We’ve all heard the latest security mantra these days: it’s not a matter of if you will face a Cybersecurity event – it’s only a matter of when.  We at TCS have seen a marked increase in the number of successful attacks recently.  Unfortunately, some of them didn’t need to happen.  Very simple things could have been done to mitigate the effectiveness of the attack, and those things were ignored despite our warnings.  Here is a list of things you can do to help secure your business from malicious attacks:

#1:  End User Security Awareness Training

The number one rule in all Cybersecurity is that your users are your #1 security vulnerability.  After all, good businesses usually train their employees to be super helpful and accommodating.  Malicious actors use that good-natured helpfulness to help themselves right into your network. 

Since the #1 security threat is your end user, the #1 thing you can do is train your users to identify both low-tech and high-tech phishing attacks.

Low-tech phishing attacks:  Using the phone, letters in the mail, or other forms of low technology to attempt to gain information that the attacker can later exploit.

High-tech phishing attacks:  Using email, banner ads, social media posts, etc. to dupe unsuspecting users into giving them access to information or systems that they can exploit.

#2:  Multi-factor Authentication (MFA or the older 2FA)

These days multifactor authentication can be built into just about any login.  There are different types of MFA, though.  Some applications of MFA and 2FA in the past have been very cumbersome to say the least.  However, just as with anything, progress has been made over time to streamline some of those historic barriers to MFA.  For instance, now with most MFA applications, you have the option to save trusted devices.  By using trusted devices, end users don’t have to use multifactor authentication every time they log in from their trusted device.  The only time MFA is required is if someone tries to log in from a new, untrusted device.  This type of scenario would be handy for someone who primarily uses a single device that is secured behind a next-generation firewall in an office with limited access.

Why is this so important, though?  Because phishing attacks have become so convincing that they sometimes get even the most well-educated user.  In this case, even if a malicious actor was able to obtain login credentials, those credentials would only be effective from the single trusted computer.  This provides your next-generation firewall and endpoint security software the opportunity to detect the malicious actions before they can do any harm.  If those actions are taken from a non-trusted computer, the malicious actors will not have the information needed to complete the login process, even though they have the correct username and password.
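The trusted-device flow described above, written out as a small server-side decision routine. This is an added illustration, not TCS’s code or any vendor’s MFA implementation: after a user passes MFA on a device, the server hands that device a signed token, and a later login with a correct password is allowed without a prompt only if the token is intact, belongs to that user and device, and has not expired. The names (`issue_trusted_device_token`, `device_is_trusted`, `login_decision`), the 30-day lifetime and the idea of a per-device identifier stored alongside the token are assumptions made for the example.

```python
"""Trusted-device MFA decision: added illustration, not TCS's own or any
vendor's MFA code. Function names, the 30-day lifetime and the device_id
binding are assumptions made for this example."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # server-side secret; rotating it revokes every trusted device
TRUST_DAYS = 30                        # assumed lifetime of a trusted-device token


def issue_trusted_device_token(user, device_id, now=None, key=SERVER_KEY):
    """Called only after the user completes the second factor on this device.
    The token binds user, device and expiry under an HMAC so it cannot be
    edited or reused for another account. (user/device_id must not contain '|'.)"""
    current = int(now if now is not None else time.time())
    expires = current + TRUST_DAYS * 86400
    payload = f"{user}|{device_id}|{expires}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}|{tag}"


def device_is_trusted(token, user, device_id, now=None, key=SERVER_KEY):
    """True only if the token is intact, belongs to this user and device, and is unexpired."""
    try:
        t_user, t_device, t_exp, tag = token.split("|")
    except (AttributeError, ValueError):
        return False                      # missing or malformed token: treat as untrusted
    payload = f"{t_user}|{t_device}|{t_exp}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return False
    current = now if now is not None else time.time()
    return t_user == user and t_device == device_id and current < int(t_exp)


def login_decision(password_ok, token, user, device_id, now=None, key=SERVER_KEY):
    """Outcome of a login attempt: 'denied', 'mfa_required' or 'allowed'.
    A stolen password alone never yields 'allowed': without a valid token for
    this device the second factor is still demanded."""
    if not password_ok:
        return "denied"
    if device_is_trusted(token, user, device_id, now=now, key=key):
        return "allowed"
    return "mfa_required"


if __name__ == "__main__":
    t = issue_trusted_device_token("alice", "laptop-1")
    print(login_decision(True, t, "alice", "laptop-1"))   # trusted device
    print(login_decision(True, t, "alice", "phone-9"))    # same password, new device
```

The point to notice is the third case in the test: a correct password presented from a device that has no valid token still ends in `mfa_required`, which is exactly the protection the paragraph describes for credentials harvested by phishing.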

#3:  Anti-phishing Protection for Your Email Server

While phishing attacks occur through both low- and high-tech media, the easiest and most common is through email.  Having a scanner sitting on your email server that filters out phishing attempts before they get to your end-user’s Inbox is another layer of protection you can employ that doesn’t cost a lot of money.  Most anti-phishing scanners can also add a banner warning users that a message came from outside the organization, which raises the end-user’s suspicion before they click any links or open any attachments.

#4:  Proper Microsoft 365 Domain and DNS Setup

Most people don’t realize that Microsoft provides several ways to help protect against another common form of attack – impersonation.  Many malicious actors have found that if they can make their email look like it’s coming from someone within your organization – by copying that person’s email signature, mimicking the sender’s name, and sometimes even relaying the email through your own email transfer server – they can trick users into doing things they otherwise wouldn’t.  Properly setting up those Microsoft protections for your domain and DNS can help you guard against those impersonation-based phishing attempts.

#5:  Password Policies

Yes, it’s 2021 and we shouldn’t even have to cover password policies.  However, Nordpass.com (https://nordpass.com/most-common-passwords-list/) reports that the Top 10 passwords uncovered for 2020 were 123456, 123456789, picture1, password, 12345678, 111111, 123123, 12345, etc.  Yes, it’s enough to make the security expert lose all respect for society at large!  But apparently the message hasn’t gotten across yet.  So we’ll keep on saying the same thing we’ve been saying for over 20 years:  stop using simple passwords!

  1. Passwords need to be at least 8 characters long.
  2. Passwords need to include uppercase, lowercase, numbers, and special characters.
  3. Passwords need to be unique across all logins.
  4. Password history needs to be enforced to keep users from recycling old passwords.
  5. Passwords need to be changed at least twice a year and ideally once a quarter.
  6. A little fairy dust and unicorn blood couldn’t hurt, either. No, just kidding – but not kidding about 1-5.
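Rules 1, 2, 4 and 5 above can be enforced mechanically, and the following added example (not TCS’s tooling) shows one way: a complexity check, a password history kept as salted PBKDF2 hashes rather than plaintext, and an age check against the “at least twice a year” rule. Rule 3 (uniqueness across every login you have) cannot be verified by any single system, which is why the next paragraph points to a password manager. The history depth of 10 and the function names are assumptions made for the example.

```python
"""Password-policy checker: added illustration, not TCS's own tooling.
HISTORY_DEPTH and the function names are assumptions for this example."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8              # rule 1
HISTORY_DEPTH = 10          # rule 4: how many old passwords to remember (assumed value)
MAX_AGE_DAYS = 182          # rule 5: "at least twice a year"
SPECIALS = set(string.punctuation)


def complexity_problems(password):
    """Rules 1 and 2: return the list of violations (empty means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history holds only these hashes, never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class PasswordHistory:
    """Per-user record of recent password hashes and the date of the last change."""

    def __init__(self):
        self.entries = []       # list of (salt, digest), newest last
        self.last_changed = None

    def previously_used(self, password):
        """Rule 4: re-hash the candidate with each stored salt and compare in constant time."""
        for salt, digest in self.entries:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def set_password(self, password, today):
        """Apply rules 1, 2 and 4; raise ValueError on a violation. today is 'YYYY-MM-DD'."""
        problems = complexity_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        if self.previously_used(password):
            raise ValueError("password was used recently (history rule)")
        self.entries.append(hash_password(password))
        self.entries = self.entries[-HISTORY_DEPTH:]    # forget the oldest beyond the depth
        self.last_changed = date.fromisoformat(today)

    def is_expired(self, today):
        """Rule 5: True if the password is older than MAX_AGE_DAYS (or was never set)."""
        if self.last_changed is None:
            return True
        return date.fromisoformat(today) - self.last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    h = PasswordHistory()
    h.set_password("Correct-Horse-7", today="2021-01-01")
    print(complexity_problems("password"))      # the most common password on the Nordpass list
    print(h.is_expired(today="2021-08-01"))     # more than 182 days later
```

Storing the history as salted hashes matters: a plaintext history of old passwords would itself be a prize for an attacker, and rehashing the candidate with each stored salt is how the “no recycling” rule is checked without keeping anything reversible.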

“But I can’t remember all those passwords!”, you might be thinking.  Neither can I.  That’s why we have password managers, like LastPass or Roboform.  Even if you forget your password, there are easy ways to get it reset securely in a matter of minutes using your email recovery options.  You don’t have to actually remember the passwords anymore.

Bonus Tip:  We always try to overdeliver on our promises at TCS.  In that vein, here is a bonus tip – employ geo-filtering on your Microsoft 365 accounts!

When I discuss security with business owners, I generally like to ask this simple question:  Do you want your company to be able to communicate with Russia, North Korea, and other countries known for their malicious internet activity?  I already know the answer to the question for 99% of small and medium sized businesses, but I like to ask it for effect.  With our next generation firewalls and advanced configurations within Microsoft 365, we have the ability to block intercommunication with countries known for their malicious actors.  This is often a simple way to render potential attacks ineffective, as many of those attacks are dependent upon some server operating in a remote country.  By limiting your communications only to those countries with which you need to interact, you harden yourself against attacks coming from those countries known for their malicious activity.

Action Item:  Please take a moment to place a reminder on your calendar to address at least one of these tips above within the next week!  Make this article count!

Back to the future

Eight years ago around this time, I was busy in my secret lab cooking up my latest and greatest geeky tech project. A little scripting here, some hardware and networking there…not unlike the countless other times I’ve done this since my Dad bought my first computer (Commodore 64) when I was twelve. Except this time I was doing a proof of concept for a magazine article while working as the Senior Consultant for a Managed Service Provider. I guess that investment in my first computer paid off. Thanks, Dad!

Hakin9 Extra – Guide to Kali Linux: Kali Scanning for HIPAA

I was asked by Hakin9 Magazine to write an article for their (then) upcoming “Guide to Kali Linux”. But before we get to that, some background first – Linux is a popular free and open source operating system developed by Linus Torvalds. He created the new platform because he did not want to pay the expensive licensing fees for Unix, which was the operating system used in his university computer science courses. Today, Linux is the operating system that runs most of the Internet services we use every day. While many in the community debate whether “free” means “as in beer” or “as in speech”, Linux can be downloaded at no cost which makes it perfect for tech-savvy IT professionals who are seeking to build low-cost systems for niche applications. Windows and Microsoft Office are the business standard so Linux is not a recommended alternative for general business computing.

Kali Linux is what is called a Linux distribution or “distro” for short. Basically, it is a version of Linux with preinstalled applications and tools. Distros run the gamut from general purpose computing to niche applications. Kali, for example, is a security distribution and comes with computer forensic, penetration testing, and vulnerability scanning tools. It is the latter that was the focus of writing the magazine article. Specifically, how a low-cost, distributed system running Kali Linux on top of Raspberry Pi hardware (low cost non-Intel PC) could be used in the Healthcare industry to support HIPAA compliance. I chose OpenVAS as the application for vulnerability scanning.

The results from the proof of concept demonstrated the RPi+(Kali) Linux+OpenVAS combination was viable as an ad-hoc tool and could be further developed into an integrated, distributed reporting system. The gory technical details from the article can be found here: Hakin9 Extra – Guide to Kali Linux: Kali Scanning for HIPAA.

Back to the present

So what’s changed in the last eight years? In some ways, not much. In other ways, everything. Tools like Kali Linux are still useful and part of the solution. What has changed is the ever-evolving threat landscape and the cost of doing business due to the added layers of security needed to maintain business as usual. We have written other articles on defense-in-depth so I won’t get in the weeds on that topic here, but it is no longer the medical and financial industries (or other regulated business), but all businesses large and small that must invest in security to reduce risk and protect their business operations and data. The phrase often attributed to Vince Lombardi comes to mind, “Hope is not a strategy.”

Call to action

Great, we’ve identified a business problem…so now what?! Here’s the high level recipe for building an effective security strategy:

  1. Discuss the need for addressing security with the top levels of the organization. This cannot be a bottom-up initiative. Too much is at stake.
  2. Work with a trusted technology/security partner to explore options.
  3. Invest in educating yourself and your team about the risks and how implementing security tools and best practices help mitigate these risks.
  4. Measure the effectiveness of your security program to understand residual risk.
  5. Rinse and repeat.

With an intentional focus on security and developing a plan to monitor and assess its effectiveness over time, your business can reduce risk of data loss and downtime. Much like how Linux is not for the faint of heart, Information Security can be tough to understand, so IT professionals are happy to work with you to formulate a winning game plan. Be like Lombardi and don’t just hope the problem will go away on its own!

I’m sure you have all received an email with an urgent matter that needs to be settled today or you could lose money FAST!!! Yes, those emails should raise some serious red flags in your mind, because the sender is hoping to catch someone in a desperate situation and take advantage of them.

These emails are known as Phishing scams, and they are not limited to emails. They occur on low-tech platforms in the form of phone calls, and they come in higher tech forms like games, social media and webpage ads, emails and texts. Here’s what you need to know about them:

How do phishing attacks work?

Phishing attacks work by presenting some sort of bait to a consumer in the hopes of scamming them for money or information. In emails, they tend to present an urgent situation that, if not acted upon immediately, will supposedly cause some level of harm or inconvenience. Check out this example:

Notice how the email presents an urgent situation – an important delivery was missed. The bait is presented in the form of a link – click this link to confirm delivery notice. HOWEVER, the link is fake!!! The link will NOT direct me to UPS as suggested; in this example it takes me to an alternate Vietnam-based website instead.

How can I protect myself?

You need to take the following steps to protect yourself (we’ll start with the obvious):

  1. Keep Windows updated with the latest security updates.
  2. Install an active malware protection suite on all your smart devices – YES, even your Apple devices. Contrary to popular lore, Apple devices can get viruses and malware.
  3. Be alert and learn to identify the bait! The bait can come in various forms, and these scammers are getting really clever! Sometimes, they will even deliver on the content or offer they presented, but in the process they obtained an important login credential or installed some bit of malware encoded in the delivery process. Remember: anything that looks too good to be true probably is, especially on the Internet.
  4. Don’t give out any important information over the phone, by email or text. 
  5. Don’t open attachments you haven’t personally requested. Even then, it’s not the best idea. It’s easy to share files from cloud accounts like OneDrive, Dropbox, DattoDrive and the like; and that’s safer than using attachments.

Note: Neither Microsoft nor Apple will call you and request control of your computer! That is a popular phishing scam.

Yield not to temptation!

Those ads can be so tempting, right? No, I’m not referring to girly ads, though they would apply. You know…those ads that offer you the latest unclassified intel on JFK’s murder, or behind-the-scenes Woodstock photos never before seen, or Marilyn Monroe secrets revealed (how old does FB think I am?!!!). It’s not worth the risk! Don’t click on those ads. At best, they will disappoint. At worst, you just got baited and hooked!

But you don’t understand, this could be REAL!!!

OK, so yesterday you didn’t buy local like you were supposed to and ordered something off of Amazon. Today, you get an email from Amazon (supposedly) stating your recent order didn’t process properly, and you are going to miss out on that new pair of boots without which you absolutely cannot live! 

Yes, I realize the importance – here’s what you DON’T DO: for the love of all that is good, DO NOT click on any links in that email! Instead, open a new browser session and navigate to Amazon’s website directly.  From there, you can look at your order history. That’s the safest way to know for sure you are not taking the bait.

Report scams!

Microsoft has provided these excellent options for reporting scams (a direct link to all this information is provided below):

How to report a scam

You can use Microsoft tools to report a suspected scam.

  • Outlook.Live.com – If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Outlook inbox. Click the arrow next to Security Options and then choose Phishing.
  • Microsoft Office Outlook – If you have a business email account and need next-level Anti-Phishing protection, contact TCS on how we can provide the best protection. We can also perform security awareness training drills that will help you score your employee security awareness levels with recommended training for those who need it.

You can also download the Microsoft Junk E-mail Reporting Add-in for Microsoft Office Outlook.

How to report tech support scams

Whenever you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at Total Computer Solutions.