We do really need to think about security. Properly.

I have just returned from an IT directors forum (conveniently held on a cruise ship) where I had the pleasure of meeting many IT security experts and sharing their thoughts and experience.

The frequency, complexity and skill involved in cyber attacks are increasing exponentially. And these attacks are becoming more and more targeted, i.e. criminals are specifically choosing you, learning about you, then crafting specific methods to steal your data.

You need to think carefully about this. The people I spoke to over the last few days talk ‘when’, not ‘if’. Their opinion is that it will, without doubt, happen to you.

So what can be done about this? Some people say ‘nothing’ – if a determined hacker wants you, they will get you. Obviously they are not suggesting you don’t do anything, but you have to consider this when designing your systems and processes.

The first stage is to understand the information you have and how important it is. What is the impact if someone does steal it? The best principle is to put your assets in bubbles of criticality, allowing you to better protect the parts which really matter. Then work out how that information enters and leaves each bubble. You may have one bubble inside another.

Protecting just at the perimeter is not the solution. You are far more likely to have a data breach from an insider than from an external attacker.

I feel that all the talks I have been to are mostly intended for larger businesses. However, SMEs now really have to start thinking about this too. It can be difficult to set aside the time to think about this, and even harder to start implementing changes.

There was once a day when people thought their system was secure because they enabled password expiry every 90 days. Even this seemed painful to users.

There are no simple answers, unfortunately, and you have to think through your entire plan top to bottom. However, here are some pointers to think about:

  1. Patch your servers. Regularly. Always.
  2. Segment your network. Does your HR database need to be on the same LAN as all your users? Isolate it, along with the people who need access to it.
  3. Think about your access permissions to your files. It may be easy to give everyone access to everything, but they don’t need it. A malicious piece of code assuming the identity of a compromised account will gladly take everything it can.
  4. Take away all those Administrator rights. If you need admin rights, set up a different account and use it only when you need to.
  5. Take away those admin rights from services too. Use dedicated service accounts for everything. Too many times I see a SQL Server running as the domain administrator. It doesn’t need it. Everything should have separate accounts.
  6. Vet your staff. And make sure they are happy.
  7. Don’t leave easy workarounds in important processes. If staff circumvent it, an attacker certainly will.
  8. Take the quick wins, e.g. disk encryption (BitLocker is great!), but think about removable media too (again, BitLocker can really help here).
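Pointers 3 to 5 come down to finding out which accounts actually hold privileged rights. As an added example (not from the original post), the PowerShell function below lists Windows services that run under Administrator or other privileged accounts, which is exactly the ‘SQL Server running as the domain administrator’ case. The account-name patterns and the CONTOSO domain are placeholders to adapt to your own environment.

```powershell
# Added example (not from the original post): audit Windows services that run
# under highly privileged or shared accounts, as a check for pointer 5 above.
# Assumptions: run with rights to query CIM on the target machine; the account
# name patterns below are illustrative and 'CONTOSO' is a placeholder domain.

function Get-PrivilegedServiceAccounts {
    param(
        # Account name patterns that should not own a service. Constructed for
        # this example; adjust to your domain and naming conventions.
        [string[]]$SuspectPatterns = @('*\Administrator', 'CONTOSO\Domain Admins*', '*\*admin*'),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Win32_Service exposes the logon account in StartName and the binary in PathName.
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName

    foreach ($svc in $services) {
        $account = $svc.StartName
        if (-not $account) { continue }    # some kernel drivers report no account

        $hit = $false
        foreach ($pattern in $SuspectPatterns) {
            if ($account -like $pattern) { $hit = $true; break }   # -like is case-insensitive
        }

        if ($hit) {
            [pscustomobject]@{
                Computer = $ComputerName
                Service  = $svc.Name
                Account  = $account
                State    = $svc.State
                Path     = $svc.PathName
            }
        }
    }
}

# Usage: list the offenders, then plan a move of each one onto its own
# dedicated (ideally group-managed) service account.
Get-PrivilegedServiceAccounts | Sort-Object Account, Service | Format-Table -AutoSize
```

Run it against each server with `-ComputerName`; an empty result is the goal, and anything running as a domain admin goes to the top of the list for a dedicated account.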

The next interesting thing I learnt about is crisis management. Hell, if they say your data will get stolen, you may as well prepare to deal with the crisis when it happens (assuming you know you’ve been breached, it’s more than likely you won’t even know).

Some things I took away from it were:

  1. Train your staff. Make sure a consistent message is portrayed to customers (or journalists).
  2. This will no longer be IT’s problem; they won’t be able to fix this for you.
  3. Respond fast – really fast. Seconds matter now. Social networking allows people to talk about you very effectively, a message will travel so fast, make sure it’s the right message. Oh and be humble and concise too.

Getting all this right takes time. Many people I know are looking to ISO27001, which is a good thing. But it’s tricky to do, time consuming and can be expensive. However, what I am also finding is that customers are now expecting it and requiring it. Especially if you are collaborating with someone else who is certified, customers will expect the whole chain to be certified.

So start thinking about IT security now and start making changes. This will forever be an evolving landscape – you won’t be able to fix it, it’s a constant battle you need to fight and be ready for every day.

Some other points that were brought up in the event, some I found amusing, but actually valid and thought provoking:

  1. Bugs – they can be bought really cheaply now. What’s inside that new plant pot that you received from a random person? What have you been discussing near it recently?
  2. ‘I only manufacture toilet rolls, why would anyone be bothered with me?’ I presume you have competitors? What if they knew all your cost prices and the supply details you have with your customers? Wondering why you’re losing out on a load of deals? Maybe they know what you are offering. What if your complete accounts were published online?
  3. Would your staff be pleased if all their personal details and salaries were published on a website – it’s all inside that simple old payroll system!

DirectAccess 2012 with RSA deployment experience

I have just completed a large deployment of DirectAccess for a UK business. They were migrating from UAG and also wanted to implement RSA authentication.

The solution involved two separate load balanced arrays in different sites, RSA OTP authentication, Network Policy Health checks (NAP/HRA), Windows 7 client roaming between sites and ManageOut.

The deployment could have been a smooth experience, but I came across numerous issues, and errors in the Microsoft documentation, particularly when it came to multi-site setup and load balancing.

Microsoft have produced some nice lab guides and walk-throughs, but these are littered with errors, and there appears to be no official ‘meaty’ documentation on the setup, which I found unusual and frustrating. It feels like they had a great idea with 2012 DA, but rushed it out the door, lacking large amounts of testing and detail.

I am pleased to say that the solution works well however!

Some issues I encountered were:

  • Amount of hacking required with PowerShell to make Win7 client roaming work
  • Changing the IP-HTTPS encryption certificate in the GUI resets some of that customisation, requiring some scripts to be rerun to ‘fix’ it after the change (Set-NetIPHTTPSConfiguration -PolicyStore PersistentStore -ServerURL "https://+:443/IPHTTPS")
  • Adding a node to NLB sometimes gets the subnet mask wrong on the dedicated IP. In this case the subnet mask got set to 255.255.255.15 instead of 255.255.255.240. This caused a ‘misconfigured’ error.
  • Detail on a unified IPv6 address for DNS64 across the load balanced servers and sites was lacking. It feels like a very dirty hack to add a common IPv6 address across all nodes. See 2.1.3.2 here http://technet.microsoft.com/en-us/library/jj735306.aspx
  • I found this custom IPv6 address seemed to ‘disappear’ often
  • Once you set up this custom DNS64 address you can still use the GUI to add new DNS suffixes, but it insists on an IPv4 address, so you have to use PowerShell to add new ones with the IPv6 address: Add-DAClientDnsConfiguration -DnsSuffix '.domainname.com' -DnsIPAddress @('customipv6DNS64address') -Verbose -ComputerName 'daservername'
  • I also found the Windows 7 IP-HTTPS client sometimes got stuck in an error ‘No Usable Certificate(s) 0x103’. None of the MS blogs contained a solution. Restarting the IP Helper service resolves it, or just boot the laptop with no network connection. It seems to appear if it automatically connects to an 802.1X WPA Enterprise WLAN on startup.
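Three of the issues above (the IP-HTTPS listener URL being reset by the GUI, the custom DNS64 IPv6 address ‘disappearing’, and NLB writing the wrong subnet mask on the dedicated IP) are silent misconfigurations that are cheap to check for after every change. As an added example, not part of the original post, here is a PowerShell post-change check for a DA 2012 node plus the client-side IP Helper restart. It assumes the Get- counterparts of the cmdlets mentioned above expose `ServerURL`, `DnsSuffix` and `DnsIPAddress` properties, and the IPv6 address, dedicated IP and mask are placeholders for your own values.

```powershell
# Added example (not from the original post): post-change sanity check for a
# DirectAccess 2012 node. Run on each DA server after changing the IP-HTTPS
# certificate in the GUI or adding a node to NLB. All addresses are placeholders.

function Test-IpHttpsListener {
    param([string]$ExpectedUrl = 'https://+:443/IPHTTPS')
    # Assumption: Get-NetIPHTTPSConfiguration returns the ServerURL that the
    # Set- cmdlet above writes; the GUI certificate change can reset it.
    $cfg = Get-NetIPHTTPSConfiguration -ErrorAction Stop
    [pscustomobject]@{
        Check  = 'IP-HTTPS ServerURL'
        Actual = ($cfg.ServerURL -join ',')
        Ok     = ($cfg.ServerURL -contains $ExpectedUrl)
    }
}

function Test-Dns64Suffixes {
    param([string]$ExpectedDns64)
    # Assumption: Get-DAClientDnsConfiguration returns one object per NRPT
    # suffix with DnsSuffix and DnsIPAddress (an array) properties.
    Get-DAClientDnsConfiguration | ForEach-Object {
        [pscustomobject]@{
            Check  = "DNS64 address for $($_.DnsSuffix)"
            Actual = ($_.DnsIPAddress -join ',')
            Ok     = ($_.DnsIPAddress -contains $ExpectedDns64)
        }
    }
}

function Test-NlbDipMask {
    param([string]$DedicatedIp, [string]$ExpectedMask = '255.255.255.240')
    # Win32_NetworkAdapterConfiguration holds IPAddress and IPSubnet as parallel
    # arrays, so the mask for the DIP sits at the same index as the address.
    # This catches the 255.255.255.15 mask NLB wrote in the post.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $i = [array]::IndexOf([string[]]$a.IPAddress, $DedicatedIp)
        if ($i -ge 0) {
            return [pscustomobject]@{
                Check  = "NLB DIP $DedicatedIp subnet mask"
                Actual = $a.IPSubnet[$i]
                Ok     = ($a.IPSubnet[$i] -eq $ExpectedMask)
            }
        }
    }
    [pscustomobject]@{ Check = "NLB DIP $DedicatedIp subnet mask"; Actual = 'address not found'; Ok = $false }
}

function Invoke-DAPostChangeCheck {
    param(
        [string]$ExpectedDns64 = 'fd00:db8::53',   # placeholder: your common DNS64 IPv6 address
        [string]$DedicatedIp   = '192.0.2.17',     # placeholder: this node's NLB dedicated IP
        [string]$ExpectedMask  = '255.255.255.240',
        [string]$ExpectedUrl   = 'https://+:443/IPHTTPS'
    )
    @(
        Test-IpHttpsListener -ExpectedUrl $ExpectedUrl
        Test-Dns64Suffixes   -ExpectedDns64 $ExpectedDns64
        Test-NlbDipMask      -DedicatedIp $DedicatedIp -ExpectedMask $ExpectedMask
    ) | Format-Table Check, Actual, Ok -AutoSize
}

function Repair-Win7IpHttpsClient {
    # Client-side workaround from the post for 'No Usable Certificate(s) 0x103':
    # restart IP Helper (service name iphlpsvc), then show the tunnel state.
    # netsh is used because Windows 7 lacks the NetworkTransition cmdlets.
    Restart-Service -Name iphlpsvc -Force
    netsh interface httpstunnel show interfaces
}

# Usage on a DA server: Invoke-DAPostChangeCheck -ExpectedDns64 '<your address>' -DedicatedIp '<this node DIP>'
# Usage on a stuck Windows 7 client (elevated): Repair-Win7IpHttpsClient
```

Any row with `Ok` set to False points at the script that needs rerunning (`Set-NetIPHTTPSConfiguration` for the listener, `Add-DAClientDnsConfiguration` for a missing suffix address, or the NLB properties dialog for the mask), which turns the ‘it disappeared again’ experience into a two-minute check rather than a support call.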