
Cyber-hygiene and Phishing Part 4: Other Steps to Take to Protect Yourself


by Lim Seng Siew, Director OTP Law Corporation

In the first and second parts, we talked about what is a phishing attack and what to do if you are a victim. In the third part we talked about the simple steps to take to protect yourself against an attack. In this fourth and final part of the series about Cyber-hygiene and Phishing, we will talk about other, more complicated, steps that you can take to reduce the chances of being a victim of a hack.

Steps With Assistance Basket

The suggestions in this basket are much more technical than just installing an anti-malware (one of the simple steps in the earlier article) onto your computers and may require your IT provider to help.

Configure Your Email Servers

Your email servers can be configured to ‘prevent’ your emails from being spoofed. I put ‘prevent’ in quotation marks because, as I said earlier, it is not possible to prevent hacking, only to make it more difficult for a hacker.

What you tell your IT provider is “Please configure my email servers to enable SPF, DKIM and DMARC. I want to prevent our emails from being spoofed and so that our emails are not marked as spam by other email servers.”

Briefly, this is what they mean and do.

SPF stands for “Sender Policy Framework”. What SPF does is to allow email servers receiving your email to verify that the email comes from your domain and is authentic, and not forged or spoofed.

DKIM stands for “DomainKeys Identified Mail”. What it does is to add a digital signature to every message sent from your organisation. Receiving email servers read the signature and verify whether the message actually came from you. DKIM also protects the message content against being changed while the message is transported between servers, since any alteration would invalidate the signature.

Finally, DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”. DMARC tells the receiving email servers what to do with messages from your organisation when they pass neither SPF nor DKIM. Failed messages can be (a) delivered to the recipient anyway, (b) quarantined or sent to the spam folder, or (c) rejected, ie not delivered to the recipient at all. Usually, as a start, you might want to choose the first option (deliver anyway) until you are certain that only false emails are being tagged. Whichever option is chosen, DMARC also sends you reports that tell you which messages passed or failed SPF and DKIM. These reports can help you identify possible email attacks and other vulnerabilities in your email servers.
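The following is an added illustration, not code from the article or from any mail server, of how a receiving server applies a DMARC record once it has checked SPF and DKIM. The domain, DNS records and message results are constructed; the p= tag holds the (a)/(b)/(c) choice above as none, quarantine or reject, and the example also shows the alignment check that the article's summary leaves implicit.

```python
"""Added illustration, not from the article: how a receiving server applies a
DMARC record once SPF and DKIM have been checked. All domains, DNS records and
message results are constructed for the example."""
from dataclasses import dataclass

# Constructed DNS TXT records for a hypothetical domain, example-firm.sg.
# p= is the article's (a)/(b)/(c) choice: none, quarantine or reject.
TXT_RECORDS = {
    "example-firm.sg": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.example-firm.sg": "v=DMARC1; p=quarantine; aspf=r; adkim=s; "
                              "rua=mailto:dmarc-reports@example-firm.sg",
}

@dataclass
class AuthResults:
    from_domain: str   # domain of the visible From: header the reader sees
    spf_pass: bool     # SPF verdict on the envelope sender (MAIL FROM)
    spf_domain: str    # domain that SPF actually validated
    dkim_pass: bool    # DKIM signature verified
    dkim_domain: str   # d= tag of the DKIM signature

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=quarantine; ...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def aligned(from_domain, auth_domain, mode):
    """DMARC only counts SPF/DKIM if the validated domain lines up with From:.
    Strict ('s') needs an exact match; relaxed ('r') also accepts a parent/child
    domain (simplified: real checks compare organisational domains)."""
    if from_domain == auth_domain:
        return True
    if mode == "s":
        return False
    return auth_domain.endswith("." + from_domain) or from_domain.endswith("." + auth_domain)

def dmarc_verdict(res, records=TXT_RECORDS):
    """Return 'pass', the publisher's policy ('none', 'quarantine', 'reject'),
    or 'no-policy' when the From: domain publishes no DMARC record at all."""
    txt = records.get("_dmarc." + res.from_domain, "")
    if not txt.startswith("v=DMARC1"):
        return "no-policy"
    tags = parse_dmarc(txt)
    spf_ok = res.spf_pass and aligned(res.from_domain, res.spf_domain, tags.get("aspf", "r"))
    dkim_ok = res.dkim_pass and aligned(res.from_domain, res.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```

A spoofed message whose SPF passes only for the attacker's own sending domain is not aligned and so falls to the published policy; this is the case the reports mentioned above will show you.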

Like the password checker, CSA has its Internet Hygiene Portal (at https://ihp.csa.gov.sg/home) where you can check if your website and email are secure.

Back-Ups Including Off-Site Back-Ups

In our everyday life, we have ‘back-ups’ for many things: the spare key to our front door or keeping a properly inflated spare tyre in our car.

The same should apply to your business data. You cannot assume that the information you store will always be safe and accessible. Even if you are not a victim of a hack, negligence by a member of staff or a system corruption (physical storage devices do break down sooner or later) can result in lost data. Regular and systematic back-ups will ensure that if the information is lost, it can be restored from the back-ups.

Experts advise making several back-up copies of valuable files and safekeeping them in different places. This is to plan for the contingency that your first back-up option becomes corrupted.

Some planning and discussion with your IT provider will be necessary. Questions such as the following need to be asked and answered: Do I need to do daily incremental back-ups? Do I need to do weekly or monthly complete back-ups? Do I need real-time back-ups? Do I do the back-ups on removable devices? On external hard drives? On dedicated back-up devices? On the cloud?

Another key question is “Where is the data that I want backed-up stored?” If your staff stores the files in multiple devices and locations, must all these devices and locations be backed-up? Or should your staff be educated and trained to store all the files in one place (say a dedicated folder on your file servers) so that only that place needs to be backed-up?

At least one back-up copy should be kept off-site or in a reliable cloud service. If your on-site files, including your on-site back-ups, fall victim to ransomware or are destroyed by fire, you will have that off-site copy or cloud copy from which to restore and reconstruct your files. However, bear in mind that restoring from off-site back-ups is not as easy as copying files back into your system after it has been restored or cleaned of any malware. Further, you have to ensure that the off-site or cloud back-up copies are immutable copies of your data, ie that they cannot be encrypted or corrupted by ransomware. So regular testing of your back-up and restoration process should be carried out.

Encryption

Encryption is a cybersecurity measure that protects your data even if the data is stolen. A hacker will have to ‘crack’ the decryption key before he can get his hands on the data. With strong encryption, decrypting files can take years of computing power.

Both data stored or backed-up on your devices or the cloud (termed ‘data at rest’) and data that is moving across the internet or a private network (termed ‘data in transit’) should be encrypted.

Data in transit is usually encrypted by the application used to transfer that data. As an example, many instant messaging apps encrypt all messages sent and received between their users. Websites that have “https” as part of their web address also encrypt all traffic between their web server and the web browsers of their visitors.

Similarly, many cloud storage providers encrypt both data in transit (ie data that is moving between the user and the cloud storage) and data at rest (ie data that is stored in the cloud storage).

It probably would not make sense to encrypt ALL files generated by a business. So, you will need to discuss with your staff and your IT provider to see what types of data would benefit from encryption and what would not. In short, a risk-based assessment will have to be undertaken.

Files that are copied or backed-up onto removable storage devices should be encrypted, especially if these devices are going to be physically moving around. Thus, if the storage device is lost or stolen, the data remains safely out of the hands of the thief or hacker.

Do not overlook the data encryption tools that are already incorporated in some of the common operating systems, like the Encrypting File System (EFS) in Microsoft’s Windows and Android Encryption in Google’s Android. By default, no file is encrypted on either system. EFS can be enabled by users (or through Group Policies) on a per-file, per-directory, or per-drive basis. Encryption in Google’s Android is generally either full-disk encryption (FDE) or file-based encryption (FBE). Confusing? Yes, it can be. That is why help from your IT provider will be useful.

A useful point to note: whether encryption has been used is a factor taken into consideration by the PDPC in determining whether an organisation has taken reasonable steps to secure the personal data it collects.

Monitor

“Don’t know, don’t ask” is definitely not one of the mantras to be adopted where cyber-hygiene is concerned. The fact that you had been hacked or that hacking is on-going but you know nothing about it is not only embarrassing when it is subsequently discovered, but can potentially mean that prima facie, you did not take reasonable steps to secure your data.

Proactive monitoring can give you early warning signs of an impending attack, whether it is specifically directed at your organisation or is part of a global tidal wave. Servers, routers, applications and systems used by your organisation should be configured (again, with the help of your IT provider) either to generate periodic (say weekly) reports or to have real-time monitors that spot suspicious activity. However, do not overreact when you see such reports for the first time. There will be many suspicious activities. Hackers routinely use bots to scan multiple systems, including yours, for vulnerabilities such as vulnerable code that has not been patched. In today’s day and age, these activities are part of the ‘background noise’. What you should be looking out for are changes to the ‘background noise’ that might indicate either that you are being targeted or that some vulnerability has been detected.
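As an added example (not from the article or from any monitoring product) of what “changes to the background noise” can look like in practice, the script below counts failed SSH logins per day from a constructed auth-log excerpt, uses the first week as the normal noise level, and flags only a day that jumps well above it. The log lines, host name and addresses are all constructed.

```python
"""Added illustration, not from the article: telling steady scanner 'background noise'
apart from a change that deserves a look. The log lines are constructed, not real."""
import re
import statistics
from collections import Counter

def make_log():
    """Constructed sshd-style auth log: seven days of routine failed logins, then a spike."""
    per_day = [4, 5, 3, 6, 4, 5, 4, 48]
    lines = []
    for day, n in enumerate(per_day, start=1):
        for i in range(n):
            lines.append(f"Mar {day:02d} 02:{i:02d}:09 srv sshd[101]: Failed password for "
                         f"invalid user admin from 203.0.113.{i % 20 + 1} port 4411 ssh2")
    return lines

LINE_RE = re.compile(r"^(\w{3} \d{2}) .*sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def failures_per_day(lines):
    """Count failed-login lines per calendar day (the 'noise level' for that day)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(sorted(counts.items()))

def anomalous_days(counts, baseline_days=7, k=3.0):
    """The first baseline_days define normal; later days above mean + k*stdev are flagged.
    The spread is floored at 1 so a perfectly flat baseline still needs a real jump to alarm."""
    days = list(counts)
    base = [counts[d] for d in days[:baseline_days]]
    if len(base) < 2:
        return {}
    threshold = statistics.mean(base) + k * max(statistics.pstdev(base), 1.0)
    return {d: counts[d] for d in days[baseline_days:] if counts[d] > threshold}

if __name__ == "__main__":
    counts = failures_per_day(make_log())
    for day, n in anomalous_days(counts).items():
        print(f"{day}: {n} failed logins, well above the usual level; investigate")
```

The same pattern applies to any counter your IT provider already reports (blocked connections, bounced emails, admin logins); the point is that the baseline, not the raw number, decides what is worth a look.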

Steps With Consultation Basket

This third and final basket of suggestions is one that will require consultation between various stakeholders, including senior management, staff, and the IT provider, as the suggestions involve longer-term planning, top-management decisions, and operational changes. You don’t have to implement all the suggestions; adopt only what suits you and your practice.

Consider Implementing Zero Trust Policy

Zero trust policy is basically a philosophy that states that no one, whether inside or outside the network, should be trusted unless their identity has been thoroughly checked. Zero trust assumes that every attempt to access the network or an application is a threat. Traditional security models are based on the ‘moat and castle’ or ‘perimeter defence’ model, that is, a moat surrounding the castle, with anyone inside the castle assumed to be a friend. A zero trust model doesn’t make that assumption. It in fact goes a few steps further in that the user or device, even after verification, is granted only the minimum permissions necessary to perform an authorised task, and only for a limited period of time.

The weakness of the perimeter defence model is that the perimeter has all but disappeared with the proliferation of devices that ‘connect’ to your system. This is the result of employees working from home (WFH) in the wake of the global pandemic. Such devices include desktops, laptops, smartphones, tablets, smart TVs and other internet of things (IoT) devices. As a result, hackers have many more points to breach security controls.

Implementing Zero Trust Policy is not easy. Some of the considerations include:

  • Verifying the identity of authorised users, often using 2FA. In newer implementations, the authentication is via an authenticator app.
  • After the user is verified, the device from which the user seeks authentication also needs to be verified. This usually requires some sort of device management system.
  • After the user and device used have been verified, then the permissible access of the user and device needs to be verified. As an example, if a user logs in using a laptop with VPN, then the user can have access to certain pre-defined segments of your network or to certain pre-defined folders of your server. If the user logs in using an IoT device (which is generally viewed as having a higher risk), then the user is only allowed to access an even more restricted segment of the network or server.
  • Some zero trust implementations also verify the types of services that a user or device is permitted to have access to. As an example, a user using an IoT device may only have ‘read only’ access to certain services while a user using a laptop will have full access to the same services.
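To make the four considerations concrete, here is an added toy policy engine (not code from the article or from any zero trust product) that applies them in order and fails closed: identity first, then the device, then the segment the device class may reach, then the permitted action, and finally a time-limited grant. The device classes, segment names and session lifetime are constructed for the example.

```python
"""Added illustration, not from the article: a toy policy engine that applies the four
zero-trust considerations above in order and fails closed. Device classes, segment
names and the session lifetime are constructed, not taken from any real product."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AccessRequest:
    mfa_passed: bool       # 1. identity verified with 2FA / authenticator app
    device_enrolled: bool  # 2. device known to the device-management system
    device_class: str      # 3. "laptop_vpn" or "iot" (constructed classes)
    segment: str           # 3. network segment or server folder being requested
    action: str            # 4. "read" or "write"

# Constructed policy: what each verified device class may reach, and how.
POLICY = {
    "laptop_vpn": {"segments": {"intranet", "case-files", "finance-share"}, "actions": {"read", "write"}},
    "iot":        {"segments": {"intranet"}, "actions": {"read"}},
}
SESSION_TTL = timedelta(hours=8)  # access is granted for a limited period, not forever

def decide(req, now=None):
    """Return (allowed, reason, expires_at); every denial names the check that failed."""
    now = now or datetime.now()
    if not req.mfa_passed:
        return False, "identity not verified (2FA failed or missing)", None
    if not req.device_enrolled:
        return False, "device not verified (not enrolled in device management)", None
    rules = POLICY.get(req.device_class)
    if rules is None:
        return False, f"unknown device class '{req.device_class}'", None
    if req.segment not in rules["segments"]:
        return False, f"{req.device_class} may not reach {req.segment}", None
    if req.action not in rules["actions"]:
        return False, f"{req.device_class} is limited to {sorted(rules['actions'])} on {req.segment}", None
    return True, "granted with minimum permissions until session expiry", now + SESSION_TTL
```

Because each denial states which step failed, the same decisions can be logged and fed into the monitoring discussed earlier.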

As the considerations are varied, with numerous factors to be taken into account, you will need to work with your key staff and with an experienced IT provider to implement any zero trust policy. Further, it is likely that as you gain more experience, the policies will have to be modified to suit the working requirements of your organisation.

Reduce Your Attack Surface

One of the aims of any cybersecurity plan is to reduce the attack surface. The smaller the attack surface, the easier and cheaper it is to protect. Unnecessary complexity can result in poor management and higher chances of mistakes that allow greater opportunities for hackers to gain unauthorised access to your systems.

The simplest step is to disable all unnecessary or unused: (a) software or applications; (b) computers or devices; and (c) user and admin accounts. However, this is not as easy as it sounds. Many of us allow staff to use their own laptops, tablets and mobile phones (the Bring Your Own Device or BYOD ‘culture’), to work from home (or, for that matter, anywhere), and to use thumb-drives as a means of transferring or transporting files. Just these three practices have increased the attack surface many-fold and made things more complicated. They make scanning for vulnerabilities more difficult, and make implementing a zero trust policy more important.

This cannot be done overnight, because you do not want to disrupt existing work processes that have been in place for a while. The cost of doing so also needs to be weighed against the savings. As an example, you could consider buying laptops for your entire office. That way, you can set the configuration of the laptops and only allow these laptops to access your office system. Any access from mobile devices (even your staff’s own devices) can then be restricted to read-only access to limit any potential harm caused by such devices.

Consider Cloud Services

I will not be dealing with the decision of whether or not to migrate to the cloud. Rather, I am just going to weigh cloud versus on-premise solutions from a cybersecurity standpoint. Hybrid WFH makes cloud services an important alternative to on-premise or hosted solutions, although both of them have their own security issues.

An important point to keep in mind: the cloud is not the solution to every hacking problem. A careless employee who gives out login credentials in reply to a phishing email will compromise the cloud service just the same. So, training and all the previously discussed suggestions are still important.

Further, the larger and established cloud service providers would have, either as a default or as an option, some of the cybersecurity solutions that I have suggested for a user to choose from. Discuss the options with your IT provider and the cloud service provider you are considering.

I have listed some factors to be considered when deciding between cloud or on-premise solutions.

  1. Cloud Services: Choice of industry-standard security solutions at lower up-front costs and at subscription rates.
     On-Premise Solutions: You must decide on specific solutions, usually at high up-front installation and implementation costs.
  2. Cloud Services: Maintenance, upgrades, and monitoring are usually part of the cloud service and covered in the subscription.
     On-Premise Solutions: You must engage an external provider or do these tasks yourself.
  3. Cloud Services: Physical security of data centres and network is usually best of class.
     On-Premise Solutions: You must provide dedicated secured space and network on your premises for the hardware.
  4. Cloud Services: You surrender control of your data to the provider.
     On-Premise Solutions: You have full control over what to implement.
  5. Cloud Services: Larger service providers and their larger clients are the usual targets for hackers (cloud hacking). You may be collateral damage, even if not a target.
     On-Premise Solutions: You might not be a target for hackers. However, opportunistic hackers might still spot a vulnerability in your systems and launch an attack.
  6. Cloud Services: Subject to downtime of the provider.
     On-Premise Solutions: Subject to downtime of your own equipment.

The Summary

In summary and to recap all four parts:

  • Have a Written Breach Management Plan – Include C.A.R.E. (Contain, Assess, Report, Evaluate)
  • Prevention is Better Than Cure – Practice Cyber-hygiene
    1. Simple Steps
      1. Have Anti-Malware / Update Software
      2. Practice Password Hygiene: Strong password / Different Accounts, Different Passwords / 2FA / Don’t share passwords / Don’t login over unsecured wi-fi / Change passwords regularly / Use password manager
      3. Learn to Spot Phishing Messages: Mismatched or Misleading Information / Beware of Homograph attacks / Use of Urgent or Threatening Language / Promise of Attractive Rewards / Request for Confidential Information / Unexpected Emails & Suspicious Attachments
      4. Training & Keeping up to Date
    2. Steps With Assistance
      1. Configure Email Servers – SPF / DKIM / DMARC
      2. Back-Ups – Multiple Copies & Off-site Copies
      3. Encryption
      4. Monitor Your Systems
    3. Steps With Consultation
      1. Zero Trust Policy
      2. Reduce Attack Surface
      3. Consider Cloud Services
  • Key Resources
    1. CSA’s Password Checker (https://www.csa.gov.sg/gosafeonline/Resources/Password-Checker)
    2. CSA’s Internet Hygiene Portal (https://ihp.csa.gov.sg/home)
    3. Talk to us at OTP Law Corporation. Our website is otp.sg

If you have a need to seek legal advice on your cybersecurity situation or just require legal assistance in any way, please reach out to us at enquiries@otp.sg or +65 64383922.