Jack Gerbs

Don’t Make it Easy for Criminals to Attack You!

Hacker Reconnaissance 101:

Oversharing information is a huge issue for every organization. The oversharing of information can make your organization an easy target to hack.

Hackers are constantly monitoring all forms of social media as part of their mission. To illustrate this problem, I’ll use a “fictitious example”.

Suppose you work for a bank, and you are excited about a new software platform that the bank will soon be installing. You post on your Facebook and LinkedIn pages all the great features that the bank will now be able to offer, and how they will benefit the bank’s clients. This type of information is interesting to your friends and clients; however, it is very exciting to a criminal.

A hacker with this knowledge will now start stalking you and others in the company. The criminal now has several goals. First, they want to find out who is working on this project and then learn as much as they can about each person. The second step is to learn as much as they can about the project and the details of the installation and migration process.

Next, the criminal will likely reach out to you and some coworkers using a fictitious identity and attempt to join your LinkedIn network and possibly friend you on Facebook. Creating a fictitious identity that would tempt you to accept a friend request is an easy task. The criminal’s goal at this point is to determine who is most likely to fall for a social engineering attack. (Social engineering is getting someone to do something they would not normally do.)

With all the acquired information, the criminal is now ready for the attack. The most likely attack vector the criminal will choose is to call the victim during the installation or data migration phase of the project. They will impersonate a team member of the company performing the project and ask for help with getting access to the system. Sometimes, to make it appear more legitimate, they may send an email or call ahead of time to schedule an appointment to work on the project.

Companies need to be aware of this and have policies that limit the amount of company information that employees are allowed to share on their personal social media sites. Employees also need to understand that oversharing personal information makes them, and the company they work for, more likely targets of an attack.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on Facebook, Twitter and LinkedIn and stay up to date by subscribing to our email list.

Posted by Jack Gerbs in Cybersecurity, Information Security, Small Business, Virtualization

Cyber Insurance – More Expensive and Harder to Get

Getting cyber insurance used to be very easy for small and medium size companies. A few years ago, there was little or no serious underwriting activity, and applications were simply being accepted. With all the big breaches in the world and small companies constantly being hit (typically by ransomware), insurance companies are tightening up their underwriting requirements and appropriately pricing risk.

We often get requests from clients to assist with completing their cyber insurance applications. I always caution clients to be forthcoming with information. Insurance applications are legal documents, and it is fraud to provide false information. Additionally, if you provide false information on your application, there may be grounds for an insurance company to deny your claim. In the last few years, regardless of how the applications were answered, the client was always granted the insurance. I never saw any company denied coverage.

We are now starting to see applications asking for specific IT security and privacy controls. They are asking for details on the products that are being used, and on what third parties have access to the network, including outside support vendors. On a few applications we have seen specific required controls that must be implemented to be eligible for cyber insurance. The most common required control we see is multi-factor authentication (MFA). Specifically, MFA is being required for the following:

  • Web access to email.
  • User remote access to network.
  • Admin access to servers and workstations (no local admin permitted).
  • Third parties including service providers.
  • Network backup environment.

We suggest that, as time and budget permit, every organization implement MFA on as many systems as possible.


Posted by Jack Gerbs in Cybersecurity, Information Security, Recent Posts, Small Business

Cyber Insurance

While cyber insurance policies have been around since 1997, only recently have they become popular. Many companies have started offering cyber policies. Because of the explosive growth of this industry and the diversity in policy coverages, it can be difficult to understand what you are buying. While there are professional agents who have taken the time to understand cyber policies, there are many more out there offering policies without understanding what the policies cover. I will be doing a webinar on this topic later this month, but here is a brief summary of some key areas.

Policies typically contain 4 to 5 sections. They are the declarations, insurance agreement, conditions, exclusions and definitions. Knowing what is covered is just as important as knowing what is not covered. I can share many sad stories of companies that had cyber insurance, thought they were covered, but were unable to collect.

To help understand coverage, or lack of coverage, here is a brief summary of one of those sad stories that happened here in the Miami Valley.

The owner of a small business had his email password compromised. The criminals continued to monitor his email account for a while. They were able to intercept an invoice that included wire instructions. The criminals modified the invoice and changed the account number for the wire transfer. The business typically pays its vendors via wire, and everything looked like business as usual. The business paid the invoice as instructed, wiring the funds to the criminals’ account.

The company didn’t learn of the issue until their vendor asked for payment because they had not received it. By this time it was too late; the money was gone.

The company notified the police, and their insurance company. They were not covered for this incident because it was not considered a theft. The owner of the company authorized the payment to the criminal. The language of the policy was specific on what would be covered and not covered. Because this was an authorized payment, they were denied coverage.

I can’t stress this enough: when shopping for cyber insurance, ask lots of questions and make sure you understand your coverage. It is always best to work with a professional!


Posted by Jack Gerbs in Cybersecurity, Information Security, Recent Posts

Preparing for the Unexpected and Risk Management

How Much is Enough? (COVID-19)

Our economy has been devastated by the COVID-19 Pandemic. What could businesses and individuals have done differently to be more prepared?

The risk management process typically includes:

  • Identifying threats
  • Classifying risk based on threats
  • Determining the likelihood of a threat occurring
  • Determining the impact of the threat

Two approaches can then be taken for managing risk: low watermark or high watermark. The low watermark model states that if any part of the classification is low, then very limited resources should be spent to protect against the risk. For example, if the likelihood is low but the impact is high, the overall risk rating is treated as low.

The high watermark model states that if any part of the classification is high, then appropriate resources should be spent to protect against the risk. On top of the low and high watermark models, companies also add an amount of subjective input into the equation.

The biggest challenge with risk management is limited budgets. With limited budgets, companies spend most of their resources and incident planning on scenarios that are likely to occur. Examples of this include recovering from ransomware, and recovering from and managing breaches. It is easy to second-guess any organization once an incident occurs. Sad examples of second-guessing include:

  • How many ventilators are reasonable for a hospital or the government to stockpile?
  • How much personal protection equipment (PPE) is reasonable to stockpile?
  • When should borders be shut down and travel restricted?

What about personal responsibility? How much should individuals be responsible for? Is it reasonable to expect individuals to always have:

  • A 60-day supply of toilet paper?
  • A 60-day supply of hand sanitizer?
  • Protective masks?
  • How much savings is reasonable for every family?

From a personal perspective, three months ago some of this might have sounded silly, but not now. When it comes to risk management, businesses make decisions the same way individuals do. Decisions are based on the likelihood and impact of potential events, and on limited resources, budget and money.

To exacerbate things, our memories are short. It will be interesting to see what really changes over the next five years, if there are no further outbreaks.

Stay Safe!


Posted by Jack Gerbs in Cybersecurity, Information Security, Small Business, Virtualization