Category: IT Security Assessment

This question can be easily answered be asking yourself if you have not had one performed for you in the last year or ever. If that is the case, the answer would be unequivocally YES!

IT and computers, like many other facets of your business, are not “set it and forget it” devices like a fax machine or a stapler. IT systems have changes being made to them on a daily basis and must have regular attention paid to them in order to keep them from harm’s way and your system running smoothly. Just because something terrible has not happened to your IT systems yet does not mean that your system is forever free and clear and does not need any attention. It really means that you been dodging the bullet and the inevitable significant “game-changer” is not far around the corner.

The most common items that are overlooked on a network / IT system and which can cause major issues are user password policy (passwords not set to expire on a regular basis, not required to be 7 characters or better), system security updates policy (is there an actual plan for regular deployment of updates?) and end-user awareness training. Believe it or not, not addressing or forgetting about these mundane items are what the Internet “bad guys” are hoping for. These are the sort of vulnerabilities that they love to see—old user accounts not disabled, users with easy to guess passwords and in the case of MedStar Health—an unpatched network server and workstation.

You may be saying to yourself that “we are just a small entity” no one wants our data or information.” On the Internet, however, your network is just a number (IP address) much like a house address is to the post office. Your “house” has windows and doors which are called ports.

Do you even know where your Internet firewall is located in your office and how do you know whether your Internet protection device is up-to-date with the latest security firmware updates?
Of the most important security devices in your office should not go unchecked for months or even years. You should keep this unit up-to-date with a support contract from the vendor and by applying regular firmware updates. Having it tested with an external penetration test is equally important.

How old it is or is it even a supported device with the hardware manufacturer any longer?
Your security appliance / firewall should be replaced as often as a desktop computer – every three years or so to ensure that you are taking advantage of the latest security and protection technologies.
Internet ports are only a small fraction of the way risks can be introduced into your network.

Other items at which to look are (and there are MANY more than these):

Poor Data Backup Strategies / Disaster Recovery
Is there even a plan to test the backups or a plan to recover from a significant IT security event? You should have a layered approach to data backup and it should be automated, not manual, and should also include some sort of disaster recovery data restore option.

Remote Access / Employees in the Field / Cloud Computing
Are users in the field or working from home offices updated on a regular basis? Are they using public hot-spots for Internet access? Data in the cloud seems nice and convenient but who is looking at your data as it resides on the vendor’s servers? Have you reviewed your service level agreement with your vendor? What happens if they have a “gotcha” virus moment like a large entity like MedStar? How long does it take to get your data back if the vendor gets bought out by another company and the new company discontinues your cloud offering as a way of killing the competition?

Your business should have a well thought out and concise remote access policy for remote users and the computers that they use should be company-owned so that your IT personnel can dictate security policy on them.

Smart Phones
Is there a company-wide policy for use of smart-phones and remote data sync? Do the phones even have the security lock feature turned on? On an iPhone, if not, the data on the phone is NOT encrypted. Same as with remote computer users, the smartphones that your company employees use should be company owned and administered. You cannot tell your employees to be smart and security aware if you do not own it.

Disgruntled Employees
Is there an employee who is not happy about not getting a promotion? Did he /she have a greater level of data security access than they should have given their job description? Threats from within should be of great concern. You need to keep your finger on the pulse of your staff and to have formal policies as to what needs to be done from an IT perspective before you make someone an ex-employee.

So, to answer the question presented to you at the beginning of this post, “How do I know if my company needs a computer IT Network Security Assessment?” With all of the moving parts of an IT system, the better question is, “Can I afford not to?”

And why it could easily happen to your practice or business

Despite MedStar undoubtedly having a very large IT cybersecurity budget, they still fell victim to a ransomware virus allegedly after an employee clicked on a link in an email. The chain of events found its way to an unpatched Linux server that had a security vulnerability on it that dated all the way back to 2008. The Linux software manufacturer developed and supplied a fix for the security issue shortly after it was discovered in the same year, but MedStar’s technical support team left it unpatched.

That leads me to ask—how many machines are still left without the proper security updates applied at their locations but more importantly at your location? Any single workstation, much less a server, can have over a dozen pieces of software that need to be constantly updated. From Adobe Reader, Adobe Flash Player, Java, and Microsoft Office (only to name a few), there are always security flaws and vulnerabilities that are realized by the software vendor who subsequently issues a fix in the form of a download. Most of these downloads have to be downloaded and applied manually. So, if you have a small practice or business without a dedicated technical person looking for these types of issues, you should ask yourself who is making sure that these updates and being applied and that they are current?

Another question that needs to be answered about the MedStar event is why it took so long for MedStar to restore their data and have their systems back online. Reports have suggested that it took close to a week for that to happen. One would imagine that MedStar would have state-of-the-art data backup systems with multiple options for restoration. The best way to combat a ransomware virus is to accept that you had weaknesses in your cyber-defenses and concede that you had a “they got me” moment and do not pay the ransom but rather move on to the data restoration process as soon as possible. With the correct layer of backups, your server should be able to be restored in time measured in hours not days.

Questions to ask yourself about your small medium-sized business or medical practice IT system:

    Is my front-end security in place?
  1. Is my firewall current and does it have the latest firmware updates applied?
  2. Do all of my servers and workstations have the LATEST anti-virus version and definition updates applied?

    Are my data backup systems current and operational?
  1. Is my data backup an automated process or does it rely on a person to manually perform this function?
  2. Has my data backup actually been tested to see if it can restore the files that I need restored?
  3. Is there a layered approach to my backups?
  4. Do I have an off-site data restoration option in the event that there is a major catastrophe at my place of business?

    Have my employees / end-users been educated on what to do and not to do when using company IT systems?

    Do I have an IT manual that outlines what is expected of my employees as it relates to the IT systems?

    Is there a formal disaster recovery plan in place that details the steps to take to recover from a significant IT security event?

    If you answered “no” to any of the above questions, then it’s time to make a change regarding your IT system management.

If you have questions about this article, please contact Dave Thomas, Director of Technology Services, Kenneally Technology Services, 443.829.9897, dthomas@jlktech.com.

Credit rating agency Moody’s Corp. warns that cyber defenses as well as breach detection, prevention and response will be higher priorities in its analysis of the creditworthiness of companies across all sectors, including healthcare and financial services.

Read the complete article from InfoRiskToday

J. L. Kenneally & Company (the parent company of Kenneally Technology Services) will be inducted into the Baltimore County Chamber of Commerce Hall of Fame on Thursday, November 19th and will join well-known area businesses and organizations such as:

  • AAI Corp.
  • Advance Business Systems
  • Verizon Maryland
  • McCormick and Co.
  • Towson University

For more than 30 years, J. L. Kenneally & Company has provided quality tax, accounting and business consulting to closely-held businesses and their owners. Our firm’s experience and expertise are backed by an extraordinary dedication to providing a superior level of client service.

www.jlkcpas.com
www.baltcountycc.com

Security update for Windows: November 10, 2015

Causes Microsoft Outlook to crash, network sign-in issues and Windows desktop black screens.

The security patch (KB 3097877) which was part of the November 10th list of Windows updates is part of security bulletin MS15-115, a “critical update,” in Microsoft’s lexicon, designed to prevent remote code execution triggered by malicious fonts.

It appears to have caused multiple issues including causing MS Outlook to crash, preventing network sign-ins and black screens with no other icons or backgrounds.

If you are experiencing these issues after Tuesday, November 10th, re-run Windows update and apply all of the latest updates.

You can do this in one of two different ways:

Access CONTROL PANEL from your Windows computer and choose to view the control panel with the “small icons” view (A drop down option in the upper right-hand corner of the control panel window). Access the Windows Updates icon and once you have opened Windows updates click on “Check for Windows Updates” on the left-hand side. Choose to apply all of the available updates and reboot when they have finished being applied.

Your computer may also have a Windows update button in the system tray which is the list if icons in the bottom right-hand corner of your Windows desktop next to the system clock. If you hover your mouse pointer over this icon it will state Windows updates. Click the small icon and proceed to apply the updates that are available.

In some instances, you may be required to uninstall the security update in question (KB 3097877) prior to re-applying the new version of the update which resolves the issues.

To do this, access the CONTROL PANEL and Windows Update much in the same way as mentioned above. Choose “Update History” or “View Installed Updates”. Sort the list of security updates by date by clicking on the date column header. Search for (KB 3097877 from November 2015) and double-click to uninstall. Reboot your computer after the update has been uninstalled and the follow the directions at the top of this bulletin to re-apply the resubmitted version of this security update.

If you would like some guidance or assistance with this issue please contact us.