Today the FBI issued a renewed Public Service Announcement (PSA) warning to businesses regarding cyber crime, and more specifically ransomware risk. If you are not taking action, you are going backward. All businesses should be regularly reviewing their cybersecurity posture and seeking to make incremental improvements. Start making improvements today and use the FBI’s PSA as a blueprint.
The PSA can be found at https://www.ic3.gov/media/2019/191002.aspx.
Cyber defense best practices include:
- Regularly back up your data and verify backup integrity.
- Focus on awareness and training for employees.
- Patch your operating systems, software, and firmware on devices.
- Ensure antivirus and anti-malware is in use on all devices and routinely updated.
- Implement access controls to limit access based on the principle of least access required to limit potential impact/spread of an attack.
More best practices are listed in the FBI’s PSA. Go West IT helps businesses do all of these things and more every day. The choice is yours: stand still and go backward, or choose to mitigate the known risk to your business.
Please reach out to Go West IT if you have any concerns for your business.
– Go West IT
My tour of the @Microsoft Cyber Defense Operations Center (CDOC) this week was the highlight of my visit to the Microsoft campus in Redmond, WA. I was one of approximately 150 Microsoft partners invited to attend a small & medium sized business (SMB) partner executive briefing. The briefing provided @GoWestIT with a valuable road map for new solutions to improve productivity and security for our small business customers. I love seeing what is ahead, and the briefing was heavy on Artificial Intelligence (AI) and Machine Learning (ML); there is no doubt small businesses will benefit from these technologies delivered via the Microsoft Azure cloud.
I was most impressed with what Microsoft has been doing rather than what is coming. Microsoft developed technology to create digital fingerprints of photos and has donated the use of this technology to organizations like Dartmouth University to help fight the exploitation and abuse of children. The exploitation statistics are staggering and Microsoft is leading the charge to address the problem with technology by helping to trace images back to the source and thereby the criminal and then to aid law enforcement in building cases to prosecute the criminals. I had no idea that Microsoft was doing so much in this regard and it is impressive to see what an organization like Microsoft can accomplish for the better good when they point their resources and skills at a problem.
Our chaperone explained the jurisdictional challenges associated with finding and prosecuting criminals across national borders and the antiquated laws used to prosecute cyber crime. Many cyber criminals are prosecuted under centuries-old laws pertaining to chattel (cattle). The very old laws were introduced to protect property rights for cattle that wander across a property line and end up being butchered by a neighbor. Perhaps it is time for some updates to international law to help fight cybercrime?
I always enjoy talking cyber security. If you want to visit about what I saw and learned please just let me know. We can jump on a call or meet for coffee.
Do you remember when Windows XP reached the end of its support lifecycle? We sure do, and it’s about to happen again with Windows 7 and Server 2008.
Microsoft supports their operating systems for a minimum of 10 years following public release, after which, they pick a date to end all security updates for good. This is what we call End of Life, or EOL.
Windows 7 and Server 2008 are reaching EOL on 1/14/2020 just like Windows XP did in 2015. This does not mean that your computer or server will power down on 1/14/2020 and refuse to turn back on. What EOL means is simply that your Windows 7 PC or Server 2008 will receive its final security update on Tuesday, 1/14/2020, and will forever remain unpatched and unprotected from vulnerabilities that become known after that date.
Why is EOL a concern?
Every Tuesday, Microsoft publishes a list of newly discovered and exploited vulnerabilities across their operating systems along with corresponding patches to fix the vulnerabilities for supported operating systems. Criminals study Microsoft’s list and reverse-engineer the public list of exploits and patches to take advantage of unpatched operating systems. Since most of the behind-the-scenes code remains consistent between older and newer operating systems, unsupported systems running Windows 7 and Server 2008 become the easiest, most obvious targets. Every time your computer or server accesses a web-page, it includes its operating system, broadcasting to the world that it is vulnerable.
You may be asking yourself: “I am running Server 2008 or Windows 7. What do I do?”
You have 4 options:
- Upgrade your operating system: This is the least-expensive option, but you are still stuck with your aging hardware. In addition, you’ve sunk several hundred dollars’ worth of labor and licensing into an aging computer. This is an OK choice if your computer is fairly new.
- Replace the computer with a modern system: This is self-explanatory. New computers (especially servers) are expensive, but now you have a brand-new computer with many years of life ahead of it.
- Migrate to Azure: This option only applies to Server 2008. If you migrate your Windows Server 2008 to Azure, Microsoft is offering an additional 3 years of extended support and security updates at no cost. Migrating to Azure is a relatively simple process and has several distinct advantages over physical servers, such as the ability to upsize or downsize resources on demand, improved security if configured properly, and the eradication of hardware failure.
- Ignore EOL and keep using your operating system: This is a very bad idea in the age of viruses, malware, and cyber-attacks. Even if this computer’s use is “coupon-clipping” only, consider your keystrokes, webcam, microphone, and browsing activity potentially compromised.
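The post above notes that a machine reports its operating system with each web request. Defenders can use the same signal, the browser's User-Agent header, to find end-of-life hosts in web proxy logs. The following is an added example, not part of the original post; the log layout, addresses, and function name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Windows NT version tokens as browsers report them in the User-Agent header.
EOL_TOKENS = {
    "Windows NT 5.1": "Windows XP",
    "Windows NT 6.0": "Windows Vista / Server 2008",
    "Windows NT 6.1": "Windows 7 / Server 2008 R2",
}

# Assumed layout: client - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
NT_RE = re.compile(r"Windows NT \d+\.\d+")

# Constructed sample lines using private addresses; not real traffic.
SAMPLE_LOG = """\
10.0.0.21 - - [02/Oct/2019:09:14:03 -0600] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
10.0.0.22 - - [02/Oct/2019:09:14:09 -0600] "GET http://example.com/a HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
10.0.0.23 - - [02/Oct/2019:09:15:40 -0600] "GET http://example.com/b HTTP/1.1" 200 300 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
10.0.0.21 - - [02/Oct/2019:09:16:02 -0600] "GET http://example.com/c HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
truncated or malformed line
10.0.0.24 - - [02/Oct/2019:09:17:11 -0600] "GET http://example.com/d HTTP/1.1" 200 99 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Safari/605.1.15"
"""


def find_eol_clients(log_text):
    """Return ({client: [EOL OS labels]}, count of lines that could not be parsed)."""
    hits = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparsed lines so gaps in coverage stay visible
            continue
        nt = NT_RE.search(m.group("ua"))
        if nt and nt.group(0) in EOL_TOKENS:
            hits[m.group("client")].add(EOL_TOKENS[nt.group(0)])
    return {client: sorted(labels) for client, labels in hits.items()}, skipped


if __name__ == "__main__":
    clients, skipped = find_eol_clients(SAMPLE_LOG)
    for client, labels in sorted(clients.items()):
        print(client, ", ".join(labels))
    print("unparsed lines:", skipped)
```

The User-Agent value is supplied by the client and can be altered, so treat each hit as a lead to confirm against your asset inventory rather than as proof.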
I’m often contacted by CEOs or managers after a business experiences a cyber incident that results in real damages. After describing the event, they often ask if they should fire an employee who fell victim to a social engineering attack (vishing, phishing, credential harvesting…). In most cases the answer is a resounding NO! First, the business just spent the amount of the loss training the individual because that person will never again fall for the same type of attack. Second, it is HIGHLY likely that the manager and/or company failed this individual by not implementing the proper controls and providing the proper training to prevent the breach in the first place. Third, if you do fire the employee, they will likely go to a competitor who will be happy to have a good employee who is more savvy than most about cyber risk.
If you own a business or have responsibility for managing business risk you need to take steps to protect your business, your shareholders, your employees, your vendors, and most importantly your customers. It’s on you! It is likely that you’ve delegated responsibility for IT support and cyber security, but you are the leader and you are responsible for defining your expectations and supporting the initiatives to implement controls, procedures, and training. If you haven’t implemented controls and trained your people, it’s on you. Don’t fire the employee who fell victim to an attack. Step up and protect your employees.
– David Lewien, President
I really hate hearing from customers and prospective customers that we were right and that they wish they had taken our advice to harden their systems and implement tighter security controls before their breach. Feedback from customers suggests the inconvenience of implementing additional controls is often what keeps them from taking action as opposed to the cost, which is negligible for some of the most effective controls like Multi-Factor Authentication (MFA). If you think the controls are inconvenient, you should spend some time visiting with someone who has been through a breach.
The most likely cyber-attack a small business will experience is an email breach, which quickly leads to real payment fraud losses, reputational damage, and compliance risk. Once a criminal organization (yes, there are organizations attacking your small business) has success breaching one email account, you can expect the attacks to increase in volume and sophistication. Businesses can dramatically reduce email breach risk with relatively little cost and yes, some minor inconvenience.
Take the Next Steps
If you own a business or are responsible for managing business risk, you need to take steps to protect your business, your shareholders, your employees, your vendors, and most importantly your customers. You must take action to implement additional controls. Start by asking your IT professionals to implement controls for yourself so you can understand first-hand how the controls protect your business and the level of inconvenience the controls may cause. This puts you in the best position possible to make informed decisions about how to protect your business and champion initiatives to tighten controls.
If you’ve done nothing to date, start with implementing MFA for your business email and then work with an IT professional to constantly review and improve security controls around all your systems and data.
I’m right and I hope I never have to tell you “I told you so”.
Your credentials can be phished, period. If you think you’re above being phished, you’re wrong. We all have weak moments and the criminals are really good at preying on our whims and emotions. Trust me, you can be phished. Don’t put so much pressure on yourself. Implement multi-factor authentication (MFA) wherever possible to protect your accounts even if you are phished. This is so important that we put together a video to show you how. Watch this video. Please just give us a call if you want help or want to discuss additional configuration options to ease implementation for your business. We will be happy to help.
If you don’t know anything about Office 365 Multi-Factor Authentication please check out our blog and video from December 2017 for a complete overview https://www.gowestit.com/office-365-multi-factor-authentication.
Go West IT just completed our second annual SOC 2, Type 2 audit. This is an expensive and time-consuming process and it absolutely makes us better every single year.
SOC stands for Service Organization Controls and a Type 2 audit tests our use of and adherence to a defined set of controls over the course of a year. We won’t receive our results in the form of a SOC audit report for another thirty days or so but I already know it was worth the expense and effort. Go West IT learns something and improves each time we conduct an internal review, assessment, and our annual SOC audit. These exercises make us better and in turn deliver greater value to our customers.
A SOC audit is a great way for your organization to get information about how your vendors and partners have designed controls for security, availability, processing integrity, and confidentiality or privacy. The SOC report provides you with a list of the tested controls that are audited by a third party and lists out exceptions that were uncovered during the audit period. It is a great way for you to validate the statements that most companies make about how they care for your information.
A SOC audit is no guarantee of security but it is a good indication that a business spends time and effort developing systems and controls to mitigate risk.
If you are a Go West IT customer and would like to see a copy of our SOC audit please just contact your Account Manager and we will make sure you get a copy of the report as soon as it is delivered. Please contact me directly if you have questions about the SOC audit process or what controls Go West IT has implemented to protect our customers.
Last but not least, please spend a few minutes thinking about how your organization might improve by assessing risks and taking action to implement controls to mitigate risk. Please just call Go West IT if you want help taking the first step.
Your business is vulnerable to cyber criminals, period.
The truth is that no business is fully “secure”. Rather, businesses assume various amounts of acceptable risk. Your responsibility is to figure out where your organization lies on the security spectrum, how much cyber risk you are willing to comfortably assume, and continually act to reduce your risk to those levels.
We understand that most businesses, especially SMBs, can’t and won’t do everything their IT provider may recommend. This is true for a myriad of reasons including operational efficiency, timing, focus on your core business, and of course budget considerations. We also believe that most businesses do not realize the amount of risk which they currently assume. If you did, you would likely already be doing more!
To this end, Go West IT has developed our “Top Ten Tasks to Mitigate Cyber Risk”.
Review your security posture with your current IT provider and discuss how to implement the next best thing you can do to reduce your risk (HINT: If you’ve done nothing to date, start with backups, patching, and multi-factor authentication). If you need help please give us a shout; our experts will help you recognize, plan, and take the steps to mitigate your risk.
Understand where you are today… know where you want to be tomorrow… build the roadmap to get you there. You can reduce your risk. Get started today!
President, Go West IT
Go West is providing this security alert as a cautionary measure for users with a consumer grade router or network attached storage device at their home or small business. Due to a recent malware attack known as VPNFilter, the FBI and US-CERT are encouraging users with home devices from Linksys, MikroTik, Netgear, TP-Link and QNAP to reboot the device. Users should also ensure device firmware is up-to-date and change passwords on these devices.
What Is It
VPNFilter targets small home and office routers and network attached storage devices. Once infected, the device lets criminals launch further attacks, collect personal website information, block network traffic, or render the device completely unusable.
Official US-CERT alert statement: https://www.us-cert.gov/ncas/alerts/TA18-145A
How Does It Impact Me
There is very little risk associated with this malware attack for commercial organizations utilizing business grade devices. However, it is vital that organizations be aware of the vulnerability for remote users connecting from a home office. Those users are more likely to be using a consumer grade router and should follow the recommended procedures.
If you have concerns or questions regarding a potential consumer grade router at your business please reach out to Go West support at firstname.lastname@example.org.