A division of Blue Valley Technologies

Networks Plus |  Call: 785.587.4121 |  IT Support: 800.299.1704

Blogs

Find the latest news and information here.

Even Cybersecurity Guys Lose the Battle from Time to Time

By: Jerry Horton, Technology Director

Financial fraud and identity theft are like the Hydra of ancient myth: if you cut off one head, two grow in its place. Target, Home Depot, and even Equifax have had breaches which exposed millions of customers to financial fraud. Having made purchases from both Target and Home Depot during the time of the exposures, I had to deal with the inconvenience of contacting my banks and card companies to disable my cards and get new ones issued. Even though folks nationwide experienced financial fraud as a result of these breaches, the total effect was relatively limited, given the scope of the breaches. Both the forthrightness of the companies involved, and national media coverage of the breaches helped to keep the damages low, as well as ensuring those affected had ample opportunity to react. As alarming as the large, well-publicized events can be, they unfortunately do not give a complete picture of the full threat facing the consumer and can even lull people into believing that such things happen ‘somewhere else, but not in our small town’.

Unless you are from the Northeast Kansas region, this story probably didn’t show up on your radar. In the small town of Wamego, Kan., folks, including your friendly cybersecurity-geek author, were going about the business of their daily lives, purchasing goods and services from local merchants using debit and credit cards as they normally do. Suddenly, these good citizens, including me, woke up to discover transactions on their accounts had occurred in faraway cities – transactions they did not make or authorize, in cities they were not in. As this case is still under investigation by multiple law enforcement agencies, I am going to avoid divulging much detail about the breach or method of attack, but suffice it to say many people in several local communities were adversely affected. Regardless of the amounts of money stolen, those victimized have been left feeling violated and far less trusting of our neighbors. Allow me to express my gratitude and admiration for the law enforcement agents working with me and the others. These public servants have been sympathetic, patient, and diligent in their collection of evidence and pursuit of the criminals. Well done!

As stated earlier, I cannot reveal significant detail about this incident, but I can offer advice to protect yourself and how to respond to such event.

  • Check your account statements at least once a week.
    •  While this may sound overly paranoid, there are several reasons to make frequent account reviews part of your routine. By law, the quicker you report an improper or unauthorized transaction on debit or credit card accounts, the less money you are required to forfeit. Credit cards are regulated in part under the Fair Credit Billing Act (FCBA) and cap the consumer’s liability to $50. Debit cards, on the other hand, are subject to the Electronic Fund Transfer Act (EFTA) have a matrix of liability:
If You Report: Maximum Loss:
Prior to unauthorized charges are made $0
Within 2 business days after you learn of the loss or theft $50
More than 2 business days after you learn of the loss or theft, but less than 60 calendar days after your statement was sent to you $500
More than 60 calendar days after your statement was sent to you The entire amount of the transaction, plus any transaction fees that might be due

Site: (Federal Trade Commission – Lost or Stolen Credit, ATM, and Debit Cards)

  • Keep your transaction limit on cards as low as you can. This is essential for a few reasons:
    • Debit and ATM cards are directly connected to your bank account, sort of like a plastic version of a check, but much faster. Once a transaction is made, that change happens immediately to your account.
    • If your card and PIN number have both been compromised, it may not trigger alerts because the transactions appear to be legitimate. The burden of proof will rest on you and those funds may or may not be available to you until the matter is resolved.
    • While your liability may be legally limited for a lost or stolen card, the answer isn’t as clear when both card and PIN number have been compromised. You may be liable for the entire amount if you have insufficient proof.
  • Use the chip on your cards whenever possible. Credit and debit cards have used magnetic stripes on the back of the card for years which is well-known and easy to compromise.
    • Skimmers are a physical hacking device placed on card readers specifically to read and steal the data encoded in a magnetic stripe.
    • magnetic stripe card can be easily duplicated once the data has been captured.
    • Chips on the cards are encrypted; the magnetic stripe is not.
    • The data in the chip on the cards changes constantly, making them extremely difficult to skim and nearly impossible to duplicate.
  • As silly and outdated as it may seem, keep your receipts! (P.S. There’s an app for that. More to come in a future blog.) Physical or electronically reproducible copies will help you:
    • Quickly and easily reconcile your accounts.
    • Provide evidence of locations, dates, and transaction history.
    • Stay compliant with best accounting practices and the law (if the expenses are for a business).
  • Notify authorities immediately!
    • If you find a skimmer on a gas pump or other card reader, contact the police and stay on-site until they arrive. If you find unauthorized transactions on an account, notify the card issuer(s) and contact law enforcement, both in the jurisdiction where you live and where the unauthorized transaction took place.

In an electronic, digitally connected world, it is inevitable you will be a victim at some point. Make sure you have developed good habits for using credit or debit cards, minimized your exposure, and kept a good paper trail.

And to the deputy who is assigned to my case, I owe you a cup of coffee…or two!

Defense in Depth – A Primer

By: Jerry Horton, Technology Director

“Defense in depth,” what exactly does this mean? Is it a new cheat code for Fortnite? A military strategy developed for action movies? An advertising buzzword phrase to entice you into spending more money?

The answer is far simpler and less sinister. Simply put, defense in depth is a security engineering concept used when designing systems, whether the system is computer-based or physical. The idea is identifying the most likely weaknesses and attack points and then build protections around them. A great way to think of a system built with defense in depth is to envision a medieval castle.

As you look at the picture to the top right*, you see several features that protect the occupants and fend off invaders. The round towers provide a 360° view to all approaches. The barbican (that’s the gate out in front of the moat) give the defenders a location to identify and repel attackers before they can reach the castle. The moat and the drawbridges control access to the castle and separate it from the surrounding countryside. The battlements (the top part of the surrounding wall) provide troops with a sure and solid footing to maintain a defense without exposing themselves to danger. These features, together with several others, provided King Jerry and his adoring subjects with defense in depth – an attack on any one part of the castle would not endanger the whole.

Modern networks are like a medieval city; far too many points of possible attack to be defended by a single system. The days of making sure you’ve updated your anti-virus and calling it good are long gone. Today, you have to consider viruses, phishing, denial-of-service, social engineering, mobile devices, cloud computing…the list goes on and on! To begin building your castle defenses, here are a few suggestions:

  1. Identify what you need to protect
    Your first task is to figure out what you’ve got, where it’s at, and who uses it. This sounds like an oversimplification, but the truth is you will not understand what defenses to build until you know what you’re trying to defend! You have computers and probably a server, but that is only the beginning. Do you have a wireless network? Mobile phones and tablets? Do you use cloud-based services, like Office 365? These systems house part of your data and have their own unique security needs.
  2. Protect against the most common threats
    In the Middle Ages, kingdoms had to worry about roving groups of bandits, contentious neighbors, and international kingdoms who wanted to acquire resources. History is repeating itself: cybercriminals are in a perpetual state of war to get your data and resources using malware, social engineering, and brute force. Build your basic castle walls with anti-malware on every device, including servers and mobile devices, a business-grade firewall, and a well-designed backup as your castle keep when the outer walls fail. Other protections include enforcing strong password discipline, requiring secure VPN access to your network from mobile devices, and educating your staff on cybersecurity.
  3. Detect threats before they become a problem
    Just as a medieval castle wasn’t simply a wall and a locked gate, you can’t rely on simple protective measures to keep your data secure. Castles had lookouts and patrols to help defend the kingdom. Fortunately, you don’t have to employ knights and provide for their horses! Deploy a secure business-grade wireless network, unified threat detection on your business-grade firewall, implement advanced endpoint protection on your computers and servers, use a robust email security service to reduce or eliminate phishing attempts, and perform regular security reviews. If your business has requirements to comply with regulations, you will want to consider even more stringent security policies and measures, including a Security Information and Event Manager (“SIEM”) and possibly Mobile Information Management.

The royalty of the Middle Ages knew their world was dangerous and that doing one or two things were not ample to keep their kingdoms safe. They built complex systems of defense to avoid disaster. Likewise, our digital kingdoms are at risk and should require a similar level of diligence. For more information on how to become Sir Lancelot for your organization, contact our legion of security knights at Networks Plus!

*Castle Features – https://www.tes.com/lessons/HXqtwMKFUnRWcA/copy-of-identifying-the-featu…

What is BEC & How to Protect Yourself From It

By: Jerry Horton, Technology Director

I recently read an article about a company that lost $21 million to cybercriminals. This headline may make you envision a basement filled with bad guys in hoodies hammering away at keyboards; or perhaps Tom Cruise descending on a bungee cord to extract records from a high security mainframe. However, the truth is far less glamorous and much more frightening. The theft of these funds was committed in increments with the willing, but unknowing, participation of the company’s CFO and a Managing Director – simply because they were completely fooled by a cybercriminal posing as the CEO.

Anatomy of a Business Email Compromise
In his Nov. 10 blogpost, Stu Sjouwermann of KnowBe4, Inc. (Networks Plus’ partner for security awareness and training), gave the following synopsis of the cybercrime:

“Thursday, Mar. 8, the [Managing Director] of a Dutch movie chain gets an email from the CEO of their holding company: “Did KPMG already call you?” The email was sent from a smartphone. The MD forwards the email to their CFO, but both are puzzled. They decide to email back and ask what the issue is.

The answer is a classic CEO Fraud tactic: “We are in a confidential M&A process with a foreign company in Dubai, and any communications can only be done using the personal email address of the CEO. Please transfer the first 900K and this money will be transferred back to you at the end of the month.”

An email thread ensues where the MD wants to make sure that the transaction is legit. “No worries”, confirms the holding company CEO. Please transfer the first 10% of the acquisition.

Tuesday, Mar. 13 the second transfer gets made: $2.5 million. The two execs wonder what is going on, but decide to comply with the CEO’s orders. More transfer requests follow, for higher amounts. Tuesday, Mar. 27 the “last payment” gets made. A total of $21 million dollars has been transferred over two weeks, and they get assured: “Yes, we’ll now transfer this money back right away”. That was the last thing they heard.

Finally, the HQ wakes up, grabs the phone, and asks about the transfers: “What is going on? What was the money used for?” The penny drops. The two execs have fallen for a CEO Fraud scam…”[i]

Business email compromise or ‘BEC’ is absolutely rampant. The FBI reports that BEC scams have cost businesses $5.3 billion from 2013-16. Trend Micro predicts losses will exceed $9 billion by the end of 2018. How can you avoid being a victim?

BEC – Avoiding the disaster
BEC is a simple tactic using social engineering and phishing to draw out the potential victim. Email addresses are, by their nature, somewhat exposed. Clearly, the CFO and Managing Director in the story above made an error and then further compounded their mistake by not following the two most basic rules of cybersecurity:

STOP. LOOK. THINK.
TRUST NOTHING. VERIFY EVERYTHING.

What do you need to look for?
Here are a few dead giveaways:

  • The domain doesn’t match. It is an old cybercriminal trick to use domains that look correct at first glance but are fake. Examples: fred@conpany.com instead of fred@company.com.
  • The “Reply To” address doesn’t match the “From” address. It is even common for the “From” address to be incorrect – the cybercriminal only changed the displayed name.
  • The message contains an urgent or confidential call to action. If you read the content of the message closely, the urgency contains little to no justification for the request being made.
  • Payments requested for unusual amounts to routing numbers or accounts that are unfamiliar, or even wire transfers to foreign accounts.
  • Requests for payment at the end of the day, before weekends or holidays.
  • The email contains an unrequested attachment. Never open an attachment without verifying first!

If you looked, but are not still not certain, verification is of the utmost importance. If you suspect BEC, you don’t want to reply to the email, so speaking directly to the requestor is the best method to verify the request. If that is not possible, verify the request via a valid email address.

It has been said that building a good offense yields the best defense. While a traditional offensive against cybercriminals is impractical, there are some practices that you can proactively adopt to minimize or prevent BEC.

  1. Implement a company-wide security education program. The value of this cannot be understated! Most BEC attacks do not use any technical exploits – just old-fashioned human hacking through social engineering. Education is key to identification, detection, and prevention of BEC and other social engineering attacks.
  2. Implement an identity management platform with multifactor authentication.
  3. Create or tighten policies for payments or wire transfers, including a standard time delay, verification by voice, and two-person controls (also known as the two-man rule).

In the modern internet marketplace, cybercriminals are pickpockets preying upon the unsuspecting; however, with education, practical measures, and vigilance, you can help your company avoid becoming a victim.

If you’re interested in a company-wide security education program, contact me. I’d be happy to educate you and your staff on this very important issue.

[i] https://blog.knowbe4.com/heads-up-fired-two-c-level-execs-who-fall-victi…

How to Stay Safe Black Friday & Cyber Monday Shopping

By: Katy Schoening, IT Technician

The holiday shopping season is officially upon us! If you’re anything like me, you’d rather sit in the comfort of your own home, sipping coffee in your jammies, and shop online rather than battle the masses at the mall or outlet stores. So, in interest of keeping you safe from cyber criminals, here are three tips to keep your personal information and finances protected while you hunt down that perfect gift for all your loved ones! (Or for that one weird Uncle Paul whom you haven’t seen in years, but your Mom guilt trips you into buying him something because “he’s still family”).

  1. Cyber Criminals commonly use crazy-low merchandise prices on their websites to lure in their victims. As the saying goes, “if it seems too good to be true, it probably is.” So, keep an eye out and avoid those types of websites. Try to stick with websites you are familiar with.
  2. During the purchasing process, check the website address and make sure it’s using HTTPS (Hyper Text Transfer Protocol Secure). If not, it’s a good idea to CTRL+ALT+DEL and abort mission before you hit that confirmation button. It is ALWAYS best to purchase from a secure website to better protect yourself.
  3. If you do happen to be out and about, maybe to grab another cup of coffee, it’s best NOT to use public WiFi for online purchases or checking bank account information. It tends to be a prime target for hackers and as the technology world advances, so do cyber criminals.

Holiday shopping is always fun. However, one wrong cyber-step can really throw a wrench into your Christmas spirit, so please be safe and shop smart!

*NOTE: Please don’t forget to shop local first! Many of your favorite local stores also have an online presence and when dollars stay local, we all win! And remember – Saturday, November 24th is Small Business Saturday. Please plan to support your local businesses!

Top 11 Tips on Protecting Yourself Online

By: Jerry Horton, Technology Director

Passwords…we can’t live without them, but living with them gets harder every day. We need a password for everything; computers, smartphones, Wi-Fi networks, smart TVs, smartwatches, email, social media, online banking, shopping sites, utilities…the list is enormous and growing at a mind-boggling rate. Each password creates another opportunity for cybercriminals to access your information.

The modern world has become an always-connected, three-ring circus with scary clowns attempting to steal everything we are, and everything we own, because the common password is our first, and sometimes only, line of defense.

How can we protect ourselves and manage better passwords without losing our minds?

  1. Change default credentials: Wi-Fi routers, smart appliances, smart TVs, smart home technology, and wearable technology have cloud connection, and each have a default username and password. As soon as you unbox and power up, set up new credentials and disable the default ones.
  2. Use strong passphrases: Passwords can be difficult to remember, especially if they are created for maximum strength. Passphrases are easier to memorize and stronger than a password if you follow these rules.
    • Choose a phrase that has at least 25 characters. For example, “I’m dreaming of a White Christmas” is 33 characters long, including spaces. With a few simple substitutions, “I~m_Dr3@minGuv4wHite{hris+Mas” you meet the password requirements and have a “password” you can remember! Note: this is an example. Avoid popular song lyrics or other phrases that might be easily guessed.
    • Use at least five words in your passphrase. Remember a passphrase doesn’t need to be grammatically correct or even make sense, it just has to be easy to remember. A passphrase such as, “black terrier angry haikus loudly” is a good example.
    • Use simple substitutions or transpositions with upper case letters, punctuation marks, and numbers to satisfy website requirements.
    • Don’t use common names or dates, such as a family member, pet, birthday or anniversary. This information is too easily obtained.
  3. Use different credentials for work and home: Keep your work and personal accounts separate in every way, including passwords or passphrases.
  4. Ensure you have different passphrases for each account: Many websites use your email as your username, so make sure you have different passphrases for each account, especially financial or online shopping.
  5. Don’t allow a website to log you in using Facebook or Google: A cybercriminal would only have to compromise one set of credentials to steal your information or assume your identity on several websites.
  6. Change your passphrases regularly: It has been said passwords are like a toothbrush – don’t share it with anyone and it replace it every six months. Unlike a toothbrush, passwords wear out faster, so change them every 90 days.
  7. Don’t share your passwords or passphrases: The IT folks at work can change your password if they need to login as you, but no one else should have access to it.
  8. Don’t save credentials to your browser: While this is convenient, the browser stores the credentials in a well-known location in an easily readable format. Instead…
  9. Use a strong password manager: Even using passphrases, the number of credentials we need to manage becomes overwhelming. A good password manager, such as LastPassDashlane or 1Password, is cost-effective, stores credentials securely, and will allow you to set up a recovery account for your spouse, or other trusted individuals, in case of emergency.
  10. Use multifactor authentication: Most reputable websites offer this as a code sent via text after you enter your password. While this doesn’t make passwords simpler, it does increase the security of your online presence, making your passwords a less attractive target.
  11. Stay informed: Target, Home Depot, Equifax, and Facebook suffered major security breaches within the last two years. The faster you change your passwords following such an incident, the less likely you would be exposed to further issues.

Being a citizen of the online community has many positive benefits, so keep yourself safe. Practice the steps above and your travels on the Information Superhighway will avoid those potholes!

Get a free assessment

Your custom cybersecurity check up identifies where you’re secure, and where you’re not. Fill out the information below to schedule a FREE network and cybersecurity consultation with one of our local IT Business Consultants. There are no obligations, and you will walk away with information on how you compare to today’s IT and cybersecurity best practices.