Should You Dump Facebook?


Probably not.

I’ve been holding off on posting about the Facebook/Cambridge Analytica mess.socialspread  Clearly it’s a mess and both firms are struggling to explain themselves.  Should users be surprised?  Absolutely, positively not.  This was bound to happen.  If not with these two, with other companies.  The amount of users, data and activity on social media platforms is massive and it was only a matter of time for it to be misused like this.  Was Facebook complicit?  It doesn’t sound that way, but as we learn more, it’s certainly possible.  Was Cambridge Analytica in the wrong?  That looks far more likely, but it’s still early and this is a very charged topic, so theories are rampant and varied.  Here’s what is known at this moment.

Facebook has allowed outside developers to create apps, games and quizes on it’s site.  These all use your personal Facebook data to identify who you are and some, pass a lot of your profile data back to the developer.  Have you ever answered a quiz asking you to name all the States in the US you have visited?  To rank your favorite movies or used the “Login with Facebook” button to log in to another site or app, so you didn’t have to take the time to setup a new account?  If you have, you’ve exposed your Facebook profile, the entire thing, to some of these apps, developers and sites.  That’s why I have previously posted a caution”Those Fun Facebook Lists Could Pose Risk.”

This is how Cambridge Analytica hosted Facebook user data.  A personality test was developed on the Facebook platform and 270,000 users granted permission to this app to view and gather data from their profiles.  From that, data was also grabbed from 50 million users who were friends of the 270,000 who took the profile.  This is because when those original 270,000 users allowed the personality test to access their profile data, they also allowed it to access their friends.  This is the root of the problem.  It spread like wildfire, jumping from profile to profile, gathering data that we now believe was used to influence the 2016 Presidential Election.

It has taken Facebook several days to more fully respond to this.  Rightly or wrongly, they took time to understand the nature and scope of the issue before making official comments, which came over the last 24 hours.  Facebook acknowledges they failed to protect their users privacy.  As early as 2014, Facebook implemented controls to prevent something like this from happened, but this event predated those enhancements.  Facebook has promised to audit all entities that had access to data before these new controls were in place.  Any entity that does not comply with the audit will be banned from Facebook.  That’s a good start to make things right and restore users confidence in their privacy.

Love it or hate it, Facebook does serve positive purposes.  While there is no doubt there is a lot of negativity on Facebook in many forms, the vast majority of users use it for good, whether keeping in touch with friends and family far and wide, or sharing useful information like this blog post.  The good outweighs the bad and Facebook will be better moving forward.  Many challenges lie ahead, not the least of which is an investigation by the Federal Trade Commission (FTC) and a class-action lawsuit alleging that Facebook did not adequately protect user data.

If you want to stay on Facebook, here are some things you should do to better safeguard your Facebook profile.

  1. Check how many apps have access to your Facebook data.
    1. Click the drop down arrow next to the help question mark and go to Settings.
    2. Click on Apps in the left hand column.  Be sure you click Show All.  I bet you’ll be surprised to see how many apps have access to your profile.
    3. Hover over each app and click the x to remove it or the pencil to edit permissions.  If an app says Only me, you’re in pretty good shape.  If an app says Friends, it can grab their data through you.  That’s not good.
  2. If you don’t want any apps to have access to your profile at all, scroll down a bit and click the Edit button under Apps, Websites and Plugins and click the Disable Platform button.  Before you do, be sure you read what this will change, as your online experience will change, not just on Facebook.
  3. Scroll a bit further and click the Edit button under Apps Others Use and here you can really restrict what apps can see about you.

These few simple steps will secure your data and allow you to continue to use Facebook with less risk of others getting more information on you and your friends than you intend.

Don’t Get Fouled Out by March Sadness


March Madness is here and the brackets were busted up pretty well by the early upsets. With the Sweet 16 set, March Madness is in full swing and so are the hackers who want to take advantage of it.


Be on the lookout for phishing email tryingMarch-Madness-sadness to get you to go to fake web sites that are copies of the legitimate ones.  These are sites that cover the brackets and stream the games.  The phishing is all designed to get you to expose your username and password so the hackers can use it to gain access to your network or other sites where you use the same credentials.


Be aware of how many of your users are going to March Madness web sites during this time of year.  It’s not uncommon to hear complaints about the network being slow being tied to numerous users streaming games at work.  This is exactly what the hackers are hoping to find, so be cautious.  Only use sites you can guarantee are real.  Be skeptical of apps that you are encouraged to install to follow the madness.  Be sure these are legitimate as well.  Otherwise March Madness will turn into March Sadness in the time it takes to dribble the ball and get fouled.

Why Default Spam Filters Are Not Enough


The following was published in today’s Foster’s and Seacoast Sunday.

Whether you connect to an on-premise email server or use Cloud-based email servicesspam-mail like G Suite or Office 365, if you rely on the built-in spam filtering that comes with your mail service, you are leaving yourself exposed to email borne threats.

Microsoft Outlook users who rely on the built-in junk mail features face the same lack of truly robust spam filtering. Here’s why.

Most built-in spam filtering technologies use basic methods to identify what may be spam. This often leads to legitimate email messages being missed or outright deleted. An effective corporate spam filter layers in multiple techniques and technologies to keep you safe from email borne threats of all types, not just spam. These systems also layer in additional security features that are not part of built-in spam filtering solutions.

A robust corporate spam filtering solution should block the majority of spam destined for your inbox, preventing it from reaching your mailbox, as opposed to simply moving it to a junk folder within your mailbox. The key concept here is in preventing the spam from even getting to your email server, whether on-premise or hosted. It should provide a daily report of everything it captured as spam, so you are able to release anything legitimate that was caught. Most will even allow you to get a notification in real time whenever your spam filter traps a spam email. It should also provide inbound and outbound spam protection to alert your IT team should someone on the corporate email system become infected with malware that tries to send spam from a corporate email account. It happens.

Other features of a robust corporate spam filtering solution include detailed logging and reporting, the ability for users to tune their personal settings for optimal protection. One size does not fit all when it comes to spam filtering. Most email administrators will setup a default filtering level that will work for most people, but allow individual users to fine tune settings to their needs.

Continuity and disaster recovery are another set of features. The key to effective continuity is to ensure email flows even if internet access is lost, or if your corporate email system is down. Effective email continuity allows you to continue to send and receive email, which prevents any sender from receiving a bounce message that your mailbox is unreachable. Another key to this type of service is that it is seamless to the user, available via a web portal or within the mailbox they work with daily.

Disaster recovery extends the continuity service to maintain email communication through some form of disaster that would otherwise take these services offline. By leveraging geographically dispersed data centers to run these services, providers of these services can maintain their services through local internet, power or other outages, including something as extreme as a fire that destroys an office. Once normal services are restored, the disaster recovery service will seamlessly switch back and deliver all email received during the outage back to the primary system.

A concept often referred to as sandboxing is another advanced feature. In effect, when a user receives an email with an attachment, that attachment is removed from the message, moved to a sandbox and tested for any threats. If the attachment is safe, it is moved back to the original message and that message is delivered to the intended recipient. If the attachment is not safe, it is stripped from the message and the recipient is notified of the threat. This is an effective defense against malware and ransomware, where an attachment carries a malicious program or link that when opened, infects the user’s computer. This type of active, inline testing is the best known defense against this type of threat.

Finally, email encryption and archiving are integral parts of a complete solution. So much communication takes place via email that it is easy to email protected information, be it personal, health related or financial. Email encryption can prevent this information from being sent via email, or automatically encrypt it, when found, to protect the information. If you are a regulated entity in the health care or financial space, this is critical to have in place. Regulators are continually cracking down on this and fines are becoming quite steep for violations.

Email archiving keeps a copy of every message sent and received. This may be for convenience, as in not maintaining a large mailbox of everything you send and receive, or for compliance. In the case of convenience, it is far easier to search an email archive for older messages than it is to maintain them within your day-to-day email program. For compliance, archiving retains messages for defined period of time to meet regulatory requirements around reproducing communication threads. This is often referred to as eDiscovery. If you are regulated by the SEC, NASD, IDA, HIPAA, SOX, FRCP or others, you are required to have this in place.

Hopefully, this will help you ensure you more than just a basic spam filtering solution in place. It’s important to understand everything that a solution like this should encompass, not just to keep you safe, but also to keep you compliant.


Recap: CyberSecure My Business Webinar



Last week, I posted about a Free CyberSecure My Business Webinar that took place this past Tuesday, March 13th.  I wanted to follow up that post with a quick summary of what was presented on the webinar.

The webinar was presented by the National Cyber Security Alliance.  Presenters were from the National Institute of Standards and Technology, security vendor Trend Micro, the Small Business Administration and the Michigan Small Business Development Center.

The presented from NIST focused on the five major functions of the NIST Cybersecurity Framework.  The NIST framework is the defacto standard for defining cybersecurity needs.  The five functions are as follows:

  1. IDENTIFY assets you need to protect.
  2. PROTECT assets and limit impact.
  3. DETECT security problems.
  4. RESPOND to an incident.
  5. RECOVER from an incident.

The presented from Trend Micro talked about a new phenomenon they have termed the “Double Whammy.”  Esentially, this is when one cyberattack actually masks another and the second attack is the one that is designed to do the actual damage.  Another key point the presenter made was that if you get infected with malware, you can’t be confident that you’ve removed it all.  Your best bet is to replace the machine.  The presenter almost pointed to the website where some of the major cybersecurity companies have collaborated to publish decryption keys for known ransomware outbreaks.  Of course, the bad guys develop new ransomware faster than the site can keep up with, but this is a good start at what amounts to a crowdsourced defense.

The presented from the SBA shared the wealth of cybersecurity resources that the agency makes available to businesses.  He made a point to reference the SBA’s Social Media Cyber-Vandalism Toolkit, to help people maintain a safe social media presence for themselves and their businesses.

The presenter from the Michigan Small Business Development Center showed a web site they have put together to help their constituents address cybersecurity concerns.  This is part of local outreach activities that the SBA supports.

He also shared the following bullets, which are great reminders for any response to a cybersecurity incident.

Process to Follow:

  • Identify
  • Contain
  • Investigate
  • Remediate
  • Communicate
  • Review Lessons Learned

People to Notify:

  • Cyber Security Expert & IT
  • Employees
  • Customers
  • Partners
  • Vendors
  • Attorney
  • Law Enforcement

Technologies to Help Mitigate Risk:

  • Encryption (full disk, files, folders, email, VPN)
  • Mutli-Factor Authentication (MFA, 2FA)
  • Mobile Device Management (MDM)
  • Data Loss Prevention (DLP)
  • Security Information and Event Management (SIEM)
  • Intrusion Prevention/Intrusion Detection Systems (IPS/IDS)

Key Takeaways:

  • Have a Business Continuity Plan
    • Incident Response Plan
    • Disaster Recovery Plan
  • Identify Key Assets
  • Choose Protection Considering Based On:
    • Budget
    • Industry Requirements
    • Capacity
    • Legal Restrictions

I know there is a lot of information in this post.  If you were not able to make this webinar, I wanted to share a good summary to help you review your own cybersecurity posture.  Please check the links and leverage this great content to help improve your cybersecurity.  Stay Safe Online.

Staying Connected When Winter Weather Hits


With the snow still coming down, it reminded me that Onepath published a great blog post about today’s storm.  You can check out the post on Onepath’s website here or read on below for a copy of the post.


New Englanders faced yet another major winter storm just days after Quinn left three feet of snow in some areas. As folks in the northeast continue digging cars out of snow drifts, many are still trying to figure out how they can get their work done (or keep their business running) while stuck at home. In fact, most of our Onepath colleagues working out of our Massachusetts, Rhode Island, and New Hampshire offices already had to work remotely last week, and many are stuck at home and away from their physical office again this week.

Fortunately, Onepath has tools in place to keep all our employees connected to each other, to our clients, and to the systems and data they need to stay productive. The evolution of the cloud and the ecosystem of platforms and apps that developed around it, gives organizations the ability to build robust networks that can be utilized anywhere. It’s no longer just email and messaging apps; it’s a complete system allowing people to engage their coworkers and clients in just as meaningful a way as if they were in the office.

When planning our IT infrastructure, we identified areas that are mission critical for our teams to continue working without interruption. For us that was the ability to remotely access client data, use all our software, share files, receive or forward phone calls to our computers or cellular phones, message one another on the fly, and have face-to-face or screen-sharing meetings. While we can’t turn around in our chair or walk down the hall to have a meeting or conversation, we can get pretty close with all our collaborative tools.

Here’s a look at a few of the things that Onepath is using to stay connected during this storm without missing a beat.

Tools We’re Using to Successfully Work From Home

CRM. All of our client data sits in a cloud-based CRM system. It functions as a great deal more than just a database, though. Our clients use the system as well, so we can quickly and easily share information and communicate with each other.

Office365No remote workforce would be complete without cloud-based office productivity software! We’ve got the full suite of Microsoft’s ubiquitous apps. And everything is backed by OneDrive, which not only keeps our files stored in the cloud, but also allows for easy sharing and collaboration with other users.

SharePoint. We utilize SharePoint as a file server in that we have file versioning, uploads, security groups, and a single place where we can upload, store and share files, templates, and documentation.

VoIP System. Our phone system operates over the Internet, so no one is tied to a physical phone device. Employees can make and receive calls from their laptops and mobile devices, so we are reachable just about everywhere. Helpdesk or support phone calls coming in our main numbers are rerouted to the support teams on their computers or cell phones at home.

Skype for BusinessWe use Skype primarily as an instant messaging tool, but it also works for video chats. And like our phone system, Skype works on a variety of devices.

WebExSkype works well for video chatting with small groups. If we have a lot of people or are doing a presentation, though, we use the web conferencing tool WebEx. We can share PowerPoints or our screens as if our colleagues were looking at a screen over our shoulder.

This is just a handful of the tools we leverage to keep us connected, and there is an ever-growing list of alternatives to each of them, all with various pros/cons and price points. The key for our New England IT team’s ability to temporarily transition from an onsite workforce to an offsite one, was preparedness. When planning for the future of your IT infrastructure, be sure to select flexible and cloud-based technology solutions that allow for at-home workers to be productive and keep your business running — whether your staff is working from home by choice or by storm.

OK Waze!


As you may know, I’m a big fan of Waze.  I use it every day and use it instead of my OKWazevehicles built in navigation as it’s more up to date and reliable, not to mention offers a wealth of additional features that I value.

Recently, the Google team updated Waze to respond to voice commands.  If you go into “Settings” and then click on “Sound & voice” and then “Talk to Waze” and enable “Say “OK Waze”” you can speak to Waze in a completely hands free experience.

When this was first released, it was flawed.  When your smartphone is connected to your in-car Bluetooth and this feature is enabled, the first time you say “OK Waze,” Waze took over your in-car audio system.  Once you issued that verbal command, your in-car microphone remained engaged so that you were no longer able to use any of your in-car entertainment options.  This was not good.

I’m pleased to see that Waze has released an update so that this no longer takes place.  Waze now uses the smartphone microphone to listen for your “OK Waze” command and then allows you to speak to Waze through your in-car Bluetooth, as if you are on a phone call.  Once you are done, control is passed back to your in-car entertainment system and Waze returns to listening via your smartphone microphone.  This is perfect!

Here is how this works.  I’m driving with Waze up on my smartphone and the radio on.  I see a car stopped on the side of the road.  I say “OK Waze” and the radio goes silent and Waze goes into listening mode.  I say “Report vehicle stopped on shoulder” and Waze repeats my request and asks me to approve.  I say “yes” and Waze notes my report on the map at the point I first said “OK Waze.”  This contrasts with no less than 5 taps on the screen to accomplish the same thing, which is not at all safe and a violation of many states hands free laws.

To be fair, there is also a setting you can enable so that when you tap with three fingers on the screen Waze would listen for voice commands.  However, not having to touch or look at the smartphone at all is the best and safest method.

Well done Waze!  Keep up the innovation with a constant focus on user safety.

Free CyberSecure My Business Webinar


I received the below message today and wanted to share it on my blog.  The National Cyber Security Alliance does a great job putting free educational material out to the public.  This free webinar covers a very important and timely topic:  “Know What Recovery Looks Like.”  In light of the strong winter nor’easters that have hit hard along the eastern seaboard this week, a lot of businesses will benefit from this webinar.

I encourage you to sign up for this webinar.


Boy Scouts get Kudos Too!


After my post Kudos to the Girl Scouts! yesterday, I got a few messages letting me CyberChip Patchknow that the Boy Scouts have a similar program.  I was aware of the Cyber Chip program, but did not realize it also includes a badge.

Kudos to the Boy Scouts for also having a good cyber-citizen program to educate their members about the importance of cybersecurity and being safe online.  Like the Girl Scouts, the Boy Scouts also have a partner helping them with this program.  They have partnered with NetSmartz, a program of the National Center for Missing & Exploited Children.

These program are so important to our younger generations.  These kids are growing up in a digital world that is interconnected and always on.  Whether we are talking about cyber-bullying, hacking, identity theft or interference with nation states, education around these and emerging cyber risk is critical to protecting everyone and everything.

I’m thrilled to see these program out there.  They set a great example for schools and other organizations, for innovative and engaging ways to ensure our youth our equiped to deal with the new realities of the digital future.

Kudos to the Girl Scouts!


Girl Scouts around the country are now able to earn a Cybersecurity Badge.  So much for camping and cooking over an open fire.  These are not your mother’s Girl Scouts!

GSThe new badges are the result of requests from Girl Scouts themselves.  The Girl Scouts partnered with security company Palo Alto Networks to create the new badge.  Maybe they are concerned about protecting the famous Girl Scout cookie orders, though probably not.  In all seriousness, the girls have expressed concern for everything from protecting their identity online to protecting the family’s home networks from being hacked.  This is the new face of the Girl Scouts, adapting to the times we live in.

This is a great STEM initiative by the Girl Scouts and exactly what we need to see more of.  Especially because women are unrepresented in high tech.  It’s so important to expose kids to opportunities in technology and cybersecurity is certainly a hot topic.  The girls are learning about coding and how computer networks work.  It’s truly an innovative program.

Sylvia Acevedo, the CEO of the Girl Scouts of the USA has been quoted as saying “Cybersecurity is vital to protect our financial systems, our voting systems, you know, our defense systems. So we absolutely need to have the rising generation interested and prepared in cyber security.”  She could not be more right.

Creative initiatives like this are just what we need and great feeder to other initiatives like CompTIA‘s Advancing Women in IT (AWIT) Community.  From CompTIA’s website, “Advancing Women in Technology (AWIT) believes diversity is good for business and helps companies create inclusive and supportive work environments for all people. The community also provides networking opportunities, develops member-driven initiatives involving women and careers. AWIT supports women working in information technology and helps women and girls discover ways they can play important roles in the industry.”

Again, kudos to the Girl Scouts on being forward thinking and helping their members prepare for the future.

Onepath InfoSec Top 5: Meltdown-Spectre, Cyber Risk and More


The following is a very informative email that we put out at Onepath last week.  Wanted to share it here…

Onepath Banner.jpgTop 5

Stay on top of the latest cybersecurity news with these five hand-picked articles from around the web.

Meltdown-SpectreMeltdown-Spectre: Now the Class Action Suits Against Intel Are Starting to Mount Up

Intel faces 32 class action lawsuits over its processor flaws and says more may be in the pipeline.


2018: Companies Will Make Major 2018 Cyber RiskEnterprise-Wide Changes to Address Cyber Risk


As cyber attacks increasingly threaten every aspect of business, companies will be forced to address cybersecurity risk holistically. (Security Magazine)


Ransomware ReportReport: Ransomware Attacks Against Healthcare Orgs Increased 89 Percent in 2017

The number of reported major IT/hacking events attributed to ransomware by health care institutions increased by 89 percent.
(Healthcare Informatics)


Industrial Cyber Security Improving, Industrial CyberBut Needs Work

Cyber attacks on industrial and critical infrastructure systems are increasing, but more attention is being paid to security.
(Computer Weekly)


Malicious AndroidMalicious Android Apps Secretly Tracking User Data

Cybersecurity researchers recently discovered a series of malicious Android apps that secretly track and send user data.


At Onepath, we take a comprehensive approach to continually analyze, monitor and alert on data breach activities and vulnerabilities. We have a highly qualified Information Security and Risk Management team with CISSP, CSA, GIAC, and CISM certifications, and can help ensureompliance with a wide range of regulatory mandates (PCI DSS, SOX, HIPAA, GLBA, etc.). For more information, please visit our website.

Copyright © 2018 Onepath, All rights reserved.


%d bloggers like this: