Better Security in Three Easy Steps

With the holidays just around the corner, most people are turning their attention to turkey, presents, and long drives to visit friends and family.  As a cybersecurity professional, I always see this as the Season of Spoofing, where bad guys send you convincing emails about packages left on your doorstep, and gift card balances you’ve left behind, all with the goal of stealing your credentials, like some overseas Grinch who doesn’t want you to get any presents.

So, in the spirit of giving, I’d like to kick off this holiday season by giving you three easy steps that you can take towards avoiding the Grinch this year.

Step 1:  Better Passwords

I’m sure we’ve all heard the speech:  Password must be 8+ characters in length, contain a letter, number, special character, and must be changed every 90 days.  But did you know that even those are often easily guessed?  And even worse, they’re often used on multiple accounts, creating a domino effect.  If one is compromised, they’re all compromised.

So, consider using a password manager such as LastPass or RoboForm to generate secure passwords, that are unique to every website.  This will make your passwords significantly more secure.

Step 2:  Security Awareness Training

Now that we have better passwords, let’s make sure we keep them to ourselves!  We can do that by training employees how to spot malicious emails, and what to do when they’re found.  And more importantly, put that training to the test!  A system that sends harmless emails to your employees to trick them into clicking a suspicious link will let you know who “gets it”, and who needs a little extra help.

Step 3:  Multi-Factor Authentication (MFA)

I saved the best for last.  Sometimes referred to as “two factor authentication”, MFA is a fantastic strategy for keeping your data secure.  Every time there’s a login from an unexpected computer or location, you’ll be notified and prompted to either allow or deny the login, from an app on your phone (which is also protected by a passcode, right?).

If you’re using Office 365 for your email, you already have the ability to turn on MFA.  It does take a little work to get up and running, but once configured, we’ve found that folks love the peace of mind that comes with this level of security.

Now, it wouldn’t be Thanksgiving if I didn’t give you something, right?  So, here’s my gift for you, to help you get started with Step 1.  Complete the contact form on the sidebar during the month of November and we will provide you with a Weak Password Report, for free!  This will show you any weak or non-expiring passwords that are used on your network and start you on the path to better security.

Fileless Malware Attacks Increasing

Ransomware has been far from low-profile since its inception several years ago. Everyone knows what the file-encrypting malware does, and they all know that paying the ransom can make the nightmare go away by decrypting the files located on their computer. As if the threat of losing data forever wasn’t enough, you’re staring down a ticking clock while this is going on. Nowadays, ransomware is becoming more difficult to manage through various tactics.

Businesses are forced to invest in IT security to prevent themselves from making the next headline regarding cybersecurity (or lack thereof). Unfortunately, even the best and most comprehensive security solutions can’t help you if the file is already on your computer or network. If the malware has gone wireless, there’s a very real possibility that this can happen. We’ll help you understand the concept of fileless ransomware, and why it’s not a good thing for users and organizations.

The reason why hackers are so intent on making their malware fileless is because security professionals and organizations have really stepped up their game in recent years to fend off these infections. 99.9 percent of all would-be malware attacks were actually turned away outright in 2017, emboldening users and convincing hackers that they need to take new measures to get victims. Thus, the arms race continues with the development of new types of ransomware.

Ransomware has represented a shift in the way that businesses look at the dangers of the Internet. Fileless malware takes this a step further by attacking the default Windows tools (Powershell and Windows Management Instrumentation) to support malicious activity. Since these tools are on every Windows machine, these types of attacks are effective at hitting a lot of users where it hurts.

How it Works

Fileless ransomware is generally dispersed in the same way as traditional malware–through phishing emails and messages. This is why it’s so important for your business to train employees on how to identify suspicious messages. However, rather than using email attachments or downloading malware onto the system directly, fileless ransomware will instead run a macro in the RAM of a machine to create a command line and run the application. In this situation, the program doing the encrypting is actually PowerShell or WMI (talk about a stab in the back). A message is then shown indicating that the files have been encrypted and are being held until payment is received. Once this happens, the user is given a short amount of time to make a decision regarding the fate of their files.

We at Kite Technology know the frustrations and challenges associated with network security, and you can bet that we know a thing or two about how to keep ransomware off a network. To learn more about how we can help your organization keep itself safe, reach out to us at 855-290-KITE.

A Look at this Year’s Worst Cybercrimes

It’s fair to say that today’s organizations are faced with more online threats than ever before. To properly manage the information systems that they depend on for productivity, redundancy, and operational management, they need to ensure that they are doing what they need to do to mitigate problems stemming from the continuous flow of threats.

To give our readers just a taste of what they are up against, we’ve decided to put together a list of the most devastating hacks, infiltrations, and malware attacks that have happened so far in 2018. Additionally, we provide some telling statistics that will put into perspective just how important your network security and cybersecurity initiatives are.

Public

January
  • The Department of Homeland Security was affected by a data breach that exposed information about 247,167 current and former employees.

March

  • Atlanta, Georgia was targeted by a ransomware attack called SamSam. This resulted in a massive problem for their municipal infrastructure. The ransom price given was $51,000, but Atlanta’s leadership refused to meet these demands. Overall, the numbers show that Atlanta has spent more than 10 times that number in the fallout of the attack. Some estimates place the actual cost of this event at nearly $20 million.
  • India’s national ID database, Aadhaar, leaked data of over a billion people. This is one of the largest data breaches in history. A user could pay 500 rupees, equal to about $7, to get the login credentials that allowed anyone to enter a person’s 12-digit code for their personal information. For 300 rupees, or about $4.20, users could also access software that could print an ID card for anyone associated with the database.
  • Cambridge Analytica, a data analytics company that U.S. President Donald Trump used to help his campaign, harvested personal information from over 50 million Facebook users without asking for their permission. Facebook hasn’t called this a data breach, but Cambridge Analytica has since been banned from using the service thanks to this event.

June

  • A hack of a U.S. Government-funded active shooter training center exposed the personal data of thousands of U.S. law enforcement officials. This also exposed which police departments aren’t able to respond to an active shooter situation.

Private

January

  • 280,000 Medicaid records were exposed when a hacker attacked the Oklahoma State University Center for Health Sciences. Among the information exposed were patient names, provider names, and full names for affected individuals.

February

  • An unsecured server owned by Bongo International, a company acquired by FedEx, leaked over a hundred-thousand files of FedEx customers. Some of the information leaked included names, drivers’ licenses, national ID cards, voting cards, and utility bills.

March

  • Orbitz, a travel booking site, fell victim to a security vulnerability that exposed 880,000 customers’ payment card information. There was also about two whole years of customer data stolen from their server.
  • French news site L’Express left a database that wasn’t password-protected up for weeks, despite being warned about the security issues regarding this.
  • 134,512 records regarding patients and financial records at the St. Peter’s Surgery and Endoscopy Center in Albany, NY were accessed by hackers.
  • MyFitnessPal, an application used by Under Armor, exposed about 150 million people’s personal information to threats.
  • The WannaCry ransomware claimed another victim in Boeing, which stated that “a few machines” were protected by Microsoft’s 2017 patch.

May

  • Thanks to Twitter storing user passwords in a plaintext file that may have been exposed by internal company staff, the social media titan had to force hundreds of millions of users to change their password.
  • An unauthenticated API found on T-Mobile’s website exposed the personal information of all their customers simply through the use of their cell phone number. The following information was made available: full name, address, account numbers, and tax IDs.
  • A bug found in Atlassian development software titles Jira and Confluence paved the way for hackers to sneak into IT infrastructure of several companies and one U.S. government agency.
  • Rail Europe, a popular server used by American travelers to acquire rail tickets, experienced a three-month data breach that exposed credit card information to hackers.

June

  • A marketing company named Exactis had 340 million records stolen from it, but what’s most shocking about this is that they had accumulated information about nearly every American out there. In response to the breach, there was a class action lawsuit made against the company.
  • Adidas’s website was hacked, resulting in a loss of a few million users’ personal and credit card information.
  • A hacker collective called Magecart initiated a campaign to skim at least 800 e-commerce sites, including Ticketmaster, for sensitive information.

That list of traumatic security issues all occurred  in the first half of 2018. This doesn’t consider the major hacks that are still affecting people from 2017 and before. Some examples include the Friendfinder hack that exposed 412 million user accounts, and the well-documented Equifax data breach that leaked the financial information of over 147 million people. Here are some of the statistics to help put in perspective the state of Internet threats at present:

  • In 2017 over 130 large-scale breaches were reported, a 27 percent increase over 2016.
  • Nearly 1-in-3 organization have experienced some sort of cyberattack in the past.
  • Cryptojacking (stealing cryptocurrency) increased 8,500 percent in 2017.
  • 100,000 organizations were infected with the WannaCry ransomware (400,000 machines).
  • 4 billion WannaCry attacks were blocked in 2017.
  • The average monetary cost of a malware attack is $2.4 million.
  • The average time cost of a malware is 50 days.
  • Ransomware cost organization’s over $5 billion in 2017.
  • 20 percent of cyber attacks come from China, 11 percent from the United States, and six percent from the Russian Federation.
  • Phone numbers are the most leaked information.
  • 21 percent of files are completely unprotected.
  • 41 percent of companies have over 1,000 sensitive files left unprotected.
  • Ransomware is growing at 350 percent annually.
  • IoT-based attacks are growing at about 500 percent per year.
  • Ransomware attacks are expected to quadruple by 2020.
  • 7 percent of web requests lead to malware.
  • There were 54 percent more types of malware in 2017 than there were in 2016.
  • The cybersecurity market will be worth over $1 trillion by 2025.

If this list is as scary to you as it is to us, you’ll do your best to secure your network, data, and infrastructure from Internet-based threats. For more information about how to facilitate a comprehensive cybersecurity strategy, call us today at 855-290-KITE.

Tech Tips: Securing Your Email Messages

Due to the popularity of email in the business world, it’s an extremely popular method of attack for hackers. They can easily send countless messages to targets all over the world with the click of a mouse. Therefore, you have to take email security very seriously. The repercussions of not doing so could be swift and severe. This week’s tip is dedicated to informing your employees of email best practices for the office environment.

Password Security

Passwords might not be the most convenient way to keep accounts secure, but it’s certainly one of the most popular. It’s a best practice to keep different passwords for each of your different accounts, but your employees won’t see it that way. They’ll see it as an inconvenience at best, and it takes more than just simple passwords that are easy to remember to keep your organization’s data safe.

Too many users simply enter in some personal details about themselves, a significant number, and click done, thinking it’s an appropriate password for them. Hackers and cybercriminals know this, and they try to take advantage of it any way they can. This includes looking up sensitive information about the target that they might find on an employee’s personal Facebook page. These kinds of social engineering tactics can be used to dig up dirt on just about anyone in your organization, providing hackers with just enough information to make targeted attempts at guessing passwords.

So… if your password is based on your dog’s name and the year you were born (and both of these can be found on your page), it’s likely that a hacker can use common tools at their disposal to hack your account. This issue compounds when the password is used for multiple accounts.

This issue can be resolved easily enough through the use of a password manager. These applications can store passwords in a secure, encrypted vault and call them only when they are needed. Depending on the email application used, employees might not even really think about their email passwords because the app doesn’t always ask for it, making it difficult to keep passwords top of mind.

Two-Factor Authentication

2FA is a method used to augment password security by requiring a secondary code to access accounts or information. 2FA works by automatically generating a new passcode that is sent to a secondary email address or phone number each time you try to log into an account. These types of solutions make it so that a hacker needs much more than just your original password. They need access to all of your mobile devices and other accounts, too, making the effort to access your account more trouble than it’s worth.

Stop Clicking on Links and Attachments

If you receive an email and it has a link or attachment, your first instinct might be to click on it. Unfortunately, this habit can lead to a hacking attack, as scammers understand that the need to click on a link or attachment can be somewhat compulsive. An intern and CEO alike could make such an easy mistake, making this an effective method of spreading viruses and malware across systems. These phishing attacks can be tricky to identify, but there are certain giveaways that can make it easier. Links to external sites that are unrelated to the subject matter, poor spelling and grammar, and suspicious email domains are a few examples. Always make sure you trust the sender before downloading an attachment or clicking on a link.

 

Your Emails Won’t Be Secure Without these Safeguards

Are your employees putting your organization’s security at risk due to poor email practices? This is a question that all business owners need to consider–especially if you deal in sensitive information. We recommend that all businesses utilize a two-pronged approach to email security, including both technology measures to secure communications on the technical side and training to secure on the human side.

We’ll discuss some of the various measures you can take to keep your email communications as secure as possible, including encryption, spam protection, and employee awareness.

Email Encryption

Encryption plays a key role in defending your organization’s data from outside eyes. The way that it works is relatively simple to understand. Data sent on an unencrypted connection can be viewed while it’s in transit, making this kind of communications easy enough to intercept. When data is sent along an encrypted connection, the data is scrambled for all those who don’t have the encryption key to unscramble it. This means that even if someone does manage to steal data while it’s in motion, they won’t be able to read it or decipher it without the encryption key found on the recipients’ end.

Depending on your industry, you might even be required to equip your systems with encryption protocols to keep data secure while it’s being sent. Examples include healthcare, government, and other highly sensitive industries that handle confidential information.

Spam Protection

When there are employees using email, there will always be spam messages and phishing attacks that could potentially expose sensitive information or credentials to would-be hackers. It’s a necessity that your organization has an enterprise-level spam protection solution filtering messages that hit your inbox. This essentially minimizes the chance that someone will click on a malicious link or download a suspicious attachment in a spam message. Since spam can be sent to countless users all over the world with the click of a button, it’s an ideal way for hackers to spread their influence without much work.

Phishing attacks, on the other hand, are more difficult to protect against, as they have to be identified as malicious before they can be handled properly. Scammers can personalize messages to the user and get them to act impulsively when exposed to them, creating situations where an otherwise good employee would expose your organization out of fear that they would get into trouble for not acting. This is where the next part of email security comes into play: employee training.

Conditioning Your Employees for Security

As is the case with most network security, you can’t truly achieve it without the help of your employees. Since they are the ones handling your organization’s data in email, they need to be aware of how their actions could expose your business to malicious entities. One way you can do this is by providing them a list of best practices to check for when in doubt of an email’s authenticity. You should have them look for the following:

  • Sender email address: If the email address comes from an obscure email domain that doesn’t have any rhyme or reason to it, it’s likely that it’s a spam message.
  • The sender’s intent: If the sender is urging you to take immediate action, like paying a bill or claiming a reward, think twice before clicking on any links or making any payments.
  • Spelling and grammar: Often times hackers come from countries where English isn’t necessarily their first language, making emails from them filled with spelling and grammar errors. If the message doesn’t look professional, it’s best to avoid it.
  • Unrequested attachments: Hackers like to spread threats like malware and viruses through email attachments. If you receive a message with an unrequested attachment, think twice before downloading it. Double-check who it comes from and whether or not it’s legitimate.
  • Sketchy links: Before clicking on any links in an email, hover the mouse over it to see where the link goes. If it doesn’t go where the link says it goes, don’t click the link.

 Of course, the biggest thing to keep in mind is when in doubt, ask your IT department about the message. This is especially the case if the message seems to be from Windows support or an IT company asking to remote into the device. If your business wants to get started protecting its assets and reinforcing email security, look no further than KiteTech. To learn more, reach out to us at 855-290-KITE.

 

How Your Backup System Provides an Immediate ROI

Data backup has the nasty misconception that it’s only worth having if you actually use it, but this isn’t necessarily the case. Businesses let this misconception get in the way of an important aspect of business continuity, simply because they don’t want to waste money on something that they won’t actually need. Little do they know that data backup is the only thing standing in the way of your organization failing forever.

There are certain parts of backup and disaster recovery that business owners like yourself need to determine before investing in a solution. You can break the average enterprise-level data backup solution into three distinct parts–all of which work together to ensure you reap a positive return on your investment, with or without a data loss incident.

Data Backup

First, you’ll need to choose a backup platform. Small businesses have a lot of options, like network attached storage, hard disk drives, and tape backup drives, but by far the most efficient one is cloud storage. No matter the system you use for your data backup, though, you should always look at your data as an asset. Therefore, it needs to be protected in whatever way you can to ensure its continued safety and longevity.

Kite Technology can offer you a comprehensive data backup and disaster recovery solution that uses network-attached storage to push copies of your data to the cloud, where it’s safe from external threats. This is the kind of data backup that every organization needs–the end-to-end data backup that keeps an infrastructure safe even under the worst scenarios.Some data isn’t necessarily important, though. Small businesses collect a lot of data, and it can be difficult to gauge the importance of some of the minor data that you collect. Data analytics help your business determine what data is most important, and what you can do to keep it safe.

Data Recovery

If you want to yield a positive ROI, data recovery is where this begins. Your organization needs to set acceptable parameters for how much data you want to restore. You’ll need to clearly define both a recovery time objective (RTO) and a recovery point objective (RPO). It’s critical that you should have both of these outlined before investing in a data recovery system.

Your recovery point objective is determined by how much data you need to have restored to keep operations going, while recovery time objective is how much time can your business sustain itself without it’s data. These figures aren’t necessarily static, as they will likely change over time as your business’ needs change. Different systems might carry different data, so naturally they will have varying RTOs and RPOs.

The ROI Equation

Now it’s time to put together your return on investment in the form of a calculated equation. This is great for determining value because numbers are hard to argue with, whereas an opinion might only provide a subjective value that can easily be discarded.

● Determine your business’s hourly realized revenue. This will be the amount of revenue your organization takes in over the year and divided by the total working hours of your staff. ● Identify how much you can stand to lose both with and without a data backup system. ● Multiply the hourly realized revenue with both figures you calculated in the last step. Next, take down the difference. This will represent your total avoided loss in the form of dollars. ● Once you’ve done this, plug the figure into the following formula to measure your backup system’s ROI.

ROI = (Avoided loss – Cost of backup and recovery system x 100%)

The numbers say it all–a data backup solution yields a positive return on investment, with or without your organization suffering from a disaster. If your business wants to get started with data backup, reach out to us at 855-290-KITE.