Tag Archive for: cybersecurity
It was not that long ago that cyber insurance was something only purchased by large companies with a heavy reliance on data processing. Today, cyber insurance is something that many small businesses carry, and every small business should consider. If a business has the support of a cyber insurance carrier it creates a safety net in the wake of a cybercrime incident.
Cyber insurance claims most often result from a business falling victim to cybercrime such as ransomware, data theft, or payment fraud. In these situations, the cyber insurance carrier should be brought to the table as soon as possible. Carriers write policies that include resources in the form of services to help minimize potential losses: incident response, forensic investigation, remediation, business resumption, and even ransomware negotiation services. They do this because they understand that the manner in which a business responds to an incident can limit the loss.
Cybercrime events take a heavy toll on business operations, along with a substantial mental toll on business leaders, most of whom do not possess the skills and tools required to deal effectively with a cyber incident. Go West IT has experience dealing with cyber events both with the aid of an insurance carrier and without, and has seen the difference that having an insurance company in your corner can make. It can turn a stressful and potentially costly event into a manageable business obstacle.
Check out Go West IT’s full article regarding cyber insurance.
Contact Go West IT for more information.
What is an incident response plan?
Cyber incidents are on the rise. This has been true and will continue to be true for the foreseeable future. It is important to have a solid incident response plan, regardless of the size of your organization.
An incident response plan includes six key components, each described below:
- Preparation
- Identification
- Containment
- Eradication & Remediation
- Recovery
- Lessons Learned – Review & Improve
An incident, in the context of Information Technology (IT) and data security, is any event that threatens the security and preservation of systems, data, people, and ultimately businesses. An incident is most often thought of as an event perpetrated by a threat actor (criminal) in an attempt to disrupt a system, gain unauthorized access to systems and data, change systems, alter or destroy data, or disrupt the legitimate intended use of systems and data.
Preparation for an incident requires that a business accept that an incident may occur and plan for how to deal with this eventuality. The result of preparation is the incident response plan. Preparation amounts to considering the various types of incidents that might occur and contemplating what resources, information, and planning might be necessary to deal with an incident, and then staging resources and planning so that you can call up the resources and refer to the plan in the event of a real incident. Preparation saves valuable time and may mitigate the actual damage or cost incurred to recover from an incident.
Identification is becoming aware that your business has experienced an incident. Most cyberattacks start long before a business is aware of them. Identification typically starts with an indicator of compromise (IoC), which can come from MANY sources. An IoC might be:
- An alert from a monitoring or detection platform (antivirus, EDR, device health…)
- A user encountering an encrypted file in your systems (ransomware)
- Receipt of a ransom demand letter
- A suspicious transaction on a bank statement
- Receipt of an odd email
- Notification from an email recipient that they received a strange email from your company
- A user being locked out of a system
An indicator of compromise may lead to identification of an incident that kicks the incident response plan into action. Businesses should seek to move from identification to containment as quickly as possible.
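Several of the indicators above (a user locked out, a stream of odd login prompts) leave a trace in the Windows Security log. The following is an added example, not part of the original post, that pulls the two most useful signals out of that log on a single machine: repeated failed logons grouped by source address and account (event 4625), and account lockouts (event 4740). The 24-hour window and the failure threshold are assumptions. For domain accounts, lockout events are recorded on the domain controller rather than on the workstation.

```powershell
# Added example, not part of the original post. Summarizes failed logons (4625)
# and account lockouts (4740) from the local Security log. Run from an elevated
# PowerShell session: reading the Security log needs administrator rights.
# The window (24 h) and threshold (10 failures) are assumptions to adjust.
$Since     = (Get-Date).AddHours(-24)
$Threshold = 10

# Turn one event into a name=value table using the event's own XML, which is
# more robust than relying on the position of fields in $_.Properties.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }
    return $Data
}

# 1. Failed logons: many failures for one account from one source is a
#    brute-force attempt; a few failures across MANY accounts from one source
#    is password spraying. -ErrorAction SilentlyContinue keeps Get-WinEvent
#    quiet when there are no matching events at all.
$Failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            Source    = $d['IpAddress']      # "-" for local console failures
            LogonType = $d['LogonType']      # 3 = network, 10 = RDP, 2 = interactive
        }
    }

"Sources/accounts with $Threshold or more failed logons since $Since"
$Failed | Group-Object Source, Account |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Lockouts: which account, and which computer the bad attempts came from.
#    In 4740 the "TargetDomainName" field carries the caller computer name.
"Account lockouts since $Since"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $d['TargetUserName']
            CallerComputer = $d['TargetDomainName']
        }
    } | Format-Table -AutoSize
```

Treat the output as a lead to hand to whoever handles containment, not as proof on its own: a source address that shows up against many accounts is worth blocking first, and the lockout list tells you which users to contact before they call the help desk.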
Containment is the effort and actions taken to keep the incident from getting worse. This stage often requires the help of an IT expert to quickly gather details, determine the best course of action, and take action to neutralize the threat while preserving data and evidence. Containment also requires a good communication plan that keeps key personnel informed while withholding information from those who do NOT have a need to know. For example, an IT expert might determine that certain systems need to be disconnected from networks or that certain accounts or services should be disabled to contain a threat. At the same time, leadership may need to quickly establish who needs to know what is happening and, perhaps as importantly, who should not be informed, so that proper consideration may be given to the nature of the communication that should occur between the business, vendors, customers, and even the public or media. Communication during the containment stage is typically limited to those individuals who play a role in containment or in managing communications. Disclosure of the incident to affected parties typically comes during the remediation or recovery phase.
The eradication and remediation stage is when a business endeavors to eliminate the threat. This stage often includes validating data integrity, validating access controls, restoring systems and data to a known good state, and preparing for the resumption of business operations. The duration of eradication and remediation will vary based on the nature and impact of the incident. When the duration is prolonged, this stage may also require a significant communication component to keep stakeholders informed. If the business has cyber insurance, the carrier (which should have been brought in as soon as the incident was identified) often brings significant resources to the table during this stage, including forensic investigations, remediation recommendations, legal support, and incident response resources. This stage often includes frequent status meetings with stakeholders and IT professionals.
It is important to consider preservation of evidence prior to eradication if the incident has the potential for data privacy, contractual, or other legal implications, because rebuilding or wiping a system destroys the evidence on it. Forensic evidence most often requires full images or backups of affected systems and preservation of any log files, along with a record of who collected what, and when, so the evidence can be trusted later.
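As an added example, not part of the original post, here is the minimum a small business can do to preserve Windows logs before eradication starts: export the key event logs, copy any other artifacts, hash every collected file with SHA-256, and write a manifest that records who collected what and when. The destination path, the set of logs, and the extra paths are assumptions to adapt to your environment; the evidence folder should be on a removable or network drive, not on the affected machine.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# session (exporting the Security log needs administrator rights). Paths, the
# log list, and the extra paths are assumptions.
$Case        = "IR-" + (Get-Date -Format "yyyyMMdd-HHmm")
$Destination = "E:\Evidence\$Case\$env:COMPUTERNAME"   # assumption: removable drive
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# 1. Export the event logs most often needed in an investigation (assumed set)
$Logs = "System", "Security", "Application", "Microsoft-Windows-PowerShell/Operational"
foreach ($Log in $Logs) {
    $FileName = ($Log -replace '[\\/]', '_') + ".evtx"
    wevtutil.exe epl $Log (Join-Path $Destination $FileName)
}

# 2. Copy any other logs or artifacts of interest (assumed paths; skipped if absent)
$ExtraPaths = "C:\inetpub\logs\LogFiles", "C:\ProgramData\Microsoft\Windows Defender\Support"
foreach ($Path in $ExtraPaths) {
    if (Test-Path $Path) { Copy-Item -Path $Path -Destination $Destination -Recurse -Force }
}

# 3. Hash every collected file and build a manifest (who, when, where, what)
function New-EvidenceManifest {
    param([string]$Folder, [string]$CaseId)
    Get-ChildItem -Path $Folder -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Case        = $CaseId
            Host        = $env:COMPUTERNAME
            File        = $_.FullName
            SizeBytes   = $_.Length
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            CollectedBy = "$env:USERDOMAIN\$env:USERNAME"
            CollectedAt = (Get-Date).ToString("o")
        }
    }
}
# Collect first, then write, so the manifest does not list itself
$Manifest     = New-EvidenceManifest -Folder $Destination -CaseId $Case
$ManifestPath = Join-Path $Destination "manifest.csv"
$Manifest | Export-Csv -Path $ManifestPath -NoTypeInformation

# Record this value in the incident ticket, away from the evidence folder, so
# later tampering with the manifest itself can be detected
(Get-FileHash -Path $ManifestPath -Algorithm SHA256).Hash

# 4. Later (e.g. before handing evidence to the carrier's forensic team), re-verify
function Test-EvidenceManifest {
    param([string]$ManifestPath)
    $Bad = Import-Csv -Path $ManifestPath | Where-Object {
        -not (Test-Path $_.File) -or (Get-FileHash -Path $_.File -Algorithm SHA256).Hash -ne $_.SHA256
    }
    if ($Bad) { $Bad | ForEach-Object { Write-Warning "Changed or missing: $($_.File)" }; return $false }
    return $true
}
Test-EvidenceManifest -ManifestPath $ManifestPath   # $true when nothing has changed
```

This preserves logs, not the full system image the text also calls for; a disk image of an affected server is still a job for the forensic investigator the insurance carrier provides, and it has to be taken before the machine is rebuilt.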
Recovery is the process of resuming business operations. Resumption of operations should not occur until eradication and remediation are complete. Recovery duration will vary based on the nature and extent of the incident, and additional monitoring and support are typically employed to prevent recurrence of the incident and to detect early any unintended consequences that result from the original incident or from the containment and eradication stages.
Recovery will also include notification and/or disclosure of the incident to affected parties. Legal counsel is often involved if disclosure is required and insurance carriers play a key role in the recovery stage if cyber insurance coverage was in place at the time of the incident.
Lessons learned is the process of reviewing the incident with an eye to preventing recurrence and improving the response process. Eliminating 100% of the risk associated with cyber incidents is not possible. The objective should be to continually mitigate risk when and where feasible. Looking back at cyber incidents almost always reveals a control or action that would have prevented the incident or at least reduced its likelihood. It is important to leverage the valuable and often expensive knowledge a business gains as a result of responding to an incident.
Businesses are rapidly shifting to work from home strategies in response to the current COVID-19 situation. Many are already adept at working from home and have strategies in place to protect networks, endpoints, and systems. They have proven policies in place to keep tabs on business IT assets and ensure that systems are constantly patched while temporarily disconnected from the office network. Antivirus monitoring still occurs, and their IT Managed Service Provider has already helped to secure remote access to systems and manage endpoint controls to keep their business secure.
This list is for businesses who did not have a plan in place and are being forced to shift rapidly. There is still plenty that you can do to protect your business during a less than ideal work from home (WFH) situation.
If you run a business and have staff temporarily working from home, it is extremely important that you implement multi-factor authentication (MFA) for your email platform (Office 365, Gmail, etc.) and for VPN access. MFA is the very best way to reduce the most likely cyberattack vector, credential harvesting via email phishing.
The following is a list of things that you can ask of your remote workers. Some of them will be able to tackle these tasks on their own, others will need help. Do what you can now and circle back to close any gaps as time permits.
Practical, easily implemented, work from home security strategies.
- Update the firmware on home Wi-Fi routers. Cyber criminals take advantage of known vulnerabilities to gain access to your home network. Fortunately, router manufacturers routinely release patches for known vulnerabilities, you just need to apply them.
- Step 1 – Log into your router. If you don’t know how to do this, first find the name and model number of your Wi-Fi router. Then, search Google for instructions on how to access your router’s internal web server/admin page. In most cases you access this via a web browser on a computer connected to your network.
- Step 2 – Take a backup. Backups give you a restore point should something go wrong during the update. Look through the Admin settings in the router to find a backup option. If you can’t find it, Google your router model to find instructions.
- Step 3 – Run updates. Look through the Admin settings in the router to find a firmware update option. Again, if you can’t find it, turn to Google for some help.
- Set a new admin password on your home Wi-Fi router. The administrative credentials you used to access your router are the keys to the castle. They should NOT be left at the manufacturer defaults (e.g. admin, password) and they should be very strong.
- Step 1 – Log into the router with your existing admin credentials. If you don’t know or don’t remember them, try the default credentials for your router model, or turn to Google for instructions on how to reset the password.
- Step 2 – Look through the Admin settings in the router to find an option to change the admin password. Change it to something unique and long (15 – 26 characters). The longer the password, the better. Make sure to record the new password so you can find it when you need it (a password manager is the best place to store credentials).
- Save the non-business Internet browsing, social media, email, and chat for your personal devices and your home/personal Wi-Fi network. As tempting as it might be to browse the Internet while your co-workers aren’t looking over your shoulder, you don’t want to be the one to introduce malware while you’re working from home without your business firewall and other restrictions to keep you protected. Do it on your own device, not the business device.
- Devices accessing and storing any sensitive, confidential, or personally identifiable information (PII) should be encrypted. Windows 10 Professional can be encrypted using the built-in BitLocker. Be sure to keep a record of the recovery key. When possible, a PIN code or passphrase at boot is preferred to TPM-only unlocking, where the drive is unlocked automatically before Windows asks for your credentials. If you are using a computer owned by your employer, consult with your IT department or management before encrypting the device on your own.
- If you are using a personal device (PC, Laptop, iPad…) to work from home (or if your business doesn’t already have a strategy in place for antivirus, operating system patches, account privileges, and a password manager):
- Install and update a good antivirus application. If you don’t have antivirus software, consider using Windows Defender (free for Windows devices and baked into Windows 10) or consider purchasing one. Macs also need antivirus protection.
- Make sure antivirus is running and launch the antivirus program to check for updates and set the software to automatically update as required.
- Check for Operating System updates and install them until there are no more updates to install. If you don’t know how to do this, Google “how to run updates on [your operating system here]” and follow the instructions. If you have a Windows device the instructions should come from Microsoft. If you have a Mac, the instructions should come from Apple. Do NOT download updates from anywhere other than the manufacturer. Windows and Mac updates are performed from the device and you don’t need to visit a website for updates. Be careful not to download updates from a malicious website.
- For Windows, click on the start icon and type “Windows Updates” and choose the option to install updates on your computer.
- Create a separate admin account to be used only when you must perform an administrative task (e.g. install a printer or a new application). Use a non-admin account for your day to day personal and work tasks.
- Step 1 – Create a new user on your computer with administrative rights. Keep a record of the new username and password (a password manager is the best place to store credentials).
- Step 2 – Log off your computer and log in with the new admin user you created.
- Step 3- Find your primary user account and make that user a non-admin or “standard” user.
- Step 4 – Log off with the admin account, log back in with your primary user account and work as usual. If you are prompted for administrative credentials while trying to install software, a printer, running updates, or some other expected reason, enter your admin credentials to allow the task to complete. If you are prompted for admin credentials out of the blue, it might be an indication that you’ve tripped across malicious software that is attempting to install on your system. Don’t enter the admin credentials unless you are sure it is for a legitimate purpose.
- Purchase and use a password manager. There are many on the market. Following are a few of the most popular:
- Be on the lookout for email phishing scams designed to harvest your credentials and gain access to your work or personal email. Criminals will absolutely attempt to use the fear and uncertainty surrounding the COVID-19 environment to entice people to cough up their usernames and passwords. You will likely see “apply for assistance…”, “sign up now for information…”, “login to protect your account…”, “login to access government assistance…”. Suspicion is not retroactive. Slow down and think before you act. Anything marked “urgent” or where you are being pressured to “act now” should raise your level of suspicion.
- Proactively change passwords that haven’t been changed in the last 30 days. Consider the following:
- Workstation (Windows or Mac) login.
- Office 365
- Windows Active Directory
- Personal email
- Wi-Fi Router admin credentials
- Wi-Fi wireless password (SSID & Guest)
- Take an inventory of where you are storing important data (business and personal). Is that data being backed up? If not, implement a backup strategy. If this needs to be done on the fly consider an online cloud service or backing up to USB drive and then getting that drive disconnected from your systems so that it isn’t encrypted along with everything else on your computer in the event of a ransomware attack.
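For the BitLocker recommendation above, the following added example (not part of the original post) turns on BitLocker on a Windows 10/11 Pro system drive with a TPM plus startup PIN and prints the recovery password so it can be recorded in your password manager. It assumes an elevated PowerShell session, a TPM, and that the Group Policy setting “Require additional authentication at startup” has been configured to allow a startup PIN; without that policy, Enable-BitLocker rejects the PIN protector.

```powershell
# Added example, not part of the original post. Assumptions: Windows 10/11 Pro,
# a TPM, an elevated PowerShell session, and Group Policy allowing a startup PIN.
$Drive = "C:"

# Where are we starting from? VolumeStatus "FullyDecrypted" means nothing is protected yet.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# 1. Add the recovery password protector FIRST, so there is always a way back in
#    if the TPM is cleared or the PIN is forgotten.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# 2. Turn on encryption with TPM + PIN. The PIN is typed interactively and never
#    stored in this script. -UsedSpaceOnly is fine for a new machine; drop it on
#    a drive that has held sensitive data before, so free space is wiped too.
$Pin = Read-Host -Prompt "Choose a startup PIN (at least 6 digits by default)" -AsSecureString
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmAndPinProtector -Pin $Pin

# 3. Record the 48-digit recovery password somewhere OTHER than this computer
#    (password manager, or the IT department's record if the device is company-owned).
(Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# 4. Check. Enable-BitLocker runs a hardware test on the next restart and encryption
#    proceeds after it; ProtectionStatus becomes "On" once encryption completes.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The order matters: adding the recovery protector before the TPM protector means the machine is never in a state where the only way in depends on the TPM.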
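For the separate admin account steps above (steps 1 through 4), this added example (not part of the original post) performs them with the LocalAccounts cmdlets built into Windows 10/11. The account name localadmin is an assumption, and the daily account is assumed to be a local account; a Microsoft account or domain account is referenced as MicrosoftAccount\user@example.com or DOMAIN\user instead.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# session on Windows 10/11. Account names are assumptions.
$AdminAccount = "localadmin"    # assumption: dedicated, admin-only account
$DailyAccount = $env:USERNAME   # the account you will keep using day to day

# Step 1: create the admin account and put it in the Administrators group
$Password = Read-Host -Prompt "Password for $AdminAccount (store it in your password manager)" -AsSecureString
New-LocalUser -Name $AdminAccount -Password $Password -FullName "Local Administrator" `
    -Description "Used only for installs, printers and updates" | Out-Null
Add-LocalGroupMember -Group "Administrators" -Member $AdminAccount

# Step 2: confirm the new account really is an administrator BEFORE demoting
# yourself. Safest is to sign out and sign in as $AdminAccount once; the check
# below is the minimum, and stops the script if something went wrong.
if (-not (Get-LocalGroupMember -Group "Administrators" | Where-Object Name -like "*\$AdminAccount")) {
    throw "$AdminAccount is not in Administrators; not demoting $DailyAccount"
}

# Step 3: make the daily account a standard user by taking it out of Administrators
if (Get-LocalGroupMember -Group "Administrators" | Where-Object Name -like "*\$DailyAccount") {
    Remove-LocalGroupMember -Group "Administrators" -Member $DailyAccount
}

# Step 4 check: Administrators should now contain only the built-in account and
# $AdminAccount. The change takes effect at your next sign-in; the current
# session keeps its administrator token until you log off.
Get-LocalGroupMember -Group "Administrators" | Select-Object Name, ObjectClass, PrincipalSource
```

From then on, a UAC prompt asking for the localadmin password during normal work is the “out of the blue” prompt the text warns about; only supply it for something you started yourself.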
The above guidance is provided with the intention of helping businesses and their people while we all work to make sound decisions in a rapidly changing environment. These guidelines are not comprehensive. Rather, they are intended to address some of the most significant risks. Some of the above recommendations will not be possible in your environment and may even give rise to other issues.
If you are using IT assets owned by your employer, it is very important that you consult with your IT personnel or IT Managed Service Provider before acting. They may already be managing some of these things for you and/or ad hoc changes might cause other issues.
If you run a business and would like help managing the above tasks proactively and without having to rely on your personnel to do this on their own, please call Go West IT. We will be happy to help, and we have resources standing by to tackle this for you.
I really hate hearing from customers and prospective customers that we were right and that they wish they had taken our advice to harden their systems and implement tighter security controls before their breach. Feedback from customers suggests the inconvenience of implementing additional controls is often what keeps them from taking action as opposed to the cost, which is negligible for some of the most effective controls like Multi-Factor Authentication (MFA). If you think the controls are inconvenient, you should spend some time visiting with someone who has been through a breach.
The most likely cyber-attack a small business will experience is an email breach, which quickly leads to real payment fraud losses, reputational damage, and compliance risk. Once a criminal organization (yes, there are organizations attacking your small business) has success breaching one email account, you can expect the attacks to increase in volume and sophistication. Businesses can dramatically reduce email breach risk with relatively little cost and yes, some minor inconvenience.
Take the Next Steps
If you own a business or are responsible for managing business risk, you need to take steps to protect your business, your shareholders, your employees, your vendors, and most importantly your customers. You must take action to implement additional controls. Start by asking your IT professionals to implement controls for yourself so you can understand first-hand how the controls protect your business and the level of inconvenience the controls may cause. This puts you in the best position possible to make informed decisions about how to protect your business and champion initiatives to tighten controls.
If you’ve done nothing to date, start with implementing MFA for your business email and then work with an IT professional to constantly review and improve security controls around all your systems and data.
I’m right and I hope I never have to tell you “I told you so”.
Your credentials can be phished, period. If you think you’re above being phished, you’re wrong. We all have weak moments and the criminals are really good at preying on our whims and emotions. Trust me, you can be phished. Don’t put so much pressure on yourself. Implement multi-factor authentication (MFA) wherever possible to protect your accounts even if you are phished. This is so important that we put together a video to show you how. Watch this video. Please just give us a call if you want help or want to discuss additional configuration options to ease implementation for your business. We will be happy to help.
If you don’t know anything about Office 365 Multi-Factor Authentication please check out our blog and video from December 2017 for a complete overview https://www.gowestit.com/office-365-multi-factor-authentication.
Your business is vulnerable to cybercriminals, period. So, workforce security should be top of mind for you and your business.
Workforce security matters
The truth is that no business is fully “secure”. Rather, businesses assume various amounts of acceptable risk. Your responsibility is to figure out where your organization lies on the workforce security spectrum, how much cyber risk you are willing to comfortably assume, and continually act to reduce your risk to those levels.
We understand that most businesses, especially SMB’s, can’t and won’t do everything their IT provider may recommend. This is true for a myriad of reasons including operational efficiency, timing, focus on your core business, and of course budget considerations. We also believe that most businesses do not realize the amount of risk which they currently assume. If you did, you would likely already be doing more!
To this end, Go West IT has developed our “Top Ten Tasks to Mitigate Cyber Risk”.
Review your workforce security posture with your current IT provider and discuss how to implement the next best thing you can do to reduce your risk (HINT: If you’ve done nothing to date, start with backups, patching, and multi-factor authentication). If you need help please give us a shout, our experts will help you recognize, plan, and take the steps to mitigate your risk.
Understand where you are today… know where you want to be tomorrow… build the roadmap to get you there. You can reduce your risk, get started today! Give us a call, email us, or contact our support. You can get secured today! You can check out more about our Go Managed Security Plans here. If you have any questions, please reach out to us.
President, Go West IT
Download the PDF: Top Ten Tasks to Mitigate Cyber Risk
Go West is providing this security alert as a cautionary measure for users with a consumer grade router or network attached storage device at their home or small business. Due to a recent malware attack known as VPNFilter, the FBI and US-CERT are encouraging users with home devices from Linksys, MikroTik, NetGear, TP-Link and QNAP to reboot the device. Users should also ensure device firmware is up-to-date and change passwords on these devices.
What Is It
VPNFilter targets small office and home office routers and network attached storage devices. Once infected, the device lets criminals launch further attacks, collect information passing through it, block network traffic, or render the device completely unusable.
Official US-CERT alert statement: https://www.us-cert.gov/ncas/alerts/TA18-145A
Manufacturers Linksys, MikroTik, Netgear, QNAP and TP-Link have posted instructions for users to follow to update their device software.
How Does It Impact Me
There is very little risk associated with this malware attack for commercial organizations utilizing business grade devices. However, it is vital that organizations be aware of the vulnerability for remote users connecting from a home office. Those users are more likely to be using a consumer grade router and should follow the recommended procedures.
If you have concerns or questions regarding a potential consumer grade router at your business please reach out to Go West support at email@example.com.
I recall a time when IT professionals adopted the “if it’s not broken, don’t fix it” approach to patching. To be sure, there was a time when patching firmware and software might have introduced more problems. That time is long gone. Aggressive patching is the new normal. Gone too are the days when a diligent IT person might go around to all the computers, servers, firewalls, switches, and other network attached devices and get them patched. That manual approach is no longer feasible and adhering to a manual patching plan is foolish. The nature of the modern cybersecurity landscape requires a platform which identifies patches that are needed, facilitates automated patching, and provides reporting & alerting to uncover anomalies.
Look no further than the CPU speculative-execution vulnerabilities (Meltdown & Spectre) publicized in the first week of 2018 for evidence of this new norm. When Operating System patches are released to mitigate these newly divulged flaws, it will be critical that they are applied as quickly as possible.
Go West IT offers managed service plans that utilize state of the art remote monitoring and management platforms designed to keep systems updated and rapidly apply patches when new vulnerabilities are divulged. Stand on our shoulders and use the systems we have already built to keep your business ahead of the curve. Please contact us today at 303.795.2200 or firstname.lastname@example.org.
David Lewien – President