I don't do this completely, but I'm migrating there, which is to run everything on VMs and do snapshots and full backups often.
That doesn't solve security issues with information compromise, but it does bypass cryptolock entirely. If someone gets in and locks your information, you just roll back to before and tighten security. Most VM management tools nowadays do this in a few clicks. Security is another issue. I really need to start using LONG usernames and passwords, which appears to be one of the best ways to defeat the brute force stuff.

From: Af [mailto:[email protected]] On Behalf Of Tyler Treat
Sent: Friday, September 30, 2016 5:31 AM
To: [email protected]
Subject: Re: [AFMUG] the future of internet security

So lots of things - I just woke up so bear with me:

Most are dominant on the Corp side, but are migrating to SMB. 2FA/MFA is big and getting bigger. Most of your major players support native integration with a 2FA provider. For example: log in to your company VPN with your AD credentials, Duo sends a push notification to your device that you accept before you're allowed in. Same goes for Windows servers.

Yes, pretty much block all access that's not needed. Allow VPN from the world if you have to. Require access to anything else to be across the VPN. Microsoft has "Direct Access" which implements a seamless behind-the-scenes tunnel back to the "inside" of your network, though it requires IPv6 on any internal resource you need to access.

Lots of things changing in the Windows world. Hybrid Cloud/On-Prem networks are starting to pop up, where you can be on net at the office with your local DCs, then talk to the great DC in the sky when you're on the road. The key is that no matter where you're at, you're sending all your traffic through your corporate controls. Mobile Device Management suites are doing the same thing for phones and tablets.

Citrix and/or VDI has its use case too, where you can keep all the data in your friendly confines, and only send pictures across the wire.
Admittedly more useful for helping with running "heavy" apps across the network for performance reasons, but there's a security play there as well.

SQL injection is happening all the time as well, so be protective of your webapps. Full disk encryption has its place as well.

I was at a Sophos meeting the other day where they claim to be able to stop Cryptolocker etc. with their new "CloudIntercept" product. Certainly seems like a steep claim, but it's interesting.

Which leaves you. You are the weakest link in all of this. Lots of stats out there about the percentage of hacks linked to social engineering. Phishing/whaling via email is a huge deal right now and the emails are getting better all the time. Phone scams are still prevalent too.

At the end of the day, it's all time and money. If you're targeted by someone who has one or both, they're going to get in some way. Your goal should be to raise the bar high enough that the dumb easy shit doesn't compromise you and that you have an active, well-rehearsed recovery plan for anything critical.

___________________________
Mangled by my iPhone.
___________________________
Tyler Treat
Corn Belt Technologies, Inc.
[email protected]
___________________________

On Sep 30, 2016, at 1:22 AM, CBB - Jay Fuller <[email protected]> wrote:

To be COMPLETELY ANAL I suppose you could deny ALL incoming access and permit ONLY the IP addresses you work from. Then it is more work whenever you change a connection, but I am aware of that policy. Additionally, I suppose someone could spoof your IP.

I keep hearing other security holes are large enterprise environments. You might lock the heck down on the corp network, but then Joe Blow uses his company-provided iPad with 4G LTE internet and connects right into something that isn't controlled by the internal network security policy and someone comes in that way....

Robots, aren't they great? Script kiddies....
----- Original Message -----
From: CBB - Jay Fuller <[email protected]>
To: [email protected]
Sent: Friday, September 30, 2016 1:10 AM
Subject: Re: [AFMUG] the future of internet security

I truly believe about 80% of all hacking is social engineering - - convince the company to let you in - - you're with the phone company to get faster internet. Let me in the server room. I guessed my ex-girlfriend's cat's name.

I have no idea what is involved in hacking the DNC phone records or Hillary's emails... probably not social engineering. Weak passwords?

I know looking at a Mikrotik log there are tons tons tons tons of random IPs guessing root passwords... I usually just disable those ports.

----- Original Message -----
From: CBB - Jay Fuller <[email protected]>
To: [email protected]
Sent: Friday, September 30, 2016 1:00 AM
Subject: the future of internet security

Travis brings up a very good point with his ransomware query..... and I caught the tail end of a discussion with I think it was Cisco on some TV channel that I thought also raised some very good points. One thing I always like about trade shows and user group get-togethers is conversations about topics like this.

On TV the point was made that the internet is no longer coming "into one business" or a clearly defined demarcation point. With the advent of the internet of things and distributed work environments there is no longer just one place to look at securing.

As I thought about this it became very clear to me. For example, even our company is pretty distributed. We have up to five office staff that work from home at any given point in time - myself included. We use web browsers and the Powercode WISP management system - that does reside within our network - but on a public IP address. At my house (and at least two of our techs') they are not within our network footprint, or the trees are so thick there is limited to no service here.
So my connection comes in off a cable modem. I also have a VoIP phone - going back to our office - and our NetSapiens VoIP switch. In the near future we will probably have VoIP phones, remote access to our office (I do have a Mikrotik with a permanent VPN connection to the office, but the aforementioned devices are all public IP accessible), if I happen to be visiting my parents or at a location with nothing more than a Windows PC, I can access Powercode or plug my phone in and hopefully not have to create a VPN connection or a remote desktop connection or remember to clean those credentials off.

In fact, even more annoying is a lake rental property we have with a pretty smart TV. I've watched some Netflix out there in between renters, but when I leave and come home 'cause it's rented, you better be sure you clean your Netflix account off that smart TV...

What about home security systems? Connected homes? Yes, I suppose they all log in to the cloud and authenticate - hopefully by something more than just a username and a password. Would be nice if they authenticated by serial number or something - (like a MAC address?) but maybe we access those with our smart phones, over our Verizon 4G LTE connection, and not our home wifi, or maybe my dad's iPad - which is provided by his company and has company software on it - and probably shouldn't access my home automation stuff. Heaven forbid if my neighbor somehow accidentally connects to my home automation software instead of theirs - (hah, surely not).

One thing I have seen a lot more of and am probably good with - is this two-factor authentication. Our rental management portfolio (HomeAway) requires confirmation of both an email alert and a text alert to your phone before you can log in (at least on a new device) - which I'm sure is set by a cookie.
I've seen this in banks too - so it's obviously more secure - but I also saw it once (I think) on eBay or PayPal - - where someone registered a disposable phone to my account - and then somehow used that to authenticate fraudulently - that took some tracking down.

An associate recently notified me they wanted to change from using Yahoo as "free email" (I told them it sold to Verizon anyway, not a bad thing to look for something else) - to something else 'cause it now required a cellphone to be registered. I know from running a WISP about 40% of my customer base has a new cellphone number every three months. Must be the dating folks...

I suggested Gmail - they laughed, said they didn't like Gmail's clunky interface - - I have to admit I have been annoyed by it. I have one company on Gmail's domain and spam gets "eaten" then never delivered - even if it is legitimate mail. After about three months of training the system I think it is finally delivering what it is supposed to - - but who knows.

OK, I've rambled. But I think it's a good topic for discussion. What does security -- not network security ('cause we're on like 15 different networks, no?) - - what does security look like moving forward? Is two-factor authentication becoming standard? What is better? Where do we go from here?

Good day. :)
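Jay's point about a Mikrotik log full of random IPs guessing root passwords is the kind of thing worth turning into a check rather than eyeballing. The script below is an added example, not code from anyone on this thread: it counts login failures per source address over constructed sample log lines and reports the addresses that tried several usernames. It assumes RouterOS's "login failure for user X from A.B.C.D via ssh" line shape; treat that regex as an assumption and adjust it to your own log export.

```python
import re
from collections import Counter, defaultdict

# RouterOS login-failure lines look roughly like this (format is an assumption;
# check it against your own log output). All sample lines are constructed.
SAMPLE_LOG = """\
sep/30 01:02:11 system,error,critical login failure for user root from 203.0.113.7 via ssh
sep/30 01:02:13 system,error,critical login failure for user admin from 203.0.113.7 via ssh
sep/30 01:02:15 system,error,critical login failure for user root from 203.0.113.7 via ssh
sep/30 01:02:19 system,error,critical login failure for user admin from 203.0.113.7 via ssh
sep/30 01:03:40 system,error,critical login failure for user admin from 198.51.100.9 via winbox
sep/30 01:05:02 system,info,account user admin logged in from 192.0.2.10 via winbox
sep/30 01:06:30 system,error,critical login failure for user root from 198.51.100.23 via ssh
sep/30 01:06:31 system,error,critical login failure for user test from 198.51.100.23 via ssh
sep/30 01:06:33 system,error,critical login failure for user pi from 198.51.100.23 via ssh
"""

FAILURE_RE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<ip>[\d.]+) via (?P<svc>\w+)"
)


def parse_failures(log_text):
    """Return a list of (ip, user, service) tuples, one per failed-login line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("user"), m.group("svc")))
    return hits


def brute_force_sources(log_text, threshold=3):
    """Map each source IP with at least `threshold` failures to the usernames it tried.

    Several distinct usernames from one address is the classic guessing pattern;
    a single user failing once or twice is more likely a typo.
    """
    per_ip = Counter()
    users = defaultdict(set)
    for ip, user, _svc in parse_failures(log_text):
        per_ip[ip] += 1
        users[ip].add(user)
    return {ip: sorted(users[ip]) for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    for ip, tried in brute_force_sources(SAMPLE_LOG).items():
        # Candidates for a block list or a per-IP rate limit on the management ports.
        print(f"{ip}: {len(tried)} usernames tried: {', '.join(tried)}")
```

The successful "logged in" line is deliberately left unmatched so the count only reflects failures; lower the threshold if your management ports are already closed to the world and any failure is suspicious.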
