Having secure remote access is not convenient. To provide secure remote access, you must have a multi-faceted system in place with at least a two-level authentication method to allow users into your network and avoid giving access to unwanted users.
If you think about your network like a home, consider that there are windows and doors in your home that allow you and others to enter and leave. You put locks on those openings to control who enters and to keep unwanted visitors out. Security on your network is based on that same simple principle. There are vulnerabilities in computer networks that must be “locked down” to control who has access to them. We find that many business owners are not aware of the vulnerabilities in their networks and computer systems because they don’t know enough about remote access or what their “doors and windows” are.
“In today’s environment, teenagers are able to hack into your computer system.”
Security and secure systems should be a deterrent for random people to hack into your network and computer systems. The more secure and inconvenient it is for someone to hack into your system, the more likely they will move on to the next system that is easier to get into.
Here are basic best practices for implementing secure remote access to your network and computer systems.
Remote User “Requirements”
- Use Business-Owned Devices – Remote workers must use company-owned computers and mobile devices so that you can dictate the security policy on them; this is a major requirement. At no point should they be using their own computer, installing their own applications on it, or using it for personal reasons. On a business-owned computer, you have the right and the ability to monitor the security and configuration of that unit. If it’s someone’s personal computer, you don’t have the right to do that.
- Encrypted Devices – All remote access computers and phones should be encrypted. Users must enter a password to unlock the device. If the device gets lost, it should be configured so that it is automatically rendered useless.
- No Public WiFi – Remote users should use their own phone hotspot or MiFi devices to connect to the Internet. Users should not be using public WiFi. Your IT manager can configure these devices to ensure these hotspot applications are set up. Remote users should not use hotel or restaurant WiFi as these may not be secure.
- Encrypted Connections – Some level of security software should be in use (a Virtual Private Network – VPN, or other) to ensure that the connection from the remote device to the host is encrypted.
- Avoid Using Freeware or Shareware Solutions for Remote Access – Remote users should not use free versions of TeamViewer, VNC Viewer, etc. Opt instead for the purchased versions of these applications, if necessary, and ensure your IT manager has control over how they are configured.
Best Practices for Business Owners
- Ensure you have remote access to each company-owned device so that security updates can be applied to it on a regular basis.
- Ensure that utilities are set up so that you can remotely monitor these devices and confirm they are being used according to company IT security policies.
- If you’re concerned about employee productivity, software can be installed on the devices to track employee productivity.
- If you’re concerned about employees accessing social media, personal email, or other sites from company-owned devices, software can be installed that filters content when remote users browse the Internet, restricting their access to these areas.
Remote access is one component of your overall IT computing environment. Kenneally Technology Services can review your remote access capabilities to see what improvements are needed to ensure your systems and data remain secure. An IT security assessment will help you ensure your network’s vulnerabilities are eliminated and “open doors” are locked down.
Posted on May 9, 2016 in IT Security, IT Security Assessment
This question can be easily answered by asking yourself whether you have had one performed in the last year, or ever. If you have not, the answer is unequivocally YES!
IT and computers, like many other facets of your business, are not “set it and forget it” devices like a fax machine or a stapler. IT systems have changes made to them on a daily basis and must have regular attention paid to them in order to keep them out of harm’s way and keep your systems running smoothly. Just because something terrible has not happened to your IT systems yet does not mean that your systems are forever free and clear and need no attention. It really means that you have been dodging the bullet and the inevitable significant “game-changer” is not far around the corner.
The most common items that are overlooked on a network / IT system, and which can cause major issues, are user password policy (passwords not set to expire on a regular basis, not required to be 7 characters or better), system security update policy (is there an actual plan for regular deployment of updates?) and end-user awareness training. Believe it or not, not addressing or forgetting about these mundane items is exactly what the Internet “bad guys” are hoping for. These are the sort of vulnerabilities that they love to see—old user accounts not disabled, users with easy-to-guess passwords and, in the case of MedStar Health—an unpatched network server and workstation.
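As an added example (not from the original post), here is a small Python audit over a constructed account export that checks the three items just named: a domain policy that does not force expiry or a 7-character minimum, passwords that never expire or are overdue, and accounts that have not logged on in months but are still enabled. The field names, the 90-day thresholds and the sample accounts are assumptions for this illustration.

```python
from datetime import date

# Thresholds: 7 characters comes from the post; the 90-day expiry and the
# 90-day inactivity cut-off are assumed values for this example.
MIN_PASSWORD_LENGTH = 7
MAX_PASSWORD_AGE_DAYS = 90
STALE_ACCOUNT_DAYS = 90

# Constructed sample data (not real accounts or a real domain). A value of 0
# for max_password_age_days means passwords are never forced to expire.
DOMAIN_POLICY = {"min_password_length": 6, "max_password_age_days": 0}
AS_OF = date(2016, 5, 9)  # constructed "today" for the sample
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_logon": date(2016, 4, 20),
     "password_last_set": date(2016, 3, 1), "password_never_expires": False},
    {"user": "former.temp", "enabled": True, "last_logon": date(2015, 9, 1),
     "password_last_set": date(2015, 8, 1), "password_never_expires": False},
    {"user": "svc_backup", "enabled": True, "last_logon": date(2016, 5, 1),
     "password_last_set": date(2014, 1, 15), "password_never_expires": True},
    {"user": "old.intern", "enabled": False, "last_logon": date(2015, 1, 1),
     "password_last_set": date(2015, 1, 1), "password_never_expires": False},
]

def audit_policy(policy):
    """Flag domain-wide password settings that fall below the bar."""
    findings = []
    if policy["min_password_length"] < MIN_PASSWORD_LENGTH:
        findings.append(("domain", "minimum password length %d is below %d"
                         % (policy["min_password_length"], MIN_PASSWORD_LENGTH)))
    age = policy["max_password_age_days"]
    if age == 0 or age > MAX_PASSWORD_AGE_DAYS:
        findings.append(("domain", "passwords are not set to expire regularly"))
    return findings

def audit_accounts(accounts, today):
    """Return (user, issue) pairs; disabled accounts are already dealt with."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if (today - a["last_logon"]).days > STALE_ACCOUNT_DAYS:
            findings.append((a["user"], "no logon in over %d days but still enabled"
                             % STALE_ACCOUNT_DAYS))
        if a["password_never_expires"]:
            findings.append((a["user"], "password is set to never expire"))
        elif (today - a["password_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a["user"], "password older than %d days" % MAX_PASSWORD_AGE_DAYS))
    return findings
```

Feeding it a real directory export would mean mapping that product's field names onto the ones assumed here; the checks themselves stay the same.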
You may be saying to yourself, “We are just a small entity; no one wants our data or information.” On the Internet, however, your network is just a number (an IP address), much like a house address is to the post office. Your “house” has windows and doors, which are called ports.
Do you even know where your Internet firewall is located in your office, and do you know whether your Internet protection device is up-to-date with the latest security firmware updates?
One of the most important security devices in your office should not go unchecked for months or even years. You should keep this unit up-to-date with a support contract from the vendor and by applying regular firmware updates. Having it tested with an external penetration test is equally important.
How old is it, and is it even still supported by the hardware manufacturer?
Your security appliance / firewall should be replaced as often as a desktop computer – every three years or so to ensure that you are taking advantage of the latest security and protection technologies.
Internet ports are only a small fraction of the way risks can be introduced into your network.
Other items to look at are (and there are MANY more than these):
Poor Data Backup Strategies / Disaster Recovery
Is there even a plan to test the backups or a plan to recover from a significant IT security event? You should have a layered approach to data backup and it should be automated, not manual, and should also include some sort of disaster recovery data restore option.
Remote Access / Employees in the Field / Cloud Computing
Are users in the field or working from home offices updated on a regular basis? Are they using public hot-spots for Internet access? Data in the cloud seems nice and convenient, but who is looking at your data as it resides on the vendor’s servers? Have you reviewed your service level agreement with your vendor? What happens if they have a “gotcha” virus moment like a large entity such as MedStar did? How long does it take to get your data back if the vendor gets bought out by another company and the new company discontinues your cloud offering as a way of killing the competition?
Your business should have a well thought out and concise remote access policy for remote users and the computers that they use should be company-owned so that your IT personnel can dictate security policy on them.
Smart Phones
Is there a company-wide policy for use of smart-phones and remote data sync? Do the phones even have the security lock feature turned on? On an iPhone, if the lock is not turned on, the data on the phone is NOT encrypted. As with remote computer users, the smartphones that your company’s employees use should be company-owned and administered. You cannot tell your employees to be smart and security-aware if you do not own the device.
Disgruntled Employees
Is there an employee who is not happy about not getting a promotion? Did he/she have a greater level of data access than their job description warranted? Threats from within should be of great concern. You need to keep your finger on the pulse of your staff and have formal policies as to what needs to be done from an IT perspective before you make someone an ex-employee.
So, to answer the question presented to you at the beginning of this post, “How do I know if my company needs a computer IT Network Security Assessment?”: with all of the moving parts of an IT system, the better question is, “Can I afford not to?”
Ransomware is a type of malware that prevents or limits users from accessing their system or data. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to unlock their data.
Users may encounter this threat in a variety of ways. Ransomware can be downloaded by users visiting malicious websites. It can also be downloaded by other malware. Some ransomware is delivered as an attachment to spammed email. Once executed on the system, ransomware either locks the computer screen or encrypts predetermined files. Once the system is infected, the malware shows instructions on how users can pay the ransom. The first type simply locks the screen; the second type locks files such as documents, spreadsheets and other important files.
Attackers may use one of several different approaches to extort money from their victims:
- After a victim discovers he cannot open a file, he receives an email ransom note demanding a relatively small amount of money in exchange for a private key. The attacker warns that if the ransom is not paid by a certain date, the private key will be destroyed and the data will be lost forever. These ransoms are often required to be paid in hard-to-trace Internet currency.
- The victim is tricked into believing he is the subject of a police investigation. After being informed that unlicensed software or illegal web content has been found on his computer, the victim is given instructions for how to pay an electronic fine.
- The malware encrypts the victim’s data but does nothing else. In this approach, the data kidnapper anticipates that the victim will look on the Internet for how to fix the problem and makes money by selling anti-ransomware software on legitimate websites.
Security companies, which first identified the CryptoLocker attacks in September 2013, believe that the virus struck 250,000 computers in its first 100 days. Other security researchers believe the latest versions of ransomware were created by hackers in Eastern Europe and Russia. The hackers conceal their identities by deploying the virus through the dark web. The dark web, an unindexed arm of the Internet, allows users to bounce their communications through multiple servers to make them nearly impossible to trace.
The hacker infects computers by sending tainted e-mails that appear to come from the FBI, local police agencies or package delivery services such as UPS and FedEx, or in PDF attachments. When the user opens the e-mail or file, the virus infects the PC. The hacker will also implant the viruses on websites, then try to lure people there, often with pornography or the promise of free items.
The best way to combat a CryptoLocker virus or other ransomware is to establish a line of defense by using paid-for security software from a reliable security software vendor. Keep both the application and virus definition lists up to date. Virus definitions are the lists of malware and viruses that the program knows how to address. Using a spam-blocking software or spam hardware device will limit the amount of tainted emails that reach your inbox in the first place.
Last, but certainly not least, always make multiple copies of your data. The best way to recover from a ransomware virus is not to give in and pay the ransom, but rather to wipe the hard drives of the infected machines, reload, and then restore the data. Sometimes having principles and not paying the ransom is not the easiest way, but it’s the best way!
Posted on April 20, 2016 in Data Breach, IT Security, IT Security Assessment
And why it could easily happen to your practice or business
Despite MedStar undoubtedly having a very large IT cybersecurity budget, they still fell victim to a ransomware virus allegedly after an employee clicked on a link in an email. The chain of events found its way to an unpatched Linux server that had a security vulnerability on it that dated all the way back to 2008. The Linux software manufacturer developed and supplied a fix for the security issue shortly after it was discovered in the same year, but MedStar’s technical support team left it unpatched.
That leads me to ask—how many machines are still left without the proper security updates applied at their locations, but more importantly at your location? Any single workstation, much less a server, can have over a dozen pieces of software that need to be constantly updated. In Adobe Reader, Adobe Flash Player, Java, and Microsoft Office (to name only a few), security flaws and vulnerabilities are regularly discovered by the software vendor, who subsequently issues a fix in the form of a download. Most of these downloads have to be downloaded and applied manually. So, if you have a small practice or business without a dedicated technical person looking for these types of issues, you should ask yourself who is making sure that these updates are being applied and that they are current.
Another question that needs to be answered about the MedStar event is why it took so long for MedStar to restore their data and have their systems back online. Reports have suggested that it took close to a week for that to happen. One would imagine that MedStar would have state-of-the-art data backup systems with multiple options for restoration. The best way to combat a ransomware virus is to accept that you had weaknesses in your cyber-defenses, concede that you had a “they got me” moment, and not pay the ransom but rather move on to the data restoration process as soon as possible. With the correct layers of backups, your server should be restorable in a time measured in hours, not days.
Questions to ask yourself about your small or medium-sized business or medical practice IT system:
- Is my front-end security in place?
- Is my firewall current and does it have the latest firmware updates applied?
- Do all of my servers and workstations have the LATEST anti-virus version and definition updates applied?
- Are my data backup systems current and operational?
- Is my data backup an automated process or does it rely on a person to manually perform this function?
- Has my data backup actually been tested to see if it can restore the files that I need restored?
- Is there a layered approach to my backups?
- Do I have an off-site data restoration option in the event that there is a major catastrophe at my place of business?
- Have my employees / end-users been educated on what to do and not to do when using company IT systems?
- Do I have an IT manual that outlines what is expected of my employees as it relates to the IT systems?
- Is there a formal disaster recovery plan in place that details the steps to take to recover from a significant IT security event?
If you answered “no” to any of the above questions, then it’s time to make a change regarding your IT system management.
If you have questions about this article, please contact Dave Thomas, Director of Technology Services, Kenneally Technology Services, 443.829.9897, dthomas@jlktech.com.
Posted on November 25, 2015 in Data Breach, IT Security, IT Security Assessment
Credit rating agency Moody’s Corp. warns that cyber defenses as well as breach detection, prevention and response will be higher priorities in its analysis of the creditworthiness of companies across all sectors, including healthcare and financial services.
Read the complete article from InfoRiskToday