Here are four things we’ve learned about business continuity during COVID-19. 

• Small businesses need a (small) business continuity plan

You may not need a fifty-page document outlining a detailed business continuity plan with redundant locations, computers, servers, etc. If you manage a small business with 25 employees or less, a short document may be sufficient depending on the needs of your business.

• Every knowledge worker needs a laptop

Asking employees to take a desktop home, connect the peripherals, and work in the same room as their router because the desktop does not have wireless, is a bit much. Laptops, although more expensive, make the transition to working from home so much easier.  For most people, a 15-inch business class laptop with an i5 processor, 8GB of memory, 256GB SSD hard drive, and a webcam will work great.

• IT support needs the right tools in place before everyone heads home 

Before employees take any equipment home, IT support needs to verify that each computer has remote assistance software installed, a VPN client to connect to the business network, and remote agent software that allows command line access for scripting and support.  By having these tools in place, physical access to the device is no longer needed and remote support is available if the device is connected to the Internet.

• Everyone working from home needs high-speed Internet 

You will be surprised to find that a few employees do not have high-speed Internet, and this will limit the speed at which they can work from home. This is very frustrating to the employee and to IT support.  Plan to have a few cellular hotspots available or be prepared to pay for better Internet for a few employees. Some individuals may choose not to have home Internet or may live in rural areas that high-speed Internet is not available.

As we continue to social distance, we need to be vigilant in helping employees be successful working from home while further developing our business continuity plans.

Many of these breaches are a result of operating system vulnerabilities and configuration management, which in most cases are the responsibility of the customer.  To help provide guidance on responsibilities when using cloud services, Amazon has published information on their Shared Responsibility Model. This model clarifies which IT controls are the responsibility of the customer, which are Amazon’s responsibility, and which are shared.

There are three IT controls: Inherited Controls, Shared Controls, and Customer Specific. Amazon is responsible for Inherited Controls, which include physical and environmental controls. Shared Controls are things like patch management, configuration management, awareness and training. These controls are shared between Amazon and the customer. For example, Amazon is responsible for patching the infrastructure and the customer is responsible for patching the OS and application. The last control is Customer Specific. These are solely the responsibility of the customer and include things like service and communications protection or zone security.

The Shared Responsibility Model from Amazon is helping companies understand the compliance and security responsibilities in the cloud. Whether you are using Amazon Web Services or not, most cloud providers have similar models that clearly assign responsibilities of each party involved.  If you’re not familiar with your providers policy, make sure to review it and take responsibility for the security of your cloud applications.

Last year Sen. Chuck Schumer, D-N.Y., called for more scrutiny into popular DNA testing kits, saying unknowing customers may be putting their genetic information at risk of being sold to third parties.  Some fear that this is the case, even though DNA testing companies state in their privacy policies that consumers control how their data is used. In the future, what happens when these companies are sold or go out of business? Will your DNA data be sold to the highest bidder?

MyHeritage, a DNA testing company, leaked the data of over 92 million users last year that included email addresses and hashed passwords. Thankfully no DNA data was included in this breach. However, if companies don’t sell your DNA data, they might lose it to hackers in future breaches. Is it worth the risk? Some might say yes, but I would argue that it is not. Think about this: if your credit card is stolen what does your credit card company do for you? They disable the stolen card and send you a new card with a new number. If your DNA is stolen, what can a DNA testing company do for you? Your DNA can’t be replaced or changed and if it could, would you want it to? Your DNA is your make-up and should be considered Non-Public Personal Information (NPPI) and highly protected.

In the future our DNA may be worth a hefty price to hackers and identity thieves much like our other NPPI is today. We must proceed with caution when it comes to any unique, personal information about us including our DNA data. It is our responsibility to manage the security of our data and be informed about how companies use our data.

WordPress sometimes gets a bad rap for being insecure, but I have not experienced that when following these best practices.

1. Keep WordPress, plugins, and themes up to date by applying security patches
2. Deactivate and delete any themes or plugins that are no longer needed
3. Create a unique admin username and use a strong password
4. Install and configure a WordPress security plugin that can block common attacks
5. Only install trusted software from known sources

This approach will limit the attack surface and provide a solid layer of security. If you are new to securing websites, it is a good idea to consult with an expert. If your website is unfortunately hacked, you will need to find and patch the vulnerability as well as clean the site. This can be a challenge even for an experienced professional and can require hours of research. The only other fallback to keep in mind is daily backups of WordPress. If WordPress is compromised and unrecoverable, then you will have to rely on your backups to recover to a point in time before the date of compromise.

These are the day-to-day challenges in cybersecurity and these types of attacks only improve over time. Hopefully we can continue to improve our website defenses to keep up with new attacks.

Supply chain hardware modification attacks are troubling because we don’t have proven methods of detection like we have for some software attacks. This story, whether true or not, brings to light the attacks cybersecurity professionals may face in the workplace. The story claims, through many anonymous sources, that the Chinese government is involved in modifying motherboards made in China for SuperMicro, by adding a tiny chip that is smaller than a grain of rice. These chips are so small and undetectable that they were hidden on servers that were installed in data centers across the US. The only indication that there was a problem, sources stated, was after monitoring network traffic and detecting odd network activity. All companies named in the story are denying any knowledge of such a chip or that an investigation is taking place.

Are you currently checking your servers for supply chain hardware modifications before installing in your data center? What tools could you use and how would you know if there has been a breach? Until we find out more about other potential methods for detection we should monitor for abnormal network traffic inbound and outbound on server networks.

The attacks of tomorrow will be far superior and harder to detect than anything we have seen in the past, especially when it comes to nation-state actors. I would encourage you to take the time to read over this story so that you are aware of the types of attacks you may face now and in the future.

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Titan II ICBM at Site 571-7
Protection Through Power

I recently visited the Titan Missile Museum near Tucson, Arizona.  This was a fascinating place and I highly recommend visiting the museum if you are in the area.  The Titan II was capable of launching from its underground silo in 58 seconds and could deliver a nine megaton thermonuclear warhead to its target more than 6300 miles away, in less than thirty minutes.  Of the 54 Titan II missile sites that were in service between 1963 and 1987, the Tuscon site is the only one that remains.  The underground facility reminded me of Lost’s Dharma Initiative because of the age and colors of everything.  The computer systems and technology used to run the facility and missile were amazing.  Fifty plus years ago this would have been quite the feat to develop and relied on some very smart engineering.

I think the colors of the picture turned out great.  This photo was taken with my phone and the colors were enhanced with Snapseed.