5 Ways to Increase Cybersecurity Preparedness in 2018

Everyone in the IT services space has faced a cybersecurity challenge of one kind or another, whether on a customer's systems or on their own internal IT infrastructure: corrupted patches, malware, DDoS, physical failure of equipment. Not every incident is the work of an attacker, but each one hurts the businesses we are trying to support.

In this post I am going to go over what I consider the top five areas any business should be working on to strengthen its security posture and face the onslaught of threats in 2018.

1. Cybersecurity Training

If you aren't educating your staff on cybersecurity best practices, it's only a matter of time before human error takes over. Someone will click a malicious link in an email because they assume it came from a trusted source, or will still believe a Nigerian prince really does need their help. To address this, start with the basics: how to recognise a phishing message, what to do when something looks wrong, and who to report it to.

Note: If you need help finding training options, don't hesitate to reach out to NetTec NSI.

2. Password Management

Seriously ... it's 2018, yet the most common passwords found in last year's breach dumps were still "123456" and "password." This needs to change, but it takes a plan.

There are a lot of ways to improve password management, and I won't go into specific vendors here, but these are the requirements to look for. First, a password manager is a must. Second, two-factor authentication is critical. Finally, you need to be able to see which passwords are shared and with whom.

For example, when an employee leaves and a shared password isn't changed, the whole organization is at risk. Simply setting a Group Policy Object (GPO) to expire passwords every 30 days (or some other interval) doesn't solve this: the leaver keeps access until the next rotation, and forced rotation tends to produce predictable variations of the old password rather than a new secret. What does work is an offboarding step that rotates every credential the person could have seen, backed by a password manager that records who has access to each shared entry. Password security should be part of your training as well. Nobody can be expected to remember dozens of passwords at varying levels of complexity, so use a password manager that generates long random passwords and stores them; the one password a person still has to remember is the manager's master password, and that one should be long and protected with two-factor authentication.
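What "generate complex passwords" should mean in practice, as an added example that is not part of the original post and not any vendor's code: both the random-string and the passphrase style of generation, drawn from the operating system's CSPRNG through Python's `secrets` module (the `random` module is predictable and must never be used for credentials), with the guessing entropy of each reported in bits. The word list is a tiny constructed stand-in; a real passphrase generator uses a large published list such as the EFF diceware list, which is why the entropy is also computed for a 7776-word list.

```python
import math
import secrets
import string

# Added example: password generation the way a password manager should do it.
# Every random choice goes through `secrets` (OS CSPRNG). Never use `random`.

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed symbol set; adjust to what a site allows
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed stand-in word list for this example only. A real generator uses a
# large published list (the EFF diceware list has 7776 words).
WORDLIST = ["copper", "lantern", "meadow", "orbit", "quartz", "saddle",
            "thimble", "velvet", "walnut", "zipper", "harbor", "ember"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing entropy for `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def has_all_classes(pw: str) -> bool:
    """True if the password contains lower, upper, digit and symbol characters."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def generate_password(length: int = 16) -> str:
    """Uniformly random password over ALPHABET that contains all four classes.

    Rejection sampling keeps the result uniform over the set of acceptable
    strings; pre-placing one character per class would bias some positions.
    The entropy loss from rejection is negligible at 16 characters.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold all four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def generate_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Random words joined by a separator: easier to type and remember for the
    few secrets a human must actually recall (vault master password, laptop login)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"({entropy_bits(len(ALPHABET), 16):.1f} bits)")
    print(generate_passphrase(5), f"({entropy_bits(len(WORDLIST), 5):.1f} bits from this tiny list)")
    print(f"5 words from a 7776-word list: {entropy_bits(7776, 5):.1f} bits")
```

A 16-character password from this 86-symbol alphabet carries roughly 103 bits of entropy, far beyond anything that can be brute-forced; the point of the passphrase path is that a human can remember 5 random words (about 65 bits with a full diceware list) but not 16 random symbols, so the machine-generated strings belong in the manager and the passphrase protects the manager.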

3. Compliance

At NetTec NSI, we help businesses achieve compliance and make sense of the rules and regulations. I suspect many of you reading this are working toward a regulatory deadline of some kind, from the NYDFS cybersecurity regulation (23 NYCRR 500) to NIST SP 800-171, so what can you do to help?

First and foremost, dot your i's and cross your t's on the regulation you need to meet or help your company meet. Documentation is critical here: in many cases a documented process and procedure, even one not yet mapped to a specific control, is better than nothing at all, and mapping it later is far easier than writing it from scratch under audit pressure.

Keep in mind that most regulations lag the technology: they don't yet address current platforms and threats in their requirements, so an environment can be fully compliant and still exposed to attacks the framework never contemplated.

You can have all the compliance in the world and still not be secure. Read the controls in the regulatory requirement, then address each one as a security best practice first and as a control or regulatory checkbox second. Done that way, you end up with a secure environment and you satisfy the auditors when they come calling.

4. Permissions

People, people, people ... you don't need local admin rights to surf Facebook. Whatever tasks genuinely require administrative rights (or the master key), you don't need those credentials for your day-to-day work, so stop using them: log in with a standard account and elevate only for the task that needs it, using a separate admin account.

Strangely, I still get asked why this is such a big deal, and again it goes back to training and education. An attacker who compromises your session gets exactly the privileges that session has. If you were browsing as a standard user, they can't install system-wide software, disable security tooling or start adding users to Active Directory; if you were browsing as a local admin or, worse, a domain admin, they can do all of that in one step. (Malware can still run with your user's rights, so least privilege limits the damage rather than preventing the infection.) You'll notice I said "when" rather than "if", because at some point, in the past or in the future, you will almost certainly experience some level of compromise. That leads me to number five.

5. Incident Response Plan

I don't want to downplay any of the other elements of secure infrastructure or business security best practices, but throughout 2017 and going into 2018 the emphasis has been on having an incident response plan. Security incidents are happening more often, and how you handle one could have a serious impact on your business and your clients' business. Handled correctly, an incident may have little or no impact at all.

Start internally and create an incident response plan for your own company: who gets called, who has authority to take systems offline, how evidence is preserved, and who communicates with customers. If you need help getting started, contact us directly!


There you have it: the top five cybersecurity areas we believe will have the biggest impact on your business in 2018. Obviously there are more than five, but this is a good place to start.

Important Tips for Improving Password Security

Sometimes the simplest or most obvious things are the ones most easily overlooked or taken for granted. IT is no different, and the most basic elements, like password management, are often neglected. It's not the sexiest topic, but passwords are something we use every day and should be at the forefront of any security plan.

Passwords are the first line of defense against malicious activity online. We hear all the time about the importance of strong passwords, and many websites and applications enforce complexity rules intended to make them hard to guess. The actual execution of these practices is often lacking, though: the end user doesn't look after their passwords or doesn't make them strong enough. As a managed services provider, you need to make sure your clients are using a few simple but highly effective tactics to keep attackers out of their information and IT systems.

Hackers' Tricks

Before we look at the techniques for keeping attackers away from private information, let's take a quick look at the most common methods they use to recover passwords and get the proverbial "keys to the kingdom."

Guessing – Some people think nobody could ever "guess" their password, but attackers are more methodical than that. This isn't someone sitting at a screen typing random combinations. The attacker first gathers personal information about the target online (names of children and pets, birthdays, sports teams, employer) and then feeds it to a tool that generates the passwords a person would plausibly build from those details.

Dictionary-based attacks – Programs try every entry in a wordlist: not just the words in an English dictionary but lists of previously leaked passwords, names and common phrases, usually combined with rules that append digits and years, capitalise the first letter and swap letters for look-alike digits. Anything built from a real word, however it is decorated, falls quickly.

Brute force attacks – Just like it sounds: the tool tries every possible combination of characters up to a given length. Against a short password, or against a leaked password hash that can be attacked offline at millions of guesses per second, this works all the time; every extra character multiplies the attacker's work.

Phishing – Beware of phishing! These emails and messages lure you in with fake offers, bogus invoices or "your account has been locked" warnings, then send you to a look-alike login page (or an attachment that installs a keylogger) to capture your credentials. If an email or IM request looks odd, ignore it and don't click anything. The trouble is that people are routinely tricked into handing over valuable data without realising it.

Shoulder surfing – Not every attacker is a technical whiz. Shoulder surfers watch you enter a password in a public place like a coffee shop, or a PIN at a gas station (debit card PINs are vulnerable).
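To make the dictionary and brute-force attacks above concrete, here is an added example (not from the original post, and not any real cracking tool's code) that runs both against salted password hashes. The wordlist, the mangling rules and the salt are constructed for the demo, and the hash is a single SHA-256 round so the loop is instant; real systems should store passwords with a slow hash (bcrypt, scrypt or Argon2) precisely to make this loop expensive for an attacker.

```python
import hashlib
import itertools
import os
import string

# Added example: dictionary attack with mangling rules vs. exhaustive search.
# Single salted SHA-256 round keeps the demo fast; production code must use a
# deliberately slow hash (bcrypt/scrypt/Argon2), which is the real defence here.

def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed mini wordlist. Real lists (rockyou, breach corpora) hold millions.
WORDLIST = ["password", "letmein", "dragon", "monkey", "football", "welcome",
            "sunshine", "princess", "summer", "winter"]
# Constructed rules of the kind cracking tools ship with.
SUBS = (("o", "0"), ("a", "@"), ("e", "3"), ("i", "1"), ("s", "$"))
SUFFIXES = ("", "1", "!", "123", "2018")
ALNUM = string.ascii_lowercase + string.digits


def mangle(word: str):
    """Yield the candidate variants a cracking tool derives from one word:
    case changes, single look-alike substitutions, common suffixes."""
    cases = [word, word.capitalize(), word.upper()]
    bases = []
    for c in cases:
        bases.append(c)
        for old, new in SUBS:
            bases.append(c.replace(old, new))
    for base in dict.fromkeys(bases):        # dedupe, keep deterministic order
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(target: str, salt: bytes, wordlist=WORDLIST):
    """Return (password, guesses) on success, (None, guesses) otherwise."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_password(candidate, salt) == target:
                return candidate, guesses
    return None, guesses


def brute_force(target: str, salt: bytes, alphabet: str, max_len: int):
    """Exhaustive search of every string up to max_len; viable only when short."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` symbols (brute-force work)."""
    return alphabet_size ** length


def crack_time_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    salt = os.urandom(16)
    for pw in ("letmein", "Passw0rd!", "Dragon2018", "k7#Qz9!mV2pL$wX4"):
        found, n = dictionary_attack(hash_password(pw, salt), salt)
        print(f"{pw!r:20} dictionary attack -> {found!r} after {n} guesses")
    found, n = brute_force(hash_password("ab1", salt), salt, ALNUM, 3)
    print(f"'ab1' brute force -> {found!r} after {n} guesses")
    for length in (8, 12, 16):
        years = crack_time_seconds(95, length, 1e10) / (86400 * 365)
        print(f"{length} chars from 95 symbols: {keyspace(95, length):.2e} candidates, "
              f"~{years:.2e} years at 1e10 guesses/s")
```

The output makes the point of the two bullets: "Passw0rd!" and "Dragon2018" fall within a few dozen guesses because they are dictionary words with the usual decorations, the random 16-character string is never found, and the brute-force estimate shows why length, not decoration, is what defeats exhaustive search.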

Password Security Tips

So what is a company to do? Educate employees on strong password practices. There is no way to guarantee a bulletproof password: with enough motivation and skill, someone can eventually find a way in. Most attackers aren't that patient, though, so a reasonable deterrent is usually enough to make them give up and move on to an easier target.

Some best practices to be teaching customers and employees include:

  • Make passwords at least 8 characters long (longer is better; every extra character multiplies an attacker's work)
  • Don't use real words, even with digits or symbols tacked on
  • Use both upper and lower case characters
  • Include numbers and special symbols when allowed
  • Don't use personal data (names, birthdays, pets, sports teams)
  • Make patterns random, not sequential or 'ordered' (no 1234, abcd or keyboard rows)
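The rules in that list, turned into a checker that reports every rule a candidate breaks so a help-desk script or enrolment form can tell the user why a password was rejected. This is an added example, not from the original post; the common-password and dictionary lists are deliberately short stand-ins (the common list is the SplashData top 25 quoted further down this page), and a real deployment would check against a large breached-password corpus such as the Have I Been Pwned list and a full dictionary.

```python
import re
import string

# Added example: the password rules above as code, returning the list of rules
# a candidate fails (an empty list means it passes).

# Constructed, deliberately short lists; replace with a breach corpus and a real
# dictionary in production.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345",
                    "123456789", "letmein", "1234567", "football", "iloveyou",
                    "admin", "welcome", "monkey", "login", "abc123", "starwars",
                    "123123", "dragon", "passw0rd", "master", "hello", "freedom",
                    "whatever", "qazwsx", "trustno1"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "football",
                    "freedom", "master", "hello", "whatever", "login", "summer"}
# Keyboard walks: the rows, plus the column walks behind qazwsx and 1qaz2wsx.
KEYBOARD_PATTERNS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./",
                     "qazwsxedcrfvtgbyhnujm", "1qaz2wsx3edc4rfv5tgb6yhn7ujm"]
# Undo the usual look-alike substitutions so P@ssw0rd is still "password".
UNLEET = str.maketrans("@4301$5", "aaeoiss")


def _is_sequential(s: str) -> bool:
    """True if every step is +1 or -1 in code point (abcd, 4321)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 4 and steps in ({1}, {-1})


def _has_sequence(pw: str, window: int = 4) -> bool:
    return any(_is_sequential(pw[i:i + window]) for i in range(len(pw) - window + 1))


def _has_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    low = pw.lower()
    for pattern in KEYBOARD_PATTERNS:
        for i in range(len(pattern) - min_len + 1):
            frag = pattern[i:i + min_len]
            if frag in low or frag[::-1] in low:
                return True
    return False


def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the rules `pw` fails. `personal` holds strings the user should
    not build a password from (surname, birth year, pet, team)."""
    failures = []
    low = pw.lower()
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if low in COMMON_PASSWORDS:
        failures.append("on the most-common-passwords list")
    core = re.sub(r"[^a-z]", "", low.translate(UNLEET))   # strip decoration
    if core in DICTIONARY_WORDS:
        failures.append("built from a dictionary word")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special symbol")
    for item in personal:
        if len(item) >= 3 and item.lower() in low:
            failures.append(f"contains personal data ({item})")
    if _has_sequence(pw):
        failures.append("sequential characters")
    if _has_keyboard_walk(pw):
        failures.append("keyboard pattern")
    return failures


if __name__ == "__main__":
    for candidate in ("123456", "Passw0rd!", "qazwsx123", "Smith2018!x", "Tr0ub4dor&3"):
        result = check_password(candidate, personal=("Smith", "1979"))
        print(f"{candidate!r:14} -> {result or 'OK'}")
```

Note what the checker catches that a plain "8 characters, mixed case, digit, symbol" rule does not: "Passw0rd!" satisfies every character-class requirement and still fails, because once the look-alike substitutions are undone it is the dictionary word at the top of every cracking list.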

Don't get lazy with your passwords. Take the extra time to think of something creative, complex and memorable only to you, or better still, let a password manager generate it. The list of the web's most common passwords further down this page shows exactly what not to do.

What else can be done? Here are some “do’s” and “don’ts” for password safety.

Do:

  • Create different passwords for different accounts and applications. If you use one password for everything you do online, you are exposing yourself unnecessarily: a breach at any one site hands the attacker a working credential for all the others, which is exactly what credential-stuffing tools automate.
  • Keep corporate and personal passwords separate.
  • Change a password immediately when there is any sign it has been exposed (a breach notice, a phishing email you fell for, a shared account someone has left). If your policy also requires periodic changes (monthly, for example), make sure each new password is genuinely new and not last month's with a digit bumped.
  • Always log off or lock your computer when you leave it for any period of time.

Don't:

  • Don't write passwords down or leave them around the office.
  • Don't store passwords in plain text on any device (a spreadsheet, a notes app, a text file); a password manager's encrypted vault is the exception.
  • Don't send passwords in emails or IMs.
  • Don't give your manager your password. Nobody in the company, IT included, should ever need it.
  • Don't discuss passwords with others.
  • Don't rely on the "remember password" function in applications and browsers; use a password manager instead.
  • Don't use the "it's easy to type" rule (asdfjkl;, qwerty, 1qaz2wsx): keyboard walks are in every cracking wordlist, and they are easy for an onlooker to follow as you type.

After reading this, you probably feel you have some work to do. It's never too early to start following these practices, and you may not even know what data is currently exposed or at risk. Changing your passwords and using the techniques above can help protect you and your users from attack. Don't overlook password management; it could make all the difference when an attacker sets his sights on you or your users.

The Worst Passwords You Could Possibly Use Are…

You tell your users all the time about good password policies. You tell your friends and family. You may be able to rattle off in your sleep “unique, long strings of varied characters with multiple numbers, capitals, and special characters.” But just how many people are heeding the call for better security? Has the public started taking cyber security seriously?

Well, not really—common passwords and password habits are still pretty bad. But there’s still hope. Much like a glacier, there has been some small, measurable movement in the right direction.

SplashData, a password-management application provider, has released another round of their annual “Worst Passwords List,” putting the spotlight on the poor password habits of Internet users. Unbelievably, the most terrible—and most common—passwords remain the same: “123456” and “password.”

Despite all of the warnings and notifications that have attempted to permeate the public consciousness, people are still using these risky and unsafe options, leading to the conclusion that they either don’t know or don’t care about the great risk such weak passwords pose to their data.


The 25 Worst Passwords of 2017
If you use any of the following passwords, please—PLEASE—go change them now.

25. trustno1 (new)
24. qazwsx (new)
23. whatever (new)
22. freedom (new)
21. hello (new)
20. master (up 1)
19. passw0rd (down 1)
18. dragon (up 1)
17. 123123 (new)
16. starwars (new)
15. abc123 (down 1)
14. login (down 3)
13. monkey (new)
12. welcome (unchanged)
11. admin (up 4)
10. iloveyou (new)
9. football (down 4)
8. 1234567 (unchanged)
7. letmein (new)
6. 123456789 (new)
5. 12345 (down 2)
4. qwerty (up 2)
3. 12345678 (up 1)
2. password (unchanged)
1. 123456 (unchanged)


Password Security Trends
This list was compiled from over five million leaked passwords, mainly from North American and Western European users. The passwords were revealed by hacking attacks throughout 2017, though SplashData chose not to include passwords leaked from the Yahoo email breach or from hacks of adult websites. From this list, though, there are some interesting trends to note.

First, it appears that users have begun to create longer passwords, perhaps a result of new site requirements that specify as much. In doing so, however, users have managed to render these longer passwords just as useless as shorter ones with perfectly predictable patterns, often dictated by a simple swipe of a finger over the keyboard in one direction.

Next, it seems movie buffs are among the bad-password creators. The rise of Star Wars passwords coincides with the big movie openings from the franchise, most recently The Last Jedi in 2017. Looks like The Force isn't as strong with these poor passwords.

The list above is a catalogue of the worst password habits there are. Short, searchable, identifiable words like these are the first candidates any cracking tool tries, so choosing one is the equivalent of leaving the key in the lock: all the attacker needs is the opportunity.

By now, you're probably looking for ways to help potential or existing clients increase their password and overall IT security this year. The following posts will definitely be of assistance:

Important Tips for Improving Password Security
5 Ways to Increase Cybersecurity Preparedness in 2018
The Basics of Cyber Security Training for End-Users