Dillon Fornaro

The Dark Web, Deep Web, and Surface Web: Understanding the Difference

Over the past several years, cybersecurity awareness has become much more prevalent in mainstream media, and for a good reason. The uptick in stories about the latest data breaches and rampant identity theft has brought about the use of terminology that was not well-known to the general public but commonly used throughout the infosec (Information Security) community. 

To the uninformed ear, these cybersecurity terms can be confusing and sound intimidating as they are commonly used as a scare tactic to sell you a product or service. While these products and services are valuable assets to leverage, it is essential to understand precisely what these terms mean, so you can make an informed decision on the services you need to protect your organization. In this article, I want to demystify a common cybersecurity term, “the Dark Web,” by discussing what makes the Dark Web different from the Deep Web and Surface Web. I’ll also share what you need to do to protect yourself and your data.

How Search Engines Work

Before we talk about the Dark Web, Deep Web and Surface Web, it is important to understand search engines and how they work. For those born before 2000, navigating the internet was a bit different. Google was just starting out, and Bing hadn’t even been invented yet. While there were other search engines available, they weren’t as well-known or as useful as the ones available today. If you wanted to find something on the internet, you needed a direct link to get there, as you couldn’t just search for a topic and have a list of relevant websites show up in your browser. Sounds cumbersome, right? Well, luckily for us, Google thought the same thing and acted by creating their search engine.

Crawling and Indexing Explained

There are two terms you should be aware of regarding search engines: crawling and indexing. Without getting too in-depth, crawling is the process of scouring the web in order to upload discovered websites to an ever-growing list in a database. This process is usually programmed so that newly created websites are automatically found and added to the database. Indexing, in its basic form, is just organization. The websites in the database are reviewed and organized based on different parameters such as keywords, topics, malicious vs. non-malicious, and many others. Crawling and indexing are the core features that allow search engines to work the way they do.

If you’re a bit confused, think of it like a library. A library crawls the world to purchase books worth adding to their shelves (the database). The books are then organized (indexed) based on genre. You then query the librarian (the search engine) for the type of book you are looking for, and they know exactly where to find it.

The Difference Between the Surface Web, Dark Web, and Deep Web

Now that you understand how search engines work, let’s decipher the terminology behind the Surface Web, Dark Web and Deep Web. We’ll start with the one that everyone is familiar with, the Surface Web, otherwise known as the Open Web.

The Surface Web

The surface web is what most people use daily. It consists of publicly available websites that a search engine has indexed. You are already familiar with how it works. You enter a keyword into Google, and all of the websites related to that topic will show up. You choose a website to visit, and the data on that website will be made available to peruse at your leisure. It’s as simple as that.

The Deep Web

The Deep Web is a little different because search engines do not index websites associated with it. This is important to understand before we can explain the Dark Web. Surprisingly, most websites available on the internet today are actually a part of the Deep Web, so you’re more than likely navigating to these resources daily. Since you can’t find these websites by searching for them, how exactly do you find them? A lot of the Deep Web consists of private databases and internal networks that require specific permissions to access. You are either invited to create an account for the website or utilize proprietary software that connects directly to the resource.

Some examples of this would be checking your bank account online. While you can search for Bank of America and access their public site, you can’t directly search for your bank account, right? Therefore, when you go to Bank of America’s website, you must click on a separate link to log in and enter your credentials to access your account. You have now moved from the Surface Web to the Deep Web as your account is a part of their internal database, which cannot be found by searching on Google. Another example would be accessing email through the Outlook application or web interface. You can navigate to the Outlook website directly or install the desktop client, which is publicly available to anyone who wants to download it. But, to gain access to your account, you must enter your username and password, which transfers you directly to a Deep Web resource as your data is not accessible directly through a Google search.

The Dark Web

Last is the infamous Dark Web. The Dark Web is actually a part of the Deep Web as a whole because it consists entirely of unindexed content. However, there are significant differences between the Dark Web and the Deep Web. The differences have to do with how the Deep Web and Dark Web are accessed, the anonymity of network traffic while browsing, and the types of data/activities they are commonly used for. To access the Dark Web, you need a particular browser that is developed specifically to talk to the servers hosting Dark Web content and link all of those services together through a proxy. The most common browser in today’s world is called TOR (The Onion Router), which was developed by the United States Navy to protect state intelligence. These browsers are designed to encrypt all traffic for privacy reasons, which is why many threat actors look to this type of web navigation to carry out illegal activities.

So, what types of things can you find on the Dark Web? Unfortunately, there are many distasteful themes, but for the purpose of helping you understand how to protect your data, I want to focus on the stolen credentials that are available for sale on the Dark Web. There are specific forums for the sole purpose of making money off of your stolen data. From usernames and passwords to credit cards and social security numbers, it all has a price, and people are willing to pay.

Protecting Your Data from the Dark Web

So, how do we stop your data from being sold on the Dark Web? Unfortunately, unless you work for a government agency with authority to decommission the websites hosting these forums, there isn’t much you can do to stop this data from being sold. Most people who aren’t in the infosec community won’t even be aware that their data is compromised.

That’s why you need to take a preventative approach. Awareness is key. That’s where Dark Web monitoring solutions come in. These solutions are designed to monitor the Dark Web and alert you to compromised credentials and stolen data. Knowing which credentials are compromised enables you to get ahead of the problem and take the appropriate action(s) to mitigate the risk.

Using identity theft protection through a third-party or your bank of choice can also play a huge role in keeping your identity safe. As I said earlier, awareness is key. Understanding what and, more importantly, how the data was compromised is critical for developing processes to prevent it in the future.

Kite Technology Can Help

At Kite Technology, we take a security-first approach in everything we do. As one of few Managed IT Service Providers in the country with the CompTIA Security Trustmark+ certification, KiteTech demonstrates our commitment to following security best practices and adhering to industry-recognized security standards and measures.

Our clients can focus on their business with peace of mind–knowing that we employ industry best practices and tools to keep their business systems and data safe and secure. To learn more about KiteTech’s Managed IT and Security Services, please reach out to schedule a conversation. We’d love the opportunity to talk with you and learn how we can help you protect your organization.

Dillon Fornaro

Security Engineer
Kite Technology Group

How a Password Manager Can Help You Store and Secure Your Passwords More Effectively

The world is filled to the brim with technology. From smartphones to laptops, almost everyone has a presence in this technologically encompassed society we have built for ourselves. Our day-to-day consists of constantly logging in and out of devices, applications, and websites. While cumbersome, it’s necessary to do our jobs and move through the persistently growing tasks that require such a process. However, the sheer number of individual accounts tied to these responsibilities is becoming more and more overwhelming with each passing day. How are we expected to remember our credentials for every account we use? Better yet, how do we retain this information securely? Well, that’s where password managers come into play. 

What is a Password Manager

Password managers have been available for quite some time but are just now becoming ubiquitous in the workplace. Before the adoption of this solution, end users would commonly use a Microsoft Excel datasheet or hand-written notes to store their passwords. And while an Excel document can be password protected and a notebook locked behind a cabinet, this was far from secure. That is why developers created the password manager: a noteworthy response to an inevitable problem that we are all reminded of daily. Our brains can only retain so much information, especially if it’s information that’s accessed infrequently. Password managers are a simple way to securely store your usernames and passwords. Whether it’s a service that you sign into regularly or a random website that you have to Google just to remember the name, all the information is stored under a single pane of glass.

How Password Managers Work

The way password managers work is simple. First, you need to install the password manager software. This may be through a browser extension or a mobile/desktop application. Credentials used to authenticate against the various websites and services you use are tied to a master account associated with the password manager. This master account is the only username and password that you must remember. Once you’re signed into this account, websites that you visit and applications that you use will talk to the password manager, automatically filling in your saved credentials. If the information is not yet saved within the backend of your account, it will notify you to either add a new account or update an existing account with current information. It’s as simple as that. 

Other Password Manager Features

Password managers aren’t only a place to store your credentials. Top of the line offerings from the most popular branded solutions usually offer a robust feature set that includes various other perks. A popular example of this would be LastPass. LastPass is a very common password management solution that offers more than just storing credentials. It includes a dark web monitoring tool that checks your usernames and passwords against the latest data breaches and warns you when your passwords should be changed due to potential compromise. They also offer other features such as secure storage of bank accounts and credit card information which provides a simple way to pay online without having to pull out your wallet. Finally, they include a way to generate a random but secure password for all your accounts. This entices the consumer to stop reusing passwords across different services and aids in preventing compromise by brute force attacks.

Security Considerations 

However, you may think to yourself, what’s the catch? How can my usernames and passwords be stored under one roof and still be secure? Well, it’s completely reasonable to have these doubts. As a cybersecurity professional, I was skeptical myself. In the world of information assurance, we implement policies, processes, and solutions within our environments based on a risk management strategy. Within this strategy, we ask ourselves if the potential loss from a risk outweighs the benefit of using the solution in question. In this case, I objectively believe it does, although there’s a catch. 

Password Manager Security Best Practices

For the benefit to outweigh the risk, this type of tool requires maintenance. It’s the user’s responsibility to routinely check and ensure the data they provide is secured. Begin by logging into all the different websites and services that you use. Update your passwords with a strong and randomly generated phrase created by the manager itself. Ensure no single password is being reused across another site. Check your account information against their compromise monitoring service. If something is flagged, change it as soon as possible. Most importantly, ensure that you lock down the master account with an industry standard passphrase and configure multi-factor authentication. If someone were to compromise the master account, they would have the keys to the castle.
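
The reuse and compromise checks described above can be run over a vault export. The following is an added example, not code from the original article or from any password manager: the vault entries, the breach corpus, its counts, and all function names are constructed for illustration. The lookup mirrors the hash-prefix range format used by Have I Been Pwned's Pwned Passwords service (only the first five characters of the SHA-1 hash are sent, and the response lists matching suffixes as SUFFIX:COUNT), with an offline stand-in in place of the network call.

```python
import hashlib
from collections import defaultdict

# Constructed vault export: (site, username, password). Not real credentials.
VAULT = [
    ("bank.example", "alice", "Summer2021!"),
    ("mail.example", "alice", "Summer2021!"),
    ("shop.example", "alice", "password"),
    ("forum.example", "alice", "kX9#vT2q-Lm48zRw"),
]

# Constructed breach corpus with made-up exposure counts. It stands in for
# the data a compromise-monitoring service would hold.
BREACH_CORPUS = {"password": 1000000, "Summer2021!": 42}


def sha1_upper(password: str) -> str:
    """Return the uppercase hex SHA-1 of a password.

    SHA-1 is used here only because it is the lookup key of the range
    format; it is not a suitable way to store passwords.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def offline_range_lookup(prefix: str) -> str:
    """Offline stand-in for a range query (hypothetical helper).

    Given the first five hash characters, return every corpus entry whose
    hash starts with that prefix as "SUFFIX:COUNT" lines. The service never
    sees the full hash, so it cannot tell which password was checked.
    """
    lines = []
    for password, count in BREACH_CORPUS.items():
        digest = sha1_upper(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def find_reused(vault):
    """Return sorted groups of sites that share one password."""
    sites_by_digest = defaultdict(list)
    for site, _user, password in vault:
        # Group by hash so the plaintext is never used as a key or logged.
        sites_by_digest[sha1_upper(password)].append(site)
    return sorted(
        sorted(sites) for sites in sites_by_digest.values() if len(sites) > 1
    )


def find_breached(vault, range_lookup):
    """Return {site: exposure_count} for passwords found in breach data."""
    exposed = {}
    for site, _user, password in vault:
        digest = sha1_upper(password)
        prefix, suffix = digest[:5], digest[5:]
        # The suffix comparison happens locally, on the client side.
        for line in range_lookup(prefix).splitlines():
            candidate, _, count = line.strip().partition(":")
            if candidate == suffix:
                exposed[site] = int(count)
                break
    return exposed


if __name__ == "__main__":
    for group in find_reused(VAULT):
        print("Same password reused on:", ", ".join(group))
    for site, count in find_breached(VAULT, offline_range_lookup).items():
        print(f"{site}: password seen {count} times in breach data, rotate it")
```

Any entry reported by either function is a candidate for replacement with a password generated by the manager.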

Conclusion

There are a wide variety of answers when it comes to password management and storage. No single solution fits everyone’s needs. However, if you haven’t had the chance to use one yourself, I highly suggest you give a password manager a try and see just how convenient such a simple product can be in your everyday workflow.

To learn about the latest technology trends and best practices, check out the KiteTech Blog. We are constantly updating it with valuable resources to help you improve the way you work. If you’d like to learn more about Kite Technology’s IT Services, please reach out to schedule a conversation. We are here to help!

Dillon Fornaro

Security Engineer
Kite Technology Group

Zero-Day Vulnerabilities – What They Are and How to Protect Yourself

Before discussing how you can protect yourself and your organization from Zero-Day vulnerabilities, it’s helpful to understand the term vulnerability as used in the cybersecurity industry. The National Institute of Standards and Technology, commonly referred to as NIST, defines vulnerability as “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” So, anything that threat actors can exploit in your environment is considered a vulnerability, even employees. 

What is a Zero-Day Vulnerability?

Zero-Day vulnerabilities are vulnerabilities in software that are actively being exploited in the wild but have not yet been disclosed to the software developer, or for which a patch has not yet been provided to fix the issue. These vulnerabilities are usually kept secret by threat actors and sold on the Dark Web for a hefty price. Depending on how much damage this exploit would cause, they can be sold for thousands and even millions of dollars.

If, at first, Zero-Day vulnerabilities are widely undiscovered, how are they initially found? That’s a great question! There are many different ways that Zero-Day vulnerabilities are uncovered, but some of the more common tactics are Threat Research and Vulnerability Disclosure Programs (VDPs). Not all Zero-Day vulnerabilities are found by malicious actors. There are legitimate organizations whose sole purpose is to research threat indicators in the wild and correlate them to potential vulnerabilities in the software being exploited. After confirming or even potentially confirming that a vulnerability exists, they would then reach out to the software vendor in question and disclose this information. This is usually done by following the organization’s Vulnerability Disclosure Program (VDP). These programs are designed to encourage Threat Researchers to come forth as well as anyone else who may have information regarding vulnerabilities in a software product. Most of these programs offer a monetary reward, and just like selling on the Dark Web, the amount paid is substantial. These programs aren’t always available, but more organizations are adopting this tactic to fight back against the cybercrime industry. There has even been legislation adopted to push companies toward creating their own VDP. If you ever notice a software bug that you can replicate, it’s worth reporting it. You may just end up with some money in your pocket!

Protecting Your Business From Zero-Day Vulnerabilities

Unfortunately, due to the nature of the threat, we can only mitigate the risk, not completely eliminate it. But don’t worry; implementing the proper controls, processes, and procedures can significantly reduce the risk of compromise. The first step in protecting your business from Zero-Day vulnerabilities and attacks is simple patch management. Your company’s IT provider should be on top of issuing the latest updates to all of your software. Whether it’s your line of business application(s) or your computers’ operating systems, applying the latest security patches is crucial. The process for managing these updates to your company’s software should be written down in its own policy and, if possible, automated. 

Another way to protect yourself against these threats is even easier than patch management – you need to be aware of what’s going on. Researching the latest threat trends and keeping yourself up to date about active exploits will provide you with the information needed to proactively patch your systems or isolate that specific software inside your network. I recommend subscribing to a security newsletter if you aren’t actively working in the Cybersecurity industry where threat research is a part of your job. On another note, while vulnerability scanning won’t necessarily provide you with insight on Zero-Day vulnerabilities affecting your network, it does give you a clearer picture of the threat landscape of your environment. More visibility offers you greater control, and greater control gives you better protection. 

Last but not least, start deprecating your legacy software. Any applications that are no longer supported by the vendor won’t be receiving further security updates. It is extremely risky to continue utilizing end-of-life (EOL) software inside your environment, so it’s crucial to move away from these solutions as soon as possible. If your business is dependent on a product that’s in EOL and deprecating it in a timely manner is not feasible, be sure to isolate any devices that contain the software from other areas of your network. Doing this will aid in preventing either malware or threat actors from moving laterally across your network in the event of a compromise.

Vulnerabilities can be scary, especially when Zero-Days are thrown into the mix. However, with the proper security controls, processes, and procedures, you can significantly mitigate the risk to your business. If you would like to learn more about how Kite Technology’s Managed IT and Security Services can better secure your organization, please reach out to schedule a conversation. We would welcome the opportunity to discuss your company’s IT and security needs and help you develop a plan to improve your performance and security posture. 

Dillon Fornaro

Security Engineer
Kite Technology Group

Steps to Improve Your Security in Light of Russian Cyber Threats

As news of Russian forces launching an attack on Ukraine hit the headlines on February 24th, it is vital that you keep security top-of-mind as the risk of cyber attacks and state-sponsored advanced persistent threats (APTs) is increasing substantially. We urge everyone to take steps to improve their security posture and stay extra vigilant.

Here at KiteTech, we persistently monitor new and ongoing cyber security risks like this and develop a plan of action to ensure that our clients’ resources and data are fully protected. Below is a list of recommendations for security services that are vital in protecting your business from cyber threats. 

Security Services That Protect Your Business

Multi-Factor Authentication

If we had to make a single recommendation for protecting your online accounts, it would be multi-factor authentication (MFA). That means not only confirming it is turned on for your business, but also ensuring your personal accounts are protected behind MFA as well.

Security Awareness Training

While industry standard security products are critical to protecting your organization, end users will always be your greatest risk. It’s crucial that you require employees to complete their annual security awareness training.

Antivirus/Endpoint Detection and Response (EDR)

Keeping antivirus signatures up to date is essential to protecting against known malware. Automatic updates should always be enabled for these products.

Geo-IP/Geolocation Filtering

Restricting access to accounts based on location has proven to be a very successful way of mitigating threats. While there are ways to circumvent these restrictions, its value in protecting against automated attacks is considerable. We encourage adopting this when available.

Cybersecurity Tips for End-Users

Now is the time to build a stronger line of defense against increasingly sophisticated cyber threats. Below are steps that end-users can take to ramp up their security practices.

  • Make sure MFA is turned on for all eligible accounts and working properly (can’t emphasize this one enough).
  • Keep an eye on your finances. Check for suspicious transactions and set up credit monitoring alerts.
  • If you have any backup emails or phone numbers tied to an account for recovery purposes, make sure they are updated with relevant information and MFA if applicable.
  • Utilize websites such as haveibeenpwned.com to check for compromised passwords. We have a subscription to ID Agent’s DarkwebID which features a live search function to check for password compromise tied to an email address. If you would like access to that, let me know.
  • If you aren’t using a password manager, I highly recommend moving towards the migration. It can be a lot of work, and some may be skeptical having all your passwords in one place, but the security features outweigh the risk. Some examples of password managers are LastPass and Dashlane.
  • Be wary of approving logins on the Microsoft Authenticator app. If you didn’t initiate authentication, deny the approval.
  • Take your time when reviewing emails with urgent or suspicious requests. Reach out to that person directly to validate. To those who may not be as tech savvy as others, don’t hesitate to ask for help. You’re not a burden for doing so whatsoever.
  • Be careful with what apps you allow to have access to what data, and consider only accepting necessary cookies for websites.
  • Make sure shared accounts are limited and all passwords for those are complex.
  • Be careful with pre-filling passwords; many websites don’t properly encrypt those, and they have been common targets for keyloggers.
  • Most importantly, be extra cautious. Even with all the security controls out there, you as the end user will always have the keys to the castle.

It is more important than ever to make it a priority to improve your organization’s cybersecurity practices and train your employees to stay conscious of any suspicious activity. If you notice anything questionable, reach out to KiteTech immediately so we can investigate.

If you are not currently working with Kite Technology and would like to learn more about our Managed IT and Security Services, please reach out and schedule a conversation. We are here to help!

Dillon Fornaro

Security Engineer
Kite Technology Group

Preventing Mobile Cyber Attacks

Did you know that 40% of all mobile devices are vulnerable to cyber-attacks and exploits? 

As smartphones and tablets become increasingly common in the workplace, hackers aren’t necessarily just using your device to infect it with malware, but also to infect devices on the same network as you. 

In this post, we share a few helpful tips to help you stay secure when using your mobile devices.  

Apps

Applications are the lifeblood of a smartphone. However, not all are created equal. Make sure you are only installing apps that are available through your dedicated App Store. Depending on your device, this would either be Google Play for Android or Apple App Store for iPhones.

Wi-Fi

Set your applications to automatically update to ensure they have the latest security. If your wireless carrier is limiting the amount of data you are allowed to use on a monthly basis, consider turning on the feature that will only update your applications if you are connected to Wi-Fi. You can even set a schedule for when you know you’ll be home.

Browsers

The browser on your smartphone works the same way as it would on a desktop PC or a laptop. You should never save a username or password inside of a browser. If you are someone that is juggling a lot of different accounts like a lot of people today, consider using a password manager. 

Pay close attention to URLs. Just like when you’re browsing the web on a laptop or desktop, you always want to make sure that you’re on the correct site before inserting any information. 

Bluetooth

Bluetooth is a pretty simplified connection method. However, there are still ways to secure yourself from attacks associated with it. Turning off automatic Bluetooth pairing is an effortless way to prevent someone from illegitimately accessing your device. Also, if you’re not using Bluetooth, it is best to just turn it off completely. This will help protect from unwanted connections.

Vishing (voice phishing)

Spam calls are becoming extremely common on a day-to-day basis. How do we protect ourselves from people pretending to be someone they aren’t? Make sure you do not reveal any personal information over the phone unless you are absolutely sure who that person is. If you are hesitant, it is best to just hang up and call the direct number of the company or person in question. Also, be wary of urgency as scammers will try tricking you into thinking that this must happen now. I can assure you it doesn’t. 

Smishing (phishing via SMS)

Text messaging is becoming the most popular communication method between individuals. This just means that more people will start using this form of communication for malicious intent. Never click links or respond. The messages sent from unknown recipients always go directly to the source. Also, standard text messages are not encrypted. If nonpublic information is being requested, it is best to use another form of communication to provide these details.

I hope that these quick tips on mobile device security have been helpful. Remember, it is important to stay just as vigilant on your mobile devices as you are on your desktop PC.

If you would like to learn more about our Managed IT and Cybersecurity Services, please feel free to reach out. We would be happy to schedule a complimentary consultation to learn how we can help you operate more securely and meet compliance regulations.

Dillon Fornaro

Security Engineer
Kite Technology Group

Top 3 Security Threats Related to a Remote Workforce

With so many businesses still having a distributed workforce, it is important to prioritize computer and network security.  While there are various security threats associated with employees working remotely, today, I will be focusing on the top 3 threats that you should be aware of and address to ensure that your employees and business are secure.

Home Networks

One of the main security risks of a remote workforce is the possibility of unsecured home networks. Did you know that according to PC Magazine, in a study of 2000 US residents, 23% of people reported that they are using default credentials on their router/modem, and 11% were not even sure of what their credentials are? That is very concerning with the number of cyber threats that are out there. Most home networks are set up by a local ISP and use a modem/router to provide WiFi. These home networks are often set up by a technician whose focus is function, but not necessarily security. Therefore, your network traffic may be open for anyone to snoop on without your knowledge. The best way to protect that data is to encrypt all non-public information you and your company send over the wire. This would require the use of a VPN (virtual private network). With the proper configuration of a VPN, your data will be encrypted in transit and unreadable to those who may be listening. To make sure you have a secure home connection, you will want to make sure that:

  1. You have encryption set up with a VPN to protect corporate data.
  2. Your WiFi has a secure password associated with it.
  3. Default credentials on all network devices are changed.

These three steps go a long way to ensure you have a secure home connection that is better defended from hackers with malicious intent.

Personal Computer Equipment

When the rapid shift to remote work took place last year, many employees started using their home PC to access company data and perform their business functions. While it is crucial to ensure that the devices in an environment that allow data to flow through the network are locked down, the machine that holds all your data, the PC, will be a hacker’s biggest target. According to Forbes.com, in a recent study, “56% of people were unable to bring equipment from their employer to work from home” and “a third admit to personally purchasing equipment to help them work remotely during COVID-19.” That is an extremely high number of personal devices, considering how many people are still working remotely. Furthermore, home PCs are often shared with children or significant others, further increasing your cyber risk. It is vital to your company’s security that remote employees use company-managed PCs or laptops. It takes the management out of the users’ hands and provides a higher level of security while handling the company’s data.

Cell phones and mobile devices are another component that needs security when being used for company email and accessing files. Make sure your infrastructure management includes a plan for keeping these devices protected.

Security Updates

According to bleepingcomputer.com, “based on a sample size of 163 million computers, 55% of all programs installed on personal computers running Windows are outdated.” Whether it is a firmware update for your hardware or a software update for your line-of-business application, this is something that the typical end-user often does not take the time to do. What can you do about it? Turn on automatic updates. This can go a long way in ensuring that updates are installed, and personal devices remain secure. While many of the software companies’ releases may be feature updates, you will also get vital security updates that help prevent exploitation of vulnerabilities in the system. This brings me back to having company-provided hardware.  When your company provides and manages home devices, your IT department can manage, audit and ensure that updates are promptly and correctly installed, which will go a long way in protecting your company’s data. Keep your devices up to date!

These are just a few of the security risks associated with a remote workforce. Unfortunately, there are many more threats to consider as malicious actors continuously search for opportunities to access your company’s data. It is essential to keep security top of mind and continue strengthening your security posture. There are many resources out there that can help you evaluate your current environment and provide recommendations for improving your security standards. We at Kite Technology can be that resource and can help you identify vulnerabilities and provide the tools, like cloud solutions, you need to eliminate them. Contact us today to learn more.

https://www.pcmag.com/news/survey-shows-many-home-networks-are-insecure

https://www.forbes.com/sites/chriswestfall/2020/08/25/statistics-show-remote-workers-are-frustrated-many-still-unprepared-for-working-from-home/?sh=403987c848b3

https://www.bleepingcomputer.com/news/security/outdated-software-exposes-pc-users-to-security-risks-says-report/ 

Adam Atwell

Cloud solutions architect

Adam is passionate about consulting with organizations across the country to help them develop and execute a cloud adoption strategy that meets their business needs and future objectives. Adam oversees and manages our company strategy for Microsoft 365 adoption and is responsible for future growth and development inside Microsoft 365 and other cloud technologies.