Skip to content

Hackers’ Toll Goes Beyond Finances

May 3, 2016

I wrote about the toll hackers and cyber criminals take on end-users four years ago and think the topic deserves a refresh given the ramped up attacks since then.

Each year, the increasing cyber crime menace impacts us beyond the financial cost of anti-virus and anti-spam programs and firewalls, expensive virus removal fees, or splurging for a Mac because they appear to be immune from infections (truth: they’re no more immune from social engineering attacks than Windows computers).

The toll is no longer just financial, however. Hackers have diminished our confidence in the good nature of others and our ability to discern between good and evil.

The attacks have been so clever — designed to look like legitimate security or virus alerts with scary messages about the consequences of not following the instructions — that not only are end-users tricked into clicking them, they no longer have the confidence to click on the legitimate notices.

Of course, if they don’t follow through on legitimate alerts, they risk the security of their computers and their data by ignoring critical updates.

Hackers have confused end-users to the point of near paralysis. End-users might spend hours or even days trying to figure out if they should abide by an update alert or ignore it out of fear that it’s an infection. We get many calls from clients asking those very questions about good notices, as many as we do about actual infections.

Phishing emails, booby-trapped attachments from friends who have been hacked, threatening phone calls and on-screen warnings, pretexting believable but false scenarios, reconnaissance with seemingly innocuous questions that reveal valuable information to hackers, forged web sites and emails with links to infections, alarming or normal emails reputedly from UPS, the IRS, FedEx, banks and retailers … all of them far more convincing than the stereotypical Nigerian Prince scams of years past.

Pile on sneaky “Recommended” add-ons that the likes of Java and Adobe add to their updates that tangibly change your settings, annoying repetitive renewal and update notices from legitmate security software that mimics the behavior of infections, and Microsoft’s shady Windows 10 update procedure, and it’s a wonder anyone clicks any notice anymore.

This particularly affects less savvy end-users for whom any alert sounds convincing or scary. Honestly, faced with a bewildering array of alarming alerts on their computers, how many end-users will be comfortable enough to trust that their next click won’t encrypt the company’s files? How much time and money is lost to such paralysis?

Your end-users need to be educated on the differences between valid and malicious alerts and appropriate responses to the malicious ones.

A good security awareness program such as our FlexIT End-User Security program, that gets their attention and maintains their diligence, can not only help them avoid infections but restore the confidence they need to work safely and efficiently.

Advertisements

The 5 W’s of End-User IT Security

March 2, 2016

You may have heard the terms “end-user IT security”, “end-user IT security training” or “end-user IT security awareness”, but do not have a firm grasp on what those terms mean or their importance to your small business.

The following primer explains the Who, What, Where, When, Why and How of End-User IT Security:

Who?

End-user IT Security refers to securing the humans in your organization — you, your employees and vendors — by making them aware of the social engineering tactics used by cyber criminals to evade your firewall and anti-virus solutions.

What?

End-User IT Security Awareness training teaches you, your employees and your vendors about your company’s Acceptable Use Policy in the context of the social engineering attacks they face on a daily basis:    
  • What tactics hackers deploy to evade security solutions
  • What motivates cyber criminals
  • What you, your employees and vendors should look for to recognize current and   future scams
  • What procedures you, your employees and vendors should follow if they are victimized by a cyber criminal
  • What ongoing activities can be used to keep employees vigilant in the course of a busy work-day.

Where?

To make this a comfortable learning environment for you and your employees, we present your Acceptable Use Policy at the location of your choosing followed by ongoing monitoring, testing and training through your employees’ computers.

When?

We will make the initial presentation of the Acceptable Use Policy at a convenient date and time for your organization to minimize disruption. Subsequent ongoing efforts will be conducted with minimal disruption to your company, as well.

Why?

  • To tout your employees’ training and ongoing vigilance to your customers and vendors as evidence of your commitment to securing their information.
  • Cyber criminals bypass your costly security solutions by attacking your employees — more than half of security incidents in small businesses result from employee error or ignorance (52% according to the computer trade association CompTIA).
  • More than half of small businesses that lose critical data to hackers file for bankruptcy within a year. If the breach is large enough, it could result in expensive notifications to potentially affected parties and negative publicity.
  • Almost all Ransomware attacks are launched through social engineering tactics.
  • Hackers successfully steal data from small business networks they breach at an alarming rate (82.6% according to a 2015 Verizon study).
  • Small businesses represent easy prey because they can’t afford dedicated security specialists. They can also be potential paths to much larger prey (the Target breach in 2013 started with a social engineering attack at a Target HVAC vendor).

How?

The FlexIT End-User IT Security Program works by:
  • Developing or updating an Acceptable Use Policy for your employees’ and vendors’ use of the network
  • An engaging presentation of your Acceptable Use Policy that explains how the policy protects your employees, your company and your customers, with real-life examples of social engineering cons, the motivations of hackers, and steps to follow in the event of a successful attack
  • Keeping your employees’ vigilance high with regular email alerts about new attack methods and imminent threats
  • Ongoing monitoring to ensure compliance with the Acceptable Use Policy
  • Random testing to ensure continued vigilance

Understand that the size of your small business will not make you immune to probing by hackers. They understand that no matter how small, your business might store data that can be re-sold on the black market, used as a path to larger prey you do business with, or be held hostage for a sizeable ransom. And the barrier to entry might only be an ineffective anti-virus solution.

With a 10 percent increase in the past year in social engineering attacks by hackers (Verizon study), you don’t want to have to explain to authorities, your customers, your vendors, your employees, the media and the public that their personal or confidential information might have been compromised — because an employee unwittingly opened the door to hackers.

To learn more about how the FlexIT End-User IT Security Program would apply to your small business, contact Eric Magill at 302-537-4198 or ericm@flexitechs.com.

Verizon Study — SMBs Easier Prey

May 4, 2015

Hackers and cyber criminals continue to focus their attacks on small businesses and organizations, according to evidence contained in the 2015 Verizon Data Breach Investigations Report.

The Accommodations industry that is such a critical component of the Hospitality industry that drives the local economy on Delmarva offers just one example of cyber gangs’ taste for smaller organizations.

Partners reporting to Verizon identified 368 security incidents in the Accomodations industry in 2014, including 181 at small lodging businesses.

More striking, however, is that of those 181 security incidents, 180 resulted in confirmed data loss. That’s a nearly 100% success rate for cyber criminals interested in pilfering the data stored by motels and hotels — names, addresses, phone numbers, license numbers, credit card information.

Consider then, that of the 90 security incidents at Large Accomodations businesses, only 10 resulted in confirmed data loss.

The trend continues across all industries — of the 694 security incidents reported at small organizations by Verizon’s study partners, 573 resulted in confirmed data loss for an 82.6% success rate.

Contrast that with large organizations that experienced 50,081 security incidents in 2014 but with just 502 resulting in confirmed data loss for a 1% success rate.

Is it any wonder cyber criminals continue to increase their attacks on small organizations given such astounding success in stealing data from them?

Besides the ease of data theft, cyber criminals, on the heels of the Target breach in late 2013, know that small businesses can lead to larger prey — i.e., login credentials to vendor web sites of large corporations.

That’s what happened at Target. An employee at one of Target’s HVAC contractors opened an infected email. The resulting compromise of that machine allowed the hackers to obtain the contractor’s Target vendor credentials, which the hackers then used to work their way through Target’s system, all the way to the cash registers at Target stores.

Before Target realized it had been breached months later, 40 million credit cards had been stolen.

Most small business owners I talk to resent having to spend money on network security. It’s an understandable but short-sighted sentiment.

The fact is, you don’t need to spend a fortune on security to protect yourself, your business, your employees, your customers, and your vendors, but you do need more than an anti-virus based on signatures and definitions.

The amount you should spend depends on the risk your business faces of an attack, the value of the data you store, and the financial and reputational damage that could be result if that data is stolen.

The only way to determine those values is to perform a Security Risk Assessment. FlexITechs can help you perform that assessment and determine the types of security you need at a cost that makes sense for your business.

Anti-Virus Not Enough Anymore

April 7, 2015

One of the most popular refrains I hear from clients whose computers have been infected with a virus or malware is: “But I have anti-virus software, and it didn’t show anything when I scanned the last time.”

Incredulous, they can’t believe the software they specifically purchased to stop viruses doesn’t. The fact is, hackers have surpassed the ability of anti-virus and anti-malware companies to keep their signature and definition databases apace with the latest infections.

Highly organized, hackers take pains to ensure that their viruses can’t be detected by anti-virus software before releasing them. Consequently, if you’re unlucky enough to land on an infected web site before your anti-virus has detected and created a definition for that specific infection, you will be infected.

In addition, hackers will often just bypass your anti-virus and firewalls by sending their attacks directly to unsuspecting employees in official-looking emails designed to trick them into opening the attached file.

And it doesn’t matter what size business you have. It’s cheap for hackers to send out random emails to small businesses. Even if you don’t think you have anything particularly interesting to hackers on your network, remember that they may use you as a bridge to much larger prey.

The Target breach of 10s of millions of credit cards started with an email with an infected file attachment sent to an HVAC vendor for Target. Hackers used the program installed when the employee at the HVAC company opened the file attachment to find the vendor’s Target login credentials, and then worked their way through Target’s network to its POS systems.

So if anti-virus software doesn’t provide the best protection anymore, what can you do? Following are the methods we deploy to provide you with the highest level of protection in our FlexIT End-User Security Program, which combines traditional anti-virus and anti-malware software with the following:

Any Device, Anywhere

It’s user-based rather than device-based so you are protected on all of your devices in any location — the office, at a client, coffee shops, hotels, airports, etc.

Enables BYOD Securely

It mitigates the risks of Bring Your Own Device (allowing employees to use their personal devices for work) by securing those personal devices as well to prevent data breaches and leakage

Cloud-Based

Infections on web sites are blocked before they can reach your network Monitored We monitor your devices daily for infections that have been cleaned or need to be cleaned manually, as opposed to traditional anti-virus, where we often don’t know of an infection until the computer has another problem days, weeks or even months later.

Host Intrusion Protection

HIPS goes beyond the definitions-based protection of traditional anti-virus to catch unknown threats by blocking unusual behaviors indicative of an attack

Multi-Platform

It can be used on Windows, Android, OsX and iOS devices

Enforces Acceptable Use

Our program enforces acceptable use policies by controlling the types of web sites employees can visit and what they can do on your network based on your specific needs

End-User Education

Perhaps the most critical part of the solution, as it provides ongoing education to your employees about common scams and cons used by hackers to gather information needed to breach your system.

Virus Removal

A perk of our FlexIT End-User Security program, we will clean free of charge any virus we can remove remotely, which will be most of them unless your Internet is down. If we have to remove a virus manually, the charge would be our lowest hourly rate in effect at the time (currently $75 per hour).

I’ve spent a lot of time thinking about how our clients get infected and the most common denominator is a lack of awareness on their employees’ part about what constitutes a scam. They see “Microsoft” or “Dell” or “Norton” in a security warning and assume it’s legitimate or open an email attachment they didn’t expect because they thought it was from someone they know.

Educating them about these scams and providing protection beyond definitions and signatures and across all devices will go a long way to keeping your organization safe from potentially devastating data breaches. To learn more about how our FlexIT End-User Security Program can be applied to your business, call Eric Magill at 302-537-4198 or visit www.enduseritsecurity.com.

To Pay Ransomware or Not?

March 19, 2015

One of our security partners, Sophos — the developer of the Sophos Cloud End-User Protection software we use in our Flex-IT End-User Security Program — posed the following question given the recent resurgence of ransomware infections:

Should victims of locked-screen ransomware or file encrypting ransomware like CryptoLocker and CryptoWall pay the ransom to get their files back?

We generally agree with our partner’s assessment that if it is the only way to get critical files back, then you have no choice but to pay the ransom and hope for the best.

But if you’ve followed my advice through the years, you will have backups in place that at most would lose a day’s worth of data.

If you haven’t backed up, and you need those files to run your business or the encrypted data includes sentimental photos or other irreplaceable files, you’ll have to pay the ransom. In most cases, you will get the key needed to decrypt your files.

But there is more to it than just paying the ransom. The question that wasn’t addressed was what do you do before and after you’ve retrieved your files?

The answer is you must get the ransomware off of the computer, of course, but you just can’t run an anti-virus program to do that.

Because of the possibility that the hackers have left malware on your computer, and because you know it’s already evaded your anti-virus software in the first place, you need to completely erase the hard drive and replace everything — operating system, files, programs, peripherals — to ensure no remnants remain that could come back to life.

You would need to do this regardless of whether you paid the ransom or not.

To recap, you should do the following if your computer is infected with ransomware:

  1. As soon as you see warnings and demands to pay a fee or fine, disconnect the network cable from the computer and/or try to turn off the wireless connection, and turn the computer off — encryption ransomware will search your network for encryptable files on mapped drives, including file servers
  2. Check files on network drives to see if you can open them — if not, immediately begin the recovery process from a backup prior to the encryption
  3. If no backup exists, you will have to pay the ransom if you need the files — the instructions will be in documents left by the hackers on your computer
  4. Once your files have been recovered, start up the infected computer without connecting to your network and begin the process of erasing the hard drive and restoring it to factory condition
  5. After restoration, re-connect the computer to the network and be sure to install the latest updates for Windows, third-party applications, and anti-virus software
  6. Don’t open unsolicited file attachments — the most common access point for ransomware

Presidential Candidates Set Bad Security Examples

March 5, 2015

Two of the leading candidates for President in 2016 have offered voters bad examples of cyber security practices in the past month.

Hillary Clinton and Jeb Bush, the former the leading presumed contender for the Democratic nomination, and the latter the leading presumed contender for the Republican nomination, have proven to be failed leaders in cyber security and privacy matters.

Clinton’s well-publicized use of personal email to conduct U.S. State Department business as its Secretary and Bush’s less-publicized release of personal details of constituents who emailed him as Governor of Florida in the name of “transparency” demonstrate a disturbing lack of awareness of online security and privacy.

Clinton’s use of personal email off the security of the State Department’s network would make any IT person’s head spin, not to mention violate federal regulations.

Bush, in a flawed attempt to provide transparency by releasing emails from his terms as governor that he knew would be requested at some point, violated the confidentiality of constituents who emailed him by failing to redact the personal details they revealed in those emails, including Social Security Numbers in some cases.

The notifications alerting constituents that their emails were a matter of public record weren’t on the online forms they submitted but in the automatic replies they received AFTER they emailed.

Unfortunately, I can’t say I’m surprised. Some of the people who should know the most about cyber security seem to be the most egregious violators of common sense security measures.

I’ll never forget the time I visited a couple performing outsourced human resources tasks for the Department of Homeland Security. They had viruses on both laptops they used to store and analyze the applications of Homeland Security applicants.

Neither laptop had adequate anti-virus software, and worse, neither required a password to boot into Windows. Just turn it on and a treasure trove of personal information for job applicants for sensitive security positions awaited. I mean, it’s not like a laptop has ever been stolen or lost ( /snark ).

So, the lessons to be learned here are not to follow the examples of politicians and government officials when it comes to online behavior, and most certainly don’t send government officials your Social Security Number.

Encryption Debate Ratchets Up

February 19, 2015

The debate on strong encryption has heated up with differing viewpoints from President Barack Obama and UK Prime Minister David Cameron in the past couple of weeks.

On one side, President Obama says he prefers strong encryption “more than some in law enforcement”, and on the other, Prime Minister Cameron would prefer encryption that provided a “back-door” for government and law enforcement agencies to read encrypted data.

So why would two allies, leaders of countries that have both been victims of terrorism, be on opposite sides of such an important security issue?

Encryption scrambles data that can’t be read by anyone who doesn’t have the proper “keys” to decrypt it.

Strong end-to-end encryption would prevent cyber criminals from reading the sensitive communications, information and files of businesses and individuals and help alleviate the financial and emotional toll hackers exact. This is President Obama’s concern.

It also, however, makes it much more difficult for intelligence and law enforcement to read the communications of cyber criminals, hackers and terrorists. This is Prime Minister Cameron’s concern (President Obama also acknowledged this risk in an interview with RE/Code).

Therein lies the issue — preventing information from falling into the wrong hands while not allowing law enforcement and intelligence agencies to abuse their access, as has happened since the Patriot Act was enacted in response to 9-11.

There is no easy answer for this and I’m not prepared to weigh in one way or another, though I lean toward preventing official agencies from accessing information without reasonable cause rather than the blanket, dragnet access we’ve seen some agencies abuse.

%d bloggers like this: