Happy New Year! – Make a New Year Resolution: Schedule Time for a Security Review/Audit
Another year has passed and we get to start fresh with a new year. Why not make a New Year’s resolution to have a security review on your network?
Why? The attacks these days are getting much more advanced and the threats are not always from the outside; the biggest risks are your users and possibly yourself. A proper review of your network will help to ensure that you will have the security controls in place to prevent some of these attacks.
What should the security review/audit cover?
Operating System and Application patching
Malware/Spyware can exploit bugs in both the operating systems and web browsers. It is wise to make sure that your systems are patched. Your servers should be patched at least quarterly and your workstations should be patched monthly. This should be an automated process if possible. Microsoft has a free tool called WSUS that can patch systems.
You should really review your anti-virus protection to make sure that your machines are being updated with the most current virus definitions and you have optimized settings. You should also have a few layers of protection. Most firewalls these days allow you to scan for viruses, so you should add that as a layer of protection or configure it.
I believe URL filtering is necessary for every network. I don’t care about catching employees doing bad things; it is more about preventing them from harming themselves. Websites contain many links and some also stream advertisements. I have even received a virus from a web advertisement from a local newspaper. Blocking items such as malware/spyware/advertisements will cut down on your infection rate and help keep you secure.
Admin Rights on Machines
You never really need to have administrative rights on a machine when performing everyday tasks. If your end-users are logging on as administrators, you just increase the risk of infecting your entire network. This should be a practice that is eliminated.
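As an added example (not part of the original newsletter), the following PowerShell checks two of the audit items above on a single Windows machine: how old the most recent recorded update is, measured against the quarterly/monthly cadence, and who holds local administrative rights. The 31- and 92-day limits and the function names are assumptions made for illustration.

```powershell
# Added example: local audit of patch age and Administrators membership.
# Run in Windows PowerShell 5.1 or later on the machine being reviewed.

function Get-PatchAgeLimit {
    param([int]$ProductType)
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    if ($ProductType -eq 1) { return 31 }   # "monthly", assumed to mean 31 days
    return 92                                # "quarterly", assumed to mean 92 days
}

function Test-PatchAge {
    param(
        [datetime]$LastInstalled,
        [int]$ProductType,
        [datetime]$Now = (Get-Date)
    )
    $age   = ($Now - $LastInstalled).Days    # whole days since the last update
    $limit = Get-PatchAgeLimit -ProductType $ProductType
    [pscustomobject]@{
        LastInstalled = $LastInstalled
        AgeDays       = $age
        LimitDays     = $limit
        Overdue       = ($age -gt $limit)
    }
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Get-HotFix reads Win32_QuickFixEngineering. It covers Windows updates only,
# not application patches, and InstalledOn can be empty on some entries.
$last = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 1

if ($last) {
    Test-PatchAge -LastInstalled $last.InstalledOn -ProductType $os.ProductType
} else {
    Write-Warning 'No dated hotfix entries found; review the update history manually.'
}

# Members of the built-in Administrators group, looked up by its well-known SID
# so the check also works where the group name is localized.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object -Property Name, ObjectClass, PrincipalSource

# True only when the current session is running with an elevated administrator token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
```

Any everyday user account that appears in the Administrators listing is a candidate for removal under the admin-rights item above.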
These are a few of many items to consider when performing an audit. If you need assistance you can contact your friendly consultants at TBJ Consulting at 262-373-9070 or firstname.lastname@example.org and they can assist you.
Lessons Learned from Four of the Advanced Attacks in 2013
The attacks of 2013 focused on using distributed denial of service and business-logic weaknesses to take systems out. Fraudsters utilized encryption to scramble the data of victims until a ransom was paid. Attackers also targeted service providers as the weak link in the security chain that protects businesses.
The 2013 attacks did not advance as much as they evolved. From encrypting data using ransomware to massive DDoS attacks, attackers used various options in their available bag of tricks.
“As the criminals have become more savvy and more technically knowledgeable and understand the victims’ environments better, they are able to see opportunities that they might otherwise overlook,” stated Jeff Williams, director of security strategy for the counter threat unit at Dell SecureWorks, a managed security provider.
Based on information from experts, here are four advanced attacks from 2013 and the lessons for businesses from those attacks:
1. Cryptolocker and the evolution of ransomware
While many attackers create botnets to steal data or use victims’ machines as launching points for further attacks, a specialized group of attackers has used strong-arm tactics to extort money from victims. In the past, most of these types of attacks, referred to as ransomware, have been bluffs, but Cryptolocker, which started spreading in late summer, uses asymmetric encryption to lock important files.
The group behind Cryptolocker has likely infected between 200,000 and 250,000 computers in the first hundred days, according to researchers at Dell SecureWorks. Based on the number of payments made using Bitcoin, the company conservatively estimated that 0.4 percent of victims paid the attackers, but it is likely many times more than the minimum take of $240,000, the company stated in an analysis.
“What sets it apart is not just the size and the professional ability of the people behind it, but that–unlike most ransomware, which is a bluff–this one actually destroys your files, and if you don’t pay them, you lose the data,” stated Keith Jarvis, senior security researcher with Dell SecureWorks.
Companies should expect ransomware to adopt the asymmetric-key encryption strategy employed by the Cryptolocker gang.
2. New York Times “hack” and insecurity in suppliers
Rather than directly breach the New York Times’ systems, the attackers instead fooled the company’s domain registrar into transferring the ownership of nytimes.com and other media firms’ domains to the SEA. The attack demonstrated the importance of working with any suppliers that could be a “critical cog” in a company’s security strategy, stated Carl Herberger, vice president of security solutions for Radware, a network security firm.
“You need to have real-time, critical knowledge from your service providers to determine whether they are being attacked and whether you are the intended victim of that attack,” says Herberger.
3. Bit9 and attacks on security providers
In February, security firm Bit9 revealed that its systems had been breached to gain access to a digital code-signing certificate. By using such a certificate, attackers can create malware that would be considered “trusted” by Bit9’s systems.
The attack, along with the breach of security company RSA, underscores that the firms whose job is to protect other companies are not immune to attack themselves. In addition, companies need to have additional layers of security and not rely on any one security vendor, stated Vikram Thakur, a researcher with Symantec’s security response group.
“The onus resides with the security firm to prevent successful attacks from happening, but when they fail, a victim should have a plan to bolster their defense,” Thakur says.
4. DDoS attacks get bigger, more subtle
A number of denial-of-service attacks got digital ink this year. In March, anti-spam group Spamhaus suffered a massive denial-of-service attack, after it unilaterally blocked a number of online providers connected–in some cases tenuously–to spam. The Izz ad-Din al-Qassam Cyberfighters continued their attacks on U.S. financial institutions, causing scattered outages during the year.
As part of those attacks and other digital floods, attackers put a greater emphasis on using techniques designed to overwhelm applications. Such application-layer attacks doubled in frequency in the third quarter 2013, compared to the same quarter a year before, according to denial-of-service mitigation firm Prolexic. Reflection attacks, where attackers use incorrectly configured servers to amplify attacks, grew 265 percent in the same period, according to the firm.
“This technique is still an available option for attackers,” stated Radware’s Herberger. “Because there are 28 million vulnerable resolvers, and every resolver needs to be fixed, this problem is not going away any time soon.”
Do you think you are too small for a hacker to attack? Think again.
According to a Symantec survey, cyberattacks rose 300% in 2012. The reason? Most small businesses are attractive because they have weaker security systems in place. Small businesses are also flocking to cloud systems that do not incorporate strong encryption technology. This allows hackers to get easy access to sensitive data behind a door with nothing but a simple lock.
How can you prevent being attacked? Make sure you patch your largest vulnerability – your people. Have them use strong passwords and teach them to look for sketchy emails. You should also invest in the best cloud security application you can afford.
Win an iPad Mini
We at TBJ are looking to grow our business and we would like to enlist your help in finding clients who might benefit from our services. For any qualified leads that result in a meeting, you will be entered into a quarterly drawing to win an iPad Mini. Our best leads come from referrals and we would like to reward you.
If you know of someone that you network with that could benefit from our services, use the form below or email us at email@example.com
Product of the Month: Amazon AWS
If you are looking to add a server or host an application, but do not want to purchase a server and host it somewhere, Amazon AWS might be the solution for you. I needed the ability to host an application in the cloud and I wanted it to be a monthly cost and not have to purchase a server or Windows licenses. Amazon AWS allowed me to do just that. It is very easy to set up. They have various templates for servers you can utilize and have different pricing options that are affordable. If you are looking for a cloud solution, Amazon AWS might be the answer.
TBJ Partnership Announcement: Ruckus Wireless
TBJ has partnered with Ruckus Wireless to offer you a state-of-the-art wireless solution. TBJ was looking for a solution that was flexible from the small business to the enterprise and Ruckus fits the need very well. Some of its award-winning features are:
Maximized Signal Strength
Network Capacity Optimization
You can start out with a single Ruckus access point and if you grow, you can migrate to a controller-based solution.
The other nice and unique feature is BeamFlex. BeamFlex is a per-packet and per-client adaptive antenna array that has up to 4,000 unique patterns, 9 dBi gain, and 15 dBi interference mitigation.
If you are looking for a next-generation wireless solution, look no further than Ruckus Wireless. You can contact the friendly TBJ consultants at 262-373-9070 or firstname.lastname@example.org to learn more about this solution or to schedule a demo.
David Pogue: 10 Time-Saving Tech Tips
With how busy everyone is these days, everyone wants to save some time. David Pogue, a New York Times tech column writer, recently presented a TED talk in which he suggested his top ten time-saving technology tips.
David’s tech tips are very easy and simple and have the potential to save tech users valuable time and money. Did you know about these valuable time saving tech tips?
In just under six minutes, David Pogue presented his “ten top time-saving tech tips”.
He starts his presentation with the fact that for major life situations/risks in society, people are required to get licensed, like in driving, owning a gun, and marriage. He stated, “For some reason, there’s no standard syllabus, there’s no basic course. They just sort of give you your computer and then kick you out of the nest.”
Here are the top ten tips:
1. Tap the spacebar to scroll down a page. Hold Shift and tap the spacebar to scroll back up.
2. When filling out forms, use the Tab key to navigate through boxes. When there’s a pop-up menu for your state or country, type its first letter repeatedly until your location shows up in the box.
3. To make text larger on a web page, hold CTRL and push “+”. To make it smaller, hold CTRL and push “-”.
4. When ending a sentence, instead of toggling through your keyboard layout for punctuation and shifting to start the next sentence, simply tap the spacebar twice. Your phone will automatically add a period and be ready to start your next sentence with a capital letter.
5. Tap the Call or Dial button to automatically call the last number that you dialed, instead of spending time typing the number back in.
6. When leaving a voicemail, to bypass the voice greeting and instructions, you can press a key to interrupt and go straight to the “beep”. Unfortunately, all carriers do not offer the same interrupt key function, so you’ll have to know which plan the person you are calling is on.
AT&T, T-Mobile: #
7a. Google acts as a dictionary when you type “define” followed by your word into the search engine without even completing the search by pressing Enter.
7b. Google also functions as a flight tracking tool. Simply type your flight number and it will show you the flight’s status without you having to press Enter.
7c. Google can also convert your units. Type what you need converted, such as “12cm in inches” and Google will automatically respond without you having to press Enter.
8a. Double-click on a word to highlight it.
8b. After double-clicking a word to highlight it, you don’t have to delete it to replace it; just type over it.
8c. Double-click and drag your mouse to highlight in one-word increments (as opposed to the regular one-character increment).
8d. Triple-click to highlight an entire paragraph.
9. Eliminate shutter lag by half-pressing the shutter button to allow it to focus, then fully press the button to snap the picture without any delay.
10a. While giving a PowerPoint presentation, demand focus to yourself (instead of your slide) by pressing “B”. This will black out your slide. Press “B” again to resume your slideshow.
10b. Along the same lines, press “W” to white out your slide, and “W” again to resume.
I know this is supposed to be a technology newsletter talking about cool technologies or giving you nice technology tips, but I want to talk about an important topic that I think is overlooked: communication.
With email, texting and all of the social media sites, I think at times people have forgotten how to communicate.
First and foremost is email. I have seen people go back and forth with email attempting to make a point or trying to communicate something that is lost. A better approach, and a method that I use, is after the 2nd or 3rd email I pick up the phone and call.
I have also seen people send an email with a meeting appointment or that has important information. The sender assumes that person has seen it, when they really have not. If it is an appointment or important email, call and confirm that the person receiving the email got it and has read it.
The other item I have seen is not paying attention when someone is talking. You are thinking about something else or what is next, without being exactly present. If someone is talking to you, make sure you have eliminated the distractions. It will allow you to focus your attention on the person and make your communication more effective.
Another bad habit I see is people constantly checking their phone when they are in a meeting or talking to someone. In fact, a recent study I read stated that 75% of smartphone owners need to be within 5 feet of their device at any and all times. Put the smartphone away. Unless you are getting a very important call, you have no need to be checking it constantly. Also, the smartphone can be a digital leash; turn it off and get away from it once in a while.
Finally, don’t interrupt someone when they are attempting to make a point or share their feelings. That is discounting what the other person has to say. I have seen some strong technical personalities that always want to be right and they display this behavior. But when working in a team environment, this has the effect of robbing that team of the valuable input from that team member.
The point is: don’t hide behind technology when communicating with someone and make sure that if you do have technology around you, it is not distracting when someone is attempting to communicate with you.
We welcome all current Fortinet users and anyone interested in Fortinet products to join us. Representatives from Fortinet and TBJ Consulting will be on hand to share the latest updates available to optimize your organization’s investment in Fortinet’s product line.
Date: April 9, 2014 at 11:30am – 1:30pm Price: FREE Type: Lunch-n-Learn