Loading ...

Category: Compliance

Revised DOJ Compliance Guidance

Compliance Checklist - Grants Pass, OR

On June 1st, the Department of Justice (DoJ) release further guidance about compliance programs which could effect the way PCI and HIPAA compliance breaches are handled in court.

https://www.justice.gov/criminal-fraud/page/file/937501/download

They state that compliance programs aren’t merely one-and-done snapshots in time, but are instead dynamic programs that get updated regularly to fit changing circumstances.

An article about it states, “the latest guidance issued by DOJ is premised almost entirely on the adequacy of the organization’s risk assessment efforts, an approach well-known and particularly applicable to cybersecurity professionals. Prosecutors are urged to evaluate the quality and effectiveness of an organization’s risk assessment program by examining:

  1. The risk management process, particularly the methodology used to identify, analyze and address the risks an organization faces
  2. Risk-tailored resource allocation, namely whether the organization devotes enough resources to managing risks
  3. Updates and revisions, specifically whether the risk assessment is subject to periodic dynamic reviews
  4. Lessons learned, determining whether the company has a process for tracking and coordinating changes in its risk management program based on its experience

The DOJ also stressed the importance of risk-based training and communications about misconduct as essential parts of how it determines whether the organization’s compliance programs are up to snuff. Finally, the guidance highlights the importance of management support of the organization’s compliance initiatives and the value of extending compliance due diligence to third-party providers.”

If your company is unsure about their compliance program or risk assessment process, then contact us for assistance.

Vulnerability Scans & Penetration Testing

Vulnerability Prevention - Grants Pass, OR

Many industries we serve are under some sort of compliance requirements – HIPAA, PCI, GDPR, etc. and several of these require some sort of vulnerability scans or penetration testing:

HIPAA Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

PCI DSS Requirement 11.3:

The scope of a penetration test, as defined in PCI DSS Requirement 11.3, must include the entire CDE perimeter and any critical systems that may impact the security of the CDE as well as the environment in scope for PCI DSS. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (LAN-LAN attack surfaces).

GDPR Article 32 states:

A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

Farmhouse Networking has begun offering both internal and external network vulnerability scans and penetration testing for clients who fall under compliance requirements. We also provide remediation planning and implementation for any issues found during the scans. 

If your company is has compliance requirements for internal or external vulnerability scans or penetration testing, then contact us for assistance.

Work From Home Checklist

remote worker - Grants Pass, OR

In this unprecedented time that we are currently experiencing, you have had to set your team up to work remotely, often without thinking about how they might actually get work done, let alone security of all things. Our employee checklist and no-cost cybersecurity training course will provide your team with the tools they need to ensure that they are safe and productive – right out of the gate.  These free resources are part of our initiative to keep our community safe and working during this time of crisis, without the additional disruption and financial impact of a breach.
 
Don’t let a change in circumstance allow for a change in cybersecurity standards.

Can Passwords Be Strong & Easy To Remember

The COVID-19 scare and ensuing rush to remote access has us thinking security. What is more basic to security than passwords. In an effort to find a way to make passwords both secure and easy to remember, I have found a website that seems to fit the bill:

https://xkpasswd.net/

A Secure Memorable Password Generator

The concept is surprisingly simple and is said to be based on a cartoon:

XKCD - Password Strength

I have played with the settings and found the following to generate some good password settings. Here they are for those who are interested:


The only other option would be to use random passwords stored in a password keeper. This also allows secure sharing of passwords throughout the organization. 

If your company is using remote access, then contact us for assistance to make it secure.

FBI Cyber Defense Best Practices

A recent briefing from the FBI’s Internet Internet Crime Complaint Center (IC3) detailed current best practices and industry standards for cyber defense. Here is a summation:

Cyber Defense Best Practices

  • Backups – Regularly back up data and verify its integrity. Backups are critical in ransomware; if you are infected, backups may be the only way to recover your critical data.
  • Training – Employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
  • Patching – All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.
  • Antivirus – Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted. Centrally managed is even better.
  • File Permissions – If a user only needs to read specific files, they should not have write-access to those files, directories, or shares. Configure access controls with least privilege in mind.
  • Macros – Disable macro scripts from Office files transmitted via email.
  • Program Execution Restrictions – Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs.
  • Remote Desktop Protocol – Employ best practices for use of RDP, including use of VPN, auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
  • Software Whitelisting – Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy. This one takes careful planning.
  • Virtualization – Use virtualized environments to execute operating system environments or specific programs. No physical access to servers makes hacking harder.
  • Network Segmentation – Implement physical and logical separation of networks and data for different organizational units. Keep guest traffic out of your business network.
  • No Saved Passwords – Require users to type information or enter a password when their system communicates with a website. Better yet use a password management tool.

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

Modernize Your IT infrastructure to Optimize Costs

Support from Microsoft for Windows Server 2008 R2 ended January 14th 2020, while SQL Server 2008 R2 support ends July 9th 2019. By this time you may find maintenance costs quickly spiral with the need to continually manage your aging hardware. In addition, if your company is growing or has fluctuating capacity needs, you need the kind of flexibility that allows you to scale IT resources up or down quickly – and cost-effectively.

Use Windows Server and SQL Server end of support as an opportunity to modernize your application stack and optimize costs. Migrate your SQL Server and Windows Server 2008 to Microsoft cloud, and realize the benefits of extended support at no cost. As well as extra security updates you get a scalable solution with a price plan to suit your business needs, with peace of mind that your applications are always up to date.

To discover how modernizing your Windows or SQL server can help you on your path to digital transformation, get in touch with us today.

Keep Your Business Secure & Compliant

Keep your business running smoothly, improve security, and facilitate compliance with GDPR or other regulatory standards


Support from Microsoft for SQL Server 2008 R2 ended July 9th 2019, while Windows Server 2008 R2 ends January 14th 2020

End of support means the end of security updates, which can cause security and compliance issues along with the potential for business interruptions. Worse still, you may find it impossible to guarantee protection against hackers and malware. Without these updates you face the threat of losing precious data because of potential weaknesses in your environment – putting both your reputation and your business at risk.

By modernizing your infrastructure, you equip your business for the most advanced security, performance, and machine-learning innovations. With the largest portfolio for security and compliance certifications than any other cloud provider, modernizing with Microsoft offers secure data environments along with support for regulatory compliance.

To find out how to keep your business compliant and strengthen your customers’ trust , get in touch with us today.

Help Enable Digital Transformation & Stay Competitive

From start-ups to small businesses, companies who embrace digital transformation are well placed to outperform the competition


Focus more on your business and spend less time worrying about maintenance, with hassle-free upgrades that save time and optimize costs.

On July 9th 2019, support from Microsoft for SQL Server ended, followed by support from Windows Server 2008 R2 on January 14th 2020. Many businesses are seizing this as a chance to modernise their IT infrastructure and integrate their Windows or SQL upgrade into their wider digital transformation strategy.

Companies that strive to integrate the latest most advanced technology to solve real business challenges often realize higher revenue margins. Without embracing innovation, they risk failure to evolve as a business, and losing out to competitors.

Updating your Windows Server or SQL Server enables you to embrace digital transformation and stay ahead of the curve. By breaking down the migration and modernization process into three steps—Assess, Migrate, and Optimize—you can solve the most pressing migration challenges and deliver the reliability, performance, and security your business stakeholders expect.

To discover how modernizing your Windows or SQL server can help you on your path to digital transformation, get in touch with us today.

Where do you keep your passwords?

Farmhouse Networking has had a long standing policy that we do not keep a record of client passwords (except when needed for device administration). That is about to change, but before we talk about our new password policy let’s talk password storage:

Common Password Storage

Here are some popular places where many businesses store their passwords that make them very vulnerable to being stolen.

Passwords written on paper (that are not under lock and key):

  • On your desk under your keyboard (or taped underneath)
  • Under your stapler or desk decorations
  • On sticky notes stuck to your monitor or desk
  • On a scrap of paper on your desk or in a drawer
  • In a notebook or address book
  • In a old-fashioned Rolodex file
  • Paper printouts or photocopies of your passwords

Anyone with access to your office could easily find and steal passwords stored like this.

Passwords stored in your computer (without using encryption):

  • Remembered in your web browser
  • A document called “Passwords” that you’ve created anywhere on your computer, perhaps using Microsoft Word or Excel
  • A document with any other name on your computer (including the password as the name)
  • Email drafts that you’ve created (but not sent) containing password information

Anyone with access to your computer could easily find and steal passwords stored like this, including both a person with physical access to it as well as a virus or hacker gaining access via the internet, or scamming you into granting them access, even once.

Passwords stored in your smartphone or tablet (without using encryption):

  • Electronic “Notes” containing password information
  • Other documents or emails similar to the ones listed in computer storage above

Anyone with access to your device could easily find and steal passwords stored like this.

Passwords sent via regular (insecure) email:

  • Emails that you have sent to yourself containing password information
  • Emails that you have sent to anyone else containing password information

Any information that you send using regular (unencrypted) email puts that information at risk of being stolen. Email is neither private nor secure. Sending an email is like mailing a postcard, and hackers and thieves can easily read the contents. You should never send passwords (or any other confidential or sensitive data) via regular email.

Secure Password Storage

Now for the discussion of Farmhouse Networking’s new password policy. We are partnering with a company to provide a storage of passwords and other client documentation with military grade encryption. This partnership also allows us to address the dangers that common password storage present by offering our clients this same encrypted password storage service. Here are some of the benefits of this service:

  • Unlimited users
  • Unlimited passwords
  • Each user has a personal password vault
  • Shared company password vault
  • Security groups to manage access
  • Auditing & reporting (Compliance)
  • Secure password sharing
  • 1-Click Login Tool (for all major browsers)
  • Mobile Device Access
  • Only $15 per month (Compared to Lastpass Business at $4 per user per month)

If your company is using common password storage of any kind do yourself a security favor and contact us to upgrade to secure password storage.

VPN for the Win

Remote User VPN - Grants Pass, OR

In reviewing compliance documentation, we found it necessary to talk about Virtual Private Network (VPN) technology for both privacy and secure remote access. A VPN is a connection to a private network over the internet through an encrypted tunnel – think smuggling information across a secret passageway between two places.

Why use VPN?

Privacy: There has been a huge buzz lately about using VPN technology to help mask you browsing habits from the likes of the NSA or Google. VPN services offer connections that regularly change your external IP address so that a profile (marketing or otherwise) is harder to build. It also makes hacking of your information harder when these services providers offer anti-virus and anti-spam filtering as part of the VPN service.

What are the trade-offs? These VPN service providers will now be the sole owner of your browsing habits – they can sell targeted profiles to marketing companies – so read those terms of service. There will also be a performance hit to your internet speed, so if you are working from a slow network already this may not be an option. Then there is the added cost of an extra $5 to $15 per month for these services on top of your internet bill each month.

Secure Remote Access: This was the original intent of VPN technology and where it really shines. Either from remote workers using coffee shop wifi or remote offices connecting to the main office, VPN tunnels are used to securely access data, servers, and other network resources. This technology is required by all major compliance agencies so that all data transmitted is encrypted during transport. In the past servers would open ports to the internet to allow access, but it was found that this practice allowed hackers the same opportunity to gain access. With VPN tunnels there is another layer of protection from unexpected access. There is also the benefit that no outside provider gets access to your browsing habits.

What are the trade-offs? This will require a router at the main office that is business grade and capable of handling the traffic. It will then require setup of remote workers laptops or remote offices with similar business grade routers.

If your company is concerned about privacy on the internet or secure remote access, then contact us for assistance.

Categories

Plant a Seed 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2020- Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

Something went wrong, try refreshing and submitting the form again.