People are the weakest link

People are the most vulnerable layer of network security for most businesses. Employees at nearly all levels play important roles in protecting companies’ critical assets. That’s why responsible businesses train and test their employees, and then repeat the process with updated instructional material.

Threats change. So to be effective, training must be constantly updated too. It’s not enough to do it once. It’s such an ever-evolving threat vector. Continuing to refresh is critical. Once good, human safeguards are in place, a company can put more attention on the mechanical means of protecting a network.

Protecting a company’s electronic assets can be especially challenging for small and midsized companies because they often lack the security staff and other resources larger enterprises can afford.

Viewing potential targets from the perspective of a hacker might help smaller businesses devise or improve their strategy for protecting a network from outside threats. Over time I have identified general areas cyber thieves are likely to examine in attempts to penetrate a company’s security.

Below, you’ll find five possible vulnerabilities cyber thieves commonly exploit. Businesses should keep these targets and solutions in mind while formulating or reviewing a protective strategy.

1. Outdated software. Apply patches and updates promptly. The fact that software is reported as outdated is an indicator of potential problems.
2. Open ports. Install a firewall if there isn’t one in place already and have it programmed to close ports that are open unnecessarily. Open ports can be pathways for intruders.
3. Social engineering. This is a key area in which the need for continuous employee training comes into play. Beware of phishing, for example. Phishing is when hackers use email or some other means of communication to try to acquire sensitive information or infiltrate a network.
4. Compromised credentials. Data breaches at many organizations have provided hackers access to all sorts of potentially useful information, including personal information, user names and passwords. A lot of that type of information is available on the dark web. Data breaches have increased the need for computer users to use unique and strong passwords for every account they have. In addition, they should change passwords often. Using an online password-management service can help users remember their passwords and stay organized.
5. System exposure. Be careful what parts of your network are accessible to the public. The public might not need access to a company’s customer relationship management strategy, for example. Limit employees’ network access to only what they need to do their jobs.

It is important for companies to have a layered approach to providing security. Viewing security strategy as a series of rings encircling mission-critical assets might help. The rings start at the outer perimeter and include layers of network, endpoint, application and data security. Precautions should be implemented at every layer, not just sprinkled about here and there.

Why You Should Consider Cyber Insurance Coverage

We have all heard it’s not a matter of if your organization will face a data breach, but when. Why? People. Many people with bad intentions across the globe are looking for ways to get rich quick by defrauding organizations. Meanwhile, an organization’s most valuable assets, its people, fall prey to these bad actors.

 

Information and Related Costs at Risk

 

What are these bad actors interested in? Almost everything. A recent study of insurance claims for incidents indicates the following data was at risk

 

●     Payment Card Industry (PCI) - 14%

●     Protected Health Information (PHI) - 15%

●     Critical files - 15%

●     Personally Identifiable Information (PII) - 26%

●     All others - 30%

 

As reflected, personal information such as social security numbers, birth dates, bank account information, credit card information and addresses tend to be highly sought after. Identity theft of individuals and businesses is the goal for the bad actors.

 

The average breach cost was $604,000. These costs were spent on crisis services ($307,000), legal defense ($106,000) and legal settlements ($224,000). Crisis services consisted of forensics, credit monitoring, notifications, legal guidance/breach coaches, and other related expenses.

 

A sample data breach calculator is available online through eRiskHub for you to perform your own calculation of a potential breach to your company’s data.

 

Industries at Risk

 

Small businesses and large businesses are all at risk. These bad actors see the value in attacking small companies with thousands of dollars available just as much as penetrating a large businesses with millions of dollars. The insurance claims study identified businesses with revenue under $50 million to be the targets 49% of the time. Companies with less than $2 billion in revenue accounted for 85% of the insurance claims.

 

The following industries reported the most incidents for insurance claim purposes:

 

●     Professional services - 20%

●     Healthcare - 17%

●     Financial services - 12%

●     All others - 12%

●     Retail - 10%

●     Education - 7%

●     Nonprofit - 6%

●     Technology - 6%

●     Manufacturing - 4%

●     Hospitality - 3%

●     Public entities - 3%

 

Data Breach Mitigation Tools

 

These criminals have stepped up their phishing, spoofing and social engineering game making it more difficult to detect fraud from reality. Through nefarious business email addresses posing as business owners to ransomware, these bad actors are working hard to deceive others. External threats are trying to penetrate your organization on a daily basis. Their plan? Compromise your people and your computer networks. Knowing this, you should be considering how to mitigate your cyber risks.

 

Many organizations of various sizes have been considering the following mitigation tools over the past several years:

 

●     Improved, secure hardware and software

●     Network security vulnerability and penetration testing

●     Pre-breach consultation

●     Incident response plan assessments

●     Cybersecurity awareness training for employees

●     Cyber crime insurance coverage

 

Proactive cybersecurity assessments are important in identify weaknesses and opportunities to strengthen your organization’s weakest links. In addition, it’s helpful for organizations to have a formal incident response plan in place should an incident occur. Why? Because when an incident occurs, you don’t want to have a third party come in blind. Being responsive to an incident is critical and clearly documented plans help skip the information technology background needed.

 

Doing something with mitigating cyber liability risks is better than doing nothing. In a perfect world, your organization would implement and execute proactive and reactive cybersecurity plans. However, resource limitations are a factor and organizations must consider insurance products to offset accepted risks.

 

Cyber Coverage Insurance

 

Odds are, if you have cyber coverage insurance, you may not know what is and isn’t covered. For example, do you have cyber liability business interruption coverage? In a 2018 survey of cyber insurance market trends, businesses are most interested in purchasing cyber business interruption insurance. Business interruption insurance covers the loss of income as a result of a disaster such as a data breach. It is important to note that not all cyber insurances include coverage for related business interruption.

 

The same can be said for extra expense coverage. This is commercial property insurance coverage allows for covering additional expenses incurred above and beyond normal operating expenses. This type of coverage is critical when an incident occurs as your organization will incur additional investigative, legal and crisis management expenses.

 

Other cyber specific coverages can include:

 

●     Funds transfer/social engineering

●     Cyber extortion/ransomware

●     Regulatory fines/penalties

●     System failure coverage

●     Data restoration

●     Reputational harm

●     Cyber-related bodily injury and/or property damage

●     Internet media liability

 

You will also want to ensure your errors and omissions insurance covers data breaches to protect you from third party lawsuits.

 

In addition to what your cyber insurance may or may not cover, you will want to have discussions with your insurance contact regarding:

 

●     Potential reduction in the premiums you pay for cyber insurance by having pre-breach consultations performed to assess your cybersecurity posture;

●     Listing your preferred third party of choice to be your incident response provider should an incident occur; and

●     Listing your preferred attorney with specialized cyber law knowledge.

 

By further understanding your insurance coverage, possible premium reductions and having your incident team assembled, your organization will be positioned to immediately address an incident.

 

Businesses Purchasing Cyber Coverage Insurance

 

The 2018 survey of cyber insurance market trends identified small (less than $50 million in revenue) to medium size businesses ($50 million to $1 billion in revenue) were driving the growth of cyber insurance. The following industries represented the majority of the new purchasers of cyber insurance:

 

●     Healthcare - 42%

●     Manufacturing/Industrials - 40%

●     Financial Services/Insurance - 38%

●     Retail/Point of Sale - 24%

●     Government and Nonprofit - 18%

●     Energy/Utilities - 18%

●     Education - 16%

●     Other - 8%

 

Drivers for Purchasing Cyber Coverage Insurance

 

Motivation for purchasing cyber coverage insurance is like fashion, buyers make decisions based on what they see in the news. The 2018 survey found news of cyber-related losses being the number one drive of businesses purchasing cyber insurance. Other motivating factors included experiences of cyber-related losses and requirements by third parties such as a customer.

 

Holistic Approach to Mitigating Data Breaches

 

Your business produces and runs off data. It’s imperative that you keep this information secure. The goal of your organization should be to identify, implement, and execute methods to protect this data at all times. This strategy should include proactive, reactive and insurance to mitigate the inevitable.

 

Secure your home network

Several years ago, creating a cybersecure home was simple; most homes consisted of nothing more than a wireless network and several computers. Today, technology has become far more complex and is integrated into every part of our lives, from mobile devices and gaming consoles to your home thermostat and your refrigerator. Here are four simple steps for creating a cybersecure home.

Your Wireless Network

Almost every home network starts with a wireless (or Wi-Fi) network. This is what enables all your devices to connect to the Internet. Most home wireless networks are controlled by your Internet router or a separate, dedicated wireless access point. They both work the same way: by broadcasting wireless signals. The devices in your house can then connect via these signals. This means securing your wireless network is a key part of protecting your home. We recommend the following steps to secure it:

• Change the default administrator password to your Internet router or wireless access point. (Whichever one is controlling your wireless network.) The admin account is what allows you to configure the settings for your wireless network.
• Ensure that only people you trust can connect to your wireless network. Do this by enabling strong security. Currently, the best option is to use the security mechanism called WPA2. By enabling this, a password is required for people to connect to your home network, and once connected, their online activities are encrypted.
• Ensure the password used to connect to your wireless network is strong and that it is different from the admin password. Remember, you only need to enter the password once for each of your devices, as they store and remember the password.
• Many wireless networks support what is called a Guest Network. This allows visitors to connect to the Internet, but protects your home network, as they cannot connect to any of the other devices on your home network. If you add a guest network, be sure to enable WPA2 and a unique password for the network.

Not sure how to do these steps? Ask your Internet Service Provider or check their website, check the documentation that came with your Internet router or wireless access point, or refer to their respective website.

Your Devices

The next step is knowing what devices are connected to your wireless home network and making sure all of those devices are secure. This used to be simple when you had just a computer or two. However, almost anything can connect to your home network today, including your smartphones, TVs, gaming consoles, baby monitors, speakers, or perhaps even your car. Once you have identified all the devices on your home network, ensure that each one of them is secure. The best way to do this is ensure you have automatic updating enabled on them wherever possible. Cyber attackers are constantly finding new weaknesses in different devices and operating systems. By enabling automatic updates, your computer and devices are always running the most current software, which makes them much harder for anyone to hack into.

Passwords

The next step is to use a strong, unique password for each of your devices and online accounts. The key words here are strong and unique. Tired of complex passwords that are hard to remember and difficult to type? So are we. Use a passphrase instead. This is a type of password that uses a series of words that is easy to remember, such as “Where is my coffee?” or “sunshine-doughnuts-happy-lost”. The longer your passphrase is, the stronger. A unique password means using a different password for each device and online account. This way, if one password is compromised, all your other accounts and devices are still safe. Can’t remember all those strong, unique passwords? Don’t worry, neither can we. That is why we recommend you use a password manager, which is a special security program that securely stores all your passwords for you in an encrypted, virtual safe.

Finally, enable two-step verification whenever available, especially for your online accounts. Two-step verification is much stronger. It uses your password, but also adds a second step, such as a code sent to your smartphone or an app on your smartphone that generates the code for you. Two-step verification is probably the most important step you can take to protect yourself online, and it’s much easier than you think.

Backups

Sometimes, no matter how careful you are, you may be hacked. If that is the case, often the only way you can recover your personal information is to restore from backup. Make sure you are doing regular backups of any important information and verify that you can restore from them. Most mobile devices support automatic backups to the Cloud. For most computers, you may have to purchase some type of backup software or service, which are relatively low- priced and simple to use.

Patch Tuesday Feb 2019

Microsoft on Tuesday issued numerous patches to correct at least 70 distinct security vulnerabilities in Windows and software designed to interact with various flavors of the operating system. This month’s patch batch tackles some notable threats to enterprises — including multiple flaws that were publicly disclosed prior to Patch Tuesday. It also bundles fixes to quash threats relevant to end users, including critical updates for Adobe Flash Player and Microsoft Office, as well as a zero-day bug in Internet Explorer.

Some 20 of the flaws addressed in February’s update bundle are weaknesses labeled “critical,” meaning Microsoft believes that attackers or malware could exploit them to fully compromise systems through little or no help from users — save from convincing a user to visit a malicious or hacked Web site.

Microsoft patched a bug in Internet Explorer (CVE-2019-0676) discovered by Google that attackers already are using to target vulnerable systems. This flaw could allow malware or miscreants to check for the presence of specific files on the target’s hard drive.

Another critical vulnerability that impacts both end users and enterprises is a weakness in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”). That flaw, CVE-2019-0626, could let an attacker execute malcode of his choice just by sending the target a specially crafted DHCP request.

At the top of the list of patch concerns mainly for companies is a publicly disclosed issue with Microsoft Exchange services (CVE-2019-0686) that could allow an attacker on the same network as the target to access the inbox of other users. Microsoft said it has not seen active exploitation of this bug yet, but considers it likely to be exploited soon.

Security experts are fond of saying “patch now!” when it comes to Windows bugs, but in general it can’t hurt for regular users to wait a day or two after Microsoft releases monthly security updates before installing the fixes. That’s because occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out.

Just don’t put off the task too long. And bear in mind it’s a good idea to get in the habit of backing up your data before installing Windows updates, to hedge against the odd case in which a wonky patch ends up rendering your system unusable until you can work out how to reverse the changes.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

Microsoft also included fixes to address a single vulnerability in Adobe Flash Player. Microsoft and Adobe disagree on the severity of this flaw, according to security firm Qualys. Adobe labels it an “important” bug, while Microsoft tags it with a far more severe “critical” label. Regardless, Flash flaws are favorite targets of attackers. If you browse the Web with IE or Edge, this month’s patch batch from Microsoft has you covered.

Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

Adobe also released updates for Adobe Acrobat and Reader that plug at least 70 security holes in these applications, so if you have either installed please be sure to update those.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Microsoft to end support for Windows 7 in Jan 2019

A new reminder for those who are still holding on to the Windows 7 operating system you have less than one year left until Microsoft ends support for its 9-year-old operating system. So it's time for you to upgrade your OS and say goodbye to Windows 7, as its five years of extended support will end on January 14, 2020.


After that date, the tech giant will no longer release free security updates, bug fixes and new functionalities for the operating system that's still widely used by people, which could eventually leave a significant number of users more susceptible to malware attacks.

However, the end of free support doesn't end Windows 7 support for big business and enterprise customers. As always, Microsoft does make exceptions for certain companies that are willing to pay a lot of money to continue their support.

According to a 'Death of Windows 7' report from content delivery firm Kollective, as many as 43% of enterprises are still running the nine-year-old operating system, of which 17% didn't know when Microsoft's end of support deadline hit.

Millions of Users Are Still Using Windows 7
Want to know how popular Windows 7 is among users? Even after aggressively pushing Windows 10 installations since its release in 2015, its market share finally managed to overtake the user-favorite Windows 7 just by the end of last year.

Windows 7 was released in 2009 and, according to December 2018 stats from Netmarketshare, is currently running on about 37 percent of the world's PC fleet, which is far ahead of its radically redesigned successor Windows 8 and 8.1 combined.

Microsoft stopped the mainstream support for Windows 7 in January 2015, but Windows users have continued to receive security updates and patches for known security issues as part of the company's extended support, which runs for at least five years.

In March 2017, Microsoft also started blocking new security patches and updates for Windows 7 and Windows 8.1 users running the latest processors from Intel, AMD, Qualcomm, and others.

"For Windows 7 to run on any modern silicon, device drivers and firmware need to emulate Windows 7's expectations for interrupt processing, bus support, and power states- which is challenging for WiFi, graphics, security, and more," the company said.

"The lifecycle begins when a product is released and ends when it’s no longer supported. Knowing key dates in this lifecycle helps you make informed decisions about when to update, upgrade or make other changes to your software."

Besides ending support for Windows 7 next year, Microsoft will also end support for MS Office 2010, Windows Server 2008/2008 R2, SQL Server 2008/2008 R2, Exchange 2010 and Windows Embedded 7 in 2020.

As for Windows 8, the operating system's extended support is set to end on January 10, 2023.