Why do organizations ignore information (cyber) security?

I read an interesting article by Don Jones of Redmond Magazine titled: “The Quest for a Culture of Security”.  In it, Mr. Jones notes (via my paraphrasing):

  • Security gets limited attention and even less funding from decision makers
  • Security hacking has become a profession with significant financial rewards
  • Every company is a target and has been, at a minimum, probed by hackers

In 2010, I witnessed the first item above when Bryley Systems hosted a series of seminars on the (then) new Massachusetts statute for the protection of personal information (201 CMR 17.00); people attended the seminars and took the first steps toward compliance, but most ignored the difficult changes and few made security (and compliance) part of their corporate structure.

Mr. Jones’ suggestion:  Ingrain security into your corporate culture; make it as important as uptime and connectivity and make it a fundamental part of everything you do.

Lynn Russo Whylly, in her May 14th 2014 article “How to Prevent Becoming the Next “Target” of a Data Security Breach” from Chief Executive, recommends:

  • Discuss security with your CIO or MSP regularly (to highlight its importance).
  • Walk through the data center (to pose questions about its vulnerabilities).
  • Set up security goals and then monitor metrics (to inspect what you expect).
  • Hire an outside person/firm to attack your security (and highlight its flaws).

Her position is that security is part of the CEO’s responsibility, and one of continually growing importance.

Password manager

The days of widespread, biometric-based security (voice recognition, fingerprint reading, eye scanning, etc.) are coming, but passwords are still required in many organizations and at most websites.  The problem:  How do I manage (let alone remember) all of the different usernames and passwords I have out there?

Personally, I use Tasks within Microsoft Outlook, which is secured by my network login:  Within a folder I titled “Usernames”, I create a task for each application and website and then copy-in the date and user information.  This limits my “need to remember” to only one complex password (my network login).  However, I must have access to my Outlook account to retrieve all other user information.

There are better tools called password managers.  These are software applications that “help a user organize passwords and PIN codes”1, which are held in a secure, encrypted file or database.  Many include the ability to automatically fill-in a form-based webpage with the username, password, and any other login credentials.

Most password managers can be categorized thus:

  • PC based – Application running on your PC
  • Mobile based – Application running on your tablet or smartphone
  • Token-based – Requires a separate smartcard, memory stick, or similar device to authenticate
  • Web-based – Credentials are located at a website and must be viewed and/or copied from this site
  • Cloud-based – Credentials are web-based, but are securely transferred for processing to an application running on your PC or mobile device

Most password managers are hybrids and many fit into two or more categories, but all share one trait:  You still need a master password to access your information (although some offer two-factor authentication).

Important characteristics include:

  • Access – Accessible from all devices and browsers
  • Detect – Automatically detect and save from any account
  • Secure – Advanced encryption, two-factor authentication, etc.

Pricing varies from free (for the slimmed-down, single-device versions) to annual subscriptions that range from $9.95 to $49.99 per year.

Several publications2 have reviewed password managers; the top performers:

  • LastPass 3.0 – Cloud-based and powerful yet flexible; free version available, but upgrade (at $12/year) to LastPass Premium for mobile-device support
  • DashLane 2.0 – Feature laden with an easy-to-use interface; free version, but $29.95/year to synchronize all devices and get priority support
  • RoboForm Everywhere 7.0 – Cloud-based at $9.95 for first year

Other password managers (in alphabetical order):

  • 1Password for Windows – $49.99 per user
  • F-secure Key – $15.95
  • Handy Password – Starts at $29.92
  • KeePass – Free
  • Keeper – Subscription at $9.99/year
  • My1login – Free for 1 to 3 users; $22 for 4 to 10 users
  • Password Box – Free version with subscription at $12.00/year
  • Password Genie 4.0 – Subscription at $15.00/year
  • PassPack – Free version with subscription at $12.00/year
  • PasswordWallet – $20.00

I like LastPass; the free version is easy to use and my login data is available from anywhere (with Internet access).  Plus, I like having the application locally on my PC (even though my data is stored at LastPass in encrypted format).

1. Taken from Wikipedia at http://en.wikipedia.org/wiki/Password_manager.

2. Recent password-manager reviews:

They’re back: Telephone scammers

Yes, they have returned:  The IRS and National Grid are both warning of telephone scammers that call and demand fictional, past-due payment.

The IRS scammers1 are very specific; they call and threaten immediate arrest, loss of driver’s license, and seizure of assets.  They may leave a message requesting a callback; follow-up callers may pretend to be from the local police or the DMV.

Characteristics of these scams can include2:

  • Scammers use fake names and IRS badge numbers. They generally use common names and surnames to identify themselves.
  • Scammers may be able to recite the last four digits of a victim’s Social Security Number.
  • Scammers “spoof” or imitate the IRS toll-free number on caller ID to make it appear that it’s the IRS calling.
  • Scammers sometimes send bogus IRS emails to some victims to support their bogus calls.  (Note:  The IRS does not use email to contact taxpayers.)
  • Victims hear background noise of other calls being conducted to mimic a call site.

Best advice:

  • Do not engage the caller in a conversation
  • Do not provide personal information
  • Hang up the phone immediately
  • Call the IRS at 800-829-1040

National Grid3 does call customers to request payment and to warn of a potential service interruption due to non-payment, which makes it tougher to separate a legitimate call from a scammer.  If in doubt:

  • Ask the caller to provide the last five digits of your National Grid account
  • Do not provide your account number or any other personal information
  • Contact National Grid at 800-322-3223

1. Thank you to Nancy Goedecke, EA, of Taxes and Money Management who provided the notice on the IRS scammers.

2. Taken from http://www.irs.gov/uac/Newsroom/IRS-Releases-the-“Dirty-Dozen”-Tax-Scams-for-2014;-Identity-Theft,-Phone-Scams-Lead-List.

3. Taken from National Grid’s July/August 2014 issue of WeConnect.

Protect your mobile device

The need to secure newer mobile devices (smartphones, tablets, etc.) has grown since they now meet the basic criteria for malicious, cyberspace-based attack:

  • Developer kits are readily available
  • Mobile devices are in widespread use throughout the world
  • Motivation is increasing since usable/saleable data live on these devices

In addition, BYOD (Bring Your Own Device) has introduced related, security-oriented concerns and complexities:

  • How can we accommodate personal equipment in the workplace, particularly when two-thirds of 20-something workers in a recent survey from research firm Vision Critical state that “they, not the company, should be responsible for the security of devices used for work purposes”?1
  • How do we manage the large variety of mobile devices, many with differing operating systems, processing capabilities, and user interfaces?
  • How do we structure our security offerings to permit broad access to low-risk functions while restricting high-risk activities on a need-to-have basis?

Protecting a smartphone (or tablet) gets easier if you take the perspective of Garin Livingstone, one of our technical staff, who pointed out: “It is just a small computer; all of the same security concerns and rules that apply to PCs also apply to smartphones.”

As described in a recent InformationWeek article2, corporate response from the IT department should consist of these three stages:

  • Set policy for mobile device use
  • Train users
  • Enforce

1. Policies

Mobile-device-use policies should protect company data, while enabling employees to do their jobs efficiently.  The policy should protect, but not inhibit, the use of data from a mobile device; this usually requires the protection of the device itself with a strong focus on what data is available and where it will reside.

Some policy suggestions:

  • Device:
    • Deploy an anti-malware utility set to scan automatically
    • Set continuous updates of operating system and anti-malware utility
    • Encrypt company data (if stored on the device itself)
    • Back up data to a secure site (preferably daily)
  • User:
    • Require passwords and make them complex
    • Set an auto-lock period of five minutes or less
    • Set browsers to high-security mode
  • Remote access:
    • Access data/applications securely via SSL, HTTPS, or VPN technologies
    • Provide virtualized access to data stored at the corporate site

2. Training

Training is an important, early step in any process; informing end-users of the need to secure their mobile devices is critical.  Recommended training topics:

  • Why we need to authenticate and encrypt
  • How to reduce the risk of loss or theft
  • How to safely deploy new applications
  • How to securely back up your data

Authenticate and encrypt

Authentication is the process of confirming that the end-user is authorized to use the mobile device in a prescribed manner.  It is typically handled through a username with a complex password that is changed frequently.  (A complex password requires at least three of four character options – capital letter, lower-case letter, numeric, and special character – with at least eight characters.)
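As an added example (not part of the original article), the PowerShell function below applies the complexity rule just stated: at least eight characters and at least three of the four character classes (capital, lower-case, numeric, special).  The function name, its parameter names and the sample passwords are constructed for this illustration; the rule itself is the article's.

```powershell
# Added example, not from the original article: tests a candidate password
# against the rule stated above (eight or more characters, at least three of
# the four classes: capital, lower-case, numeric, special).
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Password,
        [int]$MinimumLength = 8,      # the article's minimum length
        [int]$RequiredClasses = 3     # the article's "three of four" rule
    )

    # -cmatch is PowerShell's case-SENSITIVE regex operator. The default -match
    # ignores case, so 'abc' -match '[A-Z]' is true and would wrongly count as
    # containing a capital letter.
    $classes = [ordered]@{
        Capital   = [bool]($Password -cmatch '[A-Z]')
        LowerCase = [bool]($Password -cmatch '[a-z]')
        Numeric   = [bool]($Password -match '[0-9]')
        Special   = [bool]($Password -match '[^A-Za-z0-9]')  # anything else, spaces included
    }
    $present = @($classes.Keys | Where-Object { $classes[$_] })

    $lengthOk  = $Password.Length -ge $MinimumLength
    $classesOk = $present.Count -ge $RequiredClasses

    # Report the shape of the password, never the password itself.
    [pscustomobject]@{
        Masked         = '*' * $Password.Length
        Length         = $Password.Length
        ClassesPresent = ($present -join ',')
        LengthOk       = $lengthOk
        ClassesOk      = $classesOk
        Compliant      = ($lengthOk -and $classesOk)
    }
}

# Constructed sample inputs. Expected: only 'Passw0rd' and 'Tr0ub4dor&3' comply.
# 'Pa1!' has all four classes but is too short; 'Password' has only two classes;
# the passphrase is the longest input but contains only lower-case letters and
# spaces (two classes), so a pure class-count rule rejects it.
'password', 'Password', 'Pa1!', 'Passw0rd', 'Tr0ub4dor&3', 'correct horse battery' |
    ForEach-Object { Test-PasswordComplexity -Password $_ } |
    Format-Table Masked, Length, ClassesPresent, LengthOk, ClassesOk, Compliant -AutoSize
```

The table makes the rule's two weak spots visible: a class-count rule passes short, predictable strings such as Passw0rd while rejecting long passphrases, which is one reason to pair it with a minimum length well above eight or with a blacklist of common passwords.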

Increasingly, biometrics (fingerprint verification, eye-scans, etc.) are playing a role in authentication.

Sensitive data should be encrypted to make it unreadable if the device is lost or stolen.  (Encryption scrambles the content, making it unreadable to anyone without the capability to decrypt it.)  Authentication is required to decrypt and access the data.

Reduce the risk of loss or theft

Cell phones are easy targets for theft; they can be sold on-the-street and are (still) easily programmed to a new service on a cellular network.

To prevent theft:

  • Be vigilant; know where your cell phone is at all times and keep it close to your body.  (It doesn’t always help:  One of our clients had his cellphone taken right from his hand by a man on a bike on a busy city street; the bicyclist also gave him a kick to discourage pursuit.)
  • Install phone-tracking software
  • Install a physical locking device

Safely deploy new applications

Mobile-device users download applications through app stores installed on the device.  App stores are increasingly targeted areas for malware distribution; only trusted and approved applications should be downloaded and deployed.  (Most app stores have responded by requiring additional security precautions from their customers.)

For company-owned devices, end-users should have specific guidelines on what applications can or cannot be deployed; ideally, an enforcement mechanism would be installed on the mobile device to ensure these policies are followed.  For employee-owned devices, this policy may need to be recommended rather than required.

Securely back up your data

To prevent loss or inadvertent deletion, data stored on a mobile device (pictures, documents, contacts, etc.) should be backed up in an encrypted format to a separate, secure location.

Backups should be required on devices owned by the organization and strongly recommended for individually owned devices.  Backups should be scheduled periodically and verified.

Online, consumer-oriented backup and file-storage applications – spritemobile, DropBox, Mozy, SugarSync – are somewhat restricted by the mobile-device operating system in what types of data they can back up; typically contacts, calendars, tunes, and photos.  Full backups are usually done through tethering (attaching the phone to an external device).

Visit Enterprise Security Policies for Mobile Device Backup and Restore at Dummies.com for an informative article on mobile-device backup.

3. Enforcement

Enforcement is usually assisted through a Mobile Device Management (MDM) tool; typically a software-based application that requires an agent be installed to the mobile device.  Once installed, this agent connects back (remotely) to a central console from which an administrator can monitor, manage, and secure the mobile device and also support its user.

MDM features typically include:

  • Enforce user security policy:
    • Require complex password with frequent changes
    • Permit remote access only via SSL or VPN
    • Lock-down browser settings
    • Enable encryption
  • Recover lost or stolen devices:
    • Activate alarm (set off an audible alarm on the device)
    • Enable track and locate (track and locate the device via GPS)
    • Permit remote wipe (complete erasure of the device as a last resort)
  • Control mobile device applications:
    • Recognize and prevent installation of unauthorized applications
    • Permit whitelisting and blacklisting of applications
    • Restrict or block application stores
  • Remotely deploy and configure applications (email, etc.)
  • Audit the mobile device for installed software, configuration, and capacity

ComputerWorld has a comprehensive article on the challenges of MDM.  View it at Mobile device management: Getting started.

MDM Tools

To support our mobile device clients, we use the MDM capabilities built into Kaseya, our Remote Monitoring and Management tool.  Other MDM providers include:

  • AirWatch
  • LabTech
  • MobileIron
  • Symantec
  • Zenprise

While MDM provides a comprehensive tool, it can be costly to procure and support.  Many companies utilize a trusted business partner (like Bryley) to provide MDM tooling, monitoring, and support for their mobile devices on an ongoing basis with pricing that ranges from $15 (in quantity) to $75 per device per month.

Non-MDM Tools

Alternatively, Microsoft Exchange 2010 offers many MDM-type features through Exchange ActiveSync (EAS), an included protocol whose features are licensed per user or per device through a Client Access License (CAL).  The Exchange 2010 Standard CAL licenses:

  • Password security policies
  • Encryption required
  • Remote wipe

The Exchange 2010 Enterprise Add-On CAL licenses advanced features including:

  • Allow/disallow Internet browser, consumer email, unsigned installation, etc.
  • Allow/disallow removable storage, Wi-Fi, Internet sharing, etc.
  • Allow/block specific applications
  • Per-user journaling
  • Integrated archive

Exchange Server Standard 2010 is $709; Standard CALs are $68 each while the Enterprise Add-On CAL is an additional $42 each (based on list prices for business).

Main difference between MDM and EAS: Most MDM tools provide greater control over the mobile device during its lifecycle and can provide control over the device even before email is configured.
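The policy suggestions given earlier (complex password, auto-lock of five minutes or less, encryption of company data, control over installed applications) map directly onto the EAS features just listed.  The following is an added example, not from the article or from Microsoft's documentation, of expressing them as an Exchange 2010 ActiveSync mailbox policy from the Exchange Management Shell.  The policy name, the 90-day password expiry and the mailbox address are placeholders chosen for the illustration, and the allow/disallow values are one possible baseline rather than a recommendation from the article.

```powershell
# Added example, not from the original article: an Exchange 2010 ActiveSync
# mailbox policy that enforces the mobile-device suggestions listed earlier.
# Run from the Exchange Management Shell. 'MobileBaseline' and the mailbox
# address are placeholders.

# Standard CAL features: device password rules and required encryption.
# (Remote wipe is not a policy setting; it is issued per device, see below.)
$standard = @{
    Name                               = 'MobileBaseline'
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8             # at least eight characters
    MinDevicePasswordComplexCharacters = 3             # three of the four character classes
    AllowSimpleDevicePassword          = $false        # rejects 1234, 1111 and similar patterns
    DevicePasswordExpiration           = '90.00:00:00' # force a change every 90 days (assumed interval)
    DevicePasswordHistory              = 5             # block reuse of the last five passwords
    MaxDevicePasswordFailedAttempts    = 10            # device wipes itself after ten wrong attempts
    MaxInactivityTimeDeviceLock        = '00:05:00'    # auto-lock after five minutes of inactivity
    RequireDeviceEncryption            = $true         # encrypt company data stored on the device
    AllowNonProvisionableDevices       = $false        # a device that cannot apply the policy is refused
}
New-ActiveSyncMailboxPolicy @standard

# Enterprise Add-On CAL features: per-feature allow/disallow. These values are a
# sample baseline, not the article's recommendation; each organization decides.
Set-ActiveSyncMailboxPolicy -Identity 'MobileBaseline' `
    -AllowBrowser $true `
    -AllowConsumerEmail $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -AllowStorageCard $false `
    -AllowInternetSharing $false

# Apply the policy to a mailbox (placeholder address), then confirm the
# settings the policy actually carries.
Set-CASMailbox -Identity 'user@example.com' -ActiveSyncMailboxPolicy 'MobileBaseline'
Get-ActiveSyncMailboxPolicy -Identity 'MobileBaseline' |
    Format-List DevicePassword*, MaxInactivityTimeDeviceLock, RequireDeviceEncryption, Allow*

# Audit which devices have synchronized with the mailbox (the "audit the device"
# item in the MDM feature list); a device reported lost or stolen can then be
# wiped by its identity as a last resort.
Get-ActiveSyncDeviceStatistics -Mailbox 'user@example.com' |
    Format-Table DeviceType, DeviceModel, DeviceOS, LastSuccessSync, Identity -AutoSize
# Clear-ActiveSyncDevice -Identity '<DeviceIdentity from the list above>'   # remote wipe
```

AllowNonProvisionableDevices is the setting that decides whether the policy is enforced or merely requested: left at its default of true, a device that cannot apply the password or encryption settings still synchronizes mail, which is the gap the article's "Enforce" stage is meant to close.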

Other recommended tools include:

  • Anti-malware: AVG Mobilation – From free to $9.99 for Pro version
  • Protect and find phone via key-case fob – Kensington Bungee Air at $79.99

First step suggestions

These are our minimum, first-step suggestions:

  • Deploy anti-malware software immediately and manage it continuously
  • Require a password to unlock the device and set a short auto-lock time
  • Update mobile devices through vendor-approved patching
  • Enable on-board encryption if handling sensitive data

Visit 10 Steps to Secure Your Mobile Device for detailed recommendations on securing your mobile device.

References:

1. Visit Network World at http://www.networkworld.com/news/2012/061912-byod-20somethings-260305.html to review the article “Young employees say BYOD a Right not Privilege” by Ellen Messmer.

2. Please review the May 12, 2012 InformationWeek article “Mobile Security Gaps Abound” at informationweek.com by Michael Finneran.

For more information, please email Info@Bryley.com or call us at 978.562.6077.

The problem with Heartbleed

Heartbleed is a much-publicized security flaw in the OpenSSL cryptography library; an update to this OpenSSL flaw was published on April 7th, 2014, which was (coincidentally?) the same day that the flaw was disclosed.

OpenSSL runs on secure web servers certified by trusted authorities; it is estimated that about 17% of secure web servers may be vulnerable to an attack based on the Heartbleed flaw, which could compromise the server’s private keys and end-user passwords and cookies.

Fortunately, most organizations with secure web servers have taken steps to identify and fix this flaw.  And, to date, no known exploitations of this flaw have taken place.

Unfortunately, this flaw has been around for over two years and leaves no traces; if exploited, there would be no ready evidence that anything was wrong.

At the moment, there is not much any end-user can do except to log out of any secure web server that has not been patched.  (See http://filippo.io/Heartbleed/, a site created by Italian cryptographer Filippo Valsorda, which claims that it can identify unpatched servers.)

http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/index.html contains an informative article and video by Jose Pagliery at CNN Money.

Living with Windows XP

Microsoft has officially ended general support of Windows XP, but many have not updated or replaced their Windows XP PCs.  Although we recommend against continuing to use Windows XP, particularly in any Internet-facing role, there are some steps that can be taken to reduce the risk of remaining on this platform.

The easiest, but least practical, solution would be to disconnect all Windows XP PCs from the Internet or to limit their access to it.  This step would remove exposure to outside sources, but it reduces the usefulness of these PCs.

The second-most effective strategy would be to replace older versions of Internet Explorer (IE) with a supported Internet browser; replacing IE with Mozilla Firefox or Google Chrome will reduce, but not eliminate, the risk of using a Windows XP PC to browse the Internet.  (Windows XP originally released with IE 6, but most Windows XP systems are now running version 7 or 8.  The current version of IE is 11.)

Updating to Mozilla’s Firefox is easy:

Please see http://www.zdnet.com/windows-xp-support-ends-survival-tips-to-stay-safe-7000028188/ for more information from Charlie Osborn of ZDNet.  Or, visit http://www.computerworld.com/s/article/9246877/US_CERT_urges_XP_users_to_dump_IE?source=CTWNLE_nlt_pm_2014-03-11 for a similar message from Gregg Keizer of ComputerWorld.

Additional steps to reduce Windows XP risk include:

  • Disable the ability to add new applications to a Windows XP PC
  • Remove administrative rights of all Windows XP users
  • Disable ports and drives on Windows XP PCs

See the article from Toby Wolpe of ZDNet at http://www.zdnet.com/windows-xp-support-end-10-steps-to-cut-security-risks-7000028193/.

Fitness regime for your IT equipment: Keep it clean, cool, and empowered

IT (Information Technology) equipment is somewhat temperamental; it requires reasonable temperatures; stable, uninterrupted power; and some air flow to operate efficiently.  Cleanliness is important.  Here’s how to keep it toned.

IT equipment should be kept in a clean, neat, and (preferably) dust-averse/static-resistant area; walls with painted surfaces, tiled or coated floors without carpeting, etc.  Fire-suppression equipment is a plus, but cannot be water-based.

Access should be restricted; a separate, locked room is ideal, but a closet with sufficient space and air flow can work for smaller sites.

Dust is the enemy of fans and electrical components; a reduced-dust environment and regular cleaning of equipment fans can lengthen the life of most items.  (Note: cleanings should be performed when equipment is powered-down, which is not always desirable or feasible.)

The area should have dedicated electrical circuits with sufficient amperage to match the power requirements of the equipment.  We also recommend an Uninterruptible Power Supply (UPS) for all critical items (and require them for equipment that we cover under our Comprehensive Support Program); the UPS provides emergency power when the input-power source is unavailable, but it also helps to regulate fluctuations in power, both spikes/surges (voltage overload) and brown-outs (reduction in voltage) that can damage sensitive equipment.

Cooling and humidity control are very important; most equipment runs optimally within a narrow range of temperature (64° to 81° Fahrenheit) and at a relative humidity of no more than 60%.  HP, in an effort to be “greener”, lists current specifications on its DL360 server that provide a wider range of 50° to 90°F with 10% to 90% humidity (non-condensing).  However, cooler temperatures do make things last longer.  (The DL360 will actually throttle back the CPU when the air-inlet sensors detect temperatures over 85°F.)

The area should have continuous air flow (to provide new, cool air while removing heated air that is exiting the equipment) and remain uncluttered to facilitate this air flow.  A dedicated A/C unit combined with a closed door is optimal; locating all equipment within a rack enclosure (with blanking panels over open areas) can enhance air flow.

TechAdvisory has 9 tips at http://techtimes.techadvisory.org/2011/11/9-steps-you-must-know-to-prevent-a-server-crash/.

Comparing Cloud-based services – Part 4: Prevention

Many Cloud-based services fall into one of these categories:

  • Productivity suites – Applications that help you be more productive
  • Storage – Storing, retrieving, and synchronizing files in the Cloud
  • Backup and Recovery – Backing-up data and being able to recover it
  • Prevention – Prevent malware, spam, and related components
  • Search – Find items from either a holistic or from a specialty perspective

In this issue, we’ll explore popular, Cloud-oriented options within Prevention, the highlighted item above, and compare them with one another.

Prevention is a necessary evil; it can slow end-point performance (since these tools are using computing resources to constantly scan for problems), but it is critical in keeping end-users safe from external threats like spam, malware, and viruses.  Cloud-oriented Prevention includes:

  • Email protection – Control spam plus encrypt and archive emails
  • End-point security – Secure end-user computers against attacks
  • Web filtering – Prevent unauthorized access to undesired websites

Email protection is wholly Cloud-based, but end-point security tools usually deploy an application onto the end-user computer, while web filtering requires at least an adjustment to the end-user computer (i.e., configuring it to use a proxy server) or an application installed on it.  We’ll cover only Cloud-based email protection in this article.

Key issues for email-protection options include:

  • Administration – Easy setup and enforcement
  • Effectiveness – Works reliably and consistently
  • End-user interface – Intuitive, secure, and easy-to-use
  • Granularity – Allows multi-level policies and permissions

Popular, email-protection options (alphabetically) include:

  • Google Message Secure (formerly Postini; now bundled within Google Apps)
  • McAfee® (now Intel Security) SaaS Email Prevention and Continuity
  • Microsoft® Exchange Online Protection
  • Proofpoint Essentials Business
  • Symantec Email Security.cloud (formerly MessageLabs)

Google Message Secure (GMS)

GMS was one of the best products at an excellent price of $12/user per year.  In 2013, Google discontinued GMS as a stand-alone service and bundled it within Google Apps.  Former GMS clients will retain the $12 pricing for a period of time, but will eventually pay the Google Apps for Business price of $50/user per year.

Visit http://www.google.com/postini/ for details on this transition.

McAfee SaaS Email Prevention and Continuity (MEPC)

Intel is currently rebranding McAfee within Intel Security; no timeframe on the conversion, but the McAfee logo (a red “M” on a shield) will remain associated with these services.

MEPC prevents spam, but also includes Continuity, which allows end-users to retrieve and send email even if their email service is unavailable; once the email service becomes available, all emails received and sent via MEPC are then resynchronized with the email service.  The price is $27/user per year.

McAfee also offers email encryption and email archiving.  (Please visit our site at http://www.Bryley.com/services/email-management/ for details on MEPC and related offerings.)

Microsoft Exchange Online Protection (EOP)

Microsoft provides email protection and archiving within its Office 365 suite, but also offers it as a stand-alone service under EOP, although it is directed solely at Exchange-based email.  In addition to spam and malware prevention, you can establish content and policy-based filtering to ensure outbound emails do not violate company standards.  Price is $12/user per year.

Visit http://office.microsoft.com/en-us/exchange/microsoft-exchange-online-protection-email-filter-and-anti-spam-protection-email-security-email-spam-FX103763969.aspx for details on EOP.  Or, visit our site for information on Office 365 at http://www.Bryley.com/office365/.

Proofpoint Essentials Business

Proofpoint Essentials Business is a comprehensive offering that classifies security threats and then manages against their intrusion.  Outbound filtering, content filtering, and 14-day spooling are included; archiving is also available.  Proofpoint Essentials Business starts at $26.40/user per year.

Please visit http://essentials.proofpoint.com/ for more information.

Symantec Email Security.cloud

Symantec recently acquired the MessageLabs spam filter and rebranded it within its Symantec.cloud services under Email Security.cloud.  It protects against targeted attacks, malware, spam, and the like using proprietary Skeptic technologies.  Content filtering is included; email encryption is available.

See http://www.symantec.com/email-security-cloud for details.

Upcoming Event: Business Lawyers Network (BLN) February Meeting – Get into the Cloud!

Date: Tuesday, February 11, 2014 at 7:30am

Topic: “Use Cloud Services to streamline your practice while protecting yourself from external threats”

Speaker: Gavin Livingstone, President, Bryley Systems

Place: Offices of Brier & Geurden LLP, 160 Gould Street, Ste. 320, Needham, MA

OVERVIEW

Everyone is talking about, or taking to the “Cloud.” You may be asking yourself, “what is the Cloud and how can I get some for myself?” Or you’re wondering “will I and my client data be safe in the Cloud?” In this program, you will learn the hows of the Clouds, including:

• How to compare popular Cloud services.
• How to secure your systems from spyware, spam, and unauthorized access.
• How to ensure the integrity of your valuable data, whether inside your office or out in the Cloud.

ABOUT THE SPEAKER

With over 30 years of experience in the computer and telecommunications industries, Gavin Livingstone has considerable knowledge of leading-edge technologies and business-productivity tools. In 1987, he founded Bryley Systems Inc., a computer-networking and maintenance firm, and has successfully steered Bryley Systems to its current size of 12 employees with over 200 clients in eastern and central Massachusetts. Mr. Livingstone is a Novell Master Certified Netware Engineer (v5), a Microsoft Certified Systems Engineer (v3.51), and a Boston College MBA.

CryptoLocker Case Study

The following event depicts a real-life malware attack that infected a New England manufacturing firm. The company has chosen to share its story anonymously to help other businesses avoid a similar fate.

The unsuspecting sales rep certainly reacted in a way anyone would expect. He received an email with a voicemail attachment that looked like it came from the company CEO. When the CEO calls, reps jump to attention, and at this particular manufacturing firm based in New England, the business relies on a communication system that sends voicemails as email attachments. So the sales rep had no reason to suspect anything was wrong.

As it turns out, something was very wrong.

Click the link below to read the full article.

Bryley — CryptoLocker Remediation — 2013