#cybersecurity

Microsoft Windows: End of the World (Support)


Companies like yours need to keep up with strict business, compliance and industry regulations. New threats have made it harder than ever to secure data and applications. With end of support for Windows Server 2008 (including R2) and Windows 7 operating systems approaching, the time to prepare is now, not in December.  Waiting will not make it go away.

Although you can certainly make logical arguments that upgrading and modernizing applications should and will lead to improved capabilities and efficiencies for end-users, in this case not upgrading introduces significant risks to the company.

End of support means the end of critical security updates, opening the potential for business interruptions. Worse still, without regular security bulletins it is impossible to guarantee protection against hackers or malware.

Unfortunately, the technology world still communicates in technical terms not easily understood by the business community.  This is still the case with Microsoft’s announcement regarding the end of support for products.  Simply stating an end of support date looming for Windows Server 2008 (including R2) and Windows 7 doesn’t mean it resonates with the business community using those software applications.

The first question often is…

What do I need to do about the end of support?

… when the first questions should be:

What products are impacted by end of support?

What do these products do?

Do we currently run or use any of these products?

So let’s take a step back and answer those questions.

What products are impacted by end of support?

  1. Windows Server 2008/R2 – January 2020

  2. Windows 7 – January 2020

  3. SQL Server 2008/R2 – July 2019

What do these products do?

  1. Windows Server 2008/R2 – is the foundational software used by most companies to manage their users, assign security permissions to users and groups, and support other software sitting on top of this foundation.  The scope and impact is company-wide.

  2. Windows 7 – is the operating system software used by end users on their individual desktops/laptops and supports other software sitting on top of this foundation, for example, Outlook, Microsoft Office.  The scope and impact is the end user.

  3. SQL Server 2008/R2 – is the database software other software uses for database functionality, for example, Great Plains, industry specific software.  The scope and impact is company-wide.

Do we currently run or use any of these products?

To know if you are using any of the solutions impacted by end of support, you should rely on your technology department or provider to conduct an assessment of all the systems currently in use and provide a report showing the current versions and usage of those products.

Once you have a report, whether you have 1 or 100 systems impacted, you should then use the information to develop a plan for addressing each one.  Some systems may take months to address, so having a plan sooner rather than later will save management potential stress and sticker shock.

What to expect.

Let’s assume you’ve had an assessment done and determined you have 4 servers running Windows Server 2008 R2 and 25 workstations/laptops running Windows 7 Professional.  Developing a plan for addressing them should be tailored to your specific business, budget and system use.  Workstations may be replaced quickly, whereas servers may take months.

Cost is not the only factor.

Using our example, a ‘refresh plan’ should be defined for every workstation running Windows 7 Professional.  If the workstations are 4 years or older, it may make more fiscal sense to replace them with new machines running the latest Windows 10 operating system.  If the machines are still acceptable from a performance specification standpoint, it may make sense to upgrade the machines to Windows 10 Pro from Windows 7 Professional.  Aside from the costs related to these options, consideration should be given to how employees are using those machines and what potential improvements might be gained from a machine replacement versus upgrading only the software.  To avoid a large capital expenditure (CAPEX) cost at the last minute in December, you may want to spread out the purchase of replacement machines over the next 5-6 months.  A simple method is to take the number of machines, 25 in our example, and divide by the number of months remaining before you want them all replaced.  It is now June, so assuming replacement needs to be completed by January 1, 2020, purchasing 4 machines a month July through November and 5 in December would have them all replaced by year end, spreading the cost over time.

Migrating servers from Windows Server 2008 R2 requires more analysis and planning because typically servers are running mission critical software applications for the business.  It is not best practice to upgrade a Windows Server operating system as you typically would with a Windows end-user operating system and in most cases, it would be recommended to migrate to a new installation.  Some standard questions to consider during planning include –

  1. What business software is running on the server?  Will that software run ‘as-is’ on a new version of Windows Server 2016 or will it require an upgrade as well?

  2. Is business software running on Windows Server 2008 R2 that is NOT supported by later versions of Windows Server and will not run on later versions?  Should the business software be replaced with software more current and supported?  Should we continue to run the software on Windows Server 2008 R2 knowing the significant security risks?

  3. What impact will downtime have on the business related to migrating servers?

  4. Can they all be migrated during a single timeframe (likely a weekend) or does it need to be a phased approach?

  5. Does the server hardware need to be replaced along with the Windows Server software?  If so, what are the options now available that may not have been available 2-5 years ago?

  6. Will our customers and vendors be impacted by any of these changes?  What notices should be sent prior to the changes?

Don’t wait.  Get help.

If all this seems overwhelming, you’re not alone.  Many companies read the headlines and do nothing about it because it’s just too much to contemplate and is a major distraction to normal business duties.  Because of the very real security risks, this is one of those times procrastination can really hurt the business exponentially more than the cost associated with addressing the issue. 

You don’t have to do it alone.  Fluid has been working all year and will continue to through the end of the year to do the heavy lifting for companies.  From the assessment, planning, recommendations, obtaining necessary quotes, working with third-party vendors, and implementation, we try to do as much as possible to keep the business running.  We will take on the tasks management and operational staff don’t have time to deal with.  The additional benefit is knowing it will be done with technology proficiency and discipline many companies simply don’t have in-house.

If you do not know if ‘end of support’ will impact your company, you are at risk.  At a minimum, knowing your exposure should be a top priority.  Waiting until December may make the holiday season more stressful than it needs to be.  If you need help, we’re here to do so. 

You can reach Fluid at 866-802-9848 or via email at secure@fluiditservices.com

 

Destination Unknown – Cybersecurity without a defined objective is a path to disaster


Vacation time!

Let’s start this cybersecurity discussion by taking a little vacation – or at least pretend to take a vacation. Before going on vacation, people usually plan for the trip ahead of time.

Scenario 1: Planning for a vacation.

When planning a vacation, most people take the following steps:

  1. Determine the budget.

  2. Choose the destination.

  3. Decide when to go on vacation (busy season, hot, cold, vacation days available at work, etc.).

  4. Decide where to stay (choose hotel, condo, Airbnb, etc.).

  5. Choose mode of transportation (plane, car, boat, etc.).

  6. Book flights, rent car, plan your driving route, etc. 

  7. Book babysitter, dog sitter, house sitter, etc.

  8. Plan activities while on vacation.

  9. Begin the journey to the destination.

  10. Arrive at the destination.

  11. Have fun!

All the above has a cost element to be considered, which can cause the vacation plans to change.  Ideally, a budget would be created at the beginning of the process to help with planning the vacation and determining what is and is not doable. Although a budget should be the first step in the planning process, people oftentimes choose a desired destination, and then adjust the budget accordingly.

Another important step when planning a vacation is to do enough research to make informed decisions and properly budget for each part of the plan, especially if traveling to a new destination. People will often turn to friends and/or family for suggestions and input when planning a vacation, but friends and family may not be able to give the best advice. For example, how could they recommend a hotel if they’ve never been to the destination?

Therefore, it’s also important to utilize outside resources for information and contact experts who are able to provide information on destinations, price, pros and cons, hotels, activities, etc. The hard part is knowing who to trust. Some “experts” are more concerned with selling certain products or services even if they may not be the best option. So, it’s usually a good idea to gather information from various people and resources before making informed decisions.

Cybersecurity Time!

If the same logic is applied to businesses when choosing cybersecurity solutions, it reveals a dangerous tendency. 

Scenario 2: Choosing and implementing the best solution and level of cybersecurity

When planning for cybersecurity implementation, business leaders should take several steps:

  1. Determine the budget.

  2. Choose the level of security needed for the business.

  3. Analyze each security element to understand what it does and doesn’t do.

  4. Based on the analysis, determine the priority and order for implementing each element.

  5. Determine who will be responsible for assessing the solution options.

  6. Decide when to begin implementing the security solutions.

  7. Decide who will be involved in the implementation process.

  8. Plan the implementation process and any impact to the business (downtime, users, etc.).

  9. Ensure all relevant parties have been informed, then begin implementation.

  10. Implement the solution and test (sometimes in phases or using pilot groups).

  11. Complete implementation and make the necessary adjustments.

  12. Conduct a post-review of the project to determine areas for future improvement.

Planning a Vacation vs. Planning Cybersecurity Implementation

While planning a vacation can be challenging, it is exponentially more difficult to plan and implement cybersecurity. 

When planning a trip, people usually have some sense of what the budget should be or at least know what they can and cannot spend.  Most businesses don’t even have a budget for cybersecurity, so there’s no starting point.  In fact, most companies don’t even have an IT budget, so they certainly don’t have a security budget.

While understanding the purpose for each part of a trip, the reason for it, and pros and cons is relatively easy, understanding the different levels of cybersecurity is not easy at all. Due to the technical nature and the complexity of cybersecurity, it’s difficult to educate CEOs (buyers) on the different levels of cybersecurity. Translating technology and then articulating the risk/value can be extremely challenging.

Also, like the “experts” people may consult when planning a vacation, many “cybersecurity experts” try to sell solutions to businesses that may not be the appropriate solutions and/or security level. In addition, many IT professionals don’t know how to implement or even determine the best security solutions.

Start with Communication

CEOs and C-level executives:

  • Cybersecurity is extremely complex, so it’s always wise to consult with multiple experts during the planning and implementation process.

  • When in doubt, ask: If you need more clarification, ask questions until you understand. Ask your IT resources to use analogies or imagery to help you understand.

  • Stay as involved as you possibly can before, during and after the implementation process.  

If you are an IT professional:

  • Before drowning the CEO with cybersecurity jargon, find a way to communicate and educate in terms that the management team can understand: Like the “vacation scenario”, try using analogies, imagery, etc. to explain technology.

  • Don’t be afraid to seek advice from external resources and/or other IT professionals. Technology is complex, and constantly evolving. So, it’s impossible to have all the answers.

Effective and consistent communication is imperative for businesses to appropriately address technology and cybersecurity risks. 

The following provides ways to help overcome this challenge in order to effectively plan and implement cybersecurity:

Define, Determine and Decide

As the diagram below illustrates, there are various levels of cybersecurity.

Step 1. Define and understand each level.

  • Because it includes technical jargon, this diagram may need to be explained in a way that business management and users can understand.

Step 2. Determine what level of security the company currently has.

  • None, Basic, Advanced or Comprehensive

Step 3. Decide on which security level to target during implementation.

  • Keep in mind that it takes time and money for a company to start from “None” and move directly to “Advanced”.  So, when trying to decide on a level, remember 80% of all security incidents are due to employees. When in doubt, start with solutions that will address employee-driven risks for prevention – AV, training, email ATP.

SecurityLevels.png

Step 4. Implement, monitor and communicate

  • Once the desired level is agreed upon, begin implementation and continue to monitor and communicate the current state of risk as the company progresses towards the desired cybersecurity level.

  • Using a simple diagram, like the one below, is a helpful tool to use when explaining the progress of implementation to management.

This diagram illustrates an example of an organization that has a “Yellow risk level” while also showing what has been completed and what has not.

SecurityStatus.png

Step 5. Update management on an ongoing basis

  • Once a communication method is in place, it’s important to update management on the cybersecurity status on an ongoing basis. 

The diagram below is another example of a helpful communication tool to use when explaining the cybersecurity status to management.

SecurityCommunication.png

Embrace the journey!

Effective cybersecurity management never ends. Therefore, if security solutions and levels are not proactively monitored, the risk level can move from Yellow to Green and then back down to Red.  Firewall failure, equipment beyond end-of-life, anti-virus expiration, etc. can cause immediate changes in risk levels.

Cybersecurity is about continuously mitigating risk and keeping businesses from going out of business.  But, in order to successfully mitigate risk, a disconnect between management and IT cannot exist. The IT industry continues to struggle with effective communication – especially when it comes to cybersecurity. Because of this, over 58% of all cyberattacks target small to mid-sized businesses and over 60% of businesses that are hit with a cyberattack go out of business.

Albert Einstein defined insanity as doing the same thing over and over again and expecting different results. It’s time for the technology industry to stop the insanity of ineffective and/or complete lack of communication with business owners and executives about cybersecurity. 

It’s important to take a step back to understand the ‘why’, then work on the ‘what’.  Create a communication method that works for the business, then begin to focus on the ‘how’ and ‘when’ to take the appropriate action.

 

Is your business as safe as you think it is? What you need to know to keep your company secure.

With the increase in cyber threats, coupled with the confusion and lack of knowledge about cybersecurity, how do you know if your company is secure?  How do you know if you’re doing the right things at the right time?  The whole topic of cybersecurity is overwhelming and there’s not anything “fun” about it. So, it’s easy to avoid, but at what real risk to the company?

Monsters!

Despite all the statistics that point to the fact that businesses, without the proper security measures, will likely suffer from a cyberattack, cyber threats are still being viewed as scary, but unlikely to occur. Most businesses still see a cyberattack as the monster under the bed, and cybersecurity as protection against the highly unrealistic possibility that there will ever actually be a monster under the bed. But unfortunately, these “monsters” are very real, and the number of attacks continues to escalate. It’s critical for businesses to have the correct security measures in place to keep the “monsters” from being able to even enter the front door.

One security solution does NOT fit all

Be cautious of cybersecurity providers who offer the same solution to every client. Every company is different, so expectations should be set based on many factors: size of the business, type of business, industry, etc. Also, no two businesses require the same IT solutions, support, software, or hardware. So, having tailored and specific IT security is crucial.

Is your business insecure?

If you’re reading this blog, then you’ve been warned! Now, what are you going to do about it? If you want to keep your business safe from cyber threats, knowing your risk level is a good first step to take before addressing each risk.

The following questionnaire addresses this by asking some basic questions that any business owner or management team should be able to answer.  While some of the topics are technical in nature, the questions are driven from a focus on the business itself.

Cybersecurity Preparedness Questionnaire

Answer each question below and tally your score. After completing the questionnaire, total your score to determine the level of risk for your company.

Yes: 0 points  No: 5 points  Unsure: 5 points

  1. Do you have a cybersecurity budget reviewed annually?
  2. Do you have a written information security policy signed by every employee?
  3. Has your company reviewed its cybersecurity policies and procedures within the last year?
  4. Do you have a person designated as your security officer?
  5. Do you have a written incident response plan that is reviewed annually?
  6. Have you tested your incident response plan within the last 12 months?
  7. Do you know if you have any compliance or regulatory requirements?
  8. Have you defined the level of cybersecurity needs based on your business and compliance requirements?
  9. Have you provided security training to your employees in the past 12 months?
  10. Do you provide security training to employees on an annual basis?
  11. Can your employees identify sensitive information that could compromise the company if stolen?
  12. Do you know where your sensitive data is stored?
  13. Do you have cyber insurance that is reviewed annually?
  14. Are employees prevented from administrative privileges on your network or computers?
  15. Does your company have an acceptable use policy?
  16. Does your company consistently enforce policies around the acceptable use of computers, email, internet?
  17. Do employees regularly update passwords on company-issued computers/devices?
  18. Do your employees lock their computers when away from their desk, even for a few minutes?
  19. Do all your computers have anti-virus software that is regularly updated?
  20. Does your company have data backups onsite and offsite verified at least once a year?

Low Risk: 0-10 Moderate Risk: 15-25 High Risk: 30-50 Escalated Risk: 55-100

What now?

Once you’ve identified your risk level, what now?  If you answered “unsure” to any of the questions, do the necessary research to confirm the answer.  Once you have a “Yes” or “No” answer for every question, you will have a better idea of your true exposure and can begin prioritizing which areas to address first to mitigate the risk.

Don’t put your head in the sand!

If you didn’t score a 10 or below, then getting to the green (low-risk range) won’t happen overnight. It takes time and, most importantly, full commitment and buy-in from ownership and senior leadership. But, as I mentioned, cyber threats are not imaginary monsters. So, don’t pretend they don’t exist and hope that nothing bad will happen. At Fluid, we understand the process can be overwhelming. Even determining the priority of what to do first can be a challenge. Luckily, we have a team of experts dedicated to cybersecurity. So, please feel free to reach out to us for help. Don’t wait until it’s too late!

What you don't know CAN hurt you!

Cybersecurity continues to be a real problem for small to mid-sized (SMB) companies because they honestly believe it will not happen to them.  To make matters worse, in a recent article by Dark Reading, 51% of SMB leaders are convinced their companies are not a target for cybercrime.  You can read the article here.  With the large number of security incidents we respond to within the SMB community, it is very surprising and discouraging businesses continue to ignore cyber threats.

Small to Mid-Sized Companies Do Not Act Until AFTER They Have Incurred Multiple Cyber Incidents

Unfortunately, what we find is that companies take preventative action only after they have been hit multiple times.  You read that last line correctly.  We see companies have an incident, incur very large unplanned expenses to deal with it, and continue to 'do nothing' until they are hit again and again.  I have to believe this is primarily due to the lack of understanding of the real risk of cyber threats at a business level, coupled with it being a blind spot in business management - I don't know what I don't know.

The Security Industry is Partly to Blame

The cybersecurity industry is partly to blame for the lack of understanding and visibility in the business community because, as an industry, cybersecurity continues to communicate in very technical jargon and terms business owners and management simply cannot understand and do not have time to try and figure out.  This creates a disconnect between the business and the very solutions available to proactively address mitigating the risk related to cyber attacks.

If business owners were armed with information showing what is actually occurring within their business on a regular basis, communicated in terms they can understand, not only would they enable the experts to help remediate issues proactively, they would have detailed information on employee behavior and actual traffic moving in and out of the business.  Security reports provide extremely valuable and powerful information which can be used not only to thwart cyber threats, but also create and enforce general company policies on how business assets are being used.

You can see a sample report showing one month of actual data obtained from proactively deploying and monitoring security here: Security Report

I believe if business owners could SEE what is actually happening, they would be much more likely to address the very real cyber threat risk.  At a minimum, they would have to decide to do nothing knowing bad things really are happening.

 

Your Cyber Security is Failing!


When you take a course in school or work and you get 100% on the test, it’s a great feeling.  Perfection!  How smart are you!  When you get 100% on every test, every time, you have truly mastered the subject and are clearly an expert.  It’s something you might even want to boast about to your friends; what an accomplishment!

But what if the scenario was turned 180 degrees and you received a 0% on every test.  Your feelings are completely opposite.  You are discouraged, frustrated, even embarrassed.  Your confidence is shot and you certainly don’t want to be bragging about it to your friends.

This is the scenario we see in cyber security.  When we deploy our cyber security solution for a new client, we have a very methodical process for the implementation and configuration of the solution based on the clients’ needs.  Part of the process includes continually capturing real-time data and then reporting those findings on a monthly basis.  We review these security reports with our clients so they can see and understand what is actually happening in their company.

Every company fails security 100% of the time!

What we have found interesting is that we find an issue or issues that need immediate remediation 100% of the time.  Think about that for a minute.  Every single time for every single client they fail.  This is not something the company wants to deal with, it is very frightening to them, and they certainly do not want to boast about it to others.

Oftentimes we have already remediated issues in real time as we are monitoring their security, but many times it takes working with the company management to determine what they want to do.  As an example, if we find a company computer suddenly is trying to broadcast malicious content out through the company’s internet connection, we will be immediately notified and will shut down and ‘clean’ the identified computer.  We certainly do not want to wait until the end of the month to address the issue.

Other issues are more dependent on what the company management team wants to do.  During our initial monthly review of the report, there are often issues related to how employees are using company systems.  For example, employees are accessing inappropriate websites, or usage of social media sites such as YouTube, Facebook and Pandora is excessive and saturating internet bandwidth.  We also see attempts to access the company network from other countries, such as China, Romania, North Korea, etc.  In these cases, the company management almost always is shocked and says “We don’t do business with those countries!  Why are they trying to access our information!?”.

This is an example where we need to have a discussion with management to confirm what is legitimate and what is not.  Using our service, we can block websites and countries permanently and selectively, or the company may want to write and issue an Information Security Policy that states what the company policies are for appropriate use.  In the latter case, the issue is handled through policy and not technology.

You can’t address what you can’t see

In all these cases, the primary issue is that companies without proper security in place are in a state of being blissfully ignorant.  They do not see anything going on so they assume everything is good.  Once we shine a light on security, their eyes are wide open because they can now see what is actually happening.  Having the information allows us, working with the company, to address and remediate issues.

The larger implication is companies without proper security are playing with fire.  While some issues are not extremely damaging, it is only a matter of time before a malicious event becomes a major security incident the company must respond to.  Imagine you are a health provider, law firm or any company (since every company has sensitive and private information) and find you have a breach and private information has been leaking out of the company.  The status just went from green to red, requiring significant and immediate effort from many different people – the incident response plan.

The point is, in today’s world, it is better to know and have a planned response than to continue to be in the dark.  We know 100% of companies we work with will have issues to address; we also know most companies continue to operate in the dark believing it won’t happen to them.  As scary and uncomfortable as it may be, I would certainly rather operate from a position of knowing rather than taking the chance and hoping nothing will happen.  After all, we know from actual data, ‘nothing will happen’ actually never happens.

Security Delivered in a Box

With news of breaches occurring daily, cyber security has been forced to the forefront of every business.  The challenge is cyber security is a very complex subject to address with many layers using names confusing even to technical people.  Trying to decipher and understand all the layers and what is appropriate for your business is nearly impossible without a team of experts to guide you along the way.  Often the result is having multiple vendors provide different layers of security that do not work well together, are difficult to manage, and ultimately more expensive. For this reason, Fluid spent a year researching to find a better way.  What we found was very interesting.  There were many security companies offering specific pieces of an overall solution – one vendor offering a firewall, another offering anti-virus, and another offering cloud based security, and so on.  This was the very overly complex scenario we were trying to avoid.

Using this knowledge, Fluid developed a set of solutions to address each layer of security in a unified way that can be centrally managed, while in turn reducing the number of vendors involved and related cost.  The result is security in a box, a menu of security solutions to address each layer of security with options for increasing security levels to meet the specific needs of a business.

You are covered from the end user to the cloud!


The primary aspects in a consolidated solution had to include the following –

  1. Centralized management of all security devices and software
  2. Consistent ongoing management and monitoring of security events for remediation
  3. Proactive notification of threats
  4. Detailed monthly reports showing actual data related to the specific client environment and usage
  5. Inclusion of all necessary hardware, software, and support renewals (firewalls, network switches, wireless access points, cloud based firewalls, etc.)

Whether it’s 3 devices or 3,000, Fluid can procure, configure, implement, and manage security using a single standardized process.

The results for our clients have been fantastic!

After implementation of the service, we review the initial monthly security report with our clients and without exception, the report shows activities they had no idea were occurring.  Not only do they have visibility to what is actually happening in their business, they now can do something about it.  Whether it is through creating a company policy or having Fluid systematically block certain traffic, the business is now in control.

In addition, because the service is all-inclusive and standardized, it can very easily scale as the company grows.  We have many clients that open new branch offices around the country and we can very quickly deploy the solution to those locations and add them to the overall solution.  In addition, each location receives its own monthly security report, so analysis and action items can be done at the location level.

The reports are an extremely valuable tool for ongoing cyber security monitoring and remediation.


Visibility to outside attempts to infiltrate company systems allows specific geographic based controls.


A primary role of any cyber security is to block malicious attacks and intrusions.  Monthly reports show details on specific attacks.


If a deeper inspection is needed, we can even go to the user level to analyze what is occurring.  This has been especially helpful for situations where there may be one or two rogue users that need to be addressed.


Unfortunately, employees are the number one source for security incidents.  Knowing what they are doing is necessary to continue to improve security training and make adjustments to security policies.


Fluid’s Security-as-a-Service includes everything you need, out of the box, to secure your business!  Contact us now to learn how 214-245-4118 or wade.yeaman@fluiditservices.com.