Who’s Your Office 365 Partner?

As an Office 365 administrative partner for almost all of our clients, we have extraordinary access to your systems – and a huge responsibility. You depend on our honesty and competency to keep your systems running and protect you from breaches. Some of our colleagues are not as good about this. Microsoft finally provided some tools to strengthen security.

We’re shocked it took Microsoft so long to do this, but they finally are requiring outside administrators, such as Sterling Rose, to keep two-factor authentication turned on at all times. We instituted this control years ago on all of our administrative accounts.

What brought the issue to a head? When Microsoft Office 365 went mainstream by making the subscription service available to individual users, families and small home-office businesses, it created a lot more accounts for us to service for our clients. It also created a password nightmare.

As administrators, we can go into accounts to see what’s needed to make sure you and anyone included in your subscription can do what’s needed. In most cases, we go in when called on to solve a problem. We are scrupulous about signing out properly, effectively shutting the door to your account on our end, and we have been scrupulous about two-factor authentication to protect access from our end.

In our opinion, the two-factor authentication covers the laziness or carelessness of some IT providers – and it also protects Microsoft from being responsible for any losses of data not connected to a Microsoft meltdown.

That puts the data-protection ball back in our court. We want to make sure you have your side of the court covered, and here are some things you can do. The big thing, of course is to have all of your files backed up. Microsoft OneDrive does this, but we don’t recommend it to be your only storage location. Azure, another Microsoft product, has backup and restoration capabilities, and there are other providers.

On our side of the court, we have two-factor authentication and other tools that fall under the label of cyber resiliency. Through the Information Technology Laboratory of the US Department of Commerce, a three-level approach to cybersecurity is being developed and refined. The first level, of course, is to resist penetration by cybercriminals. It’s an approach that’s been around, but we’ve learned that no defense can be entirely impervious.

Thus, we have two additional layers. One layer seeks to limit lateral movement within a system once it’s been penetrated. The strategies include barriers to gaining permissions to move laterally within a system, a technique that hackers use to get to other systems. Defenses can include time limits to lock out an intruder or limit the amount of data that can be exported from a system under attack. Another defense is to provide misinformation. Another layer of security will allow a system to operate while under attack so that business won’t be disrupted.

This gets us back to why it’s so important that Microsoft hardened its defenses for Office 365. It provides one more defense against penetration. At the same time, it provides another reason for your IT providers to have access to your system.

We have access to some of the tools needed to limit lateral movement within a system, many of them customized to your needs. Call us – 973-433-6676 – or email us to set up an appointment to discuss your needs and implement a plan.

Who’s in Your Electronic Wallet?

Complacency is likely to be the greatest threat to your online security. The FBI recently reported that the padlock icon and HTTPS:// in a website cannot be trusted all the time in letting you know a site is safe. With the cost of SSL-TSL certificates falling, it’s cheap for crooks to set up malware sites and lure you in. We’ve discussed on-line shopping security and keeping other transactions secure, but the FBI’s warning compels us to revisit a few ideas.

First, what is an SSL-TSL certificate? The certificate is an acknowledgement that the owner of a website has installed SSL or TSL technology provide secure communications over a computer network. The certificates are granted by third-party providers, such as VeriSign, which is now owned by Symantec. The certificate shows us HTTPS (Hyper Text Transfer Protocol Secure) in a secure website’s URL. You can view the certificate by clicking on the lock symbol on the browser bar.

What do SSL and TSL stand for? In short, SSL stands for Secure Sockets Layer, the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems. It’s designed to prevent criminals from reading and modifying any information transferred, including potential personal details. TLS (Transport Layer Security) is just an updated, more secure, version of SSL. Symantec still refers to security certificates as SSL because it is a more commonly used term. SSL certificates can also cover other internet- based communications, and they come in various levels. If you are curious, you can click here to read more from Symantec than you might want to know.

What you should know, the FBI reports, is that cybercriminals are more frequently incorporating website certificates when they send emails that imitate trustworthy companies or email contacts. They’re typically phishing schemes used to acquire sensitive logins or other information by luring potential victims to a malicious website that looks secure.

We’ve published many articles that call for the internet industry to provide more safeguards, but as we’ve always noted, cybercriminals are working just as a hard to defeat current and developing security tools. One industry executive hit the nail on the head by noting that cybercriminals can’t work around an aware user, who has been trained to look for misspellings in the URL of a web page and knows not to trust a padlock icon. Addressing her firm’s corporate business targets, the executive called on organizations to invest in solid, continuing training programs.

We echo the FBI, which says the following (familiar) steps can help reduce the likelihood of falling victim to HTTPS phishing:

  • Do not simply trust the name on an email: question the intent of the email content.
  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
  • Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
  • Do not trust a website just because it has a lock icon or “https” in the browser address bar.

The FBI encourages victims to report information concerning suspicious or criminal activity to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. If your complaint pertains to HTTPS/SSL/TSL issues in a phishing expedition, write “HTTPS phishing” in the body of the complaint.

You can protect yourself by being prudent and deliberate when opening emails and clicking on links, and you can support your efforts by installing, updating and using anti-virus and anti-malware protection programs. We work with several trusted providers, including Symantec, and we can help you select and set up the programs that best meet your needs. Call us – 973-433-6676 – or email us if you think your security may have been compromised or if have any questions about online security verification.

Security and On/Off Wi-Fi

We’re seeing more Ring doorbells. They offer you the ability to monitor your door from anywhere through the internet and your Wi-Fi network. But some clients have told us they don’t want their network on at all times because of radio frequency waves.

We don’t share some people’s concerns about damage from radio waves. We carry cell phones in our pockets and hold them up to our ears. We can reduce our exposure to radio waves by using a headset, but nearly everyone uses a Bluetooth device, which operates on…right.

Despite a majority of scientific studies that radio waves from cell phones pose no danger to most people, some like to avoid them wherever possible. And those avoidance steps include shutting off Wi-Fi systems – routers and boosters within a home – for periods of time.

Personally, we believe that defeats the purpose of having a security device, such as Ring, which can record and store images of anyone coming to your door, even if they don’t ring the bell. But your Wi-Fi has to be on, or else you can’t identify a threat to your home.

The issue of no internet or Wi-Fi was brought home to us this past summer with 10 days left on our vacation. We saw that Ring alerts had stopped – because our internet service was down. We were able to contact Verizon while in Europe, and they were able to restore our service as soon as we got home. But during the time it was out, we lost part of our security protection. (For the record, our service was knocked out by a squirrel.) That being said, we can help you set up a program to automatically control the operating times of your Wi-Fi network. Call us – 973-433-6676 – or email us to discuss all the pros, cons and options.

Inside the World of Updates

Facetime updates got a lot of face time recently with all the reports about how a 14-year-old discovered a bug that left a mic open even if a recipient didn’t answer a group Facetime call. It was shocking but not surprising, based on how updates are developed and implemented.

Apple, Microsoft, Google and other technology companies are huge corporations and, as such, are highly compartmentalized. When I visit trade shows and conferences and can find an engineer or software developer to discuss very specific issues related to hardware, firmware or software, the conversations very technical and very tightly focused. They are brilliant people, but they operate in silos.

So, when a problem like the Facetime issue surfaces, it’s likely to involve a piece of code that only one person or a small team worked on – based on instructions that may have come down through several layers of command. That person or team didn’t talk the public or get any feedback based on a personal interaction. Further, the amount of code needed to implement a feature such as a group Facetime session is massive. It’s written in sections and assembled in sections, and even though they are tested, errors can occur each time lines of code from various teams are put together. The people involved do a great job, and the percentage of errors to lines of code written is practically microscopic.

The bottom line is that bugs will show up in the real world, and they need to be found and fixed before any catastrophic consequences show up. But code is not the only factor in updating software for use on a computer or device. We see a lot of old computers and devices with old operating systems that simply cannot handle updates.

We were reminded of the technology gap that opens up when working with older systems. It involved a family business, and technical challenges arose as some family members wanted capabilities that were requested by others. The challenges came as we had to work with computers and devices with a wide range of ages and with differences between Windows 7 and Windows 10. We had to be mindful that Windows 7 is 12 years old and that we are six versions into Windows 10.

Our common thread in the solution had to be sealing up security breaks. We can’t emphasize enough that security patches are the biggest improvements in upgrades and updates, although we all get excited about new features and capabilities. And the problem is that an older system can only handle a limited number of security and feature updates.

At some point, it doesn’t pay for a software or hardware provider to support older systems. Their developers have to jump from one issue to another like playing Whac-A-Mole, and then there is a smaller universe of real-world users to provide feedback on the new code and then use it.

One of our missions is to make the most efficient use of your money. We’ll always do our best to avoid having you buy new equipment or software by trying to find a good workaround. But sometimes, buying new technology can give you a better return on your investment, and one of the reasons to do so is to take advantages of upgrades and updates that are used by a larger universe of people and businesses. That can be especially beneficial based on the how the update world lives.

We can help you install, configure and test updates, and we can advise you on whether to upgrade or keep your current technology. Call us – 973-433-6676 – or email us for a consultation.

Hack Attack Continues vs. Businesses and People

While government-sponsored hacking and disinformation makes big news, don’t take your eye your eye off the ball when it comes to protecting your personal and corporate data. A report from a consulting firm, Positive Technologies, painted a dark, dark picture, saying the second quarter of 2018 showed a 47 percent increase over 2017. You need to remain vigilant, even when events are beyond your control. Nobody is immune.

As reported in Tech Republic, Positive Technologies said the most common methods of cyberattack are:

  • Malware (49%), with spyware or remote administration malware being the most widely used forms of infection.
  • Social engineering (25%) is the term for manipulating users into believing a message, link, or attachment is from a trusted source, and then infecting targeted systems with malware, stealing money, or accessing confidential information.
  • Hacking (21%) exploits vulnerabilities in software and hardware, causing the most damage to governments, banks, and cryptocurrency platforms.
  • Credential compromise (19%) targets password managers used for storing and keeping track of passwords.
  • Web attacks (18%) are online racketeering attempts to extort website operators for profit, sometimes by threatening to steal client databases or shut down the website.
  • DDoS (5%) tends to be the weapon of choice for business rivals, disgruntled clients, and hacktivists. Political events can drive attacks on government institutions. Criminals can use DDoS attacks to take websites offline and demand payment from the victims.

Attacks can be made in tandem, such as the common duo of using phishing emails to trick users into downloading malware.

Financial and healthcare institutions, retailers, and government databases remain prime targets, but higher education institutions and even school districts are being attacked. Wired reports that this past March, the Department of Justice indicted nine Iranian hackers in alleged attacks on 144 US universities and 176 in 21 other countries. They were also cited for attacking 47 private companies.

Hackers are homing in on the money. Positive Technologies said targeted attacks are outnumbering mass campaigns, with attacks directed at companies and their clients, as well as cryptocurrency exchanges. Data theft is driving an increasing number of attacks, with many criminals seeking personal data (30%), credentials (22%), and payment card information (15%). To steal this data, hackers are compromising online platforms, including e-commerce websites, online ticketing systems, and hotel booking sites.

The scary part for us is the report you can never be sure that criminals don’t have your credit card number from one source or another. Even a brand-new smartphone in a store can have pre-installed malware.

People and businesses can take steps to keep their data safe by installing updates for operating systems and application software and installing antivirus protection on all systems and endpoints and keeping it up to date.

Businesses can encrypt all sensitive information, perform regular backups, minimize the privileges of users and services as much as possible, and use two-factor authentication. Enforcing a password policy with strict length and complexity requirements, and requiring password changes every 90 days, can also help protect systems.

We offer security audits for businesses, and we can answer any questions individuals have about protecting themselves from cyberattacks. Call us – 973-433-6676 – or email us to set up an appointment.

Updating Your Cloud Strategy

We hear all about the cloud without end. For large corporations and individuals, using the cloud is a nearly flawless solution for storing and accessing apps and data from anywhere. But for small businesses, exclusive reliance on the cloud may not be the best solution. Here are some decision-making factors.

First, for all their differences in size, a huge corporation and an individual have a few things in common. Individuals and corporate employees can travel anywhere in the world and need to access apps and data wherever they are. The cloud works really well for this.

Although they operate on totally different levels, subscription-based apps such as Office 365 work really well for individuals and large corporations. Individuals can share the cost over a large user base, enabling each to benefit from constant upgrades that app publishers can update from central locations. Large corporations essentially do the same thing within their communities. They spread their cost over many users, and their tech teams control the software-update process to keep operations running as smoothly as possible.

A small business is different in one significant way. It’s essentially a self-contained community of users who use the same apps and data in one location. Yes, that business may have employees who log in ‘from remote locations, and yes, it may benefit from subscription-based application software. But we are likely talking about 10 to 100 people who are working with the same apps and data in a “bubble” known as the office. While small businesses combine to form a huge user base, each has its own specific needs, and our clients rely on us to customize systems to meet specific needs.

Therefore, the cloud may not be the solution, especially if you are a small business still working with a combination of a Windows 7 operating system and a Windows 2008 server, either in your office or in the cloud. We’re approaching a perfect storm with that combination because by January 2020, Windows will no longer support that OS and server platform. They’re too old and expensive for Microsoft to develop performance upgrades and security patches. You are being brought to a decision point.

We recommend that small businesses look at a cost/benefit analysis that covers five years to determine whether you upgrade your OS and server or migrate to the cloud. Five years is a good projected lifetime for a server and OS, it makes it easier to compare their cost with setting up and using a cloud-based system.

Setting up a server on the cloud involves costs, including the cost of server space and the cost to set it up to meet your needs. Once that’s done, your maintenance cost should be minimal. If your business runs Office 365, you already have a cloud presence through Azure, Microsoft’s cloud system. And while Azure automatically updates its server, it’s still a maintenance operation. All cloud servers need maintenance, and it’s something you pay for as part of your agreement.

Of course, using a cloud-based server requires access to a good internet connection, one with sufficient bandwidth for your needs and virtually perfect reliability. If you don’t have the bandwidth, your business won’t operate at its desired level. If your service goes down, you’re out of business until it’s restored.

If your computing needs are largely internal, you might be better served with your own server on a strong internal network, which can be hard-wired for better performance and security than a Wi-Fi network. You’ll incur purchase and set-up costs for your server, and you’ll need to install all updates in a timely manner. But your maintenance expenses should be relatively low once you’re up and running.

By setting up computers as terminals on a server and hard-wiring the network, you won’t need a router system or a big pipeline to the internet. You’ll also have fewer internet access points to secure, and that could help keep out intruders. Finally, depending on your employees, they’ll likely be less likely to wander off to other things on the internet.

Whichever way you go, you will have the most up-to-date servers, application software and security technology available at the time of installation. Cloud systems will update automatically, but your internal system can be configured to download and install updates.

With a January 2020 deadline, you have time to analyze your options and start moving along your chosen migration plan. We can help you analyze your business’s needs over the next five years and put a plan into action so you don’t miss a deadline or a beat. Call us – 973-433-6676 – or email us for an appointment.

Hello, New Security Technology

Passwords are on the verge of becoming extinct, and for many people, the passing of passwords will be like getting rid of a migraine. With the latest Windows 10 major update from Microsoft, your computers and devices may now say “hello” to you to access Microsoft accounts, and additional security measures may now work together better with smart devices. Facial recognition is playing a big role.

Security is more important than anything in today’s world, and hackers keep cyber defenders back on their heels in many instances. Our message continues to be that you need to harden your security measures while you have control of your computer, device, network, etc. If you wait until it controls you, it can cost you a lot of time, money and aggravation.

Combining facial recognition with another authentication factor is one element of Hello, which is available on certain computers with Windows 10 installed. It replaces a password with biometrics to authenticate secure access to devices, apps, online services and networks with a fingerprint, iris scan or facial recognition. It’s considered to be more user friendly, secure and reliable than traditional passwords, which are easy to crack because most people use simple ones they can remember or leave written notes in easy-to-find places.

You can authenticate a Microsoft account or a non-Microsoft service that supports Fast Identity Online (FIDO) by setting up a facial scan, iris scan or fingerprint to log into a device. Hello uses 3D-structured light to create a model of someone’s face and then uses anti-spoofing techniques to limit the success of people creating a fake head or mask to spoof the system. Once you set up your initial scan, the image will enable you to unlock access to Microsoft accounts, core applications and third-party applications that use the system. You can modify facial and iris scans, and add or remove additional fingerprints, and you can uninstall biometric identification.

Microsoft has updated Hello to support new security keys and offers two-factor authentication. There are keys to authenticate users for Azure Active Directory without requiring that a user enter a username or password, or even set-up Windows Hello beforehand. Technology advances could include authentication through a smartphone, but don’t expect any of those to involve text messages. Your cell phone number can be easily highjacked, and a perpetrator can simply have all of your passwords sent somewhere else without you ever knowing about it.

Windows’ latest update, version 1809, which is being pushed out this month, will increase the number of computers able to use Hello, and that will certainly help expand its user base – which, in turn, will spur more development of more ways to use it.

Microsoft is working with a growing number of service providers and device manufacturers to give its users a more seamless method to authenticate multiple accounts. Ultimately, the industry needs to tighten its false rejection rates and “liveness detection,” which ensures that the scan is that of a living person.

We’re confident that use of these new systems, such as Hello, will make us more secure, especially for business systems. We still see so many offices with passwords attached to computer monitors. Hello will go a long way to eliminating this particular potential for security breaches.

If you have computers that can work with Hello, we urge you to take a close look at implementing it. If you have questions about getting computers that are compatible with Hello or will be, we can help you set it up or prepare you to set it up. In the meantime, we can perform a security assessment to make sure your information technology system has no open backdoors or trapdoors that can allow access. This can be especially important, as one client discovered after they bought a company and started to merge IT systems.

Call us – 973-433-6676 – or email us to talk about your security.

Password Agony; No Ecstasy

Passwords are a total pain. Upper- and lower-case letters, numbers and special characters in one password are likely unbreakable over the course of a lifetime. But just to be safe, you’re required to change them periodically – without repeating one you’ve previously used for a website. And if you go to extremes, well, it is possible that someone can beat you over the head and hold your finger or an open eye in front your phone and access your bank account. A password manager could relieve that pain.

Password managers are applications on your computers and devices to access a database where your passwords are stored. One of the big pains they relieve is the need to remember multiple complex combinations of letters, numbers and characters that – to be effective – are totally random. Almost all password managers let you create a master password for access to your identity vault, and then the password manager fills in individual user IDs and passwords for the sites and apps you use. One benefit is that you can give each site or app a different, complex and hard-to-remember password. They also relieve the burden of making required password changes for websites by generating a new one.

For those of you thinking several steps ahead, you are not tied to a password manager forever. You can always download the database with your passwords and user names, allowing you to leave the service and change passwords at each website as needed.

Of course, there’s some risk to a password manager. If a hacker gains access to your master password, all your accounts are open to plundering. Likewise, if a hacker manages to breach the central vault of the password management company, it’s possible that millions of account credentials could be stolen in a single hack.

Good password managers have defenses for both possibilities. Most employ multifactor authentication, so access is granted only with both a correct password and a correct authentication code. That code exists only on a device you own, limiting the ability for someone on the other side of the world to gain access to your information. They also encrypt your password information locally, before it ever leaves your devices, on the servers operated by the vendors. In most cases, this is strong enough.

You have a lot of choices for password managers. We happen to like Dashlane, which gets strong reviews from sources such as PC Magazine, Tom’s Guide, and CNET. You can find more than enough reviews of Dashlane and other program managers, some subscription-based and some free. You should remember that we’re not always enamored with free programs, but regardless of price, here are some things to consider.

Your password manager should secure your data on your machine and in the cloud with an industry-accepted, tough form of encryption that’s widely used today. Along that line, it’s good to have a password manager that scans the dark web to make sure you haven’t been compromised.

It should work across multiple platforms with software for Windows, macOS, Android and iOS, and you should be able to install it on an unlimited number of devices for a single (usually paid) account, store an unlimited number of passwords and generate new, strong passwords for you, even on a mobile device. We like one that can alert you to data breaches and give you a two-factor authentication option for master passwords. Some will offer to save personal information, such as personal details, credit-card numbers and other frequently used information to quickly fill out online forms. While this is optional, it may be safer than letting a website save your credit-card information.

While no password manager can recover your master password if you forget it, it’s helpful to have one that lets you reset your password. Another good feature is one that lets you provide an emergency contact so that a trusted person can access your websites and apps if you are unable to do so.

Choosing a password manager and setting it up can be daunting tasks, but we can help. Call us – 973-433-6676 – or email us for answers to your questions or to walk through the setup.

Airports, Wi-Fi and VPNs

Since most of us fly in and out of Newark Liberty International Airport, you might want to know that it’s ranked fifth on one list of airports where your phone is mostly likely to be hacked. Setting up a VPN (virtual private network) might not be your answer, either, because they are not always as reliable as you think for protecting privacy. Your best protection is your own cybersmarts.

Newark’s lack of security was highlighted in a recent article by Tech Republic about the 10 US airports where you’re most likely to be hacked. That article was based on a report by Coronet, an internet security provider, which looked at the 45 busiest airports in the country. The report applies mostly to businesses, but a lot of it can apply to all travelers.

Why are airport wi-fi systems vulnerable? Lax cybersecurity at most airports lets bad guys onto insecure public wi-fi to introduce a plethora of advanced network vulnerabilities, such as captive portals (AKA Wireless phishing), Evil Twins, ARP poisoning, VPN Gaps, Honeypots and compromised routers. Any one of these network vulnerabilities can empower an attacker to obtain access credentials to Microsoft Office 365, G-Suite, Dropbox and other popular cloud apps; deliver malware to the device and the cloud, and snoop and sniff device communications. Further, not all VPNs give you rock-solid protection against attacks, and USB charging stations are notorious being vulnerable to attack.

To be fair, the report puts the probability of connecting to a medium-risk network at 1 percent and the probability of connecting to high-risk network at 0.6 percent. The same numbers for the worst airport, John Wayne Airport-Orange County Airport are 26 and 7 percent, respectively.

But why take a chance when you can take steps to reduce even the slightest risk? Even at a 1 percent risk, you’re still gambling, and the cost of a breach could be more than the cost of more data on your cellular plan. To be safe, use cellular data in public places.

But let’s try to put all of this in perspective. If you’re checking your email or browsing the internet at the airport, you’re not using much cellular data. The heavy use comes in streaming movies or TV shows or in downloading content with a lot of pictures and video. To keep data use minimal, change your settings so you don’t download pictures and video. If you can, download and store reading and viewing material onto a device before you leave home. If not, buy a newspaper or carry a book to kill time at the airport.

When you’re at various locations – anywhere in the world – make sure you check that you are on a legitimate network. In Europe, for example, we found that the wi-fi networks were faster than data networks, and that made it better to use them to download email. But if speed is not an issue or if the wi-fi is slow, you’re safer on cellular.

We’d also like to add one more reminder: Although this article deals with airports, the same safety precautions apply to any public network. They’re all prime targets for hackers. The notorious bank robber Willie Sutton was once asked why he robbed banks. His answer: “That’s where the money is.” Today, data is where the money is; hence the hackers.

If you have any questions about securing your phones, devices and computers, call us – 973-433-6676 – and email us.

IoT and the Fourth Industrial Revolution

At a recent technology conference in Las Vegas, I was overwhelmed by how far technology has advanced in such a short time – and by how much faster the impact of technology on our lives will grow. We are in the Fourth Industrial Revolution.

Where are we headed? We’re headed for the clouds – the massive server and data storage networks make it possible to do everything imaginable from a phone or tablet from anyplace in the world where you can get an internet connection. This time-compressed evolution is the Fourth Industrial Revolution. Yes, it does seem strange to talk of an evolution, which is long-term movement, with the short burst of a revolution. But that’s just how fast technology moves.

In 1995, we were astounded that we had PCs on every desk. By 2005, we had democratized data in the sense that businesses of all sizes stored and sometimes shared data they gathered and used. That could be correspondence (email), financial records (banks, large retailers), or business info of all sorts, ranging from sales and inventory records to programming heavy industrial equipment. In 2015, society made a really big leap to the cloud to store and manage all the data we use for practically every aspect of our lives. Even people who never use the internet and pay cash for everything are affected by today’s technology if they drive or vote or pay taxes.

Some things I saw in Las Vegas give indications where we’re heading. Business is undergoing a digital transformation built around their customer experiences and new business models. Some one million digital devices come online every day, and by 2025, 60 percent of all computing will be in the cloud. While we each need to maintain our online security vigilance, the entire computing world needs to step its efforts because no bit of information ever goes away. Further, no matter how deeply hidden any information remains, the tools to find it and exploit it are constantly developing. The bad guys can build botnets (networks of electronic robots) to find IP addresses for any exposed device. The Boa open source server, which was used to automate a lot of web-related functions quickly and securely, was discontinued in 2005. But it’s still used in some devices, and with no technical support, bad guys are free to try to pick away at out-of-date defenses. Opening one door can lead to other doors that can be opened, and in some cases, the hackers who open the doors can’t be traced – or can’t be traced quickly enough.

It’s not just the bad guys using stealthy methods to find information. Anyone can use a Google search to find systems and get into them. Those systems can include security cameras and alarms and smart speakers. A Google search can also turn up expired security certificates, which can indicate vulnerabilities.

So, here’s some of what needs to happen:

  • The owners and operators of every server – from a single location to server farms with multiple links – must make sure their firewalls are “locked-down” and secure. That requires the installation of all security updates and patches as they become available and constant monitoring to make sure all ports are secure.
  • All device manufacturers must keep their firmware updated for maximum security. And, if the manufacturers can’t send you updates, you should get and install them on your own.
  • You need to make sure your firewalls and devices are secure through patches and strong passwords. You also should be running virus and malware scans regularly and frequently.
  • Be extremely careful and attentive when you click on a link. You can’t afford to let down your guard.

We also highly recommend an onsite security audit if you have any hint you may have an exposure. We can check all connections for everything on your network – home or office – and trace back anything that looks like a possible security issue, apply a fix and test it. Security issues never resolve themselves and fixing them involves looking at a variety of complexities.

If your computers or devices are running slowly, if you clicked on an email or link you think shouldn’t have, or if you think you’ve been hacked, call us – 973-433-6676 – or email us to set up a security audit. None of us wants to give up our technology; we just need to make it as safe as possible.