Breaking Down a Breach – What Happened and How to React
Hello and welcome to the Breaking Down a Breach series!
It’s time to select a breach or cyberattack that has been in the news, analyze the information that is publicly available, and offer some recommendations for protecting your network against similar attacks. We will be looking at these attacks based on the five “P’s” of cyberattacks[i]:
Our goal in this series is to uncover what happened, how it was accomplished, and what you can do with your environment to help protect yourself. Remember that there is no one ‘silver bullet’ for security! Rather, you have to build your technical measures in depth[ii] and, most importantly, develop a culture of security. There is no such thing as ‘My company is too small/large/unusual/whatever to be a target’. The cybercriminals know that you have something of value and will do whatever they can to get their hands on it.
Today, we will take a foray into one of the most troublesome and, unfortunately, most effective tactics used by cybercriminals – phishing. Essentially, this type of cyberattack uses email and social engineering to ‘hack the human’, a much easier task than penetrating a network by technical means. There are a number of variations on this technique – business email compromise (“BEC”), spear phishing, and even whaling (yeah, I don’t know who thinks up these names…).
In October of this year, the city of Ocala, Florida suffered a loss of $500,000 due to a successful spear phishing scam[iii]. Let’s take a closer look…
What happened: An employee in a city department received an email that appeared to be from a construction company which was currently doing work for the city of Ocala. The email contained an invoice, coupled with a request to remit payment via electronic funds transfer to a specific bank account. The invoice was real – the city did, in fact, owe $640,000 to the contractor for work performed – but the bank account to which the funds were transferred was fraudulent. When the city discovered the fraud, there was still about $110,000 left in the fraudulent account which the city then recovered. Investigations are ongoing and few other details are known at this time.
How it happened: This story may lead you to believe that the fault lay with an inattentive staff member, but reading between the lines reveals a tale that is more disturbing and, unfortunately, all too common.
The first thing that struck me was this question – “How did the attacker spoof the email and produce a ‘legitimate’ invoice?” As stated earlier, investigation is ongoing, so the real answers regarding the Probe and Penetrate phases of this attack aren’t available; however, I will speculate on the methods used, based on knowledge of previous cybercriminal tactics.
First, since the contractor was working for a municipality, this relationship is a matter of public record. Likely, this was published in a local paper more than once – i.e. city council meetings, legal notices, or perhaps even articles. The attacker didn’t expend much effort to get the basic information.
Secondly, getting an email, including addresses, signatures, and perhaps even an invoice from the contractor might have required little more than a phone call, posing as a city employee and directing that the email be sent to an alternate address – e.g. ‘My computer is down but you can send it to this Gmail/Hotmail/ISP address…’ With a very small investment of time and work, the cybercriminal has completed the first phase of his reconnaissance.
The next phase is to penetrate and pilfer by spoofing the email, sending it to the correct city department, setting up a fraudulent bank account, and waiting for the money to come in. Finding the correct department or even individual is once again pretty simple; the information may have been available from multiple sources, including legal notices in the paper, the city’s website, or even another phone call. (FYI – I found email addresses, phone numbers, names and bios on the city website in about a second and a half. Not too hard to imagine how the cybercriminal got the necessary information.)
Obviously, the cybercriminal(s) found some pretty low hanging fruit here. The next question I ask myself is – “Why did this actually work?” This is where things get really frightening.
- The invoice and account were not confirmed. Once again, only sketchy details are available (I am speculating), but it is pretty unusual for an electronic funds transfer to be requested to pay an invoice, especially for a municipality. Even had this been the agreed method of payment, a change in the receiving bank account should have been noticed and confirmed prior to payment. Simply picking up the phone and having a short conversation between the authorized contacts would have avoided this loss.
- The ‘two-man’ rule was apparently not in effect or broke down. Standard accounting and security practices dictate that amounts exceeding the purchase or payment authority of any person be reviewed and authorized by at least two people in ascending order of authority. Simply put, payment should not have been issued without secondary review and approval. Even though the invoice appeared to be legitimate, the receiving bank account was clearly not.
- Weak email security. Certain DNS records should be in place to improve mail server reputation and help prevent spoofing. In addition, a modern email security service using a sophisticated threat intelligence and behavior analysis filter would likely have caught and quarantined this attempt.
- End user security education would have greatly improved the chances of avoiding this attack. Clearly, the end user in this case did not recognize this as a phishing attempt.
There were no persistence or pivot steps to this attack. This was an obvious ‘snatch-and-grab’, but it could have just as easily contained a malware component to allow the cybercriminal access to internal systems.
What you can do to protect your company: Although this attack was fairly straightforward fraud for a payday, the reason it was successful can be attributed to a weak security culture and some missing or misconfigured technical controls. Here are a few lessons you can apply to help protect your business:
- Be cautious of the information you post publicly – The Ocala city website[iv] contains an incredible wealth of information for a cybercriminal. While this is a website for a municipality and thus requires more openness than a typical business, it is best to eliminate direct contact links from your website, using contact forms and phone numbers where possible and requiring authentication for more privileged information. Networks Plus recommends that you limit the information you post to your website or social media accounts, including email addresses and process documentation.
- Improved security processes and procedures – As mentioned above, the ‘two-man’ rule eliminates quite a few potential sources of trouble, but it is not the only security practice that should be used. Make certain that you implement the principle of least privilege and separation of duties. When you develop security processes and procedures, make sure they are followed implicitly. Remember Horton’s Rules for Basic Security:
- STOP, LOOK, AND THINK before you react to anything.
- DON’T TRUST ANYTHING. VERIFY EVERYTHING.
- Advanced email security – Implementing strong email security is an absolute must to prevent phishing attacks. Networks Plus offers a very strong email security package and can help you get your DNS records configured properly.
- Supply Chain management – While you cannot control what your vendors do with their networks, you can and should exert your influence. Develop a minimum security standard which you require of your vendors, including procedures for invoicing. This is not foolproof, by any means, but it does help both your company and your vendors to build a strong, secure relationship.
- Education – Once again, this breach all started with a phishing attack; not entirely surprising since 95% of attacks begin with a phishing email.[v] Make sure that you are training your entire company, including yourself, on security threats. Couple your training program with periodic tests to make sure that the lessons are being learned. Networks Plus partners with KnowBe4 to provide your organization top-notch security education and testing.
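The two email security points above mention DNS records without naming them. The following added example (not from the original post or from Networks Plus) assumes they are SPF and DMARC TXT records and audits them for settings that leave a domain spoofable; the domains and records are constructed samples and the function names are illustrative.

```python
# Added example: audit SPF and DMARC TXT records for spoofable settings.
# All domains and records below are constructed samples (.example names).

# SPF terms that cost a DNS query; receivers stop with an error after 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def audit_spf(txt_records):
    """Return findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record, any server may claim to send for this domain"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records, receivers treat this as an error"]

    findings, all_qualifier, lookups, has_redirect = [], None, 0, False
    for term in spf[0].split()[1:]:
        # A mechanism without a qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("=")[0].split("/")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier

    if all_qualifier == "+":
        findings.append("SPF: +all authorises every sender on the internet")
    elif all_qualifier == "?":
        findings.append("SPF: ?all is neutral, unauthorised senders are not failed")
    elif all_qualifier == "~":
        findings.append("SPF: ~all (softfail) marks but does not fail unauthorised senders")
    elif all_qualifier is None and not has_redirect:
        findings.append("SPF: no 'all' or redirect, result defaults to neutral")
    if lookups > 10:
        # Only top-level terms are counted here; nested includes add more.
        findings.append(f"SPF: at least {lookups} DNS-querying terms, limit is 10")
    return findings


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record, receivers have no policy for failing mail"]
    if len(dmarc) > 1:
        return ["DMARC: multiple records, receivers apply none of them"]

    tags, findings = parse_tags(dmarc[0]), []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag, record is unusable")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, no aggregate reports to reveal spoofing")
    return findings


# Constructed sample data: what a DNS TXT lookup might return per domain.
SAMPLES = {
    "weak-contractor.example": {
        "spf": ["v=spf1 include:_spf.mailhost.example ~all"],
        "dmarc": ["v=DMARC1; p=none"],
    },
    "hardened-city.example": {
        "spf": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened-city.example"],
    },
    "unprotected.example": {
        "spf": ["site-verification=constructed-token"],
        "dmarc": [],
    },
}


def audit_domain(name):
    """Combine SPF and DMARC findings for one of the sample domains."""
    records = SAMPLES[name]
    return audit_spf(records["spf"]) + audit_dmarc(records["dmarc"])


if __name__ == "__main__":
    for domain in SAMPLES:
        print(domain)
        for finding in audit_domain(domain) or ["no findings"]:
            print("  -", finding)
```

These records protect only the exact domain they are published for; mail sent from a lookalike domain can still pass, so confirming a changed bank account by phone remains necessary.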
At Networks Plus, cybersecurity is our focus. We want to ensure that your company can prevent and recover from cyberattacks. Contact a member of our Business Consulting team to discuss how our products and services can help you build a strong and resilient network for your business.
[i] For more detail on the Five “P’s”, read the first Breach blog here: https://www.networksplus.com/breaking-down-a-breach
[ii] For more information, here is my blog: https://www.networksplus.com/defense-in-depth-a-primer
Why Small Businesses are at Risk of Cyberattack
By: Jake Schulte, IT Manager
Small business owners are busy. They’re pros at wearing multiple hats at the same time and making it look good. While doing what they do best, often there’s not a lot of time for thinking about threats from the web.
Cybercriminals know this.
Additionally, many small business owners aren’t aware of the threats that exist, nor how those threats could cripple or shut down their business. Since they don’t know, keeping the electronic assets they depend on for the success of their business secure from cyber threats is left out of the budget.
Cybercriminals know this too and take advantage.
Since you can’t prepare for a risk you don’t know exists, here’s a breakdown of how cybercriminals find success targeting small businesses.
Criminals cast a net
Small business owners may assume they’re too small to be specifically targeted for attack. In some ways they’re right. Instead of targeting one small business, cybercriminals target millions by casting a wide net with scores of automated phishing emails.
Criminals know the vast majority of recipients will not fall prey, but they also know a small percentage will fall for it and they can target those who do.
The net brings targets
Automated phishing nets a new set of targets the criminals know are vulnerable to hacking. Cybercriminals use this new information to escalate their targeting with more personalized efforts, known as spear phishing.
This type of attack could consist of emails that use the names of people in the organization. Recognizing the name as familiar, the spear-phished target opens the file attachment, unleashing harmful malware designed to gather information from the computer.
The malware could install a keylogger to track and report every keystroke made by the user, exposing passwords and other sensitive info. Or the malware could take the form of ransomware, holding vital information hostage for payment.
Other nefarious possibilities from successful spear phishing are equally alarming.
It’s a widely used tactic. About 95% of all attacks on small businesses are the result of successful spear phishing.
Efficiency can make small businesses vulnerable
We hate to say it, but security and efficiency are often polar opposites. The drive to accomplish more in less time can create security holes.
For example, it may be efficient for memory’s sake to use the same password across multiple logins and accounts, but that puts each of those accounts and your entire system at risk. It may be convenient to keep the same login credentials for years on end, but that also increases security risk.
The solution for these risks is following security best practices with multiple layers of protection to guard against vulnerabilities.
Multi-layered security is the answer
A comprehensive security portfolio has multiple layers of protection to defend the business from all sides. From the outside in, here’s what might be included:
- Server and computer protection
- Best practice security policies
- Specific actions that protect systems
- Educated users
The reality is, every business is at risk from cybercrime. There’s no doubt technology improves business function, but it’s a tool that has to be protected and maintained.
At Networks Plus, we offer every layer of protection small businesses need to stay safe. Get in touch to keep your data–and your livelihood–secure.
Breaking Down a Breach
What Happened & How to React
By: Jerry Horton, IT Director
Hello and welcome to the first in the Breaking Down a Breach series!
In this part of the newsletter, we select a breach or cyberattack that has been in the news, analyze the information that is publicly available, and offer some recommendations for protecting your network against similar attacks. We will be looking at these attacks based on the five “P’s” of cyberattacks:
- Probe: This is the cybercriminal’s reconnaissance of the target. A surprising amount of information about any organization or individual is freely and publicly available.
- Penetrate: Once an attacker has completed their surveillance, they will choose one or more methods of gaining unauthorized access.
- Persist: Some cybercriminals are of the ‘snatch and grab’ school – launch some sort of attack to a wide variety of users and organizations, a small percentage will get infected, and the criminals will take the quick payday. However, persistence is the Holy Grail of cybercriminal activity. This is where real cybercriminals who have an agenda shine – they want to stick around and hide in the corners because you may have more than one thing of value. More importantly, they don’t want to leave enough traces of their penetration for you to find, meaning that they can be in your system for years (as they did in the Starwood Hotel breach)[1].
- Pivot: This is one of the goals of persistence; attackers poke around, see if they can get into other systems besides the one already compromised, see if they can elevate their privileges, and then really go to town deciding how much and what to steal.
- Pilfer: The ultimate end goal – take what they can and sell it or use it for another attack, whether that is on the same company or a totally different one.
Our goal in this series is to uncover what happened, how it was accomplished, and what you can do with your environment to help protect yourself. Remember that there is no one ‘silver bullet’ for security! Rather, you have to build your technical measures in depth[2] and, most importantly, develop a culture of security. There is no such thing as ‘My company is too small/large/unusual/whatever to be a target’. The cybercriminals know that you have something of value and will do whatever they can to get their hands on it.
Let’s kick this series off with one of the most famous breaches in recent memory – the Target breach of 2013. Your humble author and his lovely wife both had their debit and credit cards exposed during this debacle; fortunately, to no ill effect other than having to have new cards issued.
What happened: Cybercriminals did extensive probing to find a route into the Target network. Once a successful intrusion was accomplished, the criminals determined what vulnerabilities were available to exploit and, through a series of small attacks and elevations, were able to gain access to the Point Of Sale (“POS”) system. Once firmly entrenched in this system, the criminals pilfered records, estimated at well over 40 million credit and debit card transactions, which were then put up for sale on the dark web (a hidden internet largely used for illegal activities). According to a Huffington Post article in 2015[3], the estimated cost to address this breach had exceeded $252 million and the loss in profit, stock value, and public trust required years to repair.
How it happened: While the extent of the reconnaissance cannot be fully known without interrogating one of the cybercriminals, what is known is that much information was easily accessible from simple internet searches. The Target Supplier Portal listed all of the vendors used by Target, giving the cybercriminals a nearly effortless group of initial targets.
The criminals, using social engineering and phishing techniques, compromised computers at Fazio Mechanical, an HVAC vendor for Target. As a part of this compromise, they were able to harvest Fazio’s credentials into the Target network. The criminals then logged into and compromised the Target vendor network.
Once into the Target network with credentials that were legitimate, it was a matter of scanning for vulnerabilities and exploiting them to move laterally and elevate their privileges. This portion of the attack is still not entirely known, but it is suspected that a common attack against web-enabled databases known as SQL injection was used to gain access to other systems, including the POS system. The attackers had now hit the motherlode, setting up a ‘skimming’ type of program which copied the transactions into a file on a ‘dump’ site which had been set up on a server with internet access (the POS system, by design, does not have direct internet access). They exfiltrated the files by disguising the outbound file transfer as an innocuous type of traffic.
What you can do to protect your company: Because of the complexity of the breach and the sophistication of the attack, there are a number of lessons to learn from the Target breach. Many of the vulnerabilities the attackers exploited have simple solutions, while others require technical and procedural fixes that are more stringent.
- Be cautious of the information you post publicly: The Target Supplier Portal was easy to find using a simple Google search. The Portal was a rich source of information that required no security whatsoever to access.[4] Networks Plus recommends that you limit the information you post to your website or social media accounts, including email addresses and process documentation.
- Secure remote access: Any remote access to internal systems should require Virtual Private Network (“VPN”) connectivity and multi-factor authentication, at a minimum. The initial breach of the Target systems would have been nearly impossible had multi-factor authentication been required. Even with these extra measures, any direct access to internal systems should be severely limited using the principle of least privilege.
- Advanced endpoint protection: A simple anti-malware package is just not enough to protect against modern cyber threats. The majority of attacks launched during the Target breach could have been stopped very quickly if each of the computers involved had used advanced endpoint protection which monitors and reacts to any unusual activity. Taking this concept a bit further, network monitoring with intrusion detection and prevention would have gone a long way to stopping this breach dead in its tracks.
- Supply Chain management: While you cannot control what your vendors do with their networks, you can and should exert your influence. Develop a minimum security standard which you require of your vendors. This is not foolproof, by any means, but it does help both your company and your vendors to build a strong, secure relationship.
- Security maintenance: Configure any system access using the principle of least privilege – only assign the minimum rights and privileges required to perform the job. Use lengthy passphrases[5] (14 characters, minimum) and multi-factor authentication where possible. Make sure to remove or disable unused or orphan accounts, not just on your internal network, but with any external source as well. Those old online accounts may have been compromised and provide a potential attack vector.
- Education: The Target breach all started with a phishing attack; not entirely surprising since 95% of attacks begin with a phishing email.[6] Make sure that you are training your entire company, including yourself, on security threats. Couple your training program with periodic tests to make sure that the lessons are being learned.
At Networks Plus, cybersecurity is our focus. We want to ensure that your company can prevent and recover from cyberattacks. Contact a member of our Business Consulting team to discuss how our products and services can help you build a strong and resilient network for your business.
Don’t Get Hacked This Holiday Season
By: Kathryn Schoening, IT Technician
The most wonderful time of the year is here. Make sure it stays wonderful by protecting your data, computer, and yourself when purchasing the perfect presents online.
Scammers are always dreaming up new ways to take advantage of as many people as possible. These tips will protect you no matter the illicit scheme that comes up next.
- Make sure your antivirus is up to date. Having an antivirus installed on your computer is protection 101, but don’t delay the updates either. Your antivirus can’t protect you if it doesn’t know how.
- Antivirus pop-ups are a scam. Never click on a pop-up that claims your computer is infected and needs a scan. If you had a virus, the antivirus program on your computer would tell you. Run a manual scan using your installed antivirus if necessary.
- Keep passwords unique. It’s less convenient, but keep passwords unique for each account login such as online banking, retailers and other sites with personal information. Consider setting up multi-factor authentication for critical accounts. It takes more time to log in, but increases security substantially.
- Only store passwords in a secure password manager. Again, it’s not as convenient, but avoid auto-saving passwords in your devices. If your computer or phone gets lost or stolen, criminals get easy access to your accounts without even needing your password. The inconvenience of typing your password every time you log in is worth it to keep your information secure.
- Don’t send information. Don’t share login information and passwords over email or text even to people you trust unless using some sort of encryption. The information can be intercepted by hackers while in transit to the recipient.
- Monitor your accounts. Check your bank and credit card statements for unknown charges. Many banks and credit cards also allow you to get a message every time a charge is applied.
- Keep your receipts. After you make a purchase, put the confirmation, receipt, and tracking number in a designated place in your email inbox until the shipment arrives. If you don’t get the package, contact the merchant.
- Look for the “S.” Ensure you’re only making purchases from websites with an address that uses HTTPS (Hyper Text Transfer Protocol Secure). Always make purchases from secure websites to protect yourself and your data.
- Update from Windows 7. Microsoft will stop creating updates and security patches for Windows 7 starting in January. If you have Windows 7, it’s time to upgrade your operating system. Give us a call if you need help!
From all of us at Networks Plus, we hope you have a safe, warm, merry season!
EOL for Windows 7
End of Life for Windows 7 & Server 2008
What Does It Mean??
By: Paul Facey, Advanced Technician
It’s the end of the road for Windows 7 and Server 2008 platforms. Starting January 14, 2020, Microsoft will no longer support updates, security patches, or development of these systems.
Though that means no more disruptive notifications telling you to install the update and restart your computer, it also means security problems discovered after that date will not be fixed by Microsoft.
In effect, any newly discovered security holes could be exploited by hackers for criminal purposes. There’s no telling what they might do, but possibilities include gaining control of your computer and modifying it for their own purposes, installing software to monitor keystrokes, using it to launch malware or DoS (denial of service) attacks against other systems, or just about anything else.
End of life also means there could be compatibility problems installing new software. Over time, the system will slow because it won’t have new drivers to make it function its best. Without system updates, anti-virus protection will quickly become out of date, unable to identify new threats.
The single best solution for addressing this problem and keeping your system secure is installing Windows 10 or the latest version of Microsoft server, whichever suits the need. As fully supported platforms, these operating systems will continue to be secure for a long time.
Though it may be cost-prohibitive for businesses with many systems to upgrade all at once, we recommend using a phased approach to get started as soon as possible. Keep in mind that not all computers running Windows 7 have the capability to support Windows 10. The best investment may be to upgrade the entire computer and get the new hardware and warranty that come with it. If you’re not sure about your best option, we can help you identify the most cost-effective solution.
If there’s a reason you haven’t updated already, such as using legacy software that’s not supported by newer versions of Windows, the prospect of updating may be more challenging.
There are options though. You can purchase Extended Security Updates (ESUs) from Microsoft. The downside of this solution is it will only be available through 2023, and the price will double every year. The ESUs have to be purchased on a per-device basis starting at $25 the first year.
If your business is uniquely reliant on Windows 7, we can help identify customized options using third-party software and anti-virus.
A final note on updates in general. Though they often pop up at inconvenient times, they don’t have to drain your productivity. At Networks Plus, scheduling updates for nights, weekends, or whenever is convenient for you is one of the many benefits of our managed service product. Give us a call if you want to know more about how we can help!
All I Want for Christmas is…
By: Jerry Horton, IT Director
Autumn is here! Days are filled with harvest, canning, and the warmth of family Thanksgiving traditions. As we celebrate the bounties of our work during the fall, thoughts begin to turn to winter and the excitement of holiday giving. So, what in the world do you get that special person in your life? They already have all of the ties, mittens, and ugly Christmas sweaters they can possibly use; no one likes fruitcake; and those golf clubs may be on sale, but wrapping a golf club is like folding a fitted sheet!
Not to worry, friends, your techno-geek of all trades is here to help with suggestions sure to satisfy the techies, and even the not-so-techies, in your life.
I opted to avoid calling this one ‘books’ because A) I’ve found that certain online magazines are well worth the time and B) ‘Reading Material’ just sounds more techie…
- How To by Randall Munroe: There is a famous techie cartoon strip named XKCD which is filled with stick figures, math, physics, and humor. The author of this strip, Randall Munroe, has also written books which are both educational and delightful. His latest is certainly no different – absolutely impractical scientific solutions to (mostly) everyday problems. Buy it from Amazon
- ‘Ten Arguments For Deleting Your Social Media Accounts Right Now’ by Jaron Lanier: Do you have a friend or loved one who just can’t seem to pull themselves away from some social media, webpage or app? Jaron Lanier, a virtual reality guru, gives some solid and timely advice against social media in his book. Get it from Walmart
- Magazines & Webzines: Want to keep up on the latest in science and technology? Discover and Wired magazines are great choices to stay informed. Both have traditional print as well as webzines.
Yes, you are correct: smart stuff is a pretty vague category. One of the biggest problems is that a lot of products are marketed as ‘smart’ without a clear definition of what that actually means. For our purposes, we will say that something is ‘smart’ if it can connect, collect, and share information with other devices and the user.
- Smartwatches: Smartwatches seem to be everywhere and made by everyone, so how in the heck can you choose one?
- Make sure that you are shopping for a smartwatch that will connect to the correct phone! Apple watches will only work with the iPhone, but some smartwatches running Google’s Wear OS will work with both Android and iPhone.
- Make sure the watch supports features that are important to you. FitBit is great for helping you keep up with your exercise regimen, but won’t support your Apple Music playlists.
- Check the specifications so you can get the watch with the right battery life and water resistance for you, as well as swappable bands and clasps. A smartwatch has to be practical and fashionable! Find your smartwatch from BestBuy.
Smart Home Devices
At this point, it would be difficult to find someone who hasn’t heard of a smart home device. I’ve even seen a ‘smart’ dog treat dispenser… Rather than adopt a technology just because it is fun or creative, let’s stick with the ones that are easy to install, use, and have some practical value.
- Thermostats: The most practical smart home devices are ones that can help you save money. Smart thermostats are the next evolution in energy control, replacing the clunky and temperamental programmable thermostats of a few years ago. Nest, Ecobee, and Honeywell are top-rated choices with proven energy savings.
- Smart locks: Another very practical smart home device which can actually save you a lot of time and trouble. No need to pass out and keep track of physical keys – just give access to the folks who need it, even on a temporary basis. My favorite is the August Lock Pro, which retrofits onto any existing deadbolt, but Yale, Kwikset, and Schlage all have great models, too.
- Smart Speakers/Home hub: Now, I am a music lover, so smart speakers are right up my alley, but they can also do so much more – local news and weather, daily devotionals, games, and even working as an intercom. There are far too many manufacturers and products to list them all, but here are a few to get you started: Amazon Echo, Sonos One, and the Apple HomePod are all great choices. If you plan to build home automation routines, you will need to make sure you have a home hub for all of those devices to communicate. Fortunately, the Amazon Echo, Google Home, and the Apple HomePod have this feature built in. If you want some more information, or would like to see home automation in action, contact us and tour our Smart Home demo!
Yes, you read that correctly; there is such a thing as smart clothing. Most of the products are centered around exercise gear, but there are some interesting (if a little bizarre) items that might fill a need.
- Smart Jeans: As odd as it may sound, your pants will know where you are even if you don’t. They have built-in geolocation and alert sensors which connect to your smart phone to help you navigate in urban areas. Sorry, guys, these are for the lovely ladies.
- Smart Jackets: Same concept as the smart jeans. Google does it again. Take a look here.
- Smart Socks: Before you roll your eyes and wonder what the world is coming to, the smart socks I am listing here actually have a practical purpose. First is the Owlet, a smart sock for babies. It monitors heart rate, oxygen level, and sleep cycles. Next is the Siren, a smart sock designed to help diabetic patients take better care of their feet. Both of these are great examples of the amazing healthcare potential of smart wearables!
Techie Miscellaneous Gifts
Sometimes, a gift doesn’t need batteries or WiFi to be fun, practical, or just that thing to finish out your collection. Here are some things for the nerdier set…
- Can’t find the key you are looking for on the ring? Or just can’t find your keyring because you set it down and walked away? Keysmart Pro is your solution! This product is something like a do-it-yourself ‘swiss army’ key organizer with a Tile™ locator built in, so now you can find the right key after you find your keyring!
- Ok, I freely admit these two products remind me of late-night TV infomercials (I can almost hear the dulcet tones of Billy Mays extolling the virtues of these…), but I can see some practical value in them. Fair warning – I make no claim that these are good products, just that they are interesting, so buy these products at your own risk!
- VIZR turns your smartphone into a heads-up display. To me, this has some real practical value while using navigation apps and driving. I’m surprised some smartphone manufacturer hasn’t done this yet.
- Peeps claims that this is the same tech used by NASA on the space station (for what exactly, I don’t really know, and they don’t say). From a practical engineering standpoint, using forceps (AKA tweezers) to clean glasses makes some good sense, as do carbon microfiber cloth cleaning pads.
- Need some new kicks? Concerned about the environment? Rothy’s has the answer to both! This company makes their footwear by using a type of 3D printing to weave the shoes out of recycled water bottles. Stylish and environmentally friendly!
- This gadget is tailor-made for me, your humble tech-head (ok, maybe humble is a little inaccurate…) Finally, someone took the time and trouble to invent a temperature-regulating coffee mug! Ember makes smart coffee and travel mugs, which use a mobile app to keep your beverage at just the right temperature and even track your caffeine intake.
- It’s no secret – I detest the cold. It seems I can never keep my hands or feet warm enough. If you are like me, try these products:
- Just can’t find that unique gift for the geek in your life? ThinkGeek has you covered! This webstore has been around for quite a few years but has recently joined forces with Amazon to house the webstore and Gamestop for good, old-fashioned brick-and-mortar stores. They have a little of everything from Star Trek pizza cutters (shaped like the Enterprise) and Star Wars cookie cutters to collectibles and clothing.
Hopefully, you will find this gift guide either helpful in your holiday shopping rush or just plain fun, because I sure had some fun researching and writing it! From all of us here at Blue Valley Technologies and Network Plus, we wish you the best of holiday warmth, kindness, and cheer!
Even Cybersecurity Guys Lose the Battle from Time to Time
By: Jerry Horton, Technology Director
Financial fraud and identity theft are like the Hydra of ancient myth: if you cut off one head, two grow in its place. Target, Home Depot, and even Equifax have had breaches which exposed millions of customers to financial fraud. Having made purchases from both Target and Home Depot during the time of the exposures, I had to deal with the inconvenience of contacting my banks and card companies to disable my cards and get new ones issued. Even though folks nationwide experienced financial fraud as a result of these breaches, the total effect was relatively limited, given the scope of the breaches. Both the forthrightness of the companies involved, and national media coverage of the breaches helped to keep the damages low, as well as ensuring those affected had ample opportunity to react. As alarming as the large, well-publicized events can be, they unfortunately do not give a complete picture of the full threat facing the consumer and can even lull people into believing that such things happen ‘somewhere else, but not in our small town’.
Unless you are from the Northeast Kansas region, this story probably didn’t show up on your radar. In the small town of Wamego, Kan., folks, including your friendly cybersecurity-geek author, were going about the business of their daily lives, purchasing goods and services from local merchants using debit and credit cards as they normally do. Suddenly, these good citizens, including me, woke up to discover transactions on their accounts had occurred in faraway cities – transactions they did not make or authorize, in cities they were not in. As this case is still under investigation by multiple law enforcement agencies, I am going to avoid divulging much detail about the breach or method of attack, but suffice it to say many people in several local communities were adversely affected. Regardless of the amounts of money stolen, those victimized have been left feeling violated and far less trusting of our neighbors. Allow me to express my gratitude and admiration for the law enforcement agents working with me and the others. These public servants have been sympathetic, patient, and diligent in their collection of evidence and pursuit of the criminals. Well done!
As stated earlier, I cannot reveal significant detail about this incident, but I can offer advice on how to protect yourself and how to respond to such an event.
- Check your account statements at least once a week.
- While this may sound overly paranoid, there are several reasons to make frequent account reviews part of your routine. By law, the quicker you report an improper or unauthorized transaction on debit or credit card accounts, the less money you are required to forfeit. Credit cards are regulated in part under the Fair Credit Billing Act (FCBA), which caps the consumer’s liability at $50. Debit cards, on the other hand, are subject to the Electronic Fund Transfer Act (EFTA) and have a matrix of liability:

| If You Report: | Maximum Loss: |
|---|---|
| Before any unauthorized charges are made | $0 |
| Within 2 business days after you learn of the loss or theft | $50 |
| More than 2 business days after you learn of the loss or theft, but less than 60 calendar days after your statement was sent to you | $500 |
| More than 60 calendar days after your statement was sent to you | The entire amount of the transaction, plus any transaction fees that might be due |
- Keep your transaction limit on cards as low as you can. This is essential for a few reasons:
- Debit and ATM cards are directly connected to your bank account, sort of like a plastic version of a check, but much faster. Once a transaction is made, that change happens immediately to your account.
- If your card and PIN number have both been compromised, it may not trigger alerts because the transactions appear to be legitimate. The burden of proof will rest on you and those funds may or may not be available to you until the matter is resolved.
- While your liability may be legally limited for a lost or stolen card, the answer isn’t as clear when both card and PIN number have been compromised. You may be liable for the entire amount if you have insufficient proof.
- Use the chip on your cards whenever possible. Credit and debit cards have used magnetic stripes on the back of the card for years, and that technology is well known and easy to compromise.
- A skimmer is a physical hacking device placed on a card reader specifically to read and steal the data encoded in a magnetic stripe.
- A magnetic stripe card can be easily duplicated once the data has been captured.
- Chips on the cards are encrypted; the magnetic stripe is not.
- The data in the chip on the cards changes constantly, making them extremely difficult to skim and nearly impossible to duplicate.
- As silly and outdated as it may seem, keep your receipts! (P.S. There’s an app for that. More to come in a future blog.) Physical or electronically reproducible copies will help you:
- Quickly and easily reconcile your accounts.
- Provide evidence of locations, dates, and transaction history.
- Stay compliant with best accounting practices and the law (if the expenses are for a business).
- Notify authorities immediately!
- If you find a skimmer on a gas pump or other card reader, contact the police and stay on-site until they arrive. If you find unauthorized transactions on an account, notify the card issuer(s) and contact law enforcement, both in the jurisdiction where you live and where the unauthorized transaction took place.
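To make the chip-versus-stripe item in the list above concrete, here is an added example (not part of the original post) that models why copied static stripe data still looks genuine to an issuer while a captured chip transaction cannot be reused. It is a simplified stand-in that uses HMAC-SHA256 and a transaction counter, not the algorithm real chip cards use; the class names, card number and stripe data are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sign(key, counter, amount_cents):
    """Per-transaction code: depends on the secret key AND a counter."""
    message = f"{counter}:{amount_cents}".encode()
    return hmac.new(key, message, hashlib.sha256).digest()


class Issuer:
    """Holds each card's secret key and the highest counter already seen."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def enroll(self, card_number):
        self.keys[card_number] = secrets.token_bytes(32)
        self.last_counter[card_number] = 0
        return self.keys[card_number]  # stored inside the chip only

    def approve_stripe(self, track_data):
        # A stripe offers only static data, so any exact copy looks genuine.
        return track_data.split("=")[0] in self.keys

    def approve_chip(self, card_number, counter, amount_cents, code):
        key = self.keys.get(card_number)
        if key is None or counter <= self.last_counter[card_number]:
            return False  # unknown card, or an old/replayed transaction
        if not hmac.compare_digest(sign(key, counter, amount_cents), code):
            return False  # code was not produced with this card's key
        self.last_counter[card_number] = counter
        return True


class ChipCard:
    def __init__(self, card_number, key):
        self.card_number, self._key, self._counter = card_number, key, 0

    def pay(self, amount_cents):
        self._counter += 1  # every payment produces different data
        return (self.card_number, self._counter, amount_cents,
                sign(self._key, self._counter, amount_cents))


def demo():
    issuer = Issuer()
    number = "4000000000000002"      # constructed test number
    card = ChipCard(number, issuer.enroll(number))
    track = f"{number}=2912"         # constructed static stripe data
    captured = card.pay(2500)        # one recorded chip transaction
    return {
        "stripe_original": issuer.approve_stripe(track),
        "stripe_copy": issuer.approve_stripe(str(track)),
        "chip_original": issuer.approve_chip(*captured),
        "chip_replay": issuer.approve_chip(*captured),
        "chip_next": issuer.approve_chip(*card.pay(990)),
    }


if __name__ == "__main__":
    print(demo())
```

The stripe check cannot tell the original from a copy, which is why the weekly statement review and low transaction limits above still matter for cards that fall back to the stripe.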
In an electronic, digitally connected world, it is inevitable you will be a victim at some point. Make sure you have developed good habits for using credit or debit cards, minimized your exposure, and kept a good paper trail.
And to the deputy who is assigned to my case, I owe you a cup of coffee…or two!
Defense in Depth – A Primer
By: Jerry Horton, Technology Director
“Defense in depth,” what exactly does this mean? Is it a new cheat code for Fortnite? A military strategy developed for action movies? An advertising buzzword phrase to entice you into spending more money?
The answer is far simpler and less sinister. Simply put, defense in depth is a security engineering concept used when designing systems, whether the system is computer-based or physical. The idea is to identify the most likely weaknesses and attack points and then build protections around them. A great way to think of a system built with defense in depth is to envision a medieval castle.
As you look at the picture to the top right*, you see several features that protect the occupants and fend off invaders. The round towers provide a 360° view of all approaches. The barbican (that’s the gate out in front of the moat) gives the defenders a location to identify and repel attackers before they can reach the castle. The moat and the drawbridges control access to the castle and separate it from the surrounding countryside. The battlements (the top part of the surrounding wall) provide troops with a sure and solid footing to maintain a defense without exposing themselves to danger. These features, together with several others, provided King Jerry and his adoring subjects with defense in depth – an attack on any one part of the castle would not endanger the whole.
Modern networks are like a medieval city; far too many points of possible attack to be defended by a single system. The days of making sure you’ve updated your anti-virus and calling it good are long gone. Today, you have to consider viruses, phishing, denial-of-service, social engineering, mobile devices, cloud computing…the list goes on and on! To begin building your castle defenses, here are a few suggestions:
- Identify what you need to protect
Your first task is to figure out what you’ve got, where it’s at, and who uses it. This sounds like an oversimplification, but the truth is you will not understand what defenses to build until you know what you’re trying to defend! You have computers and probably a server, but that is only the beginning. Do you have a wireless network? Mobile phones and tablets? Do you use cloud-based services, like Office 365? These systems house part of your data and have their own unique security needs.
- Protect against the most common threats
In the Middle Ages, kingdoms had to worry about roving groups of bandits, contentious neighbors, and international kingdoms who wanted to acquire resources. History is repeating itself: cybercriminals are in a perpetual state of war to get your data and resources using malware, social engineering, and brute force. Build your basic castle walls with anti-malware on every device, including servers and mobile devices, a business-grade firewall, and a well-designed backup as your castle keep when the outer walls fail. Other protections include enforcing strong password discipline, requiring secure VPN access to your network from mobile devices, and educating your staff on cybersecurity.
- Detect threats before they become a problem
Just as a medieval castle wasn’t simply a wall and a locked gate, you can’t rely on simple protective measures to keep your data secure. Castles had lookouts and patrols to help defend the kingdom. Fortunately, you don’t have to employ knights and provide for their horses! Deploy a secure business-grade wireless network, enable unified threat detection on your business-grade firewall, implement advanced endpoint protection on your computers and servers, use a robust email security service to reduce or eliminate phishing attempts, and perform regular security reviews. If your business has requirements to comply with regulations, you will want to consider even more stringent security policies and measures, including a Security Information and Event Manager (“SIEM”) and possibly Mobile Information Management.
The royalty of the Middle Ages knew their world was dangerous and that doing one or two things was not enough to keep their kingdoms safe. They built complex systems of defense to avoid disaster. Likewise, our digital kingdoms are at risk and should require a similar level of diligence. For more information on how to become Sir Lancelot for your organization, contact our legion of security knights at Networks Plus!
*Castle Features – https://www.tes.com/lessons/HXqtwMKFUnRWcA/copy-of-identifying-the-featu…
What is BEC & How to Protect Yourself From It
By: Jerry Horton, Technology Director
I recently read an article about a company that lost $21 million to cybercriminals. This headline may make you envision a basement filled with bad guys in hoodies hammering away at keyboards; or perhaps Tom Cruise descending on a bungee cord to extract records from a high security mainframe. However, the truth is far less glamorous and much more frightening. The theft of these funds was committed in increments with the willing, but unknowing, participation of the company’s CFO and a Managing Director – simply because they were completely fooled by a cybercriminal posing as the CEO.
Anatomy of a Business Email Compromise
In his Nov. 10 blog post, Stu Sjouwerman of KnowBe4, Inc. (Networks Plus’ partner for security awareness and training), gave the following synopsis of the cybercrime:
“Thursday, Mar. 8, the [Managing Director] of a Dutch movie chain gets an email from the CEO of their holding company: “Did KPMG already call you?” The email was sent from a smartphone. The MD forwards the email to their CFO, but both are puzzled. They decide to email back and ask what the issue is.
The answer is a classic CEO Fraud tactic: “We are in a confidential M&A process with a foreign company in Dubai, and any communications can only be done using the personal email address of the CEO. Please transfer the first 900K and this money will be transferred back to you at the end of the month.”
An email thread ensues where the MD wants to make sure that the transaction is legit. “No worries”, confirms the holding company CEO. Please transfer the first 10% of the acquisition.
Tuesday, Mar. 13 the second transfer gets made: $2.5 million. The two execs wonder what is going on, but decide to comply with the CEO’s orders. More transfer requests follow, for higher amounts. Tuesday, Mar. 27 the “last payment” gets made. A total of $21 million dollars has been transferred over two weeks, and they get assured: “Yes, we’ll now transfer this money back right away”. That was the last thing they heard.
Finally, the HQ wakes up, grabs the phone, and asks about the transfers: “What is going on? What was the money used for?” The penny drops. The two execs have fallen for a CEO Fraud scam…”[i]
Business email compromise or ‘BEC’ is absolutely rampant. The FBI reports that BEC scams have cost businesses $5.3 billion from 2013-16. Trend Micro predicts losses will exceed $9 billion by the end of 2018. How can you avoid being a victim?
BEC – Avoiding the disaster
BEC is a simple tactic using social engineering and phishing to draw out the potential victim. Email addresses are, by their nature, somewhat exposed. Clearly, the CFO and Managing Director in the story above made an error and then further compounded their mistake by not following the two most basic rules of cybersecurity:
STOP. LOOK. THINK.
TRUST NOTHING. VERIFY EVERYTHING.
What do you need to look for?
Here are a few dead giveaways:
- The domain doesn’t match. It is an old cybercriminal trick to use domains that look correct at first glance but are fake. Examples: firstname.lastname@example.org instead of email@example.com.
- The “Reply To” address doesn’t match the “From” address. It is even common for the “From” address to be incorrect – the cybercriminal only changed the displayed name.
- The message contains an urgent or confidential call to action. If you read the content of the message closely, the urgency contains little to no justification for the request being made.
- Payments requested for unusual amounts to routing numbers or accounts that are unfamiliar, or even wire transfers to foreign accounts.
- Requests for payment at the end of the day, before weekends or holidays.
- The email contains an unrequested attachment. Never open an attachment without verifying first!
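As an added example (not part of the original post), the header-level giveaways in this list can be checked automatically as a triage step before a person reads the message. The trusted domain, the executive name, the urgency word list, the 0.85 similarity threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the organization's real domain and the display
# names of executives an attacker is likely to impersonate.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"pat morgan"}
URGENCY = re.compile(r"\b(urgent|confidential|immediately|right away)\b", re.I)

# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Pat Morgan" <pat.morgan@examp1e.com>
Reply-To: pat.morgan.private@mail.example.net
To: cfo@example.com
Subject: Confidential - payment needed today

Please send the first payment immediately. I will explain later.
"""
GENUINE = """\
From: "Pat Morgan" <pat.morgan@example.com>
To: cfo@example.com
Subject: Lunch on Friday

Are we still on for noon?
"""

def name_and_domain(header_value):
    """Split an address header into (display name, domain), lower-cased."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def is_lookalike(domain, threshold=0.85):
    """True if the domain is close to, but not the same as, a trusted one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(SequenceMatcher(None, domain, trusted).ratio() >= threshold
               for trusted in TRUSTED_DOMAINS)

def bec_indicators(raw_message):
    """Return the giveaways from the list above that this message shows."""
    msg = message_from_string(raw_message)
    from_name, from_dom = name_and_domain(msg.get("From"))
    _, reply_dom = name_and_domain(msg.get("Reply-To"))
    findings = []
    if is_lookalike(from_dom):
        findings.append("lookalike-domain")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    if from_name in EXECUTIVE_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append("display-name-only-match")
    parts = [p for p in msg.walk() if not p.is_multipart()]
    text = msg.get("Subject", "") + " " + " ".join(
        p.get_payload() for p in parts if p.get_content_type() == "text/plain")
    if URGENCY.search(text):
        findings.append("urgent-or-confidential")
    if any(p.get_filename() for p in parts):
        findings.append("attachment")
    return findings

if __name__ == "__main__":
    for sample in (SPOOFED, GENUINE):
        print(bec_indicators(sample))
```

An empty result only means none of these header and wording checks fired; a request for payment still needs the direct verification described next.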
If you have looked but are still not certain, verification is of the utmost importance. If you suspect BEC, do not reply to the email; speaking directly to the requestor is the best way to verify the request. If that is not possible, verify the request via a valid email address.
It has been said that building a good offense yields the best defense. While a traditional offensive against cybercriminals is impractical, there are some practices that you can proactively adopt to minimize or prevent BEC.
- Implement a company-wide security education program. The value of this cannot be overstated! Most BEC attacks do not use any technical exploits – just old-fashioned human hacking through social engineering. Education is key to identification, detection, and prevention of BEC and other social engineering attacks.
- Implement an identity management platform with multifactor authentication.
- Create or tighten policies for payments or wire transfers, including a standard time delay, verification by voice, and two-person controls (also known as the two-man rule).
In the modern internet marketplace, cybercriminals are pickpockets preying upon the unsuspecting; however, with education, practical measures, and vigilance, you can help your company avoid becoming a victim.
If you’re interested in a company-wide security education program, contact me. I’d be happy to educate you and your staff on this very important issue.
How to Stay Safe Black Friday & Cyber Monday Shopping
By: Katy Schoening, IT Technician
The holiday shopping season is officially upon us! If you’re anything like me, you’d rather sit in the comfort of your own home, sipping coffee in your jammies, and shop online rather than battle the masses at the mall or outlet stores. So, in the interest of keeping you safe from cyber criminals, here are three tips to keep your personal information and finances protected while you hunt down that perfect gift for all your loved ones! (Or for that one weird Uncle Paul whom you haven’t seen in years, but your Mom guilt trips you into buying him something because “he’s still family”).
- Cyber criminals commonly use crazy-low merchandise prices on their websites to lure in their victims. As the saying goes, “if it seems too good to be true, it probably is.” So, keep an eye out and avoid those types of websites. Try to stick with websites you are familiar with.
- During the purchasing process, check the website address and make sure it’s using HTTPS (Hypertext Transfer Protocol Secure). If not, it’s a good idea to CTRL+ALT+DEL and abort mission before you hit that confirmation button. It is ALWAYS best to purchase from a secure website to better protect yourself.
- If you do happen to be out and about, maybe to grab another cup of coffee, it’s best NOT to use public WiFi for online purchases or checking bank account information. It tends to be a prime target for hackers and as the technology world advances, so do cyber criminals.
Holiday shopping is always fun. However, one wrong cyber-step can really throw a wrench into your Christmas spirit, so please be safe and shop smart!
*NOTE: Please don’t forget to shop local first! Many of your favorite local stores also have an online presence and when dollars stay local, we all win! And remember – Saturday, November 24th is Small Business Saturday. Please plan to support your local businesses!