<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Monthly Security Awareness &#8211; New England Safety Partners, LLC</title>
	<atom:link href="https://www.newenglandsp.com/category/cyber-security/monthly-security-awareness/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.newenglandsp.com</link>
	<description>New England Safety Partners, LLC</description>
	<lastBuildDate>Thu, 21 Apr 2016 13:11:26 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Ransomware</title>
		<link>https://www.newenglandsp.com/2016/04/ransomware/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=ransomware</link>
		
		<dc:creator><![CDATA[Ed Gardner]]></dc:creator>
		<pubDate>Thu, 21 Apr 2016 13:06:41 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Monthly Security Awareness]]></category>
		<guid isPermaLink="false">https://www.newenglandsp.com/?p=7831</guid>

					<description><![CDATA[Ransomware is a form of malware that criminals find a way to install on our systems. What &#8220;ransomware&#8221; does is encrypt the data on a hard drive and make it unavailable until you pay a fee (ransom). The ransom pays for the key to decrypt the data. Ransomware is like many other forms of malware and usually makes [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Ransomware is a form of malware that criminals find a way to install on our systems. What &#8220;ransomware&#8221; does is encrypt the data on a hard drive and make it unavailable until you pay a fee (ransom). The ransom pays for the key to decrypt the data.</p>
<p>Ransomware is like many other forms of malware and usually makes its way into our systems through downloaded files or through a vulnerability in the system or network. Ransom is most often requested by the cyber criminals in the form of <a href="https://en.wikipedia.org/wiki/Bitcoin" target="_blank">bitcoin</a>, a popular and mostly untraceable internet currency. A timeline is given (usually 4 days) to make a payment, and if the demands are not met in time the price increases.</p>
<p>Here are some ways to prevent Ransomware on your systems:</p>
<ul>
<li>Ransomware can be distributed in Microsoft Office documents. Do not enable macros for Microsoft Office Documents received from emails. Microsoft has just released a new tool in Office 2016 that can limit the functionality of macros by preventing you from enabling them on documents downloaded from the internet.</li>
<li>Alternatively, install the <a href="https://www.microsoft.com/en-us/download/details.aspx?id=4" target="_blank">Microsoft Office Viewers</a>; these applications do not support macros and will allow you to view the files without actually opening them.</li>
<li>Make sure you have anti-virus software in place and make sure that this software is always up to date. Home users can <a href="https://www.sophos.com/" target="_blank">download Sophos for free</a>.</li>
<li>Make sure to regularly apply security patches to all software/applications on your systems, including the operating system. MS Windows and Mac OSX both have an automatic update feature that can be enabled to force this to happen on a regular schedule.</li>
<li>Do not download documents from untrusted websites or from peer to peer applications. Stick with applications that have a good reputation and avoid downloading from 3rd parties.</li>
<li>Beware of <a href="https://en.wikipedia.org/wiki/Phishing" target="_blank">phishing</a> attacks. Always take caution when clicking links in email, and be sure to check the email address of the sender to make sure that the address is exactly what you expect it to be. Don&#8217;t open unsolicited attachments sent to you via email.</li>
<li>Make your best effort to keep your network secure by putting firewalls and intrusion detection systems in place. Close ports that are not necessary for systems to function.</li>
<li>Conduct recurring IT Security training for employees to reinforce these concepts.</li>
</ul>
<p>There are other things you and your company can do:</p>
<ul>
<li>Recurring backup of your data. Depending on how much you use your computer and its files, daily backups are typical in a business environment.</li>
<li>Constant network monitoring can be costly but it can mitigate these types of attacks by detecting and preventing them. Many enterprise systems are protected by firewalls and Intrusion Detection Systems that can detect and block the outgoing &#8220;phone home&#8221; that starts the ransomware encryption. Keeping an eye on these systems in real time can help detect and prevent an attack.</li>
<li>Show hidden file extensions on your local computer if they are masked by default. This technique can help reveal files that are not supposed to be on the system. Your IT Service Desk can help you if you don&#8217;t know how to do that. Make sure the file extension matches the file type (MS Word documents end in .doc or .docx, for instance).</li>
<li>Your IT department can turn off USB ports and removable storage. This eliminates the chance of someone loading the software onto your systems via an infected USB flash drive.</li>
</ul>
<p>Overall you should take the same preventative precautions as you would to prevent any other virus. When in doubt, ask your IT or Information Security department for advice.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Pitfalls in Access Control</title>
		<link>https://www.newenglandsp.com/2016/02/pitfalls-in-access-control/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=pitfalls-in-access-control</link>
		
		<dc:creator><![CDATA[Ed Gardner]]></dc:creator>
		<pubDate>Thu, 25 Feb 2016 13:51:58 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Monthly Security Awareness]]></category>
		<guid isPermaLink="false">https://www.newenglandsp.com/?p=7778</guid>

					<description><![CDATA[A primary goal of Access Control is to prevent loss, be it losses of confidentiality, information integrity or information availability.  It goes without saying that in order to protect your assets and information, you must explicitly control who and what has access.  (And sometimes when, where and how.)  Ideally, Access Control is well defined as [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>A primary goal of Access Control is to prevent loss, be it losses of confidentiality, information integrity or information availability.  It goes without saying that in order to protect your assets and information, you must explicitly control who and what has access.  (And sometimes when, where and how.)  Ideally, Access Control is well defined as part of a comprehensive Security Policy, one that is clearly understood by the personnel bound by it.</p>
<p>A few pitfalls in Access Control:</p>
<ul>
<li>Not adhering to a Least Privilege strategy &#8211; Simply put, personnel and workstations are granted the least privilege necessary to perform their responsibilities and no more.  A computer at a reception desk shouldn’t have access to critical organizational information.  The same is true for a vendor who may legitimately need access to some area of an organization’s resources.  Do not allow more access than is absolutely necessary.</li>
</ul>
<ul>
<li>Excessive Privileges or Creeping Privileges – This can happen when a manager moves from one role to another and, through oversight, retains access to assets of the initial role.  Another example is where personnel have risen in an organization over time.  As one gains increased privileges within the system, it may be awkward to remove access a person no longer needs to perform regular duties.  Standing policies and regular reviews of access are good ways to reduce these vulnerabilities.</li>
</ul>
<ul>
<li>Allowing personnel to access critical information in less secure environments or on less secure devices – An organization may allow a junior executive to retain access to systems and information while on vacation in a foreign country.  In all but the rarest circumstances, disabling such access reduces the risk of compromise.  Likewise, mobile devices, by definition, aren’t always protected by an organization’s firewall.  Train your personnel in what the organization requires, on site and off.</li>
</ul>
<ul>
<li>Single Factor Authentication – An Identity which attempts to access systems and information must be Authenticated.  Authentication may be as simple as providing the right password for the Identity.  This is sometimes referred to as “something you know.”  A more secure Authentication strategy is Multifactor Authentication.  This may include a small device you carry, also referred to as “something you have.”  Also, biometrics is a growing factor in Authentication, using unique aspects of an Identity, or “something you are.”  Multifactor Authentication provides more secure Access Control than a single factor alone.</li>
</ul>
<ul>
<li>Not ensuring that accounts, keys and devices assigned to personnel leaving the organization are suspended and collected before the person leaves the premises.  If the organization uses keyless entryways, change the codes at reasonable intervals and especially when someone leaves the organization.</li>
</ul>
<p>These are but a few examples of comprehensive Access Control.  NESP can help you with your policies, procedures and training.  If you have any questions about reducing your risk from improper access, give us a call or send us email today. We are here to help!</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Protecting Mobile Devices</title>
		<link>https://www.newenglandsp.com/2016/02/protecting-mobile-devices/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=protecting-mobile-devices</link>
		
		<dc:creator><![CDATA[Ed Gardner]]></dc:creator>
		<pubDate>Thu, 04 Feb 2016 15:18:44 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Monthly Security Awareness]]></category>
		<guid isPermaLink="false">https://www.newenglandsp.com/?p=7673</guid>

					<description><![CDATA[For this month's topic we will be discussing mobile security risks and preemptive measures to take in order to reduce the risks. Mobile devices are commonly used in remote locations (away from the office), which introduces many risks that need to be mitigated before sensitive/private data is stored or accessed. Mobile devices allow workers to [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>For this month's topic we will be discussing <strong>mobile security</strong> risks and preemptive measures to take in order to reduce the risks. Mobile devices are commonly used in remote locations (away from the office), which introduces many risks that need to be mitigated before sensitive/private data is stored or accessed.</p>
<p>Mobile devices allow workers to conveniently work in multiple locations, which increases efficiency.  Unfortunately this convenience comes with security risks.  Mobile devices can easily be lost or stolen or connected to an unsecured network, and users may be tempted to download insecure apps that might conceal &#8220;malware&#8221; that could be used to steal confidential data. Since security is minimal for mobile devices, a thief can retrieve sensitive data directly from the device, or use the laptop, phone, or tablet to access an organization&#8217;s computer network remotely.</p>
<p><strong><u>What to do?</u></strong></p>
<ul>
<li><strong><u>Centralized Device Management</u></strong>&#8211; Software technology that centralizes device management at the organization level to secure both agency-issued and personally owned devices. Centralized programs manage the configuration and security of mobile devices and provide secure access to an organization&#8217;s computer network. They are typically used to manage the mobile devices that many agencies issue to staff. Apple&#8217;s Find My iPhone helps with at least the device location and remote wipe.</li>
</ul>
<ul>
<li><strong><u>Information Security Awareness Training</u></strong>&#8211; Inform users that they can do harm to your network by visiting websites infected with malware, responding to phishing e-mails, storing their login information in an unsecured location, connecting to an unsecured location/device, or even giving out sensitive information over the phone when exposed to social engineering.</li>
</ul>
<ul>
<li><strong><u>Device Encryption and Passcodes</u></strong>&#8211; This is an easy fix to mitigate the risk of data breaches. Encryption is a reversible process which scrambles the data into cipher text (unreadable data). In order for the authorized person to access the device, the data can be reversed back to a readable format with the use of an authentication factor, i.e. a password, a token key (access card), fingerprint recognition, etc. Additionally, mobile devices should be protected with a passcode that follows your company&#8217;s <a href="https://www.newenglandsp.com/2016/01/protect-your-passwords/">password guidelines</a> and set to lock the user out if too many attempts are made. These things will make it much less likely that your mobile device will be abused by unauthorized use.</li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Protect your passwords!</title>
		<link>https://www.newenglandsp.com/2016/01/protect-your-passwords/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=protect-your-passwords</link>
		
		<dc:creator><![CDATA[Ed Gardner]]></dc:creator>
		<pubDate>Tue, 05 Jan 2016 18:19:26 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Monthly Security Awareness]]></category>
		<guid isPermaLink="false">https://www.newenglandsp.com/?p=7651</guid>

					<description><![CDATA[Happy New Year! This is the first in a series of monthly information security awareness posts to help our clients stay ahead of security problems by informing their employees of common security best practices, recent trends and threats, and advice of what to do if the bad guys get you! This month, Passwords. Nobody likes [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Happy New Year!</p>
<p>This is the first in a series of monthly information security awareness posts to help our clients stay ahead of security problems by informing their employees of common security best practices, recent trends and threats, and advice of what to do if the bad guys get you!</p>
<p>This month, <em><strong>Passwords.</strong></em></p>
<p>Nobody likes them, we have too many of them, and it&#8217;s the sort of thing that we get lazy about, which can leave both us as individuals, as well as the companies we work for, vulnerable to all sorts of bad things. Identity theft, data loss, financial loss, reputation loss: you name it, you can lose it with bad password habits.</p>
<p>What can we do?</p>
<p><strong>Strong Passwords and Passphrases</strong></p>
<p>It starts with strong passwords. Strong passwords are those that contain multiple types of characters: letters, numbers, and symbols. Different systems may restrict the use of special characters, and most (but not all) corporate logins will enforce these rules for you. Good passwords should be:</p>
<ul>
<li>8 or more characters in length</li>
<li>Contain an upper case letter (A-Z)</li>
<li>Contain a lower case letter (a-z)</li>
<li>Contain a number (0-9)</li>
<li>Contain a special character (~!@#$%^*&amp;;?.+_)</li>
<li>Different for each system you access</li>
</ul>
<p>Never use common things like your name, or your company name, and use different passwords for different functions, and avoid mixing your personal passwords with your work identities. If you lose one password, you only have to worry about one system.</p>
<p>That&#8217;s going to be a lot of passwords, so you may want to ask your IT department to install a&#8230;</p>
<p><strong>Password Management Software Package</strong></p>
<p>To manage all these, we recommend you use a password manager such as <a href="http://keepass.info/" target="_blank">KeePass</a>; it&#8217;s free, and a decent way to keep track of all the things I just told you you needed. Of course, make sure you protect it with a strong passphrase, constructed according to the above guidelines!</p>
<p>There are lots of packages that do this; your IT department may suggest a different one. They store your passwords safely, and give you the ability to recall them and automatically paste them into web sessions. They usually can generate secure passwords for you, which takes the guesswork out of good construction.</p>
<p><strong>Keep it secret! Change them regularly!</strong></p>
<p>Finally, don&#8217;t give your passwords to <strong>ANYONE</strong>! There are very few (some may argue zero) circumstances where someone other than you needs your password. If someone claims they need it, ask why, and when in doubt, escalate to a manager, IT, or your local Information Security office. Don&#8217;t rely on the &#8220;Save Password&#8221; feature in your browsers. Don&#8217;t put it in an email. Don&#8217;t give it out on the phone.</p>
<p>Good password hygiene suggests you change your password at least every <strong>60 &#8211; 90 days</strong>, and your IT department may force that change. If it doesn&#8217;t, change them every now and then. Don&#8217;t use a password that&#8217;s been around for more than a year. If you lose control of any of your passwords, change it <strong>immediately</strong>, and inform your IT department.</p>
<p>Keep it secret, keep it safe.</p>
<p>If you have any questions, ask your local IT resource, or email us. We are here to help!</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
