Security Posts


Alternative Employee Device Security: Fingerprints, Facial Recognition, and Iris Scans, Oh My!

Tuesday, October 17th, 2017

So far, 2017 has been an eventful year for increasing access to password-alternative smartphone and laptop unlocking techniques. Notably, Samsung added Face unlocking to the Galaxy S8 line and Apple introduced Face ID on the iPhone X. Of particular note, facial recognition is a convenient alternative to the traditional password-entry methods because all a device owner needs to do is look at the screen to unlock the device.

Security or Convenience?

However, these password alternatives still require a master password, so they’re really less about increasing security and more about making it more convenient to sign into a device. Alternative unlocking methods vary greatly in security potential, so it’s prudent for businesses to determine whether each meets reliability standards.

Face Scanning: The New Front-Runner

Face scanning, as its name implies, uses one or more cameras on the screen-side of the device to “scan” the user’s face to determine if the person is allowed to access the device. Unfortunately, face scanning isn’t off to a great start as users have found easy ways to trick the Samsung Galaxy Note 8’s facial recognition with a photograph of the owner. This is a pretty common problem with two-dimensional facial recognition technology.

However, three-dimensional scanning has a much better track record. The iPhone X uses depth scanning on its various tracking points so a photo won’t fool it. According to Apple, the chance two people will have matching Face IDs is one in a million. Depth-based scanning is also available on Windows 10 PCs equipped with an Intel RealSense 3D camera.

Iris Scanning

Iris scanning is a lot like facial recognition scanning except it uses just the eyes instead of the entire face. Found on phones going as far back as the Galaxy S6, iris scanning has similar security strengths and weaknesses to facial recognition scanning.

However, iris scanning isn’t as convenient because it requires a closer view, may not work as well in high-light conditions, and can have issues with glasses.

Fingerprint

Fingerprint scanning has been available on smartphones since 2011 and much longer on laptop computers: it’s the established common alternative to a typed password. It’s reasonably convenient and offers satisfactory security: Apple argues their system has a 1 in 50,000 chance of two people having a matching print. These scanners are commonly used on phones via the “home” or “center” button, while newer phones like the Galaxy S8 sport a scanner on the back of the device.

However, fingerprint scanners have a reputation for being easily fooled. For example, someone could make a “key copy” of the owner’s fingerprint using a dental mold and Play-Doh. While it’s unlikely someone who steals a device through a crime-of-opportunity will be able to get past the fingerprint lock, it is an issue for specifically targeted high-value employee devices.

If your business is looking to review its device security practices, the IT consulting experts at MPA Networks are ready to help. Contact us today!

Equifax Breach: What does it teach us about IT security?

Tuesday, October 3rd, 2017

The 2017 Equifax hack is teaching a painful lesson about the necessity of businesses keeping up with software patches to avoid catastrophic damage. The hack, which resulted in potentially exposing the financial information necessary to steal a person’s identity for 143 million U.S. customers, could have been easily avoided if the company had applied a patch to fix the exploited software vulnerability. This event highlights the importance of patching software in IT security. Applying an update which takes relatively little time can make the difference between business as usual and potentially bankrupting your company.

What Happened?

According to CNN, Equifax failed to apply a software patch to a widely-used tool called Apache Struts, which the company uses for its online dispute portal. The patch in question addressed an established, known security exploit in the software. Running software without applying existing security patches is widely considered the number one biggest cybersecurity risk for both businesses and consumers because hackers know just where to hit.

Hackers took advantage of Equifax’s lack of speed in applying the patch and had a two-month window to break through the company’s online defenses and steal confidential information. The exact information the hackers stole from each customer varies but included items like Social Security numbers, driver’s license numbers, addresses, and birth dates — all of which could be used in identity theft.

Why Should My Business Care?

  • A hack can financially destroy your company: According to TechRepublic, Equifax is looking at a $20.2 billion price tag for repairing the hacking damage, which is a full $8.3 billion more than the company’s market valuation.
  • Lawsuits may follow: As of mid-September 2017, Equifax is facing 23 class action lawsuits over the hack. One of the lawsuits is seeking $70 billion in damages.
  • Executives may lose jobs: In the case of Equifax, a CIO and a CSO are retiring or otherwise leaving the company because of the security breach.

IT Security: Current Changes as a Solution

Unfortunately for those looking for a quick fix, the solution doesn’t come from the machines, but rather the people who use and maintain them. Major hacks like the one against Equifax are a reminder that businesses need to hold IT staff accountable for patching software: it’s not something done when convenient, but on a regular schedule or as soon as possible.

If your business doesn’t want to end up like Equifax, your IT staff should make patch implementation a priority. Making security a higher priority means paying closer attention to when your vendors and software providers issue updates. Your staff can ease the process by applying automatic patching whenever possible and picking a light workday to run regular updates on all machines.

The IT consulting experts at MPA Networks can help answer your questions about IT security and how to keep your business safe. Services like desktop support and management emphasize protecting your staff’s devices from security threats through regular patch maintenance. Contact us today!

Adobe Flash: The Rumors of My Death Have Been Greatly Exaggerated…Until 2020

Tuesday, August 29th, 2017

Adobe Flash, the web content standard the Internet loves to hate, will soon meet its ultimate demise: Adobe will finish phasing out the platform in 2020. Flash, first introduced in the early 2000s, has been on a gradual decline for almost as long as it was on the rise. Fortunately for your company’s IT security, this shift will make your computers safer at the expense of losing support for older web content. Here’s what you need to know about Adobe Flash ending.

Trends in Design

While Flash provides rich content for desktop and laptop computer users, the multimedia software platform received its terminal diagnosis when trends shifted towards the mobile web. Flash’s relevance continued to decline as web sites moved away from running separate desktop and mobile sites by adopting a single “responsive design” which requires Flash-free content.

The Slow Death of Adobe Flash

Late Apple Co-Founder Steve Jobs, who played a major role in creating much of the popular computer technology in use today, is credited with signaling the beginning of the end with his public letter, “Thoughts on Flash.” Instead of weaning iOS devices off of Flash content, Apple opted to avoid supporting the standard altogether on iPhones and iPads in favor of HTML5 and H.264.

While mobile devices were the first to abandon Flash, desktop devices kept it on life-support for a few more years. Google followed suit with dropping Flash from Android devices in 2012 and YouTube switched to HTML 5 as the default video player for all devices in 2015. The standard took more hits in 2016: both Chrome and Firefox started blocking Flash by default, forcing users to “opt-in” to enable any Flash content.

Performance Issues

Flash isn’t great for device battery life or SEO-friendly web design. Flash content is typically CPU intensive and inefficient, so it forces the device to do a lot of work even after downloading content. For example, Flash video can eat through a device’s battery life twice as fast as the same content encoded in H.264. Flash content is also notoriously poor for SEO because search engine crawlers can’t properly examine the content. Additionally, Flash-content can take several times longer to load which translates into a large share of the audience abandoning the page due to speed.

Security Issues with Adobe Flash

Unfortunately for Flash, security issues create a situation where leaving the plug-ins installed on a computer to continue supporting content leaves the device vulnerable to attack. Flash is riddled with security holes. Even after Steve Jobs called out Adobe for the security problems back in 2010, Adobe’s vulnerability patches continue to be met with newly discovered vulnerabilities. Symantec observed and reported Flash vulnerabilities in 2014, 2015, and 2016. Hackers frequently exploit Flash’s security shortcomings to upload malware onto devices.

Is your business ready to operate in a Flash-free world? MPA Networks can help through IT Managed Services and desktop management by helping your business phase out lingering Flash-required software and removing Flash installations on your devices. Contact us today to learn more!

The Internal SMB IT Security Threat: Overconfidence In Cyber Security Preparedness

Tuesday, August 15th, 2017

According to a study published in 2017 by Advisen and Experian, one of the biggest threats facing small businesses comes from within, such as overconfidence in the organization’s ability to protect itself and recover from cyber security attacks. While businesses in the survey aren’t claiming to have exceptional cyber security plans and policies in place, there is a disconnect between how well prepared companies believe they are and how third-party security experts rate them. Modesty is an often overlooked virtue in business cyber security; knowing that your business needs to continually evolve and improve practices is a defense mechanism of its own.

The People Problem

Hackers are shifting their attention to a different part of the system when trying to break in: the human aspect. Hackers are using increasingly sophisticated phishing scams through email, web-linking, and phone calls to trick humans into handing over information instead of dealing with strong technical security implementations.

According to the Experian survey, “80 percent of legal experts and 68 percent of brokers were concerned, versus just 61 percent of risk managers” about whether employees are able to successfully identify and avoid phishing and social engineering attacks. Businesses, then, need to emphasize employee education on avoiding phishing and social engineering attacks.

Internal Vs. External Perspectives

According to the Experian survey, on a preparedness scale of 1-to-5, business risk managers rated their employee education programs 3.36. However, legal experts and data brokers gave those same programs 2.91 and 2.57 scores respectively. This disconnect is important because it shows that businesses tend to realize that they have a lot of room for improvement but they undershoot how far their practices need to grow.

Fortunately, firms aren’t as off-base when it comes to assessing preparedness versus other businesses: 54 percent of companies report that their IT security preparedness is better than their competition. Employees further removed from the metaphorical front-lines may be more confident. According to a Deloitte study, 76 percent of business executives are “highly confident” in their firm’s ability to respond to a cyber security attack.

Looking Ahead

Different businesses face different challenges. According to a FICO survey, telecommunications businesses were the most confident whereas healthcare organizations were the least confident in their company’s cyber security protection. However, the healthcare industry perspective could stem from hackers narrowing-in on the hospitals and healthcare providers as the top target. The legal industry and financial service industry businesses are also major targets for cyber attacks.

The silver-lining in the Experian survey is that businesses and security experts are in agreement on what their biggest security concerns should be: phishing for personal/financial information, ransomware attacks, and IoT vulnerabilities. Is your business looking to improve its cybersecurity practices? The IT consulting experts at MPA Networks can help. Whether it’s through desktop support and management or disaster recovery solutions, your company can always work to improve cyber security. Contact us today!

Addressing the Unique Ransomware IT Security Issues in Healthcare

Tuesday, August 8th, 2017

Ransomware, a type of malware that holds a computer hostage and tries to force the victim to pay money to recover access, is a nightmare for any business, but the healthcare industry faces the more severe side of a ransomware attack. The healthcare industry receives a whopping 15 percent of all ransomware attacks across all industries. It’s therefore essential to look at why the healthcare industry is such a prime target so businesses can adjust their IT security strategies to keep both information and patients safe.

Why is the Healthcare Industry a Prime Target for Ransomware?

While the malware family tree is fairly expansive, the ransomware branch alone is responsible for 72 percent of all malware attacks in hospitals for 2016. Even though industry experts say victims should never pay the ransom, one study found as many as half of victims have done exactly that. Unfortunately, this pattern persists because it works. The healthcare industry, with an emphasis on hospitals, exhibits three behavioral patterns that make it a prime target:

  • Hospitals have a reputation for running on older operating systems with known vulnerabilities hackers can exploit. Hospitals may need to use outdated operating systems to work with vital, legacy software. Alternatively, it could also be an IT oversight. Even Macs are vulnerable to ransomware.
  • Healthcare operations may need access to specific computers and files immediately or they risk losing a patient’s life, so this makes them a prime target to pay the ransom. When faced with paying a $500 unlock fee or risk a patient dying, there’s not enough time to look at other options.
  • Hackers assume healthcare operations are financially well off and can afford to pay the ransom.

Phishing with Spears, Not Nets

Since healthcare operations are such a prime target, hackers are going as far as creating ransomware-infection mechanisms that emulate specific software. For example, the ransomware infection mechanism may create a window that’s designed to look like a common patient information window. However, instead of closing the window or saving changes, the window forces the computer to download malware. These attacks are often aimed at specific employees with top-level-access.

What the Healthcare Industry Can Do

  • Backups Are A Lifeline: The more often your business runs data backups, the less information it stands to lose. Frequent backups allow your business to access versions of files just a few hours to days old, which minimizes the damage ransomware can inflict.
  • Emphasize Keeping Software Up-To-Date: Ransomware rarely reinvents the wheel and instead relies on exploiting known security holes that vendors have already patched up. Making sure every program on every computer in your business updates to the latest version as soon as possible will offer exceptional ransomware protection.
  • Use the Cloud: Ransomware has a very difficult time seizing data from applications run through the cloud. Therefore, switching to a cloud platform offers additional security.

While the healthcare industry is a prime target for malware, all businesses need to be concerned about the many types of ransomware in the wild. If you would like to learn more about how your healthcare business or other type of company can protect itself from ransomware, contact the experts at MPA today!

You might also want to read: The “Seven Deadly Sins” of Ransomware.

Looking at USB/NFC Keys for Extra Account Security

Tuesday, August 1st, 2017

Hijacked accounts are an IT security nightmare, so it makes sense for your company to look at new technology for better ways to keep your digital assets safe. While security professionals are working out new ways to look at what account credentials are, sometimes with mixed results, as with Samsung’s iris scanner, it’s clear that the username/password system alone isn’t enough anymore. According to PC World, a new device-based authentication key called “YubiKey” plugs countless security holes by requiring a physical device to be connected to a computer or smartphone to access accounts.

Increased Security, Tougher to Crack with YubiKey

The authentication device solution owes its lineage to the 2-step verification system, which forces the user trying to access the account to enter a time-sensitive key sent to the user through a secondary device to access an account. Usually, to save effort, these systems flag a device as allowed after a one-time authentication. The YubiKey changes that requirement so that the access key device needs to be physically connected to the device accessing the account: disconnecting the device means logging out of the account. This offers increased security because it prevents people from accessing accounts on stolen, authenticated devices and prevents anyone else from being able to use the account at the same time as the key holder.

Avoiding the SMS Pitfall

Physical authentication devices do not need to transmit a key to the user, only send the key to the site hosting the account, which makes them much more secure. In 2016, hackers found a way to intercept 2-Factor authentication system messages sent over SMS text-messaging, which put a huge dent in the method’s dependability. Hackers strike businesses incredibly frequently, so any way that your company can stay ahead of them helps.

USB is the Standard-Bearer, NFC is Forward-Thinking

The biggest problem many new security methods face stems from cross-device compatibility. If the authentication device won’t work with a person’s computer, phone, or other devices, it’s not going to be widely used. However, the YubiKey works around this problem by being compatible with both the USB ports devices have been using since 1994 and NFC found in many newer devices that may lack a USB port. Supporting standards like USB and NFC eliminates the most substantial barrier between the authentication device and the end-user.

However helpful devices like the YubiKey are, progress doesn’t stop there. A similar device called “Token,” which is a biometric token ring, acts as an authentication device and can also require a fingerprint scan for additional protection. If your business is looking to take a step forward in IT security, contact the experts at MPA Networks today!

Is Your Office Router Secure?

Tuesday, July 25th, 2017

In June 2017, WikiLeaks released secret documents that exposed the tools the CIA uses to infiltrate public and private networks through routers. These documents have shined a light on how easy it is for someone to hack a router.

This raises the question: are your business’s IT security practices keeping your data safe? Is your office router secure? There’s plenty your business can do to protect your routers, which are often loaded with security holes, from nefarious individuals. Here are some tips to help keep your router secure.

How to Secure Office Router: Change the Default Admin Name and Password

It’s very common for routers to ship with manufacturer-specific default admin credentials – these are often as simple as using the name “admin” for the admin name and having a blank password. Changing these to a unique name and secure password will go a very long way in protecting your network. To put the severity of this issue into perspective: hackers took advantage of default credentials on IoT devices to launch a massive attack on important Internet infrastructure servers in late 2016.

The information is easily accessible. There are websites like routerpasswords.com that store the default credential settings for just about any router on the market. However, these sites themselves can be helpful for individuals who reset a device to factory settings and forget the default credentials.

Change the SSID

LifeHacker recommends changing your network’s broadcast name, or SSID, because the default names usually give away the router’s manufacturer and may give hints as to the model number. Knowing the brand makes it much easier to break into a router because manufacturers tend to leave the same security holes across many models.

Change the Firmware

If the router supports alternative firmware like DD-WRT or Tomato, installing either will give the router a security edge. In addition to changing the firmware to something other than what the manufacturer uses, which will render brand-specific firmware exploits useless, these alternative firmware implementations are more secure than what comes stock. If you can’t change the firmware, just make sure your IT staff keeps the router running the latest official version.

Disable Unused Features

Improve router security by turning off any feature your company isn’t using. Disabling features can also disable the security exploits that exist within the features themselves. Unused features can include things like remote administration, Telnet access, WPS, and UPnP.
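The tips above can be turned into a repeatable check. The following is an added example, not code from the original post: it audits a router settings export against each tip, assuming a hypothetical key=value export format (real routers differ, so the key names, the sample values and the vendor SSID list are all constructed for illustration).

```python
import re

# Constructed sample export in a hypothetical key=value format.
SAMPLE_CONFIG = """\
# constructed example, not from a real device
admin_user=admin
admin_password=
ssid=NETGEAR42
firmware_version=1.0.2
remote_admin=on
telnet=on
wps=on
upnp=off
"""

DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root", "user"}
WEAK_PASSWORDS = {"", "admin", "password", "1234", "12345678"}
# Default SSIDs usually start with the vendor name (illustrative list).
VENDOR_SSID = re.compile(r"^(netgear|linksys|tp-link|d-?link|asus|belkin)", re.I)
# Features the post lists as candidates for disabling.
RISKY_FEATURES = {
    "remote_admin": "remote administration",
    "telnet": "Telnet access",
    "wps": "WPS",
    "upnp": "UPnP",
}
ENABLED = {"on", "1", "true", "yes", "enabled"}


def parse_config(text):
    """Parse key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def version_tuple(version):
    """'1.0.10' -> (1, 0, 10), so 1.0.10 sorts after 1.0.2."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(cfg, latest_firmware=None):
    """Return a list of (check_id, message) findings, one per failed tip."""
    findings = []
    user = cfg.get("admin_user", "")
    password = cfg.get("admin_password", "")

    if not user or user.lower() in DEFAULT_ADMIN_NAMES:
        findings.append(("default-admin-name", "admin name is a factory default"))
    if (password.lower() in WEAK_PASSWORDS
            or password.lower() == user.lower()
            or len(password) < 12):
        findings.append(("weak-admin-password", "admin password is blank, common or short"))
    if VENDOR_SSID.match(cfg.get("ssid", "")):
        findings.append(("vendor-ssid", "SSID reveals the router manufacturer"))
    if latest_firmware and (version_tuple(cfg.get("firmware_version", "0"))
                            < version_tuple(latest_firmware)):
        findings.append(("outdated-firmware", "firmware is older than " + latest_firmware))

    for key, label in RISKY_FEATURES.items():
        state = cfg.get(key)
        if state is None:
            # A missing setting is reported rather than assumed to be off.
            findings.append((key + "-unknown", label + " state not in export"))
        elif state.lower() in ENABLED:
            findings.append((key + "-enabled", label + " is enabled"))
    return findings


if __name__ == "__main__":
    for check_id, message in audit(parse_config(SAMPLE_CONFIG), latest_firmware="1.0.10"):
        print(check_id + ": " + message)
```

The `latest_firmware` value has to come from the vendor's release notes; the script only compares version numbers and never prints the password it inspects.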

How to Tell If You’ve Been Hacked (and What to do Next)

A good hack is an invisible hack, so your business should periodically check to see if your network security has been compromised. Hackers can try to accumulate a massive network of hacked routers to perform IoT botnet-style attacks, which may only show occasional performance drops as symptoms.

Checking the router is pretty straightforward. Technology expert Kim Komando recommends using the online tool F-Secure Router Checker to scan for issues. If the test identifies a hacked router, the fastest way to resolve the problem is to run a factory reset on the router, update the firmware, set secure credentials, and reconfigure the network.

The router is just one part of your company’s network; the experts at MPA provide network management services that address both performance and security.  Contact us today to learn more!

Flaws in 2-Factor Authentication Methods Could Leave You Vulnerable

Tuesday, July 11th, 2017

If your business is using 2-factor authentication, or 2FA, methods to secure your important accounts, you may need to investigate better ways to implement the practice. Security experts widely recommend using 2FA, a system which utilizes a second security level of authorization in addition to a password to keep hackers out of accounts even when they have the password. However, not all delivery methods for transmitting that second code, token, or credential are equal.

According to Mashable, hackers have found a way to exploit the SMS text message-based delivery code method popular with services like Twitter.

The SMS Flaw

SMS messaging proved itself as a viable solution for getting a device capable of receiving 2FA authentication codes into the hands of the average person because most people already own a compatible device. Using text messaging is very practical because SMS-compatible cellular phones are so widely used that it’s almost expected that a user already has a compatible device; it doesn’t even need to be a smartphone to utilize this method.

However, a 2017 bank account draining heist is shining a light on how hackers can exploit SMS-based code delivery by re-routing or intercepting text messages. Instead of manipulating the account or security platform, the hackers hit the vulnerable text messaging system instead. According to Ars Technica, hackers were able to exploit the widely used Signaling System No. 7 telephony system to redirect 2FA token messages from banks to bypass security. This method can work on any platform using SS7.

Should My Business Stop 2-Factor through SMS?

Your business should not abandon 2FA just because hackers found one way to break through it. Using 2-Factor is still more secure than not using it: it still creates an additional step for the hacker to get through. However, it does mean that your business should consider switching over to alternative code delivery methods whenever applicable.

  • Look for applications like the Google Authenticator app for enabling account access, which uses secure HTTP communication to send the validation code instead of SMS.
  • While they include an additional expense, 2FA security key fobs offer far more secure options over SMS.
  • Services typically send an email alert whenever a new device is used to access the account: pay attention to these because they can alert you immediately if your account has been hijacked. You can change the password at this time to minimize any damage.

If your business is looking to plug its potential security leaks, the IT consulting experts at MPA Networks can help. Finding the right tools for your business’s unique needs is an important part of any security strategy. Find out more and contact us today!

79% of Businesses Were Hacked in 2016. Was Yours One of Them?

Tuesday, June 27th, 2017

Getting caught off-guard in a cyber security attack is a disaster for any business, large or small—and the frequency of attacks is only getting worse.

According to the CyberEdge 2017 Cyberthreat Defense Report, hackers successfully compromised security at least once for 79.2 percent of businesses over the last 12 months.

These figures may be alarming, but keep in mind that all businesses can (and should) be taking proactive steps to prevent attacks, and to make a quick recovery from any breaches. Here’s how you can protect yourself, with help from a Managed Service Provider.

Increase in data breaches

Even if your business has not been attacked in the past year, the odds of staying under the radar aren’t in your favor. In 2016, businesses experienced a 40 percent increase in data breaches over 2015. The situation is especially bad for smaller businesses: 60 percent of small companies that suffer a major cyber attack go under within six months.

Less severe incidents are more common, but businesses are typically ill-prepared for them. A staggering 63 percent of small business owners report their websites have come under attack by hackers or spammers; of those attacked, 79 percent say they have no plan for what to do if it happens again. Most businesses find that mobile devices and social media services are the weakest links in their online security.

Protective Measures against Cyber Attack

The best protective measures against digital security threats are to secure networks, websites, applications, and social media platforms, and to implement a reliable backup system. The following tips provide a baseline to help your business minimize its security risks:

  • Use unique, secure passwords for all accounts including internal services, external services, email, and connected social media to prevent data breaches.
  • Activate “2-Step Verification” for applicable services.
  • Use Secure HTTP for websites and applications that pass personal information.
  • Take advantage of desktop management services; make sure computers are running up-to-date software to minimize exposure to known security holes.
  • Keep antivirus and anti-malware software updated; run scans on a frequent basis to protect from malware infections.
  • Program internally developed services to prevent SQL injection.
  • Secure the Wi-Fi/Internet and manage employee credentials.
  • Secure mobile devices, tablets, and laptops so they can be disabled if lost or stolen.

In Case of Emergency: Disaster Recovery

Ransomware is a major concern for businesses these days: 61 percent of businesses say they were compromised at least once by malware demanding payment to return data. Unfortunately, some companies that decide to pay the ransom still don’t get their data back. The best thing your company can do to protect itself from ransomware is to limit the amount of damage an attack can do through backup and disaster recovery. Using the “3-2-1 backup rule” and running frequent backups can be the difference between losing all of your data permanently, and losing a single day’s work.

Digital security should never take a break. If your business is looking to build a better defense against cyber threats, the experts at MPA Networks can help with both desktop and server management. Contact us today to learn more.

Android and iOS: Is the Device Just Old, or Is It Obsolete?

Tuesday, May 23rd, 2017

When trying to determine if a piece of technology is simply old or completely obsolete, keep in mind that there are different criteria for Android and iOS devices than for desktop and laptop computers. An employee stuck using an obsolete device is likely, after all, to argue that replacing it would increase their productivity.

On the flip side, replacing functional devices too often can spiral out of control into unnecessary expenses.

An IT consulting firm can help your business understand how long a device should remain in use, a safe time range for buying older models, and how to plan upgrade cycles.

When Does A Device Become Obsolete?

The general rule is that a device becomes obsolete about four years after its release. This means that trying to save money by purchasing older devices on the cheap may not work out well, as they are unlikely to receive updates as long as a newer device. Usually you can buy only the most recent and second most recent smartphone devices new, but older refurbished devices are readily available.

Performance Issues with Old Devices

Determining if a device is aging vs. obsolete is pretty straightforward: If the employee can still complete all necessary work with the device, it is not yet obsolete.

However, older devices often have performance issues; notably, they may operate slower than the latest models. Older devices using Android often receive updates late, too, so users won’t receive security and interface improvement patches as soon as they’re available.

When Does a Smartphone Become Obsolete?

Forbes paints a pretty grim picture of aging devices, declaring that smartphones have about two years before they’re obsolete. Still, users can typically continue on without any major problems for an additional year or two.

Once obsolete, however, many devices are prone to disruptive conditions:

  • Security updates are no longer provided.
  • Vital applications are no longer compatible with the operating system.
  • The web browser ceases to display web pages correctly.

When Does Apple Consider Devices Obsolete?

Officially, Apple considers any product more than five years old obsolete, meaning the company tends to support their devices for a little longer than Android distributors. Apple usually supports iOS devices with the latest operating system for about four years. At this point the device will not receive updates, but it will still likely work for a while longer.

The device typically hits the obsolete category when it no longer runs the most recent version of iOS. If you buy an iOS device that’s already been on the market for two years, you’ll have to plan to replace it in another two years. A one-year-old device will be good for at least three years.

How Long Can Android Users Expect Operating Upgrades?

Android devices have a two-tier obsolescence system in which system updates stop coming and applications stop working. Android is a much more difficult case to gauge because updates need to come through Google, go to the manufacturer, and then reach the phone provider.

Android users can expect operating upgrades for two years after the phone is released, and a few additional months of security updates; both are soft obsolescence moments. What finally ends an Android device’s life (or, at least, its usefulness) is application incompatibility after about four years, which is dependent on the developer. Most try to support the oldest version possible, but this is not always the case.

If you want to make sure your employees are using up-to-date devices that increase productivity, MPA Networks can provide an IT and productivity assessment. Contact us today.