Wednesday, April 8, 2015

The fear of the click!


We don't think of clicking on a link as social engineering, but it is. The number one cause of breaches today is still someone being tricked into clicking on a link which launches malware and compromises a system. Yes, even I have fallen into that trap in my years of computing, but it was because I was not paying close enough attention to what I was clicking on. I, like many IT professionals, use free tools to get certain tasks done, and there are a great many dangers lurking out there when you are downloading ANYTHING for free.

Today the FBI put out a bulletin about the bad guys putting up web sites that look much like the government sites they mimic. If you are not paying attention, you find yourself on a site that is going to nab you like a spider nabbing a mosquito in its web and eating it. Poof... Identity stolen.

A perfect example I keep running across is when someone lands on a site and it prompts them to "Update your Java". OMG!! Better do that!! So they click on that link and... you guessed it. I am in there cleaning up a system again. If you really think Java needs to be updated, then go to JAVA.COM and update it. That little extra step can save you a ton of grief, pain and money, but I still run into companies where people just don't get it yet. And guess what? The bad guys are not getting dumber! Every time there is a major event the fake emails with a link roll out again. It's like shooting fish in a barrel.

The numbers are all over the board as far as what this information is worth. I have heard as high as $15 per identity down to $.10. The key is volume. Back in 2013 the number of DAILY spam messages was 100 BILLION. YES! Billion! Even at $.10 per identity it doesn't take a huge number of hits to make a profit.

Recently we have heard about the breaches of medical records. Why? Medical records go for almost 10 times what a regular record goes for. 2014 seemed to be the year for retail to get hit, and now we see Blue Cross and others getting hit. I am thinking that we will not really see a drop in these attacks. Many attacks in that industry are not even reported, and what few people realize is that attacks are just a part of daily life in that industry.

So why? Why go after them in the first place? I get asked that question all of the time. Just replace the credit card and everything will be OK and you move on with your life. Right? In the case of medical records the bad guys use the record to buy things such as prescription drugs they can sell on the street or medical supplies, or to commit Medicare fraud. In the last two years Medicare fraud totaled around $6 billion according to the Medical Identity Fraud Alliance. Making matters worse, records in the health care industry are among the easiest to obtain. Think about a hospital. Are they going to spend more on that new piece of medical equipment or on new technology to prevent theft? I think we know the answer.

I have not even touched on PCI-DSS compliance for businesses, which is a whole subject in itself. I am amazed at how many businesses do not realize that the banks took huge hits last year because of breaches. Do you think banks will continue to eat all of those costs? Ya.. I don't think so either. They are now saying you had better have the 12 areas of PCI-DSS in place or you, the business owner, will wind up eating those costs. In many cases small businesses will not survive a breach because those costs will probably be a minimum of $250,000. PCI-DSS 3.1 comes out in the middle of April and it will get even more complicated, because it no longer allows a technology that is very commonly used for encryption (SSL). That is because of big holes discovered in the technology last year.

I will go into further detail on PCI-DSS in future blogs and go step by step through what that requirement is. The bottom line is that the cost of doing business will increase because of these breaches, so the time is now to understand what can be done in your corner of the world. It is more vital to your business now than ever. That importance will only increase moving forward, so don't get so far behind and poof!!! GONE!!

Monday, March 30, 2015

When you have a Cyber attack.. Who are you going to call?



It is not if. It is when. When you have a cyber attack, do you have a plan? If you're a small business you probably have not even thought of it. Your network suddenly grinds to a halt (Denial of Service attack). How do you handle that? Who do you call? Is it bad enough to call the authorities? (Believe me, they do want to know.) Do you have a qualified person on your speed dial that you know can come in to mitigate it? How about a major virus attack? My guess is no, because there are not a lot of qualified individuals in the marketplace.

I have been called in after an attack has happened and someone has tried to fix it. Forensically it was much more difficult than if I had been first on site. I am finding more and more these days that I am usually cleaning up a virus that is half gone. If your professional does not understand that you have to eradicate these things completely, then you are still vulnerable. This is why I put tools in place to see what traffic is going across that network and where it is coming from. I can pinpoint issues pretty fast, but that comes from a lot of experience.

Gone are the days of running a little bit of Malwarebytes and just thinking that everything on the machine is clean. Things are much more complicated than that. Your run of the mill "IT PERSON" is getting outgunned these days. So where does a business get help?

My answer is that really good security professionals available to small businesses are few and far between. Most are sucked up immediately by large companies. The smaller IT shops have so many other things going on just keeping businesses running these days.

So where is that threshold? How do you recognize when to call the authorities? I have called my friends at the FBI on several occasions when a client calls and there is an active attack going on, but the general public probably would not have such great luck with it. So here are my quick and very high level guidelines.

If you are getting a Denial of Service attack (basically so much traffic hits your network from a virus that you can't use it), certainly call local authorities. They may, and probably will, refer you to someone like IC3 (www.ic3.gov), which is frankly where I would start. They can and will help you.

If it is some type of fraud or you think data is stolen, then call the FBI. You should have a local field office somewhere near you. You can find one by going to www.FBI.gov.

Don't be afraid to call anyone. I think one of the big mistakes is that businesses just deal with the problem. If it isn't reported, then the authorities cannot get a good picture of what really is going on. I personally have a portal I go to where I report any type of malicious behavior.


The more we can let the right people know how many attacks, of what type and when, the better we can defend ourselves. It's getting tougher each day, so call someone. If it is an IT person, try to find one with a certification. If not, get anyone you can to at least try to knock it down. We have to do this together!!

Monday, March 23, 2015

Security by Obscurity


Businesses all over the nation go through each day with security in the back of their mind. WAY back in their mind, because they think it will never happen to them. They remain out of the spotlight. They are not a Target or Home Depot. They may have 10, 20 or even 100 employees and think "why would anyone want my information?"

The fact is that the bad guys are figuring out quickly that small businesses lack even basic security practices. Not patching a system makes it easy even for the not so proficient hacker to get into a system. I deal with a lot of small businesses. In most, but not all, cases convincing them to take some precautions like putting in a good router, patching systems and even changing passwords is not very difficult. There are a few that will not listen.

I know of a recent case. A company refused to patch and put some simple security procedures in place. They were an escrow company. HUH??? So they are wiring millions of dollars all over the place, but securing the network was not such a big deal because they were small enough that nobody would even bother with them, and they barely had a web site, so they were hidden.

Um... news for you. The bad guys scan the Internet every day for servers out there and can do that very easily courtesy of tools developed by a university (I am not saying which). The tool goes out every week and scans the entire Internet to find every server out there and what software it runs, and with the addition of some other tools it can tell you what ports (doors) are open and even what flawed software they are running. A little research. A little social engineering and bingo.

A few days later their accountant is trying to pay some bills. Errors. It keeps saying there is a login error on their bank account. Once they finally reset the password (the hackers had reset it; that's why they could not get in) they find that hundreds of thousands of dollars were sent to Russia and even more to China. Some of the money was recovered... but I cannot say the same thing for the company itself. They don't exist. They were not big. They didn't do a ton of business like a Target. They didn't bother paying a professional a few thousand dollars to harden the defenses. Instead.. they thought they were invisible.

Well they are now!! The thing is that frankly nothing is bulletproof. Just like I can't keep someone from getting into my house if they really want to get into my house, but I sure am going to put a bunch of roadblocks in their way. The longer any bad guy spends trying to get in, the more chance there is he will give up. That is reality. I cannot protect any business 100%.

As I say to my clients and anyone who asks: at least lock the door. By not patching (patching is applying the updates that Microsoft diligently puts out every 2nd Tuesday of every month to fix all of the holes they find) or not putting some better equipment in, you might as well hang a sign on the door saying "Come on in. Have a look around. Take what you like. I will never know you were here."

Hopefully as I write this some businesses will at least consider looking at things, but if you don't know where to start, Google it. Otherwise call a qualified security professional. I have seen a lot of bad security practices, folks. (More on that later.) Do something. It is better than nothing..!!


Friday, February 27, 2015

That bad feeling you get in your stomach. Can I restore my files?



The first thing I check when talking with a potential client is whether I can restore a file from their backup. Notice I did not say I check to see if they do backups, because most do. Or they think they do. We go to test and.. that tape failed (74% eventually do). Panic!

This morning started with a phone call at 6:45. "Our system is down!" Where does your mind go? Immediately mine goes to "Did the backup run last night?" Can I trust it? Do I know for a fact that I can restore from it?

That is a sick feeling, even though just a week ago I did indeed test it to make sure I could restore. Worst case scenario I just lost a week of data. Not catastrophic, but it's not going to be a good day if that's the case. I still was not quite sure. No need for caffeine this morning. I am awake.

First step is to VPN in to the client's system to see what I can see. Can I ping it? (A ping is like throwing a ball at something you cannot see in the dark. If it returns you know it's there. If it doesn't.. YA) YES!! I can ping it, so that means at least it is breathing. I cannot log into it though.. (I guess I can breathe a little.. very little).

I get on the phone with the person who discovered our barely breathing system. The client is 45 minutes away. They open in about 6 minutes. HMMMMM.... Quickly I verify that the backup ran the night before. YES, but with errors. I can see when it lost communication. I am now in a state of elation and horror.. and it's Friday of course! Seems to always happen on a Friday...

I tell the client to PUSH and hold that power button until it dies... I can hear the fans shut down. Let it rest for a little bit. He hits the power button again and the server comes back to life.

At this point I know there will not be an answer for about 8-10 minutes (it is an old server). I jump in the shower thinking of all of the good, bad and ugly this day may turn into. When I get out I check my phone.. Nothing. I get dressed and go into my office. VPN, connect... AND!! Bingo.. All systems go and running like a champ. Test functions.. All look happy. Client says "THANK YOU".

I have had enough cases in my career similar to this where I wasn't quite sure that, if I needed a full restore, I could do it. Major projects were never a problem because we did full backups and multiple test restores, so confidence was there. I did have one case of a client getting hit hard with a ransomware virus (it encrypted half the network). The restore started OK but would die after 15 minutes. It was brutal, but I did get it back because there was an additional layer of protection where it was backed up to a cloud server. It was a much longer time frame, but it came back.

So the moral of this story is: how much faith do you have in your backups AND your restores? My typical disaster recovery plan for clients is an on site storage system coupled with an upload to a cloud repository each night. I will probably never be 100% sure I can get everything back. That queasy little feeling will be there no matter how much I test. When it comes to security nothing is 100%, but at least I know I am doing everything I can to give it a fighting chance.
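As an added example (my own code, not from this blog), here is the check the post describes doing by hand, written as a Python restore test: it backs up a constructed sample share to a tar.gz, restores it into scratch space and compares every file's SHA-256 against a manifest taken at backup time, then truncates the archive to show what a backup that "ran, but with errors" looks like to the same check. The tar.gz and the sample files stand in for whatever tape or cloud target a client actually uses.

```python
"""Restore test: prove a backup can actually be restored, not just that it ran."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample files standing in for a client's file share (not real data).
SAMPLE_FILES = {
    "ledger/2015-02.csv": b"date,vendor,amount\n2015-02-26,ACME Supply,1250.00\n",
    "docs/wire-instructions.txt": b"(constructed sample document)\n",
}

def sha256_of(path):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def make_backup(source, archive):
    """Write source/ into a tar.gz and return a manifest {relative path: sha256}
    taken at backup time; a later restore is checked against this manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in Path(source).rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
    return manifest

def verify_restore(archive, manifest):
    """Restore the archive into scratch space and compare every file with the
    manifest. An archive that cannot be read at all counts as every file missing."""
    missing, corrupt = [], []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")
                except TypeError:  # older Python without the tarfile filter argument
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return {"ok": False, "missing": sorted(manifest), "corrupt": [], "error": str(exc)}
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_of(restored) != expected:
                corrupt.append(rel)
    return {"ok": not (missing or corrupt), "missing": missing, "corrupt": corrupt, "error": None}

def run_restore_test():
    """Back up the sample share and verify it, then damage the archive the way a
    failed tape or dropped connection would (truncate it) and verify again."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "share"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        archive = Path(work) / "nightly.tar.gz"
        manifest = make_backup(source, archive)
        healthy = verify_restore(archive, manifest)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # the backup "ran, but with errors"
        damaged = verify_restore(archive, manifest)
    return {"healthy": healthy, "damaged": damaged}
```

Run the verify step against a real archive on a schedule and alert on anything but `ok: True`; a backup job that reports success is not the same as a restore that has been proven.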

Thursday, February 19, 2015

Is Your Biggest Cyber Threat Inside Your Own Company?




This afternoon I was at an InfraGard meeting (I am a member of InfraGard, which is a partnership with the FBI to protect the US infrastructure, https://www.infragard.org/) and there was a presentation on insider threats for cyber security. Truly eye opening with some of the stats given. One of which was that an estimated 73% of breaches are done intentionally or unintentionally from the inside.

The unintentional ones are when an employee clicks on a link that loads some malware, spyware or other harmful ware which is used by the bad guys to get inside. It is like someone unknowingly letting an intruder in by unlocking the door and walking away. In the meantime the intruder quietly strolls in to have a look around and do what he pleases, undetected. I have seen examples of this myself. Though this can be a significant event, the examples of other ways were shocking in how huge an impact they can have.

AMSC made software for a company called Sinovel, and suddenly its orders dropped. The long and the short of it is that the software was stolen by Sinovel and AMSC sued them for $1.2 billion. Why? One person stole proprietary information and gave it to Sinovel. The result was devastating: jobs were lost, families affected and ripples felt throughout industries. Proper measures were not in place to protect the intellectual property.

In another case presented today an individual stole information from the Medical College of Wisconsin. http://www.scmp.com/news/world/article/1280109/chinese-researcher-pleads-guilty-stealing-drug-us-medical-school In this case the individual downloaded 2.4 million files to a personal hard drive and sold the information.

I myself have been involved in the aftermath of employees who were disgruntled and tried to either destroy or steal information from employers. How devastating would it be if your client list, information about business dealings or the blueprint for your product walked out the door and was sold to your competitor? Yet I do not see companies taking this seriously. How much is going on that we don't know about?

So how can you stop this? It is critical that you put in place policy and procedure which will first of all make it harder for this to happen and second of all detect when it does happen. I hear so many times from business owners how much they trust their employees. I also have seen multiple cases that those same employees are robbing them blind. We are trusting especially here in the Midwest. There is a difference between trusting and being aware.

I have seen one company get put out of business and destroyed because of this scenario. They trusted everyone, only to have an employee turn on them, and within 8 months they were done. Lives destroyed and a business ruined.

IF your gut is telling you to look into things that do not seem right, then follow it. The worst that is going to happen is you are wrong. I am not saying to be paranoid. I am saying you need to be aware.

It’s your business. I do everything I can to protect mine. Sometimes it’s not comfortable… but it is necessary. Don’t be your own worst enemy.

Wednesday, February 11, 2015

BYOD. Bring Your Own Device or Bring Your Own Disaster!




I was at one of my regular clients this morning working through my list of maintenance tasks etc. I had a complaint about the network being slow for most people. I started to investigate and as I looked at my statistics and logs I found something that disturbed me a little. There was a device on the network that was using a very healthy amount of the bandwidth. Think of bandwidth as a 4 lane highway. The more cars that are on it, the more the congestion, the slower the speeds. This morning’s example was like one very large truck taking up all 4 lanes slowing everyone else down.

Anyway. My software told me the MAC address (this is an alphanumeric identifier assigned to the actual hardware, whether it is a phone, computer or tablet). It also gave me the IP address (network address) that was assigned to that device. As I traced it I found the traffic was flowing out, not in. What that means is the device was sending large amounts of data. It was not downloading an update or anything like that.

It was identified as an iPhone by the router. With a network full of devices to sift through and several people in training on site, I decided to simply block that device from sending anything out of the network. The congestion cleared and things returned to a normal state, making me friends with many of the users again.

From a technical standpoint you should realize that the software could be wrong, the address can be faked and I could be chasing a ghost if the person goes off site, so I didn't chase. The point to all of this is how one device (if it was indeed an iPhone) can literally bring a network to its knees. I have advised this client several times not to leave the wireless open, due to the fact this can so easily happen.

It did get me thinking as to how you as a business control this yet provide the access needed. More and more Androids and iPhones are being infected and many times the users will not know. They stick it on the network and BANG. Problems!

The question to ask is why allow the access? Why let people use their own device? It may be cheaper up front or more convenient, but in the long run you may sacrifice the functionality of your entire network. I equate it to owning a race track where high performance cars are running and then letting your neighbor take his SUV on the track: it will eventually catch up with you and slow everyone else down.

Many companies have a BYOD policy of what people can use and connect to the network. Policy and procedure is really the key to being successful. Without it you open up your network to the wild west of devices. People don't even know most of the time when their device is infected, and then it turns into time spent by the IT department looking for that device. Even at that, what do you do once you find it? Clean it for the individual? How do you prevent it from coming back on your network?

Control what can go on your network. Make sure you understand the safety concern and why. It really doesn't take much to ensure that network is running at peak efficiency. Most data breaches and viruses happen from within. Introducing devices you cannot control can open you up to a world of pain as well as a major headache.

So what would a BYOD policy look like? First ask yourself the question: why allow external devices? The only reason should be a business purpose. Not because you want people to be able to surf the net at lunch break. I see the mistake made by business owners where they are trying to keep employees happy by offering the ability to jump on the network. My question is how unhappy you will be when people cannot do their work because of the scenario above?
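As an added example (my own code, not the router software from the post), here is the same triage done over constructed flow records in Python: it totals bytes per MAC in each direction, then flags a device that both dominates outbound traffic and sends far more than it receives, which is the "flowing out, not in" signal that rules out a mere update download. The CSV layout, the MAC and IP addresses, the byte counts and the thresholds are all invented for the example.

```python
"""Find the device flooding the uplink: per-MAC byte counts by direction."""
import csv
import io

# Constructed per-flow accounting records in the shape a router or flow
# collector might export: timestamp, client MAC, client IP, direction as seen
# from the LAN (out = leaving the network), bytes. Every value is invented; the
# locally administered MAC 02:... marks the suspect device. Two rows are
# deliberately malformed to show the parser skipping bad input.
SAMPLE_RECORDS = """\
ts,mac,ip,direction,bytes
2015-02-11T08:05:00,02:00:00:aa:bb:cc,192.168.1.23,out,300000000
2015-02-11T08:05:00,02:00:00:aa:bb:cc,192.168.1.23,in,2000000
2015-02-11T08:05:00,00:1a:2b:3c:4d:5e,192.168.1.10,out,12000000
2015-02-11T08:05:00,00:1a:2b:3c:4d:5e,192.168.1.10,in,180000000
2015-02-11T08:06:00,02:00:00:aa:bb:cc,192.168.1.23,out,600000000
2015-02-11T08:06:00,02:00:00:aa:bb:cc,192.168.1.23,in,3000000
2015-02-11T08:06:00,00:1a:2b:3c:4d:5f,192.168.1.11,out,8000000
2015-02-11T08:06:00,00:1a:2b:3c:4d:5f,192.168.1.11,in,120000000
this line is garbage and must be skipped
2015-02-11T08:07:00,00:1a:2b:3c:4d:5e,192.168.1.10,out,not-a-number
"""

def parse_records(text):
    """Yield (mac, ip, direction, bytes) tuples, skipping malformed rows."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            nbytes = int(row["bytes"])
            direction = row["direction"].strip().lower()
        except (KeyError, TypeError, ValueError, AttributeError):
            continue
        if direction in ("in", "out") and nbytes >= 0:
            yield row["mac"].strip().lower(), row["ip"].strip(), direction, nbytes

def totals_by_device(records):
    """Aggregate bytes per MAC in each direction and remember the IP last seen."""
    totals = {}
    for mac, ip, direction, nbytes in records:
        entry = totals.setdefault(mac, {"ip": ip, "in": 0, "out": 0})
        entry["ip"] = ip
        entry[direction] += nbytes
    return totals

def flag_top_talkers(totals, share_threshold=0.5, ratio_threshold=10.0):
    """Flag devices that account for more than share_threshold of all outbound
    bytes AND send ratio_threshold times more than they receive. Uploading far
    more than it downloads is what separates a device pushing data out from one
    merely pulling a large update. Both thresholds are assumed starting points."""
    total_out = sum(e["out"] for e in totals.values()) or 1
    flagged = []
    for mac, e in totals.items():
        share = e["out"] / total_out
        ratio = e["out"] / max(e["in"], 1)
        if share > share_threshold and ratio > ratio_threshold:
            flagged.append({"mac": mac, "ip": e["ip"], "out": e["out"], "in": e["in"],
                            "share": round(share, 3), "ratio": round(ratio, 1)})
    return sorted(flagged, key=lambda d: d["out"], reverse=True)

if __name__ == "__main__":
    for hit in flag_top_talkers(totals_by_device(parse_records(SAMPLE_RECORDS))):
        print(f"{hit['mac']} ({hit['ip']}): {hit['out']} B out, {hit['in']} B in, "
              f"{hit['share']:.0%} of all outbound traffic")
```

Tune the two thresholds to what the network normally looks like, and treat a hit as a lead to verify (the post's own caveat: the MAC can be faked and the software can be wrong), not as proof on its own.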


Saturday, February 7, 2015

Get Serious about Cyber Security

Is Your Business Serious about Cyber Security?



Most of my clients are small businesses, and as with any size business IT spending comes down to ROI (Return on Investment). Recently I had a client ask me to stop doing monthly updates. My response was that the rule today is pretty much to do those updates on a regular basis. His reasoning was that he is trying to cut expenses and it "Wasn't Necessary".

Security is not a sometime thing. It is an all of the time thing. We really need to be more vigilant now than ever. I remember a client who did not renew the virus scanning software, for the $300 it would have cost, in order to save money. It caught up with him. A virus snuck by that would have been caught by current signature files and his network was infected. This wound up costing him thousands in the long run, and that was just the measurable impact. The loss of production, people not able to do the work, the ticked off customers can literally destroy businesses these days, so what is the ROI on that virus scanning software? You can never predict what might have happened if you didn't have it, but in this case the effects were brutal.

I was talking to another business man the other day and he put it quite bluntly. He said not keeping the security portion of IT invested is like not putting oil in a car. It will run for a while, but eventually you get burned.

I guess it is what I have seen for years. The "Why would anyone want to attack my network" syndrome. Well, identity, financial and ransom are just a few I can name. If businesses do not have a good security plan I believe the odds will continue to grow that they will be hit.

So how serious is your business about it? How much have you invested in your security and where is that investment? Too many companies invest in some good hardware and security measures and then leave them, hoping they are protected. Hardware alone will not do it, folks. It has to be planned and watched. It's like setting up video cameras and never looking at the monitor or recordings to see if anything happened.

Lastly, I had a new client I interviewed last week. They were getting prices from several places on how they can secure their systems better. As I was going through the process I asked if anyone had talked to them about PCI compliance. (They are a retail store.) They said none of the bidders had done that. SHOCKING!! IT professionals with or without a security background need to understand things like PCI compliance or they are doing their customer a disservice. I am still amazed at how many businesses are not even aware of the 12 areas of PCI-DSS. Everyone needs to understand how important it is, what it is and how to become compliant no matter the cost. If not now, when?

And by the way. I wasn't the lowest price but I did get the job :)