Better Security in Three Easy Steps

With the holidays just around the corner, most people are turning their attention to turkey, presents, and long drives to visit friends and family.  As a cybersecurity professional, I always see this as the Season of Spoofing, where bad guys send you convincing emails about packages left on your doorstep, and gift card balances you’ve left behind, all with the goal of stealing your credentials, like some overseas Grinch who doesn’t want you to get any presents.

So, in the spirit of giving, I’d like to kick off this holiday season by giving you three easy steps that you can take towards avoiding the Grinch this year.

Step 1:  Better Passwords

I’m sure we’ve all heard the speech:  passwords must be 8+ characters in length, contain a letter, a number, and a special character, and must be changed every 90 days.  But did you know that even passwords meeting those rules are often easily guessed?  Even worse, they’re often reused on multiple accounts, creating a domino effect:  if one is compromised, they’re all compromised.

So, consider using a password manager such as LastPass or RoboForm to generate strong passwords that are unique to every website.  This will make your passwords significantly more secure, and a breach at one site will no longer hand an attacker the keys to all of your accounts.

Step 2:  Security Awareness Training

Now that we have better passwords, let’s make sure we keep them to ourselves!  We can do that by training employees how to spot malicious emails, and what to do when they’re found.  And more importantly, put that training to the test!  A system that sends harmless emails to your employees to trick them into clicking a suspicious link will let you know who “gets it”, and who needs a little extra help.

Step 3:  Multi-Factor Authentication (MFA)

I saved the best for last.  Sometimes referred to as “two-factor authentication”, MFA is a fantastic strategy for keeping your data secure.  Every time there’s a login from an unexpected computer or location, you’ll be notified and prompted to either allow or deny the login from an app on your phone (which is also protected by a passcode, right?).

If you’re using Office 365 for your email, you already have the ability to turn on MFA.  It does take a little work to get up and running, but once configured, we’ve found that folks love the peace of mind that comes with this level of security.

Now, it wouldn’t be Thanksgiving if I didn’t give you something, right?  So, here’s my gift for you, to help you get started with Step 1.  Complete the contact form on the sidebar during the month of November and we will provide you with a Weak Password Report, for free!  This will show you any weak or non-expiring passwords that are used on your network and start you on the path to better security.

The Personal Assistant I Didn’t Know I Needed

I’m fortunate enough to have not one, but two personal assistants.  Alexa, my first assistant, is fantastic.  She’s my personal DJ.  She tells me the weather.  She even adjusts the thermostat in my house.  Google, my second assistant, is also fantastic.  He’s my navigator.  He knows all the traffic spots to avoid.  He even gets people on the phone for me.  But recently, I was introduced to a third personal assistant that I didn’t even know I needed:  Cortana.

Cortana is Microsoft’s artificial intelligence (AI) assistant built into Windows 10.  A latecomer to an already crowded space, Cortana often gets overlooked because of her lack of integration into other ecosystems, such as Amazon and mobile devices.  But Cortana has two very strong points in her favor:

  1. She is deeply integrated into the Microsoft ecosystem
  2. She has a monitor to show me things

As a working professional, I rely heavily on Microsoft’s services.  My corporate data is stored in Office 365.  I use Outlook to check my email.  My computers are Windows 10.  And because Cortana is built in, she can help me manage it all. 

“Hey Cortana, what’s on my calendar?” 

Because Cortana *is* Windows 10, she uses the built-in Calendar app to retrieve this information, which takes a little setup at first.  She can read this information out to me, but she can also display it on the screen. 

“Hey Cortana, launch Outlook” 

Yes, I could’ve reached for the mouse and done this myself, but this way is much cooler AND I didn’t have to put my coffee down! 

“Hey Cortana, what time is my flight?” 

When I booked my flight, the airline sent me a confirmation via email.  Cortana is able to locate and provide me this flight information, even though I didn’t put it on my calendar. 

“Hey Cortana, how long will it take to get to BWI airport?” 

Sure, I could’ve asked Google.  But my phone is in the other room.  Cortana can provide that information immediately, and I can get back to work. 

Some of the best things she does, she does without my needing to ask.  Yesterday, I emailed a client promising to send them a report in the morning.  This morning, Cortana popped up to make sure I remembered to send that report.  If I have an appointment out of the office, she lets me know when it’s time to leave.

Alexa’s and Google’s jobs are safe.  What they do to enrich my life cannot be replaced.  But when it comes to staying focused and getting work done, Cortana is my right hand! 


Malware Moves to Office 365

Another day, another scam!  This one is aimed directly at your Office 365 mailbox!

Our partner, KnowBe4, has released a video showing a proof-of-concept social engineering attack that would allow a hacker to remotely encrypt your entire Office 365 mailbox in a matter of minutes.  The attack works like this:

You receive an email claiming to be an enhancement to your spam filtering.  Clicking the link prompts you to sign in to Office 365 and grant the new spam filter access to your mailbox.  Shortly after that, you’ll see your emails encrypt right before your eyes.


If you want to see the hack in action, you can check it out here: https://youtu.be/VX59Gf-Twwo

This attack takes advantage of Microsoft’s lack of a verification process for apps that request access to Office 365 mailboxes:  the attacker never needs your password, because you grant the malicious app access yourself when you click “Accept”.  That makes it very simple to replicate and deploy, and you’ll certainly be seeing this one in the future!
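Because the attack above works by getting a user to consent to an app that asks for mailbox access, a useful defensive check is to list which apps have already been granted such access in your tenant. The script below is an added example, not code from the original post or from KnowBe4; it assumes the AzureAD PowerShell module is installed and you connect with an administrator account, and the list of mailbox scopes to flag is an assumption you can extend.

```powershell
# Added example: list every app that has been granted mailbox-related
# permissions in an Office 365 / Azure AD tenant, and who consented to it.
# Assumes: AzureAD module installed, admin credentials at the Connect-AzureAD prompt.
Connect-AzureAD | Out-Null

# Assumed watch list of delegated scopes that let an app read, change or send mail.
$mailScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.ReadWrite.All',
                'Mail.Send', 'full_access_as_user')

# Every OAuth2 consent grant in the tenant (user consents and admin consents).
$grants = Get-AzureADOAuth2PermissionGrant -All $true

$findings = foreach ($g in $grants) {
    # Scope is a space-separated string such as "User.Read Mail.ReadWrite"
    $granted = $g.Scope -split ' ' | Where-Object { $_ }
    $hits    = $granted | Where-Object { $mailScopes -contains $_ }
    if (-not $hits) { continue }

    # ClientId is the object id of the service principal (the consenting app).
    $app = Get-AzureADServicePrincipal -ObjectId $g.ClientId

    # AllPrincipals = an admin consented for everyone; otherwise one user did.
    $consentedBy = if ($g.ConsentType -eq 'AllPrincipals') {
        'ALL USERS (admin consent)'
    } else {
        (Get-AzureADUser -ObjectId $g.PrincipalId).UserPrincipalName
    }

    [pscustomobject]@{
        App         = $app.DisplayName
        AppId       = $app.AppId
        Publisher   = $app.PublisherName   # blank or unfamiliar = look closer
        ConsentedBy = $consentedBy
        MailScopes  = ($hits -join ', ')
        GrantId     = $g.ObjectId          # needed to revoke the grant
    }
}

$findings | Sort-Object App | Format-Table -AutoSize

# To revoke a grant you do not recognize (uncomment and supply the GrantId):
# Remove-AzureADOAuth2PermissionGrant -ObjectId '<GrantId from the table>'
```

Any entry with an unknown publisher, or a single-user consent to an app you never approved, is worth investigating and revoking; removing the grant cuts off the app’s token access to that mailbox.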

Social Engineering is the process of attempting to trick a person into allowing an attacker to gain access to confidential information, often by compromising security credentials.  Ready for some fun facts?

  • In 2016, 65% of enterprises were the victim of a Social Engineering attack.
  • 66% of the malware came from malicious email attachments.

So, the big question:  What can you do to protect yourself?  Well, there are three key things that will go a long way towards improving your defenses!


1:  Tune Your Spam Filter

It’s not enough to just deploy a spam filter and call it a day.  You need to make sure you’re taking advantage of all of the features it has to offer, such as language filtering, anti-spoofing, and country-based filtering.  In 2017, we blocked almost 25 MILLION spam messages for our clients!


2: Know Your Enemy

Education on how to identify threats, known as Security Awareness Training, is a crucial part of any Cybersecurity Program.  We recommend that all staff with computer logins regularly receive training that helps them identify and deal with suspicious emails and phone calls.  This training should be followed up with regular testing, to ensure you’re providing the right training to the right people.

We chose to partner with KnowBe4 because they do both!  Their package provides an easy and effective way to keep track of both your training and testing initiatives.  For a small monthly cost, you gain visibility into your network’s weakest link.


3: Have A Backup Plan

Office 365 has some built in recovery options, but most are tuned towards protection from human error, not malicious attacks.  If you’re relying solely on Microsoft’s built-in recovery options, you’re leaving yourself open.  Bolstering Microsoft’s options with a cloud-based backup strategy is critical to quickly recovering from an incident.

A cloud backup solution can provide cloud-based backups of email, OneDrive, and SharePoint deployments.  With one click, we can recover an entire mailbox that’s been compromised!

There are plenty of other methods to enhance your security, such as multi-factor authentication and mobile device management, but if you implement the three strategies outlined above, you’ll be well on your way to a safer experience!

NY DFS Changes Again

The saga continues!  IIABNY recently learned that NY is requiring that all license holders file their exemption status on the Department’s website.  This means that each individual that has a producer license must go to the NY DFS portal, and submit their exemption status by September 27th.  You can read more about IIABNY’s efforts HERE.

Thankfully, the process is quick and painless, once you know where to go.  To help your folks stay compliant, we’ve put together the following instructions:

  1. Browse to the NY DFS website: https://myportal.dfs.ny.gov/web/cybersecurity/
  2. Click “Create Account”, and put in your name and email address. Then, click “Save.”  DFS will email you a temporary password.
  3. The link in the email that you receive will not work, so please note the password and refer back to these instructions for the proper website link. Once you enter your credentials, you’ll be prompted to enter a permanent password.
  4. Once logged in, you’ll click the “Submit Cybersecurity Notice of Exemption” button on the left.
  5. Type your Entity ID in the field. Your Entity ID is the same as your license number.  The rest will prefill for you.  Click “Next”.
  6. For your Exemption Reason, you’ll want to choose 500.19(b). 19(b) is an exemption for employees and agents that work under the Cybersecurity Program of another Covered Entity.  Click “Next”.
  7. Enter your personal contact details and check the box to swear/affirm. Click “Submit”.

Once submitted, you should receive a confirmation via email.  Please forward a copy to your licensing manager, and keep a copy for your own records.