5 Steps Your Business MUST Take If Infected With Ransomware
A ransomware attack is probably the LAST thing you’d want to happen to your business. Way behind a tornado or flood (which insurance will cover without doubt), cyberattacks—especially ransomware attacks—are often far out of sight (and out of mind) until they strike.
I wouldn’t wish a ransom attack on anyone and hope that Philadelphia-area businesses are doing their due diligence to protect themselves from a cyberattack, though the cold hard facts are that most businesses are unprepared to pick up the pieces after a cyber event hits their offices.
Today I want to go through the basic steps your business should be thinking about (and preparing for) in the event of a cyberattack.
As in any security breach or disaster, the most important thing to keep in mind is to stay calm. You should already have a plan that deals with most of the nitty-gritty details in the event a cyber breach or attack occurs.
[Note: if you are unsure if your plan is adequate or if you have overlooked creating a business disaster recovery plan, you should really consider a 3rd party network security assessment as a safety net in the event your business was unfortunate enough to join the growing number of businesses around Philadelphia falling for cyberattacks.]
But for a refresher, I want to walk through the basic 5 steps in dealing with a ransom infection in case you need to update your business continuity plan.
Step 1: Isolate the infected machines—just as the CDC would recommend with someone infected with a potent virus or bacterial infection, IT Security experts recommend isolation as one of the first steps in overcoming a ransom attack. Disconnect ALL infected machines from your network—unplug their Ethernet cables, turn off wireless access and consider unplugging the machines altogether if in doubt. Your primary goal is to lock down shared network drives and protect your network from further infection.
With ransomware, you are really racing against the clock. Unlike many other cyberattacks, ransom attacks stealthily move through your network looking for valuable files, and these ransomware viruses prioritize encrypting as much as they can as fast as they can.
Keep in mind that some ransomware variants are able to spread through shared network drives, so you may want to temporarily lock those down as well. Check your file servers to see if they are infected too. As a precaution, you may want to completely disconnect every machine on your network so that even the ones that appear to be uninfected stay that way.
The bottom line for this first step is to react quickly. As soon as someone gets a pop up screen, blue screen, or ransom note on their desktop, make sure they disconnect their computer. My recommendation would be to routinely remind folks about this. Inaction will only create more headaches.
Remind your staff that your business HAS regular successful backups of their data (disconnecting their machine won’t be the end of the world and they should be up and running in no time).
[Note: your business should expect minimal downtime from a minor ransom attack IF your IT Support has been regularly backing up your network. The problem we see most often is they say they are backing everything up (i.e., a report tells them your backups are going), BUT when someone needs to recover from backup, the backup doesn’t work or the needed files weren’t getting backed up! Consider a 3rd party security assessment to ensure your backups are working the way they should be!]
Step 2: Investigate what type of ransomware you have—the next step (once you’ve protected your network from the spread of the virus) is to specifically investigate what type of infection you have. Identifying the virus is critical because ransomware variants may behave quite differently.
Just as a flu virus is quite different and often more potent than the common cold, the consequences of a misdiagnosis may be fatal. Misdiagnosing a ransom virus may mislead you into taking unnecessary or harmful steps that might risk your business security.
The file extension of the encrypted files will give you a good clue to what specific type of ransomware you’re dealing with. Likewise, the wording of the ransom note may clue you in to which variant of ransomware you have.
If the variant has been around for a while (at least a month), you are likely to find similar reports online of the virus and how it presents on screen. Simply googling the file extension and the ransom note message will usually tell you what type of virus you have, and often how mean or conniving the hackers who have crawled your network are (some have a history of delivering a decryption key 100% of the time when a ransom is paid, while many are less than 80% responsive after businesses have made payment).
[Note: ransom payments are NOT a recommended way of dealing with an attack. Paying a ransom (1) emboldens more attacks on your business—you are a proven victim that will pay (cyber criminals are taking note of folks that pay) and (2) you never know if the $35K payment to an unmarked account will actually get your files back. Cybersecurity experts all discourage shelling out hard-earned money for ransom payments.]
Step 3: Determine the spread of the ransomware infection—the majority of ransomware variants will encrypt all of your file names and change all of your file extensions. For a recent example, see our discussion on the Samsam variant that has hit the Philadelphia-metro with force in recent weeks.
Many of these ransom variants also leave a README.txt or README.html file on the desktop with ransom instruction.
Your next task in curing your network of the infection is to identify its extent. If you notice a README file on the desktop OR encrypted files with a weird extension, you certainly have a computer with ransomware on your hands.
But sometimes, the virus may not encrypt everything. If you were able to find information online on the virus, you likely can find key signatures of where it infects first or places it always infects. Since ransom viruses are looking to encrypt valuable data, they often target your C drive, but specific ransomware variants may encrypt specific files within your operating system. I am just talking about Windows machines here, but Macs are also vulnerable to attacks!
If you can’t find specific information on where to look to see if an apparently uninfected machine is infected, you should follow the following procedure:
[Note: this procedure can sometimes be tedious (taking days to weeks for some IT Support teams depending on the size of your network!). Many IT Support teams fail to implement or effectively monitor networks for suspicious activity. If you are unsure whether your IT Support team is securing your network with a smart firewall or that they are adequately monitoring your network, consider a 3rd party network security assessment.]
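One way to carry out that sweep over a file share, as an added example that is not part of the original post: it looks for the two signals the article names (ransom-note files and files whose extension has been changed) and reports which folders are affected. The extension allow-list, the `.locked` extension and the folder names are constructed for the demo and are not from the article.

```python
"""Sweep a file share for the signs of encryption the article lists.

Added example, not from the original post. Two signals it works from:
  * ransom notes (README.txt / README.html) dropped into folders;
  * many files that share one unfamiliar extension, typical of mass
    encryption that renames what it touches.
The sample tree is constructed in a temporary directory so it runs offline.
"""
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Ransom-note names the article mentions.
RANSOM_NOTE_NAMES = {"readme.txt", "readme.html"}

# Extensions you expect on the share. Assumption: tune per site; anything
# not listed here is treated as unfamiliar.
KNOWN_EXTENSIONS = {
    ".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".html", ".csv",
    ".jpg", ".png", ".mdf", ".ldf", ".bak",
}


def classify_file(path) -> str:
    """Return 'note', 'renamed', 'unknown' or 'ok' for one file name.

    'renamed': a familiar extension followed by an unfamiliar one
               (report.docx.locked), the pattern left when a variant
               appends its own extension to the files it encrypts
               (assumption: not every variant renames this way).
    'unknown': a lone extension that is not on the allow-list.
    """
    path = Path(path)
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "note"
    suffixes = [s.lower() for s in path.suffixes]
    if (len(suffixes) >= 2 and suffixes[-2] in KNOWN_EXTENSIONS
            and suffixes[-1] not in KNOWN_EXTENSIONS):
        return "renamed"
    if suffixes and suffixes[-1] not in KNOWN_EXTENSIONS:
        return "unknown"
    return "ok"


def scan_tree(root) -> dict:
    """Walk root and tally what looks encrypted, per extension and per folder."""
    report = {"notes": [], "extensions": Counter(), "dirs": defaultdict(int)}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify_file(Path(dirpath, name))
            if kind == "note":
                report["notes"].append(os.path.join(dirpath, name))
            elif kind in ("renamed", "unknown"):
                report["extensions"][Path(name).suffix.lower()] += 1
                report["dirs"][dirpath] += 1
    return report


def likely_ransomware_extensions(report, min_files=5):
    """Extensions seen on at least min_files files. One odd extension on many
    files is the mass-encryption signature; a single stray file is noise."""
    return sorted(ext for ext, n in report["extensions"].items() if n >= min_files)


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one clean folder and one hit by a made-up variant
    that appends '.locked' and drops README.html (names invented here)."""
    clean, hit = root / "Finance", root / "Projects"
    clean.mkdir()
    hit.mkdir()
    for i in range(4):
        (clean / f"budget_{i}.xlsx").write_text("numbers")
    (clean / "my.report.docx").write_text("dotted name, but a normal file")
    for i in range(6):
        (hit / f"proposal_{i}.docx.locked").write_bytes(b"\x00\xff" * 16)
    (hit / "README.html").write_text("<h1>your files are encrypted</h1>")
    (hit / "stray.tmp").write_text("one-off file, must not form a cluster")


def run_demo():
    """Build the sample share, scan it and return (note count, suspicious
    extensions, affected folder names) so the result can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        report = scan_tree(root)
        exts = likely_ransomware_extensions(report)
        for folder, count in sorted(report["dirs"].items()):
            print(f"{Path(folder).name}: {count} suspicious file(s)")
        print("ransom notes:", report["notes"])
        print("likely ransomware extension(s):", exts)
        return len(report["notes"]), exts, sorted(Path(d).name for d in report["dirs"])


if __name__ == "__main__":
    run_demo()
```

Pointed at a real share root instead of the temporary directory, the per-folder tally is the quickest way to see how far the encryption got before the machines were disconnected.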
Step 4: Determine the cause of infection—there are innumerable ways a network can get infected with a ransomware virus. By identifying patient zero (i.e., the first machine to get infected on your network), you’ll be able to understand the cause of infection.
While in some cases the person who clicked on a malicious link or email attachment self-identifies as the cause of a ransomware attack, more often you will end up infected with no clue why.
Keep in mind that while users often contribute to an attack, they are by no means the only way a cybercriminal can break into your network.
If you’ve identified a ransomware attack to a specific user, ask that user to retrace their steps before a ransom screen popped up.
Did they open a new document?
Did they click on a link or file attachment in an email?
Did they visit a website they normally don’t visit?
Knowing these specifics should help your team identify how the infection happened and warn other users of the event—keeping cybersecurity top of mind includes continual communication about horror stories to your team so that they (1) recognize attacks and (2) are able to help your business prevent getting hit by the next one.
If a user wasn’t specifically the seeming cause for an infection, hackers may have entered your network because IT Support failed to patch your network—maybe a software vulnerability or operating system patch. Often hackers look for low hanging fruit—easy security vulnerabilities that have been published—to get easy access in.
[Note: Zog customers should be assured that we regularly check AND test patches to ensure your business is protected from unwarranted attacks.]
Step 5: Network recovery—because you’ve heeded warnings of ransom attacks and other disasters, your IT Support should have all (or at least most) of your files for complete recovery without relying on a ransom payment.
Unfortunately, encrypted files from a ransom attack will stay encrypted (these attacks often use encryption techniques far more sophisticated than current enterprise encryption methods). Restoring your files from backup is likely your best bet for a quick and full recovery.
The problem? Only 42% of businesses are able to completely recover from backups because their IT Support FAILED to adequately back up and test their backups. And over 75% of businesses are not able to recover quickly from data loss because they lacked a business continuity plan!
My recommendation: figure out what your backup and disaster recovery plan should look like and make sure you have a solid plan to deal with any pending disaster in 2018. Test your backups and ensure that your IT Support is keeping backups a regular priority (as I said before, you cannot be too careful when it comes to backups. If you’re at all in doubt about whether and how your IT Support is backing your network’s data, consider a 3rd party security assessment).
My question to you: are you prepared for the next ransom attack? Will you be able to recover from it (if your business becomes a target)? Contact us today for a FREE security assessment to put together your 2018 security roadmap.
I’m sure by now someone has underscored why you need to protect yourself from getting the nasty flu bug circulating this year. Countless news articles, school notices, and even YouTubers are joining the fight against the spread of this nasty flu strain. Their message: prevention. “Wash your dirty hands” was the viral message from one nurse last week. Many reminders of good hygiene, particularly in flu season, help us stay on track to stay healthy and avoid getting sick.
My question today: why aren’t businesses taking the same simple precautions to protect themselves against ransomware?
We all agree that the way we keep ourselves and our families healthy this flu season relies primarily on simple and easy-to-follow principles: hand washing, getting a full night’s rest and eating nutritious food. If we are infected, we know not to spread the virus, limiting the amount of time we are in contact with others until we feel better.
Protecting your business against ransomware and other malicious viruses can be just as simple as adhering to similar standards of prevention. The problem is: most of us mistakenly feel that something like a cyberattack “would never happen to me” until it’s too late!
To help you continue to address your IT Security issues—those vulnerabilities that really should have been addressed months (or even years ago!)—I want to walk through 5 ways to prevent ransomware infections.
Here are 5 ways to avoid being a ransomware target and having to pay ransoming criminals:
I can’t emphasize this one enough. Once your files are encrypted, you practically have no options for recovery other than rolling the dice with paying the ransom (which nowadays will be at least $35,000) if you have no backup of your files.
Unfortunately, most businesses I’ve worked with in and around the Philadelphia metro (and elsewhere in the United States) think they have good backups but actually don’t. CEOs are told that backups are working when they’re not (and only find out when they’re confronted with serious data loss).
IT Support is so accustomed to simply clicking on a button to start the backup, but never actually checks that the backups are working. Instead of validating your backups, your IT guy is probably just telling you they are ok without even looking (their automated report says they’re okay, so everything must be fine).
Make sure you have functional backups of your network that routinely back up (a 3rd party network security assessment certainly can help here).
Testing your backups will make sure you actually have something to go back to instead of paying a hacker to create more innovative ways to get into your network, but it isn’t the only thing you should be thinking about your backed up data.
Even though many businesses DO back up their data, they fail to realize where their backups are being stored.
If your backups are kept on your network, realize that those files likely will get targeted in a ransom attack (you’ll be stuck in the same situation as if you never backed up your files at all!).
[Note: if you are a Zog client, your backups are regular, tested and offsite.]
Be sure to back up your network off of your network (offsite) to ensure that if an attack occurs (or some other disaster hits your network), you assuredly can recover quickly without a hiccup AND without having to pay hefty ransoms which may bolster more attacks on your business in the future (lightning DOES strike twice when it comes to being targeted and infected by ransomware).
Another broken record here. I say this over and over again, but with recent attacks hitting business large and small, I’m astonished how many IT Support teams fail to update and patch security vulnerabilities, many of which have been around for weeks, months, and (in some instances) even years.
Some of the most recent ransom attacks—including this recent Samsam virus— scour networks looking for old vulnerabilities on servers and workstations, infecting any that aren’t updated or patched.
Once in your system, these viruses spread like wildfire throughout the network. Normally, when a ransom attack hits, it takes a full week to get your team up and working. That means you’re losing costs in W-2s for 40 hours of work PER employee in addition to any work lost from the ransom attack (encrypted files that you had not yet backed up).
If you were diligently testing and backing up your network, you may be lucky to have just lost a day’s worth of work. But if you add up a full week and an extra day just to get you back to where you were before the ransom attack, you’re talking about big bucks!
To demonstrate the costs of an unpatched network, here’s a back of the envelope calculation of some of the obvious costs of being attacked:
Let’s say you have 10 team members and their average hourly rate is around 50 bucks per person.
5 days where they cannot work because your network is down = 40 hours x 50 dollars an hour x 10 employees.
You end up wasting $20,000 in downtime for that one week!
Plus the day (here I’m being really conservative) of lost work materials. Add another 4 grand for each day’s worth of work lost and your minimum costs from a ransom attack is at least $24,000!
Not to mention dealing with unhappy clients who aren’t getting their work delivered, exposure of sensitive data that might lead to identity theft, security compliance fines (PCI or HIPAA for example) and missed opportunities.
Your actual costs—even with full offsite backups—may end up being in the hundreds of thousands of dollars for one unpatched machine on your network letting one of these viruses in.
While many of the most recent viruses have gone undetected on a variety of antivirus software, having an updated antivirus on your network is still a critical defense to containing a lot of the bad crud hitting your network on a daily basis.
Realize that as these new strains of viruses get detected and documented, an updated antivirus will be able to detect their signature. While there are a few masterminds reinventing and redesigning virus code, the majority of these criminals are using older virus strains because they are working (making them big cash returns)! This means one thing—businesses aren’t monitoring their networks with up-to-date antivirus.
Many businesses fail to even keep antivirus updated—updates that could quarantine or minimize the spread of infection across your network. Instead of infecting your whole network, with a good antivirus that is regularly updated, you may only have one or a couple machines impacted. Not sure if you have the right antivirus software? Ask us about a free security assessment to find how to best recognize viruses before they become a huge problem.
Most IT Support teams fail to communicate—in real, understandable English—how to prevent getting scammed, phished or hacked. While many of the vulnerabilities behind ransom attacks come down to things IT Support should have done in the first place, many attacks can be stopped if users recognize and think about their actions.
This is where proper internet hygiene comes into play. Just like hand washing prevents spread of the flu virus, phishing scam recognition and data security practices can prevent users from handing out credentials to sensitive areas of your network or even preventing viruses from accessing the network all together.
Your team should be able to (1) identify what email scams look like, (2) report anything that looks unusual on their computers (files opening on their own, pointer moving without touching the mouse, windows opening without their control) to your IT team, and most importantly (3) have a good working relationship with IT Support so that suspicions or problems don’t keep them (and your business) from preventing disasters (something the Zog team does every day).
Many businesses have no idea what to do when they get infected with a ransomware virus. Some try to restart their computers, hoping that a refresh will rid them of the problem. Many will keep their computers linked to the internet—searching for answers about this virus.
If infected, the first step to recovery—as a precautionary measure—is to disconnect. Hackers sometimes rely on computers being connected so that they can actively interact with your hacked network. The problem with keeping computers online is that sensitive data may be leaving your network (and you likely won’t even know it).
Start by disconnecting infected computers from your network and turning off and disconnecting other computers that might not yet have been infected as a precaution to prevent the virus’ spread. You may actually have a chance of saving workstations (or servers) on the network if they were not originally part of the infection.
Some ransomware viruses will actually demand that you not disconnect computers—but don’t be fooled! They DON’T have your best interest at heart and are trying to get you to emotionally react to their demands.
If your files are locked or encrypted and the ransom asks you to pay the demand, consider the consequences. By paying the ransom, you aren’t guaranteeing anything. In fact, recently paid ransoms have only been 80% effective at getting an encryption key. Also, paying the ransom may actually make you a bigger target as bigger and more virulent viruses get made (criminals on the Dark Web are actually tracking when ransoms are paid and have started re-targeting these businesses!).
If you have good backups—which, after reading this article, I hope you are seriously thinking about (remember, you can always get a second opinion on whether your security can defend against ransom attacks)—you will be in a relatively good spot to recover from any sized ransom attack.
If you don’t have backups, you may be able to piece together what is left on your network to cobble together critical business data (a cybersecurity or forensics team may be needed depending on the extent of the ransom infection).
The quicker you react to the ransom attack, the more data you’ll likely preserve free from encryption.
The bottom line: make sure your IT Support team takes simple actions to prevent a ransomware outbreak on your network. If you are at all questioning whether your business—like many in the Philadelphia metro—is NOT backing up its data securely, is NOT patching its machines (risking infections attacking your network), is NOT informing users how to recognize common attacks, or does NOT have a plan to immediately respond to a ransom attack, contact us TODAY for a free security roadmap meeting.
With data breaches and cyberattacks on the rise last year (and with no sign of stopping in 2018), many business owners are making hard decisions on how to mitigate their risks in the event a cyber incident occurs.
(Note: most cyberattacks and data breaches are preventable if you keep to solid security practices).
The problem with dealing with a cyberattack or breach of sensitive information is that there are enormous costs that many of us don’t consider. In addition to business downtime (from ransomware or data loss), your business will need to confront mandatory steps to mitigate damages from the cyber event. These costs may include legal fees, cyber forensic investigations, press releases, fines, and worst of all, a negative reputation in the marketplace that has led many businesses to close their doors.
While cyber insurance can alleviate a lot of your business’ financial responsibility—which seems like a very nice safety blanket if you are unfortunate enough to be in a cybercriminal’s cross hairs—if you are not taking precautions to limit your chances of cyberattacks or breaches, your cyber insurance may not cover you.
And even when a cyber event is covered by your policy, you’ll probably have to shell out quite a bit of dough—normally around $50K—as a deductible to get coverage.
Since cybersecurity insurance is a relatively new type of business insurance coverage and because cyberattacks have been getting worse since the start of the year (for one example, see our recent discussion on the latest Samsam attacks crippling businesses and municipalities large and small), I thought it necessary to briefly walk you through cyber insurance and considerations you’ll need to make to decide whether it’s a good option for you.
But first, what exactly is cyber insurance?
Cyber insurance essentially is a standalone policy that can help your business recover from data loss resulting from either a cyber security breach or other event, such as a network outage or interruption to your business service.
The scope of policies varies considerably in what they cover, the cost of insurance and exclusions, so you will likely need to read all of the fine print to determine whether the policy is actually going to give you sufficient coverage to survive an attack.
Why consider cyber insurance for your business?
While choosing between different cyber insurance policies may seem complicated—in that there is no one standard policy—it may be a good addition to your business strategy for security risk management and response. As I mentioned above, there are a LOT of expenses incurred during a cyberattack. And picking the right coverage that makes sense may take reading pages of fine print.
How can you lower your cyber insurance costs or ensure you are covered in a cyber event?
Think of cyber insurance like automobile insurance. Auto insurance does not give you a green light to drive drunk. And cyber insurance certainly doesn’t give you a green light to overlook important cyber security responsibilities. Your insurance provider will expect that you preserve a certain level of cyber security within your network to be eligible for cyber insurance benefits in the event something happens.
The more risks you take on from having poor IT Security practices, the more you’ll probably have to shell out for coverage.
How can you prevent or mitigate cyberattacks through proper IT implementation?
Patch your machines— I know you might be thinking that I’m a broken record here, but you’d be surprised how many businesses around Philadelphia forget to update their networks with security patches. The most recent ransomware viruses (such as the Samsam virus) actually move with network vulnerability scanning software. If you haven’t patched that workstation or server recently and it still has an open back door, be assured that the latest ransomware variants may find their way into your network unnoticed. Applying patches is critical to preventing disasters from occurring (and ensures that in the event of an attack, you can provide evidence to your insurance company that you followed good security hygiene).
Train your staff— while network vulnerabilities might be the latest way many hackers are breaking into business networks, phishing scams and social engineering are definitely a close second! Scammers are more sophisticated in how they are reaching out to team members.
Often posing as you—the CEO—scammers are requesting sensitive info be sent to email accounts that almost look like yours. In many instances, scammers have added a second email notifying staff that the first email was a scam, but to send information to a private (more secure) account. Be sure your team understands how to recognize scams as they evolve and question sending out sensitive information via email. Make sure they confirm (by phone) with the person requesting money or sensitive data before giving it away. Since tax season is upon us, make sure your accounting team is especially suspicious about requests for information or funds (because scammers are targeting tax returns hoping to cash in).
Back up your network— many companies don’t realize how important backups are until they end up with a ransomware virus. If you don’t have a working backup, you might be left with no data (paying a ransom for encrypted data is simply rolling the dice; in recent ransom attacks, even when a ransom was paid, the likelihood of data recovery was close to 70%).
And even when businesses have backups, many keep their backups on network. For most modern viruses, your entire network is vulnerable to an attack—if your backups are connected to your primary network, they most definitely will also be encrypted or (in some cases) permanently deleted. Make sure you have a recent, working offsite backup to ensure data recovery and minimize downtime to hours (opposed to weeks or months before data is recovered, if ever).
Have a recovery plan— just as you have a strategy for implementing your 2018 business goals, you need to have a strategy that meets 2018 security concerns. As viruses become more virulent or do more damage on a network, you need to be thinking about what your response will be. Having a comprehensive backup and disaster recovery plan that incorporates cyberattacks, data loss and data breaches is a crucial component of mitigating risks from an attack efficiently and quickly.
Understand your risks—the biggest problem with most business security is that the team doesn’t see security problems until it’s too late. Most of us won’t call a lawyer until we have a lawsuit or an uphill legal battle. Likewise, the majority of businesses don’t think about their IT security and infrastructure until they’re faced with dire ransoms and data breaches (all of which may completely put their business continuity at risk).
By performing an annual security network assessment and understanding where your risks lie, you can be empowered to shore up your security and plan in advance for initiatives to keep you, your team and your clients safe from growing cyberattacks.
Take home: prevention is key to keeping your business safe. Insurance will help minimize the effects of an event, but having adequate IT Security measures in place at your office will significantly minimize your risk of ever needing to pay for a policy (and will likely reduce your insurance costs long term).
Are you considering cyber insurance but don’t have the slightest clue whether your IT Security meets your insurance policy’s standards? Are you concerned about keeping your business safe from ransomware? Contact us TODAY for a free security network assessment.
Ransomware variants are probing for your unpatched networks!
The Samsam virus, a CryptoWall derivative, has been around for almost 2 years, but recently it has been creating havoc on small to large businesses across the country. Local governments, law offices, hospitals—you name it— have been victims of this malicious ransom attack.
When you get infected, the virus crawls your network sniffing out all of your important files—it looks for specific file types on the C Drive and encrypts the entirety of the contents.
Samsam also deletes anything it thinks may be a backup to your files (that is, if you keep backups on your network).
Here is a recent example of what Samsam did to the MSSQL server of a local business that wasn’t up-to-date on their patching:
The criminals leave you with a message all over your machine, with instructions on how to pay up to gain access to your files again. This is just a snippet of what the ransom looks like.
The going rate for decryption is about 33,000 American Dollars (hopefully you keep that kind of cash on hand).
But another problem is that paying the ransom is a gamble. If you pay the Samsam ransom, you may not even get your data back! After doing a little research on the group behind these attacks, we found that once the ransom is paid, you may not even get the decryption key. In fact, nearly half of businesses that paid the hefty $33,000 ransom never got a single file decrypted (money down the drain!).
What’s even harder with this virus is that there is no easy way to decrypt files yourself or eradicate the virus off of servers or workstations without reimaging the machine. The FBI is currently investigating options to recover files infected by Samsam, but so far no one has found a good method of decrypting files left in the path of the virus.
If you haven’t been infected, what should you do to make sure you don’t get an infection?
I feel like a broken record, but the same steps that I’ve mentioned time and time again will keep your business safe from Samsam:
Are you willing to roll the dice with paying ransoms? Are you sure you’re taking appropriate steps to keep your business from falling to Samsam? Contact us today for a free network security assessment to see if you are Samsam-proofed.
Sometimes IT Security can be overwhelming.
Overwhelming to the point that there are just too many components to keep track of. Too many recommended security projects to get completed. Too many new hacks and ransoms that make it seem like security is never really working for your business.
As we are starting 2018, I want to go through a way for you to prioritize your IT Security to focus on the most important stuff first.
Before you start worrying about specific information security projects that need to be done—for instance, installing a secure firewall or upgrading your operating system, you should have a well-defined security plan focusing on what is most important to keeping your business safe.
Just like any other business process, your IT Security process addressing security issues should start with planning. Define specifically what needs to be accomplished. If you don’t do this, you might have no way to tell if your security is actually improving.
Your plan should first identify your business’ imminent security concerns. Are you vulnerable to ransomware? Are your users susceptible to phishing scams? Are you using out-of-date and unsupported software? Have you overlooked applying security patches? (If you aren’t sure how to start a plan, consider consulting security experts to help define a business security plan.)
Make a list of all of the outstanding issues and plan to address each. Your plan to resolve each issue should include the following:
Define your security concerns—outline each problem with a clear explanation of why your business security is at risk. For the majority of business owners, security experts often advise an initial 3rd party security audit to understand exactly what your major security vulnerabilities are before starting any business security improvements.
Identify what each security concern affects—is the security vulnerability related to an update for an accounting program? Will it compromise your entire staff’s Social Security Numbers? Or do you have a vulnerability that will merely impact your office supply orders? Understanding who is impacted and what the implications mean for your business operations is critical to understanding how pressing the issue is.
Have a defined plan to address each issue—your IT Support team should be able to address each concern with actionable tasks. Maybe they need to patch specific software, maybe they need to upgrade your server, perhaps they need to better train your users on how to use technology safely. Whatever the resolution, your IT Support team should document the specific steps they will follow to fix each issue on your network, and should be able to estimate the time and other costs involved in the fix.
Define how complicated each task is—based on the resolution plan for each security concern, your IT Support team should determine how long or complicated a fix would be to better protect your business. Come up with a simple designation (Easy, Medium, or Hard) or predict the number of man hours each resolution would take to help decide what to tackle first.
Fixes or projects that address the highest risks to your business should be given highest priority!
Just because a fix addresses a known security risk doesn’t mean it belongs at the top of your list. Your IT Support should ideally identify the biggest problems first: the ones that most reduce the risk to your business, or that substantially cut the cost of managing your security (for example, a single fix that closes several concerns at once).
Pro TIP: Make sure that your IT Support isn’t wasting money and time on repetitive security tasks. Often, separate security concerns may be related to the same core security vulnerability.
Here’s one example: you decide that you want a security policy requiring users to change their passwords every 90 days, and your IT Support team proposes a project to monitor and enforce those changes four times a year.
BUT your support team may also be working on a separate project on authentication between your Windows domain and your servers, and that project already includes automatic enforcement of password expiry, resulting in fewer complaints about expired passwords and less hand-holding of users. (One caveat on the example itself: PCI DSS 3.2 still requires 90-day password changes under requirement 8.2.4, while NIST SP 800-63B now advises against forced periodic rotation unless there is evidence of compromise; which rule you follow depends on which standard you are held to.)
If you hadn’t listed out your projects or concerns and identified how projects or security issues relate, you may have wasted time and money implementing two redundant projects to address one core problem. Clean up your list to remove any redundant issues prior to implementing your 2018 security initiatives.
Determine which concerns are most pressing—not all security risks are created equal. For instance, your unpatched security vulnerability that allows a hacker to get into your client billing data is likely much more important than a vulnerability that may allow access to your marketing opportunity database.
While all of the security concerns may be important, there are likely some that have bigger impact on your compliance (remember that PCI Compliance requirements are changing next month!) and overall business security.
Implementing what’s most important first—after making sure security issues aren’t repeated on your list, come up with a timeline when your IT Support can implement each security concern. Be sure to understand costs involved with each project to best know how to budget for
Most businesses often define this list of concerns along with a remediation plan by seeking a 3rd party security assessment.
While there is no absolute right or wrong way to prioritize your security projects, there are certainly concerns that arguably would have the most bang for your investment. Contact us TODAY to figure out how to best secure your business for 2018.
Are you ready for a February deadline for new Payment Card Industry data security standards?
February 1, 2018. That’s the day PCI DSS (Payment Card Industry Data Security Standards) will require your business to upgrade its security standards. Version 3.2 of PCI DSS changes previous “best practices” to stricter required business security standards.
Today I want to walk through what Philadelphia area businesses should be planning for in the coming weeks to prepare for the change to heightened data security standards if you rely at all on credit card processing.
Below are seven current best practices that become requirements beginning February 1st. One caveat before the list: in the PCI DSS v3.2 document each of these seven is marked as an additional requirement for service providers (businesses that store, process or transmit cardholder data on behalf of others, or that can affect the security of that data). If you are a merchant, the requirement from the same release most likely to affect you on the same date is 8.3.1, multi-factor authentication for all non-console administrative access into the cardholder data environment. Confirm with your assessor or acquirer which set applies to you.
Requirement 3.5.1—how are you protecting your cardholder data? PCI DSS wants to know.
As part of the updated requirements (3.5.1), you will need to maintain a documented description of the cryptographic architecture you use to protect cardholder data: every algorithm, protocol and key in use (including key strength and expiry date), what each key is used for, and an inventory of any HSMs or other secure cryptographic devices used for key management. This is a description of the keys, not the keys themselves; key material stays in your key management system and never goes into the compliance document.
Requirement 10.8—are you detecting and reporting failures of your critical security controls? You will now need prompt detection and response when a control stops working.
As part of the upgraded standards outlined in Requirement 10.8, you will be expected to detect and report any failure of a critical security control system in a timely manner.
The controls PCI DSS has in mind are firewalls, IDS/IPS, file-integrity monitoring, anti-virus, physical and logical access controls, audit logging mechanisms and segmentation controls where you use them (if you aren’t sure which of these exist in your organization, consider a 3rd party security assessment to better grasp what security controls are needed for PCI compliance).
As part of reporting failures, you are expected to document a process for detecting them, identify the personnel on your team responsible for running that process, and outline the alerting procedures that kick in in the event a control fails to protect cardholder data. A silent control is the hard case: a firewall that crashed or an anti-virus agent that stopped updating produces no alert of its own, so detection has to be based on missing heartbeats and logs, not only on explicit error messages.
Requirement 10.8.1—are you responding to security control failures fast enough?
Requirement 10.8.1 expects your business to respond to failures of critical security controls in a timely manner (again, consider a security assessment if you are unsure which controls are critical for PCI). You will need to describe your response process and the controls it covers (for example: firewalls, monitoring, antivirus and audit logging).
Along with 10.8.1, you will have to document, for each failure, when it started and how long it lasted, its cause (including the root cause) and the remediation required to address it, and any security issues that arose while the control was down. PCI DSS will also require you to perform a risk assessment to decide whether further action is needed as a result of the failure, to implement controls that prevent the cause from recurring, and to restore the failed control and resume monitoring it.
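The detection and documentation that 10.8 and 10.8.1 describe can be reduced to a small monitor over control heartbeats. The following is an added example, not a tool from the original post or from the PCI SSC; the heartbeat line format, the control names, the silence limits and the sample records are all assumptions. It treats a control as failed both when it explicitly reports a failure and when it simply goes quiet, and it produces the record (last known-good time, detection time, duration, cause) an assessor will ask for.

```python
"""Detect and document failures of critical security controls from
heartbeat records (the check PCI DSS 10.8 / 10.8.1 asks for).
Added example; the heartbeat format, control names and silence limits
are assumptions, not anything PCI DSS prescribes."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Longest gap between "ok" heartbeats tolerated per control (assumed policy).
MAX_SILENCE = {
    "firewall": timedelta(minutes=5),
    "antivirus": timedelta(hours=1),
    "audit_logging": timedelta(minutes=15),
    "file_integrity": timedelta(hours=6),
}


@dataclass
class Failure:
    control: str
    last_good: Optional[datetime]   # last confirmed-good heartbeat, None if never seen
    detected_at: datetime
    cause: str

    def duration(self, now: datetime) -> timedelta:
        """Outage measured from the last known-good heartbeat, the conservative
        figure 10.8.1 asks you to document."""
        start = self.last_good if self.last_good is not None else self.detected_at
        return now - start


def parse_heartbeats(lines):
    """Parse '<iso-timestamp> <control> <ok|fail> [cause...]' lines, oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        ts = datetime.fromisoformat(parts[0])
        cause = parts[3] if len(parts) > 3 else ""
        events.append((ts, parts[1], parts[2], cause))
    return sorted(events)


def detect_failures(events, now):
    """Return one Failure per control that reported 'fail' or fell silent."""
    last_ok, reported = {}, {}
    for ts, control, status, cause in events:
        if status == "ok":
            last_ok[control] = ts
            reported.pop(control, None)          # control recovered
        else:
            reported[control] = (ts, cause or "reported failure")

    failures = []
    for control, limit in MAX_SILENCE.items():
        if control in reported:
            ts, cause = reported[control]
            failures.append(Failure(control, last_ok.get(control), ts, cause))
        elif control not in last_ok:
            failures.append(Failure(control, None, now, "no heartbeat ever received"))
        elif now - last_ok[control] > limit:
            failures.append(Failure(control, last_ok[control], now, "heartbeat missing"))
    return sorted(failures, key=lambda f: f.control)


def incident_record(f, now):
    """The documented record 10.8.1 expects: control, start, duration, cause."""
    start = f.last_good.isoformat() if f.last_good else "unknown"
    mins = int(f.duration(now).total_seconds() // 60)
    return (f"{f.control}: last good {start}, detected {f.detected_at.isoformat()}, "
            f"down {mins} min, cause: {f.cause}")


# Constructed sample: one morning of heartbeats on an assumed date.
HEARTBEATS = """\
2018-01-15T08:00:00 firewall ok
2018-01-15T08:00:00 antivirus ok
2018-01-15T08:00:00 audit_logging ok
2018-01-15T08:00:00 file_integrity ok
2018-01-15T08:05:00 firewall ok
2018-01-15T08:10:00 firewall ok
2018-01-15T08:14:00 firewall ok
2018-01-15T08:30:00 antivirus fail signature update failed: disk full
2018-01-15T08:50:00 audit_logging ok
"""
NOW = datetime(2018, 1, 15, 9, 0, 0)


def run_example():
    return detect_failures(parse_heartbeats(HEARTBEATS.splitlines()), NOW)


if __name__ == "__main__":
    for failure in run_example():
        print(incident_record(failure, NOW))
```

On the sample data the monitor reports two failures: the antivirus agent, which said so itself (and whose outage is counted from its last good heartbeat at 08:00, not from the 08:30 error), and the firewall, which reported nothing at all but has been silent for 46 minutes against a 5-minute limit. Audit logging and file-integrity monitoring are inside their limits and are not reported.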
Requirement 11.3.4.1—are you regularly testing that your network segmentation actually holds?
The new requirement, 11.3.4.1, applies to service providers that use network segmentation to keep systems out of PCI scope: you must penetration test the segmentation controls at least every six months and after any change to them, to confirm that the out-of-scope networks really cannot reach the cardholder data environment. Penetration testing is a way for security experts to evaluate how easily cybercriminals could breach your network and reach your protected data (in this case, cardholder data). Think of a penetration test as a demonstration of how robust your security measures actually are.
Security experts will try to break through your firewall, phish employees for passwords, and reach the areas of your network that hold sensitive information (information that is worth big bucks on the Dark Web!) to see how vulnerable your business is to an attack. For a segmentation test specifically, the tester starts from an out-of-scope network and tries to reach the cardholder data environment; any path that works is a finding. PCI requires that vulnerabilities exposed by the test be remediated and the test repeated to verify the fix.
Because the interval is six months from the February 1st effective date, your first segmentation test under the new requirement is due by August 1, 2018, and you should be able to show your assessor your two most recent six-month tests, along with evidence that any findings were fixed and retested.
Requirement 12.4.1—are you maintaining your PCI DSS compliance?
Requirement 12.4.1 holds you accountable for maintaining PCI DSS compliance. To make sure that you have an appropriate PCI DSS compliance program in place, this new regulation will hold you accountable for actually complying to the regulations.
What does an appropriate compliance program look like?
Your PCI DSS compliance program needs a written charter, a named owner with overall accountability for maintaining compliance, and a clear assignment of which role in your organization carries each security responsibility.
Note: if you have reliable outsourced IT Support, your IT Support team will likely be named responsible for many of your compliance tasks, although you may still have someone on staff holding that team accountable (the person responsible for bridging your relationship with IT Support and your organization).
Security responsibilities outlined in your program should be communicated to your entire executive management team (a specific requirement of the new regulation).
Requirement 12.11—are your staff familiar with PCI DSS standards?
As part of the new Requirement 12.11, you are expected to review and confirm that all personnel are following PCI DSS security policies and procedures.
To make sure that your security policies and processes are taken seriously throughout your organization, PCI DSS requires confirmation from all personnel that everyone is abiding by your standard security procedures.
In fact, you will be required to review, at least quarterly, that the day-to-day security work is actually happening: daily log reviews, firewall rule-set reviews, application of configuration standards to new systems, responses to security alerts, and change management procedures, to show an ongoing effort to secure cardholder data.
Requirement 12.11.1—have you documented your quarterly review process?
As part of Requirement 12.11.1, PCI DSS requires you to document your quarterly review process: record the results of each review, have them reviewed and signed off by the person who owns your PCI DSS compliance program, and archive the records in case you are audited.
Are you prepared for February 1st 2018?
There are a lot of changes popping up, and many of them require tedious tracking and documentation. Is your business prepared for these changes? Do you even know which ones you will have to focus on? Will you meet the February 1st deadline?
Contact Us TODAY for a free network security assessment to understand where to prepare for your PCI compliance changes.
Every security pro should know this number: 20 minutes.
On average it takes 24 hours to break into a heavy duty modern safe. But it only takes 20 minutes to break into an unpatched computer connected to the internet.
That’s not very long at all. You might not even be able to brew a good pot of coffee under 20 minutes. Its less time than your average lunch break. Truth be told, 20 minutes is all it might take for someone to break into your network if you aren’t careful!
An unprotected PC running a legacy (i.e. outdated) operating system (maybe you still have computers running Windows XP?) or unpatched, out-of-date software is a red flag to hackers scanning the web for vulnerable systems.
First off, an unprotected machine with common vulnerabilities doesn’t take long to identify as a hacker scans for low-hanging fruit online… And once a good target is found, breaking in gets even easier, because the exploits for unpatched software are already written. In total, the time it usually takes to find and infect an unprotected network is under 3 days.
And what’s more worrisome about neglecting your IT Security?
The statistics I’m reporting are a year old. Experts expect the time to infection for unpatched, unprotected or legacy machines to keep shrinking. In fact, the average time between a patch being released and attackers exploiting the hole it closes has dropped dramatically, roughly threefold, over the past 5 years.
Why are criminals getting better at hacking into computers?
Hackers are sharing their information on the Dark Web. Plain and simple, more hackers are collaborating, communicating and selling their code to exploit specific vulnerabilities (many of which take advantage of unpatched machines that are missing recent Microsoft security patches).
And most users aren’t visiting only trusted websites. As your coffee brews in the morning, maybe you check the headlines on your favorite news site, maybe you look at social media, maybe you’re tempted to click a few links from your Facebook feed, and maybe one of them lands on a compromised website (recent studies show that nearly 13% of websites are compromised!).
Normal day to day activity. Even stopping into a coffee shop to work for an hour between meetings—may lead to an infected computer if you’re not careful and don’t have appropriate security updates applied.
And all it takes is 20 minutes (or less) to get infected.
We’ve been talking about unprotected computers that are getting targeted for network breaches. But we haven’t even mentioned the many other ways hackers are getting onto your network to ransom or exploit your sensitive data. Here are some of the cybersecurity cautions for 2018:
Uptick in ransomware—because many businesses fail to have adequate backups of their networks, when infected by ransom malware, many are forced to shell out big bucks to pay off ransoms. At one point, hackers were asking for small amounts of bitcoin, but as bitcoin values have surged, so have the ransom demands! If you’re not careful backing up your machines, you may be rolling the dice paying a ransom and hoping you’ll be able to restore your files.
Phishing their way in—even though phishing scams have become more common in the past few years, users are generally none the wiser. Scammers have developed more elaborate and more credible stories to get unsuspecting users to click links or open attached files, all leading to network infections that may fester for weeks or months (while collecting and transmitting sensitive data in the process). Without security focused IT Support teams communicating risks and new tactics to your users, how can you expect them to do the right thing and avoid being scammed?
Improper disposal of old machines—many IT Support teams fail to erase sensitive data from computers when they are decommissioned. Maybe they toss them out or rely on a recycling service to dispose of them. The problem is that many criminals are on the lookout for old machines in the hope of finding sensitive data. If your IT Support team isn’t vigilantly erasing information from old computers before they are discarded, it is very likely that someone is accessing sensitive information you were (and still are) responsible for protecting! Deleting files or formatting the drive does not erase the data; wipe the whole disk, physically destroy the drive, or, simplest of all, run full-disk encryption from day one so that a decommissioned drive without its key holds nothing useful.
Distributed Denial of Service Attacks—security experts expect distributed denial of service attacks (DDoS attacks, in industry terms) to increase. A DDoS attack floods a machine or network resource with traffic from many sources so that legitimate users can’t reach it, temporarily or indefinitely. Think of a crowd packed into your doorway so that customers can’t get in. DDoS attacks also tend to surface weaknesses in your network (services that fall over, devices that can be knocked offline), and experts expect them to be turned against more kinds of devices (desktops, laptops, phones and tablets), giving criminals easier access to lucrative sensitive data.
Okay, you’re concerned about your IT Security. What are some next steps?
Make sure your machines are well-patched—as I mentioned above, unpatched machines are easy to exploit. Making sure your network is regularly patched is critically important to shoring up vulnerabilities.
Update your operating system—if you are still running legacy operating systems or software on your network, they are easy targets. If you must keep a legacy system for some reason, take it off the internet and isolate it on its own network segment.
Use a smart firewall—the basic port-filtering firewalls of a decade ago see very little of what modern attacks do. Consider upgrading to a modern firewall with intrusion prevention and application-level inspection, which can flag suspicious traffic leaving your network as well as entering it.
Use updated anti-virus—antivirus only catches what its engine and signatures know about, and its updates fail quietly (expired licenses, blocked update servers, full disks). If your antivirus hasn’t updated in weeks, you’re likely not detecting the malware currently creating havoc; check update status as part of your monitoring rather than assuming it.
Regularly monitor your computers—even with prevention and detection, if your IT Support is not routinely monitoring your network for suspicious activity or testing that patches and updates were successful, you are likely still vulnerable to hacks. Good IT Support monitor for suspicious activity and investigate to make sure your network is safe.
Regularly back up your data—most businesses I’ve assessed fail to have regular backups. That means that if they were hacked, or even lost power, they could lose hundreds of hours’ worth of work. Routine backups let you recover from a ransom attack with far less pain, provided you keep at least one copy offline or otherwise unreachable from the network (so the ransomware can’t encrypt it too) and you test restores; an untested backup is not a backup.
Consider a second opinion from a 3rd party security expert—many of the remediation steps needed to secure your network take time, and it is often hard for someone not fluent in IT Security to know with confidence that the network is adequately protecting the business’ data. Many businesses opt for a 3rd party security assessment to make sure that all of their ducks are in a row.
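The first two of those next steps (patching and retiring legacy systems, or at least taking them off the internet) are the ones an attacker’s scanner checks for, so they are worth checking for yourself. The script below is an added example, not something from the original post: it runs a constructed asset inventory through the three questions that matter most, is the operating system still supported, how old is the last security patch, and is the machine reachable from the internet, and ranks the hosts worst first. The inventory, the assessment date and the 30-day patch policy are assumptions; the three end-of-support dates are Microsoft’s published ones.

```python
"""Flag the hosts an internet scanner would find first: unsupported operating
systems, stale security patching, and legacy systems still reachable from
the internet. Added example; the inventory and the patch-age policy are
assumptions (the end-of-support dates are Microsoft's published ones)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Vendor end-of-support dates; None means still supported on the assessment date.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": None,
    "Windows Server 2016": None,
}
MAX_PATCH_AGE = timedelta(days=30)  # assumed policy: security patches within a month


@dataclass
class Host:
    name: str
    os: str
    last_security_patch: date
    internet_exposed: bool


def assess(host, today):
    """Return (severity 0..3, reasons). 3 means unpatched or legacy AND
    reachable from the internet, the combination the '20 minutes' figure is about."""
    reasons = []
    eos = END_OF_SUPPORT.get(host.os)
    unsupported = eos is not None and eos <= today
    if unsupported:
        reasons.append(f"{host.os} unsupported since {eos.isoformat()}")
    elif host.os not in END_OF_SUPPORT:
        reasons.append(f"{host.os}: support status unknown, verify with vendor")
    age = today - host.last_security_patch
    if age > MAX_PATCH_AGE:
        reasons.append(f"last security patch {age.days} days ago")
    if not reasons:
        return 0, reasons
    severity = 2 if (unsupported or age > 3 * MAX_PATCH_AGE) else 1
    if host.internet_exposed:
        severity = 3
        reasons.append("reachable from the internet: patch it, or take it offline, first")
    return severity, reasons


def triage(hosts, today):
    """Hosts ordered worst first, each with its severity and reasons."""
    rows = [(h.name, *assess(h, today)) for h in hosts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed inventory for an assumed assessment date of 15 January 2018.
TODAY = date(2018, 1, 15)
INVENTORY = [
    Host("FILESRV01", "Windows Server 2003", date(2015, 7, 10), True),
    Host("RECEPTION-PC", "Windows XP", date(2014, 3, 1), False),
    Host("ACCT-WS07", "Windows 10", date(2017, 11, 20), False),
    Host("WEB01", "Windows Server 2016", date(2018, 1, 10), True),
]


def run_example():
    return triage(INVENTORY, TODAY)


if __name__ == "__main__":
    for name, severity, reasons in run_example():
        print(f"[{severity}] {name}: {'; '.join(reasons) or 'ok'}")
```

On the sample inventory the internet-facing Server 2003 file server comes out on top (unsupported for years and exposed), the reception PC on XP is next even though nobody outside can reach it directly, the Windows 10 workstation is merely 56 days behind on patches, and the current, recently patched web server is clean. The point of the ordering is the same one the post makes: exposure plus a known weakness is what gets a machine broken into in minutes, so that pairing goes first regardless of how easy the other fixes are.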
Are you concerned about the security of your business in 2018? Not sure what to do next? Contact us today for some free advice.
As we’re rounding into 2018, one of the scariest facts is that 83% of businesses are unprepared for cyberattacks (and even worse: 90% of those business never recover from the attack!).
Today I want to review 5 of the big eye opening problems with business cybersecurity and how simple persistent changes to how your IT Support runs can keep you safe long term.
Keeping an “every company is hacked” mentality helps your IT Support team focus on the fact that cyberattacks are serious and that they need to not only protect your infrastructure, but inform users on best practices to avoid getting tied up in phishing schemes and opening doors to hackers.
Often times, hackers get in because a critical software patch was overlooked or was misapplied. Your IT Support needs to look around and find easy to fix weaknesses first. If they’re thinking about cyberattacks being real and likely affecting your business, they should be on the lookout and plug up any vulnerabilities that might make your business more vulnerable to attack.
After spending tens of thousands to even millions of dollars, even large companies may overlook what are the most successful ways that cybercriminals breach business networks.
While low-hanging fruit like unpatched computers and networks is one of the fastest ways hackers penetrate a network, there really is no single way in. Just as often as an attacker scans a network and gets in through a gaping hole like an unpatched system, the foot in the door is an unsuspecting user. Your IT Support team should recognize that attacks aren’t coming from just one place and aren’t targeting just one thing. If their approach to protection is checking a security box after running a virus scan or applying a security patch, they aren’t doing their due diligence.
Let’s say your IT Support scanned your network and found 20 different potential threats on it. On average, only a couple of these threats could be handled at a time, resulting in a need to understand how to identify and prioritize the most likely threats first.
IT Support should understand how to fix the critical security issues that are causing most damage on your network environment today, followed by the most likely culprits to cause the most damage in the future.
Suppose you had two vulnerabilities on your network:
The first was an unpatched piece of software that monitored your office supplies (which was not associated with any sensitive data). This unpatched software was quite easy for anyone with a computer and a bit of coding to get into.
The second was a more challenging hack into your accounting server. Only experienced hackers with some specific knowledge could get into information containing credit card numbers, social security numbers and client data. This hack was much less likely to occur, but if it did, could result in much greater consequences (severe data breach that might get broadcast on the news, result in multiple lawsuits and the possibility of ruining your business).
Which of these fixes should your IT Support prioritize?
Some of your team might say, go for the easy one first. The most vulnerable system should be fixed before any other. But in fixing your office supply software, you’re risking real harm to your business in the event some crafty hacker were to break into your accounting server!
IT Support should understand not only what vulnerabilities are, but also know where risks lie. If there are high risk vulnerabilities present on your network, these should be addressed first (if you’re unsure whether you have high risk vulnerabilities, consider a 3rd party security assessment).
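The two-vulnerability comparison above, and the prioritization procedure from the 2018 planning post earlier on this page (define each concern, identify what it affects, estimate the fix, rate its complexity, remove redundant items, then rank), come down to one rule: rank by risk, not by how easy the fix is, and fold concerns that share a root cause into a single project. The following is an added example that implements that rule; it is not a tool from the original posts, and the 1-5 likelihood and impact scales, the Easy/Medium/Hard hour thresholds and the sample concerns (the office-supply app, the accounting server, and the two redundant password-policy projects from the earlier post) are assumptions chosen to illustrate it.

```python
"""Rank security concerns by risk rather than by how easy they are to fix,
and collapse concerns that share one root cause into a single project.
Added example, not the author's tool; the 1-5 scales, the Easy/Medium/Hard
thresholds and the sample concerns are assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Concern:
    name: str
    likelihood: int      # 1 = needs a skilled, targeted attacker .. 5 = scanners find it
    impact: int          # 1 = nuisance .. 5 = regulated data lost, business at risk
    effort_hours: float  # IT Support's estimate for the fix
    root_cause: str      # underlying weakness; concerns sharing it are one project
    covers: List[str] = field(default_factory=list)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def complexity(hours: float) -> str:
    """Easy/Medium/Hard label from estimated hours (thresholds assumed)."""
    if hours <= 4:
        return "Easy"
    if hours <= 24:
        return "Medium"
    return "Hard"


def merge_by_root_cause(concerns):
    """One project per root cause: the worst-case likelihood and impact of the
    group, the cheapest proposed fix that closes it, and the names it covers."""
    merged = {}
    for c in concerns:
        m = merged.get(c.root_cause)
        if m is None:
            merged[c.root_cause] = Concern(c.name, c.likelihood, c.impact,
                                           c.effort_hours, c.root_cause, [c.name])
        else:
            m.likelihood = max(m.likelihood, c.likelihood)
            m.impact = max(m.impact, c.impact)
            m.effort_hours = min(m.effort_hours, c.effort_hours)
            m.covers.append(c.name)
            m.name = f"{m.root_cause} (closes {len(m.covers)} concerns)"
    return list(merged.values())


def prioritise(concerns):
    """Highest risk first; among equal risk, the cheaper fix first."""
    return sorted(merge_by_root_cause(concerns),
                  key=lambda c: (-c.risk, c.effort_hours, c.name))


# Constructed sample list: the page's two vulnerabilities, its two redundant
# password-policy projects, and a phishing concern.
SAMPLE = [
    Concern("Unpatched office-supply ordering app", 5, 1, 2, "office-supply app patch level"),
    Concern("Accounting server flaw exposing card numbers and SSNs", 2, 5, 16,
            "accounting server patch level"),
    Concern("90-day password change policy", 3, 3, 3, "domain password policy"),
    Concern("Domain/server authentication project (enforces password expiry)", 3, 3, 12,
            "domain password policy"),
    Concern("Staff click links in phishing email", 4, 4, 8, "no user awareness training"),
]


def plan(concerns=SAMPLE):
    """(root_cause, risk, effort_hours, complexity) rows in priority order."""
    return [(c.root_cause, c.risk, c.effort_hours, complexity(c.effort_hours))
            for c in prioritise(concerns)]


if __name__ == "__main__":
    for row in plan():
        print(row)
```

Run on the sample, the plan puts user awareness training first (likely and damaging), the accounting server second even though it is the hardest fix and the least likely to be hit, the merged password project third with the cheaper of the two proposals as its estimate, and the trivially exploitable but harmless office-supply app last. Effort only breaks ties; it never promotes an easy fix over a risky one.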
In many recent data breaches, the attacker’s first foothold came through an end user. Once a threat is in front of an end user, there is very little a firewall can do to prevent a breach.
I am NOT saying that firewalls aren’t valuable—in fact, there are countless reasons your IT Support should be maintaining and supporting modern “smart” firewalls, but they also need to keep users aware of how to prevent security incidents by keeping them in the loop.
What your IT Support should be thinking is that nothing can protect your business with 100% certainty. With a multi-pronged approach, firewalls and antivirus on one side and users who understand and change their behavior on the other, your team can protect against cyberattacks far more effectively.
My last observation about cybersecurity is that while there is no one golden key to get into your network, there are two likely problems resulting in an attack on your network.
Patching—I’ve said this before, but I cannot overstate the importance of keeping machines patched. Missing patches are one of the easiest ways for criminals to get onto your network. Period.
In fact, an unpatched machine that is on the internet gets infected, on average, within 20 hours! Multiply that by the 10 machines on your network. How many infections might you have without being aware of them? Not all malware encrypts your data. Some lies dormant for weeks or years. Some simply records user keystrokes in an effort to steal even more data or money from your company. What if every keystroke from your accountant were recorded by a thief?
Think of how much sensitive information you may have lost simply by leaving your network unpatched!
Social Engineering—the ever-growing popularity of social networking has produced equally effective social engineering campaigns. Phishing by email, phone call, Facebook or other social media platforms all aim to trigger a behavior in your users, and criminals expect to snag at least a few percent of their targets.
If your users don’t recognize the latest schemes, they may hand over money or information (including sensitive data!) to the criminals behind them.
Answer this simple question: Is my business secure?
If you have any hesitation, consider a third party security assessment to prevent leaving your network open to more risk than you can handle!