Blog

March 20th, 2014

Any business that employs technology in any aspect will eventually begin to worry about how secure their systems are. In order to ensure security, many companies implement a security strategy. While these strategies are a great way to ensure the security of your business systems and data, there is one element that many business owners forget: The audit.

Auditing and the security strategy

Auditing your company's security is important; the only problem business owners run across is knowing where and what they should be auditing. The easiest way to work this out is to first look at the common elements of developing security strategies.

These elements are: assess, assign, audit. When you develop a plan, or work with an IT partner to develop one, you follow the three steps above, and it may be obvious at the end. In truth however, you should be auditing at each stage of the plan. That means you first need to know what goes on in each stage.

During the assessment phase you or your IT partner will need to look at the existing security you have in place. This includes every computer and server and also focuses on who has access to what, and what programs are being used. Doing an assessment should give you an overview of how secure your business currently is, along with any weak points that need to be improved.

The assignment phase looks at actually carrying out the changes you identified in the assessment phase. This could include adding improved security measures, deleting unused programs or even updating systems for improved security. The main goal in this phase is to ensure that your systems and networks are secure.

Auditing happens after the changes have been made and aims to ensure that your systems are actually secure and that the changes have been implemented properly. Throughout the process you will need to continually audit and adjust your strategy.

What exactly should be audited?

When conducting an audit, there are three factors you should focus on:
  1. The state of your security - Changing or introducing a security plan usually begins with an audit of sorts. In order to do this, however, you need to know how your security has changed in between audits. Tracking this state and how it changed in between audits allows you to more efficiently audit how your system is working now and also to implement changes more easily. If you don't know how the state of your security has changed in between audits, you could risk implementing ineffective security measures or leaving older solutions open to risk.
  2. The changes made - Auditing the state of your security is important, but you should also be auditing the changes made to your systems. For example, if a new program is installed, or a new firewall is implemented, you will need to audit how well it is working before you can deem your security plan to be fully implemented. Basically, you are looking for any changes made to your system that could influence security while you are implementing a new system. If, by auditing at this point, you find that security has been compromised, you will need to go back to the first step and assess why before moving forward.
  3. Who has access to what - There is a good chance that not every system you have will need to be accessed by every employee. Once a security solution is in place, it would be a good idea to audit who has access to what systems and how often they use them. This stage of the process needs to be proactive and constantly carried out. If you find that access changes or system access needs change, it would be a good idea to adapt your security strategy, starting with the first stage.
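
As an added illustration (not part of the original post), the sketch below compares two audit snapshots to show how the state of access changed between audits and which grants are going unused. The snapshot format, user and system names, and the 90-day idle threshold are all assumptions made for the example.

```python
from datetime import date

# Constructed sample snapshots: (user, system) -> date of last use,
# or None if the access was granted but never used.
PREVIOUS_AUDIT = {
    ("alice", "payroll"): date(2014, 1, 10),
    ("bob", "payroll"): date(2013, 9, 2),
    ("bob", "file-server"): date(2014, 1, 15),
    ("carol", "crm"): date(2014, 1, 12),
}
CURRENT_AUDIT = {
    ("alice", "payroll"): date(2014, 3, 14),
    ("bob", "payroll"): date(2013, 9, 2),      # kept, but not used since September
    ("bob", "file-server"): date(2014, 3, 17),
    ("dave", "payroll"): None,                 # new grant, never used
    ("dave", "crm"): date(2014, 3, 16),
}


def diff_access(previous, current):
    """Factors 1 and 2: what changed in the access state between two audits."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "granted": sorted(cur_keys - prev_keys),
        "revoked": sorted(prev_keys - cur_keys),
    }


def stale_access(current, audit_date, max_idle_days=90):
    """Factor 3: access that exists but is never or no longer being used."""
    stale = []
    for grant in sorted(current):
        last_used = current[grant]
        if last_used is None or (audit_date - last_used).days > max_idle_days:
            stale.append(grant)
    return stale


def audit_report(previous, current, audit_date, max_idle_days=90):
    """Combine the change diff and the usage check into one set of findings."""
    report = diff_access(previous, current)
    report["stale"] = stale_access(current, audit_date, max_idle_days)
    # A grant that is both new and unused is the first thing to question.
    report["granted_but_unused"] = [
        grant for grant in report["granted"] if grant in report["stale"]
    ]
    return report


if __name__ == "__main__":
    findings = audit_report(PREVIOUS_AUDIT, CURRENT_AUDIT, date(2014, 3, 20))
    for kind, grants in findings.items():
        for user, system in grants:
            print(f"{kind:20} {user:8} {system}")
```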
If you are looking for help developing a security strategy for your business, contact us today to see how our managed solutions can help.
Published with permission from TechAdvisory.org. Source.

Topic Security
March 6th, 2014

As a business owner or manager you face important security issues on a daily basis as you look after business computers and systems. From malware to bugs in software, there is almost always a security issue to be dealt with and it can be an uphill battle dealing with them. But, knowledge is power and knowing about security threats can help you battle them more effectively. One of the latest threats to come to light is a bug in Apple's software that all Apple users should know about.

About the bug

News broke on many security websites mid-February about a potentially critical security flaw in Apple's systems following the company releasing an update to their mobile operating system, iOS.

The update notes released by Apple noted that the patch "provides a fix for SSL connection verification." This is a fairly common update as it is aimed at improving the security of communications between websites and the device. However, security experts found out that, without the update, attackers who can connect to a network are able to capture sensitive information being sent in banking sessions, email messages, and even chat messages using what's called an SSL/TLS session.

What exactly is SSL/TLS?

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used in networks to essentially establish an encrypted link between a server and your computer. They are most commonly used to secure websites and the transmission of data. Take a look at some websites and you may see a padlock on the URL bar, or https:// in the URL. This indicates that the website is using SSL or TLS encryption to protect the data that is being transmitted e.g., your bank account information on a website.

In other words, SSL and TLS are used to ensure that information is exchanged securely over the Internet.

What was the problem and what software was affected?

It was found that there was a bug in the code Apple's software uses to establish an SSL connection which causes the whole SSL system to fail, potentially exposing data that should have been encrypted to anyone connected to the network with the right tools.

According to security experts, this bug has been found to affect devices running older versions of iOS 7, OS X 10.8 and newer, Apple TV, and possibly iOS 6. It is important to note that the bug is only found in Apple's SSL technology. Any app that uses Apple's version of SSL could be affected.

Has Apple solved this?

Luckily, Apple has released updates to all of their devices that should solve this security exploit. If you have not updated your device or computer since the middle of February you could be at risk.

How do I prevent my systems from being affected?

The first thing you should do is to update all Apple related apps and devices, including all mobile devices. If you are unsure about whether your apps are secure enough, try using another app, especially another browser. This is because browsers like Chrome and Firefox use a different SSL technology and are unaffected by this bug.

You should also remain vigilant and not connect to any open or public Wi-Fi connections or even secured Internet connections that could be easy to break through. Basically, as long as you update you should be fine. However, it may be worthwhile using another browser if you are really worried about whether you have a secure connection.

If you are looking to learn more about this security flaw, or how you can secure your business from threats like this, contact us today. We can help.

February 20th, 2014

One of the most common threats to business and individual systems is phishing. This form of hacking is well known and many users have educated themselves on the more traditional methods used by hackers. This has forced hackers to come up with different phishing techniques, and one of the methods that is causing problems is spear phishing.

What is spear phishing?

Spear phishing is a specialized type of phishing that, instead of targeting a mass of users as normal phishing attempts do, targets specific individuals or groups of individuals with something in common, e.g., an office.

Generally a hacker will first pick a target and then try to learn more about the related people. This could include visiting a website to see what a company does, who they work with, and even the staff. Or they could try hacking a server in order to get information.

Once they have some sort of information, usually a name, position, address, and even information on subscriptions, the hacker will develop an email that looks similar to one that another organization might send e.g., a bank. Some hackers have been known to create fake email accounts and pose as a victim’s friend, sending emails from a fake account.

These emails are often similar to official correspondence and will always use personal information such as addressing the email to you directly instead of the usual ‘dear sir or madam’. The majority of these emails will request some sort of information or talk about an urgent problem.

Somewhere in the email will be a link to the sender’s website which will look almost exactly like the real thing. The site will usually ask you to input personal information e.g., an account number, name, address, or even passwords. If you went ahead and followed this request then this information would be captured by the hacker.

What happens if you are speared?

From previous attack cases and reports, the majority of spear phishing attacks are finance related, in that the hacker wants to gain access to a bank account or credit card. Other cases include hackers posing as help desk agents looking to gain access to business systems.

Should someone fall for this tactic, they will often see personal information captured and accounts drained or even their whole identity stolen. Some spear phishing attacks aren’t after your identity or money, instead clicking on the link in the email will install malicious software onto a user’s system.

We are actually seeing spear phishing being used increasingly by hackers as a method to gain access to business systems. In other words, spear phishing has become a great way for people to steal trade secrets or sensitive business data.

How do I avoid phishing?

Like most other types of phishing related emails, spear phishing attempts can be easy to block. Here are five tips on how you can avoid falling victim to them.

  • Know the basic rule of business communication - There are many basic rules of communication, but the most important one you should be aware of is that the majority of large organizations, like banks, social media platforms, etc., will not send you email requesting personal information. If you receive an email from say PayPal asking you to click a link to verify your personal information and password, it’s fake and you should delete it.
  • Look carefully at all emails - Many spear phishing emails originate in countries where English is not the main language. There will likely be a spelling mistake or odd wording in the emails, or even the sender’s email address. You should look out for this, and if you spot errors then delete the email immediately.
  • Verify before you click - Some emails do have links in them, you can’t avoid this. That being said, it is never a good idea to click on these without being sure. If you are unsure, phone the sender and ask. Should the email have a phone number, don’t call it. Instead look for a number on a website or previous physical correspondence.
  • Never give personal information out over email - To many this is just plain common sense – you wouldn’t give your personal information out to anyone on the street, so why give it out to anyone online? If the sender requires personal information try calling them or even going into their business to provide it.
  • Share only essential information - When signing up for new accounts online, there are fields that are required and others that are optional. Only share required information. This limits how much a hacker can get access to, and could actually tip you off, e.g., if they send you an email addressed to Betty D when your last name is Doe.
  • Keep your eyes out for the latest scams - Pay attention to security websites like those run by the major antivirus providers, or contact us. These sites all have blogs where they post the latest in security threats and more, and keeping up-to-date can go a long way in helping you to spot threats.

If you are looking to learn more about spear phishing or any other type of malware and security threat, please don’t hesitate to call CCR, we would be happy to help you.

February 14th, 2014

As information technology systems get more complex, computer malware also gets stronger and more aggressive. An effective security strategy to protect your computer system from a variety of malware is to employ the concept known as defense in depth. Put simply, it involves implementing multiple secured layers wrapped around your computer system.

Just like the human body, a computer system can also be attacked by many viruses that can infect and disrupt computer operations. And what’s worse is it doesn’t just disrupt the operations of your computer, but these viruses and other malware can gather sensitive information or even gain access to other private and secured computer systems on the same network.

Although computer viruses aren’t deadly, they can spread at an unimaginable rate across your entire computer system, affecting your database, networks and other IT-related sources. You can get these viruses by opening bogus email messages, downloading unknown file attachments, and accidentally clicking ads that pop up on your screen. This is why there is a need for a strong and effective security system to protect your network.

One of the tested and proven security strategies used today is defense in depth. This concept focuses on the coordinated and organized use of multiple security countermeasures to keep your database safe from intrusive attackers. Basically, this concept is based on the military principle that a multi-layered and complex defense is more difficult to defeat than a single-barrier protection system.

The defense in depth strategy assures network administrators by working on the basis of the following guiding principles:

Defenses in multiple places

The fact that many viruses can attack the network system from multiple points means that you need to deploy strong defense mechanisms at multiple locations that can endure all types of attacks.

Defense in depth focuses on areas by deploying firewalls and intrusion detection to endure active network attacks and also by providing access control on servers and host machines, to resist distribution attacks from the inside. This multi-layered defense also protects local and area-wide communication networks from denial of service attacks.

Multiple layered defense

Defense in depth is an extremely effective countermeasure strategy, because it deploys multiple layered defense mechanisms between the attacker and its target. Each layer of the defense has a unique mechanism to withstand the virus attacks. Furthermore, you need to make sure that each layer has both detective and protective measures to ensure the security of the network.

The reason for wrapping the network with multiple layers of defense is that a single line of defense may be flawed. The most certain way to protect your system from any attacks is to employ a series of different defenses that can be deployed to cover the gaps in the other defenses. Malware scanners, firewalls, intrusion detection systems, biometric verification and local storage encryption tools can individually serve to protect your IT resources in a way others cannot.

Perhaps the final layer of defense should be educating your employees not to compromise the integrity of the computer systems with potentially unhealthy computer practices. As much as possible, teach them the do’s and don’ts of using the computer, as well as how they can prevent viruses and other computer malware from coming in and destroying their system.

If you’re looking to give your computer systems better protection against the harmful elements that the internet can bring, then give us a call now and we’ll have one of our associates take care of you and help defend your business.

February 11th, 2014

It's 2014, and that means that it's an Olympic year. This year the Winter Olympics are being held in Sochi, Russia. As with almost every other Olympics there have been a number of organizational issues to deal with to ensure the Games run smoothly. Unlike other events however, one of this year's big issues is hacking of the computers and phones of attendees and visitors.

Hacking at the Winter Olympics 2014

Well before the Olympics even started in Russia, the Russian government said that they will be surveilling phone and computer communications. Many scoffed at this, writing off the government as being overly ambitious and boasting about a nearly impossible task. The thing is, the Internet in Russia may not be as secure as many believe, being full of hackers, at least according to a report aired on NBC shortly before the games started.

In the report, reporter Richard Engel took new, never opened laptops and mobile devices to Russia and used them. He found that within 24 hours all of the devices had been hacked, exposing the data stored within.

In part of the segment, Engel and a security expert go to a local coffee shop in Moscow and search for Sochi on a mobile device. Almost immediately the device is hacked and malicious software downloaded. Engel notes that the hackers have access to data on the phone along with the ability to record phone calls.

In a follow-up segment, Engel explains a bit more about the laptop issues. When he boots one up and connects to the Internet, hackers are almost immediately snooping around the information, transferring from the machine to the networks. Within a couple of hours, he received a personalized email from a hacker welcoming him to Russia and providing him with some links to interesting websites. Clicking on the link allowed the hackers to access his machine.

One issue is that it hasn't been stated in any reports whether the Russian government is behind this, or if it's hackers out to steal information. While you can be sure that the Russians are monitoring communication during the Winter Olympics, it is highly likely that they are not the ones installing malware on phones, rather it's probably organized crime rings or individual hackers.

I'm not at Sochi so why do I care?

As a business owner half the world away you may be wondering why this news is so important to you, or why you should care. Take a look at any tech-oriented blog or news channel and you will quickly see that the number of attacks on devices, including malware, phishing, spam, etc. is on the rise. It's now likely a matter of when you will be hacked, not if.

Combine this with the fact that many businesses are going global, or doing business with other companies at a big distance. This has caused many people to go mobile and the tools that have allowed this are laptops and smart devices. Because so many people are now working on a laptop, phone or tablet, these devices have become big targets. The main reason for this is that many people simply don't take the same safety precautions they take while on the office or even the home computer.

Hackers know this, so logically they have started going after the easier targets. The news reports concerning Russia highlight this issue and are a warning business owners around the world should be aware of, especially if they are going to be traveling with computers or phones that have sensitive information stored within.

That being said, there are a number of tips you can employ to ensure your data is secure when you go mobile. Here are six:

1. Use cloud services wherever possible

Cloud storage services can be incredibly helpful when traveling. They often require a password to access and are usually more secure than most personal and even some business devices. If you are traveling to an area where you are unsure of the security of the Internet or your devices, you could put your most important data in a trusted cloud storage solution.

This is also a good idea because if your device gets stolen, the data is in the cloud and is recoverable. If you have data just stored locally on your hard drive, and your device is stolen, there is a good chance it's gone forever. For enhanced security, be sure to use a different password for every service.

2. Back up your data before leaving

Speaking of losing data, it is advisable to do a full system backup of all the devices you are taking with you before you leave. This will ensure that if something does happen while you are away, you have a backup of recent data that is recoverable.

3. Secure and update all of your devices

One of the best ways to ensure that your data is secure is to update all of your devices. This means ensuring that the operating systems are up-to-date and any security updates are also installed.

Also, ensure that the programs installed on the devices are updated. This includes the apps on your phone, including the ones that you don't use.

You should also secure your devices by not only having an antivirus and malware scanner but also requiring a password to access your device.

4. Watch where you connect

These days Internet connections are almost everywhere. In many public spaces like airports, coffee shops, restaurants, etc. many of the connections are open, or free to connect to, and don't require a password.

While this may seem great, hackers are known to watch these networks and even hack them, gaining access to every bit of information that goes in and out of the network. When you are traveling, try avoiding connecting to these networks if you can. If you really have to, then be sure not to download anything or log into any accounts that hold private data.

5. Know the risks of where you are going

Before you leave, do a quick search for known Internet security issues in the area you will be visiting. If you find any news or posts about threats you can then take the appropriate steps to secure your system ahead of time.

6. If in doubt, leave it at home

In the NBC report, Engel finishes by telling viewers that if they are at all unsure about the security of their devices, or are worried about their data, they should leave the device at home, or delete the data before going. This is a good piece of advice and maybe instead of deleting data completely, you could move it to a storage device like an external hard drive that you leave behind.

If you are looking to learn more about ensuring the security of your devices while you are away from the office, contact us today. We have solutions to help.

January 23rd, 2014

Let's face it, technology, while essential, is getting increasingly challenging to manage. Many business owners are struggling to ensure that all of their systems are not only working properly but are also secure. One solution many turn to is the skills and support of an IT partner. These tech partners offer a wide variety of managed services, including managed antivirus solutions that help ensure systems are more secure. However, many business managers are not totally sure what managed antivirus solutions actually are.

What exactly is managed antivirus?

By now, most people are familiar with the term 'antivirus'. They know that the majority of solutions are a monthly or yearly subscription that they pay for. By subscribing, the company that created the program will update virus databases, allowing scanners to identify viruses during a computer scan. This type of antivirus software is often referred to as unmanaged, largely because the end-user has the ability to deny updates, turn off the scanner, or uninstall it.

A managed antivirus solution is provided by IT partners. These tech experts take care of installing the software on computers and other devices, and will then manage the solution. They will also ensure that scanners are up-to-date and scans are scheduled for a convenient time, thus protecting computers. The best way to think of these solutions is that they are specifically provided by a company to look after your computers and protect them from viruses.

Benefits of managed antivirus solutions

Companies that choose to integrate a managed antivirus solution generally see five main benefits.
  1. All systems will have the same level of security - With a managed service, your IT partner will make sure to install software on all your systems. This means that there should be the same program installed on your systems, and that the antivirus will be updated to ensure that systems are protected from new security threats that come along.
  2. It is easier to manage - Managing your antivirus solution can be a tough task, especially in larger companies where different solutions may need to be employed. By working with an IT partner, your antivirus solutions are managed by tech experts. This is a great solution for business owners who aren't too familiar with technology, or an overworked IT department.
  3. The solutions can be low-cost - Most managed antivirus solutions are offered as a monthly package, where companies pay per user. For some companies, this solution is more affordable per user than a non-managed solution. This is especially true if you have a high number of users and need to purchase multiple licenses.
  4. Management is continual - With unmanaged solutions, many users turn the antivirus protection off because it can slow their computer down or because they believe their usage habits are not compromising security. Managed antivirus solutions usually can't be uninstalled or turned off, meaning your systems are continually protected.
  5. Your systems are truly protected - Regardless of how secure your systems are and the steps you take to ensure that malware doesn't get through, the chances are you will eventually be infected. When you are, it may be tricky to actually completely remove the virus. IT partners are trained in how to do this quickly and efficiently and can usually completely remove the virus, ensuring that your systems are truly secure.
If you are looking for a managed antivirus solution, contact us today as we may have a solution that will work with your business.

January 9th, 2014

In the first few weeks of each new year, you often see business leaders and managers setting goals for the year to come. Most of these goals are determined based off of trends that have been identified as valuable. When it comes to security however, it is a good idea to not look at trends but potential threats. By knowing what could threaten your business in the year to come, you can better prepare and protect.

Here are four security threats businesses should be aware of in 2014.

Increased attacks on cloud end-points

Cloud-based systems saw solid growth throughout 2013, with numerous systems being introduced and older systems reaching new levels of maturity. Small to medium businesses in particular were heavy adopters of these systems. Because of this, we expect to see an increase in attacks against cloud providers.

Providers know this and take steps to ensure security of systems on their end. Hackers know this too, so will be likely to go after the weaker points – end users. It is expected that hackers will begin targeting users of cloud systems with various schemes that try to gain control of computers and mobile devices. Once access is gained, they will go after their main target: Corporate or personal clouds and the data stored within.

This could pose a problem for many companies, especially those who access cloud systems from their mobile devices. January and February would be a good time to look into the security of all of your systems, ensuring that your cloud-based systems are secure on all devices.

Mobile malware will continue to gain popularity

Take a step back for a minute next time you are in public and look at how many people have smartphones or tablets in their hands. Chances are, at least 60% or higher will. It is fairly obvious that the mobile device is the most popular trend in tech at the moment, and whatever is popular is also a target.

We predict there will be an increase in mobile malware attacks throughout 2014. This could see either an increase in the number of apps that have malware in their code, or websites that host malware. When you visit a site with this malware, you are informed that you need to update an app, and when you agree to this the malware is downloaded and installed.

This could prove to be tough for companies to manage, especially since the number of mobile users will likely grow. If you haven’t started looking into how to secure mobile devices, now would be a good time to start.

Growth in social engineering scams targeting mobile users

Social engineering is the act of essentially tricking people to give away confidential information. Hackers have been using this for years – for example, emailing users telling them their bank account has been compromised, and that if they click on the link in the email and enter their account info, the account will be secured. In reality, the link is to a fake site that captures information which can then be used for any number of illegal activities.

As we mentioned above, the number of mobile users is steadily increasing. This means that it is highly likely that hackers will begin to target these users with mobile specific social engineering. This could be tricking them into downloading an app which then steals information stored on the phone, or simply targeting those who use just their tablet.

In order to prevent this from happening, you need to brush up on how most social engineering schemes work. You should also encourage your employees to look where the links in emails lead to and be aware that generally, most major businesses like banks don’t email customers asking for passwords or user names.

Windows XP will become a big target

Microsoft will stop support for Windows XP and Office 2003 in April of this year. What this means is that they will no longer be offering security updates, software updates or support for these products. It is a sure thing that these programs are about to become a big target, and that new security loopholes and exploits will be found on a regular basis after the cessation of support.

For businesses that are using a newer version of Windows like 7 or 8, you should be secure from these exploits. If you are using XP on the other hand, you might want to upgrade as soon as possible. Contact us, we can help with that.

From the overall looks of things, we think this year will see a drastic increase in mobile based security threats, along with attacks on older versions of software. Now is a good time to review your strategies regarding both mobile and the software/hardware you use, to ensure that it is secure. If you would like help with this, please contact us today for a chat.

December 27th, 2013

The number of accounts and websites we have to log in to is growing, and will continue to do so for the foreseeable future. One downside of this increased activity is that security breaches will also continue to rise. When it comes to security, often the weakest points are the passwords people use. Far too many passwords are weak and easily guessed, which puts systems and data at risk.

Many of the major security threats that harm a business have one factor in common – a hacker gaining access to systems by cracking a user’s password. The one reason hackers are able to get into systems again and again is largely because users often don’t pick strong enough passwords.

Even what we might perceive to be a strong password may not actually be as secure as we think. Sure, when you enter a new password many websites have a bar that indicates how strong your password is, but the issue is, these so called strong passwords are becoming easier to guess as more websites utilize the same requirements.

Think about the last time you changed your password. You were likely told to key in a password longer than 6-8 characters, with at least one capital letter, one number, and a special character like ‘!’ or ‘$’. Many major systems have these exact, or at least very similar, requirements for password setting. However, if this is the norm, and you use a password like this too often then your passwords likely aren’t as secure as you might believe them to be.

The reason for this is the way hackers usually capture passwords. The most common method adopted is brute force – getting a username then trying every password combination until the hacker finds one that works. There are programs you can download from the Internet that try thousands or more passwords a second, and many now include special characters, numbers, and capital letters, which makes finding passwords even easier.

How do I know if my password is secure?

In an effort to showcase how insecure some passwords are, Microsoft’s Research (MSR) Center and an intern from Carnegie Mellon University developed a password guesser called Telepathwords.

The way it works is you enter the first few letters of your password and the system guesses the next. It uses common letters and combinations to help gauge the effectiveness of a password. For example, if your password begins with the letter ‘v’, it will tell you that ‘I’, ‘S’ and ‘A’ are the most common letters to follow. If the next letter of your password isn’t one of these three, there is a good chance it is more secure. If the second letter is one of these three, then your password is less secure. This may sound a little complicated, but you should check out the system here.

It is eerie how often the guessed letters and characters match, and this is a good tool to determine whether to create a more robust password. You don’t have to worry about testing your password out either, as Microsoft has noted that they don’t track the keystrokes, so your password should remain secure.
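
The next-letter guessing described above can be illustrated with a small character model. This is an added example, not Telepathwords' code or data: the word list is constructed, and `ORDER`, `train`, `guesses` and `predicted_fraction` are names chosen here.

```python
from collections import Counter, defaultdict

# Constructed sample of commonly chosen passwords (not Telepathwords' data).
COMMON = ["password", "password1", "passw0rd", "letmein", "monkey",
          "dragon", "master", "sunshine", "princess", "welcome",
          "iloveyou", "football", "baseball", "superman", "shadow"]

ORDER = 2  # assumed context length: guess from the previous two characters


def train(words, order=ORDER):
    """Map each context of 0..order characters to counts of the next character."""
    model = defaultdict(Counter)
    for w in words:
        w = w.lower()
        for i, ch in enumerate(w):
            for k in range(min(order, i) + 1):
                model[w[i - k:i]][ch] += 1
    return model


def guesses(model, prefix, top=3, order=ORDER):
    """Return up to `top` likely next characters, trying the longest context first."""
    prefix = prefix.lower()
    for k in range(min(order, len(prefix)), -1, -1):
        ctx = prefix[len(prefix) - k:]
        if ctx in model:  # back off to a shorter context when this one is unseen
            return [c for c, _ in model[ctx].most_common(top)]
    return []


def predicted_fraction(model, password, top=3):
    """Fraction of characters that were among the top guesses for their prefix."""
    if not password:
        return 0.0
    hits = sum(password[i].lower() in guesses(model, password[:i], top)
               for i in range(len(password)))
    return hits / len(password)


if __name__ == "__main__":
    m = train(COMMON)
    for candidate in ("password", "Passw0rd!", "xq7#kzv!"):
        print(candidate, round(predicted_fraction(m, candidate), 2))
```

On this sample, `Passw0rd!` still has 7 of its 9 characters guessed, even though it has a capital letter, a number and a special character.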

How do I create a stronger password?

Ask 10 experts and you will likely get 10 different answers as to what makes a strong password. Here are three different ways to create secure passwords:

  1. Use an algorithm - The easiest way to do this is to take the first letter of a saying and add a number before or after. You can also create a saying and take the first letter of each word, then add the first letter of the website, followed by the last, and then a number. This method is best when you have a large number of websites you access on a regular basis, as it can help you remember your passwords for each without having to write them down.
  2. Use a sentence or saying - For systems that allow you to have spaces in your password, try using a random saying like, ‘Dogs like pudding cups’. Sayings like this are harder to crack. This is largely because they include the space and are longer than usual.
  3. Use an acronym - Come up with a saying that describes you e.g., ‘I’ve worked at a gas station for 20 years’, and take the first letter/number of each word to create: ‘Iwaagsf2y’. This gives you an easy to remember password that can be adapted for other sites.

Regardless of what type of password you develop, you should be aware that even strong passwords can still be cracked with enough persistence. So, you should be sure to change passwords on a regular basis and also not to use the same one twice. This will limit the chances of hackers being able to access your other accounts.

If you are looking for more ways to secure your systems, we can help, so get in touch with us today.

Published with permission from TechAdvisory.org. Source.

December 12th, 2013

When it comes to the security of the systems and the data in your business, you likely have a good security system in place and your systems are largely secure. That being said, there is one common weak link that all businesses share - the password. If a hacker can crack a password, they will often have full access to your systems. In an effort to try and control this, many companies have password policies. But, are they really effective?

If you are in the process of implementing a password policy, or are looking for a way to ensure that your business is as secure as possible, you need to be aware of at least four common password policy pitfalls.

1. Complex password requirements aren't complex at all

One of the most common elements of a password policy is the requirement that passwords be complex. Many require that the password has at least one number, or a special character like '!' or '&', and possibly even a capital letter.

While this may seem like it serves to make passwords more complex, many users will often use a simple password and replace words with a character, or add it at the end. This really doesn't make the passwords complex, it just makes them more difficult to guess.

Because so many systems have these requirements in place, hackers have started to include these factors when they develop password crackers. This means that they are still able to guess many passwords relatively quickly.

2. Lack of a lock-out

A common way hackers get into systems is through a method called brute force. This is essentially entering different passwords and variations until you come across the correct password. While this method can take a while, if your password system doesn't have a lock-out rule - whereby the account becomes locked after a set number of failed attempts - you will eventually see a security breach.

3. Password changes are forced too often

In order to keep systems secure, many companies force their users to change their passwords on a regular basis - usually every 90 days. While this is a good idea, some take it a bit too far, for example forcing employees to change passwords every two weeks.

This may seem like a good idea, but all it does is encourage users to pick easy to remember passwords. And, any password that is easy to remember is likely easy to guess too.

4. Only focusing on digital passwords

Because the number of password protected systems we use is increasing, many business users are struggling to remember all of the passwords they use. When this happens, the easiest solution is to write them down.

When making a note of passwords, most people don't take any steps to hide them, often leaving a sticky note attached to their monitor or written in a notebook casually left open on their desk. Needless to say, this is a real security issue.

How should I ensure a strong password policy?

Here are four actions you can take to ensure not only stronger passwords, but a policy that is effective.
  1. Try using passwords that are sayings and have spaces. Believe it or not, a random saying like "rude horses get pizza" is actually way more secure than any one word password with characters. Take a look at this XKCD comic for an interesting graphic on passwords.
  2. In order to minimize passwords and systems falling to brute force attacks, you should set a lock-out rule. It should be fair in that you shouldn't lock users out of their accounts if they fail one attempt. Most companies using this method set a limit of 3-5 attempts.
  3. You should ensure that your passwords are changed on a regular basis - most companies set every 90 days, and this is fine. In order to maximize security, it is a good idea to set it so that the same password and numbers can't be used, because most employees will just enter another number or character at the end or beginning. In other words, ensure the password is as different as possible.
  4. The most obvious point is to remind your employees not to write their passwords down and leave them in an easy to find area. If they have to write passwords down, tell them to use a code or even hide the piece of paper/lock it away in a secure safe. The other step you could implement is two-factor authentication, such as a user needing to enter a numerical code or piece of information when trying to access a system. Implementing a system like this and recording it in the policy will greatly reduce the chances of your passwords being stolen.
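
The lock-out rule from point 2 and the "as different as possible" rule from point 3, as an added example that is not part of the original post. `MAX_ATTEMPTS` is taken from the 3-5 range above; the 15-minute lock duration, the class and function names, and the assumption that the user types the old password during a change (so the two can be compared without storing plaintext) are illustrative choices.

```python
import re
import time

MAX_ATTEMPTS = 5           # the post suggests a limit of 3-5 failed attempts
LOCKOUT_SECONDS = 15 * 60  # assumed lock duration; the post does not give one


class LockoutTracker:
    """Counts consecutive failed logins per account and locks at MAX_ATTEMPTS."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> time at which the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is not None and self._clock() >= until:
            # Lock has expired: clear state so the user starts fresh.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return until is not None

    def record(self, user, success):
        """Record one login result; return True if the account is locked."""
        if self.is_locked(user):
            return True  # attempts made while locked are refused, even correct ones
        if success:
            self._failures.pop(user, None)
            return False
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_ATTEMPTS:
            self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
            return True
        return False


def core(password):
    """Lower-case the password and strip digits and symbols from both ends."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def is_trivial_change(old, new):
    """True if new differs from old only by case or by leading/trailing digits and symbols."""
    return core(old) == core(new)
```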

If you are looking for help with your password policy, or with the security of your business and systems, please contact us today.

Published with permission from TechAdvisory.org. Source.

November 29th, 2013

The Internet has become an integral part of all businesses, with some companies employing remote workers. Many business owners and managers also check their email or connect to office systems while on the road, maybe even connecting to the Internet on the many open or public Wi-Fi networks available. While these connections are useful, they can pose a security risk to many businesses.

If you or your employees work outside of the office, and rely on, or frequently connect to public Wi-Fi connections, there are three security dangers you should be aware of.

1. Fake networks

The number of businesses offering free Wi-Fi to customers, especially coffee shops and restaurants, is growing. Some hackers have actually taken to setting up networks with names that are the same as a location or business in hopes that people will connect to it, believing it is an open network.

The issue is that they may have attached data monitors that collect data - including passwords and other private information going into and out of the network. Some have even gone so far as to set up a portal site that one must navigate to in order to log in and use the service - similar to what you see when you use most public Wi-Fi connections. Only these sites are loaded with malware which can be installed onto your system once you log in.

In order to avoid this, it is a good idea to look at the name of the network you are actually connecting to and check whether there is more than one with a similar name, or if there are any spelling mistakes. If you are unsure, the best approach is to check the name of the network at the business which is providing this connection.

2. Shared files or folders

Both major operating systems - OS X and Windows - have folders that automatically share any files and folders put into them with other users on the same network. Some business users put important files in these folders while at the office in order to allow colleagues access to them.

The problem with this is when you connect to a public Wi-Fi connection. Other people on that network may also be able to see those files. If you didn't take the important files out of the folder, they could potentially steal the data contained within. Hackers know this, and may sit on the networks looking for other computers with shared files.

In order to avoid this, you should ensure that you aren't sharing files stored in public folders on your computer. Try using other ways to share documents like a cloud storage provider.

3. The man-in-the-middle

A man-in-the-middle attack is a form of hacking where the hacker uses technology to actively listen to or capture data being transmitted over a network. What this means is that if there is someone capturing data, they could theoretically gain access to anything that gets sent outside of the network. This could include private files, passwords and more.

If you or an employee connects to the office remotely while connected to a public network, one way to minimize the chances of data being intercepted is by using a VPN. These connections set up a direct link between the computer and the home network, and make it difficult for those who aren't part of that network to connect to and view data that is transmitted over this connection.

On top of this, it is a good idea to avoid entering passwords or other important information like bank account and ID numbers while connected to public networks.

If you are looking for ways to keep your data secure while out of the office, get in touch with us today to see how we can help.

Published with permission from TechAdvisory.org. Source.
