
Wouldn’t it be great if technology could solve every problem for your workforce? In reality, every IT solution has its limitations, including security defenses. As I’ve written in previous articles, 100-percent security does not exist. Anyone who tells you a system can never be breached should immediately lose credibility for making such a preposterous claim. Most likely, that person means a specific attack or breach can be prevented with a certain solution, but no solution provides 100-percent security, because the person using the system is the weakest link in the system. Armed with this knowledge and a keen understanding of human psychology, cyber criminals target the person using the system with a variety of threat vectors. Phishing (pronounced “fishing”) is a cyberattack that uses a disguised email as a weapon to provoke the reader into performing some action the attacker wants, such as wiring money. In a phishing attack, the attacker masquerades as a person or company the user already trusts.

For example, imagine I am the billing person at BIC Magazine, and my email address is rkyslinger@bicalliance.com. I’ve sent you invoices before, and we may have even spoken on the phone a few times or met at an event. One day, you receive an email from me stating we changed our bank, and I provide the new bank information in the email. Since you know me, you don’t consider the topic all that unusual because companies do change banks, so you comply. Later, you discover you were not really communicating with me at all. Instead, the sender’s address was rkyslinger@bicallaince.com, which is a legitimately registered domain, but one not owned by BIC at all. The attacker simply transposed two letters in the domain name, a change our brains do not always notice. The attacker used knowledge of your purchasing relationship with BIC to get you to change how you sent your payment. The email was legitimate in its style, substance and wording, so none of your company’s email security systems blocked it. The attack worked because a simple underlying assumption was never tested: “Am I really getting this email from who the sender claims to be?” Now, I know many of you are thinking, “Who would fall for such a simple sleight of hand?” The reality is many of the subscribers of this very magazine have wired money to someone claiming to be a vendor they trust. I know this for a fact because I’ve consulted for these companies on how these attacks can be prevented.
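The transposed-letter domain above is the kind of near-miss a mail gateway passes but a simple allowlist comparison can catch. The following is an added example (not code from the column or from omnipotech): it compares the sender’s domain against a constructed list of vendor domains you actually pay, using an edit distance that counts an adjacent-letter swap as one change, and flags near-misses for a verification phone call rather than blocking them.

```python
"""Flag sender domains that look like, but are not, a trusted vendor domain.

Added example, not part of the original column. TRUSTED_DOMAINS and the
sample addresses below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allowlist: the vendor domains your accounts-payable team pays.
TRUSTED_DOMAINS = {"bicalliance.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitution or
    swap of two adjacent characters each cost 1, so 'alliance' vs 'allaince'
    scores 1 (plain Levenshtein would score it 2 and look less suspicious)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].strip().lower()


def check_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted' (exact match), 'lookalike' (within max_distance edits of a
    trusted domain: call the vendor before acting) or 'unknown'."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted"
    if any(osa_distance(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for value in ("BIC Billing <rkyslinger@bicalliance.com>",
                  "BIC Billing <rkyslinger@bicallaince.com>",
                  "someone@example.net"):
        print(value, "->", check_sender(value))
```

A distance of 2 will also flag some legitimate short domains, which is acceptable here: the output is a prompt for the two-minute phone call, not an automatic block.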

The issue is we are too friendly and cozy with our email, and we trust it because it doesn’t look unusual. If it looks like a duck, smells like a duck and quacks like a duck, then it must be legitimate. This psychology is exactly what the attacker relies upon to get a person to act differently. But even if my email address were legitimate, many people would still have acted, because their assumption would be that my mailbox hadn’t been compromised. How can you, as the reader of the email, ascertain that the sender’s mailbox hasn’t been breached? In reality, you have absolutely no way to determine this except to turn to your trusty telephone and call the sender to verify they actually sent the message. If the mailbox has been breached, you certainly don’t want to reply by email asking, “Is this request legitimate?” So call them. Does this sound like too much trouble? Well, I’ve seen $20,000 to several hundred thousand dollars transferred simply because the recipient of the email didn’t verify the message with a two-minute telephone call.

In most cases, if your organization actually falls victim to these attacks, your cyber insurance policy would cover some or all of the loss after your deductible. The real solution is to act like Ronald Reagan, who stated, “Trust, but verify.” “Trust, but verify” each email that is causing any change in your behavior, especially if money is changing hands. A quick voice call will confirm a legitimate request 99 percent of the time and give you a chance to chat with a colleague or vendor instead of costing your organization a lot of time and money.

For more information, visit www.omnipotech.com or call (281) 768-4308.

You roll into work on a Monday morning and learn your network has been infected with ransomware. The attackers have encrypted 100 percent of your data and demand a ransom paid in Bitcoin. You have less than 24 hours to make payment. What do you do? While this scenario may be hypothetical, the threat is all too real. You could just pay the ransom, but if you’ve never bought Bitcoin before, you will be surprised to know there is a three-day holding period once you transfer the U.S. dollars to Coinbase, the world’s largest Bitcoin exchange. If the attacker allows you to extend the period, you will find that a transfer of Bitcoin can take another three days. Can your business survive without access to your accounting system, payroll, accounts receivable, accounts payable, project files, scheduling, operations database, sales information and possibly email for an entire week? Do you have another plan in the event that you pay the ransom and they don’t give you the entire encryption key? (This happens frequently.) You may be saying to yourself, “It won’t happen to us,” but many people have damaged their businesses and their firms’ reputations with this erroneous belief. Sure, an attack on your network may not be deadly, but you should consider these threats “black swan” events that can threaten the survival of your business.

So, how do you protect yourself? The reality is your network, your email and every digital device you have can be attacked at any time. Perhaps we get comfortable believing our company is too small or no one would want our data, but the reality is the malware and ransomware industry generates billions of dollars annually worldwide, and the smaller you are, the less sophisticated your security and disaster recovery will be. Many people imagine some nerdy hacker sitting in a dark room surrounded by monitors with empty bags of potato chips and half-consumed bottles of soda as the attacker manually tries to penetrate your network, guess your password or exploit a known vulnerability that your systems have not been proactively updated to eliminate.

Unfortunately, these attacks are carried out by global criminal organizations that are as well funded as drug cartels. They use ever-changing methods and rely upon your comfort, procrastination and ignorance regarding the sophistication of the attacks so you don’t take proactive action.

Here are the steps you should take to protect yourself: Your organization must have backups, business continuity and disaster recovery. These three terms are sometimes used synonymously, but they are very different. A backup is simply a copy of the data, and you may have more than one copy going back hours or even years, but you can’t operate from data alone. You must also have the underlying operating system, databases and applications. Business continuity is a network design that assumes one or more failures will inevitably occur; it is a continuously updated and tested process, with active systems that allow your business to restore to the last good backup and keep running. A business continuity system doesn’t need to have 100 percent of the performance of the primary system, but it will need to have 100 percent of the data, applications and security, and it must provide ongoing backups of its own to keep your firm operating, because you will be adding new data to it.

Finally, you need an offsite disaster recovery system that is physically and geographically separate from your primary systems. Understand the cloud is wherever your data exists, and you should have a disaster recovery copy of your data that is not in your primary cloud. The reality is 100-percent network security can only exist if users have no internal or external access to the data or the systems, but computers are worthless without access to the data. Have a plan and test it just like you prepare for safety training at your place of business or within a plant.

Next issue, I will review a layered security approach to thwart various types of attacks.


If you could have either convenience or security, which would you choose? For most people, it is convenience. As Americans, we enjoy high-speed internet in every populated area, which has moved many aspects of our lives, including banking, shopping and entertainment, to applications delivered through cloud services.

The internet has made our lives very convenient because we can work remotely, transact business, communicate and shop from any populated location on the planet. Of course, all these websites, services and networks require a username and password, so we choose something convenient and easy for us to remember.

Unfortunately, your convenience is a hacker’s dream come true. Your logon credentials are a combination of a username and password. Since your username must be unique, the most common choice is a person’s email address or a combination of first and last name with numbers. None of these usernames are complicated. In order to make your life easy, you use the same password for all your sites. However, what is easy for you is also easy for hackers. We live in a world where state actors and global criminal organizations are constantly seeking to penetrate every network in the world. The number of network addresses worldwide is a known and fixed quantity, and each firewall has exactly 65,535 ports. Some of the largest organizations with billions in security budgets have already been hacked, including Equifax, Yahoo, LinkedIn and, in 2017, the National Security Agency. The reality is all computing infrastructure will ultimately be compromised.

When a site is hacked, your convenient logon credentials are sold on the dark web worldwide. Your credentials are then loaded into a large, distributed database spanning continents, and bots running on millions of malware-infected computers attempt to use your credentials to unlock every website or IP address in the world; this is the reality of the digital economy. However, using a password manager allows you to have unique and complicated logon credentials while keeping your convenience, regardless of the device or operating system you are using.

LastPass.com is a tool you can use personally, with family members or with teams to ensure logon credentials for every website, network access or service are unique and complex. The tool works in every browser, including Internet Explorer, Safari, Chrome, Opera and Firefox, and on all Apple and Android devices. It allows you to have one location to store every logon to every service. You are probably thinking, “If they get hacked, then all my data will still be at risk.” LastPass and other cloud password managers require you to have a master password to access the service on any device or browser. Your logon information is used as one-half of the encryption key to secure the database, ensuring nobody can read the data if the LastPass infrastructure is compromised.

LastPass supports two-factor authentication, further ensuring only you have access to your logon info. The tool has the ability to auto-login to sites and can fill forms with addresses, credit cards or other information. The tool can also store notes. I use it to store PDF copies of my driver’s license, passport info and pictures for every family member, TSA Known Traveler Number, insurance ID cards, health care cards and even the PIN numbers used to freeze my credit on all three bureaus. LastPass has a password generator, allowing you to create the longest, most complex passwords and save them so you never have to remember them. For instance, my Amazon.com logon is 27 characters long, and I have it configured to auto-change this password every month. LastPass has plans ranging from free to $4 per month for a family of six. Business plans range from $4-$6 per user per month. Protect yourself and keep your convenience by substituting one Starbucks drink per month with a password manager like LastPass to begin securing your digital credentials today.
