TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Top Seven Network Attack Types So Far In 2015

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

There’s no doubt that small businesses are under attack from hackers and cyber-criminals. Typically, small companies have less secure networks and looser security standards, making them easy targets.

The latest Threat Report from McAfee Labs details the types of attacks against small businesses. The chart shows the most common network attacks detected in Q1 2015.

Denial of service attacks – 37%
A denial of service (DOS) attack attempts to make a resource, such as a web server, unavailable to users. These attacks are very common, accounting for more than one-third of all network attacks reviewed in the report.

A common approach is to overload the resource with illegitimate requests for service. The resource cannot process the flood of requests and either slows or crashes. [Read more…] about Top Seven Network Attack Types So Far In 2015

The Basics Of HIPAA Compliance

Michael Menor is Vice President of Support Services for Tech Experts.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that created national standards to protect the privacy of patients’ medical records (including electronic records) and other personal health information.

The legislation makes organizations and individuals who collect and manage personal healthcare data legally liable for its security, including health care providers, health plans, health clearinghouses and business associated with any of these. Consequences of negligence and misuse of private information can include civil and criminal penalties.

As a result of HIPAA, the Department of Health and Human Services created specific regulations for the handling of Protected Health Information (PHI), including electronic or digital forms (ePHI). HIPAA has two main sets of requirements related to privacy and security.

The HIPAA Privacy Rule governs the saving, accessing and sharing of health-related and other personal information, either oral or written.

This rule defines the guidelines safeguarding the confidentiality of PHI. Standards for identifying and authenticating people and organizations requesting PHI are outlined in this rule.
The HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically.

This rule primarily focuses on the technological measures used to enforce policies keeping ePHI out of the wrong hands. Failing to comply with these rules can result in penalties for not only organizations, but for the responsible individuals.

Any entity that deals with protected health information must make sure that all the required measures are established and continuously observed — physical (actual data center server access), network, and process security (audits, policies and staff training).

While the legislation is clear on the privacy, security, and accessibility requirements for organizations, over 91,000 violations were recorded between April 2003 and January 2013. These resulted in 22,000 enforcement actions (which included settlements and fines) with 521 referred to the US Department of Justice for criminal investigation.

HIPAA Compliant Best Practices
1. Review and evolve your policies and procedures. HIPAA is not a “set and forget” proposition; compliance must be a living, changing process that is regularly audited for effectiveness and legality. A lot has changed since 1996 and organizations’ policies must reflect those changes.

2. Accessibility rights are as important as rights to privacy. HIPAA gives patients certain control over their healthcare information, including the right to access it on demand and the right to revoke authorization to store their data. Organizations must act quickly when patients ask for their PHI.

3. If you store your data with a third party hosting provider, make sure that they are HIPAA compliant. The Security Rule hands down many stringent administrative, physical and technical requirements for such providers. Make sure that a full-scale risk assessment of the provider is performed on a regular basis and that a process is in place for monitoring compliance.

Apply common sense to your technology platforms. Shut down computer programs and servers containing patient information when not in use, and don’t share passwords among staff members.

The US Department of Health and Human Services has found that storing patients’ information in a HIPAA compliant cloud server can be safer than using a localized server or paper documents, so consider this option for increased security.

A HIPAA violation can be as small as a health care worker discussing a patient’s private health information in the elevator or as large as a $1.2 million fine for not erasing PHI from photocopier hard drives before returning them to the leasing agent.

More than ever, common sense and sound corporate governance must be applied to the technologies and processes that manage confidential data. Protecting that data will protect clients and the organization as well.

Documenting Business Processes

Scott Blake is a Senior Network Engineer with Tech Experts.

Documentation is quite possibly the most important aspect of a business, but it can also be workers’ least favorite task to do. The average person doesn’t want to spend time writing down how they do something — they just want to do it and move on.

Can you guess the biggest reason for documenting your business processes? It may come as a surprise, but it’s also the most fluid part of your business: your employees.

Employees come and employees go and some just take vacations. It’s what they do in between that’s important. Every employee is responsible for some part of your daily business.

Whether an employee quits or just needs time off, having documentation that lists the software used with usernames and passwords, step-by-step instructions on how to use the business software, client and vendor contact information, and credit card information makes their absences that much easier to deal with.

Well-documented processes will cut down on the time it takes to train a new employee.
Give the related information to the new employee and let them use it as a guide for their daily activities. This will allow your other employees to spend more time on their tasks and assignments instead of spending the majority of their time answering routine questions that a documented process could answer.

Order-of-operation questions and disputes can be minimized as well. If there ever comes a time when your employees are unsure of the next step or there is a dispute between departments on how to proceed, they will only need to look over the documented processes in question to resolve the issue.

Having documentation that shows in detail how long it takes to produce a product will also help your sales force deliver your product to your customers.

It allows your sales and marketing departments to understand the timelines of production.

This knowledge will let them know when a product order can be delivered and if the amount can be fulfilled in the timeline requested by the customer. There will be no more over or under promising of delivery dates to customers.

Put trust in the documents, not the person. No one person should be trusted with remembering processes without documenting them. What if this employee quits or becomes ill and is unable to return to work?

For example: You have an employee that works in your IT department. This employee’s job is to monitor and resolve any network related issues. While doing his daily tasks, he discovers it’s time to change the passwords on the business networking equipment such as the router, managed switches and domain admin password.

While the employee doesn’t think twice about it and may have mentioned it to his manager, there was nothing ever documented. Now, four months later, the employee falls very ill and is unable to return to work. What do you do?

The best way to document your business processes is to document them in such a way that all contributing employees have access.

You could use online tools such as Google Docs or Microsoft SharePoint. This way, whenever a process is changed, amended, or removed, the documentation is instant and available for all to see.

After a while, you will have an impressive collection of documented procedures. Having documented information available for employees to read can also start the flow of constructive questions and comments why things are done a certain way and how they can be improved.

If you have questions or you’re looking for suggestions on documenting your processes, call Tech Experts at (734) 457-5000.

Three Sure-Tell Signs Your Hard Drive Is Failing

Under ideal conditions, the average stationary hard drive lasts five to ten years. With the growing use of external drives and laptops that are toted around frequently and exposed to damaging elements, that life span shrinks to between three and five years.

Consequently, it is important to watch for indications that your hard drive is failing, so you can back up all of your valued files and data. Here are three signs that it’s time to act:

Slowed Operation and Freezes
You should immediately back up the contents of your hard drive when you notice that freezes and display of the blue screen become the norm.

It is even more imperative to do so, if these problems continue in Safe Mode or after a fresh installation of your operating system because that’s an indication that hard drive failure is imminent.

Corrupted Data
When it becomes problematic to save or open your computer’s files and you start getting error messages about corrupted data, you should know that your hard drive is failing.

As a hard drive’s functionality gradually wanes, this is a common problem, so act fast to ensure your business and personal data stays intact and safe.

Presence of Bad Sectors
If your hard drive has bad sectors, or areas incapable of maintaining data integrity, you may not immediately notice the problem.

The presence of such sectors is a grave problem and tells that your hard drive is in its final strides.

To check your hard drive for bad sectors, run a disk check with the options to automatically fix the problem and attempt recovery of files.

Coming Of “Edge:” Microsoft’s New Browser

Up until now, Internet Explorer’s successor has been secretly referred to as Project Spartan during Microsoft’s development stage. At the Microsoft Build 2015 Developer Conference, the project name was finally announced as the company’s newest browser: Edge.

The name was already familiar to those in the know because Project Spartan’s page-rendering engine was known as Edge, but now the name has been elevated to describe the product as a whole.

For those who have had difficulties with Internet Explorer, this new browser is long overdue, but Edge should turn their frowns into smiles because it is much faster and more compatible with modern web standards.

Edge joins its competitors, like Firefox and Chrome, in the use of extensions and actually uses the same JavaScript and HTML standard code.

This means that Microsoft’s new browser can easily adopt its competitor’s extensions. In fact, Joe Belfiore, Microsoft’s VP of Operating Systems Group at Microsoft, demoed a couple of extensions at the conference. However, you won’t see the extensions feature in Windows 10 until later this year.

Cortana, Windows 10’s Siri-like virtual voice assistant, makes an appearance in Edge as well. When needed, Cortana shows up in a blue circle in the browser’s toolbar to relay pertinent information related to the landing page, such as directions to a local business or contact information.

Edge users can also summon Cortana for assistance and extra info by right-clicking on text selections to find out more.

Another Edge feature is the new-tab page, a remnant from Internet Explorer with a few tweaks. When Edge users open a new tab, the page displays thumbnail icons for the most frequently visited sites. It also allows users to reopen closed tabs and makes many suggestions for apps and videos and facilitates access to weather or latest sports scores.

Edge also provides the option to view pages in a reading mode free of distractions such as images and advertisements. Users can even make annotations, such as highlights and notes, on webpages for sharing or storing as an image. Microsoft’s new browser also comes with coding support and will function the same across all platforms. Until Edge is formally released, users can test it on non-critical PCs by downloading Windows 10 and joining the Windows Insider Program.

How Can You Use Google Trends For Small Business?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Google Trends is a tool that has been around for a while, and has great potential for improving exposure and sales for businesses. It is entirely free to use, and its simplicity makes it accessible to virtually anyone with basic computer knowledge.

Here are some specific ways in which you can use Google Trends to enhance your small business practices:

Brainstorming Topics
For instance, if your business website contains a blog, it’s common to quickly run out of content ideas that will not only interest your readers but also tie into the products or services your business offers.

Choose a phrase that describes a broad idea for a blog post, and Google Trends will show you how popular that phrase is and also suggest related topics. With one simple search, you could potentially come up with ideas for dozens of different blog posts, and relevant content is the best way to build your business website. [Read more…] about How Can You Use Google Trends For Small Business?

Data Breaches And The Building Blocks Of Cyber Security

Michael Menor is Vice President of Support Services for Tech Experts.

The data breaches at Target, Home Depot, Staples, Michaels, Anthem, and Sony Pictures Entertainment are just the tip of the iceberg and the stakes are very high. They’re costly for both businesses and customers and once the breach is announced, customers often terminate their relationship with that business.

You may ask, “What constitutes a data breach?” It is an event in which an individual’s information, including name, Social Security number, medical record and/or financial record or debit card is potentially put at risk. This can be in either electronic or paper format. The data set forth in this article is based on Ponemon Institute’s “2014 Cost of Data Breach Study.” Ponemon conducts independent research on privacy, data protection and information security policy.

New methodologies developed by the National Institute of Standards and Technology (NIST) and other industry standards bodies, such as the Department of Health and Human Services (HHS), are being implemented by many organizations, but best practices for addressing cyber security threats remain vague.

So what can be done to minimize cyber security threats? An effective starting point is to focus on the following essential building blocks of any cyber threat defense strategy.

Most organizations rely on tools like vulnerability management and fraud and data loss prevention to gather security data. This creates an endless and complex high-volume stream of data feeds that must be analyzed and prioritized. Unfortunately, relying on manual processes to comb through these logs is one of the main reasons that critical issues are not being addressed in a timely fashion.

Implementing continuous monitoring, as recommended by NIST Special Publication 800-137, only adds to the security problem as a higher frequency of scans and reporting exponentially increases the data volume. Data risk management software can assist organizations in combining the different data sources, leading to reduced costs by merging solutions, streamlining processes, and creating situational awareness to expose exploits and threats in a timely manner.

One of the most efficient ways to identify impending threats to an organization is to create a visual representation of its IT architecture and associated risks.

This approach provides security operations teams with interactive views of the relationships between systems and their components, systems and other systems, and components and other components. It enables security practitioners to rapidly distinguish the criticality of risks to the affected systems and components. This allows organizations to focus mitigation actions on the most sensitive, at-risk business components.

Effective prioritization of vulnerabilities and incidents is essential to staying ahead of attackers. Information security decision-making should be based on prioritized information derived from the security monitoring logs. To achieve this, security data needs to be correlated with its risk to the organization. Without a risk-based approach to security, organizations can waste valuable IT resources mitigating vulnerabilities that, in reality, pose little or no threat to the business.

Lastly, closed-loop, risk-based remediation uses a continuous review of assets, people, processes, potential risks, and possible threats. Organizations can dramatically increase operational efficiency. This enables security efforts to be measured and made tangible (e.g., time to resolution, investment into security operations personnel, purchases of additional security tools).

By focusing on these four cyber security building blocks, organizations can not only fulfill their requirements for measurable risk reporting that spans all business operations, but also serve their business units’ need to neutralize the impact of cyber-attacks.

These methodologies can also help improve time-to-remediation and increase visibility of risks.

The Reality Of Microsoft EOL Software

Scott Blake is a Senior Network Engineer with Tech Experts.

As in life, all good things come to an end. This fact is also true in the software world. When a software company decides to move on from outdated versions of its software they schedule an EOL or End of Life date.

This is set to allow businesses and home users time to plan and ready themselves to upgrade to the most recent versions.

With 90% of the world’s computers running some form of Microsoft software, no other company in the world has more of an impact when setting EOL dates than Microsoft.

From Office software suites to operating systems for desktops and servers (and even cross platforms such as Office for Apple-based computers), Microsoft software is everywhere.

This alone is the number one reason for preparing and upgrading before an EOL date is upon you. There is no greater example of this as when the EOL date for Windows XP arrived.

Companies that made the migration to Windows 7 well in advance were able to test their company software and hardware, as well as communicate with their vendors to secure working upgrades to both. Those that didn’t suffered productivity and business loss due to unneeded and unplanned downtime to make the necessary upgrades and changes.

But for the basic home user, this was a time of doubt. Many users didn’t want to (or have the means to) replace all of the outdated hardware or software.

Spending several hundred dollars on new software and hardware just to be able to receive security updates and patches seemed a little excessive to most home users.

However, keeping security and your data safe is another reason to make sure you make migration plans.

In most cases when an EOL date has come and gone, so has any and all support for your software and hardware. Other software and hardware vendors will soon follow suit and discontinue support for their products that are installed on systems running non-supported software, including operating systems.

Anti-virus software companies are usually the first to discontinue their support. After all, if the operating system is no longer receiving updated security patches, it becomes difficult to continue to support their software.

Computer systems running EOL software will become major targets for hackers and malicious malware. Your personal data will be at risk.

The truth is it’s not the intent of companies like Microsoft to be malicious when ending support for their products.

No matter how popular they may be throughout the world, it’s a business decision. For any company to grow, they must keep developing and growing their products.

This development and growth is expensive and requires a large percentage of their resources. Continuing to support outdated software and hardware would limit these resources.

This would cause development overhead to rise and, in turn, make that $39 inkjet printer cost $89 or raise the price of that $119 operating system to $199.

By ending support and moving forward, companies such as Microsoft are able to develop new and exciting hardware and software for both the largest of companies and the smallest home user while keeping prices affordable to all.

Some important future EOL dates to keep in mind:

July 15, 2015
The end for support for Microsoft Server 2003 and 2003 R2

April 10, 2017
The end of support for Windows Vista (all versions)

October 10, 2017
The end of support for Microsoft Office 2007 (all versions)

January 14, 2020
The end of support for Server 2008

October 13, 2020
The end of support for Microsoft Office 2010 (all versions)

Security Tips To Keep Your Mobile Phone Secure

We’ve all seen the stories about celebrities getting their mobile phones hacked and having their private photos splattered all over the web.

Although you may think there is nothing of real interest on your phone, you are still at risk of security invasion. Any number of people could have motive to do so from exes to a colleague who perceives you as a threat, and even innocuous content on your phone can be taken out of context to reflect negatively on you in general.

Use some of these simple tips to protect your mobile phone and reputation:

Passwords
Your passwords are your primary defense against would-be hackers – from your lock code to email account password. Don’t share your passwords with others. Also, make sure your passwords aren’t easily guessed, such as your pet’s name or child’s birthday.

A secure password may not be as easily remembered, but it is far harder to hack. Finally, shield your phone’s screen when entering passwords in public lest onlookers take note of which buttons you push.

Clear Out the Cobwebs
In addition to creating more storage space on your mobile phone, it is just wise to remove old text conversations, photos, and other data periodically.

Back up the things you want to keep onto other devices, so you can access them later. With all of the excess stuff you don’t use on a regular basis gone, you leave less for hackers to work with if the security of your mobile phone is breached. In the event of being hacked, you would also likely lose all of those things, so backing such info up protects you twofold.

Beef Up Security
Take advantage of the lesser-known security features of your mobile phone. For example, turn off the Discoverable mode on your Bluetooth.

Look on your phone under Security to see if there are already included options, such as an automatic lock screen that activates after a certain period of inactivity.

There are also applications you can download to increase the level of security on your phone, including apps that allow you to access and control your phone remotely in the case of loss or theft.

Major Microsoft Windows Vulnerability Discovered

Microsoft recently released details about the newest vulnerability (MS15-034) in the Windows HTTP stack’s armor. With other recent problems in Microsoft patches, the problem may have been downplayed a bit to save face. This vulnerability, however, is more serious than it initially seemed.

The MS15-034 vulnerability is widespread. Although Windows servers are most at risk, this problem affects most products that run Windows. The chink in question lies in the HTTP.sys component, which is a kernel-mode device driver that processes HTTP requests quickly.

This component has been an integral part of Windows since 2003 and is present in all versions up to Windows 8.1. This means that any device running Windows without up-to-date patches is at risk.

It isn’t difficult to exploit this vulnerability. The only thing Microsoft is divulging about how MS15-034 can be used to compromise devices is that it requires “a specially crafted HTTP request.” It seems that this information is deliberately vague.

All one has to do is send an HTTP request with a modified range header, and access to data is granted, although sometimes limited. A similar attack was documented in 2011 on the Apache HTTPD Web server that was later patched.

There is good news though. As in other areas of life, prevention is far more effective than trying to deal with a problem’s aftermath. It isn’t difficult to protect your devices from the MS15-034 vulnerability.

The first step is to ensure that your server has the latest updates that include the patch to fix the problem.

If your server hosts a publicly accessible application, you can verify your server’s vulnerability by going to https://lab.xpaw.me/MS15-034, enter your server’s URL, and press the Check button for an instant report on your site.

If you then see the report that the website has been patched, you’re safe; otherwise, that particular system will need to be patched.