alt tag

Posts Tagged ‘firewall’


IoT Devices: Security Holes?

Tuesday, March 15th, 2016

network-782707_640

Hackers can take advantage of a newer technology prevalent throughout your business to break into your network and compromise security: Internet of Things devices. Your business may have never considered that the handy new Smart Thermostats throughout the building or the Smart TV in the conference room could actually be used by a hacker to piggy-back onto other devices on your network.

Fortunately, a managed service provider can stay on top of your IT security, installing the latest updates on every computer and all network hardware, and minimizing the risk of experiencing productivity-draining malware and hacks.

Your business could be vulnerable to a major security breach by leaving IoT devices unpatched and running old code.

The Elephant in the Room

In December of 2015, the security experts at TrendMicro identified approximately 6.1 million devices in use, including IoT devices, running software with an unpatched code execution attack security hole. The catch is that the security hole was identified and fixed all the way back in 2012, meaning these devices are still putting their owners at risk. Code vulnerabilities aren’t limited to device firmware, as the security hole TrendMicro found came from a code library found within apps.

A study by HP showed that upwards of 70 percent of all IoT devices are in some way vulnerable to an attack—and according to ZDNet, IoT devices are problematic for business security overall because they lack much of the security sophistication found on devices like laptops. For example, the home IoT market is facing major privacy and security concerns over Baby Monitor hacking. Your company may be concerned about home IoT devices as well if you have employees that work from home.

Plug, Play, and Forget

Hackers aim to exploit the common “set it and forget it” mentality toward IoT devices. Not only are IoT devices prone to security breaches, they are also often neglected as points of concern. When the manufacturer issues an update to patch security problems, your staff may not include IoT devices alongside regular updating practices.

There is plenty that an MSP can do right now to protect your business from IoT security holes, even when security apps and firmware patches aren’t an option. In addition to keeping the device’s operating software up to date, it is also necessary to keep all installed apps updated. Many IoT devices lack a clear interface to implement patches, making the process cumbersome. Security apps work well on devices that support them, but IoT products that lack security app support are a bit trickier to work with.

Another way an IT consultant may suggest to keep IoT devices from impacting the rest of your business’s security is to create a second isolated network for smart devices that can’t directly access your main network. WiFi makes the process relatively inexpensive and straightforward.

Keep your business running productively by taking preemptive action against IoT security faults with a local MSP. You’ll be glad you did.

The Importance of Being Proactive: Why You Need A Breach Response Plan

Thursday, August 6th, 2015

attention-297169_640

Each month, Microsoft releases a new security bulletin. In May of 2015, forty-six vulnerabilities had been identified and fixed, spanning products such as Windows, Internet Explorer, and Office. In June, it was even more. While some of these vulnerabilities were low-threat, others were more critical, like the numerous Internet Explorer weaknesses that would allow attackers easy access to execute very harmful activity.

As vulnerabilities like these are not always exploited, many companies take a lax approach to security.

Is every single one of your firm’s computers and servers—whether in your office or in a data center—updated with these recent patches? How about the patches from last month? And those from last year?

Implementing effective security measures takes up time, energy, and resources, but cutting corners can be even costlier—and sometimes downright catastrophic. To avoid the detrimental effects of an attack, it’s essential to maintain an updated breach response plan.

Strengthening Your Incident Response Plan

In the Digital Age, the occasional technology breach is inevitable. A well-developed breach response plan can help curtail damage in the event of an attack, natural disaster, or other unforeseen event. Here are a few things to consider when creating your plan:

  • Review your security plan at least twice a year. This will allow for any additions or adjustments as necessary.
  • Compose a list of clients, their appropriate contacts, and proper notification protocol for each.
  • Assign responsibilities to individual parties where detailed action is required. Leave nothing to chance. If it’s a crucial matter, be sure you know exactly who is responsible for handling the task at hand.
  • Compile a guidance list of “proper responses” to execute based on the nature and severity of the breach.
  • Devise a restoration plan in which backups and other necessary files are recovered.
  • Managed Service Providers can help develop well-designed response plans. Their knowledge of malware, virus prevention, and disaster recovery is priceless when a serious threat emerges.

Post-Breach Measures

After a breach, you have to clean up. This can involve following your disaster recovery protocols, using tools to clean up the mess, and notifying your clients and business partners.

Your data may be damaged, and you may need to shut down your company operations while you recover data, software, and operating systems from your backup system (assuming that system has not been damaged too).

You will need to figure out how the breach occurred and implement improved security measures to keep it from happening again. Why clean up the mess, only to get hit again with the same problem? A breach can indicate a security lapse, like ignoring updates and patches for servers, workstations, anti-virus, and anti-malware software.

In some states and some industries, you are legally required to notify your clients, employees, and business partners of the breach.

Traffic Monitoring Tools

Traffic monitoring tools can detect hidden malware and communication traffic between your network and the Internet that might indicate a breach. One of these tools is Unified Threat Management (UTM) software that can be implemented inside your office’s firewall as part of a service program.

With the plethora of managed service providers and security tools available, it’s easier than ever to start creating your incident response plan. Getting ahead on your security is a smart business move that could save you a great deal of time and money in the long run.

Preventing Breaches in the First Place

Be smart. Save labor. Save money.

Hackers are growing in number, not shrinking, and they are being paid more and more for their efforts in ransom, extortion, fraudulent advertising, and other areas. The problem isn’t going to get better—so you need to be prepared.

It’s a real pain to recover from a breach. It’s time-consuming, and it can be embarrassing for your firm’s reputation. Your company’s leadership may even come into question by customers and staff.

That’s why the smartest move is to prevent security problems before they happen.

Ask yourself these questions:

Are your anti-virus and anti-malware systems up to date? (In other words, have you made updates in the last day?)

Is each and every one of the workstations, laptops, and servers in your organization patched and protected against viruses?

Do you have a service program that assures patches are up to date—and if an installation is missed or fails, is someone in charge of fixing the problem?

Do you scan your emails for malware and viruses before they come to your email server, wherever it’s located (in your office or in a Cloud data center)?

Do you scan your emails for malware and viruses repeatedly as they lie in storage on your email server? A virus identified today may not have been known to anti-virus manufacturers a month ago, when you first received an infected message.

Does your firewall have UTM? (See above.)

Does your firewall prevent your employees from visiting a sketchy site or being directed, without their knowledge, to a malware-infected website in an innocent-looking email link?

Lastly, do you have a service program or service procedures that manage all of the above? You can’t “load it and you’re done,” and you can’t “set it and forget it.” These services must be actively managed by your own firm or a skilled Managed Services Provider.

Who Does All the Work?

In large companies, these types of proactive security management are carried out by internal IT staffers, outsourced security experts, or a combination of both.

In small businesses, this type of work is best performed by an outsourced Managed Services Provider. It’s becoming too complicated for internal resources to effectively handle proactive security management without outside advice and services. It’s also too complicated and time consuming, in many cases, for a small IT service shop or a single “IT Guy” to keep up with the rapid evolution of network security threats and barriers.

How Do You Know If You’re Protected?

Simple. Hire an IT consulting firm, an IT consultant, or a Managed Services Provider to perform an audit of your company’s computer network. You want to test at least four things:

  • Your internal network security
  • The security between your internal network resources and the outside Internet (outward flow)
  • The security between the Internet and your inside resources (inward flow)
  • Compliance with any regulatory security that applies to your type of business

After almost every virus attack or security breach we hear about, the affected company’s managers say, “I thought we were covered.”

Last month at MPA, we heard this from the manager of a furniture distribution company in the East Bay after ALL of their data and backups were destroyed by a virus. If that happened to your business, could you survive?

Don’t wait until you have a catastrophe on your hands to find out whether your current coverage is enough. Order a Technology Assessment/Security Audit today.

Malvertising: The Next Big Cyber Threat

Thursday, July 16th, 2015

road-sign-579554_640

We’ve spent plenty of time here talking about safeguarding your company against phishing and other forms of cyber-attack. As we’ve discussed, the first line of defense against phishing is to make sure your employees remain vigilant by avoiding email links and shady websites. But there’s a bigger threat on the horizon for anyone who simply surfs the Internet. Hidden malware delivered via online ads, or malvertising, is rapidly spreading across the web—including the most trusted news and entertainment sites millions of us visit every day.

Via banners, pop-ups, and animated ads, cybercrooks can embed hidden lines of code that instruct a web browser to automatically retrieve and install malware programs from an unseen URL—literally a “drive-by download,” undetectable by most common anti-virus programs. Some malvertising scams entice viewers to click on an ad (most often pop-ups offering “software updates”). Others infect a computer simply by loading the page.

Successful malvertising immediately renders a computer susceptible to any of the following:

  • Outright theft (identity, financial, or data) or extortion via ransomware, such as CryptoWall or CryptoLocker, a high-encryption virus which can’t be removed without paying off the crooks—usually in untraceable Bitcoin or wire transfer.
  • The computer can be hijacked into a botnet, a ring of “zombified” computers which are silently manipulated for criminal activities, such as repeatedly clicking on bogus pay-per-click ads, bilking websites out of artificially inflated profits.
  • The malvertising can leave behind a browser exploit kit, malicious code that constantly probes a computer for vulnerabilities within the browser as well as standard plug-ins including Adobe Flash Player, Java, and Microsoft Silverlight. When a weakness is found from the inside—as little as missing the latest security update—the door is open for even more lethal malware.

No Sheriff in Town

Most high-traffic websites outsource their advertising to third-party networks who sell space to advertisers—usually simply accepting ads from the highest bidder—and directly insert ad applets into a web page. You’d think these ad networks would bear the responsibility for screening ads against malvertising, but they’re simply not responding fast enough. Like so much of the Internet world, the frenzied volume of online advertising grew much faster than anyone’s ability to regulate it.

Everyone still assumes law enforcement can effectively police criminal activity in cyberspace… but there’s literally no sheriff in town.

How Can You Protect Yourself?

There are a number of measures you can take right now to defend your company against malvertising:

  • Keep your anti-virus and anti-malware software up to date, and make sure the software continues to update on a regular basis. Some manufacturers update their software daily to combat new threats.
  • Use a Firewall with an activated subscription service for UTM (unified threat management). UTM is a service should provide at least two forms of protection:
  1. Filtering out some viruses and malware as they attempt to pass through the Firewall into your office or home network (whether in an email or on a website).
  2. Prohibiting you and/or your users from visiting sketchy websites—the kind a phishing email might direct you to, with or without your knowledge, in an attempt to infect your computer.
  • Regularly check your browsers for the latest security patches.
  • Modify your browser settings to prevent Flash and Java-based animated ads from running automatically, as well as to flag suspicious website content.
  • Create multiple user accounts for each computer, including a “web surfing” account without administrative rights to install or modify software, and to block malicious exploit kits. Some firms have all desktop accounts for their employees configured without administrative rights for this reason.
  • Consider signing up with a Managed Services Provider (MSP) for a Managed Services Program that supplies anti-virus, anti-malware, and security patching, keeps these systems up to date, and manages the process for success—so you can focus on actually using your technology.

To learn more about the dangers of malvertising and other emerging cyber threats, contact us.

 

Time To Think About Your Company’s Next Tech Refresh?

Wednesday, June 24th, 2015

update-97888_640

As the Bay Area moves into the warmest months of the year, you can enjoy the summer knowing your annual home spring cleaning is behind you—when you tackled all those chores in (literally) one clean sweep over a weekend. With that taken care of, now’s a good time to review your company’s tech refresh strategy—if you have one.

Many employees of small IT companies still think of every desktop workstation the way they view that trusty old Honda Civic they drive to work: Squeeze every last drop of mileage out of it until the wheels fall off. The reality is that the prime “use life” of desktop hardware—computers, monitors, and printers—averages only about three years before costly maintenance issues begin creeping in. A 2013 study commissioned by Intel surveying 736 small businesses around the world revealed that while over one-third retain their computer systems for at least four years, their employees lose an average of 42 working hours per year due to computer downtime—extended maintenance, repairs, and security fixes.

The average repair cost of an older PC is $427, about 1.3 times more than fixing a newer machine.

Quick Fixes vs. Long-Term Preparation

A comprehensive tech refresh goes beyond the desktop. As we’ve talked about, a company firewall and anti-virus protection are the first lines of defense against the relentless onslaught of malicious hacking and cyber-crime. If you don’t remember when you installed your current network firewall system or anti-virus program, you’re quite likely relying on yesterday’s technology to guard against thousands of new threats which increase by the day. You can rely on vendors’ updates and security patches to try to keep pace, or you can set a firm timetable for upgrading to leading-edge tools—such as firewalls with advanced Deep Packet Inspection (DPI) to scan data for viruses—which offer the best defense against that next cyber-attack.

Before reviewing—or establishing—your company’s tech refresh timeline, take a closer look at the current overall condition of your IT system.

Age. How old is your desktop hardware (PCs, monitors, printers, networking equipment, etc.)? Are these assets still under warranty? If not, how long ago did the warranty expire?

Performance. Can you identify any equipment that’s inconsistent or just plain unreliable? Does the resulting downtime mandate an upgrade?

Support or Security Protection. If you have a Microsoft 2003 operating system running on your server, it’s time right now for a tech refresh. Microsoft will stop important security protection patch updates for this server this year. That means that if you still have any 2003 servers, they must be replaced—or they will become sitting ducks for hackers and viruses. Consider whether you should replace the server(s) or migrate your infrastructure to a private Cloud data center.

Capacity. From obsolete microprocessors to maxed-out hard drives, are your older computers bottlenecking your productivity? Can your existing IT infrastructure support upgraded applications?

Risk. What are the potential consequences of a network crash or a malicious cyber-attack? What are your security needs—today and tomorrow?

Update Before It’s Too Late

A tech refresh can take a “big bang” approach—replacing almost everything after three or four years have gone by—or a phased refresh, targeting mission-critical assets ahead of secondary equipment. For a complimentary assessment of your IT infrastructure and recommendations for an effective tech refresh strategy for your company, click here.

Cyber Insurance: Good for my Company?

Wednesday, May 20th, 2015

Cyber liability insurance to cover IT hacking attack financial losses:—a blog for San Francisco, San Mateo, San Jose.

We’ve spent a lot of time on this blog talking about cyber-attacks—from nuisance hacking to data theft to virtual electronic terrorism—and the steps your company can take to defend itself. But what if, despite all your best efforts, you one day discover you’ve still been hacked? An insurance policy may be the best option.

“Cyber liability” coverage has actually existed in the insurance industry for over a decade, but most companies simply didn’t give it much thought—until those high-profile data breaches at Target and Sony flooded the news. As the number of reported hacking incidents continues to soar, many insurance carriers are now specifically excluding electronic data from the “tangible assets” covered in their standard liability policies. And cyber insurance policy sales are increasing.

Even for small businesses handling confidential customer data (particularly financial services), a single cyber-attack can be a major financial hit.

As Bloomberg reported last year, a nationwide survey of small businesses revealed almost half the respondents had already experienced some type of security breach, with the average cleanup cost near $8,700.

Cyber Insurance: What Does It Cover?

Most cyber liability insurance coverage available today generally revolves around these key areas:

Cleanup. Cleaning up the results of the incident can be expensive, especially for a small business. IT experts often have to be brought in to find out what damage occurred, how to resolve it, and how to keep it from happening again. The consequences of a single virus attack could affect your business to the tune of several thousand dollars.

Cyber Extortion. Coverage of “ransom” payments made following credible extortion threats, plus applicable prosecution expenses.

Virus Liability. Compensation to victims who received a virus or malware via a business’s compromised website.

Asset Protection. “Reasonable” costs associated with recovering or replacing lost or corrupted data.

Loss of Revenue. Estimated gross revenue losses during a full or partial interruption of a business’s computer network due to a denial-of-service attack or other act of cyber terrorism (typically covering an outage of up to 48 hours).

Data Breach/Privacy Crisis. The costs associated with notifying people or companies whose data was on the affected servers (as mandated by law in many states including California) and establishing a call center, plus offering complimentary credit monitoring/identity theft restoration and associated legal expenses.

Regulatory Civil Action. Reimbursement for financial penalties imposed by government agencies for violations of protected data laws, such as HIPAA or HI-TECH (the fees themselves and/or court costs).

Getting the Best Deal

Annual premiums for cyber liability insurance can begin around $7,000 for every $1 million of coverage—but as more major carriers enter the growing cyber liability market, expect competition to drive those costs down. And just as an individual may get a better life insurance rate by not smoking and watching their cholesterol, businesses can earn premium discounts by adding advanced security measures such as superior firewalls, encryption, and antivirus software. It pays to shop around for the best coverage at the best price. Better yet, find an insurance broker who specializes in cyber liability.

As hackers grow bolder and even more relentless, the levels of malicious cyber-attacks will get worse before they get better. Just as home, auto, and health insurance are now looked upon as staples, cyber liability insurance may become a necessity for any business, large or small.

The $100,000 Phone Bill: Is Your Office VoIP Phone System the Next Target?

Friday, March 20th, 2015

Avoid information technology VoIP fraud San Francisco, San Mateo, San Jose.

How would you react if your company’s next phone bill revealed a major cost spike—to the tune of over $100,000? It’s actually happening now to small businesses across the U.S., thanks to international VoIP toll fraud—perhaps the fastest growing cyber-threat today.

While many small companies have adopted VoIP (Voice over Internet Protocol) as a cost-effective alternative to traditional phone service, the trade-off is increased security risks. Primarily in Africa and Eastern Europe—those usual hotbeds of cybercrime—hackers have discovered that a VoIP-based PBX system (like other online networks) contains multiple vulnerabilities, which most smaller companies fix only rarely, if ever. Once they successfully hack into a U.S. company’s VoIP network, they can literally hijack its entire PBX and begin placing thousands of calls from that company’s local office lines—typically over a weekend, when nobody will be there to notice.

Long-Distance Robbery

Who do they call? In most cases, they’ve leased international phone numbers with “premium” surcharges (think adult chat or psychic hotlines), resell the calls, and rack up the pay-per-minute profits. And unlike a conventional landline, a single hacked VoIP line can dial several hundred calls simultaneously! Do the math; it all adds up to a lot of money, very quickly.

International law guarantees that somebody must pay those long distance charges—either the victimized company or their VoIP service provider.

As with so much other cybercrime from the Third World, the chances of U.S. law enforcement tracking down the culprits are slim at best. Meanwhile, the victim faces, at the very least, a major multi-week headache contesting that ridiculously huge bill.

Protect Yourself

Your VoIP phone system should be secured as much as any other network. There are steps you can take right now to shield your company from a costly telephone cyberattack:

  • Deactivate Call Forwarding, to prevent rerouting calls to third party numbers—particularly those outside the U.S.

  • Set strong passwords for central root access as well as every phone line and voice mailbox. Then schedule company-wide password changes every six months.

  • Protect your VoIP network behind its own high-security firewall, configured to only accept access from pre-approved IP addresses.

  • Consider Secure Shell encryption (SSH) for an added level of security.

  • Physically isolate your VoIP system from the rest of your network infrastructure—down to the cables and Ethernet switches. If a lucky hacker can use your phone system as a front door for infiltrating your entire company network, then you’ve got even more trouble.

The stakes are simply too high for a do-it-yourself approach to VoIP security, or to think “it won’t happen to us.” Trust an experienced IT partner who not only knows the nuts and bolts of VoIP, but also specializes in cutting-edge network security. Learn more here.

Welcome to the IoT: Will Your TV Be Watching YOU?

Thursday, March 12th, 2015

screen-310714_640

We’ve talked recently about the potential dangers of the rapidly expanding Internet of Things, or IoT. As we discussed, the IoT consists of embedded sensors collecting data from dozens of devices in your daily life—your car, your health and fitness equipment, and even your home thermostat. All that tabulated data is intended to help you, whether it reminds you that your car needs a tune-up, that you’re slacking off on those cardio workouts, or that the heat can shut off because you’re not at home. But just as when the Internet first exploded upon us in the mid-1990s, IoT technology may be growing faster than our ability to regulate it and protect our privacy—from hackers, corporations, and even the government.

Smart Devices: Getting Too Smart?

Consider this recent Salon.com article. The author was excited about buying a state-of-the-art “smart” TV—until he read all 46 pages of the manufacturer’s Privacy Policy.

Think for a moment about the last time you needed to check an “I Agree” box before installing software, downloading music, or applying for a job online. Did you actually read the binding legal contract you were virtually signing? Like most people, you probably skipped that “fine print,” whether it was three pages or 30. “It’s got to be fair,” you assured yourself, “or they couldn’t get away with it.” And you clicked through.

In the case of that smart TV, they actually try to get away with quite a lot. Soon after plugging in that new TV, the user is asked to give their consent to:

  • Set cookies and beacons marking the content you watch and the E-mail you read.

  • Track the apps you use, the websites you visit, and your online interactions with both.

  • Record facial recognition via a built-in camera.

  • A voice recognition feature which may “transmit your spoken words to a third party.”

But what about opt-outs and do-not-track requests, you ask? The TV’s Privacy Policy specifically excludes them. You’re not just watching TV anymore—it’s watching you, too.

New Targets for Hackers … or “Big Brother”?

Are we sounding a little too much like George Orwell here? Maybe. But in this relatively early stage of the IoT, who’s to say your networked household devices won’t be hacked to let a burglar know when you won’t be home? Or after the uproar the federal government created by eavesdropping on millions of cell phone calls via the 2001 Patriot Act, could they someday get permission to monitor citizens via the data collected by their household devices—including their living room TV?

Before you consider upgrading to a smart TV, we recommend you isolate it—along with other IoT devices—from your home or office network via a dual-firewall or “DMZ” configuration. And block that camera the same “low-tech” way many laptop users already do—with a simple piece of black electrical tape over the lens.

For advice and support on protecting your privacy when it comes to IoT devices, contact us at www.mpa.com

Surprising New Study: Email an Essential Cross-Generational Business Asset

Thursday, February 12th, 2015

email-297068_640What was cutting-edge in the 1990s is still relevant today — at least, when it comes to Email technology. According to a new PewResearch report, 61 percent of office workers say Email is “very important” to their work productivity. That same study placed the Internet and landline phones at 54 and 35 percent, respectively. Gadget enthusiasts may be surprised to learn that only 24 percent of office workers consider cellular and smart phones very important, making mobile devices even less important than landlines. And just four percent of workers view social networking sites like Facebook, Twitter, and LinkedIn as essential.

If there’s one indispensable takeaway from this study, it’s that you need to establish and maintain an adequate and reliable Email system if you want to keep your business operating efficiently.

Email continuity equals business continuity, especially when dealing with customers and clients.

Invest in Your Email Service (or Wish You Had)

Despite being contingent on the second most popular office tool (the Internet), Email is a single web service you can spotlight within your IT strategy. Consult with your Managed Services Provider (MSP) to identify the best possible setup to meet your business needs and keep your Email running at top speed. Since your Email service is essential to your operation, it’s crucial to employ a quality, business grade Email service on a reliable server. After all, you’re likely to spend more money on lost payroll from a slow or out-of-service Email system than you would on simply upgrading it.

Whether you’re a law firm, an investment advisor, or a logistics company, your employees require swift communication channels to reach your clients.

Email Continuity

Consider using an Email continuity system to keep things running if you lose power, drop Internet connectivity, experience a server crash, or encounter an Email service disruption. There are now excellent Email continuity systems available that kick in instantly when your Email system or your Email provider goes down or breaks — so you won’t miss a beat. These systems work with workstations, laptops, tablets, and smart phones. Ask your MSP for more information.

Multiple Internet Connections

You can work around Internet outages by using multiple Internet connections at your office. For example, a dual-Internet system setup with two service providers can bail your office out of trouble when your main service provider experiences a local outage. Since ISP availability varies between areas, and since all of the tech you rely on is unlikely to break at the same time, you could use (for example) a Comcast Business cable connection as your main provider, and an XO copper over Ethernet as your backup connection. These are two distinct and independent technologies with different supply routes under the streets to your office.

Your Managed Services Provider (MSP) can even configure a Firewall so that both Internet connections can be used simultaneously and balance each other. When one breaks, the other one keeps working. This is the new way to reliably handle Internet access when “it can’t be down.”

Accessing Email via mobile Internet is a good continuity fallback plan. Just make sure in advance that your Email system is configured on the mobile devices. Also, this does not work if the Email service goes down — only if your office’s Internet access goes down. For true Email continuity with mobile devices, you should investigate Email continuity systems instead (see above).

Build Your Email System Up — and Then Out

The technical aspect is just part of a successful Email business strategy. Training your employees on proper Email procedures and practices is important for establishing a professional and efficient operation.

Implement a standardized Email signature block across your entire firm — including both your company name and logo — to help set a consistent, unified brand tone in the eyes of your customers and clients.

And don’t overlook the importance of keeping your contact databases organized — it’s easy to find yourself wasting time digging up a client’s Email address if your “books” or CRM databases aren’t regularly tidied.

For more information on building a reliable Email system, click here.

Watch Out! Protect Your Home and Office against the Internet of Things

Wednesday, January 28th, 2015

computer-305523_1280

Internet of Things (IoT) devices provide a powerful way to utilize technology to enhance everyday machines in your home or office, from wrist fitness bands to refrigerators to thermostats. The ability to monitor your home security cameras while you’re on vacation, or tell your coffee machine to skip tonight’s brew, makes life a little easier.

New Technology, New Network Security Holes

Beware!

Internet-enabled devices create new security holes that cyber criminals can exploit to steal your information. While you’re probably not storing your credit card information on your IoT washing machine, the device itself could serve as a springboard or gateway for hackers to compromise any system inside your network. The Target store hack in late 2013 is a high-profile example of how criminals can wreak havoc by exploiting an IoT device.

The Target breach didn’t start with an attack on payment servers via the Internet; instead, hackers attacked the system through an HVAC subcontractor’s authentication credentials and made their way in to the main Target network through an air conditioning IoT control device. While the Target hack did expose credit card information, the attack could have been even worse if it gathered enough information for criminals to commit identity theft or drain bank accounts.

Securing Your Network for IoT Devices: The Best Options

A network security breach is a huge productivity killer, typically requiring hours of work to secure the network and compromised personal accounts. While the IoT device security threats may be discouraging for potential technology adopters, you could be missing out on some incredible innovations by refusing to implement IoT devices.

IoT devices can be used safely in your home or business when combined with either a dual-firewall or a firewall with a De-Militarized Zone configuration to isolate Internet-connected devices and stop hackers from using them as a network entry point.

A DMZ is a separate network that sits between the Internet and your in-office or in-home network, offering a more secure environment than the Internet but less secure than your protected internal network. Devices located in the DMZ are severely limited in which other devices in the network they can communicate with, and how they do it — blocking hackers from accessing your laptop after they’ve hacked your IoT wristband.

Since IoT devices are unlikely to receive the same level of security updates and patches as computers and network hardware, they are more vulnerable to security breaches.

You can configure a DMZ with a dual-firewall configuration, or with a higher-end firewall that has DMZ capability.

Alternatively, you can configure a second wireless network that exclusively hosts IoT devices for complete network separation. Under the two-network setup, hackers that break in to IoT devices find themselves on a completely different network than the one that contains your secure information.

IoT security concerns can be minimized with the proper preemptive configuration. IT consulting firms and managed service providers (MSPs) can help you establish a secure network environment if you’re not sure how to configure your firewall(s) for DMZ protection.

Quiz – Can you Find the Malicious Email?

Thursday, December 12th, 2013

Can you Spot the Malicious Emails/s?!

email-threats

After reading through our Cryptolocker and Ransomware blog series and learning how to identify a malicious email, it’s time to put your new virus sleuthing skills to the test.

Read through the list of email subject lines and from names below.  Which email/s  are scams, and which are safe? Please feel free to comment below. We will post the answers in our next blog post.

Note: These are all real emails we have either seen, received, or that have gotten stuck in our firewall – we did not make them up.

Warning: This is more difficult than you think!

(more…)