Bryley Basics: Password Protection

Passwords are typically stolen during what’s called a phishing attack.

Phishing emails are malicious emails sent by criminals attempting to compromise your personal information. They often appear to be legitimate, so beware!

Most phishing emails are disguised as messages from an authoritative entity asking you to visit a website and enter personal information. These websites are set up to gather personal details, which they can then use to hack into your accounts and commit fraud. Some links and attachments in these emails contain malicious software, known as malware, which will install itself on your computer. Malware then collects data such as usernames and passwords.

Another way passwords are stolen is simply due to the face that some people use weak passwords.  If it’s easy to guess your password, then you have put yourself at greater risk of suddenly becoming a victim.

So, how do you stop someone from stealing your password?

First you will need to be aware of what real websites look like so that you know what false ones look like. If you know what to look for, and are suspicious by default each time you enter your password online, it will go a long way in preventing successful phishing attempts.

Each time you get an email about resetting your password, read the email address it’s coming from to make sure the domain name is real.  It usually says “something@websitename.com.   For example, “ITsupport@YouBank.com” would indicate that you’re getting the email from YourBank.com.

However, hackers can spoof email addresses too. Therefore, when you open a link in an email, check that the web browser resolves the link properly.

If you open a link that appears as “YourBank.com” and the link changes to “SomethingOtherThanThat.com, then you need to exit the page immediately.

If you’re ever suspicious, just type the website URL directly into the navigation bar. Open your browser and type “YourBank.com” if that’s where you want to go. This way you can ensure that you are on the legitimate website, and not a fake one.

Another safeguard is to set up two-factor authentication (if the website supports it) so that each time you log in, you not only need your password but also a code. The code is often sent to the user’s phone or email, so the hacker would need not only your password, but also access to your email account or phone.

If you think someone might steal your password using the password reset trick mentioned above, either choose more complex questions or simply avoid answering them truthfully to make it nearly impossible for a hacker to guess.  Simple passwords need to be avoided, it’s that simple.  If you need help remembering your complex passwords, you can store your passwords in a free password manager.

It is always advisable to store sensitive information like your credit card or bank details, within online accounts that are hosted by companies you trust. For example, if an odd website that you’ve never purchased from before is asking for your bank details, you might think twice about it or use something secure like PayPal or a temporary or reloadable card, to fulfill the payment.

When in doubt, don’t click.  Legitimate organizations will not ask you to disclose personal data via email.

March 31st is World Backup Day – Create a Properly Planned Backup Process

With March 31st being World Backup Day, it only seems right to talk about the importance of having a well-planned backup process.  Every day we read about malicious attacks on organizations, and there is no doubt that these attacks, especially ransomware, will continue to grow drastically in 2018.

Ransomware is a form of malware based on encryption software that seeks payment (ransom) to undo the damage it causes; when infected, the malware typically encrypts all data files, rendering them useless until the ransom is paid.  Encryption software scrambles a files’ contents and creates an encryption key, essentially a code used to reverse the process.  Unless you have this key and the encryption software, the files remain unreadable.

Ransom prices will vary depending on the ransomware variant and the price or exchange rates of digital currencies. Thanks to the perceived anonymity offered by cryptocurrencies, ransomware operators commonly specify ransom payments in bitcoins.  Recent ransomware variants have also listed alternative payment options such as iTunes and Amazon gift cards.  Paying the ransom is risky, and not recommended.  It will not guarantee that users will get the decryption key or unlock tool required to regain access to the infected system, and it potentially will make you more of a target in the future.

The only way to thwart ransomware is by restoring the corrupted files through a backup that was created before the infection.

A properly planned and implemented backup process is vital since data stored on a network server represents many hours of effort over time, making it impractical and usually impossible to recreate.  A properly functioning, multi-point-in-time backup is necessary to provide restoration under these and other scenarios:

  • A server fails
  • A file is deleted
  • A template is written over
  • An application upgrade fails and must be restored
  • A document is inadvertently changed and saved by a user

A backup should be a complete, recoverable copy of not just data, but the entire server/network environment.  It should have these properties:

  • Sequenced over many days
  • Complete image
  • Offsite storage

If you’re ready to get serious about protecting your business data, select a talented company, like Bryley Systems, to help you implement a Backup/Data Recovery solution to eliminate weak links in your security chain.  Let us help you develop an organization-wide policy to help prevent data loss.  Please contact us at 978.562.6077 or Email us today.  We are here to help.

5 Reasons You Need a VPN Policy

The security of your business is heavily dependent on the ability of employees and executives alike to stay safe wherever they go. They need to make sure their online activities remain unimpeded and that public networks don’t become a data leak risk. Such a leak could damage your company’s reputation and set your business back months.

One of the main tools used to help businesses overcome these obstacles is a Virtual Private Network (VPN), which is a service that can connect a user to an offsite secure server using an encrypted connection. The encryption allows people to keep themselves safe from hackers on public networks (or any unsafe network). The server hides their IP address, allowing them to keep their activities anonymous and get access to restricted or blocked websites.

teamwork

All of these things are great, but VPNs can also cause confusion if not used uniformly or correctly. A “bring your own VPN” policy can prove disastrous for several reasons. Your business needs a standard policy, and here are the five main benefits of instating one:

You Can Better Manage the Configurations

Sometimes VPNs need to be managed to work best for the company. If you have a universal VPN policy or even a universally proscribed VPN for employees (in which case it would be recommended to provide access with company funds to facilitate control), then you can know that everyone has settings acceptable to the interests of the company by making those mandatory settings clear. No one will feel as though another has an unfair advantage as well.

You can use these to limit access to certain websites or regions, or simply help people who don’t know better maximize their speed and access. This kind of plan is absolutely essential if you plan on setting up your own VPN server at your company (although this should only really be done by large organizations), as messing around too much can make things more difficult for other users. It might be worth it to include a “tips and tricks” section next to them.

Uniform Universal Access

Any business should know what their employees are capable of not only in their skillsets but in the tools they are using. If you don’t have a general VPN for the company and everyone is just using their own, you might find that someone’s tool isn’t up to par with what the company needs. In the worst case scenario, someone might download a VPN application that is malware in disguise, not checking up on the service first. This could lead to a massive data breach in addition to dropped communications at a potentially crucial moment.

If your company decides upon a singular (and well-reviewed) VPN to work with and provides access or subscriptions to all relevant employees, then it will be easier to work with those remote and travelling employees knowing that they all are getting the same level of access. Chance and circumstance will be removed from the equation, and your IT specialists will be thanking you for months.

Exact Knowledge of Security

If you have a strong VPN policy that is regularly enforced, you can work under the assumption that all employees using a VPN will have a set level of security wherever they go. This allows you to send and receive sensitive information with much less risk, because unfortunately not all VPNs are created equal.

You don’t want some employees vulnerable to cyberattacks and cyberespionage while others are fine. They might feel emboldened in their security practices by the fact that they use a VPN. In your policies you need to reiterate that danger doesn’t go away entirely due to VPN use, and by having company-wide policies, you can focus on what dangers still prevail. A VPN policy will remind people that it’s not a panacea, but it should always be used.

Rules and Guidelines

People use VPNs for different reasons. Some of those reasons are strictly security related, and others are related to torrenting or pirating files. Most people wouldn’t think to download the latest box office hit on their VPN at the office, but such things do happen, and you need to be prepared for any situation.

If you have a VPN policy, then your company can clearly spell out what VPNs are to be used for and what is acceptable online behavior. Some of it can relate to already existing technology guidelines, but even those should be reiterated in your VPN policy (it won’t do any harm). No one will be able to say they didn’t know better, and clear action can be taken if these rules are broken.

Usage Control and Easier Management

Something you will want to take into consideration is who you allow to use a VPN. If your company is providing VPNs and has strict rules surrounding them, you should only allow employees to use them, not friends and family members. They might have good intentions but later cause a data breach or other critical issue down the line.

A policy will allow you to manage potential issues such as these with little difficulty, and having a pre-selected VPN and policies means that you or someone else can spend less time learning about different VPNs and more time focusing on a single one to optimize. You will be better able to know about potential activity and potential problems, letting human concerns take the forefront.

phoneBlue

VPN guidelines aren’t too difficult to come up with, and in the long run, they will save any business a good deal of time and resources. Implemented correctly, employees won’t have any problems adjusting to them and the company will be safe with a full array of useful information available at all times.

Do you think there are any other reasons that a company should have VPN guidelines? Do you have recommendations of your own that you would like to share with your fellow readers? Any stories regarding a “bring your own VPN” policy that didn’t work out? The sharing of information makes us all improve, so please leave a comment below and continue the conversation about this important tool.

By Cassie Phillips
SecureThoughts.com

The Internet of Things: Convenience vs. Risk

The Internet of Things (IoT) is everywhere.  These convenient devices are in our homes and offices as well as in our pockets.  Along with the convenience they provide there are some security risks associated by using these devices.  There have been a number of known security breaches reported in the news regarding this topic, and those breaches included massive distributed denial-of-service (DDoS) attacks, and botnet hijacking attacks which have caused major disruption to organizations.

What is potentially affected?  All those devices that communicate and can be accessed via the Internet based upon their IP addresses.  That would include traditional office equipment such as copiers, printers, video projectors, and even televisions in reception areas.  Some of the less obvious devices would be climate control, motion detection systems and security lighting systems which are equipped with remote access can be controlled over the Internet. And, don’t forget the smartphones and smartwatches – these personal devices play a role in a company’s security.  These devices create access points and the best way to be secure is to define a policy to put protections in to place.

Many IoT devices are produced with the very basic software, which often can’t be updated.  As people become more aware of risk, some IoT devices are being brought up to current security standards with periodic firmware updates.  It’s a good start, but the majority of internet-ready devices cannot be integrated into the conventional IT hardware or software protections with which companies protect themselves against internet-based attacks. The variety of new internet-ready devices brings a mass of new data traffic to the network that must be managed and secured by IT departments. But it’s complicated by the variety of network protocols used by all of these various device types.  These devices are being used for personal and business and sometimes the lines of use will cross.  The integration of personal devices will pose a security risk simply because more and more attacks on companies are started against individual employees. As an example, if a device is infected with malware or a virus, it can be used to gain traction and then wreak havoc when it connects to the company’s network.  The tricky part is defining who should be responsible for IoT security – however, it is an important step.

The first consideration you need to make is whether or not connecting a particular device will be a large enough benefit to be worth the inherent risks. Depending on the device, an IoT device could be used to spy on you, steal your data, and track your whereabouts. If the device in question directly offers you a helpful, worthwhile utility, it may be worth the risk. If the connected device serves little purpose beyond its novelty, or its purpose could just as easily be managed by a staff member, it is probably best to leave it disconnected.

By taking inventory you have a benchmark as to all the devices that will connect to the Internet.  An organization should evaluate every single device that is added to the network.  Desktops, laptops and servers are generally tested extensively but mobile devices should also be added to the list.  Oftentimes devices are ignored even though they actively communicate over the network, and strict attention should be given to those devices that send data.  It’s very important to set guidelines for the use of IoT devices.  Be sure to define which devices are permitted on the company network and what data exchange with the network or Internet is desired.  The proper security technology will prevent unwanted traffic.

IoT introduces additional complexity for security.  Organizations are advised to monitor the data traffic to and from IoT devices in their network. Perimeter-based solutions are not adequate in today’s IT environment because users and apps can no longer be contained inside a organization’s network, behind a clearly defined protective wall.  Organizations need to evaluate new security concepts that have already proven reliable as workplace tools of mobile employees and remote offices.  For example, a protective shield from the cloud can scan all incoming and outgoing data traffic for malicious code, regardless of the device used.  With cloud solutions, organizations gain control of all internet-based traffic and can actively manage which communications are permitted or should be blocked. This can include preventing the printer from automatically ordering toner and restricting all other devices to a minimum amount of communication on the web. You should also make sure that the environment that you are using an IoT device in is as secure as possible. Making sure that your firmware is updated will ensure that you have the latest security patches and fixes for the various exploits and vulnerabilities that the IoT may present. If possible, this process should be automated so that your IoT devices, as well as your router, are fully updated.  It may also be a good idea to check if your router supports guest networking. With guest networking, you can keep potentially risky IoT devices off of your main business network, protecting its contents.  Organizations should always make sure that passwords are in line with best practices, and that you are not reusing passwords between devices and accounts. Following these guidelines means that even if one of your accounts is comprised, the rest of your accounts are safe behind a different set of credentials.

Ultimately, the best way to keep your organization safe from IoT issues is to establish rules regarding the use of these devices and monitor their permissions. Extending the consideration of whether or not a device needs to be connected, you need to establish if it even needs to be in the office. After all, a smartwatch can offer some business utility, whereas a smart trash can (which does in fact exist) does not.

Monitoring your organization’s network can help you identify if any unapproved devices have made a connection.

The Importance of BU/DR in the Manufacturing Industry

What would happen to your organization if plant production was taken to a halt?  How would you get it back up and running?  Or, could you?

Whether the disaster is caused by mother nature, a human error, a cyber-attack of some sort (and yes, there are many types), it can wreak havoc on your organization – it can even take the company down to its knees.  Each moment of downtime equates to lost dollars and lost customer satisfaction. Manufacturing firms have to effectively ensure that production and distribution is consistent.

Technology is used throughout manufacturing in many ways – to store data, run automated machinery on the plant floor, track inventory and support distribution. Your technology is intertwined with your business processes and if you suddenly weren’t able to use those processes, it could be a catastrophic situation.

A few scenarios of how a disaster can disrupt manufacturing, and what you can proactively avoid it.

Halt in Production.  Complex automated equipment and inventory tracking are just two processes that are severely influenced during a disaster. Do you have a recovery plan in place for a worst-case scenario?  Production logistics may be the most challenging area to recuperate, but having a strong backup and disaster recovery (BU/DR) plan safeguards data and allows for immediate access to mission-critical applications.

Whether your organization experiences a cyber-attack, or even a power outage that shuts down productivity for several hours, all of your applications used to run the automated machinery will not work because the system cannot connect to the network. Depending on the size of your plant(s), you could be facing up to millions of dollars in lost revenue and customer reimbursement.

BU/DR To The Rescue.  If your senior management team turned to a BU/DR expert – like Bryley Systems –  to assess the possible vulnerabilities associated with an outage and developed a proactive plan to recover and access data, your BU/DR provider would be able to access your data and apps to get your operations back up and running with a minimum amount of downtime.

Halt in Distribution.  Downtime is never acceptable when it comes to distribution.  All schedules must be strictly followed to satisfy delivery expectations. Customers don’t care if your warehouse floods.  They want to receive their order on time. Logistics management utilizes computerized tracking and ERP systems to understand how many products are stored and where they are at any given time to enhance product readiness and customer fulfillment.

Imagine this scenario – you work as an IT Director for a large New England pharmaceutical manufacturing company. Your network is more vulnerable to external hacker attempts simply due to the size of your business and the value of your data.   All of a sudden, your systems are corrupted with vicious malware and the entire database is inaccessible. To continue operations at your normal efficiency level and avoid downtime, your backup and recovery disaster plan kicks in to eliminate the malware and restore your plant data to where it was before the attack. Investing in a custom BU/DR plan serves as disaster protection ensuring your ability to move products to their destination.

The key to effective disaster recovery is planning ahead. Partnering with a BU/DR professional to support your critical infrastructure and resources adds additional layers of security and communication. When unexpected disasters strike, your recovery strategy will be there to save the day by restoring your data and reducing your downtime.

 

The Bryley BU/DR process:

  • For on-premise equipment, we deploy a BU/DR appliance onsite to provide local backup-and-restore capability and to speed recovery.
  • We take an encrypted image of your system and copy it to our data center.
  • We stream encrypted, differential changes from your site to our datacenter

Isn’t the survival and security of your manufacturing organization worth the investment of BU/DR?  Our team of experts will help you navigate through this process and implement the most effective BU/DR tailored to your environment and budget.  Contact us at 978-562-6077, or by email at ITExperts@Bryley.com to learn more. We are here to help.

How CPA Firms Can Benefit from Managed IT Services

Let security and confidentiality be your watchwords!

When it comes to safeguarding your CPA firm’s confidential data, there is zero tolerance for risk. CPAs rely upon various forms of technology to gather data – whether it is a tax return or an independent audit.

CPA firms have made great strides by implementing such technology as electronic data management systems, client portals, and cloud-computing systems. However, records maintained by CPA firms must remain confidential because of professional standards, statutes, and regulations governing record retention. Data breaches can happen in numerous ways, including the following: fraud, hacking, improper disposal of data, or even a lost or stolen device.

A CPA firm will need their IT department (or an outsourced Managed IT Services vendor) to implement and maintain a comprehensive list of data and network security controls. It is helpful to understand the basics:

Perimeter security. This first line of defense includes firewall and intrusion detection systems, in addition to intrusion prevention systems. These should be configured with appropriate restrictions to block and filter both incoming and outgoing Internet traffic.

Endpoint security. Endpoint security requires each computing device on a corporate network to comply with established standards before network access is granted. These measures protect the servers and workstations and include safeguards such as administrative access limitations and anti-virus protection.

Network monitoring. Part of the control environment should include a frequent and ongoing monitoring program for all IT systems.

What We Do

circles

Comprehensive Support Program™ (CSP) — Bryley provides ongoing, proactive maintenance and remediation support to ensure a stable, highly-available computer network. Our most-popular Comprehensive Support Program (CSP) consolidates all end-user devices (mobile and desktop), servers, and computer-network equipment issues into one, Bryley-managed, fixed-fee program. Among the many services delivered under the Managed IT umbrella, Bryley installs and manages all software updates and patches.

Secure Network™ (SN) – An ongoing, managed-IT service that prevents intrusion, malware, and spam from entering the computer network through its Internet gateway and can restrict web-site surfing to inappropriate sites.

Multi-Point Security Hardening Service™ (MPSHS) – A periodic review to harden your computer-network security by reviewing/updating policies and configurations and testing. With this program, Bryley Systems can help your organization comply with the technical aspects of Massachusetts 201 CMR 17.00.

If you are looking for a business partner to help you navigate the ever-changing technology and cybersecurity landscape, we’re here for you. For more information about Bryley’s full array of Managed IT Services, Managed Cloud Services, and Cybersecurity Services please contact us at 978.562.6077 or by email at ITExperts@Bryley.com.

Pop Quiz: How Prepared is Your Company to Recover If Disaster Strikes?

You depend on your IT systems every day, but how dependable are they really?  If your company was subjected to a sudden loss of power could you keep working, or would business stop?  What if the power didn’t come back on for several days, or even a week?  Most importantly, have you already asked yourself these questions, and if so, do you have a written action plan to address them?

If you are at all unsure of how a disaster would impact your business, and how you might recover, here is a great little quiz to help you get the wheels turning.

1. How frequently are your company’s critical systems backed up?  Is it more than once a day?

2. If your company lost power, would your systems keep running without any interruption?

3. In the event of a system failure, could your company’s data be restored to working order quickly?

4. If your company experienced a security breach, do you have a clean set of data backups available and could they be restored in a timely fashion?

5. Does your company have a fail-over site it could revert to if your primary systems become inaccessible?

6. Does your company have a written disaster recovery plan to refer to in case of emergency?  If yes, do your employees know where to find it, and are they trained in implementing it?

If you were able to answer “yes” to these questions, congratulations!  Your company is in relatively good shape in terms of its ability to cope with a disaster.  If you answered “no” to any of the questions on this list, however, it would be a good idea to spend some time putting a plan together to address any gaps in your ability to recover from a disaster.

As a Managed IT provider, Bryley Systems specializes is helping companies plan for disaster and mitigate the risk of a loss of data.  If you think you could use a hand putting together an effective disaster recovery plan, why not give us a call at 978.562.6077.  We are here to help.

Smartphone Security

We all love receiving new technology during the holiday season, but we must remember to protect it.  Whether we like it or not, cell phones and laptops are no longer simply devices – they are an extension of ourselves.  They house important information and records that we wouldn’t dare give a stranger (social security numbers, passwords, confidential information). In fact, we use them for socializing, shopping, banking, browsing, and much more.  Simply for the ease of use, it becomes a habit to stay logged into your accounts on your devices, but the downside is that if your phone is lost or stolen, it can lead to identify theft.  Someone could also hack your phone and access information via web-pages you have visited.  The importance of smartphone security is something we should all be aware of and implement right away.

Nearly 40% of data breaches are caused by mobile devices.

  1. Employee negligence is typically due to employees who are busy, traveling constantly, or hurrying through a task, and simply not knowing or paying attention to the risks involved.
  2. Theft is a big problem since there are ways to breach a smartphone.
  3. Malicious attacks. Hackers are responsible for the majority of breaches and thrive on those who leave the doors wide open to an attack.  Don’t leave yourself vulnerable.

Here are some tips to enjoy that new device as well as protect your privacy and information:

  • Activate Screen Lock. Perhaps the easiest and first line of defense on any device is the lock screen. After any time of inactivity (usually 30 seconds for cell phones and slightly longer for laptops and desktops), the device should be enabled to auto-lock so no one else can access your information.  On a cell phone, the code is usually four characters, but can be longer.  No matter how protective you may be of your devices, there’s no guarantee that you may not accidentally leave it somewhere.
    • Encryption can do a lot to protect your phone’s data and the good news is that all iPhones and newer Android versions come with their phone automatically encrypt once you set a password.
  • Mind your Apps. We all like the simplicity and efficiency that apps provide, but it’s important to keep an eye on them. There has been an increase in malware attacks, especially on smartphones, since most users gain access to confidential information.  Always read the small print and consider the personal information the app requires. If an app requires significant personal information, reconsider installing it.
    • Always use official app stores. App stores generally approve and vet apps prior to granting them space on the platform. (Always make sure the Web site URL starts with a secure https:// and contains a locked padlock icon.)
    • Check permission for the app. Some apps will ask permission to access certain aspects of the device. While it will make sense for a GPS to ask for your location, the same cannot be said for a flashlight app asking permission to access your text messages.
  • Browse Carefully. When you access a web browser on your smartphone, you should be very careful because it is easy to accept messages that pop up. For instance, you might decide to save your password and other information as it leads to easier access later on.  Unfortunately, that can provide others a way to copy your data. Always use reliable and safe websites and never enter your information on new or unknown websites, especially when they are asking for sensitive information like your credit card or bank details.
  • Remote Wipe. Have security knowing that if your phone is lost or stolen, you can safely wipe the device to protect the data from falling into the wrong hands.  A similar feature can be enabled after a certain number of failed passwords to access the phone (usually it is around 10 attempts before the device is wiped).  This service provided to our clients enrolled under the CSP agreement.
  • Use caution with any links you receive via email or text message. Exercise caution when clicking on links. Phishing scams are not limited to email – a text message can incite you to click on a malicious link or ask for personal information.
  • Do not alter security settings for convenience. Tampering with your phone’s factory settings, jailbreaking, or rooting your phone undermines the built-in security features offered by your wireless service and smartphone, while making it more susceptible to an attack.
  • All Wi-Fi was not created equal. Be mindful when using open Wi-Fi. When you are not using your wireless connection, you should keep it switched off. This can ensure that no one else can connect to your device without your permission or knowledge. You should also check your device’s network settings as they might be configured to connect to a network automatically when in range and may not ask for permission. In addition, your home wireless router should also be protected through a password or security code.
  • Run the Updates. Don’t put off downloading updates. Many updates tweak and fix several flaws on your phone that could open a backdoor for hackers.
  • Wipe data on your old phone before you donate, resell, or recycle it. Your smartphone contains personal data you want to keep private when you dispose your old phone. To protect your privacy, completely erase data off of your phone and reset the phone to its initial factory settings.

 

https://heimdalsecurity.com/blog/smartphone-security-guide-keep-your-phone-data-safe/#
http://www.nsiserv.com/blog/mobile-security-threats
http://www.smallbiztechnology.com/
https://www.networkworld.com/category/malware-cybercrime/
https://www.fcc.gov/smartphone-security
http://pcworld.com