Copeland News - October, 2017
We welcome you to the Fall Edition of Copeland News. With technology consistently being used to move businesses forward, it is critical that we continue to inform you about the latest threats and how to best reduce the risk of an attack or system outage.
Multiple security mandates have recently surfaced to force the hand of organizations in high-risk industries. We have collected some of the key concepts from these mandates and included them below. Many of the concepts are easily implemented and can make big improvements in data security for your business. While no one can protect against threats 100%, you can reduce the likelihood of a breach and reduce the damage if one does happen.
As always, if you think of anything today or in the future that you would like to discuss --never hesitate to drop us a note. We are here to help and serve you in any way we can.
In this issue of Copeland News
What's Going On?
Business infrastructure continues to change at a rapid pace. While the media has focused on the large breaches (Equifax, Target, ECMC, DocuSign), small and medium-sized businesses are at higher risk. The smaller organization typically has less protection, looser procedures and is not keeping up with software patching and updates.
This is how hackers find you:
An attacker sets up a bot (a piece of software that runs a routine of tasks automatically) to scan the internet for any device it can find with a hole or vulnerability. They let it run for a few hours, come back and analyze the results. They don't care where you are located, what industry you are in or how big you are. If they can get in, they get in.
Once in, they slowly poke around to see what they can reach on the network. They try to elevate their permissions so they can install programs or access data. Attackers are commonly on a network for months (six months is a frequently cited figure) before anyone knows. They will try to encrypt data, open ports, harvest passwords or simply steal your data outright.
They can also come in via email attachments or by infecting a website you visit. While antivirus and spam protection address much of this, the threats continuously evolve ahead of these protection technologies.
It is imperative that your management team has a plan covering company policies, IT security, Backup and Disaster Recovery, and user training to better protect against these threats. We can no longer think of a breach as "if it happens" but "when it happens."
New York State DFS Mandate and GDPR Mandate – What we can learn
Takeaways from NYS DFS and GDPR Mandates …
While we are referencing two specific mandates (one for NYS and one that is global), all states have their own regulations in place to protect data and require organizations to report data breaches. This will continue to expand beyond the financial and medical industries and also across state and country borders. Below are some baseline practices all businesses should begin implementing.
Here is a quick definition of the NYS DFS Mandate and the GDPR Mandate:
- New York's Department of Financial Services (DFS) Cybersecurity Regulation, "23 NYCRR 500", applies to banks, insurers and other financial services companies regulated by DFS.
- General Data Protection Regulation (GDPR), a European Union regulation intended to strengthen and unify data protection for all individuals within the EU. It takes effect May 25, 2018 and applies to any organization, wherever located, that handles EU residents' personal data.
Here is a list of key takeaways these mandates require:
- Policies and Training – the easiest and least-costly action for any business is to institute a cybersecurity policy. This would include rules and training for any employee on the following topics:
- BYOD Policy – if bringing your own device to the workplace, policy for proper usage.
- Password Policy – required password strength, change interval and how many previous passwords are retained so they cannot be reused. (Note that NIST's 2017 guidance, SP 800-63B, no longer recommends forced periodic changes unless a password is suspected of being compromised; length and screening against known-breached passwords matter more.)
- Acceptable Use Policy – how the company data can be used and shared.
- Remote Access Policy – requirements for users working from home.
- Patch Management Policy – defines how software patches are installed and when.
- Security Awareness and Training – bringing in experts to train and inform staff on how to best do their jobs and protect company data.
- Having an Information Security Plan – just like a mini business plan, there should be an all-encompassing program defining how your organization will remain up-to-date on security.
- Technologies that will help:
- Encryption – any device that stores confidential data (laptops, phones, USB drives) should have its storage encrypted. Email containing sensitive data should also be encrypted.
- Antivirus / Antimalware – a stand-alone, unmanaged consumer product (for example Microsoft Security Essentials or Windows Defender on its own) gives you no visibility across the company. Put in place a managed solution with a central portal showing the status of every machine's detections and definition updates.
- Backup and Disaster Recovery Plan – have the difficult discussions about what happens if your key applications were to go down or, worse, your equipment or facility. Determine the Recovery Time Objective (RTO), how quickly these applications must be back online, and the Recovery Point Objective (RPO), how much data you can afford to lose.
- Vulnerability Scanning – software is available to scan your internal network and your internet-facing connection for known vulnerabilities.
- Patch Management – software is available that updates Microsoft Windows and third-party applications in a controlled manner as security patches are released.
- Multifactor Authentication – ensuring that logging into critical systems requires something you know and something you have: a username/password plus additional proof such as a key fob, an authenticator app or a code sent to a cell phone. (A text message is the weakest of these, since phone numbers can be hijacked; prefer an app or hardware token where possible.)
Just like any major change, it is important to have a plan to continuously improve over time. You could address training and policies first, implement Disaster Recovery (to recover if something does happen) and then slowly address each point over time.
Network security - Simple ways to lock down your network
Lock It Up!
Network devices provide PCs, Smartphones, printers and other devices a connection to information on servers and a connection to the internet. Any access point that you add to the network is now a touch point that must be managed. These devices are not "set it and forget it" technologies and need to be updated, swapped and managed. Here are some ways to ensure your network is not being accessed maliciously:
- Default passwords – any time you put in equipment, whether it is a router, WiFi, copier or switch, the default passwords need to be changed. All of these units are preconfigured with a default admin username and password that is available on the internet. If you don't change these credentials, anyone can log into these devices and give access or steal files from hard drives.
- Vulnerability Appliance – It's important to be notified when a device is connecting to your network. There are many software companies that can put an appliance on your network for a monthly fee and scan for any new devices or vulnerabilities. If a new device gains access, an email is sent to an admin as a "heads up."
- Firmware Updates – these are the equivalent of Windows Updates for network equipment, released by the manufacturer to improve performance and patch security holes. Check for updates at least once a year, and immediately whenever the manufacturer publishes a security advisory for a device you own.
- Ensure wireless networks use the WPA2 security protocol with AES encryption (not WEP, and not WPA/TKIP).
- Firewall Lockdown – the firewall sits between your network and the internet (connected to your ISP). Here are some critical lockdowns that must be done:
- Change default username/password.
- Turn on brute force protection to limit the number of login attempts a single source can make in a given time.
- Close ports! Think of your firewall as a brick wall and each port as a brick in it. Applications listen on specific ports, and for them to communicate with the internet, those ports need to be open. Close everything you don't need, and if you must open a port (for email or another service), only allow traffic from the specific IP addresses that need it. For example, if a second office needs access to a program at the main office, set up the port to allow traffic only from the second office's IP address.
- Update firmware and have penetration testing done yearly.
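The "brute force handling" item above is easier to reason about once you see what the firewall or a log monitor is actually counting. The following is an added example, not from the newsletter or any vendor product: it reads sshd-style "Failed password" lines, keeps a sliding window of failures per source address, and flags an address once it exceeds a threshold within that window. The log lines are constructed for this example, and the threshold (5 failures in 60 seconds), the hostname and the IP addresses are assumptions, not data from any real system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH's failed-login line. Syslog timestamps carry no year,
# so the caller supplies one.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one source hammering the box, one legitimate
# user who mistypes a password twice a few minutes apart.
SAMPLE_LOG = """\
Oct 12 03:14:01 fw1 sshd[2310]: Failed password for admin from 203.0.113.45 port 51234 ssh2
Oct 12 03:14:05 fw1 sshd[2311]: Failed password for invalid user root from 203.0.113.45 port 51240 ssh2
Oct 12 03:14:12 fw1 sshd[2312]: Failed password for admin from 203.0.113.45 port 51251 ssh2
Oct 12 03:14:20 fw1 sshd[2313]: Failed password for invalid user oracle from 203.0.113.45 port 51260 ssh2
Oct 12 03:14:33 fw1 sshd[2314]: Failed password for admin from 203.0.113.45 port 51275 ssh2
Oct 12 03:14:39 fw1 sshd[2315]: Failed password for invalid user test from 203.0.113.45 port 51290 ssh2
Oct 12 03:15:02 fw1 sshd[2316]: Failed password for jsmith from 198.51.100.7 port 40112 ssh2
Oct 12 03:15:10 fw1 sshd[2317]: Accepted password for jsmith from 198.51.100.7 port 40112 ssh2
Oct 12 03:18:40 fw1 sshd[2318]: Failed password for jsmith from 198.51.100.7 port 40130 ssh2
""".splitlines()


def parse_failed_login(line: str, year: int = 2017):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_LOGIN.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_brute_force(lines, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window counter per source IP. Returns {ip: time_first_flagged}
    for every address that reached `threshold` failures inside the window."""
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:          # successes and unrelated lines are ignored
            continue
        ts, _user, ip = parsed
        recent = attempts[ip]
        recent.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"block {ip}: {when:%Y-%m-%d %H:%M:%S} (threshold reached)")
```

A firewall's built-in brute force setting does the same counting at the packet level and then drops the source for a cooling-off period. Whatever does the counting, make sure the block is temporary and that the rule cannot lock out the address you administer from, or an attacker can turn your own protection into a denial of service against you.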
Did you know?
- Backup and Disaster Recovery is not as scary as it used to be. There are many ways to protect your data and applications that cost about as much as a multi-function copier. If you cannot be down for more than a day, or cannot afford to lose up to a day's worth of data, Backup and DR should be reviewed.
- SSD drives are becoming standard at the PC level. For about $50 more, you can add an SSD, which increases performance significantly and extends the useful life of your PC.
- Server disk space is more affordable than ever. If purchasing a server, ensure you cover your existing needs and add additional resources to handle what may come later. It is much easier and cheaper to purchase up front than to add resources later.
- Email should be migrated to the cloud unless there is a substantial reason to keep it in house. If someone sends you a message, it should be delivered whether your office internet connection is up or down.