Blog

November 25th, 2016

2016november25_security_aIf you’ve read this blog before, you already know security is paramount to the success of any small business. We cover the ever increasing cases of security violation in big and small businesses, as well as national and international organizations where data, applications, networks, devices and networks have been illegally accessed by unauthorized people. But today we want to look at simple preventative measures to ensure these risks never befall your organization.

Limitation of lateral data transfers

Employees not being educated on data sharing and security is one of the biggest reasons for internal data breaches. It’s a good idea to limit access to important data and information by restricting access privileges to only a small number of individuals. Also, you can decide to use network segmentation to cut unnecessary communication from your own network to others.

Keeping your machines and devices updated

Internal breaches might also occur when employees work with unguarded or unprotected machines. They might unknowingly download malware, which normally wouldn’t be a problem if machines were properly managed. Updating your operating systems, antivirus software, business software, and firewalls as often as possible will go a long way toward solidifying your defense systems.

Use monitoring and machine learning to sniff out abnormalities

It’s not all on your employees, however. Network administrators should employ monitoring software to prevent breaches by analyzing what is “normal” behavior and comparing that to what appears to be suspicious behavior. Cyber criminals often hide in networks to exploit them over a long period of time. Even if you miss them the first time, you should monitor suspicious activity so you can recognize impropriety and amend security policies before it goes any further.

Creating strong security passwords and credentials

No matter how often we say it, there’s always room for improvement when it comes to your passwords and login procedures. In addition to text-based credentials, you should require other methods whenever possible. Great for fortifying your network, fingerprints and smart cards, for example, are much harder for cyber criminals to fake. Regardless of which factors are used, they must be frequently updated to prevent breaches, accidental or otherwise.

Security Insurance

In the end, no system is perfect. Zero-day attacks exploit unknown gaps in security, and human error, accidental or otherwise, can never be totally prevented. And for this reason, small businesses need to start embracing cyber insurance policies. These policies help cover the damages that might occur even under a top-of-the-line security infrastructure. Considerations for selecting a policy include legal fees, first and third-party coverage, and coverage for reputation rehabilitation.

The field of cyber security is overwhelming -- even for seasoned IT professionals. But not for us. We spend our days researching and experimenting to craft the best security solutions on the market. If you're interested in one of our cutting-edge cyber-security plans, call us today.

Published with permission from TechAdvisory.org. Source.

Topic Security
November 10th, 2016

2016november10_security_aThe old cold-call scam is still a popular way for fraudsters to dupe people out of their money. But now they're taking their tactics to the computer generation, and it can be surprising just who is falling for the new tech-related fraud. Read on to find out how scam artists are targeting the younger generation -- and succeeding.

Results Conclude Youth is more Gullible

Microsoft recently conducted a survey of 1000 computer users of all ages and from many of the largest countries in the world to find out how many of them had been scammed by phony "technicians" claiming to be employees of Microsoft or other major computer conglomerates. The results were startling when studied demographically. Researchers discovered that seniors, who were traditionally viewed as the major victims of such fraudulent schemes, were not the most likely group to fall for the scam.

Research indicated that although seniors were most likely to buy into a telephone scam, they still did not fall for the act as much as younger age groups. The study found, in fact, that between the ages of 18 and 24, people were 2.5 times more likely to fall for the scam than seniors. Those between the ages of 25 and 34 were three times more likely than seniors to be tricked.

The scam that the Microsoft company recently studied involved the following scenario: Either a person calls claiming to be a technical support technician, or an email or pop-up alerts you that your computer is locked or otherwise compromised. In order to fix the problem, you need to call someone and pay for a program or provide access to your computer so some purported technician can solve the problem "remotely."

If you fall for this scam, you are giving them funds for a false program or access to your computer -- which also allows them access to your personal data and the ability to install malware onto your system. The study revealed that two-thirds of those surveyed (around 660 people) had experienced the scam first-hand. One in five had listened long enough to hear the story, and 1 in 10 actually gave the scammer money.

Why the Younger Demographic Became Easy Victims

While older adults often respond more to phone calls, younger people have learned to ignore phone calls, saving them from being phone victims. However, because younger adults spend the majority of their time online and often remain acutely aware of the status of their computer and online presence, they are more prone to react to a pop-up or email claiming that their computer is in danger. Nearly 60% of the adults aged 18-24 in the study say they were exposed to the scam through pop-up ads or online correspondence.

The takeaway here is simple: Cybersecurity is about more than just firewalls and antivirus software. You need to shore up the human side of your protection protocols. The best way to start is by doing some quick research on social engineering in our previous blogs, but ultimately you’ll need something a little more thorough. Contact us today for more tips and to ask about scheduling a cybersecurity training for your employees.

Published with permission from TechAdvisory.org. Source.

Topic Security
October 25th, 2016

2016october25_security_aCyber security is becoming more and more important in an increasingly digital age. While many people and businesses know how important their online security is, they may not know what types of online security are best, nor the differences between the most commonly available options. There are two security authentication measures that are quite similar in name and that are often used. These are known as two-factor authentication and two-step authentication. Read on to get to know some of the key differences so you can be sure you understand your cyber security better.

If you are seeking out a way to improve your business's cyber security, both for your business itself as well as for your customers, you are likely looking at your authentication process. Two-step and two-factor authentication are two of the most commonly used options in cyber security. And in current cyber security, many businesses use the terms two-step and two-factor authentication interchangeably.

There are, however, subtle differences between the two. A two-step authentication process requires a single-factor login (such as a memorized password or biometric reading) as well as another of the same type of login that is essentially sent to the user. For example, you may have a memorized password for your first step and then receive a one-time-use code on your cell phone as the second step.

Two-step authentication does function to add an extra step in the authentication process, making it more secure than a single-step authentication (i.e. just the password). However, if a person or business is hacked, it will do only a little to stop hackers from getting a hold of whatever they are looking for.

On the other hand, there is two-factor authentication (sometimes referred to as multi-factor authentication), which is significantly more secure. This type of authentication requires two different types of information to authenticate. For example, it could be a combination of a fingerprint or retinal scan as well as a password or passcode. Because the types of information are different, it would require a hacker a great deal more effort to obtain both forms of authentication.

In essence, every two-factor authentication is a two-step authentication process, but the opposite is not true. With this information in mind, you can be certain that you are using the right type of authentication in your business to keep your business and customer information as secure as possible.

Your network needs the best security technology has to offer. What type of authentication that results in is just one of hundreds of choices that must be made to achieve that end. To take the stress out of securing and protecting your network, call us today for all the help you could ever ask for.

Published with permission from TechAdvisory.org. Source.

Topic Security
October 7th, 2016

2016october7_security_aSocial engineering is the ability to manipulate people into willfully giving up their confidential information. The data varies, but in terms of cyber security this usually means passwords and bank information. Criminals are using social engineering to gain access to your business and its network by exploiting employees who often don’t have a clue about what is happening. Avoiding it is a matter of training, and we’re here to educate you on the subject.

As more and more of our information moves into the digital realm, criminals are turning to social engineering to trick people into trusting them with their delicate information. People often trust others too easily and make themselves the targets of easy attacks from criminals. These attacks may come in the form of messages, baiting scenarios, fake company responses, and many others.

Most often, messages are sent to users in the form of an email that might contain a link or something to download. Although they may look legitimate, these emails often contain viruses; once the link is opened or you attempt to download it, a virus latches onto your computer, giving its creator free access to your email account and personal information.

Emails such as these can also come with a compelling story about needing help, winning the lottery, or even paying taxes to the government. Under the veil of legitimacy, criminals will ask you to trust them with your account details so they can either reward you or help you avoid fines and punishments. What you actually get is a bad case of identity theft.

In another scenario, criminals will bait their targets with “confidential information regarding their account.” This may come in the form of fake company messages that appear to be responses to your claims, which are followed up by a request for login details. While victims believe they are slamming the door on a crime by providing their information, they’ve actually provided their attackers with the keys.

There are several ways people can avoid becoming victims of social engineering. First, always ensure that you delete all spam from your email, and thoroughly research sources before responding to claims from a company -- even if it seems like the one you normally use.

The same applies for links. Confirm the destination of any link before clicking on it. Sites like bit.ly are often used to shorten long and cumbersome links, but because users have grown accusomted to them they are often used to hide malacious misdirections.

Never give out sensitive information that includes your password, bank information, social security, or any other private details. No respectable financial institution will request this type of information through email or a site other than their own. If you’re unsure, navigate away from the page you’ve been sent to and visit the page you believe to be making the request. If the address doesn’t have the letter ‘s’ after ‘http,’ it’s likely a scam.

Last but not least, check that all your devices are protected by the most recent antivirus software. While the strength of social engineering lies in the fact that it’s people-driven rather than technology-driven, antivirus software can help detect and prevent requests from known cybercriminals.

Cyber security is essential to the success of any modern business. Don’t let yourself become victim to criminals who have mastered the art of social engineering. While we’re proud of our extensive experience as technology professionals, we also have more than enough expertise to keep your business safe from those who are using people-based exploits. Get in touch with us today for all your security concerns.

Published with permission from TechAdvisory.org. Source.

Topic Security
September 21st, 2016

2016september21_security_aAs with all technology, trendy phrases come and go with the passing of every IT conference and newly released virus. And when dealing with cybersecurity, keeping up with them all can mean the survival -- or demise -- of a business. If you’re looking for a list of the industry’s most relevant terms, you’ve come to the right place.

Malware

For a long time, the phrase ‘computer virus’ was misappropriated as a term to define every type of attack that intended to harm or hurt your computers and networks. A virus is actually a specific type of attack, or malware. Whereas a virus is designed to replicate itself, any software created for the purpose of destroying or unfairly accessing networks and data should be referred to as a type of malware.

Ransomware

Don’t let all the other words ending in ‘ware’ confuse you; they are all just subcategories of malware. Currently, one of the most popular of these is ‘ransomware,’ which encrypts valuable data until a ransom is paid for its return.

Intrusion Protection System

There are several ways to safeguard your network from malware, but intrusion protection systems (IPSs) are quickly becoming one of the non-negotiables. IPSs sit inside of your company’s firewall and look for suspicious and malicious activity that can be halted before it can deploy an exploit or take advantage of a known vulnerability.

Social Engineering

Not all types of malware rely solely on fancy computer programming. While the exact statistics are quite difficult to pin down, experts agree that the majority of attacks require some form of what is called ‘social engineering’ to be successful. Social engineering is the act of tricking people, rather than computers, into revealing sensitive or guarded information. Complicated software is totally unnecessary if you can just convince potential victims that you’re a security professional who needs their password to secure their account.

Phishing

Despite often relying on face-to-face interactions, social engineering does occasionally employ more technical methods. Phishing is the act of creating an application or website that impersonates a trustworthy, and often well-known business in an attempt to elicit confidential information. Just because you received an email that says it’s from the IRS doesn’t mean it should be taken at face value -- always verify the source of any service requesting your sensitive data.

Anti-virus

Anti-virus software is often misunderstood as a way to comprehensively secure your computers and workstations. These applications are just one piece of the cybersecurity puzzle and can only scan the drives on which they are installed for signs of well known malware variants.

Zero-day attacks

Malware is most dangerous when it has been released but not yet discovered by cybersecurity experts. When a vulnerability is found within a piece of software, vendors will release an update to amend the gap in security. However, if cyber attackers release a piece of malware that has never been seen before, and if that malware exploits one of these holes before the vulnerability is addressed, it is called a zero-day attack.

Patch

When software developers discover a security vulnerability in their programming, they usually release a small file to update and ‘patch’ this gap. Patches are essential to keeping your network secure from the vultures lurking on the internet. By checking for and installing patches as often as possible, you keep your software protected from the latest advances in malware.

Redundant data

When anti-virus software, patches, and intrusion detection fail to keep your information secure, there’s only one thing that will: quarantined off-site storage. Duplicating your data offline and storing it somewhere other than your business’s workspace ensures that if there is a malware infection, you’re equipped with backups.

We aren’t just creating a glossary of cyber security terms; every day, we’re writing a new chapter to the history of this ever-evolving industry. And no matter what you might think, we are available to impart that knowledge on anyone who comes knocking. Get in touch with us today and find out for yourself.

Published with permission from TechAdvisory.org. Source.

Topic Security
September 2nd, 2016

2016September2_Security_ARemember in 2012 when Dropbox’s data, which contained details of around two-thirds of its customers, were leaked? At the time, Dropbox reported that a collection of users’ email addresses had been stolen, but it wasn’t until recently that the company discovered that passwords had been stolen as well. So what does this mean for Dropbox users?

Despite the unfortunate incident, Dropbox has implemented a thorough threat-monitoring analysis and investigation, and has found no indication that user accounts were improperly accessed. However, this doesn’t mean you’re 100 percent in the clear.

What you need to do

As a precaution, Dropbox has emailed all users believed to have been affected by the security breach, and completed a password-reset for them. This ensures that even if these passwords had been cracked, they couldn’t be used to access Dropbox accounts. However, if you signed up for the platform prior to mid-2012 and haven’t updated your password since, you’ll be prompted to do so the next time you sign in. All you have to do is choose a new password that meets Dropbox's minimum security requirements, a task assisted by their “strength meter.” The company also recommends using its two-step authentication feature when you reset your password.

Apart from that, if you used your Dropbox password on other sites before mid-2012 -- whether for Facebook, YouTube or any other online platform -- you should change your password on those services as well. Since most of us reuse passwords, the first thing any hacker does after acquiring stolen passwords is try them on the most popular account-based sites.

Dropbox’s ongoing security practices

Dropbox’s security team is working to improve its monitoring process for compromises, abuses, and suspicious activities. It has also implemented a broad set of controls, including independent security audits and certifications, threat intelligence, and bug bounties for white hat hackers. Bug bounties is a program whereby Dropbox provides monetary rewards, from $216 up to $10,000, to people who report vulnerabilities before malicious hackers can exploit them. Not only that, but the company has also built open-source tools such as zxcvbn, a password strength estimator, and bcrypt, a password hashing function to ensure that a similar breach doesn’t happen again.

To learn more about keeping your online accounts secure, or about how you can protect your business from today’s increasing cyber threats, give us a call and we’ll be happy to help.

Published with permission from TechAdvisory.org. Source.

Topic Security
August 18th, 2016

2016August18_Security_AEvery time we learn about a cyberattack that has affected so many businesses, we invest in security technologies that will safeguard our systems. This year, however, social engineering attacks have taken center stage in the Rio Olympics. Using various scams, hackers can circumvent network security systems by convincing gullible users into giving away sensitive information. But spectators aren’t the only victims. Without knowing the most common social engineering exploits, your business’s data is also at risk. That’s why we have compiled four of the most frequently used social engineering scams to help protect you and your business.

Phishing Phishing scams are perhaps the most common type of social engineering attack. Usually seen as links embedded in email messages, these scams lead potential victims into seemingly trustworthy web pages, where they are prompted to fill in their name, address, login information, social security number, and credit card number.

Phishing emails often appear to come from reputable sources, which makes the embedded link even more compelling to click on. Sometimes phishing emails masquerade as government agencies urging you to fill up a personal survey, and other times phishing scams pose as false banking sites. In fact earlier this year, fraudulent Olympics-themed emails redirected potential victims to fake ticketing services, where they would eventually input their personal and financial information. This led to several cases of stolen identities.

Tailgating

What’s the best way to infiltrate your business? Through your office’s front door, of course! Scam artists can simply befriend an employee near the entrance of the building and ask them to hold the door, thereby gaining access into a restricted area. From here, they can steal valuable company secrets and wreak havoc on your IT infrastructure. Though larger enterprises with sophisticated surveillance systems are prepared for these attacks, small- to mid-sized companies are less so.

Quid pro quo

Similar to phishing, quid pro quo attacks offer appealing services or goods in exchange for highly sensitive information. For example, an attacker may offer potential targets free tickets to attend the Olympic games in exchange for their login credentials. Chances are if the offer sounds too good to be true, it probably is.

Pretexting

Pretexting is another form of social engineering whereby an attacker fabricates a scenario to convince a potential victim into providing access to sensitive data and systems. These types of attacks involve scammers who request personal information from their targets in order to verify their identity. Attackers will usually impersonate co-workers, police, tax authorities, or IT auditors in order to gain their targets’ trust and trick them into divulging company secrets.

The unfortunate reality is that fraudsters and their social engineering tactics are becoming more sophisticated. And with the Olympics underway, individuals and businesses alike should prepare for the oncoming wave of social engineering attacks that threaten our sensitive information. Nevertheless, the best way to avoid these scams is knowing what they are and being critical of every email, pop-up ad, and embedded link that you encounter in the internet.

To find out how you can further protect your business from social engineering attacks, contact us today.

Published with permission from TechAdvisory.org. Source.

Topic Security
August 1st, 2016

2016August1_Security_AIn computers, as in war, encryption is a way of encoding sensitive information so only authorized parties can make use of it. Unfortunately, computer hackers have developed ways to infiltrate your company's network and systems, take your confidential data hostage, and unlawfully encrypt it. Pay them a ransom and you may or may not get it back.

The way in which these nefarious operators commandeer your information and deny you access usually involves some fairly sophisticated stuff. The ransomware they install on your system is essentially a virus that “locks up” your data, and it can’t be unlocked unless you pay them for the keys.

Some of these data-encrypting viruses are strong, such as the CryptXXX strain. It has been infecting businesses for the past few months, and its latest mutation can’t be quelled by decryption programs found for free on the internet.

Two relatively new types of ransomware aren’t quite as virulent as CryptXXX, but we’d like to bring you up-to-date on them nonetheless. Here’s a look at what they’re called, what they do, and how you can defeat them should your business be impacted.

PowerWare

The first of these recent ransomware varieties is called PowerWare, which also goes by the name PoshCoder. It imitates a more complex ransomware program called Locky, although with less effectiveness.

This spring, PowerWare was discovered attacking healthcare organizations through Windows PowerShell, a scripting application used for systems administration. Fortunately, programmers at hi-tech security firm Palo Alto Researchers were able to quickly create a decryption tool named “powerware_decrypt.py” that unlocks ransomed data with relative ease.

Implementing the fix, however, does call for a bit of technical know-how, so if your IT department is experienced in this area it shouldn’t be a problem. The code that can cure you from PowerWare is published online and is free.

BART

The second new ransomware breed that we should address is called BART. Instead of employing intricate information-encrypting algorithms to take command of your data, BART will stash away your files inside password-protected ZIP folders… and you have to pay for the password.

These infections aren’t hard to identify as the imprisoned files will appear with “.bart.zip” added to their original name (for example, “spreadsheet.xlsx.bart.zip”). Thankfully, not only are they easy to detect, but for antivirus firm AVG, they are easy to decode.

Applying the remedy that AVG has produced requires an unaffected copy of one of the files that’s been locked up. And if you can’t locate one somewhere on your network, a good IT services firm will be able to. The BART decryption tool is also available online at no cost.

The fact is, there are some shady, technologically savvy characters out there who are willing to do us harm. Keeping them at bay takes vigilance. So if your business doesn’t have the resources to stay safe and secure from threats like ransomware - or, in the event that you’ve been hit, you’re not sure how to recover your data without paying the ransom - call us today to talk things over.

Published with permission from TechAdvisory.org. Source.

Topic Security
July 14th, 2016

2016July14_Security_ADon't be put off by the tech jargon of security experts you find in forums and self-help books. A managed service provider is what you need to break down complex security ideas into easy-to-understand language. However, they generally focus on installing and managing protection software that's often far too complicated to operate without their help. And when that’s the case, what can you do to improve the safety of your business and its data? Keep reading for 5 effective, down-to-earth cybersecurity measures that you not only need to know, but need to put into action

1. Two-Factor Authentication

Did an attacker get your password? With two-factor authentication they’ll still need your mobile device to do any damage. Here’s how it works: every time you log into a service that requires a password, the service will send a code to your mobile device for another layer of authentication. Nowadays, most internet services have this option: Google, Facebook, Twitter, Instagram, Skype, Slack, etc. Check a full list here to see if you could be using two-factor authentication on any of your online accounts.

2. Password Manager

Say goodbye to the bygone era of memorizing a long list of different passwords for the various websites and services you use. Password manager software may have been around for a long time, but it’s still a viable solution for improving your login integrity. After installing it, all you need to do is create one secure master password and let the software do the rest. It will store and encrypt all of your passwords in one place for future reference and help generate random, more secure passwords for any new logins.

3. Keep All Software Up to Date

Update all of your software and your operating system as often as possible -- it’s that simple. New versions come with better protection and fix any newly discovered loopholes. If you are too busy or can’t find the time to do it, check for an automatic update option. Any excuse for postponing updates will feel a lot less valid when it means a security breach or system crash.

4. Disable Flash Player

Adobe Flash Player may be what allows you to play Candy Crush during your work breaks, but it has boasted such a poor security record that most experts recommend that users block the plugin entirely. Most internet browsers have the option to block Flash by default, while allowing you to enable blocked content you deem acceptable by simply right-clicking and selecting Run this Plugin.

5. HTTPS Everywhere

When dealing with technology, long acronyms tend to scare off novice users before they even make it to step two. But don’t panic, there’s only one step to this trick. ‘HTTPS Everywhere’ is a browser extension that forces your browser to automatically navigate to sites using a secured encryption, if the site allows it. The thing is, a significant percentage of websites offer HTTPS connections but don’t present them as the default. When that’s the case, ‘HTTPS Everywhere’ gives your browser a gentle nudge in the right direction.

While in-depth security measures need to be implemented and managed by experts, little steps like the ones listed here can be just as important. Check back often for more helpful cybersecurity tips, but if you have more urgent security needs for yourself and your business, our experts are ready and waiting to offer a helping hand -- why not reach out to us today?

Published with permission from TechAdvisory.org. Source.

Topic Security
July 5th, 2016

programming concept: text wordpress with gears over businessman handWordPress is one of the most popular and reliable content management systems on the market, and for this reason it is also one of the most frequently targeted platform for hackers. Websites that are running older versions of WordPress are often vulnerable to security breaches and data leaks. Seeking to correct a number of bugs, WordPress recently updated to version 4.5.3, a release that doesn’t provide much additional functionality but is highly recommended by the WordPress security team. Here’s what you need to know about their latest security update.

What’s new in WordPress 4.5.3?

The latest WordPress version includes fixes for more than two dozen critical vulnerabilities, including:
  • Redirect bypass in the WordPress customizer API
  • Two separate cross-scripting problems via attachment names
  • Information disclosure bug in revision history
  • Denial-of-service vulnerability in the oEmbed protocol
  • Unauthorized category removal from a post
  • Password change by stolen cookies
  • Some less secure sanitize_file_name edge cases
All vulnerabilities were found by members of the WordPress community. In addition to the security issues listed above, WordPress 4.5.3 fixes 17 maintenance issues from its predecessors 4.5, 4.5.1 and 4.5.2 (See full list).

WordPress update process

Many sites have an automatic background update, meaning that website admins will receive an email, confirming the update. If your website doesn’t support this feature, you can trigger manual updates by logging in to your WordPress dashboard and click on the ‘Please update now’ link, which is clearly visible on the top of the page.

Before you perform the update, however, we highly advise you to make a backup of your website. This is so that you can quickly restore your site in the event that something goes wrong. Once you have your backup ready, you can go ahead and update your site with the push of a button. Alternatively you can download WordPress 4.5.3 here and install it via File Transfer Protocol (FTP).

It’s important to update to the newest versions of WordPress to ensure that you have access to all of its functionalities and to keep your data and website visitors safe from potential security threats. Google will also demote websites that are running old versions of WordPress in its search results pages - all the more reason why you should regularly check for WordPress updates. If you have any questions about WordPress security, feel free to get in touch with our experts today.

Published with permission from TechAdvisory.org. Source.

Topic Security