Author: Brett Bogler

7 most common IT security mistakes made by startups

1. Personal and professional borders.

Convenience often compromises security. A recent trend is having employees bring their own devices rather than providing company laptops and phones. However easy this may sound, it creates a large window of opportunity for company data to fall into the wrong hands. Furthermore, when an employee leaves the organization, it becomes increasingly hard to ensure that no sensitive corporate data has been stored on the device.

2. Ignoring two-step authentication.

Two-step authentication is a surefire way to add an extra layer of security, and it’s easy too. Some methods are as simple as having a code sent to your iPhone, while others allow you to confirm your identity with the tap of a finger. Password breaches are becoming more and more common, so it is wise to beef up password security up front rather than pay the consequences later on.

3. Insufficient exit protocols.

Companies that depend on part-time and freelance employees are often less established in their exit procedures once an employee has left the organization. It is important to have a set of protocols in place so that a uniform method is followed. When sensitive data is left on personal employee devices, data loss, account access and information sharing are most certainly in the future. Don’t let this be you! It may not even be malicious intent on the part of the employee; perhaps they aren’t aware the data has left with them. Either way, data loss has occurred and sensitive data is out there, unprotected and unmanaged. Make policies known, and if you don’t have data policies and security guidelines in place, consider adding them to your organization.

4. Forgoing SSL from the beginning.

SSL (Secure Sockets Layer) is easy to implement from day one. It should be enabled by default on every website. It reassures your users while upgrading the security level of your communications.

5. Failing to prioritize security.

Security is often something that startups think can be left untouched until a later date or until the company has reached success. Security should be implemented from day one, not only to protect your organization but to protect client information. Security is not a gray area; it should be just as important as payroll, HR, financing, etc. Don’t ignore security best practices, and make sure to stay current on the latest security software and updates to protect your organization from attack.

6. No internal policies and infrastructure.

If you think about it, startups are in a great position regarding data security because they have the opportunity to apply the most current and best industry practices from the start. There are no outdated systems and no struggle to get employees on board with new internal policies. One mistake often made by startups is not giving enough attention to internal policies. Invest adequate resources in the infrastructure of your organization. What equipment do you need? How will you manage IT security? Software? Think about proactive responses rather than ignoring the obvious.

7. No suspicious activity notifications.

What will you do if your organization is attacked and all your data is either encrypted or lost entirely? How will this affect you financially? One breach can take you from quick stardom to barely making it by. Don’t let this be you! Stay on top of information security.

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: 10 Data Security Mistakes Startups Can’t Afford to Make

Best practices of the most secure companies

Companies are threatened by malware, human adversaries, corporate hackers and hacktivists, and can be hacked in the most unexpected ways, such as over copper wire. Because of this, we have compiled a list of best practices used by highly secure companies. Tailor these to fit the needs of your organization and keep your data safe!

Know what you have: Most companies have no idea what they really have going on in the security department. To ensure the security of your organization, establish an accurate inventory of your organization’s systems, software, data, and devices. To be secure you have to know what to protect. The most secure companies have strict control over what runs where, because each platform is another opportunity for vulnerability.

Remove, then secure: Unneeded programs present unneeded risks. The most secure companies look over IT inventory and remove what they don’t need. More often than not, companies have large numbers of patches and other unnecessary junk piled up that no one really knows about. If your company isn’t IT savvy, bring in an established IT company to handle this task for you. They know what needs to be fixed, patched, updated, deleted, etc.

Run the latest versions: Updates have purpose. The latest software and hardware will have the latest built-ins and security features. It is the responsibility of the owner of the product licenses to keep updates current. Older versions look like a big fat glass of water on a hot day for hackers. Don’t give them the opportunity!

Patch with speed: Patch all critical vulnerabilities within a week of the vendor’s patch release. If your company takes longer than a week to patch, the risk of compromise is increasingly high. Basically, if you think about it, most of your competitors will patch on time because they are smart or they have a great IT team in their ear. So if they are all secure and your organization is unpatched, how’s that going to look to hackers? Like an invitation, that’s how. Now, that being said, people will still tell me they like to wait to patch in case of glitches that could lead to operational issues. The most secure companies, more often than not, experience little to no disturbance because of patch glitches. The odds are more in favor of being hacked, so patch away!

Education: As with anything that requires a team effort, it is best to educate all users about the threats the company is currently facing or most likely will face. Education that is led by professionals, and involves the entire team, is the most effective. Not everyone will be on the same page when it comes to the inner workings of the IT world, but at least inform employees on the best practices, how to identify suspicious activity, what to do in the event of a security crisis. Yes it is extremely crippling when the vulnerability comes from the mistake of an employee, but the worst thing that can be done in this event is not informing the right people to fix the problem.


If you would like to educate yourself in more detail about the information presented in this blog post please visit: Effective IT security habits of highly secure companies

Cisco Firewall flaw allows hackers to take control of devices

Headlines this week reported that three models of Cisco wireless VPN firewalls and routers from the small business RV series contain a critical unpatched vulnerability that hackers can use to take control of devices. The vulnerability is in the Web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router and RV215W Wireless-N VPN Router. If the devices are configured for remote management, attackers only need to send an unauthenticated HTTP request with custom user data to exploit it.

Unfortunately, this is not the only unpatched vulnerability in the three Cisco models. The company also warns of a cross-site scripting (XSS) flaw as well as two buffer overflows that could lead to denial-of-service conditions. Exploiting the buffer overflows requires attackers to have an authenticated session in the device’s Web-based interface. But the XSS flaw is easily triggered by tricking authenticated users into clicking on malicious URLs. A successful exploit allows attackers to access sensitive browser-based information. Because the XSS flaw can be combined with other vulnerabilities, it is difficult for users to find a mitigation strategy without patches. If users disable external management on their devices in an attempt to protect themselves from this vulnerability, the devices will still be exposed through the cross-site scripting flaw.

Unfortunately, no patches are available for any of the 3 security flaws. Cisco plans to release firmware updates that will address the latest flaws sometime within the third quarter of 2016.

 

 

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: Flaws expose Cisco small-business routers, firewalls to hacking

5 Ways to Spy a Hacker in Your Network

1. Search for the telltale signs of a breach. 

Port Scans? Excessive failed log-ins? When a hacker infiltrates an unfamiliar network they need to learn the topology of the network, looking for vulnerable points of access in servers. From this point they can pinpoint administrative users and data stores.

2. Look for a “normal” user performing administrative tasks. 

By using native tools on computers and servers, hackers can stay under the radar for much longer than if they were to use known attack tools. Anti-virus software should pick up on malware and attack tools, but not normal administrative tools. Determining who the admins within the organization are can significantly lessen the worry. Active Directory aids in establishing user roles and privileges, which you can then use to see the applications and devices used by administrators or managed by administrators. Awareness of what the administrators within the organization are using should make it easier to spot when an attacker is lurking in the background. If a hacker takes control of an administrator machine and begins performing tasks, you’ll be able to identify whether this is normal or suspect activity.

3. Look for a device using multiple accounts and credentials to access network resources. 

Hackers, both internal and external, generally steal user account information or generate fake accounts in order to gain access to the network. To spot indicative markers of attack activity, analyze credential usage. Make sure to monitor network traffic and analyze logs from the authentication and authorization infrastructure in your network. Extract data and look carefully to see how many systems each user interacts with, and monitor abnormalities.

4. Look for an attacker trying to find valuable data in file servers. 

By figuring out what Windows file shares are accessible, attackers hunt for important data such as intellectual property and banking information, or once they find important data they will encrypt it and the rest is history. A valuable signal would be to spot abnormalities in file share access. This is a preventative measure for spotting both hackers and employees considering insider theft.

5. Look for the command and control activity or persistent access mechanisms. 

Keep an eye on outbound communication. Attackers need to be able to communicate between the Internet and endpoints they control within your network. There could be malware and Remote Access Trojans in your network, so be mindful of indications of malicious software phoning home.
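Signs 1 and 3 above (excessive failed log-ins, and one device using multiple accounts) can be checked directly against authentication logs. The following Python is an added example, not part of the original post; the log format, device and account names, and thresholds are constructed assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, device, account, outcome.
SAMPLE_EVENTS = """\
2016-06-20T09:00:05 WS-014 alice SUCCESS
2016-06-20T09:01:10 WS-022 bob SUCCESS
2016-06-20T09:02:00 WS-031 carol FAILURE
2016-06-20T09:02:20 WS-031 carol SUCCESS
2016-06-20T10:15:00 WS-047 dave SUCCESS
2016-06-20T10:16:30 WS-047 svc_backup FAILURE
2016-06-20T10:16:45 WS-047 svc_backup FAILURE
2016-06-20T10:17:05 WS-047 admin_jr FAILURE
2016-06-20T10:17:40 WS-047 erin SUCCESS
2016-06-20T10:18:10 WS-047 admin_jr FAILURE
2016-06-20T10:19:00 WS-047 frank FAILURE
2016-06-20T10:19:30 WS-047 admin_jr SUCCESS
2016-06-20T14:00:00 WS-014 alice SUCCESS
"""


def parse_events(text):
    """Parse whitespace-separated auth events; skip lines that do not fit."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAILURE"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def find_suspicious_devices(events, window=timedelta(minutes=30),
                            max_accounts=3, max_failures=4):
    """Flag devices that, within any sliding time window, use more than
    max_accounts distinct accounts or log more than max_failures failures.
    The thresholds are illustrative assumptions, not recommended values."""
    by_device = defaultdict(list)
    for ts, device, account, outcome in events:
        by_device[device].append((ts, account, outcome))

    findings = {}
    for device, rows in by_device.items():
        rows.sort()
        start = 0
        worst_accounts, worst_failures = set(), 0
        for end in range(len(rows)):
            # Advance the left edge until the window spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            accounts = {account for _, account, _ in in_window}
            failures = sum(1 for _, _, o in in_window if o == "FAILURE")
            if len(accounts) > len(worst_accounts):
                worst_accounts = accounts
            worst_failures = max(worst_failures, failures)

        reasons = []
        if len(worst_accounts) > max_accounts:
            reasons.append("multiple_accounts")
        if worst_failures > max_failures:
            reasons.append("excessive_failures")
        if reasons:
            findings[device] = {"accounts": sorted(worst_accounts),
                                "failures": worst_failures,
                                "reasons": reasons}
    return findings


if __name__ == "__main__":
    report = find_suspicious_devices(parse_events(SAMPLE_EVENTS))
    for device, info in report.items():
        print(device, info)
```

Shared kiosks, jump hosts and terminal servers legitimately carry many accounts, so such devices should be baselined separately before alerting on them.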

 

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: Five signs an attacker is already in your network

How to Ensure Company Data Does Not Leave with Employees

More often than not, when an employee leaves an organization, they take company data with them. Some may not even realize they still have access to the data, and others may never do anything malicious with the data at all. Even so, it is important to plan ahead in the event that an employee does leave with the intention of using company data for malicious purposes. In a national study conducted by Biscom, one in four employees left their job with company data, showing what a great vulnerability this is for business data. In the interest of prevention, Biscom CEO Bill Ho offers best practices to implement.

Establish clear employee policies on handling company data and information

Make sure all employees are made aware of company policy when it comes to handling company data. Research done by Network World showed that a huge chunk of employees, 84%, reported there were no policies within their organization preventing them from taking company information. Ensure comprehensive policies are clear, and outline that all information, documents, and data created by the employee, or any employee for that matter, are considered company property.

Incorporate data ownership and handling policies into employee agreements

Make sure the language in such documents is specific and easy to understand, and immediately laid out to employees from Day 1. Clear ramifications and procedures from the start will lessen any complaints in the future, as well as miscommunication that the policies do not exist.

Add data protection and security discussions to new employee orientation and training

Take time to incorporate data protection and basic security protocols into conversation with employees. Make your team aware of the expectations when handling company data in order to minimize data breaches. Communicate policies on personal devices, social media, and consumer versions of file sharing and collaboration tools. Monitor permission-based access and user controls to the best of your ability.

Understand how to recognize an attack or social engineering ploy

Know when is the necessary time to cancel accounts, block access and deny permissions. This is crucial in protecting company data from internal threats. Critical information that is unprotected and exposed can be detrimental to an organization.

Encourage reporting of suspicious activity

Make it very clear to employees that any suspicious activity should be reported immediately. Tell employees who to notify and what to do in this event. It has been shown that some of the largest breaches of data stem from an internal source. Sometimes these are mistakes made by employees that end up costing the organization a lot of money and data. Teach employees the basics on what is safe and what is suspect.

Train on best practices continuously and often — practice makes perfect

It is advised that quarterly meetings are held to inform employees on data threat prevention. This sets up a safe environment for employees to gain clarity and for supervisors to acknowledge what policies need to be beefed up.

Establish data classification and access permissions – limit access to those who need it, e.g. using the principle of least privilege

Streamline control and access to only the employees that directly require it. Only give permission to information employees need. It is advised that a spreadsheet is kept that lists each employee and their permitted access to tools and apps. This will aid in monitoring who has control as well as what access needs to be blocked once an employee has left the institution.

Create a response plan and practice it

Keep a solid information technology company on hand to help aid in the mitigation of access. Always keep an emergency response plan for if/when data has been breached. This creates a clear process for members of the organization to follow in the event of crisis, avoiding excess chaos. This emergency plan may also be necessary if an employee leaves on poor terms and proceeds to steal or misuse company data they have acquired.

If you would like to educate yourself in more detail about the information presented in this blog post please visit: How to prevent data from leaving with a departing employee

U.S. alone has lost $960 million to CEO Fraud

Over the past three years, victims in the United States alone have lost over $960 million to fraudulent email scams. That is nearly a billion dollars! Actually, closer to 3 billion, as FBI figures that include global data from international law enforcement and financial groups show a loss totaling $3.1 billion. Even worse, if you think about the 22,143 victims, that is a pretty hefty chunk of cash demanded of each victim.

Scammers “pretend” to be a business executive at a firm, company, or trusted supplier, and easily fool members of the organization into thinking that the claims are legitimate. I use the word pretend loosely, as not much is needed for hackers to get into character and slide by any suspicion. By hacking into email accounts within an organization, scammers are able to gain control of email and send off as many fake emails as they wish. The email may contain something mentioning a wire transfer of money. We call this type of cybercrime “CEO Fraud” and “The Supplier Swindle.” This type of crime is not limited to internal email access; some hackers choose to create fake email accounts that may resemble those of the CEO or suppliers. In other cases, scammers pretend to be lawyers handling confidential matters and thereby pressure the victim into giving up the cash. So far such scams have requested wire transfers to over 79 countries, and according to the FBI, most go to banks located in China and Hong Kong.

The FBI also noted that occasionally and without warning, hackers will follow up this CEO Fraud with an attack via ransomware. In these cases victims have received emails that contain links or attachments that when clicked, begin the installation of malware on the host. If opened, data becomes unavailable and the hacker has all the power until the ransom is met, if they even decide to let up once that ransom is met.

The FBI has provided a little insight into avoiding such attacks, letting us know that these scams are planned carefully and not every company is a target. Company employees are advised to be extra careful when posting to social media, or otherwise broadcasting information. As we have all heard before, spam should not be opened and any unfamiliar emails/attachments should not be opened. The FBI also warns that any and all wire transfers should be verified with phone calls between parties. Not a

There are ways to ward off the danger, although the advice doesn’t leave us feeling totally secure. The FBI said the scammers study their targets carefully, so company employees should be careful about what professional details they post to social media. Spam should never be opened, and any wire transfers should be verified with telephone calls between the subjects. It has been shown that at least 31 percent of the time the scammers use an account pretending to be the CEO, so keep that in mind.

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: Companies pay out billions to fake-CEO email scams

VR market takes a stab at the enterprise

According to Forrester Research, there will be 52 million units of virtual reality head-mounted displays by 2020. This is in part due to the businesses and consumers that are becoming VR users. However, Forrester advises a strong marketing and executive plan to incorporate virtual reality into the enterprise. Although Forrester is upbeat, as products such as Samsung Gear VR and Google Cardboard will boost adoption, there is an ecosystem of VR that is emerging. The division is not entirely clear, as headsets will be split between high-end and mid-tier adoptions. Forrester Research did not gauge the market for the cheaper VR headsets such as Google Cardboard. In addition, Microsoft cited that there will be 80 million VR headsets by 2020, but this number is only a variable and could include the lower-end VR headset models.

Forrester Research argues that there could be a VR market right now in 2016, but uses the age old support tactic of “the technology is 95 percent there”, isn’t that what every major tech startup says when no one is biting on their new technology? Despite my calling their bluff, I do think VR is going to blow up in the next few years, however if we are being realistic for the enterprise, I think augmented reality is going to blow VR right out of the enterprise water. Before 2020.

 

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: Enterprises to target VR market, virtual reality headsets to hit 52 million by 2020

DDoS Attacks Increase by 137.5 Percent

The content delivery network Akamai recently released its Q1 2016 State of the Internet – Security Report, where the company found somewhat terrifying increases in DDoS attacks. There has been a 125 percent increase in distributed denial of service (DDoS) attacks year over year, and there has been a 35 percent increase in the average attack duration. But why is this? Comparing this year’s first quarter to that of 2015: in 2015 the average attack lasted around 15 hours; now that has increased to 16 hours. In addition, the type of attack has changed. Massive DDoS attacks of 100 gigabits per second are now increasingly common, with 19 of these attacks in the first quarter of 2016. This is nearly triple the number of massive attacks in 2015. A 137.5 percent increase, to be exact.

In total, Akamai witnessed 4,523 DDoS attacks in 2016’s first quarter. Major Ugh. Furthermore, in the first quarter of 2015 there was an average of 15 attack events per targeted customer; now that average has jumped to 29 attacks per targeted customer. Because attackers repeated attacks on the same customers rather than going after more targets, the number of attacks per target dramatically increased.

In previous years, we saw hackers shying away from protected networks. Now hackers continue to try to infiltrate networks no matter if they are protected or not, hoping that eventually one of the defenses in place will fail. In addition to this, repeat attacks have increased due to the DDoS platforms becoming less expensive and easier to use. No hacking or networking skills are required anymore for DDoS attacks. Furthermore, DDoS for hire sites are now in place that enable anyone with Bitcoin to launch multiple simultaneous attacks from an easy-to-use interface with a menu of attacks.

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: DDoS attacks increase over 125 percent year over year

Windows 10 – Taking Tricks from Malware

Microsoft has been long pushing its users to jump aboard the Windows 10 train. But have they crossed the line?

Tech writer for Computer World, Preston Gralla, explains how Windows 10 took over his wife’s computer, installing the Windows 10 update without her permission. Gralla was understandably skeptical when his wife came into his office frustrated with Microsoft and complaining about the new update. How could the largest software platform, installed on PCs and laptops alike, just blatantly ignore a user’s preferences and install new software without permission?

Microsoft has been aggressive in its attempts to get users to upgrade to Windows 10 before July 29th. Pop-ups began to appear on user computers urging them to update, but the action could be easily blocked with a quick click of the X in the pop-up window. Sounds just like any other pop-up, easy enough to understand. It started when Microsoft began quietly downloading the bits needed for the Windows 10 upgrade without telling users. Then this spring, Microsoft took it one step further. Changing everything we users know to be true about the X button in the upper right corner of any pop-up, Microsoft flipped the script. When the upgrade app appeared on user screens, and a user decided to click the X in the top right corner to avoid the installation, Microsoft did the exact opposite of what the user intended, taking a NO for a YES and installing Windows 10 on the user’s PC. Extremely frustrating to anyone thinking they had just avoided that action.

As Computer World’s Gregg Keizer points out, Microsoft violated its own recommended policy by changing this action in its upgrade app. Microsoft advises developers that clicking the X to close a dialog box should halt any action the box might take. Microsoft writes on its website for design guidelines, “The Close button on the title bar should have the same effect as the Cancel or Close button within the dialog box. Never give it the same effect as OK.” Well, what the bleep, Microsoft. You did exactly what you advise others not to do, giving the action of clicking X the same effect as OK.

Preston Gralla points out the painful resemblance of Microsoft’s shady acts to those of malware. Microsoft’s document “How to prevent and remove viruses and other malware” warns users never to click agree or OK to close a window suspected to be spyware. Instead, Microsoft advises clicking the red X in the corner of the window or pressing Alt+F4 to close the window. Hm. Even more ironic, Microsoft defines spyware this way: “Spyware can install on your computer without your knowledge. These programs can change your computer’s configuration or collect advertising data and personal information.”

Well Microsoft, let’s make a list.

  • The Windows 10 upgrade downloads bits onto a user’s PC without permission or knowledge.
  • Changes a user’s computer configuration to meet the agenda of Microsoft.
  • By default, Windows 10 collects advertising data and personal information.
  • If a user tries to stop the Windows 10 upgrade, by doing exactly what Microsoft advises users to do with any other application, click the X in the right corner of the dialog box if you do not wish to receive the upgrade, the upgrade installs anyway!

If these tricks were tried by any other company, especially with malicious intent, I would be writing a blog post about a new form of malware. It appears Microsoft has taken notice of the aggressive push of malware and tailored a few of these features to benefit the push of the latest Windows 10. Not even Microsoft can advise users and developers to do one thing and then employ the complete opposite when it is to their benefit; eventually one of us is going to realize something fishy is going on. Windows 10 is not malware, and upgrading isn’t going to crash your computer or hold your data hostage. However, being upgraded to a new operating system is a lengthy installation that can have significant consequences for the user. Some applications may no longer work with the new OS, the lengthy installation means time taken away from the work day, and learning a new OS is not particularly thrilling to most of the population. Not to mention the violated feeling most will endure when they find out Microsoft ignored their preferences and installed the upgrade anyway.

Take your own advice Microsoft.

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: How Windows 10 Became Malware

With Algorithms comes Voice, with Voice there is No Offline

The device in your hand, the one that half of you are most likely using to read this blog post, has been so fantastically adapted to the preferences of the user that sometimes we tend to overlook how that device works for us. In the past decade alone mobile devices have taken a great leap in innovation, especially within the global smartphone market. Remember the Motorola Razr? Yeah.

Perhaps it is hard for the population to have a desire to learn how such devices are working for us, rather than just learning how to control the device itself. For instance, Amazon. I can decide that I want to buy a pair of fuzzy cat socks, find the socks, buy the socks with one click, have them delivered same day, and that task has become a fleeting occurrence in my memory. But not to Amazon.

By quantifying our behavior, companies can deliver marketing strikes to potential customers that are so specific it is almost scary. The platforms that package this behavior are even more successful, making serious money selling it to advertisers. This is what the marketplace looks like with the innovation of algorithms. So when I decide to buy those fuzzy cat socks, and proceed to move on to reading an article on the web only to be startled by an advertisement on my webpage for fuzzy bunny socks, my brain does a little double take. How did they know that? Are they watching me? No. It’s algorithms. Algorithms, people.

Taking this idea one step further, think about those devices you don’t just click with, you talk with. You are literally telling your device what you want, what you like, what you need. You think developers haven’t noticed? Getting users to utilize voice control is a surefire way to use algorithms in an even bigger way. The always listening digital assistant devices we employ are doing exactly what we should already assume they do, always listening. These devices may only be activated into service by specific voice prompts but in order for that to work that microphone needs to always be turned on.

Now, I’m not saying any of this is a bad thing; in fact, I think it’s brilliant. My point lies in understanding the technology that is working for you, if only at a minor level, so that technology can continue to work better for you, the user. Voice and audio activity items help technologies such as Google understand what the user is saying when using voice search features, so you better believe those voice snips are saved in order for the device to be able to recognize that voice again. Eventually those snips will be perused for marketing data points in the form of audio content analysis, just like algorithms picked up on my purchase of fuzzy cat socks.

Technology is literally becoming unavoidable, and in my personal opinion that isn’t the worst thing in the world. Who doesn’t want a personal digital assistant to know exactly what you need when you need it? With a link to get it?

 

 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: With Voice, Offline No Longer Exists