Phishing in Your Own Waters

If you own a small business or professional services firm, you depend on your employees having enough tech savvy and common sense to avoid the links in email messages or on websites that would open your systems to bad actors. No matter how much you trust them, you need to verify they’re doing the right thing. You can test your human security defenses by running your own phishing expedition to see how they’re doing.

We’ve become acquainted with independent cybersecurity firms by attending conferences over the years. We learn a lot from our peers and presenters; two figures we’ve heard cited are that it takes an average of 244 days to detect a system breach and that using the cloud will be a necessity by 2028. We’ve also emphasized the need for a thorough security audit, but as an IT firm, there’s only so much we can do. We also think an IT firm is not the best organization to get into the granular details of your security, because we all have a vested interest in finding problems to fix.

An independent security expert can find the smallest openings in your system and tell you what needs to be done. One of the most revealing tools they use is a phishing campaign aimed at everyone who works in your organization. They can plant fake links, QR codes and any other lure a hacker would use to get someone to open a window into your system. They also have tools to mimic the follow-up methods hackers use once somebody makes the initial click, or the first phone call to a bogus number.

The educational value of using your own phishing expedition is enormous. Not only will it help you patch up holes in your organization, but it also becomes a great teaching tool about why everyone needs to be vigilant. As we use more and more data to conduct business – and in our personal lives – it becomes more and more important to protect that data. You should remember that your organization is part of a data custody chain – a chain that can branch off in many directions. Intruders are highly sophisticated and well-funded – as well as very patient. They will do whatever it takes to get into your system and build tunnels to other systems. You put your reputation and integrity on the line every time you take in data and send it out.

AI will be able to generate untold amounts of data, but there is little it can do to eliminate misinformation automatically.

Eliminating misinformation requires real human intelligence and deliberate, active steps to prevent that first breach – the one that could take 244 days to find. At the risk of sounding like a broken record, in every location and on every device used to conduct your business:

  • Use a firewall and make sure it’s up to date.
  • Use anti-virus and anti-malware software and make sure it’s up to date.
  • Install updates to operating systems and application software on every device you have. Those updates contain security patches and bug fixes to prevent intrusions.

We can help you arrange for a comprehensive security audit that includes a phishing expedition and a deep dive into your equipment and practices. Call us – 973-433-6676 – or email us to discuss your needs and develop a security action plan.

Holiday Security Alert

Scammers love chaos, and they are in heaven this holiday season. With shortages and high prices sending everyone scrambling for gifts while we dash to the end of the business year and try to make plans to see family and friends, scammers have an abundance of opportunities to find a weak spot in anyone’s online armor and penetrate for all you’re worth. Here are our steps to stop the scams.


Strengthen Your Security

We’re probably as normal as we’re going to get with working at home, and that will put more pressure on businesses and employees to step up security. Virtual Private Networks (VPNs) have been around for a while, but we’ve never been completely sold on them. They can give you a false sense of security.

As we see it, they depend on too many people (and organizations) doing the right thing to work effectively. A VPN only protects your traffic between your device and the provider’s endpoint; from there it crosses somebody else’s network, and unless you’re the one who vetted the provider and set it up, you have no way of knowing if it’s safe. If you use a computer, cell phone or tablet on a compromised VPN, every device you connect through it is exposed to whoever controls that VPN. It only takes one weak link to compromise a network, and it could take months before a security breach is found. That could be too late to prevent damage such as exposure of sensitive files or identity theft.

We’re OK with using a VPN while traveling. It’s generally good for a short period of time, and it’s likely to be used by a small group of people in your traveling party on known devices. Whether VPNs are reliably secure in certain communications environments is a debatable point. Given all that is going on today, we believe it’s better to err on the side of caution and use them in limited situations to meet specific needs.

There are much better steps to take, such as two-factor authentication, ideally with an authenticator app on your phone rather than text messages.

We’ve discussed two-factor authentication before. While it can take many forms, it most commonly works by sending a 6-digit code in a text message to a designated mobile device. You then need to enter that code on whatever device you’re using to log onto a website. The problem is that text messages can be intercepted: an attacker who talks your carrier into moving your number to their SIM card (a “SIM swap”) receives your codes, and a rogue cell tower or weaknesses in the carrier signalling network can redirect them. The tower attacks are not likely in the United States right now; they were more of a problem with older network generations. Still, it’s yet another reminder to keep your guard up at all times.

The authenticator apps from Microsoft and Google, two behemoths with an equally large stake in your security, take a different approach. They don’t store your password at all. When you enroll, the app receives a secret key (usually by scanning a QR code) that is kept on your device, not in the cloud, and it uses that key and the current time to generate the 6-digit code. Nothing is sent over the cell network. Anyone who wants to log in as you must know your username and password and physically have your unlocked device. That minimizes the chance you’ll be compromised, even with a lost or stolen phone, as long as the phone itself is locked.

We’re available to answer any questions you have about security on all your devices and across all networks. Call us – 973-433-6676 – or email us to talk about who uses various devices within your business organization or family and where they use them. We’ll help you develop a plan or policy, if necessary, to strengthen your weakest links and maximize security.

Who’s Your Office 365 Partner?

As an Office 365 administrative partner for almost all of our clients, we have extraordinary access to your systems – and a huge responsibility. You depend on our honesty and competency to keep your systems running and protect you from breaches. Some of our colleagues are not as good about this. Microsoft finally provided some tools to strengthen security.

We’re shocked it took Microsoft so long to do this, but they finally are requiring outside administrators, such as Sterling Rose, to keep two-factor authentication turned on at all times. We instituted this control years ago on all of our administrative accounts.

What brought the issue to a head? When Microsoft Office 365 went mainstream by making the subscription service available to individual users, families and small home-office businesses, it created a lot more accounts for us to service for our clients. It also created a password nightmare.

As administrators, we can go into accounts to see what’s needed to make sure you and anyone included in your subscription can do what’s needed. In most cases, we go in when called on to solve a problem. We are scrupulous about signing out properly, effectively shutting the door to your account on our end, and we have been scrupulous about two-factor authentication to protect access from our end.

In our opinion, the two-factor authentication covers the laziness or carelessness of some IT providers – and it also protects Microsoft from being responsible for any losses of data not connected to a Microsoft meltdown.

That puts the data-protection ball back in our court. We want to make sure you have your side of the court covered, and here are some things you can do. The big thing, of course is to have all of your files backed up. Microsoft OneDrive does this, but we don’t recommend it to be your only storage location. Azure, another Microsoft product, has backup and restoration capabilities, and there are other providers.

On our side of the court, we have two-factor authentication and other tools that fall under the label of cyber resiliency. Through the Information Technology Laboratory of NIST, part of the US Department of Commerce, a three-level approach to cybersecurity is being developed and refined. The first level, of course, is to resist penetration by cybercriminals. That approach has been around a long time, but we’ve learned that no defense can be entirely impervious.

Thus, we have two additional layers. The second seeks to limit lateral movement within a system once it’s been penetrated. Lateral movement is the technique hackers use to get from the first machine they compromise to other systems, and the strategies here put barriers in the way of gaining the permissions needed to do it. Defenses can include time limits that lock out an intruder, limits on the amount of data that can be exported from a system under attack, and deception, such as decoy systems and false data that waste the intruder’s time and reveal their presence. The third layer allows a system to keep operating while under attack so that business won’t be disrupted.

This gets us back to why it’s so important that Microsoft hardened its defenses for Office 365. It provides one more defense against penetration. At the same time, it provides another reason for your IT providers to have access to your system.

We have access to some of the tools needed to limit lateral movement within a system, many of them customized to your needs. Call us – 973-433-6676 – or email us to set up an appointment to discuss your needs and implement a plan.

Neglect – The Silent IT Killer

We saw all the signs of classic neglect when we started with a new client who had been dissatisfied with their previous service provider. The fact that updates were never installed was horrifying because the client was in a financial services field. We can’t say if there was willful or accidental neglect, but the lack of updates could have killed a business.

What we saw can happen in any office where a company owner or manager has lost trust in their IT service provider: They stumble onto an issue. In many cases, businesses trust their IT providers to the point that they don’t keep their passwords on hand (much less up to date) and don’t learn how to check that updates have been installed. For this client, it seems that automatic updates were turned on and then turned off.

We know that some IT providers and some users don’t like automatic updates because they want to be able to monitor how changes take effect or make sure all the bugs are out. We don’t agree with that practice, and this is an example why. When automatic updates are turned off, it’s too easy to miss a notification when one is available, and that can lead to all sorts of security risks. Bugs in updates are inevitable, and patches to fix them are issued pretty quickly.

In this case, the server hadn’t been updated for nearly two years (keep this time period in mind), but we didn’t learn that until the client forced the previous IT provider to send the passwords for the server and the firewall. Everyone should remember that you own your passwords – and remember that you should keep them stored in a safe but accessible place.

Once we got access, we learned that the physical server and firewall had not been updated for two years. The firewall had no security or operating system updates since 2012. We told the client they had to update everything immediately.

We also found that their Wi-Fi network was not properly segmented, and that allowed access to everything through their guest network. That was neglect on somebody’s part, and I’ll blame the previous provider. That’s something that should be taken care of without any excuses.

At that point, I took out my Dashlane password manager and immediately generated new passwords made of random digits, upper- and lower-case letters and special characters. I printed them out and reviewed them all with the client to make sure they had every one of them correctly.

You can avoid these problems by making sure you get automatic updates and by knowing all of your passwords. You can also make up for past neglect by checking yourself to see when the last updates were installed – as long as you have all of your passwords.

If you have a server, you can look at the date of your last update through your control panel. If you see a huge gap between the day you check and the last installation, that’s a bad sign. In the case of the new client, who had issues with a previous service provider, the last server update was nearly two years before we found the problem.

On a computer running Windows 10, press Ctrl+Shift+Esc to open Task Manager directly (Ctrl+Alt+Delete brings up a screen with a Task Manager option). Click on the Performance tab and highlight CPU on the left. You should see Up time near the bottom of the window; the numbers, left to right, are days, hours, minutes and seconds since the most recent restart. One caveat: with Windows 10’s Fast Startup feature enabled, choosing Shut Down does not reset this counter; only Restart does. If your uptime is 30 days or more, it’s a sign that you likely are not installing updates (most require a restart to take effect) or not rebooting to clear out accumulated problems. You can confirm what was installed, and when, under Settings > Update & Security > View update history. In one case, we saw an uptime of 286 days.

You can set up automatic updates for Windows and many of your applications. If you see or believe that your updates are woefully out of date, call us – 973-433-6676 – or email us to set up an appointment to walk you through the update process free of charge. You can’t fall behind on security.

Password Problems Revisited

To take our discussion of vanishing passwords one step farther, some recent service calls for clients who’ve been hacked – some multiple times – have provided still more reasons to move on to newer technologies.

We are getting numerous calls from clients to help them set up Dashlane, including one client who has been hacked seven times. We tried to get them to use Dashlane or Password Keeper. Now, they’re ready to do it the right way. They’re ready to move beyond the annoyance of having to remember or look up passwords for security and type them into a website. For now, Dashlane or another password manager can resolve the issue for most people who are fearful of trading passwords for newer password-less technologies.

As we’ve noted, people set up passwords that are easy to remember or type. There’s generally enough repeatability that a code cracker can solve the puzzle you’ve tried to create. That happened with our client, whose bank account was hacked. As we were setting up Dashlane and downloading emails, we noticed the client had been getting alerts that the password had been changed. They had not made those changes. It took a phone call to resolve that issue, and it took Dashlane to ward off the hackers.

We should note here that there are a couple of important side lessons to learn from this experience. The first is on you: Call the company – and don’t necessarily use the phone number in the email; get one from their website. The second is on the companies: Make it easier to get a human on the phone when somebody has a security issue. We went through five layers of voice prompts before talking to a person.

Once the “alert” issue was resolved, we were able to fully install Dashlane. The process does take time. Installing any password manager requires you to pay attention to details and maybe some repetition. For financially sensitive accounts, you may want to generate another round of new random-pattern passwords as an extra layer of security. A password management program should allow you to print a copy of your database with all of your passwords – just in case there’s a mistake or if you decide to stop using the program. It should also work across all of your devices: computers, phones, tablets, etc. If you are one of the growing number of people who use an infotainment system in your car like a computer, you might want to change sensitive passwords frequently – as often as once a week.
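The point about “repeatability” above, and the random passwords mentioned here and in the Neglect article, can be put in numbers. The following is an added example (not Dashlane’s code or anything from this newsletter): it generates a password the way a password manager does, from the operating system’s cryptographic random source, and compares the size of that search space with the size of the usual human pattern of a word, two digits and a symbol. The guessing rate used for the time estimate is an assumption stated in the code, not a measured figure.

```python
import math
import secrets
import string

# Character classes a generated password must draw from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())   # 86 characters


def has_all_classes(password: str) -> bool:
    """True when at least one character from every class is present."""
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Draw every character with the OS CSPRNG (the secrets module, never
    random.choice), then reject and redraw until every class appears. The
    rejection keeps the result uniform over passwords that satisfy the rule,
    which is what a password manager's generator does for you."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random password: log2(alphabet ^ length)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(word_choices: int, trailing_digits: int, symbol_choices: int) -> float:
    """Bits of entropy in the human pattern Word + digits + symbol, assuming the
    attacker knows the pattern and only has to enumerate the pieces."""
    return (math.log2(word_choices)
            + trailing_digits * math.log2(10)
            + math.log2(symbol_choices))


def crack_time_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every possibility. The default rate is an assumption for
    illustration (an offline attack on a fast hash with GPU hardware); a
    website that rate-limits logins is far slower, a leaked hash is not."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw)
    human = pattern_entropy_bits(word_choices=20000, trailing_digits=2, symbol_choices=10)
    machine = random_entropy_bits(20)
    print("Word+2digits+symbol: %.1f bits, %.2g years" % (human, crack_time_years(human)))
    print("20 random chars:     %.1f bits, %.2g years" % (machine, crack_time_years(machine)))
```

The pattern password comes out around 24 bits, a space that an offline attacker exhausts in a fraction of a second, while the 20-character random one is around 128 bits. That gap, not the special characters by themselves, is why the generated password is the one to keep.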

Again, you only need to remember your master password for the password manager, and that can be a tremendous time saver, especially if you need to access a website from a mobile device.

But again, we believe you should use password-less technologies. They’re more secure, and they are easier to use than many perceive. For example, many Windows 10 computers have Windows Hello, and you can use that to add a fingerprint reader. The reader itself is about the size of a wireless mouse device and plugs into a USB port. Similarly, many mobile devices can use your fingerprint to verify you are the owner and user. If your computer or device has this capability, we strongly urge you to use it.

Many computers and devices also have built-in cameras that can be used for biometrics, and some advanced security measures use locations and usage patterns in place of passwords. As a backup, all of these measures have provisions for a PIN or a password if the biometric program can’t be used or if you don’t want to use it.

We can help you set up a password manager or – better still – go password-less. Call us – 973-433-6676 – or email us to get answers to your questions or to set up an appointment to manage your online security.

Network Strength and Costs

With more and more devices in our homes – more than you think – you need to strike a balance between speed and cost. Keeping your network strong and secure is a given, but you should look at what you can hardwire into your gateway to maximize speed and free up wireless capacity for devices and systems that can’t be wired.

Many people have looked to simple solutions such as EERO, which plugs repeaters into power outlets in homes and offices. It’s known as a wireless mesh system, and it’s a technology that hasn’t won us over. The modules are repeaters, and the problem is that each time you repeat, you cut signal strength, and that diminishes the speed of the network to deliver signals to the target computer, TV, tablet or smartphone.

You might think you don’t have that many devices on your network, but you’d be surprised. In our house with four people, we have a dozen computers, tablets and smart phones, plus several automated systems for the doorbell and for turning on certain lights. We also have a Sonos sound system with seven speakers around the house. I haven’t added in smart TVs, which many households have. Most of them connect over the home wireless network, and then people use that same wireless network to stream movies and shows – especially if they’ve cut the cord on cable TV.

Depending on your provider, you can get Internet connections ranging from 15 megabits per second (Mbps) to 1 or 2 gigabits per second. Many users in moderately connected homes have service ranging from 50 to 300 Mbps. The faster the speed, the more data it pushes through per second. However, the TVs, computers and devices on your wireless network may not be getting the full speed you’re paying for because of repeaters and the number of devices using the network at a given time.

You can maximize wireless performance and your Internet costs by hardwiring some computers and smart TVs and then determining how much speed you need to support your wireless devices. Wired computers and TVs will get the full benefit of your connection speed, and you may not need as fast (and expensive) a connection as you think.

To use our house as an example, we have a 150 Mbps connection, and we use it more for downloading large files than for streaming movies and shows. With hard wiring, it works fine. If I doubled the speed to 300 Mbps, it would cost $90 per month more. That’s $1,080 more per year, and I wouldn’t get the full performance because of the wireless penalty.

With smart TVs and streaming becoming more popular, TV manufacturers are heading off potential problems with customer satisfaction by including Ethernet connections in their units. Taking advantage of the hardwiring capability can help you avoid problems elsewhere in your home.

In the office, hardwiring as many components of your system to the network as you can is essential. Hardwiring guarantees your computers and peripherals will work at the speeds you’re paying for, and it frees up wireless capacity for the devices that must be wireless, such as phones and tablets.

Regardless of whether you have a home or business network, remember that your service speed can be increased or decreased without a visit from a technician. You can see how one connection speed works and then have your provider raise or lower it from their service center.

We can help you by installing the wiring and connecting your equipment. We can also help you analyze your system’s performance to find the right combination of speed and cost. Call us – 973-433-6676 – or email us to set up an appointment to discuss your needs.

Network Security More Vital Than Ever

In helping a new customer work through some set-up issues, we found an outdated Wi-Fi security system. With more hackers finding more ways to get into more systems for more personal information, it’s just plain stupid not to make sure you have a secure Wi-Fi system and a strong password.

Let’s start with a secure router. The technology is mature, as far as IT goes, and the current security technology, known as WPA2 (Wi-Fi Protected Access, second generation), works very well if you set it up properly with a long passphrase and AES (CCMP) encryption rather than the older TKIP option. Its successor, WPA3, is preferable where your devices support it. A new router is also not that expensive, especially in relation to the value you need to protect, but we’ll get to that farther down in this article.

We were astounded when we found an ancient WEP security system on a new Wi-Fi installation when we began servicing a new client. WEP stands for Wired Equivalent Privacy, but in today’s practical terms, you might as well call it WET, as in wet paper towel. If your Wi-Fi password is a string of 10 or 26 hexadecimal characters (the digits 0 through 9 and letters A through F) that you’ll never remember, it’s probably a WEP key. While the key may be hard to type, it’s easy for a hacker to recover: WEP’s design flaws let an attacker who captures enough of your traffic compute the key in minutes with freely available tools.

The client still had an old WEP Wi-Fi because they were told it would be an expensive, time-consuming project. However, they “wasted” a considerable amount of money because they somehow wound up with enterprise-level equipment. Along with getting worthless advice, they had a pound-wise, penny-foolish Wi-Fi system with vulnerable security that had cumbersome management steps.

If their Wi-Fi was old enough to have the older security technology, then it was old enough to replace. Manufacturers also stop issuing firmware updates for older routers, and in our experience the radio in the average router begins to lose its power after three or four years, so our client probably wasn’t getting performance in addition to not getting the most up-to-date security and a more efficient way to grant access to those who need it.

In today’s offices with the BYOD (Bring Your Own Device) environment, WPA 2 works very well. You can make a password easy to remember – just make it long – so that your authorized users can get their smartphones and tablets onto the network. That boosts productivity. At home, we’re streaming more, and that needs a good network.

Regardless of how you use your network, security is paramount. If an outsider gets into your network through a hole in your Wi-Fi, they’re already past the firewall. Once they get that far, it’s easy to get into any computer or server on your network and get financial information, medical records and anything that they can use to make money at your expense. You could also be responsible for somebody else’s criminal activity, such as distributing child pornography.
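Finding a WEP or open network like the one described above does not require a site visit. The following is an added example (not code from this newsletter) that rates every network a laptop can see. It assumes the terse output format of the Linux command `nmcli -t -f SSID,SECURITY dev wifi`, one `SSID:SECURITY` line per network with an empty SECURITY field for an open network; the scan text embedded in the code is constructed for the example, and the networks in it are made up. It goes one step past the article by also recognizing WPA3 and mixed WPA/WPA2 mode.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample in the shape of `nmcli -t -f SSID,SECURITY dev wifi`
# output. nmcli escapes a colon inside an SSID as "\:"; the SECURITY field
# never contains one, so splitting on the last colon is safe.
SAMPLE_SCAN = """\
FrontOffice:WPA2
FrontOffice-Guest:WPA2
Warehouse:WEP
LegacyPrinter:WPA1
CoffeeShop:
Boardroom:WPA2 802.1X
Mixed\\:Mode:WPA1 WPA2
NewLab:WPA3
"""


@dataclass
class Finding:
    ssid: str
    security: str
    verdict: str   # "replace", "upgrade" or "ok"
    reason: str


def rate_network(ssid: str, security: str) -> Finding:
    """Classify one network by the weakest protection it advertises."""
    tokens = set(security.split()) - {"--"}   # the table view prints "--" for open
    if not tokens:
        return Finding(ssid, "open", "replace",
                       "no encryption; anyone in range can join and read traffic")
    if "WEP" in tokens:
        return Finding(ssid, security, "replace",
                       "WEP keys are recovered from captured traffic in minutes")
    if "WPA1" in tokens and not tokens & {"WPA2", "WPA3"}:
        return Finding(ssid, security, "upgrade",
                       "WPA (TKIP) only; reconfigure for WPA2/WPA3 with AES")
    if "WPA1" in tokens:
        return Finding(ssid, security, "upgrade",
                       "mixed WPA/WPA2 mode; disable the WPA1 fallback")
    return Finding(ssid, security, "ok",
                   "WPA2 or WPA3; the remaining risk is a weak passphrase")


def parse_scan(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ssid, security) pairs from nmcli's terse output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, _, security = line.rpartition(":")
        yield ssid.replace("\\:", ":"), security.strip()


def audit_scan(text: str) -> List[Finding]:
    return [rate_network(ssid, sec) for ssid, sec in parse_scan(text)]


def networks_to_replace(text: str) -> List[str]:
    """SSIDs that should be taken off the air, not just reconfigured."""
    return [f.ssid for f in audit_scan(text) if f.verdict == "replace"]


if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN):
        print(f"{f.verdict:8} {f.ssid:20} {f.security:12} {f.reason}")
```

A network that rates “ok” here is only as good as its passphrase and its segmentation; the guest network from the Neglect article above advertised WPA2 and still gave visitors a path to everything else.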

We can help you install and set up a new Wi-Fi network with WPA2 security. We can also help you set up filters to keep employees or children from accessing specific websites. We can do it all over the phone and through remote access. Call us – 973-433-6676 – or email us to discuss your options and set up your system.