Don’t Overlook These Information Security Basics

The reason companies fail at information security isn’t because they aren’t installing the latest high-tech defensive software. It’s because they aren’t taking care of the security basics, like installing patches on time. What are some of the other information security basics you might be overlooking?

Managing employee access

Employee access rights shouldn’t be permanent. As job functions change, you should review and revise their access to match the responsibility of their roles. While ideally you’ll do this as soon as they take on a new role, at least review access privileges annually. Even more important, when employees leave the business, you should be sure to disable their access immediately.

Changing default passwords

Admin/admin? Everybody knows that login and password, including the bad guys. It’s easy to overlook changing passwords after you install new software, but it’s necessary in order to keep your systems secure. Use a unique admin password on all your systems in order to ensure you’re protected.

Reviewing security logs

Don’t just review log files after a breach occurs. Log files should be reviewed on an ongoing basis in order to spot breach attempts before they succeed. This doesn’t have to be a purely manual effort; there are good analytics tools to help identify suspicious behavior.

Enforcing secure mobile device usage

It’s convenient to have employees use their mobile devices to conduct business, but it also can be risky. Develop your “bring your own device” policy, teach employees safe mobile computing practices, and consider using mobile device management software to enforce your policies.

Protecting the cloud

Relying on your cloud provider for security of your data in the cloud is a mistake. Information security in the cloud requires both your organization and your cloud provider to take steps to protect your data. In addition, employee “shadow IT” usage of cloud resources can lead to security risks you aren’t aware of; consider using tools that help you detect unauthorized usage of cloud services.

Learn more in 6 Ways to Keep Your Cloud Secure.

Verifying configuration settings

Many security vulnerabilities, especially in the cloud, are the result of incorrect system configuration. Don’t rely on default settings, but make sure you explicitly set them to the values you need. Limit the ability to modify configurations to authorized employees, and use tools to detect configuration changes so they can be reviewed and verified. Use automation to ensure configurations are deployed consistently across all your resources.

Performing risk assessments

There are too many potential security threats to address all of them at once. In order to get the most value from the actions you take, it’s important to assess the risks you face so you can prioritize your responses.

Securing information resources requires implementing basic and advanced controls at multiple levels, including the network, the cloud, and endpoints. CCS Technology Group offers IT security services to help you comprehensively address your information security needs. Contact us to learn how our services can help protect your critical systems and data.

6 Ways to Keep Your Cloud Secure

The simplest way to migrate to the cloud is to lift and shift your applications, migrating them exactly as they are. That doesn’t work for security, though. To make sure your cloud resources are properly protected, you need to review the security features offered by your cloud provider and make sure you implement them properly. You should check out the following:

1. Cloud provider compliance certifications

Meeting your own security standards is easier when the cloud provider offers a strong base. If the cloud provider offers infrastructure certified to meet the compliance standards relevant to your industry, be sure you deploy to that environment.

2. Encrypt your data

Store data in an encrypted format to keep it protected. You can usually easily turn on database encryption in the cloud. It’s simpler to allow the cloud provider to manage the encryption keys, though you’ll gain additional security if you manage them for yourself. Depending on how encryption is implemented, encrypting stored data may not require any application changes, making it compatible with a lift and shift migration.

3. Use identity and access management controls

Identity and access management (IAM) lets you limit access to your cloud resources. You may be able to use the same IAM tools in the cloud as in your data center, allowing you to lift and shift this security control as well. In either case, make sure privileges are set properly.

4. Don’t adopt default cloud configurations

The default configurations established by many cloud providers are not security conscious. Don’t assume they’re set the way you need them. Make sure these settings are appropriate for your applications and modify them when they are not. Where possible, use templates or base cloud images that have the settings you need built in to create all your cloud instances.

5. Separate production, test, and development environments

Because cloud lets you create and shut down instances as needed, you may see recommendations to speed production deployments by turning the “test” instance into production and creating a new test instance the next time you need it. The problem with this is that test environment configurations are often not as secure as those needed in a production environment. You’ll lose a little deployment speed but gain a lot of additional security by keeping the distinction between environments.

6. Don’t forget about the devices that access cloud

Securing your cloud resources requires more than just securing the cloud; it requires securing the devices that access the cloud. Don’t forget about tools such as firewalls to protect your network, and consider mobile device management software to protect your cloud from mobile device risks.

CCS Technology Group’s cloud services ensure your cloud provides a cost-effective, efficient, and secure environment that meets your IT needs. Contact us to learn more about building and using cloud safely.

Craft An Effective Disaster Recovery Plan

If you don’t want to be scrambling in the middle of a crisis, you need a plan. Here’s what to think about as you develop your disaster recovery plan to make sure you get out of the situation and back into normal operations fast:

Communications plan

There’s bound to be lots of confusion during an incident, but you don’t want there to be any confusion about who’s in charge. Make sure your plan identifies who decides to invoke the disaster recovery plan and how this will be communicated to everyone who needs to be involved in the recovery.

Scope of potential threats

Crises come in all sizes, from a single accidentally deleted critical file to a fire that destroys your primary data center. Spend time assessing a variety of possible situations and determine how you’ll match your response to the size of the outage.

Lists of systems and people

You’ll need a complete list of all hardware and software that your business uses, as well as network diagrams. Also create a list of all the staff you’ll need to help bring the systems back online, including their contact info. Include contact info for third parties, such as vendors and partners, that may need to make changes on their side to connect to your recovery site.

Priorities and targets

It isn’t possible to bring up all systems at the same time, and it usually isn’t necessary. Take your list of systems and evaluate the priority of each system so you know where you need to focus your effort. For each system, set a specific recovery time objective and recovery point objective, specifying how rapidly you need to restore that system to operation and how much data you can afford to lose. Once you know these numbers, you can craft a recovery strategy for each application to meet those targets.

Recovery procedures

Document the details of the recovery procedures for each application, including the complete details of the commands that need to be executed. Identify the other processes the application depends on in order to start up. Include validations that allow you to confirm the application is running properly in its recovery mode.
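The priorities, targets and start-up dependencies described above can be checked mechanically. The following is an added example, not part of the original article: it orders systems so that dependencies come up first and higher priorities break ties, then flags any system whose recovery time or recovery point objective cannot be met. The system names, hours and the assumption that one team restores systems one after another are all constructed for illustration.

```python
import heapq
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    priority: int                 # 1 = most important to the business
    rto_hours: float              # recovery time objective
    rpo_hours: float              # recovery point objective (tolerable data loss)
    backup_interval_hours: float  # how often a restorable copy is taken
    restore_hours: float          # measured in the last recovery test
    depends_on: list = field(default_factory=list)


# Constructed inventory for illustration only.
SYSTEMS = [
    System("directory", 2, 4, 24, 24, 1.0),
    System("database", 1, 4, 1, 4, 2.0, ["directory"]),
    System("erp", 1, 6, 1, 1, 2.0, ["database", "directory"]),
    System("file-share", 3, 24, 24, 24, 3.0, ["directory"]),
    System("intranet", 4, 8, 24, 24, 1.0, ["file-share"]),
]


def recovery_order(systems):
    """Order systems so dependencies start first; priority breaks ties."""
    by_name = {s.name: s for s in systems}
    pending = {s.name: set(s.depends_on) for s in systems}
    unknown = {d for deps in pending.values() for d in deps} - set(by_name)
    if unknown:
        raise ValueError(f"dependencies missing from inventory: {sorted(unknown)}")

    ready = [(by_name[n].priority, n) for n, deps in pending.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        del pending[name]
        # Anything that was only waiting on this system can now be restored.
        for other, deps in pending.items():
            if name in deps:
                deps.discard(name)
                if not deps:
                    heapq.heappush(ready, (by_name[other].priority, other))
    if pending:
        raise ValueError(f"dependency cycle among: {sorted(pending)}")
    return order


def check_targets(systems):
    """Return {system: [problems]} for targets the current plan cannot meet.

    Assumption: systems are restored sequentially, so each system is back
    only after everything ahead of it in the order has been restored.
    """
    by_name = {s.name: s for s in systems}
    findings, elapsed = {}, 0.0
    for name in recovery_order(systems):
        s = by_name[name]
        elapsed += s.restore_hours
        issues = []
        if elapsed > s.rto_hours:
            issues.append(f"rto: restored after {elapsed:g}h, target {s.rto_hours:g}h")
        if s.backup_interval_hours > s.rpo_hours:
            issues.append(
                f"rpo: backups every {s.backup_interval_hours:g}h, "
                f"target {s.rpo_hours:g}h"
            )
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_order(SYSTEMS)))
    for system, issues in check_targets(SYSTEMS).items():
        for issue in issues:
            print(f"{system}: {issue}")
```

Rerun the check whenever a recovery test produces new restore times or a system is added to the inventory.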

Fallback procedures

Once the disaster is over, you’ll want to resume operations in your normal production environment. Executing fallback processes can be as complex as the disaster recovery procedure itself, so document the process to the same level of detail.

Once your disaster recovery plan is complete, schedule a test to validate that it works. Then update the plan with any corrections, clarifications, or critical information that was missed the first time around. Because your infrastructure changes continually, your plan should be a living document. When you place new resources into production, you should also update your plan to include them. The entire plan should be periodically reviewed and tested, at least annually, to make sure there are no omissions and that it works with your current infrastructure.

CCS Technology Group provides comprehensive disaster recovery services. Contact us to find out how you can make your plan more effective.

Did you know three out of four small businesses have no disaster recovery plan at all? Learn more in Why a Business Continuity Plan is Essential.

Don’t Click That Link! Protect Your Business Against Phishing Emails

The weak point in your information security strategy is your people. There’ll always be somebody who falls for a phishing email and clicks on a dangerous link. It’s important to take steps to block dangerous emails.

Phishing Techniques

All online phishing techniques send emails or texts that try to trick employees into allowing malware into your organization or exposing sensitive data. There may be a link to a malicious website masquerading as a legitimate site that prompts employees for login credentials. There may be an attachment that contains malware, including ransomware, that executes when the file is opened. Or the email can impersonate a legitimate contact and request information such as account numbers.

Spear phishing is a targeted form of phishing. Rather than a generic email, these messages are targeted to specific employees and carefully crafted to be believable. CEO fraud uses an email that pretends to be from a senior executive and requests employees to make a financial transaction, such as transferring funds to the attacker’s account.

Learn more in Phishing 101: What it is, how it works and how to avoid it.

Protecting Against Phishing

Guarding against phishing requires both technology that attempts to block the phishing messages and dangerous websites and training that teaches employees to recognize them.

Technical Solutions

Antivirus software and spam filters can keep out malware, and web filtering can prevent users from connecting to known dangerous sites. All systems should be kept up to date with security patches. Data loss prevention software can help prevent data from being removed by unauthorized users. Use multifactor authentication to block hackers who’ve gained passwords.

Training Solutions

Perhaps the most important thing to know about training employees is that you need to train all your employees, including senior executives. Senior executives are frequently targets of phishing because their passwords grant access to sensitive systems. Remind employees not to click on attachments from unknown senders, to double-check all URLs before clicking on them, and not to share their passwords via email.

Training isn’t a one-time process, either. New employees need to be trained, not just current employees. All employees need a periodic refresher. You can also consider periodically creating your own phishing email to test employees and identify personnel who need additional training.

Learn more in Different Kinds of Malware Need Different Kinds of Defenses

With more than 3 billion malicious emails sent daily, there’s a strong chance they’re landing in your employees’ inboxes frequently. Even the best employee can have a moment of carelessness or inattention that leads to a dangerous click, but proper employee training in conjunction with other information security measures can help minimize the risks and the consequences. CCS Technology Group provides security services that educate your employees and guard your systems from threats. Contact us to learn more about protecting yourself from phishing and other cyberattacks.

Different Kinds of Malware Need Different Kinds of Defenses

One of the reasons information security is so difficult is that there are so many different threats you need to defend against. Malware can take many different routes to get into your systems, and once there, it can do many different things. Keeping your data safe requires protecting against all of those different potential paths and actions.

Malware Can Take Different Routes Into Your Systems

As computers get more and more connected and more of our work and personal lives move online, there are more and more ways for malware to penetrate your defenses. The potential vectors include:

  • viruses. A virus attaches itself to legitimate files so it executes along with the underlying file.
  • worms. Small and self-replicating, worms spread without any user action.
  • trojan. Like the Trojan horse, this malware dresses up as legitimate software to hide its dangerous instructions.
  • malvertising. Online ads aren’t just annoying; they can include malware. In some cases the malware can execute automatically.

Malware Can Do Different Things

Once malware gets into your systems, it allows the hackers to use your systems and steal your data. Malware has the capability to:

  • steal data. Malware can steal data in different ways. One type of malware does this by keystroke logging; by capturing users’ data entry, hackers can learn passwords, account numbers, and other sensitive information. Other types of sophisticated malware can target specific files.
  • hold data hostage. Sometimes hackers don’t want your data, but they know you need your data. Ransomware encrypts your data files so you can’t read them and requires you to pay a ransom (usually in bitcoin or other cryptocurrency) to regain access. This malware can completely shut down your operations until you pay or restore data from clean backups.
  • redirect your browser. Some malware, called adware, displays unwanted advertising. This malware can sometimes take over browsers and redirect them to pages with ads rather than the requested site.
  • turn your PC into a bot or cryptominer. Malware can take over your PC and force it to perform other operations, including participating in a DDoS attack, emailing spam, or cryptomining. This malware doesn’t harm your device or data directly, but can result in poor performance.

Protecting against all these types of malware requires a comprehensive information security strategy. Tools such as firewalls and antivirus software can help keep dangerous software out of your systems. Training users is key to recognizing phishing emails and other malware that makes it through the automated systems. CCS Technology Group helps businesses develop and deploy complete cybersecurity solutions to protect vital company data. Contact us to learn more about the different threats your data faces and how you can defend against them.

Don’t Lose Your Files to Ransomware

Think about that panicky feeling you get when you lose one file. Now scale that feeling up and imagine the panic after losing all your files. That’s how you’ll feel if a ransomware attack makes it impossible for you to access any of your data.

Ransomware is a kind of malware that holds your data hostage. When you’re attacked by malware, it encrypts all your data. Since you don’t have the key, you aren’t able to read it. Typically you’re asked to make a payment in cryptocurrency in exchange for the key. If you don’t pay up by the deadline, the key is discarded and your data is lost for good.

Ransomware can be difficult and time-consuming to recover from; one town had to rely on typewriters when their computers were down after an incident. If you don’t have typewriters tucked away in a closet, here are some options to help prevent and respond to ransomware incidents.

Prevent Ransomware Attacks

It’s impossible to completely protect yourself from a ransomware attack; like any other malware, they spread through phishing and social engineering methods that trick your employees into opening dangerous attachments. Training employees is important but not foolproof.

Keeping up with your operating system patches is an important measure, as it reduces the number of vulnerabilities for hackers to exploit. You should also use antivirus software and whitelisting software to block malware and prevent unapproved applications from executing.

Ensure you have a reliable backup and disaster recovery process. This won’t prevent you from becoming a ransomware victim but will reduce the panic if you do.

Recover from a Ransomware Attack

The first thing to know about recovering from a ransomware attack is that you should never ever pay the ransom! For one thing, there’s no guarantee that you’ll receive the decryption key. Plus, once you pay ransom, you’ve shown that you’ll pay ransom, and you make yourself a target for additional ransomware attacks with bigger and bigger ransom demands.

Identify the ransomware that attacked you and see whether there’s a decryptor. This will let you recover your locked files without paying the ransom.

If there isn’t a decryptor (and it’s really not that likely you’ll find one for the exact version of the attack that victimized you), you’ll need to do a scan to remove the malware from your system and then restore files from a clean backup. Unfortunately you’ll lose any new files or modifications made between the time the backup was created and the time you were encrypted—good motivation for doing backups at least nightly. You’ll need to make sure the backup isn’t infected with the malware as well, as some ransomware can attack shared drives.

Then protect yourself from future attacks by hardening your cybersecurity strategy and making sure your backups aren’t vulnerable, perhaps by storing them in the cloud. CCS Technology Group information security services help you develop and implement an approach that protects you against ransomware and the many other common malware threats that target your systems. Contact us to learn more.

7 Common Mistakes That Place Your Data in Danger

Information security is a critical challenge for businesses. Threats come from everywhere; even old fax machines can become entry points for malware. It’s easy to make mistakes when configuring or managing systems and accidentally make yourself vulnerable to attack. Take a few minutes to double-check that you’re not making these common errors.

1. Failing to keep up to date with patches

This is a major mistake with major implications for data security. Applying patches isn’t like locking the barn door after the horses are gone; it’s putting a better lock on the barn door. Without patches, you remain vulnerable to known vulnerabilities. Patches ensure you’re protected against them. Although patching systems and tracking that patches were applied to all systems can be time consuming, it’s important to create a patch routine that keeps your systems current.

2. Disabling or misconfiguring firewalls

Firewall rules are a pain to keep straight. It’s easier to enable access to a range of IP addresses than to a specific server. When applications are retired, it’s easy to forget to cancel the firewall rules that are relevant. As time goes on, the firewall rules become a complex mess that no one really understands. Avoid this problem by adequately documenting firewall rules when they’re added. Perform an annual review to validate that existing rules are still needed, and make sure updating the firewall is part of your process when shutting down an application.
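The annual review described above can be partly automated. The following is an added example, not part of the original article: it audits an exported rule list for the four problems the paragraph names, namely sources opened to a whole range instead of a specific host, rules left behind for retired applications, rules with no documentation, and rules not reviewed in the past year. The rule format, the 256-address threshold and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional


@dataclass
class Rule:
    rule_id: str
    source: str                    # CIDR allowed to connect
    dest: str                      # server the rule exposes
    port: int
    app: str                       # application the rule was added for
    comment: str                   # documentation written when the rule was added
    last_reviewed: Optional[date]  # None means the rule was never reviewed


# Constructed sample data, not taken from any real firewall.
ACTIVE_APPS = {"payroll", "crm"}   # "legacy-intranet" has been shut down
RULES = [
    Rule("fw-001", "10.20.30.40/32", "10.1.0.5/32", 443, "payroll",
         "Payroll web UI from HR jump host", date(2024, 3, 1)),
    Rule("fw-002", "10.0.0.0/8", "10.1.0.9/32", 5432, "crm",
         "CRM database access", date(2024, 2, 10)),
    Rule("fw-003", "10.20.31.7/32", "10.1.0.77/32", 8080, "legacy-intranet",
         "Old intranet portal", date(2024, 1, 15)),
    Rule("fw-004", "192.168.5.10/32", "10.1.0.5/32", 22, "payroll",
         "", None),
]


def audit_rule(rule, active_apps, today, max_hosts=256, max_age_days=365):
    """Return the list of review findings for one rule (empty if clean)."""
    findings = []
    # A source wider than max_hosts addresses is a range, not a specific server.
    if ip_network(rule.source, strict=False).num_addresses > max_hosts:
        findings.append("broad-source")
    # The application was retired but its rule was never cancelled.
    if rule.app not in active_apps:
        findings.append("retired-app")
    # Nobody wrote down why the rule exists.
    if not rule.comment.strip():
        findings.append("undocumented")
    # The rule missed its annual review, or was never reviewed at all.
    if rule.last_reviewed is None or (today - rule.last_reviewed).days > max_age_days:
        findings.append("review-overdue")
    return findings


def audit(rules, active_apps, today):
    """Return {rule_id: findings} for every rule that needs attention."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, active_apps, today)
        if findings:
            report[rule.rule_id] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in audit(RULES, ACTIVE_APPS, date(2024, 6, 1)).items():
        print(f"{rule_id}: {', '.join(findings)}")
```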

3. Not using network segmentation

If an intruder does manage to make it through your firewall, network segmentation will limit how far they’re able to go, how much data they’re able to access, and how much damage they’re able to do. Like firewalls, managing network segments can become complicated.

4. Using default settings

Default configuration settings may not be optimized for security. When you enable default administrator accounts and leave them on their default password, you’re leaving the door wide open for anyone to walk in.

5. Failing to control privileged accounts

Unfortunately, misuse of privileges by employees is a common cause of data breaches. Admins should be given individual accounts with the appropriate level of privileges, rather than sharing a common admin account. In addition, privileges should be granted based on roles rather than allocated to users individually, and there should be a periodic review to make sure users have only the privileges appropriate for their job function.
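The periodic access review recommended here, and in the earlier section on managing employee access, amounts to comparing the account list against the HR roster and a role-to-group mapping. The following is an added example, not part of the original article: it flags enabled accounts whose owner has left, shared accounts holding admin privileges, and group memberships that the owner's current role does not grant. The roster, account export, group names and role mapping are all constructed for illustration.

```python
# Constructed sample data for illustration only.
ROLE_GROUPS = {                      # privileges granted by role, not per user
    "accountant": {"finance-app"},
    "sysadmin": {"server-admin", "backup-operators"},
    "sales": {"crm-users"},
}
PRIVILEGED_GROUPS = {"server-admin", "domain-admins"}

HR_ROSTER = {
    "E100": {"status": "active", "role": "accountant"},
    "E101": {"status": "active", "role": "sysadmin"},
    "E102": {"status": "terminated", "role": "sales"},
    "E103": {"status": "active", "role": "sales"},   # moved from sysadmin to sales
}

ACCOUNTS = [
    {"user": "akhan", "owner": "E100", "enabled": True, "groups": {"finance-app"}},
    {"user": "bli-adm", "owner": "E101", "enabled": True, "groups": {"server-admin"}},
    {"user": "cruiz", "owner": "E102", "enabled": True, "groups": {"crm-users"}},
    {"user": "dmoss", "owner": "E103", "enabled": True,
     "groups": {"crm-users", "server-admin"}},
    {"user": "admin", "owner": None, "enabled": True, "groups": {"domain-admins"}},
]


def review_account(account, roster, role_groups, privileged_groups):
    """Return the findings for one account (empty list if nothing to fix)."""
    if not account["enabled"]:
        return []                    # disabled accounts cannot be used to log in

    owner = account["owner"]
    if owner is None:
        # No individual is accountable for what this account does.
        if account["groups"] & privileged_groups:
            return ["shared-privileged-account"]
        return ["no-owner"]

    person = roster.get(owner)
    if person is None or person["status"] != "active":
        # The employee left but the account was never disabled.
        return ["owner-not-active"]

    # Anything beyond the current role's groups is left over from an old job
    # function or was granted to the user individually.
    allowed = role_groups.get(person["role"], set())
    return [f"excess-group:{g}" for g in sorted(account["groups"] - allowed)]


def access_review(accounts, roster, role_groups, privileged_groups):
    """Return {username: findings} for every account that needs action."""
    report = {}
    for account in accounts:
        findings = review_account(account, roster, role_groups, privileged_groups)
        if findings:
            report[account["user"]] = findings
    return report


if __name__ == "__main__":
    report = access_review(ACCOUNTS, HR_ROSTER, ROLE_GROUPS, PRIVILEGED_GROUPS)
    for user, findings in report.items():
        print(f"{user}: {', '.join(findings)}")
```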

6. Not controlling mobile access

It’s great that employees are able to work from anywhere using their own devices, but this can expose your data to a wide variety of risks, from shoulder surfers to lost devices to malware installed over public WiFi. Make sure you define a “bring your own device” policy so users know about their responsibility to protect corporate data on their devices, and consider using mobile device management or other tools to enforce controls over mobile access to corporate resources.

7. Not inspecting outgoing traffic

Keeping data secure isn’t just about blocking hackers from entering your network; it’s about making sure confidential data doesn’t exit your network. This can be the result either of a breach or of employees using unapproved cloud services or even email to share files. Consider using data loss prevention software that can identify when sensitive data is being sent outside of your environment.

Keeping data safe requires being proactive. If you’re making any of the above mistakes, take action to close the security holes. CCS Technology Group develops comprehensive information security strategies that help you put effective data protection controls into place. Contact us to learn more about avoiding mistakes that threaten your data security.

Phishing 101: What it is, how it works and how to avoid it

Ever gone fishing? The cybercrime phishing works in a very similar way.

Tech-savvy con artists bait an email hook, send it out into the internet waters, and pull in personal information that can help them gain access to protected systems.

You know what this means, right? That Nigerian prince doesn’t actually need help transferring “much funds” to “American dollars US.” In fact, if you click on that link, you’re the one likely to suffer heavy losses.

It’s better if you don’t respond at all.

Phishing can also include attachments that download malicious code onto your systems. Keylogging software and other information-gathering viruses give malicious coders access to sensitive data like logins and passwords. Just opening the wrong email could put your entire company database at risk.

Understanding the risk

With phishing, hackers have an easy way to attack that can be highly profitable. Consider the fact that the average cost of a successful phishing attempt on a mid-sized business comes with a $1.6 million price tag.

Enterprise businesses are not exempt, even with massive IT departments and increasingly complex security protocols.

Spear phishing, a more targeted form of phishing that mimics other known users, makes up 95 percent of all attacks on enterprise businesses. If you received an email from the CEO, you’d probably open it too—even if it turned out it was from a hacker.

Leaving the bait on the hook

Keeping your company safe from phishing attacks starts with something very basic: education.

Give your employees examples of some of the most sophisticated attack scenarios and strategies to avoid them. For example, if you get an email from “Google” asking you to log in, never use an embedded link. Always load websites using the actual URL, not hyperlinks provided via email. This avoids the risk of spoofed pages designed to capture login credentials.

Ignoring attachments also helps eliminate the risk of ransomware downloads.

In addition to educating your workforce about the most common lines of attack, you can also institute some company-wide defense strategies and tools.

Better passwords using management software

Encouraging your employees to use strong passwords is helpful. But the longer and more complex the password, the more likely users are to write them down, send them to an accessible email box, or otherwise immediately undo their increased security.

Password management software can take care of the problem by automatically filling in software and password information on recognized sites. When the password manager doesn’t recognize the site, it’s a warning sign to employees about a possible spoofed site.

Social media monitoring

Email phishing is still the most common form of phishing, but social media platforms also offer an avenue of attack.

Using fake accounts, hackers can approach your employees through less guarded communications like social media. Monitoring what happens on corporate social accounts and teaching your workers about the risks of corporate espionage through social contact can go a long way toward minimizing your risks.

Partnering with a cybersecurity expert

Small businesses rarely have the budget to support an in-house IT department, and even when they do, cybercriminals are relentless. The number of cyberattacks creeps up every year, leaving you with some tough choices.

Thankfully, it is possible to get high-level protection against phishing without investing in more top-level salaries. Talk to your managed services provider to see how they can provide the defenses you need against phishing attacks, without the cost that comes with a whole new department.

The cybersecurity employee training checklist

By 2019, it’s estimated that cybercrime will cost more than $2 trillion and affect businesses across the world. The numbers indicate how serious this issue is. However, what many business owners don’t realize is what their biggest risk actually is.

Their employees.

Effective cybersecurity employee training is an essential step when it comes to protecting your company. After all, a secure business is a protective one.

Creating, planning and executing cybersecurity training can seem daunting; however, with the tips here, it doesn’t have to be.

What employees need to know to protect your data

Cybersecurity employee training is imperative, and the foundation for network security training is simple. You need to make sure your employees fully understand their role in this.

Some of the things employees should know include:

  • They have a responsibility to protect company data.
  • Proper document management practices need to be used, along with notification procedures.
  • Passwords need to be strong and secure, so they are not easy to guess.
  • Ensure employees understand that they are not allowed to install unlicensed software on any of the company’s devices.
  • Internet use needs to be restricted to sites that are known to be safe.

How to ensure your employees receive proper cybersecurity training

You almost certainly have anti-virus software, intrusion prevention systems and a strong firewall to protect your network. And even with all of that, it isn’t possible to block every single threat out there.

As a result, you have to be able to rely on your employees to keep the network safe.

After all, these are the individuals who are on the front lines. They’re determining whether or not they should download that mysterious email attachment, or click on that oh-so-tempting pop-up ad. One of the best ways to ensure they make the right decision is with quality cybersecurity employee training.

Provide ongoing cybersecurity training

Cybercriminals and hackers are always looking for new and innovative ways to “trick” even the most experienced users into downloading malware or responding to a malicious email. If you want to ensure your workers don’t fall for these tricks, it’s essential to let them know these threats exist.

Not only do you need initial training when you first hire a new employee, but also ongoing training to ensure that your network is protected from the latest threats out there.

There are some businesses that even send out daily security tips via email to their workforce. Not only is this beneficial in keeping everyone informed, but it helps to keep cybersecurity top of mind.

Make security something personal

When you have employees who aren’t directly involved in your company’s technology efforts, then network security may seem like a foreign concept. However, most of your employees have purchased something from their home computer with a credit card.

You can use this very practical, relatable example to help make your business’s security more personal for your employees. They’re likely careful with their credit card number. They need to be careful with company data, too.

Help them understand that their information is best protected when they follow certain security policies that have been designed to keep the network safe.

Be accessible to employees

Part of cybersecurity training for your employees should include letting them know who to turn to if they experience any type of network security incident, or if there are any questions about cybersecurity. If you don’t have an IT support team on-site, be sure your employees know how to get support and help from your service provider.

Keeping your data safe

If you want to ensure your small business’s network is secure, it starts with proper cybersecurity employee training. Be sure to play your part. Protecting your company’s sensitive information is serious business.

If you need additional help with your cybersecurity employee training, consider reaching out to a security expert. Most managed services providers can help you achieve an optimal level of security and protection.

Spoofing: What it is and how to avoid it

Cyberattacks cost businesses around the world about $15.80 million per company, according to estimates. And the number of security breaches has increased. In fact, the World Economic Forum’s Global Risks Report 2018 says that cyberattacks are now just as threatening as natural disasters such as extreme weather events and catastrophes.

One of the most commonly used scams that businesses are falling prey to is known as spoofing. Let’s take a closer look at what spoofing is and how you can avoid it.

What is spoofing?

Spoofing happens when a hacker gains access to your computer systems and is able to steal personal or sensitive information. That information can be as simple as passwords or as complex as business data.

You may have come across an attempt at spoofing before—for example, in the form of a suspicious email that promises cash rewards or an ad with questionable links. However, spoofing is not limited to spam emails. An intruder can use caller IDs or get you to click on a uniform resource locator (more commonly known as a URL).

There are several types of spoof attacks. Probably the most common are phishing emails, where you are sent a link and then given the option to download something. Even if you clicked the bait, usually nothing will happen unless you download the attachment.

How to safeguard yourself from spoofing

To protect yourself and your organization from spoofing, the best course of action is to avoid clicking any shady-looking links. And never download attachments unless you are absolutely sure the sender is legitimate.

If you have been the victim of URL spoofing, spammers may have attempted to infect your computer’s hardware with a virus. This is why it’s essential to install firewalls. Otherwise, you are putting your business—and your clients’ data—at risk.

You may think of cybercriminal activity as something that is unlikely to affect you or your business. But at the rate the threat is growing, it’s something to take seriously.

A 2017 Juniper Research report forecasts that the number of personal data records stolen by spoofing attackers could reach 5 billion in 2020. The authors of the report expect businesses around the world to lose a combined amount of $8 trillion over the next few years.

On your side

If you take a proactive approach to cybersecurity, you are less likely to become a victim of a cyberattack. The first thing to do is examine where your walls of defense may be weak and get expert help to protect your organization.

A little self-directed proactive education can really help in this department. Take the time to keep up with industry news and pay attention to cybersecurity headlines. You can also follow our blog for everything you need to know about cybersecurity, spoofing and business data analytics.

Also, contact a managed IT services provider. They’re there to help. All those years of experience providing IT support and managed IT services make a huge difference when it comes to protecting your business from cybercrime.