Security Posture (http://10.10.10.29), feed generated Fri, 19 May 2017 12:57:32 +0000

Improve Your Business IT Security Posture
http://10.10.10.29/improve-your-business-it-security-posture/
Tue, 01 Nov 2016 08:00:17 +0000

As an ISO, CIO, CSO or CTO, we need to secure our infrastructure, both online and physical. In today’s world, remote workers, subcontractors, phones and laptops are the core of many businesses. The physical protection of phones and computers is left to the users of the devices, whereas physical copies of documents and other sensitive information can easily be locked up in a safe at the office or even at home.

For the majority of startups, small and medium businesses, the risks mostly relate to phones and computers. Being in this situation myself, with a background in IT security, I thought I would share the easy, low-cost tips and tricks for securing your IT devices.

Before taking action, we must first understand how we are exposed to hackers and thieves who could access our computers.

To make it easy, let’s divide the attack surface into three easy-to-remember categories:

  • The targeted malware, coming after you
  • The physical hardware loss or theft
  • The commodity malware, attacking the masses

First, let’s cover targeted malware.

Being hacked directly early in the life of a business is unlikely. However, the targeted-malware attack vector grows as your business matures and starts disturbing your competitors’ market. The main reasons for this attack vector are:

  • Cyber criminals see you as a profitable target.

Example:

A group of criminals could target the finance department to gather all the information necessary to wire money out of your accounts. Many medium-sized businesses fall victim to such attacks and suffer significant losses that hurt their cash flow.

  • Cyber criminals are funded by your competitors to get information or to sabotage your business.
  • Your competitors might also get state-sponsored hacking support in parallel, without even knowing about it. Corporate espionage is far more common than most people expect.

Example:

A popular attack from competitors is to get copies of quotes from your business in order to underbid you. Many CEOs and co-founders come to me and explain to me how they were targeted and hacked. Some are at risk because of international contract negotiations. When business owners share their story with us, it’s typically because they lost a contract unexpectedly and wondered what happened, looking for internal traitors, when in fact there were none: they were simply hacked. Their privacy had been breached.

Second, let’s discuss commodity malware.

Lately, commodity malware such as ransomware has picked up momentum. As you may already know, ransomware encrypts all existing files on your device and demands bitcoins in exchange for decrypting them. This type of attack targets the masses in order to infect as many hosts as possible. Such an attack significantly disrupts business operations and adds the cost of recovering the encrypted files. The rising number of ransomware attacks motivates businesses to harden their IT security posture. Even large enterprises are suffering from ransomware attacks.

So, what is the simple way to improve your IT security posture? Backups!

  • Test your backups
  • Keep more than one backup
  • Don’t forget to encrypt your backups

Another popular kind of commodity malware is used to build and control botnets. Botnets are swarms of infected computers or internet-connected devices, used to perform many tasks, the most popular being Distributed Denial of Service (DDoS) attacks. This type of commodity attack is constantly growing in size and capacity. The recent attack on Dyn is certainly proof of the potential damage that DDoS can cause.

Let’s cover the loss or theft of devices.

As more and more of our information is concentrated on devices such as our phones and computers, losing them can mean an irreparable loss of personal and business data. Some IT security services offer features to wipe lost devices remotely. My advice would be not to rely on such features. Of all the devices lost by or stolen from Arc4dia’s staff and clients, none has ever connected to the Internet in a way that would have allowed the remote wipe (erase all information) to be sent.

In my opinion, the only practical protection here is to have a good password and full disk (device) encryption. With the latter, you can expect that your device will have to be reset to be usable again, which erases your documents, before it ends up being sold on the black market.

To sum up the protection against theft: a good password plus full disk (device) encryption.

Note

On an iPhone, disk encryption is always on. Simply set a strong PIN or password, combined with the option to wipe the device after too many failed attempts.

On Android, in most cases, you have to turn on device encryption in the settings. Android also lacks a wipe-after-too-many-failed-attempts feature; you will need to install an app such as Locker, or an equivalent, for this.


On a Mac, disk encryption is easily turned on in the security settings.

https://support.apple.com/en-us/HT204837

On a Windows computer, disk encryption can be turned on in the security settings. However, BitLocker requires the Pro edition or higher.

https://support.microsoft.com/en-us/instantanswers/e7d75dd2-29c2-16ac-f03d-20cfdf54202f/turn-on-device-encryption

Simple Guide To Improve Security Posture To Minimize Malware Attacks
http://10.10.10.29/simple-guide-to-improve-security-posture-to-minimize-malware-attacks/
Wed, 26 Oct 2016 08:00:00 +0000

We live in a business world where more and more employees work remotely. From a business perspective, hiring around the globe lets you tap into more resources. However, remote workers introduce IT security risks.

There are a few basic tactics that can be considered and implemented at minimal or no additional cost.

  • Be different and avoid software used by the masses
  • Be disciplined and aware

What does this mean in practice? It depends on your situation, but there are many generic choices applicable to most of us.

Start with avoiding the top 4 cyberattack vectors:

  • Flash
  • PDF
  • Microsoft Office Documents
  • Javascript

By avoiding or limiting these 4 cyberattack vectors, you will most likely prevent 99.9% of attacks against startups, small and even medium-sized businesses, or against you personally.

Example:

Amazon asked for any installed antivirus software to be removed from every employee’s computer! Why? Recently, antivirus engines have been easier to hack than the systems themselves, arguably putting antivirus users at more risk than they would be without it.

Let’s evaluate the most critical software, the web browser.

I cannot stress enough: avoid using Internet Explorer, Edge and Safari; only use them where necessary for legacy reasons.

I recommend using the Chrome browser instead. Why? Chrome is built by a team of experts who care greatly about security and about minimizing its attack surface. This is not to say that it is perfect, but, in my opinion, it is more secure than the browsers mentioned above.

Chrome has offered click-to-play for Flash for much longer than any other browser; make sure this feature is enabled. Click-to-play prevents hidden Flash content from running, leaving only the Flash you can see (and click on) to run. Flash is on its way out of the internet: fewer and fewer websites require it to work properly.

To make sure this feature is on, go to Chrome settings –> Show Advanced Settings –> Content Settings –> in Plug-ins, select “Let me choose when to run plug-in content”.

https://support.google.com/chrome/answer/142064?hl=en

In addition, Chrome sandboxes PDFs, opening them in a process of their own with limited access to your system. This is a great default feature and no action is required to benefit from it.

You can also enable Javascript whitelisting.

What does this mean? By today’s standards, almost every website runs Javascript code in your browser. Almost every non-document attack requires Javascript execution to work. No Javascript, no successful exploitation.

Now, the big problem is that we need Javascript to enjoy the browsing experience: making online payments, listening to music, watching videos, etc. One possible solution is a feature similar to click-to-play for plug-ins such as Flash: whitelisting for Javascript. However, this will break the dynamic behaviour and rendering of many websites, and managing the Javascript whitelist takes a little time, which can be frustrating. On the upside, you will break a lot of attacks by making it impossible for them to work against you. Being a user of Javascript whitelisting myself, I’ve come up with a few tricks to avoid some of the annoyances.

First, here’s how to enable this feature in Chrome.

Go to Settings –> Show Advanced Settings –> Content Settings –> in the Javascript section, select “Do not allow any site to run Javascript”.


Don’t worry, you can still easily let Javascript run wherever you would like to. Here’s how:

  1. Go to www.youtube.com or www.gmail.com or any site you use daily.
  2. The first time you load the chosen website, you will see a “<>” icon with an x on it at the end of the URL bar (where you typed the address). To enable Javascript for this website, click the icon and, from the menu that appears, select “Always allow Javascript on <website>”.
  3. Then re-enter the website, either by re-typing the address or by selecting it again and pressing ‘enter’. This time, the website will load with Javascript and the “<>” icon will not appear.

Voilà! You are now blocking all external and indirect Javascript, protecting yourself from a lot of the malicious Javascript out there.

The most annoying problem you will encounter is when shopping online. Sometimes you need to whitelist 4 different websites to allow one single transaction to go through. Most of the time, by the time you have allowed all the websites to work, your purchase will have failed and you have to do it all over again. Thankfully, there is a simple way to work around it. In such cases, I simply use another browser, such as Firefox, that runs Javascript by default.
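To make the click-through above and the Flash click-to-play setting concrete, here is an added example (not code from the original post, and not Google’s code) that models Chrome’s per-site Javascript whitelist: a default of “block” plus an allow list of site patterns, with the same verdict Chrome gives for a page URL, and the managed-policy JSON that pins those settings on every machine you administer. The policy names used (DefaultJavaScriptSetting, JavaScriptAllowedForUrls, DefaultPluginsSetting) are the documented Chromium policy names; the pattern matcher is a simplified approximation of Chrome’s content-settings pattern syntax (“[*.]host” means the host and its subdomains, scheme and port are optional, “*” is a wildcard) and covers only the common cases. The whitelist and URLs in demo() are constructed and mirror the YouTube/Gmail walk-through, including the “one more site needed” case from the shopping annoyance.

```python
"""Added example (not from the original post or from Google): a small model of
Chrome's per-site Javascript whitelist and the managed policy that pins it.
The pattern matcher is a simplified approximation of Chrome's pattern syntax."""
import json
import re
from urllib.parse import urlsplit

# Chrome policy values: 1 = allow, 2 = block (DefaultJavaScriptSetting);
# 3 = click to play (DefaultPluginsSetting, valid for Chrome versions of that era)
ALLOW, BLOCK, CLICK_TO_PLAY = 1, 2, 3

_PATTERN = re.compile(
    r"^(?:(?P<scheme>\*|[a-z][a-z0-9+.-]*)://)?"   # optional scheme or "*"
    r"(?P<wild>\[\*\.\])?"                          # optional "[*.]" subdomain wildcard
    r"(?P<host>\*|[^:/\[\]\s]+)"                    # host or "*"
    r"(?::(?P<port>\*|\d+))?/?$", re.IGNORECASE)

DEFAULT_PORTS = {"http": "80", "https": "443"}


class SitePattern:
    """One whitelist entry, e.g. "[*.]youtube.com" or "https://mail.google.com"."""

    def __init__(self, text: str):
        m = _PATTERN.match(text.strip())
        if not m:
            raise ValueError(f"unsupported pattern: {text!r}")
        self.text = text
        self.scheme = (m["scheme"] or "*").lower()
        self.subdomains = m["wild"] is not None
        self.host = m["host"].lower()
        self.port = m["port"] or "*"

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        port = str(parts.port) if parts.port else DEFAULT_PORTS.get(scheme, "")
        if self.scheme != "*" and scheme != self.scheme:
            return False
        if self.host != "*" and host != self.host and not (
                self.subdomains and host.endswith("." + self.host)):
            return False
        return self.port == "*" or port == self.port


class JavaScriptPolicy:
    """Default setting plus an allow list: what the per-site clicks in the post
    build up one website at a time."""

    def __init__(self, default: int = BLOCK, allowed=()):
        self.default = default
        self.allowed = [SitePattern(p) for p in allowed]

    def scripts_run(self, url: str) -> bool:
        if any(p.matches(url) for p in self.allowed):
            return True
        return self.default == ALLOW

    def managed_policy(self, flash_click_to_play: bool = True) -> dict:
        """Equivalent Chrome managed policy (documented Chromium policy names)."""
        policy = {"DefaultJavaScriptSetting": self.default,
                  "JavaScriptAllowedForUrls": [p.text for p in self.allowed]}
        if flash_click_to_play:
            policy["DefaultPluginsSetting"] = CLICK_TO_PLAY
        return policy


def demo() -> dict:
    """Constructed whitelist mirroring the post's YouTube / Gmail walk-through."""
    policy = JavaScriptPolicy(BLOCK, ["[*.]youtube.com", "https://mail.google.com"])
    expected = {
        "https://www.youtube.com/watch?v=example": True,    # subdomain wildcard
        "https://youtube.com/": True,                       # bare domain also matches
        "https://mail.google.com/mail/u/0/": True,          # exact host over https
        "http://mail.google.com/": False,                   # pattern pinned to https
        "https://accounts.google.com/signin": False,        # the "one more site" case
        "https://notyoutube.com/": False,                   # no partial-host matching
        "https://ads.third-party.example/tracker.js": False,  # third-party script host
    }
    verdicts = {url: policy.scripts_run(url) for url in expected}
    return {"verdicts": verdicts, "expected": expected,
            "policy_json": json.dumps(policy.managed_policy(), indent=1)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The JSON that managed_policy() produces is what you would drop into Chrome’s managed-policy location (for example a file under /etc/opt/chrome/policies/managed/ on Linux) so that the default-block setting and the allow list cannot be undone from the settings page; the accounts.google.com verdict shows why a single login or checkout can require allowing several hosts, as the paragraph above describes.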

Now that we’ve limited our exposure through the browser, we can get back to discussing how to use documents safely.

Documents are the attack vector of choice for commodity malware because exploitation leveraging documents is cheaper and easier to develop. They are also used in targeted attacks.

How can anyone prevent or avoid document attacks? The logic is not to open the document, or in certain cases, not to “look” at it. However, this is not a very practical solution.

Before opening a document, it is important to assess whether it is actually meant for you and comes from someone you know. This is far from a perfect solution, but it will block certain incoming attacks.

Example:

You received an invoice via email: is it really an invoice you were expecting? If not, it is likely a document with an exploit in it. Simply delete the email without opening it. You can even tag it as spam or phishing in Gmail.

A simple and easy way to avoid document exploits is to let Google Docs open the document for you.

  1. Log in to Google Drive (free).
  2. Upload the Word document, PDF, Excel spreadsheet, or pretty much anything else to it.
  3. Open the document as a preview, or even convert it to Google’s native online Docs format.

This technique is a strong protection mechanism because, in the process of conversion, Google scans the document for potential malware and filters out any suspicious parts. If it cannot convert the document, that could be because of an exploitation attempt.

In theory, we can use Microsoft OneDrive with the same results.

We lose some privacy by opening documents via Google or Microsoft, but most day-to-day files are not that sensitive, and keeping your computer and phone clean is more important.

Another recommendation is to avoid using Adobe Flash on your computer. Simply don’t install it, or uninstall it. Chrome’s built-in Flash runs more securely because it runs in a sandbox.

Adobe Reader and Preview on the Mac are also frequent attack vectors. Choose a different PDF reader (arguably less secure, but not targeted) and remember that you can safely read PDFs in your Google Drive.

Antivirus or not, sandboxing or not, these techniques will keep you safe from many attacks. It has worked for me for several years, keeping the number of successful attacks to a minimum. In a following blog post, we will discuss what we can do to detect the attacks that make it through.
