Cyber Security

Microsoft Windows: End of the World (Support)

EndOfSupport.png

Companies like yours need to keep up with strict business, compliance and industry regulations. New threats have made it harder than ever to secure data and applications. With end of support for Windows Server 2008 (including R2) and Windows 7 operating systems approaching, the time to prepare is now, not in December.  Waiting will not make it go away.

Although you can certainly make logical arguments upgrading and modernizing applications should and will lead to improved capabilities and efficiencies for end-users, in this case not upgrading introduces significant risks to the company.

End of support means the end of critical security updates, opening the potential for business interruptions. Worse still, without regular security bulletins it is impossible to guarantee protection against hackers or malware.

Unfortunately, the technology world still communicates in technical terms not easily understood by the business community.  This is still the case with Microsoft’s announcement regarding the end of support for products.  Simply stating an end of support date looming for Windows Server 2008 (including R2) and Windows 7 doesn’t mean it resonates with the business community using those software applications.

The first question often is…

What do I need to do about the end of support?

… when the first questions should be:

What products are impacted by end of support?

What do these products do?

Do we currently run or use any of these products?

So let’s take a step back and answer those questions.

What products are impacted by end of support?

  1. Windows Server 2008/R2 January 2020

  2. Windows 7 January 2020

  3. SQL Server 2008/R2  July 2019

What do these products do?

  1. Windows Server 2008/R2 – is the foundational software used by most companies to manage their users, assign security permissions to users and groups, and support other software sitting on top of this foundation.  The scope and impact is company-wide.

  2. Windows 7 – is the operating system software used by end users on their individual desktops/laptops and support other software sitting on top of this foundation, for example, Outlook, Microsoft Office.  The scope and impact is the end user.

  3. SQL Server 2008/R2 – is the database software other software uses for database functionality, for example, Great Plains, industry specific software.  The scope and impact is company-wide.

Do we currently run or use any of these products?

To know if you are using any of the solutions impacted by end of support, you should rely on your technology department or provider to conduct an assessment of all the systems currently in use and provide a report showing the current versions and usage of those products.

Once you have a report, whether you have 1 or 100 systems impacted, you should then use the information to develop a plan for addressing each one.  Some systems may take months to address, so having a plan sooner than later will save management potential stress and sticker shock.

What to expect.

Let’s assume you’ve had an assessment done and determine you have 4 servers running Windows Server 2008 R2 and 25 workstations/laptops running Windows 7 Professional.  Developing a plan for addressing them should be tailored to your specific business, budget and system use.  Workstations may be replaced quickly, where servers may take months.

Cost is not the only factor.

Using our example, a ‘refresh plan’ should be defined for every workstation running Windows 7 Professional.  If the workstations are 4 years or older, it may make more fiscal sense to replace them with new machines running the latest Windows 10 operating system.  If the machines are still acceptable from a performance specification standpoint, it may make sense to upgrade the machines to Windows 10 Pro from Windows 7 Professional.  Aside from the costs related to these options, consideration should be given to how employees are using those machines and what potential improvements might be gained from a machine replacement versus upgrading only the software.  To avoid a large capital expenditure (CAPEX) cost at the last minute in December, you may want to spread out the purchase of replacement machines over the next 5-6 months.  A simple method is to take the number of machines, 25 in our example, and divide by the number of months remaining before you want them all replaced.  It is now June, so assuming replacement needs to be completed by January 1, 2020, purchasing 4 machines a month July through November and 5 in December would have them all replaced by year end, spreading the cost over time.

Migrating servers from Windows Server 2008 R2 requires more analysis and planning because typically servers are running mission critical software applications for the business.  It is not best practice to upgrade a Windows Server operating system as you typically would with a Windows end-user operating system and in most cases, it would be recommended to migrate to a new installation.  Some standard questions to consider during planning include –

  1. What business software is running on the server?  Will that software run ‘as-is’ on a new version of Windows Server 2016 or will it require an upgrade as well?

  2. Is business software running on Windows Server 2008 R2 that is NOT supported by later versions of Windows Server and will not run on later versions?  Should the business software be replaced with software more current and supported?  Should we continue to run the software on Windows Server 2008 R2 knowing the significant security risks?

  3. What impact will downtime have on the business related to migrating servers?

  4. Can they all be migrated during a single timeframe (likely a weekend) or does it need to be a phased approach?

  5. Does the server hardware need to be replaced along with the Windows Server software?  If so, what are the options now available that may not have been available 2-5 years ago?

  6. Will our customers and vendors be impacted by any of these changes?  What notices should be sent prior to the changes?

Don’t wait.  Get help.

If all this seems overwhelming, you’re not alone.  Many companies read the headlines and do nothing about it because it’s just too much to contemplate and is a major distraction to normal business duties.  Because of the very real security risks, this is one of those times procrastination can really hurt the business exponentially more than the cost associated with addressing the issue. 

You don’t have to do it alone.  Fluid has been working all year and will continue to through the end of the year to do the heavy lifting for companies.  From the assessment, planning, recommendations, obtaining necessary quotes, working with third-party vendors, and implementation, we try to do as much as possible to keep the business running.  We will take on the tasks management and operational staff don’t have time to deal with.  The additional benefit is knowing it will be done with technology proficiency and discipline many companies simply don’t have in-house.

If you do not know if ‘end of support’ will impact your company, you are at risk.  At a minimum, knowing your exposure should be a top priority.  Waiting until December may make the holiday season more stressful than it needs to be.  If you need help, we’re here to do so. 

You can reach Fluid at 866-802-9848 or via email at secure@fluiditservices.com

 

Understanding the Cloud

WhatTheCloud.png

In 2019 you would think the business community would have a good understanding of cloud computing. Reality is much different.  As I speak with business owners, management, and users, the “cloud” is still a nebulous concept more than a solution.  It’s certainly not understood well enough to know how to maximize the value of the cloud based on specific business use cases.  This knowledge gap is a source of business risk as well as lost potential business value.

I’ve written many blogs on cloud computing the past 5 + years and “hosted servers and software”, the stepping stone to the cloud, prior to that.  We have learned a great deal during that time, but one constant remains – there is always more to learn because the technology changes so rapidly.

At Fluid, we have a “cloud first” philosophy where any solutions kept on premise in the office requires a valid business case; a 180 degree change in philosophy from 7 to 8 years ago.  Today, it’s not just about determining if the cloud is a good fit, it’s about selecting the best type of cloud solution with the most optimal deployment.  This requires a deep technical understanding of cloud solutions, well beyond the glossy sales brochures.  Just keeping up with current technology is a full-time job, add the need to understand new disruptive technologies and how they impact the value proposition and you quickly realize it takes a disciplined commitment and process involving many people with varying skill sets.

The barrage of marketing buzzwords around cloud attempting to clarify things actually add to the confusion – public cloud, private cloud, hybrid cloud, software-as-a-service, platform-as-a-service, infrastructure-as-a-service, cloud disaster recovery; the list goes on.

To simplify things, let’s look at a few types.  These definitions and descriptions can be scrutinized and argued among vendors, experts and engineers, but that is not the audience.  The ones needing the most help in understanding the cloud are the business buyers and users.

Public Cloud

These are the big ‘logo’ guys: Microsoft Azure, Amazon AWS, Google Cloud, etc.  These companies, as you would expect, have behemoth cloud infrastructures and solutions that literally span the globe.  These are typically shared environments that are highly complex requiring senior engineers and architects to properly design and deploy.  Their sheer size can provide benefits in cost and deployment with geographical flexibility.  Each have their own rules to abide by.

Private Cloud

These are typically smaller players that have their own cloud infrastructure in smaller geographical areas.  The advantage of private clouds is greater flexibility and control.  Because they aren’t aligned to the major public cloud companies, which are also ‘product’ companies, they have the ability to host solutions that may not be a good fit for the public cloud.  In addition, some companies prefer the private aspect of knowing more about where their information is stored, how it’s managed and, in many cases, more secure.

Hybrid Cloud

The hybrid cloud is just that, a hybrid that utilize more than one solution.  This can include hosting components in the public cloud and others in the private cloud.  It can also be a mix of hosting some solutions onsite with others in the public or private cloud.  Hybrid cloud solutions are typically very ‘business use case’ specific.  For example, an engineering company with very high processing requirements for CAD drawings may use solutions on premise and back up the data to a private or public cloud.

Software-as-a-service (SaaS) should also be mentioned because a vast majority of companies use SaaS solutions alongside others.  For example, if using Dropbox for file sharing and hosting accounting systems in Microsoft Azure is using SaaS for Dropbox and public cloud for the accounting system.

Licensing is a beast!

Invariably, when companies evaluate cloud solutions they focus primarily on the core of the solutions: what will run in the cloud, how much processing power do we need, how much storage is required, how can remote users access it easily from anywhere.  What is often glossed over is the software licensing requirements.  Abusing software licensing rules even unintentionally is not something to take trivially.  The volumes of rules, requirements, and options is literally a wormhole requiring multiple jobs in itself. 

Be wary the sales rep that says licensing is ‘all included’ or ‘nothing to worry about’.  The costs associated with licensing can double the cost of a cloud solution and more if not done properly.  Every software solution has licensing rules and regulations, many of which are specific to usage not just in the cloud but the type of cloud. 

We have a half dozen different licensing programs and certifications just to cover Microsoft licensing in the cloud.  Just multiply that by the number of software providers and it’s a book no one wants to read.  But someone must read it and understand how to weave all the various licensing options into the blanket that best covers your business.  Make sure your provider understands licensing and make sure you understand licensing enough to be comfortable your business is properly covered.  It’s too good to be true is a cautionary motto to follow.

As I was writing this blog, I received an email from a cloud customer, who is the business owner of a food manufacturing business.  In his email, he forwarded dialog with his ‘local tech provider’ questioning every aspect of the cloud setup, software licensing, etc.  It was clear the customer provided the invoice detail to the tech to be a second set of eyes to confirm he had a good solution, which is never a problem.  Transparency with customers should always be the standard protocol.  Interestingly, every line item the tech questioned and provided feedback on was incorrect.  If the end customer followed this advice they would be woefully non-compliant and given dangerously bad information.  This exchange of information proves the entire point of this blog.  Even technical people providing advice don’t understand the cloud technologies with dire consequences. 

Choosing the wrong provider and partner can be disastrous to the business.

The challenges businesses face today is not if a cloud solution will be a good fit but finding the expertise to determine the best solutions available to the business and, more importantly, the ability to execute and implement the solutions.  There are hundreds if not thousands of IT companies, managed service providers (MSPs), etc. happy to sell cloud solutions without the in-house knowledge required to design, implement and support the services properly. 

The problem is exacerbated because the typical business ‘buyer’ does not have the knowledge to ask the right questions to confirm the ‘seller’ has the skills required to meet business needs.  Migrating to the cloud is not an easy task, regardless of what the sales pitch says.  A vendor skilled in doing migrations will have a defined, disciplined migration process and experience to make the migration as painless as possible.  Every flawless plan has unexpected issues to be addressed.  This is where your vendor earns their keep.  If the vendor doesn’t have migration experience and skills, the wheels can shoot off well beyond frustration and become a major disruption to the business with outages and downtime.

Public cloud is… well, public.  So what?

Microsoft Azure publishes its cloud pricing to the public, as well as a “pricing calculator” to use to estimate potential cloud costs.  Easy right?!  Think again.  You must know this stuff at so many deep technical levels and layers it will make the most tech savvy run for the hills.  As a Microsoft Cloud Solution Provider (CSP) we have dozens of “portals” we must navigate just to manage our customers Azure and Office365 accounts and environments, and we are the experts.  This scenario plays out for the other 800 pound gorillas as well.

Proceed with caution… it’s one thing to sell, quite another to advise, implement and support

What is the real implication?  The cloud has come a long way and continues to improve with better tools, automation, and solutions.  But notice I did not say support.  One major lagging necessity is good (not even great) support from cloud providers.  Every cloud provider will require you purchase support, even if it’s buried in the pricing.  What they don’t tell you is the quality of the support.  It’s only when you make that initial call for support that you realize it’s going to be very long day.  Again, this stems from a lack of skills and experience to deliver on both the technical side of the house and customer service.

It is very disheartening to witness how these powerful technologies can improve and enable business only to be poorly understood by those who position themselves as experts to support it.

No one becomes a cloud expert overnight.

We have invested over 10 years of countless hours, millions of dollars, and hundreds of deployments in the cloud.  It wasn’t and isn’t easy to do. It requires a different level of commitment I’m sorry to see many in our business not obligate themselves to.  We owe it to all those we serve not only to understand the technologies, but educate in business terms the value, the many options, and ultimately find the right solution for the situation.  There is an entire segment of business soured on the idea of the cloud because of poor advice, execution, and support.  I only hope with the right partner they can find their way back to today’s possibilities.  Cloud is definitely not a fit for everyone and never will be, but it shouldn’t be swept off the table because we didn’t do our jobs.

Destination Unknown – Cybersecurity without a defined objective is a path to disaster

TechMgmt.jpg

Destination Unknown – Cybersecurity without a defined objective is a path to disaster

Vacation time!

Let’s start this cybersecurity discussion by taking a little vacation – or at least pretend to take a vacation. Before going on vacation, people usually plan for the trip ahead of time.

Scenario 1: Planning for a vacation.

When planning a vacation, most people take the following steps:

  1. Determine the budget.

  2. Choose the destination.

  3. Decide when to go on vacation (busy season, hot, cold, vacation days available at work, etc.).

  4. Decide where to stay (choose hotel, condo, Airbnb, etc.).

  5. Choose mode of transportation (plane, car, boat, etc.).

  6. Book flights, rent car, plan your driving route, etc. 

  7. Book babysitter, dog sitter, house sitter, etc.

  8. Plan activities while on vacation.

  9. Begin the journey to the destination.

  10. Arrive at the destination.

  11. Have fun!

All the above has a cost element to be considered, which can cause the vacation plans to change.  Ideally, a budget would be created at the beginning of the process to help with planning the vacation and determining what is and is not doable. Although, a budget should be the first step in the planning process, people oftentimes choose a desired destination, and then adjust the budget accordingly.

Another important step when planning a vacation, is to do enough research to make informed decisions and properly budget for each part of the plan, especially if traveling to a new destination. People will often turn to friends and/or family for suggestions and input when planning a vacation, but friends and family may not be able to give the best advice. For example, how could they recommend a hotel if they’ve never been to the destination? 

Therefore, it’s also important to utilize outside resources for information and contact experts who are able provide information on destinations, price, pros and cons, hotels, activities, etc. The hard part is knowing who to trust. Some “experts” are more concerned with selling certain products or services even if they may not be the best option. So, it’s usually a good idea to gather information from various people and resources before making informed decisions.

Cybersecurity Time!

If the same logic is applied to businesses when choosing cybersecurity solutions, it reveals a dangerous tendency. 

Scenario 2: Choosing and implementing the best solution and level of cybersecurity

When planning for cybersecurity implementation, business leaders should take several steps:

  1. Determine the budget.

  2. Choose the level of security needed for the business.

  3. Analyze each security element to understand what it does and doesn’t do.

  4. Based on the analysis, determine the priority and order for implementing each element.

  5. Determine who will be responsible for assessing the solution options.

  6. Decide when to begin implementing the security solutions.

  7. Decide who will be involved in the implementation process.

  8. Plan the implementation process and any impact to the business (downtime, users, etc.).

  9. Ensure all relevant parties have been informed, then begin implementation.

  10. Implement the solution and test (sometime in phases or using pilot groups).

  11. Complete implementation and make the necessary adjustments.

  12. Conduct a post-review of the project to determine areas for future improvement.

Planning a Vacation vs. Planning Cybersecurity Implementation

While planning a vacation can be challenging, it is exponentially more difficult to plan and implement cybersecurity. 

When planning a trip, people usually have some sense of what the budget should be or at least know what they can and cannot spend.  Most businesses don’t even have a budget for cybersecurity, so there’s no starting point.  In fact, most companies don’t even have an IT budget, so they certainly don’t have a security budget.

While understanding the purpose for each part of a trip, the reason for it, and pros and cons is relatively easy, understanding the different levels of cybersecurity is not easy at all. Due to the technical nature and the complexity of cybersecurity, it’s difficult to educate CEO’s (buyers) on the different levels of cybersecurity. Translating technology and then articulating the risk/value can be extremely challenging.

Also, like the “experts” people may consult when planning a vacation, many “cybersecurity experts” try to sell solutions to businesses that may not be the appropriate solutions and/or security level. In addition, many IT professionals don’t know how to implement or even determine the best security solutions.

Start with Communication

CEO’s and C-level executives:

  • Cybersecurity is extremely complex, so it’s always wise to consult with multiple experts during the planning and implementation process.

  • When in doubt, ask: If you need more clarification, ask questions until you understand. Ask your IT resources to use analogies or imagery to help you understand.

  • Stay as involved as you possibly can before, during and after the implementation process.  

If you are an IT professional:

  • Before drowning the CEO with cybersecurity jargon, find a way to communicate and educate in terms that the management team can understand: Like the “vacation scenario”, try using analogies, imagery, etc. to explain technology.

  • Don’t be afraid to seek advice from external resources and/or other IT professionals. Technology is complex, and constantly evolving. So, it’s impossible to have all the answers.

Effective and consistent communication is imperative for businesses to appropriately address technology and cybersecurity risks. 

The following provides ways to help overcome this challenge in order to effectively plan and implement cybersecurity:

Define, Determine and Decide

As the diagram below illustrates, there are various levels of cybersecurity.

Step 1. Define and understand each level.

  • Because it includes technical jargon, this diagram may need to be explained in a way that business management and users can understand.

Step 2. Determine what level of security the company currently has.

  • None, Basic, Advance or Comprehensive

Step 3. Decide on which security level to target during implementation.

  • Keep in mind that it takes time and money for a company to start from “None” and move directly to “Advanced”.  So, when trying to decide on a level, remember 80% of all security incidents are due to employees. When in doubt, start with solutions that will address employee driven risks for prevention – AV, training, email ATP. 

SecurityLevels.png

Step 4. Implement, monitor and communicate

·         Once the desired level is agreed upon, begin implementation and continue to monitor and communicate the current state of risk as the company progresses towards the desired cybersecurity level.

·         Using a simple diagram, like the one below, is a helpful tool to use when explaining the progress of implementation to management. 

This diagram illustrates an example of an organization that has a “Yellow risk level” while also showing what has been completed and what has not.

SecurityStatus.png

Step 5. Update management on an ongoing basis

  • Once a communication method is in place, it’s important to update management on the cybersecurity status on an ongoing basis. 

The diagram below is another example of a helpful communication tool to use when explaining the cybersecurity status to management.

SecurityCommunication.png

Embrace the journey!

Effective cybersecurity management never ends. Therefore, if security solutions and levels are not proactively monitored, the risk level can move from Yellow to Green and then back down to Red.  Firewall failure, equipment beyond end-of-life, anti-virus expiration, etc. can cause immediate changes in risk levels.

Cybersecurity is about continuously mitigating risk and keeping businesses from going out of business.  But, in order to successfully mitigate risk, a disconnect between management and IT cannot exist. The IT industry continues to struggle with effective communication – especially when it comes to cybersecurity. Because of this, over 58% of all cyberattacks target small to mid-sized businesses and over 60% of businesses that are hit with a cyberattack go out of business.

Albert Einstein defined insanity as doing the same thing over and over again and expecting different results. It’s time for the technology industry to stop the insanity of ineffective and/or complete lack of communication with business owners and executives about cybersecurity. 

It’s important to take a step back to understand the ‘why’ then work on the ‘what’.  Create a communication method that works for the business, then begin focus on the ‘how’ and ‘when’ to take the appropriate action.

 

Is your business as safe as you think it is? What you need to know to keep your company secure.

With the increase in cyber threats, coupled with the confusion and lack of knowledge about cybersecurity, how do you know if your company is secure?  How do you know if you’re doing the right things at the right time?  The whole topic of cybersecurity is overwhelming and there’s not anything “fun” about it. So, it’s easy to avoid, but at what real risk to the company?

Monsters!

CyberMonsterDespite all the statistics that point to the fact that businesses, without the proper security measures, will likely suffer from a cyberattack, cyber threats are still being viewed as scary, but unlikely to occur. Most businesses still see a cyberattack as the monster under the bed, and cybersecurity as protection against the highly unrealistic possibility that there will ever actually be a monster under the bed. But unfortunately, these “monsters” are very real, and the number of attacks continues to escalate. It’s critical for businesses to have the correct security measures in place to keep the “monsters” from being able to even enter the front door.

One security solution does NOT fit all

Be cautious of cybersecurity providers who offer the same solution to every client. Every company is different, so expectations should be set based on many factors: size of the business, type of business, industry, etc. Also, no two businesses require the same IT solutions, support, software, or hardware. So, having tailored and specific IT security is crucial.

Is your business insecure?

If you’re reading this blog, then you’ve been warned! Now, what are you going to do about it? If you want to keep your business safe from cyber threats, knowing your risk level is a good first step to take before addressing each risk.

The following questionnaire addresses this by asking some basic questions that any business owner or management team should be able to answer.  While some of the topics are technical in nature, the questions are driven from a focus on the business itself.Questionnaire

Cybersecurity Preparedness Questionnaire

Answer each question below and tally your score. After completing the questionnaire, total your score to determine the level of risk for your company.

Yes: 0 points  No: 5 points  Unsure: 5 points

  1. Do you have a cybersecurity budget review annually?
  2. Do you have a written information security policy signed by every employee?
  3. Has your company reviewed its cybersecurity policies and procedures within the last year?
  4. Do you have a person designated as your security officer?
  5. Do you have a written incident response plan that is reviewed annually?
  6. Have you tested your incident response plan within the last 12 months?
  7. Do you know if you have any compliance or regulatory requirements?
  8. Have you defined the level of cybersecurity needs based on your business and compliance requirements?
  9. Have you provided security training to your employees in the past 12 months?
  10. Do you provide security training to employees on an annual basis?
  11. Can you employees identify sensitive information that could compromise the company if stolen?
  12. Do you know where your sensitive data is stored?
  13. Do you have cyber insurance that is reviewed annually?
  14. Are employees prevented from administrative privileges on your network or computers?
  15. Does your company have an acceptable use policy?
  16. Does your company consistently enforce policies around the acceptable use of computers, email, internet?
  17. Do employees regularly update passwords on company-issued computers/devices?
  18. Do your employees lock their computers when away from their desk, even for a few minutes?
  19. Do all your computers have anti-virus software that is regularly updated?
  20. Does your company have data backups onsite and offsite verified at least once a year?

Low Risk: 0-10 Moderate Risk: 15-25 High Risk: 30-50 Escalated Risk: 55-100

What now?

Once you’ve identified your risk level, what now?  If you answered “unsure” to any of the questions, do the necessary research to confirm the answer.  Once you have a “Yes” or “No” answer for every question, you will have a better idea of your true exposure and can begin prioritizing which areas to address first to mitigate the risk.

Don’t put your head in the sand!Headinsand

If you didn’t score a 10 or below, then getting to the green, (low risk range), won’t happen overnight. It takes time and, most importantly, full commitment and buy-in from ownership and senior leadership. But, as I mentioned, cyber threats are not imaginary monsters. So, don’t pretend they don’t exist and hope that nothing bad will happen. At Fluid, we understand the process can be overwhelming. Even determining the priority of what to do first can be a challenge. Luckily, we have a team of experts dedicated to cybersecurity. So, please feel free to reach out to us for help. Don’t wait until it’s too late!

Happy #$%@ New Year’s!! My Money is Gone!

HoodedHackerThis scam is downright scary!

Time is of the essence on this blog, so I tried to find a title that will grab your attention. I hope it did. I don’t get overly dramatic in my blogs, but this one is warranted for how bad it is. I also try to use graphics to break things up a bit, but I didn’t want to spend more time trying to make things “artsy”.

If you’re going to read anything, please read this. It might just save you thousands of dollars.

A small business owner and close friend of mine, we’ll refer to as “Joe”, texted me on December 22nd, (yes, right before Christmas), livid he had been conned out of thousands of dollars by a very elaborate and well executed scam. Now Joe is no dummy and pulling one over on him is no small task, but the detail these scammers deployed was no match for even an astute businessman.

So what happened?

The target, Joe, uses Chase Bank for his business and personal finances, which becomes important later.  All the money in both his personal and business accounts was stolen within minutes! How?... Joe gave the hackers the information they needed to steal it.

The chain of events.

Joe received a call from Chase Bank’s “Fraud Department” stating there was suspicious activity on his account, and transactions were made in a foreign country. Joe then explained that had recently been to Mexico on vacation – a common destination when you live in Texas.

Being a diligent and rightfully cautious person, Joe checked the number calling him and it matched the phone number on the back of his Chase credit card. The hook was set!!

The “Chase representative” stated because there were fraudulent attempts on his account, he needed to close both accounts, personal and business, and transfer the money to new, “safe” accounts. Then, the representative said he would text Joe a code for him to read back, which once again came from a legitimate number.  A two-factor authentication, using texted codes, to a mobile number is common practice, and no cause for alarm.  The representative then used this code to access both accounts and change the real password, one the hacker could then use.

In real time, the hacker used the common online payment app, Zelle, to clean out both personal and business accounts. It should also be noted that the scammer on the phone spoke excellent English and sounded legitimate, which is another well thought out tactic and different from the obvious “rich uncle” accents from Eastern Europe or other countries.

Worst nightmare!

Now being suspicious, Joe went into a Chase branch location and they verified that it was, in fact, NOT Chase. The real Chase representative mentioned this was the second time in a few days they have dealt with this same scam.  Panic now set in!

Pain and no gain.

While in the branch location, Joe had to immediately close all his accounts, open new accounts, while simultaneously working with the bank’s fraud department to try and reverse the transfers to get his money back.

When the Chase fraud department did their initial forensics, they discovered the transfer was made using a relative’s name.  This means the hackers gained full access to the account information, including the list of approved people and accounts to transfer money to and from.  Because the hackers chose a relative as the person receiving the funds, Chase would not escalate until Joe could confirm and ‘prove’ funds were not transferred to the family member as a legitimate transfer. The hackers purposely chose a family member knowing it wouldn’t get escalated.

It’s important to note that the phone number showing on Joe's caller ID matched the number on his Chase credit card.  At one point, Joe hit ‘call back’ feature on his phone to automatically dial the Chase number, which was directed back to the fraudsters (a tactic called number spoofing). The Chase fraud department advised Joe to always manually dial the number and not use the automatic call back feature on your mobile phone to ensure that you’re calling the correct number. In addition to closing his accounts and opening new accounts, Joe also has to identify and contact the numerous legitimate personal and business vendors and payers he works with to update their new account information.  More pain.

At the time of this blog, the success of reversing the scam is unknown. The bank stated it would take up to 30 days to determine if Joe would get the money back. To add insult to injury, Joe is also now locked out of online banking for 60 days.

This is one of the most elaborate and well thought out cons I’ve ever seen, requiring multiple people who know exactly how people use banking, and more importantly, people who know exactly how banks and their fraud departments work.  They were always one step ahead of the victim and I’m certain there are more to come!  So be diligent, be doubtful, beware.

Ho, Ho, Ho No! I've been hacked!!

With the holidays upon us, it's not only the kids getting excited.  Hackers also love the holidays and the gift of giving takes on a whole new meaning.  Increasing malicious activity during the holiday spending spree is no coincidence.  Don't be a victim!  Take some tips from this blog by IBM SecurityIntelligence to be more diligent.  Hacky Holidays?

Cybersecurity - "You can't handle the truth!"

I’m a guy who likes sports and movies, and my wife tells me that I’m constantly quoting sports analogies and movie tag lines. Guilty as charged.  So, why do I do that???  Because I can quickly state a movie quote or sports reference to explain a situation to someone, without having to spend an hour doing so. If I tell someone “you just fumbled”, knowing this person likes or understands American football, he or she will immediately know they made a mistake.  Notice how I stated ‘American football’ lest I confuse it with the round ball version and defeat the very purpose of my analogy.

ManYelling

The problem is, if I use my linguistic mojo on people who don’t follow sports or movies (yes, those people do exist), I not only don’t get my point across, I confuse them.  Many times, I get that tilt-of-the-head puppy look and then a nod, never asking me to clarify what I meant.  It’s surprising how many people never ask the question – I don’t understand, what do you mean?

This can be very frustrating and even a cause for escalating arguments and disagreement later.

To clarify, here’s an example of a recent conversation when discussing a company project…

Me: “We’re at the one-yard line!  It’s time to punch it across the goal line!” Colleague: “Got it!  You can count on me!”

A week later…

Me: “So that project was completed, right?” Colleague: “No, I’m still working on it.  I need to add some more detail." Me: “What!  I thought I told you and we agreed this needed to be done asap!? Like yesterday.” Colleague: “Oh, I’m sorry.  You didn’t tell me it was urgent.” Me: “I did tell you it was urgent.  Remember ‘the one-yard line’, ‘the goal line’?” Colleague: “Yeah I kind of recall something like that.” Me: “Then why didn’t you get it done??” Colleague: “Why are you yelling at me?  I have no idea what you meant.” Me: “Why didn’t you ask?

And the downward spiral continues.  The frustration level for everyone is extreme.  Worse yet, the project was not completed, and the company suffers.

I see this same scenario over and over again as it relates to technology and business – especially with cybersecurity.

Get serious about cybersecurity SecurityGuard

Articles are published every day stating how businesses aren’t taking cybersecurity seriously enough only to be completely ignored.

I constantly come across articles that give real statistics showing how businesses think they are secure, yet they have recently been breached or compromised!  How is that possible?  Why do businesses, led by extremely smart people, continue to ignore the very real threat that cybersecurity breaches and hackers can easily compromise their business’ livelihood?  Why do they continue to have incidents, and not learn from them?

Some studies show, many business owners rely on their insurance policy to save them instead of protecting their assets proactively.  I believe some of that is true, but I believe the real issue is a complete disconnect in communication.

The danger of miscommunication

MiscommunicationThere is a very real and dangerous disconnect in communication between business and IT!

I read an article recently that was trying to get businesses to understand the importance of cybersecurity and the importance of communication between IT and business.  Here is how the article begins…

 

ArguingDigital transformation is happening rapidly in every industry. As companies move toward software-defined infrastructures (SDI) connected to powerful cloud ecosystems, they can tap into the near-real-time intelligence from the data gathered from every edge of their business, helping to drive faster business decisions and changing the way they serve their customers.

Rapid transformation, however, without a solid plan, can produce cybersecurity vulnerabilities. As infrastructures go virtual, security models need to shift. To avoid serious risks and security management issues, companies need to identify challenges, strategize, collaborate, pilot, test, and evangelize. *

 

Did you have to read it twice?  Did you understand even part of it?  What exactly is ‘every edge of their business’?

“Trust me, Greg, when you start having little Fockers running around, you'll feel the need for this type of security.” Meet the Parents, 2000

Yes, I did it, I used a movie line from the great film “Meet the Parents” to make my point.  If you haven’t seen the movie, you have no clue what I’m talking about.  Business leaders have not seen the cybersecurity movie!!  They don’t understand a word coming out of your mouth (another movie reference).

Don’t allow technology to get lost in translation

LostTranslation

In all seriousness, business leaders have not taken the time and do not have the time to learn all the parlance of cybersecurity.  Yet, we keep pummeling them to death with cyber techno-speak.

The reality is, both business and technology leaders have a responsibility to their companies, their employees, and themselves to learn enough about each other to make the conversation relevant.  I can keep showing business owners all statistics. But, most of them still don’t properly plan for or budget for cybersecurity, and most will only do so after they’re hit with ransomware or have a breach.  But what is ransomware?  What is a breach?  What do they look like? What is the actual cost to the business now and in the future?

This is not a one-sided issue. IT professionals also need to learn how to translate technology jargon into terms that business owners can understand.

The same case can be made for IT experts making an effort to understand the language of business and understand the impact they are having.  When business owners and leadership speak in terms of EBITDA, CAPEX, OPEX, Life Time Value, Gross Margins, Net Margins, Cash Management, etc., they are speaking a language immediately understood within the group, but many times foreign to the IT group.

At some point, business owners, leadership, and even board members must work with IT experts to start taking cybersecurity more seriously.  Both parties must be willing to have an open dialog where each is not afraid to ask questions, educate and translate into terms each party can understand, to make better business decisions.

If you want to have a discussion regarding your business and how the cybersecurity landscape impacts your company now and in the future in a language you can understand, contact us! We will be happy to advise and educate you in this increasingly complex space.

May the force be with you!

 

* AT&T Cybersecurity Insights Vol 7

What you don't know CAN hurt you!

BlindMan Cybersecurity continues to be a real problem for small to mid-sized (SMB) companies because they honestly believe it will not happen to them.  To make matters worse, in a recent article by Dark Reading, 51% of SMB leaders are convinced their companies are not a target for cybercrime.  You can read the article here.  With the large number of security incidents we respond to within the SMB community, it is very surprising and discouraging businesses continue to ignore cyber threats.

Small to Mid-Sized Companies Do Not Act Until AFTER They Have Incurred Multiple Cyber Incidents

Unfortunately, what we find is that companies take preventative action only after they have been hit multiple times.  You read that last line correctly.  We see companies have an incident, incur very large unplanned expenses to deal with it, and continue to 'do nothing' until they are hit again and again.  I have to believe this is primarily due to the lack of understanding of the real risk of cyber threats at a business level, coupled with it being a blind spot in business management - I don't know what I don't know.

The Security Industry is Partly to Blame

The cybersecurity industry is partly to blame for the lack of understanding and visibility in the business community because, as an industry, cybersecurity continues to communicate in very technical jargon and terms business owners and management simply cannot understand and do not have time to try and figure out.  This creates a disconnect between the business and the very solutions available to proactively address mitigating the risk related to cyber attacks.

If business owners were armed with information showing what is actually occurring within their business on a regular basis, communicated in terms they can understand, not only would they enable the experts to help remediate issues proactively, they would have detailed information on employee behavior and actual traffic moving in and out of the business.  Security reports provide extremely valuable and powerful information which can be used not only to thwart cyber threats, but also create and enforce general company policies on how business assets are being used.

You can see sample report showing one month of actual data obtained from proactively deploying and monitoring security here Security Report

I believe if business owners could SEE what is actually happening, they would be much more likely to address the very real cyber threat risk.  At a minimum, they would have to decide to do nothing knowing bad things really are happening.

 

Your Cyber Security is Failing!

managed-security-services  

When you take a course in school or work and you get 100% on the test, it’s a great feeling.  Perfection!  How smart are you!  When you get 100% on every test, every time, you have truly mastered the subject and are clearly an expert.  It’s something you might even want to boast about to your friends; what an accomplishment!

But what if the scenario was turned 180 degrees and you received a 0% on every test.  Your feelings are completely opposite.  You are discouraged, frustrated, even embarrassed.  Your confidence is shot and you certainly don’t want to be bragging about it to your friends.

This is the scenario we see in cyber security.  When we deploy our cyber security solution for a new client, we have a very methodical process for the implementation and configuration of the solution based on the clients’ needs.  Part of the process includes continually capturing real-time data and then reporting those findings on a monthly basis.  We review these security reports with our clients so they can see and understand what is actually happening in their company.

Every company fails security 100% of the time!

What we have found interesting is that we find an issue or issues that need immediate remediation 100% of the time.  Think about that for a minute.  Every single time for every single client they fail.  This is not something the company wants to deal with, it is very frightening to them, and they certainly do not want to boast about it to others.

Often times we have already remediated issues in real-time as we are monitoring their security, but many times it takes working with the company management to determine what they want to do.  As an example, if we find a company computer suddenly is trying to broadcast malicious content out through the company’s internet connection, we will be immediately notified, shut-down and ‘clean’ the identified computer.  We certainly do not want to wait until the end of the month to address the issue.

Other issues are more dependent on what the company management team wants to do.  During our initial monthly review of the report, there are often issues related to how employees are using company systems.  For example, employees are accessing inappropriate websites, usage of social media sites such as YouTube, Facebook and Pandora are excessive and saturating internet bandwidth.  We also see attempts to access the company network from other countries, such as China, Romania, North Korea, etc.  In these cases, the company management almost always is shocked and says “We don’t do business with those countries!  Why are they trying to access our information!?”.

This is an example where we need to have a discussion with management to confirm what is legitimate and what is not.  Using our service, we can block websites and countries permanently and selectively, or the company may want to write and issue an Information Security Policy that states what the company policies are for appropriate use.  In the latter case, the issue is handled through policy and not technology.

You can’t address what you can’t see

In all these cases, the primary issue is that companies without proper security in place are in a state of being blissfully ignorant.  They do not see anything going on so they assume everything is good.  Once we shine a light on security, their eyes are wide open because they can now see what is actually happening.  Having the information allows us, working with the company, to address and remediate issues.

The larger implication is companies without proper security are playing with fire.  While some issues are not extremely damaging, it is only a matter of time when a malicious event becomes a major security incident the company must respond to.  Imagine you are a health provider, law firm or any company (since every company has sensitive and private information) and find you have a breach and private information has been leaking out of the company.  The status just went from green to red, requiring significant and immediate effort from many different people – the incident response plan.

The point is, in today’s world, it is better to know and have a planned response than to continue to be in the dark.  We know 100% of companies we work with will have issues to address, we also know most companies continue to operate in the dark believing it won’t happen to them.  As scary and uncomfortable as it may be, I would certainly rather operate from a position of knowing rather than taking the chance and hoping nothing will happen.  After all, we know from actual data, ‘nothing will happen’ actually never happens.

Security Delivered in a Box

With news of breaches occurring daily, cyber security has been forced to the forefront of every business.  The challenge is cyber security is a very complex subject to address with many layers using names confusing even to technical people.  Trying to decipher and understand all the layers and what is appropriate for your business is nearly impossible without a team of experts to guide you along the way.  Often the result is having multiple vendors provide different layers of security that do not work well together, are difficult to manage, and ultimately more expensive. For this reason, Fluid spent a year researching to find a better way.  What we found was very interesting.  There were many security companies offering specific pieces of an overall solution – one vendor offering a firewall, another offering anti-virus, and another offering cloud based security, and so on.  This was the very overly complex scenario we were trying to avoid.

Using this knowledge, Fluid developed a set of solutions to address each layer of security in a unified way that can be centrally managed, while in turn reducing the number of vendors involved and related cost.  The result is security in a box, a menu of security solutions to address each layer of security with options for increasing security levels to meet the specific needs of a business.

You are covered from the end user to the cloud!

SecurityInABox

The primary aspects in a consolidated solution had to include the following –

  1. Centralized management of all security devices and software
  2. Consistent ongoing management and monitoring of security events for remediation
  3. Proactive notification of threats
  4. Detailed monthly reports showing actual data related to the specific client environment and usage
  5. Inclusion all necessary hardware, software, and support renewals (firewalls, network switches, wireless access points, cloud based firewalls, etc.)

Whether it’s 3 devices or 3,000, Fluid can procure, configure, implement, and manage security using a single standardized process.

The results for our clients have been fantastic!

After implementation of the service, we review the initial monthly security report with our clients and without exception, the report shows activities they had no idea were occurring.  Not only do they have visibility to what is actually happening in their business, they now can do something about it.  Whether it is through creating a company policy or having Fluid systematically block certain traffic, the business is now in control.

In addition, because the service is all-inclusive and standardized, it can very easily scale as the company grows.  We have many clients that open new branch offices around the country and we can very quickly deploy the solution to those locations and add them to the overall solution.  In addition, each location receives its own monthly security report, so analysis and action items can be done at the location level.

The reports are an extremely valuable tool for ongoing cyber security monitoring and remediation.

SecRpt1

Visibility to outside attempts to infiltrate company systems allows specific geographic based controls.

SecRpt2

A primary role of any cyber security is to block malicious attacks and intrusions.  Monthly reports show details on specific attacks.

SecRpt3

If a deeper inspection is needed, we can even go to the user level to analyze what is occurring.  This has been especially helpful for situations where there may be one or two rogue users that need to be addressed.

SecRpt4

Unfortunately, employees are the number one source for security incidents.  Knowing what they are doing is necessary to continue to improve security training and make adjustments to security policies.

SecRpt5

Fluid’s Security-as-a-Service includes everything you need, out of the box, to secure your business!  Contact us now to learn how 214-245-4118 or wade.yeaman@fluiditservices.com.

Wanna Cry?

As you may know, on May 12, hackers launched a global ransomware campaign against tens of thousands of corporate and governmental targets. The ransomware encrypts files on an infected computer and asks the computer's administrator to pay a ransom in order to regain access.  

The ransomware attack is apparently spreading through a Microsoft Windows exploit called “EternalBlue,” for which Microsoft released a patch in March. That month Fortinet released an initial IPS signature to detect vulnerabilities against MS17-10. This signature specifically looks for SMB type vulnerabilities. Earlier this week, Fortinet updated their IPS signature to further enhance detection. It appears this update detects the ransomware. Today, they released an AV signature that detects and stops this attack. (Third-party testing has confirmed that Fortinet Anti-Virus and FortiSandbox are blocking the attacks.)

 

We strongly advise customers to take all of the following steps:

  • Apply the patch published by Microsoft on all nodes of the network.
  • Ensure that the Fortinet AV inspections as well as web filtering engines are turned on to prevent the malware being downloaded and to ensure that our web filtering is blocking communications back to the command and control servers.
  • Disable via GPO the execution of files with extension WNCRY.
  • Isolate communication to ports 137 / 138 UDP and ports 139 / 445 TCP in the networks of the organizations.

 

If you would like more information on how to protect your network, use the link below to register for the Fluid IT Services/Fortinet Security event on June 6, 2017 @12pm:

 

Register Now

 

Please feel free to read the latest posts on this subject, published by the FortiGuard Labs team:

https://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware

http://blog.fortinet.com/2017/05/15/wannacry-ransomware

 

 

Are You Prepared for a Cyberwar?

We make it our business to protect yours. Former white hat hacker Joshua Petty will be presenting the unexpected sources of security threats and how to defend yourself. In light of the recent global ransomware attacks, this information could prove invaluable. We think you should be there.

Fortinet is the largest security appliance vendor, and when partnered with Fluid IT Services you know that your information is protected. The topics over lunch will cover simple ways to harden your infrastructure, how to manage your security with minimal effort, and arming your staff to become more security conscious.

Space is limited, so register today to secure your place at the table. We look forward to your participation.

Tuesday, June 6, 2017 @12pm

Maggiano's Little Italy 6001 West Park Blvd.

What you can expect:
  • Security insights from the experts
  • Fine Italian dining
  • GOPRO giveaway with all the accessories to get you started

Register Now

Security Breaches: The Kiss of Death for Small Business

For romantics, a kiss signifies love, affection, or respect. Unless you receive the kiss of death, which signifies that your days are numbered. For small business, a cyber-security breach is the dreaded kiss of death. security metrics 2.0Here are some stats that’ll start your heart from recent studies from Property Casualty 360 and Small Business Trends:

- 62% of cyber-attacks are focused on small to medium businesses - Only 14% of these businesses rating their ability to mitigate an attack as highly effective - Average cost of a breach for a small business, including damage or theft of assets and disruption of normal operations is slightly over $1.8M - 60% of small companies will go out of business within six months after an attack

While it may be surprising that 60% of SMBs attacked will be out of business, once you understand the typical cost of a successful attack, it’s far less surprising.

So do small business owners just give up in the face of these threats? Nah, that’s not the way entrepreneurs roll. Most small businesses can outsource the mitigation of this risk for less than $1K per month, offloading both the risk and the time that it takes to manage a security solution. For a small business, this can be the difference between life or death, much like an insurance policy.

In the world today, it’s no longer a matter of IF your company will be hit by a cyber-attack, it is a matter of WHEN. The question that you should ask yourself is, “Do I have almost 2 million dollars to handle it retroactively, or does it make more sense to spend $1,000 per month to proactively protect my livelihood and my customers?”

For a frank discussion on cyber-security and ways to mitigate these risk, reach out to Fluid. We can help.

[gravityform id="1" title="true" description="true"]

Don't let bureaucracy slow down your cyber security program

Fluid Security FrameworkBusinesses don’t have the time, budget or skills to adequately cover and mitigate all the very real security risks that could take them out of business at any time.  Nor do companies want to hire full time staff just to manage security. In a new global report from the Center for Strategic and International Studies along with Intel Security, the importance of senior leadership supporting cyber security implementation is made crystal clear. Here's a great summary of the report from Help Net Security: Attackers thrive in a fluid market, while bureaucracy constrains defenders.

Fluid handles this by providing a comprehensive layered approach to security for the entire organization, creating a security fabric to cover it all – Security-as-a-Service.

It’s not a matter of if but when you will have a security incident.  Be prepared.  Be proactive. Be responsive.  Be responsible.  If you would like to learn more about Fluid’s Security-as-a-Service offering, please contact us.