Thank you for reviewing our video blog on Cyber Security Fundamentals.
If you are interested in having us provide you with a FREE 2 Hour assessment to identify and scope out a solution to address your cybersecurity gaps, please click the link below and fill out the form. One of our security specialists will call you back and schedule your free onsite evaluation.
It doesn’t matter what industry you work in or the size of your business: cyber attacks and infections have no prejudice for or against anyone. If you use a computer or handheld device, or have a website, you are a target. Today we’re going to discuss some basic terminology and outline some steps that you can take to help protect your business from being victimized. Now, I promise we’re not going to go too far down the technical rabbit hole. Instead, we’re just going to focus on some low-hanging fruit that you can address to start your business on the path to a more secure working environment. So what will you have to do to reduce your vulnerability? Today we’re going to talk about some of the common cybersecurity mistakes and how to avoid them. We’ll touch a little bit on ransomware and things that you need to know, as well as creating basic security policies. This is one of my favorites. So let’s start with some common cybersecurity no-nos, or common mistakes.
Take a walk around your office. More than likely you’re going to find at least a few desks with Post-it notes full of passwords stuck to the bottom of a computer monitor like a lei or shoved up underneath the keyboard. Yes, it’s convenient, but it also provides easy access to sensitive information for people who shouldn’t have it, such as employees in other departments, cleaning crews at night and, of course, thieves during a break-in. So what should you use instead of Post-it notes? There are a slew of online password managers, many of them cloud-based, that meet both PCI and HIPAA regulations. Hi-Tex is actually a vendor and supports utilizing the 1Password product. This is an excellent product that allows you to set up a master password so that you only have to memorize one unique, complex password, and then allows you to auto-generate passwords for all other logins. We absolutely love it. So let’s talk about the passwords themselves. Using strong passwords is one of the easiest things you can do to help keep your data secure. While choosing a passphrase makes it easy to remember, it also makes it really easy to guess. And there’s nothing easy about regaining control over a computer that’s been compromised and whose data is being held for ransom. So here are a few key tips on what to avoid when choosing a password. Avoid sequences such as QWERTYUIOP, which, if you’re paying attention, is the top row of letters on a standard keyboard layout, or maybe 1QAZ2WSX, which is just the first two vertical rows on the same keyboard.
Don’t use your favorite sport or favorite sports team. Don’t use birthdays, especially your birth year. You should also avoid passwords that are just numbers, phone numbers, the address on your building or anniversary dates. These are all things that are easy to look up online. Also, avoid using first names as passwords, and not just your first name. Avoid using names of friends and family. Again, these are all things that are posted online, particularly in social media, which creates a ready-made dictionary for anyone trying to gain access to your environment to use for password guessing. Also stay away from swear words and phrases, hobbies, names of famous athletes, car brands, and the most current popular movie. All of these are widely used passwords and all of these are built into password dictionaries online.
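The patterns listed above can be screened for automatically when a password is set. The following Python sketch is an added example, not part of the original video or any Hi-Tex or 1Password tool; the small word list, the 75% keyboard-run threshold and the `personal_terms` input are assumptions made for illustration.

```python
import re

ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Vertical columns read top to bottom: "1qaz", "2wsx", "3edc", ...
COLUMNS = ["".join(r[i] for r in ROWS if i < len(r)) for i in range(10)]
WALKS = [w for s in ROWS + COLUMNS for w in (s, s[::-1])]

# Constructed sample; in practice load a real password dictionary.
COMMON_WORDS = {"password", "football", "yankees", "mustang", "golf"}


def walk_coverage(pw):
    """Fraction of pw made of keyboard runs (3+ adjacent keys on a row or column)."""
    pw, i, covered = pw.lower(), 0, 0
    while i < len(pw):
        best = 0
        for n in range(len(pw) - i, 2, -1):  # try the longest run first
            if any(pw[i:i + n] in w for w in WALKS):
                best = n
                break
        covered += best
        i += best or 1
    return covered / len(pw) if pw else 0.0


def screen_password(pw, personal_terms=()):
    """Return the reasons pw matches a pattern the article says to avoid."""
    reasons = []
    if walk_coverage(pw) >= 0.75:  # assumed threshold
        reasons.append("keyboard sequence")
    if pw.isdigit():
        reasons.append("numbers only")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year")
    letters = re.sub(r"[^a-z]", "", pw.lower())
    # personal_terms: names, teams, hobbies an outsider could find online
    for term in sorted(COMMON_WORDS | {t.lower() for t in personal_terms}):
        if len(term) >= 3 and term in letters:
            reasons.append(f"contains '{term}'")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, checked against constructed personal terms.
    for cand in ["qwertyuiop", "1qaz2wsx", "Emma2012!", "5551234567", "vR7#tq9Lw2$m"]:
        print(cand, "->", screen_password(cand, ["Emma", "Rex"]) or "no listed pattern")
```

An empty result only means none of the listed patterns matched; it does not show that the password is unique across accounts.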
We should also avoid reusing passwords. What I mean by that is every single login that you have should be unique. If a hacker gains access to just one of your accounts and you’re utilizing the same password, they’re going to gain access to every other account you have. They’ll be able to browse through your Internet search history as well as view all of your favorites that have been bookmarked, and they’ll be able to utilize the same usernames and passwords that they gained access with initially, as well as slight variations of them, most of which is all done through automation. Let’s move on to operating systems.
Technology is an important part of every small business, but it’s often not a priority. That’s how things like updating the operating system slip through the cracks or just get ignored until they become a serious security threat. For example, do you still have a computer running Windows XP or a server on 2003? If you do, this creates a huge security vulnerability because these systems are no longer supported by Microsoft, which means they’re no longer getting security patches and fixes on a regular basis, or at all for that matter. And it doesn’t just stop at your operating system. Firewalls and antiviruses are two key points of entry that should always be up to date and protected. I don’t just mean you buy a firewall, you buy an antivirus, you install them, and then you forget them. You actually have to pay for subscriptions for most firewall vendors in order to get new software versions and definitions, especially if you’re using a UTM, or unified threat management device, that’s doing any sort of antivirus scanning, spam filtration, or IPS or IDS services of any kind. The same goes for the antivirus that’s installed on your computers. Those have application updates that have to be deployed on a regular basis and, at the very least, monthly if not weekly virus definitions that have to be updated. So, key things to look at: check for updates and replace old, outdated equipment. Did you know that even a small gap between the time that a firewall update is available and when you actually install that update creates a risk? During that period, you’re exposed and vulnerable to the attacks that those particular patches are trying to resolve. And if you’re a customer or a company that has to abide by any sort of federally regulated compliance such as PCI DSS or HIPAA, you’re not meeting your compliance regulations as long as those devices are out of date.
Now let’s shift a little over to the user side of the house. Lax password policies and passwords that don’t expire create another security concern. If you don’t set passwords to expire regularly, there’s a good chance that a number of former employees still have access to your system and all the data. Now, that doesn’t necessarily mean that they’re going to do anything malicious, but why take the risk? Yes, employees might think updating passwords every 90 days or 60 days is a hassle at first, but the improved security from just implementing that one change is well worth it.
So let’s talk a little bit about malware and specifically ransomware. What is malware? Well, the term malware translates quite literally to malicious software. It’s an all-encompassing term that includes viruses, ransomware, worms, spyware, and generally any software that’s used to obtain sensitive information without a user’s consent. Malware disrupts computer systems in a variety of ways, such as restricting access, encrypting files, corrupting data, stealing personal information or just slowing the system down. Ransomware specifically is software that locks the computer and retains control until a user pays a certain amount of money to the organization that created the ransomware that encrypted all of their systems. A few stats: the U.S. government estimates that there are now over 4,000 ransomware attacks being launched every single day. It’s a 300% increase over the attacks seen per day just in 2015. In the 2016 Cybersecurity Intelligence Index, IBM found that 60% of all attacks that were carried out were actually by insiders, and of these attacks, three quarters involved malicious intent while the other one quarter were inadvertent actors. IBM security research also found that healthcare, manufacturing and financial services were the top three industries under attack due to their personal data, intellectual property, physical inventory, and massive financial assets. So let’s talk a little bit about what ransomware has really cost us here in the real world.
It was recorded that in 2016 between $7,000 and $74,000 per hour were lost just in the small and medium business world. 44% of all small businesses report being a victim of a cyber attack. Ransomware victims paid out over $24 million in 2015 alone just to regain that data. What’s not noted here is that out of that 24 million that was paid out, only about three quarters of the organizations actually got all of their data back.
More important is that, because of the way ransomware encrypts files, the attacker never actually sees the files until you go to pay and have them decrypt the files. The files never actually leave your system. The software is simply installed, utilizes either an RSA token or some other encryption key, and locks all the files out. In order to unlock those files, you actually at that point in time have to send the attacking agency a copy of those files so that they can decrypt them for you. Now not only have you paid their ransom, but they have a copy, a readable copy, of all the data that you’ve just paid to decrypt.
Again, we’re talking about criminals and thieves, so do you really think they just handed back all of that data without keeping a copy for themselves?
Even with technical safeguards in place, it’s the employees who ultimately risk exposing a business to ransomware. Simple things such as clicking on an infected online advertisement or a pop-up window, or opening an attachment in an email, are often to blame for inviting ransomware onto a computer, so users truly are the most important line of defense. It’s important that you talk with your employees about ransomware and educate them on what it is and how they can help defend the business from it. Try getting the whole staff together for a training session and bring in lunch. As a best practice, you should require all new employees to complete an initial onboarding training and then offer annual ongoing training for all employees moving forward.
The most effective way to educate your employees on ransomware is to actually show them examples of what it looks like, so that they know the warning signs and are able to identify a suspicious message or attachment before they go about clicking. Once ransomware has infected a computer, a message is typically displayed on the screen letting the user know that the machine has been compromised. It’s helpful to share this type of information with employees so that even if it is too late and they are infected, they’ll know to alert management and ask for help right away.
So what can you do to help prevent those types of infections, ransomware and other malicious activity? Really it comes down to the technical safeguards that are in place, and it all starts at the top, usually with your firewall device or an intrusion detection device such as Alert Logic, or with IPS, a system that you’ll get in a unified threat management (UTM) device.
It’s also important to have a backup solution in place and to frequently test the backups that are running to make sure that they work properly. If you are hit with ransomware, you’re going to want to be able to restore operations as quickly as possible, and having a recent backup to recover from is going to save you both time and money. Now, one of the important things to note is that if you’re simply using a pen drive or an external hard drive that’s attached via USB to a computer, and that computer is locked by the ransomware, odds are it did the same thing to that USB device, which means your backups are no longer valid either. It’s very important to make sure that you have a backup system that is more robust, especially for businesses. At the very least, you need to have a NAS device that has a little bit of intelligence built into it, with its own antivirus scanner and UI, to be able to identify and at least alert on and try to prevent ransomware attacks from occurring on the backup sets, or use a cloud-based backup provider.
Now let’s talk a little bit about creating security policies. Every successful business has developed formal, documented IT security policies to govern operations both in their offices and out in the field. These policies educate employees and guide behavior in addition to protecting the business and adhering to compliance regulations. Equally important, successful businesses conduct regular reviews of these policies and revise them as necessary to adjust to the changes in their environment and business practices as they grow. The first thing you should do is figure out who currently has access to the critical data, infrastructure and applications in your environment. Note all your findings and then assess whether or not each person needs to have access to those items. You can then begin to limit or instate permissions to grant or deny access to sensitive information based on a user’s role or the function that they perform for the business. For example, system administrators should have access to things that contractors should not. You’ll want to make sure there will be no uncertainty about who has access to what data sets.
So let’s talk a little bit about data retention parameters. This comes into play and works hand in hand with your backups. These types of policies are especially important in certain regulated industries that require retention parameters. HIPAA particularly comes to mind, and PCI, but really more HIPAA with what we typically deal with here at Hi-Tex Solutions. Defining a data retention policy is critical because there’s an increased risk of data being stolen or compromised when it’s kept beyond those defined dates.
It also benefits you to actually have a retention and versioning policy in place for your data. Typically it’s going to be built into your actual backup software, as well as within the file system itself. This way, if there is any sort of compromise and you haven’t done, say, a backup in the last 24 hours, you can restore the previous day’s backup and then turn around and go back to the file system and do a versioning restore to bring that document as close to up to date as possible before the system became compromised.
Make sure your encryption and compliance needs are being met. Setting standards for encoding your information is another important part of security. Implement military-grade 256-bit AES encryption technology to secure data in the cloud, and use SSL encryption technology for data that’s in transit. When developing a security policy, be sure to meet your industry’s compliance regulations. Certain industries are more regulated than others, but you should always stay informed about any pertinent regulations and make sure that your security policy addresses all issues necessary to help your business stay compliant. I’ll use HIPAA as an example. It requires all covered entities to encrypt all of their storage technologies for data at rest. As an IT service provider, we can help you to determine what you’re liable for and how to make sure you comply with all requirements.
All right, so key takeaways from today’s video. First and foremost, back it up. Make sure you’re using the right backup technology based on both your company requirements and any compliance and regulatory requirements that you might have. Secondly, make sure you’re taking all safeguards to protect your data by updating all applications and operating systems, as well as keeping your firewall IOS versions up to date, keeping your antivirus applications and definitions up to date, and deploying a solid email security system. If you are ready to take the next step in securing your office, let HI-TEX Solutions provide you with our comprehensive Network Audit by filling out the form here.