Protect Yourself Archives - Third Rock

Travel Cyber Safe

Cathy Diehl — Tue, 26 Nov 2019 15:21:23 +0000

The holidays get busy. Traveling is stressful and we aren’t always as vigilant as we should be. In today’s world of data breaches, identity theft and cybercrime, there are many things we know to be cautious about. You wouldn’t give away your credit card number or let a stranger have access to your driver’s license. But are cyber safe with your phone? We have become so dependent on our phones to store sensitive and private data. Sometimes forget that we need to protect it too.

Let’s take a look at a scenario that could happen to any of us:

The morning was a rush and you made it to the airport on time, thankfully. After getting through security, there is a little time to breath. You grab some coffee, check your phone and realize you forgot to charge it. Ugh. Your phone needs to be charged to last the whole flight and still have juice when you land. You notice a charging station near your gate. There are even cords already plugged in, so you don’t have to dig yours out of your mess of a bag. Score!

You may not be as lucky as you feel. Cyber criminals are taking advantage of how dependent we are on our devices and their need to be charged. This new scam, known as “juice jacking” takes advantage of your connection to your phone.

How does it work?

Phone cords are designed for 2-way communication. Data can come in, but data also goes out. This can be seen every time you attach an iPhone to your computer and iTunes wants to download your data. Convenient when you want it, but bad when the criminals want it. Criminals download malware into the charging station or physically alter the charging station installing a cable connected to a virus laden device, and wait until you connect. They then have access to everything on your phone. What do you keep saved?

Passwords?
Credit card information?
Communications?
Photos?

Depending on the malware, they could download your data or install malware on your phone that will continue to monitor your usage. They might even lock you out of your phone completely. The biggest concern; you may never know. A week later you’re seeing fraudulent charges on an account and trying to figure out what happened. This is very similar to the card skimmers installed at gas stations.

What can you do?

Thankfully there are easy ways to avoid this scam.

Use your own AC adapter and cord
Plug into a wall outlet, not a charging station
Use a “charge only” cord at a charging station
Use personal car chargers
Use a portable charger

Be cyber safe this holiday season

Physical security is important and easy to remember. We see our wallet; we protect our wallet. This holiday season, let’s also remember our cyber safety.

The post Travel Cyber Safe appeared first on Third Rock.

Is WannaCry still a threat?

Clint Eschberger — Fri, 04 Oct 2019 16:45:54 +0000

If it’s not broke, don’t fix it

Many people think that as long as their computer is running at a good speed and everything is working, there is no need to upgrade. Why spend money when you don’t have to, right? Wrong! The technology world cannot run on the mantra “if it’s not broke, don’t fix it” because in reality, it is broken and you just don’t know it. The proof can be seen when WannaCry ransomware was unleashed on the world in May 2017.

It crippled over 300,000 machines in 150 countries by targeting vulnerabilities in Windows operating systems, hitting Windows 7 the most. While Windows patched many of these vulnerabilities, their focus was, and still is, on their active operating systems, primarily Windows 10. According to Windows “every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported.”[1] What does this mean for your security?

Operating System	Availability Date	End of Life Date	End of Mainstream Support Date	End of Extended Support Date
Windows XP	October 25, 2001	January 9, 2007	April 14, 2009	April 8, 2014
Windows Vista	January 30, 2007	October 22, 2010	April 10, 2012	April 11, 2017
Windows 7	October 22, 2009	October 31, 2013	January 13, 2015	January 14, 2020
Windows 8	October 26, 2012	October 31, 2014	January 8, 2018	January 10, 2023
Windows 8.1	October 18, 2013	September 1, 2015	January 8, 2018	January 10, 2023

Windows Lifecycle

According to Windows’ lifecycle policy[2], a product is designed to have a 5 year mainstream support lifecycle followed by a 5 year extended support cycle. During the mainstream support, consumers have access to free incident support, security update support and the ability to request non-security updates. When a product moves to the extended support stage, security updates are still provided but no new features or design changes are available, and not all products are covered.

After the end of extended support, security updates greatly decrease. According to Microsoft, “the Extended Security Update (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. It includes Critical and/or Important security updates for a maximum of three years after the product’s End of Extended Support date.” Who determines what is critical and important? Microsoft of course. It would have to be a huge security breach, such as WannaCry, to justify the amount of money it would take to push out an update.

Image from Windows end of XP Support[3]

What’s the risk?

If you are running an antiquated system on your home computer, that is a risk to your security and your personal information. Not smart, but not a worldwide catastrophe. However, having one device on your work network running an old system could be devastating.

Though Windows created security updates to counter WannaCry, it is still active on over 145,000 devices worldwide according to a survey by Armis[4]. If even one device on your network is infected, it creates a gateway for hackers to breach your security.

Armis discovered that within the past 6 months, 60% of organization in the manufacturing industry and 40% in the healthcare industry experienced at least one WannaCry attack. Why? Because they tend to have older technology which makes them an easy target.

Percentage of old Windows OS versions by industry type (Retail, Technology, Healthcare, Manufacturing)4

What’s the cost?

It is estimated that the global effort to counter the original WannaCry attack in 2017 cost around $4 billion, including $325 million paid out in ransoms. The combined efforts to stop the attacks created the false sense of security that WannaCry is no longer a threat. This is just not true.

In the same way that tech companies develop better, faster and more efficient software, the criminals do too. Hackers do not stay docile. If one means to infiltrate your system fails, they look for a different back door. Having the most up to date software means that Windows is fighting those battles for you. Keeping an unsupported operating system is the same as lowering the drawbridge to the attacking army.

According to IBM’s Cost of a Breach Report 2019, the average cost of a breach in the United States is $8.2 million. With the average size of a breach being 25,575 records, that equates to $242 per record. Lost business was the biggest contributor to this total cost, with the average business losing $1.42 million[5]. It is hard to recover from the lack of trust a customer feels when their information was stolen on your watch.

Next steps

Where do you go from here? Even with these numbers, you may be asking yourself, can we really afford to find and update every device that is out of date? The bigger question is, can your business survive the cost of a breach if you don’t?

Start with our Cyber Quick Check to see what your cybersecurity score is. Our Security Risk Assessment includes multiple scans that pinpoint weak areas that are most vulnerable, including a full inventory of what is on your network. Don’t let your records be held ransom. Fight back with the right security. If you’re still running Windows XP, Windows 7 or Windows Vista start an upgrade program today. Replace your computers that have the oldest versions of Windows with new computers with the latest version of Windows as you can afford it.

Check your cyber score at here

[1] https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

[2] https://support.microsoft.com/en-us/help/14085

[3] https://www.microsoft.com/en-us/microsoft-365/windows/end-of-windows-xp-support

[4] https://armis.com/wannacry/

[5] IBM Security and Ponemon Institute. Cost of a Data Breach Report 2019. https://www.ibm.com/downloads/cas/ZBZLY7KL

The post Is WannaCry still a threat? appeared first on Third Rock.

Business Associates bad for business?

Ed Jones, PMP, CHSP — Tue, 21 May 2019 14:00:26 +0000

In January 2019, Spiceworks surveyed 600 IT and security decision makers over a wide variety of companies, all with one thing in common: their use of third-party vendors or Business Associates (BAs). Their findings should have everyone looking more closely at their BAs. Some of the key findings were:

90% of companies with third-party policies review them annually
81% consider their policies effective
44% of the companies experienced “a significant, business altering data breach caused by a vendor”
15% of breached companies were notified by the vendor of the breach

These statistics are startling, highlighting the chasm between the BA risk management process and the reality of vendor incident response. The most disturbing findings came after the breach. Almost 70% of the breached companies made no change to their obviously faulty risk policies and procedures, with only half of them discontinuing the vendor relationship! The negative, business altering consequences include a combination of increased operational cost and complexity, disrupted operations, financial loss and reputational damage. Reason would move to making changes, but many don’t know where to start.

Evaluate Your Vendors

Companies need to take decisive steps with their business associates to protect their customers’ data. At a minimum, a “trust by verify” approach is required, while many companies are moving to a “zero trust” model. Some options include:

Contractually obligate vendors to security and privacy practices
Review your vendors’ security and privacy policies and procedures including their risk management plan
Require security risk assessments be performed annually
Conduct a joint risk management review focusing on data exchange and management, prior to enabling the BA access to your data
Request historical review and references

Security should be a joint effort

It is essential to keep an inventory of all third-parties who can access and share your data, but that is not enough. This study found over two thirds of the companies were not confident that their vendors notify them when sharing data with other subcontractors. Properly vetting your BAs may increase the trust relationship, but additional steps should be taken.

Coordinate responsibilities between both parties
Require and review breach notification protocol
Require insurance and other forms of indemnification
Maintain regular communication of security expectations and execution

The need for vendors and BAs will always be present in our ever changing, collaborative world. Take the steps necessary to protect your company, your clients and your vendors.

Reference

Nearly half of firms suffer data breach at hands of vendors. Mark Sangster. 6 March 2019. https://www.esentire.com/blog/nearly-half-of-firms-suffer-data-breach-at-hands-of-vendors/

The post Business Associates bad for business? appeared first on Third Rock.

Security starts with knowing your weaknesses

Ed Jones, PMP, CHSP — Tue, 26 Mar 2019 14:00:58 +0000

One of the biggest challenges in data and information security is knowing your threat level. IBM security recently released their 2018 X-Force Threat Intelligence Index. They monitor daily security events in 130 countries throughout the year for a comprehensive understanding of trends in cyber threats.

One of the most prominent ways organizations were found to be inadvertently open to attacks was due to improper configuration of cloud services. Misconfigured cloud servers accounted for 43% of more than 2.7 billion compromised records. This is an increase of 20% over recorded incidents in 2017. According to the survey, “misconfiguration is now the single-biggest risk to cloud security, with 62% of surveyed IT and security professionals noting it as a problem”. While most of these breaches appear to be the result of inadvertent actions, it is possible for an insider to maliciously expose data and hide it as an accident.

No matter the style of attack, financial gain is almost always the motivation. Over the past few years, ransomware became a popular choice for cyber criminals. In 2018, however, we actually see a decrease in the use of ransomware by 45%. Why? Because cryptojacking is proving far more lucrative for criminals, thus increased in use by 450%! Without the need of any hardware of their own, a cyber criminal can install a cryptocurrency miner virtually undetected. Once installed, not only is the criminal gaining valuable coin at the owner’s expense, but they are also opening the door for other kinds of breaches.

The number of recorded vulnerabilities has exponentially increased in the last 3 years. This is due to the “ever-expanding attack surface as new players such as IoT devices, and other smart technologies enter the fray.” The attack surface references the span by which an organization has entry points for a cyber criminal to infiltrate. Finance and Insurance registered as the highest targeted industry, due to their access to Personal Identifiable Information (PII) links directly to bank account and credit card data that can be monetized quickly. Professional services, such as legal, CPAs and consulting, is the third most targeted industry with the second highest likelihood of a breach. Valuable customer data combined with limited security budgets and staff makes it “as vulnerable as it is lucrative”.

With all of this seemingly troubling news, you may be asking: what can we do to protect ourselves? As IBM states, we must “make security an integral part of culture and overall structure”. This is done by changing your threat landscape to reduce your risk of exposure. And that starts with knowing your risks. Our Cyber Quick Check is the first step to understanding your risk, and takes less than 5 minutes. Based on your Cyber score, discover the recommended next steps. With dedicated action and your part and the use of our automated cyber risk management system, CyberCompass™, we can increase your protection to 80% in only 90 days. The threats are real, but protection is available. Don’t wait in the dark any longer. Protect yourself and your business from threats today.

The post Security starts with knowing your weaknesses appeared first on Third Rock.

Are you Safe?

Ed Jones, PMP, CHSP — Fri, 17 Aug 2018 15:07:28 +0000

Safety. Such an important word with so many different connotations. We ask safety questions constantly. Is my family safe? Will my house be safe? Is this a safe neighborhood? Are our schools safe? Many technologies are designed to specifically pacify our desire to feel safe. We can track our child’s cellphone. We buy alarms for our homes and doorbells with cameras. Schools install cameras and specially locking doors to protect the children. But one area most people neglect, is cyber safety. Why? Because it is such an abstract issue. I check the locks on my doors each night before I go to bed. I can see and confirm they are locked. None of my physical senses will tell me if my PC is being hacked, until it’s too late and the ransomware notice covers the screen. As an executive, are you doing what it takes to keep your clients safe? Is their information secure within your care? Do you even know where to start looking? Take this short quiz to see if you are on the right path. We can help you answer “Yes” to all of your security questions.

Protect your Patients. Protect your Organization. Protect Yourself.™

The post Are you Safe? appeared first on Third Rock.

Protect Yourself – Don’t let Scrooge Cyber Sabotage Your Holiday Shopping Season!

Ed Jones, PMP, CHSP — Tue, 05 Dec 2017 15:00:03 +0000

We are into the Holiday Season and Cyber Scrooges – cyber criminals – are alive and well! Breaches seem to be a daily occurrence. In the area where I live, they even recommend paying for gas with cash and don’t use a credit card at the pump due to card skimmers. So, I’m out holiday shopping and I’m lucky if I have two dollars in my wallet. That means I have to stop at a cash machine to pay for gas. Wait, that cash machine could have a card skimmer attached to it! I guess I have to go into the bank to get cash as well! Bah humbug!

So, here’s some helpful advice to make you and your family a little cyber-safer during the Holiday Season.

Avoid using a debit card! A debit card provides direct access to your bank account. Most banks will return the funds if a theft occurs, but generally you have to detect it and report it. It may take time and effort to get the refund. Use a credit card and review all the charges before paying the bill. I use a credit card to buy gas!
Regularly review your bank accounts for unknown transactions, say twice a week. Set up alerts so you are notified when large withdrawals are made.
Set up two-factor authentication to access your bank account. This means your bank will text you a code as the final step to log into your bank account. It is a small pain, but the protection it provides is well worth the effort!
Keep your antivirus software up to date and use strong passwords. These are absolutely necessary if your device is connected to the Internet.
Finally, use caution when cyber-shopping. We just had a record setting Cyber Monday. The Internet allows us to shop anywhere with ease. Search engines can provide a wide range of “stores” that are selling the toy your son or daughter must find under the tree Christmas morning. The problem is you can’t easily tell if the seller is an honest business or a guy on his computer in the basement scamming people. Bad businesses can buy “likes” and positive reviews for a few dollars to make themselves appear legitimate. Here are a few cyber-shopping tips:

Don’t chase the lowest price. Shop with known and trusted companies. If something is too good to be true, it isn’t and it can cost you a lot! Companies that have the lowest price may not be investing in safeguards to protect your personal information.
Watch out for limited time offers. You click on a link for the item you want, and low and behold it is on sale at a ridiculous price for the next 90 seconds! Stop! It is designed to prevent you from fully reviewing the product and seller. It’s not worth the risk. There will be a legitimate “Black Friday” deal in a day or so!
Watch out for websites spelled close to well-established businesses. They can be common misspellings or have extensions on their names. Hover your mouse over the link and read the URL. If it reads differently than what you expect, don’t click on the link.
Don’t fall for free gifts via email. These are phishing emails designed to enable viruses to be loaded on to your computer to steal your personal data.
Never give out more information than is necessary. If a site asks you for your social security number or driver’s license number, etc., stop and decide if you need to provide additional personal data.

We here at Third Rock wish you and your family a very wonderful Holiday Season and a Happy New Year!

The post Protect Yourself – Don’t let Scrooge Cyber Sabotage Your Holiday Shopping Season! appeared first on Third Rock.

Too Many Passwords and Too Little “Personal” Memory!

Ed Jones, PMP, CHSP — Thu, 19 Oct 2017 14:00:55 +0000

I began my morning by starting up my PC and getting the message “Your password has expired. You must change it now!” Temporarily frozen at my keyboard, my mind is churning to think up a new password that I have a decent chance of remembering. Should I tweak the old password by a digit or create a new one? Luckily NIST has phased out the requirement to regularly change passwords. But every website seems to require a password. I have about 200 passwords to manage, what a pain! I can’t begin to remember them all. Most people create a spreadsheet or write them in a notebook.

When people have lots of passwords, they tend to reuse them or choose weak ones which are very dangerous. We have seen that when a PC is hacked, cybercriminals know how to gather account information and passwords to exploit everything they can as fast as possible. Common or weak passwords allow faster harvesting of your identity and funds!

How to securely deal with the ever-increasing number of passwords? Get a password manager app! A password manager encrypts your passwords and stores them in a virtual “vault”. It can be added to your browsers to automatically load and record accounts, user names and passwords. Then you can use complex passwords, without having to remember or record them. Most apps will even generate very complex passwords automatically if desired. All you have to do is remember ONE strong password to access your vault. Some apps can be accessed without passwords using biometric recognition or multi-factor authentication. Your vault can be accessed from multiple devices including smart phones. The good news is many good password apps are offered at no cost. We use LastPass, but here is a link to reviews of the best known password managers.

https://www.tomsguide.com/us/best-password-managers,review-3785.html

The one additional suggestion I will recommend is to make sure you can export your passwords out of the app in a human readable format and completely wipe the vault should you elect to change apps or no longer use one. A password app will make you and your data safer, and reduce the hassle of managing passwords! And we all need that!

The post Too Many Passwords and Too Little “Personal” Memory! appeared first on Third Rock.

The Equifax Data Breach – What You should do to Protect Yourself!

Ed Jones, PMP, CHSP — Thu, 21 Sep 2017 14:00:40 +0000

Stealing headlines from Hurricane Irma was the revelation that Equifax experienced a major data breach during the summer. Equifax is one of the “big three” credit monitoring services and therefore the data they collect on each of us is broad and deep. They estimate that data for 143 million people – nearly half the population of the United States – has been stolen!

What does this breach mean for you? Your financial history and ability to buy a home, new car, or even get healthcare could be at stake. Here are recommended steps to protect you and your family.

Be skeptical! Equifax is looking out for itself, not you! They will fight to survive this fiasco, spending the minimum required. Don’t give away your rights – read all documents carefully before signing. Don’t rush to sign any agreements. The aftermath of the breach will play out over months, not hours, and new information will emerge every week.
Be cautious! This breach is so large, scammers will take advantage of it. We learned this morning that a hacktivist created a fake EquiFax website where consumers could check to see if their information was stolen. EquiFax actually linked to this bogus site and directed consumers to it! (Remember item 1 – Be Skeptical!) Also be wary of offers to sign up for credit monitoring services and giving out any additional personal information! Validate the authenticity of any such services. Research these services because many do not provide the protection you need or believe you will receive.
Assume your data has been stolen, even if Equifax says your data has not been stolen! Breaches tend to grow over time because companies often under-report to minimize the bad publicity. As the company investigates the breach, they are also likely to uncover more theft that wasn’t obvious at the beginning of the investigation. For instance, on Tuesday of this week, it was publicized that EquiFax suffered additional breaches this year before this major breach.
Check the Equifax website set up to inform people if their data was stolen. The link to the site is equifaxsecurity2017.com. Questions abound about whether the website provides accurate responses or not! Remember, be skeptical!
Keep all your records! Record all your interactions with Equifax. Ask for email confirmations after phone conversations. Save email as PDFs. Any costs you incur, get receipts and put them in a specific location or folder.
Check your credit report at; https://www.annualcreditreport.com/index.action. This is a free service and you can get one free report a year from each credit reporting service. I recommend getting one report every 4 months from a different service so you can maintain a fairly regular status of your credit information.
Freeze your Credit – this is your last option and prevents companies from checking your credit score in an effort to get additional credit. This is not something you should do without evaluating your circumstances. If you are planning to purchase a new car, take out a loan, or get a new credit card, you should evaluate your options.

This blog was originally intended as the second article in the new “Protect Yourself” section of our monthly newsletter. We focus on protecting small to medium sized businesses but felt we needed to offer some cyber protection information to the individual people who read our newsletter. I was looking forward to gradually building up our readers knowledge and skills to eventually cover this topic, but the Equifax breach is just like hurricanes Harvey, Irma and Maria – unpredictable and causing a lot of damage and pain. I hope this helps you all and best of luck! We are all going to need it! And please remember and help in any way you can all those affected by these hurricanes.

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

Protect Your Patients. Protect your Practice. Protect Yourself. ™

The post The Equifax Data Breach – What You should do to Protect Yourself! appeared first on Third Rock.

Protect Yourself!

Ed Jones, PMP, CHSP — Wed, 20 Sep 2017 14:00:01 +0000

If you’ve read our blog articles before, you’ve seen our tag line; Protect your Patients. Protect your Practice. Protect Yourself. Most of our articles focus on protecting your practice and patients. Very few have been focused on you, the individual and your protection. Now each newsletter will include advice on how you can better protect yourself and your confidential data. Hopefully we can help your family and friends as well.

So, let’s start at square one; your home computer. If it is connected to the Internet, it is vulnerable to cyber attack. Install a reputable antivirus software package on your system and turn on automatic updates. Thousands of new computer viruses are created daily and existing ones are continually updated in an effort to sneak past antivirus software. Almost a million new variants per day! It’s very important that antivirus software is continually updated to recognize the latest viruses. If you use on-line banking or bill payment, it is essential to have antivirus software. There are many good products on the market that will cost between $20 to $60 per year. There are some decent free versions available as well. Search on 2017 antivirus reviews and a wide range of reviews are available, most from publications. In my opinion, most are not completely unbiased due to ad revenue issues. I tend to rely on Av-Test, an independent lab: https://www.av-test.org/en/antivirus/home-windows/.

I won’t recommend a product as preferences vary and it boils down to personal preference. I will say I don’t rely on Microsoft’s Windows Defender. There are also concerns about Kaspersky Lab, which is always rated high, but there are worries about links to the Russian intelligence agencies. Though Kaspersky denies any ties to Russian government or spy organizations, the US government is blocking purchase and use of the software in its organizations.

Hope this helps you personally! Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

Protect Your Patients. Protect your Practice. Protect Yourself. ™

The post Protect Yourself! appeared first on Third Rock.