What Stuff Needs Security?


One of the goals of this website is to help small business owners and regular folks secure their digital world by providing useful information that can be put into practice.  Today we are going to be looking at what sorts of digital assets need securing.

  • Email accounts are the number one target of cyber-criminals.  If they can access your email account and read your emails, they can learn everything about you, your friends, associates and suppliers, where you bank, and a lot of other very specific personal data.  Using the password reset facility on websites where you have accounts, they can use the links on the reset emails to access other online accounts.  Your best defense is using a unique, complex, and long password for this account, coupled with two-factor authentication (TFA).  I use Google Authenticator for my Gmail account, and some other accounts.  I have also started using LastPass (with Authenticator TFA) as a secure, encrypted password vault, and this allows me to use passwords of any length without having to remember them, or even type them in.  This pretty much defeats keyloggers, too.
  • Online banking has some unique risks, especially with Zeus, NeverQuest, Dyre Wolf and other banking Trojans possibly lying in wait on your computer to help the cyber-criminals join your banking session and then empty your bank account.  We recommend using a non-Windows computer system such as a ChromeBook or a Linux Live CD to access your bank’s website.  Using good password habits and TFA as described above is important too.
  • Online shopping accounts, such as eBay and Amazon, are another place for cyber-crooks to use your credit to purchase high-end goods which can be resold for a quick profit.  Some goods, such as iPads, can be purchased in the US and resold in Asia for three times more than the price in the US.  Again, using strong passwords with TFA is the best security.  Also, avoid storing your credit card information in the account.  This makes it much harder for the crooks to make those purchases.
  • Social network accounts such as Facebook and LinkedIn are another popular target, because the criminals can use your account to request money from your friends and connections or launch other exploits against them.
  • Blogs and websites can be easily compromised by attackers and used to host web pages that are part of a phishing scam.  Or they may use your website to host drive-by download malware that infects visitors to your site, in order to run false security alert scams or create zombie hosts for a botnet.  We have discussed a couple of website security products in recent posts, and your website should be employing one of them.  This website was recently attacked and the installed security product kept us from being compromised.  You should also make sure that any site contributors are using strong passwords, and if you can add two-factor authentication, do so.
  • Business and personal data on your computer can also be targeted using remote access Trojans, or during a “Fake Tech Support” session.  Data of interest includes QuickBooks and other financial records, invoices and bills, tax returns, payroll information, and banking information.  Disk encryption will secure this information if your computer is stolen, and even if the information is exfiltrated over the internet.  Without the encryption key the information will be unreadable and useless.
  • Point-of-sale systems and other devices that accept credit card transactions are another popular target.  After October 1st, the new EMV card technology should protect your customers and your business from the current crop of exploits, but only if you upgrade your card processing equipment.  Failure to do so will make your business liable for 100% of fraudulent charges.  I also see lots of POS systems running on outdated operating systems such as Windows XP.  This is not an area to be frugal; if your business leaks card data and it can be shown you were negligent, you will be on the hook for these losses.
  • Do you provide remote access to your network?  People who access your network remotely may include employees working from home, at a remote office location, or while traveling.  You may be providing remote access to vendors or suppliers, or even clients.  It is important to remember that the Target Christmas breach was launched from the remote connection provided to an HVAC vendor who used it to monitor cooling equipment in a few Ohio stores, and the attackers used that remote access to get to the entire Target store sales network.  Many bigger companies are performing high-level due diligence on remote access provided to vendors and employees, and your business should too.  Find out who connects and how, make sure they are using good passwords, and set up two-factor authentication if you can.  Log these connections and monitor the traffic for unusual activity that may indicate a breach.  Right now this is a huge security problem, and the only solution is catching intrusions early and shutting them down.
  • Databases are another target of cyber-criminals, because the information can be readily sold on Dark Web marketplaces.  If you are storing information about clients, customers, employees, patients – or anyone else – in databases on the web or in servers in your operations you need to encrypt that data.  Personal information needs to be encrypted when in motion (across your network or the Internet) and when at rest (on a hard drive or flash drive).  Encryption is reasonably easy to set up, and should become a requirement for your business.  You may want to turn this task over to a professional.

Let these nine items become part of your Q4 technology to-do list, and set yourself up to start the next year in a much more secure position.  This way you can avoid the New Year’s Resolution process.  (We all know how well that works.)  Some of these action items are definitely do-it-yourself, but some will require the assistance of your computer support personnel.  In any event, get to it, and close those holes in your business data security configuration.

 

 


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
