Category Archives: Cybersecurity

How to prevent phishing attacks

In 2018, phishing attacks are still thriving and relevant. Phishing is the fraudulent practice of sending a deceptive email in order to get end users to reveal personal information. No matter how big or small your company is, attackers masquerade as a respectable entity to trick employees into trusting the source. So what are some ways to prevent phishing attacks within your organization?

Stay in the know

New phishing techniques are being adopted continually, so it’s important to keep employees informed of the latest scams. Staying up to date on email scams will reduce the chance of employees falling victim to phishing. Furthermore, employers and employees should take the time to meet with cyber security professionals to learn the latest ways to keep their inboxes secure and best practices for opening emails.

Think before you click

When an employee receives an email from a trusted site or trusted source, it’s much less likely to be a malicious email. It’s common to receive emails from reputable companies on a daily basis, which is why phishing is so common. Scammers disguise emails as coming from reputable companies to increase their chances of getting the end user to click.

End users should hover their cursor over a link before clicking; the actual link address will show up at the bottom of the page. It’s important to make this a habit among employees, because reading the link allows the destination site to be identified. When in doubt, go directly to the source rather than clicking an unverified link.

Education is key

The biggest step an employer can take to prevent employees from exposing themselves to a phishing attack is education. As a general rule, no personal or financial information should be shared over the internet. Users should never enter sensitive information on pages they reached by clicking a link in an email. No email sent or received should contain sensitive information. All websites visited should use https://, and link checking should become a habit.

As malicious email behavior continues, it is crucial for businesses of all sizes to educate themselves on the latest in cybersecurity. To learn more about CompuOne’s cybersecurity training, contact us today.

Office 365: Security Best Practices

Microsoft Office 365 has become a common necessity for businesses and enterprises alike. As data loss and security breaches continue to grow, it is essential to use best practices to ensure Office 365 security.

Multi-Factor Authentication

Multi-factor authentication (MFA) is a security system that has become increasingly essential in Office 365 security. MFA requires more than one method of authentication to verify employee identity and credentials.

MFA is managed from the Office 365 admin center, and enabling it before deploying Office 365 to the end user is the most successful way of setting it up. Microsoft permits MFA in three separate ways depending on business preference:

  • Mobile app as a second authentication factor.
  • Text message as a second authentication factor.
  • Phone call as a second authentication factor.

Mobile Device Management

Some companies have a “bring your own device” policy, and some have regulations against employees bringing their own devices. Regardless, employees are capable of accessing Office 365 data with phones and tablets.

Education is key to ensuring mobile device management (MDM) security, i.e., that employees do not access files with sensitive information. Nevertheless, there are always circumstances that cannot be accounted for.

Fortunately, Office 365 has built-in mobile device management that is available for both Office 365 for Business and Office 365 Enterprise. If employees use company-owned devices, admins are able to manage and revoke access to important data when needed. Mobile device management for Office 365 is a proper way of enhancing business security.

Data Encryption

Another best practice for file protection in Office 365 is to safeguard files with data encryption. To ensure the security of information, admins must implement security protocols for data that is stored with Office 365. This is exceptionally important for companies that acquire and store sensitive information such as social security, banking information, and health records.

Office 365 offers multiple encryption capabilities to prevent business content from being read by unauthorized users. By default, encryption at the computer level on Windows OS is handled by BitLocker. Files being shared on OneDrive for Business and SharePoint Online are encrypted over TLS connections.

Office 365 is a vital tool for businesses and enterprises alike, so securing its information is enormously important. As a Microsoft Gold Partner, CompuOne is well-versed in securing Office 365 subscriptions. To learn more about security best practices for Office 365, please contact us.

What is encryption?

Imagine sending an important file to a client without a safeguard protecting the information in the file. The likelihood of an unauthorized user accessing that data is much higher without encryption.

To understand what encryption is, you must also understand what plaintext and ciphertext are. Plaintext is data that is readable. Plaintext is encrypted by creating an encoded version that is only readable with a decryption key; once plaintext is encrypted, it becomes ciphertext. Encryption is used to safely transmit data across networks, and it is created with a mathematical procedure otherwise known as cryptography.

There are two types of algorithms that are used to encrypt data today: symmetric and asymmetric.

Symmetric

Symmetric cryptography uses the same secret key to both encrypt plaintext and decrypt ciphertext; the use of the same key for both is where the term symmetric comes from. The key can be a series of letters, a word, or numbers.

There are two types of symmetric-key encryption: stream ciphers and block ciphers.

  • Stream ciphers encrypt the digits or letters of a message one at a time.
  • Block ciphers take a number of bits and encrypt them as a single unit.

Common symmetric-key algorithms include Blowfish, Data Encryption Standard (DES), and Advanced Encryption Standard (AES).

Asymmetric

Asymmetric encryption is also known as public key cryptography. Simply put, it uses two different keys to transfer data safely. One key is public and is used to encrypt plaintext; the public key can be openly distributed without compromising data. The second key is private and is used to decrypt the data; the private key can only be used by the receiver.

Since asymmetric encryption is very complex, it is usually only used for small amounts of data. There are two types of asymmetric-key encryption: public key encryption and digital signatures.

  • Public key encryption is where a message is encrypted with the recipient’s public key and cannot be decrypted without the matching private key.
  • Digital signature is a message that is signed with the sender’s private key and is verified by whoever has access to the sender’s public key.

Common asymmetric-key algorithms include Rivest-Shamir-Adleman (RSA), Elliptic Curve, and Digital Signature Algorithm (DSA).

Hybrid Encryption

Hybrid encryption uses two or more encryption methods together. By combining the speed of symmetric encryption with the security of asymmetric encryption, hybrid encryption is considered highly secure and faster.

Data Security

IT systems today need modern encryption; it is vital for data security. Depending on what industry your business is in, part of compliance is to ensure you have an encryption protocol in place. Encrypting data provides three elements of security:

  1. Data Integrity: Proof that the message hasn’t been altered.
  2. Authentication: Origin of the message is verified.
  3. Nonrepudiation: Sender can’t deny sending the message.

For information on data encryption, contact us today.

Ways to secure IoT devices in your workplace

The volume of IoT devices is booming: Statista forecasts that there will be almost 31 billion devices connected to the internet by 2020. So what is IoT and why does it matter? In the workplace, connected devices are becoming critical to various industries including healthcare, manufacturing, agriculture, and energy.

Connected devices rank very poorly in regard to security. A lack of available updates and encryption, together with negligence, makes IoT devices a source of vulnerability in a business network. “Unknown unknowns” are devices that IT security teams aren’t even aware of and that could potentially lead to network exposure.

So what steps can an IT department take to lessen IoT vulnerabilities?

You don’t have to connect everything

Odds are your workplace has multiple devices that can be connected. When it comes to the latest kitchen appliances (fridges, watercoolers, etc.), not everything needs to be connected. In fact, a majority of these types of devices don’t have standard update protocols, leaving most connectable appliances vulnerable to attack.

Developing a companywide standard for wearables and other IoT devices may help business network security. Employees with personal IoT devices should be wary about what they are connecting to and must adhere to set security standards. In an ideal scenario, employees wouldn’t connect personal devices to the business network; however, this is sometimes impossible.

Separate networks are key

Thankfully, most WiFi access solutions have what is called a guest network. It is important to keep this network separate from your business network, which includes shared data files and workplace computers. A guest network can be used as a barrier against unauthorized users and breaches from unmonitored IoT devices.

In an ideal environment, IT security teams would create an entire network for IoT devices alone. Separating IoT devices that have questionable security will prevent access to your data and to devices that are connected to the business network.

Monitor devices and assess your network

Workplaces need to ensure they are tracking everything that connects to their network and monitoring traffic flow. Every device that enters or will enter the network must be assessed to determine the level of access it should have. One example is an employee’s wearable: ideally it would not be connected, but if it is, its access level is kept minimal.

All devices that enter the network must be monitored to ensure they are fully patched and up to date when updates are available. Any unknowns should flag an alert to the IT security team. Security teams should take the time to actively look for unknown devices on their network. The number of IoT devices is only increasing, so it is crucial for businesses to secure their networks from unmonitored devices and vulnerable IoT devices.
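One way to turn the tracking and alerting described above into a routine check, shown as an added example that is not part of the original article: compare the devices seen on the network against an approved inventory and flag anything unknown or sitting on the wrong network. The inventory, the subnet plan, and the observed "ip mac hostname" lines are all constructed assumptions.

```python
import ipaddress

# Constructed inventory: MAC address -> (description, network it belongs on).
INVENTORY = {
    "3c:52:82:10:aa:01": ("front-desk workstation", "business"),
    "b8:27:eb:44:10:9f": ("lobby thermostat", "iot"),
    "f0:18:98:6b:22:c3": ("conference room display", "iot"),
}

# Constructed addressing plan: one subnet each for business, IoT and guest.
SEGMENTS = {
    "business": ipaddress.ip_network("10.10.0.0/24"),
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed observations in "ip mac hostname" form, as a DHCP export might list them.
OBSERVED = """\
10.10.0.21 3C:52:82:10:AA:01 frontdesk-pc
10.20.0.14 b8:27:eb:44:10:9f thermostat-lobby
10.10.0.77 f0:18:98:6b:22:c3 conf-display
10.10.0.93 a4:77:33:0c:5e:12 unknown-wearable
10.30.0.5 de:ad:be:ef:00:01 visitor-phone
"""


def segment_of(ip):
    """Name of the network an address falls in, or 'unmapped'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unmapped"


def review(observed, inventory):
    """Return (mac, ip, reason) for every device that needs attention."""
    alerts = []
    for line in observed.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        ip, mac = fields[0], fields[1].lower().replace("-", ":")
        seen_on = segment_of(ip)
        entry = inventory.get(mac)
        if entry is None:
            # Not in the inventory at all: an "unknown" that should alert.
            alerts.append((mac, ip, f"unknown device on {seen_on} network"))
        elif entry[1] != seen_on:
            # Known device, but connected somewhere it should not be.
            alerts.append((mac, ip, f"{entry[0]} belongs on {entry[1]}, seen on {seen_on}"))
    return alerts


if __name__ == "__main__":
    for mac, ip, reason in review(OBSERVED, INVENTORY):
        print(f"ALERT {mac} {ip}: {reason}")
```

A device can change the MAC address it presents, so a match against the inventory is a starting point for review rather than proof of identity.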

To learn more about creating a secure business network, contact CompuOne.

Revamp Your Business Password Management

Let’s be honest, we use passwords for everything. From computer logins to retail sites, the use of passwords is so frequent it could potentially put professionals and consumers at risk. According to TechRepublic, 19% of business professionals use poor quality passwords or shared passwords, which could make accounts easily compromised.

It is in every organization’s best interest to develop a password management plan to increase security and reduce the risk of data theft. Easy passwords simply won’t do anymore. The following tips should be considered for business-level password management:

Frequent password changes

Organizations must impose rules on frequent password changes. Passwords should be changed as frequently as every 30 to 180 days, and passwords should never be repeated. Best practice is to ensure passwords have letters, numbers, and special characters.

Depending on the industry, this may already be a requirement under regulation. However, for smaller businesses, this could be a potential life-saver from security breaches. On a user level, frequent password changes may prevent unwanted access to personal information such as social media pages, bank accounts, etc.

Two factor authentication

Two factor authentication is used to confirm the end user’s identity with a two-factor process. The first step in the process is the actual password; remember, all decent passwords must have letters, numbers, and special characters. The second factor is something that only the user will know the answer to, such as a specific PIN, the answer to a question, or an association with an image.

Why should your business use two factor authentication? Simply because, depending on your industry, your password may not be enough. Passwords alone can be broken by social engineering or brute force attacks, no matter how strong your password is. Implementing two factor authentication can put an employer at ease, knowing that employees or consumers have that added password protection.

How to store passwords

As mentioned previously, one user can have too many passwords to remember. There are many password management software products out there, so many that it’s hard to determine which is the safest, most reliable option. If choosing to go this route, remember that security mistakes can happen and be wary about what passwords you are storing.

Our recommendation to store passwords is to write them down with pen and paper. Place your written password sheet in an area where you will remember it for safe storage. While this may sound tedious and paper theft is a concern, consider the fact that cyber crime is only increasing and a sheet of paper cannot be hacked.


For more information, contact us.

Is Your Email Secure?

In this day and age, one of the most commonly used forms of communication is email. We use it at home, on our mobile devices, and in our workplace. This leads us to the question: what are workplaces doing to keep their email systems secure from attacks? According to PhishMe, 91 percent of cyber-attacks start with an email. Email-based attacks come in various forms:

  • Phishing: Attempt to obtain personal information such as passwords and credit card details.
  • Spear Phishing: Personal and highly customized phishing attacks. This is a type of phishing that usually will come from a trusted source and seem legitimate. Spear phishing is highly personalized; attackers usually have done research on the victim.
  • Malware: Malicious software in the form of attachments, links, and drive-by downloads. Malware is usually delivered by spam emails. Spam emails can appear to be sent by legitimate sources, which then increases the chance of download.

Email security solutions

Undoubtedly, organizations must provide protection for their employees’ email communication. The best solution for email security varies from business to business, so you should carefully consider what will protect your email communications from attacks.

  1. Endpoint Security: Endpoint security is the process of securing various endpoints in a network, mostly end-user devices such as smartphones, desktops, laptops and tablets. Endpoint security systems can either be a software application or hardware that allows the system admin to manage and discover any devices trying to connect to the network. This will prevent malware from being downloaded onto the network, but will not prevent phishing.
  2. Anti-Spam: Anti-spam is software, hardware, or even a process that combats spam by filtration. It is key to realize that no single anti-spam method is perfect; end users should be encouraged to be careful about providing corporate email address information. Anti-spam software can be installed to strengthen the security level of your business’s email provider by conducting screening prior to delivery.
  3. Secure Email Gateways: Secure email gateways come in many forms: public cloud-based, hybrid cloud-based, hardware, virtual appliance, and email server-based. Secure email gateways monitor emails being sent to a company and prevent unwanted content from being delivered. Secure email gateways protect against malware, phishing, and spear phishing.
  4. Email Security Training: Human error is considered the biggest risk in email security. End users can click on malicious links, fail to keep their security solutions up to date, and divulge confidential information about the company. Training employees on cybersecurity and email best practices is crucial in preventing unwanted content and unauthorized users.

Email security takeaway

Email security approaches differ from organization to organization, and no single approach will work for all businesses. Every business has risks, issues, budget restrictions, and current security solutions to consider. With that said, a strong, well-implemented system should have multiple solutions to cover every end of the organization’s network. Businesses should also set up a reporting system where employees are able to report all suspicious emails in a convenient way.

No email security system is completely secure, but implementing the right solutions can maximize efficiency and minimize risk.

 


Learn more on email security by contacting us. 

Is Private Browsing Considered Secure?

The Definition of Private Browsing

Private browsing, otherwise known as “Privacy mode” or “Incognito,” is a feature in most web browsers that disables web cache and browsing history. This allows users to browse the playground of the internet without their local data being retrievable at a later point in time. It also means that browsers are not storing data in cookies.

When is Going “Incognito” Useful?

Private browsing is handy for a number of reasons. Usually, authorized users are taking advantage of it to prevent people who have access to their machine from viewing their search history. Here are some ways to utilize private browsing:

  • Blocking sites that you visit from collecting your personal information. Notice that Amazon will show you products based on your search history? Private browsing prevents sites from gathering data based on your searches and cookie information. Sites like Amazon won’t show products based on past purchases. Google will not autofill a search with something you’ve searched for previously.
  • Getting the best price from an online purchase. Browsing incognito can prevent online retailers from varying prices based on browsing history and location. Bookings such as hotels and airfare are notorious for varying prices, and going incognito may help prevent hiked prices based on search history.
  • Logging into multiple accounts on the same site. If you have more than one account for the same site, private browsing allows you to log into multiple accounts at once. This can be especially handy if you have two emails on one site – you would be able to pull them up side by side.
  • Bypass article limits. News and sites filled with articles may have free to read content to a certain extent. Once you reach their free article limit some sites will prompt you to either purchase the article you are reading or a subscription to their site content. Private browsing can bypass this if they are using cookies to remember when you have visited that site before.

Private Browsing Misconceptions

While people who have access to a user’s machine are unable to view search history when browsing privately, there is a common misconception that private browsing will prevent anyone from seeing search activity. Here is some information to take into account when proceeding to search incognito:

  • Private browsing is not a firewall. Whether you choose to browse publicly or privately, private browsing does not protect against malware or other attacks such as spyware and key logging.
  • Private browsing doesn’t protect your data on public networks. Private browsing doesn’t stop an unauthorized user from stealing your data on public WiFi. Public WiFi may not be encrypted, or the user may willingly connect to a fake access point, allowing cybercriminals to gain access to the machine without their knowledge.

Some Tips On How to Browse Securely

Private browsing can help in terms of browsing history and preventing certain sites from viewing personal information about you. It can also be utilized if you are concerned about unauthorized users taking advantage of your machine to gain access to your history and online accounts. However, private browsing does not protect your data from cyber theft or other kinds of unwanted snooping.

  • Keep your OS and Firewall Updated: Attackers are more likely to target machines that are outdated, so it is critical that you keep your operating system up to date, as developers are usually patching to cover vulnerabilities. If you only have your machine’s built-in firewall, consider investing in a decent anti-virus program, but don’t forget to update!
  • Practice Safe Browsing Habits: Don’t download anything from a website you are not 100% sure of. A quick tip for downloading something off the internet is to hover your mouse over the download; a link will show up in your browser footer telling you exactly what the file name is.
  • Avoid public WiFi altogether: If you choose to use it, then refrain from doing anything involving your personal information and sensitive data, including accessing your email account.
  • Always Use HTTPS: The “S” stands for secure, meaning the website is using SSL encryption. Using SSL technology ensures all data transmitted between that web server and the browser remains encrypted. Check for the padlock icon or “https:” to verify that the site you are viewing is secure.
  • If Available, Use A VPN: VPN stands for “Virtual Private Network,” which is essentially a private solution within a public network. It creates a tunnel to browse in privacy online, which is helpful in preventing attackers from accessing your personal information.

Don’t Confuse Private Browsing with Browsing Securely

The key takeaway is to remember that private browsing SHOULD NOT be used as a safeguard against cyber criminals. While it does prevent sites from seeing your history and cookies, it should not be used as a preventive measure against hacking.

Cyber thieves can just as easily steal data while you are browsing privately. They can gain access to your machine in various ways to get hold of your personal information. Personal information can include account names and passwords, and information regarding finances and credit cards. It is important to differentiate between using a private browser and browsing securely.

For more information about VPN and safe browsing habits, please feel free to contact CompuOne at 858-404-7000 or send us an email at info@compuone.com.

Prevent Brute Force attacks by having a strong password or passphrase

How you can prevent brute force attacks or dictionary attacks simply by using a strong password or passphrase.