Envision IT - Louisville Computer Support

Tag

// network security
JUN
12
2014
Louisville Network Security & IT Support

10 IT security risks that small businesses can’t afford to ignore

 By Ellen Messmer, Network World |  Security

Generally thought of as having up to 500 employees, small businesses constitute the vast majority of companies in the United States, making them a critical part of the economy. Their customers naturally expect personal and financial data to be kept secure, and a data breach is a painful and expensive ordeal. Like the larger enterprises, small businesses that accept payment cards have to follow Payment Card Industry rules. It can be daunting for a small business that may not even have an IT department to think about how to tackle network security.

But here are 10 top tips to get started:

1. Business managers need to gain the basic knowledge of where the most important data is held, whether it’s on site in traditional desktops and servers, or in cloud services and mobile devices (including possibly those in “Bring Your Own Device’ arrangements).

Whether this knowledge is presented by the in-house IT manager or an outside technology provider, the data storage, access permissions and data processing should be documented, including whatever security controls are in place. There needs to be a conscious decision by business and technology managers, preferably with legal advice, that these security controls are adequate relative to risk. That lays the foundation for what is also needed: a back-up and disaster recovery plan.

2. Bad things happen to good businesses. Floods, fires, earthquakes, the outside thief and the insider threat, and of course malware are all factors that can impact the safety of stored data.

Automate the back-up process. Since virtually every business now depends on some form of computer processing, ask the question how employees could proceed if your physical site is suddenly not available. Plan for disruptions that could last weeks if not months — and test it to make sure it’s viable.

3. Train employees about the nature of today’s cyber-attacks. SMBs tend to think that cyber-criminals are going after the really big guys, not them, but that’s simply not true.

Cyber-criminals in particular target SMBs to compromise the PCs they use for online banking and payments in order to commit fraud in a big way by emptying out business accounts. Unfortunately, there’s actually less protection for recovery of stolen funds under the law for businesses than for consumers. Banks may even give the small business a hard time, questioning the security it has in place. How does cybercrime often begin? In many cases, the victim opens a “phishing” e-mail message with an attachment laden with malware that will let the attacker begin infiltrating the network. To tamp this down, spam filters should be in place to try and catch phishing e-mails and other junk. But some of it, especially highly targeted, will get through and employees should be trained not to open anything that seems even remotely unusual. Because web-based malware is also commonplace, applying Web-surfing controls on employees’ Internet use is also a good idea. The big companies are starting to use advanced malware protection systems that can track targeted attacks in various ways, and small businesses should too — if it’s affordable. There is also a strong argument to consider setting up a dedicated computing resource strictly for online funds transfer. There are many phone-based social-engineering scams out there now as well and employees need to be wary.

4. Deploy the security basics. That means firewalls for wireless and wired-based access points, and anti-malware on endpoints and servers, acknowledging that traditional signature-based anti-virus is a limited form of defense.

Consider technologies such as ‘whitelisting’ to prevent computer software downloads. Over the years, security vendors have frankly conceded they’ve often had a hard time marketing to SMBs, establishing channels of sales and support, and often tried to create editions of their basic products oriented towards fewer numbers of users and less technical expertise to manage them. But some practices are critical for all: Be rigorous about patching all operating systems and applications as quickly as possible. If your business is short-staffed in terms of security expertise, seek outside technical support under a managed security services arrangement. If there’s a malware outbreak, for instance, you will need that expertise. Read articles, join technology user groups, speak with industry colleagues to get tips about outside assistance. Keep in mind that if your business accepts payment cards, it’s mandatory to adhere to the data privacy requirements spelled out in the PCI guidelines, which also includes encrypting sensitive information. The government’s HIPAA and HiTech security rules also require encryption of personally identifiable information in the healthcare industry. Encryption of data at rest and in transit is just a good idea — so why not do it?

5. When disposing of old computers and other devices that store data, remove the hard disks and destroy them.

This goes for other types of media, too. And don’t forget paper holding sensitive information as well.

6. Get detailed when it comes to each individual’s access to data.

This takes time, but determine what employees or outside business partners really need to have in terms of network and applications to do their jobs. Keep a record of this and consider using more than passwords, perhaps two-factor authentication or even biometrics. This also goes for systems administrators, whose jobs give them huge power over all the information systems in use. Options include requiring a dual-authentication process — something the National Security Agency claims to be doing more vigorously after former NSA tech contractor Edward Snowden leaked all those secrets. Your business is probably not as top secret as the NSA’s, but your internal network and all the most critical data may well be under the control of a sys admin whether you think about that or not. And finally, have procedures for immediate de-provisioning of access and credentials when an employee departs or a business arrangement is altered.

7. Trust but verify, as the old saying goes.

Do official background checks on prospective employees to check for criminal history (some companies are even evaluating prospective employees by looking at what their public social media history might indicate about them).

And when it comes to technology vendors or cloud service providers, make sure whatever they promise is in a signed contract with some kind of consequences spelled out for failure to deliver. Consider paying a visit to data-center operations operated by business partners with whom you plan to electronically share your customer data, for example, and have them provide details on their security, backup and personnel involved.

8. The era of mobile smartphones and tablets is here and it’s disruptive.

Whether a transition to using smartphones or tablets in your business has begun or not, the recognition needs to be there that they represent new operating system platforms with different security requirements and methods of updating and control than older PCs and laptops.

Though the mobile-device marketplace is fast-paced in terms of change, both business and IT managers alike should be strategizing on the management and security options — and that includes “Bring Your Own Device” situations where employees are allowed to use their own smartphones and tablets for business. It will mean balancing the security needs of the business with the personal data usage of the individual, who after all, owns the device.

At the very least, BYOD raises legal questions since business data is no longer being held on a device issued directly by the business. Mobile-device management software is often in consideration for use, with the question of whether to move to so-called “containerization” options for data segmentation. If it’s any comfort, the big companies are all struggling with questions like these as part of the mobility revolution. There are no pat answers.

9. Don’t forget physical access in all this.

There should be a way to prevent unauthorized individuals from getting near business computer resources. That might mean the cleaning crews at night as well. Challenge unexpected visitors in a polite but determined way.

10. Though the business may be small, think big. Focus on policy.

That means devising an employee acceptable-use policy that clearly defines how employees are expected to behave online, how data is to be shared and restricted. Have them read and sign it, making it clear if there’s monitoring of online activities. There should be possible penalties for non-compliance. But just clamping down on employees is not usually a way to encourage the kind of creative thinking and productivity that businesses need in the world where online communications is critical. The challenge is finding the right balance.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com

MAY
30
2014
Louisville Microsoft Tech Suppot

How Microsoft’s Internet Explorer Fix Reinforces the Need for Proactive IT Management

On Thursday, May 2nd, Microsoft issued an out-of-cycle security update to address the Internet Explorer security flaw publicly disclosed last week. The remote code execution vulnerability lured IE users, who make up over half of the Internet browser share, to click on malicious links, which potentially could have then granted hackers full control of individual PCs.

Microsoft reported that only a limited number of targeted attacks had been identified, but still urged users of Internet Explorer versions 6, 7, 8, 9, 10, and 11 to immediately install the patch. They even showed a little mercy on Windows XP users by pushing the update to that outdated OS, too. “When we saw the first reports about this vulnerability, we decided to fix it, fix it fast, and fix it for all of our customers,” said Adrienne Hall, general manger of Microsoft’s security unit.

This all-encompassing patch should resolve any Internet Explorer issues. However, don’t let the fix keep you from always following these rules of the road for smart, secure Internet usage:

DO NOT click ANY embedded links in email messages or on public web pages unless you know the sender or source DO NOT browse public web pages from PCs that access confidential data like credit card, protected health, or personally identifiable information Call a trusted IT provider BEFORE clicking on anything that appears suspicious, or if you think your computer has been affected

 

So how will this fix be implemented?

Microsoft said that, for customers who have automatic updates turned on, the security patch would install automatically. But many computers are wary of such programmed updates — and many don’t know how to verify they’re enabled.

Which is where proactive IT maintenance and monitoring comes in. Envision IT’s around-the-clock service began deploying the Internet Explorer patch less than 12 hours after Microsoft issued it, and many of our clients had it installed on their machines when they showed up to work on Friday. All without stressing over whether to click “Yes” when prompted for an unfamiliar update or waiting for an internal IT resource to come by their desk and manually install it.

Beyond keeping your computer safe from the hackers behind this recent Internet Explorer bug, how else can proactive IT services benefit your business?

  • By keeping your employees productive and efficient, which saves you money
  • By keeping your data and network secure, which gives you peace of mind
  • By keeping your systems running 24/7, which allows you to better serve your customers
  • By keeping your IT goals in focus, which helps you strategize for the future
  • By keeping human intelligence — high-level consultants, help desk technicians, and on-site support — in charge of your technology, which provides a valuable competitive edge in today’s rapidly evolving marketplace

 

Want to stop worrying about the security of your systems? Ready to stop spending hours trying to fix issues yourself? Contact Envision IT today to find out how we combine superior customer service with complete, proactive IT support.

AUG
14
2013
Envision IT - Louisville Network Security

5 Tips for Business Security

No business is too small for cyber-thieves to target. For National SMB Week, here are a few ways small businesses
can protect their data from thieves and their customers from malware.

By Fahmida Y. Rashid
Article Date: June 30, 2013 / PCMag.com

The most pervasive security myth is the one that has business owners sticking their heads in the sand,
ostrich-style. “It won’t happen to me,” small business owners say when they hear about targeted attacks,
phishing scams, and sophisticated malware. “I’m too small for the criminals to bother with,” they think,
when they hear about data breaches, network intrusions, and website attacks.

If that was ever true, it’s wishful thinking today. It’s increasingly clear that cyber-criminals don’t look at the
size of the company when launching their attacks. Data is data, and even the smallest organization has
valuable data the criminals can steal and sell. The days of “I’m too small for them to find me” are long
gone. In many cases, the small business may just be a stepping point in a chain of attacks, with the
criminals targeting the smaller and weaker networks as part of a comprehensive campaign against larger
partners.

Both the volume and sophistication of attacks are growing, making it difficult for SMBs to keep up their
defenses. In honor of National SMB Week, the Certificate Authority Security Council has provided a few
simple steps SMBs can follow to secure their online presence. With these tips, business owners can make
sure their site visitors can safely visit, search, enter personal information, and complete a transaction.

Passwords Are Essential

The first suggestion is to “Create unbreakable passwords” for accounts related to your online presence,
such as the domain registrar, hosting account, SSL provider, social media, and PayPal, among others,
said Rick Andrews, technical director of Symantec, on the behalf of CASC. While there is a lot of
discussion about the need for better authentication schemes, passwords are still the main way to protect
online accounts, making strong passwords essential.

Criminals can easily set up computers to cycle through random combinations to brute-force attacks. If the
password is weak, this process takes very little time. PCMag.com recommends using a password
manager
to randomly generate strong passwords and to store them securely. If the service offers
two-factor authentication, you should really take advantage of the extra layer of protection.

Scan Your Sites

Websites can be infected with malware, just like your PC. Regularly scan your site for vulnerabilities and
malware. Attackers can take advantage of vulnerabilities to infect the site with malware or inject malicious
code to redirect visitors somewhere else. Infected sites may load slowly, display unwanted
advertisements, and infect user computers with malware. Look for a site scanner—something like
StopTheHacker Web-Malware Scanning, that will monitor your site for problems and alert you when
necessary.

Update & Patch

Is your Web server regularly being updated and patched? It’s not just the server, though—your Website
also needs to be regularly patched. If you used a popular content management system (CMS) such as
WordPress or e-commerce platform such as Zen Cart, then you need to make sure you are updating your
software regularly. Attackers frequently target plugins in WordPress, so installing patches regularly is a must.
Check with your hosting provider or site maintainer to find out if all the software is being updated on a regular basis.

“Updates must be installed on your website, just like installing the latest
Windows Updates on your PC,” Andrews said.

SSL Certificates

Consumers need to trust you are a legitimate business, and SSL certificates help verify your identity. No
site should attempt to collect personal information or e-commerce without a trustworthy SSL certificate to
assure users their information is safe.

Don’t Lose Control

No matter who you hire to work on your site, the business should always retain control of the domain
name, SSL certificate, and actual Website. It’s all too common for business owners to hire someone to
build their website, and when that person leaves, there goes the only person with access to the SSL,
domain name, and hosting account. It’s harder to add people to the account or transfer ownership when
the original account holder is not around. If building and maintaining the website is outsourced to a third
party, make sure someone within the organization is also on the accounts to retain control. If the
employee leaving is the one who had access to the accounts, make sure to add a new person to the
account beforehand. This way you will be able to still manage your certificate, domain name, and hosting
account.

This article originally published June 30th, 2013 on PCMag.com

JUL
31
2013
Louisville Firewall Support & Network Security

Why Your Business Needs A Firewall

What is a Firewall?

Firewalls provide protection against outside attackers by guarding your network from malicious or unnecessary Internet traffic. Firewalls can be configured to block data from certain locations while allowing the relevant and necessary data through. They are especially important for users who rely on continually accessible connections.

Firewalls, whether hardware of software (or a combination of the two), provide a security boost to any environment. For businesses, firewalls are such an important part of having a reliable computing environment and dramatically reduce threats that can lead to costly data loss, breaches, and down time.

Small to Medium Size Business and the Standard Router

Larger companies understand the risks of their large computing environment and with that understanding often employ multiple business-grade firewalls. However, for the small to medium size business, often run from a home office or other unconventional space, the threats are equally hazardous and require more than the basic ISP-provided router (intended for household use only).

These routers are the address of your connection to the internet. An ISP router is the go-between from your business to the internet and only directs the traffic flow. These routers just do not address the vulnerabilities of a business’s information transactions.

These ISP routers do not filter or inspect the traffic, nor do they detect intrusions. Basically, this leaves your business open to web risks at large, which is only multiplied when you are transferring any sensitive data in order to conduct work. The risk is not just the compromise of this data, which means losing clients in the event of a breach, but also opens you up to some hefty fines from any number of compliance commissions.

Firewalls Put You in Control of Your Network

A firewall allows you to control the gateway (your front door) of information and gain awareness to security problems that may be attempting to enter. There are a number of different kinds of attacks that are caught via this gateway, the top three are:

  • Network packet sniffers – a hacker intercepts unprotected network information packets and steals the data
  • IP spoofing – an outsider tricks your computers into recognizing them as a trusted source, by posing as a familiar IP address
  • Password attacks – hackers guess or crack passwords used by employees, allowing them to access the computer and entire network to steal further data

A business-grade firewall allows you to filter the incoming and outgoing traffic for suspicious activity, putting you in control and minimizing your risk of attacks.

What Does a Good Firewall Do for Your Business?

In a nutshell, it protects you from costly threats. With the correct settings and subscription renewals, it offers the following functions:

  • Block incoming traffic based on rules – ex. keep employees off of Social Networking sites
  • Block websites – ex. eliminate adult website access, which reduces the associated virus risks
  • Dedicate internet network resources – ex. prevent a group of workers from accessing the web for any reason
  • Firewalls also create logs of users and instances so you can track the events of a particular time period. This kind of log is critical to pin-pointing a breach to contain or fix problems.

Asses Your Security

At the end of the day, your business data needs more than just a router from your ISP. Ask your IT advisor to do a security assessment of your network and find out where your vulnerabilities are so you don’t have to learn the hard way…