[David Strom's Web Informant] Simple steps to secure your SMB network

David Strom david at strom.com
Fri Nov 11 15:09:59 EST 2016


Web Informant, November 11, 2016: Simple steps to secure your SMB network

If you run your own small business network, chances are your security could
be better. Consider these two news stories that I posted this week on my Inside
Security newsletter <http://inside.com/security>:

ITEM #1: A distributed denial-of-service attack knocked out the heating
system in a block of apartments in Finland
<https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/>
last month. The HVAC unit was controlled by a computer sitting on a public
IP address with no firewall in front of it. You can bet they have one now.

ITEM #2: An auto dealership CRM used by more than 100 dealers has leaked
their customers’ and employees’ data online
<https://mackeeper.com/blog/post/299-car-dealership-provider-leaky-crm>,
mainly because their backups were all unencrypted and accessible to
hackers.

Many small businesses don’t have basic security measures such as encrypted
backups (let alone any backups) or firewalls, and these news nuggets should
give them pause. I wanted to take things a step further and recently spent
some time hardening my network doing three simple tasks. All of them can be
accomplished in under an hour, if you have some basic knowledge and skills,
and if you are careful at following the various instructions and
interpreting the results. Nevertheless, it took me a lot longer: either
because of my own stupidity or sunspots or whatever.

The three tasks are to harden your WordPress installation, do a better job
of scanning your ports, and add a basic level of security to your email
domain. Let’s review what is involved.

*WordPress hardening*

There are two basic ways to run a WordPress blog: host it on your own
server, or use the free hosted service and have a site at
YourDomain.wordpress.com. I have used both and get into the pros and cons
in a previous post <http://blog.strom.com/wp/?p=1091>. Assuming you have
control over your own server, there are numerous sites that track
vulnerabilities in WordPress itself and in its plugins; we will mention
just a few here:

·       *Sucuri maintains this site* <https://wpvulndb.com/>, which
recently covered a denial-of-service flaw in v4.5.3 along with XSS and SQL
injection bugs. It is always a good idea to stay current with WordPress
versions.

·       If you want some motivation about making your WP site more secure,
you should read these suggestions
<https://premium.wpmudev.org/blog/wordpress-security-tips> from WPMUDEV.
Some are easy to implement, others will take some time.

·       *This site has a description of a few vulnerabilities* with
detailed information on how they are exploited (they also have a free WP
plug-in to protect your site). If you get into tracking vulnerabilities,
they also have a bug-bounty program.

·       And *Network World has an article* that goes into best practices
for operating your WP site. Many of the same points are covered on the
WordPress Codex hardening page
<https://codex.wordpress.org/Hardening_WordPress>, which also adds advice of
a more general security nature.

·       Finally, you should download the *Wordfence*
<https://www.wordfence.com/> plug-in and use it to protect your server.
They also have on their site details about general security topics,
including an article about how *WP-based botnets*
<https://www.wordfence.com/blog/2016/08/hacking-wordpress-botnet/> get
started. Their plug-in is free for basic services, and you can upgrade if
you want more. I had some trouble when I first installed the plug-in and
got to inadvertently test their support team, which was excellent. When I
re-installed it, it worked fine.
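
Much of the Codex advice about wp-config.php (disable the dashboard file
editor, use unique keys and salts, force TLS on wp-admin, keep the file
unreadable to other users on the box) can be checked mechanically. The
script below is an added example written for this post, not code from
WordPress, the Codex, or any of the plug-ins above. The two sample configs
inside it are constructed for illustration; the constant names it looks for
(DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_DEBUG and the eight key/salt
constants) are the real wp-config.php ones.

```python
"""Audit a wp-config.php against a few WordPress Codex hardening
recommendations. Added example, not code from the original post or from
WordPress; the sample configs below are constructed for illustration."""
import re
import secrets

PLACEHOLDER = "put your unique phrase here"      # what the installer ships
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# define('NAME', <quoted string | bareword>);  -- enough for wp-config.php
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*"""
    r"""('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^)]+?)\s*\)\s*;"""
)


def parse_defines(text):
    """Map each define()'d constant to its value with outer quotes removed."""
    out = {}
    for name, raw in DEFINE_RE.findall(text):
        out[name] = raw[1:-1] if raw[0] in "'\"" else raw.strip()
    return out


def audit_wp_config(text, mode=None):
    """Return a list of findings for the config text. `mode` is the file's
    permission bits (os.stat(path).st_mode), or None to skip that check."""
    d = parse_defines(text)
    findings = []

    # Theme/plugin editor: anyone who gets an admin session can write PHP.
    if d.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: in-dashboard file editor is enabled")

    # Debug output shows file paths and queries to every visitor.
    if d.get("WP_DEBUG", "false").lower() == "true":
        findings.append("WP_DEBUG is true: error details will be displayed publicly")

    # Keys and salts must be unique; the installer placeholder or a short
    # value makes login cookies forgeable.
    for key in SALT_KEYS:
        val = d.get(key)
        if val is None:
            findings.append(f"{key} is not defined")
        elif PLACEHOLDER in val.lower() or len(val) < 32:
            findings.append(f"{key} is the installer placeholder or too short")

    # Dashboard logins over plain HTTP expose the auth cookie.
    if d.get("FORCE_SSL_ADMIN", "").lower() != "true":
        findings.append("FORCE_SSL_ADMIN is not true: wp-admin is reachable over HTTP")

    # wp-config.php holds the database password; 'other' must not read it.
    if mode is not None and mode & 0o007:
        findings.append("wp-config.php is world-accessible (mode %o)" % (mode & 0o777))
    return findings


def generate_salt_defines():
    """Fresh 64-character keys/salts, one define() line per constant."""
    return "\n".join(
        f"define('{key}', '{secrets.token_urlsafe(48)}');" for key in SALT_KEYS
    )


# Constructed sample: a default install that was never hardened.
SAMPLE_UNHARDENED = "<?php\n" + "\n".join(
    [f"define('{key}', '{PLACEHOLDER}');" for key in SALT_KEYS]
    + ["define('WP_DEBUG', true);", "$table_prefix = 'wp_';"]
) + "\n"

# Constructed sample after applying the Codex recommendations.
SAMPLE_HARDENED = "<?php\n" + "\n".join([
    "define('DISALLOW_FILE_EDIT', true);",
    "define('FORCE_SSL_ADMIN', true);",
    "define('WP_DEBUG', false);",
    generate_salt_defines(),
]) + "\n"

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_UNHARDENED, 0o644):
        print("FAIL", finding)
    print("hardened sample:", audit_wp_config(SAMPLE_HARDENED, 0o640) or "no findings")
```

To audit a live site, read the file and pass os.stat(path).st_mode as
`mode`. A clean result is a floor, not a ceiling: it says nothing about
out-of-date plug-ins, which is what the vulnerability databases above are
for.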


*Scan your ports*

For many years I have been a big fan of Steve Gibson’s Shields Up
<https://www.grc.com/x/ne.dll?rh1dkyd2> port scanner. It is well worth
using because it is simple, free, and takes just a moment to look at your
network router from the Internet side and report which ports are open. The
big limitation is that it only scans the first thousand or so ports: that
was fine years ago when the Internet was just a gleam in Al Gore’s eye, but
now life has gotten more complex. I would also suggest using the BullGuard
scanner <http://iotscanner.bullguard.com/>, which covers more ports. When I
did this on my Uverse-connected network, it found port 7547 open. I hadn’t
seen this port before and found this mention on PC World
<http://www.pcworld.com/article/2861232/vulnerability-in-embedded-web-server-exposes-millions-of-routers-to-hacking.html>,
which has to do with the embedded web server that is used to manage my
Uverse DSL modem. There isn’t much you can do about it, unless you want to
switch to a cable ISP connection.
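
Both online scanners look at your router from the outside, which is the
view that matters. When you want the whole 1-65535 range rather than
whatever a web service covers, the plain TCP connect scanner below does the
job. It is an added example, not from the original post or from GRC or
BullGuard; the port table in it is a hand-picked list, and 7547 is there
because it is the TR-069 (CWMP) port that ISPs use for remote management of
customer gateways, which is why the ISP rather than you decides whether it
is open. Run it from a host outside your network against your public IP
address: scanning the router from the LAN side may show a different set of
ports than the Internet sees.

```python
"""TCP connect scan of a host, with a table of ports worth recognising on a
gateway. Added example, not from the original post; the port table is a
hand-picked subset, not a complete service list."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed lookup table. 7547 is the TR-069/CWMP remote-management port
# the post found open on a U-verse DSL gateway.
NOTABLE_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 53: "dns", 80: "http", 139: "netbios",
    443: "https", 445: "smb", 1900: "ssdp/upnp", 3389: "rdp",
    7547: "tr-069/cwmp", 8080: "http-alt", 8443: "https-alt",
}


def probe(host, port, timeout=0.5):
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out, unreachable
            return False


def scan(host, ports, workers=64):
    """Probe every port in `ports` concurrently; return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, probe(host, p)), ports)
        return sorted(p for p, is_open in results if is_open)


def describe(open_ports):
    """Label open ports; anything not in the table is flagged for follow-up."""
    return {p: NOTABLE_PORTS.get(p, "unknown - look it up") for p in open_ports}


def start_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port so the scanner can be
    exercised offline; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # Full range, rather than the first-thousand-ports default of Shields Up.
    found = scan(target, range(1, 65536))
    for port, label in describe(found).items():
        print(f"{target}:{port}\t{label}")
```

nmap -p- against the same address does this faster and adds service
fingerprinting; the value of the code is showing what a connect scan
actually does, and having something you can aim at a test listener before
you aim it at your gateway.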

*Secure your email server*

I have written extensively on using email encryption for your day-to-day
emails, but there is another way to approach better email security: have
your mail server add a digital signature to the headers of each outgoing
message, using a protocol called DKIM, which stands for DomainKeys
Identified Mail. Most email hosting providers now support it; Google’s help
page starts here <https://support.google.com/a/answer/174124> for their
hosting services. DKIM uses the same kind of public/private key pair that
PGP and others use, but for signing rather than encryption: your provider
signs with the private key, and receiving mail servers fetch the public key
from a DNS record under your domain to verify that the message really came
from your domain and was not altered in transit. You have your choice of
key lengths (choose the longer and more secure 2048-bit keys if your
provider supports them).

Google’s help pages are very explicit about the steps you need to take. You
basically need to do three things: first, obtain a key from your email
hosting provider. Then add a TXT record for it with whoever hosts your
domain’s DNS (which in my case is my ISP). Then take a few days to let it
propagate and check that you did this correctly, by sending a message to
this verification service <http://dkimvalidator.com/>.
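
The DNS half of the job is where mistakes usually happen: the record name
has to be selector._domainkey.yourdomain, and a 2048-bit public key is too
long for a single 255-byte TXT string, so it has to be split into several
quoted strings that resolvers join back together. The code below builds such
a record and checks a published one for the things a validator would flag
(missing or empty p=, wrong key type, key shorter than 2048 bits). It is an
added example, not from the original post or from Google’s help pages; the
"public keys" in it are constructed numbers of the right size rather than
real RSA keys, and the selector name google is the one Google’s instructions
use.

```python
"""Build and check a DKIM DNS TXT record offline. Added example, not from the
original post or from Google's documentation. The moduli below are
constructed 2048- and 1024-bit numbers, not real RSA keys; a real public key
comes from your mail provider."""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1


# --- minimal DER encode/decode, enough for SubjectPublicKeyInfo(RSA) -------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:                       # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def rsa_spki(n, e=65537):
    """DER SubjectPublicKeyInfo for an RSA public key (what DKIM's p= carries)."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Walk SPKI -> AlgorithmIdentifier + BIT STRING -> RSAPublicKey -> n."""
    tag, body, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, algorithm, pos = _read_tlv(body)
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _read_tlv(body, pos)
    _, rsa_public_key, _ = _read_tlv(bit_string[1:])   # skip unused-bits byte
    _, modulus, _ = _read_tlv(rsa_public_key)
    return int.from_bytes(modulus, "big").bit_length()


# --- DKIM record handling --------------------------------------------------
def dkim_txt(spki):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def txt_chunks(txt):
    """A single TXT string is capped at 255 bytes; split accordingly."""
    return [txt[i:i + 255] for i in range(0, len(txt), 255)]


def zone_record(selector, domain, txt):
    """Zone-file line; resolvers concatenate the quoted strings."""
    quoted = " ".join(f'"{c}"' for c in txt_chunks(txt))
    return f"{selector}._domainkey.{domain}. IN TXT {quoted}"


def parse_dkim(txt):
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # whitespace in p= is ignored
    return tags


def check_dkim(txt, min_bits=2048):
    """Problems with a published record; [] means it looks right."""
    tags, problems = parse_dkim(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected key type {tags['k']!r}")
    if not tags.get("p"):                 # RFC 6376: empty p= means revoked
        problems.append("p= is empty: key revoked or record incomplete")
        return problems
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    except Exception:
        problems.append("p= does not decode to an RSA SubjectPublicKeyInfo")
        return problems
    if bits < min_bits:
        problems.append(f"key is {bits} bits; want >= {min_bits}")
    return problems


# Constructed moduli (odd numbers of the right size), NOT real RSA keys.
SAMPLE_N_2048 = (1 << 2047) | 1
SAMPLE_N_1024 = (1 << 1023) | 1

if __name__ == "__main__":
    txt = dkim_txt(rsa_spki(SAMPLE_N_2048))
    print(zone_record("google", "example.com", txt))
    print("2048-bit:", check_dkim(txt) or "ok")
    print("1024-bit:", check_dkim(dkim_txt(rsa_spki(SAMPLE_N_1024))))
```

To check the live record once it has propagated, dig +short TXT
google._domainkey.yourdomain.com prints the quoted strings; join them and
hand the result to check_dkim(). An empty p= is not a typo to shrug off: RFC
6376 defines it as a revoked key, so receivers will treat your signatures as
invalid.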

Good luck with securing your domain and servers. Feel free to share other
simple tips here as well.

This piece has a lot of hyperlinks, you might want to read and comment on
it here:

 http://blog.strom.com/wp/?p=5659