Happy 2020! Now, about Windows 7…

Happy New Year to all. We hope everyone is back to work rested and ready for the challenges this year will bring. First and foremost, let’s talk Windows 7. This Operating System from Microsoft goes into End of Life on January 14, 2020. This means that it will no longer receive essential updates, including security updates.

In the Enterprise world, Microsoft have been shouting from the hilltops about this deadline for over two years, strongly suggesting that you plan an upgrade or replacement to Windows 10 (please, skip Windows 8!).

Enterprise users that have Microsoft Enterprise Agreements (Volume Licensing) have the ability to enroll Windows 7 devices into the Extended Security Updates (ESU) programme. This is a per-device, per-year cost, available only for the next three years, and the cost increases drastically each year (it looks to be $25, $50 and $100 for years one, two and three).

For businesses without Enterprise Agreements, or for consumers, the options are:

  1. Upgrade to Windows 10
  2. Get a new device with Windows 10 included
  3. Take no action and stay on Windows 7

Taking these in order: many people are reporting that the free upgrade path to Windows 10, offered three years ago, still works. Windows 7 and 8 users will have been nagged over and over to upgrade. Head to the Control Panel and follow the instructions to upgrade. Alternatively, there are some semi-technical steps to download and run the Windows 10 Upgrade Tool (https://www.microsoft.com/software-download/windows10). As with any upgrade, ensure your files are backed up first, just in case.

Getting a new device is the easiest, but most expensive and time-consuming, option. You will gain benefits such as a performance improvement from the new hardware, but you will need to transfer your files and re-install any software and settings.

The final option is not really an option at all, but there will still be plenty of people to whom it applies. With any Operating System version that goes End of Life, some nasty exploits or hacks usually appear in the wild the day after, once the manufacturer is under no obligation to patch or fix the issue.

For everyone, ensure you have moved away from Windows 7 as soon as possible.

IT over the holidays

As Christmas fast approaches, it is easy to focus on doing your day-to-day job, counting down the days until the holiday starts, and not consider what happens to the IT over the holidays.

If you work within a smaller organisation, maybe you are already resigned to the fact that you will be on call over the festive period or will have to remote in to resolve whatever issues come up as part of your checks. If you work in a larger organisation, maybe it’s someone else’s responsibility and you’ll just clock out on your last day, leaving work at the office in the hands of the skeleton staff.

In either scenario (or anywhere in between) it is worth spending some time a few weeks before the holiday preparing the environment to be unattended, or otherwise not managed by your star team members, for a period of time. Before I had a child I normally worked over the major holidays, saving my holiday allocation for other times of the year. Most people expect to have the major holidays off, though.

Whilst the below is not exhaustive, consider the following.

Some things to consider on the technical side:

  • Ensure your backups are scheduled and error free (you check them regularly anyway, right?), and that you have sufficient capacity (space for cloud or disk storage, or spare tapes) to cover the period.
  • Have key metrics or events logged and configured to send notifications or run remediation scripts (you are automating, right?).
  • Disable administrative accounts that are not needed while people are out of the office. Obviously, don’t lock yourself out of the network, but neither do you need to leave admin accounts used by contractors who won’t be working active.
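One way to act on the last bullet, as an added example that is not part of the original post: a PowerShell script that lists enabled members of privileged Active Directory groups with no recent logon, records them to a CSV so they can be re-enabled after the break, and skips the account you are running it from so you do not lock yourself out. The group names, the 30-day threshold and the report path are assumptions; it needs the RSAT ActiveDirectory module.

```powershell
# Added example, not the original post's own script. Assumes the ActiveDirectory
# module is installed and you are running it with rights to read and modify accounts.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumed list
$StaleDays        = 30                                                          # assumed threshold
$ReportPath       = "$env:TEMP\holiday-admin-freeze.csv"                        # assumed path
$Me               = $env:USERNAME

# Collect enabled privileged users who have not logged on within the threshold.
$Candidates = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, Enabled, Description |
        Where-Object {
            $_.Enabled -and
            $_.SamAccountName -ne $Me -and            # never disable the account you are using
            ($null -eq $_.LastLogonDate -or
             $_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
        } |
        Select-Object SamAccountName, LastLogonDate, Description, @{n = 'Group'; e = { $Group }}
}

# An account can sit in more than one group; keep one row per account.
$Candidates = @($Candidates | Sort-Object SamAccountName -Unique)

if ($Candidates.Count -eq 0) {
    Write-Host 'No stale privileged accounts found.'
    return
}

# Review the list and keep a record so the change can be reversed after the holidays.
$Candidates | Format-Table -AutoSize
$Candidates | Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($User in $Candidates) {
    # -WhatIf shows what would happen without changing anything; remove it to apply.
    Disable-ADAccount -Identity $User.SamAccountName -WhatIf
}

# To re-enable after the break (run manually once everyone is back):
# Import-Csv $ReportPath | ForEach-Object { Enable-ADAccount -Identity $_.SamAccountName }
```

Run it once with -WhatIf in place and check the CSV against who actually will be working before applying, so that an on-call engineer’s account is not in the list.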

Some things to consider on the management side:

  • Apply a change freeze, starting at least a week before you break and ending at least a week after you come back, during which changes to the infrastructure are postponed until after the holidays to reduce the chance that a change causes unexpected behaviour or failures. Obviously there are exceptions, but these should be carefully considered and of a critical nature. Make sure you get agreement from management to enact this and get it properly communicated to the business so they know why there may be a delay.
  • Some people view the holidays as the ideal time to apply major changes to systems that otherwise always need to be available. Ensure this is covered under change control (see the previous bullet), is fully planned, everything you need is available, relevant support agreements are in place and you are able to roll back the work if needed (backups or replacement hardware).
  • If you offer IT support over the holidays, is this agreed (with you as well as your boss) and has it been communicated to the business to ensure expectations have been set? If you are in a team, establish a rota so the burden isn’t on a single person.
  • Are your Disaster Recovery (DR) and Business Continuity Process (BCP) up to date and distributed across the business, with emergency contact details available to all involved?
  • Should the worst happen and you need to head into the office, do you have access? Keys, codes, authorisation (are you on the list if you need to get past the security guard) and security passes.

Hopefully this gives you some ideas about the things that often trip up IT departments over the holidays, leaving the business exposed or causing major disruption, if only to your well-deserved time away.

We hope you enjoy a happy Christmas and New Year.

Cybersecurity!

There are commonly two trains of thought on cybersecurity in an organisation. From the IT side, the view is often ‘security is everyone’s responsibility’, whilst from the individual’s perspective it is ‘IT should protect me from the security stuff so I can just get on and do my job!’.

Whilst both views are entirely valid, they are usually both present in an organisation, and there is often a wide gap between these camps where breaches end up occurring. We have seen it all too often: IT throws a mandatory 30-minute online cybersecurity training session at everyone and places a few posters around the building. They then come down hard on individuals when they click on a malicious link or otherwise do something that would make the IT Security folks scream in frustration.

The truth is that, to get the action they need, malicious actors most often target the most susceptible part of any IT system: the individuals who are trying to get their job done.

Maybe it is a person in Finance juggling multiple pressures, who receives dozens of invoices as PDFs each day from all sorts of unknown sources and is expected to open each of these and load them into the organisation’s finance system. It only takes a moment to open a single malicious file, but when your job is to open files all day for processing, is it only the individual’s fault if they open this file?

Maybe it is the receptionist, the first point of contact in an organisation, who is trying to present a friendly image and lets a caller know information that could help a malicious actor infiltrate the IT network.

We think that training needs to go hand-in-hand with tested processes for handling situations and for what information should be disclosed and how, alongside IT systems that stop malicious activities, either at the gateway (mail filters and URL sandboxing, for example from Mimecast or Proofpoint) or on the end-user device (antivirus, firewalls, web scanning, policies and restrictions).

Technology certainly plays a part, but historically it is very binary, allowing or blocking things (yes or no). Technologies such as machine learning are being integrated into all sorts of solutions to help with the grey areas between yes and no, automating the informed decision as to which category something falls into, but inevitably some things will fall through the IT security systems and be presented to the individuals.

Maybe training should be tailored to provide tips and techniques to improve general security hygiene that apply to individuals’ personal IT habits, rather than just at work. Maybe IT should be clear about what protection is in use, but explain that threat actors are constantly changing their habits and that we need everyone’s help to protect the data, processes and systems. A carrot-before-the-stick approach: you don’t want someone who has clicked on a malicious link by mistake to then not report it to IT for fear of repercussions. Maybe processes should allow for appropriate checks and balances to catch malicious activities, and be regularly reviewed and tested. Maybe, maybe, maybe…

In short, this is an area where there is no single best way to deliver perfect security. It needs to be tailored to the organisation based on the IT teams and systems in place, the organisation’s culture and its risk management. We suggest you cannot rely solely on IT systems or on training alone.