DHS Emergency Directive For DNS Management

Standard

DHS-CISAThe Department of Homeland Security has issued an emergency directive regarding the management of DNS files in response to what is believed to be aggressive hacking originating in Iran.

Malicious actors tracked to that country have been aggressively targeting DNS management sites, obtaining user credentials and then editing DNS records to point unsuspecting web site visitors to a malicious web site.  Here is what takes place:

  • Hackers gain access to the site that manages a company’s DNS records.  These are the records that translate IP addresses to more common text.  For example, www.company.com correlates to an IP address on the Internet where that web site lives.  The hackers repoint www to another IP address, where they are hosting a malicous site that looks like the original site.  This allows the hackers to steal your identity or other information, depending what details you enter in to that site.
  • Once the hackers have done their work, the revert the DNS record back to the original web site and move on.  It’s possible you may not even know this has taken place.

The DHS emergency directive recommends putting two factor authentication (2FA) in front of the account through which you manage your DNS records.  2FA requires an additional step, in addition to entering your username and password to login to the site.  Most will offer a few options, the most common being a text message with a one time code that you need to enter, or the use of an authenticator app like Google Authenticator or Microsoft Authenticator, which generate random codes you have to enter to complete the login process.  Both of these are available in your app store.

As an example, GoDaddy is a very popular company that hosts DNS records for their customers.  GoDaddy allows 2FA to be enabled on your login that you use to manage DNS if you host it with them.  If you do, you should enable this immediately as it is the best defense against this threat.  Other popular organizations that host DNS are companies like Network Solutions, Rackspace, Web.com and more.  You should enable 2FA where ever your DNS is hosted and if the company you host with does not support 2FA, you should move your domain to company that does.

If you would like to read the emergency directive, click here for a PDF of the directive or click here for the online directive.

The Clock Starts Ticking Today

Standard

As I posted a few days ago, Windows 7/Server 2008 End of Support happens one year from today on January 14, 2020.

2020EOLDon’t sit back and relax, thinking you’ve got a year.  You don’t.  If you are like many companies, you may still have a substantial number of computers running Windows 7 and some servers running Server 2008 and 2008R2.  It takes time to plan for widescale replacements like this and if you don’t start planning now, you will be in a pinch come this time next year, scrambling to get your replacements done.  Don’t be that company.

Start planning now and make a plan to methodically replace the necessary systems throughout 2019 so come this time next year, your users will be well settled in with the new operating systems.  Most importantly, you will be safe from the hackers who will be waiting at the gates to exploit any organization who has not completed these necessary upgrades.

What 2019 May Hold For Tech

Standard

The following was published in today’s Foster’s and Seacoast Sunday.

2019TechIn my last column, I wrote about how technology evolved and influenced our lives in 2018. Now that we are in the New Year, it’s time to look forward to what 2019 may have in store for us.

Cybersecurity will remain one of, if not the most active area of technology in 2019. Some are predicting a distinct increase in cyberattacks. There is no question cyberattacks are happening more frequently than ever and penetrating further than they ever have. The rise of state-sponsored attacks is alarming, as is the number of groups attributed to attacks being funded by governments.

As we move deeper in to 2019 and the 2020 election draws closer, concerns about cyberattacks on campaigns, voting and social media platforms are expected to reach unprecedented levels. The development and deployment of proactive defenses against these anticipated attacks will be closely watched to insure the integrity of this election cycle.

Come January 2020, both Windows 7 and Windows Server 2008 will be out of support, meaning they will no longer receive security updates and become vulnerable to hackers. Many businesses are still running both operating systems extensively and the time to plan for replacement is now. Before you know it, we will be deep into the New Year and there will not be sufficient time to plan for and implement necessary upgrades or replacements to be sure these are not in place at this time next year. Hackers will be ready to attack systems still in place. If you are not already planning to replace all systems running these versions, you are putting yourself at unnecessary risk.

Artificial intelligence, AI, will continue to evolve and become more ubiquitous this year. From monitoring financial networks to combating cyberthreats, AI will become an important aspect of how we leverage technology for good. As an example, most security operations centers, the mission control like centers that monitor massive amounts of security logs for threats, can’t function without AI. AI allows security analysts to sift through massive amounts of data to identity patters of activity that could represent a real-time risk to a network. Once identified, the risk can be clearly communicated to appropriate resources for response. AI represents perhaps the only way we can effectively develop cyberdefenses to keep ourselves safely connected.

Smarthome technology will become even more pervasive in 2019. Walk in to any electronics or home improvement store and you will see ever larger displays of smarthome technology. From video doorbells, to garage door control to temperature sensors, alarm systems, lighting control and more the connected home is here. As is voice control. Alexa is everywhere and Google and others are nipping at her heels. The ability to talk to your home and have it intelligently respond is here. There are a lot of privacy concerns around this technology, but the benefits have so far outweighed the risk.

Speaking of privacy, privacy will remain a hot topic due to the amount of personal and sensitive information that lives within our technical infrastructures. From legislation, to technical controls to auditing capabilities to monitor the flow of data in real time, concerns about privacy will remain front and center in 2019.

Personal health technology will also become more prevalent this year. As an example, the latest version of the Apple Watch allows you to take on demand ECG’s and detect heart anomalies. While this is innovative and potential transformation, it’s not without concern. Some medical professionals have expressed concern that people will place too much faith in personal health technology and put themselves at unnecessary risk. The concern is that someone may not seek out professional medical assistance and instead rely on technology to self-diagnose and treat.

Technology is a wonderful enabler of our human evolution. Like any significant progress throughout history, it’s not without risk and tradeoffs. Being in the business, I obviously favor the positive over the negative, but not without proper understanding and respect for the concerns. It’s up to all of us to use technology wisely and for good. Really not much different from any other aspects of our lives. Happy New Year.

Windows 7/Server 2008 End of Support

Standard

Are you still running Windows 7 or Windows Server 2008 in your business?  If so, are you aware that support is coming to an end is just 12 months?

End of Support

On January 14, 2020 Microsoft will stop supporting these desktop and server operating systems.  No further security updates will be released and any organizations still running these versions after this date are at serious risk.  You can be sure that hackers will have plenty of offensive weapons ready to exploit any computer running these Windows versions once security updates and support expire.  There are ample examples of this happening with prior versions, be it Windows XP or Windows Server 2003 to name just two.

Don’t wait and think that a year is plenty of time to plan.  The time will fly by faster than you realize.  How many times do you find yourself saying, how did we get to 2019 so quickly?  I can’t believe it’s already April?  It goes on and on.  Take action now!

Make a plan, set a budget and establish a timeline to be sure that come New Year’s 2020, you no longer have any computers running Windows 7 or servers running Windows Server 2008 or 2008R2.  Be sure you are on current operating systems like Windows 10 and Windows Server 2019.

Talk with your internal IT or outsourced IT partner and start working on your plan now.  Have things in place by the end of the first quarter, to ensure that by the end of 2019, you are all set and running on the most stable and secure platforms available.  You’ll be glad you did!

What is HCM Technology?

Standard

Simply put, it’s Human Capital Management Technology.  This is the technology used by employers to plan their workforce strategy, including attracting, hiring and managing the best talent possible.

Progressive and innovative companies leverage HCM Technology to give them a competitive advantage in a tight labor market.  It allows HR professionals and the executive teams that work with them to craft effective business and personnel strategy to reach their corporate goals.

HCM Technology is a hot and rapidly evolving field.  The technology itself continues to mature as do the product offerings available to organizations of all sizes.

HCM-3If HCM Technology is an area of interest for you, I recommend subscribing to the HCM Technology Report.  The HCM Technology Report is rapidly becoming the defacto standard in the HR industry as a comprehensive resource hub to help you keep up with news, products, technology, white papers and more.  I hope you find this a valuable resource.  I do.

Ohio’s Data Protection Act Sets A Practical Standard

Standard

The question is, will other States and even the Federal government follow?  I hope so.

Ohio.png

The Ohio Data Protection Act, which became law in November of 2018, establishes a cybersecurity safe harbor for companies that adopt an applicable cybersecurity framework.

In simple terms, here is what this means.  If a business has shown good faith in putting appropriate cybersecurity defenses and protections in place, it may not be able to be held liable for any damages should they experience a data breach.  The Act does not create a standard that companies must comply with, rather it references several established cybersecurity frameworks that are compliant in the eyes of the law.  These frameworks are:

Further, this law allows business to determine which framework applies to them.  Companies are allowed to consider their size, type of information that needs to be protected and other factors in making this determination.

For small business, this is good news as this may represent the first cybersecurity law that a small business can actually comply with.  While large enterprises are complying with laws that impact them, this has been a challenge for small business.  The scope of compliance requirements, the costs of complying and the uncertainty of whether they can properly protect themselves have kept many from even trying.

By offering a safe harbor, to protect the busines as long as it can show compliance with one of the listed frameworks, this law may actually encourage businesses of all sizes to do the right thing.  This would be a great development and I’m hoping all other states follow Ohio’s lead.  We will all be safer if they do.

A Nice Quote

Standard

QuoteI received this quote in an email subscription today and thought it was worth sharing:

The secret of joy in work is contained in one word — excellence. To know how to do something well is to enjoy it.

Pearl S. Buck, writer

Happy 2019, Here Come The Hackers

Standard

As the holidays were in full swing and we said goodbye to 2018, hackers were busy at work putting their latest and greatest threats into the wild.

business computer desk finance

From new phishing threats to a targeted malware attack on the newspaper industry that crippled the printing of the LA Times, NY Times, Chicago Tribune, Wall Street Journal and others.

These particular threats are not necessarily attributed to the holidays, it’s just when new of these new threats hit.  The FBI has issued the following reminders, which are worth republishing here.  If you make one New Years Resolution, be it to read and take action on these recommendations.

The FBI suggests precautionary measures to mitigate the threat, such as:

  • Conduct end user education and training on the threat of phishing emails.
  • Continue to educate employees on scrutinizing links contained in emails, and not opening attachments included in unsolicited emails.
  • Consider adding an email banner alerting when an email comes from outside your organization, so that it is easily noticed.
  • Implement application whitelisting to block execution of malware, or at least block execution of files from TEMP directories, from which most phishing malware attempts to execute.
  • Recommend stripping .iqy binary attachments from inbound email at the gateway.
  • Implement procedures to detect suspicious activity and process patterns, such as remote scripts, and block this behavior before it can download any payloads. For example, Excel attempting to launch the Command Prompt (cmd.exe) and PowerShell in an attempt to download something from the Internet.
  • Utilize threat intelligence sharing to stay informed of advanced threats.
  • Continuously monitor security industry reporting pertaining to third-party or free software used by your organization. This reporting can often identify when this software has been incorporated in a malicious scheme.

A Look Back At 2018 In Tech

Standard

The following was published in yesterday’s edition of Foster’s and Seacoast Sunday.

2018 has been quite a year for technology. While mostly good, there was also some pretty bad press for technology this past year.

Data breaches, privacy concerns and infiltration of social media platforms certainlypexels-photo-273011 highlighted the bad. Facebook, Google and others have been repeatedly grilled on Capitol Hill this year, mostly for good reason. Facebook has had perhaps their worst year since their meteoric rise to the top of the social media ladder. Concerns about Facebook were worsened by revelations that nefarious influence campaigns took advantage of serious privacy shortcomings within the platform’s ecosystem.

2018 started with the revelation of the Meltdown and Spectre flaws in nearly all of the chips that power computers. While the concern was valid, the impact was quickly contained and patched. As the new year took hold, more concerns came to light about potential foreign influence across the technology industry. From the before mentioned social media issues to concerns that companies like Huawei, ZTE and others could be embedding spy technology within their products, the year was off to a rocky start for tech.

Two of the biggest tech stories of the year are the arrival of GDPR, the strict European data privacy law and the reversal of net neutrality rules by the Federal Communications Commission. Europe’s GDPR or General Data Privacy Regulation, places the most stringent requirements yet on the protection of personal information. It reaches across borders and continents so that even if a company exists outside the European Union, if they employ just one citizen of the EU, they must comply.

With the number of households cutting the cable cord and moving to online only live TV and streaming services, the repeal of net neutrality rules raised a huge red flag. The concern is that high speed Internet providers would make deals with content providers and make some content available quickly and smoothly and other content painstakingly slow to frustrate the consumer into using the preferred content. There are some real concerns that some of this may be playing out, but so far, it does not seem to be so blatant as to draw legal attention. Time will tell, but the intersection of regulation and technology is front and center.

Hands free technology improved dramatically this year. Smartphones are safer than ever, provided you take advantage of their handsfree capabilities, especially in the car. Wireless power has also come on strong this year, allowing you to charge your favorite tech just by playing it on a charging pad. Maybe the battle for the charger will finally be over.

Collaboration tools really took off in 2018. Platforms such as Slack and Microsoft Teams have redefined the collaborative workplace. The ability to communicate in real time, whether in or out of the office and share content, have never been easier or more productive.

Personal devices continued to mature this year. The Apple Watch, now in its fourth iteration, has become the smart watch of choice. The capabilities and battery life continue to get better with every release. Similarly, smartphones like the iPhone or Galaxy Note are so powerful they may be the only device you need. Smartphones, tablets, wearable and portable PC’s continue to get smaller, lighter, more powerful and more capable, allowing you to do nearly anything that you can imagine almost anywhere at any time.

With all this technology comes the need for an ever more skilled technology workforce. We need the skilled labor force to continue to design, develop and support the technologies of today and what’s yet to come. Our schools need to rethink current curriculums to be sure that we are grooming the workforce of the future before the future passes us by.

It’s been a great year for technology, despite the high-profile headlines that expose the inevitable dangers that these same technologies may bring. In my next article, I’ll look forward into what 2019 may hold for technology developments. In the meantime, my best wishes for a Happy and Healthy New Year.

Today’s Emergency Alert

Standard

Did today’s emergency 911 alert concern you?  I hope it did.  As a result of a nationwide problem with one of the larger telecommunications and Internet providers, 911 services were down in many parts of the country.  Cell phone callers were the most impacted.

The outage effected areas from New York to California.  Washington State was hit particularly hard.  Cell phone users in many parts of the country received a government issued emergency alert today like the one below:

Key to this alert is the critical question, do you know the local 10-digit number for your police and fire department?  You should.

I have my local dispatch center number stored in my phone.  This next statement may upset some emergency officials, but several years ago, shortly after the implementation of the statewide 911 system in New Hampshire, a police officer that I know recommended that I never call 911 and instead call local dispatch.  Why?  This persons opinion was that the statewide system slowed emergency response.  When you call in to a 911 center, the operators ask information to both qualify the emergency and to offer immediate phone based help, when appropriate.  The 911 operator then calls the local dispatch center to send help.  Some feel this introduces unnecessary delays to the response.  Others say it helps avoid unnecessary dispatches and offers more immediate help, especially for health related emergencies while the caller waits for first responders to arrive.

I suspect there is a heated debate around this topic.  As it relates to todays emergency alert, I was feeling fine about it, as I have my local dispatch numbers.  If I were in an out of state location or somewhere else locally that I did not, I would need to depend on 911 and this would certainly concern me.

If you have not already, I recommend you put the local dispatch numbers for places you frequent.  Places like your home, place of work, family members you visit often, etc.  By storing them in your phone, hopefully you will never need them.  You don’t ever want to find yourself in a position of needing them and not having them.

With regard to the cause of today’s alert, the FCC is investigating the CenturyLink outage to determine why it took down one of the most important emergency communications netqorks we have.  The national 911 system was thought to be one of the most highly redundant communications systems in existence.  Today’s outage, which actually began yesterday afternoon, says otherwise.