
Online Shopping and IT Security

Black Friday and Cyber Monday are melding into a whole week or more of shopping opportunities. Retailers are changing the way they handle Black Friday during a pandemic. The biggest change is that most large retailers will not be open on Thanksgiving this year. Instead, national retail chains are pushing consumers online and releasing deals throughout the month. According to blackfriday.com, most retailers are playing down or not releasing their Black Friday deals in an attempt to encourage consumers to shop online.

These steps are an absolute necessity with COVID cases on the rise, but they also create an open season for hackers to do damage online. Below are some tips to avoid getting scammed in this online buying atmosphere.

Beware of Phishing emails

A good general rule is not to click on links in emails. If the deal is genuine, you should see the same information when you log into the retailer's site with your username and password. Hackers can make phishing emails look extremely authentic, even mirroring an email sent out by the retailer. If you see a deal you are interested in, go to the retailer's website and look for it there.

Update Retailer Passwords

We understand that the password for the Lowes account you used one time may not be a 13+ character, high-quality password. Criminals are looking for easy accounts to log into so they can steal any information they can. This is a good time to update weak passwords and to turn on Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) if the service offers it as an option.

Use a Credit Card Instead of a Debit Card

Most credit cards offer protection against charges made with a stolen card or stolen card information. Debit cards do not have the same protection and are typically linked directly to a bank account. Your credit card information could be stolen in a company breach even though you took every precaution. If card information is stolen, you have more protection with a credit card than with a debit card.

Remember hackers are watching the news just like we are. The latest phishing scams we have been tracking were based on information about a COVID vaccine. Criminals are now shifting their focus to Black Friday and Cyber Monday scams as retailers begin to send out deals. Now is the time to be a smart shopper. If a deal sounds too good to be true, it probably is. Keep your IT hat on while shopping online this holiday season.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on Facebook, Twitter and LinkedIn, and stay up to date by subscribing to our email list.

Posted by Charles Wright in Cybersecurity, Information Security, Physical Security, Recent Posts, Small Business, Virtualization

Password Study

A new study published last month by security.org illustrates how Americans choose passwords and the issues with the patterns they found. The study is available in full on security.org. Right at the top, the publication highlights three trends it sees in American passwords:

  • 45% of Americans use passwords that are eight characters or less.
  • 25% of Americans share their passwords with others.
  • Only 15% of Americans use a password generator to create a strong password for them.

The study also analyzed the types of words Americans used to create their passwords. 20% used curse words, 14% used 'COVID', and 12% used 'Trump' in their passwords this year. They also found the most common password is still '123456', which any brute-force cracking tool would break instantly.

Additionally, the study asked how Americans remember their passwords. Almost 37% of respondents said they only use their memory, about 20% said they use a physical notebook, and only about 12% said they use a password manager to remember their passwords for them.

Big picture, the issues we see with passwords are that they are too short and easy to guess. The study shows Americans use words that can be found in the dictionary, as well as pet names or parent and child names that could be found on social media.

At Quanexus we recommend a 13+ character password that does not include words that can be found in the dictionary. We also recommend a password manager that can create a strong password and store it for you. As we can see from the study, only 12% of Americans use one of these tools.
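As an added illustration (not code from the Quanexus post), the checker below applies the two rules stated above, at least 13 characters and no dictionary words, and also rejects the study's most common password, '123456'. The word list, common-password list and leet-speak substitution table are small constructed samples for the example; a real deployment would load a full dictionary and a breached-password list instead.

```python
import re

MIN_LENGTH = 13  # the 13+ character recommendation from the post

# Constructed sample lists, not the study's data.
DICTIONARY_WORDS = {"password", "covid", "trump", "summer", "winter",
                    "dragon", "monkey", "welcome", "letmein", "fluffy"}
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "111111"}

# Common substitutions, so "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "7": "t", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and undo simple leet substitutions before matching."""
    return password.lower().translate(LEET_MAP)


def find_dictionary_words(password: str, min_len: int = 4) -> list[str]:
    """Return dictionary words of min_len+ characters embedded in the password."""
    norm = normalize(password)
    return sorted(w for w in DICTIONARY_WORDS if len(w) >= min_len and w in norm)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Check both the raw and the de-leeted form against the common list.
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    words = find_dictionary_words(password)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    if re.fullmatch(r"[0-9]+", password):
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd", "C0vidTrump2020!", "xq7Lp2vR9mZt4wK"]:
        print(candidate, "->", check_password(candidate) or "OK")
```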

This is a topic we will cover in more depth in an upcoming podcast, but until then use this as an opportunity to think about how you create and manage passwords. The study is well put together, easily digestible, and would be a good resource to share with your employees.


Posted by Charles Wright in Cybersecurity, Information Security, Small Business, Virtualization

Business Email Compromise Attacks on the Rise

A business email compromise (BEC) occurs when a criminal gains control of a business email account and is able to send and receive emails. Often a hacker will gain access to a business email account and simply observe email traffic for weeks, looking for an opportunity. A common form of BEC attack is to alter or spoof an invoice from a known client or vendor. The criminal may take an existing invoice and change the wire transfer account number so the money goes to them instead of the trusted vendor. The Wisconsin Republican party was just hit by an attack very similar to this and paid a criminal $2.3 million. They thought they were paying a trusted vendor, but the invoice had been altered and the money went to a criminal.

In addition to common BEC attacks, we are also seeing an increase in criminals targeting group email boxes. Hackers target these shared email accounts because there is a higher likelihood that someone will act on the request or open the attachment. Also, if the request is forwarded around within the company, it gains credibility. A recent study shows an increase in BEC attacks, up 155% in Q3 2020. Part of the increase is this new attack vector of targeting group email boxes.

Employee education is the key to preventing these kinds of attacks, especially in Finance and HR departments, as they are normally targeted first. If your team uses group email boxes, educate them on this new attack vector. Criminals are taking advantage of the fact that many industries are working remotely and employees are less likely to walk across the office to double-check an invoice. Employees should be encouraged to confirm requests for money through a second channel, especially if the request is out of the ordinary.

Most email clients offer two-factor authentication, but this feature is not always turned on by default. With the increase in BEC attacks we saw over the summer, and now criminals targeting group email boxes, the threat is not slowing down. Two-factor authentication is a good first step in defending your business email against increased interest from hackers.


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business

Data Security vs Information Privacy

Over the past several years, regulators have made a clear distinction between data security and information privacy. Data security focuses on the system controls that limit access to data. Information privacy focuses on the data elements that are stored on a system. These data elements are generally defined as personally identifiable information (PII) or may be industry specific, such as protected health information (PHI).

Key Definitions:

  • Identity: The identity is typically the user ID.
  • Authorized Users: These are the users who have been given permission to access files, data, etc.
  • Authentication: Authentication is the mechanism a user employs to prove they are who they say they are. Authentication is typically a password, but it can and should include two-factor or multifactor authentication (2FA/MFA). Ideally, the authentication mechanism should provide non-repudiation: assurance that a person cannot later deny having performed an action.
  • Data Owner: The data owner defines who is permitted access to the data elements, how long data is to be retained, etc.
  • Data Custodian: The data custodian implements the system (IT) controls that allow only authorized users to access the data.

Principle of “Least Privilege”

Least privilege is a basic security concept that limits the amount of information made available to a user. Users should be given only the minimum access needed to perform their job function. Data owners define who is provided with data and how much.

Key Concept:

Highly Privileged Accounts (HPA): HPAs are network administrative accounts and should be used only when network support or maintenance is being performed. Any user who has an HPA should also have a regular user ID to use for daily tasks. HPA access should be monitored and logged.

Information Privacy is focused on the rights of the individual, while Data Security is focused on protecting data from unauthorized access. At Quanexus, we focus on both Information Privacy and Data Security. It is important to understand the difference when building a secure network environment.


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business, Virtualization