alt tag

Posts from June, 2016

The “Seven Deadly Sins” of Ransomware

Wednesday, June 29th, 2016



Readers of our blog over the past few years know we were among the first in the Bay Area to warn our customers about the growing threats of ransomware—from the emergence of CryptoLocker and CryptoWall to our federal government’s startling admission that they’re virtually powerless to stop it.

Mostly originating from sophisticated cyber-gangs in Eastern Europe, ransomware may be the most profitable organized crime scheme in the world today.

We weren’t exactly surprised, then, when we received 2016 Will Be the Year Ransomware Holds America Hostage,” a 40-page report from The Institute for Critical Infrastructure Technology (ICIT), a non-profit cybersecurity think tank.

The ICIT report is a comprehensive review of the ransomware landscape—from its earliest origins to the major active strains “in the wild” to the likeliest targets (particularly American small businesses). Today we’d like to highlight the seven delivery channels of ransomware and other malware infections—what we refer to as “The Seven Deadly Sins.”

1. Traffic Distribution Systems (TDS)

If you visit a website and suddenly see an annoying pop-up ad, it’s because the website sold your “click” to a TDS vendor, who contracted with a third-party advertiser. Pop-up blockers have rendered most pop-up ads obsolete, but some of the shadiest TDS vendors contract directly with ransomware groups to spread exploit kits and “drive-by downloads.”

2. Malvertising

As we discussed last July, even trusted web pages can include third party ads embedded with malware-inducing code. One click on a bogus ad can wreak havoc.

3. Phishing Emails

From phony bills and résumés to bogus “unsubscribe” links in annoying spam, email recipients can be tricked into clicking a link allowing an instant viral download of ransomware. Research reveals that despite strong security training, up to 15% of employees still get duped by phishing schemes.

4. Gradual Downloaders

Exploit kits and ransomware can be discreetly downloaded in “segments” over time, evading detection by most anti-virus defenses.

5. Social Engineering

Also known as simple “human ignorance,” a user can be tricked into downloading a phony software update or other trusted download link—even ignoring warning messages (as happened to a friend of ours) only to allow a costly malware infection.

6. Self-Propagation

Once inside a single computer, the most sophisticated ransomware strains can automatically replicate through an entire network via the victim’s address book. ICIT expects that self-replicating ransomware will evolve to infect multiple devices within the Internet of Things.

7. Ransomware as a Service (RaaS)

ICIT predicts that the largest ransomware creators will syndicate “retail versions” of their products to less sophisticated criminals and lower-level hackers who’ll perform the day-to-day grunt work of hunting down new victims around the world. The creator collects a percentage of every successful ransom payment.

In the coming weeks, we’ll continue to examine ransomware and other cyberthreats our customers need to defend against. For more on how to protect your company, contact us.

Is It Time to Switch to Flash Storage?

Tuesday, June 21st, 2016


More and more businesses are switching their storage solutions from hard disk drives (HDDs) to solid state drives (SSDs) for one simple reason: the appeal of faster loading times and increased productivity. However, HDDs can still be the better choice in cases where maximum capacity is more important than performance. Your local managed service provider can help your company determine whether making the switch is worth your while.

Changes in the Market

All the performance boosts in the world won’t matter if the device is prohibitively expensive.

However, SSD prices are quickly falling while HDD prices remain stagnant, making flash storage an increasingly attractive option.

In 2012, SSD storage cost about ten times as much as HDD storage for the same capacity. According to a PC World, the price difference has decreased to four times the cost in 2016, with projections narrowing the gap to three times by 2017. Price-parity could occur between 2017 and 2019.

SSD: Performance, Durability, and Physical Space

Most of the excitement around SSD storage comes from its ability to access data at speeds of up to 100 times faster than HDDs. In addition to faster access, SSDs do not need to move a read/write head around while reading and writing data, so seek times become negligible. This is helpful when working with a massive amount of smaller files, as well as with larger, fragmented files. SSDs are a more durable solution, ideal for devices that move around because they have no moving parts.

HDD: Affordable Capacity and Rewriting

HDDs currently offer the most possible storage space for the lowest possible cost. While HDDs have longer load times than SSDs, comparative performance losses can be minimal, especially in workflows where the storage device is rarely accessed. Flash SSDs aren’t built to handle constant re-writes over the same space thousands of times like HDDs. So HDDs will last longer if your business works with large amounts of data that is constantly overwritten.


Ultimately, your IT consulting firm will make different recommendations depending on the types of devices in use and how those devices are used. When it comes to laptops, the extra investment in an SSD is almost always worth it, especially if the employees are unlikely to use the extra storage space afforded by an HDD of similar cost. Thirty percent of shipped laptops come equipped with an SSD.

With desktop computers, it comes down to the need for a performance boost. If employees aren’t working with a lot of locally stored data on their desktop systems, SSDs afford an impressive performance boost, and the lost storage capacity will go unnoticed. However, HDDs may still win out when it comes to server-based storage. While servers running high-demand applications will see substantial performance boosts when switching to SSDs, the cost difference can still be a hurdle. HDDs still dominate in cases where performance isn’t an issue, as with cold storage.

MSPs are a great asset for determining your company’s optimal data storage solutions. HDDs still have a place in the business environment—but given the current trends, they could be obsolete within a decade.

Where’s Your Company’s WISP? Why You Need One NOW

Tuesday, June 14th, 2016


A WISP is one of the most important documents for any company doing business over the Internet—which, in this day and age, is pretty much everybody. Who’s responsible for drafting and maintaining your company’s WISP? Or are you even sure what a WISP is? If not, your company is already at serious risk for additional legal action—lawsuits and punitive fines—following a data breach, whether the result of external hacking or internal human error.

WISP stands for Written Information Security Programessentially your company’s formal road map for safeguarding the privacy of customers’ Personally Identifiable Information (PII), as well as a response plan after a data breach—including customer notification.

WISPs are already required for companies dealing in financial services (the Gramm–Leach–Bliley Act) or medical health records (HIPAA). Additionally, most states now have their own laws governing data privacy standards for businesses.

Here in California, the California Data Protection Act (Civil Code Section 1798.80-1798.84) requires businesses to “implement and maintain reasonable security procedures” to ensure the electronic privacy of customers’ personal information—their names combined with any of the following:

  • Usernames/passwords for online accounts
  • Social Security/Driver’s License numbers
  • Credit/debit card numbers
  • Medical history/health insurance records

How Much Is “Reasonable”?

The tricky thing here is that the California law doesn’t define what “reasonable security procedures” really are. And if even one of your customers resides out of state, your company is likewise bound by the corresponding data protection laws in that state—such as Massachusetts, where a WISP is a legal business requirement. At a time when new corporate data breaches seem to grab headlines every month, a formal WISP program for any company—large or small—is just good common sense.

Cover All the Bases

What are the elements of a comprehensive, iron-clad WISP? Here are the essential points to cover:

  • The designated person(s) to administrate the WISP
  • An assessment of reasonably foreseeable risks to security/confidentiality of protected PII data
  • Locations where personal information is stored (electronic or hard copies, as well as access from portable devices)
  • Specific measures to safeguard confidential data (encryption, firewalls, security patches, or more)
  • Ongoing employee data security training, with disciplinary policy for WISP violations
  • Monitoring and review of the program’s effectiveness, annually or as necessary
  • Your company’s official breach response plan

The Commonwealth of Massachusetts offers a good WISP template for small businesses here.

Most importantly, if your company is partnered with a managed service provider or other third-party IT services, make sure they’re on board with your WISP program—that they’ll take time to assist in crafting your initial policy in addition to providing regular enforcement and documentation. We certainly will.

Data Sanitization: Are You Erasing Your Old PCs COMPLETELY?

Tuesday, June 7th, 2016


One of our pet peeves with some of our new customers is that once we come in to upgrade their IT network, they’re careless about disposing their old hardware—specifically, their PC hard drives. They think that by simply deleting their existing files—email, customer records, and other sensitive or proprietary data—that information will be fully erased and irretrievable. That couldn’t be further from the truth.

Deleting a file merely tells the computer that the space it occupies on the hard drive is no longer deemed “protected.” It will physically remain on the drive—encoded in ones and zeros—until those binary digits are overwritten by new data.

If your desktop or laptop PC has reached the proverbial “end of the line,” there won’t be any further input to write over those old files. Before it leaves your control forever, you’ll need to take additional steps to ensure its hard memory is absolutely wiped away.

How Clean Is “Clean”?

For many years, the gold standard for data sanitization was the Gutmann method, where the entire drive was manually rewritten—all in ones or zeros, or binary gibberish—a whopping 35 times, or passes. Today there are a range of standards employed around the world. Our Department of Defense (DoD) considers three passes to be sufficient for national security.

Data wiping isn’t as complicated as it might sound, though there are a few differences between the traditional rotating hard disk drives (HDDs) and the smaller, flash-based solid state drives (SSDs) commonly built into laptops. It can actually be a DIY project, thanks to several time-tested freeware utilities favored by IT pros and computer geeks alike:

  • Eraser thoroughly overwrites all or selected files of an HDD drive—from the Gutmann 35-pass standard downward. It can also be configured to wipe specific files or sectors of the drive on a regular basis.
  • Roadkil’s Disk Wipe effectively cleanses data from both internal HDD and SSD drives, via multiple passes (we recommend at least the DoD standard of three).
  • Darik’s Boot and Nuke, commonly known as DBAN, has remained largely unchanged since the earliest versions of Windows (forgive the primitive interface’s resemblance to the infamous “Blue Screen of Death”). While DBAN still holds an excellent reputation as a comprehensive HDD data cleanser, like most utility software of its era, it can take a full day or more to finish the job.

“Non-Technical” Alternatives

It’s also possible to render a hard drive permanently inoperable using simple methods: a hammer, power drill, or hacksaw—anything to physically destroy it. Some electronics recyclers around the Bay Area will feed your hard drive into a shredder, for an additional fee. Whether you rely on software or brute force, never say goodbye to a computer before knowing its hard drive can never be accessed again.

For more ideas about the full “life cycle” of IT data security, talk to us.

Data Breaches: Dark Times in the Golden State?

Wednesday, June 1st, 2016


Being the cyber-security geeks we are, we took great interest in combing through this year’s California Data Breach Report, released by the Attorney General’s office this past February. The report tabulates data collected from breach incidents which expose confidential information of 500 or more individuals, reported to the Attorney General as required by California law since 2012.

Over these past four years, there has been a total of 657 reported incidents, affecting over 49 million Californians—from Social Security and driver’s license numbers to financial accounts to health records, logins, and passwords.

By the Numbers: Not Much News to Us

The breakdown of California data breaches came as little surprise to us:

  • Malware and hacking accounted for over half of all breaches (54%), while responsible for a whopping 90% of all stolen personal records.
  • While physical breaches—lost or stolen unencrypted data on computers and mobile devices—came in a distant second (22%), they were the most reported by healthcare providers and small businesses.
  • Other breaches were attributed to human error (17%) or intentional misuse or unauthorized access by company insiders (7%).

After 178 reported major breaches in 2015 alone, the report estimates almost three in five Californians were victims of loss or theft of data.

Plug the Leaks, Block the Hackers

The second half of the report offers multiple recommendations for preventing data breaches in the future. Specifically discussed is the expanded use of multi-factor authentication (as we’ve already recommended) in place of simple, easy-to-guess user passwords such as “qwerty” or “12345” (as we’ve likewise lamented in a previous post). Stronger encryption standards are needed to protect confidential data, particularly within the healthcare sector.

However, the Attorney General’s primary recommendation is that all business and government organizations adopt their own risk management strategy based around the Critical Security Controls for Effective Cyber Defense, a comprehensive 20-point plan developed by the Center for Internet Security.

While a mishmash of federal and state-to-state regulations offer varying effectiveness against data breaches, the California report cites voluntary compliance with the CIS Controls as “a minimum level of information security that all organizations that collect or maintain personal information should meet,” while falling short of the full 20 standards constitutes “a lack of reasonable security.”

We agree the CIS Controls represent a solid roadmap, effectively “covering all the bases” when it comes to data protection. When you discuss security with a potential MSP partner, mention the CIS Controls as a baseline. If they downplay such a structured approach, you’re probably talking with the wrong vendor.

How well is your company meeting California’s data security guidelines? For a few tips on getting better, ask us today.