Your Small Network Is More Valuable Than You Think

When I discuss network security with small businesses, I always hear the same refrain: “We don’t have anything worth stealing, so why should we care about information security?” Sometimes I think I audibly groan when they are halfway through that sentence. We are so secure in the idea that our mundane work is of no significance that we overlook the value that is literally right in front of our faces.

It’s not you; it’s your computer and your bandwidth that intruders are after. If they can also dig up some juicy info that someone else might pay for, well that’s just icing on the cake.

Let’s take a small five-computer workgroup office as an example. This might be a boring network for those going about their day-to-day tasks, but it’s a playground for the mischievous. It is a perfect network for a hacker to use as a botnet node (computers in a botnet, called nodes or zombies, are often ordinary computers sitting on desktops in homes and offices around the world) to launch attacks on larger, more protected networks. A botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, in order to send spam messages. It could also be used for nothing more than forcing the user who beat you in an online game off the internet for a week with a DDoS (distributed denial-of-service) attack, in which multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Perhaps they’re more ambitious and decide to use your network to serve a hidden website on Tor (free software for enabling anonymous communication) in order to sell drugs or other black-market goods and services. Maybe they just need a place to stash an illicit trove of child porn; your network will do just fine. Besides, when the cops catch on, they will kick down your door, not theirs.

On the internet, size doesn’t matter, but security does. To the intruders who wish to use your network for their own purposes, it only matters that you are there.


Lane Monk, Systems Engineer

NO, You Really Should Be Using a Password Manager By Now!

Every couple of weeks we see a familiar news article, “Website XYZ hacked, millions of accounts exposed,” but we seldom think about how that affects us. So why should you change all of your passwords just because LinkedIn lost a few (117 million, to be exact) accounts?

Because you use that password all the time, all over the web, and they know it. Hackers are a lot of things, but mostly they can be lazy, just like the rest of us. The first thing a hacker will do is check other sites (especially social media) to see if the email address and password they have in their list will work on your account. You may have noticed a few months ago that you started getting emails every time you signed on to your account from a new computer. They warned you that you had just signed on from a new location. With these alerts your web service provider is trying to prevent others from accessing your account. Of course, if it’s your email account they just hacked, they could very easily delete the alert before you even read it. Billy Mays once said “…but wait, there’s more!!”

Hackers often use these large lists of real accounts (called “dumps”) and their associated passwords to create a word list (or “dictionary”) that they will use later to attempt to gain access to other accounts. These “dictionary attacks” are more successful when the passwords in the dictionary have been thought up by people and not programs, and large dumps like the LinkedIn hack help create serious dictionaries. Of course, having 117 million passwords is going to help hackers crack a few codes, but it gets even worse when they cross-reference these accounts with other hacks to create more refined lists for more targeted attacks on your accounts, because you are more predictable than you think.

Let’s face it, you’re bad at passwords. You make them too easy to guess because there are too many passwords to remember. Any requirement to change your password every 90 days results in you cycling through a few passwords you remember or just adding a number (usually +1) to the end. It’s all just bad, but you shouldn’t feel bad. You didn’t make this system, and let’s face it, the system isn’t very good.

But password managers are here to help you out! Just remember a single secure password and your password manager will handle the rest. No more bad passwords: let KeePass generate one for you and remember it FOREVER! Pesky websites you need to register for but are never going to visit again? Let LastPass generate and remember that throwaway account! And if XYZ.COM gets attacked by the black hats, so what? They didn’t get anything from you, and all of your accounts have different passwords anyway. You’re in the clear and can go back to finding that cute cat video for your “10 best AWW!!” list.

You can find KeePass here:

http://keepass.info/

You can find LastPass here:

https://lastpass.com/

Lane Monk, Systems Engineer

Are you securing the keys to your company?

Today’s headlines are full of security breaches and the penalties are steep. You can lock the doors to your office but how do you lock up your data? With mobile access and cloud computing your data can be available anywhere. Passwords are the only barrier to unauthorized access and should protect every workstation and every data application on the workstation.

You wouldn’t lock your office with a skeleton key, so you shouldn’t lock your data with simple passwords. The best ones are long, complex, and look incomprehensible, which makes them difficult to remember, especially when changed often. Passwords should be at least 8 characters long with a mix of uppercase, lowercase, numerals, and special characters. Never use personal information or words found in the dictionary, and don’t use the same passwords for less secure sites (e.g. shopping) as you do for more secure ones (e.g. your electronic health records [EHR]).

To make them complex but memorable, use a few of these tips together: combine two or more “keywords” as a base, or generate keywords by making a mnemonic from a phrase or sentence, such as ftybr for “follow the yellow brick road”. Make some of the letters uppercase, and substitute special characters for letters, such as @ for a, ! for 1, or $ for s. Use the buttons on your phone to convert some of the letters into digits, such as 8 for T, U, or V. You can include a special date, but put some of the digits at the beginning and some at the end.
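As an added example (not from the original newsletter), here is a Python checker that enforces the rules above (at least 8 characters, all four character classes, no dictionary words or personal information) and also catches the two habits the previous article describes: passwords already sitting in a breach dump, and the “add +1 to the end” rotation. The leaked-password and dictionary lists are constructed stand-ins for the real files a deployment would load.

```python
import re
import string
from typing import Iterable, List, Optional

# Constructed stand-in for a breach "dump" word list (hypothetical values,
# not taken from any real breach); a real check would load a full list.
LEAKED_PASSWORDS = {"password", "123456", "linkedin", "letmein", "qwerty"}
# Constructed mini-dictionary standing in for a full dictionary file.
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey", "office"}
MIN_LENGTH = 8


def is_number_bump(candidate: str, previous: str) -> bool:
    """True when candidate is just `previous` with its trailing digits changed
    (Summer2016 -> Summer2017, Welcome1 -> Welcome2, Welcome -> Welcome1)."""
    new = re.fullmatch(r"(.*?)(\d+)", candidate)
    old = re.fullmatch(r"(.*?)(\d*)", previous)
    return bool(new and old and new.group(1).lower() == old.group(1).lower())


def check_password(candidate: str, previous: Optional[str] = None,
                   personal_info: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "numerals": any(c.isdigit() for c in candidate),
        "special characters": any(c in string.punctuation for c in candidate),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    lowered = candidate.lower()
    if lowered in LEAKED_PASSWORDS:
        problems.append("appears in a known breach dump")
    # Strip digits and symbols so Welcome1! is still recognised as "welcome".
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY_WORDS:
        problems.append("built on a dictionary word")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    if previous is not None:
        if lowered == previous.lower():
            problems.append("reuses the previous password")
        elif is_number_bump(candidate, previous):
            problems.append("only changes a trailing number on the previous password")
    return problems
```

A password built the way the article suggests, such as 19fTyBr@8d!52, passes every check, while Welcome1 fails on both the missing special character and the dictionary word.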

Now that you have strong passwords, protect them! Never write them, share them, or save them on your computer.

Gordon Walton, President

Is BYOD good for your organization?

There’s a lot of talk today about BYOD (Bring Your Own Device), the practice of employees bringing their own mobile technology into the workplace for work-related purposes. This practice, using laptops, tablets and smartphones, is also known as the consumerization of IT. It is increasingly prevalent in many businesses and can improve worker productivity and satisfaction. However, it introduces significant challenges to data security.

Maintaining security can be very difficult on devices not owned by the organization. Most of us are aware of the risk of compromised data, and now personal devices are being connected to the corporate network. These devices are carried in and out of your office and then connected to personal and unsecured networks. If confidential information is accessed, it may be stored on the smartphone for ease of use. Many users have backup services in the cloud; once there, your data is beyond your reach and out of your control. And if that smartphone is lost or stolen, untrusted parties can gain access to anything stored on the phone.

Make sure you have a BYOD policy that clearly defines expectations and rules of engagement. Minimum security requirements and tools for the device should be specified as a requirement before connecting to company resources. Work with your IT provider to evaluate your specific needs and risks, develop policies and implement technology safeguards to protect your data. Be sure that your policy specifies how data will be retrieved and removed from personal devices when an employee leaves your organization. Don’t become the next case study in compromised private information.

Gordon Walton, President