Cloud Security

Happy #$%@ New Year’s!! My Money is Gone!

This scam is downright scary!

Time is of the essence on this blog, so I tried to find a title that will grab your attention. I hope it did. I don’t get overly dramatic in my blogs, but this one is warranted for how bad it is. I also try to use graphics to break things up a bit, but I didn’t want to spend more time trying to make things “artsy”.

If you’re going to read anything, please read this. It might just save you thousands of dollars.

A small business owner and close friend of mine, whom we’ll refer to as “Joe”, texted me on December 22nd (yes, right before Christmas), livid that he had been conned out of thousands of dollars by a very elaborate and well executed scam. Now Joe is no dummy and pulling one over on him is no small task, but even an astute businessman was no match for the detail these scammers deployed.

So what happened?

The target, Joe, uses Chase Bank for his business and personal finances, which becomes important later.  All the money in both his personal and business accounts was stolen within minutes! How?... Joe gave the hackers the information they needed to steal it.

The chain of events.

Joe received a call from Chase Bank’s “Fraud Department” stating there was suspicious activity on his account, and transactions were made in a foreign country. Joe then explained that he had recently been to Mexico on vacation – a common destination when you live in Texas.

Being a diligent and rightfully cautious person, Joe checked the number calling him and it matched the phone number on the back of his Chase credit card. The hook was set!!

The “Chase representative” stated that because there were fraudulent attempts on his account, he needed to close both accounts, personal and business, and transfer the money to new, “safe” accounts. Then, the representative said he would text Joe a code for him to read back, which once again came from a legitimate number. Two-factor authentication using codes texted to a mobile number is common practice, and no cause for alarm. The representative then used this code to access both accounts and change the real password to one the hacker could then use.

In real time, the hacker used the common online payment app, Zelle, to clean out both personal and business accounts. It should also be noted that the scammer on the phone spoke excellent English and sounded legitimate, which is another well thought out tactic and different from the obvious “rich uncle” accents from Eastern Europe or other countries.

Worst nightmare!

Now being suspicious, Joe went into a Chase branch location and they verified that it was, in fact, NOT Chase. The real Chase representative mentioned this was the second time in a few days they have dealt with this same scam.  Panic now set in!

Pain and no gain.

While in the branch location, Joe had to immediately close all his accounts and open new accounts, while simultaneously working with the bank’s fraud department to try and reverse the transfers to get his money back.

When the Chase fraud department did their initial forensics, they discovered the transfer was made using a relative’s name.  This means the hackers gained full access to the account information, including the list of approved people and accounts to transfer money to and from.  Because the hackers chose a relative as the person receiving the funds, Chase would not escalate until Joe could confirm and ‘prove’ funds were not transferred to the family member as a legitimate transfer. The hackers purposely chose a family member knowing it wouldn’t get escalated.

It’s important to note that the phone number showing on Joe's caller ID matched the number on his Chase credit card. At one point, Joe hit the ‘call back’ feature on his phone to automatically dial the Chase number, and the call was directed back to the fraudsters (a tactic called number spoofing). The Chase fraud department advised Joe to always manually dial the number and not use the automatic call back feature on a mobile phone, to ensure that he is calling the correct number. In addition to closing his accounts and opening new accounts, Joe also has to identify and contact the numerous legitimate personal and business vendors and payers he works with to update them with his new account information. More pain.

At the time of this blog, the success of reversing the scam is unknown. The bank stated it would take up to 30 days to determine if Joe would get the money back. To add insult to injury, Joe is also now locked out of online banking for 60 days.

This is one of the most elaborate and well thought out cons I’ve ever seen, requiring multiple people who know exactly how people use banking, and more importantly, people who know exactly how banks and their fraud departments work.  They were always one step ahead of the victim and I’m certain there are more to come!  So be diligent, be doubtful, beware.

Cybersecurity - "You can't handle the truth!"

I’m a guy who likes sports and movies, and my wife tells me that I’m constantly quoting sports analogies and movie tag lines. Guilty as charged.  So, why do I do that???  Because I can quickly state a movie quote or sports reference to explain a situation to someone, without having to spend an hour doing so. If I tell someone “you just fumbled”, knowing this person likes or understands American football, he or she will immediately know they made a mistake.  Notice how I stated ‘American football’ lest I confuse it with the round ball version and defeat the very purpose of my analogy.

The problem is, if I use my linguistic mojo on people who don’t follow sports or movies (yes, those people do exist), I not only don’t get my point across, I confuse them.  Many times, I get that tilt-of-the-head puppy look and then a nod, never asking me to clarify what I meant.  It’s surprising how many people never ask the question – I don’t understand, what do you mean?

This can be very frustrating and even a cause for escalating arguments and disagreement later.

To clarify, here’s an example of a recent conversation when discussing a company project…

Me: “We’re at the one-yard line! It’s time to punch it across the goal line!”

Colleague: “Got it! You can count on me!”

A week later…

Me: “So that project was completed, right?”

Colleague: “No, I’m still working on it. I need to add some more detail.”

Me: “What! I thought I told you and we agreed this needed to be done asap!? Like yesterday.”

Colleague: “Oh, I’m sorry. You didn’t tell me it was urgent.”

Me: “I did tell you it was urgent. Remember ‘the one-yard line’, ‘the goal line’?”

Colleague: “Yeah I kind of recall something like that.”

Me: “Then why didn’t you get it done??”

Colleague: “Why are you yelling at me? I have no idea what you meant.”

Me: “Why didn’t you ask?”

And the downward spiral continues.  The frustration level for everyone is extreme.  Worse yet, the project was not completed, and the company suffers.

I see this same scenario over and over again as it relates to technology and business – especially with cybersecurity.

Get serious about cybersecurity

Articles are published every day stating how businesses aren’t taking cybersecurity seriously enough only to be completely ignored.

I constantly come across articles that give real statistics showing how businesses think they are secure, yet they have recently been breached or compromised!  How is that possible?  Why do businesses, led by extremely smart people, continue to ignore the very real threat that cybersecurity breaches and hackers can easily compromise their business’ livelihood?  Why do they continue to have incidents, and not learn from them?

Some studies show that many business owners rely on their insurance policy to save them instead of protecting their assets proactively. I believe some of that is true, but I believe the real issue is a complete disconnect in communication.

The danger of miscommunication

There is a very real and dangerous disconnect in communication between business and IT!

I read an article recently that was trying to get businesses to understand the importance of cybersecurity and the importance of communication between IT and business.  Here is how the article begins…

 

Digital transformation is happening rapidly in every industry. As companies move toward software-defined infrastructures (SDI) connected to powerful cloud ecosystems, they can tap into the near-real-time intelligence from the data gathered from every edge of their business, helping to drive faster business decisions and changing the way they serve their customers.

Rapid transformation, however, without a solid plan, can produce cybersecurity vulnerabilities. As infrastructures go virtual, security models need to shift. To avoid serious risks and security management issues, companies need to identify challenges, strategize, collaborate, pilot, test, and evangelize. *

 

Did you have to read it twice?  Did you understand even part of it?  What exactly is ‘every edge of their business’?

“Trust me, Greg, when you start having little Fockers running around, you'll feel the need for this type of security.” Meet the Parents, 2000

Yes, I did it, I used a movie line from the great film “Meet the Parents” to make my point.  If you haven’t seen the movie, you have no clue what I’m talking about.  Business leaders have not seen the cybersecurity movie!!  They don’t understand a word coming out of your mouth (another movie reference).

Don’t allow technology to get lost in translation

In all seriousness, business leaders have not taken the time and do not have the time to learn all the parlance of cybersecurity.  Yet, we keep pummeling them to death with cyber techno-speak.

The reality is, both business and technology leaders have a responsibility to their companies, their employees, and themselves to learn enough about each other to make the conversation relevant. I can keep showing business owners all the statistics, but most of them still don’t properly plan for or budget for cybersecurity, and most will only do so after they’re hit with ransomware or have a breach. But what is ransomware? What is a breach? What do they look like? What is the actual cost to the business now and in the future?

This is not a one-sided issue. IT professionals also need to learn how to translate technology jargon into terms that business owners can understand.

The same case can be made for IT experts making an effort to understand the language of business and understand the impact they are having. When business owners and leadership speak in terms of EBITDA, CAPEX, OPEX, Lifetime Value, Gross Margins, Net Margins, Cash Management, etc., they are speaking a language immediately understood within the group, but many times foreign to the IT group.

At some point, business owners, leadership, and even board members must work with IT experts to start taking cybersecurity more seriously.  Both parties must be willing to have an open dialog where each is not afraid to ask questions, educate and translate into terms each party can understand, to make better business decisions.

If you want to have a discussion regarding your business and how the cybersecurity landscape impacts your company now and in the future in a language you can understand, contact us! We will be happy to advise and educate you in this increasingly complex space.

May the force be with you!

 

* AT&T Cybersecurity Insights Vol 7

Security Breaches: The Kiss of Death for Small Business

For romantics, a kiss signifies love, affection, or respect. Unless you receive the kiss of death, which signifies that your days are numbered. For small business, a cyber-security breach is the dreaded kiss of death. Here are some stats that’ll start your heart from recent studies from Property Casualty 360 and Small Business Trends:

- 62% of cyber-attacks are focused on small to medium businesses
- Only 14% of these businesses rate their ability to mitigate an attack as highly effective
- Average cost of a breach for a small business, including damage or theft of assets and disruption of normal operations, is slightly over $1.8M
- 60% of small companies will go out of business within six months after an attack

While it may be surprising that 60% of SMBs attacked will be out of business, once you understand the typical cost of a successful attack, it’s far less surprising.

So do small business owners just give up in the face of these threats? Nah, that’s not the way entrepreneurs roll. Most small businesses can outsource the mitigation of this risk for less than $1K per month, offloading both the risk and the time that it takes to manage a security solution. For a small business, this can be the difference between life or death, much like an insurance policy.

In the world today, it’s no longer a matter of IF your company will be hit by a cyber-attack, it is a matter of WHEN. The question that you should ask yourself is, “Do I have almost 2 million dollars to handle it retroactively, or does it make more sense to spend $1,000 per month to proactively protect my livelihood and my customers?”

For a frank discussion on cyber-security and ways to mitigate these risks, reach out to Fluid. We can help.

IT Security Framework for Accounting Firms

The AICPA released two sets of criteria for public comment this week (Sept 2016) regarding cyber security. Both focus on different elements, but the common theme is the AICPA trying to develop a common framework for audit firms to evaluate the cyber security of their clients (risks and compliance). While this will prove to be very helpful, it got us thinking at Fluid: Do CPA firms themselves have a framework for their own security? Are CPA firms adequately protected from data breaches of their clients’ financial information? Are accounting firms prepared to react to and recover from a malicious threat that may cause data loss or temporarily impact the productivity of the team?

Data security is a pressing issue for CPA firms given the rising level of attacks and the sensitive financial data accountants work with. A few data points –

  • Over ½ a billion personal records were stolen in 2015
  • Phishing campaigns targeting employees rose 55% in 2015
  • Ransomware increased by 35% in 2015 (362K reported cases)
  • 1 in 220 emails sent contain malware (431M new malware variants found)

While developing your own cyber security framework may seem daunting given the rapidly shifting threats, the task at hand can be greatly simplified if you break it down into its component parts (and work with professionals). At Fluid, we support our clients in 4 primary areas that each firm must address to have a comprehensive security plan.

1) Compliance Management:

Does your firm understand all levels of compliance required given the data your firm interacts with? This can range from data retention compliance standards to data-center configuration standards. Often great compliance management starts with proper documentation, but relies on staff training and monthly monitoring to ensure/validate compliance.

2) Perimeter Management:

Think of your IT perimeter like the physical perimeter of a secure building. Are all entries and exits secured and guarded? Firewalls, cloud services, and email are major vulnerability points that should be managed and monitored for security purposes. BYOD and the proliferation of mobile devices have extended this perimeter, but these additional problems have solutions if they are approached systematically.

3) Vulnerability Monitoring and Threat Response:

You may know your weaknesses today, but that will change tomorrow; you need to monitor for attacks and have an active response if any attacks are detected. Much of this can be automated, but some expert oversight can make sure you don’t have any unintended gaps.

4) Cloud Backup and Disaster Recovery:

Even the best-run IT Departments may run into an occasional problem, ranging from accidental data loss to a malicious breach. We’ve found from our experience with clients that having a robust, offsite backup in a secure cloud environment can minimize the impact of most problems and greatly improve recovery times.

 

Whether you know it or not, your firm has ongoing IT activities in each of these 4 areas, which require ongoing focus and continual improvement – security is never ‘one and done’.

If you want to review your security practices, give us a call. We can help.

DNC That Coming! Email Security for Your Business

I was sitting down to write a blog on security, focused on some of the latest data published regarding how IT security impacts small to medium businesses and before I could begin I was lobbed a softball by the Democratic National Convention – a leak (breach) of Democratic Party emails last weekend allegedly conducted, or at least backed, by Russia.

So what happened?

“On Sunday, Hillary Clinton’s campaign manager, Robby Mook, accused Russia of working through hackers to access 19,000 emails at the Democratic National Committee that were dumped into the public domain last Friday by WikiLeaks. The emails showed DNC staffers working to help Clinton’s campaign during her primary fight against Bernie Sanders, despite the DNC’s publicly neutral stance,”*

Why is it important?

We’re an IT Services and IT Security Company, so we’ll try to leave politics aside for this blog. In that spirit, what can we learn from an IT perspective from the leak?

 

Email isn’t just communication, it’s valuable personal and corporate data

Sometimes we separate email from other corporate data, but that’s a mistake. In a typical company email system, hackers could potentially find information on corporate strategy, personally identifying information, financial information, IT system passwords, and other information that could help in further attacks through phishing, etc. Our email isn’t just communication, it’s data that needs to be protected.

While these hackers weren’t looking for credit card numbers in the DNC email, they did learn (and expose) a lot of information about strategy, tactics, and plans that were certainly not intended for the public. In the 19,000 emails, how much personally identifiable information (PII, in security speak) was present? Within the thousands of emails there could be a need for risk mitigation and damage control, not to mention the potential for lawsuits and other fines.

 

Not all email is secure, use encrypted email for sensitive information

Many people still “trust” email as a secure communication method and willingly share private information such as credit card numbers, social security numbers, and healthcare information, to name a few. In the hands of the wrong people that can be very dangerous and costly to many people. Email is not secure by default and must be encrypted prior to sending to have proper security for sharing any private information. If you’ve ever received an email from your doctor or financial institution that sends you to a website to log in to read your email, that is a secure, encrypted email.

 

Security experts are giving you plenty of warning. The time to listen is now.

Security experts have been beating the drum for a while now – cyber attacks are growing at an alarming rate and frequently the target is shifting to small businesses. Another troubling aspect of this breach is that “Federal investigators tried to warn the Democratic National Committee about a potential intrusion in their computer network months before the party moved to try to fix the problem, U.S. officials briefed on the probe tell CNN.” If true, and the FBI warned the DNC and they did not act, it creates a massive problem for the DNC leadership and their credibility. Action in fact was swift as the DNC Chairwoman, Debbie Wasserman Schultz, announced her resignation on Sunday. Further evidence showed “The DNC brought in consultants from the private security firm CrowdStrike in April. And by the time suspected Russian hackers were kicked out of the DNC network in June, the hackers had been inside for about a year.”**

A year! That is a long time to be gathering data and suggests more is likely to be leaked. In fact, WikiLeaks founder Julian Assange has virtually stated as much already. All those emails, all that data is still out in the public domain where anyone with access to the internet can see them.

Federal investigators may not be calling you with warnings about your small business, but security experts have been beating the drum for a while now – cyber attacks are growing at an alarming rate and frequently the target is shifting to small businesses. It’s time to listen to the experts and take basic steps to protect your company.

 

Borders don’t protect your company in cyber attacks

It’s being reported that these attacks came from Russia. Borders can’t protect us from the rest of the world when it comes to cyber attacks. Prosecution and restitution for damages caused by an attack is not going to happen. As an example, once funds are extorted into a foreign country through ransomware, consider them gone with no recourse.

For your business, the foreign nature of attacks is alarming due to the lack of accountability and prosecution. For the DNC breach, the motivation and ability to influence our country’s political process is very alarming.

It’s been stated that the intent was to expose DNC members that used email to sway people to one candidate over the other, something that is fundamentally against the DNC charter. Was this done to just embarrass the DNC or was it a wider sweeping intent to impact our actual Presidential election process in November? If it was in fact Russia, did they do this to make the DNC look unscrupulous in hopes to sway voters to the other Party? The repercussions are HUGE – potentially impacting the outcome of who will be our next President!

Protect yourself!

Some simple steps could have avoided this disaster or at least mitigated it. Just a few things to consider as you run your business –

  1. Robust IT security monitoring and management to proactively detect malicious attacks
  2. Defined governance process and procedures to define what is and is not acceptable
  3. Employee training programs on what to look for, what to NOT put in email
  4. A defined Security Response Procedure to act quickly and decisively if attacked
  5. Take any warnings seriously and address them now

If you can’t check each one of these off your list, call us and we’ll make sure you can. And don’t be surprised when a new wave of hacked emails is made public.

 

*https://www.yahoo.com/news/chris-van-hollen-russian-dnc-000000889.html

**http://www.cnn.com/2016/07/25/politics/democratic-convention-dnc-emails-russia/index.html

Are Cloud Services Lulling You Into A Security Breach Nightmare?

More companies are turning to cloud services to host their servers and software. In fact, Cisco is predicting that by 2018, 28% of the total cloud workloads will be Infrastructure-as-a-Service (IaaS). IaaS allows companies to move the burden of server and software management out of their offices and into the cloud. Such a move lets businesses focus more time and effort on their core business strategies.

However, cloud services don’t lessen the need for tightly integrated and coordinated security plans. Knowing who to call at any given time and which teams will be involved, should any type of data breach occur, now has elevated importance.

As one of our clients discovered not too long ago, a data breach can be a “near death experience” for any business. Here’s how to prepare your business to handle a data security breach quickly and less painfully.

The Key Players

When server and software management are done in-house, there is a convenience of knowing everyone needed is on location when security issues arise. Speed of putting teams together usually isn’t an issue given the proximity of team members.

Once server and software management become more distributed (e.g. cloud services) and more teams become involved, though, resolving problems can become more complex and time consuming without proper coordination.

It’s important to know who the key players are. Some might include the following:

  • Server hosting company
  • Backup service company
  • Software service company
  • Security management/analysis company

 

The number of players will depend on how distributed your systems are.

Once any type of security problem arises, having one or two people available to coordinate multiple distributed teams will become critical. An overall team leader can mean the difference between a few hours of work to resolve data breach issues, or a few days.

Backup Validation - One of the Most Critical Tests You Can Perform

Consistently running backups is a great practice. But without periodic validation, they’re just a black box. When you need them most, you might reach for your backups only to find they don’t restore or that you haven’t been creating the right backups (full vs. incremental, file vs. OS, etc.).

Just as consistent backing up is good practice, consistent backup validation should be part of that practice.

Backup validation does require more work. Backups are automatic and require little human interaction. On the other hand, backup validation is a manual, labor-intensive process. But the time invested can far outweigh the surprise of incorrect or non-functional backups.

Your Response Plan

We’ve seen that several teams might need to be involved in the case of any cloud-based data breach. To create a robust response plan, having a coordinator who can quickly route information between teams and contact people as needed is critical. Additionally, periodic validation of backups to determine what exactly is being backed up fills another potential hole in any response plan.

Creating a checklist ahead of time will help with workflow as you progress through any security issue. Certain teams can have their own checklist for their specific tasks. A coordinator checklist will help in orchestrating overall progress of teams.

To summarize, your plan should look similar to the following:

  1. Decide on an overall multi-team coordinator
  2. Conduct a periodic validation of backups
  3. Create checklists for each team
  4. Create a checklist for the coordinator to help orchestrate all teams

 

If you’d like to read more about data protection, 5 Simple Yet Powerful Ways to Protect Your Data is well worth the read.

A response plan for a data breach scenario involves constantly looking for any point of potential breakdown and providing suggestions for possible solutions. While a data breach can be a time-consuming endeavor to resolve, being prepared lessens the chance of data or revenue loss.

Is Your Company Prepared?

Your managers and your IT team need to work together to make sure your whole company is as secure as possible. If you have any concerns at all about your data security, don’t hesitate to contact us here at Fluid IT Services.

What Your Business DOESN’T Know About the Cloud

The Most Critical Thing Your Business DOESN’T Know About the Cloud

This is a tricky topic because what you don’t know, by definition, is something you are not aware of and thus is not part of your consciousness. The other variable complicating this topic is that defining what is “critical” to your business often depends on factors out of your control.

Coming at the cloud from a business perspective, “critical things you don’t know” can get complicated – fast. But in all my years of experience helping businesses with their cloud computing, I see two very important things that businesses in every vertical just don’t know.

Small Companies Are Dependent On Outsiders – “Trust Me… I’m Your Doctor.”

Small businesses do not typically have in-house IT staff. They are dependent on others to provide everything from a high-level technology strategy to tactical direction on what equipment they need, as well as the specifications and configurations of that equipment.

Small businesses are not in a position to know what to ask for with cloud solutions to meet their business needs (nor should they be). Typically there is not a technical person in the company to build out the specifications for what they need in cloud services. It’s hard to imagine a small business telling a cloud provider exactly how much storage, processing power, memory and bandwidth they require to run each of their software applications.

Even with those cloud solutions that are more defined to meet a specific need, such as SalesForce for customer relationship management (CRM) or Dropbox for file storage and sharing, there are still technical specifications to consider that a small business will need guidance on to ensure they get the right amount of services and that those services align to their business needs.

For the small business, the most critical thing they do not know about the cloud is how to provision the various cloud solutions to meet their business needs. They must rely on outside assistance from either the cloud vendor or a technology partner to help ensure they align cloud solutions to actual business needs now and going forward.

Mid-Sized Companies Are Dependent on Insiders – “Trust Me… I Know This Stuff Like the Back of My Hand.”

For mid-sized businesses, it is a very different landscape. Most mid-sized businesses (approximately 200 to 1,000 employees) will typically have some in-house IT staff; the larger the company, the more staff. The business will look to their in-house IT staff to advise and guide them in procuring the cloud services that meet their business needs. Mid-sized businesses will typically ask the internal staff to assist with cloud vendor identification, vetting and selection of a final solution.

For the internal IT staff to be successful, they need to understand the business well enough to ensure the cloud solution not only meets technical requirements, but also compliance, privacy, and regulatory requirements.

One problem I’ve seen is that there is a tendency for internal IT staff at mid-sized companies to become “stale” in their technical skill set over time. This is not their fault – it’s just a byproduct of working in a mid-sized company. There is often not enough time or formal processes to ensure that internal IT staff stay current in all technologies. The technology ocean is too big and too deep for internal IT staff to keep up and still meet the daily demands on the business. When you add the sheer volume of cloud alternatives, which are changing and growing every day, along with the number of industry-specific cloud solutions, it becomes daunting and intimidating to even attempt to keep up.

For the mid-sized business, the most critical thing they do not know about the cloud is how their own dependency and reliance on their internal IT staff may not translate to the best cloud solutions for the business, and can in fact create serious business risk if the wrong solutions are deployed. Using the wrong solution can result in unwise investment (lost $$$), lost productivity and decreased customer service, all of which can be enough to be a business-ending event.

Reinventing Law Practice with the Cloud

When Len Musgrove started his own law practice, IT was just another frustration and expense. He was all-ears when Wade Yeaman said, “The cloud would be an easier, more cost-effective solution.”