let you into a platform. This can be an authenticator app on your phone, a text message or a physical device. The reason for this is to prevent a phished or compromised password from allowing your emails, or anything else within that platform, to be used against you or others.

Simplify and reduce changes with 2FA
One of the advantages of using 2FA is that you can then use a slightly simpler password and not have to change passwords so regularly. As an example, a few words and numbers that can be remembered, divided by special characters – e.g. Support.055.Help! – which, combined with MFA, would be very acceptable for most.

Enforce not Enable
We note that in Microsoft 365, if using MFA you must ENFORCE it, not just ‘enable’ it; otherwise legacy authentication methods will still allow single-factor sign-in.

If not using 2FA – Complex Passwords and 90-Day Change Applies
If you are not able to use 2FA, then the old rules apply – proper complex passwords, changed on a regular basis. Use a password generator such as Dashlane – 16 characters with symbols.

Products

Use Defender for Microsoft 365 – from just £1.51 per user per month
Protect against impersonation, use safe links and safe attachments (sandbox).
This will protect Email, OneDrive & Teams.

Use Anti Virus at the Endpoint

Many AV products now have ransomware protection which uses behaviour monitoring to identify attacks. Make sure this is enabled, or use the wizard which turns on ransomware protection. We realise this can be intrusive, but it works.

Attachments
BLOCK as many attachment types as possible – even all but PDF if your business allows it.
Do NOT open attachments from unknown sources. If in doubt, send it to IT to check first.
Unsure? Don’t open it.

Online Phishing Education and Testing

Online education – we can help you set up Phish Insight from Trend

Use these free resources without any set up.
https://www.opendns.com/phishing-quiz/
https://www.sonicwall.com/phishing/phishing-quiz-question.aspx

Phishing, Middle Man Attacks and other scams

Do NOT accept “internal emails” that say transfer money here or there to unknown account numbers and sort codes.

**Cover your business**
Issue statements to clients and suppliers along the lines of:
“We will NEVER ask you by email alone to alter account details.  We will never ask you to move your money or ask you to transfer funds to a new sort code and account number that we provide”

**If you are asked by a supplier to change account details**
Use an old-fashioned procedure: verify account changes by phone before changing them on your bank.
We realise that banks have improved and account name verification now normally takes place.

If someone asks you something unusual involving a bank transaction, stop and query it.

Examine the sender domain, e.g. wealdcomputer.com instead of wealdcomputers.com. If an email is sent from support@wealdcomputer.com, it is unlikely to have the normal email personality associated with Weald, but for the unwary there is potential for phishing.

Be aware your internal emails can be compromised and may appear to come from your Manager or Director.

Be suspicious if the language of the email looks wrong for the person who sent it.
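The two checks above (a lookalike sender domain such as wealdcomputer.com versus wealdcomputers.com, and mail that appears to come from your Manager or Director) can be automated as a first-pass filter. The following is an added example, not Weald IT code: the trusted-domain list, the internal directory and the sample headers are constructed for the example, and the lookalike rule is a simple edit-distance threshold.

```python
"""Flag lookalike sender domains and display-name spoofing in From: headers.

Added illustration, not Weald IT code. TRUSTED_DOMAINS, INTERNAL_PEOPLE and
SAMPLES are constructed; the wealdcomputer(s).com pair is the page's own example."""
from email.utils import parseaddr
from typing import Dict, List, Set

# Domains we genuinely exchange mail with (constructed list).
TRUSTED_DOMAINS: Set[str] = {"wealdcomputers.com", "example-bank.co.uk"}

# Display names staff act on, and the real address each belongs to (constructed).
INTERNAL_PEOPLE: Dict[str, str] = {
    "jane director": "jane@wealdcomputers.com",
    "finance team": "finance@wealdcomputers.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str,
                 trusted: Set[str] = TRUSTED_DOMAINS,
                 people: Dict[str, str] = INTERNAL_PEOPLE,
                 max_distance: int = 2) -> List[str]:
    """Return human-readable findings for one From: header; an empty list means nothing odd."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings: List[str] = []
    # 1. A domain that is almost, but not exactly, one we trust.
    if domain and domain not in trusted:
        for good in trusted:
            d = edit_distance(domain, good)
            if d <= max_distance:
                findings.append(f"lookalike domain {domain!r} is {d} edit(s) from trusted {good!r}")
    # 2. A known internal person's display name on an address that is not theirs.
    expected = people.get(name.strip().lower())
    if expected and expected != addr:
        findings.append(f"display name {name!r} belongs to {expected} but mail is from {addr}")
    return findings


# Constructed sample headers
SAMPLES = [
    "Weald Support <support@wealdcomputers.com>",   # genuine
    "Weald Support <support@wealdcomputer.com>",    # missing 's'
    "Jane Director <jane.director@gmail.com>",      # boss's name, outside address
    "Payroll <noreply@example-bank.c0.uk>",         # digit zero for letter o
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "ok")
```

Two caveats when using something like this: a distance threshold of 2 will false-positive on short domains, so tune it per trusted domain, and, as the advice notes, a genuinely compromised internal mailbox passes both checks, so the phone verification in the supplier section (using a number you already hold, not one from the email) stays the real control.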

Encryption

Mobile Device and Device Encryption
For anyone travelling with a laptop, please encrypt your device using BitLocker. On Windows 10 this is not turned on by default. Use Search, BitLocker to find the Manage BitLocker application.
Most modern phones are encrypted by default, but please check.
For modern PCs with SSDs, there is no reason not to turn this on too. In addition, this removes the risk of data being compromised on PC disposal at end of life.
This can be done by security policy if you have the relevant subscriptions and tools in place.

Ransomware

General and ransomware type:
Backup is usually the best way to recover from ransomware. Make sure you are backed up and/or replicated. In addition, please ask us to test it, or use automated DR testing.

**Make sure the backups are not on a visible share on the same network that you use daily**

IF IN DOUBT, TURN IT OFF
If you click something dodgy and the computer seems to be going slow and something is happening… TURN THE COMPUTER OFF – press the power button until it goes off.
Get someone to check it – do not turn it back on; take it to an expert to examine and deal with.

Don’t browse to dodgy web sites, or if you must, do it at home on a tablet, not your Windows PC.

Do NOT connect to work with a home computer that has been used for ‘leisure’.
Do NOT let your kids use your WORK laptop for playing games and internet browsing.

Be aware that Word and Excel documents are not automatically safe; they can run macros.
Do not assume your AV or anti-malware package will stop modern viruses and ransomware. We are now in the age of the “file-less” virus, and these packages are only as good as their last set of updates and definitions.

Do NOT set up personal email accounts on work computers.

General IT Security advice for Management and Finance

Backup and DR testing is the way to recover from ransomware and many other threats. Make sure it works, and have a daily checking procedure.

Most banks do this now, but please make sure payment batches require authorisation via a second factor, and verify them against internal batch records.
Be careful with payment batches; we have seen them hacked and modified.
Do back the IT department in enforcing MFA and password policies.

Where possible, do NOT habitually use “faster payments”. These are not reversible.

HMRC, PAYE etc. DO NOT send you emails about refunds. Don’t click to get a refund.
Your BANK will probably not email you, or if they do it will come from a known account manager.

Starters and Leavers Procedures for Employees
Have a leavers procedure that includes revoking access to everything granted under the starters procedure. The reason for this is that having lots of ‘active directory users’ present increases risk, even if you have changed the passwords. Don’t have generic AD accounts with easy passwords. These may be web accessible via Outlook Web Access. This is a way in.

Shoulder Surfers, not Silver Surfers
When out of the office, be aware of “SHOULDER SURFERS” – they exist on trains!

For IT People:

Some general IT security advice for IT people.
Consider blocking all attachments except PDF – it might be hassle, but the returns are great!
Do not allow the use of PPTP pass-through (port 1723) – use an SSL VPN instead.
Use account lockout after failed password attempts – 3 or more?
Do have a 90-day change policy on passwords if not using 2FA.
Look at enforcing a company-wide 2FA policy on 365.
Set up user education and testing.
Look at device encryption for your mobile workers.
MDM – mobile device management – is worth considering.
Do not use open RDS connections for remote access (port 3389).
Disable accounts on the server that you do not recognise. Disable first, ask later.
Consider two factor authentication for any web accessible systems.
Always check who has Global Admin or Domain Admin rights.
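The leavers procedure in the Management section (revoke everything the starters procedure granted, watch for generic accounts and Outlook Web Access exposure) and the last two items of the list above (disable unrecognised accounts, check who holds Domain Admin or Global Admin) are the same reconciliation job. The following is an added example, not Weald IT code, of that reconciliation run over two constructed data sets: an HR feed and a directory export. A real run would read these from HR and from an AD or Microsoft 365 export; the field names are assumptions.

```python
"""Reconcile an HR leavers list against a directory export and list what to revoke.

Added illustration, not Weald IT code. HR_RECORDS and DIRECTORY are constructed,
as are their field names; a real run reads them from HR and from an AD/365 export."""
from typing import Dict, List

# Constructed HR feed: who is employed and who has left.
HR_RECORDS: List[Dict] = [
    {"user": "asmith", "status": "active"},
    {"user": "bjones", "status": "left", "leave_date": "2022-06-30"},
    {"user": "cpatel", "status": "left", "leave_date": "2022-07-08"},
]

# Constructed directory export: what each account can currently reach.
DIRECTORY: List[Dict] = [
    {"account": "asmith", "enabled": True, "groups": ["Staff"], "mailbox": True, "owa": True},
    {"account": "bjones", "enabled": True, "groups": ["Staff", "VPN Users"], "mailbox": True, "owa": True},
    {"account": "cpatel", "enabled": False, "groups": ["Staff"], "mailbox": True, "owa": False},
    {"account": "reception", "enabled": True, "groups": ["Staff"], "mailbox": True, "owa": True},
    {"account": "svc-backup", "enabled": True, "groups": ["Domain Admins"], "mailbox": False, "owa": False},
]

GENERIC_HINTS = ("reception", "scanner", "temp", "test", "guest", "shared")
PRIVILEGED_GROUPS = {"Domain Admins", "Global Admins", "Enterprise Admins"}


def reconcile(hr: List[Dict], directory: List[Dict]) -> Dict[str, List[str]]:
    """Sort accounts into the buckets the leavers procedure and the admin review act on."""
    hr_by_user = {r["user"]: r for r in hr}
    out: Dict[str, List[str]] = {
        "leavers_still_enabled": [],   # left per HR, account not disabled
        "web_reachable_leavers": [],   # left per HR, still reachable via OWA
        "generic_accounts": [],        # shared/role accounts with no owner in HR
        "unrecognised_accounts": [],   # no HR owner and not obviously generic
        "privileged_accounts": [],     # any account holding an admin group
    }
    for acct in directory:
        name = acct["account"]
        if PRIVILEGED_GROUPS & set(acct["groups"]):
            out["privileged_accounts"].append(name)
        rec = hr_by_user.get(name)
        if rec is None:
            generic = any(h in name.lower() for h in GENERIC_HINTS)
            out["generic_accounts" if generic else "unrecognised_accounts"].append(name)
            continue
        if rec["status"] == "left":
            if acct["enabled"]:
                out["leavers_still_enabled"].append(name)
            if acct["owa"]:
                out["web_reachable_leavers"].append(name)
    return out


def offboarding_actions(acct: Dict) -> List[str]:
    """Reverse, item by item, what the starters procedure granted to this account."""
    actions: List[str] = []
    if acct["enabled"]:
        actions.append("disable account")
    actions += [f"remove from group {g}" for g in acct["groups"]]
    if acct["owa"]:
        actions.append("disable Outlook Web Access")
    if acct["mailbox"]:
        actions.append("convert mailbox to shared or archive it")
    return actions


if __name__ == "__main__":
    result = reconcile(HR_RECORDS, DIRECTORY)
    for bucket, names in result.items():
        print(f"{bucket}: {names}")
    for acct in DIRECTORY:
        if acct["account"] in result["leavers_still_enabled"]:
            print(acct["account"], "->", offboarding_actions(acct))
```

On the constructed data this flags bjones (left a fortnight ago, still enabled and reachable over OWA), the shared reception account, and svc-backup, which nobody in HR owns yet sits in Domain Admins. The “disable first, ask later” rule above applies to that last bucket; the value of running the job daily is that the list is short enough to actually act on.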
