5 Steps to handling a data breach like a pro

With data breaches hitting the headlines every day, many people have become desensitized to them. This isn’t helped by the fact that most attacks that do make the news are those targeting large enterprises, thus leading many small business leaders to believe they’re not attractive enough targets to hackers. Unfortunately, that’s not the case, since small companies often present a sweet spot to attackers who view them as easier targets that still offer substantial rewards.

Many breaches have cost victims their entire business, which is why companies must take every possible measure to protect against the threats and mitigate the damage caused by attackers who do manage to infiltrate their network.

Here are five steps towards minimizing the damage before it gets out of control:

#1. Contain the breach

On average, data breaches go unnoticed for more than six months, often after irreparable damage has already been done. It’s crucial to contain the breach as soon as possible since even a small delay can exponentially increase the damage to your organization.

Isolate compromised systems, such as hacked user accounts or physical assets that have been infected with malware, and block any IP addresses from which the attack originated (a stopgap, since attackers rotate infrastructure quickly). Before wiping or reimaging anything, preserve the evidence you will need in the next step: disk images, memory captures, and authentication and firewall logs.

#2. Assess the damage

Assess the damage and figure out how hackers managed to gain access to the affected systems in the first place. Starting with a thorough analysis of the compromised system, you’ll need to work your way back to the source of the attack as well as determine which data was affected. Most attacks begin with a phishing scam, so you’ll want to interview your employees to find out if they’ve noticed or interacted with any suspicious emails. You’ll also need to determine the value of the information stolen, learn who it pertains to, and which, if any, compliance regulations it’s subject to.

#3. Notify relevant parties

In cases where customer information, such as personally identifiable data, patient health data, or payment card data, was stolen, you have a legal and ethical duty to warn affected parties so that they have a chance to take the steps necessary to protect themselves. Larger breaches may require you to alert the authorities as well as a major media outlet. You should also notify any other relevant third parties. Regulations require you to report the date the breach was discovered, which data was stolen, and what affected parties need to do to protect themselves.

Although it may be tempting to keep cybersecurity incidents under wraps, coming forward early is better for your business in the long run. If external parties discover the breach before your company releases a statement, the damage to your reputation can be far worse than the breach itself.

#4. Audit your network

Conduct a thorough security audit and threat analysis so you can take the necessary steps to protect against future attacks of the same type. If, like most breaches, the attack started with a phishing scam, make sure every account is protected by multifactor authentication, so that a stolen password alone is not enough to log in, and that sensitive data is encrypted at rest and in transit. You’ll also need to train your employees to better identify future risks.

#5. Roll out your recovery plan

To get compromised systems back up and running as soon as possible to minimize the effects of unscheduled downtime, you must have a data backup and disaster recovery (BDR) plan in place. You may need to update your BDR plan to provide better protection against future attacks.

Protect yourself from data breaches by partnering with Netwize. We bring 20 years of business technology experience to the table to drive real growth and reduce the risks associated with digital transformation. Call us today to learn more.

What are DDoS attacks and how should Utah businesses prepare for them?

You’ve probably heard of DDoS attacks before — they’re some of the most common cyberattacks out there. They’re also growing more sophisticated. Generally, the perpetrator attempts to slow down or disrupt a network by overwhelming it with a flood of internet traffic and service requests, until the whole system crumbles under pressure and shuts down.

Experts warn that these common attacks are now growing much larger and more sophisticated. In 2015, the largest DDoS attack peaked at around 500 Gbps; within a year, that figure had doubled, to around 1 Tbps.

And, whereas once it took a skilled cybercriminal to carry out an attack, new, automated tools are putting increasingly sophisticated versions of DDoS attacks into the hands of smaller and less skilled actors. A relative newcomer can now purchase a mid-sized DDoS attack capable of taking a company offline for an entire day for a few hundred dollars on the dark web. And analysts say the number of DDoS attacks on the private sector has been increasing by 15 percent annually.

Because of Utah’s growing local economy and increasing attractiveness to top international enterprises, it is at the top of many cybercriminals’ hit lists.

Every business needs protection

No matter what sector you operate in, it’s imperative you have some sort of DDoS protection. But many of the classic forms of protection lack adequate safeguards against the nuances of more recent DDoS attacks.

So what’s the best way to stay protected? Consult a professional managed IT services provider (MSP) to tailor a solution that fits your business’s needs and prepares you for a host of cyberattacks.

Plan ahead

Your plan will depend on a thorough security assessment of your business and IT infrastructure. It will prove essential when an attack occurs since there is no time to think about what to do next — you must be prepared to jump into autopilot. Your first act can often define the success of your defense. While details will depend on company size, risk exposure, and several other factors, certain elements remain constant. They include:

  • Tools checklist – Create a list of the tools in your response arsenal so you can more easily identify any holes that may pop up in your defenses. Ideally, you should safeguard your systems with advanced threat prevention systems, firewalls, and security monitoring services. Review your list regularly with a professional to make sure that everything is up to date, since DDoS attacks are ever-evolving.
  • Response team – Before disaster strikes, have a team of trained staff assigned to perform each task in a predetermined chain of responses, and make sure everyone knows exactly which task they are responsible for. Again, the exact chain of responses will depend on company characteristics and is best formulated in consultation with a cybersecurity professional.
  • Team-wide training – Aside from a dedicated response team, there are certain things your entire staff should be trained on. For instance, make sure every employee can identify the early warning signs of a DDoS attack and they know who to contact if they suspect an attack may be occurring.
  • External communications – Less of a technical consideration, but for the sake of business continuity and maintaining positive customer relations, it’s also imperative to design an external communications strategy to let customers, investors, other stakeholders, and the general public know if they need to expect service interruptions, etc. — and that your team has precautions already in place and is responding to the threat now.

These may sound like basic precautions, but they are simple steps that too many businesses in Utah neglect at their own peril. To tailor the specifics of these plans and precautions to your unique business, speak with a NetWize technician today.

8 Ways to boost your network’s security

Every business network handles a range of sensitive data from financial records to intellectual property to personally identifiable information. To protect your organization from the rising tide of cyberthreats, it’s imperative that you take every reasonable step to ensure nothing bad gets in and no confidential records leave through unsecured channels.

#1. Manage risk

There will always be risks, no matter how robust your network security. One of the main jobs of any network security team is to bring this risk down to an acceptable level, one that may be managed and mitigated without getting in the way of innovation and productivity. That starts with visibility: administrators must maintain a complete, centrally managed inventory of their digital assets, because you cannot protect a system you do not know you have.

#2. Layer your security

If your network infrastructure has a single point of failure, then it’s just a matter of time before it falls victim to a breach. In much the same way that medieval castles had moats, walls and guards to protect them, your network also needs multiple layers of security. This includes an enforced security policy, firewalls, intrusion detection and prevention, and endpoint protection.

#3. Tighten up access controls

Many data breaches occur at the hands of mismanaged access controls. While your apps and data need to be consistently accessible to those who use them for work, it’s always a good idea to follow the principle of least privilege. In other words, nobody should have access to anything they don’t absolutely need to do their jobs. Enabling multifactor authentication, whereby login access is secured with a password and another authentication method, is also a must. Authenticator apps or hardware security keys are preferable to one-time codes sent by SMS, which can be intercepted or redirected through SIM-swap fraud.

#4. Implement endpoint controls

No matter how robust your overall network security, a single vulnerable endpoint can bring it all crashing down. Endpoints refer to any device connected to the network, including mobile phones and employee-owned devices. Administrators must track every endpoint on the network and grant and revoke access rights as needed. They also need anti-malware software to scan for and remove any harmful programs lying dormant within company devices.

#5. Migrate to the cloud

Looking after hundreds or even thousands of endpoints is hard work, especially when sensitive data potentially resides on every device connected to the network. For this reason, it’s best to avoid storing confidential data on any devices other than a centralized server or, better still, in the cloud where it can be managed and secured as a single connected environment.

#6. Prepare for the worst

You always need to prepare for the worst-case scenario, no matter how thorough your network security protocols might be. New threats come and go, and it’s impossible to protect against every eventuality. That’s why a backup and disaster recovery plan is an integral part of your wider security and compliance strategy.

#7. Train your team

Most data leaks and breaches occur because of human error. This isn’t helped by the fact that many of us have developed poor security habits. Every member of your team is a potential target, which is why security is everyone’s responsibility. An ongoing training program with a top-down approach will create a culture of accountability and security.

#8. Deploy patch management

Software developers regularly release security updates for any products they still support. Test updates briefly in a staging environment if you must, but never defer them indefinitely, since doing so may leave the system, and consequently the entire network, vulnerable. If any software or hardware device is nearing the end of its support life cycle, you should plan its retirement as soon as possible.

NetWize helps businesses drive real results and reduce risk with modern technology solutions you can depend on. Call us today to deploy a robust cybersecurity framework that keeps the bad guys at bay.

5 Most overlooked security hazards, and how to mitigate them

The ever-changing nature of the cyberthreat landscape is always taking people by surprise. New threats come and go, and the biggest hazards are often overlooked until it’s too late. Good security practices come with keeping informed about the latest trends and providing regular training to your employees. It’s also important to remember that every business is a target, no matter its size or industry.

Keep your company safe by mitigating the five security hazards that we tend to miss:

#1. Weak authentication methods

These days, people are tasked with trying to remember login credentials for multiple accounts, which is why many people reuse passwords that are easy to remember. This makes them vulnerable. Weak authentication methods are susceptible to brute force attacks. Companies should always enforce strong password policies but, more importantly, add an additional verification layer such as fingerprint scanners or mobile authenticator apps.

#2. Default installations

When installing new hardware or software, it’s often tempting to breeze through the installation process and leave everything at default settings. In many default configurations, devices can easily join networks, but the convenience may pose a security risk. Another common problem is using default router passwords, some of which can easily be discovered online, leaving the entire network vulnerable as a result. It’s important to always look through security and privacy settings and change default passwords.

#3. Lax policy enforcement

You can have all the security policies in the world, but they’re worthless if there’s no concrete way of enforcing them. While a documented information security policy is essential from an administrative perspective, it’s also important that you implement the controls necessary to enforce the rules. Examples include blocking prohibited protocols, websites, devices, and apps. You should also implement data loss prevention (DLP) to reduce the risk of information leaking through less controlled channels such as social media and instant messaging applications.

#4. Inadequate employee awareness

Employees are the first and last line of defense in any organization. Although vulnerabilities in technology often get the blame in the event of a cyberattack, it usually boils down to human error. Hackers are always looking for new ways to exploit unsuspecting victims. That’s why every organization should run regular employee training with simulations of current and emerging threats.

#5. Single line of defense

Using a firewall to protect a company network and antivirus software to protect endpoints used to be enough. Nowadays, with the ubiquity of cloud-hosted and mobile assets, it’s more important than ever to implement multiple layers of defense to guard against overlooked vulnerabilities and more sophisticated attacks like advanced persistent threats (APT). Many businesses outsource round-the-clock network monitoring and alerts to add an extra security layer.

Netwize prides itself on more than 20 years of experience working with businesses of all sizes to help them become more secure and resilient in today’s increasingly competitive market. Call us today to learn more.

Securing Identities from Phishing – A Financial Sector Perspective

Discussing phishing and communications fraud is often a confusing experience, a territory filled with buzzwords and distorted news of incidents at major corporations.  Getting to the facts underneath the clutter requires understanding that both the “how” and the “why” of cybercriminal methods have value.


Setting the Stage

Let’s define some terminology first: phishing refers to fraudulent attempts to obtain sensitive information by impersonating a trustworthy entity in electronic communication.  The entity being impersonated can be a private organization, a government division, or a specific person.  Phishing can happen via any form of electronic communication including phone calls, SMS text messages, email, instant messaging, social networks, or customer-interactive websites.  Email is the most common phishing vector, and according to research groups like IBM X-Force, the volume of phishing email has been steadily growing for each of the last five years.  An average corporate user account will receive between 15 and 20 malicious emails per month.

The goal of a phishing campaign is to gain sensitive information which is not otherwise publicly accessible, leading to direct or indirect monetary gain for cybercriminals.  Phishing’s fundamental technique is social engineering: psychological manipulation of people into performing actions that divulge information, thus bypassing physical and digital security mechanisms.  Therefore, user awareness is the best defense against phishing: human beings are the targets, and a prepared human, backed by technical controls that limit what a stolen credential can do, can halt even the most advanced phishing campaign.

Phishing is becoming more sophisticated and multi-dimensional with time.  While some phishing attempts seek to complete only one action such as getting a user to click on a malicious link, the real money lies in performing layered attacks that have a sequence of objectives.  Additionally, the subset of attacks known as spear phishing are increasingly effective at triggering a response from targeted users.  Instead of a generic phish communication sent to thousands of recipients, spear phishing crafts content to be contextually relevant to a single organization or even a single person.

Financial professionals are particularly lucrative targets for advanced phishing campaigns.  There is a wide variety of content available about phishing in general, but little guidance specifically tailored to the threat landscape of finance.  By analyzing in detail both the methods and goals of finance-specific spear phishing campaigns, CPAs and other finance professionals can enhance their ability to resist these attacks.  In this arena knowledge operates like a vaccine, inoculating against the risk and severity of future bad events.


Phishing Methods and Goals


Method 1: fake login portals

This phishing method has an attacker create a web site which seeks to very closely mimic the “look and feel” of a login page for a corporate software asset.  The page layout, fonts, branding, and color scheme will all be identical to the legitimate login page, but the URL of the website will not be correct, instead belonging to a domain the attacker controls.  The rapid adoption of software-as-a-service application delivery in corporate environments is the primary contributing factor to the growth of this phishing method; users are conditioned to think of credentials entry on websites as a normal daily activity.  Hoping the user does not notice the change in URL, an attacker steals the username and password entered on the page for their own use.  Examples of frequently-mimicked login portals include Microsoft Office 365, Salesforce, and Dropbox.  Note that a one-time code typed into the fake page can be relayed to the real site just as easily as the password; only authenticators that are bound to the site’s origin, such as FIDO2/WebAuthn security keys, refuse to work on a look-alike domain.

Credential theft is already a serious security issue in and of itself because it allows an attacker to move laterally within an organization across systems where those credentials are valid.  Once an attacker has access to working login credentials of a corporate user, they can begin sending electronic communications directly as that user, increasing the degree of trust that further victims will afford to the phishing attempts.  One particularly dangerous variant is conversation hijacking: an attacker replies to an existing email thread instead of delivering a new email.  The degree of skepticism a user applies toward a reply to a preexisting conversation is lower by default, and attackers seek to exploit that implicit trust to deliver further malicious content.

Method 2: VIP impersonation

Commonly known as “business email compromise” or “CEO fraud”, this attack method works by having the attacker impersonate someone of hierarchical importance and authority: a CEO, CFO, controller, or in-house legal counsel.  When crafted correctly, the electronic communication will appear to be from the legitimate account for that person of authority.  It may include timely details like their location out of office or reference discussions with clients, details that attackers can gather from social media networks, press releases, or corporate data exploration using compromised credentials.  Common examples of requested actions are to complete wire transfers of large sums of money to a bank account or to send copies of tax documents.  The power of this attack method lies in the ability to create artificial urgency for the target to take the action desired by the attacker.  This can happen either by negative reinforcement, placing an immediate deadline on the action, or by positive reinforcement, invoking a friendly and disarming sense of trust and dependency.

Method 3: malicious attachments

Some classics never go out of style: malicious file attachments are the de facto standard phishing method.  Attachments sent to phish finance professionals often take the shape of invoices, forms to electronically sign via software like DocuSign, or Microsoft Office documents with embedded macros and instructions on the first page of the document to override macro security warnings.  All these attachments make good choices because they mimic the normal daily workflow of finance professionals; the attacker is hoping to trick the target into acting on autopilot and not performing a critical examination of the attachment before opening the file.

The attachment, once opened, can deliver any number of malicious software payloads to the target’s computer.  One dangerous example is a class of malware called banking trojans which seek out stored login information to financial institutions and send them to the attacker to use for fraudulent wire transfers or credit card purchases.  Ransomware is another famous malware class, locking a company out of their own files until a ransom payment is delivered in exchange for the decryption key held by the attacker.  However, the largest recent source of growth in illicit profits for cybercriminals is corporate espionage.   Once they use malware to exfiltrate data from corporate networks the attackers can sell that data to competitor companies or use that data to make predictive stock trades based on insider secrets.  Never underestimate the power contained in a general ledger, let alone a recently approved merger proposal or confidential intellectual property.

Method 4: impersonation of regulatory agencies

A phishing attempt using this method would purport to be from the IRS, the SEC, an auditor like Deloitte or KPMG, or from a law firm.  The phishing communication will make a call to action toward the targeted finance professional, requiring them to review a document or send a data set in a reply.  The goal of regulatory impersonation is to steal information, either by intimidating a targeted user into replying or by making the user believe the impersonated actor already has the information and just needs a confirmation copy.  This technique becomes particularly dangerous when the attack is targeting a CPA preparing tax returns and asking for either information on specific individuals or access to practitioner databases.  The attacker often intends to use the stolen information to file fraudulent tax returns and collect tax refunds, an outcome which requires considerable time commitment to remediate.  The IRS requests that financial professionals who receive phishing emails related to taxes forward those emails to phishing@irs.gov for analysis.

Mitigation

Despite the growing sophistication of phishing methods, the situation is far from hopeless.  There are effective mitigation tools available to finance professionals that require nothing more than the use of critical thinking and changes in personal behavior.  One of the best tools to detect phishing is to look for a tone mismatch between the email content and its alleged sender.  This is a bidirectional consideration: an email with a highly informal greeting and an overabundance of slang is suspicious if sent on behalf of a professional organization, as is an email filled with unnaturally formal language when sent by an individual considered a close compatriot.  Attachments should always be treated with suspicion because almost any type of file can be used to deliver malware.  The use of security software to scan electronic communications and block the delivery of malware in attachments complements user preparedness, creating better defense in depth against phishing.

Another powerful phishing detection tool is domain auditing: by comparing the text of a web address, or the portion of an email address after the @ symbol, to the known correct text for the person or institution the attacker is attempting to impersonate, an alert user can find the text does not match and reject the phishing attempt.  Audit the actual address, not the display name shown beside it, since the display name is entirely under the sender’s control.  This auditing needs to be highly precise because attackers often use the smallest possible change to a domain, different by just one letter or a single added punctuation mark.  The best tool of all to halt phishing is to verify the requested action with the alleged sender prior to acting via a different interactive, real time communication method.  The result of a phone call, a video conference, or an in-person visit with the alleged sender will reveal the truth: they did not send the request, and the phishing attempt ends unsuccessfully.
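The domain audit described above, and the URL check for the fake login portals of Method 1, can be automated for mail-gateway triage or a help-desk “is this phishing?” queue. The following is an added example and is not code from the original article or from NetWize; the trusted-domain list, the sample addresses and URLs, and the confusable-character table are all constructed for illustration, and the two-label “registrable domain” shortcut is a stated simplification (production code should consult the Public Suffix List).

```python
"""Sender/URL domain auditing for phishing triage (added example).

Classifies the domain of an email address or URL against domains the
organization trusts. Only an exact match of the registrable domain counts
as trusted; look-alikes (one-character edits, homoglyph swaps, a trusted
name buried in a subdomain of an attacker-controlled domain, or a trusted
name placed in the URL's userinfo) are flagged as phishing.
All sample data here is constructed for this example.
"""
from urllib.parse import urlsplit

# Characters attackers substitute because they render like ASCII letters.
# Cyrillic look-alikes are written as escapes so the source stays ASCII.
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0131": "i",
})


def extract_domain(identifier: str) -> str:
    """Host part of an address or URL, lower-cased, display name ignored.

    For URLs the userinfo and port are stripped, so
    'https://microsoft.com@evil.example/' resolves to evil.example.
    """
    ident = identifier.strip()
    if "://" in ident:
        host = urlsplit(ident).hostname or ""
    elif "@" in ident:
        host = ident.rsplit("@", 1)[1].strip().rstrip(">")
    else:
        host = ident
    host = host.rstrip(".").lower()
    # Punycode labels are decoded so the homoglyph check sees what the
    # address bar would show the user.
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def registrable_domain(host: str) -> str:
    """Last two labels (assumption: no Public Suffix List in this example)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(label: str) -> str:
    """Collapse single- and double-character look-alikes to their ASCII form."""
    return label.translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def audit(identifier: str, trusted: list) -> tuple:
    """Return (verdict, reason): 'trusted', 'lookalike' or 'unknown'."""
    host = extract_domain(identifier)
    reg = registrable_domain(host)
    trusted_set = {t.lower() for t in trusted}
    if reg in trusted_set:
        return "trusted", f"{reg} matches a trusted domain exactly"
    for t in trusted_set:
        if _normalize(reg.split(".")[0]) == _normalize(t.split(".")[0]):
            return "lookalike", f"{reg} resembles trusted domain {t}"
        if levenshtein(reg, t) <= 1:
            return "lookalike", f"{reg} is one edit away from {t}"
        if f".{t}." in f".{host}.":  # e.g. login.microsoft.com.attacker.example
            return "lookalike", f"{t} appears as a subdomain of {reg}"
    return "unknown", f"{reg} is not in the trusted list"


if __name__ == "__main__":
    trusted = ["netwize.com", "microsoft.com", "salesforce.com", "dropbox.com"]
    for sample in ["Jane Doe <jane@netwize.com>", "billing@netwlze.com",
                   "https://login.microsoft.com.secure-update.example/auth",
                   "https://rnicrosoft.com/login", "https://www.dr0pbox.com/s/x",
                   "https://s\u0430lesforce.com/login", "https://microsoft.com@evil.example/"]:
        print(sample, "->", audit(sample, trusted))
```

An “unknown” verdict is not a clean bill of health; it only means the domain neither matches nor resembles anything on the list, so the out-of-band verification the article recommends still applies.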

Stay safe out there.


JR Maycock is a 12-year IT veteran with a background spanning corporate, freelance, and K-12 education environments.  His areas of expertise include identity management, behavioral security, systems architecture, and exploring the alignment of technology with business strategy.  JR currently holds the position of Business Technology Architect at NetWize in Salt Lake City, UT.  He is reachable at jrmaycock@netwize.com.

VIDEO – NetWize Implements Cisco Solutions for Snowbird Ski and Summer Resort

Snowbird Ski and Summer Resort is located up Little Cottonwood Canyon in Utah. They strive to be one of the premier resorts worldwide, enhancing body, mind and spirit in everything they do. NetWize designed their first Ethernet network 20 years ago and has been their trusted go-to technology partner ever since.

Snowbird came to NetWize for assistance when they were having trouble with extremely slow and very expensive microwave internet service. Fiber was finally installed in the canyon and they needed to upgrade their routers to accommodate faster speeds. NetWize helped Snowbird assess their options to replace their current router which could no longer accommodate the large amount of bandwidth with brand new, high-performing Cisco routers. This upgrade provides much faster and more reliable internet service for their resort guests and corporate office employees, which resulted in better operational efficiencies and happy customers. They even reported a 97% customer satisfaction rating on their surveys after the new solution was implemented.

In addition, Snowbird needed a firewall refresh to replace an outdated solution. Based on their needs, NetWize recommended and implemented a new Cisco ASA 5525-X firewall with Firepower Services. This next-generation firewall gives them a higher level of security and peace of mind with application-level control and advanced reporting. With the high number of credit card transactions processed each day, the new solution also helped them meet PCI DSS requirements.

Watch the video to learn more about how NetWize helped Snowbird solve infrastructure challenges.

Video: https://www.youtube.com/watch?v=ZMl7_gXjlsY

Would you like to learn more about how NetWize helps companies with their IT infrastructure needs? Contact us today at inquiries@netwize.com or by calling 801-747-3200, option 2.

WannaCry Update: More Details about the Ransomware Attack

It has been ten days since the WannaCry ransomware attack was unleashed. It has infected nearly 300,000 devices in 150 countries. During that time, many large organizations—including hospitals, banks, and telecom companies—were brought to a halt when their data was encrypted. The yet-to-be identified attackers had received just under $110,000 in ransom at the time this article was published. Despite the initial chaos, details have emerged about how the attack happened, who may be behind it, and other malicious attacks using comparable techniques.

WannaCry: What We Know So Far

It is now believed that Windows 7 users were the hardest hit by WannaCry, which counters initial reports that stated Windows XP users were the most widely affected. In fact, the version of Windows 7 that suffered the brunt of the attack is the x64 Edition, an operating system widely deployed by large organizations. It is unclear whether enterprises are less likely to stay up-to-date with their security patches, or whether other factors explain this infection pattern.

Another rumor states that most systems became infected following the distribution of spam emails. However, later analysis showed that the malware spread by scanning for machines with the Server Message Block (SMB) service exposed on TCP port 445. It then used a modified version of the “EternalBlue” exploit, originally developed by the National Security Agency, to install WannaCry on unpatched machines. Once installed, WannaCry scanned both the local network and random internet addresses for further SMB targets, infecting reachable devices and encrypting more and more user data as it spread.
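The propagation pattern just described leaves a recognizable footprint in perimeter and internal firewall logs: one source address opening TCP port 445 to many distinct destinations in a short time, and, for the initial entry, an internet-sourced connection to port 445 that the firewall allowed. The following detector is an added example and is not code from the original article or from NetWize; the log format, the internal address ranges, and every sample line are constructed for illustration (the external addresses come from documentation ranges), and the thresholds are assumptions to tune per environment.

```python
"""Detecting worm-style SMB scanning in firewall connection logs (added example).

Two signals, both taken from how WannaCry spread:
  * 'exposed_smb'  - a non-internal source reached port 445 and was allowed,
                     i.e. SMB is reachable from the internet;
  * 'smb_fan_out'  - one source opened port 445 to FAN_OUT_THRESHOLD or more
                     distinct hosts inside a sliding WINDOW (scanning).
The key=value log format and all sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

SMB_PORT = 445
FAN_OUT_THRESHOLD = 5           # distinct destinations before alerting (assumption)
WINDOW = timedelta(minutes=5)   # sliding window for the fan-out count (assumption)

# Assumed internal ranges; a real deployment lists its own allocations.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "action": m["action"],
    }


def detect_smb_scanning(lines):
    """Return a list of alert tuples, in the order the evidence appeared."""
    alerts = []
    attempts = defaultdict(list)   # src -> [(timestamp, dst)] for port-445 attempts
    already_flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != SMB_PORT or ev["proto"] != "tcp":
            continue
        if not is_internal(ev["src"]) and ev["action"] == "allow":
            alerts.append(("exposed_smb", str(ev["src"]), str(ev["dst"])))
        # Denied attempts still count toward fan-out: a blocked scan is still a scan.
        cutoff = ev["ts"] - WINDOW
        history = [(t, d) for t, d in attempts[ev["src"]] if t >= cutoff]
        history.append((ev["ts"], ev["dst"]))
        attempts[ev["src"]] = history
        distinct = {d for _, d in history}
        if len(distinct) >= FAN_OUT_THRESHOLD and ev["src"] not in already_flagged:
            already_flagged.add(ev["src"])
            alerts.append(("smb_fan_out", str(ev["src"]), len(distinct)))
    return alerts


# Constructed sample: an external scanner finds one exposed host, then that host
# fans out internally; 10.0.0.50 talking to a single file server is benign.
SAMPLE_LOG = [
    "2017-05-12T08:00:00Z src=203.0.113.5 dst=10.0.0.17 dport=445 proto=tcp action=allow",
    "2017-05-12T08:00:01Z src=203.0.113.5 dst=10.0.0.18 dport=445 proto=tcp action=deny",
    "2017-05-12T08:00:02Z src=203.0.113.5 dst=10.0.0.19 dport=445 proto=tcp action=deny",
    "2017-05-12T08:00:03Z src=203.0.113.5 dst=10.0.0.20 dport=445 proto=tcp action=deny",
    "2017-05-12T08:00:04Z src=203.0.113.5 dst=10.0.0.21 dport=445 proto=tcp action=deny",
    "2017-05-12T08:00:30Z src=10.0.0.50 dst=10.0.0.5 dport=445 proto=tcp action=allow",
    "2017-05-12T08:00:31Z src=10.0.0.50 dst=10.0.0.5 dport=443 proto=tcp action=allow",
    "2017-05-12T08:03:00Z src=10.0.0.17 dst=10.0.0.20 dport=445 proto=tcp action=allow",
    "2017-05-12T08:03:01Z src=10.0.0.17 dst=10.0.0.21 dport=445 proto=tcp action=allow",
    "2017-05-12T08:03:02Z src=10.0.0.17 dst=10.0.0.22 dport=445 proto=tcp action=allow",
    "2017-05-12T08:03:03Z src=10.0.0.17 dst=10.0.0.23 dport=445 proto=tcp action=allow",
    "2017-05-12T08:03:04Z src=10.0.0.17 dst=10.0.0.24 dport=445 proto=tcp action=allow",
    "2017-05-12T08:20:00Z src=10.0.0.50 dst=10.0.0.5 dport=445 proto=tcp action=allow",
    "this line is malformed and is skipped",
]


def run_sample():
    return detect_smb_scanning(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The first alert is the one to act on immediately: an internet-reachable SMB service is exactly what the patch and the port-445 firewall rule are meant to remove. The fan-out alerts are the containment trigger, pointing at the host to isolate.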

Who is Behind the WannaCry Attack?

EternalBlue was initially developed by the NSA, only to be leaked by the hacker group known as The Shadow Brokers, along with a number of other weaponized software exploits on April 14, 2017. The connection between The Shadow Brokers and the group that created WannaCry remains unclear.

Cybersecurity company Kaspersky Lab has pointed out similarities between the code used for WannaCry, and code that was used for attacks carried out by hackers known as the Lazarus Group. The Lazarus Group, which has ties to North Korea, is believed to have carried out the cyberattack against Sony Pictures in 2014, as well as a bank heist in Bangladesh in 2016. North Korea is denying involvement in those attacks, as well as WannaCry.

New Malware on the Prowl

All of the recent attention on WannaCry has brought to light new threats that are doing damage via the same security exploits that were originally developed by the NSA. One in particular, “EternalRocks”, is malware that makes use of seven of the weaponized exploits The Shadow Brokers have leaked, which is five more than WannaCry used.

Another piece of malware, “Adylkuzz”, has also been spreading using the same security exploits as WannaCry. Although it hasn’t received the same amount of attention that WannaCry generated, it is thought to have been at work longer, and to have done even more damage in the time since its release. Rather than demanding a ransom, Adylkuzz quietly uses infected machines to mine the cryptocurrency Monero for its operators.

Trust the Experts

In March 2017, Microsoft released the security update (MS17-010) that fixes the SMBv1 vulnerability enabling the latest wave of attacks. At that time, NetWize made sure its customers were protected by deploying the requisite security update. We are also available for consultation regarding user best practices for optimal security. We always make sure our customers are protected with up-to-date anti-virus protection, and a reliable data backup and disaster recovery process. Ask us about Sophos Intercept X and its capabilities for protecting against ransomware attacks.

If you have any questions or concerns regarding recent malware attacks, or cybersecurity in general, please call NetWize at (801) 747-3200, option 1.

WannaCry Ransomware: Learn More About the Attack

A new ransomware attack is infecting hundreds of thousands of devices all over the globe. Starting May 12, the ongoing attack uses malicious software called “WannaCry” (also “WannaCrypt” or “Wanna Decryptor”), which encrypts the files on an infected computer and then demands a ransom for the decryption key. Ransom demands range from $300 to $600, and are to be paid via bitcoin to one of three designated wallets. It is currently unclear whether the unidentified attackers have unlocked files for the users that have made a ransom payment. As of the morning of May 16, ransom payments had reached over $70,000. In 2013, a comparable ransomware called CryptoLocker was released; it pulled in an estimated $30 million in its first 100 days.

The likelihood that the particular vulnerability enabling the spread of WannaCry will affect customers of NetWize is very low. Thanks to the commitment of our engineers to ensuring our customers’ safety, we applied the security patch needed to protect against WannaCry shortly after Microsoft’s recommendation. We also offer advice on best practices that reduce a user’s exposure. In addition, we always make sure our customers’ antivirus is up-to-date, and that a reliable data backup and disaster recovery process is in place.

Video: https://vimeo.com/217574866


To learn more about the outbreak as it unfolds, check out Wikipedia, and technical support website Bleeping Computer.

As always, if you have any concerns regarding this recent ransomware attack, please call NetWize at (801) 747-3200, option 1. Click here to view our pricing for Sophos Endpoint Protection.

© 2020 NetWize, Inc | Privacy Policy