Category: Compliance

Wireless Security Upgrade

WPA3 Wireless Security - Grants Pass, OR

Strange to think that the current wireless security protocol has been in use for over a decade, but with the release of WPA3 certification today the Wi-Fi Alliance has made some serious strides towards a more secure wireless security standard.

Security Improvements

Offline Password Guessing – Attackers will now only get one guess per offline packet instead of unlimited. This will force them to interact with the wireless device directly which will make their attacks easier to detect and easier to shut them out.

Forward Secrecy – Even if the attacker is able to record a data stream and crack the current password, they will not be able to read the recorded data – only new data flowing over the network.

192-bit Encryption: – Enterprise users and tech savvy small businesses will be able to take advantage of deeper encryption for more secure connections

Wi-Fi Easy Connect – Simple to use, secure way for home users to connect their devices by scanning a QR code instead of entering a complex password.

This new security protocol mixed with the latest 802.11ax (that could bring 10 Gigabit speeds to wireless) will make 2019 a banner year for wireless technology.
If your company is interested better wireless security or faster wireless speeds, then contact us for assistance.

 

ESET Antivirus Troubles

Eset Antivirus - Grants Pass, OR

Working with a webhost to tighten their security settings to get PCI compliant. In doing so we ended up breaking many of their clients email access by turning off SSLv3 and TLSv1.0. I was given the task of helping all the clients fix this issue (see seperate blog post for the fix). One in particular ended up not having issues beyond the normal problems with TLS and it turned out being ESET Antivirus. Here is the story:

Unable to Access Website:

The client first mentioned that they could not access a particular website that they needed to submit government paperwork. The error was related to the certificate being out of date. I checked the site on my own computer and it came up just fine, so looked at their certificate and it was current with plenty of time left before expiring. Cleared the cache and all the normal troubleshooting steps to no avail, so had to dig deeper. Remembered that some antivirus programs scan HTTPS traffic by putting their own certificate in place of the actual certificate from the site. Looked inside ESET Antivirus and found the culprit. Under Internet Protection > Web Access Protection I turned off the HTTPS Scanner. Restarted the browser and was able to surf to the site without issues.

Hidden Messages Stuck in Outlook Outbox:

The client then mentioned that some messages weren’t sending, so looked into it and found a couple messages that were 2MB+ which I told them were too large to send. We got rid of those but then messages were still stuck but were now hidden from view. I used the typical fix for read receipts that are hidden using the MFCMAPI tool but found nothing there. Tried removing the account and re-adding it to Outlook. After the clients 8,000+ emails downloaded via IMAP the same problem began occurring again. Remembering the issues with ESET Antivirus web filtering, I decided to take a look at that again. Under Internet Protection > Email client protection I turned off all the Email Clients, Email Protocols, and Antispam Protection. Restarted Outlook and the problem persisted. Had to remove the account and re-add it to Outlook. After the clients 8,000+ emails downloaded via IMAP the problem was fixed.

All that being said, these kinds of problems are another reason that I recommend Webroot to my clients for their antivirus protection. I prefer to have the Website filtering happen at the DNS level via a company like DNSFilter.com and the SPAM / Email filtering to happen via the email provider or an email protection service like Mailprotector.com.

If your company is interested in using a real layered approach to security not just putting a software band-aid on it, then contact us for assistance.

Got everything backed up? You sure?

SaaS Protection - Grants Pass, ORAs companies increasingly move data into cloud-based applications, many administrators think traditional best practices such as data backup are outdated. After all, a Software-as-a-Service (SaaS) application is always available, accessible from anywhere, and highly redundant, so why is backup necessary?

1 in 3 companies report losing data stored in cloud-based applications. That means the permanent deletion of potentially hundreds of work hours.

The truth is that even data in cloud-based applications are vulnerable to:

  • Malware damage or ransomware attacks
  • Accidental end-user deletion
  • Malicious end-user activity
  • Operational errors such as accidental data overwrites
  • Lost data due to canceled user account subscriptions
  • Misconfigured application workflows

Datto SaaS Protection won’t let your critical data slip through the cracks. Engineered to be the leading, one stop shop for cloud-to-cloud SaaS application backup, SaaS Protection gives you consistently reliable granular backups, quick and easy restores and exports, secured data for compliance and regulatory needs, and world-class 24/7/365 support.

SaaS Protection Supports the Following Applications:

G-Suite – Protect emails, documents, calendars, sites, and contacts in Google’s G Suite.

There’s no such thing as too safe. Datto SaaS Protection goes above and beyond industry standards to make sure G-Suite data is secure, easily recoverable, and protected:

  • Automatic 3X daily backups of Google Mail, Drive, Calendar, Contacts, and Sites data
  • SOC2 Type II audited
  • Supports HIPAA compliance needs
  • Data encryption both in transit and at rest in the Datto Cloud
  • Advanced internal controls
  • Data controls and monitoring, including audit logs, uptime and availability SLAs, and export capabilities
  • Regular vulnerability management and testing

SaaS Protection saves you and your team time and stress with search filters that quickly locate backed up files and folders.. even if users can’t remember what they called them.

  • Easily track deleted items
  • Locate and browse any previous versions of documents
  • Lighten the help desk load: SaaS Protection lets users access their own backups

Office 365 – Protect Exchange Online, SharePoint Online, OneDrive, Contacts, and Calendars in Office 365.

There’s no such thing as too safe. Datto SaaS Protection goes above and beyond industry standards to make sure Office 365 data is secure, easily recoverable, and protected.

  • Microsoft Exchange, OneDrive, SharePoint, Calendar and Contacts are automatically backed up 3X a day
  • SOC 2 Type II audited
  • Supports HIPAA compliance needs
  • Data encryption both at rest and in transit
  • Data controls and monitoring tools, including audit logs, uptime and availability SLAs, and export capabilities

SaaS Protection saves your team time and stress with robust search filters that make it easy to quickly locate backed up files and folders.

  • Manage backups, view restores, and monitor activity across all of your customers from an easy-to-use dashboard
  • Zero in on emails, contacts, individual files and entire folders with our search function
  • Restore files directly to a user’s account or download them directly

If your company is G-Suite or Office 365 and want a complete disaster recovery solution, then contact us for assistance.

Now Featuring: third-party software updates

third-party software update

In a continuing effort to offer the best remote monitoring & maintenance available and to enhance the security of our clients even more, we are now offering updates to several of the most popular third-party software packages. This is in addition to the Windows patching, system health checks, system maintenance, managed antivirus (included for free), and website blacklist monitoring that now come standard with our remote monitoring & maintenance service. Here is a summation:

Third-Party Software Updates

Google Chrome: web browser made by Google.

Firefox: web browser made by the Mozilla Foundation.

CCleaner: system cleaning utility (now owned by AVG).

Adobe Acrobat Reader: PDF viewer made by Adobe.

Adobe Flash Player: website animation plugin made by Adobe.

Java Runtime: website programming plugin made by Oracle.

There is a long list of other software that we can update for you automatically, but have chosen these in particular to update as they are the most likely to be exploited and least likely to be updated regularly.

If your company has software that needs to be automatically updated or would like to sign-up for remote monitoring and maintenance, then contact us for assistance.

Quick Look at PCI Compliance Regulations

PCI Compliance Regulations

Just got done cleaning up after a security breach (aka hacking) of one of my client’s accounting workstation. They had an older method of remote access called Microsoft Remote Desktop that has known vulnerabilities without additional security measures in place. The hacker did not touch their Quickbooks data (super surprising), but installed software to send SPAM, mine bitcoin crypto-currency, and running fraudulent credit card transactions. Since there was no compromises of Primary Account Numbers (PAN) or customer data there was no need for notifying customers, but the FBI Cyber Crime division was still notified to help share with them the intelligence from the breach. This then lead to me reading through the PCI DSS regulations again and making the requisite recommendations to mitigate the current issues with the client’s network and protect against future attempts. Here is a list of applicable PCI Compliance Regulations:

Requirement 1.1.2 – Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
Requirement 1.2 – Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
Requirement 1.3 – Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Requirement 4.1 – Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
•    Only trusted keys and certificates are accepted
•    The protocol in use only supports secure versions or configurations
•    The encryption strength is appropriate for the encryption methodology in use
Requirement 5.1 – Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Requirement 5.2 – Ensure that all anti-virus mechanisms are maintained as follows:
•    Are kept current,
•    Perform periodic scans
•    Generate audit logs
Requirement 5.3 – Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period
Requirement 6.2 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Requirement 8.2.3 – Passwords/passphrases must meet the following:
•    Require a minimum length of at least seven characters.
•    Contain both numeric and alphabetic characters.
Requirement 8.2.4 – Change user password/passphrases at least once every 90 days.

If your company has PCI Compliance Regulations that you need consulting for, then contact us for assistance.

CyberSecurity Month – Small Business Tips

CyberSecurityBroadband and information technology are powerful tools for small businesses to reach new markets and increase sales and productivity. However, cybersecurity threats are real and businesses must implement the best tools and tactics to protect themselves, their customers, and their data. Visit www.fcc.gov/cyberplanner to create a free customized Cyber Security Planning guide for your small business and visit www.dhs.gov/stopthinkconnect to download resources on cyber security awareness for your business. Here are ten key cybersecurity tips to protect your small business:

1. Train employees in security principles.

Establish basic security practices and policies for employees, such as requiring strong passwords and establish appropriate Internet use guidelines, that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

2. Protect information, computers, and networks from cyber attacks.

Keep clean machines by having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available. (Our managed monthly service contract customers already have this taken care of.)

3. Provide firewall security for your Internet connection.

A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall. (We don’t recommend the free stuff as you always get what you pay for.)

4. Create a mobile device action plan.

Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

5. Make backup copies of important business data and information.

Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud. (We recommend backup copies in both)

6. Control physical access to your computers and create user accounts for each employee.

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel. (Definitely agree with the separate users and least

7. Secure your Wi-Fi networks.

If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi- Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router. (Also make sure to segregate public guest traffic from private traffic.)

8. Employ best practices on payment cards.

Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

9. Limit employee access to data and information, and limit authority to install software.

Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10. Passwords and authentication.

Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain
entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account. (Multifactor should be implemented on all web based applications from third party vendors.)

If your company is concerned about cybersecurity and wants to take the needed steps to protect yourselves, then contact us for assistance.

Compliance Demands Managed Antivirus

computer virusIt continues to astound me how many businesses have a free version or home version of antivirus installed on their workstations at the office. There is no central management for the antivirus software to enforce the company security policy creates an infrastructure where each workstation can have a different level of protection or none at all. Leaving security up to the end-user is never a good idea that could easily lead to a virus infection. For those effected by HIPAA or PCI compliance having managed antivirus is a must.

PCI Compliance Regulations

Section 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Section 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

Section 5.2 Ensure that all anti-virus mechanisms are maintained as follows:

  • Are kept current,
  • Perform periodic scans
  • Generate audit logs which are retained per PCI DSS Requirement 10.7

Section 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period

In order to comply with all of these regulations there is no other choice than to use managed antivirus as it automatically updates, regularly scans and keeps logs in a central place.

HIPAA Compliance Regulations

45 C.F.R § 164.306 (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

45 C.F.R § 164.308 (a)(5)(ii)(B) Protection from malicious software. Procedures for guarding against, detecting, and reporting malicious software.

These regulations are a bit more cryptic, but they do require antivirus to be installed, fully capable of protection and able to report. The best way to achieve this is to use managed antivirus.

If your company is using standard or free antivirus to protect your business workstations, then contact us for assistance.

Information Security while Traveling

The SANS Institute has been putting out the OUCH! newsletter for some time now in a project called Securing the Human. In the most recent Issue, they discuss some best practices and practical advice for traveling. Here are some highlights:

Minimize Possible Losses

Here are a few tips to protect information from the hazards of traveling and possible theft:

  • Remove any data that is not needed on the device
  • Use full disk encryption & strong passwords
  • Perform a complete backup before leaving
  • Install tracking software on the device
  • Update OSes and Antivirus

Lost/Stolen Devices

Although crime is more of a factor in some third world nations or those in active conflict, the human element of losing the device is 100x more likely. Keep inventory of your devices before, during and after transporting from one location to another. Do not leave your device in the hotel room, have the hotel front desk put it in their safe or locked administrative offices.

Public WiFi

If you have to connect to the internet in public spaces and/or cannot afford mobile data on your trip, then make sure to do the following:

  • Never use public computers for sensitive information, especially banking sites
  • When on public wifi, only surf to sites with HTTPS:// secure connections
  • Consider connecting to a VPN service to further encrypt communications

If your company is requires traveling or you are planning to remotely work while on vacation, then contact us for assistance. We would be happy to walk you through the full disk encryption process, update / secure your devices and configure a company VPN service to connect to on the go.

Oregon Cyber Task Force – Cyber Attack Mitigation

During a recent briefing from the FBI’s Oregon Cyber Task Force in Medford, OR they detailed best practices and industry standards for cyber attack mitigation. FBI special agents started with information and statistics about the most recent threats giving specifics of how the attacks were executed. Security Architect from the State of Oregon then outlined the specifics of how to mitigate these threats properly. Here is a summation:

Current Threat Landscape

Business Email Compromise (CEO Fraud): Involves cyber criminals posing as business executives at companies that regularly perform wire transfers. After compromising the executive’s email, the criminal requests employees to perform wire transfers to the criminal’s bank account. FBI Internet Crime Complaint Center (IC3) has reported over $3 billion of losses worldwide due to this threat.

Ransomware: Ransomware is a form of malware that targets weaknesses in networks to deny the availability of critical data by encrypting it and demanding a ransom for the encryption keys to decrypt the data. Ransomware is frequently delivered through spear phishing emails to end users.

Point of Sale (PoS) Malware: Cyber criminal steals payment card data by remotely infecting PoS systems with malware without the need to physically access the cards or the devices used to process them. This allows criminals to compromise PoS systems on a large scale with larger victim base.

Insider Threat: An insider is a current or former employee who has access to an organization’s network and intentionally misuses that access to negatively affect the company. IC3 has recorded business losses from insider threat to be between $5,000 to $3 million.

Internet Extortion: Victims are threatened by cyber criminal with Distributed Denial of Service (DDoS) attack that will make access to their e-commerce site severely degraded or impossible if they victim does not pay to appease them. These can be real or fake with price tags in the neighborhood of 50 bitcoin or about $30,000.

Cyber Attack Mitigation

Here is a list of items that will need to be addressed to comprise a complete mitigation plan:

  • Create company policy in regards to how wire transfers are handled that require verbal or in-person authorization from multiple company executives
  • Create company policy restricting details that can be shared  about job duties and company hierarchy on social media
  • Review National Institute of Standards and Technology (NIST) Cybersecurity Framework and  adopt risk management processes
  • Create, implement and keep up-to-date an incident response plan
  • Create company policy and implement lawful network monitoring
  • Have proactive relationships with law enforcement agencies – silence is letting cyber criminals win

Practical Security Best Practices

  • Network Segmentation – keep the guest wireless separate from the local network, keep payment processing in its own network and keep web servers in the Demilitarized Zone (DMZ) of the network.
  • Use firewall access rules, Active Directory Group Policy and physical security measures to limit unsecure access to every segment of your network.
  • Restrict usage of administrator level access by creating alternative accounts for these purposes that are not used for local login. Keep these accounts monitored.
  • Implement automated patching and managed virus scanning on all systems. Remove any unsupported / non-updateable software or sytems on the network.
  • Restrict remote access to the network to specific users and use only secure protocols like RDP through VPN
  • Conduct periodic testing of all security measures to identify weakness or failing procedures and adjust systems accordingly

Advanced Mitigation Processes

  • Use multi-factor authentication wherever possible
  • Establish baseline of applications used then implement application whitelisting
  • Standardize encryption for data both at-rest and in-transit
  • Conduct perimeter filtering via Intrusion Detection System (IDS)
  • Regularly backup system logs in a segregated portion of the network to prevent tampering

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

Full Disk Encryption – Bitlocker vs. TrueCrypt

Recently had a financial planning firm contact me with their new compliance regulations which included full disk encryption on all workstations that accessed client data and on all thumb drives used. This led me on a search to find the best solution for their systems which boiled down to essentially two solutions – Bitlocker or TrueCrypt / VeraCrypt.

Full Disk Encryption w/ Bitlocker

This feature is built into the professional versions of Windows OS from version 7 and beyond. It is simple to use and can be implemented from the Properties on local drives. It works with the modern GUID partition table (GPT) and Unified Extensible Firmware Interface (UEFI) as well as the older MBR / BIOS model. It works best with a Trusted Platform Module chip but can also be setup to use an external USB device as the encryption key repository. There is also a “Bitlocker To Go” setup for thumb drives that will work easily on other Windows based devices.

Full Disk Encryption w/ TrueCrypt

TrueCrypt, and the more recent “fork” of the software VeraCrypt, are based on the same open source code and are compatible with all recent versions of Windows OS. These software packages are not for the faint of heart as they require following detailed instructions on their usage through a multi-stage process to perform the drive encryption. My testing has revealed that they do not work well with modern GPT or UEFI and instead the Master Boot Record (MBR) and Basic Input/Output System (BIOS) systems would have to have been implemented from the initial setup of the workstation to function properly. There is currently no support for TPM, so remember your password or else say goodbye to your data. There is the ability to create a portable drive via these software packages, but the process is not something an end-user could easily do themselves.

Based on the limitations of TrueCrypt and the steep learning curve. It will be my recommendation to use the more simple and up-to-date Bitlocker technology to protect their firm – even if the encryption algorithms available in the other software provide deeper security. If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2025 - Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

Error: Contact form not found.

And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10