Many people think of cyber security as a specialized skill set handled by that one smart guy you hire to handle it, but as the world progresses, we find that you can’t just rely on someone else to be the sole gatekeeper for your entire computer system. As cyber-security experts have gotten better and better at making secure systems, criminals have gotten equally good at targeting the weakest link in those systems. And in today’s world, that link is typically the end-user.
The Risk of Not Knowing Cybersecurity Best Practices
When you check your email, it is up to you to decide if an email is fraudulent before clicking on any links. When you are on the web and are asked to enter a credit card number or other personal information, it is up to you to know if the website you are connected to is both secure and legitimate. When you download an app, you have to decide if the permissions that app is requesting are actually things the app needs, or if there is an underlying trojan trying to get the privileges it needs to bypass the security features built into your device. When you get a phone call warning you of a problem, you need to decide if the person you are talking to is actually your service provider or someone trying to get you to divulge sensitive account information.
Not knowing how to make these choices can be disastrous. One bad click is all it takes to get your entire network encrypted by ransomware or to install spyware that steals all your passwords.
Making IT Services and Personal Responsibility Work Together
This is where your IT consulting firm comes in. If you have not received a Cybersecurity Policy from them, request one. For most organizations, this should include:
- Criteria for evaluating if an email, website, link, or application should be trusted.
- Restrictions on what websites and services you may access from your work machine.
- Restrictions on what information can be saved and transmitted under various circumstances.
- Protocols for defining what information is confidential, and how to handle its storage and transmission.
- Instructions for identifying security red flags.
- A policy for ensuring that employees are regularly trained on emerging security threats.
Don’t have a Cybersecurity Policy yet? Don’t settle for a one-size-fits-all solution. ComSolutions’ expert security analysts can review your business model and help you determine the best approach for your business and your regulatory compliance.
On October 16th, 2017, US-CERT publicly disclosed a vulnerability at the core of the WPA2 encryption protocol. This vulnerability affects nearly every modern encryption configuration used for transmitting information across the internet, especially Linux and Android devices. The KRACK exploit was discovered by security researcher Mathy Vanhoef before it could be implemented for widespread misuse; however, now that the issue is public knowledge, it is extremely important for businesses to update their systems to protect against it.
How Serious is this Vulnerability?
In terms of how harmful this exploit can be, it is extremely serious:
- It can be used to steal any encrypted information that is transmitted from or received by your computer or mobile devices.
- It can be used to inject various forms of malware into local networks and websites.
- It affects all kinds of internet enabled devices; however, the most serious threats of injection are specific to Linux and Android.
The good news here is that an attacker needs to be within range of someone’s Wi-Fi network to use it, so the likelihood of it being used against your home computer is fairly low. The most likely targets for this attack are big businesses and smaller businesses that handle sensitive information.
Due to the potential damage that this exploit could cause, we strongly urge our clients to review their local networks to ensure that all of their connected devices are properly patched.
Equifax revealed on Sept 7th, 2017 a data breach that compromised the personal information of 143 million users. This breach is reported to have exposed a number of sensitive pieces of personal information including Social Security numbers, birthdays, driver’s licenses, credit card numbers, and credit dispute documents.
To find out if your information has been compromised, visit:
What to do if you’ve been compromised?
- Check your bank and credit card statements for suspicious charges.
- You should make a habit of this. Many hackers wait months or even years to use your stolen information.
- Take an inventory of your online services that may be linked to your bank account or credit card.
- Make sure each account is using a different password to isolate breaches if they occur.
- Make sure you know what services you do and do not actually have so that you can better recognize fraudulent charges.
- Check your credit report for unexpected activity. Equifax is offering one free year of premium tracking to help users stay vigilant of issues that arise from this breach.
In light of the storms heading toward the Gulf of Mexico, ComSolutions wanted to share a few reminders to help make things a little easier when an emergency arises.
- Whether you are bringing your server or computer equipment with you or leaving it in place, please be sure to follow proper shutdown procedures. Remember that it is never safe to power a server off without following a specific protocol. To prevent damage, there is a specific order in which your equipment should be shut down. If you are unsure how to shut down your server or equipment in an orderly way, CSI would be happy to assist. Please call our office at 504-224-9475 Ext 2 or email email@example.com to schedule a call or an on-site appointment.
- If you plan to work while out of town, here is a basic kit that can make working on the road easier:
- Plastic storage bin to carry the following
- Extension cord / surge protector
- Network switch and RJ45 patch cables
- Wireless router or WiFi HotSpot
- External drive(s) or NAS unit that we have identified.
- A list of all of your vendors, customers, and primary points of contact
- A copy of your insurance policies, your agent’s phone number, and your business checkbook in the event of relocation.
- Set up an employee social media page for emergency communications.
- Call ComSolutions at 504-224-9475 Ext 2 with any questions.
- If you already have a cloud disaster-recovery plan with CSI, please call us so we can schedule a phone interview or appointment to review this. Remember to stay safe, keep us informed of your plans, and keep our contact info handy should you need any assistance.
March 31st is World Backup Day, but it’s important to back up more than one day per year! Here’s why.
Data can be lost in a number of ways including:
- Operating system crashes
- Data corruption
- Hardware failures
- Lost or stolen devices
- Natural catastrophes including fires, flooding, etc.
- Accidental file deletion
- Failed or incompatible upgrades, patches, or other improvements to your system
- Deliberate sabotage by a disgruntled employee
- April Fools Day pranks gone too far… one more reason to do backups on March 31st
Remember: don’t just back your data up, have a backup plan! This means having a comprehensive strategy for dealing with all of the above. Your backup plan should include solutions to all of the following common problems:
- If your entire workplace is destroyed by a catastrophe, do you have an off-site copy of your data to work from?
- Do your backups go back far enough to ensure that you will have a good copy of your data, even if a virus or corruption gets saved into your most recent backup?
- Do your backups include all of the system settings required to restore your work to a new device without having to undergo lengthy reconfiguration issues?
- Do you have a place to restore your data and software to?
E911 Legislation and Compliance
As of 2017, your company or institution can be legally liable for 911 calls that fail to provide the correct location of the caller. As of December 31, 2016, if your system does not meet these standards, you have a legal obligation to change your phone system immediately in order to avoid stiff fines and penalties ranging from $500.00 to $5,000.00 per offense.
What does E911 compliance require?
- Calling 911 cannot require an outside access key such as having to press * to dial out (common in hotels and offices).
- A call to 911 must relay the detailed, physical location of the phone down to the room number, floor, or office number. Police, fire fighters, and paramedics use this exact information so they are sent to the correct location, avoiding any delay reaching the emergency.
- If disconnected, emergency dispatchers must be able to call the phone back directly without getting an auto-attendant, answering service, call center, or remote switchboard.
- 911 calls connect to the agency within closest proximity to the caller — not the central phone system’s location (e.g., corporate headquarters).
These safeguards are already built into our VoIP phone systems, but if you are unsure if your phone system meets these specifications, give us a call and we’ll make sure that you are covered.
Yesterday, Yahoo confirmed claims that 500 million user accounts were stolen in a 2014 breach. The data that was compromised includes names, emails, passwords, telephone numbers, and the answers to account security questions. If your account is one Yahoo suspects was compromised, you’ll be prompted to enter a new password as soon as you log on. If you use the same password on other accounts, you should change those, too.
How to Minimize Risk
While there is nothing you can do to prevent these breaches, there are a number of best practices that you can use to prevent exposure from these kinds of attacks:
- Pick better passwords: When information gets stolen, the time it takes the attacker to recover your password depends on how common and how complex your password is. Avoid common passwords and patterns such as “12345”, “qwerty” or “password”, and if you use any actual words in your password, pair them with a few random letters and numbers as well.
- Change Passwords Often: Often these attacks don’t become known until well after the data is stolen, but if you change your password often, the stolen information will likely be outdated by the time the attacker tries to use it.
- Never Reuse Passwords: Just as changing your password can prevent stolen information from being used against you, reusing old passwords can re-expose you to old breaches.
- Update Security Questions: Just like passwords, these can be stolen and used against you as well.
- Two-Factor Authentication: Adding a second type of authentication, like a one-time code sent over text message, greatly strengthens your online accounts, making them hard to get into even if your information gets stolen.
Contact us today to find out more about how to secure your company’s online accounts.
With the increase in frequency of malware and ransomware attacks over the past few months, we felt the need to make our clients aware of this threat and offer a best-practices summary to assist our clients in defending their networks.
What does it look like and how does it work?
There are different types of ransomware, but all of them prevent you from using your PC normally and demand that you do something before you can use it again. Ransomware can:
- Prevent you from accessing Windows.
- Encrypt files so you can’t use them.
- Stop certain apps from running (like your web browser).
They will demand that you do something to get access to your PC or files. We have seen them:
- Demand that you pay money.
- Make you complete surveys.
Often, the ransomware will claim you have done something illegal with your PC, and that you are being fined by a police force or government agency. These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC. There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.
Crowti (also known as Cryptowall) and FakeBsod are currently the two most prevalent ransomware families. These two families were detected on more than 850,000 PCs running Microsoft security software between June and November 2015.
Please remember: once your files are encrypted, you cannot recover them. You must restore from a fully tested backup, and you must also have removed the threat from your entire system and server first.
What can I do to protect myself and my company?
- Always verify who the email sender is:
If the email is coming from a bank, verify with your bank if the message is legitimate. If from a personal contact, confirm that they actually sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of a virus or spam campaign.
- Double-check the content of the message.
There are usually errors or discrepancies that you can spot, such as a claim from a bank or a friend that they have received something from you. Check your recently sent items to verify their claim. Such spam messages can also carry executable (.EXE) or ZIP file attachments. Never open .EXE, PHP, HTML or script file attachments within an email, and always confirm with the sender that any ZIP attachment is legitimate.
- Refrain from clicking links in email.
In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly.
- Refrain from clicking pop up ads on websites offering software upgrades.
In general, clicking on pop-ups should be avoided. Visit the software vendor’s website or contact CNC to obtain any updates your software needs.
- Use a reputable Antivirus security suite.
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently send out new variants to try to avoid detection, which is why it is important to have both layers of protection. Most malware relies upon remote instructions to carry out its misdeeds. If you run across a ransomware variant that is so new that it gets past anti-malware software, it may still be caught by a firewall when it attempts to connect to its command-and-control server to receive instructions for encrypting your files.
- Backup important data.
Unfortunately, there is no known tool to decrypt the files encrypted by ransomware. One safe computing practice is to ensure you have accurate backups of your files. You will also need to ensure all data is being saved properly and verify your backups’ validity. Please contact CNC for your data backup options right away.
CNC advises that you do not pay the ransom.
Paying the criminals may never get your data back. There have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files. Plus, it encourages criminal behaviour.
We want to discuss the importance of having server images and solid backups of all data. This is the single most important part of your defence. CNC would like to review and verify the type of data backups you are currently using and then discuss our findings in detail. CNC will be reaching out to schedule an appointment and we would be glad to provide you with updated options for your system.
Microsoft has been getting more and more aggressive with their upgrade to Windows 10, but it is important to make sure that all of your important programs are compliant with Windows 10 before going through with the upgrade. This is very important since there are a number of mainstream and proprietary business applications that have known compliance issues with this new OS.
Since Microsoft began offering free upgrades last year, reverting Windows 10 upgrades has become one of our most common tech support calls. In many cases these were the unintentional result of Microsoft’s automatically scheduled upgrades. There are several reasons why people have chosen not to go to Windows 10 just yet, but from a business perspective, the process of updating and then reverting to the previous version can cause a lot of downtime.
If you have decided that your company would not benefit from upgrading, we have a couple of solutions that can disable Windows 10 upgrades on your machines until YOU are ready to make the switch. The ideal solution, if you are running Windows Pro, is a server-level policy that disables the upgrade dialogues across your network. Our remote technicians can also log into individual machines to prevent the upgrade; we just need a list of those employees and a means of contact.
Love it or hate it, Windows 10 is eventually going to phase out 7 & 8, but this migration should be done on your terms, after your company has had the opportunity to prepare and test for the upgrade, not because Microsoft decided to arbitrarily pick your name out of a hat.
If you are interested in blocking Windows 10 upgrades, give us a call at 504-224-9475 and we can do the rest.
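As an added example (not ComSolutions’ own tool), this PowerShell script does on a single Windows 7 / 8.1 machine what the server-level policy above does network-wide: it sets the two Windows Update policy values Microsoft documents for blocking the Windows 10 upgrade offer (DisableOSUpgrade and DisableGwx, described in Microsoft KB3080351) and reports whether each machine is compliant. It assumes an elevated PowerShell session; the domain-wide equivalent is the Group Policy setting “Turn off the upgrade to the latest version of Windows through Windows Update”.

```powershell
# Added example, not ComSolutions' code. Blocks the Windows 10 upgrade offer on a
# Windows 7 / 8.1 machine using the policy registry values Microsoft documents
# (KB3080351). Run from an elevated (administrator) PowerShell session.
# Written for PowerShell 2.0 compatibility, since that is the Windows 7 default.

$Policies = @(
    # Stops Windows Update from offering/installing the Windows 10 upgrade
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DisableOSUpgrade'; Value = 1 },
    # Turns off the "Get Windows 10" (GWX) tray app and its upgrade dialogs
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';           Name = 'DisableGwx';       Value = 1 }
)

function Get-UpgradeBlockState {
    # Reads each policy value and reports whether it matches the desired setting.
    foreach ($p in $Policies) {
        $current = $null
        if (Test-Path $p.Path) {
            $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($p.Name) }
        }
        New-Object PSObject -Property @{
            Path      = $p.Path
            Name      = $p.Name
            Current   = $current
            Compliant = ($current -eq $p.Value)
        }
    }
}

function Set-UpgradeBlock {
    # Creates the policy keys if missing and writes the DWORD values.
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord `
                         -Value $p.Value -Force | Out-Null
    }
}

# Only write to the registry when something is out of policy, then show the result.
$outOfPolicy = Get-UpgradeBlockState | Where-Object { -not $_.Compliant }
if ($outOfPolicy) { Set-UpgradeBlock }
Get-UpgradeBlockState | Format-Table Name, Current, Compliant, Path -AutoSize
```

When the company is ready to migrate, set both values to 0 (or delete them) and the upgrade offer returns; a Group Policy copy of the same settings will reapply them on the next refresh, so remove the policy there too.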
The legal requirement for websites to be handicap accessible has been a point of hot debate since the 90’s, but in August of 2016 (this decision has been deferred until 2018), that debate is finally expected to take a major turn in favor of our handicap community by requiring most websites to adopt the same handicap accessibility requirements as federally funded websites.
Understanding the new Section 508 Compliance Standard
In 1990, the Americans with Disabilities Act (ADA) changed the face of this country by legally requiring that places of public access be handicap accessible. Now we see wheelchair access and handicap parking available for every restaurant, doctors’ office, entertainment establishment, and government agency. At the time, however, the internet was so new that most people did not consider these companies’ websites as a necessary point of access for handicap individuals.
In 1998, Congress released a list of legally required compliance standards that apply to all federal and federally funded websites, ensuring that people with color-blindness, poor vision, total blindness, deafness, slow reading, paralysis, and seizure disorders could access these sites. These standards came to be known as Section 508 Compliance, or more simply “508”. The new 508 standard is not going to be a new law. Instead, it is a decision expected to be made by the Department of Justice to consider websites a “place of public access”, since so many public services are now only available online. Read more about this here.
What about International Compliance Standards?
While the United States was the first country to establish guidelines for handicap access, many other nations have chosen to adopt the more clearly defined international standard of accessibility known as WCAG 2.0. If you do business internationally, please check this list of nations and territories to see if your website is required to meet accessibility standards under the laws of other countries.
If you are unsure if your website meets your legal obligation for Accessibility, or if you have other accessibility questions, please contact our Web Development department today!
*Article updated on 11-22-16 to reflect the postponed date of this ruling.