A division of Blue Valley Technologies

Networks Plus |  Call: 785.587.4121 |  IT Support: 800.299.1704


Breaking Down a Breach – What Happened and How to React 2

Hello and welcome to the Breaking Down a Breach series!

It’s time to select a breach or cyberattack that has been in the news, analyze the information that is publicly available, and offer some recommendations for protecting your network against similar attacks. We will be looking at these attacks based on the five “P’s” of cyberattacks[1]:

  • Probe
  • Penetrate
  • Persist
  • Pivot
  • Pilfer

Our goal in this series is to uncover what happened, how it was accomplished, and what you can do with your environment to help protect yourself. Remember that there is no one ‘silver bullet’ for security! Rather, you have to build your technical measures in depth[2] and, most importantly, develop a culture of security. There is no such thing as ‘My company is too small/large/unusual/whatever to be a target’. The cybercriminals know that you have something of value and will do whatever they can to get their hands on it.

Today, we will not be looking at a specific breach; rather, we will address a recently discovered vulnerability that has the potential for catastrophic impact worldwide – a serious flaw in the security trust system of Microsoft operating systems. You might ask yourself if the words ‘security’ and ‘trust’ belong in the same sentence, let alone describing a core piece of the operating system software, so let me briefly elaborate.

Operating systems need to have a reliable method of determining whether patches or applications came from a source that follows the coding requirements to ensure safe and secure operation within the environment – in short, can the company that is providing the patch or application code libraries be trusted and validated? While this may seem like a minor or simple detail, realize that Microsoft itself cannot test every third-party application or piece of code, so the simple expedient of only allowing the installation of applications and patches from trusted vendors was adopted. Even Microsoft’s own applications, patches, and services which require operating system functions – for instance, logging in to the computer – have to meet the trust standard. This is accomplished using a cryptography module, and therein lies the problem.

On Jan. 14, 2020, Microsoft, the National Security Agency (‘NSA’), and the Computer Emergency Response Team (‘CERT’) all released high priority notifications of a ‘CVE’, or Common Vulnerabilities and Exposures entry, regarding the issue with the cryptographic module[3]. While such notifications aren’t anything new, it is notable that the NSA not only discovered the vulnerability, but alerted Microsoft and then publicly disclosed it in a very short time frame. In the past, this has not been the policy or practice of the NSA; as such, this openly public posture for a secretive agency only underscores how serious the problem really is.

What happened: On January 13, Brian Krebs, a well-known and highly respected security researcher, broke the story of the reported vulnerability and upcoming patch to be included in the first Microsoft Patch Tuesday of the year[4]. There were rumblings in the security community that the patch was going to be important. So important, in fact, that NSA Director of Cybersecurity, Anne Neuberger, slated a call to release the information to the media, an unusual move for the NSA. On January 14, Ms. Neuberger divulged the vulnerability had been found by the NSA staff during normal research and consequently reported it to Microsoft. It was also noted that Microsoft has not yet seen any active exploitation of the vulnerability.

In this case, the vulnerability has the potential to create extensive damage to systems. The issue is that the module itself is responsible for verifying the ‘chain of trust’ for software and services all the way back to an authoritative source which can validate the identity of the creator. The vulnerability would allow false information to be inserted, causing a ‘chain of trust’ to appear legitimate when it is not. Essentially, a cybercriminal could spoof the operating system into believing malware is trusted and safe to use. This would create situations where any such malware could persist in the system for long periods of time virtually undetected, pilfer information without creating error messages, make changes to protected system files, and become very difficult to trace and remove.

How it happened: It may seem that this is an egregious oversight on the part of Microsoft; however, it is estimated the Windows operating system contains over 50 million lines of programming code. Even with fairly rigorous testing prior to deployment, it is impossible to test every possible use case or combination of systems, applications, or scenarios.

Therefore, more stringent testing guidelines should be adopted. When I was in development (many, many years ago), one of the common tests for your programming was to feed purposefully bad data into the system to make certain that your logic tests would reject it properly and safely, without allowing the program to crash or otherwise perform dangerous operations. Since Windows is the most widely adopted platform on Earth, deployed to an estimated 95.86% of all computing devices in the world (as of December 2018[5]), it behooves both Microsoft and application developers to be more aggressive in secure development practices. I am oversimplifying, but the argument is valid, especially in light of such a fundamental flaw in a core system module.

At the same time, I want to praise the NSA for their approach to reporting this vulnerability. In the past, the NSA, one of the few agencies with sufficient skill and resources to uncover these types of issues, has been less than forthcoming and has even used unpublished vulnerabilities as tools (such as Eternal Blue, which in turn led to WannaCry and NotPetya, once cybercriminals got their hands on the Eternal Blue code[6]). In my opinion, this new strategy, under the leadership of Ms. Neuberger and her worthy colleagues, will help close cybersecurity gaps more rapidly.

What you can do to protect your company: There are a couple of lessons you can apply to protect your business:

  1. Patch, patch, patch. It can’t be said enough that all computing devices and applications require periodic updates and patches. Turning on Windows update is not sufficient; all patches need to be vetted and applied carefully to workstations, laptops, and servers, not to mention switches, firewalls, access points, mobile phones…you get the picture. Networks Plus offers a patching service which covers all Windows patches and many of the standard business application patches. Part of the service is to test and vet patches prior to deployment. Contact your Networks Plus business consultant for more information.
  2. Set internal security policies to prevent end users from installing any application and require applications be tested and approved prior to installation. While this may seem unnecessary, realize most end users have very little understanding of what an application may do to an operating system or network. Allowing end users to install that ‘weather’ app or background theme may lead to some very undesirable consequences.
  3. Education. Make sure to stay informed on potential threats. Training the entire company, including yourself, on security threats is no longer a luxury – it is a necessity in today’s always-on, always-connected world.

UPDATE – 01/17/20: To emphasize just how serious this problem is, read more here.

At Networks Plus, cybersecurity is our focus. We want to ensure that your company can prevent and recover from cyberattacks. Contact one of our Business Consulting team to discuss how our products and services can help you build a strong and resilient network for your business.

[1] For more detail on the Five “P’s”, read the first Breach blog.

[2] For more information, here is my blog.

[3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

[4] https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

[5] Usage Share of Operating Systems

[6] https://en.wikipedia.org/wiki/EternalBlue

CES – Day 3

CES is the Consumer Electronics Show; an annual event where developers showcase their new technological and electronic innovations. Jerry Horton, IT Director for Blue Valley Technologies, is giving us a little glimpse into the future of all things technology.

What a week in Las Vegas! I was just one of about 200,000 attendees at the show and, believe me, I felt like Charlie when he visited Willy Wonka’s Chocolate Factory – overwhelmed, but completely in my element. There were so many exciting things to discover and learn about, mixed in with some things that, frankly, I just don’t get yet (check the pet dryer from my second blog last week for an example.) That being said, I saw some very exciting developments in precision agriculture, robotics, and general tech that I wanted to share.

n.thing is a South Korean company that is working hard on precision agriculture, especially focused on producing crops year round with minimal resources for maximum yield. They build hydroponic farming facilities in what are essentially shipping containers. These use no soil, have controlled environments, and require a minimum of human intervention to produce, using a combination of solid ag practice and smart tech.

South Korea isn’t the only country that is working on this concept. GRÕV Technologies is an American company based in Utah working on the same concept, but taking it a couple of steps further to include grain products, specifically targeting animal feed. I spoke to the GRÕV representative for quite a while and was very excited by both their technology and concepts. With their design, many kinds of crops can be successfully grown year round and they are testing new ideas all of the time.

Enhancing agriculture isn’t just an indoor sport! John Deere had a massive booth at CES to introduce its new self-propelled sprayer with a massive 120-foot carbon-fiber boom (it was so big that I couldn’t even get one whole side of the boom into a picture) and stuffed with advanced technology. John Deere also won a CES Innovation award for its new 8RX tractor. Given the size of this tractor, it was not on display at the convention, but I do want to send out a hearty congratulations to John Deere for winning this prestigious award. Keep up the great work!

Robotics aren’t new by any means, but they have approached science fiction proportions these days! I did see several industrial robots, but what really impressed me was the sheer number of service and companion robots on display.

Canbot is intended for commercial use as a service robot, but it does have a personality and is capable of carrying a limited conversation.

A simple industrial robot on display at the NXP Semiconductor building.

The AlienGo robot. This is not a commercially available product at this time, but it does follow you around like a dog. Seriously, a robotic canine…

Yes, this is a robotic shark. It is used for research in coral reefs and similar environments. Other marine robots are used for inspecting underwater pipelines or the hulls of ships.

Hancom Robotics had a display based around companion robots for children, including Toki, a kind of robotic nanny and study buddy for kids. Toki uses facial recognition to identify family members and will interact with each appropriately.

There were countless examples of gaming tech, including improved gaming chairs, keyboards, mice, headsets, and even haptic jackets (haptics involve the sense of touch or other tactile feedback.) The haptic jacket can be used with games similar to Call of Duty to ‘feel’ the action during the game.

To wrap it up, I did want to talk about an impressive piece of technology which I think could have a very positive impact. When it comes to autonomous driving, there is a lot of focus on cars, trucks, mass transit systems, and the like. While this technology is in widespread use in a limited way – adaptive cruise control and collision avoidance in most vehicles – even Tesla can’t make the claim that they have made a fully autonomous vehicle which is 100% safe and reliable without a human operator. However, autonomous bicycles show some real promise.

This bicycle was created by IAV, a German company, as a delivery vehicle. IAV is working toward full autonomy for this bike to make deliveries for take-out, small grocery orders, or even as part of the Amazon fleet. However, it is currently in use by postmen and delivery people using the ‘follow-along’ feature, which allows the operator to walk between locations in a neighborhood and have the bike follow them to each stop. Very handy and efficient without the extra trips back and forth to climb on the bike.

Notice the barcodes on the apples? This is also part of the IAV project – a way to barcode each delivery so that a fully autonomous bike will track inventory and only open the cargo container for a person with the correctly matching code.

No doubt that CES was exhausting, both physically and mentally, but it was well worth the trip for Blue Valley to keep abreast of the latest technologies that will be useful for our customers! I hope you enjoyed these blogs as much as I enjoyed collecting all of the photos and information.

 

CES Day 3 Photos

CES – Day 2

CES is the Consumer Electronics Show; an annual event where developers showcase their new technological and electronic innovations. Jerry Horton, IT Director for Blue Valley Technologies, is giving us a little glimpse into the future of all things technology.

Note: to view all the photos Jerry is referring to, please see the complete pdf at the bottom of the page.

What a day! I saw more smart home, smart city, smart car, robotics, AR/VR, and general technology than one could shake a whole bundle of sticks at. This show is exhausting, but oh so worth it!

Let’s start with some smart kitchen tech.

WBM Smart is an American company who tests, selects, and introduces cooking products which are popular in the Asian markets. They had over a hundred different products in their booth, which they plan to test market here in the U.S.

Yes, that is a self-heating coffee mug – a boon for coffee fanatics like me.

A smart kitchen thermometer to help you do a perfect sous vide (cooking food that has been sealed into a container at low temperatures for extended times).

Cooking Pal presented a ‘does most everything’ cooking tool called the Julia (after Julia Child). I will probably get one of these since I do love my smart tech as well as kitchen gadgets!

Now, for some family tech! Babies, toddlers, and children (not to mention their parents) were the big winners with tons of tech to measure health and sleep, as well as educational games and gadgets galore.

Children learn computer coding with Matatalab toys. I had a lot of fun with this!

Sing along with a wide array of iHome eKid products!

Meet ClicBot – a fun way to learn programming and robotics. Pixar helped to create the emotional expressions of ClicBot. They had an entire group of ClicBots dancing, singing, and having conversations with each other, including one of the bots getting a scolding because it was goofing around. Thoroughly entertaining.

Personal tech was big. Really big. There were booths for exercise gear (tons of exercise gear), heated razors, toothbrushes, products for improved sleep, and even smart cosmetics and grooming tech. Honestly, it was a bit mind-boggling.

This is a printer for your nails. Pick a graphic, prep your nail, insert your finger, and voila! According to the ladies at the booth, this will work on both natural and artificial nails, once they are properly prepared.

This was the largest of about 30 booths I visited which featured smart personal care items. To be honest, I’m not sure why you would need to measure how frequently you exfoliate, but there it is.

For lack of a more descriptive product name, I am calling this one a ‘life meter’. This wearable is designed to help the elderly to age in place, giving extensive activity data to caregivers and adult children.

Losing your hair (for me, the answer is “Done did”)? Worry no more! You don’t need to use special shampoos or have a surgical procedure to implant plugs, just wear a laser hat to stimulate the capillaries and follicles. For me, I consider my hair a long-lost friend, never to return…

We all need to sleep, and science has conclusively proven that we, as a nation, don’t get enough of the best type of sleep. If CES is any indication, there is a significant amount of research and development going into improving our rest through comfort and setting the right conditions.

Sleep Number’s newest – the Climate 360.

Nope, not a tanning bed. This is a sleep enclosure made to create the perfect environment of comfort, sound, and oxygen levels to optimize your rest.

Is your biggest problem with a good night’s sleep due to the jet engine snoring next to you? This seems to be a major problem in Asia as well, because there were a number of products such as this to help minimize snoring.

My wife and I both like to sleep cool. I suspect that this is pretty common given all of the products I saw to regulate the temperature of the room, air, and bed itself. Chili Technology has a couple of different products.

Wrapping it up for today, here is one of a couple of products that I had a chance to try which help you with your breathing, posture, and concentration via meditation. I found this one to be very intriguing as it is basically an EEG (measurement of brain waves) and the supporting software reveals useful data.

Although I am leaving tomorrow, I will post a couple of other reports about some extremely exciting developments in agriculture and robotics/artificial intelligence. For now, I am going to leave you with what I will call – Tech that makes you go ‘Huh?’

Go 4-Wheeling. Listen to tunes at a VERY high volume. Scare wildlife. Any questions?

Yes, this is a robot that looks a bit like Ahhh-nold! Its primary job? To promote your products and services at conferences or other public venues. I’m not a marketing expert, but I’m not sure this is the best bang for the buck, although it is eye-catching.

A robot that plays and trains you in ping-pong. Enough said…

 

CES Day 2 Photos

CES – Day 1

CES is the Consumer Electronics Show; an annual event where developers showcase their new technological and electronic innovations. Jerry Horton, IT Director for Blue Valley Technologies, is giving us a little glimpse into the future of all things technology.

Las Vegas in the winter – a bit chilly, but the tech is hot! CES is vast; so vast, that one cannot truly appreciate the scope until you’ve attended it. Just as an example, I visited two of the three venues today, walked for hours, and only saw about 5% of the show. Needless to say, my feet are tired, but my brain is in full-on geek mode! For someone like me, this is like being the proverbial kid in a candy store.

Following is just a quick sampling of the things I saw.

For instance, Toyota Boshoku displayed a couple of concept cars which have autonomous driving, flexible seating (you can even face each other), entertainment centers (think Netflix on the move), and even measure and correct your emotional state with individualized sights, sounds, and smells.

Hyundai and Uber presented a concept drone. While I couldn’t get close enough to really look at it, it appears to be able to comfortably seat at least four adults.

LIDAR is an essential technology for autonomous driving, using laser light to ‘paint’ a picture of obstacles (including humans) in 3D or 4D real time.

Amazon had an entire room of their own to highlight the Alexa-enabled technologies of Amazon and their partner companies. Smart home tech such as the iRobot lawnmower, Lego Mindstorm toys, a Duxiana bed, and even a Lamborghini were on display.

Of course, no CES would be complete without the innovation awards! There are some things that, while innovative, weren’t on my ‘install this now’ list – Kohler’s Numi 2.0 smart toilet with mood lighting, surround sound, and built in Alexa comes to mind here. On the other hand, smart health technology abounded with some truly amazing ideas, such as a cane with navigation and GPS for the visually impaired.

Stay tuned for more tomorrow!

 

CES Day 1 Photos

Breaking Down a Breach – What Happened and How to React

Hello and welcome to the Breaking Down a Breach series!

It’s time to select a breach or cyberattack that has been in the news, analyze the information that is publicly available, and offer some recommendations for protecting your network against similar attacks. We will be looking at these attacks based on the five “P’s” of cyberattacks[i]:

  • Probe
  • Penetrate
  • Persist
  • Pivot
  • Pilfer

Our goal in this series is to uncover what happened, how it was accomplished, and what you can do with your environment to help protect yourself. Remember that there is no one ‘silver bullet’ for security! Rather, you have to build your technical measures in depth[ii] and, most importantly, develop a culture of security. There is no such thing as ‘My company is too small/large/unusual/whatever to be a target’. The cybercriminals know that you have something of value and will do whatever they can to get their hands on it.

Today, we will take a foray into one of the most troublesome and, unfortunately, effective tactics used by cybercriminals – phishing. Essentially, this type of cyberattack uses email and social engineering to ‘hack the human’, a much easier task than penetrating a network by technical means. There are a number of variations on this technique – business email compromise (“BEC”), spear phishing, and even whaling (yeah, I don’t know who thinks up these names…)

In October of this year, the city of Ocala, Florida suffered a loss of $500,000 due to a successful spear phishing scam[iii]. Let’s take a closer look…

What happened: An employee in a city department received an email that appeared to be from a construction company which was currently doing work for the city of Ocala. The email contained an invoice, coupled with a request to remit payment via electronic funds transfer to a specific bank account. The invoice was real – the city did, in fact, owe $640,000 to the contractor for work performed – but the bank account to which the funds were transferred was fraudulent. When the city discovered the fraud, there was still about $110,000 left in the fraudulent account which the city then recovered. Investigations are ongoing and few other details are known at this time.

How it happened: This story may lead you to believe that the fault lay with an inattentive staff member but reading between the lines reveals a tale that is more disturbing and, unfortunately, all too common.

The first thing that struck me was this question – “How did the attacker spoof the email and produce a ‘legitimate’ invoice?” As stated earlier, investigation is ongoing, so the real answers regarding the Probe and Penetrate phases of this attack aren’t available; however, I will speculate on the methods used, based on knowledge of previous cybercriminal tactics.

First, since the contractor was working for a municipality, this relationship is a matter of public record. Likely, this was published in a local paper more than once – i.e. city council meetings, legal notices, or perhaps even articles. The attacker didn’t expend much effort to get the basic information.

Secondly, getting an email, including addresses, signatures, and perhaps even an invoice from the contractor might have required little more than a phone call, posing as a city employee and directing that the email be sent to an alternate address – e.g. ‘My computer is down but you can send it to this gmail/Hotmail/ISP address…’ With a very small investment of time and work, the cybercriminal has completed the first phase of his reconnaissance.

The next phase is to penetrate and pilfer by spoofing the email, sending it to the correct city department, setting up a fraudulent bank account, and waiting for the money to come in. Finding the correct department or even individual is once again pretty simple; the information may have been available from multiple sources, including legal notices in the paper, the city’s website, or even another phone call (FYI – I found email addresses, phone numbers, names and bios on the city website in about a second and a half. Not too hard to imagine how the cybercriminal got the necessary information.)

Obviously, the cybercriminal(s) found some pretty low hanging fruit here. The next question I ask myself is – “Why did this actually work?” This is where things get really frightening.

  • The invoice and account were not confirmed. Once again, the available details are sketchy (I am speculating), but it is pretty unusual for an electronic funds transfer to be requested to pay an invoice, especially for a municipality. Even had this been the agreed method of payment, a change in the receiving bank account should have been noticed and confirmed prior to payment. Simply picking up the phone and having a short conversation between the authorized contacts would have avoided this loss.
  • The ‘two-man’ rule was apparently not in effect or broke down. Standard accounting and security practices dictate that amounts exceeding the purchase or payment authority of any person be reviewed and authorized by at least two people in ascending order of authority. Simply put, payment should not have been issued without secondary review and approval. Even though the invoice appeared to be legitimate, the receiving bank account was clearly not.
  • Weak email security. There are DNS records which should be in place to improve mail server reputation to help prevent spoofing. In addition, a modern email security service using a sophisticated threat intelligence and behavior analysis filter would likely have caught and quarantined this attempt.
  • End user security education would have greatly improved the chances of avoiding this attack. Clearly, the end user in this case did not recognize this as a phishing attempt.

There were no persistence or pivot steps to this attack. This was an obvious ‘snatch-and-grab’, but it could have just as easily contained a malware component to allow the cybercriminal access to internal systems.

What you can do to protect your company: Although this attack was fairly straightforward fraud for a payday, the reason it was successful can be attributed to a weak security culture and some missing or misconfigured technical controls. Here are a few lessons you can apply to your business which can help you protect your business:

  1. Be cautious of the information you post publicly – The Ocala city website[iv] contains an incredible wealth of information for a cybercriminal. While this is a website for a municipality and thus requires more openness than a typical business, it is best to eliminate direct contact links from your website, using contact forms and phone numbers where possible and requiring authentication for more privileged information. Networks Plus recommends that you should limit information you post to your website or social media accounts, including email addresses and process documentation.
  2. Improved security processes and procedures – As mentioned above, the ‘two-man’ rule eliminates quite a few potential sources of trouble, but it is not the only security practice that should be used. Make certain that you implement the principle of least privilege and separation of duties. When you develop security processes and procedures, make sure they are followed implicitly. Remember Horton’s Rules for Basic Security:
    1. STOP, LOOK, AND THINK before you react to anything.
    2. DON’T TRUST ANYTHING. VERIFY EVERYTHING.
  3. Advanced email security – Implementing strong email security is an absolute must to prevent phishing attacks. Networks Plus offers a very strong email security package and can help you get your DNS records configured properly.
  4. Supply Chain management – While you cannot control what your vendors do with their networks, you can and should exert your influence. Develop a minimum security standard which you require of your vendors, including procedures for invoicing. This is not foolproof, by any means, but does help both your company and the vendors to build a strong, secure relationship.
  5. Education – Once again, this breach all started with a phishing attack; not entirely surprising since 95% of attacks begin with a phishing email.[v] Make sure that you are training your entire company, including yourself, on security threats. Couple your training program with periodic tests to make sure that the lessons are being learned. Networks Plus partners with KnowBe4 to provide your organization top-notch security education and testing.
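The DNS records referred to under “Weak email security” and in recommendation 3 are not named in the post; assuming they are SPF and DMARC TXT records, this added example (not part of the original post) audits sample records for settings that leave a domain open to spoofing. The domains, record values, and finding codes are all constructed for illustration.

```python
"""Audit SPF and DMARC TXT records for anti-spoofing strength (added example)."""

# Constructed sample records. In DNS, SPF is a TXT record at the domain itself
# and DMARC is a TXT record at _dmarc.<domain>. No live lookups are made here.
SAMPLE_RECORDS = {
    "weak-city.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak-city.example",
    },
    "strict-vendor.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s",
    },
    "missing.example": {"spf": None, "dmarc": None},
}


def parse_spf(txt):
    """Return {'all': qualifier-or-None}, or None if txt is not an SPF record."""
    parts = (txt or "").split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    for term in parts[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            # A bare "all" has the default qualifier "+", meaning pass.
            return {"all": t[0] if t[0] in "+-~?" else "+"}
    return {"all": None}  # record exists but never says what to do with others


def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if not DMARC."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def audit(records):
    """Return a sorted list of finding codes for one domain's records."""
    findings = []

    spf = parse_spf(records.get("spf"))
    if spf is None:
        findings.append("spf-missing")
    elif spf["all"] in (None, "+", "?"):
        findings.append("spf-permissive")   # any sender passes or is neutral
    elif spf["all"] == "~":
        findings.append("spf-softfail")     # unauthorised mail is only marked

    dmarc = parse_dmarc(records.get("dmarc"))
    if dmarc is None:
        findings.append("dmarc-missing")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = dmarc.get("pct", "100")       # pct defaults to 100 when absent
        if policy == "none":
            findings.append("dmarc-monitor-only")  # reports only, no blocking
        elif pct.isdigit() and int(pct) < 100:
            findings.append("dmarc-partial-enforcement")

    return sorted(findings)


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = audit(records)
        print(f"{domain}: {', '.join(result) if result else 'no findings'}")
```

These records only address mail that claims to come from the exact domain; a message sent from a lookalike domain is not caught by them, which is why the phone confirmation and secondary approval described above still matter.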

At Networks Plus, cybersecurity is our focus. We want to ensure that your company can prevent and recover from cyberattacks. Contact one of our Business Consulting team to discuss how our products and services can help you build a strong and resilient network for your business.

[i] For more detail on the Five “P’s”, read the first Breach blog here: https://www.networksplus.com/breaking-down-a-breach

[ii] For more information, here is my blog: https://www.networksplus.com/defense-in-depth-a-primer

[iii] https://www.ocala.com/news/20191024/ocala-gets-scammed-in-spear-phishing…

[iv] https://www.ocalafl.org/home

[v] https://blog.dashlane.com/phishing-statistics/

Why Small Businesses are at Risk of Cyberattack

By: Jake Schulte, IT Manager

Small business owners are busy. They’re pros at wearing multiple hats at the same time and making it look good. While doing what they do best, often there’s not a lot of time for thinking about threats from the web.

Cybercriminals know this.

Additionally, many small business owners aren’t aware of the threats that exist, nor how those threats could cripple or shut down their business. Since they don’t know, keeping the electronic assets they depend on for the success of their business secure from cyber threats is left out of the budget.

Cybercriminals know this too and take advantage.

Since you can’t prepare for a risk you don’t know exists, here’s a breakdown of how cybercriminals find success targeting small businesses.

Criminals cast a net

Small business owners may assume they’re too small to be specifically targeted for attack. In some ways they’re right. Instead of targeting one small business, cybercriminals target millions by casting a wide net with scores of automated phishing emails.

Criminals know the vast majority of recipients will not fall prey, but they also know a small percentage will fall for it and they can target those who do.

The net brings targets

Automated phishing nets a new set of targets the criminals know are vulnerable to hacking. Cybercriminals use this new information to escalate their targeting with more personalized efforts, known as spear phishing.

This type of attack could consist of emails that use the names of people in the organization. Recognizing the name as familiar, the spear-phished target opens the file attachment, unleashing harmful malware designed to gather information from the computer.

The malware could install a keylogger to track and report every keystroke made by the user, exposing passwords and other sensitive info. Or the malware could take the form of ransomware, holding vital information hostage for payment.

Other nefarious possibilities from successful spear phishing are equally alarming.

It’s a widely used tactic. About 95% of all attacks on small businesses are the result of successful spear phishing.

Efficiency can make small businesses vulnerable

We hate to say it, but security and efficiency are often polar opposites. The drive to accomplish more in less time can create security holes.

For example, it may be efficient for memory’s sake to use the same password across multiple logins and accounts, but that puts each of those accounts and your entire system at risk. It may be convenient to keep the same login credentials for years on end, but that also increases security risk.

The solution for these risks is following security best practices with multiple layers of protection to guard against vulnerabilities.

Multi-layered security is the answer

A comprehensive security portfolio has multiple layers of protection to defend the business from all sides. From the outside in, here’s what might be included:

  • Firewall
  • Server and computer protection
  • Best practice security policies
  • Specific actions that protect systems
  • Educated users

The reality is, every business is at risk from cybercrime. There’s no doubt technology improves business function, but it’s a tool that has to be protected and maintained.

At Networks Plus, we offer every layer of protection small businesses need to stay safe. Get in touch to keep your data–and your livelihood–secure.

Breaking Down a Breach

What Happened & How to React

By: Jerry Horton, IT Director

Hello and welcome to the first in the Breaking Down a Breach series!

In this part of the newsletter, we select a breach or cyberattack that has been in the news, analyze the information that is publicly available, and offer some recommendations for protecting your network against similar attacks. We will be looking at these attacks based on the five “P’s” of cyberattacks:

  • Probe: This is the cybercriminal’s reconnaissance of the target. A surprising amount of information about any organization or individual is freely and publicly available.
  • Penetrate: Once an attacker has completed their surveillance, they will choose one or more methods of gaining unauthorized access.
  • Persist: Some cybercriminals are of the ‘snatch and grab’ school – launch some sort of attack to a wide variety of users and organizations, a small percentage will get infected, and the criminals will take the quick payday. However, persistence is the Holy Grail of cybercriminal activity. This is where real cybercriminals who have an agenda shine – they want to stick around and hide in the corners because you may have more than one thing of value. More importantly, they don’t want to leave enough traces of their penetration for you to find, meaning that they can be in your system for years (as they did in the Starwood Hotel breach)[1].
  • Pivot: This is one of the goals of persistence; attackers poke around, see if they can get into other systems besides the one already compromised, see if they can elevate their privileges, and then really go to town deciding how much and what to steal.
  • Pilfer: The ultimate end goal – take what they can and sell it or use it for another attack, whether that is on the same company or a totally different one.

Our goal in this series is to uncover what happened, how it was accomplished, and what you can do with your environment to help protect yourself. Remember that there is no one ‘silver bullet’ for security! Rather, you have to build your technical measures in depth[2] and, most importantly, develop a culture of security. There is no such thing as ‘My company is too small/large/unusual/whatever to be a target’. The cybercriminals know that you have something of value and will do whatever they can to get their hands on it.

Let’s kick this series off with one of the most famous breaches in recent memory – the Target breach of 2013. Your humble author and his lovely wife both had their debit and credit cards exposed during this debacle; fortunately, to no ill effect other than having to have new cards issued.

What happened: Cybercriminals did extensive probing to find a route into the Target network. Once a successful intrusion was accomplished, the criminals determined what vulnerabilities were available to exploit and, through a series of small attacks and elevations, were able to gain access to the Point Of Sale (“POS”) system. Once firmly entrenched in this system, the criminals pilfered records, by estimate well over 40 million credit and debit card transactions, which were then put up for sale on the dark web (a hidden internet largely used for illegal activities). According to a Huffington Post article in 2015[3], the estimated cost to address this breach had exceeded $252 million and the loss in profit, stock value, and public trust required years to repair.

How it happened: While the extent of the reconnaissance cannot be fully known without interrogating one of the cybercriminals, what is known is that much information was easily accessible from simple internet searches. The Target Supplier Portal listed all of the vendors used by Target, giving the cybercriminals a nearly effortless group of initial targets.

The criminals, using social engineering and phishing techniques, compromised computers at Fazio Mechanical, an HVAC vendor for Target. As a part of this compromise, they were able to harvest Fazio’s credentials into the Target network. The criminals then logged into and compromised the Target vendor network.

Once into the Target network with credentials that were legitimate, it was a matter of scanning for vulnerabilities and exploiting them to move laterally and elevate their privileges. This portion of the attack is still not entirely known, but it is suspected that a common attack against web-enabled databases known as SQL injection was used to gain access to other systems, including the POS system. The attackers had now hit the motherlode, setting up a ‘skimming’ type of program which copied the transactions into a file on a ‘dump’ site which had been set up on a server with internet access (the POS system, by design, does not have direct internet access). They exfiltrated the files by disguising the outbound file transfer as an innocuous type of traffic.

What you can do to protect your company: Because of the complexity of the breach and the sophistication of the attack, there are a number of lessons to learn from the Target breach. Many of the vulnerabilities the attackers exploited have simple solutions, while others require technical and procedural fixes that are more stringent.

  1. Be cautious of the information you post publicly: The Target Supplier Portal was easy to find using a simple Google search. The Portal was a rich source of information that required no security whatsoever to access.[4] Networks Plus recommends that you limit the information you post to your website or social media accounts, including email addresses and process documentation.
  2. Secure remote access: Any remote access to internal systems should require Virtual Private Network (“VPN”) connectivity and multi-factor authentication, at a minimum. The initial breach of the Target systems would have been nearly impossible had multi-factor authentication been required. Even with these extra measures, any direct access to internal systems should be severely limited using the principle of least privilege.
  3. Advanced endpoint protection: A simple anti-malware package is just not enough to protect against modern cyber threats. The majority of attacks launched during the Target breach could have been stopped very quickly if each of the computers involved had used advanced endpoint protection which monitors and reacts to any unusual activity. Taking this concept a bit further, network monitoring with intrusion detection and prevention would have gone a long way to stopping this breach dead in its tracks.
  4. Supply Chain management: While you cannot control what your vendors do with their networks, you can and should exert your influence. Develop a minimum security standard which you require of your vendors. This is not foolproof, by any means, but it helps both your company and your vendors build a strong, secure relationship.
  5. Security maintenance: Configure any system access using the principle of least privilege – only assign the minimum rights and privileges required to perform the job. Use lengthy passphrases[5] (14 characters, minimum) and multi-factor authentication where possible. Make sure to remove or disable unused or orphan accounts, not just on your internal network, but with any external source as well. Those old online accounts may have been compromised and provide a potential attack vector.
  6. Education: The Target breach all started with a phishing attack; not entirely surprising since 95% of attacks begin with a phishing email.[6] Make sure that you are training your entire company, including yourself, on security threats. Couple your training program with periodic tests to make sure that the lessons are being learned.

At Networks Plus, cybersecurity is our focus. We want to ensure that your company can prevent and recover from cyberattacks. Contact a member of our Business Consulting team to discuss how our products and services can help you build a strong and resilient network for your business.

Don’t Get Hacked This Holiday Season


By: Kathryn Schoening, IT Technician

The most wonderful time of the year is here. Make sure it stays wonderful by protecting your data, computer, and yourself when purchasing the perfect presents online.

Scammers are always dreaming up new ways to take advantage of as many people as possible. These tips will protect you no matter the illicit scheme that comes up next.

  • Make sure your antivirus is up to date. Having an antivirus installed on your computer is protection 101, but don’t delay the updates either. Your antivirus can’t protect you if it doesn’t know how.
  • Antivirus pop-ups are a scam. Never click on a pop-up that claims your computer is infected and needs a scan. If you had a virus, the antivirus program on your computer would tell you. Run a manual scan using your installed antivirus if necessary.
  • Keep passwords unique. It’s less convenient, but keep passwords unique for each account login such as online banking, retailers and other sites with personal information. Consider setting up multi-factor authentication for critical accounts. It takes more time to log in, but increases security substantially.
  • Only store passwords in a secure password manager. Again, it’s not as convenient, but avoid auto-saving passwords in your devices. If your computer or phone gets lost or stolen, criminals get easy access to your accounts without even needing your password. The inconvenience of typing your password every time you log in is worth it to keep your information secure.
  • Don’t send information. Don’t share login information and passwords over email or text even to people you trust unless using some sort of encryption. The information can be intercepted by hackers while in transit to the recipient.
  • Monitor your accounts. Check your bank and credit card statements for unknown charges. Many banks and credit cards also allow you to get a message every time a charge is applied.
  • Keep your receipts. After you make a purchase, put the confirmation, receipt, and tracking number in a designated place in your email inbox until the shipment arrives. If you don’t get the package, contact the merchant.
  • Look for the “S.” Ensure you’re only making purchases from websites with an address that uses HTTPS (Hyper Text Transfer Protocol Secure). Always make purchases from secure websites to protect yourself and your data.
  • Update from Windows 7. Microsoft will stop creating updates and security patches for Windows 7 starting in January. If you have Windows 7, it’s time to upgrade your operating system. Give us a call if you need help!

From all of us at Networks Plus, we hope you have a safe, warm, merry season!

EOL for Windows 7

End of Life for Windows 7 & Server 2008
What Does It Mean??

By: Paul Facey, Advanced Technician

It’s the end of the road for Windows 7 and Server 2008 platforms. Starting January 14, 2020, Microsoft will no longer support updates, security patches, or development of these systems.

Though that means no more disruptive notifications telling you to install the update and restart your computer, it also means security problems discovered after that date will not be fixed by Microsoft.

In effect, any newly discovered security holes could be exploited by hackers for criminal purposes. There’s no telling what they might do, but possibilities include gaining control of your computer and modifying it for their own purposes, installing software to monitor keystrokes, using it to launch malware or DoS (denial of service) attacks against other systems, or just about anything else.

End of life also means there could be compatibility problems installing new software. Over time, the system will slow because it won’t have new drivers to make it function its best. Without system updates, anti-virus protection will quickly become out of date, unable to identify new threats.

The single best solution for addressing this problem and keeping your system secure is installing Windows 10 or the latest version of Microsoft server, whichever suits the need. As fully supported platforms, these operating systems will continue to be secure for a long time.

Though it may be cost-prohibitive for businesses with many systems to upgrade all at once, we recommend using a phased approach to get started as soon as possible. Keep in mind that not all computers running Windows 7 have the capability to support Windows 10. The best investment may be to upgrade the entire computer and get the new hardware and warranty that come with it. If you’re not sure about your best option, we can help you identify the most cost-effective solution.

If there’s a reason you haven’t updated already, such as using legacy software that’s not supported by newer versions of Windows, the prospect of updating may be more challenging.

There are options though. You can purchase Extended Security Updates (ESUs) from Microsoft. The downside of this solution is it will only be available through 2023, and the price will double every year. The ESUs have to be purchased on a per-device basis starting at $25 the first year.

If your business is uniquely reliant on Windows 7, we can help identify customized options using third-party software and anti-virus.

A final note on updates in general. Though they often pop up at inconvenient times, they don’t have to drain your productivity. At Networks Plus, scheduling updates for nights, weekends, or whenever is convenient for you is one of the many benefits of our managed service product. Give us a call if you want to know more about how we can help!

All I Want for Christmas is…

By: Jerry Horton, IT Director

Autumn is here! Days are filled with harvest, canning, and the warmth of family Thanksgiving traditions. As we celebrate the bounties of our work during the fall, thoughts begin to turn to winter and the excitement of holiday giving. So, what in the world do you get that special person in your life? They already have all of the ties, mittens, and ugly Christmas sweaters they can possibly use; no one likes fruitcake; and those golf clubs may be on sale, but wrapping a golf club is like folding a fitted sheet!

Not to worry, friends, your techno-geek of all trades is here to help with suggestions sure to satisfy the techies, and even the not-so-techies, in your life.

Reading Material

I opted to avoid calling this one ‘books’ because A) I’ve found that certain online magazines are well worth the time and B) ‘Reading Material’ just sounds more techie…

  • How To by Randall Munroe: There is a famous techie cartoon strip named XKCD which is filled with stick figures, math, physics, and humor. The author of this strip, Randall Munroe, has also written books which are both educational and delightful. His latest is certainly no different – absolutely impractical scientific solutions to (mostly) everyday problems. Buy it from Amazon
  • ‘Ten Arguments For Deleting Your Social Media Accounts Right Now’ by Jaron Lanier: Do you have a friend or loved one who just can’t seem to pull themselves away from some social media, webpage or app? Jaron Lanier, a virtual reality guru, gives some solid and timely advice against social media in his book. Get it from Walmart
  • Magazines & Webzines: Want to keep up on the latest in science and technology? Discover and Wired magazines are great choices to stay informed. Both have traditional print as well as webzines.

Smart Stuff

Yes, you are correct: smart stuff is a pretty vague category. One of the biggest problems is that a lot of products are marketed as ‘smart’ without a clear definition of what that actually means. For our purposes, we will say that something is ‘smart’ if it can connect, collect, and share information with other devices and the user.

  • Smartwatches: Smartwatches seem to be everywhere and made by everyone, so how in the heck can you choose one?
    • Make sure that you are shopping for a smartwatch that will connect to the correct phone! Apple watches will only work with the iPhone, but some smartwatches running Google’s Wear OS will work with both Android and iPhone.
    • Make sure the watch supports features that are important to you. FitBit is great for helping you keep up with your exercise regimen, but won’t support your Apple Music playlists.
    • Check the specifications so you can get the watch with the right battery life and water resistance for you, as well as swappable bands and clasps. A smartwatch has to be practical and fashionable! Find your smartwatch from BestBuy.

Smart Home Devices

At this point, it would be difficult to find someone who hasn’t heard of a smart home device. I’ve even seen a ‘smart’ dog treat dispenser… Rather than adopt a technology just because it is fun or creative, let’s stick with the ones that are easy to install, use, and have some practical value.

  • Thermostats: The most practical smart home devices are ones that can help you save money. Smart thermostats are the next evolution in energy control, replacing the clunky and temperamental programmable thermostats of a few years ago. Nest, Ecobee, and Honeywell are top-rated choices with proven energy savings.
  • Smart locks: Another very practical smart home device which can actually save you a lot of time and trouble. No need to pass out and keep track of physical keys – just give access to the folks who need it, even on a temporary basis. My favorite is the August Lock Pro, which retrofits onto any existing deadbolt, but Yale, Kwikset, and Schlage all have great models, too.
  • Smart Speakers/Home hub: Now, I am a music lover, so smart speakers are right up my alley, but they can also do so much more – local news and weather, daily devotionals, games, and even working as an intercom. There are far too many manufacturers and products to list them all, but here are a few to get you started: Amazon Echo, Sonos One, and the Apple HomePod are all great choices. If you plan to build home automation routines, you will need to make sure you have a home hub for all of those devices to communicate. Fortunately, the Amazon Echo, Google Home, and the Apple HomePod have this feature built in. If you want some more information, or would like to see home automation in action, contact us and tour our Smart Home demo!

Smart Clothing

Yes, you read that correctly; there is such a thing as smart clothing. Most of the products are centered around exercise gear, but there are some interesting (if a little bizarre) items that might fill a need.

  • Smart Jeans: As odd as it may sound, your pants will know where you are even if you don’t. They have built-in geolocation and alert sensors which connect to your smart phone to help you navigate in urban areas. Sorry, guys, these are for the lovely ladies.
  • Smart Jackets: Same concept as the smart jeans. Google does it again. Take a look here.
  • Smart Socks: Before you roll your eyes and wonder what the world is coming to, the smart socks I am listing here actually have a practical purpose. First is the Owlet, a smart sock for babies. It monitors heart rate, oxygen level, and sleep cycles. Next is the Siren, a smart sock designed to help diabetic patients take better care of their feet. Both of these are great examples of the amazing healthcare potential of smart wearables!

Techie Miscellaneous Gifts

Sometimes, a gift doesn’t need batteries or WiFi to be fun, practical, or just that thing to finish out your collection. Here are some things for the nerdier set…

  • Can’t find the key you are looking for on the ring? Or just can’t find your keyring because you set it down and walked away? Keysmart Pro is your solution! This product is something like a do-it-yourself ‘swiss army’ key organizer with a Tile™ locator built in, so now you can find the right key after you find your keyring!
  • Ok, I freely admit these two products remind me of late-night TV infomercials (I can almost hear the dulcet tones of Billy Mays extolling the virtues of these…), but I can see some practical value in them. Fair warning – I make no claim that these are good products, just that they are interesting, so buy these products at your own risk!
    • VIZR turns your smartphone into a heads-up display. To me, this has some real practical value while using navigation apps and driving. I’m surprised some smartphone manufacturer hasn’t done this yet.
    • Peeps claims that this is the same tech used by NASA on the space station (for what exactly, I don’t really know, and they don’t say). From a practical engineering standpoint, using forceps (AKA tweezers) to clean glasses makes some good sense, as do carbon microfiber cloth cleaning pads.
  • Need some new kicks? Concerned about the environment? Rothy’s has the answer to both! This company makes their footwear by using a type of 3D printing to weave the shoes out of recycled water bottles. Stylish and environmentally friendly!
  • This gadget is tailor-made for me, your humble tech-head (ok, maybe humble is a little inaccurate…) Finally, someone took the time and trouble to invent a temperature-regulating coffee mug! Ember makes smart coffee and travel mugs, which use a mobile app to keep your beverage at just the right temperature and even track your caffeine intake.
  • It’s no secret – I detest the cold. It seems I can never keep my hands or feet warm enough. If you are like me, try these products:
    • Human Creations makes a series of battery handwarmers with extra functions like charging your smartphone and a flashlight.
    • Bombas makes great socks! They make a variety of them, including merino wool for colder weather, and they donate a pair for every pair sold. Keep your feet and soul warm!
  • Just can’t find that unique gift for the geek in your life? ThinkGeek has you covered! This webstore has been around for quite a few years but has recently joined forces with Amazon to house the webstore and Gamestop for good, old-fashioned brick-and-mortar stores. They have a little of everything from Star Trek pizza cutters (shaped like the Enterprise) and Star Wars cookie cutters to collectibles and clothing.

Hopefully, you will find this gift guide either helpful in your holiday shopping rush or just plain fun, because I sure had some fun researching and writing it! From all of us here at Blue Valley Technologies and Networks Plus, we wish you the best of holiday warmth, kindness, and cheer!
