Stop Phishing Before It Happens

Can You Stop a Phishing Attempt?

Mike Heffley and son fishingI had the opportunity to go camping with my family this past summer.  It was a great little adventure, and when I asked my 6-year-old son what his favorite part of the trip was, he said fishing.

It got me thinking that as business owners, managers, employees, and individuals we are subject to phishing attempts multiple times a day.  My son was so excited that he caught his first fish on our trip.  I’ll always remember the excitement in his eyes as we reeled in that little 4 inch sunny (that we released).  He then proceeded to catch about 5 more, and much to me and my wife’s amusement, one was deemed big enough to keep and take back for dinner!  Imagine how excited scammers are when they get a few nibbles and eventually hook a phish!

With ubiquitous wifi at every coffee shop, airport, and even many downtown areas, there are an unlimited number of hackers and scammers out there phishing for your corporate, personal, and employee information.  Some of these attempts are geared to get very small pieces of information, seemingly not too important.  They allow a scammer to understand how a company “talks” internally, including names and emails of key department heads. They are able to build a corporate profile and can impersonate an internal employee.

Other cyber threats are more obvious if you know what to look for.  Sadly though, some of these phishing ploys are well thought out and many unsuspecting users fall for them.  One popular phishing scam is a fake email from a big bank saying your account was compromised and you need to login in through this special link to update all your information and confirm your personal details.  Many of these are very well thought out and catch some big fish!

And of course, we have ransomware (crypto viruses), malware, advertising bots etc. that can get onto our laptops and tablets and then find their way into company servers where they cost businesses millions of dollars a year in lost data, paid ransoms and time to rebuild systems.

And to clear up a few scams, Microsoft or the IRS will NEVER call you asking for your personal information or to login into your PC to do a free update to Windows or your processor.  Never!  Ever!  Not happening!

Imagine if there were a super smart fish (some really are).  This fish learned that hooks and plastic lures and glowing colored fake salmon egg balls are bad.  This fish learned to avoid such lures and bait.  Compared to other fish that did not know what this fish did, who would have the best chance of not falling for a fishing lure?  Obviously, the fish that learned a bit about the lures and traps used by those trying to catch it.

The same goes for us.  Many phishing ploys are reasonably easy to identify and avoid if you learn what to look for, and learn the common lures and bait used to trick unsuspecting users.  Hackers and Phishers go for volume, don’t do what the masses do and learn to protect yourself and your organization.

Some of the well-known email scams have even made it into pop culture and are the butt of comedians jokes like a rich prince/businessman in the middle east or Africa needs you to help him get their funds into the USA and if you share your bank info, he will share his wealth with you.  You just need to fund the account with $X and confirm your brokerage account info and you will be rewarded handsomely. As crazy as this sounds to most people reading this, I have a very good friend who’s father fell for one of these and it wiped out most of his retirement.

To see some recent cybersecurity hacking successes that compromised surprisingly large organizations, you can check out our previous post from a few months ago about recent cyber attacks.  There are many more since that list was published not that long ago.

By learning what to avoid, you can save yourself and your company a lot of money, time and lost data.  At DTS we launched a product earlier this year that helps companies train their employees on how to identify and avoid common and some not so common cybersecurity attacks including phishing, malware and more.  You can learn more about our Cyber Security Service here.

We do this through a series of online videos and courses and we quiz and test users to see if they understand the training.  If they do not pass, we have them review the training until they understand it.  We also send periodic fake phishing attacks to see if they can identify and avoid them in real life.

We also have higher cybersecurity options that can go far beyond what traditional IT companies offer their clients regarding network and data protection.  Edge security was the gold standard in data protection, meaning if your network perimeter was protected, and nothing could get in through your routers and firewalls etc. you were good.  This is not the case today and has not been for quite some time.  We now routinely set up advanced threat monitoring protocols including behavioral-based monitoring for clients that are concerned with data breaches (internally or externally).

Behavioral-based monitoring goes beyond monitoring for a virus or trojan or even rogue corporate spy.  It flips the equation to say what behavior is normal, and if we detect abnormal behavior what do we do?  For example, an employee has access to a database with sensitive client data.  As part of their job they may access 50 to 200 records a day.  If we detect that this employees login is accessing 300 records in 30 seconds, we know this is not normal, and we shut down that process and send out an alert to determine if this was a legitimate data retrieval call or a data breach.

Remember that not all data security threats are external.  Some threats are internal, and some are intentional.  A business needs to think proactively about protecting their data.  If sensitive data is successfully breached, fines and lawsuits are getting increasingly more expensive.

If you would like to talk to us more about advanced cybersecurity for your organization please call us or fill in our contact form and we will set up a call or in-person visit to discuss your concerns further.  You can find our contact information here.

 

IT Security Like Playing Cat & Mouse

Keeping ahead of the bad guys…

In the field of Cybersecurity, keeping ahead of the bad guys is a never ending battle.  Cybersecurity experts develop advanced software and hardware defenses, and then the bad guys find ways around and through them. Traditional software based solutions claim to be secure, but hackers always find new vulnerabilities and strike unsuspecting companies – and often remain undetected. Organizations install firewalls and antivirus like they have been told, yet hackers, malware, and Ransomware get inside. What can a small or mid-sized company do to keep up with the never-ending challenges of data security?

The answer is our CloudXSecurity services which include customized protection services that extend beyond just the traditional hardware and software. Our comprehensive solution covers all the bases including ongoing risk analysis, policies and procedures, Cybersecurity awareness training, behavior analysis, routine vulnerability mitigation, mobile device management, encryption, and incident detection and response – just to name a few. Our solutions help companies meet and exceed industry requirements including GDPR, PCI, GLBA, and 23 NYCRR 500.

We keep you protected, so you can sleep at night.

Chrome 68 insecure site warning

Google’s Chrome 68 Browser Update and Your Website

Website Security Alert: Your Site Might Display A Scary Looking Warning Starting July 2018

According to Google, starting sometime in July 2018, they will unleash Chrome 68 – their pending web browser update.  Updating Chrome is not that newsworthy, except this update ups the ante for websites that have not yet added an SSL certificate to all their web pages.  As you may know, Google has been pushing strong (and others) to have SSL on all websites.  At first, they only wanted SSL on pages that shared information that was sensitive.  Then they wanted all info shared on SSL pages, and now, they are upping the ante.

In everyday terms, if you see https://yoursite.com then you are fine.  If you do not see the ‘s’ in instead see http://yoursite.com, then starting in July Google will show a very in your face warning to users that this site may not be secure and your personal data may be at risk.  Any page that is not SSL compliant, will now show a scary warning like the one below.

 

Chrome 68 insecure site warningImage Source: Google Security Blog

 

In everyday terms, if you see https://yoursite.com then you are fine…

I am sure you can guess that this is not ideal for websites that are not secure, and even though the site pages will load, many users will most likely be scared off.  Some longtime users or customers may even be worried that such a site was hacked.

Compared to past release updates to Chrome, this version will shout out “Danger Will Robinson, Danger… Do Not Proceed To This Website…”  It does not take a space-traveling robot to recognize that this will most likely result in users leaving your site, and will put your company’s reputation into question.

 

“Danger Will Robinson, Danger… Do Not Proceed To This Website…”

 

Chrome 68 includes a more detailed security check to detect whether your entire website is encrypted. If it is not, Chrome will immediately display a security warning indicating that your site is not secure.

As an example, imagine after this update, a customer goes to your website to look up your phone number, and instead, the first thing they see if a rather obnoxious security alert.  They may think that your company was compromised by a hacker, and worry that their private client information was stolen as part of a security breach.

Similarly, if you sell products or are driving marketing efforts to landing pages and contact forms, visitors who are looking to fill out your contact form, or buy something online could very well be inclined to leave your site.

 

How Do I Test a Site for SSL Encryption?

You can tell whether your site (or any site) is encrypted quite easily. As mentioned prior, your web browser will either display http: or https: in front of a sites url (web address) to indicate a secured or unsecured website.

Chrome also provides a visual indicator:  if there is a green lock next to a website address, the site is encrypted.

ALternately, a visitor can click the information button next to a websites address.  This displays a message stating that a site is or is not secure. Currently, Chrome’s security warning is somewhat hidden (unless the page collects passwords or credit card information).

Starting in July, if any page on your site is not encrypted, your visitors will see a red triangle with the words “not secure” warning visitors about your site.  As mentioned earlier, this warning can cause your website traffic to decrease and cause customers and clients some concern.

 

How Do You Encrypt Your Website?

In everyday terms, you need to apply an SSL Security Certificate on your web server.  This is not as hard as it may seem but does need to be done correctly, and there are important SEO considerations such as mixed content and website versioning to be considered .  It will not affect your SEO if done correctly, and in fact, it may help.

If you have not already secured your website, the good news is that it is normally under 20 minutes of work for a web developer to do, sometimes much less.  Even better, for those with basic web hosting knowledge and are on a host that uses cPanel, you can probably do the basics on your own in under 30 minutes for free (depending on your host it may be as little as 5 to 10 minutes).  Just remember to fix mixed media errors as well as set your version to load only the https:// version if the site.  I did a quick study the other week and some surprisingly big companies got this wrong.

Click the link to the right to learn –> how to set up auto SSL in cPanel 

Do not ignore this, you still have plenty of time to avoid a bad situation.  If you are not comfortable doing this internally, contact your current web host or webmaster and ask them to do it for you.  If you prefer, you can also contact us and we can help as well.

 

Keeping All Your Company Data Safe

If a hacker discovers that your website is not secured, they may use that as an indication that your company has other vulnerabilities that they can exploit. Computers and servers that do not have the latest security patches or modern software can be penetrated using malicious code that can cripple your business.

One of our company strengths is helping our clients set up advanced defenses for cybersecurity threats,  both internally and externally.

We have an entire product line launched in Q1 2018 that helps companies monitor internal networks, behavioral based monitoring of system access, block penetration attempts, educate employees about things like phishing, correct password usage and much more.

Click the link to learn more about our Advanced Cybersecurity Options with our CloudXSecurity Product Suite.  Please get in touch with us if you want to have a more in-depth discussion.

We can run a complimentary security audit on your systems to see if there are issues that should be addressed.

 

A Complete Solution for Your IT Management

If you are not already a customer, Delval Technology Solutions can help your business manage all your day to day IT needs including enhanced network security, keeping your systems updated with the latest patches, increased productivity, on site and off site backups and more. Your can Contact Us HERE

Cyber Security Attacks In The News

Recent CyberSecurity Attacks

Allentown Struggles with $1 Million Cyber-Attack
https://www.infosecurity-magazine.com/news/allentown-struggles-with-1-million/

UK top 500 legal firm credentials leaked on the Dark Web
http://www.zdnet.com/article/uk-top-500-legal-firms-credentials-leaked-on-the-dark-web/

OnePlus hacked; credit card info of 40,000 customers compromised
https://securityboulevard.com/2018/01/oneplus-hacked-credit-card-info-of-40000-customers-compromised/

Nearly Half of the Norway Population Exposed in HealthCare Data Breach
https://thehackernews.com/2018/01/healthcare-data-breach.html

Hospital pays $60,000 to the bad guys to cure malware infection
https://www.theregister.co.uk/AMP/2018/01/16/us_hospital_ransomware_bitcoin

Forever 21 Breach Lasted Over Seven Months
https://www.infosecurity-magazine.com/news/forever-21-breach-lasted-over/

Phishing Exposed Medicaid Details for 30,000 Floridians
https://www.bankinfosecurity.com/phishing-exposed-medicaid-details-for-30000-floridians-a-10563

 

procrastinating with cyber security and privacy

Concerned about Data Privacy and Cyber Security? You’re not alone…

Are you concerned about data security but have not gotten around to doing anything about it? You are not alone according to a recent article over at ZDNet. Most people surveyed on the topic are more concerned than ever, yet have put off taking any actions to make sure they or their business are protected.

It may be that they think the odds are in their favor (they are not), or more possibly could it be that many individuals and businesses do not know what steps they can and should take?

Some solutions for corporate data protection are complex and and require specific knowledge and expertise. Others are very simple, like not leaving default passwords on your devices, or using your significant other’s name as your login password.

At DTS we are constantly analyzing the newest threats, whether they be online, network-based or email based. We implement solutions and industry best practices to ensure our customers are well protected.

While no IT or Managed Services Company or Cybersecurity expert can guarantee you will never be compromised, you can significantly reduce your risk of being a target by being proactive and making sure you are working with an IT company that understands security and data protection.

If you have not done a recent Cybersecurity Risk Analysis, you need to, and we can help.

If you have not recently completed a cyber threat analysis or security risk assessment, you should! We have the tools a know-how to thoroughly test for risks and vulnerabilities, and then work with you to mitigate those risks.

In the meantime, practice strong password protection; change your passwords periodically and NEVER write passwords down on a yellow sticky and post it on your desk. You never know who may see it and what their ultimate intentions may be.

Referenced Source: Zdnet.com data privacy article