In both a recent interview and his annual letter, Bill Gates spoke in a warning tone to tech companies, cautioning that a government crackdown may be coming. You can read more in this GeekWire article.
Have you found podcasts to make the most of your commute? Whether you enjoy a good listen on the train, in the car, or even at the gym later tonight, Entrepreneur has some fantastic episodes on team building. Here is one of the good ones:
Microsoft and others are questioning whether intelligence agencies are disclosing the security vulnerabilities they find. After 10 countries were affected by the massive hack, many are looking at how to get ahead of the next one. You can read more here.
By now, most people have likely heard the term “Social Engineering” in various contexts. The term can have multiple meanings, but in the context of IT security it is defined as the use of deception or manipulation to induce someone to divulge confidential information or grant access. This may be as simple as calling a company, pretending to be an employee, and asking for credentials. Social engineering ranges from crude attempts that are easily recognized as illegitimate, such as the well-known “Nigerian Prince” email scams, to extremely complex, targeted attacks that often go undiscovered.
Social engineering attacks can take place over any form of communication, and are thus not limited to network-based protocols. Some examples of real-world social engineering attacks include: an attacker dropping malicious USB drives in a company’s parking lot, an attacker disguising himself as an IT employee or consultant and asking for access to the server room, and an attacker calling a help desk asking for a password reset on an account he does not actually own. In all of these cases, the attack is based on exploiting trust. People have an innate trust of authority and a strong desire to help whenever possible. Unfortunately, these and other human qualities can be leveraged by skilled attackers to gain access.
So how can one prevent or dissuade social engineering attacks? Unfortunately, there is no single technical solution that prevents social engineering. As is the case with the majority of cybersecurity threats, a “Defense-in-Depth” strategy is the best way to protect against it. Defense-in-depth strategies combine technical safeguards, policies and procedures, and employee awareness programs to dramatically decrease the likelihood of a successful attack. Each of the examples above has a matching control: a call-back to a number on file before the help desk resets a password, multi-factor authentication so that a phished password alone is not enough, a badge-and-escort policy for anyone claiming to need the server room, and endpoint rules that block unknown USB devices.
That completes our basic introduction to social engineering. Join us in the next installment of the social engineering series, where we will cover this topic in greater depth. If you would like to talk to our skilled consultants about protecting your business from social engineering, please give us a call.
If you love your Mac but need Windows for work, there is a solution through a virtual machine. This Gizmodo article breaks down how virtual machines work, a few pros and cons, and solutions to get you started. Let us know how we can help you improve your work efficiency by giving us a call at 502-241-2600.
Passwords: the bane of our modern existence. No matter how many new technologies emerge to help assuage our password woes, it seems we will always remain tethered to what seems to be the only remaining vestige of the early days of computing. Passwords are nearly universally reviled. End users dislike the constant cycle of password changes, complexity rules, and password history restrictions ad nauseam; administrators hate having to coach end users through the password creation process, the constant cries of “I forgot my password!”, and the frustration of knowing that at the end of the day, even the most top-tier network security architecture can come crumbling down at the hands of a password carelessly written on a post-it note and tossed in the trash.
So how did we get to this point? Does it really matter if we have a minimum of 42 characters, with two ampersands and a caret, thirteen numbers (distributed randomly, of course) and substitutions throughout? To quote Randall Munroe of the web comic xkcd, “through twenty years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” We propose, along with a growing number of computer security experts, that it is time to reassess the commonly accepted wisdom when it comes to passwords: that we must abandon the idea that every password has to be reset every thirty, sixty, or ninety days, and that every password needs an upper and lower case letter, a number, and a special character. In theory, these are good practices for a variety of reasons; in practice, these policies only encourage insecure passwords that get recycled by adding a single digit and an exclamation point to the end, or worse, written on a sticky note and tucked underneath a keyboard.
So what does the alternative look like? How do we keep systems secure while minimizing the frustration experienced by everyone involved? NIST, in Special Publication 800-63B, recommends eliminating composition requirements, routine expiration without evidence of compromise, password hints, and knowledge-based authentication. For the end user, this means the end of complexity and history requirements (a minimum length still applies: at least 8 characters, and verifiers should accept long passphrases of 64 characters or more), no more forced resets after a set number of days, no more “rhymes with bassword” hints, and no more “what was your maternal grandmother’s dog’s father’s name?” secret question/secret answer systems. In their place, NIST asks verifiers to screen every new password against lists of known-breached, commonly used, and context-specific values (such as the user’s name or the company name) and to force a change only when a compromise is suspected. Additionally, NIST recommends encouraging passphrases rather than passwords, because password length matters substantially more than password complexity.
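To make the NIST rules concrete, here is an added example (not KCI’s code, and not an official NIST implementation) of the acceptance check a verifier would run on a new password under SP 800-63B. The breached-password set is a small constructed sample standing in for a real compromised-credential feed, and the 128-character ceiling is an assumption above NIST’s 64-character floor; the length and screening rules themselves come from SP 800-63B section 5.1.1. The last function shows, with plain arithmetic, why length beats complexity: a 20-character lowercase secret has a far larger search space than an 8-character one drawn from all printable characters.

```python
"""Memorized-secret (password) checks following NIST SP 800-63B section 5.1.1.

Added example, not KCI's code. The breached-password set is a constructed
sample standing in for a real compromised-credential feed; the 8-character
minimum and the allowance for long passphrases come from SP 800-63B.
"""
import math
import unicodedata

MIN_LENGTH = 8      # SP 800-63B: memorized secrets SHALL be at least 8 characters
MAX_LENGTH = 128    # SP 800-63B: verifiers SHOULD accept at least 64; we accept more

# Constructed sample; a real deployment checks a large breached-password corpus.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1",
            "p@ssw0rd", "password1!", "summer2017!"}


def normalize(secret: str) -> str:
    """NFKC so visually identical Unicode spellings compare equal; spaces are kept."""
    return unicodedata.normalize("NFKC", secret)


def has_sequential_run(s: str, run: int = 4) -> bool:
    """True for runs like 'abcd' or '1234' (SP 800-63B: reject sequential characters)."""
    codes = [ord(c) for c in s.lower()]
    return any(all(codes[i + j + 1] == codes[i + j] + 1 for j in range(run - 1))
               for i in range(len(codes) - run + 1))


def check_secret(secret: str, context_words=()) -> tuple[bool, str]:
    """Return (accepted, reason). Deliberately no upper/digit/symbol composition rule."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(s) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    low = s.lower()
    if low in BREACHED:
        return False, "found in breached-password list"
    if len(set(low)) <= 2:
        return False, "repetitive characters"
    if has_sequential_run(low):
        return False, "sequential characters"
    for word in context_words:          # user name, company name, service name
        if word and word.lower() in low:
            return False, f"contains context-specific word {word!r}"
    return True, "accepted"


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """log2 of the search space for a uniformly random secret of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "correct horse battery staple", "password1!", "abcd1234xyz"]:
        print(f"{pw!r}: {check_secret(pw)}")
    print("8 chars, 95-symbol alphabet:", round(brute_force_bits(8, 95), 1), "bits")
    print("20 chars, lowercase only:   ", round(brute_force_bits(20, 26), 1), "bits")
```

Note what the check does not do: it never rejects a secret for lacking a digit or symbol, and it never expires one on a schedule. A real verifier would also hash the accepted secret with a salted, slow key-derivation function before storing it, which SP 800-63B requires but this example leaves out.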
With these new password guidelines, we will see a drastic reduction in the pain involved in creating and maintaining secure passwords, and hopefully as a result, a reduction in the number of cybersecurity incidents.
Welcome back to our series on ransomware! In the last article we discussed ransomware prevention techniques, but what happens if our defenses fail to stop an infection? That’s where having a solid incident response plan comes into play. An incident response plan is an easy-to-follow document detailing the necessary steps to contain and remediate an infection or breach.
The incident response process for ransomware is very much like any other incident response process, with the notable exception being the decision of whether it makes financial sense to pay the ransom. We generally do not recommend paying the ransom, for a multitude of reasons; but from a purely financial standpoint, it is often cheaper to pay to regain access to your data than to attempt recovery via other means. Paying the ransom can be troublesome, as the organization may open itself to prosecution for providing financial support for a known criminal enterprise, and may be marked by the criminal enterprise as a prime target willing to pay ransom. If you make the decision to pay the ransom, be aware that there are no guarantees that you will even get the decryption keys. For this reason, it is imperative you put the requisite controls in place to stop infections before they start, have a good backup procedure in place, and develop an incident response plan before being infected.
Incident response is broken down into six phases that dictate the steps taken prior to, during, and after an infection or breach. These six phases, from the SANS Institute Incident Handler’s Handbook, are as follows:
1. Preparation: the policies, tooling, backups, contact lists and trained responders that must exist before anything happens.
2. Identification: detecting that an incident is underway and scoping it (which hosts, shares and accounts are affected, and when it started).
3. Containment: stopping the spread, for ransomware typically by isolating infected machines from the network and disabling writable shares.
4. Eradication: removing the malware and the foothold it used, up to and including rebuilding affected systems.
5. Recovery: restoring data from known-good backups, returning systems to service and monitoring for re-infection.
6. Lessons Learned: a post-incident review that feeds back into the Preparation phase.
In addition to the steps listed above, in the case of a ransomware infection, it is a good idea to keep an offline backup copy of any encrypted files in the event that the encryption scheme is ever broken or the decryption keys released.
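The Identification phase and the offline-copy advice above both start with the same question: which files were touched, and when? The following is an added example, not KCI’s code or a tool from any vendor, of scoping a ransomware incident from the file system. It walks a directory tree, separates ransom notes from encrypted files using two constructed heuristics (a known note file name or wording, and a foreign extension or near-random byte entropy), records the earliest modification time to bound when encryption began, and writes a SHA-256 manifest so the offline copy can be verified later if a decryptor appears. The note names, extensions, entropy threshold and sample directory are all illustrative assumptions.

```python
"""Scoping a ransomware incident from the file system (identification phase).

Added example, not KCI's code. The sample tree is constructed in a temporary
directory; note names, extensions and the entropy threshold are illustrative
assumptions, not indicators from a specific ransomware family.
"""
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "decrypt_instructions.html"}
NOTE_PHRASES = ("your files have been encrypted", "bitcoin", "decrypt")
SUSPECT_EXTS = {".locked", ".encrypted", ".crypt"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data sits near 8.0
# Legitimately compressed formats also score high, so entropy alone is not used for them.
ALREADY_COMPRESSED = {".zip", ".jpg", ".png", ".gz", ".docx", ".xlsx", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_ransom_note(path: Path) -> bool:
    if path.name.lower() in NOTE_NAMES:
        return True
    if path.suffix.lower() not in {".txt", ".html", ".hta"}:
        return False
    text = path.read_text(errors="ignore").lower()
    return sum(phrase in text for phrase in NOTE_PHRASES) >= 2


def triage(root) -> dict:
    """Classify every file under root; return notes, encrypted files, first mtime and a manifest."""
    notes, encrypted, manifest = [], [], {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            notes.append(str(path))
            continue
        data = path.read_bytes()
        ext = path.suffix.lower()
        suspicious_ext = ext in SUSPECT_EXTS
        high_entropy = ext not in ALREADY_COMPRESSED and shannon_entropy(data) > ENTROPY_THRESHOLD
        if suspicious_ext or high_entropy:
            encrypted.append(str(path))
            # Hash, size and mtime are enough to prove an offline copy is intact later.
            manifest[str(path)] = {"sha256": hashlib.sha256(data).hexdigest(),
                                   "size": len(data), "mtime": path.stat().st_mtime}
    first = min((m["mtime"] for m in manifest.values()), default=None)
    return {"ransom_notes": sorted(notes), "encrypted_files": sorted(encrypted),
            "first_encryption_time": first, "manifest": manifest}


def write_manifest(report: dict, out_path) -> None:
    """Persist the manifest next to the offline copy of the encrypted files."""
    Path(out_path).write_text(json.dumps(report["manifest"], indent=2, sort_keys=True))


def build_sample_tree() -> str:
    """Constructed victim directory: two 'encrypted' files, one note, one untouched file."""
    root = tempfile.mkdtemp(prefix="victim_")
    Path(root, "Finance").mkdir()
    Path(root, "Finance", "budget.xlsx.locked").write_bytes(os.urandom(4096))
    Path(root, "Finance", "forecast.xlsx.locked").write_bytes(os.urandom(4096))
    Path(root, "Finance", "HOW_TO_DECRYPT.txt").write_text(
        "All your files have been encrypted. Buy Bitcoin and email us to decrypt.")
    Path(root, "notes.txt").write_text("Quarterly planning notes, nothing unusual here.\n" * 20)
    # Constructed timestamps so the earliest encryption time is deterministic.
    os.utime(Path(root, "Finance", "budget.xlsx.locked"), (1_700_000_000, 1_700_000_000))
    os.utime(Path(root, "Finance", "forecast.xlsx.locked"), (1_700_000_300, 1_700_000_300))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = triage(sample)
    write_manifest(result, Path(sample, "manifest.json"))
    print(json.dumps({k: v for k, v in result.items() if k != "manifest"}, indent=2))
```

Two caveats for real use: run the scan from a clean host with read-only access to the affected share, not from the infected machine, and treat the earliest mtime as a lower bound only, since some families reset timestamps. The manifest is what you keep with the offline copy of the encrypted files; if a decryptor is later published, it proves the copy is the one you catalogued.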
That concludes this week’s installment of our series on ransomware! Join us next week, where we’ll be discussing mitigating factors – namely secure backup systems.
Business First recently produced this video from the Small Company of the Year Finalists and Winner. We are honored to share the vision of KCI and to see the faces of those who put servant leadership into practice for our clients each and every day. Enjoy the fun watch!
Welcome back to our series on ransomware. In the last post, we discussed what ransomware is and how it spreads. With this baseline knowledge of how ransomware works, we can work toward preventing ransomware attacks. So, how do you prevent ransomware, and malware in general, from gaining a foothold in your corporate network?
The first step in any effective defense is a solid antivirus/antimalware solution. There are many antivirus solutions on the market today, and as with any product, each has strengths and weaknesses, but it is difficult to go wrong when you stick to well-known, trusted providers such as Symantec, Kaspersky Labs, Webroot, ESET, AVG, Avast, etc. These products are well tested, constantly updated to deal with the latest threats, and have proven effective at preventing many variants of malware. While it is absolutely necessary to have every computer covered by a good antivirus solution, no antivirus can prevent all attacks all the time.
The next step in malware prevention is user awareness. The vast majority of ransomware infections begin with a file opened or an application run by a user who has been duped into believing it is benign. Because of this, it pays dividends to ensure your company’s staff is fully aware of the threat of malware infection and social engineering. Conduct regular user training sessions, periodically run simulated phishing and other social engineering tests against your own company, and keep a technology use policy in place so that information security stays in the collective mindset of your users.
The next steps in prevention are iterative, building upon and enhancing the defenses of antivirus and user awareness.
Some examples are spam and virus filtering devices or services that keep malicious emails out of users’ inboxes; web content filters that block non-business-related or risky websites; next-generation or “deep packet inspection” firewalls that inspect network traffic for malware signatures (note that they see inside encrypted web traffic only if TLS inspection is configured, so they complement rather than replace endpoint protection); intrusion detection and prevention systems that can shut down an attack in progress; and ransomware canaries, decoy files on shared drives that raise an alert the moment something starts rewriting them, to limit the damage from a successful attack. These solutions can be highly effective, but may come at a fairly high cost of implementation and/or maintenance. Even so, a good defense can pay for itself many times over by preventing a single successful attack.
Last but not least, it pays to have a backup plan. Backing up all business-critical data on a regular basis (daily at the very least, more frequently if possible), both on- and off-site, will save you the pain of having to pay a criminal enterprise for access to data you already own. The backups themselves must be out of ransomware’s reach: a backup appliance that keeps versioned or immutable copies which cannot be modified from the endpoints it protects, replicated to the cloud, is indispensable if your defenses fail to prevent an infection. A backup that sits on a writable share will simply be encrypted along with everything else. Implementing these defenses can save your company thousands of dollars in potential data loss, ransom costs, and lost productivity. Stay tuned for the next installment of this weekly series, where we will discuss what to do if you are hit by ransomware.
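Of the layers above, the ransomware canary is the one small enough to show end to end. The following is an added example, not KCI’s code or any vendor’s product, of the idea: plant decoy files in every directory of a share, record their hashes as a baseline, and poll that baseline so any canary that is rewritten, renamed or deleted reports a trip. The file names, the temporary “share” and the simulated attack are constructed for the demo; the choice of names that sort first and last in a directory listing is a common design choice, made here on the assumption that the crypter walks the share in listing order.

```python
"""Ransomware canary files: plant, baseline, check.

Added example, not KCI's code or any vendor product. Paths and file names are
illustrative; the 'share' below is a temporary directory created for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen to sort first and last in a directory listing, on the assumption
# that the crypter walks the share in listing order (a common design choice).
CANARY_NAMES = ["!00_canary_budget.xlsx", "zzz_canary_contracts.docx"]
CANARY_BODY = b"CANARY - do not edit. Contact IT if this file changed.\n"


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(share_root) -> dict[str, str]:
    """Write canary files into every directory under share_root; return {path: sha256}."""
    root = Path(share_root)
    baseline = {}
    directories = [root, *[p for p in root.rglob("*") if p.is_dir()]]
    for d in directories:
        for name in CANARY_NAMES:
            p = d / name
            p.write_bytes(CANARY_BODY)
            baseline[str(p)] = _digest(p)
    return baseline


def check_canaries(baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, reason) for every canary that is missing, renamed or rewritten."""
    tripped = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            # An encrypted copy with an extra extension usually sits beside the missing original.
            siblings = [s.name for s in p.parent.glob(p.name + ".*")]
            reason = f"missing (found {siblings})" if siblings else "missing"
            tripped.append((path_str, reason))
        elif _digest(p) != expected:
            tripped.append((path_str, "content changed"))
    return tripped


def simulate_ransomware(baseline: dict[str, str]) -> None:
    """Demo only: overwrite one canary in place and rename another, as a crypter would."""
    paths = sorted(baseline)
    Path(paths[0]).write_bytes(os.urandom(64))
    Path(paths[-1]).rename(paths[-1] + ".locked")


def demo() -> list[tuple[str, str]]:
    """Build a constructed share, plant canaries, attack it, and return what tripped."""
    root = tempfile.mkdtemp(prefix="share_")
    Path(root, "Finance").mkdir()
    Path(root, "Finance", "q3.txt").write_text("real data\n")
    baseline = plant_canaries(root)
    assert check_canaries(baseline) == []   # clean share: nothing tripped
    simulate_ransomware(baseline)
    return check_canaries(baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"TRIPPED {path}: {reason}")
```

In production the check runs every few seconds from a monitoring host with its own read-only credentials, and a trip triggers the containment action appropriate to the site, typically disconnecting the share or disabling the session that touched the canary. Exclude the canary names from backup and from user-visible search so staff are not tempted to open or tidy them away.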
If you haven’t heard the term “ransomware” yet, consider yourself lucky. In this multi-part series, we will be discussing the relatively recent class of malware known as ransomware. As the name suggests, the goal of this particular malicious software is to hold your corporate or personal data hostage and demand payment, usually in the digital currency Bitcoin or another payment method that is hard to trace back to the criminals. In order to defend yourself from ransomware, it is helpful to first understand how it breaks into your network in the first place.
Most commonly, ransomware is distributed by emails known as “phishing” scams. Phishing emails can be targeted specifically to an industry, company, or individual; or simply generalized and sent out in massive batches to any email addresses the attackers can harvest. Phishing emails are designed to make the recipient take some action, such as opening a malicious attachment, or clicking a hyperlink where malware is hosted, by using social engineering. For example, the email will masquerade as something the victim expects to receive, such as an invoice to the Accounting department, and will provide an incentive for the user to open an attachment with malicious code, like purporting to be a demand for past-due payment. Once the computer has been infected, the ransomware goes to work encrypting files. When file encryption is complete, the ransomware will make its presence known with a ransom note, telling the victim how to make arrangements to obtain the decryption key and regain access to the encrypted data.
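The attachment in that invoice email is where a mail filter earns its keep, and the checks are simple enough to show in full. Below is an added example, not KCI’s code or the rules of any real mail gateway, of static attachment triage: it parses a message, and for each attachment flags script and executable extensions, double extensions such as invoice.pdf.js, files whose content does not match their claimed type, raw Windows executables, and archives that carry any of the above. The message, its attachments and the extension lists are constructed for the demo and are not real samples.

```python
"""Static triage of e-mail attachments of the kind used to deliver ransomware.

Added example, not KCI's code or any mail filter's real rules. The message
below is constructed in memory; the extension lists are illustrative and a
real gateway would maintain longer ones.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that run code when double-clicked on a Windows desktop (illustrative set).
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk",
                   ".jar", ".ps1", ".bat", ".cmd", ".com", ".pif"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
MAX_ZIP_MEMBERS = 200   # refuse to enumerate huge archives (zip-bomb hedge)


def _exts(filename: str) -> list[str]:
    """Every extension in the name, e.g. invoice.pdf.js -> ['.pdf', '.js']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    findings = []
    exts = _exts(filename)
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(f"{filename}: executable/script extension {last}")
        if len(exts) > 1:
            findings.append(f"{filename}: double extension disguising {last} as {exts[-2]}")
    if last in MACRO_EXTS:
        findings.append(f"{filename}: macro-enabled Office document")
    if last in MAGIC and not data.startswith(MAGIC[last]):
        findings.append(f"{filename}: content does not match {last} header")
    if data[:2] == b"MZ":
        findings.append(f"{filename}: Windows PE executable content")
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()[:MAX_ZIP_MEMBERS]
        except zipfile.BadZipFile:
            names = []
        for name in names:
            inner = _exts(name)
            if inner and inner[-1] in EXECUTABLE_EXTS | MACRO_EXTS:
                findings.append(f"{filename}: archive member {name} is executable/macro-enabled")
    return findings


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment's file name to the list of findings against it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report[name] = inspect_attachment(name, data)
    return report


def build_sample_message() -> bytes:
    """Constructed phishing-style message for the demo (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "accounting@example.test"
    msg["Subject"] = "Past-due invoice 0042 - payment required"
    msg.set_content("Please review the attached invoice and remit payment today.")
    # A script disguised with a double extension (inert text, not a real downloader).
    msg.add_attachment(b"var s = new ActiveXObject('WScript.Shell');",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_0042.pdf.js")
    # A zip carrying a file with a PE header (fake MZ stub, not a real binary).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0042.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan_0042.zip")
    # A benign text attachment for contrast.
    msg.add_attachment("Payment terms: net 30.", filename="terms.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_message()).items():
        print(name, "->", findings or "clean")
```

A gateway would quarantine on any finding and, for the archive case, also reject password-protected zips it cannot open, since those defeat the member check. This is a static filter only; it says nothing about a clean-looking Office file that fetches its payload once macros are enabled, which is exactly the case user awareness has to cover.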
In many cases, the ransom note will specify a deadline after which the decryption keys become unavailable or the ransom increases, commonly doubling after a period such as 48 hours from infection. The notes vary in sophistication, from simple text files telling the victim to email a particular address, all the way up to full web pages with links to resources and instructions to help the victim purchase and send Bitcoin to the attacker. In some cases, ransomware distributors will even provide their victims with real-time chat support.
With this foundational information about how ransomware spreads, we can begin to build an effective defense. Please stay tuned for future installments of this series, where we will discuss next steps, including prevention, mitigation, and incident response.
Ransomware attacks are happening more often and are something we frequently help clients work through. Perhaps your business has already had this malicious headache, or you have heard friends talking about Bitcoin and the painful recovery. No More Ransom is a site launched as a joint initiative of Europol’s European Cybercrime Centre, the Dutch National Police, Intel Security and Kaspersky Lab. The site exists to help before and after your computer has been compromised, including free decryption tools for ransomware families whose keys have been recovered. You can read more here. As always, your KCI team is close by to offer preventative solutions in advance or to help you in times of crisis.
We couldn't say enough good things about our clients and the readers of Business First who nominated KCI as Business of the Year 2016. It is truly an honor, folks!
You can check out the full list of finalists here as we share the space with some pretty fine company.
It has been an incredible year at KCI and we continue to serve you humbly. KCI was recently named one of the Fast 50, the fastest-growing private companies in Louisville! We are honored to receive the award at the Fast 50 Luncheon on October 27th at the Louisville Galt House.
For more details check out the Business First article here.