Keeping Your WiFi Secure #CyberAware


This theme is very timely, as news broke this week of a vulnerability in WPA2 wireless encryption called KRACK (Key Reinstallation Attack).  It sounds bad, and it is: an attacker within radio range of your device can trick it into reinstalling an encryption key it is already using, which lets the attacker decrypt, and in some cases inject, traffic on a network that is supposed to be secure.  Two caveats keep it in perspective.  The attacker has to be physically close enough to your wireless device to impersonate the access point, so this is not something that can be done from across the Internet.  And the flaw is in the handshake, not in your password, so it does not reveal your WiFi passphrase and changing the passphrase does not fix it; only updates to the affected devices (mostly clients, plus some access points) do.

Most vendors have already released patches for KRACK, so the question becomes: have you installed them?  Remember that the devices most in need of patching are the clients (laptops, phones, tablets and WiFi-connected gadgets), not just the access point.  Hopefully you subscribe to a proactive Managed Services program like the one the company I work for, Onepath, delivers to our clients.  We proactively notified our clients of this vulnerability and fast-tracked the testing and deployment of the updates that fix it.

Beyond patching, the most important thing you can do to protect your wireless network is to choose a strong wireless password, or better yet, a passphrase.  Anyone within range can capture the handshake when a device joins your network and then try guesses against it offline, as fast as their hardware allows, without ever touching your router again.  Secure your network with a phrase like “We want to do everything possible to secure this network.”  A passphrase like that is hard to crack because every additional character multiplies the number of guesses an attacker has to try.  Use WPA2 with AES (not WEP or the older TKIP mode) and turn off WPS, which exposes a much smaller PIN to guess.  Most hackers are criminals of opportunity.  If your network is easy to break, they will come at you; if it looks difficult, most will move on and look for an easier target.
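As an added example, not part of the original post: the offline guessing attack described above, in Python.  WPA2-PSK derives its Pairwise Master Key (PMK) from the passphrase and the SSID with PBKDF2-HMAC-SHA1 over 4096 rounds, and that derivation is what an attacker with a captured handshake recomputes for every guess.  The wordlist, the target network and the one-million-guesses-per-second rate are assumptions chosen for illustration; the "password"/"IEEE" pair is the published test vector from the 802.11i standard.

```python
import hashlib

# Added example (not from the original post): why offline guessing against a
# WPA2-PSK network is cheap per guess and why passphrase length defeats it.
#
# 802.11i derives the 256-bit Pairwise Master Key (PMK) from the passphrase
# and SSID with PBKDF2-HMAC-SHA1, 4096 iterations.  An attacker who captured
# one 4-way handshake recomputes exactly this for every candidate passphrase,
# offline, and never has to talk to the access point again.


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as the standard specifies."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA2 passphrases are 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def offline_guess(target_pmk: bytes, ssid: str, wordlist):
    """Simulated cracking run: derive a PMK for each candidate until one matches.

    Returns (passphrase, derivations), or (None, derivations) if the list is
    exhausted.  A real tool confirms each guess against the handshake MIC
    rather than a known PMK, but the per-guess cost is the same derivation.
    """
    derivations = 0
    for candidate in wordlist:
        if not (8 <= len(candidate) <= 63):
            continue  # cannot be a WPA2 passphrase, so no need to derive
        derivations += 1
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate, derivations
    return None, derivations


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of `length` symbols from `alphabet_size`."""
    return alphabet_size ** length


def years_to_exhaust(search_space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return search_space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed scenario: the attacker captured a handshake for SSID "IEEE".
    # ASSUMED guess rate of 1e6/s, roughly what one modern GPU manages for WPA2.
    target = wpa2_pmk("password", "IEEE")  # what the victim's network actually uses
    found, n = offline_guess(target, "IEEE", ["letmein", "123456", "qwertyuiop", "password"])
    print(f"cracked: {found!r} after {n} derivations")
    rate = 1e6
    print(f"8 lowercase letters: {years_to_exhaust(keyspace(26, 8), rate):.4f} years")
    print(f"6 words from a 7776-word list: {years_to_exhaust(keyspace(7776, 6), rate):.2e} years")
```

The numbers are the whole argument: eight lowercase letters fall in a couple of days at the assumed rate, while six random words from a 7776-word list would take on the order of ten billion years, which is why a long passphrase is the one setting on your router that actually raises the attacker's cost.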

Another consideration is understanding the risks of public WiFi.  You should never do anything sensitive on a public WiFi hotspot.  On an open hotspot your traffic crosses the air unencrypted, anyone on the same network can see it, and it is easy for an attacker to set up a hotspot with the same name as the real one and sit in the middle between your device and the Internet, snooping on your activity or capturing usernames, passwords and account numbers.  Sites that use HTTPS encrypt your session even on an open network, so pay attention to browser certificate warnings; a warning on a public hotspot is a sign that someone may be in the middle.

One way to protect yourself is to use a VPN, either provided by your company or one you subscribe to.  A VPN encrypts all traffic between your device and the VPN server, so nobody on the hotspot, including its operator, can read or alter it.  Beyond the VPN server your traffic is only as protected as the sites you visit, so a VPN complements HTTPS rather than replacing it, and you are trusting the VPN provider with everything you send.  Another option is to use the personal hotspot feature on your smartphone.  Cellular data is encrypted over the air and you are not sharing a local network with strangers, which makes it a safer choice than public WiFi.

Check out this tip sheet for more suggestions to keep you safe on wireless networks and more.

#CyberAware


Delete When Done #CyberAware


A key message for this week of National Cyber Security Awareness Month is “Delete When Done.”  What does this mean?

It means clear out your digital clutter and remove unused software.  Nearly every software application you have installed on your computer gets an update from time to time.  If you leave unused software on your computer, you leave yourself exposed to vulnerabilities in these programs, especially if you are not keeping them up to date.

Many applications run in the background without you knowing it, so even if you are not actively using the software, a component of it may still be running on your PC.  This can expose you to vulnerabilities that a hacker could exploit without your knowledge because the software may not be updated to protect against a known issue.

The problem is compounded on our mobile devices.  The ease of installing apps has led to mobile devices with far more apps installed than are actually used.  These apps could leave your device exposed as vulnerabilities are discovered, and an app you have forgotten about may still hold permissions (location, contacts, microphone) and account logins that you would not grant today.

This is where “Delete When Done” comes from.  If you are no longer using an installed software application or mobile app, remove it.  If you need it in the future, you can always reinstall it.  Keeping your computers and mobile devices as clean as you can is a simple step that shrinks the attack surface a hacker has to work with.

Here is a link to a good tip sheet you may use and share with colleagues on this topic.

#CyberAware

Today’s Predictions for Tomorrow’s Internet – Week 3 #CyberAware


This is Week 3 of National Cyber Security Awareness Month and the key messages this week are all about owning your online identity and being aware of various types of risks.

Here are some of the themes for Week 3:

  • Safeguarding your devices.  Before you purchase new devices, research how secure they are and what will be required to keep them secure moving forward.
  • Keep your WiFi secure.  This is especially timely, as there are several news reports circulating yesterday and today about a wireless vulnerability called KRACK.  In short, you need to keep your wireless devices and access points updated to protect against new threats as they are discovered.
  • Own your online presence.  Have you noticed that you will often see online ads about things you have recently talked about or researched online?  Do you understand how that happens?  You want to.
  • Delete when done.  Don’t keep unused software or apps on your devices.  If you don’t use it, get rid of it.  If you don’t keep it up to date, you could be vulnerable.
  • Usernames and passwords are not enough.  Understand the ways you can secure your login beyond a simple username and password.  This is critical to do.
  • Beware of public WiFi networks.  They are everywhere and they are easy to connect to, but are they safe?  Not necessarily.  Do you know what you can do to improve your safety when using a public WiFi network?  You should.
  • Devices are smart, so you need to be smart as well.  Smart devices bring a wealth of capability, and it’s important to take smart, practical steps to keep yourself secure when using them.
  • Do you have the Internet of Things (IoT) in your home or workplace?  Is it secure?  If you have a WiFi connected anything, camera, thermostat, security system, these are all IoT devices and need to be kept up to date and secured from vulnerabilities.  You can’t just install them and forget about them.  You need a strategy for keeping them safe as well.

I’ll explore these topics throughout the week, so come back each day to see what’s new.

Be Cyber-Aware and Help Protect Your Business


The following was published in the October 15, 2017 editions of Seacoast Online and Fosters.


The title of this column is the theme for this week during National Cyber Security Awareness Month. In my last column, I wrote about National Cyber Security Awareness Month and its importance.

Each week has a different theme and I’ve been blogging about it daily on my blog at www.mjshoer.com.

The fundamental premise of this theme is understanding the NIST Cybersecurity Framework. NIST is the National Institute of Standards and Technology. The Cybersecurity Framework is the closest we have to a national standard for cybersecurity. Its core is organized into five functions for managing risk: 1. Identify, 2. Protect, 3. Detect, 4. Respond and 5. Recover.

Identify focuses on assessing the cybersecurity risks to your business. Key to this is identifying the “crown jewels” of your business: the data associated with your employees and customers, and your other intellectual property. Identifying and documenting this data is one step. Another is to know where this data is stored and who has access to it. It’s important to apply the principle of least privilege, providing access to this data only to those employees who require it to do their jobs, and to review that access periodically, since people change roles and rarely give up access on their own.

Protect is about safeguarding the digital assets you identified in the first step, Identify. Protection involves securing the network from both external and internal threats. In addition to hardware and software security solutions and services, proper protection also involves training. It’s imperative to make sure your staff is educated about the cyber risk your business faces every day. Another key concept of protection is cyber hygiene. This encompasses using strong passwords, not reusing passwords, using multifactor authentication and more.

Detect is about knowing that you have a problem as quickly as possible. If you have been reading about many of the recent high profile data breaches, you know that in many of them the attackers were inside the network for months before the company became aware. To detect intrusions promptly you need to understand the threats that apply to your business, collect and retain the right logs, have tools and services that raise an alert on suspicious activity, and have appropriately skilled personnel who can interpret the warning signs.
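As an added example, not from the original column: a small detector in Python that runs over authentication log lines and raises the two alerts a responder would want to see first, a burst of failed logins from one source, and a successful login from a source that was just failing repeatedly. The log lines, the hostnames, the addresses and the thresholds are constructed for illustration, in a syslog-like format modeled on OpenSSH's messages; a real deployment would read from a log pipeline rather than an embedded string.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example (not from the original column): a minimal detector for two
# patterns in authentication logs that should trigger a response, a burst of
# failed logins from one source, and a successful login from a source that
# was just failing repeatedly.  Log format, hosts, addresses and thresholds
# are constructed for illustration, modeled on OpenSSH's syslog messages.

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: 203.0.113.7 fails six times in twelve seconds and then
# gets in as 'admin'; 198.51.100.2 is a user who mistyped once.
SAMPLE_LOG = """\
2017-10-15T08:00:01 web1 sshd[1200]: Failed password for invalid user root from 203.0.113.7 port 50122 ssh2
2017-10-15T08:00:03 web1 sshd[1201]: Failed password for admin from 203.0.113.7 port 50123 ssh2
2017-10-15T08:00:05 web1 sshd[1202]: Failed password for admin from 203.0.113.7 port 50124 ssh2
2017-10-15T08:00:07 web1 sshd[1203]: Failed password for admin from 203.0.113.7 port 50125 ssh2
2017-10-15T08:00:09 web1 sshd[1204]: Failed password for admin from 203.0.113.7 port 50126 ssh2
2017-10-15T08:00:11 web1 sshd[1205]: Failed password for admin from 203.0.113.7 port 50127 ssh2
2017-10-15T08:00:13 web1 sshd[1206]: Accepted password for admin from 203.0.113.7 port 50128 ssh2
2017-10-15T08:00:20 web1 sshd[1207]: Failed password for bob from 198.51.100.2 port 41000 ssh2
2017-10-15T08:00:30 web1 sshd[1208]: Accepted password for bob from 198.51.100.2 port 41001 ssh2
2017-10-15T08:00:31 web1 sshd[1208]: Connection closed by 198.51.100.2 port 41001
"""


def parse_event(line):
    """Return (timestamp, result, user, ip) for a login-outcome line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("result"),
            m.group("user"), m.group("ip"))


def detect(lines, fail_threshold=5, window_seconds=60, suspicious_failures=3):
    """Stream log lines once and return the alerts in the order they fire.

    Alert tuples:
      ("brute_force", ip, failures_in_window)  once per source while it keeps failing
      ("success_after_failures", ip, user)     a success while failures are still fresh
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps inside the window
    already_flagged = set()
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # not a login outcome; ignore
        ts, result, user, ip = event
        window = recent_failures[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # expire failures older than the window
        if result == "Failed":
            window.append(ts)
            if len(window) >= fail_threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("brute_force", ip, len(window)))
        elif len(window) >= suspicious_failures:
            # A success right after a run of failures is the line a responder
            # needs to see: either the guessing worked or the password is weak.
            alerts.append(("success_after_failures", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running it over the sample raises a brute-force alert on the fifth failure from 203.0.113.7 and a second alert when that same address then logs in as admin, while bob's single typo produces nothing. The window and thresholds are the tuning knobs: too tight and a slow, patient attacker never trips it, too loose and every typo pages someone.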

Respond is all about how you address a threat when you detect it. In today’s world, even with appropriate controls in place, incidents still happen. When they do, you need a well thought out plan to respond to it. This includes resolving the incident as quickly as possible, identifying what data has been impacted and keeping the business functional throughout the incident. Having a well thought out communication plan is critical. It should include notifications to employees, customers and the public, including who is authorized to communicate with these audiences. Finally, you need to know if you are covered by any laws and reporting requirements related to this type of incident.

Recover is the last function in the Framework. Recovery follows the incident response and also requires a well thought out plan. Recovery is about restoring normal operations, understanding what led to the incident and preventing a recurrence. However, recovery goes well beyond these obvious steps. It involves making sure you have the right cyber education plan for your employees and implementing the right monitoring and metrics to measure your cybersecurity posture, so that your business maintains a cyber-aware culture and keeps your digital “crown jewels” safe.

There are excellent resources available online to help you protect your business. Visit www.staysafeonline.org and www.stopthinkconnect.org and take advantage of the wealth of free resources available to help you get started. Be cyber-aware and help protect your business.

Cybersecure Your Business Wrap-up #CyberAware


This week has been all about “Cybersecurity in the Workplace Is Everyone’s Business.”

To wrap up the week, I want to talk about two things: Bring Your Own Device (BYOD), and small and mid-size business resources to help you develop, maintain and improve your cyber security posture.

BYOD is a rapidly growing reality in all businesses, large and small.  My company, Onepath, has a BYOD policy for mobile devices and in certain cases, laptop computers as well.  What is BYOD?  Essentially it means that employees bring their personally owned devices to use in the workplace.  This saves businesses considerable hardware expense and saves employees from having to carry multiple devices with them.

I’m sure you’ve seen more than a few people carrying multiple smartphones, to keep their personal and work smartphones with them.  That is just not necessary and the rise of BYOD validates this.

Key to an effective implementation of BYOD is establishing the policy that governs the use of personal devices in the workplace.  This includes establishing what apps and data may be used for work related activities, the ownership of data on the personal device, and what the company may do to that device: for example, requiring a passcode and encryption, or remotely wiping work data when the device is lost or the employee leaves, ideally through a mobile device management tool that can remove the work data without touching the personal data.

The second wrap-up item I want to address are the wealth of resources available to small and mid-size businesses to help with cyber security plans.

The Department of Homeland Security has an excellent set of resources available at this link.

On this page are links to a Small and Midsize Business Toolkit, the Small Biz Cyber Planner 2.0, and resources from the United States Computer Emergency Readiness Team (US-CERT), the Federal Trade Commission and the National Cyber Security Alliance.

Explore these resources as well as the additional resources linked below, to help you maintain an appropriate cyber security posture for your business.

  • Small Business Tip Card (PDF)
  • Small Business Presentation (PDF)
  • Small Business Presentation (PPT)
  • Entrepreneurs Tip Card (PDF)
  • FCC Cybersecurity Planning Guide (PDF)
  • FCC Small Business Tip Sheet (PDF)
  • DHS Cybersecurity Overview (PDF)
  • DHS Industry Resources (PDF)
  • Mobile Security Tip Card (PDF)
  • Mobile Security One Pager (PDF)
  • Social Media Guide (PDF)
  • Cybersecurity While Traveling Tip Card (PDF)
  • Internet of Things Tip Card (PDF)
  • Stop.Think.Connect. Campaign Backgrounder (PDF)
  • Protect Your Workplace Materials (package)
  • Stop.Think.Connect. Rollout Package (package)

Next week, we will explore the future of the Internet as part of this year’s National Cyber Security Awareness Month.  Until then, have a good weekend. #CyberAware


Respond and Recover, Steps 4 & 5 #CyberAware


Step 4 is Respond.

No matter how many defensive steps you take to protect your business, an incident may still happen.  Some would say it’s not a matter of if, but when.  Considering this point of view, when an incident happens are you prepared to properly respond?

There are several resources available at the link above to help you build your response plan.  Key elements are as follows:

  • Contain and resolve the incident as soon as possible.
  • Determine what data may have been accessed or lost and which individuals may have been impacted.
  • Keep the business functional while the incident is being addressed.
  • Activate a comprehensive communication plan internally & externally.
  • Determine if you need to comply with any laws related to the incident.
  • Report the incident in accordance with your internal plan and any regulatory requirements.


Step 5 is Recover.

Recovery kicks in after the initial response to a cyber incident.  It goes beyond the initial steps identified in Step 4, above.

Recovery includes the complete return to business as usual, including any technical restoration required.  What people often forget during the recovery phase is preventing a recurrence and ensuring that the company is better educated and positioned for the future.

Recovery includes zeroing in on the type of company culture you want to have with regard to cyber security.  How will you monitor the ongoing position of the business and evaluate the effectiveness of both technical defenses and user education efforts, to keep awareness of cyber threats foremost in every employee’s mind?

#CyberAware

iOS Password Risk


Reports are breaking today of a risk to iPhone and iPad users utilizing a very familiar prompt.

As the image shows, we are all used to seeing this prompt to log in to the iTunes Store.  The problem is that a mobile app developer has demonstrated that an app can draw an identical pop-up, purely to capture your Apple ID password.

A seemingly legitimate app could generate this pop-up, and App Store review would not necessarily catch it, because the app is only drawing an ordinary dialog.  One way to tell whether a prompt for your Apple ID password is legitimate is to press the home button.  If the prompt disappears, it was drawn by the app and could be an attempt to steal your password.  If the prompt remains on screen, it came from the system.  A better habit is to close the pop-up, go to the Settings app and to your Apple account, and enter your password there if prompted, so you never type it into a dialog whose origin you can’t verify.  Turning on two-factor authentication for your Apple ID also means that a stolen password alone is not enough to get into your account.

I’ll blog on this further if more details come to light.

Being National Cyber Security Awareness Month, I wanted to get this alert out right away.  #CyberAware