Cybersecurity: Beyond Anti-Virus

Posted on by

Cybersecurity: Beyond Anti-Virus

INTRODUCTION

In the wake of the WannaCry Ransomware epidemic, this is a means to secure themselves beyond the typical advice regarding antivirus. This is not meant to devalue antivirus but rather to amplify ones personal information security, commonly known as cybersecurity. These steps are not all inclusive and should be considered as part of defense in depth. If you have any questions about this, email me at [email protected].

MY ANALYSIS

  1. Cloud file storage – which vendors are most secure and do you need to encrypt your files as well with vendors like google drive and dropbox?

 The cloud is a tricky place. While not as mature as other aspects of IT, cloud security is moving to the forefront, especially in the wake of events like the Dyn Denial of Service attack and the rise of ransomware. Seemingly, everyone has a cloud for you to store your documents in. Are they all secure? Of course not. Are some more secure than others are? Absolutely!
Commercial clouds (Google, Dropbox, iCloud, OneDrive) are starting to embrace security as a feature, but they somewhat lack in implementation. While your data is encrypted in transit and at rest, you have no control over the key (aside from the password you use to authenticate) and you have no control over those granted physical or logical access to the servers storing your data.
It is your personal decision whether to take advantage of this. The pricing make this very lucrative. For example, Dropbox Pro for personal use up to 1TB (1,000 GB) is $99 per year (billed annually) or $9.99 for month-to-month, billed monthly. Google Drive is comparable in pricing, but also offers a $1.99 per month package for 100GB.
What if I want to control my encryption keys you may ask? Fear not, similar to how Proton Mail (see more later) revolutionizes secure email in contrast to Google, Hotmail, and Yahoo, there are similar solutions for the cloud as well.
A couple that I am fond of are Tresorit and SpiderOak. In terms of pricing, Tresorit for personal use up to 1TB (1,000 GB) is $125 per year (billed annually) or $12.50 for month to month, billed monthly. SpiderOak is comparable in pricing, but is a little more expensive at $12 per month or $129 per year, but also offers 100GB, 250GB, and 5TB options.
SpiderOak also has Semaphor and Encryptr. Semaphor is a secure team collaboration solution (think a hybrid of Slack and Signal) and Encryptr is a password manager (more on those a little later).
What are the key benefits to using these? Simple, you can set your own key. You still cannot control who has physical access to the server, but you can control whether your data could be read if someone gains logical access to the server storing your data.
Another feature in these products is that they can also automate backups of your systems. After I had a 2TB external hard drive with my podcasts to be publish fall over and die on me, I went looking for a backup solution. I use Backblaze for this, but will be strongly considering shifting to SpiderOak or Tresorit for a unified ecosystem, despite having set my own key with Backblaze.
In summary about cloud storage, you have to decide how much control you want in securing your data. There may still be instances when you have to use something like Dropbox or Google Drive due to vendor limitations. That is fine. If you want additional security but still need to use those solutions, either encrypt the documents yourself using something like VeraCrypt (free) or Boxcryptor (freemium) and upload or migrate them from Dropbox/Google to SpiderOak/Tresorit. Another feature of all the solutions mentioned is that each have applications available for Windows, Mac OSX, Apple iOS, and Android for accessing your documents on the go.
A recurring theme in this article is that in terms of authentication, Multifactor Authentication (MFA) is highly encouraged. This will add a layer of security to your account. Any time it is offered, whether for cloud storage, email, or password managers, it should be used. Common implementations are Duo, Google Authenticator, and Yubikey.
Duo and Google Authenticator are built off one-time keys generated by cryptographic equations like RSA. Yubikey is similar in using such keys except it is a physical key in the form of a thumb drive vice a mobile app for Duo or Authenticator, adding an additional layer of security. The cryptography used in Yubikeys is currently being evaluated for FIPS 140-2 compliance. Yubikeys cost between $40 and $50 per key for the traditional keys and $18 for the limited functionality in the FIDO U2F key.

  1. What are you top best practices for email security

 Email is another function of our everyday lives. Everyone is seemingly offering free email, but for what purpose? They aren’t that nice, are they? No, typically, it is to build a marketing dossier on you to sell to vendors. If you’re getting something for free, chances are you are the product.
How do we use email securely? In this case, there are many aspects to approach this from. First, we have the age-old advice of not clicking suspicious links or open unsolicited emails. Beyond that, how do we ensure that the emails we are sending are secure? Encryption of course. How do we encrypt? There are several ways.
First, we can manually encrypt the documents in our existing free webmail using a PGP (Pretty Good Privacy) key and a solution like Mailvelope. This allows you to draft an email then encrypt it with your PGP key.
The challenge is that the recipient must have your key to decrypt. This is a simpler solution due to sites like Keybase. Mailvelope operates using browser extensions so that you can seamlessly encrypt without having to copy and paste. Mailvelope is free and open source. Even with using Mailvelope, keep in mind that free webmail providers like Gmail and Yahoo maintain the keys to any stored encrypted emails you may have or those decrypted by your recipients.
For a more advanced solution, you could use services like ProtonMail or Countermail. These are paid services that are highly endorsed by Open Source Intelligence (OSINT) and Personal Security experts Justin Carroll and Michael Bazzell, especially ProtonMail.
ProtonMail has three levels of service: Free, 4€ (about $4.50), and 24€ (about $26.50) monthly. The difference is the level of support and the limitations and features. ProtonMail offers end-to-end encryption (E2EE). ProtonMail does not handle keys, you do. They cannot decrypt your information and give it away or sell it.
You control the keys; therefore, if you forget the key, you are on your own and will have to create a new account. ProtonMail uses AES, RSA, and OpenPGP to accomplish the encryption. The only other caveat is that the E2EE is only when sending between parties using ProtonMail. If you use ProtonMail to send to a Gmail account without something like Mailvelope, it will transmit in clear text, without encryption.
CounterMail is similar with a single added option: USB Key support, similar to a Yubikey (something that FastMail does support). CounterMail is a little more expensive than ProtonMail. They do pricing on 3, 6, and 12 month terms that comes in at a maximum about $2 more than ProtonMail. The tradeoff for the USB key is less storage. You can pay a one-time fee for more storage, but it is hard to beat ProtonMail’s 5TB storage for $4.50 per month. By contrast, CounterMail does offer a secure chat client as well. FastMail is another alternative and does support the Yubikey, but is geared toward business use more so than personal from the documentation on their site.

  1. What password management vendor would you recommend, if any?

As demonstrated day in and day out by Troy Hunt’s Have I Been Pwned, the need for diverse passwords, meaning a unique password for each site and/or application used is more vital now than ever. With online giants like Yahoo, Myspace, and Adobe passwords being breached, there are good possibilities that you have already been affected.
The solution? More like, “A solution” is password managers. Can your password still become compromised using a password manager? Absolutely, but you only have to change it for that site or application and (if implemented properly – i.e. not using the same password across multiple platforms) you will be fine.
These applications will store your password, pass it to applications through your web browser, and even generate passwords of your defined length and complexity. The days of an annoying social engineer or OSINT investigator enumerating your password using a tool likePWDLOGY can be minimized. You can even generate random strings for use as password reset questions. This will enable you to be more social with people randomly asking for your mother’s maiden name.
We dive into password managers, starting with LastPass. This application used AES-256 bit encryption to secure your password vault. Your single password is the key to the vault (that LastPass does not have access to). This is common among password managers. The difference between LastPass and other managers is that the vault is synchronized by the application vice through a cloud provider like Dropbox (as an option for 1Password). LastPass is inexpensive at $12 per year and has Yubikey, Google Authenticator, and Duo support. There is also an Enterprise Edition.
Next is 1Password, it costs $2.99 per user (billed annually) or $4.99 per month (billed annually) for families. 1Password has similar capabilities as Google Authenticator, so there is no support there. 1Password does support Duo, but per the Agilebits site, has no plans to support Yubikey. Like LastPass, you have a local vault or you can synchronize it using a cloud provider like Dropbox. There is also an Enterprise Edition.
The final paid solution is Dashlane. This one was actually new to me. They have a free version on top of the paid version (at $3.33 per month billed annually). The kicker is that the free version does not support MFA or synchronizing across devices. There is also an Enterprise Edition. Dashlane supports Yubikey and Google Authenticator.
If free is more of your speed, there are totally free solutions aside from the free versions of the commercial products above. As mentioned in the Cloud section, SpiderOak has Encryptr. Furthermore, this tool integrates with SpiderOak cloud, but does not offer MFA. It does have mobile applications, as does all the solutions mentioned with the exception of KeePass (discussed in the next section). The final marketing bullet is that it is “Grandparent Friendly.”
The final solution is KeePass. It is an entirely free and open source platform. It is up to you in terms of how secure you want it to be. There are MFA plugins, but no inherent cloud support or cross device synchronization as a result of the open source nature of the software. If you like to tinker or want to avoid commercial software, this is your solution.

Conclusion

In conclusion, there are many ways to attain security in your personal life. Using a secure cloud provider, understanding the risk associated with cloud and email providers, mitigating risks, and having a comprehensive password cycle are the initial steps to securing yourself. These steps will not completely protect you, as there are still system vulnerabilities, vendor vulnerabilities, malware/ransomware, and social engineering/phishing attacks that can be used to compromise you as an individual. Take the steps above to reduce your attack surface and the attackers will likely pick an easier target.

References

  1. https://tresorit.com/pricing
  2. https://spideroak.com/about/price-list
  3. https://veracrypt.codeplex.com/
  4. https://www.boxcryptor.com/en/pricing/
  5. https://www.mailvelope.com/en/
  6. https://keybase.io/
  7. https://protonmail.com/
  8. https://countermail.com/
  9. https://www.yubico.com/start/
  10. https://duo.com/
  11. https://support.google.com/accounts/answer/1066447?hl=en
  12. http://keepass.info/
  13. https://spideroak.com/personal/encryptr
  14. https://www.dashlane.com
  15. https://1password.com/
  16. https://www.lastpass.com/
Enter your email address:


Delivered by FeedBurner

SUBSCRIBE TO OUR MAILING LIST

* indicates required



About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.