Security : 3 Pitfalls Facing Privacy in 2018

Earlier this month, CES attendees got a taste of the future with dazzling displays of toy robots, smart assistants, and various AI/VR/8K gadgetry. But amid all the remarkable tech innovations on the horizon, one thing is left off the menu: user privacy. As we anticipate the rocky road ahead, there are three major pitfalls that have privacy experts concerned.

Bio hazard

Biometric authentication—using traits like fingerprints, iris, and voice to unlock devices—will prove to be a significant threat to user privacy in 2018 and beyond. From a user’s perspective, this technology streamlines the authentication process. Convenience, after all, is the primary commodity exchanged for privacy.

Mainstream consumer adoption of biometric tech has grown by leaps and bounds recently, with features such as fingerprint readers becoming a mainstay on modern smartphones. Last fall, Apple revealed its Face ID technology, causing some alarm among privacy experts. A key risk in biometric authentication lies in its potential as a single method for accessing multiple devices or facilities. You can’t change your fingerprints, after all. Biometric access is essentially akin to using the same password across multiple accounts.

“Imagine a scenario where an attacker gains access to a database containing biometric data,” said Webroot Sr. Advanced Threat Research Analyst Eric Klonowski. “That attacker can then potentially replay the attack against a variety of other authenticators.”

That’s not to say that biometrics are dead on arrival. Privacy enthusiasts can find solace in using biometrics in situations such as a two-factor authentication supplement. And forward-thinking efforts within the tech industry, such as partnerships forged by the FIDO Alliance, can help cement authentication standards that truly protect users. For the foreseeable future, however, this new tech has the potential to introduce privacy risks, particularly when it comes to safely storing biometric data.

Big data, big breaches

2017 was kind of a big year for data breaches. Equifax, of course, reigned king by exposing the personal information (including Social Security Numbers) of some 140 million people in a spectacular display of sheer incompetence. The Equifax breach was so massive that it overshadowed other big-data breaches from the likes of Whole Foods, Uber, and the Republican National Committee.

It seems no one—including the government agencies we trust to guard against the most dangerous online threats—was spared the wrath of serious data leaks. Unfortunately, there is no easy remedy in sight, and the ongoing global invasion of user privacy is forcing new regulatory oversight, such as the upcoming GDPR to protect EU citizens. The accelerated growth of technology, while connecting our world in ways never thought possible, has also completely upended traditional notions surrounding privacy.

The months ahead beg the question: What magnitude of breach will it take to trigger a sea change in our collective expectation of privacy? 

Talent vacuum

The third big issue that will continue to impact privacy across the board is the current lack of young talent in the cybersecurity industry. This shortfall is a real and present danger. According to a report by Frost & Sullivan, the information security workforce will face a worldwide talent shortage of 1.5 million by 2020.

Some of this shortfall can be blamed on HR teams that fail to fully understand what they need to look for when assessing job candidates. The reality is that the field as a whole is still relatively new and is constantly evolving. Cybersecurity leaders looking to build out diverse teams are wise to search beyond the traditional background in computer science. Webroot Vice President and CISO Gary Hayslip explained that a computer science degree is not something on his radar when recruiting top talent for his teams.

“In cyber today, it’s about having the drive to continually educate yourself on the field, technologies, threats and innovations,” said Hayslip. “It’s about being able to work in teams, manage the resources given to you, and think proactively to protect your organization and reduce the risk exposure to business operations.”

Beyond shoring up recruiting practices for information security roles, organizations of all types should consider other tactics, such as providing continual education opportunities, advocating in local and online communities, and inevitably replacing some of that human talent with automation.


This article was provided by our service partner : webroot.com 

Internet Security : How to Avoid Phishing on Social Media

From Facebook to LinkedIn, social media is flat-out rife with phishing attacks. You’ve probably encountered one before… Do fake Oakley sunglasses sales ring a bell?

Phishing attacks attempt to steal your most private information, posing major risks to your online safety. It’s more pressing than ever to have a trained eye to spot and avoid even the most cunning phishing attacks on social media.

Troubled waters

Spammers on social media are masters of their craft and their tactics are demonstrably more effective than their email-based counterparts. According to a report by ZeroFOX, up to 66 percent of spear phishing attacks on social media sites are opened by their targets. This compares to a roughly 30 percent success rate of spear phishing emails, based on findings by Verizon.

Facebook has warned of cybercriminals targeting personal accounts in order to steal information that can be used to launch more effective spear phishing attacks. The social network is taking steps to protect users’ accounts from hostile data collection, including more customizable security and privacy features such as two-factor authentication. Facebook has also been more active in encouraging users to adopt these enhanced security features, as seen in the in-app message below.

[Image: Facebook in-app message encouraging users to enable its enhanced security features]

Types of social phishing attacks

 

Fake customer support accounts

The rise of social media has changed the way customers seek support from brands, with many people turning to Twitter or Facebook over traditional customer support channels. Scammers are taking advantage of this by impersonating the support accounts of major brands such as Amazon, PayPal, and Samsung. This tactic, dubbed ‘angler phishing’ for its deepened deception, is rather prevalent. A 2016 study by Proofpoint found that 19% of social media accounts appearing to represent top brands were fake.

To avoid angler phishing, watch out for slight misspellings or variations in account handles. For example, the Twitter handle @Amazon_Help might be used to impersonate the real support account @AmazonHelp. Also, the blue checkmark badges next to account names on Twitter, Facebook, and Instagram let you know those accounts are verified as being authentic.
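
One way to automate the handle check described above, as an added example that is not part of the original article: normalize a handle (case, separators, digit-for-letter swaps) and compare it against an allow-list of verified support accounts. Only @AmazonHelp comes from the article; the second allow-list entry, the homoglyph table and the similarity threshold are assumptions.

```python
# Added example, not from the original article: flag social-media handles that
# imitate a brand's verified support account ("angler phishing").
# The only official handle taken from the article is @AmazonHelp; the
# allow-list, the homoglyph table and the threshold are assumptions.
import re
from difflib import SequenceMatcher

# Assumed allow-list of verified support handles, stored lowercase.
OFFICIAL_HANDLES = {"@amazonhelp", "@examplebrandsupport"}  # second entry is constructed

# Digits commonly swapped in for look-alike letters (illustrative mapping).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(handle: str) -> str:
    """Reduce a handle to its visual core: case, separators and homoglyphs removed."""
    core = handle.lower().lstrip("@")
    core = re.sub(r"[._\-]", "", core)
    return core.translate(HOMOGLYPHS)


def classify_handle(handle: str, official=OFFICIAL_HANDLES, threshold: float = 0.8) -> str:
    """Return 'official', 'lookalike', 'suspicious' or 'unrelated' for a handle."""
    if handle.lower() in official:
        return "official"
    core = normalize(handle)
    best = 0.0
    for real in official:
        real_core = normalize(real)
        if core == real_core:
            # Differs only by separators or swapped characters, e.g. @Amazon_Help
            return "lookalike"
        best = max(best, SequenceMatcher(None, core, real_core).ratio())
    return "suspicious" if best >= threshold else "unrelated"


if __name__ == "__main__":
    for h in ("@AmazonHelp", "@Amazon_Help", "@AmazonHe1p", "@Amaz0nHelpDesk", "@xyz123"):
        print(h, "->", classify_handle(h))
```

A "lookalike" verdict means the handle is visually identical to a verified one once separators and swapped characters are removed; "suspicious" catches longer variants such as a brand name with "Desk" appended. In practice the allow-list is the set of handles you confirmed from the company's own website, as the article recommends.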

Spambot comments

Trending content such as Facebook Live streams are often plagued with spammy comments from accounts that are typically part of an intricate botnet. These spam comments contain URLs that link to phishing sites that try to trick you into entering your personal information, such as a username and password to an online account.

It is best to avoid clicking any links on social media from accounts you are unfamiliar with or otherwise can’t trust. You can also take advantage of security software features such as real-time anti-phishing to automatically block fake sites if you accidentally visit them.

Dangerous DMs

Yes, phishing happens within Direct Messages, too. This is often seen from the accounts of friends or family that might be compromised. Hacked social media accounts can be used to send phishing links through direct messages, gaming trust and familiarity to fool you. These phishing attacks trick you into visiting malicious websites or downloading file attachments.

For example, a friend’s Twitter account that has been compromised might send you a direct message with a fake link to connect with them on LinkedIn. This link could direct to a phishing site like the one below in order to trick you into giving up your LinkedIn login.

[Image: LinkedIn phishing example showing a fake sign-on page]

While this site may appear to look like the real LinkedIn sign-on page, the site URL in the browser address bar reveals it is indeed a fake phishing site. 

Phony promotions & contests 

Fraudsters are also known to impersonate brands on social media in order to advertise nonexistent promotions. Oftentimes, these phishing attacks will coerce victims into giving up their private information in order to redeem some type of discount or enter a contest. Know the common signs of these scams such as low follower counts, poor grammar and spelling, or a form asking you to give up personal information or make a purchase.

The best way to make sure you are interacting with a brand’s official page on social media is to navigate to their social pages directly from the company’s website. This way you can verify the account is legitimate and you can follow the page from there.

 


Internet Security : Why is ransomware still so successful?

There’s no end to ransomware in sight. It’s a simple enough attack — install malware, encrypt data/system, and ask for the ransom — so why aren’t we stopping ransomware? Security vendors are keenly aware of the issue, as well as the attack vectors and methods, but can’t seem to stay a step ahead, causing ransomware to grow from $1 billion in damages in 2016 to an estimated $5 billion in 2017. There are two basic reasons ransomware continues to be a “success” for cyber criminals.

Reason 1: Malware authors are getting better at their craft

Just when we think we’re getting on top of the ransomware problem, our adversaries alter their tactics or produce new techniques to replicate and cause damage and misery. We’ve recently seen ransomware like WannaCry take advantage of unpatched vulnerabilities in the Windows SMB service to propagate around networks, especially those that had SMB open to the internet — a clever technique borrowed from mid-to-late 90s Windows worm malware like Sasser. We’ve also seen malware writers develop new techniques for installing malicious code onto computers via Microsoft Office. While the threat posed by malicious macros in Office documents has existed for a number of years, we’re now seeing the use of a Microsoft protocol called Dynamic Data Exchange (DDE) to run malicious code. Unlike macro-based attacks, the DDE attack doesn’t give the user a pop-up, prompt or warning, so exploitation is far more effective and successful.

The technological advances made by malware authors are significant, but their soft skills, like social engineering, also keep on getting better. Improved writing, more realistic email presentation, and even solid social engineering tactics all contribute to the increase in their success.

And if you’re good at what you do, make it a service and profit on those that have a similar interest, but lack your skills. Thus, “crime-as-a-service” and “malware-as-a-service” now exist, further perpetuating the ransomware problem. The availability and ease of use of these platforms means anyone can turn to cybercrime and ransomware with little or no coding or malware experience. These platforms and networks are run by organized cybercrime gangs, for vast profits, so we won’t see them going away any time soon.

Reason 2: We’re causing our own problems

Of course, there’s still one large problem many of us have not dealt with yet, and that’s the weaknesses we ourselves cause that become the entry way for the cybercriminals. WannaCry was so successful because it leveraged an unpatched Windows vulnerability. NotPetya did the same. So, what are the weaknesses?

  1. A lack of patching – We continue to shoot ourselves in the foot here, because we don’t have solid protection and prevention routines that include the patching of operating systems and applications — especially those leveraged by ransomware authors to gain access.
  2. Not enough (reliable) backups – A lack of validated backups — the primary ransomware recovery tool — can leave us out in the cold and unproductive. It’s a simple equation: if you have backups, you choose recovery over ransom.
  3. User awareness – Users simply don’t understand the threat, the impact, or the cost of a ransomware infection. But, nor should they really — they have a job to do in accounting or sales, not IT security. Even so, putting in solid phishing training and testing can make a material difference.
  4. A lack of least privilege – The more access a user has, the greater scope of infection the ransomware can have. With 71% of end users saying they have access to company data they should not be able to see[1], IT has some serious work to do to ensure privileges are locked down.
  5. No layered defense – A single security solution, such as an antivirus, can only do so much to protect the organization. You need solutions like IPS, an email gateway, endpoint protection, and more all working in concert to give ransomware as little a chance of succeeding as possible.

Doing something about the ransomware problem

What should you do to stop ransomware being so successful? Hide? Run away? Unplug the internet? None of those ideas is likely to solve this problem, although out of sight and all that. I briefly mentioned above the idea of many thin layers of defense, and while ‘defense in depth’ might seem a little old school and became extinct when we lost control of the network perimeter, there are some ideas we can borrow:

  1. Defense in depth – Make sure you have a solid, proactive security stance in place, including: patching, least privilege, user training, etc.
  2. Protect the endpoint – Desktop and endpoint protection solutions can offer some degree of protection, however, keep in mind that malware can adapt itself to these solutions and circumvent them.
  3. Plan for the worst – Ransomware seems to find a way and you need to make sure you can recover when it does. Backups, off-site backups and backups on different media types are essential. Make sure you test their recovery too, as you don’t want to be finding out how to restore a backup in anger. They say you train hard to fight easy. Never has that been more true for IT contingency planning.

Get these three things right, and you’ll be a lot closer to stopping the rain of ransomware from ruining your day, night or weekend.

 


This article was provided by our service partner : Veeam.com

Security : Worst passwords of 2017 : From ‘123456’ to ‘STARWARS’

Using any of the logins on the list would put you ‘at grave risk for identity theft’

The worst passwords of the year have been revealed in a new report.

“123456” tops the list, as it did in 2016, 2015, 2014 and 2013. For the fourth consecutive year, the next entry on the list is “password”. Variations of each of them comprise six of the other 23 entries in the top 25. “12345678”, “qwerty” and “12345”, meanwhile, complete the top five.

“Use of any of the passwords on this list would put users at grave risk for identity theft,” said SplashData, which released the report.

The company says it “estimates that almost 10 per cent of people” have used at least one of this year’s selection of the 25 worst passwords, and “nearly 3 per cent of people” have used the outright worst password, 123456. It adds that the passwords evaluated for the report were mostly held by people in North America and Western Europe.

“These past two years have been particularly devastating for data security, with a number of well publicized hacks, attacks, ransoms, and even extortion attempts. Millions of records have been stolen,” said SplashData.

The 2017 edition of the list was compiled from more than five million passwords that leaked during the year. However, any login details that leaked as a result of the enormous Yahoo email breach and hacks of adult websites were not considered for the report. SplashData recommends using passwords that are at least 12 characters long, comprising a mix of different character types and both upper- and lowercase letters. The company says you should also use a different password for each of your logins. This, however, can cause a completely different set of problems, as it can be tough to remember multiple logins.

You can save yourself some hassle by signing up to a password manager. “Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure,” said SplashData CEO Morgan Slain.

“Our hope is that our Worst Passwords of the Year list will cause people to take steps to protect themselves online.”

The 25 worst passwords of the year are:

  1. 123456 (unchanged from 2016 list)
  2. password (unchanged)
  3. 12345678 (up one place)
  4. qwerty (up two places)
  5. 12345 (down two places)
  6. 123456789 (new entry)
  7. letmein (new entry)
  8. 1234567 (unchanged)
  9. football (down four places)
  10. iloveyou (new entry)
  11. admin (up four places)
  12. welcome (unchanged)
  13. monkey (new entry)
  14. login (down three places)
  15. abc123 (down one place)
  16. starwars (new entry)
  17. 123123 (new entry)
  18. dragon (up one place)
  19. passw0rd (down one place)
  20. master (up one place)
  21. hello (new entry)
  22. freedom (new entry)
  23. whatever (new entry)
  24. qazwsx (new entry)
  25. trustno1 (new entry)
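
The SplashData guidance above (12+ characters, a mix of character types, both letter cases, and no lightly "tweaked" version of a known bad password) can be turned into a simple checker. The following is an added example, not code from the article or from SplashData; the leetspeak and trailing-digit normalization it applies is an assumption about how people typically tweak a weak password.

```python
# Added example, not from the original article: check a candidate password
# against the 25 entries listed above and SplashData's stated guidance
# (12+ characters, a mix of character types, both letter cases).  The
# "tweak" normalisation (case, leetspeak, trailing digits/symbols) is an
# assumption added to catch the lightly edited variants the article warns about.
import re

WORST_PASSWORDS_2017 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx", "trustno1",
]
WORST_SET = set(WORST_PASSWORDS_2017)

# Common substitutions people use to "tweak" a weak password (illustrative).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def tweak_forms(password: str) -> set:
    """All the weaker passwords this one could be a light edit of."""
    lowered = password.lower()
    forms = {lowered}
    stripped = re.sub(r"[^a-z0-9]+$", "", lowered)    # drop trailing symbols
    forms.add(stripped)
    forms.add(re.sub(r"\d+$", "", stripped))          # drop trailing digits
    forms |= {f.translate(LEET) for f in list(forms)}  # undo leetspeak
    return forms


def is_worst_or_tweaked(password: str) -> bool:
    """True if the password, or a de-tweaked form of it, is on the list."""
    return any(form in WORST_SET for form in tweak_forms(password))


def check_password(password: str) -> list:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_lower and has_upper):
        problems.append("does not mix upper- and lowercase letters")
    if sum((has_lower, has_upper, has_digit, has_symbol)) < 3:
        problems.append("uses fewer than three character types")
    if is_worst_or_tweaked(password):
        problems.append("is on the worst-passwords list or a simple tweak of one")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2017!", "LetMeIn2018", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The point of the normalization is the one Morgan Slain makes: "P@ssw0rd2017!" satisfies every length and character-class rule, yet it still reduces to "password" once the substitutions and trailing digits are undone, so the checker rejects it.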

Ransomware Variants an MSP Should Watch Out For

We can all agree that ransomware is one of the biggest and most destructive threats managed service providers and their clients have faced in recent years. Currently, there are well over 120 separate ransomware families, and there’s been a 3,500% increase in cyber criminal internet infrastructure for launching attacks since the beginning of 2016. And nearly 90% of MSPs report their clients have been hit by ransomware in the last year. But, in spite of these numbers, nearly 70% of MSPs still aren’t completely confident their clients’ endpoints are secure against these insidious attacks.

Know Your Enemy

In addition to maintaining up-to-date endpoint security that uses real-time analysis to detect zero-day attacks, it’s important to know your enemy. Cybersecurity provider Webroot recently put together a list of the top 10 nastiest ransomware variants of 2017. You’ve probably heard of the big, newsworthy names that made the list, like WannaCry, NotPetya, and Locky, but here are a few more MSPs should watch out for.

  1. CrySis
    CrySis attacks by compromising Remote Desktop Protocol (RDP). RDP is a common method for deploying ransomware because criminals can get into admin accounts that have access to an entire organization. First detected in February 2016, CrySis took some time to spread, and really came into its own in 2017.
  2. Nemucod
    This ransomware variant arrives via phishing emails disguised as a shipping invoice. Nemucod downloads malware and encryption components stored on hacked websites, and would have most likely been the worst of the phishing email attacks for the year, had Locky not resurfaced in August.
  3. Jaff
    Like Nemucod and Locky, Jaff uses phishing emails to spread. It also uses similar techniques to other successful ransomware attacks, including Dridex.
  4. Spora
    This ransomware is distributed by legitimate websites that have been compromised with malicious JavaScript code. The sites display a pop-up prompt to visitors, instructing them to update their Chrome browsers to continue viewing the page. But when the unsuspecting user downloads the “Chrome Font Pack”, they get the infection instead.
  5. Cerber
    Cerber also uses phishing and RDP, but unlike some of its colleagues, it distributes ransomware-as-a-service (RaaS). This “service” allows aspiring cybercriminals to use pre-packaged ransomware tools as they choose, while the Cerber author gets a 30% cut of any profits made.

Keeping Your Clients Safe

There are a number of steps an MSP can take to keep clients safe.

  • First, educate your clients. Be sure to teach them how to spot suspicious emails and how to check legitimacy any time an email seems a little off. We also recommend implementing an end user cybersecurity training program.
  • Second, keep applications and plugins up to date, and make sure your clients are using reliable cloud-based antimalware, web filtering, and firewalls.
  • Third, use your operating system to your advantage. Set up Windows® OS policy restrictions, disable auto-run, disable VBS, and filter executables from emails.
  • Fourth, ensure your clients run regular backups, set up offline air gap backups with multiple copies of each file, and maintain up-to-date business continuity measures.
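
The "filter executables from emails" step, and the Nemucod-style invoice lure described earlier, can be illustrated with a small attachment screener. This is an added example, not code from Webroot or ConnectWise: it flags executable and double extensions (invoice.pdf.exe), checks for the Windows executable header regardless of file name, and looks inside zip archives without extracting them. The extension list and the sample attachments are constructed for illustration.

```python
# Added example, not from the original article: screen an inbound e-mail
# attachment for executable content the way a mail gateway filter might.
# Extension list and sample attachments are constructed for illustration.
import io
import os
import zipfile

# File types Windows will execute (or script hosts will run) when double-clicked.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".jar",
}
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"  # DOS stub header every Windows executable starts with


def name_findings(label: str, filename: str) -> list:
    """Flag executable and double extensions such as invoice.pdf.exe."""
    findings = []
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"{label}: executable extension {ext}")
        if os.path.splitext(root)[1]:
            findings.append(f"{label}: double extension disguises the file type")
    return findings


def magic_findings(label: str, filename: str, head: bytes) -> list:
    """Flag content that is a Windows executable regardless of its name."""
    ext = os.path.splitext(filename.lower())[1]
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        shown = ext or "missing"
        return [f"{label}: content is a Windows executable despite the {shown} extension"]
    return []


def inspect_attachment(filename: str, content: bytes) -> list:
    """Return a list of findings for one attachment; empty means nothing flagged."""
    findings = name_findings(filename, filename) + magic_findings(filename, filename, content[:2])
    if content.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as archive:
                for member in archive.infolist():
                    if member.is_dir():
                        continue
                    label = f"{filename}/{member.filename}"
                    with archive.open(member) as fh:
                        head = fh.read(2)  # read only the header, never the whole member
                    findings += name_findings(label, member.filename)
                    findings += magic_findings(label, member.filename, head)
        except zipfile.BadZipFile:
            findings.append(f"{filename}: claims to be a zip archive but cannot be parsed")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a 'shipping invoice' archive carrying a script file, as in the Nemucod lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("shipping_invoice.pdf.js", "// constructed placeholder text, not a real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # constructed PE-like header
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,        # executable hiding behind a document name
        "shipping_invoice.zip": build_sample_zip(),
        "notes.txt": b"hello",
    }
    for name, data in samples.items():
        print(name, "->", inspect_attachment(name, data) or "clean")
```

Reading only the first bytes of each archive member keeps the filter cheap and avoids decompressing a hostile archive in full; a production gateway would layer this under its antimalware scanning rather than replace it.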

This article was provided by our service partners Webroot & Connectwise.

Internet Security : New Cryptojacking Tactic may be Stealing Your CPU Power

What if cybercriminals could generate money from victims without ever delivering malware to their systems? That’s exactly what a new phenomenon called “cryptojacking” entails, and it’s been gaining momentum since CoinHive first debuted the mining JavaScript a few months ago.

The intended purpose: whenever a user visits a site that is running this script, the user’s CPU will mine the cryptocurrency Monero for the site owner. This isn’t money out of thin air, though. Users are still on the hook for CPU usage, the cost of which shows up in their electric bill. While it might not be a noticeable amount on your bill (consumer CPU mining is very inefficient), the cryptocurrency adds up fast for site owners who have a lot of visitors. CoinHive’s website claims this is an ad-free way for website owners to generate enough income to pay for the servers. All altruistic excuses aside, it’s clear threat actors are abusing the tactic at the victims’ expense.

[Image: CPU usage spiking to 100% while the browser is on the site]

In the image above, we can see that visiting this Portuguese clothing website causes my CPU to spike up to 100%, and the browser process will use as much CPU power as it can. If you’re on a brand new computer and not doing anything beyond browsing the web, a spike like this might not even be noticeable. But if you’re using a slower computer, just navigating the site will become very sluggish.

Cybercriminals using vulnerable websites to host malware isn’t new, but injecting sites with JavaScript to mine Monero is. In case you’re wondering why this script uses Monero instead of Bitcoin, it’s because Monero has the best hash rate on consumer CPUs and has a private blockchain ledger that prevents you from tracking transactions. It’s completely anonymous. Criminals will likely trade their Monero for Bitcoin regularly to make the most of this scam.

CoinHive’s JavaScript can be seen in this website’s HTML:

[Image: CoinHive JavaScript visible in the site’s HTML source]

CoinHive maintains that there is no need to block their scripts because of “mandatory” opt-ins:

“This miner will only ever run after an explicit opt-in from the user. The miner never starts without this opt-in. We implemented a secure token to enforce this opt-in on our servers. It is not circumventable by any means and we pledge that it will stay this way. The opt-in token is only valid for the current browser session (at max 24 hours) and the current domain. The user will need to opt-in again in the next session or on a different domain. The opt-in notice is hosted on our servers and cannot be changed by website owners. There is no sneaky way to force users into accepting this opt-in.”

For reference, here’s what an opt-in looks like (assuming you ever do see one):

[Image: example of the CoinHive opt-in notice]

 

Why Webroot blocks cryptojacking sites

Unfortunately, criminals seem to have found methods to suppress or circumvent the opt-in—the compromised sites we’ve evaluated have never prompted us to accept these terms. Since CoinHive receives a 30% cut of all mining profits, they may not be too concerned with how their scripts are being used (or abused). This is very similar to the pay-per-install wrappers we saw a few years ago that were allegedly intended for legitimate use with user consent, but were easily abused by cybercriminals. Meanwhile, the authors who originated the wrapper code made money according to the number of installs, so the nature of usage—benign or malicious—wasn’t too important to them.

To protect our users from being exploited without their consent, we at Webroot have chosen to block websites that run these scripts. Webroot will also block pages that use scripts from any CoinHive copycats, such as the nearly identical Crypto-Loot service.

There are a few other ways to block these sites. You can use browser extensions like Adblock Plus and add your own filters (see the complete walkthrough here). If you’re looking for more advanced control, extensions like uMatrix will allow you to pick and choose which scripts, iframes, and ads you want to block.
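
As an added example (not Webroot’s code, and not how Webroot’s product classifies sites), here is the kind of check a site owner or analyst can run over a page’s HTML to spot the script indicators shown in the screenshot above. The domain and token lists are assumptions based on the two services the article names; the sample HTML is constructed.

```python
# Added example, not from the original article: scan a page's HTML for the
# script indicators of a browser miner.  The domain names come from the
# services the article names (CoinHive, Crypto-Loot); the exact domain list,
# the inline-token list and the sample HTML are assumptions/constructed data.
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_DOMAINS = {"coinhive.com", "crypto-loot.com"}       # assumed blocklist
MINER_TOKENS = ("coinhive", "crypto-loot", "cryptoloot")  # strings to look for in inline JS


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def script_host(src: str) -> str:
    """Hostname of a script URL; scheme-relative (//host/...) URLs are handled too."""
    return (urlparse(src).hostname or "").lower()


def find_miner_indicators(html: str) -> list:
    """Return human-readable hits for every miner indicator found in the HTML."""
    collector = ScriptCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        host = script_host(src)
        if any(host == d or host.endswith("." + d) for d in MINER_DOMAINS):
            hits.append(f"external script from {host}: {src}")
    for body in collector.inline:
        lowered = body.lower()
        for token in MINER_TOKENS:
            if token in lowered:
                hits.append(f"inline script references '{token}'")
                break
    return hits


# Constructed sample modelled on the screenshot described above.
SAMPLE_HTML = """<html><head>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER");</script>
</head><body><p>shop</p></body></html>"""

CLEAN_HTML = """<html><head><script src="/static/app.js"></script>
<script>console.log("hello");</script></head><body></body></html>"""

if __name__ == "__main__":
    print(find_miner_indicators(SAMPLE_HTML))
    print(find_miner_indicators(CLEAN_HTML))
```

A check like this is how a site owner notices that a compromised page is serving a miner to visitors; the browser-side blocking the article describes (Adblock Plus filters, uMatrix) works on the same indicators, matching the script’s host against a filter list.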


This article was provided by our service partner Webroot.com 

 


Security : Why You Should Use a VPN on Public WiFi

Working remotely? It only takes a moment on a free WiFi connection for a hacker to access your personal accounts. While complimentary WiFi is convenient, protecting your connection with a VPN is the best way to stay safe on public networks, keeping your data and browsing history secure.

What is a VPN?

VPN stands for “virtual private network” and is a technology that can be used to add privacy and security while online. It’s specifically recommended when using public WiFi, which is often less secure and often not password protected.

VPNs act as a bulletproof vest for your internet connection. In addition to encrypting the data exchanged through that connection, they help safeguard your data and can enable private and anonymous web browsing. However, even if you’re using a VPN, you must still be careful about clicking on suspicious links and downloading files that may infect your computer with a virus. Protecting yourself with antivirus software is still necessary.

When and why should you use a VPN?

When checking into your hotel, connecting to the WiFi is often one of the first things you do once settling in. While it may sound like a tempting offer, logging in to an unsecured connection without a VPN is a very bad idea. In July, ZDNet reported the return of hacker group DarkHotel, which aims to target hotel guests’ computers after they have logged on to the building’s WiFi. Once it has compromised a guest’s WiFi connection, the hacker group can then leverage a series of phishing and social engineering techniques to infect targeted computers.

Traveling and lodging is just one example of when you can use a VPN to help stay secure and avoid potential attacks; however, anyone can benefit from using a VPN.

From checking Facebook on an airport hotspot, accessing your company files while working remotely or using an open network at your local coffee shop, regardless of the scenario, using a public WiFi can potentially put the data you’re sending over the internet at risk.


This article was provided by our service partner Webroot


Internet Security – Two-Factor Authentication: Why & How You Should Use it

Conventional wisdom about passwords is shifting, as they are increasingly seen as a less-than-ideal internet security measure for securing digital accounts. Even the recommended rules for creating strong passwords were recently thrown out the window. Average users are just too unreliable to regularly create secure passwords that are different across all accounts, so using technology to augment this traditional internet security is imperative.

From online banking to email to cloud-based file storage, much of our high-value information is in danger if a hacker gains access to our most frequently visited sites and accounts. That’s where two-factor authentication comes in.

Two-factor authentication (2FA) adds an extra layer of security to your basic login procedure. When logging into an account, the password is a single factor of authentication, and requiring a second factor to prove you are who you say you are is an added layer of security. Each layer of security that you add exponentially increases protection from unauthorized access.

Three categories of two-factor authentication:
  1. Something you know, such as a password.
  2. Something you have, such as an ID card, or a mobile phone.
  3. Something you are, a biometric factor such as a fingerprint.

The two factors required should come from two different categories. Often, the second factor after entering a password is a requirement to enter an auto-generated PIN code that has been texted to your mobile phone. This combines two different categories: something you know (your password) and something you have (your mobile phone to receive a code in SMS text or code from a 2FA app).

Protect accounts with an extra layer of security

Popular social media sites, including Twitter, Facebook, Instagram and Pinterest, have added 2FA to help protect users. In addition, you may have noticed that services from companies such as Apple, Google and Amazon will notify you via email each time you log in from a different device or location.

While 2FA from an SMS text message is popular and much more secure than a password alone, it is one of the weaker types of 2FA. This is because it’s relatively easy for an attacker to gain access to your SMS texts. When you log in to your account and it prompts for an SMS code, the website then sends the code to a service provider and then that goes to your phone.

This is not as secure as everyone thinks, because the phone number is the weakest link in the process. If a criminal wanted to steal your phone number and transfer it to a different SIM card, they would only need to provide an address, the last four digits of your social security number, and maybe a credit card number.

This is exactly the type of data that is leaked in large database breaches, a tactic to which most Americans have fallen victim at some point or another. Once the attacker has changed your phone number to their SIM card, they essentially have your number and receive all your texts, thus compromising the SMS 2FA.

Many people are guilty of using weak passwords or the same login information across several accounts, and if this sounds like you, we recommend that you use authenticator apps such as Google Authenticator and Authy. These apps are widely supported and easy to set up.

Simply go to the “account settings” section on the site you want to enable. There should be an option for 2FA if it is supported. Use the app on your phone to scan the QR code and, just like that, it’s configured to give you easy six-digit encrypted passwords that expire every 30 seconds.

What happens when you’re not using sites that have 2FA enabled? Quite simply, security is not as tight and there’s a higher risk of a hacker gaining access to your accounts. Depending on what is stored, your credit card information, home address, or other sensitive data could be stolen and used to commit fraud or sold on the DarkWeb.

And until passwords are put to death completely, be sure to heed a few safety tips from Gary Hayslip, Webroot CISO, in addition to using two-factor authentication:

“Change passwords periodically, do not recycle passwords, don’t use the same password for your social media account and your bank account, and finally store your passwords in a safe place. Consider using some type of password vault program, avoid keeping passwords on a Post-it note under your keyboard, on your monitor or in a drawer near your computer.” – Webroot CISO Gary Hayslip

This article was provided by our service partner : webroot.com

Internet Security : 10 Fundamentals to Fight Breach Fatigue

You don’t have to spend a lot of years in internet security to experience a phenomenon that’s been dubbed breach fatigue: the tendency to get tired of hearing about data security breaches. Breach fatigue can affect people differently based on their professional roles. For IT managers at smaller companies, breach fatigue can lead to a “why bother?” attitude. After all, if a major bank that spends hundreds of millions of dollars a year on internet security can still get hacked, is there any hope for small to midsize businesses?

Unfortunately for MSPs, attitudes like that can undermine your efforts to sell security products and services, so it is important to be ready with a response to this rebuttal. For example, I would say: “Your chances of surviving a cyberattack are actually quite high IF you’ve taken care of the fundamentals.” Before I describe those fundamentals, let me explain why I am confident in that statement.

First, I should note that each time a new data breach makes headlines, it adds to the workload for security researchers. Why? Because we want to find out how that breach happened so we can tell people how to avoid succumbing to the same type of attack. Unfortunately, it can take days or weeks, sometimes even years before we get the full story (which often differs from the first reports of the event).

Remember when JPMorgan Chase suffered what prosecutors later described as “the largest theft of customer data from a US financial institution in history”? When the news of that breach first got out, there was talk of a sophisticated nation state attack, even Russian involvement. We later learned that, although the bank had very sensibly installed two-factor authentication on its servers, it had missed one. That one server was how the hackers, con artists rather than a nation state, got in.

More recently we learned that an even more shocking breach – Equifax – was due to a failure to patch a well-publicized vulnerability (the congressional testimony of the Equifax CEO, who stepped down in the wake of the breach, suggested that the responsibility for patching rested with one person, who apparently slipped up). Back when Target was breached, internet security alarm bells were ignored and people failed to notice plaintext files full of credit card data being shipped to unapproved FTP servers in Russia.

The overarching theme here is that taking proper care of the fundamentals I’m about to discuss would have stopped many big-name breaches from happening. The good news for smaller companies is that they are likely to have fewer servers to watch over, fewer rogue projects flying under the radar, and simpler data flows to monitor.

So here is my pick of 10 fundamentals which, when properly managed, will go a long way in thwarting the bad guys:

1. Timely patching of vulnerabilities
2. Endpoint protection on all endpoints, including servers, at all times
3. Encryption of data at rest
4. Multi-factor authentication on all remote access, RDP, etc.
5. Network segmentation
6. Network monitoring / data loss prevention
7. Removable media controls
8. Backup and recovery plan
9. Incident response plan
10. Employee security awareness

Yes, that’s a lot of work, but if your customers get it done, their odds of both avoiding and surviving breaches will improve greatly.


This article was provided by our service partner: ESET.

Cisco Umbrella

Cisco Umbrella Has Something New for MSPs

The threat landscape continues to get more sophisticated and complex. In a continued partnership to help MSPs protect their clients, Cisco is excited to announce a new Advanced Cisco Umbrella package specifically designed to help MSPs deliver even deeper protection.

As part of the Cisco Umbrella rollout for MSPs Advanced, centrexIT has become an early adopter. centrexIT, an award-winning Managed Services Provider in Southern California, stands out in the IT industry with a unique take on information technology and business alignment. Although their clients engage with them to support their business technology, network health, cybersecurity, and more, centrexIT’s most important metric isn’t how well the technology is working. It’s how to make their client’s lives easier, more productive, and ultimately make them more profitable. A large part of that goal in 2018, and beyond, is practicing good cybersecurity management.

“We value people over technology,” says Eric Rockwell, CEO of centrexIT. “And that commitment to our Culture of Care in turn leads us to focus on providing excellence in service while using technology that meets the highest of standards.”

That standard is even higher when it comes to security — especially in the face of the many high-profile security breaches that have taken place across the tech industry over the past few years.

“Without following the standards for good cybersecurity controls and adhering to applicable regulations, you’re at a much higher risk of your information being breached — and that’s what you’re seeing on the daily news,” Rockwell says.

Cisco plays a major role in helping centrexIT protect their clients. As long-time partners with Cisco, centrexIT was given the opportunity to be the first to adopt Cisco’s latest security features.

“centrexIT is in the process of transitioning to a Next Gen MSP — an MSP with an MSSP (Managed Security Services Provider) practice,” Rockwell says. “We’re expecting huge growth in our MSSP line of business next year, both from existing MSP clients buying MSSP services as well as non-MSP clients buying MSSP services. Our focus on quality and security will only continue to grow as our clients keep demanding it.”

With the company’s growth and the Culture of Care at the forefront, the centrexIT team was more than ready to adopt the latest features.

“We’re using the new Cisco Umbrella features such as file inspection with anti-virus (AV) engine, Cisco Advanced Malware Protection (AMP), and custom URL blocking to help further protect our clients,” Rockwell says.

File inspection provides centrexIT with even deeper protection. When Umbrella receives a DNS request, it uses threat intelligence to determine whether the request is safe, malicious, or risky — meaning the domain hosts both malicious and legitimate content. Safe requests are routed as usual and malicious requests are blocked. Risky requests are routed to Umbrella’s cloud-based proxy for deeper inspection. The Umbrella proxy uses Cisco Talos web reputation and other third-party feeds to determine whether a URL is malicious. With the advanced package, the proxy will also inspect files that users attempt to download from those risky sites, using an anti-virus (AV) engine and Cisco Advanced Malware Protection (AMP). Based on the outcome of this inspection, the connection is allowed or blocked.

Through custom URL blocking, centrexIT has even more control over the information being accessed and over discovering potential security threats. Custom URL blocking gives MSPs the ability to enforce a destination list of malicious URLs. It provides the flexibility to block specific pages without blocking entire domains.

These new security features are a huge plus for centrexIT and its clients. They help fulfill its core value and meet its key metric, says Rockwell. “At the end of the day, our client’s lives are easier and they’re at peace because they know we’re working tirelessly to care for them and keep their information safe and private.”