Posts by Joe Welker, CISA:
- Check for updates regularly.
- The first time you pull your device out of the package, change the password.
- Disable features and services that you don’t need or won’t use.
- Turn off your devices when they aren’t in use.
- Pay close attention to your privacy settings.
- Provide law enforcement with a greater understanding of the threat
- Help justify Ransomware investigations
- Contribute relevant information to ongoing Ransomware cases
These days it’s not uncommon for our lives and our businesses to be managed almost entirely online. From our communications and calendars to our thermostats and security systems, while the internet may have made us more efficient, it has also made us more vulnerable. And these days, the safety of our networks and databases are never guaranteed – a lesson that was made abundantly clear after last week’s massive cyberattack.
Weak Usernames, Passwords Are (Once Again) To Blame
As most of you already know, some of your favorite websites took a hit last week. And as much as you may have wanted to take to Twitter to vent your frustration – you couldn’t. So, what happened? Once again, weak usernames and passwords were to blame although, unlike in the past, individual users weren’t the primary culprits. According to United States security researchers, hackers utilized common electronic devices, such as DVRs, webcams and digital recorders, to execute a complex internet-wide attack. The massive distributed denial-of-service (DDOS) attack was made possible thanks to weak default usernames and passwords found in the internet-connected hardware. This attack was the result of a Mirai botnet attack, which is specifically designed to scan the internet for poorly secured products and then access them through easily guessable passwords like “admin” or “12345.” Earlier this month, after security experts gained access to the botnet’s source code, which was released to the hacker community, it was discovered that the botnet was designed to try a list of more than 60 combinations of user names and passwords. Officials with Level 3 Communications, a provider of internet backbone services, estimates this recent attack was also the result of a Mirai malware attack that infected more than 500,000 devices.
Unlike botnets that typically rely on PCs, Mirai malware targets internet-connected devices that have weak default passwords, making them easy to infect, said Michel Kan a correspondent for PCWorld. More botnets like Mirai will appear unless the hardware industry can move away from default passwords. Hangzhou Xiongmai Technology Co Ltd, a Chinese electronics component manufacturer, said because its products inadvertently played a role in last week’s cyberattack the manufacturer will recall some of the products it sold in the U.S. The Chinese company said the security flaws associated with its products were patched in September 2015 and that its devices now ask customers to change the default password when used for the first time. However, products running older versions of the firmware are still vulnerable. Users with older versions of the company’s products can still protect themselves by updating their product’s firmware and change the default username and passwords or simply take their products offline by disconnecting them from the internet.
Protect Your Devices
Do you own a device that connects to the internet? Take the following precautions to prevent a hacker from infiltrating your system:
Protect Your Cloud-Based Data
A lot of times, individuals and businesses will consider cloud-based data storage solutions to be more secure, but the way I see it, if it’s online, it can be hacked – regardless of how many safety protocols you may have in place. Criminals continue to look for new ways to infiltrate our online devices therefore, it is reasonable to assume, that they are looking for cracks in the cloud-based security solutions as well. This article will give you more insight into the risks you may be taking on if you were to move all your data to the cloud.
For more information and insight about protecting yourself online, read my comprehensive whitepaper: Cybercrime: The Invisible Threat That Haunts Your Business. By Joe Welker, CISA (New Philadelphia office)
Check out these articles for more helpful cybersecurity insight:
The FBI recently released a public service announcement urging victims of Ransomware attacks to come forward and report these cyber infections to federal law enforcement. Doing so, the FBI said in a statement, will “help us gain a more comprehensive view of the current threat and its impact on U.S. victims.
A Closer Look At Ransomware
A computer infection that has been programmed to encrypt all files of known file types on your computer and your server’s shared drive and making them inaccessible until a specified ransom is paid; Ransomware is a very real threat to all businesses nationwide. Once a computer is infected, which usually happens once a user clicks on a malicious link, opens a fraudulent email attachment or unknowingly picks up a high-risk automatic download while surfing the web, it’s all but impossible to regain access to the data that has been infected. Upon discovering that your computer has been infected, you have two choices. You can either:
1) Restore the machine by using backup media, or
2) Accommodate the hacker’s demands and pay their ransom.
And both options are less than ideal.
What To Do If Your Company’s Network Becomes Infected
Ransomware infections were at an all-time high in the first several months of 2016, according to various cybersecurity companies, and because new Ransomware variants are emerging regularly, the FBI needs your help to determine the true number of Ransomware victims.
“It has been challenging for the FBI to ascertain the true number of Ransomware victims as many infections go unreported to law enforcement,” the agency stated in its recent announcement. “Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment. Additionally, those who resolve the issue internally either by paying the ransom or by restoring their files from back-ups may not feel a need to contact law enforcement.”
Read Also: How Much Is Your Data Worth To Criminals?
Reporting a Ransomware attack on your company’s network is not only beneficial for you, the information you provide will help the FBI as it works to identify ways to prevent future attacks. Your reports will:
Help Arm The FBI With Information
The recent PSA released by the agency requests that all Ransomware victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center. Be sure to have the following details available and ready to provide to the respondent when prompted (if applicable).
- Date of Infection
- Ransomware Variant (identified on the ransom page or by the encrypted file extension)
- Victim Company Information (industry type, business size, etc.)
- How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
- Requested Ransom Amount
- Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
- Ransom Amount Paid (if any)
- Overall Losses Associated with a Ransomware Infection (including the ransom amount)
- Victim Impact Statement
The FBI recommends users consider implementing prevention and continuity measures to lessen the risk of a successful Ransomware attack. Click here to read the FBI’s complete announcement.
To learn more about protecting your business from cybercrime, download the free whitepaper, “Cybercrime: The Invisible Threat That Haunts Your Business.”
I am regularly asked by clients, friends and family whether they should be concerned with storing their data in a cloud-based environment. My answer: Absolutely.
Even though cloud-based data storage solutions are managed by storage and security professionals (at least hopefully), there’s really no way to determine whether their authentication policies and data security procedures are always in line with industry standards. Because I’m acutely aware of these standards and best practices, I would have a hard time entrusting a cloud-based data storage enterprise with copious amounts of my company’s sensitive information.
Download The Free Whitepaper: Cybercrime: The Invisible Threat That Haunts Your Business
At the end of the day, your company’s data and the data you collect is your responsibility. Therefore, your IT team is ultimately responsible for verifying whether it’s properly secured and whether a proper authentication protocol is in place to ensure that those accessing data are approved to do so. When you work with a cloud-based data storage solutions business, your control over data security procedures is significantly limited.
And just because we haven’t heard much about these types of breaches in the past, doesn’t mean they don’t happen. Consider, for example, the latest “mega-breach,” that has affected millions of Dropbox users.
The Dropbox Breach
According to reports, more than 68 million Dropbox user accounts and associated information, including user names and passwords, were discovered online. The company said Dropbox user information stolen by hackers and distributed via the Internet was the result of a previously disclosed data breach from 2012. Unfortunately, the company and the company’s users are still being hurt by this attack. In response, Dropbox said in a statement that it was forcing password resets.
“We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users,” said Patrick Heim, head of trust and security for Dropbox. “We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password.”
Protect Your Data To Protect Your Company
Most professionals in the data security field – including myself – believe that any and every site can be hacked. Therefore, in an effort to protect our companies and the businesses and individuals we serve, our goal is to provide comprehensive cybersecurity education to all employees while striving to be aware of all data security issues that may have occurred. Hopefully we will know about any data breach long before cybercriminals have a chance to post information on the Internet or before our businesses are notified of an issue by the FBI or Secret Service.
Want to know why data security professionals say that your company’s employees are your weakest link? This video highlights a common security breach method used by hackers to gain access to your company.
You can take a proactive stance against cybercriminals with the following data security protocols.
- Don’t just install a firewall, constantly monitor your firewall. Your IT team can constantly monitor your company’s firewall through the use of Security Information and Event Management (SIEM) or Intrusion Detection Systems (IDS) programs. You can also work with an external service provider to provide this essential service.
- Passwords are powerful, protect them. Require your employees to use complex passwords to log onto your company’s network and change those passwords regularly. Secondary authentication is also important to use wherever possible.
- Don’t wait for disaster to strike – actively defend your company. Routinely test the access controls of your employees. Not all employees require access to all company data. Instead, only grant access to the data your employees need to do their jobs.
- Educate, educate, educate. It seems like there are new phishing attempts, ransomware attacks and malware issues every day. But just because you hear that they are happening doesn’t mean your employees are aware. Make sure you keep your employees up to speed. Doing so may just stop them from clicking on a potentially dangerous email.
If, for whatever reason, you do decide to store your company’s data on the cloud, be sure to thoroughly investigate the cloud environment you intend on using. Then, pay close attention to whether their security controls and processes, including rollover sites or backup and testing procedures, adhere to industry standards. It’s also best practice to request a SOC (Service Organization Controls) SOC Report from your cloud provider.
At the end of the day, all you can do is take ownership of your data and be proactive when it comes to verifying the safety and security of your organization’s data. Email Rea & Associates to learn more.
By Joe Welker, CISA (New Philadelphia)
For more tips and insight to help keep your company safe from cybercriminals, listen to episode 41: “the hacked & the hacked nots” on unsuitable on Rea Radio.
It was 2013 when a medium-sized library in Ohio found itself in the midst of a data breach that would later serve as a powerful case study warning against the very real threat of electronic fraud. While originally developed by the Ohio Auditor of State’s office as a tool for government entities throughout the state, Cash Management 240: Financial Fraud – A Case Study, has found usefulness beyond just the government sphere.
Leaders of not-for-profit organizations and for-profit business owners would also find value in this resource, which outlines:
- the events that resulted in the occurrence of the data breach,
- the reaction of entity officials during and after the breach was detected, and
- the short- and long-term outcomes that resulted from the breach.
While I strongly recommend that you read the entire case study, I provide a brief overview of the story below.
How would you respond to a data breach?
Library officials were notified of the occurrence of fraudulent activity impacting the entity’s checking account in March of 2013. According to the bank, the fraudulent activity appeared to be limited to three transactions, totaling $144,743. Fortunately, bank officials were proactive in their efforts to recall the transactions.
In an effort to avoid further fraudulent activity, library officials decided to disconnect the accounting workstations from the entity’s network and proceeded to contact their technology vendor, who advised the library proceed with reformatting both accounting workstations immediately. Soon thereafter, library officials contacted the local police station to report the incident, closed the entity’s existing bank accounts and opened new ones, and notified employees of the data breach as well as the board of directors.
Due to the nature of the breach, it didn’t take long before the Ohio Auditor of State’s office and the FBI were notified of the incident as well. And, in an effort to try and reclaim some of the money that was stolen, a claim was filed with the entity’s insurance carrier. Finally, the library’s bank was able to successfully recover $54,910 of the amount that was stolen. In 2014, when the case study was released, the library was still in the process of negotiating with the bank regarding $89,833 that was still missing.
So, what do you think? Would you say that the library officials were effective in their management of the data breach? What would you do if your company or nonprofit found itself in a similar situation?
Well, according to the FBI, the library could have handled the situation better. For example, the library should have not reformatted the workstations. The FBI and local police force should have been contacted immediately. And finally, the entity should have followed all instructions mandated by the bank to eliminate the possibility of such fraudulent activity.
Since it’s 2013 data breach, the library:
- Is now required by the bank to follow the ACH Originator Agreement.
- Has designated one stand-alone PC to be used for online banking.
- Has requested online access from only one IP address
- Has purchased a cybercrime policy.
- Revisited its banking RFP to include a section regarding online banking security minimums.
Do you have a plan to help deter cybercrime?
The above scenario is just one of the countless cybercrimes that occur every day and every type of businesses, entity and organizations are being impacted. If you don’t have a plan in place to help prevent cybercriminals from infiltrating your network and stealing your data for financial gain, or a strategy to recover once a breach has been identified, you are in a very vulnerable position.
I believe that in order to protect against a cybercrime attack, it’s important to be armed with as much knowledge as possible. On Sept. 7, 2016, FBI Agent David Fine will be the featured presenter of part two of the Columbus Cybersecurity Series. During this portion of the presentation, attendees will hear real-life examples of attacks on businesses, including what schemes are prevalent today. Audience members will also discover the very real impact these attacks have on companies and what they can do to deter an attack from occurring in their own business or organization.
The Columbus Cybersecurity Series is free to attend, but registration is required. You can RSVP here.
By Joe Welker, CISA (New Philadelphia office)
Stop Criminals From Hijacking Your Identity With These Top 5 ID Theft Prevention Posts
December is National ID Theft Awareness Month and the fraud prevention team at Rea is a wealth of information when it comes to sharing great tips to help taxpayers protect their identities from fraudsters. Instead of scrolling past posts in our expansive article library or award-winning blog, we’ve compiled this Top 5 list to make your search for information easier. Read on to discover how you can prevent cyber criminals from hijacking your identity all year long.
Read Also: Let’s Talk About The F-Word
- WARNING: Tis The Season To Practice Safe Online Shopping Habits: While it may be the most wonderful time of the year, cyber criminals are looking for ways to stuff their own stockings – at your expense. The holiday season is also a busy time of the year for scammers because, in general, more money is being spent and more people are clicking through cyberspace for the best deals and tracking their purchases. Find out what you can do to keep your identity safe this Holiday season.
- Cyber Crime: It Can Happen To You: Fraudsters don’t take holidays. In fact, they tend to be more active this time of year because they believe we are more likely to let our guards down. I don’t intend on falling for any of their traps, and I encourage you to do the same.
- Malware Threat Spreads To Smart Phones: Researchers and IT security experts from ESET, a global IT security company, recently announced that they had discovered a malware application that is designed to encrypt files and change PINs on Android devices in the United States. In return, victims are demanded to pay up to the tune of $500. Only then will hackers provide users with the recover key. Keep reading to learn how you can protect yourself.
- Should I Still Be Concerned About Identity Theft And Tax Fraud?: Identity theft and tax fraud are problems that show no signs of stopping. In 2015, in an attempt to provide an added layer of protection, taxpayers in Ohio had the opportunity to get up close and personal with the Ohio Department of Taxation’s (ODT) newest fraud safety measure – the Identification Confirmation Quiz. Read on to see how this quiz has helped reduce fraud in Ohio.
- How To Recover From Identity Theft & Refund Fraud: Suspecting, and then confirming, that you’ve had your identity stolen is a nightmarish scenario. It combines one of your worst fears, losing your wallet or purse, with all of the work of replacing the things that were lost. It can be so overwhelming you might be wondering: “Where do I even start?” We can help you answer that question.
Identity theft is a scary thing and you don’t want to become a victim. Take some steps now to protect yourself in the future.
Want to learn more about keeping your identity safe? Email the team at Rea & Associates, our fraud prevention specialists can be an important of keeping your information protected.
Looking for tips to secure your business from fraudsters? Check out these posts:
It’s hard to remember a time when reports of data breaches, ransomware attacks and business email compromises (BEC) weren’t part of our daily lives. In fact, not so long ago we were pretty content to believe that the controls companies had in place were enough to protect us from the invisible threat of hackers and cyber criminals. But that was just a dream – and it wasn’t long before that dream manifested into a nightmarish scenario for one of the nation’s largest retailers.
Two years ago, cyber criminals gained access to the point-of-sale systems belonging to Target. Authorities later learned that the hacker(s) gained access to about 11 GB worth of data (including highly-sensitive personal and credit card information). When the dust settled, about 70 million consumers nationwide were left vulnerable to identity theft and credit card fraud. This magnitude of this breach was huge and, as a result, companies everywhere made an effort to buckle down and implement a slew of “best practices.” But what has really changed since December 2013?
What Have We Learned From Target?
The Target breach symbolizes the moment when the threat of personal data security violations became mainstream in America; and today, we don’t think about fraud in terms of if it will happen – it’s when it will happen. But instead of becoming more vigilant about data security practices, it appears as though consumers have chosen a more desensitized reaction. These days we are content with trusting the credit card companies to notify us of any suspicious activity occurring on our account rather than implementing safer payment practices in our daily lives.
Retailers and credit card companies, on the other hand, have worked hard to make it more difficult for hackers to access their customer data. Since the breach, Target has:
- Installed EMV compliant point-of-sale (POS) terminals in all stores to allow for transactions to be processed using a token instead of actual credit card numbers.
- Joined two cybersecurity threat-sharing organizations in order to share and retrieve valuable information concerning data breaches and the source of those breaches.
- Implemented more stringent firewall rules and governance procedures.
- Constantly monitors and logs system activity.
- Applied whitelisting technology, an administrative process that allows only preapproved applications to execute in a system, on the store’s POS systems.
- Disabled or placed limited access on vendor accounts.
- Deployed 2-factor authentication.
- Established password vaults and required the use of more complex passwords.
- Thoroughly reviewed and revised its process on how to determine which employees and contractors would have access to consumer data.
With the exception of the first two points, the measures Target has taken since its 2013 data breach are considered best practices, which means that if your business doesn’t have these security measures in place, you shouldn’t wait any longer. And, with regard to EMV technology, most businesses were expected to install and activate the new technology before Oct. 1, 2015 to avoid liability for losses resulting from fraudulent transactions.
A Moving Target
As long as there are fraudsters willing to pay for stolen names, addresses, credit card numbers and expiration dates, phone numbers, email addresses, dates of birth, Social Security numbers, etc., there will be cyber criminals looking for a way to hack into your company’s system to gain access to your consumer data or intellectual property. But if you are really serious about keeping your data safe, there are additional measures you can take.
1. Reinforce Your Firewall
Firewalls should be securely configured and continuously monitored. There are many providers that perform 24-7 firewall monitoring services to protect your company from attacks and or to alert you to signs of a possible breach. Moreover, providers are also coupling these services with the use of whitelists or blacklists, which triggers an immediate response if a potential threat is identified. Another great reinforcement for companies with experienced IT staff, would be the implementation of SIEM (Security Information and Event Management) or IDS (Intrusion Detection System) software.
2. Take Your VIP List Seriously
Not everybody should have access to your company’s domain – especially outside groups, and you should take care to review your employee and vendor access accounts routinely. The 2013 Target breach was a result of a breach that was intended for one of Target’s vendors. But, once in, the hacker was able to work his way into the Target Vendor Portal and infiltrate the Target POS systems.
3. Don’t Take Your Passwords For Granted
While doing so, be sure to verify that these credentials, in particular, require complex passwords, a limit on the number of attempts allowed before automatically disabling the account, and that they are required to be changed regularly. (Believe it or not, the most common password continues to be “123456” – proving that we are still not learning from past mistakes.)
Check out these articles for more data security best practices
EMV Technology Impacts Netflix’s Q3 Earnings
Since the United States made the switch to EMV (EuroPay, Mastercard and Visa) chip technology in October, some companies are beginning to report unexpected side effects – sluggish growth in the third quarter. A recent story from Patrick Kulp on Mashable, a global media company, reported that Netflix’s lack-luster third quarter earnings may be directly linked to the new technology.
Why? Because, according to Kulp, “[many] Netflix users may not want to go through the hassle of updating their payment records, and some may even use the switch as an excuse to bail on the service. As a result, the company can’t collect their fees.” Now, as third quarter earnings continue to roll in, business analysts are beginning to speculate as to what this means for businesses hoping to finish the year on a high note.
Why Was EMV Implemented?
In September, I provided insight into the reasoning behind the new chip-based technology, which pointed to the increasing number of credit card breaches as the reasoning behind the change. Over the years millions of credit card numbers and associated data have been stolen, leaving the credit card industry on the hook for the fraudulent transactions. In an effort to transfer liability from payment card companies to individual businesses, while providing greater protection to users against credit card fraud, the PCI Security Council supported the addition of EMV chip technology to the existing PCI (Payment Card Industry) Security Requirements.
The ultimate goal of EMV is to stop and prevent further fraudulent activity. Success has already been noted in countries outside the U.S. “Currently, almost half of the world’s credit card fraud happens in the U.S. where magnetic stripe technology is the standard,” stated David Navetta and Susan Ross in a blog on Data Protection Report. “Outside the U.S., an estimated 40 percent of the world’s cards and 70 percent of the terminals already use the EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with the magnetic stripe cards.”
Businesses have rushed to accommodate the transition to avoid liability for any losses that result from fraudulent transactions. From installing devices that read the new chips, to training employees to address any questions and concerns that may come up during the payment process. Unfortunately, in order to bring the American public up to speed, payment card insurers are issuing new chip-enabled cards to card holders and, in many cases, users are being issued new card numbers as well.
Companies such as Netflix are beginning to feel the pinch as they are realizing that their customers are in no hurry to update their card numbers in their accounts, which means the company can’t collect subscription payments.
“Our over-forecast in the US for Q3 was due to slightly higher-than-expected involuntary churn (inability to collect), which we believe was driven in part by the ongoing transition to chip-based credit and debit cards,” the company said in its earnings release.
Is Your Business Witnessing Unexpected Consequences?
Third-quarter earnings are just beginning to be reported, which means we are unable to adequately identify how widespread this particular issue is.
So, we want to hear from you. Since the EMV chip technology went into effect on Oct. 1, what has your experience been? Have you had trouble collecting renewal payments from your customers? Comment below or send us a quick email.
If you have a specific question about EMV technology or another business challenge, you can always let us know by filling out the brief form at the top, right side of this page. And don’t forget to subscribe to Dear Drebit to get great business tips and advice delivered directly to your inbox!
Are you looking for more ways to prevent fraud from taking control of your business? Check out these articles:
Dear Drebit: Does a company that doesn’t physically swipe credit cards have to worry about increased liability when the new EMV rules are implemented in October? Sincerely, Online Payments Only
Dear Online Payments: As you may already know, I recently wrote an article to inform merchants about the Oct. 1 deadline to implement Credit Card EMV (EuroPay, MasterCard and Visa) technology. When this change takes effect, the liability for fraudulent transactions will no longer be assumed by the credit card issuing institution. Instead, if you continue to use the credit card’s magnetic stripe to process payments, your business will assume liability for any resulting fraud. For most businesses – especially smaller businesses – a single instance of fraud could be crippling.
EMV technology essentially swaps out the magnetic stripe used on credit cards today for an embedded chip. The chip scrambles sensitive cardholder data at the point of sale, which makes it increasingly difficult to fraudulently access and replicate consumer data.
But what changes lie ahead for businesses that utilize online payment methods and don’t require customers to physically swipe their credit card to pay for a product or service? Do they need to be concerned about this liability switch on Oct. 1 too?
EMV Concerns For Online Merchants
Your third-party processor (such as PayPal), is responsible for ensuring that the payment is authentic. These companies validate payments using a variety of methods.
Natalie Gagliordi, a blogger with Small Business Matters, writes that “for most online merchants, whatever payment processing technology they are using will likely contain out-of-the-box security and authentication protocols.” PayPal, for example, “has developed complex end-to-end encryption to help protect consumers and merchants with their payment information.”
But just because your business doesn’t bare the sole responsibility for keeping your customers’ credit card data safe, doesn’t mean you have nothing to worry about – quite the contrary. Some experts expect credit card fraudsters to pay more attention on hacking online consumer data. This means, for your customers’ sake, you must continue to be informed of online security best practices and should not only be knowledgeable about what your third-party payment processor is doing to keep credit card data safe, but what your third-party payment processor requires of you to maintain your compliance. This could include maintaining current antivirus protection, a secure firewall and other online safety protocols.
The EMV Migration Forum’s Card-Not-Present Working Committee recently published an informative whitepaper to address the growing threat of Card-Not-Present Fraud. This resource will give online merchants a little more insight into the numerous options currently available to help authenticate online payments.
In the meantime, if you have additional questions or concerns, contact your third-party payment processor immediately. Requirement 12.9 of the Payment Card Industry Data Security Standard v3.0 states that they must provide you with – in writing – the details of its role in providing PCI compliancy, as well as any requirements of your organization. Click here to learn more.
How Can Drebit Help You?
Readers, do you have questions about data security, fraud, accounting, succession planning and other general business topics, but don’t really know who to ask? Let Drebit help find the answer! Simply fill out the brief form at the top, right side of this page. You can also click here to reach out to one of fraud experts directly. If you like the advice we offer, why not click here to subscribe to Dear Drebit and get notified of new articles and updates the minute they are posted?
Would You Pay A Hacker’s Ransom If Your Phone’s Data Was At Risk?
Researchers and IT security experts from ESET, a global IT security company, recently announced that they had discovered a malware application that is designed to encrypt files and change PINs on Android devices in the United States. In return, victims are demanded to pay up to the tune of $500. Only then will hackers provide users with the recover key.
If it continues to spread, this form of malware could result in a staggering number of victims. Once again we are reminded of how important it is to vigilantly protect ourselves against fraudsters who will continue to exploit such weaknesses in our technological infrastructure.
According to the digital media analytics company comScore, between the months of December and March 2015, more than 187.5 million people in the U.S. owned smartphones. During that time, Google Android led the pack as the number one smartphone platform with 52.4 percent platform market share.
Malware Goes Mobile
The malware, called LockerPIN, spreads via third party applications, which are downloaded by the user to their Android device. Similar to the CryptoLocker and CryptoWall malware that has inundated users over the past several years, LockerPIN spreads malware’s reach to the mobile user.
Originally discovered in Ukraine in 2014 the malware has been modified to the point that it is just now making its North American debut. Disguised as a system update, the application changes the user’s PIN to a random setting without their knowledge. The worse part? The only known recovery solution is to perform a complete factory reset, which will result in the loss of all your data.
It’s only a matter of time before this malware progresses to the point of being able to infect all phones. In the meantime, there are actions you can take to protect yourself.
1) Never download apps outside of certified app stores.
2) Back up your mobile devices to your computer or to the cloud regularly.
3) Do not grant administrator privileges to apps unless you truly trust them.
4) Stay away from suspicious apps and sites.
Want to learn more ways to protect yourself and your business from IT threats? Check out these articles.
PCI to EMV – Protecting Credit Card Data
Your customers want their payment experience to be as easy and painless as possible, which is why you have come to depend on the ability to process credit card payments – especially if your average transaction is more than $20. But providing your consumers with the ability to pay with plastic has also been helpful to fraudsters looking to steal the information hidden within their card’s magnetic stripe. In an effort to crack down on fraudulent transactions, protect consumers and transfer liability from the credit card company to your business, the United States will begin to implement Credit Card EMV (EuroPay, MasterCard and Visa) technology.
Change Is Necessary
Due to the increasing number of credit card breaches where millions of credit card numbers and associated data have been stolen, the industry has forced retailers and merchants to adhere to PCI (Payment Card Industry) Security Requirements. Supported by the PCI Security Council, the ultimate goal of EMV is to stop and prevent further fraudulent activity. Success has already been noted in countries outside the U.S. “Currently, almost half of the world’s credit card fraud happens in the U.S. where magnetic stripe technology is the standard,” states David Navetta and Susan Ross in a blog on Data Protection Report. “Outside the U.S., an estimated 40 percent of the world’s cards and 70 percent of the terminals already use the EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with the magnetic stripe cards.”
Understanding EMV Technology
Credit Card EMV technology, which has been used in Europe since the early 1990s, replaces the magnetic stripe we have grown accustomed to with an embedded chip that, scrambles sensitive cardholder data at the point of sale terminal. This technology ultimately makes it more difficult to access and replicate consumer data in an attempt to commit fraud.
Businesses Can’t Afford Not To Comply
Why should you be concerned about the credit card industry’s switch-over to EMV technology? As of Oct. 1, 2015, the liability for fraudulent transactions will no longer be assumed by the credit card issuing institution. Instead, if you (the merchant) fail to adopt EMV technology, your business will be responsible for any loss that results from a fraudulent transaction. If your business currently accepts credit cards as a form of payment (and you would like to continue this practice), unless you want to be hit with potentially devastating losses, you must make sure to install and activate the new technology before the Oct. 1 deadline. That being said, some types of businesses will have a little more time to comply. If you aren’t quite sure whether or not your business is exempt, visit the website of each payment brand you accept to learn more.
- If you have not investigated or planned for EMV Technology, contact your card processor immediately to determine your business’s specific needs.
- Implementing EMV technology can be a cumbersome and time consuming project, but the best way to protect yourself from fraud and liability is to implement the new technology as soon as possible.
- If EMV technology has been implemented be sure to confirm that the chip reading capability has been enabled. In addition, confirm with issuers that cryptographic values are being associated with the card number to ensure that the EMV technology has been setup and configured properly. Verifying that cryptographic values are being assigned will eliminate the chance of misconfiguration and possible fraudulent activity.
- Train your staff on the new procedures. When a customer tries to pay for a product or service using their card, they will notice some changes, such as their credit card being held in the EMV reading slot throughout the entire transaction process. This is normal, however your staff should be prepared to answer the questions that will certainly arise.
Want to learn more ways you can protect your business and your customers from a fraudster? Check out these articles:
Red Flags To Be Aware Of When Opening Your Email
We hear it a lot and often – be careful when clicking on the links in your email (especially if you do not know the sender.) But what if the email is from someone you know, like your boss? And what if the email appears to come from their work account?
E-mail Account Compromise (EAC) is a sophisticated scam that uses legitimate email accounts that have been compromised to target unsuspecting victims, oftentimes tricking even the most tech-savvy individuals.
So that email your “boss” sent that asked you to click on a link to wire them money because they lost everything while on vacation in France may actually look authentic, but in reality it’s a scam that could have a divesting impact on your business’s network.
How can you tell the difference?
“Just 1 percent of employees are responsible for 75 percent of cloud-related enterprise security risks, and companies can dramatically reduce their exposure at very little additional cost by paying extra attention to these users.”
Recently, the FBI reported a 270 percent spike in victims and cash losses due to these scams. The numbers are scary, but educating yourself on what to be on the lookout for can help eliminate the scams.
Want to learn more about the recent EAC scam? Contact Rea & Associates to learn more ways to protect your business from unseen threats.
Looking for more information about securing the safety of your business? Check out these articles:
As if you didn’t have enough keeping you up at night, the topic of data security continues to send collective shivers up the spines of business owners worldwide. Unfortunately, the Aug. 24, ruling by the United States Court of Appeals for the Third Circuit didn’t make matters any better (or less expensive) for businesses guilty of failing to protect their customers’ data. In fact, companies that utilize poor security practices that ultimately lead to a breach of consumer data are at risk of facing further disciplinary action and penalties.
What does the FTC’s Courtroom Win Mean To Business Owners?
If you haven’t taken data security seriously in the past, it’s time to get real serious about it real quick.
Prior to the ruling, companies at the center of a data breach had to battle with lawsuits while working to rebuild their reputations. Now, in addition to litigation and negative headlines, your organization must also risk being fined by the Federal Trade Commission (FTC). Businesses can no longer operate with a subpar data security infrastructure. Those that do are at risk of losing everything.
The court upheld the FTC’s 2012 lawsuit against Wyndham Worldwide, a company known for operating hotels and time-shares. Records show that the FTC filed complaints against Wyndham for three data breaches occurring in 2008 and 2009, which resulted in more than $10.6 million in fraudulent charges. In its decision, the appeals court reaffirmed previous rulings that found Wyndham to be responsible for implementing better security practices, which would have helped prevent such breaches from occurring in the first place.
According to the FTC’s argument, software used at Wyndham-owned hotels stored credit card information as readable text, hotel computers lacked a system for monitoring malware, there was no requirement for user identification and or to make password difficult for hackers to guess, the company failed to use firewalls and, ultimately, failed to employ reasonable measures to detect and prevent unauthorized access to the computer network or to conduct security investigations.
“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Next Steps For Businesses
With regard to the case between the FTC and Wyndham, the next chapter of the story is uncertain. While the win in the courtroom has helped put some wind in the FTC’s sails, the commission has yet to levy any penalties or assertions against the defendant. What is clear, however, is that a data security breach is a very real threat – one that is felt by nearly every business in the world. Furthermore, as technology continues to advance and hackers adapt, the security procedures businesses deploy must be top-notch to avoid further complications and costs associated with a sloppy security infrastructure.
Will you be ready when disaster strikes? Email Rea & Associates today to learn what you can do to protect your business from unforeseen threats.
Want to learn more about how to protect your business from a data security crisis? Check out these articles:
The malware known as CryptoLocker or CryptoWall continues to be a major concern for individuals and companies alike. So much so, that the FBI saw fit to issue a warning just last month and help raise further awareness about the threat.
According to the FBI, this Ransomware continues to evolve, which helps it avoid user’s virus detection software applications – even if they are current. Since April 2014, reported the FBI, there have been 992 incidents of CryptoLocker reported. These occurrences have resulted in the loss of around $18 million.
Read Also: How Much Is Your Data Worth To Criminals?
The Threat Is Real
Ransomware is a computer infection that’s been programmed to encrypt all files of known file types on your local computer and your server’s shared drives. Once it takes hold, it’s all but impossible for you to regain access to the data that’s been infected. Once this happens, you have one of two choices. You can:
- Restore their machine by using backup media, or
- Accommodate the hacker’s demands and pay up.
As a direct result of my experience as an IT audit manager, I have been made aware of several situations in which businesses were left with no choice but to succumb to the demands of malicious cybercriminals carrying out Ransomware attacks. And while the companies I have worked with were finally able to obtain their assailant’s encryption key code to unencrypt and regain access to their data after the ransom was paid, others are not as lucky – after all, the FBI has reported $18 million worth of losses in just over a year. Furthermore, there are no guarantees that you won’t be targeted again in the future.
Preempt A Crisis
While there is no surefire way to prevent a Ransomware attack on your data, it’s wise to implement the following best practices to reduce the possibility of infection or reinfection.
- Implement mandatory computer safety training for all employees and implement and test an IT Disaster Recovery Plan in place.
- Always use reputable antivirus software and a firewall and be sure to keep both up to date.
- Put your popup blockers to good use. Doing so will help remove the temptation to click on an ad that could infect your computer.
- Limit access to company’s data by ensuring that only a few employees have access to certain folders and data. You can facilitate this type of action by conducting annual reviews of your company’s employee access rights.
- Backup all company-owned content. Then if you do become infected, instead of paying the ransom, you can simply have the Ransomware wiped from your system and then reinstall your files once it’s safe again to do so.
- Never click on suspicious emails or attachments, especially if they come from an email address you don’t recognize. And actively avoid websites that raise suspicion.
Shut Down The Attack
If you are surfing the Web and a popup ad or message appears to alert you that a Ransomware attack is in progress, disconnect from the Internet immediately. Breaking the connection between the hacker and your data could help stop the spread of additional infections or data losses. In addition to informing your company’s IT department about the threat or occurrence, be sure to file a complaint with your local law enforcement agency.
Email Rea & Associates to learn more about the importance of your company’s online security.
By Joe Welker, CISA (New Philadelphia office)
You probably don’t have a lot of spare time on your hands. Between managing your business and employees, to ensuring your clients’ needs are being met. The last thing you might be concerned about is adhering to Payment Card Industry (PCI) Data Security compliance standards. But hold up. If your business (or any of your vendors) deals with client cardholder data or stores this information anywhere in your business’s IT systems, PCI standards are not something to ignore. It could be the difference between your business surviving and thriving or going down the drain.
PCI Data Security Best Practices
In November 2013, the Payment Card Industry (PCI) Data Security Standard version 3 was released. There were five requirements defined as “best practices.” And as of June 30, 2015, these requirements are mandatory and may affect your organization.
The Payment Card Industry (PCI) Data Security Standard v3.0 data sheet describes the need for compliance as: “All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, including applications that have been validated to PA-DSS.”
The two requirements that could most affect your organization are Requirements 12.9 and 9.9.
- Requirement 12.9 – Additional requirements for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
- Requirement: 9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
So what exactly do these requirements mean for you (and your vendor)? In essence, Requirement 12.9 requires third parties to provide in writing the details of its role in providing PCI compliancy, as well as any requirements of your organization. Requirement 12.9 is relevant to Requirement 9.9 as it relates to devices used to scan or input credit card information. The vendor’s compliancy requirements could require the entity to adhere to Requirement 9.9 by protecting and monitoring devices used by the entity to scan or input credit card information. And because it’s ultimately the responsibility of your organization to protect client credit card information, it is important that your business obtain the PCI requirements of any vendors you work with and adhere to the requirements of their PCI Compliancy Standards. It is always best practice to document in detail when testing for PCI or communicating with your vendor.
Remaining Three Best Practice PCI Compliance Requirements
The other three PCI compliance “best practice” requirements are listed below. These may or may not be items to be addressed by your organization depending on your current PCI classification. It’s best to review and determine if your entity needs to add to your current PCI testing procedures.
- Requirement: 6.5.10 – Broken authentication and session management. Secure authentication and session management prevents unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
- Requirement: 8.5.1 – Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
- Requirement: P. 93 11.3 P. 55 6.5 – Implement a methodology for Penetration testing. See P. 93 of the Payment Card Industry (PCI) Data Security Standard v3.0 data sheet for details.
The End of Outdated Secure Sockets Layer Encryption Protocol
Finally, in April 2015 the PCI Security Standards Council published a new version of the Payment Card Data Security Standard that calls for ending the use of the outdated Secure Sockets Layer (SSL) encryption protocol. The new standard requires that the use of SSL be discontinued and replaced by the use of the more secure Transport Layer Security (TLS) protocol. The deadline for this change has been set at June 2016.
Remember, although you may employ a vendor to process credit card payments, it is still your client’s data and the ultimate need to protect that data is assumed by you.
We hear of new breaches daily, so it’s in the best interest of your organization to know the responsibilities of your organization for PCI Compliancy. Don’t assume that all the responsibility is on a third party vendor because it is all of our responsibility to maintain security and keep the integrity of our data secure.
By Joe Welker, CISA (New Philadelphia office)
How much would you pay to regain access to your company’s network if it was compromised and held for ransom? Are you willing to shell hundreds of dollars to take your information back from a cybercriminal, or are you willing (and able) to just walk away and start anew? I wish I were asking hypothetical questions but, unfortunately, the increased popularity of Ransomware has made the risk of such an attack a very, very real possibility.
Sandra Ponczkowski, a manager of the IT security company KnowBe4, recently shared Your Money or Your Life Files, a whitepaper that details the history and real threat of Ransomware, a computer infection that encrypts all files of known file types on your local computer and server shared drives. Once infected, it becomes impossible for you to access your documents or applications that use these encrypted files. The only way to recover from such an infection is to either restore your machine by using backup media, or accommodating the hacker’s demands and paying their ransom.
Unfortunately, I know of several situations where the businesses involved in a Ransomware attack had no choice but to pay ransom demands to the cybercriminal. The silver lining for these companies was that, upon paying the ransom, they were able to obtain the assailant’s encryption key code, which allowed them to unencrypt their data and regain access to their data.
Long-term protection, however, cannot be guaranteed and there is a chance that your data can be held for ransom again.
The literature provided by KnowBe4 details the fluency with which the popular Ransomware infection CryptoLocker changes and adapts once a solution to unencrypt infected data files becomes available. When this happens, the CryptoLocker infection will evolve into a new strain, thus making the previous solution unusable.
While there is no way to completely protect yourself and your network, there are ways to preempt an attack against you and your business. I recommend the following best practices.
- Train yourself and your employees about computer safety practices.
- Complete a yearly review of your employee’s access rights to company-owned computers, server folders and backup media. For example, only a few, strategic employees should have access to the company’s folders and data. As a general rule, employee access should be restricted to include only the programs and software required for them to do their jobs. This also applies to work-from-home employees who typically attach a USB drive to their machines for backup protection.
- If you don’t already, put a disaster recovery in place and test it ever year to ensure accuracy and completeness.
Following these practices should make your business’s Ransomware prevention and recovery much easier. Email Rea & Associates to learn find out more about the importance of protecting your company’s online security.
By Joe Welker, CISA (New Philadelphia office)
If you purchased a Lenovo desktop or laptop between September 2014 and January 2015 you could be susceptible to “SuperFish” – adware that can be found lurking in the depths of your device.
Capable of hijacking Internet traffic data typically used for securing Internet transactions, SuperFish was installed on Lenovo devices by the manufacturer per an agreement with Superfish Advertising, a third-party software developer based out of Palo Alto, Calif.
“In our effort to enhance our user experience, we pre-installed a piece of third-party software … on some of our consumer notebooks. The goal was to improve the shopping experience using their virtual discovery techniques,” said the company in a prepared statement. “In reality, we had customer complaints about the software. … We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software.”
Until you are certain that your Lenovo system is safe from adware, refrain from online banking, making online purchases or engaging in any other online activity were security is critical.
To determine if SuperFish is present on your device and how to remove it, Lenovo released step-by-step SuperFish Uninstall Instructions on its website.
Unfortunately, in his article about the Lenovo crisis, Zack Wittaker cites ZDNet’s Chris Duckett as saying that “the only confirmed way of completely removing SuperFish appears to be reinstalling Windows … or moving to another operating system entirely” as simply uninstalling the adware may not remove the root certificate authority.
According to reports from IDC Worldwide Quarterly PC Tracker and Gartner, Lenovo shipped more than 16 million desktops and notebooks worldwide during the fourth quarter of 2014. Lenovo’s statement indicates that following models may have been effected:
- G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45, G40-80
- U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
- Y Series: Y430P, Y40-70, Y50-70, Y40-80, Y70-70
- Z Series: Z40-75, Z50-75, Z40-70, Z50-70, Z70-80
- S Series: S310, S410, S40-70, S415, S415Touch, S435, S20-30, S20-30Touch
- Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 Pro, Flex 10
- MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11, MIIX 3 1030
- YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11, YOGA3 Pro
- E Series: E10-30
Email Rea & Associates to learn more about the importance of protecting your virtual assets against cyber threats.
By Joe Welker, CISA (New Philadelphia office)
Late last week, the Federal Bureau of Investigation (FBI) issued a wire transfer scam alert for all small businesses in the United States. According to the FBI alert, between October 2013 and December 2014 a total of 1,198 complaints from U.S.- based companies were received dealing with wire transfer scams. Losses from these incidents totaled more than $179 million. The FBI also reports that the scams can follow a Ransomware incident, and may involve a fraudster contacting a vendor and requesting a change of payment to an alternate fraudster-controlled bank account.
How To Mitigate This Type of Scam
If you’re a small business owner, you may be at risk for this kind of scam. The FBI recommends the following mitigation steps for these types of scams:
- Keep all of your anti-virus software up-to-date.
- Educate your workforce about security best practices.
- Be sure that any changes to payments via electronic transfer are verified with an employee of the bank and at a phone number that you utilize for assistance.
- Don’t use alternate phone numbers provided via email or by a bank representative contacting you.
- Always call the institution back and verify that you are communicating with your bank.
- Monitor all of your business’s financial transactions on a daily basis. Suspected electronic fraud must be reported in a single business work day.
- Use two-party authorization access to complete all wire transfer transactions.
- Utilize biometric authentication to verify the identity of authorized users.
- Use online bank portals that require strong fraud controls to complete all wire transfer transactions.
You can find more information about the FBI’s scam alert here. This site also provides detailed samples of how the scams will be run against unsuspecting businesses.
If you have any specific questions about how this scam might impact you or if would like more information on IT security best practices, email Rea & Associates.
By Joe Welker, CISA (New Philadelphia office)
As we embark on a new year, many of us will set personal goals for ourselves or renew commitments to objectives that may have eluded us over the last year – and if you are a business owner you probably have a whole other list of initiatives to conquer in 2015. But before you dive into a new campaign, product launch or acquisition, take a moment to reassess your business’s disaster recovery and business continuity planning. Doing so could save you from unforeseen financial hardships that could devastate your bottom line.
From eBay’s server breach early in 2014 to the recent Sony Pictures hack, this year major U.S. companies found out that even the best defenses cannot guard against attacks carried out by a determined hacker (or hackers). And if these large-scale businesses are vulnerable, how is your small to midsize business expected to recover? In addition to building up a solid defense to these types of threats by employing firewalls and antivirus software, businesses with a solid business continuity plan are more likely to recover if (and when) a disaster does strike.
Plan For The Best – Expect The Worse
Could you recover from a cyber-attack or data breach? Do you have a plan in place to not only shield yourself from threats, but to swiftly respond and recover? The ISACA, an organization that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems, encourages business owners to take a proactive stance when guarding against disasters – online and offline. If you are unsure whether your business could recover, ask yourself these questions.
- Do you have a thorough understanding your business’s activities, including which ones are critical to support your overall operations while satisfying your customer’s expectations?
- Do you know what data you need to support your business’s critical operations and do you know where this data is kept?
- Do you have a clear understanding of the effects of downtime within your business and, using this information, are you able to identify where you are most vulnerable?
- Do you have current infrastructure in place to protect your business and data against hackers and viruses?
- Do you consider business continuity to be a priority to your business?
- Do you have a documented plan in place to guide all aspects of your business through a major emergency? How about smaller disruptions like organizational, process and technology changes?
- If a disaster were to strike today would you be able to recover quickly while protecting the best interests of your customers and business stakeholders?
If you answered no to any of these questions your business may find itself susceptible to risk and unable to recover from a cyber-attack or data breach. Make business continuity a priority in 2015. Email Rea & Associates for more information on how you can protect your business against countless internal and external threats.
By Joe Welker, CISA (New Philadelphia office)
Natural disasters. Hardware meltdowns. New variants of viruses and malware. Unfortunately, we live in a day and age where anything can happen. It’s critical that your business is on its toes, ready to tackle any potential disaster or crisis that may come your way. But is it? If your business’s computer systems crashed tomorrow, how easy (or even possible) would it be for your business to recover? Has your business ever given thought to a disaster recovery (DR) plan? Do you have one of these plans?
It’s National Preparedness Month. A month where government agencies and businesses alike work to educate companies and organizations about the importance of being prepared whatever may come your business’s way. In honor of this month, below are five reasons why your business should create (if you don’t have one) a disaster recovery plan
Top 5 Reasons For A IT Disaster Recovery Plan
A Gartner report estimates that only 35 percent of small- to medium-sized businesses (SMBs) actually have a working and comprehensive DR plan. And from its research, Gartner also found that 40 percent of SMBs that manage their networks and Internet usage in-house will have their networks hacked, and more than 50 percent won’t know they were hacked. Pretty sobering statistics, right? There are many reasons why having a DR plan is a wise business move. In fact, here are the top five reasons why a DR plan is imperative to the success of your business:
- You can’t control when a disaster happens – it can happen at any time. Disasters can be natural or man-made – either way, you don’t have control over when it could happen. A DR plan will help you be prepared for anything at any time.
- A DR plan can help you save thousands, possibly even millions, of dollars in the event of a disaster. When a disaster strikes, it’s usually not a cheap fix. Depending on its severity, many businesses’ budgets are hit quite hard. And if this is an unexpected expense, it’s that much harder to make a complete recovery.
- You can mitigate your losses with a DR plan. Money isn’t the only thing at stake during a disaster. Don’t forget about the trust and confidence of your customers, employees, investors, vendors – the list goes on. A DR plan can help you retain your critical audiences during a disaster.
- A DR plan can help you reduce confusion among your staff and audiences. When a disaster hits, imagine the confusion and uncertainty that comes with it. In some cases, it may seem like you have no control over the situation. A DR plan can help you have an organized approach to resolving the disaster.
- The government may require businesses within your industry to develop and utilize a DR plan. If your business handles sensitive customer information or other information that could be critical if lost, the government may require you to have a formal DR plan, which should include yearly testing of offsite back-up recovery data.
Does your business have a DR plan? If not, you need to create one. Email Rea & Associates for more information about what to include in your plan. If you already have one in place, first pat yourself on the back, and then review it to ensure that it reflects your business’s current environment. Detailed and tested plans are imperative to the successful recovery and even for the longevity of your business.
Author: Joe Welker, CISA (New Philadelphia office)
Last week, UPS announced that 51 of its stores were infected by point-of-sale (POS) malware that has been affecting other retailers across the U.S. In total, UPS estimates that approximately 105,000 POS transactions were comprised in the data breach, leaving many customers’ financial and contact information exposed, increasing their risk of identity theft and fraud.
POS malware, known as Backoff, was identified last week as having targeted a New Orleans restaurant, a much smaller retailer than UPS. On July 31, several government agencies sent out an alert about Backoff. The alert explained the risks that Backoff posed to U.S. businesses, including smaller merchants, and that this new form of malware was found to infect POS systems via access to a remote-access portal.
And just a few days ago, the U.S. Secret Service announced that an estimated 1,000 businesses have been infected by Backoff. Now the Department of Homeland Security is encouraging all businesses – no matter the size – to scan their POS systems to check for a possible compromise.
While these recent incidents may not affect you or your business directly, the discovery of this new form of malware should cause you to stop and assess your business’s IT security situation. Do you have the right security protocols in place to protect your business – and your customers – from a potential data breach?
How To Protect Your Business From A Data Breach
Your mind may be far from thinking about your business’s IT environment. You’re probably focused more on the day-to-day operations of your business and serving your customers. But think of protecting your business’s IT environment as one way of serving your customers. By protecting your IT systems, you are helping ensure that your customers’ personal and financial data is safe. Here are some ways you can protect your business’s IT environment:
- Use End Point Protection monitoring to verify that all workstations are current on their virus definition files and OS patches.
- Make sure all servers are patched with the most current operating system security patches.
- Employ a vendor to complete penetration testing to find any open avenues to your network.
- Consider implementing Intrusion Detection Systems (IDS) or Security Information & Event Management (SIEM) applications. Many companies utilize IDS/SIEM to monitor their incoming and outgoing network traffic. If the expense is too great or you don’t have qualified personnel, then consider a vendor to provide the service. Many vendors provide these services at a very reasonable price.
- Review the Mitigation and Prevention Strategies of the Department of Homeland Security July 31, 2014, announcement of the Backoff malware.
The Cost of Protecting Your Customers
What cost is too much to protect my customers’ data? Only you can answer this question. UPS and the restaurant have chosen to pay for identity theft and credit monitoring services for customers who may have been affected from their data breaches (a data breach-related expense many companies don’t consider). But take that one step further. What cost is too much to protect my business’s reputation? In order for your company to survive in today’s digital world, it’s critical for your business to cultivate a culture of trust with your customers. Many businesses find that they’ll do what it takes to prevent security breaches. What will you do?
Want more IT tips? Check out other articles that provide best practices on how to secure your business’s IT environment.
Author: Joe Welker, CISA (New Philadelphia office)
As a business owner, you have a lot to be concerned about. Ensuring that your business is bringing in revenue. Providing quality customer service. Retaining quality employees. The list goes on and on. Is maintaining and keeping your IT systems anywhere near the top of your list? If not, you might want to think again.
Microsoft To Stop Supporting Microsoft 2003 Servers
Back in April, Microsoft announced it was no longer supporting its Windows XP workstation software … this means that Microsoft is not providing any security patches or upgrades to computers using Windows XP software. Despite this news, many companies are still using the non-supported operating system. This leaves a huge hole in your operating system security. While many entities are planning to replace their XP workstations, we now find that Microsoft has some additional changes coming.
Microsoft recently announced that it has posted end of life for its Microsoft Server 2003 and Server 2003 R2 systems. These two server operating systems will no longer be supported after July 14, 2015. So if your business uses these systems, you have a little under a year to plan and implement a replacement strategy for these servers. The consequence for not replacing? Serious security issues.
In many industries the use of these operating systems on servers could lead to non-compliance issues. When looking at your upgrade options, consider using virtualization software such as VMWare or Hyper V or server operating systems like Linux, UNIX, Windows Server 2008 and Windows Server 2012.
What You Can Do To Prepare For The Microsoft 2003 Server Expiration
It’s important you work with your application vendors to make sure that your current applications will transfer over and operate correctly on the replacement server operating system you decide upon. It is recommended that your entity do an analysis of critical business applications currently being used on Microsoft Windows 2003 and Windows 2003 R2 servers and determine the best replacement option as well as conversion process.
IT Audit Help
Not sure what server(s) your business is running on? Or are you unsure how this Microsoft server expiration will affect your business? Contact Rea & Associates. Our IT audit team can assess your business’s IT systems and help you determine how these changes will affect you moving forward. Don’t delay in updating your servers. It could be the difference between a safe IT environment and an unsecured one.
Author: Joe Welker, CISA (New Philadelphia office)
Looking for more information on how you can keep your business environment safe? Check out these blog posts:
eBay Inc. recently recommended its users to change their passwords. Why? If you guessed there was a cyberattack on one of eBay’s databases, you are correct! Cyberattacks have been in the news almost daily, and unfortunately they seem to be increasing in number. While companies are busy trying to stave off any attacks, there are ways you can protect yourself.
Treat Passwords With Care
Like with other items, you should consider your passwords to be sensitive material. Treat them no differently than you treat your credit cards. Make sure your passwords are secure and change them regularly – as often as four times a year, or sooner if you believe it has been compromised.
A standard eight-character password with moderate security can be hacked within two to four hours. In comparison, passwords or passphrases of 12 characters with high complexity would take 17,000 years to breach.
8 Tips To Keep Your Passwords Strong and Safe
Here are eight tips and best practices you can implement to help keep your passwords strong and safe:
- Use passphrases instead of passwords or a string of characters and digits. Passphrases can be easier to remember. For example: “Myd0gisSamm@”
- Use upper and lower case letters, numbers and special characters in passphrases.
- Never use complete words within a passphrase.
- Change passphrases routinely.
- Never share passphrases with others.
- Be cautious of shared computers that do not have current virus detection programs installed on them, such as hotel data centers, publicly used computer kiosks.
- Change passphrases after using a shared public access computer.
- Use two-step verifications when available.
Password and IT Audit Help
Need some additional advice on how to create strong passwords that will protect you and your business? Contact Rea & Associates. Our IT audit professionals can help you determine where you can strengthen your IT security.
Author: Joe Welker, CISA (New Philadelphia office)
The Internet is a powerful tool – something that can make our lives (and businesses) easier. But it also can be our worst nightmare at times. If you keep up on the news, you may recall within the past few days hearing something about “Heartbleed.” No, this isn’t the name of a new rock-n-roll band. It’s the latest threat to your security on the Internet. News sites started reporting on this newest Internet threat earlier this week. But as more and more has become known about this Internet defect, it’s becoming clear that everyone with an online identity needs to be concerned about it.
Heartbleed is an exploit that basically allows malicious users to run a tool that will gain them access to a Web server and provide them with usernames and password from that server. What can this defect potentially affect? Every website on the Internet. Bank websites, social media sites, online merchant sites … the list goes on.
Within the past couple days, a Heartbleed defect was discovered that allows hackers to access chunks of a server’s memory that could contain Personally Identifiable Information (PII). Sites that integrate a Secure-Socket Layer (SSL) encryption certificate are now at risk of this new defect.
Steps For Protecting Your Online Identity
So what should you do to protect you and your business from this risk? Follow these steps:
- Take inventory of all of your online accounts and make a list of your accounts.
- Before changing your online passwords, contact the businesses of any accounts that may have SSL certificates to ensure that the company has issued new certificates. To check the “grade” of an SSL-secured site, you can visit Qualys SSL Labs website and input the URL of the site you’re checking. Sites are graded (A through F) on how secure they actual are.
- Change your passwords for each of your online accounts.
- Clear your Web browsers’ cache, cookies and history. Check out this ZDNet article for step-by-step instructions on how to do this.
- Closely monitor your bank and credit card statements to make sure there’s no unusual or suspect activity.
- If you receive emails or other online communication that promises a solution to your Heartbleed woes, don’t buy it. These communications are more than likely spam connected to dangerous malware or pointing you to malware. Heartbleed is a very complex online security threat, and there’s not a simple, quick fix for it.
Need Advice On Protecting Your Online Identity?
Following the steps outlined above will hopefully help lessen your chances of becoming a victim of identity theft and fraud. If you have questions or need additional guidance on how to protect your business, contact our IT audit professionals at Rea & Associates.
Author: Joe Welker, CISA (New Philadelphia office)
Looking for other blog posts about protecting your business’s online identity? Check these posts out:
You may find that your business relies heavily on the technical support provided by third-party hardware and software providers. But have you ever considered whether your vendors have direct access to your business’s internal IT network without having to gain permission from someone within your business? If you’re not positive about how to answer, then it’s probably time to do some digging to see if that’s the case or not. It’s possible that your vendor(s) has access to your business’s sensitive data and devices. Read the rest of this entry “
You’ve probably heard by now about the Target data breach, but just this week other retailer data breaches during the 2013 holiday season have become known. In light of these broad, major data breaches, this is a great time to ask yourself: When was the last time you evaluated your business’s IT network? If this has been an area of your business that you’ve let slide, then let it slide no more! Read the rest of this entry “
We live in an ever-increasing digital world. And with that comes risk – and lots of it. The number of stolen debit/credit card numbers continues to grow every day. Today’s news story about how nearly 40 million Target customers had debit or credit card information stolen is the most recent example of the kind of risky, digital world we live in. Read the rest of this entry “
The end of the year is near, and it’s easy to get caught up in the excitement of the holidays. But don’t let that be an excuse to forget about your entity’s security and information technology (IT) operations. As you close out your year, here are seven areas and tips that can help you strengthen and further secure your entity’s IT environment – and keep you off Santa’s naughty list! Read the rest of this entry “
If you missed it… you should know that Microsoft recently announced that effective April 8, 2014, it will no longer release any security patches or extend support for its Windows XP operating system. You may be thinking, “So what?” Well, if your organization is running its IT systems on Windows XP, your organization could open itself up to security issues. Furthermore, if your organization is in the healthcare industry and using Windows XP, it could be held liable and found non-compliant with Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) laws. Read the rest of this entry “