data security Archives | Anderson Technologies

Posts

HIPAA Part 6: Plan for the Worst

June 4, 2019/in Data Security, How To /by Marcia Spicer

No one likes to think they’ll suffer a disaster, a ransomware attack, or a data breach, but hope isn’t enough to satisfy HIPAA. The question is no longer if something will happen, but when. HIPAA expects you to plan, prepare, test, and be ready for anything that could disrupt the confidentiality, integrity, or availability of your ePHI and affect patient care.

In this installment of our HIPAA series, we’re going to look at the different kinds of disaster planning HIPAA requires and the importance of knowing how to implement them.

Security standard §164.308(a)(7): Contingency Plan is an umbrella term for a number of more specific plans that are meant to ensure the availability, integrity, and confidentiality of ePHI in the event of a disaster or other major security incident. While the Security Rule doesn’t explicitly require you to include other parts of your business, non-electronic PHI is still covered by the Privacy Rule, and most cyber security insurance plans require some degree of business contingency planning.

First Things First

Before you can start making plans to keep your business going during and after a disaster or cyber security incident, you first need to know what parts of your business, hardware, software, and data are critical to operations and security. HIPAA requires this in implementation specification §164.308(a)(7)(ii)(E): Applications and Data Criticality Analysis. But don’t let its position after the contingency plans fool you. This needs to be done first and foremost.

Even though §164.308(a)(7) only references assessing “specific applications and data,” if you are implementing business-wide contingency plans, you’ll want to go through all your daily operations and vital processes to determine what you can’t do a day’s worth of business without and what you could leave for when your world is no longer upside down. Without this information, you won’t be able to create the plans necessary to fulfill the following implementation specifications.

The Big Four

One thing to remember about the plans listed below is that they don’t have to be completely isolated from each other. You might find combining pieces together (such as lists of vendors, hardware, software, etc.) is more practical than listing them in each plan separately. What’s important is that employees are trained, know what they are responsible for, and where to access this information in an emergency situation. There’s no use making a plan if no one uses it.

Following standardized responses should minimize errors, particularly those that might be caused by stressful incident handling situations.” – NIST SP 800-61r2 Computer Security Incident Handling

164.308(a)(7)(ii)(A): Data Backup Plan

What does it do? Your data backup plan is one of your most vital recovery plans. It provides you with assurances of data integrity and availability in emergency situations. For healthcare facilities directly caring for patients, data loss or network failure could mean the inability to treat patients. All ePHI must be backed up, preferably in a place that won’t suffer the same disaster as your facility, such as in cloud storage or in a separate secure location.

Your data backup plan should include who is responsible for maintaining the backups, verifying all data is being backed up, testing that backups can be retrieved, and who to contact when backups are needed.

When does it go into effect? You should make this a priority. Your data backup plan needs to be up and running before an emergency strikes.

A data backup plan is also one of the best defenses against ransomware. Read more about that here!

164.308(a)(7)(ii)(B) Disaster Recovery Plan

What does it do? The complexity of a disaster recovery plan depends on how much of your business you choose to include. §164.308(a)(7)(ii)(B) specifies you must “establish (and implement as needed) procedures to restore any loss of data.” More comprehensive business-wide plans would include other data vital to the company that isn’t specifically ePHI.

A disaster recovery plan should include the hardware, software, backups, environment, vendors, business associates, etc., necessary to recover data lost in a disaster or cyber security incident. It also covers the people responsible for coordinating and performing all disaster recovery efforts. Employees assigned in this plan should be trained and ready to fulfill their duties in the event of a disaster.

When does it go into effect? A disaster recovery plan helps you recover lost data and infrastructure after a disaster or cyber security incident has occurred.

164.308(a)(7)(ii)(C): Emergency Mode Operation Plan

What does it do? This plan could also be called a continuity of operations plan. Its intent is to keep your business or facility operating at a level necessary to ensure patient safety and ePHI security the moment a disaster hits. Downtime can not only cost a lot of money, but can be detrimental to facilities actively caring for patients.

By having the procedures in place for any number of emergency situations, employees can react immediately, know who to contact, how to bring critical business processes back online, and maintain the necessary security and privacy standards required by HIPAA. A good emergency mode operations plan should have contact names, numbers, first response expectations, and anything else an employee would need to recover critical operations in the first 12-36 hours.

More than the other plans, having done a thorough and accurate criticality analysis is vital to a successful emergency mode operation plan. You need to be aware of what you need to restore and in what order it needs to be restored to effectively continue with daily operations as best you can. Failure to do a proper criticality analysis can waste time and resources by focusing recovery efforts on functions that aren’t immediately necessary.

When does it go into effect? An emergency mode operations plan should be implemented during a disaster to keep the business going, and, in the case of healthcare facilities, to keep patients safe and cared for appropriately.

Business Continuity

What does it do? You’ll notice that there is no implementation specification that goes along with this plan. The Security Rule doesn’t specifically require a business continuity plan, but it can be a useful addition to a set of contingency plans.

While the other plans all focus on what happens during or immediately after an emergency situation to keep your business running, a business continuity plan focuses on getting you back to where you were before the disaster. What are the lower priority vendors or clients that you might have missed contacting already? Do you know all the hardware and software that needs to be replaced or recovered? Think of it as the long-haul plan that doesn’t let you forget about the little things. Disasters are stressful, and a good business continuity plan can keep you on track through the mental fatigue that can set in after a disaster.

When does it go into effect? Business continuity plans help you bring your entire business back to normal day-to-day operations after a disaster occurs and the crisis period is over.

Incident Response

There are many different kinds of cyber security incidents that could affect your business. While all incidents are major problems when they occur, you may not require the full emergency responses planned out above. In these cases, individual plans geared directly to cyber problems can be useful tools.

Depending on your risk, you may want more than the two plans below, but if you’re covered by HIPAA, these are important ones to include with your disaster management plans. The better prepared you are for an incident, the safer you can make your data and the faster you can recover from an attack.

Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve.” — 2018 Cost of a Data Breach Study, Ponemon Institute (emphasis added)

Data Breach Response Plan

While a breach is any impermissible use or disclosure of PHI, a data breach response plan focuses on ePHI specifically. It lays out how to secure your systems after a breach, who to contact if you need more support, what to do once the threat is identified and fixed, and who must be notified of a breach of ePHI or other personally identifiable information (PII). (Remember, properly encrypted data isn’t a breach.) The FTC has a good outline for what to incorporate into your data response plan, and the HHS thoroughly explains all the requirements of a breach under HIPAA.

Ransomware Attack Response Plan

The criticality of care facilities combined with the black market price of ePHI makes the healthcare industry a prime target for ransomware and other cyber attacks. And like most cyber attacks, ransomware deals two-fold damage, from the recovery itself to the subsequent breach notifications that must follow. (Remember, unless you can prove that ePHI has not been accessed due to safeguards in place, it’s a breach. For more on Ransomware and HIPAA, see the HHS’s Fact Sheet.)

A ransomware attack response plan sets up the procedures your employees should take in the event of a ransomware attack, such as steps to quarantine an infected machine, who to contact, and what not to do. It should also have procedures for technicians and management in how to secure the network, purge the system, recover lost data (per the data backup plan), and notify required parties. Also include the contact information of the law enforcement department to report the attack to, whether that is local, state, or federal. (For more information see the Department of Justice’s guide, “How to Protect Your Networks from Ransomware.”)

Test! Test! Test!

Most important of all, you need to test your contingency plans routinely and make sure all your employees are trained and know where to find the plan in emergency conditions. A plan no one knows about or can find is a plan that won’t be implemented. Besides, HIPAA requires it.

So make contingency plans part of your annual and new hire training. Make sure all your employees can find the plans and know what they are responsible for. Make sure everyone knows who’s in charge during emergency situations so that plans can be implemented fast and efficiently. It can save you time, money, and headaches when the worst happens.

If you need help implementing a cyber security incident response plan or training your employees in the best practices, contact Anderson Technologies at 314.394.3001 or by email by info@andersontech.com.

Don’t Hold the Door Open for Cyber Criminals

June 12, 2018/in Data Security, News /by Anderson Technologies

Here in St. Louis, you’re likely to hear people saying they’re heading to Bread Co. for lunch, even if Panera is the sign above the restaurant. That’s because to St. Louisans, Panera will always be Saint Louis Bread Company. But recently, residents were relieved the St. Louis name wasn’t attached to Panera’s recent cyber security blunder.

On April 2, Brian Krebs of security news website KrebsOnSecurity broke the story that customer data from Panera’s loyalty program—including names, email and physical addresses, birthdays, and the last four digits of credit card numbers—was available through an insecure API on their website. Worse yet, Panera had been notified about the defect eight months prior in August 2017 and did nothing to resolve the problem.

Cyber security researcher Dylan Houlihan found the flaw in Panera’s API and, after confirming the extent of the problem, contacted Panera’s cyber security team. He notes that reaching out to Panera was difficult as there was no information available for who to contact if security holes were found. Panera’s response was less than stellar. In Houlihan’s detailed account of their communication, Panera’s director of information security, Mike Gustavison, was suspicious of him, and after receiving proof of the problem, took several days to reply that they would work to resolve it.

Except they didn’t.

Every month, Houlihan checked to see if the flaw was fixed, only to see that customer data was still unprotected. Finally, in April 2018, he contacted Krebs to make the matter public and force Panera to respond. They did. Within two hours Panera claimed they patched the problem.

Except they hadn’t.

Krebs continued to monitor the website and found that, while the information was no longer accessible to the public, if a member logged into their free Panera account, they could still exploit the flaw. He also discovered that it extended to other parts of Panera’s business, such as the catering website.

After the negative media coverage, Panera took down its website and patched the problem properly. In a tweet following the incident, Krebs estimates that up to 37 million accounts could have been made public because of this flaw. While there is no evidence yet that malicious agents accessed the data, this was still a terrible security breach.

How Often Does This Really Happen?

It’s easy to lose the details in light of Panera’s poor response and subsequent inaction, but accidental data breaches from misconfigured hardware or software happen far more often than you might imagine.

March 6, 2017: River City Media left more than a billion email accounts exposed to the public, some with personal information. Also exposed were detailed records of their own illegal spamming activities. The problem—no password protection on the backups.
June 19, 2017: Deep Root Analytics left millions of Americans’ addresses, birthdays, phone numbers, and political views on a variety of topics open to the public. The problem—misconfigured user permission settings.
October 3, 2017: A National Credit Federation cloud storage bucket was found to be open to public access, revealing personal, credit, and financial information of tens of thousands of its customers. The problem—misconfigured user permission settings.
October 6, 2017: An Alteryx cloud storage bucket was found to be accessible to anyone with a free Amazon Web Services account. It exposed personal data, Experian marketing data, and US Census data for more than 123 million American households. The problem—misconfigured user permission settings.
April 9, 2018: A flaw similar to Panera’s was discovered in P. F. Chang’s rewards website. The problem—an insecure API.
April 23, 2018: After rebuilding their website following a ransomware attack, MEDantex’s new customer portal contained abilities intended only for employees, including accessing confidential patient records without authentication. The problem—a bug on the website.
May 17, 2018: LocationSmart’s demo feature is found to be able to track the location of almost any cell phone without the user’s consent. The problem—an insecure API.

What Does This Mean for a Small Business Owner?

These examples of private, financial, and personal information leaked unintentionally serve as a warning to all business owners. While there’s a sense of poetic justice that River City Media revealed their own criminal activities by forgetting to add a password, the truth is, not all data you could reveal belongs to other people. You can be a cyber threat to your own business.

Few businesses can run day to day without some amount of personal, customer, or vendor data stored either on their network or in cloud storage. The technicalities of properly configuring security for these electronic databases can be daunting, but even when things appear to be simplified for you, all it takes is one open port, one missing password, or one unsecured application for the door to your data to be left wide open.

This is why it’s vital for businesses to have their systems set up by IT professionals and to perform network security audits routinely to ensure both the hardware and the software are configured correctly. It’s not enough to simply hire an IT consultant once and assume your system is secure. Files get moved, employees are hired, and new hardware is installed—all leaving room for new settings to supersede old ones, or worse, be forgotten all together. A network security audit performed at least annually gives you peace of mind that your cyber doors are tightly closed and locked.

What Should You Do to Protect Your Business?

While it’s crucial to know how to avoid opening the door to criminals, knowing how to respond to a breach is just as important. Here are a few simple steps you can take to avoid or address an accidental data breach.

Hire IT professionals to set up all hardware and software. Your customers trust you to be the expert in your field, so trust the IT professionals to be the experts in theirs. Make sure all your hardware and software have been properly configured from the start.
Perform annual network security audits. Just because you configured everything correctly, doesn’t mean it will stay that way. Your business changes all the time, so it’s best to check the doors and windows before someone else notices they’re open.
Know your hardware. Many business owners don’t realize what’s in their hardware closet. Can you point to your hardware firewall with confidence? Are you certain it’s the correct type for your business? Ask an IT professional to review your hardware with you so you understand what you need and how it works. Doing so will improve your ability to spot potential problems.
Have a way people can contact you about problems they find. One lesson learned from the Panera breach is how important it is that people can contact you with problems they’ve noticed. Many security researchers who find flaws due to misconfiguration just want you to know about the issue so it can be resolved. Make sure they can get in touch. Larger companies should have separate contact information specifically for security issues to keep them from being lost with other routine technical issues customers might have.
Respond quickly to any problems found. Don’t wait eight months or for public embarrassment to sound the alarm before responding to an accidental data breach. If you act swiftly, your data may still be kept safe. In many accidental breaches, the problem was found not by criminals but cyber researchers.

No company wants to find themselves in a situation like Panera’s, so make sure your network security is done right. If you’d like to learn more about configuring your systems or to schedule a network security audit, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.

Equifax Hack Updates: What You Can Do NOW to Keep Your Credit Safe

December 21, 2017/in Data Security, News /by Anderson Technologies

It has been over six months since the massive hack of credit monitoring company Equifax, and over three since the attack was disclosed. We now know that 145 million Americans (and 15.2 million Europeans) have been affected.

Due to the data stolen—names, social security numbers, addresses—the victims of the Equifax hack must be wary of their credit for the rest of their lives. Attackers can use leaked data to create profiles for spear phishing attacks or round out existing profiles, making identity theft even easier to perpetrate.

We covered the data breach in a previous blog post, “Equifax Hack 101: What You Need to Know to Keep Your Credit Safe,” but the news hasn’t stopped rolling in. In this post we address new developments, and additional actions you, as an individual or as a small business owner, can take to mitigate the hack.

Protecting Your Personal Data

Our initial post details credit monitoring and credit freezes. Some agencies recently introduced a “credit lock,” which they claim is easier and less expensive for the user while also more effective. The difference between a lock and a freeze is that a freeze is state-monitored, and a lock is controlled by the company only. “I take strong exception to the credit bureaus’ increasing use of the term ‘credit lock’ to steer people away from securing a freeze on their file,” says Brian Krebs of Krebs On Security. Don’t be fooled by credit lock offers.

You can also talk to lenders (mortgages, banks, etc.) about what steps they are taking to prevent someone from misusing leaked information. Challenge these organizations to take additional steps like providing internal credit monitoring alerts to keep customers safe.

Tax return filing fraud is one thing that credit freezes or monitoring cannot protect. File as early as possible to prevent your refund from going to a scammer. This is not a new problem. The IRS recently issued reminders and new alerts regarding tax fraud.

While most of the information obtained from the Equifax hack was actually already in the hands of tax fraudsters, remain vigilant because criminals are continuing to adjust their tactics. The IRS even reports instances of fraud targeting hurricane victims and tax professionals in addition to the average citizen.

The Troubling Behavior within Equifax

The hack itself isn’t the only problem with Equifax.

After a data breach, many companies are able to save face by being upfront with customers, providing adequate solutions, and cracking down on security. Unfortunately, Equifax missed these cues.

Even after fixing the questionable language in the Terms of Use initially included, in their TrustedID program Equifax continues to come under fire. Initially, the PIN numbers granted to customers seeking a security freeze consisted of the date and time the freeze was granted. This has since been corrected, but what an oversight! Many users have also had difficulty contacting the company to change their PIN.

The site Equifax set up for customers to check if they were affected by the hack continues to cause problems. Because Equifax failed to secure similar domains it was susceptible to phishing scams. Thankfully, the third-party sites (one actually directed to by Equifax itself) were benevolent—pointing out how easily scammers could use a similar domain to obtain your information. Then, in early October, Equifax temporarily took down a page about the hack because it, too, had been hacked. Criminals injected malicious code to trick users into downloading adware from fraudulent links.

As of November 3^rd, Equifax’s internal investigation into allegations of suspicious trades made by top Equifax executives concluded that none of their employees were guilty of insider trading. These allegations are still under investigation by the House Financial Services Committee.

Moreover, Equifax was allegedly warned about the vulnerabilities to its systems one year ago in December by a security researcher. “These allegations, if accurate, reinforce indications that Equifax—which has a significant business selling data protection tools—was shockingly negligent and incompetent when it came to security,” says Jeff John Roberts of Fortune Magazine.

These problems have been a cause of concern for many consumers, however it is important to note that Equifax is continuing to offer credit freeze at no charge through January 31, 2018, and, through TrustedID, offers free credit monitoring and up to $1 million in identity theft insurance.

Can We Expect Any Changes to the Industry?

Beyond being proactive with your personal protection, customers must look to Congress and other government agencies to implement changes. Speak to your representatives about your concerns for the future. Many are already investigating reasons why the Equifax hack was possible and ways to prevent hacks like it in the future.

Laws also need to change regarding reporting compliance. Lawmakers and industry leaders agree that consumers should have been alerted to the Equifax hack far earlier.

In our initial article, we noted that several class-action lawsuits were being filed against Equifax; however, after an October 24 vote by Congress to disallow class-action suits against banks and credit companies, the future of these cases is unclear.

After initially trusting Equifax with a “bridge” contract for work on the IRS’s Secure Access program, the Government Accountability Office rescinded the contract, at least temporarily. They may work with another credit monitoring agency on the project, but some members of Congress are questioning the rationale behind trusting any credit bureau with so much data.

It’s possible we may be looking at the end of the social security number—or at least moving away from the strict reliance we now place on SSNs for identity. The best identity theft protection may be to stop using easily hacked information.

Tips for Small Businesses

Small businesses should look at the response from Equifax and at the controversy surrounding it and wonder what they can do differently when dealing with private information.

The first step for small businesses should be a thought experiment. Think about potential risk as well as known and unknown vulnerabilities in your internal network. Do you trust your current cyber security company to protect your data from a data breach? What are the consequences of a data breach like the Equifax hack in your company? What would the cost to your company be?

For many small businesses, investing in stronger cyber security protection is a clear solution. Your IT department or an outside cyber security company can help analyze your systems. If personnel are constantly putting out fires, as seems to be the case with Equifax, they may not be able to keep everything else up to standard.

Invest in security that provides monitoring, analysis, and dedicated attention. At Anderson Technologies, a St. Louis IT company, we often start with a full network audit, helping clients identify areas of concern and providing the path to a more secure network.

Beyond your network, take time to train and retrain employees on the technology used and best practices for staying safe, both online and off. The best identity theft protection is education. Get a free eBook from Anderson Technologies to teach your employees the foundations of cyber security safety now!

Anderson Technologies is a St. Louis cyber security company that specializes in protecting client data. For more information on our services, email info@andersontech.com or call 314.394.3001 today.

Three Critical Reasons to Choose a Wired Network for Your Small Business

December 19, 2017/in Data Security, General, Managed Services /by Anderson Technologies

You may be sacrificing speed, security, and stability if you’re running solely on a wireless network. Traditional wired internet has many advantages for small businesses.

When it comes to network security and speed, it’s important to start from the ground up. Is the network for your small business wired, wireless, or a combination of both? On what equipment does the network run? What’s the difference between wired and wireless networks? While wireless networks have advantages, Anderson Technologies recommends a wired connection whenever possible. Here’s why.

Speed

One of Anderson Technologies’ clients experienced dramatically slow speeds on its wireless network prior to signing up for managed IT services. While the business paid for a 300-megabit connection, its laptops only accessed 1 to 12-megabit speeds! Its internet service provider was more than happy to increase bandwidth on the wireless router, but this added expense didn’t improve the usability of the network.

The Anderson Technologies team analyzed the office’s wireless network and discovered it broadcasted on a frequency with considerable interference from competing devices in neighboring offices. They upgraded the router and firewall hardware, which enabled the network to broadcast on unused, clear bandwidth. As a result, the client’s speed is now far closer to the 300-megabit connection it pays for.

Wireless networks are constantly competing against natural phenomena like lightning, other wireless networks in the area, and radio interference. All of which affect speed and performance. One of the biggest disadvantages of wireless networks is that they lose speed when the number of competing devices increases. With the expanding utilization of the Internet of Things, this problem will only continue to grow.

The Internet of Things (IoT) offers convenient features for security systems, lighting, and even appliances. However, these gadgets depend heavily on your wireless network. Have you ever noticed a loss in network speed around internet-connected devices? This is a common problem. Small businesses are increasing their reliance on IoT for the accessibility they provide, but the investment may be hurting their wireless network speeds.

Ultimately, wired networks are significantly faster than wireless ones. While Anderson Technologies’ client was happy to approach the 300-megabit speed for its wireless network, hardline wires can run at gigabit speeds. No matter what the provider-rated speed of a wireless connection is, real-world speed is always slower due to overhead, competing devices, interference, and network traffic. The advantage of a wired network is that it guarantees a faster speed from the beginning, and unlike a wireless network, it won’t lose speed when exposed to interference.

Stability

Compared to a wireless connection, a wired line isn’t affected by nature, equipment, and competing devices. Once installed, a wired network rarely breaks. This stability is vital to small businesses.

Another Anderson Technologies client previously experienced poor performance on its wireless network. In the middle of important tasks, the network would drop and then slowly come back online, requiring multiple restarts a day—losing valuable time and energy.

When Anderson Technologies performed a preliminary audit of the environment, the team immediately discovered the problem: poor equipment. The client was running the entire network on barely home-grade wireless access points (WAPs). On top of that, the WAPs were not situated optimally to provide wireless for the entire office.

Enterprise-level equipment is important for every small business network but especially for wireless connections. This technology is already running at a disadvantage, and subpar hardware won’t provide the wireless network a business needs.

If your business runs mostly on portable systems like laptops and other mobile devices a capable wired network is still possible. Investing in a dock for laptops is a great solution. They aren’t costly, and when a laptop is docked, it can access the advantages of a wired network.

Security

Wired networks also outperform wireless when it comes to security. As seen in the recent KRACK threat, wireless security isn’t as robust as we once believed. With a wireless connection, web traffic travels via radio waves, and even encrypted traffic can be captured with proximity and the right malicious tools. It is more difficult for a criminal to access a hard-wired network.

Out of 600 small and medium-sized businesses surveyed for the 2016 State of SMB Cybersecurity Report, half had been breached in the past 12 months. While bigger targets make the news, this trend means the chances of your network coming under fire are high. Small businesses dealing in confidential internal and client data can’t afford to be hacked.

With threats to small businesses on the rise, many still don’t consider themselves vulnerable. Half of the small businesses surveyed at a recent conference said their wireless networks were not partitioned from visitor access. That means clients waiting in the foyer—or cyber criminals—were accessing the same network that housed confidential client data. Data sent on public wireless networks is simply not as safe as when a wired network is used.

Optimize Your Wireless Internet

If you do choose to go with a wireless network, here are some tips for getting the most from your connection:

Identify busy wireless frequencies, and broadcast your network away from that traffic. This can help your network obtain the speed you pay for.
Keep public and private access to your network partitioned. Visitors and users off the street don’t need to access private data vital to your business. Partitioning your network provides the customer service of a wireless network while keeping your business safe.
Consider using a wired connection for stationary desktops and install docking stations for laptops. This allows fast, secure, and stable access to the wired network, while keeping a wireless connection available for mobile work.
Update network equipment regularly.
Use enterprise-level equipment.
Contact an IT provider for tips catered to your business’ specific needs and goals

Anderson Technologies is a St. Louis IT consulting firm. Let us help you weigh the options of wired vs wireless networks for your small business. To see if you qualify for a free network audit, email info@andersontech.com or call 314.394.3001 today.

KRACKed: The Fissure in Wireless Security

October 18, 2017/in Data Security, News /by Anderson Technologies

Internet surfing on mobile devices has seemed relatively safe since the 2001 Wi-Fi security protocol update and the advent of wireless data encryption. The WPA2 encryption standard mostly shielded us from being hacked on our private networks. However, new research from Belgian cyber security expert Mathy Vanhoef exposes a threat that proves our false sense of security is coming to an end thanks to the Key Reinstallation Attack (KRACK) vulnerability.

What Is the KRACK WPA2 Hack and How Does It Work?

WPA2 (or Wi-Fi Protected Access 2) is one of the current wireless security standards. Unlike its predecessors, it securely encrypts web traffic by way of a “four-way handshake” process that randomly generates an encryption key every time a device with matching credentials accesses a wireless network. This handshake protects your private home and business networks different with four authentication exchanges, ensuring information you send back and forth over the network is safely encrypted.

The KRACK vulnerability interferes with the four-way handshake by way of the encryption key; KRACK records the key and reinstalls it to be used multiple times. This allows the attacker access to communications between your device and wireless access point, as well as any information that isn’t otherwise encrypted. Hackers could potentially view and steal your credit card information, passwords, shared files, and any other private information sent across the web.

One caveat of the KRACK vulnerability is that hackers need to be within the range of your Wi-Fi network. This means that your personal information is safe from hackers on the other side of the world, but anyone in close proximity could gain access to your network traffic if they have technical skills. And even though a hacker must be in range to exploit this vulnerability, it’s possible KRACK could be used for packet injection (explained here) or inserting malware or ransomware into websites.

How Can I Protect My Network Privacy?

Though KRACK is disrupting our WPA2 sanctuary, there are many ways to ensure you’re safe—or as safe as you can be—until the WPA2 protocol is updated to prevent these attacks.

Update Your Router

Most people don’t think about updating their router in the same way you update your phone or laptop software, but this is a vital step to protecting your wireless network from KRACK. You can find instructions to update some of the more common manufacturers’ router firmware here. If your router doesn’t belong to one of the companies that has released a firmware patch, you should contact your internet service provider.

Update All Devices with Wi-Fi Connectivity

Thanks to Apple and Microsoft’s specific implementation of WPA2, they aren’t as vulnerable as other devices. However, that doesn’t mean your iPhone is safe. Mathy Vanhoef’s blog publicizing the vulnerability includes a demonstration of an attack on an Android device and links to examples of bypassing encryption in Apple operating systems, as well as other common encrypted applications. Any device with Wi-Fi capabilities needs to be updated as soon as patches are released. In the meantime, use Ethernet or cellular data on your mobile device if possible.

Utilize Other Methods of Encryption

Even when this WPA2 vulnerability no longer exists, you should make sure you’re communicating with websites securely. Many websites use HTTPS, which you may have noticed during browsing sessions. Thankfully, most websites that handle sensitive personal information (banking and financial sites, etc.) already default to secure browsing, which encrypts private data. Browser extensions like HTTPS Everywhere will force sites to browse securely when the option is available. Communicating over a virtual private network (VPN) also encrypts all traffic, rendering it safe from KRACK. However, be aware that VPN providers may store your data in other ways, so make sure to research and select a trusted company.

Take Stock of Your IoT Devices

The Internet of Things, while still new technology, is notorious for its inherent security weaknesses. Any IoT devices you have connected to your wireless network may need to be disconnected until patches are available. Information from most IoT devices is probably harmless even if hackers were able to gain access to it, but unless each device encrypts traffic, your privacy could still be compromised.

Thankfully, this vulnerability is getting much publicity. The US Computer Emergency Readiness Team continues to update its list of over 100 vendors and their software updates, and none of the indexed vulnerabilities are yet known to be used outside of research. It’s unlikely that an everyday WPA2 user has been affected by this breaking vulnerability, but it would be wise to exercise caution until more information and software updates are released. Be wary of any unfamiliar wireless networks, and keep an eye out for any notices from your hardware and internet service providers.

For more help keeping your network safe from KRACK and other threats, contact the experts at Anderson Technologies at 314.394.3001 or info@andersontech.com.

Equifax Hack 101: What You Need to Know to Keep Your Credit Safe

September 22, 2017/in Data Security, News /by Anderson Technologies

Credit plays a ubiquitous role in our lives. What can we do when the systems we trust fail us?

Corporate cyber security breaches are more common than many people realize. The recent headline-making Equifax data hack affects upwards of 143 million Americans, making it one of the largest risks to personal information to date. This breach is leading consumers to question their safety from identity theft and whether credit bureaus and ancillary companies have their best interests at heart.

What happened?

Equifax is one of the three biggest credit reporting agencies that collect consumer credit information. You don’t have to submit any of your personal information to Equifax for them to have it—if you’ve applied for a car loan, mortgage, or credit card, Equifax likely has your data in their system.

A vulnerability in an Equifax web application framework, Apache Struts, was discovered and disclosed in March of 2017. At that time, patches were implemented, though these efforts did not completely solve the problem and in late July suspicious traffic was noted. According to their press release about the breach, Equifax’s security team then “investigated and blocked the suspicious traffic that was identified.” Three days later (August 2, 2017), Equifax hired Mandiant, an independent cyber security consulting firm, to evaluate the damage.

After analyzing the scope of the breach, Mandiant discovered that personal information of 143 million Americans had been exposed, along with credit card numbers of 209,000 Americans, dispute documents for 182,000 Americans, and various information of certain United Kingdom and Canadian residents. In direct response to this analysis, Equifax provided a site for consumers to check whether their information may have been compromised and subsequently sign up for a free year of credit monitoring.

How is Equifax handling the situation?

Some of Equifax’s actions haven’t been viewed optimistically. A public relations nightmare ensued after the discovery of an arbitration clause in Equifax’s Terms of Use. The language apparently waived the rights of consumers who signed up for credit monitoring to sue Equifax in relation to the security breach. It took Equifax until September 13 to release a statement that they had removed the offending clause from their Terms of Use.

Executive personnel changes also followed in the days after the hack disclosure. However, allegations of insider trading that purportedly took place after the breach was discovered have not yet been publicly addressed.

On September 20, several sources reported that Equifax incorrectly linked customers to a fake website designed to look like the signup site for credit monitoring. Fortunately, the person who set up the fake site did not have malicious intent, but the situation revealed how easily criminals could take advantage of Equifax’s oversights and gather even more personal information.

What’s the damage?

Unfortunately, unlike many previous cyber security incidents, the type of data gathered in this breach will have a serious impact for years to come. Criminals now have their hands on Social Security numbers, records of open credit accounts, and other personal data from Equifax’s stockpile of consumer profiles. Attackers can now build targeted spear phishing attacks that, if executed well, will seem extremely legitimate to many users.

Will credit monitoring prevent my information from being compromised?

In short, no. Credit monitoring does nothing to prevent thieves from accessing your personal information. It only keeps an eye out for suspicious activity regarding your credit file. Many credit bureaus and agencies advertise the service for a fee. The free year of TrustedID Premier offered by Equifax in light of this most recent breach also provides identity theft insurance, which covers up to $1 million of certain expenses, such as legal fees, related to recovering your credit information in the event of theft.

There likely won’t be any negative effects from submitting your information to Equifax and enrolling in the free year of TrustedID Premier, but until a few days ago the site was infamously broken. Some users reported receiving different messages depending on the device used to submit their inquiry. Equifax claims it fixed the site on September 13.

If you are already fastidious about monitoring your lines of credit, there’s not much to be gained by sharing additional personal information and enrolling in free credit monitoring. The olive branch from Equifax is welcome but may not make a significant impact depending on the consumer.

What other steps can I take?

There are two big moves anyone can make at any time to protect their personal information—submitting a fraud alert or requesting a credit freeze. Both actions are effective in ensuring criminals don’t have easy access to your credit, though they work in different ways.

You can request a fraud alert by contacting the credit bureaus (Equifax, Experian, TransUnion, and a smaller but still significant bureau, Innovis), but you must provide varying amounts of paperwork and personal information before your application is complete. This must be done independently for each company. Once your fraud alert is in place, lenders can still access your credit information but they can’t grant credit in your name without contacting you first.

If you don’t want your credit files to be viewed by anyone other than yourself, applying for a credit freeze is the way to go. Even though new lines of credit can still be applied for in your name, none can be opened unless you “unfreeze” your credit files to give access. Again, this process must be completed at each credit bureau. Consumer Union offers a thorough how-to guide on placing a security freeze on your credit files and what fees you should expect depending on which state you live in. Unfortunately, many states require fees to lift a credit freeze as well; this means you might have to pay every time you want to move or apply for a car loan. However, the costs associated with this protection are much smaller compared to the time and trouble involved with being a victim of identity theft.

Those affected can also seek legal recourse. A firm in Oregon has already filed a class-action lawsuit against Equifax, claiming that the company failed “to maintain adequate electronic security safeguards as part of a corporate effort to save money.” At least 23 other lawsuits are in the works, filed in 14 states and the District of Columbia. A federal panel will review and likely combine these cases into a single lawsuit. If class-action status is granted, affected customers will be able to join.

Even if Equifax deems you unlikely to have been impacted by the hack, it would be wise to use this opportunity to evaluate the security of your credit information and keep a closer eye on your credit scores.

Anderson Technologies is a St. Louis cyber security company that specializes in protecting client data. For more information on our services, email info@andersontech.com or call 314.394.3001 today.

Quotables: Security on the Go: Protecting the Data on Your Mobile Devices

September 18, 2017/in Data Security, Quotables /by Anderson Technologies

We recently published a guest article about protecting data on mobile devices.

Read our full guest contribution on TechSpective’s website:

https://techspective.net/2017/05/18/security-go-protecting-data-mobile-devices/

Are you in need of expert IT consulting? Anderson Technologies is a St. Louis IT consulting firm that specializes in system administration for small businesses. Let us help you today! Give us a call at 314.394.3001 or email us at info@andersontech.com.

What are Quotables? This is a category in our posts to highlight any publications that benefit from our expert IT consulting advice and quote us in articles for their readers.

Encryption: The Small Business Owner’s Secret Weapon

April 14, 2017/in Data Security, General /by Anderson Technologies

With small business cyber crime on the rise, business owners need to do everything they can to protect themselves and their data. Here’s how encryption can help.

Encryption is a way to secure your data, either while it is stored on a system or device, such as a hard drive or smartphone, or while it is in transit, such as being transmitted across networks.

Encryption comes from the Greek word “kryptos,” meaning hidden or secret. When data is encrypted, it is transformed so only the intended parties can read it by utilizing a secret key. This is done automatically with the help of encryption technology, which uses an algorithm called a cipher to “disguise” your data and allows people with the right key to decrypt, or unscramble, the information and view the plain text. (For a more in-depth description of how encryption works, review this article from MakeUseOf.) Encryption is used routinely in the digital realm to keep businesses and customers secure. For example, encryption protects your financial information at the ATM, or when you are making an online purchase if you are patronizing a site using SSL.

For small businesses, encryption is an underutilized form of protection. When your information is not encrypted, you make a hacker’s job easier. Should they infiltrate your network, they will be able to easily use the plain-text information they steal. However, if your data is encrypted, they won’t be able to interpret it, or you will have at least made it much more challenging for them to do so. (Cyber criminals can take steps to decrypt data, but it requires tools, expertise, and time, so you’re very likely deterring all but the most persistent ones.)

The Role of Encryption in Healthcare Cyber Security

Cyber criminals target the healthcare industry more frequently than any other sector. IBM’s 2016 Cyber Security Intelligence Index, a survey of IBM’s Security Services clients, found that companies storing patient data experience 36 percent more security threats than organizations in other verticals. These companies are targeted frequently because of the high-value customer data they possess. People’s personal health and financial information are prime targets for thieves who use it for identity theft or ransomware attacks. While many businesses use some form of encryption to protect data in transit, too few use the strategy to protect data at rest. Healthcare data encryption is especially critical. Considering the increased role portable technology devices like laptops, mobile phones, and flash drives play in business operations, and the rise in data security threats, this is particularly important.

A security breach isn’t just bad news for your clients whose information has been compromised, it is also bad news for your organization. According to the HIPAA Breach Notification Rule, organizations must “provide notification following a breach of unsecured protected health information.” If the breach affects more than 500 individuals, the organization also has to inform the media. That is certainly not the kind of press anyone is looking for.

Here is where encryption comes in. The incident is not considered a breach if the individual’s information is protected and the business can prove that the data has a low probability of being compromised. This is assessed using a variety of risk factors. Encryption is cited as one of the technologies and methodologies for “rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” In short, encryption can protect your customers and your company in the event of a security breach. (More information about this rule is available here. Businesses should read and understand HIPAA rules in their entirety and work with their legal counsel to understand their ramifications.)

According to the latest healthcare cyber security report by Redspin, Breach Report 2016: Protected Health Information (PHI), there was a 320 percent increase in the number of providers victimized by hackers in 2016 compared to the previous year. Most of these attacks targeted smaller offices. This annual report routinely includes recommendations for reducing vulnerabilities, and year after year, encryption makes the list. The latest iteration acknowledges the growing role laptops, smartphones, and flash drives play in companies’ day-to-day operations and, in light of this, describes encrypting data “at rest and in motion” as a “sure-fire, but still often neglected, way to avoid the breach report.¹”

Encryption is a valuable protective measure for all small businesses regardless of industry segment. It is a proven way to help protect your valuable data and should be part of your small business’s approach to data security.

Do you need assistance with small business data encryption? Anderson Technologies, a team of cyber security specialists in St. Louis, has extensive experience working with small businesses to keep their organizations secure. To learn more, call 314.394.3001 or email info@andersontech.com today.

¹ “Breach Report 2016: Protected Health Information (PHI), February 2017, by Cynergistek and Redspin, pg. 18

Where is My Backup Located?

May 11, 2016/in Data Security, General, Managed Services /by Anderson Technologies

You may not believe this at first, but geography can be essential to the integrity of computer systems. If your company experiences a local disaster, where you house your backup data becomes imperative. The following computer backup solutions illustrate the three location-specific types, each with pros and cons.

On-Premise

Implementing an on-premise backup is a simple way to establish a local backup data repository. These backups are straightforward to put in place and can be saved to external hard drives, flash drives, tapes, or other electronic media. Computers can be programmed to back up files automatically or manually. We recommend systematizing the process and establishing a backup schedule that meets your company’s data recovery requirements.

Offsite

Some businesses perform an offsite backup daily or weekly to a removable media device and then transport it to a separate location. It is important to store your data in more than one physical location should something happen at the primary office to compromise the integrity of the local backups. While this may seem arduous and time-intensive, offsite backups protect against theft, fire, or other natural disasters that could otherwise compromise your business.

Cloud-Based

Utilizing a reliable internet connection, cloud-based services automatically back up data from your local systems to remote servers over secure, encrypted connections. Depending on the options selected and how they are configured, some cloud-based backup solutions can also be programmed to save a second copy of data to a local data repository. This gives a company the best of both worlds (on-premise and offsite through the cloud) and provides peace of mind that all of your digital data is safe and available in case anything happens to your computers.

Which of These Backup Solutions Is Right for You?

	On-Premise	Offsite	Cloud-Based
System Requirements	Backup host computer, backup software, external hard drive(s), tapes, or other electronic media	Backup host computer, backup software, removable media	Software subscription, reliable internet connection
Costs/Fees	Higher initial out-of-pocket cost for backup software and backup media	Higher initial out-of-pocket cost for backup software and removable backup media; Occasional purchases of additional removable media (depending on retention policy)	Monthly fee varies based on number of machines to backup and amount of data
Time to Manage	After initial setup, the system is programmed to back up files automatically but user monitoring is required to audit process	Manual backups can be performed anytime	After initial setup, the system is programmed to back up files automatically; Full monitoring available
Data Accessibility	On-premise only	Must be retrieved from offsite location	Available via secure credentials anywhere internet connection is available
Data Encryption	Limited by hardware and software	Limited by hardware and software	Full data encryption
Synchronization	Can be programmed to execute backups frequently — hourly, daily, weekly, etc.	None; Remote media transfers handled manually	Can be programmed to execute backups frequently —continually (in some cases), hourly, daily, weekly, etc.
Risk/Liability	Single location point of failure	Removable media could be lost, stolen, or dropped/corrupted in transit	Retrieval of data unavailable during internet outages (unless local copy also configured)

At Anderson Technologies, the backup solution we most frequently recommend is a cloud-based solution that has the ability to perform a “dual-destination” backup. Clients have on-premise recovery options as well as cloud recovery in the case of complete office loss due to fire, flood, or other natural disasters.

If you’d like to consult with one of our specialists about your backup system needs, please call us at 314.394.3001 or send an email to sales@andersontech.com.

St. Louis Computer Experts Share Their Secrets for IT Infrastructure Success

January 19, 2016/in Data Security, General, Managed Services /by Anderson Technologies

The start of a new year is full of expectation and a great time to look forward and plan how to best grow and “do things better.” We recently spent time reflecting on some of the IT challenges we’ve seen small to mid-sized businesses experience and how best to avoid them. The question becomes, “What do businesses need to do well in the IT infrastructure space in order to best set themselves up for success?”

Two primary categories must be addressed: internal and external systems and efforts. Throughout the coming year, our St. Louis computer experts will share more detailed information on many of these areas to give you technological peace of mind. For now, let’s take a quick look at infrastructure issues you need to be thinking about.

Internally: Within Your Office

Maintaining a stable computer infrastructure environment
- How well do your workstations, servers, routers, firewalls, printers, and other hardware operate? Are they secured against external threats? Are they up-to-date or just “limping along?”
Having a reliable wired and wireless network
- Do clients or employees bring their laptops to meetings in conference rooms? Do you allow open access to your Wi-Fi network, or are those networks password-protected? Do you have both PCs and Macs and, if so, can they talk to each other? Can they both save documents to any shared drives you may have? When you send something to the printer does it actually print, or does it go into a “black hole” of unprinted documents?
Managing robust network security
- Your networks should be secure and accessible only by those with approved access. Are there any vulnerabilities in your systems that need to be remedied?
Consistently backing up business-critical data
- Losing a file erases your time, data, and effort. Make sure you have backups that actually work. Have you tested your backup systems recently to see if you can actually retrieve a document from your backup system? Just because it’s sitting somewhere “in the cloud” doesn’t necessarily mean that it’s properly backed up.
Protecting computer infrastructure and business-critical data from malware: viruses, spam, ransomware (cryptolocker)
- It only takes one corrupted file to wreak havoc with your whole data infrastructure. If you are in a non-critical industry, it might not seem worth the extra effort to properly protect yourself. But if data reliability and systems functionality are important to your business, you’ll want your systems locked down like Fort Knox.
Protecting clients’ private data
- Whether the law requires you (for firms entrusted with sensitive client information) or whether it’s more of an expectation in your industry, you need to have the proper systems in place to protect customer records and personal data.
Being vigilant against developing cyber threats
- Cyber crime happens at the speed of data. Hackers know that a brilliant piece of malicious code today will be worth very little six months from now. They won’t wait, neither should you.
Complying with all governmental regulations appropriate for your industry (HIPAA, etc.)
- For some industries, there are very specific, very strict rules that need to be followed; for others, there are merely “guidelines” that act as the hallmark of a company following “best practices.” Do you know the rules for your industry, and do you have a plan to keep abreast of changing regulations?

Externally: What Do You Need?

Reliable e-mail platform capable of weeding out spam as much as possible
- Of the hundreds of e-mails you get a day, how many of them could be classified as digital junk mail? Can you access your e-mails from anywhere, and does your e-mail automatically update in a timely manner? While it might seem like a hassle to switch e-mail platform providers, the benefits might be worth it!
A digital presence which accurately communicates your organization’s value to your target audience
- Websites, social media platforms, SEO efforts, Google AdWords campaigns and a whole host of other digital outlets should put you in the spotlight in the most strategically-grounded way.
Reliable website hosting
- Not all web hosting is created equal. For a few additional dollars per month, have the confidence your website is automatically backed up,secured from external threats, and kept “up-to-date.”
Reliable telephony infrastructure
- How many problems do you experience with your VoIP phone system in a day?Lost calls equate to frustrated customers and potentially lost sales. Don’t let an outdated telephone system weaken your growth efforts.
The ability to collaborate effectively with clients, employees, and vendors
- Let’s face it; we live in a shared, digital world where sending files via FTP and e-mail is considered too slow. People don’t want to wait for files to be delivered via e-mail; they want them immediately! And they want to be able to make changes and share those changes with colleagues or clients right now. Set yourself up with fastest methods of data transfer and enhance your collaboration efforts.

There are a many components to keep track of and successfully put in place in order to fully realize a reliable IT infrastructure. Master them and your business will experience less hassles, less downtime, and less computer angst. Keep a firm grasp on these core concepts and you’ll experience more—more productivity, more confidence, and more success.

And as always, if you have a pressing need we’d be happy to help!

Posts

Latest News