Cyber Security

12 posts

Email’s High Risk Threat

Protecting from cyberthreats requires strong layered security

Email filtering technology is one of the layers many businesses neglect. Email protection as part of your overall security services reduces your vulnerability to targeted email attacks that can potentially cause damage to multiple applications in your network.

Email is the #1 attack vector used by cybercriminals

One wrong click can bring down an entire network and the business depending on that network. Deploying powerful, professional-grade email filtering technology can help reduce the risk of cyberattacks and ensure greater uptime and business continuity.

Mitigate risk with strong email security built for your business

It’s important to assess your risks and implement email security with the right combination of security layers, such as web protection, patch management, firewall management, strong password management tools, and endpoint protection—including a solid backup solution. 

Cloud-based applications still need specialized protection

Many business folks question why they need extra security when using cloud solutions like Microsoft 365 or G Suite, assuming cloud-based solutions and collaboration tools take care of all their security and data retention needs for them. While these services are generally secure and constantly improving their security technology, nothing is perfect. These industry giants are key targets for cybercriminals. Recently, the U.S. Federal Bureau of Investigation issued a warning of hackers targeting Microsoft 365 accounts and Google Suite with business email compromise attacks. A layered security approach with reliable security solutions deployed in your business can make the difference between losing business due to a data breach or winning new business due to having a reputation for trust and protection.

Sources

1 – “2019 Data Breach Investigations Report,” by Verizon @ https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report-emea.pdf (Accessed September 2020).

2 – “Watch out for Office 365 and G Suite scams, FBI warns businesses,” Naked Security by Sophos @ https://nakedsecurity.sophos.com/2020/03/10/watch-out-for-office-365-and-g-suite-scams-fbi-warns-businesses/ (Accessed September 2020).

Utilize Systems Monitoring To Meet HIPAA Requirements

All systems monitoring should be configured to facilitate HIPAA compliance. However, the first step is to deploy systems monitoring to all devices resident on the health care provider’s network. This often forgotten area of technology management needs illuminating to help bring some order and methodology to deploying activities that keep your medical enterprise fully HIPAA compliant.

HIPAA Security Rules specifically outline US national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI). The HIPAA Security Rules are divided into 3 distinct categories and below is a summary of each.

  • Administrative Safeguards. This section of the HIPAA security requirements is focused upon establishing a risk analysis process, with periodic reviews, assigning security management responsibilities, formulating security policies and procedures and establishing appropriate workforce security training.
  • Physical Safeguards. This section of the HIPAA security requirements is focused upon securely controlling physical access to data processing facilities, workstations and devices as well as physical media which contain PHI (personal health information).
  • Technical Safeguards. This section of the HIPAA security requirements is focused upon establishing specific technical security controls which aim to protect PHI via the following key aspects: data access control, data & access auditing, integrity and transmission security.

Below is a detailed description of each HIPAA related configuration item and the required guidance towards a HIPAA compliant configuration. As per the HIPAA requirements, for items listed as “Addressable” the entity must perform one of the 3 options: 1) Implement the required control as stated 2) Implement an alternative control which meets the intent of the original control 3) If implementing neither, document the technical and/or business constraint which prevents them from doing so. For items listed as “Required” the entity is required to implement this control as stated.

164.308(a)(3)(ii)(C) – Terminating Access

Addressable

Have you implemented procedures for terminating access to EPHI when an employee leaves your organization or as required by paragraph (a)(3)(ii)(B) of this section?

» Recommendation: Utilize the systems monitoring dashboard to remotely remove terminated employees from all in-scope EPHI related systems.

164.308(a)(5)(ii)(A) – Security Reminders

Addressable

Do you provide periodic information security reminders?

» Recommendation: Utilize systems monitoring to push periodic reminders to the in-scope workstations.

164.308(a)(5)(ii)(B) – Malicious Software

Addressable

Do you have policies and procedures for guarding against, detecting, and reporting malicious software?

» Recommendation: Systems monitoring provides managed antivirus services that guard against, detect and report malicious software.

164.308(a)(5)(ii)(C) – Monitoring Logins

Addressable

Do you have procedures for monitoring login attempts and reporting discrepancies?

» Recommendation: Utilizing the systems monitoring dashboard, develop procedures to periodically review audit logs and login attempts.

164.308(a)(5)(ii)(D) – Password Management

Addressable

Do you have procedures for creating, changing, and safeguarding passwords?

» Recommendation: Via the centralized management capabilities of the systems monitoring dashboard, develop procedures to create, change and safeguard passwords.

164.312(a)(2)(i) – User Identity

Required

Have you assigned a unique name and/or number for identifying and tracking user identity?

» Recommendation: Systems monitoring requires each user ID to be unique and tracks activity by user ID. Further, ensure there are no shared user accounts within the client environments you manage.

164.312(a)(2)(iii) – Inactive Sessions

Addressable

Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity?

» Recommendation: Systems monitoring automatically times out inactive user sessions.

164.312(a)(2)(iv) – Encrypting EPHI Data

Addressable

Have you implemented a mechanism to encrypt and decrypt EPHI?

» Recommendation: Systems monitoring mail automatically and transparently encrypts all mail archives with secure AES 256-bit encryption, thereby protecting any EPHI information potentially contained within the archive.

164.312(b)(2) – Audit Reporting

Required

Have you implemented Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI?

» Recommendation: User audit reports are dynamically generated by default and can be accessed at any time via the systems monitoring dashboard. Develop procedures to periodically review and investigate any discrepancies.

164.312(d) – Authentication to EPHI Data

Required

Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access to EPHI is the one claimed?

» Recommendation: Consult with your client and determine the appropriate level of security. Then implement strong password authentication and, for further security, configure the systems monitoring dashboard to validate source IP addresses.

164.312(e)(2)(ii) – Encrypt EPHI Data in Transit

Addressable

Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate?

» Recommendation: Configure systems monitoring mail to only transmit email traffic via IMAPS (IMAP over SSL) as this will securely encrypt and protect EPHI transmitted via email over the Internet.
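
The following is an added example, not part of the original post or of any monitoring product. It shows a periodic review of a login audit log that applies three of the checks above: activity by terminated accounts, failed-login bursts, and source IP validation. The log format, user IDs, address range and thresholds are assumptions constructed for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit log: timestamp, user ID, source IP, result.
SAMPLE_LOG = """\
2020-09-01T08:00:00,jdoe,10.20.0.15,SUCCESS
2020-09-01T08:05:10,asmith,10.20.0.22,FAIL
2020-09-01T08:05:40,asmith,10.20.0.22,FAIL
2020-09-01T08:06:05,asmith,10.20.0.22,FAIL
2020-09-01T08:07:00,asmith,10.20.0.22,SUCCESS
2020-09-01T09:30:00,bnurse,10.20.0.31,SUCCESS
2020-09-01T23:14:00,jdoe,203.0.113.50,SUCCESS
"""
TERMINATED = {"bnurse": datetime(2020, 8, 28)}  # user ID -> termination date (constructed)
ALLOWED_NETS = [ip_network("10.20.0.0/16")]     # assumed practice address range


def review_logins(log_text, terminated, allowed_nets, max_fails=3,
                  window=timedelta(minutes=10)):
    """Return (rule, user, timestamp, detail) findings for periodic review."""
    findings, recent_fails = [], defaultdict(list)
    rows = sorted(csv.reader(io.StringIO(log_text)), key=lambda r: r[0])
    for ts_text, user, src, result in rows:
        ts = datetime.fromisoformat(ts_text)
        # 164.308(a)(3)(ii)(C): activity after termination means access was not removed.
        if user in terminated and ts >= terminated[user]:
            findings.append(("terminated-account", user, ts_text, f"{result} from {src}"))
        # 164.312(d): successful login from outside the approved networks.
        if result == "SUCCESS" and not any(ip_address(src) in n for n in allowed_nets):
            findings.append(("unapproved-source", user, ts_text, src))
        # 164.308(a)(5)(ii)(C): repeated failures inside a sliding window.
        if result == "FAIL":
            fails = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            recent_fails[user] = fails
            if len(fails) == max_fails:  # report once, when the threshold is reached
                findings.append(("failed-login-burst", user, ts_text, f"{len(fails)} failures"))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG, TERMINATED, ALLOWED_NETS):
        print(*finding, sep=" | ")
```

Each finding is a discrepancy to investigate and document, not proof of compromise.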

Network Solutions Email Problems

Just received this update from my Exchange service provider about email problems with Network Solutions.

Service Advisory: [my provider] has discovered a possible issue with certain Network Solutions name servers. When looking up DNS information for domains hosted on Network Solutions or when querying Network Solutions name servers, we have seen intermittent time outs. This issue was discovered when a customer reported bounce backs for people trying to send them mail. People sending to domains hosted on these servers may receive similar bounce backs. After some research, we found reports of similar issues by other companies (outside of [my provider]) and reports from Network Solutions stating that there may be a Denial of Service Attack (DDOS). We will monitor this issue and provide an update when the issue has been resolved by Network Solutions.

Such a shame that a company the size of Network Solutions allows this to happen. Top shelf Dynamic DNS provider Dyn, aka Dynamic Network Services, Inc and DNS provider OpenDNS figured out DNS long ago.

If it were my business depending on email, I would think seriously about deploying excellent hosting from Bluehost with DNS from OpenDNS and Dynamic DNS from Dynamic Network Services, Inc.

Bluehost consistently makes it into the top hosting companies acclaimed “the best and brightest of the hosting world” by WordPress.

Family Internet Protection

Easily Block Adult Web Content From Your Family’s Internet

OpenDNS, one of the world’s top DNS providers, created FamilyShield, a free tool to help your family secure your Internet connection from Adult websites that are unsuitable for children, malware and virus websites and phishing websites that steal your personal information.

You can protect your family by following several very simple steps.

Navigate to the OpenDNS FamilyShield page and click “Set up FamilyShield”.

Enter your email address and click "Let’s Begin!" or click "continue" to continue setup without signing up.

Select Router or Computer.

Follow the simple instructions for your particular setup and you’re done!

I’ve used OpenDNS as a least cost/first deployment tool for years. If you want to monitor Internet usage as well as block and unblock websites, try the OpenDNS Basic product, also free, but it requires some additional configuration. Combined with a computer security product, your computers and laptops will run secure for years. And your family will be protected from the dark side of the Internet.

Interested In A Used Copy Machine

Next time you turn your copy machine back to the leasing company, you might want to consider cleaning it up a bit. No, I’m not talking about the dust and coffee stains. This video will knock your lights out.

The good news: most copy machine manuals detail the process to delete data on the machines. Copy machine manuals can easily be found on the Internet. Or, pull the drive from the machine and wipe it or replace it with an eBay drive.

Great News For Small Business – Free Security Software

If your small business has ten or fewer computers, you can now install Microsoft Security Essentials for free.

Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.

Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.

Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.

I’ve used Microsoft Security Essentials for some time now and have had good success with it. A ten computer license for ESET Smart Security costs $509.90 for one year. Microsoft just handed you enough money to purchase a new desktop computer every year. Sounds like a great offer to me.

Beware Of Twitter User Name Identity Theft

Strangest thing happened to me the other night while I reviewed Google alerts that watch my name, company name and social networking user names. I like to keep an eye out for strange happenings so I’m not blindsided by something. The Google alert for my Twitter username picked up one of my tweets.

I thought that strange so I investigated. Upon clicking the link, I was directed to this Twitter site:


Looks like my Twitter page, but it’s not. After I reviewed the tweets, I decided to delete a couple then tried to log on to my Twitter account. Suddenly, IE security kicked in, alerting me to the account information phishing scam.


Seems that someone’s after unsuspecting Twitter users. So, time for all of you IE users to update your web browsers to the latest versions. I’m glad I did.

QuickBooks PCI Compliant

Beginning in 2004, the single most important question that merchants need to ask about their business software has to do with PCI Compliance. “The Payment Card Industry (PCI) has created the Data Security Standards (DSS) in order to support merchants. Credit Card companies now require merchants to be aware of and compliant with the Data Security Standards… Merchants, Is Your POS System PCI Compliant?”

Point of Sale or POS systems bear the brunt of the load when it comes to credit card transactions in the modern retail sales business establishment. It’s nice to know that according to VISA’s List of Validated Payment Applications, Intuit’s QuickBooks ranks as a fully PCI compliant software. I consistently recommend QuickBooks Merchant Services to clients mostly because it mitigates PCI risk.

I also recommend that people use the old style dial out or dual IP-dial out credit card terminal that uses a standard telephone line whenever possible because it shifts PCI compliance back to the merchant service provider. Avoid the newer network type terminals because no typical small business network can pass PCI’s muster without the business spending a great deal of money on special firewalls and logging software.


I’m simply amazed that since 2004, credit card companies and banks have successfully shifted the risk of data breach to merchants that use their services all while building inherently less secure transactional hardware and software APIs simply because of the need to connect through the Internet.

Merchants are in a terrible position. Check out this video.

The bankers birthed an entire new business model on unloading credit card risk to merchants. Kind of reminds you of the ridiculous fees and interest rates we are paying to the same banks.

Millions tricked by 'scareware'

Great article on BBC this morning detailing the “security” software forced on unsuspecting computer users. Fortunately, two simple solutions will stop this dead in its tracks.

Use OpenDNS when configuring your home or office network. Your web browser will not go where a name cannot be resolved to an IP address.

Use a UTM device for your firewall. Unified Threat Management should be the choice of any educational or business entity. This year, UTM is now affordable to home network users.

If all else fails, buy your security software from a reputable manufacturer.

Secure WordPress With Proactive Upgrade Management

Frank Corso wrote an excellent plugin called Quote Master. It adds a widget that displays random quotes, as well as other features, which I’ve used to display "Murphy’s Law" on my sidebar for some time now. With a bit of a hack, I added my "Murphy’s Law" tidbits by replacing Frank’s quotes.


With Frank’s latest plugin release, his architecture completely changed, so I’ve removed "Murphy’s Law" from my site for a while. This situation got me to thinking about my view of WordPress security and the necessity to proactively perform upgrades.

Once upon a time, the upgrading ordeal consumed much of my time. Today, thanks to Matt and team, upgrading is a breeze. My favorite quote from Matt’s article, "How to Keep WordPress Secure" reads like this:

“A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)”

I use "Upgrade Notification by Email" by Konrad Karpieszuk to send me a daily notification if any of my WordPress installations are out of date. I believe in proactively upgrading the WordPress core as well as plugins and themes, so much so that I will lose functionality such as Murphy’s Law, for a brief time.

If I manage your WordPress installations, you can rest assured that your WordPress will be up to date and secure. If I don’t manage your WordPress installations, contact me.