The Least Sexy Advice You’ll Get Today

    NAGW Navigator: Volume 1 • Issue 3 • Spring 2018

    by A.J. Van Beest

    What if I told you just two things can solve most of your cybersecurity problems? (Cue “The Matrix” soundtrack.)

    Cybersecurity is a deep and complex problem, but at its core, it’s about two things: Reducing the number of ways you can be attacked, and recovering after an attack. The rest is just riffing on those themes.

    WARNING: None of this is new info. None of it is flashy. It is, however, solid gold. Do these things, and you’ll sleep better at night.  

    Step one: Patch All The Things

    Patch every digital device that you’re responsible for, as much as you are able. Patch the firmware, the operating system, and the applications and services. Oftentimes, this is as easy as “Apply Windows updates” or “sudo apt-get upgrade -y”.

    Do this for your web server. Do it for your CMS. Do it for your workstation, your phone, your smartbulbs… You get the picture.

    Applying these patches fixes outstanding security vulnerabilities and improves performance, and it’s the single best security return on your investment of time and energy.

    One caveat here: Sometimes you can’t patch things, for whatever reason (say, because the vendor of a mission-critical application requires you to run Java 6.23; I’m looking at you, State of Wisconsin). That’s when you need a compensating control (a firewall, in-depth monitoring of a specific process, an application whitelist, etc.) in place. More about that another time.
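A small inventory check to go with the apt command above, added here as an example and not part of the newsletter: it parses the output of `apt list --upgradable` on a Debian or Ubuntu host to flag packages whose fix comes from a security pocket, reports whether the host still needs a reboot to finish an earlier update, and wraps the `apt-get update` / `apt-get upgrade -y` sequence in a function that is dry-run by default. The sample output is constructed; its package names and version strings are illustrative, not captured from a real host.

```python
import os
import re
import subprocess
from dataclasses import dataclass

# Shape of one `apt list --upgradable` line on Debian/Ubuntu:
#   name/origin1,origin2 candidate-version arch [upgradable from: current-version]
_APT_LINE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<origins>\S+)\s+(?P<candidate>\S+)\s+\S+\s+"
    r"\[upgradable from: (?P<current>[^\]]+)\]$"
)

@dataclass
class PendingUpdate:
    name: str
    current: str
    candidate: str
    security: bool  # True when one of the origins is a *-security pocket

def parse_upgradable(apt_output: str) -> list:
    """Turn `apt list --upgradable` output into PendingUpdate records.
    Lines that do not match the shape above (e.g. 'Listing... Done') are skipped."""
    updates = []
    for line in apt_output.splitlines():
        m = _APT_LINE.match(line.strip())
        if not m:
            continue
        origins = m.group("origins").split(",")
        updates.append(PendingUpdate(
            name=m.group("name"),
            current=m.group("current"),
            candidate=m.group("candidate"),
            security=any(o.endswith("-security") for o in origins),
        ))
    return updates

def security_backlog(apt_output: str) -> list:
    """Sorted names of packages with a pending security update."""
    return sorted(u.name for u in parse_upgradable(apt_output) if u.security)

def reboot_pending() -> bool:
    """Debian/Ubuntu create this file when an installed update (a kernel, libc)
    only takes effect after a reboot; a patched-but-not-rebooted host is still
    running the old code."""
    return os.path.exists("/var/run/reboot-required")

def patch_debian_host(dry_run: bool = True) -> list:
    """The command sequence behind 'sudo apt-get upgrade -y'. The index refresh
    comes first: upgrading against a stale package list silently misses the
    newest fixes. Returns the commands; executes them only when dry_run=False."""
    cmds = [
        ["sudo", "apt-get", "update"],
        ["sudo", "apt-get", "upgrade", "-y"],
    ]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds

# Constructed sample output; package names and versions are illustrative only.
SAMPLE_APT_OUTPUT = """\
Listing... Done
openssl/focal-updates,focal-security 1.1.1f-1ubuntu2.20 amd64 [upgradable from: 1.1.1f-1ubuntu2.19]
vim/focal-updates 2:8.1.2269-1ubuntu5.14 amd64 [upgradable from: 2:8.1.2269-1ubuntu5.11]
linux-image-generic/focal-security 5.4.0.150.148 amd64 [upgradable from: 5.4.0.148.146]
"""

if __name__ == "__main__":
    for u in parse_upgradable(SAMPLE_APT_OUTPUT):
        tag = "SECURITY" if u.security else "routine "
        print(f"{tag} {u.name}: {u.current} -> {u.candidate}")
    print("reboot pending:", reboot_pending())
    print("commands:", patch_debian_host(dry_run=True))
```

Two practical notes: apt prints a warning that its output is not a stable interface, so treat this as a quick report for a patch review rather than something to automate blindly, and the refresh step is the part people skip; `apt-get upgrade` on its own only knows about the versions it saw at the last `update`.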

    Step two: Backup All The Things

    When disaster strikes despite our best preventative efforts, we need to have an easy, reliable way to recover and resume operations. Enter backups.

    To that end, we need to have solid backups of all our mission-critical stuff. Is your website important to your organization? Back up that CMS and your data. And back up the whole server while you’re at it (a snapshot of a VM is ideal here). Do you need the contacts and other data on your phone to *be there* when you need it? Better back it up, too.

    With good backups (especially good *off-site* backups!), when the worst happens to your systems, it’s a matter of a couple hours to move your backups into place, restore your production environment, and get rolling again. Without solid backups, you may be down for days or weeks, depending on the complexity of your environment, your documentation, the availability of other critical team members, etc.
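The recovery time described above depends on the backup actually restoring, so here is an added example (mine, not the newsletter’s) of the check that turns a backup into something you can rely on: archive a directory, record its SHA-256 digest for the off-site copy, then do a test restore into scratch space and compare the restored tree with the original. The sample “site” directory it builds is constructed placeholder data standing in for a CMS install.

```python
import filecmp
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Digest of a file, streamed so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def create_backup(source: Path, dest_dir: Path):
    """Archive `source` as dest_dir/<name>.tar.gz. Returns (archive path, sha256);
    the digest is what you record and ship off-site next to the archive."""
    archive = dest_dir / f"{source.name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=source.name)
    return archive, sha256_file(archive)

def trees_identical(a: Path, b: Path) -> bool:
    """Recursive directory comparison: same entries, same file contents."""
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.diff_files or cmp.funny_files:
        return False
    return all(trees_identical(a / d, b / d) for d in cmp.common_dirs)

def verify_restore(archive: Path, expected_sha256: str, source: Path) -> bool:
    """Test restore: confirm the digest, unpack into scratch space and compare
    the restored tree with `source`. A backup that has never been restored
    is only a hope."""
    if sha256_file(archive) != expected_sha256:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses absolute paths and '..' entries.
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python without the filter argument (< 3.11.4)
                tar.extractall(scratch)
        return trees_identical(Path(scratch) / source.name, source)

def make_sample_site(root: Path) -> Path:
    """Constructed stand-in for a CMS install; the contents are placeholders."""
    site = root / "site"
    (site / "uploads").mkdir(parents=True)
    (site / "config.php").write_text("<?php $db_pass = 'placeholder';\n")
    (site / "uploads" / "logo.txt").write_text("logo placeholder\n")
    return site

def demo():
    """Back up the sample site and verify it, then show the two failure modes
    the verify step exists to catch. Returns (clean, drifted, corrupted)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = make_sample_site(root)
        backups = root / "backups"
        backups.mkdir()
        archive, digest = create_backup(site, backups)
        clean = verify_restore(archive, digest, site)
        # Live data changed after the backup: the restore no longer matches,
        # which is why backups run on a schedule rather than once.
        (site / "config.php").write_text("<?php $db_pass = 'rotated';\n")
        drifted = verify_restore(archive, digest, site)
        # Archive damaged in storage or transit: the digest check catches it
        # before anyone depends on it.
        with archive.open("r+b") as f:
            f.write(b"\x00\x00")
        corrupted = verify_restore(archive, digest, site)
    return clean, drifted, corrupted

if __name__ == "__main__":
    print("clean / drifted / corrupted:", demo())
```

For a real server the archive step is usually a VM snapshot or a database dump rather than `tar`, but the shape is the same: produce the copy, record its digest somewhere the copy cannot reach, and restore it somewhere harmless on a schedule so you find out it is broken before the night it matters.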

    Just two things

    That’s it: Just patch and back up. Do those, and you’re eighty percent of the way to cybersecurity nirvana. Okay, maybe not *nirvana*, but you’ll definitely have a better chance of avoiding those late-night “everything is on fire” phone calls.

    The Importance Of Running An HTTPS Website

    NAGW Navigator: Volume 1 • Issue 2 • Fall 2017

    Today, it is more important than ever for your websites to be accessible via HTTPS.


    HTTPS stands for Hypertext Transfer Protocol Secure and it is a method for encrypting your website data and demonstrating that your website is authentic. HTTPS uses the Secure Sockets Layer (SSL) to provide data encryption and a safe tunnel between the visitor’s browser and the website server.

    With so many hacks and data compromises making the news, you want your visitors to trust that they have made it to your official site and that interactions with your website are secure. In the days to come, non-HTTPS content will become harder to access because web browsers now prevent mixed content from displaying. For example, if you try to embed an HTTP website within an HTTPS website using an iframe, web browsers will block the content from displaying.

    To ensure you are using HTTPS instead of HTTP, you need to install a security certificate on your web server. You can purchase a security certificate at around $200/year or you can use a free service such as Let’s Encrypt.
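Two checks worth running once the certificate is installed, added here as an example and not part of the newsletter: the first scans a page for the mixed content the previous paragraph describes (sub-resources such as stylesheets, scripts and iframes that an HTTPS page would still load over plain http://), and the second reads the expiry date off a certificate in the format Python’s `ssl` module returns, which matters because Let’s Encrypt certificates are valid for 90 days and renewal has to be automated. The sample HTML and certificate field are constructed and the hostnames are placeholders; `fetch_peer_cert` is the live version of the second check and is not exercised offline. (Modern servers negotiate TLS, the successor to SSL, under the same HTTPS scheme.)

```python
import socket
import ssl
import time
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urljoin, urlparse

class MixedContentFinder(HTMLParser):
    """Collect sub-resources an HTTPS page would load over plain http://.
    Navigation links (<a href>) are not mixed content and are left alone."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            subresource = name in ("src", "data", "poster") or (tag == "link" and name == "href")
            if not subresource:
                continue
            # Resolve relative and protocol-relative ("//cdn...") URLs against
            # the page, so only a literal http:// scheme is reported.
            absolute = urljoin(self.page_url, value.strip())
            if urlparse(absolute).scheme == "http":
                self.findings.append((tag, absolute))

def find_mixed_content(html: str, page_url: str):
    """Return [(tag, url)] for every http:// sub-resource in the page."""
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with chain and hostname verification on and return the peer
    certificate as a dict (network call; not used by the offline sample)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days left on a certificate dict as returned by getpeercert().
    Alert well before this reaches zero; an expired certificate turns every
    visit into a browser warning page."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400

# Constructed sample page; hostnames are placeholders.
SAMPLE_PAGE_URL = "https://www.example.org/"
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//cdn.example.net/app.js"></script>
</head><body>
<img src="/img/seal.png">
<iframe src="http://legacy.example.org/calendar"></iframe>
<a href="http://partner.example.net/">partner site</a>
</body></html>
"""
# Constructed certificate field in getpeercert() format, and a fixed "now".
SAMPLE_CERT = {"notAfter": "Jun  1 12:00:00 2025 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("May  2 12:00:00 2025 GMT")

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"mixed content: <{tag}> loads {url}")
    print(f"sample certificate expires in {days_until_expiry(SAMPLE_CERT, SAMPLE_NOW):.0f} days")
```

On the sample page the scanner reports the stylesheet and the iframe (the iframe case is exactly the one the paragraph above says browsers block) and ignores the protocol-relative script, the relative image and the outbound link, which all resolve to HTTPS or are plain navigation.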

    This is such an important issue and we want you to become the champion of running an HTTPS website in your organization. Talk to your IT department, your website hosting vendors, and your cloud-hosted web application vendors and tell them you want to switch your website to HTTPS. You should also add this as a standard requirement for your request for proposals and software contracts.

    Together we can encrypt the web and make it a more secure experience for everyone!


    #NAGW2017 Security Spotlight

    NAGW Navigator: Volume 1 • Issue 1 • Summer 2017

    “Report: Ransom Demanded After Newark Computers Hacked”

    “‘We Hacked Aberdeen City Council Website in Response to Trump’s Muslim Travel Ban’”

    “FBI website hacked by CyberZeist and data leaked online”

    As cyber threats become not only more numerous but more sophisticated and creative, are you doing everything you can to make sure your city or agency isn’t next? Two of our #NAGW2017 conference speakers are offering informative sessions which may help you avoid the headlines by keeping your sites secure.

    AJ Van Beest will provide an intensive four-hour pre-conference session focusing on cyber security. You’ll learn how to probe your business and code logic and analyze your defenses. AJ will also show you examples of real-life attacks. All of this invaluable information will arm you with the knowledge and tools needed to make your own website harder, better, faster, stronger.

    AJ is a vulnerability assessment and management specialist and a member of one of Wisconsin’s State, Local, Tribal and Territorial (SLTT) Cyber Response Teams, which teach government agencies how to avoid, prevent and respond to cyber attacks or threats. Response teams also help communities recover quickly and effectively when they’ve been affected by a cyber incident.

    Tony Perez is Co-Founder and CEO of popular website security platform Sucuri. Tony’s #NAGW2017 session will take a close look at how political events may prompt attacks against government websites, as well as hacktivism movements which are becoming a mainstream force, compelling organizations and companies to face not only critical security challenges, but also political ramifications from disclosed information.

    Tony’s session will explore recent attacks on government agencies and will look closely not just at specific threats but also the psychology of the attackers.