alt tag

Posts Tagged ‘IT security’


79% of Businesses Were Hacked in 2016. Was Yours One of Them?

Tuesday, June 27th, 2017

broken-business-2237920_640

Getting caught off-guard in a cyber security attack is a disaster for any business, large or small—and the frequency of attacks is only getting worse.

According to the CyberEdge 2017 Cyberthreat Defense Report, hackers successfully compromised security at least once for 79.2 percent of businesses over the last 12 months.

These figures may be alarming, but keep in mind that all businesses can (and should) be taking proactive steps to prevent attacks, and to make a quick recovery from any breaches. Here’s how you can protect yourself, with help from a Managed Service Provider.

Increase in data breaches

Even if your business has not been attacked in the past year, the odds of staying under the radar aren’t in your favor. In 2016, businesses experienced a 40 percent increase in data breaches over 2015. The situation is especially bad for smaller businesses: 60 percent of small companies that suffer a major cyber attack go under within six months.

Less severe incidents are more common, but businesses are typically ill-prepared for them. A staggering 63 percent of small business owners report their websites have come under attack by hackers or spammers; of those attacked, 79 percent say they have no plan for what to do if it happens again. Most businesses find that mobile devices and social media services are the weakest links in their online security.

Protective Measures against Cyber Attack

The best protective measures against digital security threats are to secure networks, websites, applications, and social media platforms, and to implement a reliable backup system. The following tips provide a baseline to help your business minimize its security risks:

  • Use unique, secure passwords for all accounts including internal services, external services, email, and connected social media to prevent data breaches.
  • Activate “2-Step Verification” for applicable services.
  • Use Secure HTTP for websites and applications that pass personal information.
  • Take advantage of desktop management services; make sure computers are running up-to-date software to minimize exposure to known security holes.
  • Keep antivirus and anti-malware software updated; run scans on a frequent basis to protect from malware infections.
  • Program internally developed services to prevent SQL injection.
  • Secure the Wi-Fi/Internet and manage employee credentials.
  • Secure mobile devices, tablets, and laptops so they can be disabled if lost or stolen.

In Case of Emergency: Disaster Recovery

Ransomware is major concern for businesses these days: 61 percent of businesses say they were compromised at least once by malware demanding payment to return data. Unfortunately, some companies that decide to pay the ransom still don’t get their data back. The best thing your company can do to protect itself from ransomware is to limit the amount of damage an attack can do through backup and disaster recovery. Using the “3-2-1 backup rule” and running frequent backups can be the difference between losing all of your data permanently, and losing a single day’s work.

Digital security should never take a break. If your business is looking to build a better defense against cyber threats, the experts at MPA Networks can help with both desktop and server management. Contact us today to learn more.

Android and IOS: Is the Device Just Old, or Is It Obsolete?

Tuesday, May 23rd, 2017

clocks-33832_640

When trying to determine if a piece of technology is simply old or completely obsolete, keep in mind that there are different criteria for Android and iOS devices than for desktop and laptop computers. An employee stuck using an obsolete device is likely, after all, to argue that replacing it would increase their productivity.

On the flip side, replacing functional devices too often can spiral out of control into unnecessary expenses.

An IT consulting firm can help your business understand how long a device should remain in use, a safe time range for buying older models, and how to plan upgrade cycles.

How Long Before It’s Over?

The general rule is that a device becomes obsolete about four years after its release. This means that trying to save money by purchasing older devices on the cheap may not work out well, as they are unlikely to receive updates as long as a newer device. Usually you can buy only the most recent and second most recent smartphone devices new, but older refurbished devices are readily available.

The Issues with Old Devices

Determining if a device is aging vs. obsolete is pretty straightforward: If the employee can still complete all necessary work with the device, it is not yet obsolete.

However, older devices often have performance issues; notably, they may operate slower than the latest models. Older devices using Android often receive updates late, too, so users won’t receive security and interface improvement patches as soon as they’re available.

Obsolete Device Issues

Forbes paints a pretty grim picture of aging devices, declaring that smartphones have about two years before they’re obsolete. Still, users can typically continue on without any major problems for an additional year or two.

Once obsolete, however, many devices are prone to disruptive conditions:

  • Security updates are no longer provided.
  • Vital applications are no longer compatible with the operating system.
  • The web browser ceases to display web pages correctly.

The Apple Situation

Officially, Apple considers any product more than five years old obsolete, meaning the company tends to support their devices for a little longer than Android distributors. Apple usually supports iOS devices with the latest operating system for about four years. At this point the device will not receive updates, but it will still likely work for a while longer.

The device typically hits the obsolete category when it no longer runs the most recent version of iOS. If you buy an iOS device that’s already been on the market for two years, you’ll have to plan to replace it in another two years. A one-year-old device will be good for at least three years.

The Android Situation

Android devices have a two-tier obsolescence system in which system updates stop coming and applications stop working. Android is a much more difficult case to gauge because updates need to come through Google, go to the manufacturer, and then reach the phone provider.

Android users can expect operating upgrades for two years after the phone is released, and a few additional months of security updates; both are soft obsolescence moments. What finally ends an Android device’s life (or, at least, its usefulness) is application incompatibility after about four years, which is dependent on the developer. Most try to support the oldest version possible, but this is not always the case.

If you want to make sure your employees are using up-to-date devices that increase productivity, MPA Networks can provide an IT and productivity assessment. Contact us today.

Scheduling Security: Take Control of Your OS Updates

Wednesday, May 10th, 2017

update-1672385_640

It happens to everyone: You turn your computer back on after you intended to leave the office, or come in early to get a head start on a new project, only to be greeted by a 20-minute operating system (OS) update session. This common workplace frustration turns what should have been a four-minute job into a half-hour ordeal, forcing you to stay behind or defeating any time gains from starting early.

OS updates provide essential security fixes that keep your business safe, but the platforms have a knack for pushing updates at what feels like “the worst possible time.”

Here’s what you can do to remain one step ahead of your updates at all times.

Change the Default Settings

Don’t leave operating system updates on their default settings, because they’re likely to interfere with work when you need the devices. The solution to this productivity- and attitude-killing problem is to adjust the system settings to force the updates at a specified time when your team won’t need them. Other software, like Office, Photoshop, and web browsers, tend to be less of a problem, since their update sessions are usually much quicker.

Updates Are a Security Issue

The worst solution to update inconvenience is to disable automatic updates. While updates that don’t add any new features may seem irrelevant, they’re actually doing lots of work keeping you safe behind the scenes in areas like IT security and virus/malware prevention.

According to TrendMictro, malware and other security exploits tend to target known security holes that have already been closed through updates and patches. Instead of finding new exploits, it’s easier for hackers to continue to exploit the old ones and take advantage of users who do not update their computer software.

Schedule Around Work to Increase Productivity

Microsoft usually posts their updates on the second Tuesday of every month, which is commonly known as “Patch Tuesday.” However, this may not work well with your business if it disables employee computers Tuesday night or Wednesday morning. The ideal time for updates will differ depending on your business, but for the typical Monday-to-Friday 9-to-5 office, you will be best served by installing updates around 2 a.m. on Sunday morning. Devices can even be individually customized for each employee based on their personal schedule.

The IT Consulting experts at MPA Networks, serving San Francisco, San Mateo County, San Jose, and other San Francisco Bay Area cities, are ready to help your business make technology work for you, not against you. Scheduling updates is a desktop management and support issue, which IT Managed Services can deliver. Contact us today to find out how we can help you better manage your office computers.

The End of the Samsung Galaxy Note 7: Device Explosions Trigger Full Recalls

Tuesday, December 13th, 2016

samsung-1666557_640

In a rare move, Samsung fully recalled and discontinued production on its previously well-reviewed Galaxy Note 7 model following several verified cases of the devices catching fire. This unexpected turn of events has left a vacuum in the large smartphone and phablet product space. Businesses often rely on these devices to increase productivity on the go, as they are much easier to haul around than a full-sized tablet or laptop.

What’s going on with Samsung’s Galaxy Note 7?

Samsung issued two recalls on the Galaxy Note 7, the second of which included phones that were sent out to replace the faulty ones in the first recall.

Essentially, the problem with the Galaxy Note 7 over other faulty device recalls is that Samsung is unable to figure out exactly why these devices are exploding. Samsung initially thought it was a problem with defective batteries from a supplier, but the fires continued with the new models.

This issue is confined to the Galaxy Note 7: Galaxy S7 and Galaxy S7 Edge. Older Samsung smartphones are not affected. However, Samsung has made the news over defective product problems in the past, including washing machines and microwaves.

Consumer Confidence and Recall Fallout

Because of the safety problems with the devices and tarnished branding, Samsung has discontinued the Galaxy Note 7 product line. The FAA banned Galaxy Note 7 devices from airplanes, even when powered down. According to CNET, 40 percent of people surveyed claim they will not purchase another Samsung phone after this debacle. And while the publication notes that this survey may represent a higher share than reality, there’s no question that the brand has been damaged by bad PR.

The same survey reports that around 30 percent of people will switch to iPhones, while the other 70 percent will switch to a different Android manufacturer. While Samsung’s reputation will certainly take a hit from the Note 7 recall, and Android’s market share will dip slightly, claiming it’s “doomsday for Android” is an exaggeration based on market data.

About Lithium-Ion Battery Safety

Lithium-Ion batteries, which are found in just about every device with a rechargeable power source, are prone to catching fire in overheating, overcharging, and physical damage situations. Issues including swollen and punctured batteries can happen to any phone or device using these batteries. Such problems are, of course, a major safety issue, as the devices can burn people and/or start larger fires.

Galaxy Note 7 Alternatives

Even if your employees love their Galaxy Note 7 devices, they’re not safe to use and should be replaced. Several other viable large-form smartphones on the market can replace most, if not all, of the Note 7’s functionality. Android Community recommends the following devices:

  • Samsung Galaxy Note 5 (there was no Galaxy Note 6 model)
  • Samsung Galaxy 7 Edge
  • LG V20
  • Google Pixel XL
  • Xiaomi Mi 5
  • OnePlus 3
  • Huawei P9 Plus
  • ZTE Axon 7

Alternatively, your employees could look at switching to an iPhone 7 Plus or larger Windows Phone device.

For help improving your business IT productivity and guidance in finding the right technology solutions for your company’s specific needs, contact the experts at MPA Networks today.

Hack of 500 Million Yahoo Accounts Reminds Industry to Increase Security Measures

Wednesday, November 23rd, 2016

password-397652_640

In September 2016, half a billion Yahoo account users received the bad news that their names, email addresses, phone numbers, and security questions were potentially stolen in a 2014 hack.

According to CNET, the Yahoo hack is the largest data breach in history.

In the wake of a major hack like this one, the only silver lining is a powerful reminder for businesses to review their IT security practices. In the case of the Yahoo breach, hackers can use the stolen information to compromise other employee accounts and further extend the reach of the hack. Here’s how they do it, and what you can do to stop them.

The “Forgot My Password” Reverse Hack Trick

Hackers can steal information from many accounts with the information taken from a single account. If you’ve set your Yahoo email address as your “forgot my password” account for other services, a hacker can use a password reset and reminder commands to compromise even more important accounts. Hackers can use stolen security question answers here to obtain other account credentials as well.

The “Same Password, Different Account” Hack

Memorizing a different password for each account is pretty much impossible for the average person. Most people end up using the same password for many accounts. For example, if you own the email addresses “myemail@yahoo.com” and “myemail@gmail.com” and use the same password for both, it’s likely that a hacker who stole your Yahoo password and security questions will try them on the account with the same name on Gmail.

Password Theft Prevention Strategies

Security breach prevention starts with a strategic security plan and a series of best practices:

Account-Specific Logins and Passwords. One way to prevent a hacker from using your stolen username and password on another account is to create site-specific login and password credentials. This is easily accomplished by memory by adding a site-specific prefix or suffix for each account. For example, your Yahoo and Gmail credentials may be “myemailYHOO/YHOOP@ssw0rd” and “GOOGLmyemail/P@ssw0rdGOOGL” respectively. Alternatively, password managers are an easy way to manage login credentials across accounts and generate random passwords.

Secure the Fallback Account. We’ve previously discussed the security benefits of “two-step verification” as an effective way to keep hackers out of your accounts even if they manage to steal your password or security question answers. Make sure all of your accounts that feature a “forgot my password” function lead back to a “two-step” secured email address.

Update Passwords Frequently. Typically, hackers use your stolen information immediately to access your accounts and steal your information. That’s why frequent password changes are often considered a waste of time. However, the Yahoo hack bucks this trend as the information being released in late 2016 came from 2014.

IT security and password protection are an essential part of doing business in the modern digital world. Contact us today for IT consulting advice for better security practices and managed services assistance to help keep your business’s confidential information safe.

Massive IoT DDoS Attack Causes Widespread Internet Outages. Are Your Devices Secured?

Tuesday, November 1st, 2016

finger-769300_640

As you probably know already, the United States experienced its largest Internet blackout in history on October 21, 2016, when Dyn—a service that handles website domain name routing—got hit with a massive distributed denial of service (DDoS) attack from compromised Internet of Things (IoT) devices. The day will be known forevermore as the day your home IP camera kept you from watching Netflix.

The writing has been on the wall for a while now when it comes to IoT security: We’ve previously discussed how IoT devices can be used to watch consumers and break into business networks.

This specific outage is an example of how the tech industry is ignoring security mistakes of the past and failing to take a proactive approach in protecting IoT networks.

The Outage

The October outage included three separate attacks on the Dyn DNS provider, making it impossible for users in the eastern half of the U.S. to access sites including Twitter, Spotify, and Wired. This attack was different from typical DDoS attacks, which utilize malware-compromised computers to overwhelm servers with requests to knock them offline. Instead, it used malware call Mirai that took advantage of IoT devices. These compromised devices then continually requested information from the Dyn servers en masse until the server ran out of power to answer all requests, thus bringing down each site in turn.

This outage did not take down the servers hosting the platforms, but rather the metaphorical doorway necessary to access those sites.

Ongoing Security Concerns

According to ZDNet, the IoT industry is, at the moment, more concerned with putting devices on the market to beat competition than it is with making devices secure. IoT devices are notably easy to hack because of poor port management and weak password protection. IoT devices are also known for not encrypting communication data. October’s attack wasn’t even the first of its kind: A 145,000-device IoT botnet was behind a hospital DDoS attack just one month prior.

What You Can Do

MacWorld recommends changing the default security configuration settings on all IoT devices and running those devices on a secondary network. The Mirai malware works simply by blasting through default username and password credentials—so users could have protected themselves by swapping the default “admin/admin” and “password/password” settings. There are also IoT security hub devices available to compensate for IoT security shortcomings.

IoT devices can offer fantastic perks for your office, but the security concerns are too important to ignore. If you’re interested in improving network security pertaining to IoT devices or looking for advice on which IoT devices would benefit your workplace, don’t hesitate to contact MPA Networks today.

Are Comatose Servers Draining Your Wallet and Leaving You Vulnerable?

Tuesday, August 30th, 2016

bones-1294357_640

Those old servers your business no longer uses—and keeps running anyway—are more than just a security risk: They’re hurting your firm’s bottom line.

The term comatose server describes a functional server, connected to a network, that sits idle virtually all of the time. If your business is running three servers, there’s a high chance that at least one of them is a “zombie server.” 

30 percent of all servers are comatose. This means that approximately 10 million servers across the planet are sitting around doing nothing productive.

According to the Wall Street Journal, most companies are better at getting new servers online than taking old servers offline. A managed service provider (MSP) can help your business identify inactive servers and dismantle them, both to reduce costs and improve security.

Security Concerns

A comatose server can be a major security risk for your business. Unlike that shiny new server running the latest software, the old one is likely running a legacy operating system necessary to utilize older applications. These forgotten servers are also unlikely to receive security updates. If hackers are looking to break into your business network, they are going to have an easy time breaching an outdated system with established security exploits. Because even though these servers aren’t being used, they are likely to hold important—or even confidential—information.

Wasting Electricity

That’s not all, says the Wall Street Journal. The 3.6 million zombie servers in the United States are also wasting a staggering 1.44 gigawatts of electricity—enough to power every home in Chicago. While your business’s unused servers are just a drop in the bucket compared to the national problem, you’re still looking at a hefty energy bill to keep a dormant server running over time. If we consider that, on average, electricity costs 12 cents per kWh in the U.S., that means running a 850-watt server costs about $890 a year. Two comatose servers wasting energy for five years total nearly $9,000 in electricity expenses—money your business could save just by flipping a switch.

Hunting for Zombies

An IT consulting service can help your business identify and dismantle comatose servers. The process involves identifying every server your business owns and runs, and determining which ones aren’t being used anymore. Some older servers may not be running domain-name-system software, so they may not show up when searching the network directory—meaning you may need to hunt them down manually.

Of course, it’s unlikely that a smaller firm has more than a handful of servers, so creating a server inventory is often as straightforward as looking at the office server rack. Businesses that have a much larger group of servers to work with may need a network scanning tool to find servers. But remember: The savings and security benefits begin as soon as the comatose servers are turned off.

Password Managers and Recovery Strategies

Tuesday, August 16th, 2016

password-397656_640

Secure passwords and recovery strategies are an essential part of doing business in the digital age—and password manager programs can help streamline the process.

Password managers store and, often, automate login credentials for individuals across all secured online platforms for easy, secure, and fast access.

Why You Need It

Password-related IT security is an always-hot topic in the tech world; new reports of password security breaches are still hitting headlines with alarming frequency. In June of 2016, hackers hit remote desktop access service GoToMyPC® with a sophisticated attack, causing the company to send out a mass password reset to all of its users. Security breaches like these are a good reminder of why your business should use a password manager.

Everyday Use

Using the same password for every platform is problematic for the obvious fact that hackers can use that one password to break into several accounts. Your best bet is to use different passwords for different platforms—but trying to remember them all can, of course, be a challenge. For services you use infrequently, a password manager can improve productivity by helping you avoid tedious password search and reset processes.

Naturally, the biggest advantage of password manager platforms is that they allow you to easily create and store complex, hack-proof passwords. What do those look like? Here are a few tips: Secure passwords should use 10-12 characters with a mix of capital letters, lowercase letters, numbers, and symbols. And since it’s admittedly difficult for humans to remember 12+ character passwords that look like someone punched a keyboard, a password manager can come to the rescue.

Restoring Secure Access

When it comes to passwords, the best defense is a good offense—but breaches are going to happen. According to PCWorld, password leaks should be treated more like a “when” situation than an “if” situation.

Password managers can help you each step of the way, from locking down compromised accounts to restoring access on all devices so your employees can get back to business like nothing ever happened. After you regain control of the account, the password manager can generate a new, secure password. Additionally, the program will restore access on all of your connected devices by entering the new password in a single location, saving you the time and hassle of re-entering each new password on your work computer, personal desktop, personal laptop, smartphone, tablet, etc.

If you’re worried about password security, talk to your IT consulting service. A local MSP can help your business establish and implement secure password practices and manage them with ease. Check out PC Magazine’s list of top password managers for 2016 for a closer look at your best options.

Defend Your Network Against Advanced Persistent Threats

Tuesday, July 12th, 2016

computer-1500929_640

If you’ve looked over our previous posts since we’ve started our blog, you know how serious we are about protecting your company from everyday cyber-threats—mainly phishingransomware, and various other malware. Today we’d like to discuss a different form of cyber-threat plaguing businesses over the past decade: what the security community has termed advanced persistent threats, or APT.

What exactly is “persistent” about APT? Most hacking attacks can be classified as “smash-and-grab robbery”: Break into a network and make off with anything of value—user identities, account numbers, cash—and disappear before anyone notices.

An APT attack compromises a network’s defenses and stays as long as possibleweeks, months, or years—discreetly infiltrating servers, eavesdropping on email, or discreetly installing remote bots or trojans which enable deeper espionage.

Their primary goal is information—classified material, trade secrets, or intellectual property—that might draw interest on the black market.

Robbery, Inc.: A Worldwide Enterprise

While unsophisticated hackers might lurk in the shadows like criminal gangs, APTs often emanate from professional environments not unlike a prosperous Bay Area tech company—posh high-rise offices, full-time employees with salaries and benefits, and formal product development teams. The difference is they’re conducting business in China, Russia, and other cyber sanctuary nations where international cybersecurity is unenforced and intellectual property laws don’t exist.

The more extensive an APT infection, the harder it is to isolate and eradicate it—like cockroaches under a kitchen sink. Many enterprise IT managers simply accept APT as a fact of life—conceding that trying to combat these intrusions would actually encourage the culprits to dig deeper into the network.

So if APT makes long-term data theft inevitable, how can you still protect yourself? Make the stolen data unusable.

Alphabet Soup? Fight APT with DLP

The second acronym we’ll talk about today is DLP: data leak protection. DLP encrypts sensitive data so that it can only be accessed by authorized users or workstations with a corresponding decryption key. If that data is intercepted by an APT, it’s rendered unreadable—and worthless.

Multiple name-brand security vendors offer a wide range of turnkey DLP solutions. Low-end products will automatically encrypt data which follows specific patterns (Social Security numbers, 16-digit credit cards), while high-end products can be configured to use complex algorithms and language analytics to locate and protect other specific forms of confidential data (such as client files, product designs, or sales figures). When unauthorized access is suspected, files can be temporarily quarantined against a possible data breach before they leave the company network.

Are APTs already lurking within your network? What proprietary data can your business not afford to lose? How can you evaluate DLP products to find the best solution for you? Talk to us for help.

The “Wearable Revolution”: Is Your Company Prepared?

Thursday, July 7th, 2016

smart-watch-821559_640

It’s a fair bet that one of your employees has already shown off a trendy new wearable gadget around the office. What began with Bluetooth earpieces would branch off into smartwatches, smart glasses, wrist-worn fitness trackers, and even smart clothing (including a smart bra!) Research firm Gartner forecasts sales of over 274 million wearable technology products in 2016—soaring past 322 million by 2017.

New Technology = New Targets for Hackers

For better or worse, wearable devices are on their way to becoming part of everyday life—including the workplace. But while manufacturers race to pack every new gadget with interesting bells and whistles, hackers and cyber-crooks are looking for emerging security weaknesses to exploit.

What are the potential security risks with wearable devices?

No Password Protection. Many wearable devices on the market—including high-end fitness trackers with email and social media connectivity—access external networks and store data without the password/PIN protection, biometric authorization, or other user authentication we’ve come to expect on smartphones. If the device is physically lost or stolen, that data is virtually exposed to anyone.

Unencrypted Data. A lack of standard encryption is also an issue for many wearables—either unencrypted files stored locally on the device or unsecured wireless connections when synced with smartphones or other host devices (Bluetooth encryption is avoided as it often causes additional battery drain).

A Spy’s Dream? James Bond (circa the “Goldfinger” era) probably would have loved the miniaturized functions of a modern smartwatch—in particular its ability to record still images, video, and audio. But if that device is hijacked by a malicious hacker, it may become a mobile portal for industrial espionage, either stealing recordings or eavesdropping in real time.

But That’s Not All… If the above reasons weren’t enough to be wary of the influx of wearable devices, a 2015 study released by the University of Illinois revealed that monitoring the electronic motion sensors on a Samsung Gear smartwatch could determine words typed on a keyboard! Think about that before you write your next confidential email or memo.

Where Do Wearables Fit In to Your BYOD Policy?

While wearables are increasingly common on and off the job, they represent an undefined grey area for business IT security. Many operate on their own platforms and aren’t compatible with most MDM solutions designed to regulate smartphones and laptops. Permissible onsite use of wearable devices will need to be incorporated into your company’s formal BYOD policy, which we’ve recommended that our customers define in writing.

Are your employees’ wearable devices a potential “weakest link” in your security chain? For ideas and solutions, talk to us.