Viewing 40 posts - 1 through 40 (of 40 total)
  • Office network security.
  • lovewookie
    Full Member

    Firstly I’ll get this out of the way. I’m in no way an IT person, and I know many here are. I can manage to troubleshoot specific problems with a big sticky plaster, but it’s more luck than judgement if anything works.

    Been thinking a bit about the small network I have here at work. We’re on a leased line tinterweb, most PCs running Win 10 Pro and only relying on Windows Defender as protection from nasty people.

    It’s grown from a few PCs linked through a switch to a broadband line to this, with frustrations with Norton, McAfee and AVG, so we ditched them in favour of the built-in Windows one. Our IT department doesn’t exist.

    Not sure whether our leased line is an open door, or whether there’s anything the ISP provide as part of their package. I don’t think so though.

    Question is, what should be in place?

    We don’t have a server on site, it’s all online (sharepoint) and we operate from workstations essentially.

    Maybe I’m sounding a bit dumb about it, but since getting the leased line, and being in touch with lots of related companies about it, we’re unsurprisingly getting an increasing number of cold calls asking about our firewalls and security. Whilst I manage to fob them off, I do start to wonder if there should be more in place, and could do with some impartial, non-sales advice?

    Thanks

    fisha
    Free Member

    Does the network have a firewall device ?

    jam-bo
    Full Member

    There are two types of company. Those who know they’ve been hacked, and those who don’t know they’ve been hacked…

    allan23
    Free Member

    If you’re not hosting or don’t have any mail servers on site then you’re probably at the lower end of the risk scale. It is all down to risk though; a leased line doesn’t make you any more susceptible. (Edit: Check what the line provider has included and if there is any firewall; most broadband routers have a crude firewall, many leased lines don’t.)

    I would probably judge it on your level of trust in your employees not to click sh!t and bring something nasty in. Most virus stuff I’ve dealt with has been down to someone doing something stupid, the more staff you have the increased odds that someone will be a bit slack over e-mails and clicking links.

    Also check each PC and assume it’s had a ransomware infection that renders it impossible to restore and you have to buy a new one.

    What would you lose by having to replace the PC? Do you have all the licences? Are there any files that are critical, or things like accounts software with wages databases that aren’t backed up?

    It’s all down to how much it would cost if you had a disaster.

    Sort out some kind of offline backup for any files on PCs and make sure it’s stored safe, preferably offsite. Cloud backup is usually not sufficient, if you do get hit by ransomware and the encrypted files sync with the cloud storage then you’re screwed.

    If your mini audit starts sounding expensive then consider getting someone to handle a firewall and backups. You can install firewalls yourself but they are incredibly easy to mess up and make ineffective. I’d probably look around for reputable local companies and get multiple quotes. See if any other people in the area use someone for their business.

    The various anti-virus products go through development cycles so some are better than others, oddly enough, Norton do seem to have done a bit of work for the 2016 package and it’s not too bad, despite being terrible in the past.

    lovewookie
    Full Member

    Thanks.

    The policy here is that any files located on the PC are files you can afford to lose should you download something stupid and need a format (the PC, not the person, unfortunately)

    This works for the most part, mostly stops people moaning too much if they lose their stuff.

    Onedrive is the only thing we allow sync, no syncing sharepoint.

    The most we get is the odd bit of malware/toolbars/search hijack, normally pretty easy to remove, and restricted to those who like to shop online.

    I’ll look into AV for individual PCs and see what firewalls we have. The router we have is ISP configured, but routed through a Draytek wireless router prior to the switches; all a bit bitty, but it works.

    I’ll have a closer look at the Draytek config to see if there’s a firewall built in to that; should be something, I think.

    canopy
    Free Member

    Get a proper AV, and depending on your market sector – encryption for workstations.

    Sounds like your main weakness, apart from the obvious virus route, is through the physical robbery/loss of workstations and laptops (this is your ‘attack vector’).

    5 main things to consider usually.

    1) The one everyone forgets/neglects is backups. SharePoint will protect you as long as 1) EVERYTHING is in it and 2) your SharePoint admin/s isn’t also a normal user who could be compromised (because a compromised user could delete the backups too!).

    2) Hijacking/data loss via virus/malware on workstations, either via browser exploits or installing dodgy software. Get a proper AV solution.

    3) Theft (type 1). Someone breaking in to the premises and taking all the computers. Would they get data that is business critical? Even if they wipe all the PCs, have you lost things that should have been backed up?

    4) Theft (type 2). Data leakage. This is an employee stealing and selling data.

    5) Accidental leakage. Things like people leaving laptops or USB sticks on trains without them being protected.

    Solutions:

    1 – backup software
    2 – anti-virus
    3 – encryption, backup software
    4 – data leakage protection
    5 – data leakage protection / encryption

    leffeboy
    Full Member

    The policy here is that any files located on the PC are files you can afford to lose should you download something stupid and need a format (the PC, not the person, unfortunately)

    Nice idea but you need to check regularly that people aren’t just using their desktop for that ‘important’ bit of work :(. It’s not unusual for folks to not understand that and have GB of stuff that is ‘only temporary’.

    Cougar
    Full Member

    Windows Defender is fine. Anyone telling you different is probably selling AV. You’d be far better expending your efforts on making sure all your software is up to date and teaching people not to click on stupid crap.

    A firewall is a good idea, though the ISP-configured router probably has a basic firewall built in. Worth asking the question though.

    For your size of setup I’d be considering an OpenDNS subscription to block undesirable websites.

    Backups, backups, backups.

    lovewookie
    Full Member

    It’s not unusual for folks to not understand that and have GB of stuff that is ‘only temporary’.

    That’d be the MD….

    We’ve had quite a few catastrophic losses of data due to old equipment to know that when it’s gone, it’s gone.

    Thanks for all the advice, much appreciated, I can propose a few things to the rest of the ‘IT’ group here and get a spend budget.

    verses
    Full Member

    At a basic level there are online firewall checkers that scan your system remotely and let you know what’s “open” and what isn’t;

    Obviously, going to a random website and basically telling them you’re unsure about how defended your system is and asking them to scan it for you isn’t without risks… I’ve not used it for a while, but the following one was the go-to one a few/lot of years ago;

    https://www.grc.com/x/ne.dll?bh0bkyd2

    lovewookie
    Full Member

    Next up then, and something fairly easy to tick off.

    Decent AV that’s not going to grind a medium-specced PC to a halt?

    Cougar
    Full Member

    Also check each PC and assume it’s had a ransomware infection that renders it impossible to restore and you have to buy a new one.

    Eh? I’d love to know what ransomware can break hardware.

    (Ok granted, there was CIH and BadBIOS, but CIH was 15 years ago and BadBIOS is essentially mythical so we can file these under “exceptional.”)

    jeffl
    Full Member

    Yep, the GRC link above is a good check. Whilst it says it’s scanning your computer, it is actually scanning your network endpoint, which normally means your router or firewall. So for example if I try it on my phone or PC whilst connected to my home WiFi it will give me the same IP address, as it’s actually poking my firewall.

    lovewookie
    Full Member

    Yeah, just tried that, reassuring. 🙂

    johnners
    Free Member

    Most of the above, but also don’t have people using admin accounts for routine day-to-day stuff. You should really restrict admin access, but expect a bit of resistance on that!

    allan23
    Free Member

    Eh? I’d love to know what ransomware can break hardware.

    (Ok granted, there was CIH and BadBIOS, but CIH was 15 years ago and BadBIOS is essentially mythical so we can file these under “exceptional.”)

    I know, but the idea is to think the PC is gone; could have said burst into flames or stolen. Just as unlikely, but a good way of considering what is on the PC that may need backups.

    Cougar
    Full Member

    decent AV that’s not going to grind a medium specced PC to a halt?

    Endpoint Protection is the corporate version of Defender. I think you need MSSC (System Center) for that though, and that’s about a grand IIRC (plus costs of a server and OS to run it on). TBH though, if you’re moving from any “home” AV to a managed enterprise solution you’re going to have your pants pulled down. For ten users I wouldn’t bother myself.

    Cougar
    Full Member

    I know, but the idea is to think the PC is gone; could have said burst into flames or stolen. Just as unlikely, but a good way of considering what is on the PC that may need backups.

    Considerably more likely I’d suggest, but yes, I see where you’re coming from now and totally agree.

    Yep the GRC link above is a good check.

    Not that I can think of anything better offhand, but I do find Steve Gibson to be a bit… sensational. I’m always wary of people who use RANDOM CAPITALS and bold text to point out to everyone how right they think they are.

    brassneck
    Full Member

    Windows Update on auto, and I’d probably invest in Malwarebytes for the PCs, and you’ve done the most pragmatic parts – assuming you’re behind a NAT router there is likely some sort of firewalling going on.

    I’d switch on the Windows Firewall too and let it annoy me into opening the ports for necessary stuff.

    Don’t run as Administrator; elevate as required with a local Admin account, ideally with a password you can bring yourself to use regularly, else everyone just goes back to being an admin.

    Could get a little NAS box with 4TB mirrored drives as your ‘local backup’ – would be small enough to take offsite at weekends etc.
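
    The checks suggested across this post and the earlier ones (Defender switched on and up to date, Windows Update current, Windows Firewall enabled, nobody running day-to-day as a local administrator, disk encryption for the theft case) can be rolled into one script that is run on each PC. The following is an added PowerShell example written for this thread, not code from any poster. It assumes Windows 10 Pro with the built-in Defender, NetSecurity, LocalAccounts and BitLocker modules, an elevated PowerShell prompt, and two assumed tunables: the accounts you expect to be local administrators and the maximum acceptable age of the newest installed update.

    ```powershell
    # Added example: quick security posture check for a standalone Windows 10 Pro PC.
    # Run from an elevated PowerShell prompt. Not from the original thread.

    function Get-EndpointPosture {
        param(
            # Accounts allowed to be local administrators (assumption: adjust for your office).
            [string[]] $ExpectedAdmins = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\itadmin"),
            # Maximum acceptable age of the most recently installed update, in days (assumption).
            [int] $MaxPatchAgeDays = 30
        )

        $findings = New-Object System.Collections.Generic.List[string]

        # 1. Defender: service running, real-time protection on, signatures recent.
        $mp = Get-MpComputerStatus
        if (-not $mp.AMServiceEnabled)          { $findings.Add('Defender antimalware service is disabled') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
        if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-3)) {
            $findings.Add("Defender signatures last updated $($mp.AntivirusSignatureLastUpdated)")
        }

        # 2. Windows Firewall: every profile (Domain, Private, Public) should be enabled.
        foreach ($fwProfile in Get-NetFirewallProfile) {
            if ($fwProfile.Enabled -ne 'True') { $findings.Add("Firewall profile '$($fwProfile.Name)' is disabled") }
        }

        # 3. Windows Update: the newest hotfix should not be older than the threshold.
        $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
        if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
            $findings.Add("No update installed in the last $MaxPatchAgeDays days (latest: $($latest.InstalledOn))")
        }

        # 4. Local administrators: anyone not on the expected list is working as admin day to day.
        $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        foreach ($member in $admins) {
            if ($ExpectedAdmins -notcontains $member) { $findings.Add("Unexpected local administrator: $member") }
        }

        # 5. Disk encryption on the system drive (the stolen/lost box case).
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        $blStatus = 'Unavailable'
        if ($bl) { $blStatus = [string]$bl.ProtectionStatus }
        if ($blStatus -ne 'On') { $findings.Add("BitLocker is not protecting $env:SystemDrive") }

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            DefenderRealTime = $mp.RealTimeProtectionEnabled
            SignatureDate    = $mp.AntivirusSignatureLastUpdated
            LatestHotFixDate = $latest.InstalledOn
            LocalAdmins      = $admins
            BitLocker        = $blStatus
            Findings         = $findings
        }
    }

    $report = Get-EndpointPosture
    $report | Format-List
    if ($report.Findings.Count -eq 0) { 'No findings.' } else { "$($report.Findings.Count) finding(s) to fix." }
    ```

    Run it on each workstation and keep the output; the Findings list is what goes on the to-do list for that PC, and re-running it after the fixes is the check that they actually stuck.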

    leffeboy
    Full Member

    For AV I’m a fan of ESET. Not because it is much better than the free Windows stuff but because I can have a central place where I can see that it is still switched on everywhere, has the latest definitions and I can force scans to run regularly. You do need to have at least one machine on to act as a ‘server’ though, but it doesn’t need to be a server.

    BUT

    As has been said already here, users are your biggest issue. AV is good enough now that it is more effective to do targeted phishing attacks. Once you have someone’s email address and login then you can scan all their emails to look for what typical invoices look like and who approves them. Then it is simplicity itself to take one from a year ago that is about due, doctor it to use a different bank account and then send it marked urgent for someone to pay, saying it has already been approved by xxxx. It’s a modern equivalent of an old scam and I’ve seen it already :(. It’s horribly easy to get caught if you’re not ready.

    leffeboy
    Full Member

    Could get a little NAS box with 4TB mirrored drives as your ‘local backup’ – would be small enough to take offsite at weekends etc.

    Doesn’t handle ransomware unless you also do multiple offline backups of the NAS

    701arvn
    Free Member

    Asset + Threat + Vulnerability gives rise to Risk which is mitigated by the application of controls.

    Asset = Data
    Threat = Ransomware
    Vulnerability = Users
    Risk= data loss
    Control = backups or AV or user training or all of the above.

    First identify your assets, then what the threats to those assets are, understand the vulnerabilities which the threats may exploit. This will enable you to quantify the risk and create a mitigation plan.

    The quantification is essential to decide whether controls are cost effective or not.

    On this short summary, the entire security industry is built.

    jbproductions
    Free Member

    Beaten to it, but most people have missed this – no Admin access for your users. Both to stop them installing software themselves and to lessen the chance of malware installing via websites etc.

    Also, something like OpenDNS to block dodgy websites.

    Ensure you have sufficient backups and that you can actually restore. If someone did get onto your system and encrypted your data, would your backups be safe and accessible to you?

    If you had a malicious employee, what damage could they do and could you recover from it?
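
    “Can you actually restore” is only answered by doing a test restore and comparing it against the live copy, which is also the quickest way to see whether a backup has quietly picked up encrypted files. The following is an added PowerShell example for this thread, not code from any poster. It assumes one folder holding the live data (a OneDrive folder, a NAS share) and another holding a test restore of the backup, and it builds a small constructed data set in %TEMP% so it runs stand-alone.

    ```powershell
    # Added example: verify a test restore against the live data file by file with SHA-256.
    # Not from the original thread. Works with any two folders you can read.

    function Compare-RestoredBackup {
        param(
            [Parameter(Mandatory)] [string] $Source,    # live data, treated as the reference
            [Parameter(Mandatory)] [string] $Restored   # where the backup was restored to
        )
        $sourceRoot = $Source.TrimEnd('\')
        $expected = @{}
        # Hash everything under the source, keyed by path relative to the source root.
        Get-ChildItem -LiteralPath $sourceRoot -Recurse -File | ForEach-Object {
            $rel = $_.FullName.Substring($sourceRoot.Length).TrimStart('\')
            $expected[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }

        $missing = New-Object System.Collections.Generic.List[string]
        $changed = New-Object System.Collections.Generic.List[string]
        $matched = 0
        foreach ($rel in $expected.Keys) {
            $candidate = Join-Path $Restored $rel
            if (-not (Test-Path -LiteralPath $candidate)) { $missing.Add($rel); continue }
            $actual = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            if ($actual -eq $expected[$rel]) { $matched++ } else { $changed.Add($rel) }
        }

        [pscustomobject]@{
            Total   = $expected.Count
            Matched = $matched
            Missing = $missing   # in the live data but absent from the restore
            Changed = $changed   # present in both but with different content
        }
    }

    # Constructed demo data (not real files): a 'live' folder and a 'restored' copy in which
    # one file differs (as an encrypted file would) and one is missing entirely.
    $demo = Join-Path $env:TEMP ("restore-check-" + [guid]::NewGuid())
    $live = Join-Path $demo 'live'
    $rest = Join-Path $demo 'restored'
    New-Item -ItemType Directory -Path "$live\accounts", "$rest\accounts" -Force | Out-Null
    'Q1 invoices' | Set-Content "$live\accounts\q1.txt"
    'Q1 invoices' | Set-Content "$rest\accounts\q1.txt"
    'Q2 invoices' | Set-Content "$live\accounts\q2.txt"
    'Q2 invoices (garbage where the content used to be)' | Set-Content "$rest\accounts\q2.txt"
    'payroll'     | Set-Content "$live\payroll.txt"        # never made it into the backup

    Compare-RestoredBackup -Source $live -Restored $rest | Format-List
    # Expected on the demo data: Total 3, Matched 1, Missing payroll.txt, Changed accounts\q2.txt

    Remove-Item -LiteralPath $demo -Recurse -Force
    ```

    Anything in Missing means the backup job is not covering what people think it covers; a long Changed list against a backup taken before an incident is a strong hint the live copy, not the backup, is the one that has been tampered with, which is exactly the situation where the offline copy earns its keep.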

    canopy
    Free Member

    I work for one of the companies mentioned above, in a non-AV related R&D division. A recent visitor from HQ gave a presentation giving an overview of current company stuff and said ransomware is the biggest threat out there today.

    BTW, as an aside, ESET might be better known to people who have been around a while as Dr NOD or NOD32.

    mikewsmith
    Free Member

    The quantification is essential to decide whether controls are cost effective or not.

    On this short summary, the entire security industry is built.
    +1

    What do you have, what is important, what is the risk and what are the regulatory/customer requirements?

    Cougar
    Full Member

    ransomware is the biggest threat out there today.

    He / she isn’t wrong. However, stopping executables running from temp directories almost wholly mitigates ransomware (or at least, it stops Cryptolocker dead in its tracks).

    Can’t think why an AV vendor might fail to mention this… (-:

    mikewsmith
    Free Member

    To add I can have my desktop or laptop rebuilt (including all data via cloud) in a couple of hours in the event of something going badly wrong, theft is probably a bigger worry as that removes the hardware.

    Cougar
    Full Member

    As an aside, ESET might be better known to people who have been around a while as Dr NOD or NOD32.

    To be fair, ESET are pretty good (I remember Nod32 but not Dr NOD). I’ve used their (your?) online scanner many a time when the onboard AV has been nobbled (or never installed in the first place).

    Last time I looked (ok, it was a while ago) there were no cheap / free centrally managed corporate AV solutions out there; it was megabucks. If ESET are doing it for free as someone alluded to earlier, I’d certainly check it out at least.

    (Help I seem to have become addicted to parentheses (brackets))

    canopy
    Free Member

    Sorry, as said, in R&D for non-AV, not sales etc., so don’t know 🙁

    He / she isn’t wrong. However, stopping executables running from temp directories almost wholly mitigates ransomware (or at least, it stops Cryptolocker dead in its tracks).

    Yes a good hardening tactic. I guess the point of AV is, ‘install and forget’ without having to harden each endpoint manually.

    Suits enterprise and small companies without IT resources equally in that regard?

    theft is probably a bigger worry as that removes the hardware.

    And data.. 😉 Hence backup, and if data is sensitive there’s a whole other can of worms with lost devices.

    UrbanHiker
    Free Member

    Just for the dummies here….

    However, stopping executables running from temp directories almost wholly mitigates ransomware

    How would one achieve this? Non-admin account?

    And secondly, what is this opendns that people keep mentioning?

    Sandwich
    Full Member

    Backups, backups, backups.

    From Cougar above, if it doesn’t exist in 3 separate places when digital it doesn’t exist. Also any form of RAID is not a back-up.

    From personal experience the Netgear Prosafe equipment is apparently EOL; they are getting out of the sector. I’m currently on the lookout for a suitable replacement for when the current hardware firewall dies.

    Cougar
    Full Member

    How would one achieve this? Non-admin account?

    Ideally through Group Policy but that doesn’t help you. Have a look at this:

    https://blog.brankovucinec.com/2014/10/24/use-software-restriction-policies-to-block-viruses-and-malware/

    You don’t have GPOs, but there’s a similar standalone thing on Windows (7 at least, I’m not in front of 10) – Local Security Policy. Run that, go to Software Restriction Policies / Additional Rules, right-click and add path rules.

    Important Caveat: some legitimate software might require rights to run from %appdata% etc (shoddy practice but here we are) so test on a donor PC and be prepared to have to whitelist things.

    what is this opendns that people keep mentioning?

    OpenDNS provides “smart” Internet DNS servers which filter out the bad stuff according to whatever policy you sign up for (most DNS servers will just blindly forward any and all name lookups). So you could have it drop known hostile websites for instance, or e-grumble, or social media sites.
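
    The Local Security Policy route described above (Software Restriction Policies, Additional Rules, path rules) can be scripted, which matters when it has to be repeated on every PC without Group Policy. The following is an added PowerShell example for this thread, not code from the linked blog or any poster. It writes the registry layout that secpol.msc uses for SRP; before rolling it out, compare it against a policy created through the GUI on the donor PC Cougar suggests, and treat the blocked paths and the whitelist entry as assumptions to adjust for whatever legitimately runs from %AppData% in your office.

    ```powershell
    # Added example: local Software Restriction Policy path rules that stop executables
    # running from user-writable locations. Not from the original thread. Run from an
    # elevated PowerShell prompt; test on a spare PC first.

    $Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $Disallowed   = 0        # SRP security level: Disallowed
    $Unrestricted = 262144   # SRP security level: Unrestricted (0x40000)

    function Initialize-SrpPolicy {
        # Policy root: everything allowed unless a rule says otherwise (DefaultLevel Unrestricted),
        # applied to all users (PolicyScope 0), to executables but not DLLs (TransparentEnabled 1).
        New-Item -Path $Safer -Force | Out-Null
        Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Unrestricted -Type DWord
        Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -Type DWord
        Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0 -Type DWord
        Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
        # Designated file types, same list secpol.msc populates by default.
        Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
            'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
            'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    }

    function Add-SrpPathRule {
        param(
            [Parameter(Mandatory)] [string] $Path,
            [Parameter(Mandatory)] [int]    $Level,
            [string] $Description = ''
        )
        # Each rule is a key <level>\Paths\{GUID}; ItemData holds the path, environment variables allowed.
        $ruleKey = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
        New-Item -Path $ruleKey -Force | Out-Null
        Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path        -Type ExpandString
        Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0            -Type DWord
        Set-ItemProperty -Path $ruleKey -Name Description -Value $Description -Type String
    }

    function Get-SrpPathRules {
        # List the path rules so the policy can be reviewed before and after changes.
        foreach ($level in @($Disallowed, $Unrestricted)) {
            $paths = Join-Path $Safer "$level\Paths"
            if (-not (Test-Path $paths)) { continue }
            if ($level -eq $Disallowed) { $levelName = 'Disallowed' } else { $levelName = 'Unrestricted' }
            foreach ($rule in Get-ChildItem $paths) {
                $props = Get-ItemProperty $rule.PSPath
                [pscustomobject]@{ Level = $levelName; Path = $props.ItemData; Description = $props.Description }
            }
        }
    }

    Initialize-SrpPolicy

    # Block the user-writable places droppers and Cryptolocker-style payloads run from.
    $blocked = @(
        '%AppData%\*.exe',       '%AppData%\*\*.exe',
        '%LocalAppData%\*.exe',  '%LocalAppData%\*\*.exe',
        '%Temp%\*.exe',          '%Temp%\*\*.exe',
        '%UserProfile%\Downloads\*.exe'
    )
    foreach ($p in $blocked) {
        Add-SrpPathRule -Path $p -Level $Disallowed -Description 'Block exe from user-writable directory'
    }

    # Whitelist entry (assumption: replace with the legitimate program that insists on living in
    # %AppData%). A more specific Unrestricted path rule wins over a broader Disallowed one.
    Add-SrpPathRule -Path '%AppData%\ExampleVendor\Updater.exe' -Level $Unrestricted -Description 'Allowed exception'

    Get-SrpPathRules | Format-Table -AutoSize
    ```

    Log off and back on (or reboot) before testing, then try to run a harmless .exe copied into %AppData% from a standard user account; it should be refused with an SRP message. Anything that breaks gets its own Unrestricted path rule rather than the whole policy being switched off.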

    Cougar
    Full Member

    Also any form of RAID is not a back-up.

    Oh, I could hug you. I’ve had so many arguments in the office about this that I’m thinking of getting cards printed. (And coincidentally, I’ve got a customer’s server on its way back to me right now to look at due to catastrophic failure of its primary RAID array, and that’s proper enterprise-grade hardware RAID and not some fakeRAID shite in a bargain basement home NAS enclosure.)

    leffeboy
    Full Member

    If ESET are doing it for free as someone alluded to earlier,

    Not free but only around 25 quid a year for their Endpoint Security product so complete bargain in my book. The price is amazingly random though and their website never seems to work properly if looking at the price online. And don’t even attempt to buy online in the Benelux countries 🙁

    Cougar
    Full Member

    Not free but only around 25 quid a year for their Endpoint Security product

    Hm. The endpoint is generally the cheap bit, it’s the central management stuff that usually costs big. You can download their “remote administrator” from the site directly but it’s not clear whether it’s free or a trial. A quick glance on their site for pricing says “contact us for a quote” which doesn’t instil me with confidence, but it also says remote admin comes with all their product suites?

    leffeboy
    Full Member

    The remote administrator bit appears to be free; at least it didn’t use up any of my licences. It asks for a licence code but only to administer the licences for the clients that attach to it. The price I have paid has only been for the endpoints, as far as I can see.

    Cougar
    Full Member

    Yeah, I just edited my post but you’d already replied. That’s pretty sweet, I’m impressed.

    canopy
    Free Member

    One of my co-workers is also a “RAID IS NOT A BACKUP” evangelist 🙂

    Don’t know about ERA licencing, but for our enterprise stuff you get the console free if you buy more than 5 licences.

    BTW, NOD32 -> Dr NOD = doctor = health; Isis is the Egyptian goddess of health (marriage & wisdom), and ESET is an alternate spelling, hence why the logo is a pill shape.

    Cougar
    Full Member

    Hah, I never knew that. I wondered what NOD stood for, so hit Wikipedia.

    https://en.wikipedia.org/wiki/ESET_NOD32

    The acronym NOD stands for Nemocnica na Okraji Disku (“Hospital at the end of the disk”),[1] a pun related to the Czechoslovak medical drama series Nemocnice na kraji města (Hospital at the End of the City).

    So ok, that’s pretty clever. However,

    The first version of NOD32 – called NOD-ICE

    That right there is stark raving genius. I’d have been smug for days if I’d come up with that (and given that the creators are Slovakian, was the double meaning even intentional?)

    Sandwich
    Full Member

    The RAID thing was impressed on me by the first IT consultant we employed when I was handed the hot potato, like the OP.
    I occasionally remind the business owner that this is still in force, and that using old disks from home to secure business critical data is a false economy; a new one is £70, for God’s sake. (He’s a management accountant by training.)
