
Hardware Firewalls Strengthen Cyber Security Protection [Updated for 2018]

Does your organization or small business have a firewall?

The answer is “yes,” right? If you use the internet, you’ve got to have a firewall! Don’t computers come with them?

Our 2017 audit of St. Louis small businesses found that, while most of the businesses and organizations we surveyed did in fact have a hardware firewall, 100% were not operating optimally. According to a 2018 Sophos whitepaper, 84% of survey respondents agreed that lack of effective application of firewalls was a serious security concern.

A number of businesses think their answer to the firewall question is “yes,” but after investigation, the real answer is revealed to be “not at all” or “only a software firewall.”

Unfortunately, lack of firewall awareness is a trend that continues into 2019.

Firewalls, one of the most important facets of digital security, are often misunderstood and frequently taken for granted. In computing, a firewall is not a wall meant to confine fires within a building, but a digital wall meant to segment networks and protect sensitive information.

Are you beginning to wonder about the state of your firewall? The rest of this article will serve as a brief primer on firewalls, including six questions to ask your IT division or managed services provider to discover just how well that firewall is doing its job.

Hardware Firewall vs. Software Firewall

With hackers, viruses, ransomware and malware compromising computer systems worldwide, every small business needs a hardware firewall. Firewalls provide enhanced IT security to protect your technology from attack, blocking unauthorized access while still allowing legitimate users access to the systems and data necessary to perform their jobs. They are an essential part of any properly designed IT protection plan.

But why a hardware firewall?

The problem with software firewalls is that they exist on the same network where sensitive data is stored. A hacker hitting this firewall has already penetrated your network. Yes, the software firewall does offer limited protection for a single computer, but it is nowhere near enterprise-grade. A hardware firewall, on the other hand, is a completely separate piece of hardware that stands guard at the perimeter of the network and prevents access.

Once you can confidently answer “yes” to having both a hardware and software firewall in place, keep your business safe by asking the following six questions about your firewall.

Six Questions about Your Firewall

  1. Is my firewall really protecting me?

Anderson Technologies performs an infrastructure analysis at the start of every new client engagement, and we’re surprised by the number of businesses vulnerable to cyber security risks. This is often due to the lack of a firewall (when the business owner thinks they have one) or insufficient and/or out of date configuration of an existing firewall, which results in inadequate protection of systems and data.

  2. Can it handle the latest security threats?

Because new cyber security threats are developed and launched every day, your firewall’s firmware needs to be continuously updated. It should be checked on a regular schedule to confirm that the manufacturer’s security patches have been applied and that the device is protected against the latest threats.

  3. Is my firewall monitored?

Firewalls are not a “set it and forget it” device. Ongoing monitoring of a security appliance like a firewall is vital to understanding what kind of threats your business is exposed to and how often intrusion attempts are made. Knowing if and when your system is under attack allows you to marshal the proper response. Monitoring provides this valuable insight.

  4. Does its configuration both protect my vital systems and allow my employees to do their work efficiently with minimal interference?

Many firewalls are installed with limited configuration and too often are set to the manufacturer’s defaults. This can lead to cyber security vulnerabilities, unnecessary exposure, and business risk. Firewalls must be configured for the particular business environment they are being installed within to provide maximum security with optimal functionality.

  5. Is my firewall running effectively?

Blocking malicious attacks requires a firewall to perform many system-intensive background tasks. It needs enough processing power to not only handle the internet provider’s speeds but also efficiently run necessary protection processes while maintaining optimal performance. If your firewall is older, it could actually be causing a “bottleneck” on your network and slowing down your business’s productivity.

  6. Is my firewall equipment up to the task?

Not all hardware firewalls are created equally! Some manufacturers garner industry recognitions and awards for their security technology and constant innovations while others do the bare minimum. The latter companies lack enterprise-level support and fail to update their hardware to protect against the latest evolving threats. Make sure you have the right equipment to protect your business.

If you can answer these six questions positively, your firewall is likely performing well and protecting your systems and data from attack. If not, we’d love to help. If you suspect your business is vulnerable to attack and would like assistance analyzing options and developing a secure firewall solution, schedule a consultation by contacting us or calling 314.394.3001.


HIPAA Part 2: Diving Deep into the Security Rule

In our first HIPAA article, we offered a little history on the Health Insurance Portability and Accountability Act and a general overview of how the Privacy and Security Rules evolved from it. In this post, we’re going deep into the murky depths of the Security Rule from a business standpoint.

HIPAA’s Security Rule may seem daunting at first, especially if you’re not an IT expert, but you don’t need a degree in computer science to understand the standards it establishes. At its core, the HIPAA Security Rule is about knowing what data you have, assessing the people and technology handling it, and finding where problems could arise. Survey, assess, plan, implement, and—most importantly—repeat. This is an easy way to think about and manage the requirements laid out in the Security Rule.

What Is the Security Rule?

The Security Rule sets the standards that entities creating, using, or transmitting electronic protected health information (ePHI) must implement in order to “ensure the confidentiality, integrity, and availability of ePHI . . . protect against any reasonably anticipated threats and hazards . . . [and] protect against reasonably anticipated uses or disclosures of such information not permitted by the Privacy Rule” (NIST). If you can imagine it happening to you, then you have to protect against it.

Confidentiality, Integrity, and Availability

The Security Rule uses this phrase throughout. It’s a key tenet of its purpose, but what exactly does it mean to ePHI?

  • Confidentiality: Don’t allow anyone without proper permission to access ePHI, as described in the Privacy Rule, to see it.
  • Integrity: Ensure that the ePHI created, maintained, or transmitted isn’t altered in any way.
  • Availability: Ensure those with permission are able to access ePHI when they need it.

A quick way to think of these is “Don’t Show. Don’t Change. Can Use.” Keep these goals in mind when implementing the standards set forth in the Security Rule.

Understanding the Security Standards

The Security Rule consists of 18 security standards divided into three sections: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Some of those security standards contain implementation specifications (36 in total), which provide more detailed instructions on what needs to happen to fulfill the security standard. The Security Rule designates these implementation specifications as either required or addressable.

Important! Do not confuse addressable with optional. All implementation specifications must be handled, but those marked as addressable may not be suitable for all businesses managing ePHI. Each business must assess its own situation to determine whether an addressable implementation specification is reasonable and appropriate. Once assessed, the business has to ask itself:

  • Is the specification reasonable and appropriate? Implement.
  • Is the specification not reasonable or appropriate? Implement an alternate solution that would be.
  • Are there no reasonable and appropriate ways to implement the specification? Do not implement.

All assessments and justifications for not implementing a specification as stated in the security standard must be fully documented.

Reasonable and Appropriate

This is another phrase that appears throughout the Security Rule. Since the Security Rule affects a wide variety of businesses, it was designed with flexibility of approach in mind. Many of its standards and implementation specifications explain what needs to be done but not how to do it. How is left up to the individual business to determine based on its use of ePHI and its environment.

The security standards general rule §164.306(b)(2) explains that when “deciding which security measures to use, a covered entity must take into account the following factors:

  1. The size, complexity, and capabilities of the covered entity.
  2. The covered entity’s technical infrastructure, hardware, and software security capabilities.
  3. The costs of security measures.
  4. The probability and criticality of potential risks to electronic protected health information.”

Flexibility, scalability, and technology neutrality are key features of the Security Rule that allow businesses of any size or function to use the same standards and adjust accordingly to the evolution of technology. It’s important to note that cost alone is not enough of a justification to not implement a security standard. All factors need to be considered together when dealing with addressable specifications.

Security Standards

Before diving into the nitty-gritty of each security standard and the implementation specifications, evaluate what your business already has in place. Some of the requirements may be satisfied by the current security infrastructure. Read all the security standards once to get a feel for what you need to be assessing, then take the time to determine what measures, policies, and hardware already protect your ePHI. Knowing where you stand can save you time and stress while working toward HIPAA compliance.

Below we’ll address each section in a high-level overview and mention some of the important standards you should be aware of. This won’t be a step-by-step breakdown of all the standards and implementation specifications. For that, the Department of Health and Human Services (HHS) produced the HIPAA Security Series papers, which are extremely helpful, as is National Institute of Standards and Technology’s (NIST) An Introductory Resource Guide for Implementing the HIPAA Security Rule.

Administrative Safeguards

Administrative Safeguards make up more than half of all the standards in the Security Rule; however, this is also where many of your current systems might already be established to satisfy the requirements with little to no alterations.

The standards and implementations categorized under Administrative Safeguards involve the process of planning, selecting, and managing a business’s protection of ePHI. This includes, but is not limited to, emergency preparedness plans, policies and procedures, contracts, and employee management and training.

This category is all about knowing what you have, planning for the future, and making sure everyone in the company knows how to enforce the confidentiality, integrity, and availability of ePHI. It’s not enough to simply implement these systems, though. Everything must be documented, accessible to all who need it, tested and reviewed periodically.

Important Standards to Note

Security Management Process §164.308(a)(1): This is the very first standard, and for good reason. Its implementation specifications require a risk analysis and continuous risk management. The information gathered in these steps will help with many of the other standards. The risk analysis can highlight areas of deficiency in your security that might otherwise appear only when a malicious actor finds and exploits it.

There is no single correct way to perform a risk analysis because all businesses have differing needs. If you are looking for where to start, there are many useful guides outlining the risk assessment process. The HHS’s HIPAA Series includes Basics of Risk Analysis and Risk Management, and Appendix E in NIST’s Introduction provides risk assessment guidelines. For a more comprehensive look at risk assessments, NIST also produced a Guide for Conducting Risk Assessments.


Workforce Security §164.308(a)(3) & Security Awareness and Training §164.308(a)(5): These two standards have seven addressable implementation specifications between them. These deal with verifying that employees have the correct access to ePHI according to the duties they perform, and that they are informed on how to protect themselves and ePHI from cybersecurity threats. They also deal with how management handles adding new employees and removing employee access as job duties change or if the employee leaves the company. Both management and employees are responsible for protecting ePHI, but they must be given the knowledge, tools, and policies to do so.

Contingency Plan §164.308(a)(7): This standard includes the creation or revision of several different emergency preparedness plans, including a Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan. Besides preparing both management and employees in what to do, who needs to do it, and where resources are in the event of an emergency, this standard also helps assess what hardware or software is critical to the confidentiality, integrity, and availability of ePHI. This allows better prioritization and distribution of limited resources. Such precise knowledge is especially important in facilities that provide direct patient care.

Physical Safeguards

Physical Safeguards deal with the facility, hardware, and other physical mechanisms necessary to protect ePHI, as well as the policies and procedures that regulate them. These can range from locks on doors or security guards in times of disaster to employees logging off before leaving a workstation. If a person could walk into your office and access ePHI, the Physical Safeguards handle how to appropriately plan your security measures according to your needs.

Important Standards to Note

Device and Media Controls §164.310(d)(1): Given the portability of data in the daily functions of modern business, it’s vital that any movable media containing ePHI be strictly logged, tracked, and disposed of when no longer needed. Even one lost USB drive containing ePHI is a breach of the Security Rule. This standard relates to all types of removable media, including laptops, flash drives, CD/DVDs, hard drives, and portable backups. It also deals with the re-use of these materials within the office, which first requires the proper removal and destruction of all ePHI.

Technical Safeguards

Technical Safeguards deal with the technology used to create, access, transmit, and protect ePHI, as well as the policies and procedures that govern it. The Security Rule remains intentionally vague on the specific technology used to fulfill these standards to allow for advances in technology and the changes in security needs against new cyber security threats. This flexibility is also what allows a variety of businesses to handle ePHI and still comply with HIPAA’s Security Rule.

Technical Safeguards address aspects such as user access, hardware and software use, transmitting ePHI digitally, and encryption for various purposes. The Risk Analysis and Risk Management specifications from the Administrative Safeguards are especially useful in determining the technological needs and policies to enforce.

Important Standards to Note

Integrity §164.312(c)(1): This standard refers directly back to the key phrase confidentiality, integrity, and availability discussed earlier. It’s not enough to protect ePHI from being accessed or transmitted improperly; ePHI must also be protected from improper tampering or destruction of data. Wrong or incomplete information can have drastic effects on patient lives and care, so the ability to authenticate the validity of ePHI is a vital part of its security.

Monitor and Update

A vital part of the Security Rule is not only performing assessments and creating policies but implementing them so all employees are aware of and following the rules. Systems should be in place to verify that employees receive the necessary training in ePHI security procedures and understand the consequences of not following the policy. Reassessment of policies and re-training of employees should occur periodically so outdated procedures can be re-written for the current threat environment. Cyber threats are ever evolving, and so too should be ePHI cyber protections.

While the Security Rule may feel a bit daunting, many of its requirements are best practices for any business. Knowing exactly what data you handle, how it’s processed, and who needs access to it provides you with an informed view of your business’s operations. Having a written and tested Disaster Recovery Policy, Contingency Policy, and Continuity of Operations Plan will save you time, money, and stress should an emergency occur.

If you have any HIPAA related questions or need help implementing the Security Rule’s technical standards, contact Anderson Technologies at 314.394.3001 or info@andersontech.com.

Infected? A New Phishing Attempt for 2018

Even managed service providers receive scam emails and phone calls.

These serve as a reminder that education on phishing, scareware, and ransomware is an ongoing process, one that even IT experts need to stay sharp on.

But let’s assume you aren’t an IT expert. How can you best determine the validity of these messages and if they have malicious intent?

As with any learning process, practice is important. You may want to start with our phishing quiz. Know where you stand with gut instinct and some important clues.


Can you spot the phish? Take our phishing quiz to find out.

Whether the attempt is made by email or phone, there is always something just a bit off about a phishing attempt. The phisher may use some accurate personal information—like your name, or the fact that you have Yahoo! email or an AT&T phone account—to see if you’ll take the bait.

It is easy to panic at the threat of suspension or an overdue bill and put aside any unease because of the urgent matter apparently at hand. This is exactly what phishers and scammers hope will happen.

The goal of these calls or emails is to collect even more information about you, fleshing out a profile for future scams, which the phisher can sell to other scammers, or—the jackpot—to collect banking or credit card information and cash in.

Because these phishes do have some truth mixed in, many do fall victim.

False Blackmail

It might sound like an episode of Black Mirror—in fact, the tactics used in this blackmail email are eerily similar to those dramatized in a recent episode of the Netflix series depicting fictional futures—but scammers are now using direct emails as a method to extort information or Bitcoin from unsuspecting users.

About a month ago, Mark Anderson, Principal of Anderson Technologies, received a blackmail email scam. “As you could probably have guessed, your account was hacked, because I sent message you from it,” the scammer began in broken English. They first boasted by showing an unencrypted old password—probably acquired from Yahoo’s 2013 data breach.

The email continued to outline the threat. “Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we’ve created.” This virus, they suggested, gave them access to “messages, social media accounts, and messengers.” This apparently wasn’t enough intimidation for most scam victims, because the email then amped up the threat.

Users all over the internet report similar threats; the scammer creates a scenario that, if true, would serve as ample motivation to give in to their demands. The scammer says that video of the user was recorded while visiting “adult websites,” and that, unless 700 dollars is transferred to the scammer’s Bitcoin wallet within 48 hours, this footage would be released and they would “show this video to your friends, relatives, and your intimate one…”

So, with a relatively low payout amount, and a previously accurate (but very old) password, how did Anderson know this threat was a scam? He knew what they’d accused him of was false, not to mention he didn’t have a webcam as they’d suggested. But other clues included:

  • While the email appeared to be sent from Anderson’s old account, this can be accomplished through spoofing.
  • The password they listed was not the current (or even recent) password for that account.
  • Broken English isn’t always a giveaway but combined with the generic threat, it seemed like a form letter.
  • Googling some of the email text brings up threads of other users exposing the scam. We’ve censored some of the less savory aspects of the original email, but the full text and breakdown can be read online.

If you receive this email or a similar threat, your first step should be to research the threat online or reach out to an IT expert. Never pay a blackmail demand, ransom, or other request for money. Instead, update your passwords, run anti-virus and anti-malware scans on affected devices, and consider implementing multi-factor authentication on your accounts in order to bolster your security profile.

Are you looking for an IT expert to help guard your small business from scams like this? Contact Anderson Technologies by phone (314.394.3001) or email (info@andersontech.com) today.

Get Hip to HIPAA!

Even if you’ve never worked in the healthcare industry, you’ve probably heard of HIPAA. An appointment to get your teeth cleaned comes complete with a slew of forms that include your rights according to HIPAA.

But can you explain what HIPAA is and why that form is necessary? We often sign and date and move on, knowing it relates vaguely to what our care provider can do with our private health information.

HIPAA includes a lot more than you may realize, and if you work with Protected Health Information (PHI), especially electronic Protected Health Information (ePHI), understanding HIPAA is crucial. This article is the first in a series discussing what HIPAA is, understanding the Privacy and Security Rules, and analyzing HIPAA compliance standards.

What Does HIPAA Stand for?

If you’re not exceptionally familiar with this acronym, you may think it stands for the Health Information Privacy and Accountability Act. That seems reasonable given how the everyday person is exposed to it. In fact, it stands for the Health Insurance Portability and Accountability Act.

That doesn’t sound so familiar, does it? HIPAA was enacted in 1996 not with the intent to protect people’s privacy, but instead to regulate and simplify the health insurance industry. According to the official HIPAA language, the objective of this government regulation is:

To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

Essentially, Congress wanted to make health insurance cheaper and simpler by reducing administrative costs and creating a standard method that everyone related to the health insurance industry could adopt. So where does all this privacy and security regulation come into play? The requirement “to simplify the administration of health insurance” triggered everything.

In the Administrative Simplification section of HIPAA, the Act requires that the rights of individuals relating to the use and disclosure of their health information be clearly explained and that standards are set for the electronic exchange of health information. These two subsections, privacy and safeguards, would later be addressed in what is now referred to as the Privacy Rule and the Security Rule.

The Privacy Rule

The Privacy Rule went into effect in 2000 and has been amended several times. It lays out the standards and guidelines for how PHI in all forms—verbal, physical, or electronic—can be used and disclosed. The Privacy Rule is the reason you know the acronym HIPAA at all.

Thanks to the Privacy Rule, health care providers, insurance companies, and their business partners must follow the same rules regarding health information. Individuals have the same right to access and the same expectation of privacy from all entities according to the guidelines in the Privacy Rule. PHI can include:

  • identifiable personal information,
  • any medical or mental health condition diagnosed during the lifetime of the individual,
  • any treatment or procedure performed in the lifetime of the individual,
  • payment information relating to health care,
  • and any identifiable or medical information that the individual wants restricted.

The Privacy Rule is also the reason you must sign that form stating you understand your rights according to HIPAA. Being informed that you have the right to privacy is part of your legal rights. There are exceptions to these rules, such as life-threatening emergencies, court orders, and release of information authorizations, but all are directly addressed and specified within the rule.

Ultimately, the HIPAA Privacy Rule sets the standard for each patient’s right to privacy regarding their PHI. Thanks to the Privacy Rule, PHI is automatically considered confidential in almost all circumstances, and it also explains under what circumstances PHI may be shared.

The Security Rule

The Security Rule is a little different. It first went into effect in 2003 and, unlike the Privacy Rule, relates only to ePHI. The Security Rule established the safeguard standards everyone dealing with ePHI must follow to be HIPAA compliant. Compliance means all ePHI is stored, processed, and transferred in a way that ensures patient privacy. While it doesn’t dictate specific implementation steps, since each company’s use of and needs around ePHI are different, anyone dealing with ePHI must address each specification.

HIPAA began as a way to simplify health insurance procedures and make those handling health information more accountable to every citizen’s rights about their private health information, and its effects have been far-reaching. For anyone dealing with PHI, the requirements can appear daunting at first, but with a trusted IT partner, HIPAA compliance means any and all health information will be safe in your hands.

Look for our next HIPAA article, which will discuss the Security Rule in more detail. Until then, you can contact Anderson Technologies’ expert consultants for help navigating HIPAA compliance by calling 314.394.3001 or emailing info@andersontech.com.

MFA – An Extra Layer of Digital Protection

What do logging into Netflix from a new device, updating your PayPal account, answering questions about your first car before accessing your iTunes, and withdrawing money at an ATM all have in common? Authentication!

The National Institute of Standards and Technology (NIST) creates guidelines for passwords and the software that requires them, which Anderson Technologies has previously discussed. Technology is still changing to adopt these standards, so it is up to us to take cyber security into our own hands—and that includes business security practices. The most commonly used and overlooked of these measures is password safety and authentication.

Hackers are great at keeping up with technology, so as consumers and business owners, we must keep up with it as well to stay safe. Multi-factor authentication (or MFA) has been around for years, and it’s so common that we take advantage of it more than we might realize. MFA remains one of the strongest defenses surrounding our digital lives.

What Does MFA Look Like?

You’ve probably already encountered MFA without realizing it. Any website that utilizes verification codes or emails is using a form of MFA. A task as simple as changing your Apple ID requires MFA to confirm the new information. IT Glue describes instances of MFA that don’t involve technology at all, like showing government ID to verify your identity.

MFA as it applies to your business’s safety most often takes the form of software that requires a user to provide two forms of evidence proving they are authorized to access the system. This includes security codes, verification emails, security questions, and biometric software. However, it is not necessary to contact your bank or insurance company to initiate MFA. Applications like Google Authenticator or Authy can be attached to countless logins by connecting your account information.

What does this look like for the user? Validated access to your account (your email, for example) is established with a unique QR code or numerical key that securely connects your mobile device. From that point forward, logging into the site requires not just your standard user name and password but also a randomized six-digit code available only on your device. This code refreshes every 30 seconds for even greater security. Many sites that store confidential data—think Intuit or IT Glue—require connecting your account login with an MFA application of your choice.

Some sites and servers have their own internal methods of verification, and other MFA methods may require special hardware. These are useful for businesses and organizations that use specialized systems to access confidential databases. This includes cashiers logging into their retail system or technicians scanning an ID card to pull up your file during a dentist visit.

What Are the Benefits of MFA?

Once hackers get their hands on your login credentials, it’s easy to mine data from your other accounts. MFA acts as a barrier to the hacker by assuring the identity of the user attempting to log in. If you use a secure method of authentication like Touch ID or Face ID on your smartphone, it’s impossible for an unauthorized user to authenticate using your device unless they have your fingerprint or face.

MFA is beneficial for companies who have employees on the go or working remotely. Using multiple layers of authentication allows remote employees to securely access encrypted data from unfamiliar networks and devices.

What Are Some Challenges to Integrating MFA?

Resistance to change is one of the tallest hurdles when integrating MFA into your business networks. Though MFA usually uses devices your employees already have (like their smartphones and watches), the extra steps needed to gain access can seem superfluous. Some people see MFA as inconvenient or time consuming; however, this is rarely the case when using simple applications.

MFA goes hand-in-hand with the Zero Trust security model, an approach that requires authentication at every step of the login process. New security concepts can be challenging to introduce in the workplace, but like all new plans of action, eventually the multiple verifications will become second nature. Your company will greatly benefit from knowing all data is secure.

You and your employees may find it valuable to coordinate with a managed services provider when integrating MFA to internal networks, especially if your needs require special enterprise-grade hardware. An IT support team can provide training to ease the transition for your employees, some of whom may be hesitant or feel they don’t have the time to properly implement MFA.

With a little practice and an IT team behind your business’s transition, MFA doesn’t have to be intimidating or bothersome—and the benefits are great. For more information on how to keep your business safe using MFA, contact Anderson Technologies today at 314.394.3001.


Are You Ready to Go Phishing?

Phishing and spear-phishing emails are an ever-present problem to businesses, and the criminals are only getting better at fooling people. Understanding and being able to spot phishing and spear-phishing emails is a vital part of employee training at Anderson Technologies. But reading about how to spot them and actually spotting emails are different things.

Worse yet, the phishing websites those email links go to often appear legitimate, right down to having the secure lock icon in the browser. In their 2018 1st Quarter Report, the Anti-Phishing Working Group notes that “more than a third of phishing attacks [reported to them] were hosted on web sites that had HTTPS and SSL certificates.” They attribute this in part to the fact that consumers believe they can trust all HTTPS sites, or they at least recognize a site without encryption asking for personal or financial information is not secure.

It’s vital to know whether an email is a legitimate business communication or a scam hoping to trap you, but how confident are you that you can tell? Take our quiz to see if you can tell the difference between a legitimate email and a fake one.

Are you an expert phisherman or just the phish taking the bait?

Hopefully you were an expert phisherman, but if not, it’s not too late to brush up on some basics.

  • Know what you’ve ordered and who your vendors are. If you didn’t order anything from the person, don’t trust their emails.
  • Always check the sender’s address before clicking on links or attachments, even if it looks like a company you trust.
  • Read the email completely before clicking links. Poor grammar or obvious spelling/branding mistakes are key signs of phishing emails.
  • If you’re unsure if an email is really from a company you trust, go to their website manually, not through a link provided in the email. If it’s real, you can look up the information through your account, and if not, you’ve just protected yourself.
  • Don’t panic! Urgent calls for action to avoid loss of service or legal action are meant to upset you. Don’t let them. Read everything carefully and verify there’s a problem by using the service mentioned or calling the company using the number on their website, not in the email.
  • If all else fails, Google it. These emails are widespread and a quick Google search will most likely bring up a hundred different people receiving the same fraudulent email.
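The sender, link and urgency checks in the list above can also be run mechanically. The following is an added example, not Anderson Technologies’ tooling: a small Python scorer over two constructed messages; the known-sender table, domains and sample emails are assumptions made up for the illustration.

```python
"""Added example: score a raw email for the phishing signs listed above.

Not Anderson Technologies' tooling. The known-sender table and the sample
messages are constructed; a real deployment would use the organisation's
own vendor list.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed: brands the organisation deals with and the domains they send from.
KNOWN_SENDERS = {"ups": {"ups.com"}, "paypal": {"paypal.com"}, "amazon": {"amazon.com"}}

URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|legal action|final notice|act now)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registered_domain(host: str) -> str:
    """Crude: keep the last two labels of a hostname (enough for the sample data)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(msg) -> list:
    """Tip 2: the display name claims a known brand but the address is from elsewhere."""
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    findings = []
    for brand, domains in KNOWN_SENDERS.items():
        if brand in name.lower() and domain not in domains:
            findings.append(f"display name mentions {brand} but address domain is {domain or 'missing'}")
    return findings


def check_links(html: str) -> list:
    """Tip 4: the visible link text shows one site but the href goes to another.
    An https scheme on the href earns no credit, matching the APWG observation
    quoted above that phishing sites routinely carry valid certificates."""
    findings = []
    for href, text in ANCHOR.findall(html):
        href_host = registered_domain(urlparse(href).hostname or "")
        shown = HOSTNAME.search(re.sub(r"<[^>]+>", "", text))
        if shown and registered_domain(shown.group(0)) != href_host:
            findings.append(f"link text shows {shown.group(0)} but goes to {href_host}")
    return findings


def analyze(raw: str) -> dict:
    """Combine the sender, link and urgency (tip 5) checks for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    findings = check_sender(msg) + check_links(text)
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        findings.append("urgent call to action")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample messages (addresses and hosts are placeholders).
SAMPLE_PHISH = """\
From: "UPS Delivery" <notice@ups-track.example>
To: you@example-corp.test
Subject: Package held: act now
Content-Type: text/html

<p>Your parcel is suspended. Confirm at
<a href="https://secure-login.example/ups">https://www.ups.com/track</a>
within 24 hours.</p>
"""

SAMPLE_LEGIT = """\
From: "UPS" <noreply@ups.com>
To: you@example-corp.test
Subject: Your shipment is on its way
Content-Type: text/html

<p>Track it at <a href="https://www.ups.com/track?id=1">https://www.ups.com/track</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw))
```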

If you’d like a refresher course on e-mail safety, contact Anderson Technologies to schedule an employee cyber security training seminar. Reach us by email at info@andersontech.com or by phone at 314.394.3001.

Don’t Hold the Door Open for Cyber Criminals

Here in St. Louis, you’re likely to hear people saying they’re heading to Bread Co. for lunch, even if Panera is the sign above the restaurant. That’s because to St. Louisans, Panera will always be Saint Louis Bread Company. But recently, residents were relieved the St. Louis name wasn’t attached to Panera’s recent cyber security blunder.

On April 2, Brian Krebs of security news website KrebsOnSecurity broke the story that customer data from Panera’s loyalty program—including names, email and physical addresses, birthdays, and the last four digits of credit card numbers—was available through an insecure API on their website. Worse yet, Panera had been notified about the defect eight months prior in August 2017 and did nothing to resolve the problem.

Cyber security researcher Dylan Houlihan found the flaw in Panera’s API and, after confirming the extent of the problem, contacted Panera’s cyber security team. He notes that reaching out to Panera was difficult as there was no information available for who to contact if security holes were found. Panera’s response was less than stellar. In Houlihan’s detailed account of their communication, Panera’s director of information security, Mike Gustavison, was suspicious of him, and after receiving proof of the problem, took several days to reply that they would work to resolve it.

Except they didn’t.

Every month, Houlihan checked to see if the flaw was fixed, only to see that customer data was still unprotected. Finally, in April 2018, he contacted Krebs to make the matter public and force Panera to respond. They did. Within two hours Panera claimed they patched the problem.

Except they hadn’t.

Krebs continued to monitor the website and found that, while the information was no longer accessible to the public, if a member logged into their free Panera account, they could still exploit the flaw. He also discovered that it extended to other parts of Panera’s business, such as the catering website.

After the negative media coverage, Panera took down its website and patched the problem properly. In a tweet following the incident, Krebs estimates that up to 37 million accounts could have been made public because of this flaw. While there is no evidence yet that malicious agents accessed the data, this was still a terrible security breach.
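To make the two failure modes in this story concrete, here is an added Python illustration that is not Panera’s code: a customer-lookup handler in the three states described above (no authentication, a login requirement without an ownership check, and a proper ownership check). The records, field names and function names are constructed for the example.

```python
"""Added illustration of a customer-lookup API in three states: no
authentication, authentication without an ownership check, and a proper
ownership check. This is NOT Panera's code; records, field names and
function names are constructed, and each record is keyed by the account
id that owns it.
"""
from typing import Callable, Optional


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


# Constructed sample loyalty records keyed by owning account id.
CUSTOMERS = {
    1001: {"name": "Customer A", "email": "a@example.test", "card_last4": "1234"},
    1002: {"name": "Customer B", "email": "b@example.test", "card_last4": "5678"},
}

Session = Optional[int]  # the account id the caller logged in as, or None


def lookup_unauthenticated(record_id: int, session: Session = None) -> dict:
    """State 1, the original flaw: every record is reachable by anyone who
    supplies an id, with no login at all."""
    return CUSTOMERS[record_id]


def lookup_login_only(record_id: int, session: Session = None) -> dict:
    """State 2, the first 'patch': a login is now required, but nothing ties
    the requested id to the logged-in account, so any member can still read
    any other member's record (broken object-level authorization)."""
    if session is None:
        raise Forbidden("login required")
    return CUSTOMERS[record_id]


def lookup_owner_checked(record_id: int, session: Session = None) -> dict:
    """State 3, the proper fix: the record is released only to the account
    that owns it. 'Not yours' and 'does not exist' produce the same error so
    the endpoint cannot be used to confirm which ids are valid."""
    if session is None:
        raise Forbidden("login required")
    record = CUSTOMERS.get(record_id)
    if record is None or record_id != session:
        raise Forbidden("not found")
    return record


def exposes_other_members(handler: Callable[..., dict], session: Session) -> bool:
    """Can `session` (or an anonymous caller when None) read account 1002's record?"""
    try:
        handler(1002, session)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    for h in (lookup_unauthenticated, lookup_login_only, lookup_owner_checked):
        print(h.__name__, "anonymous:", exposes_other_members(h, None),
              "member 1001:", exposes_other_members(h, 1001))
```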

How Often Does This Really Happen?

It’s easy to lose the details in light of Panera’s poor response and subsequent inaction, but accidental data breaches from misconfigured hardware or software happen far more often than you might imagine.

  • March 6, 2017: River City Media left more than a billion email accounts exposed to the public, some with personal information. Also exposed were detailed records of their own illegal spamming activities. The problem—no password protection on the backups.
  • June 19, 2017: Deep Root Analytics left millions of Americans’ addresses, birthdays, phone numbers, and political views on a variety of topics open to the public. The problem—misconfigured user permission settings.
  • October 3, 2017: A National Credit Federation cloud storage bucket was found to be open to public access, revealing personal, credit, and financial information of tens of thousands of its customers. The problem—misconfigured user permission settings.
  • October 6, 2017: An Alteryx cloud storage bucket was found to be accessible to anyone with a free Amazon Web Services account. It exposed personal data, Experian marketing data, and US Census data for more than 123 million American households. The problem—misconfigured user permission settings.
  • April 9, 2018: A flaw similar to Panera’s was discovered in P. F. Chang’s rewards website. The problem—an insecure API.
  • April 23, 2018: After rebuilding their website following a ransomware attack, MEDantex’s new customer portal contained abilities intended only for employees, including accessing confidential patient records without authentication. The problem—a bug on the website.
  • May 17, 2018: LocationSmart’s demo feature was found to be able to track the location of almost any cell phone without the user’s consent. The problem—an insecure API.

What Does This Mean for a Small Business Owner?

These examples of private, financial, and personal information leaked unintentionally serve as a warning to all business owners. While there’s a sense of poetic justice that River City Media revealed their own criminal activities by forgetting to add a password, the truth is, not all data you could reveal belongs to other people. You can be a cyber threat to your own business.

Few businesses can run day to day without some amount of personal, customer, or vendor data stored either on their network or in cloud storage. The technicalities of properly configuring security for these electronic databases can be daunting, but even when things appear to be simplified for you, all it takes is one open port, one missing password, or one unsecured application for the door to your data to be left wide open.

This is why it’s vital for businesses to have their systems set up by IT professionals and to perform network security audits routinely to ensure both the hardware and the software are configured correctly. It’s not enough to simply hire an IT consultant once and assume your system is secure. Files get moved, employees are hired, and new hardware is installed—all leaving room for new settings to supersede old ones, or worse, be forgotten altogether. A network security audit performed at least annually gives you peace of mind that your cyber doors are tightly closed and locked.

What Should You Do to Protect Your Business?

While it’s crucial to know how to avoid opening the door to criminals, knowing how to respond to a breach is just as important. Here are a few simple steps you can take to avoid or address an accidental data breach.

  1. Hire IT professionals to set up all hardware and software. Your customers trust you to be the expert in your field, so trust the IT professionals to be the experts in theirs. Make sure all your hardware and software have been properly configured from the start.
  2. Perform annual network security audits. Just because you configured everything correctly, doesn’t mean it will stay that way. Your business changes all the time, so it’s best to check the doors and windows before someone else notices they’re open.
  3. Know your hardware. Many business owners don’t realize what’s in their hardware closet. Can you point to your hardware firewall with confidence? Are you certain it’s the correct type for your business? Ask an IT professional to review your hardware with you so you understand what you need and how it works. Doing so will improve your ability to spot potential problems.
  4. Have a way people can contact you about problems they find. One lesson learned from the Panera breach is how important it is that people can contact you with problems they’ve noticed. Many security researchers who find flaws due to misconfiguration just want you to know about the issue so it can be resolved. Make sure they can get in touch. Larger companies should have separate contact information specifically for security issues to keep them from being lost with other routine technical issues customers might have.
  5. Respond quickly to any problems found. Don’t wait eight months or for public embarrassment to sound the alarm before responding to an accidental data breach. If you act swiftly, your data may still be kept safe. In many accidental breaches, the problem was found not by criminals but by cyber researchers.

No company wants to find themselves in a situation like Panera’s, so make sure your network security is done right. If you’d like to learn more about configuring your systems or to schedule a network security audit, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.

When Phishing Strikes: The Tool Your Business Needs When Cyber Criminals Succeed

Email-delivered threats have increased drastically over the last few years. Even businesses with enterprise-level email services and employee training can fall victim to creative manipulation. To battle this, Anderson Technologies offers a solution that protects email when other systems fall short.

The Incident

Imagine turning on your work email to find a message from your biggest client. “If we get one more spam email from your accounts, we will stop doing business with you.”

How can this be? You pay for managed services, educate your employees on email security, and even recently upgraded your email services. How could something like this happen? Sure, your employees have received some suspicious-looking emails in the past, but there’s no way that could seep into your client interactions.

Except that’s exactly what happened to Intrante.*

According to Farica Chang, director at Anderson Technologies, the system administration team was able to trace the outgoing spam to a single “malicious phishing email that successfully executed code inside two employee Outlook applications.” The malware set up email rules that “hid its behavior from the users and began spamming everyone in their address books with email sent through their accounts.” Those emails not only went out to every internal company inbox but also to many clients and vendors.
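Mailbox rules that hide or divert mail, like the ones described above, are a reliable indicator that an account has been taken over. As an added example that is not Anderson Technologies’ tooling, here is a Python check over a constructed rule export that flags such rules; the rule fields are assumptions modelled loosely on what mailbox rule listings typically contain.

```python
"""Added example: flag suspicious mailbox rules in a rule export.

Not the MSP's tooling. Rules are modelled as dicts with the fields used
below, an assumption loosely based on typical mailbox rule listings.
"""
from typing import Iterable

# Domains considered internal for this example (constructed).
INTERNAL_DOMAINS = {"example-corp.test"}

# Folders attackers commonly divert replies into so the user never sees them.
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive", "conversation history"}

# Words that appear in complaints and bounces an attacker wants suppressed.
COMPLAINT_WORDS = {"spam", "hacked", "virus", "phishing", "undeliverable", "suspicious"}


def rule_findings(rule: dict) -> list:
    """Return the reasons a single rule looks like a concealment or diversion rule."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # Hiding: delete outright, or move into a folder users rarely inspect.
    target = (actions.get("move_to_folder") or "").lower()
    if actions.get("delete") or target in HIDING_FOLDERS:
        dest = target or "delete"
        reasons.append(f"diverts mail to {dest}")
    # Marking diverted mail as read removes the unread counter that might tip the user off.
    if actions.get("mark_as_read") and (actions.get("delete") or target):
        reasons.append("marks diverted mail as read")

    # Diversion: forwarding to an address outside the organisation.
    for addr in actions.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            reasons.append(f"forwards to external address {addr}")

    # Rules keyed on the words found in complaints or bounce messages.
    words = {w.lower() for w in conditions.get("body_contains", []) + conditions.get("subject_contains", [])}
    if words & COMPLAINT_WORDS:
        reasons.append("matches on words found in complaints or bounces")

    # Empty or placeholder names (e.g. ".") are a common sign the rule was not user-created.
    if rule.get("name", "").strip() in {"", ".", "..", "...", ","}:
        reasons.append("rule has an empty or placeholder name")
    return reasons


def audit_rules(rules: Iterable[dict]) -> dict:
    """Map rule name -> findings for every rule that has at least one finding."""
    out = {}
    for r in rules:
        findings = rule_findings(r)
        if findings:
            out[r.get("name", "<unnamed>")] = findings
    return out


# Constructed sample export: one benign rule and two resembling the incident.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from": ["news@vendor.test"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": ".", "conditions": {"subject_contains": ["spam", "hacked"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"name": "Sync", "conditions": {},
     "actions": {"forward_to": ["drop@mail.attacker.test"], "delete": True}},
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(repr(name), findings)
```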

Intrante couldn’t afford for this to happen again. Imagine this happened to you. What would you do?

The Response

Upon learning of the spam coming from Intrante’s accounts, senior systems administrator at Anderson Technologies, Luke Bragg, immediately took action. “The first thing we did was reset the passwords for the suspected accounts that were compromised,” he said, thus cutting off further access from cyber criminals. “From there we started digging into the accounts to see what other data or settings had been maliciously modified.”

Once the scope of the incident had been uncovered and repaired, Bragg and his team needed to implement a stronger email spam filtering solution to prevent a similar incident from occurring in the future.

He looked to the August 2017 study from SE Labs, which analyzed email threat protection services. This data made it clear—while many popular email services catch spam and phishing attempts, messages still slip through the cracks. Three email filtering services analyzed by SE Labs received their “AAA” rating: Mimecast, Forcepoint, and Proofpoint Essentials. While all three provided excellent coverage, only the last service achieved a 100% accuracy rating.

Proofpoint inspects both inbound and outbound emails. According to the SE Labs study, not only does Proofpoint quarantine or send threats to junk mail, it stops or rejects threats before they reach the user. If URLs are present in an email, Proofpoint’s system opens every link inside a controlled sandbox environment. “This action and analysis allows it to determine if the link is legitimate and safe before it releases the email to the recipient,” said Chang.

In addition to its stellar record, Proofpoint’s four subscription tiers also offer features that many clients of Anderson Technologies request. An Essentials Business account gives access to most of Proofpoint’s features, but the Advanced and Pro levels include email encryption (and along with that, HIPAA and PCI compliance) and social media account protection. Pro also offers a tamper-proof, off-site, unlimited (10 year) email archive.

With this distinctive solution, Anderson Technologies’ managed services team brought their answer back to Intrante.

Why Email?

According to Bragg, “email threats are extremely common, and probably one of the most targeted systems.” Email is the perfect delivery system for malware, spam, and phishing campaigns, all of which saw an increase in 2017, according to Symantec’s Email Threat Report. These threats are spread through email by bots, by entities with malicious intent, and by the actions (unintentional or intentional) of authorized users.

Even educated employees can miss the subtle tricks of an effective spammer.

Phishing emails may look and feel like they come from a well-known company, like Amazon, Apple, PayPal, or UPS. Frequently, these attacks ask the reader to “click here to log in to your account,” providing login information to a wolf in sheep’s clothing. These attacks are easy to mass generate and make money for the perpetrators even if only 1 in 100 falls for the trap.

According to Symantec’s Email Threat Report, “one out of every nine email users encountered email malware in the first half of 2017!” These emails typically offer an attachment disguised as an invoice or other important document. These may appear to be sent from other employees and may even be routed through their real email addresses.

Malware-spreading emails typically urge the reader to act NOW, inhibiting the thought process through urgency.

Another vulnerability tied to email is information hacking.

Even comparably low-value targets can provide lucrative information to hackers—information like other user names, passwords, client information, industry secrets, or proprietary data. Email is as insecure as a postcard. As long as it is only read by the intended recipient, your message is moderately safe. Even so, never send passwords, financial credentials, Social Security numbers, etc., in a plain-text email. Once in the wrong hands, unencrypted email is easy to read.

Don’t be fooled. “Even with additional layers of filtering and security,” says Chang, “there will always be malicious emails that get through. Teaching employees to be wary and practice caution is the best defense.” Take advantage of education services like free seminars, or Anderson Technologies’ free eBook on cyber security.

Email may be the perfect vehicle for bad actors to find their way into your network, but you and your business don’t have to be a victim. With spam monitoring and encryption services like those offered by Proofpoint, a mistake or foolhardy action doesn’t have to mean the destruction of your business.

Protect Today!

Anderson Technologies strives to ensure the IT products and tools it recommends are fully vetted and employed internally first. Principal Mark Anderson reports that after implementing Proofpoint Essentials, his junk email count has dropped by over 90%! Symantec’s Email Threat Report estimates the annual cost of the time one employee spends managing spam at $1,177.42.

Bragg recommends a layered approach to email security. The first layer is perimeter protection with a good hardware firewall that has additional malware and intrusion defense capabilities. From there, Bragg notes the importance of enterprise-grade anti-virus software on all workstations and servers. It is important that this software be closely monitored and updated to truly be effective. The final layer is spam filtering, and for that, Anderson Technologies recommends Proofpoint.

Of course, there is also user training, which is “challenging,” according to Bragg, “but necessary.” Even for businesses that are confident in their employees’ cyber security training regarding email, Proofpoint brings operations closer to a Zero Trust mindset, truly making your operations secure.

Are you interested in adding a spam filtering or encryption service to your business? Contact Anderson Technologies today! Email info@andersontech.com or call 314.394.3001.

*Names have been changed to protect the identity of the business and its executives.

Human Behavior Impacts Cyber Security

“The Russians Have Hacked into Our Computer…” – Human Behavior and Cyber Security

Here at Anderson Technologies, we’ve reported on a wide variety of topics to help keep you and your business’s technology safe from harm: breaking news on security breaches like the Equifax hack and KRACK, password security tips, the importance of firewalls, and many more. But sometimes preventing trouble isn’t about the hardware or software you deploy—it’s about your people.

We all know someone who has fallen victim to a phone or email scam. Many of us have received a desperate call from a friend or family member trying to undo an unknowingly self-inflicted intrusion on their personal or financial information.

A member of the Anderson Technologies team recently received this harried voicemail from a family member:

“The Russians have hacked into our computer, and we’ve been on the phone for half an hour or so with India. The guy’s helped me reestablish my password but he thinks we should do some further work and maybe take the modem to the Apple store.”

From an objective perspective, this scam appears obvious. Why would the Russian government want to hack your personal home computer? How did these “tech support” guys get your information to call you and fix the problem? Thankfully, no permanent damage was done in this particular case, but you may find yourself wondering who could fall for such a transparent scheme.

Scammers target unsuspecting consumers and use data gathered from the web to build trust and elicit the missing pieces needed to access private account information. But how do these choreographed schemes apply to your business?

It’ll Never Happen to Me

Who do you picture when you hear the words “scam victim”? Several common stereotypes come to mind. The Better Business Bureau (BBB) released a comprehensive report that breaks down the perceptions we have about scam victims. Their 2016 survey shows that most people inaccurately predict scam victims to be older, retired, or less-educated blue-collar workers or women.

If you don’t fall into those categories, it’s still too soon to consider yourself safe! Thinking scammers won’t hound you because you are (at least in your own mind) an improbable target leaves you exposed and off guard.

For this we can blame optimism bias, or the tendency for individuals to believe they are less likely than others to be vulnerable to negative events. Even when the BBB or the Federal Trade Commission (FTC) releases accounts and warnings about the thousands of scams reported each day, in-the-know readers might react by thinking these threats don’t apply to them. Do you think you’re too smart to be fooled? What would you have that a hacker would want anyway? A quick skim of some unsuspecting person’s scam story, and you’re back to your usual technological habits.

“It stands to reason that individuals who believe they are not at risk will be less receptive to efforts to provide protective information,” says BBB’s marketplace scams report. “Media coverage, with victims shaped to fit squarely into these categories, risks being digested by the public simply as intriguing ‘real life drama’ affirming their beliefs.”

What the statistics show, however, is that all consumers are equally at risk. Some scams do target the “typical” grandmother or otherwise negligent prey (more on those tailored cons below), but the BBB research found that the groups at highest risk of losing money to a scam are college-educated individuals between the ages of 25 and 54. An estimated 90% of scam incidents go unreported, which goes to show how the inaccurate stigmas surrounding scam victims have infected our culture. No one wants to admit they were tricked.

But We Have a Firewall!

Personal consumer scams may not seem like they’re much of a threat to your business. Like any physical crime, cyber crime can’t gain access to your business unless there is an open door or a breach of some sort, such as when someone opens an email or picks up a phone. Who your employees share information with on their own time may not seem to be your concern as a business owner, but good personal practice translates into a stronger, safer business.

Cyber crime is changing. Phishing and spear-phishing campaigns are some of the most commonly encountered scams by businesses, and they’re now more dangerous than ever. Hackers and scammers now seek larger payouts from fewer targets rather than sheer volume. Rather than targeting individuals as they’ve done in the past, scammers are now narrowing their crosshairs to strike organizations. No business, large or small, is safe.

Hacking into your business’s hardware systems or networks is only one way to gain unauthorized information. Dedicated spear-phishing tactics use data mined from public accounts and web activity to target specific departments or employees. The only thing that separates personal consumer scams from business scams is the lies the criminal uses to try to break down your barriers.

Scammers often take advantage of brand familiarity and emotional response. Unexpected messages from a random email address or blocked phone number are much easier to ignore than a seemingly safe communication from the Yellow Pages or UPS.

One scam that aims directly at businesses is the “Directory Scam.” Employees receive a call from a well-known or non-existent agency requesting business information to update their directory. When your employee provides them with your business’s address and contact information, they send a fake invoice for the “service” and, if questioned, often fire back with edited audio from their previous call that “proves” your employee accepted the charges.

Another targeted hustle that’s gained steam over the last couple of years is known as the “Grandparent Scam.” In this case study, the victim receives a call from a scammer who claims to be his grandson needing bail money. This scam may seem ridiculous, but many have fallen victim to it because the caller knows the names of the grandparent and child as well as other personal information that would encourage one to believe they’re telling the truth. The scariest part about this scam is that the scammer called this victim at his place of work, further illustrating that public data on the web is available to anyone with the knowledge to find it.

What Steps Can I Take to Protect My Business?

BBB is one of many organizations to provide a checklist of actions to take against common scams. While most of the lists aren’t geared towards business owners, many of the habits suggested perform double-duty in both your professional and personal life. Anderson Technologies has a few tips for applying that knowledge specifically to your financial livelihood:

  • Keep an open dialogue with your employees and vendors about cyber security practices. Educating employees—Anderson Technologies has covered employee cyber security education in the past and takes it very seriously—protects their well-being as well as your business’s.
  • Educate yourself about what kinds of scams you or your business might encounter. BBB has compiled a thorough list here.
  • Be wary of email attachments. If you didn’t request it, you probably shouldn’t open it.
  • Use technology to your best advantage. Know how firewalls, anti-malware software, secure browsing, and network safety can benefit your business.
  • Develop a system for inspecting invoices. If you’re a larger company with many different clients and vendors, it’s easy for rip-offs to fall through the cracks.
  • Ask your IT provider about resources that can keep you safe. There are many programs that do some of the background work for you: NoMoRobo, LastPass, HTTPS Everywhere, Proofpoint, and so many more! Some of them are free, and others are not. Talk to a professional to determine the best investment for your business.
  • Question everything. Zero-trust practices can be employed over time, making universal authentication easier for everyone involved.

The “The Russians have hacked into our computer” example at the top of this article is one of hundreds of similar scams permeating every demographic, consumer and business alike. In hindsight, it may be humorous to imagine someone getting so caught up in the urgency and persuasiveness of a slimy scam artist. However, when it’s happening, you or your employees may truly believe your business is at stake.

For more information on avoiding scams that target you or your business, download our free cyber security eBook or contact our team today.

How to report scams:

Zero Trust IT Service Model Keeps Your Network Safe

Trust No One: The Anatomy of a New Security Model

The world of information technology sometimes feels like an old seafarer’s map showing monsters lurking in deep waters and warning, “There be danger here.” The digital world doesn’t need to be so melodramatic, but no company should ignore the warning that danger is all around.

From ransomware to malware to hackers stealing private data, businesses need a strong IT infrastructure to protect against these threats. Zero Trust Architecture, or the Zero Trust model, is a highly secure method of protecting your data that has gained popularity in the last few years. It switches up the traditional idea of “trust but verify” to “never trust and always verify” and can be implemented over time with existing technology.

What Does Zero Trust Mean?

Zero Trust is exactly what its name implies. Trust no one entering your network no matter where they are located, whether from the security of your office or logged into the unsecured Wi-Fi of a hotel. John Kindervag, creator of the Zero Trust model, refers to the danger of the current system as “relying on a broken trust model” where there is a consistent failure to verify when a person accesses the system from a trusted source. Once the user, harmless or malicious, is past the perimeter security, they become a trusted user and have access to the network.

The Zero Trust model eliminates this danger by having no trusted source or trusted user that could be overlooked in the verification process. All traffic, anywhere in the network, is subject to segmentation, authentication, and verification. According to the Zero Trust model:

  • All resources should be accessed in a secure way regardless of location or user.
  • No user receives access to all information. Strictly enforce access to information on a need-to-know basis.
  • All traffic going into or out of the system is inspected and logged in order to catch malicious traffic.

What does this mean? Imagine your system is a battleship. Inside, there are hatches that can be sealed to cut off a breached part of the ship so the whole vessel doesn’t sink.

In the current popular method, all the hatches are open once you make it inside the ship. The only barrier is the outer hull, the perimeter security of your system, and you can move freely throughout the ship without reauthenticating.

In Zero Trust, every hatch on the ship is closed, and you must have the proper access codes to open each door. Once you’ve proven yourself, only the room you need information from is opened; all other hatches remain closed and protected. In order to get to information you’re not supposed to have, you’d have to break through each door one at a time, all while someone is monitoring your movement through the ship.

Via network segmentation and next-generation firewalls, Zero Trust uses existing security features such as multifactor authentication, analytics, encryption, security groups, and file system permissions to secure all information and allow in only those who have proven they should have access.
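The following added Python sketch (not Anderson Technologies’ or Kindervag’s code) puts the battleship comparison side by side in code: a perimeter gateway that trusts anything already inside the office network, and a Zero Trust gateway that verifies every request the same way wherever it comes from, grants only the one resource named, and logs every decision. The users, resources, grants and log format are constructed for the example.

```python
"""Added sketch contrasting the perimeter model with a Zero Trust decision.

Not Anderson Technologies' or Kindervag's code. Users, resources, grants and
the log format are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    resource: str         # one sealed "hatch", e.g. "customer-pii"
    network: str          # where the request originates: "office", "hotel-wifi"
    mfa_verified: bool    # second factor completed for this session
    device_managed: bool  # device is known to and managed by the organisation


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Need-to-know grants, user -> resources (constructed).
GRANTS: Dict[str, Set[str]] = {
    "alice": {"customer-pii", "catering-orders"},
    "bob": {"catering-orders"},
}


class PerimeterGateway:
    """The 'all hatches open' model: anything already inside the office network is trusted."""

    def evaluate(self, req: Request) -> Decision:
        if req.network == "office":
            return Decision(True, "inside the perimeter, no further checks")
        return Decision(False, "outside the perimeter")


@dataclass
class ZeroTrustGateway:
    """Every request is verified the same way, wherever it originates, and logged."""
    log: List[str] = field(default_factory=list)

    def evaluate(self, req: Request) -> Decision:
        # Principle 1: secure access regardless of location; the network field is never consulted.
        if not req.mfa_verified:
            d = Decision(False, "identity not verified with a second factor")
        elif not req.device_managed:
            d = Decision(False, "unmanaged device")
        # Principle 2: need-to-know, one resource at a time.
        elif req.resource not in GRANTS.get(req.user, set()):
            d = Decision(False, f"no need-to-know grant for {req.resource}")
        else:
            d = Decision(True, "verified; this resource only")
        # Principle 3: every request, allowed or denied, is inspected and logged.
        verdict = "ALLOW" if d.allowed else "DENY"
        self.log.append(f"{req.user}@{req.network} -> {req.resource}: {verdict} ({d.reason})")
        return d


# Constructed requests: the same users from inside and outside the office.
SAMPLE_REQUESTS = [
    Request("bob", "customer-pii", "office", mfa_verified=False, device_managed=True),
    Request("alice", "customer-pii", "hotel-wifi", mfa_verified=True, device_managed=True),
    Request("alice", "customer-pii", "hotel-wifi", mfa_verified=True, device_managed=False),
    Request("bob", "catering-orders", "office", mfa_verified=True, device_managed=True),
]


def compare(requests=SAMPLE_REQUESTS) -> List[Tuple[bool, bool]]:
    """Return (perimeter_allowed, zero_trust_allowed) for each request in order."""
    perimeter, zero_trust = PerimeterGateway(), ZeroTrustGateway()
    return [(perimeter.evaluate(r).allowed, zero_trust.evaluate(r).allowed) for r in requests]


if __name__ == "__main__":
    gw = ZeroTrustGateway()
    for r in SAMPLE_REQUESTS:
        gw.evaluate(r)
    print("\n".join(gw.log))
```

Note how the first request, an office user without a second factor asking for customer data, sails through the perimeter model but is refused by Zero Trust, while the remote employee on hotel Wi-Fi is admitted once verified.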

How Should I Start a Zero Trust Model?

Zero Trust is more than just the technology—it’s a way of thinking about who has access to your network. Trying to overhaul your entire system to a Zero Trust model in one go would be expensive and confusing and could lead to downtime that your business can’t afford. It also requires a great deal of technological know-how, IT security, and consistent management in order to give appropriate access to the correct people for the intended information.

For most businesses, when implementing a Zero Trust model, start small. While a complete overhaul would be costly, Zero Trust features can be easily adapted into current systems in pieces and, over the course of several years, be built into all areas of a business’s systems. Many new features of business technology, such as cloud services, already work well with the Zero Trust model and can be easily adapted.

Any business wanting to begin the move to a Zero Trust model should identify a small piece of their system, such as customer personal identifying information or credit card information, and institute segmentation and authentications around that information. You can then build your Zero Trust network from there over time.

Allow Managed Services to Bring Zero Trust to You

The Zero Trust model is a good way to secure your information, but if you don’t have your own IT department, it can be a challenge to implement. Zero Trust requires more than an IT company to set it up, walk away, and leave it to run. It will take time and constant adjustment to bring your current network into a complete Zero Trust model. A managed IT services company like Anderson Technologies is the best way to ensure your business is moving toward a Zero Trust model. Managed IT services can offer:

  • equipment set up
  • implementation
  • maintenance
  • employee training (most important)

For a small business, taking the time necessary to figure out IT improvements like this on your own can hinder the daily running of your business. Don’t let security get in the way of serving your customers. Zero Trust eliminates the threat of trusting too much but only if properly installed.

For more information about moving toward a Zero Trust model, contact Anderson Technologies by email at info@andersontech.com or by phone at 314.394.3001.