Takeaways from the 2017 CyberEdge Report

Standard

The CyberEdge Group has released their 2017 Cyberthreat Defense Report CyberEdge 2017 CDR - 3D-Leftand the takeaways are pretty interesting.  The CyberEdge Group is an award-winning research, marketing and publishing firm serving the needs of information security vendor and service providers.

This report is based on responses from 1,100 IT security professionals from larger enterprise companies with more than 500 employees.  These companies represent 19 industries and 15 countries.  Some of these key takeaways apply to all businesses and provide good reference points of focus.  Of particular interest are the following:

  • Attacks are on the rise.  Nearly four out of five respondents had a successful cyberattack last year.  One third experienced six or more successful attacks over the course of the year.
  • There is optimism in the market.  Though this is not a good trend.  Too many organizations do not think they we will be the victim of a cyberattack.  This concerns me that businesses are not taking the threat seriously enough.
  • Mobile devices are the weakest link.  Not enough companies are deploying mobile device management.  This is not just about finding a lost device or erasing it, this is about appropriate control over company data…what is allowed on the device and what apps on the device can access that data.
  • Need to focus on secure apps.  This is especially true for organizations that develop their own apps.  There needs to be a renewed focus on security for these apps, as well as user training on cyber risk.
  • Failure to monitor privileged users.  Very few organizations have the right tools in place to monitor the activity of users with administrative rights.
  • Patch management concerns.  This was validated by the recent WannaCry outbreak.  Companies need to do a better job keeping their systems updated.  Known and unaddressed vulnerabilities are the most common attack vector.
  • Cyber insurance pulls its weight.  Seventy five percent of organizations feel they have a good level of cyber insurance.  The insurance industry has done a good job addressing this need, which also helps drive awareness and action.

A few other key findings that are worth noting are that ransomware remains the largest concern.  Most companies feel they are most likely to be attacked through malware like ransomware.  This again points to need for user education, to understand the risk and their role in protecting the business.  As more systems move to Cloud hosted options, like Microsoft Office 365, concerns about the security of these systems grows.

In many organizations, security budgets are getting the most resources.  I know one large organization that allocates more to their cyber security budget than to the entire IT budget.  Another concern lies with the massive volume of security related data that even the smallest business generates.  Parsing this information for actionable intelligence can be a daunting task.  In addition, the volume of data requires ample and adaptive storage capacity that most business do not have.  This leads to the deletion of data that could be critical in identifying the validity of an attack and it’s potential source or method.

You can read the entire report on the CyberEdge Group web site at https://www.cyber-edge.com/cdr.

Source: 2017 Cyberthreat Defense Report, CyberEdge Group, LLC.

New Day, New Office, Bright Future

Standard

Today, we opened for business at our new state-of-the-art Network Operations Center in North Andover, MA.  Internet & Telephone‘s Merrimack Valley Network Operations Center (MVNOC) v3.0 is up and running!

It was a great team effort to get this move completed ahead of schedule.  We are now located in the renovated West Mill complex, the former home of the world headquarters for Converse, before they moved to downtown Boston.  That’s why we have the cool Converse sign in our new kitchen.

The office is open concept with all glass interior walls.  Our conference rooms are separated by an overhead glass door that can be lowered to split into two rooms, one large, one small, right next to our server room, which is next to our main entryway.  Downstairs we have an extensive secure lab and storage area with access to multiple loading docks.

Here are some pictures of the new office in action, including the proud project lead for our move, our own co-founder and VP of Sales, Pete Peterson.  Pete is clearly and justifiably proud of his great work conceiving, designing and overseeing the construction of our new headquarters.  Awesome Job Pete!…

There is a bright future ahead for our team and our clients…

Pete

A Proud Pete Peterson Welcomes You to our New Office!

Sales

Sales & Marketing Area

Engineering

Engineering Area

Server Room

Server & Conference Rooms

Bobble Heads

Bobble Head Showcase

NOC

Network Operations Center

FinOps

Finance & Operations Area

 

Kitchen

Chef Doreen is a Happy Lady!

 

Kitchen2

Kitchen Eating Area

It’s Moving Day at I&T!

Standard

The big day has finally arrived.  Internet & Telephone, LLC is relocating into our new, state-of-the-art Network Operations Center (NOC) at our new New England headquarters in North Andover, Massachusetts.

This will be the nerve center of the company, supporting our other offices, strategically located in Boston and Portsmouth, New Hampshire, to best serve our client base.

This has been in the works for quite some time and thanks to the incredible vision and guidance of I&T co-founder and VP Pete Peterson, our expanding team will enjoy this new facility.

Our new NOC will rival the best that NASA has to offer.  We light it up for the first time Monday morning and everyone is excited to see the NOC come online.  For now, here are a couple of photos, just before the move in kicks in to high gear.

IMG_1601  IMG_1600

The design is sleek and clean to showcase our paperless operations (except of course for our finance and ops team.  They love their paper).  Our new conference rooms, collaboration rooms and phone booths provide all departments the resources they need to continue our growth and the delivery of First Class Service to our clients.

We will be officially unveiling the new office at our Open House on Thursday, June 15th at 5 PM.  I hope you will come and see the new and improved I&T then.  We’ll have plenty of refreshments and snacks.  See you then.

Better Email Subjects Improve Efficiency

Standard

If you are like most people, you get tens, if not hundreds of email messages a day.  How do you keep them organized or easily know what to do with them?

One of the strategies we employ at Internet & Telephone, LLC is to use better subject good-bad-subject-line-exampleslines, so recipients immediately know what is required of them in relation to the message they just received.  We are also very deliberate about who to put in the “To” field and who to put in the “Cc” field.

Here are some examples to help you craft your own improved email strategy:

  • When sending an email message, only put the people that need to act on the message in the “To” field.  Put everyone else in the “Cc” field.  Recipients in the “Cc” field should not be expected to reply and are include only for informational purposes.
  • Use more meaningful subjects.  Here are some examples:
    • FYI; Lead the subject line with “FYI” if your message is purely information and you do not expect a response.  For example, “FYI: Revised time for upcoming event.”
    • Response Required; Lead the subject line with “Response Required” when you need a response from recipients in the “To” field.  For example, “Response Required: Sign-Up Times for New Benefit Plan.”
    • Decision Needed; Lead the subject with the line “Decision Needed” when you need a decision from recipients in the “To” field.  For example, “Decision Needed: New Paint Color for Conference Room.”
    • Use Client Names when messages relate to a client.  For example, “Ajax Cleaning: Update on office cleaning contract.”

When appropriate, you might also have more that one of these in the same subject line, for example when you need a decision related to a client.  In that case, you would have “Decision Needed; Ajax Cleaning,” etc.  Hopefully you get the idea.

Simple tricks like this will help you be more efficient with your email and perhaps most importantly, with the messages you send to others.

What does your company do for strategies like this?  Post your comments below and share your email best practices and learn from others.

 

 

Self Service Password Resets Save Time and Aggravation

Standard

You know the drill.  IT has implemented another security policy that requires you to change your password every 90 days.  The password must be complex, 12 or more characters and contain upper and lower case letters, at least one number and a symbol, a character like !@#$%&*.  Your password needs to be something like this, fU&s43jm#@l0, to be valid.  You are also not allowed to resuse a password you have used in the past year.  Will you remember it?  Hopefully.  Will you mistype it, almost certainly.  What will you do if you can’t remember it?  Call the Help Desk and have them reset your password.  It stresses you out, doesn’t it?

What if you could easily reset your password, right from your mobile phone without having to call the Help Desk?  You can!  An innovative company named Passportal from Alberta, Canada has what may be the easiest and best solution to the password reset problem.  Their solution is available through partner like Internet & Telephone, LLC and can make the password management problem go away for you and all the computers users in your company.

Here’s how it works:

  1. You get the dreaded message that your password has expired and you need to set a new one.
  2. You create your new password; ih0p3!r3m3mber@.
  3. You return to the login screen and type it in, but it says it’s invalid.  DejaVu sets in and your blood pressure begins to rise.
  4. In the old days, you would call the Help Desk and ask them to reset your password for you.  You wait for the friendly and empathetic technician to login to your network, open your users account and reset your password.  Back to work you go.
  5. Instead of #4, what if this happened:
    1. You pick up your mobile phone and text a keyword to a Blink_Chat_Animationpre-defined number you have saved as a contact.
    2. You immediately get a reply letting you know your password is about to be reset.
    3. Within 60 seconds, you receive another text with a new password.  Something like: 8Fx%$Gsjh3*7.
    4. You return to your login prompt and enter 8Fx%$Gsjh3*7 as your password.
    5. You are asked to set a new password that you will remember this time, right?

That’s how easy it could be to reset your password if you forget it, lock out your account or let it expire and mistype your new password.

This is also how easy it is to make password changes and resets less hassle for your users and less timely to complete.  The user has complete control and the ability to instantly help themselves through this efficient self service password reset system.

If you’re not using self service password reset now, you should be.  Your users will thank you.  So will your Help Desk team.

Honoring Memorial Day

Standard

MemorialDay2017

When I was kid Memorial Day was always a long weekend to look forward to.  A trip to the lake to open the camp for the summer, parades and cookouts.  While the meaning of the day was known, it didn’t really resonate in the mind of a child.

As an adult, Memorial Day takes on its true significance.  While I have never had the honor to serve my country, I have the utmost respect for those who have and understand that today is about remembering those who have served and paid the ultimate sacrifice, whether in combat or years later as a result of their service.

A friend of mine, who is a veteran, posted a very heartfelt comment on his Facebook timeline this morning that sums up the day well.  He said that today is not a “Thank you for your service day.”  Rather, he contends, “It’s a day of remembrance and mourning.”  As I think back on all the years of parades and taps being played at the local cemetery, I understand and appreciate his words.

I know veterans of almost all the conflicts from World War II to the present.  I know veterans who have survived and veterans who have not.  I know veterans who have died decades later from disease caused by combat exposure.  I know veteran’s who survived the Allied invasion of Europe and I know their children, in some cases named after their friend and brother in arms, who died beside them in what could only have seemed like hell on earth.

My Dad was a humble member of the greatest generation and a veteran of WW II.  He served in the Pacific theatre with the US Army Air Corp, though he did not see direct combat.  I have aunts and uncles who served in that same war, as well as the Korean War.  I have cousins and nephews who are veterans and actively serving.  My father-in-law and his father before him, are career US Army officers, serving in WW II and the Vietnam War.  the legacy of service is strong on all sides of my family and I am grateful to each and every one of them, as well as to all veterans, who served to defend this great nation and all that it stands for.

I also can’t help but think how disheartened many of them must be with the current state of affairs in these United States of America.  I am not piling on to the popular political narrative, rather I am talking about the deep divides that dig at the very soul of our country.  After all that these brave veterans have fought for, I will never understand how it is acceptable to attack one another, physically or verbally, the way it is today.  The only comment I will make about politics, is my disgust with both parties, at how they put party and personal gain ahead of what is best for the people that elected them.  On this Memorial Day, I hope all of our elected officials will take pause and consider what these veterans, whom we have lost, would think of their actions and their rhetoric, when contrasted with these veterans service and sacrifice to the ideals of this great nation.

Today, I think about all of them with my most humble gratitude and respect.  The pride I feel for those I know who have served, is not easily communicated in words.  My sense of loss for those who are no longer with us is felt most for my family members, though not without equal compassion for those who are mourning their own losses today.

So as my friend closed his post today, “Either way stop and take a moment to remember the men and women that gave their lives so you could enjoy yours.”

Take Latest Ransomware Outbreak as a Warning

Standard

The following article was published in today’s Seacoast Online and Foster’s.

If you have read or listened to the news the last couple of weeks, or read my blog at mjshoer.com, you know there was a massive ransomware outbreak May 12. This has been widely reported as the WannaCry outbreak, this being the name of the ransomware that spread around the world, hitting companies in 150 countries, impacting hundreds of thousands of computers.

This was described as possibly being a cyber weapon of mass destruction, due to the speed and scope of the attack.

First and foremost, understand what ransomware is. It is a form of malware, malicious software hackers install on your computer to carry out a larger task. In the case of ransomware, this larger task is to encrypt all the data your computer has access to. Encrypted data is unreadable unless you have the decryption code. Encrypted files appear as an ongoing string of random characters, scrambled to protect the data it has encrypted. Without the corresponding decryption key, the data is useless. Ransomware holds your data hostage by encrypting it and withholding the decryption key until you pay a ransom to the hacker, commonly paid using the virtual and untraceable currency Bitcoin. This makes it extremely difficult, if not impossible, to track the attack to its source.

The WannaCry outbreak was unique for several reasons. Perhaps of most concern, it appears to have been based on a top secret hacking tool developed by the National Security Agency to spy on adversaries of the United States. The code for this tool was supposedly stolen by a hacking group and posted online, allowing hackers all over the world to see how the tool was designed and how it works. A phishing email was then crafted, targeting users of computers with a specific known vulnerability that had been discovered in March of this year. By scanning the Internet for computers with the vulnerability left unrepaired, the hackers had a rich set of targets.

Users were tricked into opening an attachment or clicking a link, which downloaded the malware onto their computer and began encrypting their data. Another unique element of this attack was that it also acted as a worm, spreading itself from one computer to the next within the same network without any other user needing to do a thing. This contributed to the rapid rate of infection seen that day.

In other words, one person inside a company needed to fall for the phishing email and click the bad attachment or link. Once they did, the hacker’s malware was installed on their computer and installed itself on any other computer with the same vulnerability on the company network.

This is why organizations like England’s National Health Service, FedEx and Spain’s Telefonica saw massive infection that required them to shut down computers in some cases for multiple days until the infection could be purged.

What’s worse is that it was preventable. The flaw this hack took advantage of was fixed March 14, yet nearly two months later, the impact was massive. Interestingly, the impact was worst outside the United States. What this says, which is a good thing, is that in the U.S., most companies regularly update their computers with important updates. This contrasts with the rest of the world, where updating computers is not nearly a high enough priority. This attack proves this.

Ransomware succeeds by tricking a user to open an unsolicited email containing an attachment or link. It amazes me we are still combating this today, as this is a well-known attack vector and perhaps, the easiest to defeat. Education and a little patience is all that is required.

The European Cybercrime Centre has a list of do’s and don’ts related to keeping yourself self:

Do’s

  • Update your software regularly. At the very least, install all critical and security updates. If in doubt, install all available updates to keep your computer’s operating system up to date and safe
  • Use Anti-Virus and Anti-Malware software. You should also be sure to keep your computers software firewall enabled at all times.
  • Browse and download software only from trusted websites. Avoid sites that offer paid-for software for free, including driver update sites not run by the actual hardware manufacturer.
  • If you keep any data on your local computer hard drive, be sure it is regularly backed up, ideally to the Cloud.
  • If you become a victim of ransomware, report it to the FBI. This helps it track outbreaks and when the opportunity presents itself, get the bad guys.
  • Check www.nomoreransom.org if you get hit. This free site, supported by various law enforcement agencies and private industry, may help you recover from an infection.

Don’ts

  • Don’t click on attachments, banners and links without knowing their true origin. What may look like legitimate files, banners or links, may not be what they appear to be. Hovering over the link is one way to check the URL to see if it is legitimate, but it’s far better to manually type in a link to your browser, instead of clicking a link in an email.
  • Don’t install mobile apps from unknown sources. If someone sends you a link to a mobile app for your phone or tablet, don’t click it. Go to the app store and search for the app there to check its legitimacy and install it. And don’t install or run unknown software.
  • Don’t take anything for granted. Verify everything. Confirm with senders they meant to send you any attachment or link. Verify SSL connections by checking the padlock icon to be sure it’s issued to the site you are on. When in doubt, make a phone call before you act.
  • Have you installed software to get free TV or movies? Think twice. It may be stealing data from your computer. Kids fall victim to this far too easily.
  • Don’t pay out any money. This just encourages more hacks and does not guarantee you will get your data back. One of the positives from this latest outbreak was that not much was actually paid out, considering how large the impact was.

I hope this information helps clarify what happened, why and how. More importantly, I hope these do’s and don’ts will help keep you safe from any future outbreaks.

The following image shows a screen shot of the Norse attack map.  This map shows real time intelligence on active cyberattacks taking place around the world.

Norse Map

%d bloggers like this: