
Securing your Digital ShopFront is no different to a Physical one

Physical gate next to a keyboard

In this edition of the Cyber Insights blog, I want to cover the often-overlooked topic of business cybersecurity external posture, written mainly for business executives.

Over the past 12 months, I have had several discussions with business leaders and small startups about the image their organisations are portraying to potential attackers, usually cybercriminals seeking ransom money.

When explaining the need for basic cybersecurity hygiene to these business leaders, I usually use an analogy from the physical world: “In your home, would you install a secure door? Would you add a lock that has a certain level of security? Would you install an alarm system and some cameras? What do you think a criminal staking out his next ‘mark’ would make of your home if you had these measures in place as opposed to not having them? Would it influence his decision to burglarise your home at the earliest opportunity?” After considering this, most people I speak to agree it makes sense to have basic controls in their home and their business. You see, criminals behave opportunistically and optimise their “Return on Investment”.

At this point in the discussion, I usually have an engaged audience asking me, “So, what should we do to make us a less enticing target?” This opens up the topic of external cybersecurity posture management.

External cyber security posture

How a business secures its external perimeter and assets reflects the effort it puts into securing the whole organisation. In other words, with no other information to go on, a burglar who finds the door left open feels the urge to barge in opportunistically and steal as much as possible. A house with visibly state-of-the-art security, on the other hand, is likely to be skipped in favour of an easier target.

On the Internet, the visible “assets” are your Domain Name System, your website, your email system, and finally any system reachable over the Internet. Each of these would warrant an article of its own; here I cover them from a business executive’s point of view. Each section ends with keywords that IT teams can use to learn more.

Domain Name System

The Domain Name System (DNS) acts as the yellow pages on the Internet so your prospects, partners, and clients can find you. It tells them how to find your website, send you email, and communicate with your company. Your IT team manages and secures the information in your DNS database.

By design, your DNS zone information is readable by anyone who knows which questions to ask: it reveals your mail servers, your hosting providers, and often the names of services you have forgotten about. Leaving your DNS in a less than optimal state of security invites further probing by criminals.

As a critical system, the DNS should be managed by experts, and access to make any changes should be secured by state-of-the-art security controls.

Keywords for IT teams: DNSSEC, Domain Registrar, multi-factor authentication, DNS primary, secondary, and shadow zones, DNS zone data transfers, Domain Lock, dangling DNS

Website

The website is your company’s public portal, presenting your company, perhaps even allowing clients to purchase your products and services.

A fair number of technologies and standards are involved in running a website that portrays your company as cybersecurity conscious. Your team should carefully select the website hosting provider, obtain and renew TLS certificates, enforce strong encryption, and set up strong authentication where applicable.

Keywords for IT teams: HTTPS, cookies, certificates, PKI, Strict Transport Security, HTTP headers, HTTP methods
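As an added example that is not part of the original post, the script below reviews the response headers a website returns and flags the settings that undermine the HTTPS, Strict Transport Security, HTTP header and cookie keywords above. The two header sets are constructed samples; in practice you would capture the real ones with `curl -sI https://www.example.com` and feed them in as (name, value) pairs.

```python
"""Added example, not code from the original post: review the HTTP response
headers a website returns and flag the settings that undermine HTTPS,
Strict Transport Security and cookie protection.  The headers below are
constructed samples; in practice you would capture them with
`curl -sI https://www.example.com` and feed them in as (name, value) pairs."""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the usual minimum for a meaningful HSTS max-age


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=63072000; includeSubDomains' into a lowercase-keyed dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def review_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    single: Dict[str, str] = {}
    cookies: List[str] = []
    for name, value in headers:
        key = name.strip().lower()
        if key == "set-cookie":          # may repeat, so collect separately
            cookies.append(value)
        else:
            single[key] = value

    findings: List[str] = []
    hsts = single.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers can still be downgraded to http://")
    else:
        d = parse_directives(hsts)
        raw_age = d.get("max-age", "0")
        max_age = int(raw_age) if raw_age.isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS does not cover subdomains")

    csp = single.get("content-security-policy", "")
    if not csp:
        findings.append("No Content-Security-Policy header")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "x-frame-options" not in single and "frame-ancestors" not in csp:
        findings.append("No clickjacking protection (X-Frame-Options or frame-ancestors)")
    if "referrer-policy" not in single:
        findings.append("No Referrer-Policy header")
    server = single.get("server", "")
    if any(ch.isdigit() for ch in server):   # a version number invites targeted probes
        findings.append(f"Server header discloses a version: {server}")

    for cookie in cookies:
        attrs = parse_directives(cookie)
        cookie_name = cookie.split("=", 1)[0].strip()
        for attr in ("Secure", "HttpOnly", "SameSite"):
            if attr.lower() not in attrs:
                findings.append(f"Cookie {cookie_name} lacks the {attr} attribute")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
]
STRONG_HEADERS = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(f"{label}: {review_headers(sample) or ['no findings']}")
```

The weak sample produces nine findings, from the missing HSTS header down to the session cookie that can be sent over plain HTTP; the hardened sample produces none. A version string in the `Server` header is flagged because it is exactly the kind of detail the opportunistic attacker from the introduction uses to decide whether you are worth a closer look.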

Email

When I talk to business executives, many don’t appreciate the importance of the email system functioning correctly and reliably. We sort of take email for granted—that is, until emails are not being sent or received. Suddenly, some business processes may stop or slow down significantly.

Emails on the Internet are sent through a network of Simple Mail Transfer Protocol (SMTP) servers. “Simple” is a misnomer—email is far from simple. The email-related internet standards have made it one of the most complex internet protocols, likely second only to DNS. I rarely see an organisation configuring its email system correctly and securely. These gaps have an impact on deliverability: the major email providers like Google and Microsoft have put controls in place to block or limit emails from organisations that have not secured their email systems to the required levels. Do your clients and partners complain they are missing your emails? Misconfigurations on your side could be the reason. And no, asking clients and partners to add your emails to their allow list does not solve the underlying issue.

Keywords for IT teams: SPF, DKIM, DMARC, MTA-STS, DANE, TLS
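As an added example that is not part of the original post, the script below parses the SPF and DMARC TXT records a domain publishes and reports the misconfigurations that most often get mail rejected or quarantined by the large providers. All records are constructed samples using the reserved example.com/example.net names; in practice you would fetch the real ones with `dig TXT example.com` and `dig TXT _dmarc.example.com`. DKIM keys live under `<selector>._domainkey` and are not covered here.

```python
"""Added example, not code from the original post: parse the SPF and DMARC
TXT records a domain publishes and report the misconfigurations that most
often get mail rejected or quarantined.  All records below are constructed;
in practice you would fetch them with `dig TXT example.com` and
`dig TXT _dmarc.example.com`."""
from typing import Dict, List, Optional

# SPF terms that cost the receiver a DNS lookup; RFC 7208 allows at most 10.
# This counts only the terms in the record itself; each include pulls in more.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_term_name(term: str) -> str:
    """'include:_spf.example.net' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    t = term.lstrip("+-~?").lower()
    return t.split(":")[0].split("/")[0].split("=")[0]


def review_spf(apex_txt: List[str]) -> List[str]:
    """apex_txt: every TXT record at the domain apex.  Empty result = fine."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ["No SPF record: receivers cannot tell which servers may send for you"]
    findings: List[str] = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; receivers treat that as permerror")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if spf_term_name(t) == "all"]
    if not all_terms:
        findings.append("No 'all' mechanism: unknown senders are treated as neutral")
    else:
        first = all_terms[-1][0]
        qualifier = first if first in "+-~?" else "+"   # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("'+all' authorises the entire Internet to send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral and gives receivers nothing to act on")
    if any(spf_term_name(t) == "ptr" for t in terms):
        findings.append("'ptr' mechanism is deprecated and slow; replace with ip4/ip6/include")
    lookups = sum(1 for t in terms if spf_term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def review_dmarc(record: Optional[str]) -> List[str]:
    """record: the TXT record at _dmarc.<domain>, or None if absent."""
    if record is None:
        return ["No DMARC record: receivers cannot apply your policy or send reports"]
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["DMARC record must begin with v=DMARC1"]
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("Missing p= tag makes the DMARC record invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("No rua= address: you will never see aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    return findings


# Constructed samples; example.com / example.net are reserved documentation names.
WEAK_APEX_TXT = [
    "v=spf1 ip4:203.0.113.10 include:_spf.example.net ptr +all",
    "v=spf1 a mx -all",           # a second record left behind by a migration
    "MS=ms12345678",              # unrelated verification token, ignored
]
STRONG_APEX_TXT = ["v=spf1 ip4:203.0.113.10 include:_spf.example.net -all"]
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    print("weak SPF:   ", review_spf(WEAK_APEX_TXT))
    print("weak DMARC: ", review_dmarc(WEAK_DMARC))
    print("strong SPF: ", review_spf(STRONG_APEX_TXT) or ["no findings"])
    print("strong DMARC:", review_dmarc(STRONG_DMARC) or ["no findings"])
```

The weak domain is a typical case: two SPF records (a permanent error for every receiver), a `+all` that authorises anyone to send on its behalf, and a DMARC policy that only monitors half of the failing mail and sends the reports nowhere. This is the sort of configuration that leads to the “clients are missing our emails” complaint above, and none of it is fixed by asking recipients to allow-list you.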

Conclusion and next steps

Internet technologies are complex. Not every IT “expert” possesses the expertise required to ensure your business’s “shop window” portrays your company as taking cybersecurity seriously.

If you have any doubts or want to check your company’s exposure to cyber risks, do contact me.