Select Page
How You Can Strengthen Your Network and Security with Passwords

How You Can Strengthen Your Network and Security with Passwords

We’ve all done it, at least once. Some of us maybe more than a couple of times, and I know there’s few that are repeat offenders. You know what I’m talking about – the bane of the security admin’s existence – default passwords.

Those are the usernames and passwords that come with every device. Even in this day and age, most systems don’t REQUIRE you to change the credentials that get you system admin rights. The bad guys know that and use it to their advantage.

When most of our business and personal systems are protected with just a name and a basic password (and maybe a trusted network range?), that’s pretty easy pickings for someone with a brute force tool or a sniffer to find out your secrets. And once the bad guys have your credentials, then what? Well after that is when the real dangers begin.

When’s the last time you changed your voicemail PIN from 0000? Perhaps your home router is still admin/password even though the FBI issued a warning for everyone to change it? And how many ERP users keep system admin “manager” around with the default password of… you guessed it. And those accounts open the door wide to anyone wanting to get in; good and bad.

If you have systems exposed to the bad guys (and we all do!) then this post is for you. STOP IT! Even if you told me “Well, none of those systems are internet exposed”, I’d ask “where are the bad actors in your network?”. If you said “outside the firewall”, I’d respond with something like “I dare you to create a share/folder called “payroll” and see how long some curious netizen (aka employee) fell into that folder looking for something juicy.

Imagine splaying your entire infrastructure wide open to someone who just happened to know that Netgear uses admin/password for all their routers? Or that your company name is NOT a good password?

So what’s a concerned system admin gonna do? It’s easy in theory and hard in practice. Here are some digital security tips that will create a stronger password security strategy:

1. Change the default username and change the default password.

2. Start using stronger passwords, not [email protected] We recommend pass phrases, or a sentence that you can remember but the bag guys will have a hard time guessing.

3. Enable account lockout so that if “x” bad passwords are guessed in a row, the account is locked FOREVER (not reset after 10 minutes, thank you Microsoft). Helpdesk notification of such a lockout will put you in the know.

4. Remove admin credentials from being used on untrusted networks. Yes, your users are untrusted! Create a management VLAN, or a specific set of IP’s that can RDP, or shutdown the access from outside devices altogether.

5. Enable multi-factor authentication. This can easily be enabled in Office 365 and Active Directory, and if your devices leverage that directory then they automatically get that 2FA protection as well.

6. Hack yourself! Run a network scanner, or hire an outsourced IT firm to investigate for you, find the unsecured devices and fix them before the bad guys do.

7. Let us help you! We can run an ethical scan IT Assessment Detective scan of your systems, attempt to break into your systems, and give you a full reporting of your IT weaknesses. As “they say” knowledge is power.

So, don’t let your next phone call to the EstesGroup be “help me, I got hacked!” And let our managed IT services company help you run your business better with a strong password security strategy – before the bad guys teach you a lesson.

Interested in Outsourcing your IT? Or have a question on data security? Ask us, we would love to chat.

Ransomware is getting mean!

Ransomware is getting mean!

As you might have heard, or possibly experienced, ransomware is a particularly nasty form of malware that holds your files hostage. In fact, DC webcams were hacked by ransomware before the inauguration! In the past, the ransom was usually just under $2,000 and, if you paid it, you probably got your files back. Those days are passing quickly.

Lately, one of the biggest dangers of ransomware is that they’ve figured if you’ve paid once, you’ll probably pay again, so paying actually sets you up to get hit again! “Fool me once, shame on you, fool me twice…” In fact, we recommend against paying the ransom at all!. If infected, you can contact the FBI and while they won’t get your files back, they will open a case. I suggest you have a strategy for ransomware prevention implemented BEFORE you get hit.

To add injury to insult, when you do come up with the Bitcoin to pay (no, they don’t take American Express), there’s a possibility that you WON’T get your files back! The unlock key simply doesn’t work, and the bad guys no longer are interested in you at all. They got what they wanted,they might even ask for MORE money! Another danger of ransomware is that ewer variants will also start randomly deleting files until you pay up! Ouch!

Paying $600-$1,800 might not seem like a lot, but I am preparing for the day when the hackers don’t just demand money to return your files, they’ll start demanding MORE money to stop deleting your files, or worse yet, sell your files to your competitors! Can you afford a $20,000 ransom or risk your confidential data appearing in your competitors inbox?

Do you have a rock-solid backup policy? Have you been hit with ransomware and don’t want to fall prey again? Contact us today and let’s talk about ransomware prevention. EstesCloud has the vaccine for ransomware!

________________________________________
Click here to schedule a meeting to let us help you make your technology a no-brainer!

Healthcare Cyber Attack Protection

Healthcare Cyber Attack Protection

Are your electronic medical records safe from healthcare cyber attack?

Researchers at Microsoft are warning that several encrypted databases of medical records are vulnerable to attacks and information loss. With the increased use of cloud computing, data breaches on encrypted databases has increased, so healthcare industry cybersecurity is more important than ever. They identify the threats in multiple ways, but one is individual and aggregate. Individual attacks are designed to gather information about a specific person where aggregate attacks are meant to recover statistical information about the entire database. These can both be very malicious.

It is still common practice to use encryption to protect against cyberattacks, and it is still one of the best defenses, however, using encryption only, is not the best solution for healthcare cyber attack prevention. Encrypted information is unscrambled in a computer’s memory, so if a cyber terrorist is able to access that, it is dangerous. In order to be useful, encryption needs to be continual to prevent progressive decoding to occur.

Heathcare cyber attacks, like the ones most notably against Anthem and UCLA Health System, are on the rise. The healthcare industry has become a target due to their lack of security. It also isn’t just medical records, attacks against the accounting databases, which store significant information, are also at risk. To date, over 90 million patients have been affected by data breaches from such attacks on healthcare industry cybersecurity.

The largest concern with these attacks is the resulting identity theft. Due to privacy laws such as HIPAA, it is extremely difficult to remove misinformation on medical records, including something as simple as a blood type- which could result in the wrong blood transfusion in an emergency medical information.

The best solutions for healthcare cyber attack prevention include password protection strategies, encryption, firewalls, backup security, web filtering, and IT security action plans. These strategies for healthcare industry cybersecurity can all be created and implemented through IT Managed services and must comply with current HIPAA Security standards.

Protecting HIPAA Data On Mobile Devices

Protecting HIPAA Data On Mobile Devices

HIPAA stands for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996.

Essentially, HIPAA enshrines the means by which American workers and their dependents can keep their health insurance coverage should they change or lose their jobs.

HIPAA also sets industry-wide standards for electronic billing of health care services, and mandates the confidential handling of an individual’s medical information.

So what does this have to do with mobile devices?

Plenty.

Mobile devices have affected every industry sector. With each passing day, more and more professionals conduct their business using tablets, laptops, or Smart phones. This includes the medical industry where doctors, nurses, and physician’s assistants routinely send confidential data over satellite data plans and wifi.

In most cases, the medical industry’s use of mobile devices translates into better patient care. But it also opens personal medical data to the threat of cyber theft.

To maintain HIPAA compliance, health care professionals and IT managers should implement the following best practices when handling health care data on mobile devices:

Obtain Written Permission Before Operating via Mobile

Make sure to document the fact that your patients have signed off on communicating with your office via email or any other electronic means. Documented consent is critical to HIPAA compliance. It’s also one of the simplest and best ways to avoid embarrassing misunderstandings and potential legal suits down the line.

Stick to Proper Professional Jargon

The ease and speed of mobile devices often results in users relying on abbreviations, emoticons, and other forms of Internet vernacular. Put simply: DON’T DO THIS. Remember that communications, notes, and files that appear unprofessional can subject health care practitioners to confusion at best and malpractice suits at worst. Treat every character you type on behalf of your job as the valuable work product it is. Your company and the patients you treat depend on accurate communications scripted in proper industry vocabulary.

Everything Goes Into the File

Remember that every email you send or receive, every file you upload or download, every conversation you have by phone is part of your patient’s official medical record. Text messages, phone calls, and conversational asides might not seem important in the moment, but they all form a piece of the overall puzzle a patient’s profile presents. Be sure to record every instance of communication diligently to prevent confusion and delays in treatment, as well as to maintain HIPAA compliance.

Encrypt Your Transmissions

No one leaves for work each day while the door to his house stands open wide. That’s just common sense. By the same token, no one using a mobile device in the 21st century should send any transmission without securing that message via data encryption. User passwords activate but one tier of proper data security. DON’T STOP THERE! Add as many layers as you can in the form of personal questions, icons, PINs, and other challenge-response tests. Remember that there’s no such thing as too much security.

Our ComplianceCare service from EstesCloud can help you solve all of your HIPAA IT issues.

How To Reduce Email And Website Spam

How To Reduce Email And Website Spam

How to reduce SPAM on your website and in your mailbox

SPAM can be time consuming, frustrating and lead to additional problems on your website and email. It becomes increasingly frustrating when it seems to grow like uncontrollable mold. To prevent SPAM, it is important to know how it is defined, how it comes about and finally, how to reduce SPAM or stop it altogether.

What is SPAM?

Spam can be defined as:

Posts and links that go to a spammer website

Inappropriate messages sent to a large number of people

Electronic “junk mail”

Mass commercial advertising

How does SPAM happen?

“Spammers harvest recipient addresses from publicly accessible sources, use programs to collect addresses on the web, and simply use dictionaries to make automated guesses at common usernames at a given domain.” SOURCE: Reducing Spam

Limit the damage spam can cause

  1. Because SPAM is one way to carry a virus, using a good anti-virus is important for all internet and e-mail users. Because SPAM can come from a known domain, because they are becoming more sophisticated in obtaining e-mail address, it is important to know the sender and even verify the information before opening suspicious links. Most mail systems already filter email, but those that are aware of your ‘safe senders’ are more accurate and effective in reducing spam email.
  2. Use strong passwords to protect your accounts from being forged. A strong password typically includes a mix of 8 or more characters including upper and lower case letters, number and special characters. Change your passwords regularly to prevent hacking. Once your email address is compromised, it can be used to send out SPAM to your entire contact list, and those messages will be coming from a legitimate source- you!
  3. If you get an attachment from an unexpected sender, or you weren’t expecting an attachment from a known sender, chances are good it’s malware.  Don’t open it!
  4. Hover over links and analyse the “from” address before clicking any links to see where they will be directing you. Also, be aware of changes to your accounts and always call if there is a question. For example, if Chase Bank sends an email telling you of an issue with your account, they will have you login to your Chase account or ask you to contact a representative. They will not ask you to respond to the email with sensitive information such as your name, birthdate or social security number.  If I’m interested in the product, I’ll type the URL rather than risk clicking the link with the trackers embedded.
  5. Keep a web filter running to prevent the unaware user from clicking the phishing link and being taken to the wrong site.

How to Reduce SPAM: Tools and Tricks

  1. In addition to an anti-virus programs, use an anti-spam filter. These filters will look for certain known “tricks” spammers will use including phishing schemes. Phishing scams are when the request is being made for personal or private information.
  2. Use throw-away email addresses.  If you need to use your email address to post or publish online, use an email address specifically for that purpose, but keeping your ‘real’ email address safe and secure. To reduce spam email, be careful when using your email address to sign up for items online, making sure to uncheck any boxes giving authorization to third parties to contact you and that there is a “won’t sell your email” policy.
  3. Don’t publish your email address on-line, including on your website. If you do, disguise it in a way that human readers will understand but programs trolling for email addresses won’t, such at “example at hotmail.com”.  Some use a graphic to show an email address, and not HTML text that’s easily harvested, effectively reducing spam email.
  4. Disabling user generated content is another way to prevent SPAM on websites. These are automatically created comments that are usually submitted to blog pages. The negative side of this is when an actual customer or potential client is interested in offering feedback, they can’t immediately post. Having them complete a contact form is a better way of getting information from them than having them leave a comment.  If you need them to post live content, post-process the data to ensure it’s not spam or worse!
  5. Use a CAPTCHA form to cause someone to enter information to prove they are indeed human and not automated. These are images with text that is unreadable by computers, thus limiting what can be submitted.
  6. One user reported having great results with reducing spam on their website by creating a form with a field invisible to human readers, but that automated systems couldn’t resist. When this invisible field was populated with an answer, it was automatically discarded as spam.

See SANS for a sample email policy here https://www.sans.org/security-resources/policies/general#email-policy

 

We can help you limit spam and keep your inbox clean.  Deploy EstesCloud ClientCare and let us help you get IT together!

EstesCloud // Explore our Managed Services Solution:

CompleteCare: Maintaining your own IT infrastructure is expensive and frustrating. EstesCloud CompleteCare combines the benefits of our ServerCare and ClientCare programs into one comprehensive program that protects your entire IT infrastructure at a predictable fixed cost.  Let the EstesCloud team become your Trusted IT Advisor, so you can get back to growing your business.
Let’s start the conversation!


ServerCare: A proactive approach to IT that includes regular scheduled maintenance and monitoring is essential to maintaining a healthy network and a productive staff.
EstesCloud ServerCare will give you peace of mind knowing that our team is continually watching and caring for your servers.
Discover the Benefits of ServerCare.


ClientCare: Proactive support for your desktops, laptops, and mobile devices.  We provide all of the monitoring, patching, and security tools for your systems, plus full access to our help desk services 24/7/365.
EstesCloud ClientCare will ensure your valuable data is secure whenever and wherever it is needed.

Take control of your systems today.


ComplianceCare: Are you a medical provider under HIPAA or HITECH regulatory compliance? Are government auditors keeping you up at night? Our HIPPA IT Management Service will ensure you are HIPPA compliant.

For the health of your IT Enterprise.

Take the first step to reduce cost and increase the productivity of your business. Give us a call at 888.300.2340, and

HIPAA Technical Safeguards

HIPAA Technical Safeguards

HIPAA Technical safeguards are designed to decrease the possibility of a security issue or data breach in an organization.

Businesses handling protected health information (PHI) must have current and comprehensive technical safeguards in place to remain secure from any threats, whether internal or external. Organizations that require HIPAA technical safeguard compliance must determine the extent of their security measures and if they are reasonable and appropriately suited for the size of the organization. For example, internet filtering and full disk encryption may be appropriate and cost effective for entities with tens of thousands of records managed by multiple users, while a smaller organization may be sufficiently protected with a less complex antivirus, file encryption or simple firewalls.

What are HIPAA technical safeguards?

HIPAA technical safeguards are simply the policies and procedures for the use of technology put in place to protect patient health information. It includes the technology, software, hardware, administration and more. There are four main components:

HIPAA Access Control

This is a policy or procedure that controls who can access information. Only authorized people should be able to access certain information and all activity must be able to be tracked to a specific user. User verification and automatic log-off after times of inactivity, as well as emergency access procedures are addressed here.

HIPAA Audit Control

These controls are designed to record and examine activity where patient information is accessed or stored. The procedure should include a process that outlines the frequency, methods and scope of the audit, as well as processes for violations.

HIPAA Integrity Control

This control is in place to ensure patient data is not destroyed or altered. This typically begins with a risk assessment to determine how outside sources may be able to access the information and then addressing those areas of weakness. Protection for external storage of information is also included here. It can also include procedures, processes or software that authenticates information.

HIPAA Transmission Security

This technical HIPAA security safeguard addresses the concern of unauthorized access to patient information being transmitted over a network. The use of electronic medical records which allow medical personnel to access patient data inside an office or on the other side of the country, must be secure. Encryption is the key tool here.

Any technical safeguards will change as technology and threat landscape changes. But with HIPAA security safeguard components in place, the opportunities for cyber attacks and data loss can be reduced significantly. While medical providers are required to follow HIPAA regulations, any network can be made more secure with the very same guidelines. EstesCloud ComplianceCare offers the best-of-breed HIPAA compliance services, making sure your practice will pass any audit that might come your way!

Take the first step to reduce cost and increase the productivity of your business. Give us a call at 888.300.2340, and