Stop Hackers from Even Trying…
My last blog article covered mostly non-technical measures to protect your information. Today I want to dive deeper into the technical aspects of securing your computers that can give you an edge over the wily hacker. If you manage your network and employ professional IT technical staff, chances are they’ve already taken the steps necessary to secure your network and devices, but check with them all the same. The same is true if you pay a service provider to manage your network systems. If you have volunteer IT staff, ask them to read this article — it will be thought-provoking and helpful.
For your desktop computers and portable devices, the days of antivirus programs being your sole protection are long gone. You need to deploy a holistic approach, layering your defenses to thwart all but the most determined attackers. That’s right, even if you do all these things and more, a determined hacker could still compromise your network. Your goal isn’t to stop all the attacks — that is impossible since the hacker only has to get it right one time. Generally, they go after the “low-hanging fruit” — organizations that pay little to no attention to information security. Your focus should be on becoming a more difficult objective. Even a moderate effort on your part will make it more difficult for hackers looking for easy opportunities (making it more likely they’ll pass on attacking your church or organization).
Adding Layers of Protection for Your Desktop Computers
Antivirus applications have matured over the years but are still relatively easy to bypass (especially via email phishing and social engineering). An emerging approach called “endpoint protection” is replacing traditional antivirus solutions. Rather than identifying individual viruses and working on blocking them, vendors now focus on spotting suspicious behavior and locking down key services on computers and computerized devices to prevent tampering.
Ensure you apply all vendor-supplied updates to your web browsers, programs (apps), and the operating system:
- In your browser, locate the Help menu item and select “About.” This will show you if your browser needs updating.
- Other frequently used applications also have an update feature similarly accessed.
- For Windows 10, tap the Windows key and type “Check for Updates.”
- For macOS, choose Apple menu > System Preferences, then click “Software Update.”
The firmware that controls the computer startup process, called either UEFI or BIOS, also needs updating from time to time. Most computer manufacturers include a utility on the computer to perform this function. You should set a calendar reminder to do this at least twice a year.
A firewall is software that filters traffic coming into your system from the internet and blocks potentially harmful programs. By default it stops most programs from accepting connections; to let a program through, you add it to the firewall’s list of allowed programs.
For Windows 10, tap the Windows key and type “Firewall.” For maximum security, set the firewall to “Active” on all networks (domain, private, and public).
For macOS:
- Choose “System Preferences” from the Apple menu.
- Click “Security” or “Security & Privacy“.
- Click the “Firewall” tab.
- Unlock the pane by clicking the lock icon in the lower-left corner and enter the administrator username and password.
- Click “Turn On Firewall” or “Start” to enable the firewall.
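To check the Windows 10 side of this from the command line, here is an added PowerShell audit script (not from the original article) that reports the state of each firewall profile, lists the programs currently allowed through, and with -Fix turns the firewall on for every profile. It assumes the built-in NetSecurity cmdlets and an elevated prompt.

```powershell
# Added example, not part of the original article: audit the Windows Defender
# Firewall on Windows 10 and optionally enforce the recommended state.
# Run from an elevated PowerShell prompt (uses the built-in NetSecurity module).
# Usage:  .\Audit-Firewall.ps1          # report only
#         .\Audit-Firewall.ps1 -Fix     # also turn the firewall on for every profile
param([switch]$Fix)

function Get-FirewallAudit {
    # One row per network profile (Domain, Private, Public).
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Profile        = $p.Name
            Enabled        = ("$($p.Enabled)" -eq 'True')
            # 'NotConfigured' is the default and behaves as 'Block'; only 'Allow' is weak.
            DefaultInbound = "$($p.DefaultInboundAction)"
            LogBlocked     = ("$($p.LogBlocked)" -eq 'True')
        }
    }
}

function Get-AllowedInboundPrograms {
    # Programs explicitly allowed to accept inbound connections: this is the
    # "list of allowed programs" worth reviewing and pruning.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and $_.Program -ne 'Any' } |
        Select-Object -ExpandProperty Program -Unique |
        Sort-Object
}

$audit = Get-FirewallAudit
$audit | Format-Table -AutoSize

$weak = $audit | Where-Object { -not $_.Enabled -or $_.DefaultInbound -eq 'Allow' }
if ($weak) {
    Write-Warning ('Firewall is off or permissive on: ' + ($weak.Profile -join ', '))
    if ($Fix) {
        # Turn the firewall on for all profiles and block unsolicited inbound traffic.
        Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
            -DefaultInboundAction Block -LogBlocked True
        Write-Host 'Firewall enabled on all profiles; re-run without -Fix to verify.'
    }
} else {
    Write-Host 'Firewall is on and blocking unsolicited inbound traffic on all profiles.'
}

Write-Host "`nPrograms allowed through the firewall (inbound):"
Get-AllowedInboundPrograms
```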
Bring Your Own Device (BYOD)
The decision to allow staff to access your church’s network with their personal device should be outlined in your information security policy. BYOD poses a risk to your data and systems since you don’t control the device and cannot be certain it’s not compromised in some way. If BYOD is allowed, ensure device owners read our upcoming blog article on security for your phone and follow the steps to harden their devices.
Employing Network-Level Protections
If you maintain a local area network within your church or a wide area network between campuses, you should pay close attention to this section. Your “footprint” is much larger than if you only have a couple of independent computers in your office, and your risk exposure is much greater. A good place to start with securing your network is by implementing the SANS Critical Security Controls. A great guide to use for your church is the CIS Controls SME Companion Guide.
In addition to the control implementation in the guide, these are some specific tips to check off:
- Do not use a web browser on a server. It’s an unnecessary exposure that could lead to severe compromise. If you need to go to a website to download applications or patches, do so from a desktop or laptop computer, scan the files, then transfer them to the server.
- One of the easiest ways to defend your systems is to patch them regularly. “Patch Tuesday” is a familiar trope to your IT staff (given some of the difficulties encountered when a defective patch is issued, it justifies their eye rolls when you mention it). However, critical security updates are routinely sent out and need to be applied as soon as possible in most cases.
- As with server patching, patching your routers has a similar urgency.
- Routers employ access control lists that can block malicious web traffic before it even enters your network. Over time, tighten these lists until only the internet traffic you actually need is allowed in.
Hardware firewalls
These differ from software firewalls in that they are a dedicated device that sits between your network and your internet connection. They function as the gateway to the internet, so it is critical that they are configured and maintained correctly. If you operate a hardware firewall, ensure your IT staff have received training on that particular device before being allowed to configure or maintain it.
Wireless access points (WAP)
Chances are high that you have at least one WAP in your environment, and likely several. These provide WiFi service to your staff and congregation. There are many guides for secure configuration available, but make sure you disable Wired Equivalent Privacy (WEP), an outdated and broken security algorithm still found on many WAPs.
Kiosks
Kiosks are simplified computers, and these devices are often overlooked when defensive measures are applied. Here are seven steps to help harden your kiosks to prevent someone from tampering with or hacking them. Some of these may require assistance from the kiosk application support team.
- Enclose the device to prevent access to external ports, especially the USB port.
- Password protect the system BIOS. This subsystem controls the boot-up of the system.
- Avoid using a physical keyboard when possible and instead opt for an onscreen keyboard with the system keys (Ctrl, Alt, Del, F1-F12, etc.) removed.
- Prevent right-clicking on the mouse if equipped. The kiosk application may need to be modified to ignore the right mouse button.
- Prevent access to the file system. If the kiosk runs a web browser, this is difficult, as all anyone has to do to view and open files is type “c:\” in the browser address bar.
- Restrict access to external websites. If the kiosk runs a web browser, simply whitelist the specific sites you need in the browser to prevent web surfing.
- Ensure the kiosk application starts at boot time and is restarted if it stops. This is handled by a so-called “watchdog” service; in Windows, you can set it up as a startup service.
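One way to build the watchdog from the last step, as an added PowerShell example that is not part of the original article: the script polls for the kiosk process and relaunches it, and registers itself as a scheduled task that starts when the kiosk account logs on. The program path C:\Kiosk\KioskApp.exe, the account name kiosk, and the script location are hypothetical.

```powershell
# Added example, not part of the original article: a "watchdog" that relaunches the
# kiosk application whenever it stops, registered to start automatically when the
# kiosk user logs on. Assumptions (all hypothetical): the kiosk app is
# C:\Kiosk\KioskApp.exe, the auto-logon account is 'kiosk', and this file is saved
# as C:\Kiosk\Watch-Kiosk.ps1. Run it once with -Register from an elevated prompt.
param([switch]$Register)

$KioskExe  = 'C:\Kiosk\KioskApp.exe'     # hypothetical path to the kiosk program
$KioskUser = 'kiosk'                     # hypothetical auto-logon account
$ProcName  = [IO.Path]::GetFileNameWithoutExtension($KioskExe)

function Invoke-KioskWatchdog {
    param([int]$IntervalSeconds = 10)
    # Poll forever: if the kiosk process is gone (crash, closed by a user), start it again.
    while ($true) {
        if (-not (Get-Process -Name $ProcName -ErrorAction SilentlyContinue)) {
            Start-Process -FilePath $KioskExe
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

function Register-KioskWatchdog {
    # The task runs in the kiosk user's interactive session rather than as SYSTEM
    # at boot, because a GUI started from session 0 never appears on the kiosk screen.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn -User $KioskUser
    $principal = New-ScheduledTaskPrincipal -UserId $KioskUser -LogonType Interactive
    # No run-time limit (the loop never ends) and retry if Task Scheduler sees it fail.
    $settings  = New-ScheduledTaskSettingsSet -RestartCount 3 `
        -RestartInterval (New-TimeSpan -Minutes 1) -ExecutionTimeLimit ([TimeSpan]::Zero)
    Register-ScheduledTask -TaskName 'KioskWatchdog' -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force
}

if ($Register) { Register-KioskWatchdog } else { Invoke-KioskWatchdog }
```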
Point of Sale (POS) devices
The Payment Card Industry (PCI) Security Standards Council publishes security standards that POS devices must adhere to. If you have a merchant account for accepting credit or debit card payments, PCI Data Security Standard Requirement 9 is your standard for securely configuring your POS system. You must attest annually via your PCI Self-Assessment Questionnaire that your POS systems are secure. For more information, see the PCI DSS Guide.
While this seems like a lot to do, in reality, it is only a baseline for securing your systems. If you have volunteer IT support, do whatever you can to provide secure configuration training for them. It may cost to provide this. However, it is much less expensive than recovering from a data breach due to poor configuration security in the long run. The potential legal and reputational recovery effort alone for the church would be expensive and draining to your staff and congregation.