TCS is committed to educating our client base and small-to-medium sized organizations at large about Cybersecurity – the existing threats out there and how best to protect against and mitigate the effects of those threats.  To some, that can sound scary.  The scary reality is that there are real threats out there that can disable and sometimes even pose an existential threat to your company or organization.  Sticking our collective heads in the sand is not a viable option.

The Distinction between Scare Tactics and Education

So what is the distinction between educating about scary topics and using scare tactics?  Education first seeks to increase awareness, not for the sake of scaring but for the sake of providing reasonable dialogue regarding ways to protect against those scary outcomes.  Scare tactics seek to manipulate emotion and shutdown dialogue.  They present no discussion, but only seek to scare someone into a decision.  Education, on the other hand, presents the potential scary scenarios and then reasons through a range of solutions to protect against them.

For instance, there is a world of difference between informing someone that accounts tied to their organization are available for sale on the dark web, and detailing every scary outcome that could result from that vulnerability.  Scare tactics use threatening language to get their desired outcome while education seeks to have a simple conversation.  The fact of the matter is that those accounts for sale on the dark web may not have the most current password associated with that login, which makes it less of a threat.  Nevertheless, a conversation can be had regarding how even old passwords can give attackers clues as to how you typically approach creating your passwords.  Simply changing the password may not be the best solution in that scenario. 

TCS Is Committed to Cybersecurity Education

Is your MSP doing a good job of educating you on those matters?  Do you know whether you have compromised accounts on the dark web?  If your internet/email domain has been online for more than a few years, then chances are you do have some compromised accounts.  The real question is, do you know which accounts those are, and what have you done as a result?  The only thing that makes this scenario scary is the unknown.  TCS seeks to take out that unknown and educate organizations on how they can respond in a way that mitigates the ill effects of compromised accounts.

Coming out of the Dark

What differentiates TCS from other MSPs?  In this context, TCS doesn’t want you to be in the “dark” (pun intended) regarding your Cybersecurity position.  We encourage all Cybersecurity education, whether it comes from TCS or not.  Hopefully, if someone comes along and mentions to one of our clients that they have compromised accounts on the dark web, our customer is educated in Cybersecurity enough to respond, “Of course we do, and we’ve responded in these ways to mitigate the effects of those compromised accounts.”  When a prospect responds in a way that indicates they are unaware of what that means or the potential ramifications for what that means, we see opportunity to educate – not for the aim of scaring them, but to the end that they comprehend what’s at stake and how best to protect themselves against it.  Sure, there is a fine line there; but TCS is committed to education, not emotional manipulation.

We’ve all heard the latest security mantra these days: it’s not a matter of if you will face a Cybersecurity event – it’s only a matter of when.  We at TCS have seen a marked increase in the number of successful attacks recently.  Unfortunately, some of them didn’t need to happen.  Very simple things could have been done to mitigate the effectiveness of the attack, and those things were ignored despite our warnings.  Here is a list of things you can do to help secure your business from malicious attacks:

#1:  End User Security Awareness Training

The number one rule in all Cybersecurity is that your users are your #1 security vulnerability.  After all, good businesses usually train their employees to be super helpful and accommodating.  Malicious actors use that good-natured helpfulness to help themselves right into your network. 

Since the #1 security threat is your end user, the #1 thing you can do is train your users to identify both low-tech and high-tech phishing attacks.

Low-tech phishing attacks:  Using the phone, letters in the mail, or other low-technology channels to obtain information that the attacker can later exploit.

High-tech phishing attacks:  Using email, banner ads, social media posts, etc. to dupe unsuspecting users into giving the attacker access to information or systems that can then be exploited.

#2:  Multi-factor Authentication (MFA or the older 2FA)

These days multifactor authentication can be built into just about any login.  There are different types of MFA, though.  Some applications of MFA and 2FA in the past have been very cumbersome, to say the least.  However, just as with anything, progress has been made over time to streamline some of those historic barriers to MFA.  For instance, most MFA applications now give you the option to save trusted devices.  By using trusted devices, end users don’t have to complete multifactor authentication every time they log in from their trusted device.  The only time MFA is required is when someone tries to log in from a new, untrusted device.  This type of scenario would be handy for someone who primarily uses a single device that is secured behind a next-generation firewall in an office with limited access.

Why is this so important, though?  Because phishing attacks have become so convincing that they sometimes get even the most well-educated user.  In this case, even if a malicious actor was able to obtain login credentials, those credentials would only be effective from the single trusted computer.  This provides your next-generation firewall and endpoint security software the opportunity to detect the malicious actions before they can do any harm.  If those actions are taken from a non-trusted computer, the malicious actors will not have the information needed to complete the login process, even though they have the correct username and password.
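The trusted-device behaviour described above can be modelled in a few dozen lines. The following is an added example written for this article, not code from TCS or from any MFA product: a constructed login service that checks the password, then requires a one-time code unless the request carries a valid, unexpired device token that the server itself signed for that user and that device. The `mfa_code` function is a simplified stand-in for an authenticator app (it is not RFC 6238 TOTP), and the token format, trust period, and hash parameters are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta


def mfa_code(secret: bytes, now: datetime) -> str:
    """Simplified time-based one-time code (constructed stand-in for a real
    authenticator app, not RFC 6238 compliant). Both the user's 'app' and the
    server compute it from the shared secret and the current 30-second window."""
    window = int(now.timestamp()) // 30
    mac = hmac.new(secret, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class LoginService:
    """Constructed model of a login with MFA and 'remember this device'."""

    def __init__(self, trust_days: int = 30):
        self.users = {}                    # username -> (salt, password digest, MFA secret)
        self.token_key = os.urandom(32)    # server-only key that signs device tokens
        self.trust_period = timedelta(days=trust_days)   # assumption: 30-day device trust

    def register(self, username: str, password: str) -> bytes:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        secret = secrets.token_bytes(20)   # enrolled into the user's authenticator
        self.users[username] = (salt, digest, secret)
        return secret

    def _password_ok(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, digest, _ = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(candidate, digest)

    def _sign(self, payload: str) -> str:
        return hmac.new(self.token_key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_device_token(self, username: str, device_id: str, now: datetime) -> str:
        """Token = user|device|expiry|HMAC. Bound to one user and one device, so a
        token copied to another machine (or used for another account) is useless."""
        expires = (now + self.trust_period).isoformat()
        payload = f"{username}|{device_id}|{expires}"
        return f"{payload}|{self._sign(payload)}"

    def _device_trusted(self, username: str, device_id: str, token, now: datetime) -> bool:
        if not token:
            return False
        parts = token.split("|")
        if len(parts) != 4:                # toy format: fields may not contain '|'
            return False
        tok_user, tok_dev, expires, mac = parts
        if not hmac.compare_digest(mac, self._sign(f"{tok_user}|{tok_dev}|{expires}")):
            return False                   # forged or tampered token
        if tok_user != username or tok_dev != device_id:
            return False                   # valid token, wrong user or wrong device
        return now < datetime.fromisoformat(expires)

    def login(self, username, password, device_id, now, device_token=None,
              code=None, remember_device=False):
        """Returns (status, device_token). Correct credentials alone are never
        enough from a device the server has not previously trusted."""
        if not self._password_ok(username, password):
            return "denied", None
        if self._device_trusted(username, device_id, device_token, now):
            return "ok", device_token      # trusted device: skip the MFA prompt
        secret = self.users[username][2]
        if code is None or not hmac.compare_digest(code, mfa_code(secret, now)):
            return "mfa_required", None    # untrusted device without a valid code
        new_token = self.issue_device_token(username, device_id, now) if remember_device else None
        return "ok", new_token
```

The point of the example is the ordering of the checks: the device token is only consulted after the password succeeds, it is only honoured for the user and device it was issued to, and it expires, so a phished username and password replayed from a different machine still land on the MFA prompt.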

#3:  Anti-phishing Protection for Your Email Server

While phishing attacks occur through both low- and high-tech media, the easiest and most common is through email.  Having a scanner sitting on your email server that filters out phishing attempts before they get to your end-user’s Inbox is another layer of protection you can employ that doesn’t cost a lot of money.  Most anti-phishing scanners can also add banners warning users that an email came from outside the organization, which raises the end-user’s suspicion before they click any links or open any attachments.

#4:  Proper Microsoft 365 Domain and DNS Setup

Most people don’t realize that Microsoft provides several ways to help protect against another common form of attack – impersonation.  A lot of malicious actors have found that if they can make their email look like it’s coming from someone within your organization – by copying that person’s email signature, mimicking the sender’s name, and sometimes even relaying the email through your email transfer server – they can trick users into doing things they otherwise wouldn’t.  Properly setting up those Microsoft protections can help you guard against those phishing attempts via impersonation attacks.

#5:  Password Policies

Yes, it’s 2021 and we shouldn’t even have to cover password policies.  However, Nordpass.com (https://nordpass.com/most-common-passwords-list/) reports that the Top 10 passwords uncovered for 2020 were 123456, 123456789, picture1, password, 12345678, 111111, 123123, 12345, etc.  Yes, it’s enough to make the security expert lose all respect for society at large!  But apparently the message hasn’t gotten across yet.  So we’ll keep on saying the same thing we’ve been saying for over 20 years:  stop using simple passwords!

  1. Passwords need to be at least 8 characters long.
  2. Passwords need to include uppercase, lowercase, numbers, and special characters.
  3. Passwords need to be unique across all logins.
  4. Password history needs to be enforced to keep users from recycling old passwords.
  5. Passwords need to be changed at least twice a year and ideally once a quarter.
  6. A little fairy dust and unicorn blood couldn’t hurt, either. No, just kidding – but not kidding about 1-5.

“But I can’t remember all those passwords!”, you might be thinking.  Neither can I.  That’s why we have password managers, like LastPass or Roboform.  Even if you forget your password, there are easy ways to get it reset securely in a matter of minutes using your email recovery options.  You don’t have to actually remember the passwords anymore.

Bonus Tip:  We always try to overdeliver on our promises at TCS.  In that vein, here is a bonus tip – employ geo-filtering on your Microsoft 365 accounts!

When I discuss security with business owners, I generally like to ask this simple question:  Do you want your company to be able to communicate with Russia, North Korea, and other countries known for their malicious internet activity?  I already know the answer to the question for 99% of small and medium sized businesses, but I like to ask it for effect.  With our next generation firewalls and advanced configurations within Microsoft 365, we have the ability to block intercommunication with countries known for their malicious actors.  This is often a simple way to render potential attacks ineffective, as many of those attacks are dependent upon some server operating in a remote country.  By limiting your communications only to those countries with which you need to interact, you harden yourself against attacks coming from those countries known for their malicious activity.

Action Item:  Please take a moment to place a reminder on your calendar to address at least one of these tips above within the next week!  Make this article count!