
Pop Quiz: How Secure is Your Student Educational Data?

The dangers that cyber threats pose to our children have never been greater. For the schools that protect our children and store our students’ data, keeping our kids safe from cyber threats is no child’s play. Take this quick test below to see if your school and education networks are current with the IT innovations that fight today’s sophisticated cyber threats.

Does Your School Budget Allow for Proper Cybersecurity?

Education is no stranger to tight budgets. Essential programs and courses are routinely cut from cash-strapped institutions. Indeed, one of the main challenges for IT administrators in education is having an adequate budget to meet the pressing and emerging cybersecurity issues in school districts.
But as education data systems become increasingly integrated with cloud computing and storage, your school needs the very best in current IT protection. When you’re counting every expense, you need cybersecurity that exceeds your expectations and performs at a fraction of what other vendors charge.

Does Your School Have Proper Identity Security?

It might be hard to imagine why anyone would want to steal your students’ identities. But when you consider how few minors have a credit file, a child’s ID can be a “clean slate” for anyone needing a clean credit report to open utility accounts or credit cards, or to take out loans.

Because parents have never before had to monitor their minor’s credit report—and children cannot be expected to monitor their own credit history—the actions of criminals who use a child’s identity can go undetected for a very long time. This makes schools a gold mine for hackers.

Hacking of schools and education facilities is on the rise; the steps you take to protect your students and their identities are the first steps to combating the many creative tactics hackers use to gain access to your network.

Are You Paying Attention to Your Students’ Data?

It is not enough to count on FERPA to monitor your IT security systems and ensure they are up to standard. Recently, major loopholes have been discovered in FERPA which allow EdTech companies to act as school officials and mine and collect your students’ data—data which is then vulnerable to third-party hackers.

Make sure your parents and educators are informed about student data disclosure forms, Acceptable Use Policies (AUPs), and opt-out practices. When parents and children know their rights and the limits of EdTech in their school or district, they are able to make wise decisions based on that information.

Are Your Tech Devices Secure?

There is no question that tech devices elevate learning and help students prepare for the technological innovations they’ll encounter beyond education. This is why more than a third of U.S. students are using school-issued devices.

Consider the many opportunities hackers have to access a school’s network through its devices. Not only is it nearly impossible to keep track of the traffic from so many devices, but young students are often prime targets for hackers, since they may not be familiar with the many clever tactics hackers use to gain access to sensitive information. That’s why it is more important than ever to make sure the network connected to your school’s devices is secure.

Can Your Students Infiltrate Your Own School Security System?

Historically, curious and tech-savvy students have always pushed the ethical limits of what educators deem acceptable use. But with all the information that can be found on integrated district networks, kids have never had more ways to access and exploit the sensitive information of their peers.

Whether it’s for financial gain, to carry out personal grudges, or even boredom, many students are proving highly capable at navigating sophisticated education security systems. Smart schools are not taking chances and, instead, opting for top-notch network security to eliminate threats from outside, and from within.

Student Data Security May Be the Smartest Move

How did you do? If you answered ‘maybe’ to any of these topics, give CIT a call today. Let us know how we can help you ace this test with the very best in education data security. With CIT on your side, you can rest assured that your network is as secure as you keep your students.

Information Security Policy: But Why?

Why do you need an information security policy

Information Security Policy: But Why?

The word POLICY alone inspires a wince just reading it! A policy is the ‘how to’ and ‘what to do’ for specific individuals or groups. No one likes being told what to do or how to do it, right? When it comes to protecting assets, a policy is critical. Since information IS an asset, it must be protected and controlled: more specifically, how it is accessed, used, changed, communicated, and even destroyed.

What is an Information Security Policy?

An Information Security Policy is the ‘how to’, ‘what to do’, and even ‘what NOT to do’ for information within an environment.  The policy:

  • Defines what information is going to be protected
  • Defines and communicates the protection measures that will be used
  • Defines the controls needed to access, use, modify, communicate and destroy it
  • Sets guidelines on how the controls are implemented (Think Procedures!)
  • Communicates the controls used to manage information
  • Identifies the consequences of non-compliance

Yikes.  An Information Security Policy seems even more daunting than just saying ‘policy’ but isn’t as complicated as it first appears.

Who needs an Information Security Policy?

Arguably, everyone and anyone with information resources.  If information resources need management and protection, an Information Security Policy is necessary.  But is it that complicated?  Maybe not.

At home, does everyone in the household know:

  • Who has keys or access to your house? Who is allowed?  How is access controlled or granted?
  • Who controls access to your wireless network?
  • The parental controls on app downloads or purchases?
  • The consequences of surfing inappropriate sites, or going online outside of set hours?

Elements of an Information Security Policy may be disguised as normal household rules, like the examples above. The repercussions of breaking the rules at home are typically never documented, but they are very real: consequences are known and enforced without being written down anywhere. While effective within a household, “Go ask Mom”, “Dad said no” or “You’re grounded” aren’t necessarily effective management and enforcement in an organization.

In an organization, it is fundamentally the same as management within a household but requires more standardized definition and documentation.  The risk to information resources is greater in an organization, and realistically, behavior in an organization can’t be managed with just normal household rules.  A documented and communicated Information Security Policy is crucial to the control and management of information resources to mitigate the greater risk.  Information protections might include, but would not be limited to:

  • Identifying critical resources to users, and how access to the resources is gained and managed
  • Outlining what is allowable, and not allowable by users with company-owned devices
  • Clearly defined consequences of non-compliance or inaction.

For an organization, an Information Security Policy must be succinct. It is essential to communicate the rules of engagement surrounding information protection. It protects the organization, its information, and its users.

Why?

It’s important.  REALLY important.

An Information Security Policy is the key to a good security program, helping users understand that information is a valuable resource. An Information Security Policy takes the guesswork out of security management by setting standards, defining behavior expectations, and documenting procedures to meet the accepted level of security risk to information within an environment.

At home or in any organization, the definition, communication, and enforcement of an Information Security Policy improves the safety and security of the whole environment.

Prepare For and Prevent Ransomware Attacks

Ransomware attacks, such as CryptoLocker, CryptoWall, Locky, Chimera, Zepto, and the like, have become one of the best money-making exploits for cyber-criminals, with new variants appearing on the scene every month. These attacks usually start with a phishing email carrying a ZIP file attachment or a malicious link, so email vigilance can help. But some variants open the attack by other means, including sophisticated exploit kits that take advantage of system vulnerabilities.

Once the attack has completed, the only way to decrypt your files is to pay the ransom for the decryption key, or to restore your files from a good, working backup.  

The best defense is to avoid the infection in the first place.  Here are 9 tips to help you:

  1. Training – Cybersecurity awareness training can teach your employees how to recognize phishing emails, and teach them about the dangers of email attachments and links.  Learning how to confirm the authenticity of an email by confirming with the sender, or analyzing links and attachments with a tool such as VirusTotal can do more to protect your business than almost any other tactic.
  2. Know what you own – Having an accurate inventory of everything attached to your network will prevent an attack from being launched from an unknown, old, or unpatched system.  Software tools such as Network Detective can help round up that information.
  3. Patch and update – Keeping operating systems and software updated is critically important.  Most updates address security issues that could be exploited by an attacker.
  4. What’s it worth?  – What is the cost to the company if your data is held for ransom?  Hollywood Presbyterian Hospital paid $17,000 for the key mainly because it was cheaper than restoring everything from backup.
  5. Current working backups – It’s pretty hard to restore from backup if you don’t have them.  Another important task is to actually test the backup and see if it works.  Many a restore has failed because nobody ever tested it before it was needed.  Offsite or cloud-based backups can be an important option, too.
  6. Network segmentation – Flat networks, where everyone is connected to the same subnet and can access anything, make it easy for an attacker to do the same. Using VLANs and other network segmentation techniques can keep an infection from spreading to every computer.
  7. Pentesting – Your IT staff or contractor should be performing regular vulnerability assessments and penetration tests to find the holes in your network security.  If you need outside help for this activity, get it.  Find someone who specializes in this work.
  8. Fire drill – Have a process for employees to follow to alert the IT staff and warn other employees of suspected phishing and other attacks.
  9. Remote Access – If employees, vendors, suppliers, contractors, or customers have access to your network, you are only as secure as the weakest of the bunch.  Make sure everyone with access to your network is adhering to your security standards.

This is a short list of preventive activities your company can undertake to prevent an attack. For further cybersecurity services and solutions offered by CIT, contact us at 651.255.5780.

Cybersecurity for Business | Part 2

Educating yourself never stops, nor does CyberSecurity for your organization. We hope you take the few minutes to review our security talking points.

In Part 1 of this article, we highlighted some of the challenges of passwords and their management. In Part 2, we would like to focus on what can be done to help improve the process of creating passwords, as well as provide insights into managing them.

What can you do? There are several recommendations that will help improve personal and business security. One of the best places to start is with passwords. It is highly recommended that users have a unique, strong password for each login.

What is considered a strong password? 

It is recommended to use passwords that contain a combination of lowercase and uppercase letters, numbers, and special characters. Although the password Summer18! meets these criteria, it is easily guessed. To help mitigate this risk, users are asked to create passwords that do not contain:

  • Dictionary words
  • Names
  • Significant dates such as birthdates, anniversaries, etc.

To create a strong password, it is recommended to create a passphrase. Once you have a phrase, you can then use that to create a password that is both complicated and difficult to guess while remaining easy to remember.

  • Phrase: Tom Brady wears number 12 and plays for the Pats.
  • Password: TBw#12&pftP

Taking it to the limit with Password Managers. 

Balancing the desire for easy-to-use passwords with the requirements of secure passwords is often difficult. Another solution to the stress of needing so many unique passwords is a password manager, such as PassPortal. These tools are designed to alleviate this issue by storing all your passwords. To access your password vault, a single password is required; once inside the vault, users can access all their other passwords. To further secure the vault, it can be paired with a multi-factor authentication tool.

We are more than happy to schedule a meeting to discuss all services and solutions as it relates to security for your organization.

Cybersecurity for Business | Part 1

Educating yourself never stops, nor does CyberSecurity for your organization. We hope you take the few minutes to review our security talking points.

As your trusted IT partner, we wanted to take a moment to speak to the ever-growing discussion regarding passwords. 

As technology becomes an integral part of business and our personal lives, employees are faced with the challenge of managing all their passwords.

What would be the typical outcome?

In 2012, the average user managed 6.5 passwords. By 2016, this average had increased to 25 accounts. As social media and businesses expand their products and services, this number continues to grow exponentially. With so many accounts to manage, users rely on a few habits to cope. These include writing passwords on a sticky note or in a notebook that is often left in a convenient place, such as on their desk. Additionally, employees begin reusing the same password across websites or slightly modifying the same core password, for example Summer17! and Summer18!. If a password is successfully phished, that same password can be used to access any number of websites where it has been reused.

In a recent report [1], it was found that one in three users reuse at least one password, and over 50% of users reuse and modify the same password.

Weak passwords are commonly used because they are easier to remember. Paired with the reuse of passwords, this leads to further security risks.

Okay, but I hate passwords! As mentioned previously, since the average person manages so many accounts, users tend to rely on passwords that are convenient and easy to type and remember. Below are the top 10 worst passwords for 2017 [2]:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou

If you are using any of the passwords listed above, we’d highly recommend changing them today! For additional insights on improving passwords and usage look for part 2 of this series next week.

[1] The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services [Research Study]. http://people.cs.vt.edu/gangwang/pass.pdf
[2] SplashData’s Top 100 Worst Passwords of 2017. https://s13639.pcdn.co/wp-content/uploads/2017/12/Top-100-Worst-Passwords-of-2017a.pdf
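The passphrase guidance in Part 2 above (Summer18! meets the complexity rules yet is easily guessed; TBw#12&pftP is built from a phrase) and the reuse and worst-password habits described in this post can both be turned into a screening check. The following Python is an added example, not CIT code or any product's implementation: the blocklist is the ten passwords listed above, while the dictionary and name lists are constructed stand-ins for a real word list and staff directory.

```python
"""Added example (not CIT code): screen a proposed password against the
guidance above. The blocklist is the ten passwords listed in this post; the
dictionary and name lists are constructed stand-ins for a real word list and
staff directory."""
import re

# The top ten worst passwords of 2017 from the list above.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "letmein", "1234567", "football", "iloveyou",
}
# Constructed samples; a deployment would load a full word list and directory.
DICTIONARY_WORDS = {"summer", "winter", "spring", "autumn", "welcome",
                    "football", "love", "password"}
NAMES = {"brady", "john", "mary", "thomas"}

SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}[^a-z0-9]*$", re.I)
DATE_LIKE = re.compile(r"(19|20)\d{2}|\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b")


def letters_only(pw: str) -> str:
    """Lower-case letters of a password with digits and symbols removed, so
    Summer18! and Summer2019# both reduce to 'summer'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def password_problems(pw: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(1 for c in classes if re.search(c, pw)) < 3:
        problems.append("fewer than three character classes")
    if pw.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    core = letters_only(pw)
    # Substring match so that 'iloveyou' is caught by 'love'.
    if any(word in core for word in DICTIONARY_WORDS if len(word) >= 4):
        problems.append("dictionary word")
    if any(name in core for name in NAMES):
        problems.append("name")
    if SEASON_YEAR.match(pw):
        problems.append("season-plus-year pattern")
    if DATE_LIKE.search(pw):
        problems.append("contains a date-like number")
    return problems


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with only digits or symbols
    changed, the Summer17! -> Summer18! habit described above."""
    core = letters_only(old)
    return core != "" and core == letters_only(new)


if __name__ == "__main__":
    for candidate in ("Summer18!", "TBw#12&pftP", "123456"):
        print(candidate, "->", password_problems(candidate) or "ok")
    print("Summer17! -> Summer18! is a trivial variant:",
          is_trivial_variant("Summer17!", "Summer18!"))
```

The letters-only reduction is what makes the season-plus-year and "modify the same core password" habits visible: complexity rules alone are satisfied by Summer18!, but once digits and symbols are stripped it is just a dictionary word that was also last season's password.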

All I want for Christmas is Your Credentials

Cybersecurity Threats during the Holidays

October marks the beginning of the holiday shopping season as holidaymakers prepare for year-end festivities. This jolly season unfortunately brings with it a far less pleasant time of year – phishing season. Distracted organizations, charitable givers, and busy shoppers make prime targets for cyber attackers looking to weasel their way into your wallet. Phishing incidents jump over 50% from the annual average between October and January. Bah! Humbug!

Here’s an early gift that will hopefully make your holiday season a bit less phishy. Be on the lookout. Winter is coming.

Phishing Trends

  • SAAS AND WEBMAIL PRETEXTING.
    • Phishing emails that purport to be from popular software-as-a-service (SaaS) and webmail services, such as Microsoft 365, G Suite, and DocuSign.
    • The goal is to steal your credentials by presenting you with fake login pages built for credential harvesting.
    • A report by APWG found that pretexting of SaaS and webmail services jumped by more than 15% between Q3 2018 and Q1 2019.
  • HTTPS PHISHING.
    • Malicious websites using SSL certificates.
    • The goal is to trick you into trusting malicious links, based on the misconception that a URL beginning with “https” is safe.
    • A report by APWG found that between Q1 2018 and Q1 2019, the number of phishing websites using SSL certificates increased by more than 20%.
  • BUSINESS EMAIL COMPROMISE (BEC).
    • Phishing emails with no links or attachments that appear to be from someone within your organization, like your boss or a co-worker.
    • The goal is to convince you that the sender is someone you know and trust, so that you comply with requests for wire transfers, gift cards, or information.
    • The FBI has reported that BEC has cost victims more than $23 billion since 2016, with a 100% increase in losses between May 2018 and July 2019 alone.

Do You Have a Virus Running? You’d Better Go Catch It!

The world of cybersecurity is constantly changing. 230,000 new malware samples are produced every day. It can seem like a daunting challenge to keep up with and monitor your devices for new and adapting malicious software (“malware”). However, there are some basic signs and steps that will help protect your devices and your data from nefarious parties and their hunt for your money and data.

Signs Your Computer May Be Infected with Malware

  • Missing or inaccessible files;
  • Lack of storage space;
  • Unexpected crashing;
  • Lengthy or abnormal boot-up times;
  • Compromised email, i.e., other people are receiving strange emails from you.

How to Protect Your Computer from Malware

  • Back up your data. 29% of users HAVE NEVER backed up the data on their computers. One day your hard drive might fail, or you might have a cryptovirus that encrypts all your files. So, it’s best to stay ahead of the game.
  • Use anti-virus software, such as Bitdefender, and be sure to keep it up-to-date, and run daily scans.
  • Verify any links and attachments within emails before opening them. If you’re unsure about an email’s authenticity and cannot verify its source, delete it!
  • Use a STRONG password! The best thing to use is a password manager such as LastPass or PassPortal. You only have to remember one password to log in, and then you can create strong auto-generated passwords for the other sites that you use.
  • Use an ad blocker, such as AdBlock.
  • Patch your computer. Don’t forget about third-party application patching!

The Three Simple Ways to Harden Your Network

The core of improving your cybersecurity readiness is to reduce exposure to the most common threats to individuals and systems.  This is referred to as “hardening your network”.

Greatly Reduce Cybersecurity Risks

Enable multi-factor authentication on all accounts.

  • Access to websites and applications has long been protected solely by a password. However, in the current cybersecurity environment, additional measures must be taken to secure accounts. Otherwise, if an employee is phished or shares their password, the account is at risk of an unauthorized login.
  • To prevent unauthorized access, multi-factor authentication should be enabled on all supported websites and applications. Free solutions, such as Google Authenticator and SMS, often prompt upon each login attempt. Enterprise solutions, such as Duo and Okta, allow companies to define when a user is challenged for their multi-factor authentication code.

Use a separate administrator account.

  • Network administrators frequently use the same account to check emails, surf the Internet, and purchase items online. To prevent an administrative account from becoming compromised, it is recommended to create a separate account that’s only used for admin-related tasks.

Educate employees about cyber risks.

  • While there is always a risk of insider threats, most security incidents are caused by a mistake. A security incident may occur due to a system misconfiguration, falling for a phishing email, or leaving a door open.
  • Rather than relying solely on technical solutions to protect the network, employees should be considered your social firewall. When employees are trained on how they can protect the network, an organization’s risk is greatly reduced. Employees need to perceive cybersecurity as a mindset rather than as just a solution.

Work from Home Cybersecurity

The 4 Most Important Things You Can Do to Improve Security at Home

October is National Cyber Security Awareness Month. The CIT Security team has put together a few articles that will be shared throughout the month, designed to keep you informed about current threats and to offer a few recommendations to help secure you and your personal data. Today’s article is about passwords and other basics for securing your personal information, but these tips can and should be used in the workplace as well.

Most organizations work to keep their users and their data safe, but what should you be doing at home?

PASSWORDS AND PASSWORD MANAGERS.

  • Passwords continue to be a painful requirement for nearly everything online. Banking, Social Media, etc.  You name it, you need to create an account.
  • The biggest issue is also the biggest risk that users face, daily. They reuse passwords. If passwords are reused and ultimately exposed via phishing, they could be used to access many different accounts.
  • We highly recommend using a password manager to help create unique and strong passwords. There are several options, and many have a free version for personal use. These will help you generate passwords, provide plugins for your web browsers to streamline logging into sites, and so on. Many also have an application for your mobile device, allowing you to access your passwords wherever you may be. A few options include LastPass, Dashlane, 1Password, etc.

USE MULTI-FACTOR EVERYWHERE POSSIBLE.

  • Even if you are using a password manager the risk of the password being harvested and used is still very high. Phishing attacks are incredibly prevalent in your daily life. Phishing attacks are often focused on obtaining your passwords.
  • To help mitigate the risk of your password being used by someone other than you, we highly recommend implementing multi-factor authentication. Multi-factor authentication is available for most applications; social media, gaming platforms, email, and banking all provide methods to add a layer of authentication.
  • Passwords are something you know. A second factor would be something you have. For example, a physical device such as a YubiKey, an application like Google Authenticator, or even SMS messages are considerably stronger than just a password.
  • A quick web search should help you with finding what Multi-factor is available for any given application.

USE CAUTION WHEN OPENING ATTACHMENTS AND LINKS.

  • Users can be exposed to phishing, viruses, malware, and ransomware by following malicious links or opening attachments.
  • Be diligent. Pay extra attention to what has been sent to you. If you are unsure, it’s better to be safe than sorry. We would highly recommend going to sites directly rather than following links in the email.
  • Another option is to use VirusTotal. This toolset allows you to paste in a URL or upload an attachment to check whether it is malicious or safe.

PATCHING WINDOWS AND SYSTEM APPLICATIONS

  • Our last tip is about keeping your systems up to date: try to keep up with patching. Enable automatic Windows updates, or use a patch management tool; ManageEngine, PDQ Deploy, and Thor by Heimdal Security are all excellent choices with free versions available.

Phishing and Spearphishing: Don’t Take the Bait

If you could just prevent your staff from clicking on links or opening attachments in phishing emails, 95% of your cybersecurity problems would be prevented.

As perimeter defenses and anti-malware software products have become more effective, cyber-attackers have turned to the phishing email approach as their number one favorite method for acquiring user names and passwords or gaining unauthorized access to computers on your network. The spearphishing variation is when the attacker has done enough reconnaissance on your company to send an email to the one person they know would be the most helpful. Here are some recent examples, as reported on CSO.com:

Phishing emails play on people’s willingness to trust. Some common types include:

Email from the Boss

This is usually a request appearing to come from someone far up the food chain, typically for a large wire transfer. It is most often a spearphishing email sent to the bookkeeper, accountant or CFO. Take time to verify these requests with a phone call.

Your account is broken.

The email will appear to come from a company you do business with, complete with a link to a look-alike login page. It is usually designed to steal login credentials or credit card information, or both.

Let’s make a deal. 

The advance-fee fraud or “Nigerian” email promises untold riches if only you will send some good-faith money or provide your bank routing and account number for the huge deposit. Either way, your money will disappear.

So precious.

In this case you are sent something enticing, like a free GoPro or iPhone, a cute cat video, or a game, or a gift certificate.

Your shipment is damaged. 

Designed to look like they came from UPS, FedEx, USPS, or other shipping services, there is a sad story about your shipment, and an attachment to open or a link to click.


Clicking on the links or opening attachments usually will install a remote access Trojan horse malware program that will allow the attacker to log into your computer from across the Internet. That sort of access gives them the ability to bypass your firewall. The malware usually includes a module that disables your anti-malware software too.
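The "email from the boss" and "your account is broken" lures above, like the business email compromise described in the holiday post, leave traces in the message headers that a mail gateway or help-desk triage script can check before a user ever reads the body: an executive's display name on an outside address, a sender domain that merely resembles the company's, a Reply-To pointing somewhere else, and urgency or payment language. The Python below is an added example, not CIT's code or any product's; the company domain, the executive directory, and the three sample messages are constructed for the example.

```python
"""Added example (not CIT code): header and content checks for the lures
described above. OUR_DOMAIN, EXECUTIVES and the three sample messages are
constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"                       # constructed
EXECUTIVES = {"pat ceo": "pat.ceo@example-corp.com"}  # constructed directory
LURE_WORDS = re.compile(
    r"\b(urgent|asap|immediately|wire transfer|gift cards?|confidential|"
    r"locked|suspended|verify)\b", re.I)


def lookalike_domain(domain: str) -> bool:
    """True for domains that imitate ours: digit-for-letter swaps ('c0rp'),
    'rn' standing in for 'm', or our name buried in a longer domain."""
    d = domain.lower()
    if d == OUR_DOMAIN:
        return False
    stem = OUR_DOMAIN.split(".")[0]
    normalized = d.replace("0", "o").replace("1", "l").replace("rn", "m")
    return stem in normalized


def score_message(raw: str) -> list[str]:
    """Return the list of phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))

    # "Email from the boss": an executive's display name on an address that
    # is not the one in the directory.
    known = EXECUTIVES.get(name.lower())
    if known and addr.lower() != known:
        flags.append("executive display name with external address")
    if domain != OUR_DOMAIN and lookalike_domain(domain):
        flags.append("lookalike sender domain")
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply-to domain differs from sender")
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", "replace")
    if LURE_WORDS.search(msg.get("Subject", "") + " " + text):
        flags.append("urgency or lure language")
    # "Your account is broken": an outside sender steering you to a login page.
    if re.search(r"https?://\S+", text) and domain != OUR_DOMAIN:
        flags.append("external sender with link")
    return flags


# Constructed sample messages.
BEC_SAMPLE = """\
From: Pat CEO <pat.ceo@gmail.com>
To: bookkeeper@example-corp.com
Subject: Urgent wire transfer needed today

Are you at your desk? I need a wire transfer processed immediately. Confidential.
"""

ACCOUNT_SAMPLE = """\
From: Support <support@example-c0rp.com>
Reply-To: helpdesk@mail-verify.example.net
To: user@example-corp.com
Subject: Your account is locked

Please sign in at http://example-c0rp.com/login to restore access.
"""

OK_SAMPLE = """\
From: Pat CEO <pat.ceo@example-corp.com>
To: bookkeeper@example-corp.com
Subject: Lunch on Friday

See https://example-corp.com/cafeteria for the menu.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("account", ACCOUNT_SAMPLE), ("ok", OK_SAMPLE)):
        print(label, "->", score_message(sample) or "no indicators")
```

None of these indicators is proof on its own, which is why the post's advice to confirm a wire request by phone still applies; the value of the script is that it surfaces the cases worth that phone call and routes them to the fire-drill process before money moves.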