No computing environment is immune! Every platform can be exploited by an attacker. Every month security updates include well over 100 fixes to critical security vulnerabilities, many of which could lead to arbitrary code execution. These are exactly the same types of vulnerabilities that Windows malware writers take advantage of. Fortunately for Mac (and Linux) users, their worldwide market share is small enough that malware writers simply haven't bothered with them. If you use OS X on a Mac and don't think you need to install security software, think again! As technologies focus on mobile computing and app-based programming, the threat is ever-increasing.
Good behavior alone is not enough to protect you from attacks! Visiting porn sites and downloading pirated software puts you at a much higher risk of infection, but even legitimate web sites can be compromised, and seemingly innocent results in a search engine can lead to hostile sites. Antivirus software is one layer among several. Depending on the type of threat, it can be very helpful, even if you consider yourself an expert PC user. But it is not a magic bullet, and it is no replacement for a well-rounded approach to security.
No antivirus software is perfect! It is literally impossible for any security product to identify every possible threat, especially when malware writers are constantly updating their products to avoid detection. Most of the leading antivirus programs can identify and block the overwhelming majority of threats you're likely to encounter online. The fact that they can't reach 100% protection is why security software is only one part of a layered security strategy.
Many types of malware are installed voluntarily! Among the most common threats are Trojans, which spread via social engineering. The job of a malware writer is to convince you to run his innocent-sounding program, which secretly does something other than its stated purpose. It might claim to be a new video playback plugin (like the one I saw last week) but actually turns out to be a program that hides on your PC and steals passwords or sends spam. Social engineering explains how an entire class of malicious fake antivirus programs made it onto the top 10 malware list for the first half of this year.
Malware writers make their living exploiting outdated systems! Ransomware, which demands payment after launching a cyber attack, has become a rising trend among hackers looking for a quick payout. Ransomware is a kind of cyber attack that involves hackers taking control of a computer system and blocking access to it until a ransom is paid. The most common ways of installing the virus are through compromised emails and websites; the downloaded malicious programs exploit vulnerabilities in unpatched systems to wreak havoc. A good backup can save you hundreds if not thousands of dollars, as it is the only means of recovery short of paying the ransom!
Whether you are using a wired router or a wireless one, if it is not configured properly, both of them could pose potential security risks!
The common notion that routers are not secure or less secure is true, but only in circumstances where they are used right out of the box without correctly configuring their security settings. If your network is ‘unsecured’ or ‘open’, an intruder can easily gain access to your internal network resources as well as to the Internet, all without your consent. Once the intruder has access to your network, they can use it for a variety of operations, such as:
WHAT SECURITY FEATURES MAKE A WIRED/WIRELESS ROUTER GOOD?
Since their inception, routers have gone through several improvements and security enhancements. Most of the routers on the market today support multiple levels of encryption and offer several security features to help protect your wireless network. Some crucial features include:
Network Address Translation (NAT): The NAT feature on your router separates your internal network from the Internet. Your router acts as an interface between the global public WAN (Internet) and your private local network. Certain attacks against operating systems like Windows require that the attacker communicate directly with the computer. When a machine is behind a router employing NAT, those attacks go to the router and no further.
Built-in Security Features: The built-in Security features on your router act as a robust entry-point protection system which distinguishes legitimate traffic from unsolicited traffic and rejects uninvited inbound connections.
Integrated Threat Defense: A router with the integrated threat defense feature provides an entry-point level of protection against malicious threats such as worms, viruses, spyware, etc.
Encryption: Make sure the routers you have, or are planning to purchase, support multiple encryption methods. Encryption provides the most secure connection to your network.
Router manufacturers often release firmware updates to address security vulnerabilities and offer product enhancements. If there is no firmware update available, you should consider replacing your router.
Warning: Updating router firmware is a critical process and we recommend that you seek assistance from a qualified technician! Every system has a flaw, but that doesn’t necessarily mean you should avoid it!
With just a few security measures, you can enjoy your connected home or business network!
The primary purpose of encryption is to protect the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks. Modern encryption algorithms play a vital role in the security assurance of IT systems and communications as they can provide not only confidentiality, but also the following key elements of security:
Authentication: the origin of a message can be verified
Integrity: proof that the contents of a message have not been changed since it was sent
Non-repudiation: the sender of a message cannot deny sending the message
The word encryption comes from the Greek word kryptos, meaning hidden or secret! The use of encryption is nearly as old as the art of communication itself. As early as 1900 BC, an Egyptian scribe used non-standard hieroglyphs to hide the meaning of an inscription. In a time when most people couldn't read, simply writing a message was often enough, but encryption schemes soon developed to convert messages into unreadable groups of figures to protect the message's secrecy while it was carried from one place to another. The contents of a message were reordered (transposition) or replaced (substitution) with other characters, symbols, numbers or pictures in order to conceal its meaning.
In 700 BC, the Spartans wrote sensitive messages on strips of leather wrapped around sticks. When the tape was unwound the characters became meaningless, but with a stick of exactly the same diameter, the recipient could recreate (decipher) the message. Later, the Romans used what's known as the Caesar Shift Cipher, a monoalphabetic cipher in which each letter is shifted by an agreed number. So, for example, if the agreed number is three, then the message, "Be at the gates at six" would become "eh dw wkh jdwhv dw vla". At first glance this may look difficult to decipher, but sliding the start of the alphabet along until the letters make sense doesn't take long. Also, the vowels and other commonly used letters like T and S can be quickly deduced using frequency analysis, and that information in turn can be used to decipher the rest of the message.
The Middle Ages saw the emergence of polyalphabetic substitution, which uses multiple substitution alphabets to limit the use of frequency analysis to crack a cipher. This method of encrypting messages remained popular despite many implementations that failed to adequately conceal when the substitution changed, also known as key progression. Possibly the most famous implementation of a polyalphabetic substitution cipher is the Enigma electro-mechanical rotor cipher machine used by the Germans during World War Two.
It was not until the mid-1970s that encryption took a major leap forward. Until this point, all encryption schemes used the same secret for encrypting and decrypting a message: a symmetric key. In 1976, B. Whitfield Diffie and Martin Hellman's paper New Directions in Cryptography solved one of the fundamental problems of cryptography, namely how to securely distribute the encryption key to those who need it. This breakthrough was followed shortly afterwards by RSA, an implementation of public-key cryptography using asymmetric algorithms, which ushered in a new era of encryption.
Let’s face it. Users are the weakest link in any network security scenario. But since they are also the reason we have IT and more to the point…a job…we need to make sure we take care of them and they take care of us.
Training: Before a user ever gets a network account, they need training on what to do, what not to do, and how to go about protecting themselves and the network. This needs to be done first, and repeatedly, with at least an annual review and update.
Unique accounts: No shared accounts…ever! Make sure every user gets a unique account that can be attributed only to them. Make sure they know the penalty for revealing their credentials to another is death by tickling.
Separation between normal user and privileged user accounts: This goes more for the sysadmins reading this than end users, so do as we say and not as you do…make sure you log on with a regular account, and only authenticate with your privileged account when you need to do admin work. Otherwise, you never know when you might accidentally click something that runs with those elevated privileges.
Multifactor authentication: If you look at every major hack that has hit the news in the past couple of years, from TJ Maxx to Target to Premera to the Office of Personnel Management…one thing could have prevented them all: two-factor authentication. Every one of those hacks started with compromised credentials which were simply username and password. The most annoying of all these is that OPM was supposed to already be using 2FA, but wasn’t. Of course, neither was most of the government. That has finally changed, but it’s a little late for the millions of people whose personal information was stolen.
Up to date information: Keep the data current in your system. Make sure contact details, job titles, managers, etc. are all updated whenever there is a change so that if you do need to look something up on a user, you have what you need, and not their phone number from seven years ago when they were first hired.
Review of group memberships when roles change: Given least privilege, it needs to be standard operating procedure to review and revise group memberships and other access privileges when a user changes jobs. If their new role does not require access to resources that their old role gave them, remove that access.
No sharing of accounts between test and production, or between any two external services: This one is critical. If you have multiple environments it may be very tempting to share credential specifics between them. That makes it much more likely that compromise can occur, especially if the lab or UAT environment doesn’t have the same security measures as production does, or that the hack of one external service could reveal your credentials that could then be used to log onto other services. Pop quiz…is your username and password for Facebook the same as for Twitter? If you answered yes, you’re doing it wrong.
Disable stale accounts; delete the really old ones: Run a scheduled task to disable, and report on, any accounts that haven’t been used to authenticate in a fixed period of time. I think two weeks is good, but most would say 30 days. Have another run at least once a month that identifies accounts that have been disabled for 90 days, and deletes them. Old accounts can be ‘resurrected’ to provide access, through social engineering or oopses. Don’t be a victim.
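The disable-then-delete schedule from the last item can be expressed as a small review routine. This is an added example, not part of the original page: the Account record, the field names and the sample inventory are constructed for illustration, and a real job would read the same fields from your directory service and apply the resulting actions there.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DISABLE_AFTER = timedelta(days=30)  # idle window before disabling (30 days in the text)
DELETE_AFTER = timedelta(days=90)   # time spent disabled before deletion


@dataclass
class Account:
    name: str
    created: date
    last_auth: Optional[date]    # None = has never authenticated
    disabled_on: Optional[date]  # None = currently enabled


def review(accounts, today):
    """Return {name: 'keep' | 'disable' | 'delete'} for one scheduled run."""
    actions = {}
    for acct in accounts:
        if acct.disabled_on is not None:
            # Already disabled: delete only after 90 days in that state.
            expired = today - acct.disabled_on >= DELETE_AFTER
            actions[acct.name] = "delete" if expired else "keep"
            continue
        # Accounts that were provisioned but never used age from creation,
        # so they cannot sit around forever without a logon timestamp.
        last_seen = acct.last_auth or acct.created
        idle = today - last_seen >= DISABLE_AFTER
        actions[acct.name] = "disable" if idle else "keep"
    return actions


def report(actions):
    """Lines for the report that goes out with every run."""
    return sorted(f"{a.upper()} {n}" for n, a in actions.items() if a != "keep")


# Constructed sample inventory (not real accounts).
TODAY = date(2016, 6, 1)
SAMPLE = [
    Account("alice", date(2015, 1, 10), date(2016, 5, 28), None),
    Account("bob", date(2014, 3, 2), date(2016, 4, 15), None),
    Account("svc-old", date(2013, 7, 1), date(2015, 11, 1), date(2016, 2, 1)),
    Account("carol", date(2012, 9, 9), date(2016, 3, 1), date(2016, 4, 20)),
    Account("temp01", date(2016, 4, 1), None, None),
]

if __name__ == "__main__":
    print("\n".join(report(review(SAMPLE, TODAY))))
```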
Teaching workers how to protect your company’s network can bolster your small business defenses!
For all the firewalls, intrusion prevention systems, and anti-virus software you install on your network, it’s impossible to block every security threat to your small business. To a large degree, you need to rely on your employees to help keep your network safe. They’re on the front lines, deciding every day whether or not to download a mysterious email file attachment or to click on a tempting pop-up window. Employees need to be trained not only on why network security is crucial but also on what they can do to help prevent security attacks to the company and possibly to themselves.
The hard part is that this often requires asking employees to change their behavior. They may have to stop writing down their passwords in plain sight, stop downloading new software from the Internet, and start using passwords or stronger passwords on all of their devices, even their own smartphones. The key is to entice users to follow your security policies by showing them how they benefit from tighter network security, even if that means they can’t access Facebook when on the company network.
Here are five ways you can educate your employees about network security:
1. Engage in ongoing security training. Hackers are constantly trying clever new ways to trick even the most sophisticated users into downloading their malware or responding to a hoax email. Helping your users stay ahead of these tricks is critically important to the security of your network. Employees should receive network security training during their initial new hire orientation. But that’s not enough; training should be ongoing. Users need regular reminders, whether it’s to change their network password every few months or tips on recognizing the latest phishing scheme. Some businesses I know send a daily security tip via email to their employees. If you don’t have the in-house resources to provide this kind of ongoing effort, you and your employees can subscribe to The SANS Institute’s Security Awareness Tip of the Day.
2. Make security personal. Network security may seem like an abstract concept to employees who aren’t responsible for your company’s technology efforts. But I bet just about all of your users have home computers and make online purchases using a credit card; you can use that scenario to make your company’s security personal to your employees. Help employees understand that their information, including details about their identity, is better protected if they follow security policies to keep the corporate network locked down. Network security impacts everyone who accesses your network, and they need to understand that.
3. Be accessible to users. Employees need to know who to go to if they experience a network security incident or if they have questions about security, such as a suspicious email or an unusual pop-up window. If you don’t have on-site IT support, make sure everyone knows how to contact support personnel through your provider. It’s equally important that users know what to do—or not to do—while waiting for an answer from your security expert.
4. Tell users what to do. Security training should include information on how employees should respond to a security incident as well as how to avoid one. What should users do if they click on an attachment that turns out to be infected? Do they call your security expert for help or should they take some immediate action with their computer on their own? Employees need to know how to respond, including whether to immediately shut down their browser windows or computers if necessary.
5. Make security easy. Even the most thoroughly trained and well-meaning user might be tempted to circumvent your security measures if they’re difficult to follow, so make it easy for users to follow your policies. For example, configure your applications to automatically prompt users to change their passwords on a regular basis and make sure your anti-virus software updates automatically when it won’t interfere with employees’ workday. Also, don’t fault the user who reports a security breach. You want employees to feel safe so that they come to you with any potential security risk. Consider having an employee award program for rewarding the right behavior.
Raptor IT Consultants LLC
© 2016 RaptorITConsulting LLC All rights reserved