A division of Blue Valley Technologies

Networks Plus

Blogs

Find the latest news and information here.

Why Small Businesses are at Risk of Cyberattack

By: Jake Schulte, IT Manager

Small business owners are busy. They’re pros at wearing multiple hats at the same time and making it look good. While doing what they do best, often there’s not a lot of time for thinking about threats from the web.

Cybercriminals know this.

Additionally, many small business owners aren’t aware of the threats that exist, nor how those threats could cripple or shut down their business. Since they don’t know, keeping the electronic assets they depend on for the success of their business secure from cyber threats is left out of the budget.

Cybercriminals know this too and take advantage.

Since you can’t prepare for a risk you don’t know exists, here’s a breakdown of how cybercriminals find success targeting small businesses.

Criminals cast a net

Small business owners may assume they’re too small to be specifically targeted for attack. In some ways they’re right. Instead of targeting one small business, cybercriminals target millions by casting a wide net with scores of automated phishing emails.

Criminals know the vast majority of recipients will not fall prey, but they also know a small percentage will fall for it, and they can target those who do.

The net brings targets

Automated phishing nets a new set of targets the criminals know are vulnerable to hacking. Cybercriminals use this new information to escalate their targeting with more personalized efforts, known as spear phishing.

This type of attack could consist of emails that use the names of people in the organization. Recognizing the name as familiar, the spear-phishing target opens the file attachment, unleashing harmful malware designed to gather information from the computer.

The malware could install a keylogger to track and report every keystroke made by the user, exposing passwords and other sensitive info. Or the malware could take the form of ransomware, holding vital information hostage for payment.

Other nefarious possibilities from successful spear phishing are equally alarming.

It’s a widely used tactic. About 95% of all attacks on small businesses are the result of successful spear phishing.

Efficiency can make small businesses vulnerable

We hate to say it, but security and efficiency are often polar opposites. The drive to accomplish more in less time can create security holes.

For example, it may be efficient for memory’s sake to use the same password across multiple logins and accounts, but that puts each of those accounts and your entire system at risk. It may be convenient to keep the same login credentials for years on end, but that also increases security risk.

The solution for these risks is following security best practices with multiple layers of protection to guard against vulnerabilities.

Multi-layered security is the answer

A comprehensive security portfolio has multiple layers of protection to defend the business from all sides. From the outside in, here’s what might be included:

  • Firewall
  • Server and computer protection
  • Best practice security policies
  • Specific actions that protect systems
  • Educated users

The reality is, every business is at risk from cybercrime. There’s no doubt technology improves business function, but it’s a tool that has to be protected and maintained.

At Networks Plus, we offer every layer of protection small businesses need to stay safe. Get in touch to keep your data–and your livelihood–secure.

Breaking Down a Breach
What Happened & How to React

By: Jerry Horton, IT Director

Hello and welcome to the first in the Breaking Down a Breach series!

In this part of the newsletter, we select a breach or cyberattack that has been in the news, analyze the information that is publicly available, and offer some recommendations for protecting your network against similar attacks. We will be looking at these attacks based on the five “P’s” of cyberattacks:

  • Probe: This is the cybercriminal’s reconnaissance of the target. A surprising amount of information about any organization or individual is freely and publicly available.
  • Penetrate: Once an attacker has completed their surveillance, they will choose one or more methods of gaining unauthorized access.
  • Persist: Some cybercriminals are of the ‘snatch and grab’ school – they launch some sort of attack against a wide variety of users and organizations, a small percentage get infected, and the criminals take the quick payday. However, persistence is the Holy Grail of cybercriminal activity. This is where real cybercriminals who have an agenda shine – they want to stick around and hide in the corners because you may have more than one thing of value. More importantly, they don’t want to leave enough traces of their penetration for you to find, meaning that they can be in your system for years (as they did in the Starwood Hotel breach) [1].
  • Pivot: This is one of the goals of persistence; attackers poke around, see if they can get into other systems besides the one already compromised, see if they can elevate their privileges, and then really go to town deciding how much and what to steal.
  • Pilfer: The ultimate end goal – take what they can and sell it or use it for another attack, whether that is on the same company or a totally different one.

Our goal in this series is to uncover what happened, how it was accomplished, and what you can do with your environment to help protect yourself. Remember that there is no one ‘silver bullet’ for security! Rather, you have to build your technical measures in depth [2] and, most importantly, develop a culture of security. There is no such thing as ‘My company is too small/large/unusual/whatever to be a target’. The cybercriminals know that you have something of value and will do whatever they can to get their hands on it.

Let’s kick this series off with one of the most famous breaches in recent memory – the Target breach of 2013. Your humble author and his lovely wife both had their debit and credit cards exposed during this debacle; fortunately, to no ill effect other than having to have new cards issued.

What happened: Cybercriminals did extensive probing to find a route into the Target network. Once a successful intrusion was accomplished, the criminals determined what vulnerabilities were available to exploit and, through a series of small attacks and elevations, were able to gain access to the Point of Sale (“POS”) system. Once firmly entrenched in this system, the criminals pilfered records, estimated at well over 40 million credit and debit card transactions, which were then put up for sale on the dark web (a hidden internet largely used for illegal activities). According to a Huffington Post article in 2015 [3], the estimated cost to address this breach had exceeded $252 million and the loss in profit, stock value, and public trust required years to repair.

How it happened: While the extent of the reconnaissance cannot be fully known without interrogating one of the cybercriminals, what is known is that much information was easily accessible from simple internet searches. The Target Supplier Portal listed all of the vendors used by Target, giving the cybercriminals a nearly effortless group of initial targets.

The criminals, using social engineering and phishing techniques, compromised computers at Fazio Mechanical, an HVAC vendor for Target. As a part of this compromise, they were able to harvest Fazio’s credentials into the Target network. The criminals then logged into and compromised the Target vendor network.

Once into the Target network with credentials that were legitimate, it was a matter of scanning for vulnerabilities and exploiting them to move laterally and elevate their privileges. This portion of the attack is still not entirely known, but it is suspected that a common attack against web-enabled databases known as SQL injection was used to gain access to other systems, including the POS system. The attackers had now hit the motherlode, setting up a ‘skimming’ type of program which copied the transactions into a file on a ‘dump’ site which had been set up on a server with internet access (the POS system, by design, does not have direct internet access). They exfiltrated the files by disguising the outbound file transfer as an innocuous type of traffic.

What you can do to protect your company: Because of the complexity of the breach and the sophistication of the attack, there are a number of lessons to learn from the Target breach. Many of the vulnerabilities the attackers exploited have simple solutions, while others require technical and procedural fixes that are more stringent.

  1. Be cautious of the information you post publicly: The Target Supplier Portal was easy to find using a simple Google search. The Portal was a rich source of information that required no security whatsoever to access. [4] Networks Plus recommends that you limit the information you post to your website or social media accounts, including email addresses and process documentation.
  2. Secure remote access: Any remote access to internal systems should require Virtual Private Network (“VPN”) connectivity and multi-factor authentication, at a minimum. The initial breach of the Target systems would have been nearly impossible had multi-factor authentication been required. Even with these extra measures, any direct access to internal systems should be severely limited using the principle of least privilege.
  3. Advanced endpoint protection: A simple anti-malware package is just not enough to protect against modern cyber threats. The majority of attacks launched during the Target breach could have been stopped very quickly if each of the computers involved had used advanced endpoint protection which monitors and reacts to any unusual activity. Taking this concept a bit further, network monitoring with intrusion detection and prevention would have gone a long way to stopping this breach dead in its tracks.
  4. Supply Chain management: While you cannot control what your vendors do with their networks, you can and should exert your influence. Develop a minimum security standard which you require of your vendors. This is not foolproof, by any means, but does help both your company and the vendors to build a strong, secure relationship.
  5. Security maintenance: Configure any system access using the principle of least privilege – only assign the minimum rights and privileges required to perform the job. Use lengthy passphrases [5] (14 characters, minimum) and multi-factor authentication where possible. Make sure to remove or disable unused or orphan accounts, not just on your internal network, but with any external source as well. Those old online accounts may have been compromised and provide a potential attack vector.
  6. Education: The Target breach all started with a phishing attack; not entirely surprising since 95% of attacks begin with a phishing email. [6] Make sure that you are training your entire company, including yourself, on security threats. Couple your training program with periodic tests to make sure that the lessons are being learned.

At Networks Plus, cybersecurity is our focus. We want to ensure that your company can prevent and recover from cyberattacks. Contact a member of our Business Consulting team to discuss how our products and services can help you build a strong and resilient network for your business.

EOL for Windows 7

End of Life for Windows 7 & Server 2008
What Does It Mean??

By: Paul Facey, Advanced Technician

It’s the end of the road for Windows 7 and Server 2008 platforms. Starting January 14, 2020, Microsoft will no longer support updates, security patches, or development of these systems.

Though that means no more disruptive notifications telling you to install the update and restart your computer, it also means security problems discovered after that date will not be fixed by Microsoft.

In effect, any newly discovered security holes could be exploited by hackers for criminal purposes. There’s no telling what they might do, but possibilities include gaining control of your computer and modifying it for their own purposes, installing software to monitor keystrokes, using it to launch malware or DoS (denial of service) attacks against other systems, or just about anything else.

End of life also means there could be compatibility problems installing new software. Over time, the system will slow because it won’t have new drivers to make it function its best. Without system updates, anti-virus protection will quickly become out of date, unable to identify new threats.

The single best solution for addressing this problem and keeping your system secure is installing Windows 10 or the latest version of Microsoft server, whichever suits the need. As fully supported platforms, these operating systems will continue to be secure for a long time.

Though it may be cost-prohibitive for businesses with many systems to upgrade all at once, we recommend using a phased approach to get started as soon as possible. Keep in mind that not all computers running Windows 7 have the capability to support Windows 10. The best investment may be to upgrade the entire computer and get the new hardware and warranty that come with it. If you’re not sure about your best option, we can help you identify the most cost-effective solution.

If there’s a reason you haven’t updated already, such as using legacy software that’s not supported by newer versions of Windows, the prospect of updating may be more challenging.

There are options though. You can purchase Extended Security Updates (ESUs) from Microsoft. The downside of this solution is it will only be available through 2023, and the price will double every year. The ESUs have to be purchased on a per-device basis starting at $25 the first year.

If your business is uniquely reliant on Windows 7, we can help identify customized options using third-party software and anti-virus.

A final note on updates in general. Though they often pop up at inconvenient times, they don’t have to drain your productivity. At Networks Plus, scheduling updates for nights or weekends, or whenever is convenient for you, is one of the many benefits of our managed service product. Give us a call if you want to know more about how we can help!

All I Want for Christmas is…

By: Jerry Horton, IT Director

Autumn is here! Days are filled with harvest, canning, and the warmth of family Thanksgiving traditions. As we celebrate the bounties of our work during the fall, thoughts begin to turn to winter and the excitement of holiday giving. So, what in the world do you get that special person in your life? They already have all of the ties, mittens, and ugly Christmas sweaters they can possibly use; no one likes fruitcake; and those golf clubs may be on sale, but wrapping a golf club is like folding a fitted sheet!

Not to worry, friends, your techno-geek of all trades is here to help with suggestions sure to satisfy the techies, and even the not-so-techies, in your life.

Reading Material

I opted to avoid calling this one ‘books’ because A) I’ve found that certain online magazines are well worth the time and B) ‘Reading Material’ just sounds more techie…

  • How To by Randall Munroe: There is a famous techie cartoon strip named XKCD which is filled with stick figures, math, physics, and humor. The author of this strip, Randall Munroe, has also written books which are both educational and delightful. His latest is certainly no different – absolutely impractical scientific solutions to (mostly) everyday problems. Buy it from Amazon
  • ‘Ten Arguments For Deleting Your Social Media Accounts Right Now’ by Jaron Lanier: Do you have a friend or loved one who just can’t seem to pull themselves away from some social media, webpage or app? Jaron Lanier, a virtual reality guru, gives some solid and timely advice against social media in his book. Get it from Walmart
  • Magazines & Webzines: Want to keep up on the latest in science and technology? Discover and Wired magazines are great choices to stay informed. Both have traditional print as well as webzines.

Smart Stuff

Yes, you are correct: smart stuff is a pretty vague category. One of the biggest problems is that a lot of products are marketed as ‘smart’ without a clear definition of what that actually means. For our purposes, we will say that something is ‘smart’ if it can connect, collect, and share information with other devices and the user.

  • Smartwatches: Smartwatches seem to be everywhere and made by everyone, so how in the heck can you choose one?
    • Make sure that you are shopping for a smartwatch that will connect to the correct phone! Apple watches will only work with the iPhone, but some smartwatches running Google’s Wear OS will work with both Android and iPhone.
    • Make sure the watch supports features that are important to you. FitBit is great for helping you keep up with your exercise regimen, but won’t support your Apple Music playlists.
    • Check the specifications so you can get the watch with the right battery life and water resistance for you, as well as swappable bands and clasps. A smartwatch has to be practical and fashionable! Find your smartwatch from BestBuy.

Smart Home Devices

At this point, it would be difficult to find someone who hasn’t heard of a smart home device. I’ve even seen a ‘smart’ dog treat dispenser… Rather than adopt a technology just because it is fun or creative, let’s stick with the ones that are easy to install, use, and have some practical value.

  • Thermostats: The most practical smart home devices are ones that can help you save money. Smart thermostats are the next evolution in energy control, replacing the clunky and temperamental programmable thermostats of a few years ago. Nest, Ecobee, and Honeywell are top-rated choices with proven energy savings.
  • Smart locks: Another very practical smart home device which can actually save you a lot of time and trouble. No need to pass out and keep track of physical keys – just give access to the folks who need it, even on a temporary basis. My favorite is the August Lock Pro, which retrofits onto any existing deadbolt, but Yale, Kwikset, and Schlage all have great models, too.
  • Smart Speakers/Home hub: Now, I am a music lover, so smart speakers are right up my alley, but they can also do so much more – local news and weather, daily devotionals, games, and even working as an intercom. There are far too many manufacturers and products to list them all, but here are a few to get you started: Amazon Echo, Sonos One, and the Apple HomePod are all great choices. If you plan to build home automation routines, you will need to make sure you have a home hub for all of those devices to communicate. Fortunately, the Amazon Echo, Google Home, and the Apple HomePod have this feature built in. If you want some more information, or would like to see home automation in action, contact us and tour our Smart Home demo!

Smart Clothing

Yes, you read that correctly; there is such a thing as smart clothing. Most of the products are centered around exercise gear, but there are some interesting (if a little bizarre) items that might fill a need.

  • Smart Jeans: As odd as it may sound, your pants will know where you are even if you don’t. They have built-in geolocation and alert sensors which connect to your smart phone to help you navigate in urban areas. Sorry, guys, these are for the lovely ladies.
  • Smart Jackets: Same concept as the smart jeans. Google does it again. Take a look here.
  • Smart Socks: Before you roll your eyes and wonder what the world is coming to, the smart socks I am listing here actually have a practical purpose. First is the Owlet, a smart sock for babies. It monitors heart rate, oxygen level, and sleep cycles. Next is the Siren, a smart sock designed to help diabetic patients take better care of their feet. Both of these are great examples of the amazing healthcare potential of smart wearables!

Techie Miscellaneous Gifts

Sometimes, a gift doesn’t need batteries or WiFi to be fun, practical, or just that thing to finish out your collection. Here are some things for the nerdier set…

  • Can’t find the key you are looking for on the ring? Or just can’t find your keyring because you set it down and walked away? Keysmart Pro is your solution! This product is something like a do-it-yourself ‘swiss army’ key organizer with a Tile™ locator built in, so now you can find the right key after you find your keyring!
  • Ok, I freely admit these two products remind me of late-night TV infomercials (I can almost hear the dulcet tones of Billy Mays extolling the virtues of these…), but I can see some practical value in them. Fair warning – I make no claim that these are good products, just that they are interesting, so buy these products at your own risk!
    • VIZR turns your smartphone into a heads-up display. To me, this has some real practical value while using navigation apps and driving. I’m surprised some smartphone manufacturer hasn’t done this yet.
    • Peeps claims that this is the same tech used by NASA on the space station (for what exactly, I don’t really know, and they don’t say). From a practical engineering standpoint, using forceps (AKA tweezers) to clean glasses makes some good sense, as do carbon microfiber cloth cleaning pads.
  • Need some new kicks? Concerned about the environment? Rothy’s has the answer to both! This company makes their footwear by using a type of 3D printing to weave the shoes out of recycled water bottles. Stylish and environmentally friendly!
  • This gadget is tailor-made for me, your humble tech-head (ok, maybe humble is a little inaccurate…) Finally, someone took the time and trouble to invent a temperature-regulating coffee mug! Ember makes smart coffee and travel mugs, which use a mobile app to keep your beverage at just the right temperature and even track your caffeine intake.
  • It’s no secret – I detest the cold. It seems I can never keep my hands or feet warm enough. If you are like me, try these products:
    • Human Creations makes a series of battery handwarmers with extra functions like charging your smartphone and a flashlight.
    • Bombas makes great socks! They make a variety of them, including merino wool for colder weather, and they donate a pair for every pair sold. Keep your feet and soul warm!
  • Just can’t find that unique gift for the geek in your life? ThinkGeek has you covered! This webstore has been around for quite a few years but has recently joined forces with Amazon to house the webstore and Gamestop for good, old-fashioned brick-and-mortar stores. They have a little of everything from Star Trek pizza cutters (shaped like the Enterprise) and Star Wars cookie cutters to collectibles and clothing.

Hopefully, you will find this gift guide either helpful in your holiday shopping rush or just plain fun, because I sure had some fun researching and writing it! From all of us here at Blue Valley Technologies and Networks Plus, we wish you the best of holiday warmth, kindness, and cheer!

Even Cybersecurity Guys Lose the Battle from Time to Time

By: Jerry Horton, Technology Director

Financial fraud and identity theft are like the Hydra of ancient myth: if you cut off one head, two grow in its place. Target, Home Depot, and even Equifax have had breaches which exposed millions of customers to financial fraud. Having made purchases from both Target and Home Depot during the time of the exposures, I had to deal with the inconvenience of contacting my banks and card companies to disable my cards and get new ones issued. Even though folks nationwide experienced financial fraud as a result of these breaches, the total effect was relatively limited, given the scope of the breaches. Both the forthrightness of the companies involved and national media coverage of the breaches helped to keep the damages low and ensured those affected had ample opportunity to react. As alarming as the large, well-publicized events can be, they unfortunately do not give a complete picture of the full threat facing the consumer and can even lull people into believing that such things happen ‘somewhere else, but not in our small town’.

Unless you are from the Northeast Kansas region, this story probably didn’t show up on your radar. In the small town of Wamego, Kan., folks, including your friendly cybersecurity-geek author, were going about the business of their daily lives, purchasing goods and services from local merchants using debit and credit cards as they normally do. Suddenly, these good citizens, including me, woke up to discover transactions on their accounts had occurred in faraway cities – transactions they did not make or authorize, in cities they were not in. As this case is still under investigation by multiple law enforcement agencies, I am going to avoid divulging much detail about the breach or method of attack, but suffice it to say many people in several local communities were adversely affected. Regardless of the amounts of money stolen, those victimized have been left feeling violated and far less trusting of our neighbors. Allow me to express my gratitude and admiration for the law enforcement agents working with me and the others. These public servants have been sympathetic, patient, and diligent in their collection of evidence and pursuit of the criminals. Well done!

As stated earlier, I cannot reveal significant detail about this incident, but I can offer advice on how to protect yourself and how to respond to such an event.

  • Check your account statements at least once a week.
    • While this may sound overly paranoid, there are several reasons to make frequent account reviews part of your routine. By law, the quicker you report an improper or unauthorized transaction on debit or credit card accounts, the less money you are required to forfeit. Credit cards are regulated in part under the Fair Credit Billing Act (FCBA), which caps the consumer’s liability at $50. Debit cards, on the other hand, are subject to the Electronic Fund Transfer Act (EFTA) and have a matrix of liability:

| If You Report: | Maximum Loss: |
| --- | --- |
| Before any unauthorized charges are made | $0 |
| Within 2 business days after you learn of the loss or theft | $50 |
| More than 2 business days after you learn of the loss or theft, but less than 60 calendar days after your statement was sent to you | $500 |
| More than 60 calendar days after your statement was sent to you | The entire amount of the transaction, plus any transaction fees that might be due |

Source: Federal Trade Commission – Lost or Stolen Credit, ATM, and Debit Cards

  • Keep your transaction limit on cards as low as you can. This is essential for a few reasons:
    • Debit and ATM cards are directly connected to your bank account, sort of like a plastic version of a check, but much faster. Once a transaction is made, that change happens immediately to your account.
    • If your card and PIN number have both been compromised, it may not trigger alerts because the transactions appear to be legitimate. The burden of proof will rest on you and those funds may or may not be available to you until the matter is resolved.
    • While your liability may be legally limited for a lost or stolen card, the answer isn’t as clear when both card and PIN number have been compromised. You may be liable for the entire amount if you have insufficient proof.
  • Use the chip on your cards whenever possible. Credit and debit cards have used magnetic stripes on the back of the card for years, a technology that is well known and easy to compromise.
    • Skimmers are physical hacking devices placed on card readers specifically to read and steal the data encoded in a magnetic stripe.
    • A magnetic stripe card can be easily duplicated once the data has been captured.
    • Chips on the cards are encrypted; the magnetic stripe is not.
    • The data in the chip on the cards changes constantly, making them extremely difficult to skim and nearly impossible to duplicate.
  • As silly and outdated as it may seem, keep your receipts! (P.S. There’s an app for that. More to come in a future blog.) Physical or electronically reproducible copies will help you:
    • Quickly and easily reconcile your accounts.
    • Provide evidence of locations, dates, and transaction history.
    • Stay compliant with best accounting practices and the law (if the expenses are for a business).
  • Notify authorities immediately!
    • If you find a skimmer on a gas pump or other card reader, contact the police and stay on-site until they arrive. If you find unauthorized transactions on an account, notify the card issuer(s) and contact law enforcement, both in the jurisdiction where you live and where the unauthorized transaction took place.

In an electronic, digitally connected world, it is inevitable you will be a victim at some point. Make sure you have developed good habits for using credit or debit cards, minimized your exposure, and kept a good paper trail.

And to the deputy who is assigned to my case, I owe you a cup of coffee…or two!

Defense in Depth – A Primer

By: Jerry Horton, Technology Director

“Defense in depth,” what exactly does this mean? Is it a new cheat code for Fortnite? A military strategy developed for action movies? An advertising buzzword phrase to entice you into spending more money?

The answer is far simpler and less sinister. Simply put, defense in depth is a security engineering concept used when designing systems, whether the system is computer-based or physical. The idea is to identify the most likely weaknesses and attack points and then build protections around them. A great way to think of a system built with defense in depth is to envision a medieval castle.

As you look at the picture to the top right*, you see several features that protect the occupants and fend off invaders. The round towers provide a 360° view of all approaches. The barbican (that’s the gate out in front of the moat) gives the defenders a location to identify and repel attackers before they can reach the castle. The moat and the drawbridges control access to the castle and separate it from the surrounding countryside. The battlements (the top part of the surrounding wall) provide troops with a sure and solid footing to maintain a defense without exposing themselves to danger. These features, together with several others, provided King Jerry and his adoring subjects with defense in depth – an attack on any one part of the castle would not endanger the whole.

Modern networks are like a medieval city; far too many points of possible attack to be defended by a single system. The days of making sure you’ve updated your anti-virus and calling it good are long gone. Today, you have to consider viruses, phishing, denial-of-service, social engineering, mobile devices, cloud computing…the list goes on and on! To begin building your castle defenses, here are a few suggestions:

  1. Identify what you need to protect
    Your first task is to figure out what you’ve got, where it’s at, and who uses it. This sounds like an oversimplification, but the truth is you will not understand what defenses to build until you know what you’re trying to defend! You have computers and probably a server, but that is only the beginning. Do you have a wireless network? Mobile phones and tablets? Do you use cloud-based services, like Office 365? These systems house part of your data and have their own unique security needs.
  2. Protect against the most common threats
    In the Middle Ages, kingdoms had to worry about roving groups of bandits, contentious neighbors, and international kingdoms who wanted to acquire resources. History is repeating itself: cybercriminals are in a perpetual state of war to get your data and resources using malware, social engineering, and brute force. Build your basic castle walls with anti-malware on every device, including servers and mobile devices, a business-grade firewall, and a well-designed backup as your castle keep when the outer walls fail. Other protections include enforcing strong password discipline, requiring secure VPN access to your network from mobile devices, and educating your staff on cybersecurity.
  3. Detect threats before they become a problem
    Just as a medieval castle wasn’t simply a wall and a locked gate, you can’t rely on simple protective measures to keep your data secure. Castles had lookouts and patrols to help defend the kingdom. Fortunately, you don’t have to employ knights and provide for their horses! Deploy a secure business-grade wireless network, enable unified threat detection on your business-grade firewall, implement advanced endpoint protection on your computers and servers, use a robust email security service to reduce or eliminate phishing attempts, and perform regular security reviews. If your business has requirements to comply with regulations, you will want to consider even more stringent security policies and measures, including a Security Information and Event Manager (“SIEM”) and possibly Mobile Information Management.

The royalty of the Middle Ages knew their world was dangerous and that doing one or two things was not ample to keep their kingdoms safe. They built complex systems of defense to avoid disaster. Likewise, our digital kingdoms are at risk and should require a similar level of diligence. For more information on how to become Sir Lancelot for your organization, contact our legion of security knights at Networks Plus!

*Castle Features – https://www.tes.com/lessons/HXqtwMKFUnRWcA/copy-of-identifying-the-featu…

What is BEC & How to Protect Yourself From It

By: Jerry Horton, Technology Director

I recently read an article about a company that lost $21 million to cybercriminals. This headline may make you envision a basement filled with bad guys in hoodies hammering away at keyboards; or perhaps Tom Cruise descending on a bungee cord to extract records from a high security mainframe. However, the truth is far less glamorous and much more frightening. The theft of these funds was committed in increments with the willing, but unknowing, participation of the company’s CFO and a Managing Director – simply because they were completely fooled by a cybercriminal posing as the CEO.

Anatomy of a Business Email Compromise
In his Nov. 10 blog post, Stu Sjouwerman of KnowBe4, Inc. (Networks Plus’ partner for security awareness and training), gave the following synopsis of the cybercrime:

“Thursday, Mar. 8, the [Managing Director] of a Dutch movie chain gets an email from the CEO of their holding company: “Did KPMG already call you?” The email was sent from a smartphone. The MD forwards the email to their CFO, but both are puzzled. They decide to email back and ask what the issue is.

The answer is a classic CEO Fraud tactic: “We are in a confidential M&A process with a foreign company in Dubai, and any communications can only be done using the personal email address of the CEO. Please transfer the first 900K and this money will be transferred back to you at the end of the month.”

An email thread ensues where the MD wants to make sure that the transaction is legit. “No worries”, confirms the holding company CEO. Please transfer the first 10% of the acquisition.

Tuesday, Mar. 13 the second transfer gets made: $2.5 million. The two execs wonder what is going on, but decide to comply with the CEO’s orders. More transfer requests follow, for higher amounts. Tuesday, Mar. 27 the “last payment” gets made. A total of $21 million dollars has been transferred over two weeks, and they get assured: “Yes, we’ll now transfer this money back right away”. That was the last thing they heard.

Finally, the HQ wakes up, grabs the phone, and asks about the transfers: “What is going on? What was the money used for?” The penny drops. The two execs have fallen for a CEO Fraud scam…”[i]

Business email compromise or ‘BEC’ is absolutely rampant. The FBI reports that BEC scams have cost businesses $5.3 billion from 2013-16. Trend Micro predicts losses will exceed $9 billion by the end of 2018. How can you avoid being a victim?

BEC – Avoiding the disaster
BEC is a simple tactic using social engineering and phishing to draw out the potential victim. Email addresses are, by their nature, somewhat exposed. Clearly, the CFO and Managing Director in the story above made an error and then further compounded their mistake by not following the two most basic rules of cybersecurity:

STOP. LOOK. THINK.
TRUST NOTHING. VERIFY EVERYTHING.

What do you need to look for?
Here are a few dead giveaways:

  • The domain doesn’t match. It is an old cybercriminal trick to use domains that look correct at first glance but are fake. Example: fred@conpany.com instead of fred@company.com.
  • The “Reply To” address doesn’t match the “From” address. It is even common for the “From” address to be incorrect – the cybercriminal only changed the displayed name.
  • The message contains an urgent or confidential call to action. If you read the content of the message closely, the urgency contains little to no justification for the request being made.
  • Payments requested for unusual amounts to routing numbers or accounts that are unfamiliar, or even wire transfers to foreign accounts.
  • Requests for payment at the end of the day, before weekends or holidays.
  • The email contains an unrequested attachment. Never open an attachment without verifying first!
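
Several of the giveaways above (the lookalike domain, the “Reply To” mismatch, a changed display name, and urgent or confidential wording) can be checked mechanically. The Python sketch below is an added example, not code from Networks Plus or KnowBe4; the trusted domain, executive name, keyword list, and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the organisation's real domain and names worth impersonating.
TRUSTED_DOMAIN = "company.com"
EXEC_NAMES = {"fred smith"}
URGENT_WORDS = ("urgent", "confidential", "wire", "transfer", "immediately")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_flags(raw_message):
    """Return the list of giveaways found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = []
    if from_dom != TRUSTED_DOMAIN and edit_distance(from_dom, TRUSTED_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    if name.lower() in EXEC_NAMES and from_dom != TRUSTED_DOMAIN:
        flags.append("display-name-spoof")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    if any(word in text for word in URGENT_WORDS):  # crude keyword match
        flags.append("urgent-or-confidential")
    return flags

# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = ("From: Fred Smith <fred@conpany.com>\nTo: cfo@company.com\n"
                    "Subject: Confidential\n\nPlease wire the first payment today.\n")
SAMPLE_REPLY_TO = ("From: Fred Smith <fred@company.com>\nReply-To: fred.smith@mail.example\n"
                   "To: cfo@company.com\nSubject: Quick question\n\nAre you at your desk?\n")
SAMPLE_CLEAN = ("From: Fred Smith <fred@company.com>\nTo: cfo@company.com\n"
                "Subject: Lunch\n\nSee you at noon.\n")
```

A flag is a prompt to verify the request by voice, not proof of fraud; a message with no flags can still be a BEC attempt sent from a compromised mailbox.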

If you looked, but are still not certain, verification is of the utmost importance. If you suspect BEC, you don’t want to reply to the email, so speaking directly to the requestor is the best method to verify the request. If that is not possible, verify the request via a valid email address.

It has been said that building a good offense yields the best defense. While a traditional offensive against cybercriminals is impractical, there are some practices that you can proactively adopt to minimize or prevent BEC.

  1. Implement a company-wide security education program. The value of this cannot be overstated! Most BEC attacks do not use any technical exploits – just old-fashioned human hacking through social engineering. Education is key to identification, detection, and prevention of BEC and other social engineering attacks.
  2. Implement an identity management platform with multifactor authentication.
  3. Create or tighten policies for payments or wire transfers, including a standard time delay, verification by voice, and two-person controls (also known as the two-man rule).

In the modern internet marketplace, cybercriminals are pickpockets preying upon the unsuspecting; however, with education, practical measures, and vigilance, you can help your company avoid becoming a victim.

If you’re interested in a company-wide security education program, contact me. I’d be happy to educate you and your staff on this very important issue.

[i] https://blog.knowbe4.com/heads-up-fired-two-c-level-execs-who-fall-victi…

Top 11 Tips on Protecting Yourself Online

By: Jerry Horton, Technology Director

Passwords…we can’t live without them, but living with them gets harder every day. We need a password for everything: computers, smartphones, Wi-Fi networks, smart TVs, smartwatches, email, social media, online banking, shopping sites, utilities…the list is enormous and growing at a mind-boggling rate. Each password creates another opportunity for cybercriminals to access your information.

The modern world has become an always-connected, three-ring circus with scary clowns attempting to steal everything we are, and everything we own, because the common password is our first, and sometimes only, line of defense.

How can we protect ourselves and manage better passwords without losing our minds?

  1. Change default credentials: Wi-Fi routers, smart appliances, smart TVs, smart home technology, and wearable technology have a cloud connection, and each has a default username and password. As soon as you unbox and power up, set up new credentials and disable the default ones.
  2. Use strong passphrases: Passwords can be difficult to remember, especially if they are created for maximum strength. Passphrases are easier to memorize and stronger than a password if you follow these rules.
    • Choose a phrase that has at least 25 characters. For example, “I’m dreaming of a White Christmas” is 33 characters long, including spaces. With a few simple substitutions, “I~m_Dr3@minGuv4wHite{hris+Mas” you meet the password requirements and have a “password” you can remember! Note: this is an example. Avoid popular song lyrics or other phrases that might be easily guessed.
    • Use at least five words in your passphrase. Remember a passphrase doesn’t need to be grammatically correct or even make sense, it just has to be easy to remember. A passphrase such as, “black terrier angry haikus loudly” is a good example.
    • Use simple substitutions or transpositions with upper case letters, punctuation marks, and numbers to satisfy website requirements.
    • Don’t use common names or dates, such as a family member, pet, birthday or anniversary. This information is too easily obtained.
  3. Use different credentials for work and home: Keep your work and personal accounts separate in every way, including passwords or passphrases.
  4. Ensure you have different passphrases for each account: Many websites use your email as your username, so make sure you have different passphrases for each account, especially financial or online shopping.
  5. Don’t allow a website to log you in using Facebook or Google: A cybercriminal would only have to compromise one set of credentials to steal your information or assume your identity on several websites.
  6. Change your passphrases regularly: It has been said passwords are like a toothbrush – don’t share it with anyone and replace it every six months. Unlike a toothbrush, passwords wear out faster, so change them every 90 days.
  7. Don’t share your passwords or passphrases: The IT folks at work can change your password if they need to login as you, but no one else should have access to it.
  8. Don’t save credentials to your browser: While this is convenient, the browser stores the credentials in a well-known location in an easily readable format. Instead…
  9. Use a strong password manager: Even using passphrases, the number of credentials we need to manage becomes overwhelming. A good password manager, such as LastPass, Dashlane or 1Password, is cost-effective, stores credentials securely, and will allow you to set up a recovery account for your spouse, or other trusted individuals, in case of emergency.
  10. Use multifactor authentication: Most reputable websites offer this as a code sent via text after you enter your password. While this doesn’t make passwords simpler, it does increase the security of your online presence, making your passwords a less attractive target.
  11. Stay informed: Target, Home Depot, Equifax, and Facebook suffered major security breaches within the last two years. The faster you change your passwords following such an incident, the less likely you would be exposed to further issues.

Being a citizen of the online community has many positive benefits, so keep yourself safe. Practice the steps above and your travels on the Information Superhighway will avoid those potholes!
