What cyber security steps are you taking?

billybob99

Can you imagine wanting to share a document or collaborate with sub-contractors and people on the go, or someone asking to take a look at some recent pictures - yes, let me just go and plug in my external hard drive.

If you're storing an absolute ton then you might need something more bespoke.

Otherwise Dropbox and the other solutions out there are for convenience and speed - their target market is people/companies that value this over the cost of a GB.

£15.99 / year for 100GB is more than enough - I don't want to make backups of backups of backups all day.

I want to share a file with certain people, be able to revoke their access and all that good stuff, quickly and securely, especially when on the move.
 
Upvote 0

Clinton

    But, it's not the storage that matters, you also get -

    • Email hosting with 50 GB mailbox and custom email domain address
    • Web versions of Outlook, Word, Excel, and PowerPoint (desktop versions of applications not included)
    • File storage and sharing with 1 TB OneDrive storage
    • Inform and engage with communication sites and team sites throughout your intranet using SharePoint
    • Host unlimited HD video conferencing meetings with up to 250 people
    • Host meetings for up to 10,000 people with Skype Meeting Broadcast or Microsoft Teams live events.
    • Get a hub for teamwork with Microsoft Teams
    • Collaborate across departments and locations with Yammer
    • Use intelligent video to create, manage and share live and on-demand content across your organization
    • Search and discovery with Delve
    • Plan schedules and daily tasks with Microsoft Teams
    • Manage tasks and teamwork with Microsoft Planner
    • Maximum number of users: unlimited
    • FastTrack deployment support with purchase of 150+ seats at no extra cost
    • 24/7 phone and web support
    I've estimated that the percentage of businesses that could use all those facilities is 0.00143%. A bit more niche than @The Byre 's business.

    Your call :) :)
     
    Upvote 0
    I've estimated that the percentage of businesses that could use all those facilities is 0.00143%. A bit more niche than @The Byre 's business.

    o_O Typical response

    I said

    Use which services you require, there is no extra charge for any of them, and ignore the rest. At £6 per month that's pretty good value don't you think?

    It doesn't matter what a particular business needs, just use what you want. No additional cost, no loss of service.
     
    Upvote 0

    Clinton

    See the bit in bold - that's often the attitude of dodgy salesmen who think this: I won't worry about what the customer needs, I'll sell him my sh*t anyway and tell him it will solve all his problems!

    Incidentally, with cloud service failures becoming a regular event, I'm talking about why people should avoid cloud here.
     
    Upvote 0
    See the bit in bold - that's often the attitude of dodgy salesmen who think this: I won't worry about what the customer needs, I'll sell him my sh*t anyway and tell him it will solve all his problems!

    Just to be clear. I said that it makes no difference to the customer if they take all of the services in the package, or just one service in the package, the price and the service remain the same.

    A simple analogy - If you were buying an ice cream and the vendor asks if you want a flake and a wafer and a cherry on top, all in the advertised price, you can decline one or another or all three, or can have the lot all together. You, the customer, can choose.

    Office 365 offers all sorts of goodies that many will never deploy and never use. But, as a business develops, grows and changes, they may become desirable - MS make sure that they are always there and can be picked up by the customer at any time.
     
    Upvote 0

    HostXNow

    Use a password manager like LastPass or 1Password
    Have local and offsite backups (use a few different services)
    2FA - Two Factor Authentication is very important!
    Do not store your credit card details on any site if you can help it. Try to pay with something like PayPal if possible.

    Those alone will help a lot.
     
    Upvote 0


    Deleted member 315707

    Always amazes me how people got blind trust in one OS. Security software should be installed on any OS. Also, not sure how Linux is going to protect from phishing sites and browser injection scripts.

    This is a ridiculous statement to make. It's not blind trust, it's globally recognised that Linux is far more secure than Windows. This whole thread is just paranoia. Viruses can't infect Linux systems in normal desktop use in the same way as Windows viruses can. All programs run from system binaries that cannot be modified by user-level security.

    If user-data can somehow maliciously gain execute permission, which is nigh on impossible, at most it can destroy data but can't replicate itself and therefore it's not a valid vector for viruses. It's a possibility for personally targeted attacks, but only then it would be so specifically targeted at you, you're probably already aware Putin's on your back.

    As for phishing, and to some extent XSS, anti virus isn't going to protect you from users entering passwords where they shouldn't nor viewing dodgy websites... the main thing here is Linux again can still not be thwarted and your article is disingenuous at best as it requires an already compromised system.
     
    Upvote 0

    Inva

    My way of general purpose security:

    0. Know what security is about
    1. Linux
    2. Never use any "cloud" services (aka "check this box if you're not very bright")
    3. Keep everything in my own local file server and my own off-site backup location
    4. Communication between machines restricted to keys and IPs
    5. Use a password pattern which only I know
    6. Use disposable email
    7. Avoid Google everywhere. Use StartPage.com instead
    8. Use VPN (optional, as it has pros and cons)
    9. No social media
     
    Upvote 0

    Nico Albrecht

    This is a ridiculous statement to make. It's not blind trust, it's globally recognised that Linux is far more secure than Windows. This whole thread is just paranoia. Viruses can't infect Linux systems in normal desktop use in the same way as Windows viruses can. All programs run from system binaries that cannot be modified by user-level security.

    If user-data can somehow maliciously gain execute permission, which is nigh on impossible, at most it can destroy data but can't replicate itself and therefore it's not a valid vector for viruses. It's a possibility for personally targeted attacks, but only then it would be so specifically targeted at you, you're probably already aware Putin's on your back.

    As for phishing, and to some extent XSS, anti virus isn't going to protect you from users entering passwords where they shouldn't nor viewing dodgy websites... the main thing here is Linux again can still not be thwarted and your article is disingenuous at best as it requires an already compromised system.

    Where do we start? Linux is as vulnerable as any other OS on the market and has many security flaws as well. Here is a very basic example of a security flaw in most Linux distributions: https://www.techworm.net/2019/06/li...tM02qpqNIj3gUg_Jy9pR3R9I8xH6EtGnhe8GdgaRmLRvc

    As mentioned before, running Linux does not protect you any better and 3rd-party security solutions may be required. Also, most threats might not target Linux directly but they can become carriers and infect other systems.
     
    Upvote 0
    Linux is as vulnerable as any other OS on the market and has many security flaws as well.

    Of course it is vulnerable and of course it has flaws. Linux accounts for less than 1% of OS in use around the globe (view this here), Windows has nearly 40%. This is why Windows systems get hit more frequently by more attack vectors than Linux.

    It doesn't matter what OS you use on PC or server, it will have weaknesses and can be compromised.

    This is the main argument for migration to the cloud. In O365 SharePoint data is stored as BLOBs (Binary Large Objects) in a database. The entire DB is encrypted at rest, the data transport to and from the DB is encrypted. The user device may also be encrypted (users choice).

    Microsoft can, and do, afford to spend more on protecting data stored in their data centres than even very large businesses can in a local LAN.

    Sure, files stored in the DB can be corrupted by stuff like Ransom Ware, but as posted up thread this will only affect the current version. Other versions will still be good and that leads to faster recovery from attack.

    Any file infected with virus or malware has no spread or propagation vectors because there is no access to any OS or subsystems from the DB. The only thing that can become damaged is the local device.

    If the data is safe in the cloud the device can be cleared down, rebuilt and reconnected.

    This represents a most effective DRP.
     
    Upvote 0

    Clinton

    Just in case people think cloud is the answer to life, the universe and everything, let me advise that not everyone agrees:

    Safety is central to cloud service success. This faith can now be cruelly exploited, with people's belief in the security of the cloud turned against them.

    In Microsoft's case they came up with this ransom ware protection. And it is a step in the right direction, but it's not infallible. Ransomware is going to get smarter and eventually it will exploit the 30 day time limit or exploit other flaws in this "protection". And even without ransom ware getting smarter there are flaws in this system.

    So in addition to cloud being a pain in the ass from the connectivity point of view (you have to be online etc), and the blind trust you need to place in a third party that has been compromised more than once in the past, it is not fantastic protection against ransom ware.

    But the article at the first link has a suggestion:

    Keeping a separate, offline backup of important files is now vital to both home and business users. Do it now — it might be the action that helps you restore your vitals following an unexpected ransomware infection

     
    Upvote 0
    Hi @Clinton

    [Sigh] Once again you demonstrate a complete lack of understanding of how O365 works and benefits the user.

    The items you feature in your last post are both very old (March 2017 and April 2018), and also demonstrate the respective writers' lack of appreciation of even basic IT security.

    In Microsoft's case they came up with this ransom ware protection.

    Introduced in 2018, this is additional protection over and above the inbuilt security provided by versioning. Yes, of course Ransomware can infect the files in cloud storage, but the older version of the file will be good and recoverable.

    So in addition to cloud being a pain in the ass from the connectivity point of view (you have to be online etc), and the blind trust you need to place in a third party that has been compromised more than once in the past, it is not fantastic protection against ransom ware.

    Again - good connectivity is not a PITA, it should be a significant part of the security model. Other than recovery and restoration, local files should only ever be used when connectivity cannot be achieved and, in these days, that should be rare.
     
    Upvote 0

    Clinton

    The items you feature in your last post... demonstrate the respective writers' lack of appreciation of even basic IT security.
    Funny how you're the only one who understands IT security ;) and how every article out there screaming about organisations moving away from public cloud services, or warning about major risk with them, is written by a moron!

    ZDNet says:
    There were so many incidents of significant downtime at public cloud hyperscale providers like Microsoft Azure and Amazon Web Services that there are simply too many to actually count. How are we supposed to migrate to public cloud infrastructure or use it as a business continuity solution if we can't actually reliably depend that it will be there when we need it?

    A user says (in his case Google, but it could happen with MS or anyone else):
    This is about the “no-warnings-given, abrupt way” they pull the plug on your entire systems if they (or the machines) believe something is wrong. This is the second time this has happened to us.

    Synopsys:
    a Ponemon Institute study indicated that overall a data breach was three times more likely to occur for businesses that use the cloud than those that don’t... A 2017 study by CGI and Oxford Economics gauged the costs resulting from data breaches in the last five years at more than $50 billion, according to a Fortune article.

    All morons!?
     
    Upvote 0
    Funny how you're the only one who understands IT security ;) and how every article out there screaming about organisations moving away from public cloud services, or warning about major risk with them, is written by a moron!

    and

    All morons!?

    Maybe, maybe not. People who write articles do so for many reasons and most of them are not altruistic. For every anti cloud article or report you come up with I can come up with an equally pro cloud article.

    Try -
    https://www.computerworlduk.com/cloud-computing/cloud-computing-trends-2019-3689701/
    and
    https://www.techradar.com/news/the-future-of-cloud-computing-in-2019

    But this is a fruitless method of discussion as we each will believe what we choose to believe until categorically proven wrong.

    A more concrete argument is probably to ask - "where is the money going"?

    Apple, Microsoft, Amazon and Google are trillion dollar companies and all are achieving their most significant growth in cloud services.

    £0 because you don't need a cluster for anything. You can open your program, do the work, save. Just like you would do in Windows or Mac.

    Nothing is for free. If you want to deploy a Linux cluster, you first need the computers, add to that the network, plus the knowledge and technic to create the structure. In O365 this is simple and the result is reasonably secure straight out-of-the-box.
    Is a Linux cluster this simple?
    How secure is it?
    How much technical knowledge do I need to ensure that unauthorised users cannot access the data stored there?
    Where, geographically, can I gain access to the data without compromising security?

    Costs if you please.

    I'm a real bastard black-hat hacker, and I wait 60 days before popping up the ransomware demand. Dastardly to the maxx, d00d!

    Noah. It doesn't matter if you are superman. There is no 60 day, or even 10 year, limit on the security of file versions.

    The limit only applies to deleted files, not encrypted files. Anyone concerned about security of data will deploy a local, physical, off site backup for critical data. This is as simply done with cloud as it is with LAN stored data.
     
    Upvote 0

    Noah

    Noah. It doesn't matter if you are superman. There is no 60 day, or even 10 year, limit on the security of file versions.
    I was suggesting that a ransomware operator would ensure backup files were also ransomware-encrypted as they are created, wait until a standard period elapses, and then encrypt the local files too and issue the ransom demand.

    Yes, there are ways to combat this - which can then be circumvented; security tennis.

    Anyway, just an observation really. I'll shut up now.
     
    Upvote 0

    Clinton

    People who write articles do so for many reasons and most of them are not altruistic.
    I agree. Articles evangelising cloud are often written by people who have a finger in the pie or are just going with the crowd (because they sense that it's "cool" to be in favour of cloud). Just like forum posts :)

    But why is it that it's only the anti-cloud articles that lack merit or are written by morons? ;)

    Some of the smartest independent thinkers I know, and people who've often made spot on tech predictions, are not in favour of public cloud.

    Just to be clear, I make no money from people choosing or not choosing any cloud solution.
     
    Upvote 0

    KM-Tiger

    Some of the smartest independent thinkers I know, and people who've often made spot on tech predictions, are not in favour of public cloud.
    There is an important distinction here between public and private cloud.

    Both are 'cloud' in the sense that data is accessible, and can be worked with, via the internet and across devices. With public cloud you hand over your data to a third party, with private cloud you do not, and retain full ownership and control.

    For those wary of handing their data over to a third party, Nextcloud is the leading private cloud project and well worth a look.
     
    Upvote 0
    I agree. Articles evangelising cloud are often written by people who have a finger in the pie or are just going with the crowd (because they sense that it's "cool" to be in favour of cloud). Just like forum posts :)

    Nothing 'Cool' about it. Look where the money is going and see where the expansion is in the IT world. Individual opinions matter less than overall global direction. Small businesses benefit hugely from this as they can benefit from tools provided for the larger organisations.

    Office 365 provides, for instance, full active directory control and security without the need for the operatives in the business to either understand the nuances of IT security, or employ an external provider to configure the security set up. For most small businesses that is a real benefit and saving. Just follow the instruction on the packet and you are done.

    This is just one of many hundreds of advantages of going for the 'cool' option.

    There is an important distinction here between public and private cloud.

    Off the top of my head I can't think of a single private cloud setup that is anywhere near as price competitive as O365 or G Suite. If you know of one, please advise.
     
    Upvote 0

    KM-Tiger

    Off the top of my head I can't think of a single private cloud setup that is anywhere near as price competitive as O365 or G Suite. If you know of one, please advise.
    It's not a question of price, but of data security requirements.

    For instance, I have clients that work on extremely sensitive commercial data for their clients. NDAs expressly forbid public cloud storage.
     
    Upvote 0
    It's not a question of price, but of data security requirements.

    Price is a principal factor for most businesses. NDAs and the like radically change specification, but most SMEs just want devices that can interact effectively and reasonably securely.

    The question, even for large business, can be expressed as cost over benefit (or requirement).

    Unless you are selling solutions that is.
     
    Upvote 0

    Inva

    ffox,

    1. Storing backups costs money, you can't simply have an older version. Especially if you don't keep it on your own storage, as you seem to advocate (cloud everything!)
    2. On the part you quoted me regarding clusters, I said you don't need a cluster.
    3. Linux still safer than Windows even if only because Linux users and admins are a lot more knowledgeable than Windows counterparts.
    4. Funny how when mentioning those articles I thought the exact thing with Clinton. Paid articles go both (or all) ways.

    "Cloud" is not in the interest of the client it's in the interest of the company that provides it.

    Especially those plans which "you pay what you use" and that seems so nice and fair doesn't it? But there's a catch, you actually pay more if you keep the server on and what kind of server doesn't need to be on 24/7?

    Then you're left wondering why you paid x3 of what a dedicated would cost :(
     
    Upvote 0

    Clinton

    Off the top of my head I can't think of a single private cloud setup that is anywhere near as price competitive as O365 or G Suite. If you know of one, please advise.
    Off the top of your head is completely the wrong place to start! ;)

    You could start here or here or anywhere else. But not at the top of a head that is stuck in the (Microsoft) cloud. Wrong place. Wrong place. Wrong place.
     
    Upvote 0
    Funny how when mentioning those articles I thought the exact thing with Clinton. Paid articles go both (or all) ways.

    Sorry @Inva . It was not @Clinton who said or thought anything regarding articles -

    Maybe, maybe not. People who write articles do so for many reasons and most of them are not altruistic. For every anti cloud article or report you come up with I can come up with an equally pro cloud article.

    Maybe you ought to read what you are quoting a little more carefully.

    Linux still safer than Windows even if only because Linux users and admins are a lot more knowledgeable than Windows counterparts.

    It may be, but using O365 or G Suite means that you are not dependent on Windows. You can use these platforms with Linux clients if you wish. The point is that if a client becomes compromised you can put it aside for rebuild and use another client to keep processing for your business. Threat of cross infection is reduced and recovery is faster.

    Especially those plans which "you pay what you use" and that seems so nice and fair doesn't it? But there's a catch, you actually pay more if you keep the server on and what kind of server doesn't need to be on 24/7?

    Strange how you keep sidestepping the question of how much a local LAN costs in terms of both hardware and the cost of internal, or bought in expertise.

    You could start here or here or anywhere else. But not at the top of a head that is stuck in the (Microsoft) cloud. Wrong place. Wrong place. Wrong place.

    Can't see the attraction, unless you are a business that can afford full IT section, or you want to do it yourself.
     
    Upvote 0
