Part 3 – Your Organisation's Cyber Security Journey – Hardware
Welcome to Tetrabyte’s simple monthly series on cyber security for small business. We guide you through the key elements in understanding your business and creating plans to manage your cyber security.
Hardware
Parts 1 and 2 helped you build the asset log and find the issues in your organisation.
In this part we start to look at the why and the how. A good understanding of what you need to do, and why, supports your decisions on investment in Cyber Security by letting you work on a cost-benefit basis.
In several areas you'll note I make reference to the two-week rule. This is relevant to security updates only, not to new features or bug fixes, which are nice to have but not relevant to this article. The advice is based on the UK Government's Cyber Essentials security standard, which requires that organisations install security updates within two weeks of their release. This is important because developers often release security updates and announce the vulnerabilities they fix at the same time, meaning that delays in updating leave you exposed to published vulnerabilities.
1 – Firmware
Firmware is the 'software' that runs on hardware at a base level. On some devices it simply provides an interface to other software, and on other devices it provides an interface that you can access directly. As with any software, it will need updating after the original development stage: as technology develops, vulnerabilities and bugs may be found in the original software, or the manufacturer may wish to add features or compatibility with new devices and operating systems.
While from a security standpoint we are not greatly concerned with new features and compatibility, we do need to ensure that if a security issue is detected, it gets patched. Failure to do so can lead to bad actors gaining access to the device. From there, they could take the data stored on the device, or use it as a staging point to attack another location in your network, bypassing your perimeter firewalls and similar controls.
So how do you update these and when?
This is largely going to be determined by what the device is and what access you have. Below are some common examples.
Computers, Desktops, Laptops, Servers:
These devices contain many individual components that each run their own firmware. The motherboard has a 'BIOS', and your storage controller or network card may have its own firmware too, especially in servers.
Updating these can be a very varied task depending on your device manufacturer. Well-known brands such as Dell or HP provide centralised update software that scans your device and helps you update everything. Other manufacturers may require you to identify every individual component and seek out that component manufacturer's update site.
Tedious as this may sound, it’s critical to security and the centralised update systems are one of the reasons there is significant value in working with leading brands.
Many well-known brands allow 'automatic' updating via this software, and unless you have a software security team directly managing these in house, automatic updates should be enabled where possible. If it's not possible, you will need to note this down and build a checking procedure and schedule to ensure that updates are installed within two weeks of release.
Network Printers, Routers, Switches, Scanners:
These devices often lack centralised updates. Instead, you need to find the device on your network, connect to its web interface, log in and then follow that device's update procedure. These will all be slightly different depending on the manufacturer.
Many well-known brands are building centralised management platforms that you may be able to take advantage of, especially in the networking sector. Look out for these options with your devices, especially if you have multiple devices from one brand.
You should look for automatic update features, but many of these devices won't include them, so you need to build device-specific procedures and schedules to check them. The normal standard in Cyber Security is to install updates within two weeks of release, so you should consider this when building your schedule.
Other Devices:
You may discover other devices on your network that don't have a web interface to update; a common example is something like an Amazon Alexa smart speaker. These are often not updated by connecting to them directly but instead require specialised software, such as a mobile phone app or desktop software, to find the current firmware and update them. Again, these will be device specific and you should consult the manufacturer's documentation. Once again, building update procedures and schedules is key to maintaining this security.
2 – Operating Systems
The operating system is one step up from firmware and is the area people normally think of when they think about updates. Both Microsoft Windows and Apple macOS have built-in update systems.
From a security point of view, you need to ensure these are turned on and cannot be disabled by end users, are configured correctly for your business needs, and comply with the standard of installing security updates within two weeks of release.
Consideration should be given to mobile phones and how their updates are managed too. Mobile devices have access to significant amounts of business data, and their security should be of the same priority as desktops and laptops or higher, especially in BYOD environments where users may be more relaxed about security because it's a personal device.
Running the updates is often very easy, and for most small businesses automatic updates are enough. As businesses grow they should consider monitoring these installs to ensure each update does indeed install correctly and is not missed, and large organisations may wish to take management away from the automatic updater and roll out updates in test waves as a controlled release.
3 – End of Life
Organisations should be aware of when hardware goes ‘End of Life’. This means that the manufacturer is no longer planning to resolve any further security issues as they consider the product to be obsolete.
Planning for end of life should be built into IT budgets and consideration of support lifecycles may be a priority when selecting new devices.
End of life products expose all the same vulnerabilities as out-of-date firmware and operating systems. They should be avoided where possible, with risk mitigation put in place where not.
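The checking procedure and schedule described in the firmware and operating system sections, and the end-of-life planning above, all come down to reviewing the asset log from Parts 1 and 2 against a few dates. The script below is an added example, not Tetrabyte's own tooling; the asset-log field names, the sample devices and the 180-day budgeting horizon are assumptions, while the 14-day window is the Cyber Essentials figure quoted in the article.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# The two-week rule the article takes from Cyber Essentials: security updates
# must be installed within 14 days of the vendor releasing them.
PATCH_WINDOW = timedelta(days=14)
# How far ahead to warn about end of life so it can go into the IT budget.
# The 180-day horizon is an assumption, not something the article specifies.
EOL_HORIZON = timedelta(days=180)


@dataclass(frozen=True)
class Asset:
    """One row of the asset log built in Parts 1 and 2 (field names are assumed)."""
    name: str
    component: str                  # e.g. "BIOS", "switch firmware", "Windows"
    update_released: date | None    # when the vendor published the latest security update
    update_installed: date | None   # when it was installed on this device; None = outstanding
    end_of_life: date | None        # vendor support end date, None if not recorded


def update_status(asset: Asset, today: date) -> str:
    """Classify the latest security update against the 14-day window."""
    if asset.update_released is None:
        return "unknown"            # no release date recorded: the check procedure has a gap
    if asset.update_installed is None:
        age = today - asset.update_released
        return "overdue" if age > PATCH_WINDOW else "pending"
    lag = asset.update_installed - asset.update_released
    return "late" if lag > PATCH_WINDOW else "ok"


def eol_status(asset: Asset, today: date) -> str:
    """Classify vendor support so end of life is planned rather than discovered."""
    if asset.end_of_life is None:
        return "unknown"
    if asset.end_of_life <= today:
        return "end of life"
    if asset.end_of_life - today <= EOL_HORIZON:
        return "approaching end of life"
    return "supported"


def review(assets: list[Asset], today: date) -> list[tuple[str, str, str]]:
    """One (name, update status, support status) row per asset."""
    return [(a.name, update_status(a, today), eol_status(a, today)) for a in assets]


def needs_attention(assets: list[Asset], today: date) -> list[str]:
    """Assets that breach the two-week rule, have no record, or are out of support."""
    flagged = []
    for name, upd, eol in review(assets, today):
        if upd not in ("ok", "pending") or eol in ("end of life", "unknown"):
            flagged.append(name)
    return flagged


# Constructed sample asset log; the device names and dates are made up.
TODAY = date(2024, 3, 1)
SAMPLE_LOG = [
    Asset("HQ-FW-01", "firewall firmware", date(2024, 2, 1), None, date(2027, 1, 1)),
    Asset("HQ-SW-02", "switch firmware", date(2024, 2, 20), date(2024, 2, 25), date(2024, 1, 15)),
    Asset("LAPTOP-07", "Windows", date(2024, 2, 24), None, date(2024, 6, 30)),
    Asset("MEETING-ROOM-SPEAKER", "smart speaker firmware", None, None, None),
    Asset("SRV-01", "BIOS", date(2024, 1, 10), date(2024, 2, 10), date(2028, 10, 1)),
    Asset("DESKTOP-03", "Windows", date(2024, 2, 22), date(2024, 2, 23), date(2029, 1, 1)),
]

if __name__ == "__main__":
    for row in review(SAMPLE_LOG, TODAY):
        print("%-22s update: %-8s support: %s" % row)
    print("Needs attention:", needs_attention(SAMPLE_LOG, TODAY))
```

Run on a schedule (say weekly), the "pending" state gives you the devices to act on before the window closes, "late" shows where the procedure itself is failing even though the update eventually went in, and "unknown" shows where the asset log is incomplete, which in practice is the most common finding on a first pass.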
4 – Administrative Access
Most devices come with local login details that allow administrators to connect to the device and configure settings required. These are protected by an administrative username and password combination.
With these, bad actors can gain access to configuration settings. Imagine a scanner that emails every scan to someone malicious without you knowing, or a network switch that copies all data to another port, allowing data capture.
While it's becoming less common these days, many devices do still come with 'default manufacturer logins', meaning the manufacturer has set up one set of login details and all new devices share it. The issue is that a bad actor can look up the login online and gain full administrative access to the device.
Other devices may have 'default device logins'. These are a step up in that they are unique to every device produced, often printed on a label on the device or derived from a feature such as the serial number. This is more secure, but someone with physical access to view the device can still capture this and use it to gain administrative access.
Cyber Security requires that you change all device logins. They should be set to new custom values, unique per device, at least 16 characters long and preferably stored in a secure password management system. If multifactor authentication is available for the device, enabling it is a critical step too.
For desktops, laptops, servers and similar, administrative access should be restricted to specific admin users. This means general staff do not have administrative access unless absolutely needed. Where staff do have administrative access, this should require additional training to ensure they know how and when they are authorised to use it, and staff should ensure that their admin account is NOT their main day-to-day work account; the two should be separated to prevent accidental elevation or abuse of privileged access.
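The device login rules above (default replaced, unique per device, at least 16 characters, held in a password manager, MFA on where available) can be checked over an export from your password manager. This is an added example, not the article's or any vendor's tool; the record fields, the sample devices and the generated-password alphabet are assumptions, and the 16-character minimum is the article's figure.

```python
import secrets
import string
from collections import Counter
from dataclasses import dataclass, replace

MIN_LENGTH = 16  # the article's minimum for device administrative passwords


@dataclass(frozen=True)
class DeviceCredential:
    """One device admin login as exported from the password manager (fields assumed)."""
    device: str
    username: str
    password: str
    default_changed: bool      # has the manufacturer or label default been replaced?
    mfa_available: bool        # does the device offer multifactor authentication?
    mfa_enabled: bool
    in_password_manager: bool  # False for logins still only written on a sticky note


def check_credential(cred: DeviceCredential, counts: Counter) -> list[str]:
    """Return the policy findings for one login; an empty list means it passes."""
    findings = []
    if not cred.default_changed:
        findings.append("default login still in use")
    if len(cred.password) < MIN_LENGTH:
        findings.append("password shorter than 16 characters")
    if counts[cred.password] > 1:  # same password recorded against another device
        findings.append("password reused on another device")
    if not cred.in_password_manager:
        findings.append("not stored in password manager")
    if cred.mfa_available and not cred.mfa_enabled:
        findings.append("MFA available but not enabled")
    return findings


def audit(creds: list[DeviceCredential]) -> dict[str, list[str]]:
    """Findings per device; reuse is detected by counting passwords across the whole export."""
    counts = Counter(c.password for c in creds)
    return {c.device: check_credential(c, counts) for c in creds}


def new_device_password(length: int = 24) -> str:
    """Random replacement password from the OS CSPRNG.

    The symbol set is an assumption: some device web interfaces reject other characters.
    """
    alphabet = string.ascii_letters + string.digits + "-_.!@#"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def replacement_for(cred: DeviceCredential) -> DeviceCredential:
    """The record to store once the device has been given a fresh password.

    Enabling MFA and saving the record to the manager are still manual steps on the device.
    """
    return replace(cred, password=new_device_password(), default_changed=True)


# Constructed sample export; device names and passwords are made up for the example.
SAMPLE_CREDENTIALS = [
    DeviceCredential("HQ-SW-02", "admin", "admin", default_changed=False,
                     mfa_available=False, mfa_enabled=False, in_password_manager=False),
    DeviceCredential("HQ-FW-01", "fw-admin", "Wq7!pL2m-Zr9xT4b", default_changed=True,
                     mfa_available=True, mfa_enabled=True, in_password_manager=True),
    DeviceCredential("PRINTER-1F", "svc-print", "Wq7!pL2m-Zr9xT4b", default_changed=True,
                     mfa_available=False, mfa_enabled=False, in_password_manager=True),
    DeviceCredential("NAS-01", "nasadmin", "Short1!", default_changed=True,
                     mfa_available=True, mfa_enabled=False, in_password_manager=True),
]

if __name__ == "__main__":
    for device, findings in audit(SAMPLE_CREDENTIALS).items():
        print(device, "->", "; ".join(findings) or "ok")
    print("Example replacement record:", replacement_for(SAMPLE_CREDENTIALS[0]).password)
```

Reuse is the finding that is easy to miss by eye: here the firewall and the printer share a 16-character password that individually passes every other check, so compromising the printer's web interface would hand over the firewall login as well, which is exactly the "staging point" scenario from the firmware section.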
5 – Physical Access
Alongside digital access, businesses should consider physical access issues. Laptops and mobile devices are easy targets when travelling, and even desktops can be compromised during a building break-in. Staff should be provided with locks for laptops and suitable carry bags with discreet laptop storage, and devices that have no need to move should be locked or secured to desks and furniture.
Servers and NAS drives should be secured in locked ventilated cabinets or rooms.
Staff policies should let staff know what you expect of them with their devices. You may require staff to return laptops to the office at the end of the day, or have policies around using mobile phones in public places such as while walking down the street.
6 – Data Encryption
Device theft or loss will still occur within your organisation, and as such, plans for managing and mitigating the risks on these devices should be in place before an incident occurs.
Data encryption on laptops, desktops and mobile devices prevents someone from bypassing the password and other security steps to access the stored data. Encryption is a common feature built into most modern operating systems; Microsoft, Apple and Android all provide encryption options to ensure the security of data on the device. You should ensure this is enabled and that staff cannot disable it without administrative access. It's also a good idea to ensure you are managing the encryption keys: these provide a failsafe if something goes wrong and ensure you can continue to access your data.
Hopefully this has given you a good insight into the risks and the techniques you can deploy to protect your hardware. This is a great first step, and you will see many overlaps with this information as we discuss security from other points of view in this series.
