Secure your company

Right now, the world is holding its breath, waiting for the novel Corona virus pandemic to pass. Employees are sitting at home, either working remotely, or worried they won’t have a job to go back to. Many business owners are crunching numbers on how they can survive this event after being closed for so long. Will their customers come back? Will the reopening date move again?

For many business owners, it will be a close thing. The bottom line will be very thin for a while. A mistake on the factory floor that causes some product loss could be the difference between open and closed permanently. All business owners will have a new definition of risk that is acceptable.

Cyber security is a risk strategy. If your business is running lean, perhaps even having to lay off employees or cut some pay for a while, can you afford a cyber security breach? What about a violation of the NY SHIELD Act? Or the California CCPA? GDPR? What if you are audited, fail a cyber security audit, and some of your clients walk away to businesses that are more secure?

During times like this, customers look for quality and stability in their business partners. Are you a small company? Worried your clients might take their business elsewhere? Can you show them you are keeping their data safe?

These are all critical issues to consider in business. Assessments from KidderSec will give you the peace of mind that your data is secure. It is like someone telling you that you already locked the door. A penetration test is the belt and suspenders approach, where we actually test those defenses. You locked the door and we tried to open it.

Do you want to take the risk of going out of business? Contact us today!

Working from Home, securely?

The COVID-19 pandemic has been very disruptive to businesses across the globe. Some businesses that rely on storefront traffic, like restaurants, coffee shops and hair salons, are completely closed. Other businesses have shifted to a work-from-home model in order to stay open during this time of social distancing. It is the latter type of business that is at the most risk.

Why? Maybe as a business owner you have set up some type of remote access so your employees can work. Is that remote access method secure? What type of device is your employee accessing your network from? Is their home network secure?

Chances are pretty good that your employees are using some type of VPN technology to access their work. Maybe they are logging in and performing their regular functions, like payroll or client record management, from their home PC. Here is where it gets tricky:

The PC they use in the office is likely managed. You have a policy in place to keep it up to date. Your network is secured by your IT staff. Only legitimate employees are allowed in the building to access the secured computer systems, and the customer records. Great job!

Now they are working from their personal computers at home, which are likely not updated and could be infected with malware. They are accessing your corporate network and transferring important or business-critical data to and from their insecure PC, over the insecure wireless network in their house. How many of your employees changed their wifi configuration password from “admin” to something more secure?

To make matters worse, when employees are working in the office, they are used to a routine. They see people who might say “Hey Jim, did you get my email?” while at the coffee machine. Now everything is a little more disconnected without that conversation. Did this email really come from Jim’s coworker? Are your users more trusting than they should be? Are they aware that phishing scams are more likely while working without personal interactions like that?

User behavior is the number one key to thwarting bad actors. We can provide the training necessary to keep your business running. Contact us to find out more.

Facebook, phones, privacy, oh my!

Last year Facebook was dragged before a Senate committee hearing regarding privacy. The founder, Mark Zuckerberg, was challenged with questions regarding how Facebook keeps user records private, and how Facebook is able to access personal data beyond its documented reach. What does this mean?

In several videos, and in independent tests, it appears that the Facebook application installed on your phone is granted by default (unless the user changes the settings) the ability to access the phone’s microphone and camera. Per Facebook, this is for features such as auto-tagging what a user is listening to while making a post. The videos where people test this show something far more nefarious, though. With a phone that has the Facebook app installed placed near them, people intentionally discuss a topic they have never discussed or searched for, for example “taking a trip to South Africa”. Note that the Facebook app is simply installed, not running as an application. Lo and behold, the users start getting advertising for flights to South Africa, tourism trips in South Africa, etc. This is disturbing enough, but add in the actual privacy practices of Facebook...

Facebook sold private data to Cambridge Analytica, and that data was leaked. While the data in this case was not worse than, say, the Equifax breach, it still shows a disregard for data privacy.

If Facebook is recording your voice conversations when you are near your phone, and is capable of selling the data they store, could you be at risk? A client confidentiality breach? Trade secrets? Even if you didn’t intend to reveal that data to Facebook, they have it. And even if they intend to keep it private, they can’t guarantee it.

Want to know what other risks you are exposing your company to? Contact us today!

Smartphones, computers, tablets….

According to Moore’s law, technology will get faster and smaller as time goes by. I am paraphrasing here in order to make the point. Years ago, cell phones were just that: phones. They had a small LCD screen, and they could make and receive phone calls. Some even had an address book that could store up to 1000 names and numbers! Today, the technology packed into a high-end iPhone or Android device is greater than that of computers from 10 years ago. The younger generations can’t live without their smartphone and in some cases conduct their whole lives on a 3″x4″ screen.

With IoT devices in almost every home (think about the smart devices in your home or business, such as a Ring doorbell, a video camera, a smoke detector, a WiFi-capable refrigerator, a thermostat, you get the idea), your home or business is connected to everything. This includes smartphones and tablets. The risk here is that these IoT devices and smartphones are the largest attack surface available to any hacker.

So what does this mean? Computer networks will always be a vector for bad actors, but there are new threats emerging that go after these pervasive devices. How does this work? Let’s see…

Let’s say you have Facebook on your smart phone, and you see a message from an old high school friend whom you haven’t spoken to in 20 years asking you to click on a link, or watch a video. You are on your phone, so it’s safe, right? Wrong.

You open the link and in the background malware downloads to your phone. Immediately your phone reaches out across the wifi network you are connected to in order to discover other devices on your network. Are you at work? Your business is now at risk! Your IoT security cameras? Compromised. Your network is being attacked.

Want to know how to mitigate this risk? Contact us today!

How secure is enough?

There is always a trade-off between security and usability. At one end of the spectrum is a completely secure system that is not usable at all. To be completely secure, to ensure the bad actors can’t access your systems, an organization would also have to ensure that its own employees can’t be bad actors. A computer that is powered off inside a locked safe is secure, but is it usable? No, not really.

If we take that paradigm and apply it to your company, there are ways to ensure that the company is secure, but your systems also have to be used. As a real-world example, let’s discuss company A, which makes toys. They have several computers that they use for designing the toys, ordering new materials, invoices, billing, email and employee records. To be secure, the company shouldn’t allow any outside communication that could be compromised, but they need those communications for their business. If “secure” meant that they have 100% assurance that no one could access the system, the company can’t do its job of making toys. So how much security should be applied to company A’s computer systems?

The answer is “just enough”. Just enough access to perform the critical task, but not so much access that it could be an avenue for a bad actor to exploit. Each process, application, communication method, employee and login must be examined from a security standpoint to ensure that it is necessary for the business, and that it is secure enough.

But how much is enough? Well, that depends on the amount of risk that item poses if it were compromised, weighed against the value of the item being examined. This type of Business Impact Analysis is something that each and every business SHOULD conduct to understand its risk posture. The company’s “secret sauce” is probably more valuable than past material invoices, so the “secret sauce” should receive more scrutiny.

Want to know more? Contact us today!

Knowing is half the battle…

The key to security in any environment is to know what you have that needs to be secured. Seems simple, right? It’s not.

One of the most common ways that an organization or company is breached is through an unknown configuration. It could be a server that someone brought online for testing and left unpatched and forgotten, or a neglected service account that has local admin rights and a password that hasn’t been changed in over a year. Perhaps it is a dual-homed server created to solve a specific problem, but left with little or no configuration.

It is often the case that after a breach is detected, someone sees how it occurred and says “oh, gee, I forgot about that!” or “I didn’t realize that was still online!” The reality is that when you are patching and doing your due diligence to make your organization secure, you can only do that for the assets and configurations you know about.

Enter configuration management. The process of configuration management is to create and maintain detailed documentation for all of your assets and all of their configurations as they currently are. This means an inventory of all of your servers, accounts, services, patch levels, switches, routers, workstations, vendor access, etc. The reason you have this is so that when a critical vulnerability like BlueKeep comes out and you want to apply patches, you can be sure you have patched everything in your environment.

On top of your configuration management system, it is important to internally audit your environment on a regular basis to discover any changes to your infrastructure that you weren’t aware of.
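As an added illustration of what such an internal audit against the inventory catches (example code written for this article, not a KidderSec tool), the script below compares a constructed inventory with a constructed audit scan and flags exactly the three problems described above: hosts nobody documented, documented hosts still missing a required patch, and neglected admin service accounts. Host names, the `KB-BLUEKEEP-FIX` patch label and the dates are all made-up placeholders.

```python
"""Inventory-vs-audit drift check (added example, not KidderSec code)."""
from datetime import date

# Constructed inventory: what the organization believes it has, with the
# patches each host has received. All values are placeholders.
INVENTORY = {
    "fs01":  {"role": "file server", "patches": {"KB-BLUEKEEP-FIX"}},
    "web01": {"role": "web server",  "patches": {"KB-BLUEKEEP-FIX"}},
    "db01":  {"role": "database",    "patches": set()},   # never patched
}

# Constructed audit result: hosts that actually answered on the network.
# "test-old" is the forgotten test server from the article.
AUDIT_SCAN = ["fs01", "web01", "db01", "test-old"]

# Constructed service accounts: (name, has local admin, last password change).
SERVICE_ACCOUNTS = [
    ("svc_backup", True,  date(2018, 11, 2)),
    ("svc_print",  False, date(2019, 3, 9)),
    ("svc_deploy", True,  date(2020, 2, 20)),
]

REQUIRED_PATCH = "KB-BLUEKEEP-FIX"   # placeholder label for the BlueKeep patch
MAX_PASSWORD_AGE_DAYS = 365
REPORT_DATE = date(2020, 5, 1)       # constructed "today" for the audit


def unknown_hosts(inventory, scan):
    """Hosts seen by the audit that the inventory does not document."""
    return sorted(set(scan) - set(inventory))


def unpatched_hosts(inventory, patch):
    """Documented hosts that are missing the required patch."""
    return sorted(h for h, info in inventory.items()
                  if patch not in info["patches"])


def stale_admin_accounts(accounts, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Admin service accounts whose password is older than max_age days."""
    return sorted(name for name, is_admin, changed in accounts
                  if is_admin and (today - changed).days > max_age)


def audit_report(today):
    """Collect all three findings into one report dictionary."""
    return {
        "unknown_hosts": unknown_hosts(INVENTORY, AUDIT_SCAN),
        "unpatched_hosts": unpatched_hosts(INVENTORY, REQUIRED_PATCH),
        "stale_admin_accounts": stale_admin_accounts(SERVICE_ACCOUNTS, today),
    }


if __name__ == "__main__":
    for finding, items in audit_report(REPORT_DATE).items():
        print(f"{finding}: {', '.join(items) if items else 'none'}")
```

Each finding maps back to a fix: add the unknown host to the inventory (or decommission it), patch the flagged host, and rotate the stale admin password.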

Want to know the most efficient ways to do this? Contact us today!

So you are in the cloud?

Like most businesses, you have probably felt the allure of cloud resources, and using them is often a smart decision. The cloud offers different types of flexibility to manage your business appropriately. Maybe you need a web server and don’t want the cost, maintenance and overhead of all of the infrastructure to host it yourself? Or perhaps you are using the cloud as part of an online transaction processor? Regardless of your need for the cloud, there is likely something you haven’t put a lot of thought towards... How secure are THEY?

The cloud provider is a business like any other, with servers, vendors, employees, IT staff, marketing people, contractors and likely at least one outsourced service. It is smart business sense to regularly review your cloud provider’s security. You are trusting them with your data and your reputation, and in many cases they are assuming the risk of maintaining your IT services.

In a recent study of the suspected cyber attacks on the US Democratic party following the most recent presidential election, it was determined that vendors were the way the attackers got in. By compromising a “trusted partner” of a business, attackers can then infiltrate any business attached to them. From a cloud vendor perspective you would hope they have the strictest security posture possible; but how do you know?

Every business that uses any type of cloud service should thoroughly review the security of the cloud provider they are trusting. Want to know more?

Contact us today!

The truth about Ransomware

There are many articles in the news about ransomware today, which is a special type of malware. Ransomware is a way for the bad guys to lock up your systems so you can’t access the data, and then tell you that you can have your data back only if you pay them.

But, how do they do this?

It all starts with a breach of some type. Perhaps your employee is looking at their personal email on their work computer and they click on a link to log in to their bank account (which isn’t from their bank; in fact, it is phishing). Their computer is infected. This is the foot in the door. From here, that PC will “call home” to the command and control center for the malware, and the PC will begin scanning the network from the inside looking for other hosts to infect.

Once the malware has control of many or all of the PCs, file servers, databases, email servers, web servers and every critical business function, the command and control center will allow each PC to download a special payload that encrypts the hard drive of every machine.

When you come in Monday morning, grab your cup of coffee and power on your PC, you are presented with a screen stating that the hackers have your data and they won’t release it unless you pay them some large amount of money in bitcoin. You put down your coffee and pick up the TUMS as you realize all employees have the same screen, and you can’t access any of the data that makes your business work: all of your invoices, client contacts, contracts, billing information, etc. You haven’t just lost your data, but confidential data that belongs to your clients as well.

What do you do? Do you pay?

There is evidence to suggest that paying the ransomer may NOT get your data back. Once you pay them, they can walk away, leaving you poorer. On the other hand, they could unlock your workstations and servers, but you now know that they have access to all of the confidential data you were trying to protect.

According to this research report from MIT, ransomware has generated over $45 Million for the bad guys. The larger the organization and the more sensitive the data, the higher the ransom.

But you are covered, right? You have cybercrime insurance? Not all insurance companies will pay. Recently, some insurance companies decided that since the ransomware was “NotPetya”, which has been linked to the Russian government’s actions, it was deemed an “act of war”. Other companies refuse to pay for various reasons, citing that the target business should have done more to prevent the damages.

Could you be doing more? Contact us today.

Privacy and what it means…

Privacy is a touchy topic. For some people, it means having control over what you don’t want others to know. For example, you want to keep your social security number or your bank account number private. But there are other things that we care less about keeping private, such as photos of ourselves on vacation that we post to social media. What if what you think is “private” is really just slightly harder to get to?

The world news is full of stories where someone’s privacy was breached, from leaked celebrity iCloud photos to identity theft. We believe that these incidents are isolated, but in fact everyone has had some level of privacy breach in their lives, whether or not they know it. Recent data breaches from major corporations were released here. You can search for yourself and find out if your usernames and passwords were published.

Take, for example, that you have an iPhone and you use Facebook. According to several “experiments”, Facebook may be collecting information about all of the texts and phone calls you have made from the iPhone, they track all of the locations where you “check in”, and Google has already admitted that they send telemetry location data every time you use a Google app, even if your GPS is turned off.

For a typical user, someone with access to this data can know where you were, when, and what you were doing, all the time. Maybe you think “I don’t care if Facebook or the government knows I bought a shovel from Home Depot on Saturday morning at 11:14AM for $28.34 and I used my Visa card ####-####-####-#### for it.” And maybe that is true, but did you volunteer that information? If I can gather that, what else can I get?

This type of data collection when coupled with “Artificial Intelligence” or “Deep Learning” can come pretty close to predicting what you are likely to do in the future. It is this part of “privacy” that becomes scary.

What if I could detail all of the daily activities of your employees? What information can I collect about your business? Bad actors have long known that the easiest way to get through a door is to ask a person with a key to open it for you. This is usually called “Social Engineering”, but with machine learning, and organizations like Amazon, Microsoft, Google and Facebook collecting every aspect of your life, the issue of privacy goes beyond what you choose to share and enters the realm of inference.

Protecting yourself means being vigilant with what information about you is available. Many people choose not to post vacation photos while they are away because it tells robbers that they aren’t home. Beyond that, does Facebook NEED access to your camera? Photo Gallery? Text Messages? Microphone? Does Amazon Prime need to know your GPS location? All of these apps have permissions that they ask you about. If it doesn’t seem right (why would Candy Crush need access to my Voicemail? Or my camera?) then it probably isn’t.

Want to know more about how to protect yourself and your company? Contact us today!

A preventative cure

As a small or medium business, you are concerned with what you need to do, which, rightfully so, is all about your business! But while you are managing your employees, customers, products and bottom line, who is watching the gates? Security starts and ends with everyone in your company being aware of how to behave as if they are personally responsible for the company’s security.

Your employees have their own lives; they have Facebook, they watch cat videos on YouTube, they send text messages from their phones, and they email family and friends from their personal accounts, all from company resources. There are inherent dangers to this, perhaps more than you realize.

A single user logs in to a company computer, opens Chrome or Firefox to their Gmail inbox, and also opens Facebook. While they are working, they are managing their daily lives as well. They click on an email from what appears to be one of their contacts to look at a file or follow a link. Wham! That email wasn’t actually from their contact; it was well-crafted spam. Their company PC is now infected with malware. Behind the scenes, that malware is now enumerating the other computers their PC connects to and the customer databases, moving to coworkers’ PCs, and collecting their information as well. Within a short amount of time, almost every PC is infected, and the bad actors have a treasure trove of information about you, your employees, their passwords to your internal systems, your customer data, and your company secrets.

The bad actor might try to exploit your business by locking all of your PCs with cryptoware, making all of your data inaccessible unless you pay them a large ransom. Possibly the bad actor will find some of your users’ social data and start a social engineering campaign to learn their habits and blackmail them into divulging company secrets.

Scared? You should be. This type of behavior happens every day.

But what can you do? The front line of cyber security is awareness and education. If your employees practice safe behaviors and know how to spot phony emails and suspicious phone calls, you can thwart the attacks before they start. This type of training and education should start right NOW, before you are in trouble. You shouldn’t decide to go to school only once you apply for a job and are turned down due to a lack of education. The same applies here. Education and awareness are preventative measures.

As the cyber security industry changes, so should the training. A good practice is to have a solid cyber security training program for all new employees and a refresher program every six months.

A custom-tailored program works best to reach your employees and management staff, and should be as important as skills training or HR policy signing. After all, it is the fundamental security of your business that is at risk!

Want to know more? Contact us today!