Make Your Network Hack-Proof

When a business seems to be in any way profitable or powerful, there are always people who want to know what the business Has done, what it Is doing, what it's Planning to do... and most of all, what it and also its employees, have the Power to do. I call this, hunting HIPP - the search for a business's Has done, Is doing, Plans to do, and has Power to do data. Now, some of the people wanting all this are not in any way out of line - maybe senior management within or owners of the business, and they have rights to know, in many cases, all this. However, there are some other people who want to know all this, so they can wrongfully use it to profit off a business and/or the business's employees... These people are called cybercriminals, and are not only very resourceful, with surprising creativity, but they are patient and relentless, always looking for vulnerable routers, open Wi-Fi, access to filespace with data at rest, unencrypted communications... really anything they might can use to get HIPP and hurt the business.

HIPP hunters use the Internet to scan for ways to watch activity from and to a business's router(s), but the Internet is not the only way they can get what they're after. HIPP hunting cybercriminals look for ways to study a business by compromising and infecting devices that might have a chance for connecting to business's Local and/or Wide Area Networks - such as files that might be transported to an employee's device on a business network... as an example, using a hacked receipt scanning app on a smartphone that creates a file that is copied up to a business computer to be used to file an expense report. What was thought to be a harmless receipt, now only needs to be accessed by the computer on the business's network to be part of a vector for a Command and Control attack, also refereed to as "C2" or "C&C." Once this receipt file is opened by a computer with Internet access, C2 communications have a pretty good chance to be established, with the infected machine sending a harmless-looking "signal" to the cybercriminal's server, looking for its next to-do. This very small piece of innocent-looking code on this now infected computer, will continue to carry out scheduled commands from the cybercriminal's C2 server and sometimes will succeed in installing additional software to that infected computer.

One of these C2 installations may take several days or weeks or longer, because most these calls to a C2 server are scheduled to look random or to be associated with expected system processes. But, after the C2 process has the infected computer hosting all it's tiny pieces, the "most times" remote, but not always... cybercriminal's C2 server instructs the infected computer to put all the code pieces together and continue to poll the C2 server for next steps. And, to make this more serious, there could now be more than one infected computer... yes, possibly other computers have been compromised - the infected computer many times secretly finds other local computers open enough for having C2 actions performed and echos to them what the C2 server has sent to it.

Now, the cybercriminal has complete control of the infected computer(s) and can execute not only the malicious code it's put together, but many times... any code on the infected computer(s). These code executions can almost instantly create a simple botnet, which is a collection of infected machines on your business network - many times, this is how cryptolocker or ransomware takeovers occur. The cybercriminal's C2 server is now programmed and active and many times hosted locally in multiple places on the business network, advertising instructions for paying the cybercriminal, so the business can regain access to their own data and computers.

And, please note, a hacked receipt scanning app on a smartphone that creates an infected PDF for an employee that uses an open USB port to transfer the file to a computer, compromising a business's network... is just one way cybercriminals can take over a business. We've not even started talking about most of the more common ways cybercriminals get inside a business, like this dirty-dozen that cybercriminals use every minute of every day.

1. No or weak passwords for access to a business's network/computers
2. Lack of physical and/or wireless network data encryption
3. Nameserver or proxy server hijacking
4. User clicking a link or opening an attachment in a phishing email
5. Open internal networks
6. Outdated network equipment firmware
7. Infected backup data streams
8. Accessing through weak web browser plugins
9. Managed router dial-in modem console access
10. Teaming up with disgruntled or on-the-way-out employees
11. Weak code on public web servers that might have private access to a business's internal network
12. And probably the most unfortunate of them all... Allowing a smooth-talking "remote support" cybercriminal to access a business Windows PC to fix a common Windows glitch

And, maybe you think it doesn't get any worse than a HIPP hunting cybercriminal using C2 to successfully Ransomeware all a business's computers? Yes, cybercriminals can hurt businesses far more than this. Sure, a C2 compromise can make businesses pay a hefty Ransomware fee, take up bandwidth by putting in place crazy advertisement campaigns for all computers on a business's network, or even have a business's computers send mass email campaigns causing the business to be listed on email blacklists... But, not securing a business's internal and/or public/DMZ networks can also allow cybercriminals to use the business's network for highly illegal activities, and when law enforcement discovers the illegal activity originated from the business's network, many times, the business is held accountable. When something like this happens to a business, the negative publicity and legel fees can destroy the business.

Don't let this happen to your place of business - follow all these steps to Make Your Network Hack-Proof.

1. This work is not for everyone
   
   The steps you'll be reading in this article should allow you to Make Your Network Hack-Proof or at least come very, very close. However, doing this work does not come easy for at least 99.99972% of people... that means we've got less than 100,000 people in the USA that could do this work day in and day out and not get really sick of it or even worse, miss steps. Why is this work not for so many people?
   
   
   • Have you ever built a plastic model car? All these steps are very much like building a plastic model car. If you hurry through putting together the pieces, if you use not enough or too much plastic cement, if you press the freshly glued pieces together too firmly or not firmly enough, if you use corrosive paint or cleaner on the plastic, if you lose or break any of the pieces, if you do not adhere the stickers juuuust right, or if you do not follow the instructions of where to put what and when... your model car will not look like the pretty picture on its box.
   • Strict adherence to scheduled actions is a must and can't ever get sloppy or loose on exactly what's to be done, when. Each action normally has a dependence on actions to be taken in front of it, and if those "in-front-of-this-action" actions are not done as scheduled, the current action might make your network less secure. So, stick to the schedule and confirm each action succeeds as planned, before moving to the next scheduled action.
   • Very cool demeanor is a must, because when something does go sideways, such as a mis-ordered permit or deny in a firewall, or a breach, or equipment fails, or a router firmware update breaks everything, the person managing this work has to remain calm and be able to correct and/or back out what is needed to get everything back up and working. If the person doing this work shows any signs of being upset or frightened or even in a hurry, people who witness this, hear this, read text that tells them this... start to come unravelled, and that spreads quickly.
   • Required to work long hours with no break is rare, because when all these steps are followed, normally this work produces a very peaceful environment. But, there are times, when the person doing this work will be required to work at least 16 to 30 hours, with no breaks, having to be at attention and responsive, at all times.
   • S/he must be able to write and communicate policies to end users. Who's working to make a business network hack-proof will need to create and put in place training for all end users, so they'll easily recognize cybercriminals pretending to be internal IT support. S/he will also need to put in place a well thought out employee exit process, so once it's known an employee is leaving a business, access can be removed.
   • Wide breadth of knowledge makes this work a lot easier. And I mean, not just a good multi-protocol data network administrator, but s/he would really need good experience with: cross platform computers and operating systems, web and command line interfacing with switches and routers and firewalls, network and telecom cabling, running and standby power and transfer switches, software administration, able to work comfortably with people, flawless in-person/messaging/email/telephone communications skills, database administration skills, at least general trust principal preparations for SOC 1 and 2 compliance, and of course would need to know all realms of security and in general how equipment/code can be hacked/compromised.
2. No BYOD
   
   Only business-owned devices should connect to a business's network. Businesses are tightening and many are removing BYOD policies. BYOD was a celebration for the blooming of personal device connectivity, making life at work a little easier and bridging the gap for data portability. But, cybercriminals quickly started piggybacking this connectivity, using the springing up of loosely secured Wi-Fi, personal email connectivity, and USB and Bluetooth for external file system mounting to get access to business networks. And that's when IT leaders started being able to justify rolling back the newly created BYOD policies and stopping personal devices from being able to connect to business networks, mainly because of these reasons and more.
   
   
   • Many employees want the workplace to say No BYOD. Many people would like their employer to not allow connectivity for any BYOD devices, so when at work, they can focus on work, and not get distracted by some odd occurence a friend had looking through old photo albums, or a trending social media post, or one of their friends or family members calling to ask if they know where something is... Many employees want to go to work and do their work while they are there, being able to focus and apply themselves.
   • BYOD adds distractions to the workplace. Against the BYOD devices owners' wishes, most all the BYOD devices would have to be either controlled by the business to prevent vibrating and/or sounds or the business would have to require the device owners to change settings at the beginning and end of each work day.
   • You did what!?! You can't predict what employees might do using a BYOD device while on the business network. Employee behavior is too unpredictable on their own devices - think about this for a minute or so, and you'll understand. Not only do they get distracted, but they can have quick mood changes that lessen productivity and/or cause mistakes, and they may also view content on their BYOD device that is not suitable for the workplace, possibly negatively affecting other employees and/or customers.
   • Data ownership gets complicated with BYOD. When you have business data the employee has to have to do his/her job, but the data is stored on their BYOD device, they may be able to do their job, but the business's data is not being stored on business equipment. And when you require all business data to not ever be stored on BYOD devices, the employees complain and claim you are hurting their productivity. And, if you do not require this and their BYOD device gets lost or they leave the company... you not only no longer have your data, but someone else might.
   • Businesses are not able to easily manage security on the BYOD user devices. There'd have to be an approval process in place and managed for which applications could be used on BYOD devices and they'd have to stay patched and updated. AV/AM solutions would have to be installed and always updated. Operating system updates would have to be kept up to date. Then there's making changes to firewalls and adding/enforcing data encryption for all BYOD traffic. There is no way more than 1 out of every 10 employees would be able to handle doing even a part of this work to keep their BYOD devices secure. And, the business has no rights to control/manage BYOD device data, and if an employee loses data on a BYOD device, because of something that happened on the business network, the business could be held responsible...
   • Adding management of BYOD devices to your IT team is expensive. Employees do not welcome paying money for the remote management, backup, AV/AM, DNS security and any other software licenses required to secure BYOD devices as all other business devices are secured, and so the needed licenses have to be covered by the business. Mobile device management is not always a required skill for network administrators. They may know how to set up mobile devices, but knowing how to secure them, back them up, remotely access them, control their DNS, normally have to be researched and learned for IOS, Android, and Windows mobile devices.
     
   
   Prevent external data storage from being mounted. For Windows computers, use a group policy to set registry to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mountmgr] "NoAutoMount"=dword:00000001. You can also use DiskPart (automount disable) and MountVol /N if you can't easily set a group policy. On Apple Mac OS X, you can write a shell script that updates /etc/fstab adding noauto lines to prevent drives from automounting, but it's easier to use Disk Arbitrator.
3. Set and stick to a schedule for changing your passwords
   
   As long as you always make sure you have a back out procedure clearly defined and tested for when you happen to somehow mistype or forget your new passwords... changing passwords is one of the easiest things you can do to help keep cybercriminals out of your business. But, so you have a strong password changing regime, be extremely diligent in following a set password changing schedule that includes all these.
   
   
   • Define a custom password changing schedule, at the start of each year. It's best to not stick to the same day (example: always Thursdays) or date (example: always 1st day of each month) or time (example: always 18:00 CST) in your scheduling, because cybercriminals have ways of taking advantage of you if they know when you are changing your passwords. So, be creative when creating your password change schedule. Maybe reference the number value of the first letter of the all the months' names and take the last number on the right of the number value and use that for the date of the month and the PM hour of the day to change the passwords, with the ones that have 0 being the last day of those months at noon. January June July 0 (last day of month at 12:00 PM for these months), April August 1 (1st day of month at 1:00 PM for these months), March May 3 (3rd day of month at 3:00 PM for these months), November December 4 (4th day of month at 4:00 PM for this month), February 6 (6th day of month at 6:00 PM for this month), October 5 (5th day of month at 5:00 PM for this month), September 9 (9th day of month at 9:00 PM for this month).
   • Adhere to your defined password update schedule for firewalls, routers, switches, DHCP servers, DNS servers, Wi-Fi access points, syslog servers, domain controllers, remote access administration, proxy servers, terminal servers, and anything else that could be used to access any digital resource within your place of work.
   • Journal each of these password changing events. Yes, dedicate a notebook - yes, a paper notebook - and record date, day, time, device type, device name, device location, old password, new password, name of who updated the password for this device, and reference place where password change back out procedure for this device can be found. Make sure to write clearly and keep at least one new line between each device entry. And be very careful to not share this journal and store it in locked storage in a location where only you and your senior management know and can access.
   • When changing passwords always use a secure connection - https:// if with your web browser, ssh v2+ if connecting to a console or a command line.
   • Never use no password or default root, admin, administrator passwords for any device on your network, including modems - even for carrier managed routers - always open a ticket to have your carrier check their modems and make sure they confirm they are secured.
   • Always use a not so common password strength model, never telling anyone the model used to construct the password or any of the passwords used in examples of the model.
     
     Here's an example model for changing a password for a Wi-Fi Access Points mesh network that has connectivity to at least one of a business's production networks, but always create your own model.
     
     
     • lowercase last 2 letters of the make vehicle you drive +
     • lowercase first letter of the current month +
     • uppercase second letter of the current month +
     • your personal numeric birth YYYY backwards +
     • keyboard special characters above the last 4 numbers of a random number you generate for each monthly password change
       
     
     Example: The Wi-Fi network administrator drove a HONDA, current month is June, was born in 1972, and the month's random number is 106789.
     
     The 12 character password would be: dajU2791^&*(
   
   To communicate passwords to end users, such as for end users that absolutely have to have production Wi-Fi access to do their jobs, if you do not already know phonetics, learn and use phonetics. Unless you are writing passwords in your protected-by-lock-and-key journals, try to reduce writing down, texting, emailing, web communicating passwords. Yes, you'll be providing some passwords verbally, and being very comfortable with phonetics will help you and your users. As an example the dajU2791^&*( Wi-Fi password would be provided to those few users who justified need for Wi-Fi connectivity to your production network(s) over a telephone call with: lower delta lower alpha lower juliett upper uniform two seven niner one caret ampersand asterisk left parenthesis. If you're the one who'll be making your business's network hack-proof and while reading this, you're thinking to yourself, there's no way I will be doing this... I suggest you either re-consider the seriousness of this, quickly find something else to do with your time, or get in touch with a Managed Security Services Provider (MSSP) to do this work for you. As I included in the first step, this kind of work requires a very dedicated, no-nonsense type individual and if you are not that, and you attempt doing this yourself you'll be doing far, far more work than necessary or even worse, letting your business down. More and more business IT leaders are outsourcing this type work to MSSP's and they are nearly always surprised when they not only get no resistance from their senior management or business owners, many times properly outsourcing this work strengthens their job security and sometimes ends up increasing their salary.
   
   

   Phonetics
   For Say For Say A Alpha (AL fah) N November (no VEM ber) B Bravo (BRAH VOH) O Oscar (OSS cah) C Charlie (CHAR lee) P Papa (pah PAH) D Delta (DELL tah) Q Quebec (keh BECK) E Echo (ECK oh) R Romeo (ROW me oh) F Foxtrot (FOKS trot) S Sierra (see AIR rah) G Golf (GOLF) T Tango (TANG go) H Hotel (hoh TELL) U Uniform (YOU nee form) I India (IN dee ah) V Victor (VIK tah) J Juliett (JEW lee ETT) W Whiskey (WISS key) K Kilo (KEY loh) X X Ray (ECKS RAY) L Lima (LEE mah) Y Yankee (YANG key) M Mike (MIKE) Z Zulu (ZOO loo)	For Say For Say Space ; Semicolon ! Exclamation Point < Less than sign " Double quote = Equal sign # Number sign, hash, pound > Greater than sign $ Dollar sign ? Question mark % Percent @ At sign & Ampersand [ Left bracket ' Single quote \ Backslash ( Left parenthesis ] Right bracket ) Right parenthesis ^ Caret * Asterisk _ Underscore + Plus sign ` Grave accent, backtick , Comma { Left brace, left curly bracket - Minus sign | Vertical bar, pipe sign . Full stop, STOP (period) DAY-SEE-MAL (decimal) } Right brace, right curly bracket / Slash, forward slash ~ Tilde : Colon	For Say 0 ZEE-RO 1 WUN 2 TOO 3 TREE 4 FOW-ER 5 FIFE 6 SIX 7 SEV-EN 8 AIT 9 NIN-ER

4. Update your firmware regularly
   
   Of course it's nice to have a test unit for all devices you have when loading something as critical as new firmware, so you can test the loading of new firmware, but most network administrators do not have devices to use as test for all equipment. So, following these steps is very important.
   
   
   • Register all your network connected devices with the respective manufacturers and ask to be alerted when new production firmware is available. If this feature is not available for any of your devices, you'll have to set a schedule to check to see if new production firmware is available for the devices.
   • Journal each of these firmware updates. Yes, dedicate another notebook - yes, a paper notebook - and record date, day, time, device type, device name, device location, name/location of running firmware file and configuration, name/location of new firmware file and configuration (if changed), name of who updated the firmware for this device, and reference place where firmware back out procedure for this device can be found. Make sure to write clearly and keep at least one new line between each device entry. And be very careful to not share this journal and store it in locked storage in a location where only you and your senior management know and can access.
   • Proceed with the scheduling of the firmware update once you've assured the new firmware file looks to be healthy and you have a safe copy of the current running firmware file and the current running configuration file that can be reloaded if needed.
   • Alert all users of any expected downtime, and fully inspect and double check backups of running configurations before reloading firmware to any of your network equipment.
   • Proceed with the new firmware loads, one device at a time. Once each device is up on the new firmware, test to make sure the new firmware did not break anything.
   • Also check your new running configurations on all devices to make sure the loading of the new firmware did not reset any configurations.
5. Force DNS to use only selected servers
   
   Cybercriminals look for ways to have your networked devices use their DNS servers, instead of your DNS servers, so they can direct your communications to where they want you to go. Yes, by having you resolve host.domain names with their hacked up DNS servers, your devices are redirected to fake versions of the websites or webmail servers or file sharing you're attempting to visit. For example, let's say your business router's DNS configuration is "DNS hijacked." Each time you visit the webmail server the cybercriminal already knows your business uses, you'll be redirected to website that looks exactly like the webmail server your business uses... You'll see the same colors, same images, same content, and the correct URL in your web browser - everything will look like it normally does... except when you attempt to login to the webmail server with your username and password, you will not be able to access the server. What you've done is provide a a phishing website your webmail credentials, and now the cybercriminal is going to very quickly do everything possible to keep you from ever knowing they now have your webmail credentials. So, you try again, and now... you are able to login to the server and all you think happened was you somehow mistyped something or the saved form information from your web browser somehow got it wrong. What actually happens, as soon as the cybercriminal's script has recorded your failed attempt, the cybercriminal changes the nameserver entry, flushes your DNS nameserver cache, and has your web browser access your actual webmail server.
   
   Not every DNS hijack will be this serious - many are pretty petty in what they do. One way the cybercriminals make money is to create page views for advertisements, normally inappropriate and sometimes malicious ones. So, the DNS nameserver changes they make are for only servers that host advertisements, and all the rest of your DNS resolves are as unaffected. So, users might think they have ad-scripting malware, and they'll just keep flushing your web browser's cache. Then, for several days or longer, the cybercriminal will clear the changes to the DNS hijack and all will be back to normal. The cybercriminals change your DNS back to how it was before being DNS hijacked in an effort to keep the business from finding they have DNS hijacked your DNS configuration.
   
   To keep cybercriminals from hijacking your DNS, take control of your outgoing DNS traffic (using Cisco Umbrella/OpenDNS only as an example there are several DNS service providers that have highly respected reputations).
   
   
   • Force all DNS traffic to use port 53 for UDP or TCP on your router/firewall, requiring all devices making DNS resolve requests to use the Cisco Umbrella/OpenDNS servers set on your business's router/firewall. So, you are forwarding all DNS requests - no matter what DNS server or IP address the requesting device has within the resolve request - to the Cisco Umbrella/OpenDNS IP addresses.
   • Stop DNS over HTTP/S (DoH) In Cisco Umbrella/OpenDNS, enable the "Proxy / Anonymizer" content category and much of the servers used for these DNS requests will be blocked. And, block the IP addresses of known DoH providers on your firewall, and keep these up to date by referencing Cisco Umbrella/OpenDNS knowledge base.
   • Block servers used to bypass DNS over TLS (DoT). This uses the RFC7858 standard over port 853, such as the DoT provider, CloudFlare. So, blocking port 853 for UDP and TCP for the currently known DoT servers is a good start for stopping DNS over TLS, but again, keep up with this by reading/referencing Cisco Umbrella/OpenDNS's knowledge base.
6. Set up MAC filtering
   
   There are two types of network adapters - wired adapter using most commonly physical CAT5/6 Ethernet cabling and wireless adapter which wirelessly connects to remote Access Points (AP). Each of these adapters have a unique label known as a MAC address which represents identification for the adapter to join a network. A Mac address is formatted using 6 hexadecimal values referred to as 6 octets, normally separated by colons or dashes (example: A4:29:F0:16:DC:64). The first 3 octets of the MAC address are called its Organizationally Unique Identifier or its OUI and lets us know the vendor or manufacturer of the adapter that owns the MAC address. Vendors/manufactures purchase these 24-bit 3 octet values from and have them assigned and published by the Institute of Electrical and Electronics Engineers (IEEE) Registration Authority. The last 3 octets of the MAC address are called is Network Interface Controller (NIC) value and is a unique value within the vendor/manufacturer's OUI. So, together, the OUI + NIC 6 octets create a universally unique address for the adapter - and this is for wired and wireless adapters.
   
   Now, seeing each adapter has a unique value in its Mac address that is used to allow it to exist on a network, you can use a list of all the MAC addresses you would like to be able to access a business network to define access to really any network resource or connectivity.
   
   Most refer to this as MAC filtering and this is used to control access to Wi-Fi AP's and DHCP/bootp servers, but many times can be used for other systems and services.
   
   
   • Wi-Fi Access Point use
   • DHCP/bootp server address request/assignment
   • Access and routing rules in some firewalls and routers
   • Include/exclude for Syslog server logging
     
   
   MAC filtering mainly helps in preventing unwanted access to business networks, blacklisting or whitelisting certain computers based on their adapters' MAC addresses. But, many times MAC filtering is also used with DHCP/bootp to assign static IP addresses to devices.
   
   MAC filtering is not a security solution in itself, but is certainly a good add for making your network hack-proof. The one real downside of using MAC filtering is you'll need to collect the MAC addresses of all the devices you want allowed to connect to your network, but using ARP tables you can easily get from switches to match IP addresses with NetBIOS/NetBEUI device names (if you've not yet blocked NetBIOS on your networks), is not that much work. As for adding new and/or maintaining devices, if you make recording MAC addresses part of your network equipment deploys, this will require very little work.
7. Disable NetBIOS
   
   If NetBIOS is still allowed on your network, it's time to work toward disabling NetBIOS. NetBIOS was designed in to allow computers to communicate over an old IBM PC network, and as networking evolved towards only required the TCP/IP protocol umbrella, NetBIOS never dropped off, primarily as a failback for local name resolution to find NetBIOS announcing computers and/or locate shared file systems on an internal network. NetBIOS is not secure, and is now, very rarely needed on secured business networks. A business computer allowing NetBIOS, native or over TCP/IP, supplies your authentication credentials (in hash form) to all local resources it attempts to connect to, including when a cybercriminal is spoofing a trusted resource name on your network... Your Windows computer hands credentials out and the cybercriminals take them and don't look back, while using them in further breaching of your network. However, NetBIOS can easily be disabled on Windows computers, using these steps or even easier, through a group policy action you deploy.
   
   
   • Access Control Panel, Network and Internet, Network Connections, choose network adapter, and right click for Properties.
   • Find item "Internet Protocol Version 4 (TCP/IPv4)."
   • Click Properties, Advanced, choose the "WINS" tab, and choose "Disable NetBIOS over TCP/IP."
   • Click Apply and OK
   
   Domain Controller? NetBIOS is not needed for access to a Windows Domain Controller, unless you have some ancient non-TCP application that has to have session layer naming service. If you do have one of these legacy applications still running, it's time to find a way for it to run without NetBIOS or isolate it and provide access that does not require NetBIOS connectivity. If your machine has an IP address and DNS is working, it can join the Domain Controller using full domain suffix - and No NetBIOS is needed. And, so if your business is using a Domain Controller and wants to disable NetBIOS for all end-user computers, adding these lines in a Group Policy Object should do the trick:
   $regkey = "HKEY_LOCAL_MACHINE:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2}
   Try to get to where TCP/IP is the only communications protocol you need on all your networked devices.
   
8. Secure your Wi-Fi networking
   
   Most businesses have need for at least one Wi-Fi network. Unfortunately, most small to medium sized businesses do not have the skills needed to secure their Wi-Fi network. Outsourcing business Wi-Fi to a MSSP is certainly best, but if you are not in a position to do that, invest some money in Wi-Fi equipment that gets praise from at least 5 different wireless security references, and make sure the Wi-Fi equipment you put in place allows you to do these.
   
   
   • Create a Wi-Fi mesh network. Having a properly designed mesh Wi-FI network reduces the administration needed to keep the network secure.
   • Enable Wi-Fi encryption. And, for the passwords you use, read my "Set and stick to a schedule for changing your passwords" section, above and consider my example password change model for changing a password for a Wi-Fi Access Points mesh network that has connectivity to at least one of a business's production networks, but always create your own model.
   • Hide all Wi-Fi network names. This makes joining your Wi-Fi networks a little trickier, but keeps your Wi-Fi networks somewhat hidden from people who have not been provided your network name(s), such as cybercriminals roaming around looking for Wi-Fi spots to hack (sometimes called wardrivers).
   • Set up Wi-FI MAC filtering. Read my "Set up MAC filtering" section for turning on MAC address access control for your Wi-Fi access. And, for people who justify they need Wi-Fi access, have material available for them to be able to learn how to find their Wi-Fi adapter's MAC address and get it to you.
   • Create a guest network. Maybe leave out MAC filtering for access control, but still enable encryption, requiring passwords, and still hide network names. And, where you can, assign the guest network a different public IP address and make the private network to where it has no access to any of your production networks, and exists outside your router/firewalls.
   • Secure your W-Fi DNS. Read my "Limit DNS to Cisco Umbrella/OpenDNS" section and make sure to do all you can to channel all DNS lookups (normally port 53 UDP and TCP) to the Cisco Umbrella/OpenDNS servers - either use a MSSP for access to Cisco Umbrella servers or keep your Cisco Umbrella account current.
     
   Yes, this is a good bit of work, but if you are not able to have a proven MSSP manage your Wi-FI network, and you are not prepared to invest your time and energy to keep your Wi-Fi network secure, your business should reconsider the risks of having open Wi-Fi.
9. Deploy a good cybersecurity stack to all end-user computers
   
   What's a cybersecurity stack? A cybersecurity stack is a mix of mostly cloud-based software tools that work together to provide a stable, secure base image for a desktop computer. And, what this type stack does is take all the user administrative intervention out of the mix and secure the computer, taking advantage of industry leading cloud services to properly take care of the user's business computer. A good cybersecurity stack to deploy to all end-user computers would include these software and service tools.
   
   
   • Phish testing and anti-phish training. Always have in place Phish testing campaigns run by a leading Phish testing service company that sends test emails to all end users, trying to get them to click bad links or reply to the test email or open attached files. And, when any of these actions happen, the offending end user is automatically required to watch training videos to teach them what they did wrong and how to keep from making the same mistake(s).
   • DNS filtering/protection. Most successful MSSP's use DNS filtering/protection, but also combine with the steps I include in the "Force DNS to use only selected servers" section of this article.
   • Anti-Malware and Anti-Virus endpoint security. The most successful MSSP's use lean, inexpensive, powerful Host-based Intrusion Detection System (HIDS) endpoint security software that communicates all threats to a notification portal, instead of to the local desktop's screen. This allows the MSSP's notifications portal software to decide if the alert needs to be attended to or not, providing a seamless remote control session directly to the computer sending the notification, if needed.
   • Desktop data backup solution. Always include a data backup service within the stack that backs up all files in the computer's Desktop, Downloads, Documents directories to a reputable cloud storage service, scanning each backed up file to assure no infected files are added to the archives. If any files look to be infected, make sure notifications are sent to a notification portal, so you can investigate and resolve.
   • Complete office applications solution with information protection. Microsoft 365 with Azure Information Protection is the leading office applications and services solution at this time, but you certainly can't lose with Google G Suite - as long as you can get along without the core Microsoft applications like Word, Excel, Powerpoint, and Outlook. Using an industry trusted application suite that keeps not only all its desktop and online applications patched and secure, but also all its data transfers free of infections is certainly the right choice to make.
   • RMM with auto-patching and applications maintenance software. Always make sure to have RMM (Remote Monitoring and Maintenance) software running that takes care of: remotely monitoring all your networks and devices, the scheduling of all operating system updates, application uninstalls/installs, group policy updates, and any needed systems administrative actions that need to be done - and all this needs to happen without the end user ever seeing it.
   • No administrator rights. Make sure to use cloud-based authentication that includes no administrative rights for the end user and has a versatile environment for creating, managing, and pushing down group policies for all end users.
10. Tighten down your front line with Vulnerability Scanning and Penetration Testing
    
    Now comes the most time consuming and most critical part of making your network hack-proof... Once you've completed all these steps to make your network hack-proof, it's time for Internet and intranet scans for vulnerabilities and from the Internet penetration testing to see what you've missed, so you can truly tighten up configurations for your firewall(s), router(s), switch(es), and anything else the testing finds to have security holes. And, this is not just a one time thing... If you have relations with a good Managed Security Services Provider (MSSP), they'll run these tests on difficult-to-predict schedules for you, and will let you know when they find something they need you involved to resolve. However, if you are not using an MSSP to manage your business's network, you'll need to define a schedule similar to how I suggests you schedule changing passwords, and never miss doing this testing - normally at least once each month, but it's best to do them at the end of each week. Now, if you choose to do this work without the help of an MSSP, there are many ways you can do this - even some pretty good ones that are free to use, but with the security of a business at stake, it's best to use tried and true professional services to let you know where you stand with your network security. A safe bet is to use what many MSSP's use, Rapid7's Nexpose Vulnerability Scanner and Metasploit Penetration Testing, and maybe also subscribe to VERACODE and schedule VERACODE scans for web servers to keep at least your web servers' public code secure.
    
    
    • Vulnerability Scan. Vulnerabilities happen every day. Real-time intelligence is required to discover them, locate them, prioritize them for your business, and reduce exposure. Your vulnerability management software should have an on-premises option for monitoring exposures in real-time and adapting to new threats, always keeping reference data up to date, ensuring you can always act as quickly as possible to catch and resolve risks.
    • Penetration Test. Cybercriminals are always developing new ways to exploit and attack - the correct penetration testing software will help you use the cybercriminal's own weapons against them. Your penetration testing software will have to use an ever-growing database of exploits, allowing you to safely simulate real-world attacks on your network to teach you how to spot and resolve potential risks for all your networked devices, including web, email, proxy servers and any other servers that have an open communications path to your internal network(s).
    • Make good relations with the makers of the software/services you choose to use. Call their technical support, practice and get comfortable with their email support process, and use any forums they have available. Following all provided instructions for these scans, and keeping close communications with the software/services provider is a very smart investment.

- by Kevin Crothers, January 16, 2020
    linkedin.com/in/kevincrothers