Now Featuring: third-party software updates

In a continuing effort to offer the best remote monitoring & maintenance available and to enhance the security of our clients even more, we are now offering updates to several of the most popular third-party software packages. This is in addition to the Windows patching, system health checks, system maintenance, managed antivirus (included for free), and website blacklist monitoring that now come standard with our remote monitoring & maintenance service. Here is a summation:

Third-Party Software Updates

Google Chrome: web browser made by Google.

Firefox: web browser made by the Mozilla Foundation.

CCleaner: system cleaning utility (now owned by AVG).

Adobe Acrobat Reader: PDF viewer made by Adobe.

Adobe Flash Player: website animation plugin made by Adobe.

Java Runtime: website programming plugin made by Oracle.

There is a long list of other software that we can update for you automatically, but we have chosen these in particular to update as they are the most likely to be exploited and least likely to be updated regularly.

If your company has software that needs to be automatically updated or you would like to sign up for remote monitoring and maintenance, then contact us for assistance.

Quick Look at PCI Compliance Regulations

Just got done cleaning up after a security breach (aka hacking) of one of my client’s accounting workstations. They had an older method of remote access called Microsoft Remote Desktop that has known vulnerabilities without additional security measures in place. The hacker did not touch their Quickbooks data (super surprising), but installed software to send SPAM, mine bitcoin crypto-currency, and run fraudulent credit card transactions. Since there were no compromises of Primary Account Numbers (PAN) or customer data there was no need for notifying customers, but the FBI Cyber Crime division was still notified to help share with them the intelligence from the breach. This then led to me reading through the PCI DSS regulations again and making the requisite recommendations to mitigate the current issues with the client’s network and protect against future attempts. Here is a list of applicable PCI Compliance Regulations:

Requirement 1.1.2 – Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
Requirement 1.2 – Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
Requirement 1.3 – Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Requirement 4.1 – Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
•    Only trusted keys and certificates are accepted
•    The protocol in use only supports secure versions or configurations
•    The encryption strength is appropriate for the encryption methodology in use
Requirement 5.1 – Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Requirement 5.2 – Ensure that all anti-virus mechanisms are maintained as follows:
•    Are kept current,
•    Perform periodic scans
•    Generate audit logs
Requirement 5.3 – Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period
Requirement 6.2 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Requirement 8.2.3 – Passwords/passphrases must meet the following:
•    Require a minimum length of at least seven characters.
•    Contain both numeric and alphabetic characters.
Requirement 8.2.4 – Change user password/passphrases at least once every 90 days.

If your company has PCI Compliance Regulations that you need consulting for, then contact us for assistance.

CyberSecurity Month – Internet of Things Tips

The Internet of Things refers to any object or device that sends and/or receives data automatically via the Internet. This rapidly-expanding set of “things” includes tags (also known as labels or chips that automatically track objects), sensors, and devices that interact with people and share information machine to machine.

WHY SHOULD WE CARE?

• Cars, appliances, wearables, lighting, healthcare, and home security all contain sensing devices that can talk to another machine and trigger other actions. Examples include: devices that direct your car to an open spot in a parking lot; mechanisms that control energy use in your home; and other tools that track your eating, sleeping, and exercise habits.

• This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.

• Though many security and resilience risks are not new, the scale of interconnectedness created by the Internet of Things increases the consequences of known risks and creates new ones.

SIMPLE TIPS

Without a doubt, the Internet of Things makes our lives easier and has many benefits; but we can only reap these benefits if our Internet-enabled devices are secure and trusted. Here are some tips to increase the security of your Internet-enabled devices:

1. Keep a clean machine.
Like your smartphone or PC, keep any device that connects to the Internet free from viruses and malware. Update the software regularly on the device itself as well as the apps you use to control the device.

2. Think twice about your device.
Have a solid understanding of how a device works, the nature of its connection to the Internet, and the type of information it stores and transmits.

3. Secure your network.
Properly secure the wireless network you use to connect Internet-enabled devices.

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

CyberSecurity Month – Mobile Device

Mobile devices enable Americans to get online wherever they are. Although mobile devices — from smart watches to phones and tablets — can be extremely useful and convenient, there are also potential threats users may face with such technology. It’s important to understand how to protect yourself when connecting on the go.

DID YOU KNOW?

• 56 percent of American adults own a smartphone.
• More than half of mobile application (app) users have uninstalled or decided not to install an app due to concerns about their personal information.

SIMPLE TIPS

1. Use strong passwords.

Change any default passwords on your mobile device to ones that would be difficult for someone to guess. Use different passwords for different programs and devices. Do not choose options that allow your device to remember your passwords. (We recommend LastPass Mobile App to keep track of passwords, encryption of the phone and fingerprint scanning for unlocking your device.)

2. Keep software up to date.

Install updates for apps and your device’s operating system as soon as they are available. Keeping the software on your mobile device up to date will prevent attackers from being able to take advantage of known vulnerabilities. (Unfortunately the carrier that you choose is in charge of the OS updates on the phones, but allow auto updates on all other apps.)

3. Disable remote connectivity.

Some mobile devices are equipped with wireless technologies, such as Bluetooth, that can connect to other devices. Disable these features when they are not in use. (Look out for NFC also as this will allow access based on how close someone gets to your phone – think crowded elevator.)

4. Be careful what you post and when.

Wait to post pictures from trips and events so that people do not know where to find you. Posting where you are also reminds others that your house is empty.

5. Guard your mobile device.

In order to prevent theft and unauthorized access, never leave your mobile device unattended in a public place and lock your device when it is not in use.

6. Know your apps.

Be sure to review and understand the details of an app before downloading and installing it. Be aware that apps may request access to your location and personal information. Delete any apps that you do not use regularly to increase your security. (Also do not root your phone or install apps from any place other than the platform’s app store.)

7. Know the available resources.

Use the Federal Communications Commission’s Smartphone Security Checker at www.fcc.gov/smartphone-security.

If your company is concerned about cybersecurity and wants to take the needed steps to protect yourselves, then contact us for assistance.

CyberSecurity Month – Small Business Tips

Broadband and information technology are powerful tools for small businesses to reach new markets and increase sales and productivity. However, cybersecurity threats are real and businesses must implement the best tools and tactics to protect themselves, their customers, and their data. Visit www.fcc.gov/cyberplanner to create a free customized Cyber Security Planning guide for your small business and visit www.dhs.gov/stopthinkconnect to download resources on cyber security awareness for your business. Here are ten key cybersecurity tips to protect your small business:

1. Train employees in security principles.

Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

2. Protect information, computers, and networks from cyber attacks.

Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available. (Our managed monthly service contract customers already have this taken care of.)

3. Provide firewall security for your Internet connection.

A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall. (We don’t recommend the free stuff as you always get what you pay for.)

4. Create a mobile device action plan.

Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

5. Make backup copies of important business data and information.

Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud. (We recommend backup copies in both.)

6. Control physical access to your computers and create user accounts for each employee.

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel. (Definitely agree with the separate users and least

7. Secure your Wi-Fi networks.

If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router. (Also make sure to segregate public guest traffic from private traffic.)

8. Employ best practices on payment cards.

Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

9. Limit employee access to data and information, and limit authority to install software.

Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10. Passwords and authentication.

Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account. (Multifactor should be implemented on all web based applications from third party vendors.)

If your company is concerned about cybersecurity and wants to take the needed steps to protect yourselves, then contact us for assistance.

CyberSecurity Month – Entrepreneur Tips

Entrepreneurs face the same cybersecurity challenges and threats that larger businesses face but with limited resources, capacity, and personnel. Cybersecurity is especially important for entrepreneurs because they have the unique opportunity to integrate cybersecurity practices at the onset of their investments and business development.

DID YOU KNOW?

  • Approximately 77 percent of small firms believe their company is safe from a cyber attack, even though 83 percent of those firms do not have a written security policy in place.
  • Unlike larger firms that can absorb the cost of a cyber attack, the consequences can be catastrophic for smaller ventures and entrepreneurs.

SIMPLE TIPS

  1. Use and regularly update anti-virus software and anti-spyware on all computers. Automate patch deployments to protect against vulnerabilities. (Our monthly maintenance takes care of this.)
  2. Secure your Internet connection by using a firewall, password protecting your Wi-Fi network, and changing default passwords for your wireless network and router. (Most businesses who buy a router from a local office supply store don’t take the time to change the default password and don’t know these devices are rarely updated by vendors.)
  3. Establish security policies and practices (e.g., using encryption technology) to protect sensitive data, including customer information and intellectual property.
  4. Use strong passwords and change them regularly. (Minimum recommended password length is 10 characters with upper and lower letters, numbers and symbols. Changing passwords should be monthly or quarterly if possible.)
  5. Protect all pages on your public-facing websites, not just the sign-up and checkout pages.
  6. Invest in data loss prevention software and use encryption technology to protect data that is transmitted over the Internet.

If your company is concerned about cybersecurity and wants to take the needed steps to protect yourselves, then contact us for assistance.

Received Hacker Email

Here is a recent email that I received from a “hacker” that was threatening to expose some secrets. It was an obvious fake email, but I wanted to take the time to educate on how to know a fake when you receive one:

Hacker Email Exposed

Strange Email Address: This email comes from “auf@cesco.com.br”, which is an address unknown to me, and the domain itself ends in BR, which stands for Brazil. I don’t do business in Brazil, so why would someone from there be emailing me?

Poor English: It starts out with the over-friendly greeting and continues with “I hack your computer” then just doesn’t stop. This was likely something typed into Google Translate then pasted into an email.

They Have Everything: Unless you really have something to hide, then this should not scare you. You need to assume that anything that you post online is public information anyways – there are no secrets on Facebook.

Invalid Help: They offer to help with acquiring Bitcoin to pay them in, then offer a site to find local ATMs that have this feature. They have no understanding of the area or what local banking services are available. If they know everything about me then they know where I live and could easily look up the local economic structure.

Internet Extortion: They are using extortion tactics to try and scare me into action. They are trying to “sell” me information security for $120, but if I gave in to their demands then my email address would become an even more valuable asset as they would have someone they could regularly extort for funds.

What To Do

  1. Unless you have something to hide, ignore the threats. If you do have something to hide then I suggest you quit so that no one can have anything against you.
  2. Forward these emails to me. Include the “header” information by copying it from the File > Properties menu in Outlook as this will help to track down where they are from.
  3. Farmhouse Networking will alert the proper authorities about the malicious activity to help shut these scammers down.
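
What the forwarded “header” information gives an investigator, as an added example that is not part of the original post: the Python sketch below reads a raw header block, lists the relay hops in travel order, and collects the same kind of warning signs discussed above. The sample headers are constructed (only the From address is the one quoted in the post), and `summarize_headers` and `known_domains` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for illustration (not the real message). Only the
# From address is the one quoted in the post; every other host uses reserved
# example domains and documentation IP ranges.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [198.51.100.10])
    by mailstore.recipient.example with ESMTP id abc123;
    Mon, 01 Jan 2018 09:15:03 -0800
Received: from unknown-host.example.net (unknown [203.0.113.45])
    by mx.recipient.example with ESMTP id def456;
    Mon, 01 Jan 2018 09:15:01 -0800
Authentication-Results: mx.recipient.example;
    spf=fail smtp.mailfrom=mailer.example.net;
    dkim=none
From: "Friend" <auf@cesco.com.br>
To: me@recipient.example
Subject: Constructed sample

"""


def summarize_headers(raw, known_domains):
    """Pull out the header facts that help judge where a message came from."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()

    # Each relay prepends its own Received line, so reading them bottom-up
    # gives the path in travel order. Hops recorded before your own mail
    # server took over come from the sending side and can be forged.
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        flat = " ".join(received.split())  # undo header folding
        m = re.search(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\]", flat)
        if m:
            hops.append((m.group(1), m.group(2)))

    # Verdicts stamped by the receiving server (SPF / DKIM / DMARC).
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            auth[method] = result.lower()

    # These are signals to weigh, not proof: bulk-mail services legitimately
    # use a Return-Path domain that differs from the From domain.
    findings = []
    if from_domain not in known_domains:
        findings.append(f"sender domain {from_domain} is not a known correspondent")
    if rp_domain and rp_domain != from_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    if auth.get("spf") != "pass":
        findings.append(f"SPF result is {auth.get('spf', 'missing')}")

    return {"from_domain": from_domain, "tld": from_domain.rpartition(".")[2],
            "hops": hops, "auth": auth, "findings": findings}


if __name__ == "__main__":
    report = summarize_headers(SAMPLE_HEADERS, known_domains={"recipient.example"})
    for name, ip in report["hops"]:
        print(f"hop: {name} [{ip}]")
    for finding in report["findings"]:
        print("flag:", finding)
```
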

If your company is receiving tons of SPAM or hacker email, then contact us for assistance.

Carbonite Removes Local Backups

“Carbonite is ending support for the Mirror Image feature on October 15, 2018. Starting October 16, 2017, Carbonite will remove the Mirror Image feature from Plus and Prime accounts on a rolling basis, upon renewal. Mirror Image will be removed from all remaining accounts on the end-of-support date of October 15, 2018.”

Local Backups

This revelation from Carbonite and the recent one from CrashPlan have left me worried about the future of backup for small business and home users. To have all files stored only in the cloud to me is just foolish. If I have tons of family photos and videos or store a bunch of music on my computer that I am relying on online only backups to keep safe – my recovery time will be weeks instead of hours. This is just not acceptable to me and I have a feeling it would not be to other people either.

If you are using either Carbonite or CrashPlan for backup of your computer and the possibility of massive recovery times is unacceptable to you, then contact us for assistance.

Compliance Demands Managed Antivirus

It continues to astound me how many businesses have a free version or home version of antivirus installed on their workstations at the office. Having no central management for the antivirus software to enforce the company security policy creates an infrastructure where each workstation can have a different level of protection or none at all. Leaving security up to the end-user is never a good idea and could easily lead to a virus infection. For those affected by HIPAA or PCI compliance, having managed antivirus is a must.

PCI Compliance Regulations

Section 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Section 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

Section 5.2 Ensure that all anti-virus mechanisms are maintained as follows:

  • Are kept current,
  • Perform periodic scans
  • Generate audit logs which are retained per PCI DSS Requirement 10.7

Section 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period

In order to comply with all of these regulations there is no other choice than to use managed antivirus as it automatically updates, regularly scans and keeps logs in a central place.

HIPAA Compliance Regulations

45 C.F.R § 164.306 (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

45 C.F.R § 164.308 (a)(5)(ii)(B) Protection from malicious software. Procedures for guarding against, detecting, and reporting malicious software.

These regulations are a bit more cryptic, but they do require antivirus to be installed, fully capable of protection and able to report. The best way to achieve this is to use managed antivirus.

If your company is using standard or free antivirus to protect your business workstations, then contact us for assistance.

CrashPlan for Home is No More

Effective August 22, 2017, Code42 will no longer offer new – or renew – CrashPlan for Home subscriptions, and we will begin to sunset the product over several months. CrashPlan for Home will no longer be available for use starting October 23, 2018.

What alternatives exist?

CrashPlan itself is suggesting that customers move to Carbonite for their personal computer backups. In order to get the same great combination of onsite & offsite backup that CrashPlan users are used to, Farmhouse Networking recommends using the Plus package that includes the backup to an external drive. This package is on sale for $25 off the normal yearly cost. Small businesses with only one computer will also find this package to be the most secure way of backing up their important files for the least out-of-pocket costs.

If your business has more than one computer or a server, Farmhouse Networking recommends upgrading to a full business class Backup & Disaster Recovery (BDR) solution with Datto. This provides both the speed of on-site recovery with the resilience of off-site recovery via the cloud. On-site recovery is much simpler with this BDR solution as the device becomes a copy of the main computer or server in the case of failure. This takes recovery time down to minutes instead of days.

If your company is using CrashPlan for backups and is not ready for the move, then contact us for assistance.