Tuesday, October 16, 2018

Information Leakage - Using the Internet Judiciously

One of the best online resources for cyber criminals is Google.  While businesses use their company website, Facebook, Twitter, LinkedIn, and the like for marketing and recruitment, they are unintentionally leaking information that is useful to cyber criminals.  At the same time, their employees are guilty of both disclosing too much detail about their job duties and connecting to or friending people on the strength of an invite, without any due diligence.

For businesses, below are some typical areas where internal information is disclosed:

Press Releases: Expanding your business?  Offering a new product?  That is great and something to brag about, but pick and choose what details you make public.  Let's say you are offering a new product or service, and you bought a new piece of equipment to provide it or have a new vendor helping you support it.  If possible, don't name business partners or describe new equipment by name.  These details don't sound important, but they are exactly the internal context a spear-phisher needs to gain the trust of your employees.  Say you name your new supplier (XYZ Corp) in your press release.  A few weeks later an e-mail arrives in your accountant's inbox, apparently from XYZ Corp, saying they have just changed banks and to use the banking details below for future invoices.  You figure out it was a phishing e-mail when XYZ Corp starts calling about all the unpaid invoices, and now you are out the money.

Job Postings:  One of my pet peeves is all of the information you can glean from an organization's job postings.  If your company is hiring a Database Administrator, you don't have to say in the posting "Must be experienced with MS SQL Server 2008 R2 Express."  That tells the public exactly which database version you are running, and therefore which known vulnerabilities to look up.  Simply saying "Must be experienced with MS SQL Server" will suffice.

Vendor Endorsements: I never give public vendor recommendations (the kind posted on the vendor's website).  Why?  Because I don't want anyone knowing too much about the inner workings of my business, such as who my vendors are.  A cyber criminal can use that relationship to spear-phish either company, and it may not be something you want your competitors to know either.  If you have a really good vendor relationship and they want a recommendation, offer to give one-off personal recommendations.  Just don't put it out on the web for the world to see.

Website Contacts: If possible (granted, it is a must for some industries), do not publish a directory of your employees' names and contact information on your company website.  It is a treasure trove for cyber criminals, for both phishing e-mails and scam phone calls.  Use generic contact addresses in your Contact Us section, such as sales@xyzcorp.com, or, better still, a contact form that does not disclose company e-mail addresses at all.


Tips for your employees:

Social Media: Encourage your employees to keep their job duties generic when updating their LinkedIn profile or online resumes.  If you are an Accountant for a business, that is great.  You don't have to put on LinkedIn that you handle all of the business's banking, send wire transfers, or are familiar with Wells Fargo's business banking portal.  That is far too much information to hand to potential cyber criminals, and it is exactly what gets used to target you in a Business Email Compromise (BEC) or spear-phishing attack.  Save the details for the resume you submit to a potential employer; the one you post publicly should be a summary.

Technology questions using company e-mail address: Technology folks will often visit tech blogs and websites soliciting information and knowledge about a problem they are trying to resolve.  This is all well and good, but sometimes they post detailed questions that disclose the names and versions of systems and applications, using their company e-mail address, and therefore identify the organization that has the problem.  Information about current IT issues (security related or not) should not be publicly disclosed.  It is not something you want hackers to see, and it doesn't look good to current or future customers either.

Be Secure!

@tjmprofessional

Thursday, October 4, 2018

How to Overcome Your E-mail Insecurity - Part 3 of 3

Phishing
Less complex than BEC, but even more widespread, phishing e-mails usually come from free e-mail providers (e.g. gmail, yahoo, outlook/hotmail) but carry a display name different from the actual address in an attempt to gain your trust.  The e-mail is supposedly from DHL, UPS, DropBox, Microsoft, or some other large company that you trust, but the underlying address is not on that company's e-mail domain; it is a gmail account or a similar-looking domain like DHL_Accountservices.com.

Some recent attacks have gone further and impersonated domains to fool employees of the business itself.  If your business e-mail domain is "marysdonuts.com", the impersonated domain might be rnarysdonuts.com, where the "m" is replaced with an "r" and an "n" to fool your eye into reading a lower case "m".  Cyrillic alphabet characters that look identical to Latin ones (a, e, o, p, c) have also been used; in the raw message such a domain appears as an encoded "xn--" label, which is a tell if your mail client shows it.

Security Tip:  Like the BEC e-mails, there is a call to action, usually an attachment (carrying malware) or a button/link to click. 

Ask yourself these questions when you receive an e-mail:
  1. Do I know the sender?  (hover your cursor on the display name or click the display name to see the real e-mail address)
  2. Am I expecting this e-mail or any attachments from this sender?
If you answer "No" to either question, treat it as a phishing e-mail until proven otherwise. Again, if you do know the sender, pick up the phone and verify that they sent you the e-mail and any attachments. 
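The two questions above (does the real address match the display name, and is the domain really the one it appears to be) can be automated. The following Python script is an added example, not code from the original post: it parses a From: header, flags free-mail senders, reduces domains to what the eye reads so that rnarysdonuts.com and a Cyrillic-spelled marysdonuts.com collide with the real domain, and flags a display name that invokes a trusted organization without using its domain. The trusted-domain list, the free-mail list and the sample headers are constructed for illustration. Note what it cannot do: a message sent from a genuinely compromised account (the Part 1 scenario) passes every one of these checks.

```python
"""Triage the From: header of an e-mail for the spoofing tricks described above.

Added example, not from the original post. The free-mail list, the trusted
domains passed in by the caller and the sample headers are constructed.
"""
import re
from email.utils import parseaddr

# Free-mail providers a real vendor, bank or executive would not be mailing from.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Single characters that render like an ASCII letter: a few Cyrillic letters
# (keys are the look-alikes, values are what the eye reads) plus digit swaps.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "3": "e", "5": "s",
}
# Two-character sequences that render like one letter ("rn" reads as "m").
SEQUENCES = {"rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Reduce a domain to what a reader perceives, so look-alikes collide."""
    labels = []
    for label in domain.lower().split("."):
        # Non-ASCII domains travel as Punycode ("xn--...") in real headers.
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except (UnicodeError, ValueError):
                pass  # malformed label: keep it as-is and compare literally
        labels.append(label)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in ".".join(labels))
    for seq, single in SEQUENCES.items():
        text = text.replace(seq, single)
    return text


def triage_from_header(from_header: str, trusted_domains: set) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["From: header has no parsable address"]
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted_domains:
        return []  # exactly the domain we expect (a compromised account still passes)

    findings = []
    if domain in FREEMAIL:
        findings.append(f"sender uses free-mail provider {domain}")
    for trusted in trusted_domains:
        if skeleton(domain) == skeleton(trusted):
            findings.append(f"{domain} is a look-alike of trusted domain {trusted}")
    # Display name drops the organization's name but the address lives elsewhere.
    name = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for trusted in trusted_domains:
        org = trusted.split(".")[0]
        if org and org in name:
            findings.append(f"display name mentions {org!r} but address is @{domain}")
    return findings


if __name__ == "__main__":
    TRUSTED = {"marysdonuts.com", "dhl.com"}
    SAMPLES = [  # constructed headers
        "Mary Smith <mary@marysdonuts.com>",
        "Mary Smith <mary.smith.ceo@gmail.com>",
        "\"Mary's Donuts Accounts\" <billing@rnarysdonuts.com>",
        "DHL Express <notice@DHL_Accountservices.com>",
        "Accounts <billing@marysd\u043enuts.com>",  # Cyrillic "o"
    ]
    for header in SAMPLES:
        print(header, "->", triage_from_header(header, TRUSTED) or "ok")
```

The skeleton step is the part worth copying into a mail filter: it does not try to decide whether a domain is "bad", only whether it looks like one you already trust, which is exactly the question a reader's eye fails at.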

So the lesson at the end of the day is: if you want to be safe and not become a victim of e-mail fraud, BEC, or phishing, use the low-tech communication device invented by Alexander Graham Bell and verify before acting on e-mailed instructions.  After all, as discussed in my Part 1 blog post, e-mail is not secure by design.

Be Secure!

@tjmprofessional


Tuesday, September 11, 2018

How to Overcome Your E-mail Insecurity - Part 2 of 3

Business E-mail Compromise (BEC)
For the last two years this has been a growing threat to small businesses.  It is a phishing e-mail in which the attacker poses as someone in authority (your boss, the CEO, the CFO, the IRS, etc.) and asks you to send employee HR data such as W-2 information, customer information, or money, or to go buy gift cards.  The things to look for in identifying a BEC attempt are:
  • Usually sent after hours or right before you are about to leave for the day.
  • Appears to be from someone you know or work with, or from a government agency, but is usually sent from a gmail, yahoo, or other free e-mail domain rather than a business domain.
  • Has a sense of urgency and asks you to take immediate action.
  • May be written in odd English or non-American style English.
  • The message is usually short and to the point, and may be trying to start a conversation to gain your trust.  E-mail #1 might say "Are you in the office?", which prompts you to respond "Yes"; then E-mail #2 says "Great, I need you to send (money, gift cards, data) urgently."  More likely than not it will use the word "Kindly", as in "Kindly send...".
  • The e-mail will probably be asking you to do something out of the ordinary.  (This is where the red flashing lights should start going off in your head.)
Security Tip: Always pick up the phone and call a number that you already have on file, and verify that the person who supposedly sent the e-mail really did.  As for the IRS, they will never e-mail you asking for anything; they initiate contact by postal mail.

A good rule of thumb is, if an e-mail seems strange, or is requesting something that is not normal procedure, it's probably a scam.


Be Secure!

@tjmprofessional

Thursday, September 6, 2018

How to Overcome Your E-mail Insecurity - Part 1 of 3

As a small business owner you probably have a lot of things keeping you up at night.  Your use of E-mail in doing business probably wasn't one of them, until you read this post.

E-mail was not designed to be secure.  It was created as a simple messaging system for a small community of trusted networked computers on the ARPANET in the early 1970's, and grew into mass use during the 1990's.  It eventually displaced both the telephone and the fax machine as the primary communication medium for business in the 2000's.  The original assumption of a trusted network survives in the protocol: SMTP, the protocol that moves mail between servers, does not authenticate the sender, so anyone can put any name and address on the From line, and that is what has made e-mail the preferred attack vector for cyber criminals to defraud both individuals and businesses.  (Add-ons such as SPF, DKIM and DMARC let a business make its own domain harder to spoof and are worth turning on, but they do nothing about a message sent from a genuinely compromised account.)  Rather than dwell on what we can't change, let's focus on what we can.

The E-mail Interloper
Over the last year a very popular type of e-mail attack has been targeting attorneys, loan officers, and realtors.  (There have been similar scams with vendor payments and payroll provider settlements.)  A hacker compromises one of these parties' e-mail accounts, typically by phishing the password or reusing one leaked elsewhere.  Rather than make their presence known, they sit back, read through the person's e-mail, and wait for the right situation to arise, usually a real estate transaction.  Once the hacker knows the particulars of the deal, they wait until the time of closing and then send an e-mail from the compromised party's account telling the buyer or the buyer's agent that the wiring instructions for the settlement have changed and to use the new bank routing and account number to transfer the proceeds.  Because the message really does come from the genuine account, no spam filter, sender check, or careful reading of the address will catch it.  The buyer sends the wire to the hacker's bank, and by the time all the parties figure out what has occurred, the hacker has moved the money through several other banks and on to an overseas account, and "poof", hundreds of thousands, potentially millions, are gone.  If that wasn't bad enough, now everyone gets lawyered up to try to figure out who is at fault, and the real mess begins.  Regardless of whether you are the buyer, seller, a real estate agent, or attorney, this is a business nightmare, as both the money and the deal are gone.

Security Tip: If you are in the real estate business, or another business where you frequently send wires to different parties, always pick up the phone and call a number (that you already have on file) and verify with the receiving party the wiring instructions before sending the funds.  A simple five minute phone call will defeat an e-mail take over scam, and will also demonstrate to your customers and business partners that you take security and doing business with them seriously.  If your clients are the ones sending funds, remind them to do this one simple thing to protect themselves, and your commission.


Be Secure!


@tjmprofessional

Saturday, August 25, 2018

Phishing is not a Technology Problem

In reading the title of this post, IT folks all around the world are shouting at the top of their lungs; "Amen!".

While perhaps not a profound statement for the IT community, it is nevertheless true that phishing is not an IT risk but a business risk.  Phishing is social engineering: the use of trickery and deception, with technology as the delivery platform, to coerce your employees into e-mailing mass HR or customer data, giving up their password, or sending money to a criminal posing as a company executive, government official, or vendor.  It is therefore the social engineering aspect that needs to be addressed, but rarely is.  Hence phishing is very effective, very profitable, and growing rapidly in both volume and sophistication.

The security software and appliance providers keep upping the ante with the latest technology (now AI) to detect or block phishing e-mails, but at the end of the day this is a holding action, not a sustainable solution, because it is never 100% effective.  The root cause is still sitting one foot in front of the keyboard: it is your employees and contracted staff that make phishing attacks possible, and that is where the least amount of budget and time is spent on reducing your organization's risk of being phished.

Security experts have been debating for years how effective security awareness training, mock phishing exercises, the security posters hung in the break room, and security tips posted on your organization's intranet site really are.  To be honest, perhaps the jury is still out on the scientific data, but what is the alternative?  Do nothing?  We've seen first-hand with recent data breaches how well that works. 

Perhaps the secret formula is a balanced approach of tools, training, and procedures to combat this business risk.  Tools scan e-mail for suspicious content.  Training shows employees what phishing e-mails look like, gives them an easy way to report them (so they are part of the security process), and uses mock phishing exercises with a teachable moment built in.  Procedures, well communicated, state that mass data is never e-mailed without approval, that no wire is sent without phone verification, and that the CEO (who probably doesn't remember your name) is never going to ask you to "kindly" pick up some iTunes gift cards at the store.  Put those three together and your organization has a shot at thwarting the phishers.

Be Secure!!!

@TJMProfessional



Sunday, July 8, 2018

"Are you still in the office?" - A Phishing Story

The below is based on a true story:

Monday at 5:00 pm - You are just leaving the office.

You happen to have left the office on time today (for once) for your kid's soccer game, a happy hour, a hot date, or whatever.  At 5:35 pm you get an e-mail from your boss.  The subject is "Are you still in the office?".  Of course you open the e-mail.  In the body of the e-mail, your boss says "Hey, are you still there?  I need you to do me a favor that's most urgent."  Naturally you want to please your boss, and be responsive.  You immediately respond; "Sure, what do you need?". You then get a reply back; "Thank you so much.  I have a client that I am going to be meeting tonight, and really wanted to "Wow" them by getting their team some iTunes gift cards.  I totally forgot to get them.  Can you run out to a store and get me four $250 iTunes gift cards.  Once you have them, scratch off the back to reveal the code and kindly send me photos of the codes.  I need them before dinner is over at 8:00 pm tonight."

You make a slight detour on the way to your after-work event to stop by a store and purchase four iTunes gift cards with your corporate card.  You then whip out your phone and send your boss photos of the codes by 6:20 pm, and are still able to make your event.  You saved the day for your boss and helped him/her win over the new clients.  Deep down you are hoping your part in this is remembered when raise/bonus evaluation time comes around.  All is right in the world.

Tuesday Morning at 8:10 am - You are in the office and just grabbed your morning coffee.

The boss walks by your desk and says "Good Morning".  You respond in kind and add, "How did the clients like the gift cards?"  Your boss stops, turns to you and says "What are you talking about?"

It is at this point you find out that the e-mail was not from your boss, but that you were the victim of a spear-phishing e-mail.  The cyber criminal stole $1,000, which you put on your corporate card and thought you would be reimbursed for.

Does this sound like a far fetched story?  It's not.  It is safe to say that thousands of intelligent people around the world fall for this type of phishing campaign every day.  Per the FBI's 2017 Internet Crime Report*, there were 25,344 reported phishing victims in the US alone in 2017.  Keep in mind, most phishing attacks go unreported due to the victim being embarrassed for having been tricked.  Today's cyber criminals rely on human behavior over technical skill.  They will use fear, greed, people's good nature and helpfulness to try to defraud your employees and your business.  Security awareness training is a very effective defense against phishing attacks and is fairly cheap.  Speaking of awareness, let's get to it.  Below are some tips as to what this employee should have done to prevent being a victim:

Tips:
1.)  If you are getting an e-mail from someone (such as your boss) and the request is unusual (i.e. not something they have ever asked you to do before), pick up the phone and call them on a number you know is valid.  Also, if the e-mail is from the CEO or CFO and they most likely don't even know your name, they probably aren't asking you for a favor.  This is when it is good to forward it to your boss with your suspicions and ask him/her to look into it.  Communicate outside the e-mail thread and use the chain of command to authenticate odd e-mail requests.

2.) Any e-mail asking you to buy something (typically iTunes, gift cards, or prepaid debit cards), transfer customer/employee data, or transfer funds (sending a wire, ACH, Western Union, Money Gram, etc.) needs to be independently verified by picking up the phone and calling the person on a number you know is valid (don't use any contact info in the e-mail that was sent to you).

3.) Cyber criminals know what your office hours are, so treat "urgent" requests that arrive after hours as highly suspicious.

4.) As with #3 above, the cyber criminals know you most likely will be checking your work e-mail after-hours with a mobile device.  Most mobile phones only show the display name, not the actual e-mail address, so they can send an e-mail from a gmail account with your boss, CEO, or CFO's name displayed and it will appear on your phone or tablet as the display name, not the actual e-mail address.  Click on the display name to show the actual e-mail address.  Even if it looks legit, still call.  No one ever got fired or in trouble for verifying e-mail instructions that seem odd.

5.) Look for very short e-mail messages with no details.  Bad grammar and spelling are also common signs, as is non-American style English such as "I have a most urgent request" or "Kindly send me the gift card codes."  Does your boss or CEO talk like that? 

6.) Let's say you fell for it, and realize it afterwards.   Report it!  You can still save the day.  In this case the employee should have notified the company's security officer or HR right away so that all the other employees could be warned and further victims prevented.  Secondly, he/she should have contacted Apple to have the codes deactivated.  Criminals typically redeem or resell the codes within minutes, so this rarely gets the money back, but it can stop them from cashing in.  When criminals find a good target, they keep coming back.  Make sure their attack on you isn't profitable, and they will look for an easier target next time and leave you alone.  
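The red-flag list in Part 2 (Business E-mail Compromise) and tips 3 through 5 above are the same handful of signals, and they can be turned into a simple scoring check that a mail gateway or a help-desk triage script could run. The Python below is an added example, not code from any of the posts: the office-hours window, the phrase lists, the company domain and the three sample messages (two reconstructed from the story above, one legitimate) are all constructed assumptions. Whether the sender's domain is a look-alike of yours is a separate check and is not repeated here.

```python
"""Score a message for the BEC red flags: off-hours, external sender, urgency,
"kindly", a request for money/cards/data, a short conversation-starter.

Added example, not from the original posts. Office hours, phrase lists,
company domain and the sample messages are constructed assumptions.
"""
import re
from datetime import datetime

OFFICE_HOURS = range(8, 17)  # assumed 08:00-16:59, Monday to Friday, local time

# Phrase lists as regular-expression alternatives. The \b in _has() keeps
# "ach" from matching "attached" and lets "gift cards?" cover the plural.
URGENCY = r"urgent(?:ly)?|immediately|asap|right away|before (?:dinner|close|end of day)"
REQUESTS = r"gift cards?|itunes|wire|w-?2s?|ach|bank account|routing number|payroll"
OPENERS = r"are you (?:in the office|still there|available|at your desk)"


def _has(pattern: str, text: str) -> bool:
    return re.search(rf"\b(?:{pattern})\b", text) is not None


def bec_flags(from_addr: str, sent: datetime, subject: str, body: str,
              company_domain: str) -> list:
    """Return the red flags one message raises; the more flags, the more suspect."""
    flags = []
    text = f"{subject}\n{body}".lower()
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain != company_domain:
        flags.append(f"sender poses as a colleague but mails from @{domain}")
    if sent.hour not in OFFICE_HOURS or sent.weekday() >= 5:
        flags.append(f"sent outside office hours ({sent:%a %H:%M})")
    if _has(URGENCY, text):
        flags.append("urgency language")
    if _has("kindly", text):
        flags.append('uses "kindly"')
    if _has(REQUESTS, text):
        flags.append("asks for money, gift cards or sensitive data")
    if _has(OPENERS, text) and len(body.split()) < 40:
        flags.append("short conversation-starter with no details")
    return flags


COMPANY_DOMAIN = "marysdonuts.com"  # assumed

# Constructed messages: the two from the story above, and one legitimate one.
SAMPLES = {
    "opener": ("the.boss.ceo@gmail.com", datetime(2018, 7, 9, 17, 35),
               "Are you still in the office?",
               "Hey, are you still there?  I need you to do me a favor that's most urgent."),
    "ask": ("the.boss.ceo@gmail.com", datetime(2018, 7, 9, 17, 50), "Re: favor",
            "Thank you so much.  Can you run out to a store and get me four $250 iTunes "
            "gift cards.  Once you have them, scratch off the back to reveal the code and "
            "kindly send me photos of the codes.  I need them before dinner is over at 8:00 pm tonight."),
    "legit": ("boss@marysdonuts.com", datetime(2018, 7, 10, 10, 15), "Q3 budget",
              "Attached is the Q3 budget draft we discussed in Monday's meeting.  Comments by Friday please."),
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(f"{name}: {bec_flags(*message, COMPANY_DOMAIN) or 'no flags'}")
```

The point of returning a list rather than a yes/no is that one flag on its own (a late e-mail, say) is routine; three or four together is the pattern in the story, and that is the threshold at which the message should be quarantined or bounced to a human for the phone call.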



Be Secure!


Link to the 2017 FBI Internet Crime Report
* https://pdf.ic3.gov/2017_IC3Report.pdf

Saturday, June 23, 2018

The Password Game

With all the focus on phishing and ransomware (which, yes, you need to be protecting your organization from), don't lose sight of the importance of good password management.  You hear security folks talking about strong passwords, or complex passwords, but what does that mean, and, more importantly, why is it important?

Answer to the question: "What is a Strong password?"
Strong passwords are harder for an attacker to guess or crack because they have all of the following characteristics:

  • They are complex (a mix of lower case, upper case, numeric, and special characters such as @#$%&?!).
  • They are not dictionary words, names, or other proper nouns.
  • They are long (8 characters is the usual minimum; 12 or more is much better, and length does more for you than complexity does).
  • They are changed whenever there is any reason to think they are compromised, and on a schedule if your policy requires one (45 days is commonly recommended, 30 days is stricter; see the caveat under point 4 below).
  • They are not recycled (password history; the usual setting remembers the last 12 passwords, but the better practice is to never reuse a previous password at all).
So to answer the question "Why is it important?", let's go through each of the above points to demonstrate this:

  1. Complex Passwords: Passwords are stored as hashes (one-way encoded values), not in the clear.  If an attacker steals the password database from a server or your PC, they do not get to read the passwords; they run what is called a Brute Force attack, feeding candidate passwords through the same hash function until one produces the stolen hash.  The tool cannot guess one character at a time, because a hash gives no hint about individual characters; it has to try whole candidates, so the work is the size of the character set raised to the length of the password.  Eight lower-case letters gives 26 to the 8th power, about 200 billion candidates, which a single modern GPU exhausts in seconds against a fast, unsalted hash such as NTLM or MD5.  Adding upper case, digits and symbols (about 95 printable characters in all) and making the password longer grows that number exponentially, and that is what buys you time.  (A password captured in the clear, for example typed into a phishing page, needs no cracking at all.)  This matters when we discuss change frequency.
  2. Dictionary Words / Proper Nouns -  Attackers do not start with brute force; they start with wordlists (dictionaries, first names, place names, passwords from previous breaches) plus mangling rules that try the usual tricks: capitalizing the first letter, appending a year, swapping a for @ and s for $.  Any password built that way falls in seconds.  In 2003 a tool called RainbowCrack took the idea further for unsalted hashes (LM, NTLM, MD5 and the like): it precomputes the hashes of an entire character set up to a given length into "rainbow tables", so that cracking a captured hash becomes a table lookup that returns the password almost instantly.  Salting the hash defeats that precomputation, but it does nothing against wordlists and rules.  So don't use dictionary words or names, and prefer a pass-phrase over a pass-"word".  The classic suggestion is something meaningful only to you: if your daughter's name is Sara, she was born in 2008, and you drive a Chevy Cruze, you might build $ar@08CrUzing.  Be aware of the catch: those facts are exactly what an attacker can read off your social media (see the Information Leakage post above), and the @ and $ substitutions are standard mangling rules.  A phrase of four or more unrelated words is both longer and harder to guess.
  3. Password Length - As noted in #1, every extra character multiplies the attacker's work by the size of the character set, so length does more for you than any other property.  Think of it as a game you are playing: the longer and more complex the password, the longer the attacker needs to crack the hash, and the better your odds that it has been changed before they succeed.  Which leads us to the next point.
  4. Password Change Frequency - In one of my posts from last year I applied a quote often attributed to Benjamin Franklin to passwords: "Passwords are a lot like diapers. They should be changed frequently, and for the same reasons."  The whole point of a long, complex, non-dictionary password is to push the time needed to crack its hash past the point at which you change it, so that a cracked password is useless by the time the attacker has it.  So if you never change your password, eventually a hacker can crack it, and changing every 30-45 days runs that clock in your favor.  Two caveats a practitioner will raise.  First, current guidance (NIST SP 800-63B, 2017) no longer recommends forced periodic changes for ordinary accounts, because users respond with predictable variations (Summer2018 becomes Fall2018); it favors long passwords, screening new passwords against lists of breached ones, and an immediate change whenever there is any sign of compromise.  Second, if the password was phished rather than cracked it gets used within minutes, and no schedule helps; that is where the verification habits in the phishing posts come in.
  5. Password History - For the same reason as in #4, don't reuse an old password, at least not for several change cycles.  If you change your password every 30 days, it takes the attacker 60 days to crack your old hash, and you then switch back to that old password, you have undone the benefit of changing it.  Reuse across sites is worse still: a password leaked in one breach gets tried against every other account you have.
So as demonstrated in the above 5 points, all of these characteristics work together not to prevent a hacker from getting your password hash, but to prevent them from getting a password that works.  It is a game you are playing, and your goal is to run out the clock while you are ahead.
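To put numbers on points 1 through 4, here is an added Python example (not from the original post).  It counts the brute-force keyspace of a password, converts it to time at an assumed guess rate, and shows why point 2 matters: against an unsalted hash, a precomputed wordlist turns cracking into a dictionary lookup, while a salt makes that same table useless.  The guess rate of about 10^11 per second is an assumption for the order of magnitude a single modern GPU reaches against an unsalted fast hash such as NTLM or MD5; a slow, salted hash such as bcrypt is many orders of magnitude slower.  The wordlist is constructed.

```python
"""Keyspace, time-to-crack and the precomputed-lookup attack behind points 1-4.

Added example, not from the original post. GUESSES_PER_SECOND is an assumed
order of magnitude for one GPU against an unsalted fast hash (NTLM, MD5).
"""
import hashlib
import string

GUESSES_PER_SECOND = 1e11  # assumed

# Character classes the attacker must include once they see one of each in use.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the alphabet the attacker has to search, based on what is present."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def keyspace(password: str) -> int:
    """Brute force tries whole candidates, not one character at a time:
    the work is alphabet size raised to the length, not size times length."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker; on average they hit it in half this time."""
    return keyspace(password) / rate


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


WORDLIST = ["password", "sunshine", "Sara2008", "letmein"]  # constructed


def lookup_attack(stolen_hash: str, wordlist: list):
    """Point 2: precompute the wordlist once, then cracking is a dictionary lookup.
    The table is built without any salt, which is exactly why salting defeats it."""
    table = {md5_hex(word): word for word in wordlist}
    return table.get(stolen_hash)


if __name__ == "__main__":
    for pw in ("abcdefgh", "Sara2008", "Sara2008!", "$ar@08CrUzing",
               "correct-horse-battery-staple"):
        print(f"{pw!r:32} alphabet {charset_size(pw):3d}  "
              f"~10^{len(str(keyspace(pw))) - 1} candidates  {human(seconds_to_exhaust(pw))}")
    print("unsalted lookup:", lookup_attack(md5_hex("sunshine"), WORDLIST))
    print("salted lookup:  ", lookup_attack(md5_hex("x7!" + "sunshine"), WORDLIST))
```

Two things to read off the output.  The brute-force figure for $ar@08CrUzing is the attacker's worst case; a rule-based attack that capitalizes, substitutes @ and $ and appends a year would not need anything like that long.  And the salted lookup returning nothing is the whole argument for salting on the server side: it forces the attacker back to guessing per account instead of looking up precomputed answers.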

Be Secure!

Friday, May 25, 2018

No Silver Bullet for the Cyber-wolves

The majority of individuals and businesses are sold a bill of goods regarding cyber security.  They hear marketing pitches for security software, appliances, and managed services, are told that "this product" or "that service" will secure their business or home computer, and at the end of the day are left with a false sense of security.

While these products and services can help reduce your risk of a cyber incident, they are only a small piece of your overall security program.  There is no silver bullet that can keep hackers at bay.  To do this, you need to employ a Defense in Depth security program.  While this sounds like a daunting and expensive task, it can actually be done very inexpensively and with a few simple steps.

Risk Assessment - "If You Can't Measure It, You Can't Improve It." - Peter Drucker
The first step is to have a security risk assessment performed.  This informs you where your information security risks are, what controls you have in place, and what control gaps/weaknesses you need to shore up.

Polices, Plans & Procedures - "Those that fail to plan, plan to fail."  - Alan Lakein

  • Information Security Policy - This should cover, at a minimum, access control/user management, anti-virus, patching, password management, data classification and handling, use of encryption, remote access, change/configuration management, software acquisition/licensing, logging, and acceptable use.
  • Incident Response Plan - You need to have this before you have an incident.  Don't worry about trying to identify every single type of incident; just get it down to high-level impacts, e.g. network outage, server outage, application outage, security breach, malware infection.  Have written procedures on how your staff should respond to each of these types of incident. 
  • Business Continuity Plan - If there is an electrical outage, fire, or natural disaster you need a plan of action for how and where you will resume your business.  Also keep all your employee, contractor, and vendor contact information in the plan.  Keep the plan in multiple locations, including a hard copy at your home: if there is no power, your cloud or PC may not be accessible.  Do not get hung up on the type of disaster; focus on the fact that your office is not accessible, and the plan needs to answer the question "What do I do now to stay in business?".  Do a paper walk-through with your management team at least twice a year and update the contact info.


Anti-Malware (Anti-Virus, End Point Control, Patching)
Having anti-virus and end point protection is not optional.  Make sure they are actively running, updated daily, that scans run daily (off hours), and that only an Admin can disable or change the settings.  Also, no user on your business network should have Local Admin, and the IT staff should have a separate Admin account for things that require Admin access and a normal user account for surfing the web and checking e-mail.  Malware is most dangerous when it runs with Admin privileges, and it runs with the privileges of whoever clicks on it.  Patching needs to be done promptly on operating systems, database management systems (MS SQL, MySQL, Oracle), and application software (Apache, Adobe, Office, etc.)

PC & Server Hardened Standard Image
Your PCs and servers require certain services to operate.  Over time, as you add software, more and more services are activated, and usually set to run at startup (when most do not need to).  Besides slowing down the machine and giving a poor user experience (it takes forever to start up and to shut down), every unnecessary service that is running, and especially one that listens on the network, increases the attack surface for a hacker or malware.  You should have a standard image for your organization's PCs and servers in which you deactivate all non-essential services (daemons in the Unix/Linux world).  Also remove all non-essential user accounts.  Most operating systems and applications ship with Test or Guest accounts; either remove them or disable them.  If you have to keep any default accounts, change their passwords and make them complex (10-14 characters with lower case, upper case, digits, and special symbols).  This is called hardening.  Once you have a hardened image, copy it, and that is what every machine in your organization gets as a baseline.  And because your users do not have Local Admin, they will not be able to install software, which helps ensure that only approved, malware-free, and licensed software runs on your network.

Network Security
You should have multiple layers of firewalls, routers, and switches.  Keep these patched promptly too, and change every default account and password.  You should also have some type of intrusion detection or log reporting system that sifts through the firewall logs and reports the critical alerts, so you know when you are under attack and can follow your Incident Response Plan, as noted above, to prevent or stop it.
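What "sift through the firewall logs and report the critical alerts" looks like in practice, as an added Python example that is not from the original post: it reads deny lines and raises two alerts, a port scan (one source denied on many different ports) and the hammering of a single port (one source denied many times on the same port, typical of password guessing against RDP or SSH).  The key=value log format, the thresholds and the sample log lines are constructed; a real firewall's format will differ, so the parsing expression is the part to adapt.

```python
"""Sift firewall deny logs for port scans and single-port hammering.

Added example, not from the original post. The log format is an assumed
generic key=value line; the sample lines are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def alerts(lines, scan_ports: int = 10, hammer_hits: int = 20) -> list:
    """Critical alerts worth a human's attention, built from DENY lines only."""
    ports_by_src = defaultdict(set)       # source -> distinct destination ports denied
    hits_by_src_port = defaultdict(int)   # (source, port) -> number of denies
    for rec in map(parse_line, lines):
        if rec is None or rec["action"] != "DENY":
            continue
        ports_by_src[rec["src"]].add(rec["dport"])
        hits_by_src_port[(rec["src"], rec["dport"])] += 1

    found = []
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= scan_ports:
            found.append(f"PORT SCAN from {src}: denied on {len(ports)} distinct ports")
    for (src, dport), n in sorted(hits_by_src_port.items()):
        if n >= hammer_hits:
            found.append(f"REPEATED DENIES from {src} to port {dport}: {n} attempts")
    return found


def constructed_log() -> list:
    """Synthetic log: one scanner, one password guesser, some background noise."""
    lines = [f"2018-05-25T02:11:{i:02d} DENY src=203.0.113.9 dst=192.0.2.10 proto=tcp dport={p}"
             for i, p in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389))]
    lines += [f"2018-05-25T03:{i // 60:02d}:{i % 60:02d} DENY src=198.51.100.7 "
              f"dst=192.0.2.10 proto=tcp dport=3389" for i in range(25)]
    lines += ["2018-05-25T08:00:01 ALLOW src=192.0.2.55 dst=192.0.2.10 proto=tcp dport=443",
              "2018-05-25T08:00:02 DENY src=192.0.2.55 dst=192.0.2.10 proto=udp dport=137",
              "garbage line the parser must skip"]
    return lines


if __name__ == "__main__":
    for alert in alerts(constructed_log()):
        print(alert)
```

In production this runs over a sliding window (the last hour, say) rather than the whole file, and the thresholds are tuned so that the one stray UDP deny from an internal host does not page anyone while twelve ports from one outside address does.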

Security Awareness Training
While listed last in this post, it is by far the most important low-cost security measure you can take.  Cyber criminals have figured out that it takes a lot of skill and hard work to hack your network.  It is much easier to trick your employees into handing over a userid and password, your customer/employee data, or a wire out of your business bank account.  Your awareness program is not a once-a-year video or PowerPoint slide deck.  It needs to be ongoing and use a number of mechanisms to stay top of mind for your employees.  Monthly security tip e-mails, security posters in the break room, mock phishing exercises, having a security expert come in quarterly for live or web-based training, and having your IT or security team do monthly brown-bag lunch presentations will all have a big impact on your employees' security awareness.

To sum it up, there is no silver bullet, and information security is not a menu to choose from.  You have to do all of these things, and more to have a defense in depth security architecture.    You need to put up enough barriers to frustrate them which will encourage them to leave your organization alone and go hack someone else...(hopefully your competitors who don't take my advice).



Friday, February 16, 2018

Gone Phishing

Phishing, or the act of trying to deceive folks into thinking you are someone else in the hope of scamming user credentials, data, or money out of them, is occurring at an alarming rate.  It is also a common delivery mechanism for ransomware.


Some popular ones over the last few weeks to be aware of:

DocuSign Document is waiting for you

UPS Quantum Shipment - About a recent attempt to deliver a package to your address.

accounting@<yourcompany>.com - An invoice or statement from a vendor, sent to your company's accounting department.

"You have a fax message from RingCentral"

USPS HoldMail - The email is letting you know that your mail is on hold.

E-mails from your social media contacts whom you don't usually get emails from.

AppleID - A supposed receipt from Apple about some recent purchases you didn't make.

LinkedIn Connection Requests from fake LinkedIn profiles posing as if they worked at the same company as you at some point.   The tells are a low number of connections (under 50) and usually no profile photo.  Best practice is if you don't know them, don't connect with them.


Remember, if you are not expecting an e-mail, don't open it, and always be suspicious of attachments or links.  If you are not sure if it is legit or a scam, call the company from a verifiable phone number, don't click on anything in the e-mail.

Be secure!

Friday, February 2, 2018

You are Only as Secure as Your Service Provider

Many businesses recognize the need to handle sensitive customer and employee information in a secure manner.  They may be using encryption on their hard drives, masking data fields like credit card numbers and social security numbers, and using secure methods to send data to their service providers for processing.  Where most organizations fall short is their lack of due diligence in finding out if their service providers treat their data with the same level of care that they do.

In banking, the federal regulators mandate that banks perform upfront vendor due diligence before contracting with a vendor who will be handling customer information, specifically NPI, or Non-Public Information.  This includes credit/debit card information, social security numbers, dates of birth, driver's license or passport information, bank account information, and login information such as user IDs, passwords, security questions, or PINs, in combination with identifying information such as customer name, address or phone number.

The bank regulations also require that banks perform ongoing vendor monitoring, extending even to subcontractors who may have access to the bank's sensitive data.

Businesses of all sizes need to hold their vendors accountable just as the large banks do.  As a small business you of course do not have the time or resources to do vendor risk management to the level a bank does.  But at a minimum, the following are some quick and easy tips to give you some comfort that your service provider is employing reasonable security measures regarding your data:

1. Ask for and read their Information Security Policy.  (And yes, you should have one too.)
2. Ask for and read their Data Backup Process as well as their Business Continuity Plan (BCP).  Make sure their backups are encrypted.  Is their BCP tested at least annually?  Can you get a progress report on the issues noted during the last BCP test?  If they don't have a BCP, then you need to make sure you can switch to a secondary provider in the event this vendor can't service your needs due to a business disruption.
3. Do they have either an employee or a contractor who is responsible for Information Security?  You should have a brief conversation with that person to see whether they are a knowledgeable security professional or just a manager who was given the title CISO because someone needed to be listed to make it look good.  (Yes, this happens more than you know.)
4. Does the vendor have a network penetration test performed (at least annually) by an independent ethical hacking firm?  They may not want to provide you with the entire report, and that is fine, but they should be able to give you the Executive Summary and a progress report on resolving any issues noted during the exercise that could affect the security of your data.
5. Insurance coverage (E&O and general liability):  Make sure you get an Evidence of Insurance certificate, and ensure that the coverage amount is adequate given your business and your data.
6. Make sure there is contract language that holds the vendor responsible for maintaining reasonable security practices regarding the storage, processing, and transmission of your data.  If possible, spell out what your definition of "reasonable" includes.*
7. Does the vendor have any type of third-party controls review performed, e.g. SOC 1, SOC 2, SOC 3 or PCI DSS?  If so, ask for a copy of the report and read it, paying attention to the scope (does it cover the systems that hold your data?) and to any exceptions noted by the auditor.
8. Does the vendor use encryption for the transmission and storage of your data?
9. Are user account entitlement reviews performed quarterly?
10. Do they have a Security Awareness Program in place to train their employees about good security practices?
11. Do they perform quarterly vulnerability scans of their computer environment?
12. How are you sharing data with the provider?  Is it a secure method?  (An unencrypted e-mail attachment is not.)


*For item #6, this is a requirement of the Maryland Personal Information Protection Act.  So if you have any customers or employees who are Maryland residents, this new law (effective 1/1/18) mandates that you have security language in your service provider contracts if you are sharing customer or employee NPI.

For more details visit:
http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx



Be Secure!



Thursday, January 18, 2018

Computer Kidnappers Are Charging a King's Ransom

Well, if data breaches and phishing weren't bad enough, a cyber threat that took off in early 2016 is Ransomware.  A few months ago an episode of the TV show "Grey's Anatomy" had a Ransomware plot in which the hacker locked the staff out of the hospital computer systems and wouldn't return control unless a large ransom was paid.  The irony is that the writers of the show only had to be as creative as doing a Google search on "Ransomware" to get all the material they needed for the script.

Ransomware is in essence malware that infects a computer or network, but instead of disrupting or destroying software and data, it encrypts them, and only the attacker holds the key to decrypt them.  If you want the key to get your computer(s) and data back, you have to pay the attacker a ransom.

So the question on your mind right now is "How do I defend against this?".

Follow the tips below to reduce your risk of having to deal with Ransomware:

Defensive
  • Anti-Virus: Ensure you are running anti-virus software on all of your computers.  The anti-virus software needs to be set to automatically update the virus definition file (which should occur daily).  Ensure that Real-Time Protection is active and schedule a Full Scan daily.  Not having these settings makes your anti-virus only marginally effective.  On Windows 10 the built-in Windows Defender (the successor to Microsoft Security Essentials) counts, as long as it is enabled and updating; if you install a third-party product, Defender steps aside for it, so don't expect to run both at once.  This tip goes for Apple, Linux, and Unix computers too.  While there are not as many viruses written for these non-Microsoft operating systems, there are still some out there.  The small annual expense you pay is well worth it.
Preventative
  • Operating System Patching: For small businesses and home users running a Microsoft operating system we call it Windows Update. This keeps your operating system up to date with the latest bug fixes, many of which have a security impact.  Windows Update should be set to update automatically on every computer you own (PCs, laptops, tablets, servers).  And then your computer (including servers) needs to be restarted after the update is done for it to be fully installed.  Patching needs to be done on Apple, Linux, and Unix computers as well.  Also, if you are using VM instances (e.g. VMware or Hyper-V), make sure your virtual operating system instances are patched, as well as the hypervisor host itself.  This is often overlooked.
  • Application Patching:  Like operating system patching, purchased off-the-shelf software also needs to be kept up to date with patches.  Applications like Apache, Adobe Reader, and MySQL push patches out regularly.  Microsoft applications use Windows Update for your convenience.
Corrective
  • Back-ups - At a minimum, on a daily basis you need to back up your critical systems, applications, and data.  Back-ups, if electronic (i.e. not to tape, DVD or some other physical media), should be stored on a separate server / storage device that is on a separate network segment, walled off from your production network by a router or firewall that permits only the backup traffic.  Ransomware that spreads across network shares will encrypt any backup it can write to, so the backup target should not be reachable as an ordinary file share from your workstations; better still, keep an offline or otherwise write-once copy, and test a restore periodically so you know the backups are usable.  This will, at a minimum, ensure you can restore a 1 day old back up of your production environment should Ransomware get past the anti-virus and your network security controls.
Keep in mind, the above is not a cafeteria plan.  You need to be doing all of the above processes for this to be an effective defense.

FYI - Earlier this week, a hospital in Indiana had to pay $55,000 in Bitcoin to a hacker due to Ransomware.
http://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators/


Be Secure!
 



Friday, January 12, 2018

Vishing, It's not Just for Kids Anymore.

When I was a kid, it was common practice to phone scam your grumpy neighbors.  Calling and asking; "Is your refrigerator running?", and getting the response "Uh yes it is.", and then saying "Then you better go catch it!", was something that gave us hours of childish joy at the expense of our severely annoyed neighbors.

I had thought those days were behind me, but I guess not.  So in addition to phishing, another attack vector that scam artists and hackers are starting to employ with greater frequency is Vishing or Voice Phishing.

The common approach is that they get a list of names and phone numbers and will call folks and pose as their electric utility, their cell phone provider, or the water company.  They will be calling because they either didn't get your last payment and now have to shut off your service, or have some other urgent matter to speak with you about.   I have also seen where this is automated using a phone dialer and a recorded message instructing you to call another phone number immediately to resolve the issue.  They will then try to get you to provide them with your personal information in order to "verify" who they are speaking with.  They will structure the call in a way so they get your information in pieces so it doesn't raise any suspicions.  They may try to get your banking or credit card information in order to "pay your overdue balance".  Remember, if one of your service providers is calling you, they should already have your information as they are calling your phone number of record.

Red Flags to look for:

  1. Your utility companies will give you multiple late notices and you will need to be 2+ months late on paying your bill before they shut off your service.
  2. If you get one of these calls and are not sure if it is a scam, hang up and call the phone number on your last bill.  This way you will know if it's legit.


Another popular vishing scheme is to call posing as the IRS.  This scam has been targeting businesses and individuals alike.  The "agent" will claim that you have an outstanding tax debt and it has to be paid immediately or you will be taken to court, lose your house, business, car, and bank account.  As with "turning your service off" above, this scam preys upon most people's fear, and who isn't fearful of getting into trouble with the IRS?  In some cases the scam is more about getting your social security number and date of birth rather than payment.  Either way, don't give any information over the phone.

Red Flags to look for:

  1. The IRS does not initiate contact about a tax debt by phone or e-mail; it sends you notice by mail first.
  2. The IRS will never ask you to pay a tax debt using Western Union, MoneyGram, a gift card, or a prepaid debit card from your corner drug store.

While the above two schemes have been known to target both individuals and businesses, the last one I'll be discussing is focused on individuals only.

In this scenario, the caller will tell you they are calling from the local courthouse, and you had been sent a notice for jury duty months ago, but you did not show up to court today, so you are now in contempt.  If you want to get out of going to jail, you need to immediately send money to pay the fine using Western Union (or one of their competitors).  Again the fear factor is used to create panic and a sense of urgency.

So the lesson here is you need to authenticate the person on the other end of the phone.  When in doubt, hang up and call back using a phone number you know is legitimate.

If only my grumpy old neighbor could see me now.

Be Secure!



Wednesday, January 3, 2018

How Long Does It Take a Hacker to Notice Your Website?

Like most small business owners, I did all of the SEO things one does when they have a new business website up and want to get noticed by search engines and clients.  I set up my descriptions and keywords, signed up for Google My Business, and created a profile on Manta.  With my website up for only 1 day, per Google Analytics I got my first visitor.  Can you guess from where?  You guessed it, Russia.  Not really part of my geographic profile, but what the heck, a website visitor is a website visitor.  The individual had spent about a minute on each of my pages.  That's great, I'm getting noticed the first day my website is up.

And then on day 2, it happened.  I had an e-mail in my Spam folder.  I looked at the subject line, and sure enough, it was a phishing e-mail.  The e-mail was in the name of an individual and the subject line read "Your Monthly Statement document is ready for review".  Keep in mind, my website had been up for only 2 days.  My website and the listing websites were the only places my newly created company e-mail was posted.  And when I hovered my cursor over the displayed e-mail address, yes, you guessed it, the real address had a .ru domain.

A week later I got my first spear phishing attempt.  This e-mail was also displaying the name of an individual, and the subject line read "Please DocuSign: Order Form for tjmprofessional.com"; the body stated "accounting@tjmprofessional.com has sent you a document to review and sign."  Ironically, I don't have a separate generic e-mail address called "accounting".  But to give credit to the hacker, it did look more enticing and believable.  And yes, again the e-mail came from a Russian domain.

So if you are wondering whether your 6-month-old startup, or your 50-year-old family business, is at risk of a cyber attack, the answer is most definitely "Yes!".  My business was found, researched, and attacked within 2 days of its online existence.

Now if only my clients could develop these hacker skills, and find my website as easily.  Who would need to pay for Google AdWords?   :-)
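The "hover over the displayed address" tell in this post and the lures listed in "Gone Phishing" (DocuSign, UPS, USPS, RingCentral, Apple, LinkedIn, a fake accounting@ sender) are both checks you can automate on the From: and Reply-To: headers. Below is an added example of that logic, written for this page rather than taken from the original posts or from any product. It assumes the trusted-domain list, the brand-to-domain table and the "unexpected TLD" set (all three are placeholders to fill in from the senders you genuinely correspond with), and it runs over four constructed sample messages; the .ru and .example sender domains are made up. Note that a mail client quotes a display name that contains an "@", which is why the spear-phish sample is written that way.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# All three tables are assumptions for this example; fill them in from the
# senders your organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"tjmprofessional.com"}
BRAND_DOMAINS = {          # brand word seen in a display name -> domain it should really send from
    "docusign": "docusign.com",
    "ups": "ups.com",
    "usps": "usps.com",
    "ringcentral": "ringcentral.com",
    "apple": "apple.com",
    "linkedin": "linkedin.com",
}
UNEXPECTED_TLDS = {".ru"}  # you have no legitimate correspondents under these


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted):
    """Trusted domain that `domain` closely resembles without being it, else None."""
    for good in trusted:
        if domain != good and difflib.SequenceMatcher(None, domain, good).ratio() >= 0.85:
            return good
    return None


def check_headers(raw_message):
    """Return the red flags found in a message's From: and Reply-To: headers."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    if not from_dom:
        return ["From header missing or unparsable"]
    flags = []

    # 1. The display name is itself an address (what the mail client shows),
    #    but the real address behind it belongs to another domain.
    claimed_dom = domain_of(display_name)
    if claimed_dom and claimed_dom != from_dom:
        flags.append(f"display name shows {claimed_dom} but mail is from {from_dom}")

    # 2. The display name names a brand whose real domain is not the sender's.
    for word in re.findall(r"[a-z0-9]+", display_name.lower()):
        legit = BRAND_DOMAINS.get(word)
        if legit and from_dom != legit and not from_dom.endswith("." + legit):
            flags.append(f"display name mentions {word} but sender domain is {from_dom}")

    # 3. Replies are steered to a different domain than the apparent sender.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. The sending domain is a near miss of one you trust (typosquat).
    good = lookalike_of(from_dom, TRUSTED_DOMAINS)
    if good:
        flags.append(f"sender domain {from_dom} looks like {good}")

    # 5. A top-level domain you never legitimately receive mail from.
    if any(from_dom.endswith(tld) for tld in UNEXPECTED_TLDS):
        flags.append(f"sender domain {from_dom} uses an unexpected TLD")
    return flags


# Constructed sample headers for this example (sender domains are made up).
SAMPLES = {
    "spear phish": (
        'From: "accounting@tjmprofessional.com" <ivan@docs-sign.example.ru>\n'
        "Subject: Please DocuSign: Order Form for tjmprofessional.com\n"
        "\n"
        "accounting@tjmprofessional.com has sent you a document to review and sign.\n"
    ),
    "brand lure": (
        "From: DocuSign <no-reply@docs-sign.example.ru>\n"
        "Reply-To: collect@anotherbox.example\n"
        "Subject: DocuSign Document is waiting for you\n"
        "\n"
        "Click to review.\n"
    ),
    "typosquat": (
        "From: Pat Vendor <pat@tjmprofesional.com>\n"
        "Subject: Changed bank details for future invoices\n"
        "\n"
        "Please update our remittance information.\n"
    ),
    "legitimate": (
        "From: Pat Vendor <pat@tjmprofessional.com>\n"
        "Subject: Your monthly statement\n"
        "\n"
        "Attached as usual.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {check_headers(raw) or 'no red flags'}")
```

Run it on the raw source of a suspicious message (most mail clients have a "show original" or "view source" option) instead of the samples. The checks only look at headers the sender controls, so a clean result is not proof of legitimacy; it is a quick way to surface the tells the posts describe before anyone clicks. Header analysis like this is what a mail gateway does behind SPF/DKIM/DMARC checks, which you should also have turned on for your own domain.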