
The Malvertising Scourge

February 4, 2015

In their zeal to monetize their online content, publications increasingly have turned to online ad serving agencies that aggregate ads from a multitude of advertisers and distribute them to those online publications via code in the web site from the ad network’s servers.

This provides advantages for both publishers and advertisers — publishers can more easily manage who they sell to and advertisers can more easily manage who they buy from through these ad networks, as opposed to weeding through all of the potential publishers and advertisers themselves.

Unfortunately, in their desire to get their ads noticed by online readers, advertisers, publishers and ad agencies resort to intrusive ads that pop up over the content and jump, hop, wiggle and fly across the screen.

Those ads almost always rely on Adobe Flash for the animations, and as we all should know by now, Flash has a long record of security flaws, as evidenced by the three — count ’em, 3 — zero-day vulnerabilities Adobe had to patch in the past two weeks.

This provides a convenient path for hackers to distribute their malware. The problem is serious enough that it even has its own category of infections — “malvertising”.

Hackers love malvertising because it allows them to infect the millions of visitors to popular web sites without breaking into any of those web sites, and the infections often occur automatically, through exploit code delivered in the ad itself, without any action on the part of the visitor beyond loading the page.

In September 2014, the ad network Doubleclick (a subsidiary of Google) and Zedo, another popular online ad agency, served up the Zemot malware to millions of unsuspecting computer users.

Earlier that month, malvertising hit visitors to 74 different domains, including Amazon, YouTube and Yahoo. It attempted to infect Windows and Macs with spyware, adware and browser hijackers. In the past, malvertising on third-party ad networks has hit the New York Times, Fox News, London Stock Exchange, Spotify and The Onion, to name just a few.

Anecdotally, when we clean up infected computers, users invariably tell us the infection occurred while on a news or other ad-laden web site.

That’s bad for business for publishers, as it appears that the publishers’ web sites themselves are infected, when in reality the infections come from a third-party ad server.

The problem can be alleviated by running an ad blocker, like the ad blocker in Sophos Cloud that’s included in our FlexIT End-User Protection program.

Ironically, it might also improve your experience on sites that need you to keep coming back to justify their offerings to advertisers.


PCI DSS Security Standard Compliance Makes Sense for Small Businesses

August 25, 2014
Since 2006, the major credit card issuers have required that businesses that process credit card payments implement the PCI DSS Security Standard for credit card processing.

 
Unfortunately, many small business owners still don’t understand the growing threats they face from hackers preying on small companies that lack the security that larger companies can afford (by some estimates, more than 70% of attacks are against small businesses).
 
A direct response to the breaches of hundreds of millions of computer records including credit card information, the Payment Card Industry Data Security Standard requires that merchants who process credit card payments — no matter how small — implement certain security measures on their internal networks.
 
From a business standpoint, compliance with PCI DSS makes sense as you can tout your compliance to your customers to give them more confidence that their payments to you will be secure.
 
On the other hand, the financial downside to not complying could invite not only losses from credit card fraud, but seriously impact or even put you out of business through:
  • Negative publicity
  • Lost customers
  • Lost vendors
  • Lost sales
  • Cost of reissuing new payment cards
  • Lawsuits
  • Insurance claims
  • Fines from credit card issuers
  • Government fines
  • Higher costs of subsequent compliance
  • Termination of ability to accept payment cards
 
Remember the Target breach? Target’s profits dropped nearly 50% in the aftermath and the CEO resigned, all because of security lapses within Target that started when an HVAC vendor’s login credentials for Target’s vendor system were stolen. The thieves used that vendor access as a foothold on Target’s network and moved from there to the point-of-sale systems, where they planted the card-stealing malware.
 
Don’t be a Target.
 
More information on PCI for the smaller sized businesses we have on Delmarva is available at the PCI Security Standards Council’s web site for smaller businesses.
 
If you need help with the technical aspects of complying, call us at 302-537-4198.

Choosing the Right Applications

June 9, 2014

One of the most important decisions you will make is choosing the software that runs your business. More specifically, I’m talking about the main applications used for the daily operation of your company.

Known by various acronyms (ERP, LOB, CRM), these applications are not purchased from a store.

Instead, these applications are just about always purchased direct from the developer. Written specifically for your type of business, they are often offered in modules that integrate seamlessly with each other, such as:

  • Customer Relationship Management
  • Marketing and Sales
  • Accounting including Receivables and Payables
  • Human Resources
  • Parts & Service
  • Inventory

Written by programmers targeting industry verticals or even businesspeople in your industry who couldn’t find a suitable off-the-shelf product to run their business, these applications generally work like you do rather than making you work within the confines of an off-the-shelf program that needs heavy customization and third-party utilities.

So, while the software will encompass some or all of the functions of general businesses, it will focus on specific industries. In this area, I most often see such applications for boat dealers, retailers, restaurants, hotels, auto dealers, real estate, and construction.

These programs reduce or eliminate duplicate data entry so data is available to all members who need access to it without re-typing it. The best ones include Dashboards and reporting to give you the Big Picture of your company’s performance and operations, or the ability to integrate with third-party programs that provide that functionality.

A word of caution:

It’s easy to get locked into a specific application and expensive to get out if it doesn’t live up to expectations. The cost alone (we’re talking thousands of dollars here) should cause you to perform your due diligence, but if that doesn’t faze you, perform your due diligence anyway to answer these questions:

  • What happens if the software developer goes out of business? Will you be stuck providing your own technical support? Are there peer support groups you could get help from? Could you move to a new application fairly easily or will you face a steep learning curve and expensive data conversion costs?
  • Does the application integrate with retail products like Office and Quickbooks if needed?
  • Will the application require major changes in your network security to function properly (i.e., do users need to be local administrators on their computers to run it, which means any malware they pick up runs with those same rights and greatly increases the risk of a breach)?
  • How much do technical support and application upgrades cost, especially in subsequent years when those costs aren’t rolled into the initial purchase price any longer?
  • Does technical support work roughly the same hours you do, or will you have to wait a couple of hours for support from a different time zone?
  • What are their typical tech support response times? They should have statistics and possibly guarantees on this.
  • If there is a Cloud-based version and it doesn’t offer all of the functionality of the on-premise version (as is sometimes the case), can you live with the reduced feature set?
  • Is a mobile version offered and what are its limitations?
  • How is their Cloud version backed up?
  • What happens to your data if the Cloud version is no longer offered?
  • Can you set up a demo for your staff or even better, run a trial version for 30 days to give all employees a chance to use it and make comments?
  • Will the system requirements require you to buy a new server and/or workstations or upgrade existing network hardware to run the application efficiently?

You should also get to know the executives of the software company and learn about:

  • Their history
  • How long they’ve been in business
  • The owners’ succession plan
  • What upgrades they plan to roll out in the next few years?

One other consideration here — if you have very specific needs that can’t be met by one of these applications, you may need to go with a custom-designed program written by a programmer. In that case, all of the above goes, but you have to be even more diligent about tech support issues and costs.

As you can see, choosing these applications is a major, company-wide decision. Look at not one, but multiple applications in your price range and whether they operate similarly enough to make a somewhat smooth change to another application if that becomes necessary.

If you’ve decided you’ve outgrown the limitations of Quickbooks and Microsoft Office and would like help with performing your due diligence, give Eric Magill a call at 302-537-4198.

Protecting the Availability of Your Data

May 20, 2014

In this four-part blog series, we’ve written about the Confidentiality, Integrity and Availability of your company’s data as the three lynch-pins of corporate IT security.

We’ve already blogged about Confidentiality and Integrity, and in this final installment will address the Availability aspect of network security.

Availability addresses two IT security concerns:

  • That data be available when you and your employees need it;
  • and that the network resources to access and manipulate that data are available when you need them

Availability of Your Data:


As you and your employees go about your business throughout the day, you’ll touch on a wide variety of data types.

In the typical small business, you will need access to your company’s Line of Business application, word processing documents and spreadsheets, email, Internet-based applications, and perhaps accounting, image editing, and other highly specialized data generated by applications specific to your industry.

The inability to access any of those data sources could disrupt your business for at least as long as the data remains unavailable.

Imagine that the important quotes you’re working on are in documents on the server and the server goes down.

How disruptive would it be if you couldn’t send or receive important emails to customers or vendors or access important web sites for research because of bandwidth bottlenecks or the loss of the Internet entirely?

What happens when the Line of Business application’s database becomes corrupted, or is encrypted by ransomware like CryptoLocker, which encrypts your files and demands payment for the decryption key?

How can you prevent or minimize those incidents from becoming disasters?

Availability of Network Resources:

If you can’t access network resources like your server or the Internet because of a failed server hard drive, or a failed router, modem or firewall, the Availability of your data suffers.

What would happen if a natural disaster or a fire destroyed a significant part or all of your business?

What can the typical Sussex County small business do to mitigate the risks and the damage associated with such events?

  • Consider a backup Internet source, such as another ISP or wireless services such as your cell phone provider, for access to Internet-based data, especially email, during on-premise Internet outages
  • If your business relies on the Internet for email, web-based research or Cloud-based applications, ensure that you have enough bandwidth to perform those tasks efficiently
  • Have plans in place to operate while the network resource is down, such as hand-written notes and receipts that can be entered into the system when the network resource becomes available
  • Backups to recover the most recent versions available of your data
  • For the most extreme disasters involving a long-term (more than a couple of days) loss of availability, have a Backup and Disaster Recovery Plan in place to get the business back up and running ASAP rather than trying to plan the recovery after the fact.

We’ve discussed a number of potential risks and mitigation strategies in this four-part series over the past several months.

In our inter-connected world, in which your business relies on that inter-connectivity to access data critical to your operations, the data stored on your firm’s network is more at risk than ever from a wide variety of threats.

More than anything, I hope you’ve gained an understanding of the risks to your data, and your company, and the steps needed to mitigate those risks, that you may not have appreciated before.

Protecting the Integrity of Your Data

January 6, 2014

We briefly touched on the Confidentiality, Integrity and Availability of your company’s data back in August and expanded on the Confidentiality of your data last month.

In this post, I’ll focus on the Integrity of your data.

The Integrity of your data refers to the concept that your data will always be accurate and correct, un-altered in ways that would cause disruption to your business.

Think about the consequences if the prices in a proposal were accidentally or maliciously altered in a way that wasn’t easily noticed but harmful nonetheless.

Imagine the disruption to your business if a large, critical spreadsheet had unintended changes and had to be fixed manually because a recent backup wasn’t in place.

What would happen if a hacker accessed your files and maliciously changed facts and figures in documents that you send to clients and vendors or internal documents used to make critical business decisions?

Your business could be harmed if accounting or bookkeeping data was incorrectly altered.

In short, it should be obvious that if your files are accidentally or maliciously altered, your business will suffer.

That’s why it’s so important to ensure that your files and data are always accurate.

Some ways to protect the Integrity of your data include:

  • The methods to protect against unauthorized access of your data that we outlined in our Confidentiality blog
  • Backups to revert to of ALL of your company’s files and data
  • A Backup plan that determines how much data you can afford to lose and the frequency of backups to ensure you don’t lose more than you can afford to
  • Multi-version backups so that if the latest backup is also incorrect, you can revert to an earlier backup containing the correct data
  • Enabling the ability to save previous versions of documents automatically in those applications that offer such a feature
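Here is a worked illustration of the backup advice in this post (multi-version backups you can revert to, and a way to tell whether the latest copy is itself already altered) and of the backup items in the Availability post above. It is an added example, not code from the original posts: a small Python script that keeps numbered snapshots of a folder, records a SHA-256 hash of every file in a manifest alongside each snapshot, reports which live files have changed, gone missing or appeared since the snapshot, and restores a single file after first checking that the backup copy still matches its own manifest. The folder names, file names and contents in `demo()` are constructed for the walk-through.

```python
# Added example, not from the original post: a versioned backup with a
# SHA-256 manifest so that accidental or malicious file changes can be
# detected and the last known-good copy restored. Paths and file names
# below are hypothetical.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so a large spreadsheet is not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def list_versions(dest: Path) -> list:
    """Snapshot directories, oldest first (names are zero-padded so sorting works)."""
    return sorted(d for d in dest.iterdir() if d.is_dir() and d.name.startswith("v"))


def snapshot(src: Path, dest: Path, keep: int = 5) -> Path:
    """Copy src into dest/vNNNNNN with a manifest; keep only the newest `keep` versions."""
    dest.mkdir(parents=True, exist_ok=True)
    versions = list_versions(dest)
    n = int(versions[-1].name[1:]) + 1 if versions else 1
    target = dest / f"v{n:06d}"
    shutil.copytree(src, target / "data")
    (target / MANIFEST).write_text(json.dumps(build_manifest(target / "data"), indent=2))
    for old in list_versions(dest)[:-keep]:  # prune, oldest first
        shutil.rmtree(old)
    return target


def verify(src: Path, version: Path) -> dict:
    """Compare the live folder with a snapshot's manifest."""
    expected = json.loads((version / MANIFEST).read_text())
    actual = build_manifest(src)
    return {
        "changed": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "new": sorted(k for k in actual if k not in expected),
    }


def restore(version: Path, rel: str, src: Path) -> None:
    """Put one file back from the snapshot, refusing if the backup copy itself is corrupt."""
    expected = json.loads((version / MANIFEST).read_text())[rel]
    backup = version / "data" / rel
    if sha256_file(backup) != expected:
        raise RuntimeError(f"backup copy of {rel} does not match its manifest")
    (src / rel).parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(backup, src / rel)


def demo() -> dict:
    """Constructed walk-through in a temp directory: snapshot, tamper, detect, restore, prune."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "live", Path(tmp) / "backups"
        src.mkdir()
        (src / "proposal.txt").write_text("Widget A: $100\nWidget B: $250\n")
        (src / "books.csv").write_text("date,amount\n2014-01-02,1200\n")
        v1 = snapshot(src, dest, keep=3)
        clean = verify(src, v1)
        # The kind of quiet alteration the post describes: one price changed.
        (src / "proposal.txt").write_text("Widget A: $100\nWidget B: $25\n")
        tampered = verify(src, v1)
        restore(v1, "proposal.txt", src)
        after = verify(src, v1)
        for _ in range(4):  # four more snapshots; only the newest three survive
            snapshot(src, dest, keep=3)
        return {"clean": clean, "tampered": tampered, "after": after,
                "versions": [d.name for d in list_versions(dest)]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what makes the backup useful for Integrity rather than just Availability: without it, a backup taken after the alteration silently preserves the wrong numbers. In practice the snapshots and manifests belong on storage that ordinary user accounts cannot write to, otherwise ransomware or an insider can alter the backups as easily as the live files.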

While there will be some cost attached to preserving the Confidentiality and Integrity of your data, it often will be less than the cost and disruption of data loss or accidental or malicious alterations.

Protecting the Confidentiality of Your Data

December 2, 2013

We briefly touched on the Confidentiality, Integrity and Availability of your company’s data back in August.

This time, I’ll focus on the first leg of the CIA triad — Confidentiality.

Confidentiality refers to the processes, policies and tools utilized to mitigate unauthorized access to files, data and sensitive information.


This could mean mitigating unauthorized access from hackers to any of your files or sensitive information like credit card numbers and passwords, or it could mean preventing unauthorized access to specific types of data from employees, vendors and clients.

We’d want to protect against hackers accessing your data for obvious reasons. They almost always have malicious intent, whether it be for financial gain or causing trouble for your organization.

Employees, vendors and clients shouldn’t be able to gain unauthorized access, either, but for less obvious reasons.

Usually there won’t be malicious intent in those cases, but you most likely would not want an employee to see payroll data, or vendors and clients to see information about each other.

Some ways to preserve Confidentiality include:

  • Stronger authentication methods to protect against unauthorized logins
  • Clearly defined acceptable use policies to govern who can access what
  • Role- and rule-based network security to enforce the policies and access levels
  • Monitoring to audit who is logging in and what they’re trying to access
  • Encryption to prevent unauthorized individuals from viewing sensitive data
  • Security hardware and software to mitigate attacks from hackers, viruses and malware
  • Ongoing employee education about the latest threats to your network and how to handle suspected access violations

In this age of digital communications, your organization’s key stake-holders will have increased access to more of your information. Even if hackers disappeared tomorrow, vendors and clients will likely need to be authorized to operate within your network.

With the potential effect of that kind of external access on your firm’s health, protecting the Confidentiality of your data should be a company-wide priority.

Replace Windows XP Era Software Now

November 21, 2013

If you’re one of the small businesses still running some flavor of Office 2003 or Windows XP, you should be making plans to upgrade to one of the latest versions of those Microsoft products.

Microsoft will end support for Windows XP and Office 2003 on April 8, 2014. After that date there will be no more security patches, even for flaws that are actively being exploited. That’s less than five months away and not a lot of time to plan an upgrade if you have line of business applications or peripherals that need the older programs.

Upgrading is not always a simple matter of plugging a new computer with the upgraded software into the same spot as the old one, particularly when your old software is two or three generations old.

The transition must be planned with your software developers, and your line of business applications, email and peripherals.

Failure to figure out the potential incompatibilities beforehand could cause massive headaches once the new software has been installed.

And then there is the cost. If you have to upgrade Windows XP and Microsoft Office, you’re looking at a significant investment that you may not have anticipated.

It’s unlikely, for instance, that you can just upgrade your existing computer to the latest Windows operating systems (Windows 7 or Windows 8) because your existing hardware probably won’t run the newer OSes. You may also have old peripherals, like printers and scanners, that don’t have drivers for Windows 7 or 8.

You should also figure in time to learn the new operating system, and if you’re upgrading from Office 2003, allow a good bit of time to become accustomed to the new interfaces in Office 2010 or Office 2013.

In addition, if you’re running some version of Windows Server 2003, you should consider upgrading your server at the same time, even though Extended Support for Server 2003 doesn’t end until July 2015.

And what happens if you don’t upgrade?

Count on hackers exploiting your network through flaws that will never be fixed, possibly costing you money, downtime and productivity, potential fines if your industry must adhere to state or federal regulations (PCI DSS, for example, requires that systems be kept patched), and potentially your business.

If you’re still running one of those old Windows products, don’t hesitate to start planning your upgrades. The time to do this is NOW if you want a smooth transition.
