Blog

March 20th, 2014

Security of a business's systems and networks should be important to many business owners and managers. In fact, an increasing number of companies are implementing security strategies. While these strategies do keep businesses secure, there is one critical element that could cause plans to fail, leading to an increased chance of a breach of security: The audit.

Auditing and the security strategy

Auditing your company's security is important; the only problem business owners run across is knowing where and what they should be auditing. The easiest way to work this out is to first look at the common elements of developing security strategies.

These elements are: assess, assign, audit. When you develop a plan, or work with an IT partner to develop one, you follow these three steps, and it may seem obvious that the audit comes at the end. In truth, however, you should be auditing at each stage of the plan. That means you first need to know what goes on in each stage.

During the assessment phase you or your IT partner will need to look at the existing security you have in place. This includes the security on every computer and server, and also covers who has access to what and which programs are being used. Doing an assessment should give you an overview of how secure your business currently is, along with any weak points that need to be improved.

The assignment phase looks at actually carrying out the changes you identified in the assessment phase. This could include adding improved security measures, deleting unused programs or even updating systems for improved security. The main goal in this phase is to ensure that your systems and networks are secure.

Auditing happens after the changes have been made and aims to ensure that your systems are actually secure and that the changes have been implemented properly. Throughout the process you will need to continually audit and adjust your strategy.

What exactly should be audited?

When conducting an audit, there are three factors you should focus on:
  1. The state of your security - Changing or introducing a security plan usually begins with an audit of sorts. In order to do this, however, you need to know how your security has changed in between audits. Tracking this state and how it changed in between audits allows you to more efficiently audit how your system is working now and to implement changes more easily. If you don't know how the state of your security has changed in between audits, you could risk implementing ineffective security measures or leaving older solutions open to risk.
  2. The changes made - Auditing the state of your security is important, but you should also be auditing the changes made to your systems. For example, if a new program is installed, or a new firewall is implemented, you will need to audit how well it is working before you can deem your security plan to be fully implemented. Basically, you are looking for any changes made to your system that could influence security while you are implementing a new system. If by auditing at this point, you find that security has been compromised, you will need to go back to the first step and assess why before moving forward.
  3. Who has access to what - There is a good chance that not every system you have will need to be accessed by every employee. Once a security solution is in place, it would be a good idea to audit who has access to what systems and how often they use them. This stage of the process needs to be proactive and constantly carried out. If you find that access changes or system access needs change, it would be a good idea to adapt your security strategy, starting with the first stage.
If you are looking for help developing a security strategy for your business, contact us today to see how our managed solutions can help.
Published with permission from TechAdvisory.org. Source.

Topic Security
February 20th, 2014

There are numerous ways business security systems can be compromised. A common way is phishing - tricking people into giving up important information via email. Original phishing methods are now well known, and increasingly less effective. So hackers have become more skilled and have adapted their phishing methods into a new way of catching people out, which experts have labeled spear phishing.

What is spear phishing?

Spear phishing is a specialized type of phishing that, instead of targeting a mass number of users as normal phishing attempts do, targets specific individuals or groups of individuals with something in common, e.g., an office.

Generally a hacker will first pick a target and then try to learn more about the related people. This could include visiting a website to see what a company does, who they work with, and even the staff. Or they could try hacking a server in order to get information.

Once they have some sort of information, usually a name, position, address, and even information on subscriptions, the hacker will develop an email that looks similar to one that another organization might send e.g., a bank. Some hackers have been known to create fake email accounts and pose as a victim's friend, sending emails from a fake account.

These emails are often similar to official correspondence and will always use personal information such as addressing the email to you directly instead of the usual 'dear sir or madam'. The majority of these emails will request some sort of information or talk about an urgent problem.

Somewhere in the email will be a link to the sender's website which will look almost exactly like the real thing. The site will usually ask you to input personal information e.g., an account number, name, address, or even passwords. If you went ahead and followed this request then this information would be captured by the hacker.

What happens if you are speared?

From previous attack cases and reports, the majority of spear phishing attacks are finance related, in that the hacker wants to gain access to a bank account or credit card. Other cases include hackers posing as help desk agents looking to gain access to business systems.

Should someone fall for this tactic, they will often see personal information captured and accounts drained or even their whole identity stolen. Some spear phishing attacks aren't after your identity or money; instead, clicking on the link in the email will install malicious software onto a user's system.

We are actually seeing spear phishing being used increasingly by hackers as a method to gain access to business systems. In other words, spear phishing has become a great way for people to steal trade secrets or sensitive business data.

How do I avoid phishing?

Like most other types of phishing related emails, spear phishing attempts can be easy to block. Here are five tips on how you can avoid falling victim to them.
  • Know the basic rule of business communication - There are many basic rules of communication, but the most important one you should be aware of is that the majority of large organizations, like banks, social media platforms, etc., will not send you emails requesting personal information. If you receive an email from say PayPal asking you to click a link to verify your personal information and password, it's fake and you should delete it.
  • Look carefully at all emails - Many spear phishing emails originate in countries where English is not the main language. There will likely be a spelling mistake or odd wording in the emails, or even the sender's email address. You should look out for this, and if you spot errors then delete the email immediately.
  • Verify before you click - Some emails do have links in them; you can't avoid this. That being said, it is never a good idea to click on these without being sure. If you are unsure, phone the sender and ask. Should the email have a phone number, don't call it. Instead look for a number on a website or previous physical correspondence.
  • Never give personal information out over email - To many this is just plain common sense - you wouldn't give your personal information out to anyone on the street, so why give it out to anyone online? If the sender requires personal information try calling them or even going into their business to provide it.
  • Share only essential information - When signing up for new accounts online, there are fields that are required and others that are optional. Only share required information. This limits how much a hacker can get access to, and could actually tip you off, e.g., they send you an email addressed to Betty D, when your last name is Doe.
  • Keep your eyes out for the latest scams - Pay attention to security websites like those run by the major antivirus providers, or contact us. These sites all have blogs where they post the latest in security threats and more, and keeping up-to-date can go a long way in helping you to spot threats.
If you are looking to learn more about spear phishing or any other type of malware and security threat, get in touch.

February 14th, 2014

Our computer systems need a high level of protection against harmful viruses, worms and other malware currently spreading like wildfire over the Web. If you have a layered security or defense in depth strategy in place, then you’re probably well protected. But if not, then our guide will surely help you protect your computer systems.

Just like the human body, a computer system can be attacked by many viruses that can infect and disrupt computer operations. What's worse, these viruses and other malware don't just disrupt the operations of your computer; they can also gather sensitive information or even gain access to other private and secured computer systems on the same network.

Although computer viruses aren't deadly, they can spread at an unimaginable rate across your entire computer system, affecting your database, networks and other IT-related sources. You can get these viruses by opening bogus email messages, downloading unknown file attachments, and accidentally clicking ads that pop up on your screen. This is why there is a need for a strong and effective security system to protect your network.

One of the tested and proven security strategies used today is defense in depth. This concept focuses on the coordinated and organized use of multiple security countermeasures to keep your database safe from intrusive attackers. Basically, this concept is based on the military principle that a multi-layered and complex defense is more difficult to defeat than a single-barrier protection system.

The defense in depth strategy assures network administrators by working on the basis of the following guiding principles:

Defenses in multiple places

The fact that many viruses can attack the network system from multiple points means that you need to deploy strong defense mechanisms at multiple locations that can endure all types of attacks.

Defense in depth covers these areas by deploying firewalls and intrusion detection to withstand active network attacks, and by providing access control on servers and host machines to resist distribution attacks from insiders. This multi-layered defense also protects local and area-wide communication networks from denial of service attacks.

Multiple layered defense

Defense in depth is an extremely effective countermeasure strategy, because it deploys multiple layered defense mechanisms between the attacker and its target. Each layer of the defense has a unique mechanism to withstand the virus attacks. Furthermore, you need to make sure that each layer has both detective and protective measures to ensure the security of the network.

The reason for wrapping the network with multiple layers of defense is because a single line of defense may be flawed. And the most certain way to protect your system from any attacks is to employ a series of different defenses that can be deployed to cover the gaps in the other defenses. Malware scanners, firewalls, intrusion detection systems, biometric verification and local storage encryption tools can individually serve to protect your IT resources in a way others cannot.

Perhaps the final layer of defense should be educating your employees not to compromise the integrity of the computer systems with potentially unhealthy computer practices. As much as possible, teach them the dos and don’ts of using the computer, as well as how they can prevent viruses and other computer malware coming in and destroying your system.

If you’re looking to give your computer systems better protection against the harmful elements that the internet can bring, then give us a call now and we’ll have one of our associates take care of you and help defend your business.

February 11th, 2014

The 2014 Olympic Winter Games is underway and athletes from all over the world have made their way to Sochi, Russia to compete. As with almost every other Olympic Games, there have been a number of issues for organizers to deal with. However, unlike the last Olympics, one of those complaints is about hacking of mobile devices and computers.

Hacking at the Winter Olympics 2014

Well before the Olympics even started in Russia, the Russian government said that they will be surveilling phone and computer communications. Many scoffed at this, writing off the government as being overly ambitious and boasting about a nearly impossible task. The thing is, the Internet in Russia may not be as secure as many believe, being full of hackers, at least according to a report aired on NBC shortly before the games started.

In the report, reporter Richard Engel took new, never opened laptops and mobile devices to Russia and used them. He found that within 24 hours all of the devices had been hacked, exposing the data stored within.

In part of the segment, Engel and a security expert go to a local coffee shop in Moscow and search for Sochi on a mobile device. Almost immediately the device is hacked and malicious software downloaded. Engel notes that the hackers have access to data on the phone along with the ability to record phone calls.

In a follow-up segment, Engel explains a bit more about the laptop issues. When he boots one up and connects to the Internet, hackers are almost immediately snooping around the information transferring from the machine to the networks. Within a couple of hours, he received a personalized email from a hacker welcoming him to Russia and providing him with some links to interesting websites. Clicking on the link allowed the hackers to access his machine.

One issue is that it hasn't been stated in any reports whether the Russian government is behind this, or if it's hackers out to steal information. While you can be sure that the Russians are monitoring communication during the Winter Olympics, it is highly likely that they are not the ones installing malware on phones, rather it's probably organized crime rings or individual hackers.

I'm not at Sochi so why do I care?

As a business owner half the world away you may be wondering why this news is so important to you, or why you should care. Take a look at any tech-oriented blog or news channel and you will quickly see that the number of attacks on devices, including malware, phishing, spam, etc. is on the rise. It's now likely a matter of when you will be hacked, not if.

Combine this with the fact that many businesses are going global, or doing business with other companies at a great distance. This has caused many people to go mobile, and the tools that have allowed this are laptops and smart devices. Because so many people are now working on a laptop, phone or tablet, these devices have become big targets. The main reason for this is that many people simply don't take the same safety precautions they take while on the office or even the home computer.

Hackers know this, so logically they have started going after the easier targets. The news reports concerning Russia highlight this issue and are a warning business owners around the world should be aware of, especially if they are going to be traveling with computers or phones that have sensitive information stored within.

That being said, there are a number of tips you can employ to ensure your data is secure when you go mobile. Here are six:

1. Use cloud services wherever possible

Cloud storage services can be incredibly helpful when traveling. They often require a password to access and are usually more secure than most personal and even some business devices. If you are traveling to an area where you are unsure of the security of the Internet or your devices, you could put your most important data in a trusted cloud storage solution.

This is also a good idea because if your device gets stolen, the data is in the cloud and is recoverable. If you have data just stored locally on your hard drive, and your device is stolen, there is a good chance it's gone forever. For enhanced security, be sure to use a different password for every service.

2. Back up your data before leaving

Speaking of losing data, it is advisable to do a full system backup of all the devices you are taking with you before you leave. This will ensure that if something does happen while you are away, you have a backup of recent data that is recoverable.

3. Secure and update all of your devices

One of the best ways to ensure that your data is secure is to update all of your devices. This means ensuring that the operating systems are up-to-date and any security updates are also installed.

Also, ensure that the programs installed on the devices are updated. This includes the apps on your phone, including the ones that you don't use.

You should also secure your devices by not only having an antivirus and malware scanner but also requiring a password to access your device.

4. Watch where you connect

These days Internet connections are almost everywhere. In many public spaces like airports, coffee shops, restaurants, etc. many of the connections are open, or free to connect to, and don't require a password.

While this may seem great, hackers are known to watch these networks and even hack them, gaining access to every bit of information that goes in and out of the network. When you are traveling, try avoiding connecting to these networks if you can. If you really have to, then be sure not to download anything or log into any accounts that hold private data.

5. Know the risks of where you are going

Before you leave, do a quick search for known Internet security issues in the area you will be visiting. If you find any news or posts about threats you can then take the appropriate steps to secure your system ahead of time.

6. If in doubt, leave it at home

In the NBC report, Engel finishes by telling viewers that if they are at all unsure about the security of their devices, or are worried about their data, they should leave the device at home, or delete the data before going. This is a good piece of advice and maybe instead of deleting data completely, you could move it to a storage device like an external hard drive that you leave behind.

If you are looking to learn more about ensuring the security of your devices while you are away from the office, contact us today. We have solutions to help.

January 23rd, 2014

Technology is becoming increasingly complex and many small to medium business owners and managers are finding it an increasing challenge to manage their systems, while also ensuring that they are secure. One way to prioritize security is to turn to an IT partner, many of whom offer managed antivirus solutions. While this is a viable option, it can still be a slightly confusing topic.

What exactly is managed antivirus?

By now, most people are familiar with the term 'antivirus'. They know that the majority of solutions are a monthly or yearly subscription that they pay for. When you subscribe, the company that created the program will update virus databases, allowing scanners to identify viruses during a computer scan. This type of antivirus software is often referred to as unmanaged, largely because the end-user has the ability to deny updates, turn off the scanner, or uninstall it.

A managed antivirus solution is provided by IT partners. These tech experts take care of installing the software on computers and other devices, and will then manage the solution. They will also ensure that scanners are up-to-date and scans are scheduled for a convenient time, thus protecting computers. The best way to think of these solutions is that they are specifically provided by a company to look after your computers and protect them from viruses.

Benefits of managed antivirus solutions

Companies that choose to integrate a managed antivirus solution generally see five main benefits.
  1. All systems will have the same level of security - With a managed service, your IT partner will make sure to install software on all your systems. This means that there should be the same program installed on your systems, and that the antivirus will be updated to ensure that systems are protected from new security threats that come along.
  2. It is easier to manage - Managing your antivirus solution can be a tough task, especially in larger companies where different solutions may need to be employed. By working with an IT partner, your antivirus solutions are managed by tech experts. This is a great solution for business owners who aren't too familiar with technology, or an overworked IT department.
  3. The solutions can be low-cost - Most managed antivirus solutions are offered as a monthly package, where companies pay per user. For some companies, this solution is more affordable per user than a non-managed solution. This is especially true if you have a high number of users and need to purchase multiple licenses.
  4. Management is continual - With unmanaged solutions, many users turn the antivirus protection off because it can slow their computer down or because they believe their usage habits are not compromising security. Managed antivirus solutions usually can't be uninstalled or turned off, meaning your systems are continually protected.
  5. Your systems are truly protected - Regardless of how secure your systems are and the steps you take to ensure that malware doesn't get through, the chances are you will eventually be infected. When you are, it may be tricky to actually completely remove the virus. IT partners are trained in how to do this quickly and efficiently and can usually completely remove the virus, ensuring that your systems are truly secure.
If you are looking for a managed antivirus solution, contact us today as we may have a solution that will work with your business.

January 9th, 2014

Each new year, experts like to take time and look back at the past year, and try to figure out what to expect in the coming year. It is also a good time to take a look at existing business systems and see if they are ready to handle whatever the coming year can throw at them. When it comes to security, the first step to ensuring your company is ready for the year, security wise, is actually knowing what to expect in 2014.

Here are four security threats businesses should be aware of in 2014.

Increased attacks on cloud end-points

Cloud-based systems saw solid growth throughout 2013, with numerous systems being introduced and older systems reaching new levels of maturity. Small to medium businesses in particular were heavy adopters of these systems. Because of this, we expect to see an increase in attacks against cloud providers.

Providers know this and take steps to ensure security of systems on their end. Hackers know this too, so they will likely go after the weaker points - end users. It is expected that hackers will begin targeting users of cloud systems with various schemes that try to gain control of computers and mobile devices. Once access is gained, they will go after their main target: Corporate or personal clouds and the data stored within.

This could pose a problem for many companies, especially those who access cloud systems from their mobile devices. January and February would be a good time to look into the security of all of your systems, ensuring that your cloud-based systems are secure on all devices.

Mobile malware will continue to gain popularity

Take a step back for a minute next time you are in public and look at how many people have smartphones or tablets in their hands. Chances are, at least 60% or higher will. It is fairly obvious that the mobile device is the most popular trend in tech at the moment, and whatever is popular is also a target.

We predict there will be an increase in mobile malware attacks throughout 2014. This could see either an increase in the number of apps that have malware in their code, or websites that host malware. When you visit a site with this malware, you are informed that you need to update an app, and when you agree to this the malware is downloaded and installed.

This could prove to be tough for companies to manage, especially since the number of mobile users will likely grow. If you haven't started looking into how to secure mobile devices, now would be a good time to start.

Growth in social engineering scams targeting mobile users

Social engineering is the act of essentially tricking people into giving away confidential information. Hackers have been using this for years - for example, emailing users telling them their bank account has been compromised, and that if they click on the link in the email and enter their account info, the account will be secured. In reality, the link is to a fake site that captures information which can then be used for any number of illegal activities.

As we mentioned above, the number of mobile users is steadily increasing. This means that it is highly likely that hackers will begin to target these users with mobile specific social engineering. This could be tricking them into downloading an app which then steals information stored on the phone, or simply targeting those who use just their tablet.

In order to prevent this from happening, you need to brush up on how most social engineering schemes work. You should also encourage your employees to look where the links in emails lead to and be aware that generally, most major businesses like banks don't email customers asking for passwords or user names.

Windows XP will become a big target

Microsoft will stop support for Windows XP and Office 2003 in April of this year. What this means is that they will no longer be offering security updates, software updates or support for these products. It is a sure thing that these programs are about to become a big target, and that new security loopholes and exploits will be found on a regular basis after the cessation of support.

For businesses that are using a newer version of Windows like 7 or 8, you should be secure from these exploits. If you are using XP on the other hand, you might want to upgrade as soon as possible. Contact us, we can help with that.

From the overall looks of things, we think this year will see a drastic increase in mobile based security threats, along with attacks on older versions of software. Now is a good time to review your strategies regarding both mobile and the software/hardware you use, to ensure that it is secure. If you would like help with this, please contact us today for a chat.

December 27th, 2013

There were numerous security threats throughout 2013, many of which put small to medium business users' data and systems at risk. Many companies have implemented security systems, such as virus scanners, that protect their assets and business operations from most threats. One type of security threat that still exists, however, relates to passwords.

Many of the major security threats that harm a business have one factor in common - a hacker gaining access to systems by cracking a user's password. The one reason hackers are able to get into systems again and again is largely because users often don't pick strong enough passwords.

Even what we might perceive to be a strong password may not actually be as secure as we think. Sure, when you enter a new password many websites have a bar that indicates how strong your password is, but the issue is, these so called strong passwords are becoming easier to guess as more websites utilize the same requirements.

Think about the last time you changed your password. You were likely told to key in a password longer than 6-8 characters, with at least one capital letter, one number, and a special character like '!' or '$'. Many major systems have these exact, or at least very similar, requirements for password setting. However, if this is the norm, and you use a password like this too often, then your passwords likely aren't as secure as you might believe them to be.

The reason for this is because of the way hackers usually capture passwords. The most common method adopted is brute force - getting a username then trying every password combination until the hacker finds one that works. There are programs you can download from the Internet that try thousands or more passwords a second, and many now include special characters, numbers, and capital letters, which makes finding passwords even easier.

How do I know if my password is secure?

In an effort to showcase how insecure some passwords are, Microsoft's Research (MSR) Center and an intern from Carnegie Mellon University developed a password guesser called Telepathwords.

The way it works is you enter the first few letters of your password and the system guesses the next. It uses common letters and combinations to help gauge the effectiveness of a password. For example, if your password begins with the letter 'v', it will tell you that 'I', 'S' and 'A' are the most common letters to follow. If the next letter of your password isn't one of these three, there is a good chance it is more secure. If the second letter is one of these three, then your password is less secure. This may sound a little complicated, but you should check out the system here.

It is eerie how accurately the guessed letters and characters often match, and this is a good tool to determine whether to create a more robust password. You don't have to worry about testing your password out either, as Microsoft has noted that they don't track the keystrokes, so your password should remain secure.

How do I create a stronger password?

Ask 10 experts and you will likely get 10 different answers as to what makes a strong password. Here are three different ways to create secure passwords:
  1. Use an algorithm - The easiest way to do this is take the first letter of a saying and add a number before or after. You can also create a saying and take the first letter of each word, then add the first letter of the website, followed by the last, and then a number. This method is best for when you have a large number of websites you access on a regular basis; it can help you remember your passwords for each without you having to write these down.
  2. Use a sentence or saying - For systems that allow you to have spaces in your password, try using a random saying like, 'Dogs like pudding cups'. Sayings like this are harder to crack. This is largely because they include the space and are longer than usual.
  3. Use an acronym - Come up with a saying that describes you e.g., 'I've worked at a gas station for 20 years', and take the first letter/number of each word to create: 'Iwaagsf2y'. This gives you an easy to remember password that can be adapted for other sites.
Regardless of what type of password you develop, you should be aware that even strong passwords can still be cracked with enough persistence. So, you should be sure to change passwords on a regular basis and also not to use the same one twice. This will limit the chances of hackers being able to access your other accounts.

If you are looking for more ways to secure your systems, we can help, so get in touch with us today.

Published with permission from TechAdvisory.org. Source.

December 12th, 2013

As a business owner you probably have more than one issue on your mind at any given time. One challenge many owners and managers worry about is the security of their organization and the systems used. One of the weakest links, security-wise, is the password, as these can be quite easy to crack. This is why many companies introduce password policies. However, quite often these policies are not effective.

If you are in the process of implementing a password policy, or are looking for a way to ensure that your business is as secure as possible, you need to be aware of at least four common password policy pitfalls.

1. Complex password requirements aren't complex at all

One of the most common elements of a password policy is the requirement that passwords be complex. Many require that the password has at least one number, or a special character like '!' or '&', and possibly even a capital letter.

While this may seem like it serves to make passwords more complex, many users will often use a simple password and replace words with a character, or add it at the end. This really doesn't make the passwords complex; it just makes them more difficult to guess.

Because so many systems have these requirements in place, hackers have started to include these factors when they develop password crackers. This means that they are still able to guess many passwords relatively quickly.

2. Lack of a lock-out

A common way hackers get into systems is through a method called brute force. This is essentially entering different passwords and variations until you come across the correct password. While this method can take a while, if your password system doesn't have a lock-out rule - whereby the account becomes locked after a set number of failed attempts - you will eventually see a security breach.

3. Password changes are forced too often

In order to keep systems secure, many companies force their users to change their passwords on a regular basis - usually every 90 days. While this is a good idea, some take it a bit too far, for example forcing employees to change passwords every two weeks.

This may seem like a good idea, but all it does is encourage users to pick easy to remember passwords. And, any password that is easy to remember is likely easy to guess too.

4. Only focusing on digital passwords

Because the number of password protected systems we use is increasing, many business users are struggling to remember all of the passwords they use. When this happens, the easiest solution is to write them down.

When making a note of passwords, most people don't take any steps to hide them, often leaving a sticky note attached to their monitor or written in a notebook casually left open on their desk. Needless to say, this is a real security issue.

How should I ensure a strong password policy?

Here are four actions you can take to ensure not only stronger passwords, but a policy that is effective.
  1. Try using passwords that are sayings and have spaces. Believe it or not, a random saying like "rude horses get pizza" is actually way more secure than any one-word password with characters. Take a look at this XKCD comic for an interesting graphic on passwords.
  2. In order to minimize passwords and systems falling to brute force attacks, you should set a lock-out rule. It should be fair in that you shouldn't lock users out of their accounts if they fail one attempt. Most companies using this method set a limit of 3-5 attempts.
  3. You should ensure that your passwords are changed on a regular basis - most companies set every 90 days, and this is fine. In order to maximize security, it is a good idea to set it so that the same password and numbers can't be used, because most employees will just enter another number or character at the end or beginning. In other words, ensure the password is as different as possible.
  4. The most obvious point is to remind your employees not to write their passwords down and leave them in an easy to find area. If they have to write passwords down, tell them to use a code or even hide the piece of paper/lock it away in a secure safe. The other step you could implement is two-factor authentication, such as a user needing to enter a numerical code or piece of information when trying to access a system. Implementing a system like this and recording it in the policy will greatly reduce the chances of your passwords being stolen.
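The third action above asks that a changed password be more than the old one with a different number or character at the start or end. One way to check that at change time, as an added example (not part of the original article); the function names and the 0.6 similarity threshold are assumptions.

```python
import difflib


def core(password):
    """Lower-case the password and strip digits/symbols from both ends."""
    s = password.lower()
    start, end = 0, len(s)
    while start < end and not s[start].isalpha():
        start += 1
    while end > start and not s[end - 1].isalpha():
        end -= 1
    return s[start:end]


def check_new_password(old, new, max_similarity=0.6):
    """Return (accepted, reason).

    `old` is the current password as typed by the user on the change form;
    stored passwords are hashed, so this is the only moment it is available.
    """
    if new == old:
        return False, "unchanged"
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return False, "only leading/trailing numbers or symbols changed"
    # Catch small edits elsewhere in the password (assumed threshold).
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio > max_similarity:
        return False, "too similar to the current password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    current = "Summer2013!"
    for candidate in ["Summer2014!", "1Summer2013", "Summers2014",
                      "rude horses get pizza"]:
        print(candidate, "->", check_new_password(current, candidate))
```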
If you are looking for help with your password policy, or with the security of your business and systems, please contact us today.
Published with permission from TechAdvisory.org. Source.

November 29th, 2013

There is a growing trend among many businesses of connecting to the office from outside, or doing work remotely. In order to do so, most users require an Internet connection, often using public Wi-Fi connections. The issue with many public Wi-Fi connections is that they may not be as secure as you think, and could lead to increased security threats and even loss of data.

If you or your employees work outside of the office, and rely on, or frequently connect to public Wi-Fi connections, there are three security dangers you should be aware of.

1. Fake networks

The number of businesses offering free Wi-Fi to customers, especially coffee shops and restaurants, is growing. Some hackers have actually taken to setting up networks with names that are the same as a location or business in hopes that people will connect to it, believing it is an open network.

The issue is that they may have attached data monitors that collect data - including passwords and other private information going into and out of the network. Some have even gone so far as to set up a portal site that one must navigate to in order to log in and use the service - similar to what you see when you use most public Wi-Fi connections. Only these sites are loaded with malware which can be installed onto your system once you log in.

In order to avoid this, it is a good idea to look at the name of the network you are actually connecting to and check whether there is more than one with a similar name, or if there are any spelling mistakes. If you are unsure, the best approach is to check the name of the network at the business which is providing this connection.

2. Shared files or folders

Both major operating systems - OS X and Windows - have files and folders that automatically share any folders and files put into them with other users on the same network. Some business users put important files in these folders while at the office in order to allow colleagues access to them.

The problem with this is when you connect to a public Wi-Fi connection. Other people on that network may also be able to see those files. If you didn't take the important files out of the folder, they could potentially steal the data contained within. Hackers know this, and may sit on the networks looking for other computers with shared files.

In order to avoid this, you should ensure that you aren't sharing files stored in public folders on your computer. Try using other ways to share documents like a cloud storage provider.

3. The man-in-the-middle

A man-in-the-middle attack is a form of hacking where the hacker uses technology to actively listen to or capture data being transmitted over a network. What this means is that if there is someone capturing data, they could theoretically gain access to anything that gets sent outside of the network. This could include private files, passwords and more.

If you or an employee connects to the office remotely while connected to a public network, one way to minimize the chances of data being intercepted is by using a VPN. These connections set up a direct link between the computer and the home network, and make it difficult for those who aren't part of that network to connect to and view data that is transmitted over this connection.

On top of this, it is a good idea to avoid entering passwords or other important information like bank account and ID numbers while connected to public networks.

If you are looking for ways to keep your data secure while out of the office, get in touch with us today to see how we can help.

Published with permission from TechAdvisory.org. Source.

November 12th, 2013

One of the first steps many companies take when they are looking to secure their computers and networks is to implement an anti-virus or malware program and scanning. While this will go a long way in deterring network intrusions, malware can still sometimes find a way to get onto your systems. In order to minimize the potential damage you need to know how exactly malware can circumvent your anti-virus software to infect your systems.

There are several ways in which malware can be introduced to your systems, even those protected by anti-virus scanners or other security measures. Here are three you might need to know about:

1. Attacking remote users

Traditionally, business was carried out in a physical office. This means that companies only had to protect internal networks and systems. However, businesses are increasingly going mobile and relying on off-site workers. Problems can arise though when steps are not taken to ensure the security of these endpoints - laptops, tablets, mobile devices, etc.

Attackers know this, and have started to attack remote workers who may not be as secure as the company's internal systems. This becomes an even bigger issue when the infected device is brought back to the office and connected to the network - thus likely introducing the malware into your systems. It's necessary to ensure that all remote employees and devices are secure in order to protect your core systems, and that they also follow the same security protocols used on-site and in-house.

2. USB infections

The majority of malware is introduced to systems via the Internet and websites. This is the reason why almost all virus-scanners focus on web-based intrusions. To a large extent, these scanners do what they are supposed to and keep companies secure. Hackers are always looking for new ways to attack systems though, and one avenue is through USB drives.

Some of the more popular USB-based malware takes advantage of Auto-Run - when an external hard drive, or USB flash drive is plugged in, this feature automatically opens the drive. The malware on the drive is configured to install itself when the drive boots up and is accessed, thus infecting systems.

To limit the chances of being infected by malware you should either provide drives for your employees to use, or approve drives that come in from outside sources. If you use USB drives to transfer files or share files between computers, try looking into other options like cloud storage drives. Finally, disabling Auto-Run and scanning drives with a virus-scanner (many programs can actually do this) could go a long way toward deterring infections.

3. Anti-virus misses malware

While many companies have anti-virus scanners and software to deter malware infections, in order for these programs to work they often require daily or weekly updates. These updates contain information about new forms of malware discovered, along with detection and handling rules.

However, many companies may not be allowing the virus scanners to update. Because of this, systems are at an increased risk of being infected by newer malware. Therefore, ensure that your anti-virus scanners are not only up-to-date but are set to scan at regular intervals.

Beyond this, it is important to know that while anti-virus scanners will go a long way in preventing infections, they are often a step behind the newest malware. Taking steps to prevent malware, such as limiting downloads, educating employees and establishing a security policy can also help.

Finally, if you are worried about the security of your systems, working with an IT partner can prove to be one of the most successful ways of minimizing security threats that could harm your organization. IT partners can implement a plan to lower infection rates and employ experts who are able to work with you to restore your systems quickly should they become affected.

If you are looking to make your business more secure, get in touch with us today.


Published with permission from TechAdvisory.org. Source.
