National Cyber Security Awareness Month

National Cyber Security Awareness Month was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.

Our focus today is on small to medium businesses. Homeland Security has created a Cyber Security Planning Guide that will be used as a reference for today’s talk.

Yes, this is the same agency that is responsible for airline security. I know many people see things that Homeland Security does not do well, but their Cyber Security Planning Guide is a good place to start a conversation.

Businesses large and small can and need to do more to protect against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals.

Where do you start?

  • Identify and categorize your business information.
    • Your customer list is a key part of the business. Does everyone have access to this list? Do you restrict how this information is used?
    • Your sub-contractors or vendors are an important asset to your business.
    • Your business processes can be unique to your operation.
    • What other information would you consider your intellectual property?
      • Customer sales records
      • Credit card transactions
      • Medical records
      • Employee payroll records
      • Email lists
      • Marketing plans
      • Business leads
      • Product design and development plans
    • Who should have access to your business information? Is it all stored where everyone can see all of your business? Is it encrypted so only the right people can read or change the data?

  • Company policies: setting the rules for business conduct
    • Written policies are necessary in the employee handbook for these topics:
      • Computer and Internet usage
        • You have to state that the equipment the business purchased is for business use. Unless it is in writing, an employee can use any of the equipment for their own purposes.
      • Social media policy: even if you don’t use social media in your business, someone is talking about you.
      • Email usage policy, including that you have the right to monitor company email usage: what to say and how to say it.
      • Privacy Policy for employee, customer or client information
        • Personally Identifiable Information
          • Name, address, social security number, email address, home phone number, cell phone number, date of birth
        • Personal health information
        • Customer Information
          • Names, address, payment information, credit card numbers, shipping information, purchase history, buying preferences

  • Train employees and yourself frequently, 2-3 times a year.
    • Social engineering, also known as “pretexting,” is used by many criminals, both online and off, to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices or networks. Social engineering succeeds because the bad guys do their best to make their work look and sound legitimate, sometimes even helpful, which makes it easier to deceive users.
    • What to look for in an email message that is really a phishing attempt.
    • What information to give out to a telephone inquiry to your business. Find out who you are talking with, what they need to know, and why.

Secure your business network

You pay for the office, Internet connection, email service, and computers. You set the rules with your company policies.

What is multi-layered security?

  • Don’t rely on just one technology to stay safe on the Internet
    • Just having an anti-virus program on your computer is not enough to prevent data loss or a compromised network or computer.
      • You can scan for viruses and malware at your Internet connection with one vendor and scan the computers, or end points with another vendor.
    • Control outbound Internet access, something retail-grade routers do not do.
      • Do you need to reach web sites in China to run your business? Do you need to talk with all of China or just a few places where you have contacts? You can apply this process to all 252 country codes on the Internet.
      • Filter non-business access outbound
        • Porn sites, hate sites, shopping sites, social media sites
        • Do you need to run a Chinese peer-to-peer application specifically centered on users uploading media content for other users to view using their application? If not, then stop high-risk traffic from exiting your network. Block the 275 high or very high risk network traffic protocols that you just don’t use. Retail shelf routers don’t care or know what protocols (the network’s language) the packets are using.
        • Log network access so you have an audit trail when something goes wrong.
      • Keep your software current. Java alone has had 101 security patches in the last year. The typical computer has 67 programs loaded that could become back doors for hackers if you don’t have the latest security patches. A software patch management program will give you patch status for every machine in your office.
      • Passwords
        • If you have not changed your password this year, how many people might have access to your information?
          • Change passwords every time an employee leaves. You change the locks or physical codes when someone leaves; why not your electronic locks?
          • Use a password manager; you have too many passwords to remember today.
          • Don’t use a password on the list of the 1,000 most common passwords.
          • Use a passphrase or sentence to unlock your password manager.
          • Two-factor authentication methods, which require two types of evidence that you are who you claim to be, are safer than static passwords alone.
            • Google and Microsoft have phone apps that will send authentication codes when you log in from another location.
            • LastPass sends an email to your registered account when you access the service from a new location.
          • WiFi
            • WiFi Protected Setup
              • Created for home users who know little about wireless security and may be intimidated by the options for setting up Wi-Fi Protected Access; it also makes it easy to add new devices to an existing network without entering long passphrases.
              • Wi-Fi Protected Setup is susceptible to attack because of a basic design flaw. According to the Computer Emergency Readiness Team (CERT), they are “unaware of a practical solution to this problem.”
              • In September 2014 a security researcher, Dominique Bongard, demonstrated that WPS could also be cracked offline using a computer. The process extracts the third message from one failed access attempt to the router; this number is used to decode the 8-digit PIN for the wireless access point. Your access point no longer needs more than one unsuccessful login to reveal its permanent secret code.
              • Is your WiFi access turned on 24 x 7 or just during office hours?
              • Is your WiFi connected to the network that holds your business information?
              • All these things happen with retail routers made for home use.
              • WLAN access should be restricted to specific devices and specific users to the greatest extent possible while meeting your company’s business needs.
              • Are you using the default password on your router?
                • Botnets capture routers with default passwords to disrupt Internet traffic.
              • Remote Access
                • If your company needs to provide remote access to your company’s internal network over the Internet, one popular and secure option is to employ a secure Virtual Private Network (VPN) system accompanied by strong two-factor authentication, using either hardware or software tokens.
                  • The easier the stores make it for managers to remotely handle payment transactions, the easier it is for thieves as well.
                  • Trustwave last year estimated that 63% of 450 data breaches studied by the security vendor were caused by security vulnerabilities introduced by a third party. Don’t become a “Target”.
                • All those phones and tablets
                  • You know everyone in your office has a smartphone. No one may have exactly the same phone unless you issued all of the devices. Now your company email is on each of those devices. When someone leaves the company, how do you wipe the old company email off the device? Or do you just let them walk off with every customer contact that exists in your Exchange server?
                • USB drives
                  • Do you allow anyone to plug in a USB device to a machine on your network?

When you become one of the 60%.

According to the Verizon data survey, 60% of data breaches occur in companies with fewer than 100 employees. What do you need to do now?

  • Arizona law applies to all non-encrypted personally identifiable information.
    • Name and social security number; every employee name in your payroll database has a social security number next to it.
    • Name and driver’s license or state ID number.
    • Name and any of the following:
      • Debit card number, credit card number, financial account number, password, security code or access code that would allow account access.
    • You must conduct a prompt investigation to determine if there has been a data breach. If there has, you need to notify anyone that may be affected. This notification occurs after law enforcement determines that it will not compromise their investigation.
      • This includes the loss of a laptop, notebook or flash drive with unencrypted data on the device.

Free Firewall with a 3 year subscription

Cyberoam Sophos
Are you tired of waiting for your business to be the next news headline with a security breach? You can protect your business network and intellectual property with a next generation firewall. But wait, you should also have full access to the fast Internet connection you purchased from Cox, Verizon or CenturyLink. Get protection and speed with the fastest firewall system available for small and medium businesses, a Cyberoam NG unified threat management system.

You can block Internet access by country to stop data being leaked out to China, Russia, eastern Europe or any other country in the world. Even if the bad guys get in, stop the information going out to other countries with Cyberoam’s NG firewalls. You can also block over 1000 protocol types from sending information out through your network connection. This includes proxy sites, the Tor network and peer-to-peer network protocols. Cyberoam identifies and stops unwanted information on your network. Why would any of us want to allow a Chinese peer-to-peer application specifically centered around users uploading media content for other users to view to run inside your office network? Blocking unwanted traffic reduces your exposure to an attack.

Sophos Security Labs discovers on average 25,000 newly infected web pages per day. Everyone knows that an Internet router from a retail store just does not protect you from today’s threats. Cyberoam devices scan web traffic for viruses and malware. Intrusion detection and intrusion prevention are part of the three year subscription to automatically stop new exploits coming to your network. On-device reporting includes reports for PCI-DSS, HIPAA, GLBA and SOX compliance requirements. The identity and policy network security tracks all of your users’ activity by user login name. Know what your employees do online.

Through August 31, 2015 a TVSP subscription protects you with Gateway Anti-Virus & Anti-Spyware, Anti-Spam, Web & Application Filter, Intrusion Prevention System, 24X7 Email, phone and chat Tech Support. And you get a free next generation firewall.

Sony Pictures lessons for Small Business

The Sony Pictures network breach has lessons for small business. Sony’s corporate network allowed access to Internet sites around the world. The malware that caused the problem communicated with control servers in Bolivia, at a university in Thailand and on a network at the St. Regis Bangkok. From the FBI press release about the Sony investigation: “the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.” Does your business attempt to stop communication between your network and North Korea? Sony Pictures did not have this foresight. Having control over where Internet traffic is allowed keeps your business information safer. Reviewing your Internet traffic also helps you understand what your employees are doing with their time at work.

High-speed Internet connections let you find great information in seconds, but unlimited access to the whole world is not necessary to make your business run effectively. Everyone needs to process credit and debit card information, but do the machines that process card information talk only to the processor, or do they talk to anyone that asks for a connection? Simple restrictions can make a big difference. If you have a retail Internet gateway, the default installation will allow access from your network to any place in the world. Freedom is great, but with the amount of Internet traffic, significant information can be lost. Last year’s breach at Target generated 60,000 alerts about the intrusion that were lost in the noise of information overload. Restricting where you can go on the Internet does cause some problems. One client could not order sugar-free candy from Amazon because the destination web site was in Switzerland. This caused a few emails and phone calls, but the candy was ordered and the access was closed again after the transaction.
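The outbound controls in the checklist earlier on this page (allow only the countries and hosts you do business with, block the protocols you never use, keep an audit trail) and the Sony and Target lessons here come down to one mechanism: an explicit egress allowlist, a log line for every decision, and a roll-up so a handful of real problems are not buried under thousands of alerts. The Python below is an added example written for this page, not Cyberoam’s or any other vendor’s code. The GeoIP prefix table, the policy sets and the six sample flows are all constructed demo values (the addresses are RFC 5737 documentation ranges, not real allocations), and the Switzerland denial mirrors the candy story above.

```python
import ipaddress
from collections import Counter

# Constructed GeoIP table (demo values): prefix -> ISO country code.
# RFC 5737 documentation ranges, so nothing here maps to a real network.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "CH",
}

# Policy (constructed for the demo): countries you do business with, the few
# foreign hosts you actually need, and the apps/categories never allowed out.
ALLOWED_COUNTRIES = {"US"}
HOST_EXCEPTIONS = {ipaddress.ip_address("203.0.113.10")}   # one supplier abroad
BLOCKED_APPS = {"p2p-video", "tor", "web-proxy"}
BLOCKED_CATEGORIES = {"adult", "hate", "shopping", "social"}


def country_of(addr: ipaddress.IPv4Address) -> str:
    """First matching prefix wins (a real GeoIP lookup is longest-prefix)."""
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"   # unknown destinations are treated as not allowed


def evaluate(flow: dict) -> tuple:
    """Return (verdict, reason) for one outbound flow. Order matters: a blocked
    application is denied even toward an excepted host."""
    dst = ipaddress.ip_address(flow["dst"])
    if flow["app"] in BLOCKED_APPS:
        return "DENY", f"app {flow['app']} blocked"
    if flow.get("category") in BLOCKED_CATEGORIES:
        return "DENY", f"category {flow['category']} blocked"
    cc = country_of(dst)
    if dst in HOST_EXCEPTIONS:
        return "ALLOW", f"host exception in {cc}"
    if cc in ALLOWED_COUNTRIES:
        return "ALLOW", f"country {cc} allowed"
    return "DENY", f"country {cc} not allowed"


def run_policy(flows: list) -> list:
    """Attach a verdict and reason to every flow: this is the audit trail."""
    results = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        results.append({**flow, "verdict": verdict, "reason": reason})
    return results


def audit_line(rec: dict) -> str:
    """One log line per decision, with the user name so activity is attributable."""
    return (f"{rec['ts']} user={rec['user']} {rec['src']}->{rec['dst']}:{rec['dport']} "
            f"app={rec['app']} {rec['verdict']} ({rec['reason']})")


def summarize_denials(results: list) -> tuple:
    """Roll denials up per user and per reason so they are not lost in the noise."""
    by_user, by_reason = Counter(), Counter()
    for rec in results:
        if rec["verdict"] == "DENY":
            by_user[rec["user"]] += 1
            by_reason[rec["reason"]] += 1
    return by_user, by_reason


# Constructed sample flows (demo values)
SAMPLE_FLOWS = [
    {"ts": "2015-06-01T09:00:01", "user": "alice", "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443, "app": "https", "category": "business"},
    {"ts": "2015-06-01T09:00:07", "user": "bob", "src": "10.0.0.6", "dst": "203.0.113.10", "dport": 443, "app": "https", "category": "business"},
    {"ts": "2015-06-01T09:01:12", "user": "bob", "src": "10.0.0.6", "dst": "203.0.113.77", "dport": 8080, "app": "p2p-video", "category": "media"},
    {"ts": "2015-06-01T09:02:30", "user": "carol", "src": "10.0.0.7", "dst": "198.51.100.9", "dport": 443, "app": "https", "category": "shopping"},
    {"ts": "2015-06-01T09:03:45", "user": "dave", "src": "10.0.0.8", "dst": "192.0.2.40", "dport": 443, "app": "https", "category": "business"},
    {"ts": "2015-06-01T09:04:02", "user": "eve", "src": "10.0.0.9", "dst": "203.0.113.5", "dport": 9001, "app": "tor", "category": "anonymizer"},
]

if __name__ == "__main__":
    results = run_policy(SAMPLE_FLOWS)
    for rec in results:
        print(audit_line(rec))
    by_user, by_reason = summarize_denials(results)
    print("denials per user:", dict(by_user))
    print("denials per reason:", dict(by_reason))
```

Two details carry the security point: an unknown country is denied rather than allowed (default deny), and the supplier in China is reachable only for ordinary HTTPS, because the application check runs before the host exception. The per-reason roll-up is what turns 60,000 alerts into a short list a small business can actually read.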

Next generation firewalls can restrict, collect and summarize what is flowing in and out of your business. Microsoft’s free program EMET should be loaded on each Windows system to impede access to your computers. Keep your Mac and Windows machines up to date with software patches. Use protection software on the computer to fend off attacks. Do not open suspicious email or attachments. Use a password manager to keep complex, unique passwords for every site and application. Your sensitive information should be encrypted. Regular backups should be done and stored in multiple locations. Sony Pictures Entertainment was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. Restoring the information will occur after the investigation concludes. What would this cost your business? All new machines to run the company until the forensic analysis is complete?

An ounce of prevention is worth a pound of cure. Jason Spaltro, currently Sony’s Senior VP of Information Security, told CIO Magazine following an earlier hack of Sony’s servers: “It’s a valid business decision to accept the risk…. I will not invest $10 million to avoid a possible $1 million loss.” Sony Pictures had internal servers and computers taken over and gigabytes of information stolen. The $60 million cyber insurance policy that Sony has may not cover the costs of this problem. How much cyber insurance does your business have?

An IBM data loss study released this summer showed each lost record cost a small to medium business $62 in direct costs and $141 in indirect costs. This was for small business losses of fewer than 100,000 records. A cyber insurance policy should only be necessary if your business is connected to the Internet.

Microsoft EMET 5.0 released

Microsoft may not be the most respected name in secure software products, but if you do not use EMET on all of your machines you miss the best free mitigation available for Windows operating systems. EMET is classified as a utility by Microsoft. The purpose of the utility is to make it harder to exploit a known software vulnerability in any program. This gives you another security buffer for Adobe, Java, Office products or the custom program that you need to run your business.

These defenses are not available in any of the current Microsoft operating systems; you must use the EMET utility to provide this extra layer of protection. The cost of adding EMET is always less than remediation of an infected system or the loss of sensitive information.

Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EATF+) are two new features added to EMET 5.0. ASR can prevent modules or plug-ins in programs from automatically executing code. This feature protects Microsoft Word, Excel and PowerPoint from loading the Adobe Flash player. EATF+ can help detect and disrupt some current techniques used to execute code when a vulnerability is exploited. EMET 5.0 can also terminate an Internet browsing SSL connection (https:) that has an untrusted certificate without sending session data to the source Internet site. This keeps your identity safe from anyone that is using a suspicious certificate online.

Microsoft’s EMET should be tested with your software before you deploy this utility in a production environment.

How many ways do you protect your software programs?

The EMET 5.5 utility is available at the Microsoft download center.

Your Android Phone Data

Twenty used Android phones contained over 40,000 recoverable pictures and user data. Avast Software researchers purchased twenty used Android phones from eBay that were sold as wiped clean of user data. Since the file system in the user data area of the Android OS only marks the areas as available for use, the pictures, emails, text messages and contact names were still available on the phones. A standard device reset does not clear the user data area on your Android-based phone. You need to write over the data to erase the contents of the pictures, text messages and emails.

Avast’s free Anti-Theft app can securely wipe data off of your phone and help you locate your phone if it is lost. Your phone data can be erased remotely from a computer or another smartphone. The premium version of this app can mark the device as stolen if the wrong password is entered three times. The premium app will cost you $14.99 per year.

Secure Bulldozer is another app that can clear your phone of all of the user data. This app was tested using a legal data restoration tool, which confirmed that the deleted information could not be restored. This software is a patented solution to erase all of the data on your smartphone or tablet. Two versions of the Bulldozer app are available. The free app cannot clear documents from your smart device, but the paid app, at $9.31, can erase everything from your phone.
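The reason a standard reset leaves photos recoverable, and why the wipe apps above overwrite the storage instead of just deleting, can be shown with a toy model. The Python below is an added example written for this page, not Avast’s or Secure Bulldozer’s code. It simulates a tiny flash store whose “factory reset” only clears the file table, carves for the JPEG file signature the way a recovery tool would, and then overwrites the free blocks; the file names, contents and block size are constructed demo values.

```python
import os

BLOCK = 16  # bytes per block; tiny so the model fits in a few lines


class FlashStore:
    """Toy model of a phone's user-data partition: fixed-size blocks plus a
    file table. A 'factory reset' only empties the table, which is the
    behaviour described above: the bytes stay on the flash until reused."""

    def __init__(self, n_blocks: int = 64):
        self.blocks = [bytes(BLOCK) for _ in range(n_blocks)]
        self.files = {}   # file name -> list of block indexes

    def _free_blocks(self) -> list:
        used = {i for idx in self.files.values() for i in idx}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise IOError("out of space")
        idx = free[:len(chunks)]
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk.ljust(BLOCK, b"\0")
        self.files[name] = idx

    def read(self, name: str) -> bytes:
        return b"".join(self.blocks[i] for i in self.files[name]).rstrip(b"\0")

    def factory_reset(self) -> None:
        self.files.clear()          # index gone, data blocks untouched

    def carve(self, signature: bytes) -> list:
        """What a recovery tool does: ignore the file table and scan every
        block, free or not, for a known file signature."""
        return [i for i, blk in enumerate(self.blocks) if blk.startswith(signature)]

    def secure_wipe(self) -> None:
        """Overwrite every free block with random bytes, then zero it, so
        carving finds nothing. Blocks of files you kept are left alone."""
        for i in self._free_blocks():
            self.blocks[i] = os.urandom(BLOCK)
            self.blocks[i] = bytes(BLOCK)


JPEG_SIGNATURE = b"\xff\xd8\xff"   # the first bytes of every JPEG file


def demo() -> tuple:
    """Returns (JPEG blocks carved after a reset, after a secure wipe)."""
    store = FlashStore()
    store.write("IMG_0001.jpg", JPEG_SIGNATURE + b"constructed photo bytes")     # demo content
    store.write("sms.db", b"SQLite format 3\0" + b"constructed text message")    # demo content
    store.factory_reset()
    after_reset = len(store.carve(JPEG_SIGNATURE))
    store.secure_wipe()
    after_wipe = len(store.carve(JPEG_SIGNATURE))
    return after_reset, after_wipe


if __name__ == "__main__":
    reset_hits, wipe_hits = demo()
    print(f"photos carved after factory reset: {reset_hits}")
    print(f"photos carved after secure wipe:   {wipe_hits}")
```

The model is deliberately simple (no wear levelling, no encryption), but it shows the essential point: after the reset the file table is empty and the photo is still carved from block 0, and only the overwrite removes it. On a real phone the equivalent of `secure_wipe` is filling the free space, which is what the apps above do.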

When I checked for used Android phones I found 11,000 on eBay, 850 on Amazon and 120 on Craigslist in Phoenix, AZ. How many people knew how to correctly erase the data on these phones? On average there seem to be about 2,000 pictures on each used smartphone.