CNN recently ran articles on the increasing number, sophistication, and severity of cyber-attacks occurring in the United States. After reading the articles, you quickly realize how this threat has evolved from affecting individual users to affecting our national corporations and the government.
At its basic level, personal identity theft and financial loss are the primary concerns of a cyber-attack. This threat has existed for years. More recently, US corporations are now facing cyber-attacks, where loss of client data and intellectual property are the main concerns. In addition to the corporate world, US government agencies are experiencing attacks aimed at various components of US infrastructure and institutions. Because many of the attacks are initiated by not only criminals, but also nation states, the US government views these actions as “cyber warfare” and a threat to national security. The goal of these attacks is to steal business knowledge and negatively impact US infrastructure such as telecommunications, power, and water. They have increased exponentially in number and severity and have the US government very concerned.
The Obama administration has taken steps to address these growing concerns to national and business security by signing an executive order initiated to stop or slow cyber-attacks. US government agencies are being tasked with assisting more in the defense and prosecution of attacks, providing corporations with information to enhance their own security, and enlisting the help of foreign countries in controlling attacks.
Corporations that were once slow to accept the government’s advice and offers of partnering in the cyber warfare fight are now realizing its impact and importance. They are applying more resources and effort toward developing strategies to minimize their exposure.
In light of this rapid evolution, everyone should consider and question how safe they are as an individual or business entity.
Hard drive encryption is one of those tools that administrators have a love/hate relationship with. In its simplest terms, it is a way to secure data so that it is inaccessible to those who are not authorized to have access. There are different ways to encrypt a hard drive, depending on how secure you want to make the information and how easy or difficult you want to make access to that data.
First off is the basic hardware encryption. This typically requires a simple password to unlock the drive for use. As soon as the computer is booted, a password is requested in order to be able to use the drive. If the incorrect password is entered a certain number of times (typically three), the system needs to be either rebooted or power cycled to be able to try again. If the password is not known, the drive is not accessible.
Secondly, there is software encryption. This is a program either installed on or integrated with the Operating System that can use any combination of ways to unlock the information encrypted. It could range from a simple password like the hardware encryption technique described above, to requiring a security certificate and password combination, to one that requires a specific hardware aspect (such as a specialized flash drive inserted into the system) and one or more software measures (password, security certificate, and/or biometric reader) that are all required for access.
So why do administrators have a love/hate relationship with it? The good part about encryption is that if a drive or system is either lost, stolen, or somehow ends up in the wrong hands, it is difficult or impossible to break the encryption to access the information. Obviously, the more secure the measures to encrypt the data, the more difficult it is for any would-be hackers to access the information that they are not authorized to have.
The bad part about encryption is if the access method to the data by those authorized to have access is not available (password forgotten, specialized flash drive left in the office when the laptop is taken home, etc.), the data is not available when it is needed. This typically is only a nuisance, as the password can be retrieved if either a Master Password or some other password-recovery method is utilized or the specialized flash drive can be retrieved from the office the following business day.
The ugly part comes in when something out of the ordinary occurs. Most of the time, this is something along the lines of a particular person having the encryption password with no Master Password created, and then that particular person leaves the company. Or it is the specialized flash drive that gets broken or is unreadable by the system. Some of these types of risks can be mitigated by having a recovery measure implemented, like a Master Password or a secondary flash drive with the decryption information stored on it. However, not all risks in regard to hard drive encryption can always be avoided, as sometimes information is encrypted and should only be accessed by one person for security reasons.
So should you use hard drive encryption? The answer: it depends. How secure do you need your data to be so that if it does fall into the wrong hands, it won’t be easily accessible? What steps are you able and willing to implement to mitigate the risks imposed if the primary access method is permanently lost? What is the risk of the data being lost/stolen versus the inability to access that data?
If you need help with a disk encryption solution, please contact Trigon today!
Concerned about social media and its impact to your corporate security? If not, you ought to be. Proliferation of social media has made it a fact of life. It’s everywhere and everyone’s using it. Companies leverage it, users depend on it, and hackers try to exploit it.
So what’s the risk, why all the fuss? Well for starters, the exposure. The majority of your employees will likely check their personal social media webpages multiple times a day and may be spending far more time doing so than you’d feel comfortable with as a business owner or IT manager. Additionally, your Marketing and HR departments are probably doing the same, albeit for useful purposes with the company’s best interest in mind. The number of people and times they are accessing social media only add to your company’s exposure level.
With all this exposure, what are the actual security risks? They vary and run the gamut from individual identity theft to network breaches. They may include:
- Legal Ramifications – This includes individual postings or activities performed while at work and may expose the company to potential liability. Activities may involve sexual harassment and cyber bullying.
- Malware Attacks – Social media websites provide a gateway for malware. Exposure grows significantly with the combined use of standard workstation computers, smartphones, and tablets. Malware, viruses, and spyware are all potential risks.
- Reputation Damage – Posting derogatory messages or inappropriate photos that may jeopardize a company’s reputation. Damage of this nature may cause varying long term issues for a company to resolve and move beyond.
- Identity Theft – Besides stealing an individual’s personal identification information, hackers may also target individuals’ business identities. This information may be used to falsely represent one’s self as a business representative or to gain access to a business property.
- Proprietary Information/Intellectual Property Theft – This may include a user’s reference to a company project or providing detailed information about an upcoming new company product or development strategy. Critical aspects concerning jobs, products, and strategies are all business-owned elements that must be protected.
Now that you have a feel for the exposure and risks levels, what can you do to mitigate the risk to your company? The first option may be to simply block all social media on your network, but that of course would mean your company can’t utilize the benefits and opportunities social media offers at the business level. A second option may be to restrict who in your organization has access, but again you’re losing benefits of social media by limiting who may access it. A third, and now more widely accepted option, is access and education. Many companies now realize social media offers too many business advantages not to fully leverage it. These include improved communication, enhanced marketing, and increased business awareness.
What are some of the primary considerations in implementing an employee access and education program? First, develop and implement a Social Media Policy for your employees, which includes a clearly defined set of guidelines with examples. At a high level, this policy should cover all business data, employee, and webpage classifications/restrictions. Your employees need to understand which elements of company information may be used, for what, and where. Second, start educating your employees on the policy itself and a “best practices” approach to the use of social media. This combined focus should cover both your defined guidelines and general common sense use to avoid risks. Provide periodic refresher sessions for reinforcement and coverage of any new threats or risks. A detailed Social Media Policy coupled with a continuing education plan will help ensure your corporate security from the potential perils of social media.
If you have any questions, Trigon presents Security Awareness Training on this topic for clients of all sizes in the Central Pennsylvania and Philadelphia region. Please feel free to contact us if you have any questions!
With more people bringing their own mobile devices such as tablets or personal smartphones into the workplace, mobile device management becomes more important than ever.
Blackberrys used to be the king of all mobile devices, and they were all company issued and managed. Email would be pushed to them through company policy, and certain restrictions such as passwords and encryption would be required. This required a costly investment in Blackberry Enterprise Server as well as on site email services.
Many people don’t know that these options are also available on Apple, Windows, and Android smartphones and tablets as well. Most businesses these days use Exchange for email, either hosted online or on their own servers. ActiveSync is a fantastic technology included with Exchange, and it provides many of the same features that Blackberry Enterprise Server offers.
Once someone configures their mobile device for email in an organization, it is linked to Exchange and ActiveSync in that organization. Administrators then have several options they can configure on the personal mobile device.
- Require device encryption
- Require a password (can be simple 4 digit number, or complex)
- Wipe a device after a certain number of incorrect password attempts
- Wipe a device remotely after it’s been lost or stolen
- Disable Camera/Texting/Wi-Fi
- Limit Email size
- Disable downloading of attachments
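Each option above corresponds to a setting on an Exchange mobile device mailbox policy. The PowerShell below is an added example, not part of the original post, for the Exchange Management Shell on Exchange 2013 or later or an Exchange Online session; the policy name, mailbox, device ID, notification address, and threshold values are assumptions.

```powershell
# Added example: policy name, mailbox, device ID and thresholds are assumed values.
$policyName = 'BYOD-Baseline'        # hypothetical policy name
$mailbox    = 'jdoe@example.com'     # hypothetical user

# One parameter per option in the list above.
$settings = @{
    Name                         = $policyName
    RequireDeviceEncryption      = $true    # require device encryption
    PasswordEnabled              = $true    # require a password
    AllowSimplePassword          = $false   # reject PINs such as 1234 or 1111
    AlphanumericPasswordRequired = $true    # complex rather than 4-digit
    MinPasswordLength            = 8
    MaxPasswordFailedAttempts    = 8        # device wipes itself after 8 bad attempts
    AllowCamera                  = $false   # disable camera
    AllowTextMessaging           = $false   # disable texting
    AllowWiFi                    = $false   # disable Wi-Fi
    MaxEmailBodyTruncationSize   = 100      # limit synced message body size (KB)
    AttachmentsEnabled           = $false   # disable downloading of attachments
    # Without this, devices that cannot enforce the settings may still sync.
    AllowNonProvisionableDevices = $false
}
New-MobileDeviceMailboxPolicy @settings

# Assign the policy to a user; it applies the next time the device syncs.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Review which devices are partnered with the mailbox.
$devices = Get-MobileDevice -Mailbox $mailbox
$devices | Select-Object FriendlyName, DeviceModel, DeviceOS, DeviceId, DeviceAccessState

# Remote wipe of a lost or stolen device, selected by its DeviceId.
# On a personal device this resets the whole device, not just company mail.
$lostDeviceId = 'PLACEHOLDER-DEVICE-ID'   # hypothetical value taken from the listing above
$lost = $devices | Where-Object { $_.DeviceId -eq $lostDeviceId }
if ($lost) {
    # -WhatIf shows what would happen; remove it to issue the wipe.
    Clear-MobileDevice -Identity $lost.Identity `
        -NotificationEmailAddresses 'helpdesk@example.com' -WhatIf
}
```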
There are many considerations when allowing users to bring in mobile devices to the workplace, but luckily the tools exist to reduce the security impact of allowing these additional devices. This will make employees happier as they can now use whatever device they feel most comfortable with, and it will make executives happy knowing that confidential information can stay confidential on these mobile devices.
With hosting services such as Office 365, Blackberry still offers these features for free now with Business Cloud Services.
With security enhancements in the most recent Windows operating systems and browsers, it’s hard to believe that viruses and spyware are still as rampant as ever. According to recent statistics, over 6,000 new viruses are released every month! The impact of a virus can range from simply annoying to having a severe impact on business productivity and profitability. For instance, some viruses and spyware will pop up advertisements or install toolbars in the browser. The impact is usually limited to one person and can be removed relatively easily in most cases. However, we’ve witnessed widespread viruses that have caused a company-wide shut down. All PCs needed to be completely rebuilt and data had to be restored from a backup vault. The financial impact of closing the doors for business for several days could threaten the existence of a company.
Many organizations install anti-virus and anti-spyware software, which is absolutely necessary. However, after the initial installation, there is usually no configuration, management or monitoring of the software. Anti-virus definitions are not updated, the solution may not be centrally managed and version upgrades do not take place. This is the worst case scenario as the expense is incurred but the solution is not effective at all. In order to counter this issue, Trigon offers Managed Endpoint Protection to its clients in the Central Pennsylvania and Philadelphia region. Some of the benefits of having Trigon install, manage and update your security software are as follows:
- Integrated alerts can be generated if any events arise
- Centrally managed and updated by Trigon
- No expiration date or lapse in service
- No application to install, upgrade or support
- Month to month billing based on actual usage
- Robust reports can be easily presented
- Cost effective – in most cases, it costs the same or less than purchasing your own software
If you’d like to discuss a Managed Endpoint Protection solution, please contact us and we can assess if your company would benefit from our offering.
Building a robust, secure, scalable and reliable IT infrastructure can be very costly. Conversely, not being prepared for an incident that could bring down the entire company for an extended period of time could be devastating and even more costly.
IT Risk Management is the process of defining and understanding the possibility of risk and the potential damage it could have on an organization. IT Risk Management is usually comprised of one of the following four areas:
- Security – Ensuring that corporate data is protected from both external and internal threats
- Availability – Making sure that systems are able to be accessed at all times. Or, in the case of an outage, that the impact can be limited and the systems can be recovered quickly
- Performance – Baselines are established and this metric is monitored regularly
- Compliance – Proper policies should be enabled to ensure that regulatory agency requirements are strictly adhered to
These identified risk areas are not the sole responsibility of the IT department. While there are technical components and business processes that must be managed by IT, employee training is extremely important. Even the most stringent security policies cannot prevent a security breach. The end users must abide by the policies accordingly and work within established guidelines on a consistent and daily basis. Security is a shared responsibility.
If you have not trained your employees on how to recognize and report possible risk or security concerns, Trigon Technology Group has a proven Security Awareness Program that can help your workforce make better decisions and, ultimately, lower your IT risk portfolio.
Is your infrastructure secure and scalable enough to support the massive influx of mobile devices?
If your company has 50 employees, it’s very possible that you are supporting over 100 devices connecting to your network. Most employees are carrying some type of mobile device (smart phones, iPads, and other tablets are the most popular) and, in addition, every laptop has wireless capability.
The increasing capabilities and low cost of mobile devices have changed the way employees are conducting business on a daily basis. More and more users are using personal devices for remote connectivity to company data. The advantage of this fast growing “Bring Your Own Device” or “BYOD” strategy is that it improves employee productivity and ultimately leads to better customer satisfaction. The obvious risks of a BYOD strategy involve security and maintaining the integrity of sensitive data that should be protected on the corporate network.
- Do you have control of the mobile devices accessing your corporate data?
To counter this risk, Trigon has the ability to remotely wipe devices with corporate data, enforce password policies, encrypt data and restrict app access on Apple and Android devices. If you have questions or concerns about the best way to manage or secure mobile devices, ask Trigon about their full lifecycle Mobile Device Management solution.
One thing that Windows gets a lot of flak for is the fact that there are so many viruses and other malware out there that can infect a Windows machine. Something that not many people realize is that Microsoft does try to take steps to make Windows more secure. While there are exploits and security holes within the Windows operating system, the larger issue lies with 3rd party applications such as Adobe Flash and Java, which are used more often by attackers to infect a computer. Realizing this, Microsoft created several protective features that can be used by 3rd party software manufacturers. These features are Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), and Address Space Layout Randomization (ASLR).
DEP, SEHOP, and ASLR were designed to reduce an attacker’s ability to use an exploit in a 3rd party application to install malware on the computer. Microsoft has included this functionality in Visual Basic and requires an application to be recompiled to include these features. For many well-established software manufacturers, this isn’t always an easy or worthwhile task to complete. For that reason, Microsoft has created the Enhanced Mitigation Experience Toolkit (EMET). When installed and configured, it will allow applications to use these features without needing to be recompiled. There is a warning that not all applications will function properly when using EMET, but if that is the case, the application can be removed from the list.
I’ve installed EMET on my own computer and can report that so far none of my commonly used applications, such as Chrome, Outlook, and Word, are functioning any differently, and I have confirmed in EMET that these applications are using the emet.dll file. I would definitely recommend this application for people who are concerned about the security of their Windows computing devices.
If you own or run a business and you would like more information on computer security or Microsoft products, then give us a call and let us assist you.
Google’s web browser Chrome has been praised as one of the most secure web browsers available due to the security features that were built into the browser. One such feature is sandboxing, which allows a piece of code to run in a restricted environment but does not allow it any I/O access such as the ability to write to the hard disk. Sandboxing has played a huge part in making Chrome as secure as it is. For three years Google participated in an event called Pwn2own, a competition to find security holes in popular web browsers, in the hopes of learning if there were any holes in Chrome that needed to be addressed. Pwn2own has laptops set up running fully patched versions of Mac OS X and Windows 7 with Internet Explorer, Safari, Firefox and Chrome. Each year Chrome came through unscathed. This year, though, Google opted not to take part in Pwn2own and instead created their own competition named Pwnium. Here they have offered contestants money for finding and exploiting security holes. At Pwnium a full exploit was discovered by Sergey Glazunov. The details of the exploit have not been released yet, but what is known is that Sergey managed to bypass the sandbox and gain full control of the computer using the access rights of the currently logged on user. Google has quickly patched the vulnerability and released the fix via Chrome’s automatic update feature.
I personally have to applaud the efforts of the software companies who take part in Pwn2own and Google with their Pwnium competition in trying to make the web a safer place for everyone. If you’re reading this and have questions in regards to security for your network then contact us and find out how we can assist you.
Every company has data leaks.
It is impossible to plug every one of them. It is possible to manage them, though. The data leak doesn’t have to be access to the network by nefarious individuals. Most likely it is your own employees taking action without really thinking of the consequences. Take the domain admin giving a domain-level account and password over the cell phone in a crowded elevator. He was trying to solve an issue, but missed the environmental conditions he was in. So now everyone in that elevator knew domain-level admin credentials for that company. But you don't know which company he works for, you say? Sure we do: just look at his ID badge, clipped for convenience to his clothing. It’s the little things that get you in trouble too.
Some sources of data leakage are:
- Allowing access to personal email: staff can send out data without you tracking it.
- Allowing USB usage: staff can plug in a USB drive, a phone, or even an iPod that can sip the data.
- Sensitive papers lying about on desks unsecured to be viewed by anyone.
- Talking about sensitive information in public spaces
How to manage this? Well, there are several ways. The most successful way is to institute policies for your staff. Making the staff aware that there are guidelines and consequences addresses most of the issues. You will need to have a training schedule for new hires and reviews for users. Having the user acknowledge the policies with a signed document will provide you a foundation for maintaining the security. These policies can range from something as simple as the clean desk policy, which dictates what can be left out when a user is not at their desk, to technology policies, which dictate what devices are allowed into the site and how they are used.
To support the policies you can leverage technology. You can use Active Directory Group Policies to control access to resources on the network and to control device usage, such as turning off USB ports. You can use third party applications to control web access to email, track access, and allow access.
This may seem draconian, and it can be if misused. But the trick is to apply the right amount of restrictions to protect the company and balance the access given for work. So you can't access Facebook on your work computer, big deal, you’re working. Odds are you have it on your phone anyway. Using technology to enforce the policies will enable you to maintain standards consistently all day for all staff. It is auditable and can be changed as the environment changes.
So keep your staff informed, your policies current, and use your technology to simplify and standardize, and revisit both often for review and updates.