IT Support Blog for Small Business Owners

Think like a Hacker: How would you break into your company’s IT?

Posted by David S. Mulvey on Fri, Dec 30, 2016

Do You Have Weak Domain Passwords?

A company’s own users are usually the most vulnerable point of attack; and unfortunately, the most common point of entPassword-Hacking.jpgry for a hacker. Weak domain user passwords can easily be guessed and discovered. But you can avoid this with strict user authentication standards. Businesses have to teach their employees about proper password best practices. For instance, secure passwords should be at least 8 digits long, include a capital letter and a number and a symbol. You should also require that user passwords are updated every 90 days.  By implementing these two simple practices you can make a hacker’s job almost impossible to break your domain passwords and gain access to your network.

Local Administrator Password Attacks

Once a hacker has access to your administrative passwords, they essentially have control over your whole network. Local IT administrators can become lax in their password security, especially if they work in a small office that has not had a recent cyber security scare. All non-IT employees in a company should not have administrator access rights. Only provide domain administrator rights or the keys to the kingdom to a manager and your IT employee or IT service provider. By securing most of your employee’s access rights you really increase your chances of not being hacked.

Written Passwords Are Easy Prey for a Hacker

Passwords that have been written down are always considered to be a risk factor. Who has access to your office and can copy down all of your written passwords? Your night time cleaning company, a plumber, a visiting client or vendor? It’s extremely important to let your employees know that it is a company security policy to not write down any user ID’s or passwords.  Discuss your policy with everyone, insure that writing down passwords is akin to giving your company checking account out to non-employees.

Insufficient Password Segmentation

Another issue that often arises within smaller businesses is that a single password may create a domino effect, giving a hacker access to your entire network. With insufficient network segmentation, a hacker only need to be able to hack a single password, and with that single password, gain access to every server, every application and all of your company data. Implementing password segmentation, a hacker will only be able to access a very limited amount of data, designed for a single user. You can also ask your IT department or IT service provider to isolate critical databases from other servers on your network. Using physical isolation is just as effective as using limited password segmentation.

You can see here, that by implementing some passwords best practices, which are not that difficult to add, you can drastically improve your chances of not being hacked. Dont ignore recent cyber security attacks!  Remember to think like a hacker, and secure the easy stuff before you work on the harder and more expensive stuff. Chances are, by taking a few simple actions you can make a hacker move on to an easier target to attack.

Security Management

Topics: IT security, IT Cyber Security Issues, IT Password Security, Hacker

It’s Not Okay to Ignore these Recent IT Cyber Security Issues

Posted by David Mulvey on Wed, Mar 04, 2015

IT Cyber SecurityFebruary showers bring May flowers. Well that’s exactly how things are not going in Philadelphia nor is that what is happening with IT cyber security! February 2015 brought three important IT security issues to every IT department to contend with. If you had outsourced your IT security to ANP these would not be your concern, ANP would have handled them for you. However, if you are doing your own IT here are three big issues you should be proactively addressing:
  1. If you user use Firefox, update it now. Open Firefox, click on the little square icon near the top-right of your screen that is composed of three horizontal bars. Then click the question mark for “help”. Third, select “About Firefox.” Firefox will automatically download the latest version. The latest version, just released, includes important security patches that you need. Want to learn more, Click HERE.

  2. If you company uses Lenovo laptops, uninstall Superfish now. Starting in as early as 2010, Lenovo has pre-installed Superfish on some of their laptops. This junk-ware software is vulnerable to man-in-the-middle attacks. This means websites, such as banking and email, can be spoofed without a warning from the browser. Remove the application immediately. Want to learn more, Click HERE.

  3. Install Microsoft's Critical Security Update Now. Microsoft has released a critical security update to address multiple vulnerabilities in Internet Explorer. Exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system if the user views a specially crafted webpage. This security update is rated critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. Want to learn more, Click HERE.

As an IT Professional you simply cannot become lackadaisical regarding the patching of your IT environment. As an IT manager I often find that my IT professionals are so busy with their day-to-day responsibilities that it’s almost impossible to expect them to remain up to date with the latest IT Cyber security issues. I often visit the United States Computer Emergency Readiness Team website which is run by the Department of Homeland Security. The website is an excellent resource for all things cyber-security! Check out the US-CERT website by Click HERE.

 

Request A Free Network Assessment

Topics: IT security, IT Cyber Security, IT Cyber Security Issues

Is Your Network Security Adequate? Think Again!

Posted by Michael Silverman on Tue, Feb 18, 2014

network security resized 600Back on February 7th, NBC reported on potential security risks at the Olympic Games.  There was a lot of controversy about the article itself, but, accurate or a hoax, IT security doesn’t get the attention it should in small businesses.  More and more organizations, large and small, are being audited either by regulatory agencies or by existing or potential clients.  Years back, news was about virus attacks, followed by malware; today we’re regularly hearing about hacking.  Everyone wants to know their data is secure.

Data security is critical to ANP’s network management practices.  We protect data by leveraging “organizational wide” network security management best practices.  Having a firewall, unique passwords, and anti-virus programs might feel adequate, but times have been changing.  It’s critical to look closely not only at the IT infrastructure within your offices, but also at equipment owned by your staff and maybe even your vendors.

As I’m writing this blog, I’m sitting at home on my personal computer connected to the office.  There are lots of options for remote workers these days, but there are also network security risks that need to be mitigated if you have a mobile or remote work force.  Let’s touch on a few.

Home computers are usually vulnerable to viruses and malware due to lack of ongoing management and “the kiddie factor.”  Microsoft and other vendors do an adequate job of providing anti-virus and malware support for home computers, but only if the tools are leveraged and leveraged correctly.  If virus or malware activity infects your home computer and it is connected to the office network, you’ve just introduced a “back door” network security risk.  Could your organization be vulnerable to a home-based worker?

What about mobile devices like smart phones and tablets?  Apple iPhones and iPads are acknowledged to be natively more secure than Android devices.  Do your employees use both for connecting to the office?  You may limit their use to email, but do you also allow them into the office?  Onto the office wireless network?   ANP regularly performs Network Assessments for prospective clients.  It’s surprising to see how few companies segment their networks, restricting mobile device traffic solely to guest wireless networks.  There are also data security risks associated with email on mobile devices.  Just last week we completed an assessment for a company that was sending unsecured email to mobile devices, risking precious client information being shared with the outside world.

What about inside your offices?  Firewalls are designed to protect your network, and they do, but they are only one piece of the network security equation. Some of my clients leverage Intrusion Detection software to further analyze traffic passing through their firewall.  Though this software can be pricey, understanding the data these systems produce reinforces the need for a strong network security policy and operational discipline.  

In a 30-day period, I’ve seen “locked down” firewalls allow attempts at accessing servers from almost 20 different countries around the world.  That’s why network security is about a “system” of hardware, software, and operational procedures tightly woven to protect the organization and its sensitive data.

IT Security Equation

Here are a few questions to discuss with your IT staff or outsourced provider. Your answers will determine the next steps needed to establish appropriate levels of network and data security in your business:

  • How old is our Firewall and how current is its Operating System?
  • What is our Server and Workstation Patch status and update process?
  • Do we have any Windows XP computers in our network?
  • What is our password management strategy?
  • How do we control and manage access to sensitive information on our Servers?
  • Do we have a guest wireless network for employee smart phones and guest traffic?
  • When is the last time we had an outside network security Assessment?
Have any questions or comments? Interested in a free network assessment? Click the button below.
Request A Free Network Assessment

Topics: data security, IT security, network security, network assessment

Data Security Breaches: Not just a Big Business Threat.

Posted by Scott Persechino on Mon, Feb 17, 2014

data security breach resized 600If a big company like Target or Neiman Marcus can suffer a Data Security Breach, it can certainly happen to your small company. In fact, it’s probably more likely to happen. And though no business, big or small, is ever guaranteed to be completely protected from a data security breach, if a company does not take the proper proactive security steps, it will almost definitely happen.

After millions of shoppers fell victim to massive data breaches at Target and Neiman Marcus, investigations revealed that the mastermind behind the malware used in the attacks was a 17-year-old boy. For reference, malware is destructive computer software that interferes with normal computer functions, or sends personal data about users to unauthorized parties over the Internet. That is exactly what happened in these two breaches. Investigators have revealed that the teen allegedly created the malware last March, and started selling it to an unreported number of cyberhackers in Eastern Europe. The teen is from the Ukraine, and authorities believe the malware leveraged in these breaches was used by hackers in Russia. Up to 110 million Target shoppers had much of their personal information like credit card numbers, PINs, and even personal addresses compromised because of the breach. Can you imagine how your customers would react if they were victimized like this because of a network security breach at your company?

Companies, regardless of size, rely on critical business data to succeed and flourish. Based on a recent study, more than 78% of organizations have suffered from at least one data breach over the past two years.  Your company may face considerable financial liabilities if it loses sensitive data. Even worse is the damage to your reputation, especially since most consumers say they would entirely stop dealing with an organization in the event of a security breach. Even small businesses with antivirus solutions in place are prime cybercrime targets.

Three surprising ways that small companies are more likely to suffer a worse data breach:

  1. Small business data breaches are more likely to go unnoticed. Target's data breach was first spotted by tech journalists and security firms who noticed that hackers were trying to sell a large amount of stolen data on underground websites. The massive amount of stolen credit card information alerted journalists that something was going on. However, when a small business is hacked, it will most likely go unnoticed by these watchdog groups. Hackers will glean less information, and so no one hack will lead to noticeable changes in data black markets.
  2. Media attention protects large businesses, but not small ones. Hackers often wait to use stolen data from data breaches at large companies, but they might not be so shy with small business breaches. When a company like Target is hacked, rather than going on a spending spree, identity thieves delay using stolen credit cards until the fuss dies down and consumers and credit monitoring services stop watching their accounts so closely. Small businesses are more likely to be hit immediately and harder with identity theft because hackers know there isn't the same scrutiny.
  3. Small businesses are underinsured. Many large businesses have Cyber Liability Insurance, which covers them when they are hacked. This policy pays for the credit monitoring services that are currently protecting Target's customers. By contrast, small business owners very rarely are carrying this type of coverage.

Three Myths and Facts the Small Business Owner should be aware of:

MYTH #1: My business is too small to be a target.
FACT: Size does not matter. Believing you are not susceptible to a breach, combined with the vast amount of data your business holds, potential employee negligence, and a lack of a dedicated IT staff makes your business a prime target for attackers. In fact, the majority of small businesses agree they can’t do enough to protect their data using the measures and technologies they currently have in place.

Cyber criminals do not discriminate. As long as they can gain profit and find anything lucrative to exploit, they will. Understanding the threats your business faces, their potential impact, and the regulations you need to follow is really the least any business owner should be doing.

MYTH #2: The antivirus I have is good enough.
FACT: Traditional antivirus software is not a cure-all. An advanced persistent cyber threat can manage to stay undetected in a network or system for a long period while progressing toward its goal—usually to steal data. An advanced persistent cyber threat’s ability to bypass blacklisting allows it to move within the network without detection and steal corporate passwords in order to gain access to other systems.

Since attackers consider small businesses prime targets, relying on traditional security technologies can also put you at risk for a customized malware attack in which hackers identify their victims and purposefully infect the user's computer to steal data. Customized malware attacks account for most data breaches and the chances of a data breach are higher when businesses believe that their traditional antivirus is enough to protect their assets, particularly against customized attacks.

MYTH #3: I can trust my employees and don’t have to worry about enforcing data security policies.
FACT: A company’s greatest asset—its employees—can also be its weakest link. The top reasons cited for data loss were employees’ tendency to open attachments or click links embedded in spam, to leave their systems unattended, to change their passwords too infrequently, and to visit restricted sites. This negligence puts critical business data at risk from data-stealing cybercriminals and malicious insiders. Research shows that 56% of employees frequently store sensitive data on their laptops, smartphones, tablets, and other mobile devices. This means there is more than a 50% chance that confidential information can land in the wrong hands should they lose these devices.

What you can do about it:

Start with these IT security best practices:
• Secure, encrypt, and password protect sensitive customer and employee data.
• Set rules for your employees; don’t let Social Networking compromise your data.
• Dispose of sensitive documents completely and securely.
• Limit access to sensitive data.
• Ensure that all software and systems are updated as needed.
• Put up firewalls to block hackers.
• Establish secure remote access protocol.
• Establish and adhere to a privacy policy.

The bottom line:

Patch the holes in your organization’s walls. Identify which information is critical, who could and should be able to access it, then investigate the best ways to protect it with the aid of a trusted IT advisor or your Managed Service Provider. Like holes or cracks in walls, areas where your company data is most vulnerable can cause your security perimeter to crumble.  ANP is offering a free IT Webinar for business owners this month regarding how to secure your company data. Register by clicking on the button below:

FREE IT Webinar Your Data is Under Attack Stop Data Theft Click Here to Register

Topics: data security, IT security, network security, data security breaches

How does a Business Owner Insure IT Security with Employees?

Posted by Scott Persechino on Sun, Dec 22, 2013

IT SecurityHaving worked in the technology field for many years, I’ve developed a certain perspective regarding the security of technology devices in my office and in my home…and frankly, I’m not sure if it’s “healthy” or “unhealthy”.  Here in my office, if I take a look at the devices connected around me, I see a computer with connections to internal resources as well as external Internet- and cloud-based resources; I see a little USB drive hanging off my computer; I see a smart phone with all sorts of applications loaded on it; I see an IP-based phone, with voice mail, and all sorts of other capabilities.  At home, I have a cable modem, a little wireless router, a few cable boxes, telephones with voice mail service, and a couple of smart appliances.  Although all of these devices are either essential for me to be able to do my job…or help make my time at home be more convenient and enjoyable, I can’t help but think they all have one thing in common…and that is all of these devices can be hacked!

The simple truth is that if you can plug it in, or connect it to a “network”, your device, no matter what it is, can be taken over by someone else. And the truth is that someone doesn’t have to be an experienced hacker to do some serious damage…either on purpose or by accident.

Frankly, I’m a minimalist when it comes to technology…I want to turn things on and have them work.  I don’t need every fancy attribute, but I expect that my equipment will work, and I don’t need any hassles with hackers.  Part of what makes new technology so exciting is that, unlike the old days, it works right out of the box. Now any “non-techie” can download just about any application very easily, and it just works.  However, with this “tech world” being more accessible, it also becomes more problematic…and the hackers love it!

Take a look at a quick list of devices that “experts” think will be vulnerable over the next few years as the Internet of Things becomes more widespread.  Here are the pretty obvious items: smart phones; smart watches; office computers; tablets; home computers; the cloud (services, storage, software); ATMs at banks; printers; GPS devices; Wi-Fi routers; web cams; thumb and portable USB drives; cable box or DVR; voice mail (especially those with a global call-in numbers that don’t lock out after successive failed attempts)

But how about these “less obvious” items…these might be the “hack-able” devices of the future: power strips (today, they can be infected with malware); power cords for your devices (software code can be implanted now); luggage trackers (such as the Trakdot); connected glasses (Google Glass); gaming consoles: PS3, Kinect, Nintendo; refrigerators (such as Samsung); cars with computer operating systems; smart pens (like the Livescribe); gesture control devices (such as the Leap); cameras; smart alarm clocks; coffee makers; key fobs; light switches; moisture sensors; traffic lights (MIRT transmitters can change lights to green in two to three seconds); highway signs that spell out text  And I didn’t even mention medical devices, which are frighteningly exposed to hackers.

The proliferation of all this technology creates a constant need to keep devices updated and secure. For small- to medium-sized business owners in particular, where your internal IT support may be minimal and less-experienced at best, you are uniquely vulnerable.  Experts believe the most vulnerable device in any American house is the cable box, because it is so rarely updated.  However, if a hacker takes out your cable box, the damage is pretty well contained…hopefully.  Yet, if a hacker takes out your company’s server, or critical workstations are compromised, it could bring your company to its knees, and potentially put you out of business.

If what I’m saying makes you uneasy, you’re not alone. So how should we think about our constant vulnerability? Whether it’s “healthy or unhealthy”, I make a daily assumption that everything I do is hack-able.  I have an awareness of potential vulnerabilities, and I’m trying to develop an evolving set of street smarts…all business owners should as well.

For example, when you’re traveling and working on the road, consider carrying your own Wi-Fi hotspot. You can use a secure virtual private network (VPN) to send and receive email, and to access content that you have stored in the cloud. (Truth be told, that network can be hacked too, but at least your IT person or your managed services provider can watch the logs of what information is coming and going, and attempt to fight off intruders.)

Another good rule of thumb is to keep your network cloaked, meaning, don’t name it “Joe’s Hotspot”, if your name is Joe Smith.  As a managed service provider who performs regular network assessments for prospects, we routinely look at networks, and are astonished to see how many people use their own names or the names of their companies in their naming conventions. One approach is to change the names of all your devices to your mobile phone number. That way, if your laptop is lost or stolen for example, someone will see a phone number rather than your name, and perhaps there will be less of an incentive to poke around your machine to see what’s there.

Another idea is to use passwords that are easy to remember, but difficult to crack. Experts say you’re best off with a long phrase that also includes numbers and at least one capital letter. For example, something like “Iwant99pizzasand12sodasfordinnertonight” is actually more secure than “Gx1U2y,” because the algorithms that are used to crack passwords have to process many more computations when the password is longer.  Speaking of passwords, as much of a pain as it is, please change them regularly…weekly is recommended. It should go without saying that each one of your networks and devices should have a different password. When was the last time you changed yours?  Since I know you’re wondering: there is no workaround for this and no way to short-cut the management of your own passwords.  Again, another function you could look to your managed services provider for assistance.

Another good rule is to turn off your peripherals when they’re not in use, including printers.  Same goes for nonessentials on your network, such as additional computers, game consoles, and the like. The more things you have plugged in, the more opportunities there are for penetration. Be cognizant of who’s plugging “what” into your network. An innocent-looking thumb drive can destroy your computer within seconds…scary.

The good “healthy” news is that the “tech world” is open to all, offering fantastic business opportunities “in the office”…not to mention that it teach kids how to use and control the many devices that are undeniably tied to their futures “at home”.  The truth is that open networks are vital to innovation…however, the “unhealthy” truth is that they aren’t totally secure…and probably never will be…

It is incumbent upon a business owner to insure himself that as his company data is proliferated over smart phones, home networks, everything remains secure! ANP can help you evaluate if in fact you have everything secured, what happens when an employees laptop or smart phone is stolen; can your company wipe off the data? ANP can help, check out our free network assessment below.

 Request A Free Network Assessment

Topics: IT Technology, IT security, Business Owners, Virtual Private network, home network, security of your company

Subscribe By Entering Your Email

Follow ANP



Latest ANP Blogs

Browse by Category