What We Learned From Equifax

On Monday, February 10th, the US Department of Justice charged four members of China’s People’s Liberation Army it says are responsible for the attack on Equifax that was disclosed in September 2017. With these charges the event is classed as one of the largest state-sponsored thefts of personally identifiable information on record. The indictment also gives us more information about the attack than we had before, and it shows basic IT security steps Equifax did not follow in the lead-up to the breach. As small business owners we can learn a lot from the way customers’ data was mishandled, and from how it was stolen.

Lessons we can learn from the Equifax update:

The original breach happened because Equifax did not keep up with patches and updates. In March 2017 the Apache Software Foundation disclosed a vulnerability in its Apache Struts web framework that let an attacker run code on an affected web server from anywhere on the internet, and at the same time released a fixed version with instructions for applying it. Equifax did not act on the announcement or patch its systems, and according to the indictment the Chinese hackers were inside Equifax’s network roughly two months later.

Once inside Equifax’s systems, the hackers explored the databases looking for sensitive material. The investigations also revealed that Equifax was storing personal information, including Social Security numbers, in an unencrypted manner: clients’ personal information sat in the databases as plaintext. That meant that once the hackers had broken in, nothing else stood between them and the data once they found it.
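The fix for the plaintext problem is to encrypt the sensitive columns before they reach the database and to keep the key somewhere the database server cannot read. The Go program below is an added example written for this post, not code from Equifax or from the investigations; it encrypts a Social Security number with AES-256-GCM and binds the ciphertext to the customer record ID, so a table dump shows only ciphertext and a value copied from one row into another fails to decrypt. The record IDs, the sample SSN and the in-memory key are constructed for the demo; in production the key comes from a KMS, HSM or secrets manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// newKey stands in for fetching the data-encryption key from a KMS, HSM or
// secrets manager at startup. The key must never live on the database server
// or in the same backup as the data. (Constructed for the demo.)
func newKey() []byte {
	k := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// EncryptField encrypts one sensitive column value with AES-256-GCM.
// recordID is passed as additional authenticated data, so a ciphertext
// copied from one row into another will not decrypt.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, nonce, []byte(plaintext), []byte(recordID))
	// Store nonce || ciphertext || tag as one base64 string in the column.
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptField reverses EncryptField. It fails closed on a wrong key, a
// tampered value, or a recordID that differs from the one used to encrypt.
func DecryptField(key []byte, recordID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short to hold a nonce")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// customerRow is what actually lands in the table: the SSN column only ever
// holds ciphertext.
type customerRow struct {
	ID     string
	Name   string
	SSNEnc string
}

func main() {
	key := newKey()
	// Sample customer and SSN are constructed; 123-45-6789 is not a real number.
	enc, err := EncryptField(key, "cust-1001", "123-45-6789")
	if err != nil {
		panic(err)
	}
	row := customerRow{ID: "cust-1001", Name: "Jane Doe", SSNEnc: enc}
	fmt.Printf("what a table dump shows: %+v\n", row)

	pt, err := DecryptField(key, row.ID, row.SSNEnc)
	fmt.Println("authorized read:", pt, err)

	// Moving the ciphertext to another customer's row yields an error, not data.
	_, err = DecryptField(key, "cust-2002", row.SSNEnc)
	fmt.Println("ciphertext swapped between rows:", err)
}
```

The point of the record ID as associated data is that an attacker with write access to the table still cannot reassign one customer's encrypted SSN to another record; GCM also rejects any flipped byte, so a corrupted or edited value is an error rather than wrong data.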

Along with these two blunders comes a laundry list of missteps that made the data easier for the hackers to reach. The FTC found that Equifax stored administrative credentials on its servers in plaintext, ready to use by anyone who found them. Equifax was also running security equipment whose certificates had expired long before; the certificate on the device that was supposed to inspect encrypted traffic leaving the network had lapsed, so that traffic was not being examined, another failure that comes back to patching and maintenance. And Equifax had not segmented its databases, which would have limited the damage once one system was compromised.
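A lapsed certificate on a monitoring device is the kind of thing a scheduled check catches in seconds. The Go program below is an added example written for this post, not Equifax’s tooling or anything from the investigations; it classifies a PEM certificate as EXPIRED, EXPIRING, NOT_YET_VALID or OK relative to a warning horizon. So that it runs stand-alone it mints throwaway self-signed certificates in memory (the hostnames and validity periods are constructed); in practice you would point it at the files in your certificate store or at what the appliance serves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertStatus classifies a PEM-encoded certificate as of now: EXPIRED,
// NOT_YET_VALID, EXPIRING (ends within warnBefore), or OK.
func CertStatus(pemData []byte, now time.Time, warnBefore time.Duration) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	switch {
	case now.After(cert.NotAfter):
		return "EXPIRED", nil
	case now.Before(cert.NotBefore):
		return "NOT_YET_VALID", nil
	case now.Add(warnBefore).After(cert.NotAfter):
		return "EXPIRING", nil
	}
	return "OK", nil
}

// selfSigned mints a throwaway certificate so the example needs no files.
// In production you would read PEM files from your certificate store or
// fetch what the inspection appliance presents. (Constructed for the demo.)
func selfSigned(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	day := 24 * time.Hour
	// Three constructed certificates: one that lapsed long ago (the Equifax
	// pattern), one about to lapse, and one that is fine.
	samples := map[string][2]time.Time{
		"ssl-inspection.internal": {now.Add(-600 * day), now.Add(-570 * day)},
		"portal.example":          {now.Add(-355 * day), now.Add(10 * day)},
		"api.example":             {now.Add(-1 * day), now.Add(364 * day)},
	}
	for cn, span := range samples {
		pemData, err := selfSigned(cn, span[0], span[1])
		if err != nil {
			panic(err)
		}
		status, err := CertStatus(pemData, now, 30*day)
		fmt.Printf("%-24s %s (err=%v)\n", cn, status, err)
	}
}
```

Run it from cron against every certificate your inspection, VPN and web tiers present, and page on anything other than OK; a 30-day warning horizon leaves time to renew before the device silently stops doing its job.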

Once inside the databases, the hackers had no trouble finding the data in easy-to-access formats, breaking it into small packages so the transfers would not be noticed by network security, and exfiltrating it from the servers.
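A rule that only fires on one large upload misses exactly this chunked pattern; what catches it is adding up everything one host sends to one destination over a window of time. The Go program below is an added example written for this post, not a detection from the Equifax investigation. The key=value flow-log format and the nine sample lines are constructed for the demo; map your own proxy or NetFlow export onto the parser.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Flow is one outbound transfer taken from a constructed log format:
//   2017-05-13T01:00:00Z src=10.20.30.40 dst=203.0.113.9 bytes_out=300000
type Flow struct {
	At       time.Time
	Src, Dst string
	Bytes    int64
}

// ParseFlow reads one log line of the format above.
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Flow{}, fmt.Errorf("malformed flow line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Flow{}, err
	}
	n, err := strconv.ParseInt(strings.TrimPrefix(f[3], "bytes_out="), 10, 64)
	if err != nil {
		return Flow{}, err
	}
	return Flow{At: at, Src: strings.TrimPrefix(f[1], "src="), Dst: strings.TrimPrefix(f[2], "dst="), Bytes: n}, nil
}

// Alert records a src->dst pair whose volume inside one window-long span
// exceeded the threshold, however small each individual transfer was.
type Alert struct {
	Src, Dst string
	Bytes    int64
	From, To time.Time
}

// DetectSlowExfil parses the log, groups flows by (src, dst), then slides a
// time window over each group's transfers and sums the bytes inside it.
func DetectSlowExfil(log string, window time.Duration, threshold int64) ([]Alert, error) {
	byPair := map[[2]string][]Flow{}
	for _, line := range strings.Split(log, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f, err := ParseFlow(line)
		if err != nil {
			return nil, err
		}
		k := [2]string{f.Src, f.Dst}
		byPair[k] = append(byPair[k], f)
	}
	var alerts []Alert
	for pair, fs := range byPair {
		sort.Slice(fs, func(i, j int) bool { return fs[i].At.Before(fs[j].At) })
		var sum int64
		start := 0
		for end := range fs {
			sum += fs[end].Bytes
			for fs[end].At.Sub(fs[start].At) > window { // drop transfers that left the window
				sum -= fs[start].Bytes
				start++
			}
			if sum > threshold {
				alerts = append(alerts, Alert{pair[0], pair[1], sum, fs[start].At, fs[end].At})
				break // one alert per pair is enough to start triage
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src+alerts[i].Dst < alerts[j].Src+alerts[j].Dst })
	return alerts, nil
}

// Constructed sample: seven 300 KB transfers to one external host in twelve
// minutes (each far below a 1 MB "large upload" rule) plus a benign backup
// that moves more per transfer but only twice in half an hour.
const sampleLog = `2017-05-13T01:00:00Z src=10.20.30.40 dst=203.0.113.9 bytes_out=300000
2017-05-13T01:02:00Z src=10.20.30.40 dst=203.0.113.9 bytes_out=300000
2017-05-13T01:04:00Z src=10.20.30.40 dst=203.0.113.9 bytes_out=300000
2017-05-13T01:06:00Z src=10.20.30.40 dst=203.0.113.9 bytes_out=300000
2017-05-13T01:08:00Z src=10.20.30.40 dst=203.0.113.9 bytes_out=300000
2017-05-13T01:10:00Z src=10.20.30.40 dst=203.0.113.9 bytes_out=300000
2017-05-13T01:12:00Z src=10.20.30.40 dst=203.0.113.9 bytes_out=300000
2017-05-13T01:00:00Z src=10.20.30.41 dst=198.51.100.7 bytes_out=500000
2017-05-13T01:30:00Z src=10.20.30.41 dst=198.51.100.7 bytes_out=500000`

func main() {
	alerts, err := DetectSlowExfil(sampleLog, 30*time.Minute, 2000000)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s -> %s moved %d bytes between %s and %s\n",
			a.Src, a.Dst, a.Bytes, a.From.Format(time.RFC3339), a.To.Format(time.RFC3339))
	}
}
```

With a 30-minute window and a 2 MB threshold the seven small transfers trip the alert at the seventh one (2.1 MB), while the backup host never does. Tune the window and threshold per network segment; a database server should have a far lower outbound budget than a workstation.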

Equifax was a very large hacking event with a lot of publicity, but it follows the same pattern we see in the small to medium-sized business world. It normally takes more than one thing to go wrong for hackers to reach private data. Adhering to a simple security framework would very likely have stopped the attack, or at least contained it. At Quanexus we use our Q-Stack as our security framework, and Patches and Updates are the second level in it.

We released the first video in a series on ‘Getting Started in IT Security.’ The series covers some of this basic framework for securing your company’s and your customers’ data. Please subscribe and follow along to understand the first steps in securing your business data.

Quanexus IT Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on Facebook, Twitter and LinkedIn, and stay up to date by subscribing to our email list.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business, Virtualization

Getting Started with IT Security

How secure is your customers’ data? Today we start a four-part series on the basics of IT Security. The task of data security often seems overwhelming, and business owners end up doing nothing to improve their resistance to an attack. This video series will help break that inertia and give you actionable tasks to get started. Subscribe to our YouTube channel to stay up to date with new IT Security information!

 

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business, Wireless

Annual Security Awareness Training

We just completed our annual Security Awareness Training here at Quanexus. It is an important reminder for all our employees of the security standards we maintain to keep our data, and in turn our clients’ data, safe. Even though we work in this industry every day, we follow our layered security approach and conduct the training annually. Below are some high-level points to think about in IT Security this year. As always, users can be your biggest asset or your biggest liability when it comes to keeping data safe.

  1. Hacking: In the small to medium-sized business sector, hackers are usually not seeking out a particular company to attack. Instead they run automated tools that scan the internet looking for vulnerabilities. When one of these tools finds a vulnerability, the hacker is notified and gets to work on stealing data. Our job is to put tools in place so that we are not the low-hanging fruit for these hackers.
  2. Connectivity: More and more aspects of our lives are connected to the internet in some way: computers in cars, wireless power meters, and in-home virtual assistants like Amazon Alexa or Google Home. These tools make it easier to access information, but they also create new vulnerabilities we have not had to deal with before. We need to stay aware of the risks this new technology presents in order to keep our data safe.
  3. Passwords: Password management has never been more important. Passwords should be at least 25 characters long and contain at least one letter, one number, and one symbol. The words used in a password should not be dictionary words, and users should not reuse a password on other platforms. We know password management is a pain and in some cases reduces productivity; there are password management tools we can advise you on to help.
  4. Phishing: This year we saw some high-profile data breaches that originated from phishing. We also saw the rise of spear phishing, which targets a single user instead of sending blanket email attacks. As always, we remind users not to click on links in emails. Instead, go to the source of the email by typing the site into your web browser, call the person on the phone, or talk to them in person if they work in your office. Things to look for in a phishing email are bad grammar, a call to action that plays on your emotions, and the sender’s email address. If it comes from a free email address, or from something that looks suspect, it is probably a phishing email.
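The checks in the Phishing item above can also be automated at the mail gateway so you are not relying on a user to notice every one. The Go program below is an added example written for this post, not a Quanexus tool; it reads a raw message and reports a free-mail sender domain, a Reply-To that goes somewhere other than the sender, pressure language in the subject, a link to a bare IP address, and link text that shows a different host than the link actually visits. The sample message, the organisation and domains in it, and the short free-mail list are all constructed.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: a free-mail sender posing as a credit union, a Reply-To
// that goes elsewhere, pressure in the subject, and a link whose visible text
// does not match where it points. No real organisation is named.
const sampleEmail = `From: "Example Credit Union Support" <examplecu.alerts@gmail.com>
Reply-To: payments-desk@mail-verify.example
Subject: URGENT: your account will be suspended today
Content-Type: text/html

<p><a href="http://203.0.113.55/login">https://www.examplecu.example/security</a></p>
`

// freeMailDomains is a deliberately short, constructed list; extend it.
var freeMailDomains = map[string]bool{
	"gmail.com": true, "yahoo.com": true, "outlook.com": true, "hotmail.com": true,
}

var (
	anchorRe = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	urgentRe = regexp.MustCompile(`(?i)\b(urgent|immediately|suspended|act now|verify your account)\b`)
)

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// shownHost returns the host a reader would think a link goes to, taken from
// the visible link text, or "" when the text is not URL-like.
func shownHost(text string) string {
	if !strings.Contains(text, ".") || strings.ContainsAny(text, " \t\n") {
		return ""
	}
	if i := strings.Index(text, "://"); i >= 0 {
		text = text[i+3:]
	}
	return strings.ToLower(strings.SplitN(text, "/", 2)[0])
}

// AnalyzeEmail runs cheap header and link checks over a raw RFC 5322 message
// and returns the indicators it found. No findings is not a clean bill of
// health; it only means none of these checks fired.
func AnalyzeEmail(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	fromDom := domainOf(from.Address)
	var findings []string
	if freeMailDomains[fromDom] {
		findings = append(findings, "sender address is on free-mail domain "+fromDom)
	}
	if rt, err := mail.ParseAddress(msg.Header.Get("Reply-To")); err == nil && domainOf(rt.Address) != fromDom {
		findings = append(findings, "Reply-To domain "+domainOf(rt.Address)+" differs from From domain "+fromDom)
	}
	if subj := msg.Header.Get("Subject"); urgentRe.MatchString(subj) {
		findings = append(findings, "subject uses pressure language: "+subj)
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	for _, m := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		href, text := m[1], strings.TrimSpace(m[2])
		u, err := url.Parse(href)
		if err != nil {
			continue
		}
		host := strings.ToLower(u.Hostname())
		if net.ParseIP(host) != nil {
			findings = append(findings, "link points at a bare IP address: "+href)
		}
		if shown := shownHost(text); shown != "" && shown != host {
			findings = append(findings, "link text shows "+shown+" but goes to "+host)
		}
	}
	return findings, nil
}

func main() {
	findings, _ := AnalyzeEmail(sampleEmail)
	fmt.Println(strings.Join(findings, "\n"))
}
```

On the sample message all five checks fire. Each one alone is weak (plenty of legitimate mail comes from Gmail), so treat them as a score to route mail for quarantine or a warning banner rather than as a hard block.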

Security Awareness Training is one of the layers in our Q-Stack. Quanexus uses a layered security approach to protect our clients’ data. We abide by our own system and conduct training annually as we advise our clients to do. Contact us today if you have questions on how you can implement our layered security approach.


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business, Virtualization

Google Suspends Paid Chrome Extensions

Google announced on Friday that it would temporarily suspend publishing or updating paid Chrome extensions. Developers had started to notice updates being rejected the week before the announcement and took to Twitter. The rejection notice is a blanket “Spam and Placement in the Store” message sent to any paid extension developer trying to update their extension.

Chrome extensions are small pieces of software that run inside the browser and let the user customize their browsing experience. Some popular extensions block ads, optimize memory usage, or manage online passwords.

“Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users.” Simeon Vincent, developer advocate for Chrome Extensions at Google, posted Friday. “Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse.”

Google has not gone into detail about the method of the fraud and has not committed publicly to a timeline for resolving the issue. “We are working to resolve this as quickly as possible, but we do not have a resolution timeline at the moment. Apologies for the inconvenience.” Vincent concluded.

Other Google engineers said the fraudulent activity started early in the month and was increasing rapidly, which prompted Google to act.

The ban applies only to paid Chrome extensions and their updates. Existing paid extensions can still be downloaded but will not be updated until the suspension is lifted. “items that do not use the Chrome Web Store payments are not affected by this issue.” Vincent added on Monday.

Google Chrome was introduced in 2008 and now dominates the browser market with a 69% share against its competitors.


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business