TechTidBit – Tips and advice for small business computing – Tech Experts™ – Monroe Michigan

Brought to you by Tech Experts™

Security

The Real Risks Of Running Outdated Software

December 12, 2014

Michael Menor is Vice President of Support Services for Tech Experts.

Are you still holding onto your trusty old server that’s aging towards uselessness?

Or perhaps you are still running important applications on older servers with old operating systems because they’re “good enough” or “doing the job just fine.”

In many ways, your old server is like a trusty old car. You know where the kinks are and it gets you where you need to go.

But lurking below the surface of that trusty old car, and your old server, can be hidden risks that can result in very big problems, even dangers. Usually, when least expected.

Security risks are the number one danger of older technology. The older your operating system or application, the longer the bad guys have to find and exploit vulnerabilities.

This is especially true when the manufacturer is no longer actively maintaining support. Dangers can lurk across the entire aging application platform.

Your older versions of SQL Server are at risk. Perhaps you are still using an old FTP server that’s innocently sitting in the corner. Or you have some older network equipment and appliances.

The bottom line is anything that listens on the network is a potential threat to the server, and therefore your business.

If that software or firmware isn’t up to date, you’re doubly at risk of a major security incident.

Here are the top 5 risks you’re taking with running outdated software:

Crashes and system downtime
Aging systems are more vulnerable to failure, crashes and corruption causing significant downtime.

Targeted technology upgrades can reduce total annual outage risk and reduce downtime.

Increased costs
Outdated software is more expensive to maintain than newer versions. Failing software increases costs by overloading IT personnel. The process of applying patches is also costly and time consuming.

Updated software portfolios not only decrease maintenance costs but also free up IT budgets for more strategic and innovative programs.

Decreased productivity
Aging software applications that crash or require maintenance result in reduced employee productivity.

Modernizing software increases productivity by improving the efficiency and quality of work.

Security holes
Mission critical software is more vulnerable to security breaches as it ages. A security breach can compromise sensitive customer and employee information, and proprietary company data.

Legal and regulatory compliance risks
Updated software ensures compliance with governance, regulation and policy as regulatory bodies continue to mandate new global requirements.

This is especially important for healthcare professionals that need to comply with new HIPAA regulations.

With older technology, any of the above risks can strike you at any time. The consequences can be loss of productivity, or worse, loss of critical data that negatively impacts your business.

Perhaps “good enough” isn’t really good enough after all.

(Image Source: iCLIPART)

The Human Factor In Network Security

December 12, 2014

Scott Blake is a Senior Network Engineer with Tech Experts.

As you’re aware, disaster can manifest in many forms. In the past, we have included articles about weather-related events and how to best prepare your business against disasters.

However, there is another type of disaster that’s unlike flooding or fires that can also have devastating effects on your business.

The Human Factor
When it comes to safeguarding your business both physically and virtually, you have the power and controls available to give you the edge against company espionage, cyber-attacks, or absent-minded employees.

It comes down to three basic areas: Software, Hardware and People. Once you have a firm grasp and control over these areas, you will have reduced your risk level considerably.

Software
Make sure all of your company’s electronic devices – from company-owned smart phones, tablets, laptops, workstations and servers – are running anti-virus and have a firewall in place.

While some devices are easier to secure and manage than others, this is a critical area, so be sure to make the best attempt to cover all your devices.

Be certain that your data storage devices are running backups and the backups are indeed good. As an added form of protection, encrypt your data being stored, making sure you save the key offsite as well.

That way, if your data is compromised through either internal or external access, it will be very difficult to use the data that was stolen.

The size of your company and the amount of sensitive data you have will dictate the frequency of your backup schedule. Remember, it never hurts to be overprotective when it comes to your data.

Hardware
Have security/firewall devices in place. Make sure they are fully configured for your business and that the firmware is up to date.

A lot of security devices add increased measures through the firmware updates.

They often have the ability to fully lock down your internal network as well. Restrict Internet access to only websites necessary for your business operations.

If your business offers Wi-Fi access for either internal use or guest use, make sure that controls are in place to limit access to your company’s internal network. The best precaution is to place the guest Wi-Fi on a completely separate network.

While Exchange mail servers can increase overhead, they will also add a level of increased security to combat against viral infections being delivered via email and attachments.

I’m sure everyone is well aware of Crypto-Locker and its variants. The majority of Crypto-Locker infections were delivered through infected PDF files sent as attachments.

People
By nature, humans are (and will always be) the most random aspect to safeguard your business from. It is vital that you run full background checks on any employee that will be given access to sensitive data or hardware.

Restrict the use of portable media such as flash drives and external hard drives while employees are working on or in the server room. Some companies may go as far as banning all portable media devices entirely.

Be proactive in actively monitoring your employees and watch for any changes in behavior, appearance, attitude and tone of speech. These can all be signs something is wrong.

If you have questions or you’re looking for suggestions, call Tech Experts at 734-457-5000, or email us at info@mytechexperts.com.

IT Policies Companies Under HIPAA Regulations Must Have

November 30, 2014

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health act) have been around for quite some time. Even so, many companies covered by these laws are way behind when it comes to implementation. When you really think about it, even companies not covered by these laws should have the requisite policies and procedures in place.

Access Control Policy
How are users granted access to programs, client data and equipment? Also includes how administrators are notified to disable accounts.

Security Awareness Training
Organizations must ensure regular training of employees regarding security updates and what to be aware of. You must also keep an audit trail of reminders and communications in case you’re audited.

Network Security And The “People Problem”

November 30, 2014

Michael Menor is Vice President of Support Services for Tech Experts.

Security teams that focus on what is already happening and the layers of defense being breached are constantly in reactive mode.

Reviewing reams of data produced by technology – firewalls, network devices or servers – is not making organizations more secure. With this approach, the team fails to prevent breaches or respond in a sufficiently timely way.

Instead, the addition of more data and more complexity perversely prevents achieving the end result: protecting sensitive information.

The significant breaches of today are executed by people infiltrating the organization and attackers are doing this by assuming identities or abusing insider privileges.

There is a gap between the initial line of defense (the firewall) and the company’s last line of defense (the alerts received by the security team and their following analysis.)

Tracking user activity, especially connections between suspicious behaviors and privileged users, would allow organizations to close this gap.

True understanding of identity has the ability to cut through the overwhelming explosion of data that can render security organizations blind and unable to respond to real threats or even detect if they are under attack.
It is time to incorporate identity into the organization’s breach prevention strategy and overall security. We have to stop accepting a gap approach to security, which is usually focused on data and devices rather than people. In light of the budding perimeterless world, identity will increasingly be the primary factor that matters to the security team.

Identity data is pervasive, yet typically absent from the security world view. For security organizations, our corporate identity (the personal identity elements we bring to our corporate environment) and our behavior are aggregate details essential in building a picture of what is happening within – and beyond – the corporate perimeter.

Together, they offer deep context to inform the security team of the appropriate response to potential threats and real attacks.

The critical piece in this approach is the security organization’s ability and capacity to understand the full scope of identity: who the person really is behind any given device and whether they are behaving abnormally.

This is particularly helpful when identifying attackers that have managed to acquire privileged user credentials.

Identifying Normal Behavior
One way to reduce the scope is to focus on the highest risk identities first. If you accept that the greatest risk comes from people inside your organization that can access sensitive information – known as “privileged users”, which can also include non-human accounts that may have access – then the correct steps are as follows:

1) Reduce the number of privileged users/identities and accounts.

2) Limit the privileges any one user has to systems and applications necessary to do their job.

3) Integrate the identities of privileged users into security and risk monitoring to spot behavior that may indicate a breach.

Closing the Gap
As more and more of the computing environment breaks outside of the control of central IT organizations, spearheaded by the move towards BYOD (or Bring Your Own Device), the ability to recognize who a user actually is and what is normal for them becomes a foundational part of effective security monitoring.

Without such identity-powered security, security teams will continue to struggle to differentiate whether the events they are monitoring are worth a reaction and that hesitation allows attackers to execute more and more damaging data breaches.

Furthermore, security teams will continue to operate in reactive mode and fail to prevent breaches or respond in a sufficiently timely way.

If identity is a central component to security management, then security teams will be in a better position to understand the behavior of users and will spend far less time trying to identify the meaning behind the events they are seeing.

People will continue to be our biggest point of exposure and with a keen focus on user behavior and activity, we will be in a much better position to limit the impact of breaches.

Security Tips For Your Smart Phone

November 30, 2014

Today it is fairly easy to carry out business tasks using smart phones. Emailing, browsing the Internet and even creating or editing documents is now a breeze.

So technically, smart phones are now carrying a large amount of sensitive data that needs to be protected. Not only are smart phones subject to the same threats as PCs, but they are also quite easy to misplace and lose.

Here are a few tips that will help you mitigate some of these security risks:

Screen lock the phone
Whenever you leave your phone unattended, lock your smart phone to require a password or PIN code, or set it to lock after a few minutes. This will prevent unwanted access and will protect your data in case the phone is lost or stolen.

Enable remote device wipe
Check if your phone allows the memory-wipe function in case it is lost or stolen. Some phones have this feature embedded, but most others will require that you download an app and potentially pay for the service that goes with it.

Apply system updates
From time to time, smart phone vendors, mobile carriers, or hardware manufacturers update the operating systems on their phones. These updates usually include useful and necessary security-related improvements.

Turn off Bluetooth discovery mode
Many people leave their smart phones on Bluetooth-discovery mode around the clock. On some phones, this feature is set by default; however, check your phone and make sure it is disabled when you are not using it. Failing to do so, your phone will constantly be discoverable to others and allow people to connect to your device without prior authorization.

Install mobile anti-virus
Malware purveyors are increasingly targeting smart phones. It is now important to use anti-virus software for your phone just like you would do for your PC.

This is particularly important for Android devices as they are built on an open platform susceptible to malware.

Are You Ready For Windows Server 2003 End Of Service?

October 31, 2014

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Next July will mark the end of Windows Server 2003 Extended Support. What does that mean for you if you’re a current owner of Server 2003?

It means that there will be no more security patches or updates, putting your whole business at risk of new threats or viruses as well as potential performance problems due to incompatibilities with newer software and applications.

The bottom line is that if your business still uses Windows Server 2003 you will need a plan soon. Analysts are estimating that 10 million machines are still running Windows Server 2003 and that they will soon be stranded, especially those serving regulated industries as they will need to maintain the security and confidentiality of these servers.

For these reasons, it is important to look into the needs of your business.
Here are a few considerations: [Read more…]

Tips To Protect Your Business PC From Malware

October 31, 2014

Michael Menor is Vice President of Support Services for Tech Experts.

In today’s online world, technology users are essentially in a state of near-constant attack. Almost every day, there’s a new data breach in the news involving a well-known company and, quite often, fresh rules for protecting personal information are circulated.

Because of malware in email, phishing messages, and malicious websites with URLs that are one letter different from popular sites, employees need to maintain a high level of awareness and diligence to protect themselves and their organizations.

Phishing activities are especially pervasive, including attempts to steal users’ credentials or get them to install malicious software on their system. The astonishing success rate of phishing attacks makes them a favorite.

Why? More than 70% of people will follow the link to a phony website and, of those that followed the link, 30%-50% will routinely give up their usernames and passwords.

Many like to think of the network perimeter with all its firewalls and other fancy technologies as the front line in the cyber war, but the truth is there’s a whole other front.

Every single member of a company’s staff who uses email or the Internet is also on the front line and these people are generally considered a softer target than hardware or software. It’s simple: if the bad guys can get an employee to give up his or her user credentials or download some malware, they can likely waltz right past the technological controls, basically appearing as if they belong there.

When using a computer for personal functions, a user generally has to have the ability to install software and modify the system configurations. Typically, such administrative functions are not available to all users in a corporate environment.

As a result, even if an organization has made an effort to improve a system’s security, a user doing work on a personal computer has the ability to disable and circumvent protections and has the privileges to allow for the installation of malware.

As companies migrate toward a world of bring-your-own-device policies, some companies are developing strategies to help address these risks. But, as a rule, using a work computer for personal reasons or doing work on a personal computer (or tablet or smartphone) can significantly increase the threat level that an employer has to protect itself against.

To help their organization protect systems and data, employees need to implement some smart web browsing habits. Smart web browsing means engaging in the following activities:

Beware of downloads
Malware can be hidden, not just in applications or installation programs, but in what appear to be image and video files also. To limit the likelihood of downloading content that contains malware, only download from reputable sites. With sites that are not a household name, take the time to do a little research and see if other people have had issues.

Additionally, be sure that antivirus software is set up to automatically scan downloads. Or scan downloads manually, even when receiving them from name-brand sites, as it is not unheard of for infected files to make their way onto otherwise legitimate web sites.

This is especially true for file-sharing sites where the site owner cannot control every piece of content a user may place there.

Be wary of deceitful sites
Those running sites already breaking the law by illegally distributing copyrighted materials — like pirated music, movies or software — probably have no qualms about including malicious content in their downloads or stealing information.

Many popular web browsers today have built-in functionality that provides an alert when visiting a website that is known to be dangerous.

And if the browser doesn’t give a notice, the antivirus software may provide that function. Heed the alerts!

Employees need to protect their devices from online and in-person threats. Start by keeping the company’s system patched. Configure it to automatically apply updates or issue notifications when there are updates and then apply them as soon as possible. This doesn’t just apply to the operating system.

Keep all installed applications updated; sometimes this takes a little extra work.

Remember, the challenge of security is that the bad guy needs to find only one hole in a security system to get past it, so fix them all. Think of it as putting dead bolts on doors, but leaving the basement window wide open.

To that end, security professionals like to debate the usefulness of today’s antivirus software. And it’s true that malware continues to become more sophisticated and harder to detect. But it always amazes me how old some of the malware running around is. As a result, use antivirus software and keep it up-to-date.

Also, use a software firewall, either the Windows firewall or one provided in an antivirus package. This is especially true for laptops connected to public wireless access points at hotels or coffee shops, but it also applies to home systems. It just provides that extra layer of defense.

And finally, please, don’t ever give passwords to anyone. Be vigilant and question anything new, especially emails and forms in the web browser that request work credentials, no matter how nicely the request is made.

Considerations When Buying A Home Wireless Router

October 31, 2014

Choosing and buying a router for your wireless internet at home can be a frustrating experience; you want speed, performance and coverage as well as longevity in the life of your upgraded router.

It’s not an easy task if you add to it the complexity of all those numbers attached to the router and the knowledge required to install it.

So, here are a few considerations that will help you choose your next wireless router:

What’s the end goal?
Ask yourself: why am I buying a router? If it’s simply to build a wireless network at home and have access to the Internet, you could probably get away with a router at under $200.

However, if you want extra features, such as added security, parental controls, the ability to connect USB printers, and added external storage drives for data sharing, you need to search for a higher end router.

Also, you may not even need to have a wireless router in your house, especially if you use a PC or laptop that is already connected to a cable or DSL modem and there are no other devices that need to be connected wirelessly to the internet.

Should you go for a single or dual band?
Bands are the frequencies in which wireless communications operate. A single-band is geared toward simple wireless networks and a dual-band router operates on both the 2.4 and 5 GHz frequencies.

Although a router that sustains the 5 GHz frequency will work great for gaming and online streaming, it is not as good as the 2.4 when it comes to distance. So, consider the distance you need to cover when choosing the required band.

Further considerations
When buying your next router, remember that soon enough the 6th version of the Internet Protocol (IPv6) will be here, so you will need a router that supports this transition.

Another consideration is extra features that a router may offer, such as SD card slots and USB ports for printers for example.

If you want to future-proof your investment, make sure you get an 802.11 AC router, which is fast becoming the standard in wireless networking.

Finally, even with home networks, the more security, the better!

Convenience And Security: The New Face Of Two-Factor Authentication

July 31, 2014

Michael Menor is Vice President of Support Services for Tech Experts.

Security may be part of an IT professional’s daily world, but these days consumers are just as concerned about protecting their privacy online. It’s no surprise that many businesses are trying to boost their brand image and differentiate themselves from their competitors by promising superior security.

Yet there’s one security action that many of them could take and don’t: two-factor authentication. We all know that online authentication issues can cost both businesses and consumers a high price through cyber-attacks, online fraud and identity theft.

Two-factor authentication has always been a strong solution in mitigating these attacks. By offering secure login, it protects company reputations and provides consumers with an added layer of security during online purchases, personal banking and other digital transactions.

So why aren’t more organizations implementing it? In a word: inconvenience. Businesses are afraid of annoying their buyers by demanding multiple passwords or asking them to take an extra action that might spur them into abandoning the sale.

In a landscape where catering to customer wishes is a common business mantra, risking customer irritation seems dangerous. After all, this is the digital age where consumers expect everything to go faster and smoother and easier online, whether they’re checking email, watching a video or doing their holiday shopping.

Of course, it’s also the age of digital crime. Two-factor authentication might seem user unfriendly at the outset, but ultimately it’s in the consumer’s best interest.

Still many organizations, including those with sensitive information to protect, hesitate to use it. I ran into this recently during a security discussion with a financial institution.

When one of its top executives and I discussed ways to protect their customers online, I asked if the company used two-factor authentication. The executive shook his head and told me the business didn’t want to inflict that “inconvenience” on their customers.

It’s a classic quandary that many organizations find themselves in: they want to offer their customers the utmost in digital security, but worry that if they make that security too complicated or inconvenient, they won’t have customers to protect.

Caught between the Scylla of risk and the Charybdis of inconvenience, these organizations have mostly chosen to forgo two-factor authentication and accept the risk on behalf of their customers.

Luckily there are some new innovations that are solving this very issue, including a unified two-factor authentication protocol in the works, and technologies that manage to sidestep the inconvenience issue.

Next Gen Authentication
It’s worth noting that two-factor authentication is required by the Payment Card Industry Data Security Standard (PCI DSS) for secure remote connectivity.

This is understandable, when you consider the rising number of website and retailer breaches where the hackers obtain buyer addresses, credit card numbers and other highly sensitive information.

But two-factor authentication isn’t just for eCommerce and financial institutions. As the digital health movement surges in popularity, it can be an excellent safeguard for patient Web-based apps as well.

In fact, two-factor authentication looks more and more like a smart security measure for pretty much any process that requires user authentication.

There may be plenty of password-cracking tools on the market, but in theory, even a successful crack won’t get a hacker into an account – not with the second form of authentication stopping him. This is why two-factor authentication continues to be an ongoing quest for many innovative companies out there.

Take OAuth, a popular protocol that provides a reference architecture for universal strong authentication across all users and devices over all networks. There are also cloud-based tools that seamlessly integrate into existing application login workflows using a robust API that works with smartphones and multiple platforms.

Not all two-factor authentication tools are perfect, of course. SMS-based techniques such as texting to reset passwords are compromised on a regular basis, either through malware on the phone or other vectors.

Ultimately hardware is the safest way to go, as seen in several clever two-factor solutions. For instance with some tools, users log in with their usernames and passwords, then activate their second factor by pressing a button on a USB device, which quickly enters a one-time password that is usually only good for a matter of seconds.

Each previous password is invalidated, so that even if a hacker records it, it’s worthless for all future access. Some of the hardware is engineered to work with NFC-enabled smart phones, allowing mobile security without the risk of traditional SMS two-factor authentication.

From cumbersome to convenient
It should be obvious by now that the face of two-factor authentication has changed. The days of burdensome multiple login steps and passwords are over. New two-factor technologies offer speed and convenience to users; brands can assure customer safety during online payments and activities without requesting additional action.

In short, it’s the kind of layered security demanded in these attack-prone times. Let’s hope organizations will look beyond the more primitive two-factor offerings of the past, and embrace new technologies that can provide customers with the protection they deserve.

Seven Smart Tips To Secure Your Business Network

June 30, 2014

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Hackers are constantly on the lookout for digital data they can use to make a profit, either by stealing money electronically or by selling the information to third parties.

Therefore, it is important to protect your precious data; here are seven tips to get you started:

Policies
Your staff is the front line of defense against hackers. Human error is one of the leading causes of data security breaches, so you need to have policies in place to ensure your employees are promoting the security of your network while working.

Strong passwords
People generally opt for simple easy-to-remember passwords that hackers can easily crack.

A simple “dictionary attack” (using an automated tool that uses a combination of dictionary words and numbers to crack passwords), is sufficient to uncover many passwords.

On the other hand, coming up with a complicated password and saving it to your computer as opposed to writing it down is a simple but very effective way to prevent hacks.

Multi-factor authentication
It is highly advisable to establish multiple layers of technology dedicated to security that you would apply to all your devices, including desktops, mobile devices, file servers, mail servers and network end points.

Multi-layered security blocks hacking attacks and alerts you to any problems beforehand so you can take the appropriate measures.

Data encryption
Encryption is yet another great security tool that you can use to protect your data. For instance, if your hard disk is stolen or your USB drive is lost, anyone trying to access your data would be unable to read it if it is encrypted.

Backup
Security makes up half of your data protection, while a proper backup strategy makes up for the other half.
Even with great security, you need to be able to recover your data if you have a failure. Back up often, and remember to test the backup regularly.

Audit
You need to identify the vulnerable areas of your network or which data needs to be protected.

Your entire IT infrastructure, including your computers, mobile devices and network should be audited by a professional IT specialist to determine the appropriate steps to prevent hackers from accessing your data.

Managed services
Managed services are an alternative and highly-effective approach for achieving the best possible security, including backup and recovery.

Many small businesses are unable to adequately meet the daunting and expensive task of securing their data.

With a managed-service provider specialized in data security, you get the benefit of professional services and skills without having to hire an in-house security expert, thus cutting on costs. In addition, you get access to the latest security technology and support professionals.

Copyright © 2025 Tech Experts™ · Tech Experts™ is a registered trademark of Tech Support Inc.