Antivirus Program Runs Afoul

Greg Price

This article was originally published in The Troy Messenger on January 31, 2020.

The internet is riddled with all sorts of wickedness.  The opportunity to encounter malicious content is ever-present.  Protecting our technology and digital presences is a matter of necessity.  The tool most often used to assist with that protection is an anti-virus application.

If you’re not running an anti-virus program on a modern computing device, it’s likely you’re either playing with fire or a very lucky person – in either case, it’s only a matter of time before the would-be bad actors succeed and infiltrate your devices with some virus or malware.  I’ve written extensively on the importance of protecting devices, updating software and maintaining a healthy dose of skepticism about “apps”.

However, it’s with a heavy heart that I inform you of a substantial issue with a common, and free, antivirus tool: Avast.

I suppose we shouldn’t be too shocked that trusted software can serve duplicitous roles.  You all have read of reported issues with other security tools sharing information via clandestine avenues with shadowy organizations.  So, let’s add Avast to the list of protective software accused of deceptive tactics.

Avast is well-known and loved.  Since 2017, Avast has been the most popular anti-virus vendor on the market.  The company holds the largest share of the market for anti-virus applications.  I’ve suggested it for many years; in fact, I use the tool.  Well, I suppose I should say, I used the tool until recently…

Earlier this week, an investigative report revealed that the Avast anti-virus platform was collecting personal data from its enormous user base and selling the collected personal data to third parties.

The accusation sent waves through the security community.  Such a violation of trust by a provider of software anchored in trust was inexcusable.  I was both angered and disappointed.

There’s a reason why the endpoint protection axiom is shouted from the rooftops of every cybersecurity manual: it works.  Protect the endpoint, the end-user device, and your defenses are strengthened.  Neglect the endpoint and you will suffer the perils of the internet-connected world.

So, what happens when the good guys are suddenly exposed as supposed bad guys?

The trust relationship erodes quickly.

If my anti-virus program fails, that’s a big deal.  If I update the application frequently, scan my device intensively and discover that my computer is littered with a variety of badness, I will doubt the product and the company’s ability to deliver on its promise: protect me.

But, what are your concerns about an anti-virus company that protects you while simultaneously spiriting away personal data in the background?  Is a moral conundrum afoot?

As an aside, please review every social media platform article I’ve written.  But, back to Avast.

The claim that personal data was harvested comes from an investigation by Motherboard and PCMag.

Documents reveal that Avast has been purposefully collecting data from customers for years.  A subsidiary company of Avast, called Jumpshot, served as the intermediary for the sale of the data.

What types of data, you ask?

Well, for starters, web browsing history.

Yeah, pause for a moment and think about that.  Your anti-virus program protects your device from badness, while peeking over your shoulder.  All of those clicks, all of those websites, have been bundled and sold.

Included among the web browsing history are shopping and search engine queries.

The report indicated that some of the biggest companies in the world paid millions of dollars for the data.

One option offered within the data was something referred to as “all clicks feed”.  The option tracks all web clicks and interactions with websites with an incredible degree of both accuracy and completeness.

In one example described in the investigative report, a user was observed visiting pornography sites.  Not only were the pornography sites listed, but, every click on the sites, every search on the sites, and how the user located the pornography site were included among the datasets.

The report revealed that the data was anonymized: personally identifiable features were not included among the data.  But, given the extent of the intrusion, it’s not hard to imagine that data exists somewhere.

So, what do you do?

According to several reports, simply installing Avast doesn’t necessarily equate to an invasion of privacy.  A specific browser plugin, suggested by Avast, appears to be the key to the data harvesting efforts.  The plugin is offered as a way to protect against cyberattacks and unauthorized connections from dubious web servers and traffic.  If the browser extension (plugin) isn’t installed, it’s likely that your data hasn’t been pilfered.

Avast’s initial response to the report was weak.  They didn’t deny the operation; instead, they simply indicated that the data had been anonymized and bundled within large datasets, and couldn’t be used to personally identify or target a specific user.

While the statement appears to be technically true, Avast assigned an identifier as a substitute for a personally-identifiable attribute.  The assigned identifier persists on your device unless you uninstall the Avast anti-virus product.

However, in the world of big data, when large datasets are combined, the opportunity to specifically identify an individual increases greatly.  A collection of anonymized data in the right hands can be reassembled with other “known” data and a clearer picture of the user brought into focus.

On January 30, 2020, Avast announced that they would close Jumpshot and issued an apology.

So, what should you do?

Consider another product.  If you’re a Windows user, use Windows Defender.  The tool is robust, is closely integrated with the operating system and is updated very frequently.

In the meantime, read those software agreements thoroughly and be safe!

Holiday Shipping Scams

Greg Price

It’s that time of year again. Holiday shopping is in full-swing. Americans are buying more and more from online vendors and shipping companies are working feverishly to keep up with demand.

And, of course, the bad guys are looming, seeking an opportunity to upset the holiday season.

Due to the increasing popularity of online shopping, shipping scams are more common than ever. Given the battle over expedient shipping, it’s no wonder that cybercriminals have developed sophisticated, and timely, methods of stealing from you.

During the holiday season, one of the most common shipping scams is nothing new, and, certainly not a sophisticated cyberattack. Commonly referred to as porch pirates, those who steal packages from the exterior of homes are rampant. In fact, recent statistics reveal that 25 million Americans were victims of porch pirates in 2018.

So, what can you do?

During the checkout process, select “signature required” in the shipping details. In doing so, you will force the shipping service to get a physical signature. The process is a bit tedious by today’s standards; however, not only will you safely collect your items, but, you’ll ensure that the items aren’t carelessly tossed onto your property in haste. Not all online vendors provide this option, so, don’t be surprised if it’s not present during the checkout process.

Secondly, if you live near a package collection service, you can use those providers. A package collection service will provide you with a physical street address – an employee will collect the packages and store them for you. The service is similar to USPS post office boxes; however, many commercial carriers will not deliver to a post office box, and these services are a good substitute for home delivery.

Next, ponder the porch pirate’s methods. They steal based on opportunity and relative ease of access to the goods. If you remove the easy access, the thief will likely pass your home. Many companies sell protective bags or boxes that are secured to your front door or other physical structure. When ordering, in the “other instructions” box for shipping, indicate that the package should be placed in the protective device and locked. While it’s true that a thief could steal the protective device, remember these are typically quick-action efforts. Porch pirates usually drive through a neighborhood and dash to and from a porch – they don’t carry tools; therefore, they aren’t prepared to fight with a locked bag or box.

Similarly, review your delivery area at your home. If you have hedges or other landscaping that will provide a blind for your packages, instruct the online vendor to place the packages behind those obstructions.

A few high-tech tools are available that could prevent, or, minimally, detect package theft. Amazon provides a locker service in some areas. The locker service is similar to the package collection providers, except, you have a key to your shipping locker, which is housed in a large building. Various video doorbell systems and motion alarms could assist with preventing the bad guys – when they work correctly. I use a combination of alarm and video products. Unfortunately, they’ve not always worked to scare away the thieves. However, I receive a text when activity occurs, so, if time permits, I can drop by and move the packages inside the house.

And, of course, the true online scammers use the holiday season as a ripe opportunity to flood your inbox with phishing messages.

Shipping-themed phishing messages always increase during the holiday season. Complicating the matter, shipping companies rely heavily on email or text notification in today’s vibrant shipping environment. Therefore, it’s often a challenge to detect which messages are bad.

Whether you, or your business, use UPS, FedEx, DHL, or the USPS, it’s important to understand exactly what a legitimate delivery message looks like from those vendors.

The intent of the phishing messages is to steal. Specifically, the cybercriminals are trying to steal credentials (usernames and passwords) and financial information (logins, account numbers), and to spread malware which could lead to system ransom, downtime, and other undesirable outcomes.

How do the would-be bad guys design shipping scam messages?

Common techniques include: phony tracking numbers, undeliverable package notices, additional postage requests, invalid mailing address notices, and files attached to messages that purport to be claims forms or other shipping documents.

So, what do you do if you receive one of these messages and you know you have packages, but, are concerned about the possibility of malicious messages?

One of the most common phishing attempts is delivery of a fake tracking number. There are two ways to avoid this scam. First, if you are expecting a package, simply visit the online vendor’s website, view your account information and check the shipping information there. Secondly, if your vendor only lists the tracking information, but no detail, copy the tracking number from the vendor site and visit the shipping provider. As an example, UPS provides a very quick and accurate webpage for checking on the status of packages. I simply copy and paste the tracking numbers into the UPS website and get updates immediately. Clicking on links in email messages isn’t a good idea, so, taking a couple extra steps and being cautious will avoid malicious efforts, and, possibly provide more detailed shipping information.

Don’t trust links sent to your mobile device as texts – just because you think no one has your mobile number doesn’t mean that’s accurate. Links within text messages can present an abundance of opportunity for poor outcomes. Visit the online seller and check the status there.

As for the other common shipping scams, the same instructions will work. Visit the online vendor’s website to check on all delivery issues. It’s very unlikely that you will receive an email indicating that additional postage is needed. And, email delivery of invoices as attachments is common for business purchases, but rather inconvenient and unusual for consumer purchases – just avoid opening those attachments completely.

And lastly, a perfect way to avoid all of these online scams and shipping concerns is to shop local – support your local business community.

Be safe.

Ransomware Strikes Again

Greg Price

Various federal and cybersecurity advocates have released numerous announcements this year, highlighting the increase in ransomware attacks in the United States. Many of the notices indicate that the rise in ransomware attacks is directly related to attacks on enterprises: the large targets are paying substantial amounts of money to regain access to their data. And, as a result, the cybercriminals are expanding their “business”.

While the increase in attacks is likely correct, the troubling issue is the continued increase in successful attacks. The bad guys are winning and gathering financial gain in the process.

On November 18, Louisiana found itself, once again, in a painful situation. Ransomware struck the state networks and resulted in a decision to shutter various agencies in order to reduce the spread of the ransomware. The governor’s office indicated that the Departments of Health, Children and Family Services, Motor Vehicles, Transportation and the office of Governor John Edwards were closed as a result of the attack.

The state’s cybersecurity response team was activated and moved quickly to contain the ransomware. Based on various reports, the team isolated the malware and began an aggressive server restore process.

A statement indicated that no data loss occurred and no ransom was paid.

Several researchers revealed that the attack was similar to one on Louisiana’s public school systems in July. The ransomware was a variant of the popular Ryuk malware.

The real story here is Louisiana’s response: no ransom payment. The team was able to contain the situation, and, due to a careful eye to proper backups, restored operations. The disruption may have been annoying, perhaps inconvenient, but the message was very clear: the disaster recovery plans worked. As a result, the bad guys’ efforts were wasted. Chalk one up for the good guys and for adhering to good computing hygiene.

As I’ve mentioned before, sometimes the best practice is a solid, tested defense. Louisiana could have poured millions of dollars into the latest shiny object or expensive consultants. Instead, they created a method for containing cyber attacks and built a strong cyber hygiene program, all of which are predicated on two things: updating software and following a rigorous backup routine.

So, speaking of updates, the would-be bad guys are actively impersonating Microsoft.

According to online reports, a spam campaign has been launched, offering a Windows 10 update.

The malware disguised within the fake Windows 10 update is likely the Cyborg ransomware. When installed, instead of Windows 10, you will have a locked PC and a demand for ransom.

Given that Microsoft releases patches routinely and aggressively pushes the Windows 10 platform, impersonating a Windows 10 update is a clever way to trick users.

But, here’s the thing. Microsoft never announces updates or provides downloads to its software through email links.

What should you do if you receive one of the Microsoft Windows 10 update email messages?

Delete it. Don’t forward it, don’t preview it, don’t open it with your mobile device. Just delete it.

Despite the increased attacks on large enterprises, the largest volume of successful ransomware attacks continues to occur with individual users and small businesses.

So, how do you build a solid defense to ransomware?

Start with some basic computer hygiene.

Pay attention to email, avoid opening unsolicited attachments, don’t click on emailed links. Additionally, stop sharing data via fistfuls of thumb drives. There are many efficient and secure methods for sharing files: consider Microsoft’s OneDrive, Google Drive, Dropbox, as examples.

Next, avoid running pirated, or stolen, software.

If you download files via torrent sites or enjoy “borrowing” software from pirated software sites, you’re not only likely breaking many laws, but, you’re exposing yourself to untrusted software, all of which could be loaded with malware. Use licensed software or download open source tools from trusted sites.

And, of course, keep your software updated.

Back up your files frequently and properly. Most modern devices include an online backup service – enable the service for your devices and review that all of your important files are backing up correctly.

Despite all of our efforts to have a good defense and adhere to best practices, there is still a chance that we all can fall victim to a scam and end up with an infected or broken device. Having your files backed up properly is the best way to avoid losing your data or having to run the risk of paying a hefty ransom.

As the holiday season approaches, the scammers will be more vibrant than ever. Below are a few items to help you increase your awareness and hygiene to avoid the most common of email scams.

First, be cautious, even paranoid with links.

Don’t click on email links, especially if you find the content questionable or suspicious. Hover over the link and see if the link’s actual address matches its display name. Also, open a web browser and visit the site directly: type the link into the browser and avoid clicking the link completely.
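The hover check described above can also be run over a whole message. This is an added example, not part of the original column: it compares the address a link displays with the address it actually points to, and the sample message, the hypothetical carrier `shipper.example` and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# A domain-looking token in the visible link text, e.g. "www.shipper.example/track".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample message; shipper.example is a hypothetical carrier.
SAMPLE_EMAIL = """
<p>We could not deliver your package.</p>
<a href="https://parcel-notice.example.net/track?id=1">https://www.shipper.example/track?id=1</a>
<a href="https://track.shipper.example/status">www.shipper.example/status</a>
<a href="https://parcel-notice.example.net/pay">Pay additional postage</a>
<a href="mailto:help@shipper.example">Contact us</a>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in a message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.href = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None


def strip_www(host):
    """Lower-case a hostname and drop a leading 'www.' so comparisons are fair."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def check_links(html):
    """Return (verdict, visible text, href) for every web link in the message."""
    collector = AnchorCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        try:
            actual = strip_www(urlsplit(href).hostname or "")
        except ValueError:
            results.append(("unparseable", text, href))
            continue
        if not actual:
            continue  # mailto:, relative or empty links have no host to compare
        shown = DOMAIN_IN_TEXT.search(text)
        if shown is None:
            # The text is a label, not an address, so there is nothing to
            # compare: go to the vendor's site directly instead.
            verdict = "no-address-in-text"
        else:
            shown_host = strip_www(shown.group(1))
            # The real host must be the displayed host or a subdomain of it.
            same = actual == shown_host or actual.endswith("." + shown_host)
            verdict = "match" if same else "mismatch"
        results.append((verdict, text, href))
    return results


if __name__ == "__main__":
    for verdict, text, href in check_links(SAMPLE_EMAIL):
        print(f"{verdict:20} shown: {text!r}  actual: {href}")
```

A "match" only means the displayed address and the real address agree; it says nothing about whether the site itself is trustworthy, which is why typing the address into the browser remains the safer habit.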

Second, watch for grammar and typographical issues.

Since the beginning of phishing and scam messages, typos and grammar problems have called the legitimacy of the messages into question. Old or dated images often suggest problems as well. Reputable companies don’t send poorly-written inquiries.

Lastly, use multi-factor authentication.

If you fall victim to an impersonation attack and offer your credentials, at least with two-factor, you will have a parachute, of sorts. If two-factor is available, use it and pay close attention to the requests you receive for the second form of verification. If you receive one and you didn’t initiate the request, don’t approve it.

Pay attention to the basics and enjoy a safer computing experience.

Be safe.

Hello Facebook

Greg Price

Facebook’s business model is based heavily on the collection and sale of user data.

Fostering digital “friendships” and promoting likes are some of the beguiling tools used to keep you clicking and browsing your feeds – maintaining engagement equals income for Facebook.

Despite Facebook and its leader’s claims to value online privacy, the continued issues and perplexing security conundrums suggest the company is struggling to maintain a positive image.

In 2018, following the Cambridge Analytica debacle, Facebook promised to restrict developer access to user data.  Recent announcements by Facebook suggest the new privacy policies haven’t been applied to every developer – possibly over one hundred application designers continue to have access to the personal data of users in Groups.

Data harvested by the developers include names, profile photos, phone numbers and Facebook reactions, such as your “likes”.  According to Facebook, despite the neglect and continued release of the data, the data hasn’t been abused or used inappropriately – trust me, I’m from Facebook.  Who knows if the data has been misused?  Most users don’t know it’s being used by other firms.

The incredible irony in these continued abuses is Mark Zuckerberg’s statement that “the future is private”.  Is the statement dishonest or the result of poor engagement?

Here’s a simple fact.  If you use Facebook, your data is being sold.  Stop, don’t argue, don’t venture any further.  That’s Facebook’s primary source of income.  After all, you are allowed to use Facebook for “free”.

This week’s latest Facebook controversy involves a bizarre issue on the Facebook app for Apple iOS.

When you look at an image or video within the Facebook app, the Apple device’s camera activates on its own, for no known reason.  When the issue was reported, nobody had any idea why the app opened the camera.

When you open a photo within the app, swipe down and you will see that your phone’s camera is running live in the background.  Why?

Facebook has corrected the issue through a hastily-delivered fix to the Apple App store.  Simply visit the App store and download the latest version of the app.

The very peculiar thing for me, when I tested the app on a lab phone, was that not once did the Facebook app ask for permission to launch the camera app.  At first, I thought the issue was a design intent that presented an impersonated camera interface or maybe a quick include to launch the camera interface rapidly.  However, I moved the phone and the surroundings changed – the camera was live.

I could not reproduce the problem on an Apple device running an older version of iOS; only the latest version, 13.2.2, presented the problem.

I haven’t noticed a formal notice of the issue from Facebook, simply the push of a new version of the app that appears to resolve the matter.

Was the problem the result of buggy software?

Maybe.

If you’re running the latest version of Apple iOS, you have a few options.

First, delete the Facebook app.

Not only will you resolve the current camera problem, but, you’ll tackle all future failures of the social media platform.

But, seriously, you don’t have to use the app to check Facebook.  You can use a web browser such as Safari or Firefox and interact with your account through a common tool.

If you’re not ready to abandon ship just yet, obviously, the easiest thing to do is update the Facebook app to the most current version.

Lastly, if for whatever reason, you can’t update the app, disable the camera access for the Facebook app in the phone’s privacy settings.  Simply visit the Settings app, select Privacy and then tap Camera.  Find the Facebook entry and toggle the green switch to off to disable the camera access.

While you’re there, take a look at the other apps that you’ve granted access to your camera.  See something you don’t like or don’t recall enabling?  Disable those too.

If you can’t tolerate the thought of deleting Facebook, I urge you to consider restricting what Facebook knows about you.  In order to do so, you must make your profile settings as private as possible.

Keep in mind, adjusting the settings to reduce data collection will not make you immune to the inspection and exchange of data; but, perhaps, tightening your settings will allow you to control more of your data and reduce what Facebook collects.

Facebook provides a security checkup – but, only on the desktop version, for now – you cannot perform the security checkup from the mobile Facebook app.  The security checkup is supposed to reveal what data is being shared.  As you observe those data, you can restrict some of the data.

The downside?

Your tailored, or customized ads and recommendations will be less specific to you – from my perspective, the creepiness will be reduced – not a bad thing.

How do you run the Facebook privacy checkup?

Click the question mark at the top of any Facebook page.  Then select Privacy Checkup.  Three options should appear: Who can see what you share, How people can find you on Facebook and Your data settings on Facebook.

Click each of the three options and adjust the settings based on your personal needs.

As you step through the privacy checkup, you will see which apps are sharing your data and which data is presented to the public. 

I recommended the security checkup to a friend recently.  He sought the feature within the app for a day or so before he emailed me.  Remember to use a desktop device and a web browser to check the settings and to make adjustments.  You can’t do this from within the mobile app.

Interestingly enough, after perusing the settings and associated data, he emailed me and asked how to remove the Facebook app and delete his profile.

Be careful as you look behind the curtain; you might not like what you see.

Be safe.

Protect Your Business Continued

Greg Price

Last week I referenced the Verizon breach report and some of the key observations among the data.

Small businesses are a favorite target for cyberattacks.

I offered two “stacks” of suggestions: the easy-to-do stack and the more-difficult stack.  Each stack represents best practices for improving your cybersecurity posture and reducing data breach risk.

The “easy” stack included suggestions for raising employee awareness, managing backup routines, enabling automatic updates, upgrading password hygiene, and strengthening physical security.

The “difficult” stack is heavy with policy and planning.

Verizon’s report revealed that an incredible sixty percent of small businesses that suffered a data breach were closed within six months of the cybersecurity event.

Why?

Obviously, cost and damage to reputation account for many of the closures.  However, given that small businesses often operate on razor-thin margins, and owners are also operators, time is a precious resource.

As a result, expending time on building technology usage plans and incident response plans is not a front-burner priority.  Making payroll and improving revenue are vital to the business’s success, not a plan that may never be used – at least, that’s a common thought.

However, let’s suppose you operate a business that is dependent upon mechanical devices.  Your ability to produce is dependent upon machines, and, more specifically the efficient operation of those devices.

If a device breaks, many small business owners have the expertise to repair their equipment themselves; in fact, their knowledge of the functional side of a business is often the value they depend upon for success.  Manuals and a network of knowledgeable resources complement what the owner may lack.

What happens when a data breach occurs?

Choose your own adventure – a hacker breaks into your business software and steals customer data.  Or, a ransomware attack is successfully deployed via an email and all of your computers and cash registers are broken.  Or, perhaps, a thief smashes a window and walks away with your server.

What do you do?

If a piece of vital equipment broke, you’d employ your knowledge, or, knowledge network to repair the device.

In other words, you would launch a repair plan.

The same must exist with your IT operations.  A plan is needed, especially if IT isn’t your core business function.

Enter the IT plans.

A written security policy is necessary for modern businesses.  In some instances, a security policy is a regulatory requirement.

In Alabama, the new data breach notification law requires that businesses evaluate and implement reasonable security measures – a security policy/plan will assist in those efforts.

While there’s no penalty for not being proactive, if a breach results, your situation will not be enhanced by not having a written security policy.

A good security policy outlines how you manage customer data, how you protect it, and, if an incident occurs, what you do to respond.

I suggest considering the plan as a blueprint for you and your employees: if something goes wrong, it’s a basic manual for controlling the situation.

A good starting place for policies is the set of templates designed by security experts.  Free templates are available at https://www.sans.org/security-resources/policies.

Review the policy templates and tailor them to your specific needs.  Share them with your employees and review them, at least annually.

Encryption is another must.

Encryption of your data reduces the likelihood of the data being read by an unintended recipient.  Most modern operating systems provide a mechanism by which you can encrypt your local data.  By enabling local encryption on your office devices, you reduce data loss through physical theft.  If someone breaks into your office and steals a computer, an encrypted device presents a formidable challenge to the thief.  Similarly, using encryption for accessing email and other sensitive systems is important.  If you employ a commercial email product, encryption is always included in the solution; simply verify that it is enabled.

Backups, part two.

I mentioned the importance of backups last week.  However, in addition to establishing a backup routine and testing the quality of your backups, there are a few additional items to consider.

The purpose of a backup is to restore lost data.

If your backup solution doesn’t encrypt your data, you should enable backup encryption.  If a data thief gains access to backups that aren’t encrypted, you’ve provided a nice package that enables easy theft of volumes of data from one location.

Also, consider your backup strategy.

Are you depending on a local device for backup, such as an external hard drive or tape?  Do you depend on a cloud backup, such as Microsoft OneDrive?

Redundancy is important.  If you back up data to a local external hard drive, that’s great – make sure it’s encrypted and stored safely.  But, what do you do if the hard drive fails?  What do you do if your cloud provider is down when you need to restore lost data, or, if your internet service provider is experiencing problems?

Redundancy provides extra protection and can be accomplished very simply.  In fact, for small businesses, the tools are often available with current software subscriptions; the features simply need to be activated.

And, lastly, data destruction and life cycle should be reviewed.

Don’t hoard electronic data.  If you have no regulatory requirement or business need to maintain copies of unused data, get rid of it.  Dispose of the data properly: use verified tools for deletion of the data.  By doing so, you reduce the amount of data that a would-be bad actor can access, and make your systems run more efficiently.

Last week’s small, easy tasks will enhance your security posture quickly.

This week’s suggestions require more planning and thought.  However, there are many free sources for technology and security plans, and most modern software provides the enhanced features that I mentioned.

Be safe and protect your business and your customers’ data.

Protect Your Business

Greg Price

When web presences began to take off, it was debatable what constituted an effective site. Thirty years later, I hear the same questions being asked. Do updated graphics and imagery attract more customers? Does frequently-updated content bring customers to your site? Does intuitive navigation make any difference? What about mobile compatibility? Adaptive needs support? Search engine placement? Social media presence?

The list is extensive and seems to repeat every few years, or whenever a new platform or service emerges.

All of those items are important to a successful business presence, especially a business that is driven by an online customer base. And, you shouldn’t neglect securing your online business presence.

However, I’d argue that there are other items of equal, perhaps more significant, importance when evaluating your business technology operations.

Not paying attention is a problem in different avenues. Technology is synonymous with change. If you use technology and expect that technology to simply keep running and need no maintenance, you’re setting yourself up for failure.

Your information technology is no different than mechanical devices. Information technology requires attention. Complacency with all technology will result in poor performance, and, ultimately, failure.

Verizon produces an annual data breach investigation report. The information housed within the report is outstanding and terrifying.

Small businesses are a favorite target for cyberattacks.

According to the most recent Verizon report, almost two-thirds of all cyberattacks were directed at small businesses and individuals. The average cost for a business to recover from a successful cyberattack exceeded $400,000. And shockingly, nearly sixty percent of all businesses go out of business within six months of a successful cyberattack.

In the same report, a survey revealed that ninety percent of small businesses don’t use any data protection at all for company and customer information.

Wow. Ninety percent of small businesses do not use any software or service to protect data.

I’m not a website expert, but, I’ll offer this: it doesn’t matter how pretty your website’s images are or how well you place in search engine results, if you can’t protect your business data and customer data, you won’t be in business long. Similarly, your Twitter account might be on fire, but, if you hemorrhage data, your social media site will become a collection of outdated memes and twisted puns.

So, what are you to do? How do you protect your business and your customers?

Ordinarily, this is where a list would emerge. A top ten, or, top five delineation of chores to review or pursue.

For this discussion, let’s keep things simple. We have two stacks: the easy items and the more difficult items.

Let’s start with the easy stack.

Raise employee awareness. Human error accounts for a sizable portion of the successful cyberattacks. If you fail to inform your employees about the importance of data management and securing information, you shouldn’t be surprised that they open all email attachments and click every link in every email message. Set the stage with commonsense advice: beware of fake invoices, don’t open unsolicited email attachments, don’t click on peculiar links, ask for help before “trying” a new app on your work device. If you train staff to spot and report security concerns, you will create a solid defense.

Back up your data. Often. Yes, more than once a month.

Regular backups are necessary. If you experience a ransomware attack or the loss of storage systems, a recent backup will have you up-and-running quickly. That is, if you also test your regularly-occurring backups.

You only cover half the field by starting a frequent backup process. If you don’t test those backups, you cannot have confidence in the process.

Back up frequently and test regularly.

Install anti-virus and anti-malware software and enable automatic updates and scans. This is an easy, low-cost protection. Yes, the software will slow your computers. Would you rather the computers work slowly or not at all?

Update your software, especially the operating system. Modern operating systems can install and update patches automatically. If your business efforts can accommodate a fast, frequent patching process, enable automatic updates. If you have a business need to review the patches and install manually, schedule at least once per month.

Use complex passwords, passphrases. Don’t use easy passwords, just don’t. The would-be bad guys enjoy easy passwords – they’re the gift that keeps on giving. Where available, enable two-factor authentication. Often, the service is included in modern software – turn it on and turn up the difficulty of breaking into your systems.

Survey your paper documents and how you store your various computing devices.

Do you have paper scattered everywhere? Are filing cabinets locked? Are computers locked and secured to a heavy structure? Do employees walk around with USB thumb drives? Do you shred all discarded documents?

Physical security is vital. Not all theft of data occurs through a cyberattack. Crafty criminals will dig through trash, collect items from desks, take photos of computer screens, or, walk out the door with a computer.

And lastly, don’t allow personal devices on your networks. You have too much to worry about already as a small business owner. Your employees’ cellphones aren’t your concern and shouldn’t have access to your business network. Eliminate the security risk by refusing to allow the devices.

Small, easy tasks will enhance your security posture quickly.

And now, let’s move to the more difficult stack. Be safe and we will continue next time.

Watch Your Assets

Greg Price

We are in the midst of a technology explosion.

Whether you’re managing information technology for a small business, a large enterprise, or, your household, it’s likely that your technology inventory grows without much notice, in fact some might describe the effort as a silent technology sprawl.

What causes technology sprawl?

Inexpensive devices are certainly a driving force. Additionally, the seemingly uncontrollable fascination with connecting everything to the internet adds to the heap. Single-use devices, such as projectors, contribute to your footprint. And, we shouldn’t ignore a bit of laziness either. Before the proliferation of wireless, IT managers were more vigilant in allowing devices onto the network. After all, with wired networks, we could “see” the devices, observe the cabling and appreciate the costs.

However, with wireless, especially open wireless, scores of devices can attach to your network and without proper controls and visibility, the devices might as well be invisible: you don’t know about them.

Why should we worry about technology sprawl?

Well, inventory, in particular, is an issue. You need an inventory of your assets – what’s hanging out on your network space? What do you have on your home network, your work network?

I observe my home network. Admittedly, I am probably a bit aggressive with my home network, but, my keen interest didn’t appear suddenly. Over time, I knew the number of devices increased. Why? I bought them.

When I detected a gradual slowing of network speed, I made some changes to the network devices at my home and that’s when I noticed device sprawl within my own home.

For years I’d spoken about the need to have a solid handle on what is allowed on business networks, but, here I was in my own home and I was shocked at the number of “things” connected to my network.

After a long and tedious weekend, I verified all of the devices and was pleased that there weren’t any unwanted items lurking in my home space.

The count? Forty-two.

Yeah, that’s not a typo. Forty-two.

When I discussed the discovery with my colleagues, I must have sounded like an old man reminiscing about the single TV channel and the nightmare ushered in with the advent of cable television. “It went from a single dial-up connection to nearly fifty devices…”

You can’t protect what you don’t know about, and, conversely, you can’t defend effectively from the unknown.

Due to the explosion in the number and types of devices, two major problems arise from lack of control of network devices.

First, as I alluded to above, an inventory is essential.

But, more specifically, we need full visibility into the entire network space. What’s out there?

I read some statistics recently from a networking service provider. In their research, they observed that unknown devices account for eighteen percent of all devices in an average business network. In their tests, a full one-hundred percent of all evaluators found unknown devices on their networks.

That’s a problem.

With unknown devices, not only is the object not managed, but, its unknown state presents a risk exposure – you have no idea about the state of the device. Is the device patched? Is it good? Is it bad?

Statistically, there’s a one in four chance that the device isn’t updated or secured properly. The same networking company observed that unknown devices often fail to comply with basic security requirements and lack adequate security controls. As a result, a lurking device presents risk and waste, simultaneously.

Risk arises by virtue of the device’s existence within your environment. Since you weren’t aware of it, its state is unknown, therefore, your other resources are at risk.

Waste is an interesting issue. Perhaps the device isn’t sanctioned. Maybe it’s a personal device and the device is streaming movies. Not only is bandwidth being wasted, but, time is expended to locate and isolate the device.

And, let’s ramp up the risk and waste variables: suppose the device is a personal device streaming unlicensed, copyright-protected content. Are you at fault?

Secondly, unknown devices are unmanaged. As a result, it’s unlikely that you will be able to enforce your security policies on the devices. Let’s assume the rogue device is an internet-connected TV. In your company, those types of devices aren’t on the business network, because they can’t be secured and they aren’t updated by the manufacturer frequently. As a result, you create a separate network space for those unmanaged devices, in an effort to corral security risks into one space. Yet, you find one on your business network – now you have to find the device, find the owner, address the risk and waste more time.

The idea of an inventory of devices and applications isn’t something I stumbled upon by myself. The Center for Internet Security (CIS) manages a list of twenty critical controls that are designed to protect organizations against known cyberattacks. Controls one and two are considered the foundational priorities for moving towards a secure environment.

Control one indicates that you should maintain an accurate and current inventory of devices on your network. Identify all devices, document the inventory, and, keep the inventory current. The goal is simple: visibility allows greater opportunity for success.

Control two suggests an inventory of authorized software. Identify all allowed software and manage the software through regular updates. In doing so, you keep current on releases and patches, but, also observe unauthorized, unwanted software.
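Control one's inventory check can be sketched as follows, as an added example that is not part of the original column. It compares the devices a router reports against an approved list; the approved list, the client-list format and every address in it are constructed for illustration, and real routers export this information in differing formats.

```python
import re

# Constructed sample: approved devices (MAC -> description), as an owner
# might record them in a spreadsheet with inconsistent MAC formatting.
AUTHORIZED = {
    "A4:83:E7:10:22:01": "Front desk PC",
    "a4-83-e7-10-22-02": "Office printer",
    "A483.E710.2203": "File server",
}

# Constructed sample: lines in the shape of a router's connected-client list.
OBSERVED = """\
192.168.1.10  a4:83:e7:10:22:01  frontdesk
192.168.1.11  A4:83:E7:10:22:02  printer
192.168.1.57  5c:cf:7f:aa:bb:01  smart-tv
192.168.1.58  not-a-mac          garbled
192.168.1.60  DE:AD:BE:EF:00:42  (no name)
"""


def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC."""
    cleaned = re.sub(r"[:.\-]", "", text).lower()
    return cleaned if re.fullmatch(r"[0-9a-f]{12}", cleaned) else None


def reconcile(authorized, observed_text):
    """Split observed devices into approved, unknown and unreadable."""
    approved = {normalize_mac(mac): name for mac, name in authorized.items()}
    seen, unknown, unparsed = set(), [], []
    for line in observed_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mac = normalize_mac(fields[1])
        if mac is None:
            unparsed.append(line.strip())   # keep for manual review
        elif mac in approved:
            seen.add(mac)
        else:
            unknown.append((fields[0], mac))
    # Approved devices that did not appear: stale inventory or powered off.
    not_seen = sorted(n for m, n in approved.items() if m not in seen)
    total = len(seen) + len(unknown)
    share = round(100 * len(unknown) / total) if total else 0
    return {"unknown": unknown, "not_seen": not_seen,
            "unparsed": unparsed, "unknown_percent": share}


if __name__ == "__main__":
    print(reconcile(AUTHORIZED, OBSERVED))
```

The `not_seen` list matters as much as the `unknown` list: an inventory that names devices no longer on the network is not current.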

Watch your assets and you’ll be on the road to good security.

Protect IT

Greg Price

For the third week of National Cybersecurity Awareness Month, let’s review protecting your “IT”.

Your use of connected technology creates a digital footprint. Your footprint is composed of every click, share, text, email, post, GPS coordinate created by you and your devices. The wealth of data points is constantly updated and subsequently stored.

The digital data trail is enticing to cybercriminals.

Why?

The data is worth a lot.

Some of the wealthiest companies in the world survive on the richness of your digital footprint. Google and Facebook generate the overwhelming majority of their incomes through monetizing your digital data trail into a product: a collection of your behaviors.

Advertisers, and, others, are intoxicated by the power of the digital behavior profile. Due to the sheer volume of data that can be collected from connected systems and the relative ease by which the data can be consumed, an incredibly accurate impression of you can be rendered.


Secure You

Greg Price

This article was originally published in The Tropolitan on October 16, 2019.

Held each October, National Cybersecurity Awareness Month is a collaborative effort between government and industry. The primary goal of the effort is to provide citizens access to resources to stay safe and secure online, all while strengthening the Nation’s cyber posture.

In short, we seek to raise cybersecurity awareness among the consumers of technology.

The 2019 theme is “Own IT. Secure IT. Protect IT.”

As an individual, you play a vital role in the security of not only your own information, but that of your communities. Whether at work, school, or recreation, the importance of taking proactive steps to enhance cybersecurity can’t be overstated.

I’ve worked in a variety of capacities in cybersecurity for over 25 years. As a security practitioner, I’ve witnessed firsthand the incredible potential and danger of technology.


Secure Your IT

Greg Price

For the second week of National Cyber Security Awareness Month, I’ll discuss the idea of “Secure IT”.

The would-be bad guys are accomplished at relieving unsuspecting victims of their personal information. The tools for a successful cyber theft have evolved significantly. In fact, the tools are easy-to-install and require little knowledge. And, if you’re a very lazy hacker, “hackers-for-hire” is a real service.

So, what do you do to protect your interests?

“Secure IT”, more specifically, secure your IT, your devices, your services, your gear.

The best way to protect against cyber threat is to be knowledgeable about the products that you use. Specifically, review the security features available on your hardware, software and services.
