The Basics of Cyber Security Training for End-Users

What’s the biggest risk to an organization’s information security? Hint: it has little to do with the technology. Rather, it is the action, or inaction, of its employees.

Human error has become a major weak point today; one that is easily exploited by cyber criminals. In fact, almost 90 percent of cyber attacks are caused by human error or behavior. Therefore, it’s vital that businesses have some form of cyber security training in place to educate employees on the importance of protecting sensitive information and what malicious threats to look out for.

As an IT services provider committed to protecting your business, the task of security education and training falls into our hands. Keep reading to discover which essential elements we cover when providing security awareness training.

Generally, a solid security awareness training program should cover the following topics:

  • Phishing and Social Engineering
  • Access, Passwords and Connection
  • Device Security
  • Physical Security

Let’s dive into how you can best educate clients and end-users on each of these topics.

Phishing and Social Engineering

Social engineering is typically defined as an attack that’s based on deceiving users or administrators into divulging information. Phishing, an attempt to acquire sensitive information (passwords, usernames, payment details) from an individual through email, chat, or other means, is a common type of social engineering attack. 

The reason phishing and other social engineering attacks are so successful is that they’re disguised to look like they come from credible, trustworthy sources, creating a false sense of trust. But there are some tell-tale signs that help spot a phishing attempt: typos and misspellings, links containing a string of random numbers and letters, a message that relies on a sense of urgency, or a feeling that something is off about the information being requested.

Pro Tip: Tell end-users to look out for these seven red flags!

How to Avoid Phishing and Social Engineering Attacks
What should your clients do if they think they’ve come across a phishing scam? Here are some best practices:

  • Don’t click! Users should never click on a link or attachment, or reply with the requested information, if they feel like something is not quite right.
  • Inform the IT team or MSP. If it’s a genuine scam, informing the right people and passing along that knowledge may help prevent it from spreading company-wide. Encourage your clients to forward the email to you to investigate, or to turn to you for next steps.

Access, Passwords and Connection
Use this time to go over the different aspects of the network, from access privileges and passwords to the network connection itself.

Your clients should be able to distinguish general users from privileged users, those who have elevated rights or access above that of a general user. Generally, privileged access is given to users who need to perform administrative-level functions or access sensitive data. Every employee should know which level of access they have, meaning which information and applications they can access and which functions they can and cannot perform.

On a similar note, employees should be thinking about the passwords they’re using to access the IT environment; keeping in mind length, complexity and whether or not they’re sharing those passwords or using them for multiple apps. There are a few best practices around strong passwords, including the length being at least eight characters, containing letters and special characters, and staying away from obvious information such as names and birthdays. Additionally, it’s wise to think about changing and/or updating their passwords every six months or so.

What’s sometimes least obvious to employees is that they should also be wary of the network connections they use outside of home or work. Although the data on their device may be encrypted, the network it connects to will not necessarily carry that data in encrypted form, which opens up all sorts of vulnerabilities. What’s more, there is always a risk that the public network is being tapped, which puts the data exchanged over it at risk. Encourage end-users to use only trusted network connections, or to secure the connection with appropriate VPN settings.


Device Security
In the era of Bring Your Own Device (BYOD), more and more mobile devices are entering the workplace, connecting to the corporate network and accessing company data. However, this creates even more entry points for threats to come through. Therefore, it’s important for employees to ensure their mobile devices are securely connected to the corporate network and always in their possession.

The same threats that target desktops and laptops apply to mobile devices. Arguably, tablets and smartphones could be seen as less secure because they lack pre-installed endpoint protection. Users should always be mindful of which websites they’re visiting, which apps they’re installing and which links they’re clicking on.


Physical Security
Cyber threats aren’t the only ones employees need to look out for. Physical security also plays a role in keeping sensitive information protected. Leaving a mobile device or computer unattended is a common mistake that most end users make unintentionally. If someone were to swipe an employee’s phone or log into their computer, all of the data and information accessible via that device is put at immediate risk.

Below are a few best practices to help your clients increase their physical security in and out of the office:

  • Lock your device before you leave your desk. For Windows users, press and hold the Windows key, then press the “L” key. For Mac users, press Control + Shift + Eject (or the Power key) at the same time.
  • Store documents in a locked cabinet. Employees should avoid having sensitive information floating around on their desk. At the end of the day, or before they leave their desk unattended, it’s always a good idea to stow company documents and the like in a lockable safe or cabinet.
  • Properly discard information. When it comes time to get rid of those documents or files, be sure to properly shred and discard them.

7 Red Flags Every Business Should Identify to Reduce Cyber Attacks

Email hacking is one of the most common forms of cyber attack today, and it takes place every day, all over the world. You may be familiar with the email attack that occurred during the 2016 Presidential Election. John Podesta fell for a phishing attack, which led to the release of a decade’s worth of emails. The hacker posed as Google and alerted Podesta to change his password because of suspicious activity on his account. When he clicked the link in the email, the hackers were granted full access to his inbox.

Situations like this happen to businesses of all sizes, and the rate of these cyber attacks is only increasing. As an MSP, our goal is to protect your business against these attacks, which is difficult if employees are not properly trained to identify potential threats. People are tricked into giving hackers information because they are not aware of the warning signs. Here is a list of seven red flags to look out for and to include in the security training for your users:

1. “From” Line

The first thing to pay attention to is the address you are receiving the email from. Pay close attention to the sender because the person may appear to be someone you know but in reality, it could be a spoof. Hackers know that people are more likely to trust an email from someone they can recognize, which is why they make the email address appear to be from an existing contact. Let’s look at a quick example of this.

Real Email: amanda@wellsfargo.com
Spoofed Email: amanda@welsfargo.com

Notice that an “l” is missing from “wellsfargo” in the spoofed address: at a glance it looks legitimate, but the domain is not the real one.

2. “To” Line

Sometimes, the hacker will send an email to many different people. If you do not personally know the other people in the “to” line or you are being cc’d on a strange email, that should be a red flag. This is the second aspect of an email to pay attention to in order to detect email fraud and prevent email hacking.

3. Hyperlinks

Always be cautious about clicking embedded links in an email unless you are sure it is from a trusted source. Before you click a link, hover over it with your mouse to see the destination URL. If the URL does not match what the link text says, don’t click it.

4. Time

Consider the time you receive an email and compare it with the normal time you receive similar emails. Do you generally get an email from the CEO of your company at 2 a.m.? If not, this is an indication of a potentially spoofed email.

The same goes for the specific time of year. Be extra cautious around holiday or tax season, as cybercriminals typically increase phishing attempts when financial information is being shared or online shopping is heightened. 

5. Attachments

Attachments may seem harmless, but some can contain malicious viruses or another form of malware. So, as a rule of thumb, do not open attachments that you are not expecting. If a sender does not normally send you attachments, this is a sign that it could be a fraudulent email. In addition, if the attachment has a strange file type such as .exe or a duplicate file type such as .xls.xls you should not download or open it.

6. Subject

Phishing attempts usually try to trick you with scare tactics or immediate action. If the subject line seems fishy, such as “Need wire transfer now” or “Change password immediately”, validate the source before you take any action. The subject may also be irrelevant or not on topic with the rest of the email content, which can be another red flag.

7. Content

The sender may urge you to update your information or change your password in order to avoid a consequence, which instills fear and prompts action; this pressure is a method hackers rely on to trick you. In addition, if the grammar or spelling is incorrect and the email seems out of the ordinary, confirm its legitimacy before you click on links or download any files.

So there you have it, seven simple red flags to look out for when examining an email. Never click on links, download files, or transfer money unless you are sure the email is legitimate. We recommend a two-step verification process to establish validity. For example, if you receive an email from your CEO requesting a wire transfer, we recommend you also confirm via phone or in person. This two-step verification process validates the sender through multiple mediums, which helps avoid falling for scams.
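A small triage script that applies four of the red flags above (a lookalike sender domain, link text that names a different host than its destination, a duplicate attachment extension such as .xls.xls, and urgency language in the subject) to a constructed sample message. This is an added example, not the post’s own code; the known-contact domain list, the urgency word list and the “within two edits of a known domain” lookalike threshold are assumptions of the example.

```python
"""Red-flag triage for an inbound email (added example, not the post's code).
Covers red flags 1, 3, 5 and 6: lookalike sender domain, mismatched link host,
duplicate or executable attachment extension, and urgent subject line."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_DOMAINS = {"wellsfargo.com", "example-corp.com"}  # constructed allow-list
URGENT_WORDS = ("wire transfer", "immediately", "now", "urgent", "suspended")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; welsfargo.com is one edit from wellsfargo.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_flags(from_header: str) -> list:
    """Red flag 1: sender domain is a near-lookalike of a known contact domain."""
    domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    near = [d for d in KNOWN_DOMAINS if 0 < edit_distance(domain, d) <= 2]
    return [f"from: {domain} looks like {near[0]} (possible spoof)"] if near else []

def link_flags(html: str) -> list:
    """Red flag 3: visible link text shows one host while the href goes to another."""
    flags = []
    for href, text in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown, re.I)
        shown_host = m.group(1).lower() if m else ""  # only if the text looks like a URL
        real_host = (urlparse(href).hostname or "").lower()
        if shown_host and shown_host != real_host:
            flags.append(f"link: text shows {shown_host} but points to {real_host}")
    return flags

def attachment_flags(msg) -> list:
    """Red flag 5: executable types and duplicate extensions such as .xls.xls."""
    flags = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) > 2 and pieces[-1] == pieces[-2]:
            flags.append(f"attachment: duplicate extension in {name}")
        if name.endswith((".exe", ".scr", ".js", ".vbs")):
            flags.append(f"attachment: executable type {name}")
    return flags

def subject_flags(subject: str) -> list:
    """Red flag 6: scare tactics or demands for immediate action."""
    hits = [w for w in URGENT_WORDS if re.search(r"\b%s\b" % re.escape(w), subject.lower())]
    return [f"subject: urgency language {hits}"] if hits else []

def triage(raw_message: str) -> list:
    """Return every red flag found in the raw message text."""
    msg = message_from_string(raw_message)
    flags = sender_flags(msg.get("From", "")) + subject_flags(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            flags += link_flags(part.get_payload(decode=True).decode("utf-8", "replace"))
    return flags + attachment_flags(msg)

SAMPLE = """From: Amanda <amanda@welsfargo.com>
Subject: Need wire transfer now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<a href="http://login.example-evil.test/x">wellsfargo.com/secure</a>
--b1
Content-Disposition: attachment; filename="invoice.xls.xls"

--b1--
"""  # constructed sample exhibiting all four flags
```

Running `triage(SAMPLE)` returns four flags, one per check; a message from a known domain with a plain subject and no attachment returns an empty list.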

It is important for all businesses to take email hacking seriously. Hackers attack corporations and individuals, so understanding social engineering methods is crucial in addition to having proper spam filters and firewalls installed. Lack of employee education is what makes it difficult for businesses to properly secure an environment. However, you can use these tips to educate employees within your company to reduce the risks of a cyber attack. 
 

5 Ways to Increase Cybersecurity Preparedness in 2018

Everyone in the IT services space has faced at least one cybersecurity challenge, whether with their users or with their own internal IT infrastructure: corrupted patches, malware, DDoS, or physical failure of equipment. While not all of these incidents were necessarily tied to hackers, they did have a negative impact on the businesses we try to support.

In this post, I am going to go over what I feel are the top five areas that any business should be addressing to help strengthen its security posture and face the onslaught of threats in 2018.

1. Cybersecurity Training

If you aren’t educating your staff on cybersecurity best practices, it’s just a matter of time before human error takes over. They could click on a malicious link in an email because they assume it is from a trusted source, or they might still believe a Nigerian Prince really does need their help. To address this, you should start with the basics.

Note: If you need help finding some options, please don’t hesitate to reach out to NetTec NSI.

2. Password Management

Seriously ... it’s now 2018, yet the top passwords that were hacked last year were still “123456” and “password.” This needs to change, but we need to have a plan in place in order to do so.

There are a lot of ways to go about improving password management, and I won’t go into details on the specific vendors that can help here, but here are some requirements to look for. First, password managers are a must. Second, two-factor authentication is critical. And finally, it’s important to have the ability to know when passwords are being shared and with whom.

For example, when an employee leaves and a shared password isn’t changed, it puts the whole organization at risk. Simply setting a Group Policy Object (GPO) to expire passwords after 30 days (or some other interval) isn’t going to solve this problem. Increased password security should be part of your training, in addition to using a password manager. We can’t be expected to remember every password at varying levels of complexity, so it’s critical to use a password manager that can generate complex passwords.

3. Compliance

At NetTec NSI, we help businesses achieve compliance and make sense of all the rules and regulations. I suspect many of you reading this are dealing with meeting some regulatory compliance deadline from NYDFS to NIST-171, so how can you help?

First and foremost, dot your i's and cross your t's with the regulation you need to meet or help your company meet. Documentation is critical here, and in many cases if you have a documented process and procedure—even if it has not yet been mapped to satisfying a control—it is better than having nothing at all.

We must always keep in mind new technologies that can be exploited as most regulations don’t yet incorporate current technologies and threats into their requirements, so be aware. 

You can have all the compliance in the world and still not be secure. Look at the controls in the regulatory requirement, and address it from a security business best practice first, and the control or regulatory requirement second. In doing so, you will have a secure environment and satisfy the auditors when they come calling.

4. Permissions

People, people, people ... you don’t need Local Admin rights to surf Facebook. In fact, regardless of which tasks do require administrative rights or a master key, you don’t need those credentials for your day-to-day work, so stop using them.

Strangely, I still get asked why this is such a big deal—and again, it goes back to training and education. Hackers can’t install malware on your computer or start adding users to Active Directory if—when they hack your profile—it doesn’t get them the power they need to make those changes. You’ll notice I said “when” because it’s inevitable that at some point—either in the past, or someday in the future—you will likely experience some level of compromise in your digital world. This leads me to number five.

5. Incident Response Plan

I don’t want to downplay any of the other elements of secure infrastructure or business security best practices, but throughout 2017 and as we go into 2018, there is an emphasis being placed on having an incident response plan. Security incidents are starting to occur more often, and how you handle an incident could have a serious impact on your business and your clients’ business. When handled correctly, it may have little to no impact at all.

Start internally and create an incident response plan for your own company. If you need assistance with where to start in creating this plan, either click below or contact us directly! 


There you have it, the top five cybersecurity areas we believe are going to have the biggest impact on your business in 2018. Obviously there are more than five, but this is a good place to start.

Important Tips for Improving Password Security

Sometimes it is the simplest or most obvious things that are easily overlooked or taken for granted in life. The IT space is no different, and many of the most basic elements, like password management, can often be overlooked. While it’s not the sexiest of topics, passwords are something we use every day and should be at the forefront of any security plan.

Passwords are the first line of defense against malicious activities in the digital space. We hear all the time about the importance of strong passwords, and many websites or software require certain password criteria that force them to be difficult to guess. However, the actual execution of these recommended practices is often lacking. The trouble usually lies with the end user who doesn’t take care of their passwords or doesn’t make them difficult enough. As a managed services provider, it is imperative to ensure that your clients are employing some simple, yet highly effective tactics to keep the bad guys out of their information and IT systems.

Hackers' Tricks

Before we look at the techniques to prevent hackers from gaining access to private information, let’s take a quick look at the most common means these folks use to crack the password code and get the proverbial “keys to the kingdom.”

Guessing – Some people think that no one could ever “guess” their password at random, but hackers are much more sophisticated than that. This technique is not simply sitting in front of a screen and typing many different combinations. First, the hacker finds personal information online and then uses sophisticated programs to help ‘guess’ how that personal identification can be turned into a password.

Dictionary-based attacks – Programs run names and other information against every word in the dictionary.

Brute force attacks – Just like it sounds. By simply running all combinations of keystrokes with a user name, passwords are discovered all the time.

Phishing – Beware of Phishing schemes! These scams try to lure you in with fake offers then track your keystrokes in order to steal private information. If the email or IM request looks odd, ignore it and please don’t click on anything. The trouble is that people are oftentimes tricked into giving away valuable data without even knowing.

Shoulder surfing – Not all hackers are technical whizzes. Shoulder surfers try to catch you entering a password in a public place like a coffee shop or even at a gas station (debit card PINs are vulnerable).

Password Security Tips

So what is a company to do? Educate employees on strong password practices. There is simply no way to guarantee a bulletproof password. If someone wants something badly enough and is smart enough, they can figure out what they need to do to get it. Most are not that patient, though, so any deterrent is usually enough to make them give up and find an easier target.

Some best practices to be teaching customers and employees include:

  • Make sure password length is at least 8 characters
  • Don’t use real words
  • Use both upper and lower case characters
  • Include numbers and special symbols when allowed
  • Don’t use personal data
  • Make patterns random and not sequential or ‘ordered’

Don’t get lazy when it comes to your passwords. Take the extra time to think of something creative, complex and something only you would remember. Here are some of the web’s most common passwords – and what they say about you as a person.

What else can be done? Here are some “do’s” and “don’ts” for password safety.

Do:

  • Create different passwords for different accounts and applications. If you create only one password for everything you do online, you are exposing yourself unnecessarily. Sure, it’s easier to use one, but it gives someone more chances to figure your password out, and if they do, it gives them a great starting point for accessing other personal data of yours.
  • Keep corporate and personal passwords separate.
  • Change your passwords often (ideally every month).
  • Always log off your computer or lock it when you leave it for any period of time.

Don’t:

  • Don’t write passwords down or store them in the office.
  • Don’t store passwords on any device.
  • Don’t give passwords in emails or IMs.
  • Don’t give your manager your password.
  • Don’t discuss passwords with others.
  • Don’t use the remember-password function in applications.
  • Don’t use the “it’s easy to type” rule (like asdfjkl;), since that makes it easier for a lurker to see what you typed.

After reading this, I’m sure you feel like you have some work to do. It’s never too early to start utilizing these recommended practices and you may not even know what data may currently be exposed or at risk. Changing your passwords and using the above techniques can help protect you and your users from malicious web attacks. Don’t overlook the importance of password management – it could make all the difference when a hacker sets his targets on you or your users.  

The Worst Passwords You Could Possibly Use Are…

You tell your users all the time about good password policies. You tell your friends and family. You may be able to rattle off in your sleep “unique, long strings of varied characters with multiple numbers, capitals, and special characters.” But just how many people are heeding the call for better security? Has the public started taking cyber security seriously?

Well, not really—common passwords and password habits are still pretty bad. But there’s still hope. Much like a glacier, there has been some small, measurable movement in the right direction.

SplashData, a password-management application provider, has released another round of their annual “Worst Passwords List,” putting the spotlight on the poor password habits of Internet users. Unbelievably, the most terrible—and most common—passwords remain the same: “123456” and “password.”

Despite all of the warnings and notifications that have attempted to permeate the public consciousness, people are still using these risky and unsafe options, leading to the conclusion that they either don’t know or don’t care about the great risk such weak passwords pose to their data.


The 25 Worst Passwords of 2017
If you use any of the following passwords, please—PLEASE—go change them now.

25. trustno1 (new)
24. qazwsx (new)
23. whatever (new)
22. freedom (new)
21. hello (new)
20. master (up 1)
19. passw0rd (down 1)
18. dragon (up 1)
17. 123123 (new)
16. starwars (new)
15. abc123 (down 1)
14. login (down 3)
13. monkey (new)
12. welcome (unchanged)
11. admin (up 4)
10. iloveyou (new)
9. football (down 4)
8. 1234567 (unchanged)
7. letmein (new)
6. 123456789 (new)
5. 12345 (down 2)
4. qwerty (up 2)
3. 12345678 (up 1)
2. password (unchanged)
1. 123456 (unchanged)


Password Security Trends
This list was compiled from over five million leaked passwords, mainly from North American and Western European users. The passwords were revealed by hacking attacks throughout 2017, though SplashData chose not to include passwords leaked from the Yahoo email breach or from hacks of adult websites. From this list, though, there are some interesting trends to note.

First, it appears that users have begun to create longer passwords, perhaps a result of new site requirements that specify as much. In doing so, however, users have managed to render these longer passwords just as useless as shorter ones with perfectly predictable patterns, often dictated by a simple swipe of a finger over the keyboard in one direction.

Next, it seems as though movie buffs are among those bad-password creators. The rise of Star Wars passwords coincides with the big movie openings from the franchise, most recently The Last Jedi in 2017. Looks like The Force isn't as strong with these poor passwords.

The above list serves as an example of some of the all-time worst password security habits. Using short, searchable, identifiable and specific words as passwords puts the user at serious risk. Hackers use algorithms to plug in these words as easily as turning a key; all they need is the opportunity. To put this into perspective, I think this picture sums it up quite perfectly:

[Image: Poor Security]

By now, you're probably looking for ways to help potential or existing clients increase their password and overall IT security this year. The following posts will definitely be of assistance:

Important Tips for Improving Password Security
5 Ways to Increase Cybersecurity Preparedness in 2018
The Basics of Cyber Security Training for End-Users