Don’t Get Hooked by Vishing Attacks

by

Cybercriminals are motivated and creative, which is not a great pairing for their victims. Just when we think we know what to watch out for, there’s something new to worry about. Right now, voicemail phishing (vishing) attacks are on the rise. Find out more about vishing and what you can do about it.

First, a reminder: phishing refers to bad actors sending fraudulent emails. They use social engineering to get you to reveal personal or sensitive information. For example, employees might get an email that looks like it’s from your IT team. It might ask them to renew their access credentials in the next 24 hours, but they need to enter their existing credentials into an online form to make the change.

Vishing also relies on social engineering – it targets our impulse to trust or help – but, vishing does this using voicemail. Cybercriminals use this approach to attack individuals and businesses, and they aim to obtain the information they need to perpetrate further crimes.

How does vishing work?

Cybercriminals prepare in advance to make vishing more convincing. They’ll call from what looks like a local number, and you’ll be more likely to answer. They learn enough about their victim or the organization they claim to be from to appeal to human nature.

A vishing attempt will:

  • use urgency to encourage you to act;
  • leverage false credibility to convince you they’re legit (e.g. calling from the government, tax department, IT support, or HR);
  • employ persuasive language to make you want to help;
  • take a threatening tone so that your fear you will be arrested or have your bank accounts shut down to override your suspicions;
  • reference current events to tap into your worries (e.g. during the tax season, criminals might spoof tax collection agencies; or during COVID, people were promised testing kits for sharing their bank information).

Avoid falling victim to vishing

Make vishing awareness part of your security training for employees. Communicating how to avoid falling victim can help your business stay safe.

The number-one rule is to never provide or confirm personal information by phone. A bank, hospital, tax office, or the police are not going to call you on the phone to ask for personal details. And they are definitely not going to call and try to motivate you to act urgently.

It is also unlikely that your manager or human resources would call you at home to ask you to transfer funds, provide confidential data, or email documents from your personal account.

Always ask for proof that you can use to verify the caller is who they say they are and works where they claim to. If you’re given a number to call to confirm the caller is legit, look it up. Call on a different phone to check that it’s a real number.

Stay aware of the latest trends. For instance, a new take on vishing sends emails claiming to share links to voicemail messages on LinkedIn- or WhatsApp-type services. If the recipient clicks on the link, they go to a convincing page (complete with CAPTCHA for added legitimacy) where crooks try to capture their access credentials.

This latest iteration of vishing aims to evade your cybersecurity solutions. There’s always something to keep up with. Need help? Our experts can set your business up for network security success. Call us today at (515)422-1995.

Data Breaches Are Getting Worse: Know the Basics

by

The exposure of sensitive information can be disastrous for individuals, businesses, or governments. Yet data breaches aren’t going away. The first data breach compromised more than a million records in 2005. Since then, we’ve seen ongoing news of breaches. But there are some basic steps you can take to avoid falling victim to an attack.

Let’s look just at August 2022:

  • A breach at communications giant Twilio exposes 1900 users’ phone numbers and SMS verification codes.
  • Researchers discover at least 9000 virtual-network computing endpoints exposed online without a password.
  • CISCO confirms a ransomware gang has exfiltrated 2.8GB of data.
  • An American neurology practice notifies 363,833 individuals of a data breach.
  • 4 million Twitter users are thought to have been affected by a data breach at the social media firm.

And that’s all during a 10-day period!

In its annual Cost of a Data Breach study, IBM found the cost of a breach hit a record high this year, at nearly $4.4 million.

How does a data breach work?

A data breach involves any unauthorized access to confidential, sensitive, or protected information, and it can happen to anyone. Data breaches happen mainly when hackers can exploit user behavior or technology vulnerabilities.

The threat surface continues to grow exponentially. We are increasingly reliant on digital tools such as smartphones and laptops. With the Internet of Things (IoT), we’re adding even more endpoints that unauthorized users can access.

Popular methods for executing malicious data breaches include:

  • phishing – emails in which hackers persuade users to hand over access credentials or the data itself;
  • brute-force attacks – hackers use software and sometimes even hijacked devices to guess password combinations until they get in;
  • malware – infects the operating system, software, or hardware (often without the user knowing) and steals private data.

Disgruntled employees or political hacktivists can also be behind data breaches. However, more often than you would hope, the breach is due to human error.

Basic steps to avoid data breaches

Too many data breaches trace back to people using weak access credentials. Yes, there are still people out there using “password” or “123456” to log in at work! Thus, an important step to counter data breaches is enforcing strict password policies.

Multi-factor authentication can also help. This way, even if the employee uses a poor password, or their strong password is stolen, the hacker has to work to get access. They might need the user’s physical device to confirm a one-time-use code sent to verify identity.

It’s also important to patch and upgrade software as soon as asked to do so. Manufacturers support security by keeping abreast of hacker attacks throughout the world. They’ll also watch for bugs and any vulnerabilities. Disregarding that message to upgrade or patch could leave your computers at risk.

Encrypting all sensitive data can also cut the risks of a data breach. That way, if the bad guys do get inside your systems, they can’t do anything with the information they access.

With more people working remotely, the number of users doing business on their own devices is also up, which represents another data breach risk. Enforce strict Bring Your Own Device (BYOD) policies to minimize exposure. You might require virtual private networks and professional-grade antivirus protection.

Don’t risk data breach damage

Data breaches cause business downtime and can cost your reputation and bottom line. You may lose customers and also have to pay legal fees or compliance fines. Don’t let this happen to you. A managed services provider can install protection and take precautions against data breaches. Call us today at (515)422-1995.

How Secure is Cloud Data?

by

Data security is a common concern when migrating to the cloud. When data is on-premises, the business secures the sensitive data, and that feels safer. But that isn’t always the case. In fact, data can be safer in the cloud than on-site at your business.

When you put together your business infrastructure, you have many business priorities. Securely storing data is only one of your objectives and could even be one that you added on later.

A cloud services provider builds from the ground up with the goal of securing data online. Thus, cloud companies typically offer far more robust cybersecurity measures. After all, the success of Dropbox or Amazon Web Services depends on securing cloud data.

A hacker can use malware or phishing emails to target the data on your business devices. With ransomware, they make it impossible to reach your data unless you pay a ransom (or have a good data backup). Yet these cyberattacks don’t work in the cloud. Bad actors might access what’s stored on an individual user’s device, but they can’t get to the larger trove of data online.

Cloud servers are also safer because they’re in data warehouses most workers can’t physically access. Plus, the service providers will usually set up redundancies. So, for example, if a natural disaster hits one server site, they will offer continued access from another site.

Some cloud service vendors will also invest in third-party testing. To keep data safe, they hire external companies to test for vulnerabilities.

More reasons cloud data is safe

Cloud data is encrypted not only in storage but usually also in transit to and from the servers. This means your information is scrambled, and a bad actor getting between your business and its cloud data can’t understand it.

Cloud service providers also regularly monitor and maintain security. They spend more resources ensuring systems are up to date. They’re also more likely to use data analytics to identify trends or threats to their security. You might do the same, but you are unlikely to do so on the same scale.

Another advantage of keeping your data in the cloud? When you move to the cloud, you no longer have to store all that data on your own hardware. You still have access to your documents, media, or reports, but the third-party provider will likely have more storage space and processing speed. So, your on-site technology may function better, too.

You’re also cutting out common cybersecurity risks. You don’t have to risk storing data on laptops, which can get lost or stolen. You also end the need for thumb drives (or USB drives), which can also be stolen or lost. Plugging in these external devices can also expose you to viruses or other risks.

How to secure data in the cloud

First off, encrypt your data. Make sure you contract with a provider who will encrypt data in transit. This makes it more difficult for hackers to get at your information.

Enabling multi-factor authentication can also help secure data by adding layers of rigor. It moves your data security beyond just asking for a username and password. We know all too well that those are often compromised or guessed.

When you move your data to the cloud, you will need to pay attention to compliance regulations. Depending on your industry, there may be particular standards for data storage. Encryption is a common compliance expectation.

It’s also a good idea to train your employees on the importance of securing data. Engaging in ongoing security awareness training can help protect your endpoints. This is particularly important with people working remotely and connecting from off-site locations.

Help with securing your cloud data

Migrating to the cloud has its benefits. Still, that doesn’t make it a straightforward process. Work with our IT experts to move your data to the cloud with minimal disruption. We can help you find the right cloud service provider and assist with data backup processes. Contact us today at (515)422-1995.

Beyond the Ransom: Dealing with Ransomware’s Aftermath

by

Ransomware is on the rise. The estimated 304 million worldwide attacks in 2020 represented a 64% increase. These attacks are growing more costly, too. Ransomware payouts jumped 171% from 2019 to 2020. For businesses in any industry, ransomware is a real threat, and recovery is more taxing than you might think.

With ransomware, bad actors infiltrate your devices or systems and encrypt your files. They demand a ransom in exchange for the decryption key that lets you get back to work. This type of cyberattack is always evolving. If you haven’t been compromised yet, you may want to think of it as only a matter of time.

What to do About Ransomware

There are many ways to cut your risk of becoming a victim of a ransomware attack. These include:

  • educating your employees in security awareness;
  • securing email gateways;
  • limiting remote access;
  • using multi-factor authentication;
  • monitoring remote access points;
  • keeping up with cybersecurity to identify threats.

You’ll also want to install antivirus protection and keep your software patched and up to date.

Maintaining encrypted backups offline can also offer reassurance that you can recover from a ransomware attack.

Recovering from a Ransomware Attack

Protection is essential, but that’s not going to stop the attackers from trying to infect your systems. If your business is compromised, you’ll have to decide whether or not to pay the ransom to unlock your data.

Yet “to pay or not to pay” is not the only consideration when it comes to recovering from a ransomware attack.

First, you need to get to the bottom of the attack and learn how the malware was deployed. Attackers may have used a phishing strategy or exploited weak remote access controls. Find out where they got in and how they moved within your system.

You’ll want to report what you know about ransomware to law-enforcement agencies. If you are in an industry with compliance regulations, you may need to report there, as well. Acknowledging the ransomware may hurt your business reputation, you can at least help others learn about new threats.

You may also need to contact your clients, depending on the laws in your country. You will need to tell them about the hack and what data was released (if any). You might also warn them against opening emails from your business, as they could be compromised.

After the initial steps of recovery, you’ll also need to hunt for any malware remnants on your systems. The ransomware is the final payload, but the attackers would have used a delivery mechanism such as Trickbot, Emotet, or Qakbot. If you don’t discover this malware and get rid of it, you could be a victim of ransomware again.

MSPs Help Combat Ransomware

Managed service providers can support your cybersecurity efforts. They can monitor your systems and keep patches and antivirus software current. They can also manage the backups which are key to a successful recovery. Contact us today at (515)422-1995.

Say Goodbye to 100 Passwords with Passkey Sign-on

by

The average individual has 100 passwords to remember, according to a NordPass study. Apparently, no one has studied how many we actually remember versus how many we reset over and over. No matter. New developments could save us from having to remember passwords altogether, as major players are moving to a single passkey sign-on approach.

What is passkey sign-on?

Apple, Google, and Microsoft have joined forces to support “passwordless” sign-in across all their mobile, desktop, and browser platforms. The initiative, announced in May to coincide with World Password Day, is expected to roll out in 2022/23.

What does passkey login involve? Users choose a physical device to use to authenticate them on apps, websites, and other digital services. For many of us, this would be a mobile phone. You’d unlock the phone as you normally do. Then, you could enter a PIN, draw a pattern, or use your fingerprint to sign into the digital services you need.

To put it simply, it’s a four-stage process:

  1. You navigate to the site or app or service you want to use.
  2. You approve access using your passkey device.
  3. A public passkey (mirroring the private one on your device) is shared.
  4. Login is completed.

You don’t need a password, because the login is done using a cryptographic token (the passkey). Your selected device shares that passkey with the website, app, or other online services.

Advantages of the passkey

Using a passkey means you need to remember only the one PIN or pattern to unlock access … or have fingertips! And you don’t have to come up with a complicated passphrase either, which means no more frustrating upper and lowercase character, number, and symbol combo.

The passkey sign-in method is touted as more secure. Passwordless authentication makes it more difficult for hackers to compromise login details. After all, they would need access to the physical device you use to access digital services, apps, and websites.

You keep personal information safe and cut password vulnerabilities that plague us today:

  • Phishing attacks, which use fake websites to capture login details, won’t work.
  • Brute-force attacks, which use trial and error to guess credentials, won’t get anywhere.
  • Spoofing your device will no longer work, as the passkey device must be near the computer.

Another plus? Passkey security is being set up to offer multi-device authentication. You’ll be able to sign in to an app or service from almost any device, and it won’t matter what platform or browser you’re using. So, you could sign in to Google Chrome and run Microsoft Teams using your iPhone, for instance.

Making the most of multi-factor authentication

Passkey security will use a FIDO standard to authenticate you in different contexts. This is a passkey protocol already supported in some online environments, but major players are now coming together to make it more widespread.

With a passkey that is unique to you, you’ll no longer have to worry about keeping track of multiple passwords.

Still, until this technology is available, you’ll want to protect your online activity. Our experts can help secure your home networks and set you up with a password wallet. Contact us today at (515)422-1995.

Businesses Beware OF Fake Meeting Requests

by

Hi,

Important that we meet discuss speerfishing attacks over business comunicatons. We need to make plan about this IMMEDIATELY. Please click on the link [uurl.callender.com] to make an appointment with IT for quick tutorial.

Regards,

IT

There are several things wrong with this email, and hopefully, you noticed them. All are red flags you can look for to avoid fake meeting requests or calendar-invite scams.

Business Email Communication (BEC) scams are not new. For example:

  • Facebook and Google suffered a $121 million BEC scam.
  • Ubiquiti lost $46.7 million to an attack.
  • Toyota transferred $37 million to crooks in a BEC snafu.

In 2020, BEC attacks were the most lucrative scam. The US estimated cybercriminals made over $1.8 billion with this approach. Beyond money, falling victim to a BEC attack also costs your business time and reputation. Here’s what to look for and how to protect against BEC scammers.

How BEC Scams Work

With many more people working from home and meeting virtually, there’s been an uptick in BEC spearfishing attacks.

On Gmail, the bad actor needs only your email address to send an invite that adds to your calendar by default. Then, you might click on what appears to be a meeting link, which actually takes you to a malware site.

Zoom has also become an attack vector. You get an invite to a meeting that asks you to login into Microsoft Outlook. You’ve done it so many times before, except this is a fake login page, and it’s set up to steal your access credentials.

How to Protect Against BEC Scams

Educate your users. As with any other type of email scam, users need to learn to be careful about the links they click. Some indicators to look for, which you can see in our opening example, include:

  • spelling mistakes;
  • urgent appeals;
  • poor phrasing;
  • suspicious links.

Email addresses, links, and domain name inconsistencies are more bad signs. Plus, be wary if something seems too good to be true (a free laptop?) or is an unusual request (transfer $1 million from the CEO’s account).

Google Calendar users can go into General settings, then Event settings, and switch off “Automatically add invitations.” Instead, select “No, only show invitations to which I have responded.” Also, under Events from Gmail, you can stop calendar events auto-generating based on your inbox. Keep in mind, though, that you’ll also be blocking legitimate events.

In these days of the hybrid workforce, we’re used to clicking on links from Zoom, Google Docs, and Microsoft Office as part of our daily workflow. The cyber bad guys know this and are taking advantage of it. Unsubscribing from email lists, keeping your email private, and reporting spam to IT can all help.

Your business might also benefit from working with a managed service provider to use a third-party spam filter. Our experts can also review your cybersecurity posture and identify areas to improve your defenses.

Contact us today at (515)422-1995

SMBs Can Become a Weapon in Cyberwarfare

by

Headlines today highlight Ukrainian tragedy or North Korea testing missiles. It can seem far away from your business, yet battles are being fought online, too. Your small business’s IT systems could be weaponized for cyberwarfare.

That statement may surprise you. You’ve heard of cyber targets such as:

  • critical national infrastructure;
  • election and voting organizations;
  • military databases;
  • government communication outlets.

In the days preceding Russia’s attack, 70 Ukrainian governmental organizations were hacked. Messages in Ukrainian, Russian, and Polish warned people to be afraid and expect the worst.

But, why would someone want to target your small business as part of their cyberwarfare? You may be only a stepping stone to help the attackers achieve their larger goal.

How your business can become a target

You could be the victim of a supply-chain or leap-frog attack, or you might have a business partner who is also an accountant to a defense contractor, or your business might be providing heating and air conditioning maintenance to a utility. That connection makes you interesting to hackers.

Attackers use you as a pawn in digital warfare. They expect you have fewer defenses than the highly funded end target, so they infect your network to facilitate their attack. They might send a fake invoice from your business to the target, one that is laden with a malicious payload. The client, trusting your credibility, opens the malware. From there, the attacker has access to the information they were seeking from the outset.

How to shore up your defenses

Increase your cyber vigilance. Don’t think that you are too small to be a target. Instead, create and maintain a cybersecurity plan. Follow best practices to keep your systems resilient, and ensure you have the proper protection in place.

This type of attack often leverages software vulnerabilities, so make sure that all your systems are up to date and patched, leverage antivirus tools, and stay current on the latest threats you should protect against.

Also, remind your employees about the importance of good cyber hygiene, the humans who work for you are often the weakest link. They don’t mean to cause any damage, but they click on that phishing email or go to that website with malware downloads embedded.

Multifactor authentication can also help you combat hacker access. Even if the bad actor does get a user’s credentials, they still need an approved device to get in. This makes it much more difficult to compromise your network.

It’s also a good idea to establish ongoing monitoring of any security events and install remote access controls. Geo-fencing can restrict certain foreign IP addresses, and Certificates can validate trusted computers that remotely access your systems. Then, use the data from those tools to identify any suspicious activity.

A managed service provider (MSP) can help with any of these defense tactics. We don’t want to see you turned into an unwitting weapon in someone’s cyberwarfare. Contact us today to learn more about what we can do to help reduce your attack surface.

Reach to us today at (515)422-1995.

Think Before Sharing That Link

by

Learning to share is an important early-life skill. Now, you’ve mastered it, and you’re out in the workforce. Happily, digital technology makes it much easier to share business files, but that doesn’t mean you want to do so willy-nilly. Consider these best practices for sharing with both internal and external users.

Cloud sharing makes it simple to share presentations, spreadsheets, documents, and other files. In OneDrive, Dropbox, Google, you can simply click on that document and click “share.” The link is created, and you can copy it into an email, or you can use a pop-up email from the software you’re working in at that moment. That done, you can move on to your next “to do” without thinking about it any longer.

Maybe not.

Unless you’ve set that link to expire, you’ve shared endless access to that file. Plus, you may have set the file up so that anyone with the link can open the file. You may even have given everyone with the link editing permission for that file, which means they can change the data or delete it. That’s today, tomorrow, weeks, months, or even years from now.

Think about that link before you share it. You may not intend that external contractor to have continued access to that presentation. You may want only an internal team member’s input before a client pitch, not in perpetuity, even after they’re no longer involved in that project.

Best practices with shared links

The problem compounds if you share folders. You might start out with a few files in that folder – the ones you wanted to let your client contact see – but, as time goes on, you add more files to the same folder. Do you want that client to be able to see all those files? Forever? Think about this before sending a shared link with broad permissions.

Yes, “anyone with the link can view” links are useful. They can help when you don’t know everyone’s email, or you don’t know everyone (internal or external) who will need access to a file. Still, it’s best to take the permission-based route. Allow only people with emails you know to access that file. You might set the default in your link sharing to “only people in your organization.”

Think twice about whether you want to make them editors, too. Remember that gives them the right to modify and delete that file. You might want only their eyes on the content, so limit what they can do to viewing only.

It’s also a good plan to set your links to expire. This stops the other person from continuing to access the files long after they need to do so. For confidential, sensitive data, choose a shorter expiration date; otherwise, you might go with a month. If the person needs access again after the link expires, you’ll be able to let them in again, but you’ll know you’re doing so.

Worried about unauthenticated access to your files, folders, or software and systems? Work with a managed service provider to enhance your security posture. Our experts are here to help. Contact us today at (515)422-1995.

Psst… What’s Your Master Password?

by

All of us like to think we are unique. That thinking extends to our passwords too, right? We’re special and distinct, so no one could guess our chosen collection of letters, numbers and symbols. Well, it’s surprisingly easy for algorithms to determine passwords and to do so extremely quickly. So, a password manager is a smart move, as you’ll have more complex, different passwords stored. Still, it’s important that your master password for that manager be 100 percent original.

Sure, your password may be difficult for a human to guess – it would take forever. But, computers can run through the possible combinations in seconds. Password Depot found that a password consisting of five characters (three lowercase letters and two numbers) can be hacked in 0.03 seconds.

Add characters and the volume of possible configurations increases, and that adds time. A seven-character password (one capital letter, six lowercase letters) will take approximately nine minutes. At eight characters (four lowercase letters, two special characters, and two numbers) things get more complicated. Trying all the possible permutations will take 2.6 days.

That’s a data-driven argument for complex passwords with many letters and numbers. But the problem is that they are so much more difficult to remember, and that’s why it’s a good idea to use a password manager.

The power of a password manager

A password manager offers top-notch encryption to protect passwords. You can use a password manager as a vault for all your passwords. When you want to log in online from your desktop, it can prefill your username and password. Often, there is also an app that allows you to do the same on mobile devices.

Industry-leading password managers also notify you if credentials are weak or get compromised. They may also flag that you are repeating access credentials, which is not a good idea.

Don’t forget your master password

Part of the appeal of a password manager is its zero-knowledge approach. They are set up so that they can’t see your stored passwords. The password is encrypted before it reaches the manager’s server and can’t be deciphered.

This means you have to be careful not to forget your master password. The master password is the one you use to access the password manager. Without it, you’ll have to try to recover your account using several stages of authentication.

Make your master password unique, and don’t use it anywhere else. Repeating passwords, as mentioned above, increases your risk of getting hacked. If the other site is hacked, the bad guys could try that same password on other sites, too. It’s low-hanging fruit for them.

The current best practice as far as passwords go is to use a passphrase with a mix of alpha-numeric symbols. This gives you a length of between 20 and 30 characters. You can use a variety of uppercase and lowercase letters, numbers, and symbols. Some examples of passphrases include:

  • My_Fave_Person_is_My_Fish_761
  • Mytrip-2-Paris-Was-Magnifique
  • YouRemindMeoftheBabe!!

The passphrase means something to you, so it is more memorable. Yet it isn’t easy for hackers to crack. Also, you’re not using specific personal details that you may reveal on social media (unless you are constantly posting pics of your fish, and its name is actually 761).

Protecting your online identity

Want to know more about protecting your online identity? Need help with setting up security procedures for your home computer and network? Our tech experts are available to help. Call us today at (515) 422-1995!

Could the Business You Work for be More IT Savvy?

by

Working for a small business, you can be asked to wear many hats. Even if one of your many roles is not IT, you may need to speak up about your business technology or cybersecurity.

It’s easy to think cybersecurity is someone else’s responsibility, but IT may not be getting the attention it deserves, and that could be damaging to the business, your career, and your identity.

A data breach can destroy a business. Cybersecurity Ventures estimates that 60% of small businesses close within six months of a breach. It’s easy to calculate why. In Ponemon’s annual Cost of Data Breach report, the average cost was $161 per record. That adds up. If you’re at a business that can’t recover, you could be out looking for work again.

Of course you care about your customers. You don’t want their personally identifiable information (PII) getting out to criminals. But their information isn’t the only thing at risk. Your employer has a lot of PII about you, too. They’ll have your name, address, salary amount, and bank account details. Plus, they may have health information related to your benefits. They probably also have copies of your government identification.

Not only about protection, prevention

If your business tech is out of date, you’re at greater risk of cyber vulnerability. But improving IT isn’t only about protecting data and preventing downtime. Having the right technology to suit your business can also help you be more productive. Speaking up about IT could see the business improve, grow, and gain resiliency.

Working with a good MSP can help both you and your business:

  • If your company isn’t as protected, IT experts can help with data security or backup and disaster recovery.
  • Frustrated by network failures, lagging conference calls, or error messages? Trust the MSP to make sure the business technology is up to the task.
  • When the devices you’re working with aren’t doing what you want them to do, the MSP can suggest the right tools for the job.
  • Feel like you’re wasting time on repetitive or mundane tasks? An MSP partner could help you embrace automation. Allow machines to take on the routine and leave you free to focus on the more challenging and innovative work.

A slow system is painful to use. Having to wait even a few minutes for a computer adds up over a 40-hour work week. Worrying about the security of your data doesn’t help your focus at work either.

You don’t have to be an IT expert to understand that there is room for improvement with your technology. Connect us with your employer to schedule a consultation for your business needs!

Contact us at (515)422-1995.

Click to see our BBB Report

FOLLOW US

VISIT US

Privacy Policy