Loading ...

Category: Encrypted Email

Oregon Cyber Task Force – Cyber Attack Mitigation

During a recent briefing from the FBI’s Oregon Cyber Task Force in Medford, OR they detailed best practices and industry standards for cyber attack mitigation. FBI special agents started with information and statistics about the most recent threats giving specifics of how the attacks were executed. Security Architect from the State of Oregon then outlined the specifics of how to mitigate these threats properly. Here is a summation:

Current Threat Landscape

Business Email Compromise (CEO Fraud): Involves cyber criminals posing as business executives at companies that regularly perform wire transfers. After compromising the executive’s email, the criminal requests employees to perform wire transfers to the criminal’s bank account. FBI Internet Crime Complaint Center (IC3) has reported over $3 billion of losses worldwide due to this threat.

Ransomware: Ransomware is a form of malware that targets weaknesses in networks to deny the availability of critical data by encrypting it and demanding a ransom for the encryption keys to decrypt the data. Ransomware is frequently delivered through spear phishing emails to end users.

Point of Sale (PoS) Malware: Cyber criminal steals payment card data by remotely infecting PoS systems with malware without the need to physically access the cards or the devices used to process them. This allows criminals to compromise PoS systems on a large scale with larger victim base.

Insider Threat: An insider is a current or former employee who has access to an organization’s network and intentionally misuses that access to negatively affect the company. IC3 has recorded business losses from insider threat to be between $5,000 to $3 million.

Internet Extortion: Victims are threatened by cyber criminal with Distributed Denial of Service (DDoS) attack that will make access to their e-commerce site severely degraded or impossible if they victim does not pay to appease them. These can be real or fake with price tags in the neighborhood of 50 bitcoin or about $30,000.

Cyber Attack Mitigation

Here is a list of items that will need to be addressed to comprise a complete mitigation plan:

  • Create company policy in regards to how wire transfers are handled that require verbal or in-person authorization from multiple company executives
  • Create company policy restricting details that can be shared  about job duties and company hierarchy on social media
  • Review National Institute of Standards and Technology (NIST) Cybersecurity Framework and  adopt risk management processes
  • Create, implement and keep up-to-date an incident response plan
  • Create company policy and implement lawful network monitoring
  • Have proactive relationships with law enforcement agencies – silence is letting cyber criminals win

Practical Security Best Practices

  • Network Segmentation – keep the guest wireless separate from the local network, keep payment processing in its own network and keep web servers in the Demilitarized Zone (DMZ) of the network.
  • Use firewall access rules, Active Directory Group Policy and physical security measures to limit unsecure access to every segment of your network.
  • Restrict usage of administrator level access by creating alternative accounts for these purposes that are not used for local login. Keep these accounts monitored.
  • Implement automated patching and managed virus scanning on all systems. Remove any unsupported / non-updateable software or sytems on the network.
  • Restrict remote access to the network to specific users and use only secure protocols like RDP through VPN
  • Conduct periodic testing of all security measures to identify weakness or failing procedures and adjust systems accordingly

Advanced Mitigation Processes

  • Use multi-factor authentication wherever possible
  • Establish baseline of applications used then implement application whitelisting
  • Standardize encryption for data both at-rest and in-transit
  • Conduct perimeter filtering via Intrusion Detection System (IDS)
  • Regularly backup system logs in a segregated portion of the network to prevent tampering

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

HIPAA Compliant Analog Fax Transmissions

HIPAA Compliant Analog Fax

It never occurred to me that analog fax was still something used, but my kids’ optometrist asked me to fax in a copy of their insurance card. So I asked them if I could email it to them and they said that it would not be HIPAA compliant to do so to which I responded that I could send them an encrypted email – they were not amused. This interaction begged the question is HIPAA compliant analog fax possible. According to Frequently Asked Question (FAQ) section HHS.gov site:

Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?

Answer: Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.

The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his or her voice.

So the short answer is a surprising yes they can do HIPAA compliant analog fax with a standard old facsimile machine with the numbers pre-programmed in. If they have moved on the digital fax technology then similar safeguards to email must be put in place for the storage and transmission of that data.

Basic Office 365 Encryption Setup

Businesses have been using email, a cloud-based service, for decades. The recent push for compliance and security have given rise to various technology and services to provide encryption for sending / receiving messages especially through email. For most users Office 365 Encryption is the easiest and best way of sending encrypted email. This is done by purchasing licenses / configuring Azure Rights Management either through Enterprise Mobility Suite or Microsoft Azure Rights Management Premium in their Office 365 account. Once licensed the following setup procedure is needed to setup basic email encryption for all users:

Basic Office 365 Encryption Setup

  1. Login to Office 365 portal as Global Administrator and click on the Admin tile.
  2. In the left hand menu select Service Settings > Rights Management then click on the Manage link to the right.
  3. On the Rights Management page click on the Activate button.
  4. Now it is time for the powershell portion, open Windows Azure Active Directory Module for Windows Powershell as Domain Administrator
  5. Type in the following to connect to Exchange Online via Powershell:

    Set-ExecutionPolicy RemoteSigned
    $creds = Get-Credential
    (Enter the Office 365 Administrator credentials then click “OK” button.)
    Import-Module MsOnline
    Connect-MsolService -Credential $creds
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $creds -Authentication Basic -AllowRedirection
    Import-PSSession $Session

  6. Now type in the following to configure the Rights Management Services (RMS) online key-sharing location in Exchange Online (This is North American companies only – all others see the following Microsoft KB Article.):

    Set-IRMConfiguration -RMSOnlineKeySharingLocation “https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc”

  7. Run the following command to import the Trusted Publishing Domain (TPD) from RMS Online:

    Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

  8. To verify that you successfully configured IRM in Exchange Online to use the Azure Rights Management service, run the following:

    Test-IRMConfiguration -RMSOnline

  9. Run the following commands to disable IRM templates from being available in OWA and Outlook and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption:
     

    • To disable IRM templates in OWA and Outlook:

      Set-IRMConfiguration -ClientAccessServerEnabled $false

    • To enable IRM for Office 365 Message Encryption:

      Set-IRMConfiguration -InternalLicensingEnabled $true

  10. This completes the powershell portion. Make sure that all users who will be using Encryption have been given a license for the purchased service in the Office 365 portal.
  11. In the Office 365 portal in the left hand menu click on Admin > Exchange.
  12. In the Exchange Admin Center in the right hand side under Mail Flow click on Rules.
  13. Click on the + symbol and choose “Create a New Rule…” option.
  14. Give the Rule a name like “Message Encryption” then click on “More Options…”
  15. Under “Apply this rule if…” select “The subject or body includes…” and add “Encrypt:” as the search term.
  16. Under “Do the following…” select “Modify the message security…” then select “Apply Office 365 Message Encryption”
  17. Leave the other options as default unless otherwise needed and click on Save button.

This then allows users of Outlook or OWA to add the work “Encrypt:” to the subject line of an email and have the message sent as encrypted. The recepient will receive and HTML document that details how to access the contents of the email securely via Microsoft login or one time access code sent to their email. If they are accessing email from their phones then there is an App for that too. If your organization needs any help with compliance of email encryption then don’t hesitate to contact us for support.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2023- Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

[contact-form-7 id="452" title="Free Network Evaluation"]