Posts Tagged ‘encryption’


Massive IoT DDoS Attack Causes Widespread Internet Outages. Are Your Devices Secured?

Tuesday, November 1st, 2016


As you probably know already, the United States experienced its largest Internet blackout in history on October 21, 2016, when Dyn—a service that handles website domain name routing—got hit with a massive distributed denial of service (DDoS) attack from compromised Internet of Things (IoT) devices. The day will be known forevermore as the day your home IP camera kept you from watching Netflix.

The writing has been on the wall for a while now when it comes to IoT security: We’ve previously discussed how IoT devices can be used to watch consumers and break into business networks.

This specific outage is an example of how the tech industry is ignoring security mistakes of the past and failing to take a proactive approach in protecting IoT networks.

The Outage

The October outage included three separate attacks on the Dyn DNS provider, making it impossible for users in the eastern half of the U.S. to access sites including Twitter, Spotify, and Wired. This attack was different from typical DDoS attacks, which utilize malware-compromised computers to overwhelm servers with requests to knock them offline. Instead, it used malware called Mirai that took advantage of IoT devices. These compromised devices then continually requested information from the Dyn servers en masse until the server ran out of power to answer all requests, thus bringing down each site in turn.

This outage did not take down the servers hosting the platforms, but rather the metaphorical doorway necessary to access those sites.

Ongoing Security Concerns

According to ZDNet, the IoT industry is, at the moment, more concerned with putting devices on the market to beat competition than it is with making devices secure. IoT devices are notably easy to hack because of poor port management and weak password protection. IoT devices are also known for not encrypting communication data. October’s attack wasn’t even the first of its kind: A 145,000-device IoT botnet was behind a hospital DDoS attack just one month prior.

What You Can Do

MacWorld recommends changing the default security configuration settings on all IoT devices and running those devices on a secondary network. The Mirai malware works simply by blasting through default username and password credentials—so users could have protected themselves by swapping the default “admin/admin” and “password/password” settings. There are also IoT security hub devices available to compensate for IoT security shortcomings.

IoT devices can offer fantastic perks for your office, but the security concerns are too important to ignore. If you’re interested in improving network security pertaining to IoT devices or looking for advice on which IoT devices would benefit your workplace, don’t hesitate to contact MPA Networks today.

Don’t Forget About Printer Security

Tuesday, August 9th, 2016


There was a time when printers—in your office or home—were considered relatively “simple” office equipment: plug it in, connect it to the local network, and keep the ink fresh, and there wasn’t much else to worry about.

But times have changed.

Today’s business printers—enterprise-level equipment or smaller, multi-function printer/scanner/copiers—include as much document storage capabilities and sophisticated processing power as any other point on the network, another example of the ever-expanding Internet of Things. But while PCs and laptops are almost constantly under the watchful eye of their individual users, networked printers generally sit by themselves for long stretches of time when there are no “jobs” to print.

For many companies, unsecured printers become the weakest link in their network security chain—and a prime point of entry for hackers.

Malicious Mischief, or Worse

Case in point: This past March, a notorious Internet “troll” targeted over a dozen prominent universities around the U.S., hijacking multiple networked printers to print racist material. Colleges were considered an inviting target because printers are often purchased directly by academic departments with little oversight by campus IT management.

Since around 2000, most business-class imaging products have included their own hard drives—capable of storing every document ever printed or copied. A 2010 investigative report by CBS News revealed that “high mileage” used photocopiers—typically available for a few hundred dollars on the resale market—contained un-encrypted hard drives with a slew of easily retrievable data—account numbers on copied checks, pay stubs with personal info, and other valued commodities for any identity thief.

Practicing Printer Hygiene

We’ve noticed many new customers who’ve neglected security on their office printers. Here are a few important areas to keep in mind:

  • Management. Appoint a single person as your printer “administrator”—understanding its functions, instructing others how to operate it, basic maintenance (beyond paper jams or toner changes), and enforcing security policy. Check for stray documents left in the input or output trays at the end of the workday.
  • Protection. Make sure your printers are included in your network firewalls and other security measures.
  • Updates. Unlike computers, manufacturers’ firmware updates are rarely downloaded automatically. Check often for the latest online security patches.
  • Authentication. Require users to be present at the printer during every print job, requiring individual passwords, smart badges, or fingerprint scans.
  • Encryption. Encode both network traffic and documents stored on the printer’s hard drive.
  • Data Scrubbing. As we’ve recommended for computers, make sure a printer’s internal memory is completely wiped clean at the end of its use life.

For more ideas on safeguarding your printers along with the rest of your network, talk with us.

Defend Your Network Against Advanced Persistent Threats

Tuesday, July 12th, 2016


If you’ve looked over our previous posts since we’ve started our blog, you know how serious we are about protecting your company from everyday cyber-threats—mainly phishing, ransomware, and various other malware. Today we’d like to discuss a different form of cyber-threat plaguing businesses over the past decade: what the security community has termed advanced persistent threats, or APT.

What exactly is “persistent” about APT? Most hacking attacks can be classified as “smash-and-grab robbery”: Break into a network and make off with anything of value—user identities, account numbers, cash—and disappear before anyone notices.

An APT attack compromises a network’s defenses and stays as long as possible—weeks, months, or years—discreetly infiltrating servers, eavesdropping on email, or discreetly installing remote bots or trojans which enable deeper espionage.

Their primary goal is information—classified material, trade secrets, or intellectual property—that might draw interest on the black market.

Robbery, Inc.: A Worldwide Enterprise

While unsophisticated hackers might lurk in the shadows like criminal gangs, APTs often emanate from professional environments not unlike a prosperous Bay Area tech company—posh high-rise offices, full-time employees with salaries and benefits, and formal product development teams. The difference is they’re conducting business in China, Russia, and other cyber sanctuary nations where international cybersecurity is unenforced and intellectual property laws don’t exist.

The more extensive an APT infection, the harder it is to isolate and eradicate it—like cockroaches under a kitchen sink. Many enterprise IT managers simply accept APT as a fact of life—conceding that trying to combat these intrusions would actually encourage the culprits to dig deeper into the network.

So if APT makes long-term data theft inevitable, how can you still protect yourself? Make the stolen data unusable.

Alphabet Soup? Fight APT with DLP

The second acronym we’ll talk about today is DLP: data leak protection. DLP encrypts sensitive data so that it can only be accessed by authorized users or workstations with a corresponding decryption key. If that data is intercepted by an APT, it’s rendered unreadable—and worthless.

Multiple name-brand security vendors offer a wide range of turnkey DLP solutions. Low-end products will automatically encrypt data which follows specific patterns (Social Security numbers, 16-digit credit cards), while high-end products can be configured to use complex algorithms and language analytics to locate and protect other specific forms of confidential data (such as client files, product designs, or sales figures). When unauthorized access is suspected, files can be temporarily quarantined against a possible data breach before they leave the company network.
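The pattern-matching stage described above can be sketched as follows. This is an added example, not code from any DLP product or from the original post; the function names and the sample text are constructed for illustration, and redaction stands in for the encryption step a real product would apply to each match.

```python
import re

# Candidate patterns of the kind the post mentions: SSNs and 16-digit cards.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

# Constructed sample input (no real identifiers).
SAMPLE = (
    "Employee SSN: 123-45-6789\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Order ref: 1234 5678 9012 3456\n"
    "Placeholder id: 000-12-3456\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values that are never issued: area 000/666/9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")


def find_sensitive(text: str):
    """Return a sorted list of (start, end, kind) spans worth protecting."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append((m.start(), m.end(), "SSN"))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append((m.start(), m.end(), "CARD"))
    return sorted(hits)


def redact(text: str) -> str:
    """Replace each detected span with a marker; overlapping spans are skipped."""
    out, pos = [], 0
    for start, end, kind in find_sensitive(text):
        if start < pos:
            continue
        out.append(text[pos:start])
        out.append(f"[{kind} REDACTED]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    print(redact(SAMPLE))
```

The checksum and range checks are what keep a pattern-only scanner from flagging every order number or placeholder that happens to have the right digit count.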

Are APTs already lurking within your network? What proprietary data can your business not afford to lose? How can you evaluate DLP products to find the best solution for you? Talk to us for help.

Data Breaches: Dark Times in the Golden State?

Wednesday, June 1st, 2016


Being the cyber-security geeks we are, we took great interest in combing through this year’s California Data Breach Report, released by the Attorney General’s office this past February. The report tabulates data collected from breach incidents which expose confidential information of 500 or more individuals, reported to the Attorney General as required by California law since 2012.

Over these past four years, there has been a total of 657 reported incidents, affecting over 49 million Californians—from Social Security and driver’s license numbers to financial accounts to health records, logins, and passwords.

By the Numbers: Not Much News to Us

The breakdown of California data breaches came as little surprise to us:

  • Malware and hacking accounted for over half of all breaches (54%), while responsible for a whopping 90% of all stolen personal records.
  • While physical breaches—lost or stolen unencrypted data on computers and mobile devices—came in a distant second (22%), they were the most reported by healthcare providers and small businesses.
  • Other breaches were attributed to human error (17%) or intentional misuse or unauthorized access by company insiders (7%).

After 178 reported major breaches in 2015 alone, the report estimates almost three in five Californians were victims of loss or theft of data.

Plug the Leaks, Block the Hackers

The second half of the report offers multiple recommendations for preventing data breaches in the future. Specifically discussed is the expanded use of multi-factor authentication (as we’ve already recommended) in place of simple, easy-to-guess user passwords such as “qwerty” or “12345” (as we’ve likewise lamented in a previous post). Stronger encryption standards are needed to protect confidential data, particularly within the healthcare sector.

However, the Attorney General’s primary recommendation is that all business and government organizations adopt their own risk management strategy based around the Critical Security Controls for Effective Cyber Defense, a comprehensive 20-point plan developed by the Center for Internet Security.

While a mishmash of federal and state-to-state regulations offer varying effectiveness against data breaches, the California report cites voluntary compliance with the CIS Controls as “a minimum level of information security that all organizations that collect or maintain personal information should meet,” while falling short of the full 20 standards constitutes “a lack of reasonable security.”

We agree the CIS Controls represent a solid roadmap, effectively “covering all the bases” when it comes to data protection. When you discuss security with a potential MSP partner, mention the CIS Controls as a baseline. If they downplay such a structured approach, you’re probably talking with the wrong vendor.

How well is your company meeting California’s data security guidelines? For a few tips on getting better, ask us today.

Are Your Smartphones Properly “Containerized”?

Tuesday, April 26th, 2016


Earlier today the cashier at the local drive-thru miskeyed the amount of cash I gave him into his register. Somewhat sheepishly, he asked if I had a smartphone so I could verify the correct amount of change. Fortunately, I never leave home without it.

In fact, how well could you function today without your smartphone? It’s more than a telephone, camera, or calculator. It’s really a miniaturized computer—with most of the capabilities of a desktop or laptop. For better or worse, it’s a device we’ve come to rely upon.

A Mobile World

The mobility of smartphones has likewise made them indispensable work tools. Once upon a time, professionals carried a company-issued “work phone” along with their personal cell phone.

But today, given a choice, most would rather access work-related data from a single device in their pockets. This creates unique issues, however:

  • How safe is confidential company data on an unsecured mobile device? If it’s lost or stolen, what are the consequences? And how many of the countless downloadable user apps stealthily require permission to access—or even modify—other properties of the phone?
  • By the same token, users are reluctant to link their company network with the same device they use for private activities—personal email, music, photos, or their online dating profile.

How many companies wrestle with defining security of their employees’ access between business and personal data via their smartphones? This is a very important facet of a comprehensive BYOD (bring-your-own-device) policy, as we’ve already talked about.

Containerization = Safety and Privacy

The answer for smartphones revolves around what has been termed containerization—creating a virtual partition between business and personal applications within a single device. When switched to a containerized “business mode,” all inbound/outbound network traffic is automatically secured via supplemental authentication, advanced 240-bit encryption, and other measures which block out unauthorized apps—or malware.

If the phone is lost or stolen—or the employee leaves the company—network access from that device can be remotely severed in a flash. Meanwhile, the user can toggle their phone back into conventional Android or iOS smartphone mode, assuring their personal apps and files remain private and “unsnoopable” by Big Brother (or at least their boss).

Containerization is a fairly new buzzword in mobile security, but there’s already a slew of vendors hopping on the bandwagon and offering a wide range of turnkey products. Which options offer the right protection and the best bang-for-the-buck? As usual with IT decisions, finding the right solution can be daunting—but we have the expertise to help. To learn more about containerization and more of the latest developments in IT security, talk with us.

iPhone “Backdoor”? It Already Exists! Why Your Company Needs It

Tuesday, March 8th, 2016

February’s big story in the tech world was the conflict between Apple and the FBI over the creation of a “backdoor” to retrieve encrypted data on iPhones. The government is looking for any clue as to what—or, more specifically, who—motivated Syed Farook, along with his wife, to gun down his San Bernardino co-workers at an office party. Meanwhile, Apple CEO Tim Cook, along with other high-profile tech leaders, warns that the existence of such an “anti-encryption key” could become a slippery slope—ultimately threatening individual privacy as well as the security of all virtually-protected data, personal or business.

Apple steadfastly refuses to comply with the FBI’s court order, and the battle is likely to reach the Supreme Court. And if the Court’s pivotal ninth seat remains unfilled due to political gridlock, the whole issue could remain undecided for quite a while.

Finding the Facts

In the midst of this landmark security vs. privacy brouhaha, one key fact of the case is being underreported: The iPhone 5c the FBI wants to unlock was Farook’s business phone, issued to him by the San Bernardino County Health Department. He destroyed his personal phone—which he most likely used to actually discuss the terror plot—before the couple’s fatal shootout with police.

How could this highly-vocal Apple-FBI standoff have been averted in the first place? By using an encryption backdoor that already exists—completely legal, and, for businesses, absolutely necessary: mobile device management (MDM) software.

MDM allows users to enjoy the same mobile productivity—apps, email, documents, file-sharing—that they’d expect from an onsite network, while enabling IT administrators to ensure every device remains compliant with company security standards (configuration settings, updated security patches, and limiting unauthorized use of the device).

More importantly in this case, MDM can, if necessary, bypass a security passcode to regain access to the company-issued device. Ironically, San Bernardino County had already contracted with an MDM vendor, but simply hadn’t gotten around to installing the software on mobile equipment in Farook’s department, due mainly to the lack of a formal MDM implementation policy.

Your MDM Solution? Choose Wisely

As mobile computing and BYOD become increasingly common in the modern workplace, MDM is essential for every company. You’ll find products from a slew of vendors, large and small, at competitive prices, but here are some key points to look for:

  • Ease-of-use (look for free trials of MDM products)
  • Full compatibility with both iOS and Android platforms
  • Functionality across multiple devices and wireless carriers
  • Seamless integration of all company-used apps (email, data, SaaS)
  • Pricing structure (per device or flat rate)

Choosing the right MDM solution—and effectively implementing it across your organization—is another IT challenge facing your company today. We can help.

The Dangers of Free Public Wi-Fi: How To Protect Your Network

Tuesday, February 2nd, 2016


How dependent have you and your employees become on public Wi-Fi outside the office? Mobile hotspots are almost everywhere now—from coffee houses and fast-food restaurants to hotels and airports (and even aboard most planes). Without Wi-Fi access, many of us feel alarmingly “disconnected”—as if we’ve driven 20 miles before realizing we left our phone at home! (Can you recall where and when you last saw a pay phone?)

Risky Business

We’ve come to rely on free Wi-Fi for its sheer convenience, but how secure is it, exactly—particularly for business purposes? Actually, not much at all.

Most commercial-grade public Wi-Fi has been made as technically simple as possible to maximize the number of simultaneous users and avoid connection issues which might require a time-consuming call to a Help Desk. There are no cumbersome firewalls, encryption, or other standard frontline defenses you’d expect from your company’s onsite network.

Even a public hotspot requiring a password offers little real security if all users use the same common login. This makes free public Wi-Fi an especially inviting target for hacking. A minimally-skilled cyber-crook can eavesdrop on Wi-Fi data traffic via black market software on a tablet hidden in a backpack, while a more sophisticated hacker can go as far as creating a bogus duplicate hotspot for users to mistakenly log into. Once connected, the hacker has free rein over the user’s personal data—email, social media, bank accounts, and more—as well as any important business files (even if they’re not open at the time). The vulnerabilities of public Wi-Fi are the weakest link in your IT security chain.

Saving Private Data

What’s the best defense against malicious Wi-Fi snooping? If you aren’t familiar with VPN (Virtual Private Network), your company is already at serious risk. A VPN server essentially acts as a third-party “buffer” between a mobile device and the company network (or the at-large Internet). Using a VPN app installed on the device, the Wi-Fi user connects to the company’s VPN instead of connecting directly to their usual browser homepage. The VPN then thoroughly encrypts all end-to-end data traffic to and from the user’s mobile device. If a hacker intercepts that Wi-Fi data stream, they’ll only receive unintelligible gobbledygook.

Adding a VPN layer of security is relatively painless. A VPN option is actually built into Windows (do a file search for “VPN”). There’s also a wide range of VPN client/server software and real-time services from trusted vendors, or a custom solution can be developed, typically based around SSL (the same level of security most banking sites use) or other advanced protocols.

Are your employees unknowingly putting your company at risk whenever they flip open their laptop at the coffee shop down the street? Feel free to share your concerns with us.