Get in Touch

Is your business really secure from cyber threats?

There is a profound difference between feeling secure and being secure. Cyber security is constantly evolving, with its rules adapting every few months. Consequently, effective cyber security has become as much, if not more, reliant on process than on products. In other words, it's more about how security is managed than about the actual technology in place. So, if it's all about process, how does a small business that outsources its IT really know if it is secure?

The unfortunate truth is that most business leaders rely on blind trust.

Whether it be misplaced trust, ignorance, or a combination of both, most businesses are far more at risk than their leaders or owners are aware. This gap in understanding, and the resulting lack of action, is contributing to many businesses becoming more and more exposed when it comes to data breaches, data loss and/or insurance issues.


The Reality for Many Businesses

When outsourcing IT, many businesses quite rightfully have an expectation that their provider is looking out for them on the cyber security front. Whilst this is generally accurate, there are many levels to cyber security. More often than not, the reality of the protection a business has is very different from where they think they are.

Effective cyber security requires clear communication of expectations and requirements between business leaders and the provider. Without regular dialogue, your security strategy is going to be misguided at best.

Your provider should be held accountable for communicating your exposure, providing recommendations, and giving you the ability to make clear and confident decisions. Commonly this dialogue is not routine but is instead instigated either by the client in reaction to a director's concern, or by the provider in the context of a new product they have to sell.

If your provider is not driving the security conversation proactively then it is more than likely that your security is lagging well behind your expectations. Cyber security done well takes a lot of work; any provider working hard in this space is undoubtedly going to want to be talking to you about it.


What is 'secure'?

Being secure is like being healthy; despite everyone having a different opinion on what it is, you kind of know it when you see it. Likewise, it is important to define goals in the same way that you would with a nutritionist or personal trainer.

If you told a health professional you wanted to be healthier, you would expect them to start asking questions. Do you want to lose 10kgs? Do you want to gain 10kgs? Do you want to run a mile? Or do you want to climb a mountain?

Without understanding what you are trying to achieve, they would be ineffective in helping you achieve your goals. Similarly, an IT provider needs to take the time to ask questions. They should understand the risks, and impacts that a cyber attack could have on both the commercial and reputational elements of your business. Without this knowledge they are likely to provide little more than good feelings.

This is pretty easy to test: if you tell your provider that you are concerned about security and they immediately respond by explaining all the things they do to keep you safe, or worse, begin to sell additional products and uplifts, then they're not conditioned to listen and understand your needs.

Some important things to consider when defining what 'secure' means to you:

  • What is the impact of downtime as a result of a cyber attack?
    A business with minimal transactions of high-value products often has less risk than one with frequent small transactions. Losing a day's transactions could create irreparable damage to customer relationships in some settings.
  • What is the impact to your clients in the event of a breach?
    Many clients are now imposing compliance of various elements of data security. There could also be legal ramifications to a data breach.
  • Would you lose business if you had to declare a data breach to all customers and suppliers?
    You have an obligation to advise others if you experience a data breach. What reputational damage would such a breach create, and what might happen as a result?
  • What is your level of liability, and how are you protected?
    It's possible that directors may soon be liable for negligence around cyber security. Additionally, insurance companies are providing little leeway for businesses that are caught out.

The above questions, and others like them, are all about understanding exposure and risk. Ultimately it's these elements that should inform what 'secure' is to you. The standard of 'secure' should be driven by the commercial impact to the business, rather than some arbitrary level of security as defined by the IT industry. If your provider is unable to have this conversation on a commercial level, you have a major gap in your security strategy that is either falling short or wasting money.


Separating the Wheat from the Chaff

There are those who operate an effective security practice, and those who merely say they do security with their clients. The latter is far more common, as Managed Service Providers (MSPs) look to create add-ons and low-cost features for their subscription offerings in an effort to make them appear more valuable and appealing.

Whilst this technically passes the test for 'doing security', it commonly does very little in the modern world towards making an environment secure.

The most common security features or add-ons provided by MSPs:

  • Managed Anti Virus
  • Managed Spam Filtering
  • Managed Backup
  • Managed Updates and Security Patches

Whilst these are all essential components of a robust security strategy, simply having them does not ensure any real level of success in regard to cyber security. These features are common predominantly because they are all low-touch, automated processes provided by the remote monitoring and management systems that MSPs employ.

This is the functional equivalent of putting on a jacket and helmet before riding a motorbike. It will provide the comfort of feeling safe, but ignores all the other variables of safety such as weather conditions, the rider's ability, the roadworthiness of the bike, adherence to speed limits, etc. All of these are just as important, albeit much more difficult and costly to control.

Some of the hallmarks of an MSP that is truly providing an effective security practice include:

  • Security Standards and Policies that are regularly reviewed and implemented.
  • Processes & regular audits designed to ensure that essential security software (as above) is not only operating correctly, but that their configuration remains consistent with changing policies and best practices.
  • Cyber security training & regular testing of users for potential vulnerabilities.
  • Compliance checks, configuration management and routine reporting of key findings.
  • Strategy & Advisory around key decisions to bring security in line with requirements.

Ultimately, if you decide that security is important to you, i.e. it represents a big enough risk to justify investing in it, you need to understand the difference between the two to avoid wasting your money on false assumptions.

You shouldn't need to become an expert in cyber security to get the results you require. Your provider should be meeting you on your level to have these discussions.

Like any specialised field, you may not understand all that they do, but you can recognise a mature and competent person/provider in their field when you see them. You can recognise them by the way that they work, the logic of their processes, and ultimately the clarity and insight they are able to provide you regardless of your knowledge in the matter.

This is what great customer service and value is made of, and is likely a cornerstone in your business as it relates to your product or service.


Summary

The gap between good and bad is as broad as that of good to great. If you're not getting great clarity and results in regard to cyber security, you really need to assess your needs and consider that you may need to make a change.

Ignorance is not bliss in the realm of cyber security. Likewise, it's important to keep a good balance between security, functionality and costs.

If you're unable to have this conversation with your provider, are intimidated by the topic, or would just like an outsider's perspective, we would be happy to have a brief chat to get you pointed in the right direction.

Simply give us a call or book a time directly here https://calendly.com/ray-sweeney


The purpose of a password is to protect sensitive data from unauthorised access.

For a long time, to keep up this protective layer, we have advocated that employees create ever more complex passwords and change them even more often.

This is now wrong! What's the point of a password system if it makes employees' lives even more complex and doesn't even properly provide protection any more? Most current password practices were designed for a different age and are no longer fit for purpose. One enormous lesson that the COVID pandemic has taught us is that the work environment is now totally different:

  1. Systems and data used to be accessible only in a single office, on a single device, on a single network, where we could easily identify the trusted people.
    1. Now, many (unseen) people can work on many (known and unknown) devices on many networks on many different systems at many locations – how do you know what to trust?
  2. Cybercrime is now super-industrialised, which means old defences are easily and cheaply beaten. Bad actors can easily be profitable targeting individuals, let alone small businesses.
    1. Attacks will happen – so you need to contain and limit the spread and damage that will occur.

However, Human Nature is unchanged:

The more rules, complexities and changes you introduce, the more people will try to find an easy way around them:

  • Use the same passwords for every system – once known, access everything!
  • Predictable changes in passwords (e.g. !Password1 just changes to !Password2, etc.)
  • Use the same special characters all the time ("!" at start or end, "$" for "s", "@" for "a", "1" for "l", etc.)


The new Best Practice Password System:

  1. Introduce 2-Factor Authentication for all systems (e.g. a separate notification on your smartphone to make sure it’s you).
  2. Passwords should be a small phrase (not a single word) that contain no personal information and are easy to remember – e.g. the first few words of your favourite song.
  3. Use a password management system so you can easily have different passwords for every system and not have to remember them.
  4. Introduce risk-based protection / analysis
    1. Automatically Report/ Block any logins from locations you will never travel.
    2. Automatically restrict what unknown devices can do with your data – e.g. if it's unmanaged, don't allow edits, downloads, etc.

If you do this, then:

  1. Passwords can stay small – around 8 characters in length
  2. Passwords rarely need changing at all (every 12 months or only if a breach is suspected)

Even better, with the right computer equipment, you can now get rid of passwords altogether when using a trusted device. Your employees will really appreciate the difference and your security will now actually work!

If you need help, feel free to give us a call; we're happy to lend our expertise to your organisation.


The Internet of Things (IoT) has become a hot topic in the technology field. The rapidly growing sophistication and adoption of devices have experts comparing this to the third industrial revolution (the move from steam and power to computers), referring to this wave of new device usage as Industry 4.0, the fourth iteration of industry as we know it.

IoT is already bigger than you might expect: doorbells, security cameras, weather stations, smart workout gear, baby monitors, and even coffee pots are streaming data and connected to the internet. As with any cutting-edge technology, IoT has kinks that still need to be worked out, the biggest being the security threat that adding IoT devices poses to your network.


The Security Threat Posed By IoT Devices

The problem with IoT device security is that the devices are easily hacked, act as gateways to your entire network, and can't truly be protected by a firewall alone.

In the first half of 2018, Kaspersky IoT honeypots detected 12 million attacks aimed at IoT devices coming from 69,000 IP addresses. By 2019 that increased to 105 million attacks from 276,000 IP addresses. Attempting to block all malicious IP addresses would be a huge and ineffective feat. Just recently, a Senior Researcher with Avast hacked into a WiFi-enabled coffee pot, devised a ransomware attack, and deployed it, causing the coffee pot to spew coffee and make noise until it was either unplugged or the ransom was paid.

The old castle-and-moat approach to cybersecurity (building an effective and strong firewall perimeter around your network) hasn't proven effective since smartphones and mobile devices made working from home or on the go so easy. The more devices you connect, the higher the risk of a breach becomes.

How To Upgrade Your Security Approach For IoT Devices

Here at Sensible, we encourage the usage of IoT devices. They can be substantial productivity boosters, excellent solutions for your business needs, and can help your business scale. However, whenever introducing new devices to a client's network, we have to be cautious and mitigate the additional risk they pose to security. These are the steps we take to do so:

1. Evaluate the current security approach

As mentioned, only having a firewall isn't enough anymore. If we encounter a client that has not yet shed the castle-and-moat approach, we start by shifting their security to a more policy-based approach. Basically, this means we are adding extra security on the drawbridge over the moat. For every attempt to access the data, we put policies in place to prompt the user to verify that they are who they say they are and that they should be accessing that information.

2. Be selective

With the addition of every IoT device, the security risks increase. We caution our clients against adding devices that they don't necessarily need. You shouldn't have to be accommodating for threats posed by your office coffee pot!

3. Research your options

As the need for IoT devices increases, the market is being flooded by tons of new products. Just like in purchasing a new computer, you should do your research to understand if the device is good quality, has the features you need, is compatible with your existing systems, and can be secured. Working with an IT partner like us, we can make informed recommendations on what you should be looking for, and even source the devices for you.

4. Configure the IoT devices adequately

Once you have settled on the device you would like to add, make sure you have technical support when configuring it. The majority of devices do not come out of the box set up to be secure. We can help add additional security or enable the device's existing security measures to ensure it doesn't become a liability.

Client Success Story: Recently, we helped a medical research company implement video cameras in their lab so they could adequately observe and record sample changes 24/7. We were able to help them evolve their security approach, determine the devices required to achieve the solution they needed, and source cameras that were compatible with their existing network, could take the necessary additional security, and featured the live streaming and recording options the lab required.

If you have a business need, we can help you find a sensible solution. We love to help businesses improve by crafting and offering informed technology solutions. Book a call with us anytime, and we'd be happy to lend you our expertise.


Apple computers have long touted enhanced security measures as compared to their PC counterparts. The truth? Macs can be just as vulnerable as PCs.

Apple’s closed system: once a strength, now a downfall

Though their closed system is an advantage over Microsoft, it has recently proven to be a massive downfall. T2-equipped Macs, meant to be their most secure version yet, have proven vulnerable. Hackers have found that with physical access, security encryption can be compromised entirely.

Usually, Apple would issue a patch (an update) to fortify any openings, but this specific weak spot lives in the hardware of the machines, not in the software of the operating system. Hackers can use what is called the Blackbird exploit to boot with root access to the SEP chip in your Mac, which stores your most sensitive data: encryption keys, passcodes, Apple Pay, biometric data, etc.

In simpler terms, all Macs with the T2 chip are seriously hackable, and Apple can’t fix it.

What about Macs that don’t have the T2 chip?

Even though this hardware vulnerability is a specific case, Macs have always been and will be susceptible to cybercrime. Though cybercriminals are typically focused on PCs since they are more widely adopted, the rising popularity of Macs is proving to draw their attention. We are seeing more system-agnostic attacks meaning they can be effective on both Macs and PCs.

Beyond the T2 chip vulnerability, all Macs are susceptible to viruses, malware, and web threats. Here are some busted myths:

1. Macs don’t get malware. Even though the system has certain safeguards, users are ultimately the vulnerability when it comes to malware. Actions like opening an unknown attachment, downloading software from malicious sites, or clicking on bad online ads can land you with malware that can sap your system's productivity or worse.

2. Macs don’t need security software. Again, the system is at the mercy of the user. Users can be fooled by phishing emails or prompted to download bad software. Security solutions will stop you before you do something detrimental.

3. My information is safe on my Mac. Though many cybercriminal attacks are geared towards PCs, device theft skews towards Mac computers and devices as they are easily identified and highly priced. Make sure that your devices have Find My Mac set up, are password protected, and go through regular data backups to an external storage space.

Should I stop using Macs? How do I protect my device?

We are not at all suggesting that Macs are not suitable for personal or business use. We see the discovery of the T2 chip vulnerability as a timely example to underscore that no matter what devices you are using, you need to take precautions to protect yourself or your business from cybercrime. Here are some basic steps to protect your device:

1. Install security software. Period. There are so many options that finding one with adequate strength at a reasonable price point is fairly simple. If you run into any issues, we encourage you to give us a call, and we would be happy to help you out.

2. Keep on top of software updates. The reason for updates is to improve your device. Though it can be a minor annoyance, keeping your devices up to date ensures you have the most recent security patches and bug fixes.

3. Invest in education and training. Especially for businesses, training your employees on how to adhere to security policies and recognize cyberthreats will exponentially decrease their likelihood to put your information at risk.

4. Work with an IT professional. An IT provider can help ensure that you aren’t leaving any holes in your defences, advise you on which tools or software would work best for your organization, and help provide solutions to any IT problems you are facing. Here at Sensible we love giving our clients back their peace of mind, knowing that with all the potential threats out there, we can expertly protect their information and help craft solutions for any problems they encounter. If you need IT assistance, give us a call.

Cybercriminal attacks are getting more and more sophisticated. If your business's site doesn't have an SSL certificate you are putting your reputation and your site's visitors at risk. In this blog, we will be covering:

  • What is an SSL Certificate?
  • The Types of SSL Certificates
  • Why do SSL Certificates Vary in Cost?
  • How to Pick an SSL Certificate Provider

If your business's website doesn't have an SSL certificate, we can help. Book a call today.

What is an SSL Certificate?

SSL certificates are a vital part of internet security, especially when your business needs to have an online presence. SSL certificates secure your domain, providing your online visitors' security, which is paramount. You need to create a secure environment that makes clients and potential customers confident in your business. Position your business as a trusted and secure resource; an SSL certificate helps you do that in two essential ways:

  1. It provides an encrypted link between the user and the server hosting your particular service. This is vital when exchanging sensitive information like personal information and housing financial transactions.
  2. It provides proof of identity, verifying that the site the visitor is on is owned and operated by the correct owners and has not been spoofed. How to check this: when you view the certificate (click on the padlock next to the URL), the company name should match the website.

As technology advances, so does the sophistication of cybercriminals' attacks. We have seen businesses' websites spoofed or redirected, which causes a lot of grief for the business, their clients, and their potential clients. In fact, as a result, Google Chrome and other browsers will now penalise (and potentially block) any website that does not have an SSL certificate. Check to make sure your URL begins with https:// and not just http://. The S indicates that the website does have an SSL certificate. If you don't have one, we can help you get one; book a call with us today.

Types of SSL Certificates

Not all SSL Certificates are equal. There are essentially 2 types of SSL Certificate generally available now:

  1. Single Name Certificates (for only one service/host server) - e.g. www.companyname.com.au OR service.companyname.com.au, etc.
  2. Wildcard Certificates (for use on multiple services/host servers) - e.g. www.companyname.com.au AND service.companyname.com.au, etc. Wildcards, of course, are more expensive, but if you have more than 2 or 3 services they can be cost-effective.

SSL certificates can now only be purchased for 1-year periods, so make sure to renew yours every year.

Why the Varying Costs for SSL Certificates?

There are definitely cheaper options out there for SSL certificates. However, you do get what you pay for.

As we outlined above, SSL certificates are not all the same. A cheaper SSL usually provides minimum encryption and trust, and is considered the bare minimum when it comes to protecting your website and its visitors. The more expensive the SSL, the more protection it provides. We can help you weigh your options and find the right provider for your business.

Which SSL Provider Should I Pick?

We have put together a checklist to help you decide on the best SSL provider for you:

1. Do they properly validate the identity of the SSL purchaser? This is a manual, slower process to ensure that the purchaser of the "www.CONTOSO.com.au" SSL certificate actually is CONTOSO and not an imposter. They also include your business name on the certificate. Cheaper providers simply do not have the infrastructure for this important step, or they skip it or do a very basic check. That means lower trust, and it is the main reason for the cheaper price.

2. Is there a warranty offered to users of your internet services? A warranty is insurance for an end user against loss of money when they make a payment on an SSL-secured site. This is very important for e-commerce sites, but is also important if personal data is being submitted to the secure site. E.g. GoDaddy offers only a limit of $1000 to end users against loss of money when submitting a payment on an SSL-secured site, which means lower trust. Our preferred provider comes with a $1 million warranty.

3. Are you buying the SSL from a registered Trusted Certificate Authority or just a wholesaler? Is the provider simply a mass wholesaler of other people's SSLs, or do they directly stand behind it and offer the service themselves? Trusted Certificate Authorities are organisations that have earned trust globally (and by all web browsers) to safely and securely provide secure identities. There are only 8 actual Trusted Certificate Authorities in the world. Our preferred provider is one of these Trusted Authorities and offers 24x7 support.

4. What level of encryption is provided? What level of encryption is provided to protect the data in transit over the public internet: 128-bit or 256-bit? This determines how hard it is for a hacker to recover the sensitive information. The standard now is 256-bit, which is a lot harder to break.

5. Is the SSL certificate guaranteed to work on all devices? Has the certificate been verified to work on all devices that may connect, e.g. smartphones and tablets? Some providers' certificates do not, though this is becoming less common.

As an internationally ISO27001 accredited organisation, Sensible Business Solutions takes security very seriously.

We have to go out of our way to ensure the systems and suppliers we deal with have best practices in place, offer business-grade support, etc. The choice is up to you - but we will always be able to help you with the systems we recommend.

If you need more assistance, give us a call, we're happy to lend our expertise to your organisation.

Microsoft Office 365 has proven itself to be one of the foremost business-level office solutions in the world, regardless of industry. It’s a set of tools that companies and MSPs all over the world utilise and promote—but that doesn’t mean it’s perfect, and it definitely doesn’t mean that people have mastered and taken advantage of all of its features. Unfortunately, one of the most important aspects of IT management is neglected in most Office 365 implementations: cybersecurity.

Here in Australia we’ve seen a number of high-profile successful cyberattacks in the past few months; Toll Group suffered two attacks, BlueScope Steel was hit by an attack that forced them to shut down operations company-wide, and money management company MyBudget was hacked, causing a nationwide shutdown that left over 13,000 customers financially upset.

If companies of that size can be hacked, so can your organisation—you cannot assume that your standard firewall and antivirus combination will keep you safe.

This takes us back to Office 365, which has a variety of security features that many organisations are not aware of, and therefore do not utilise. With more and more organisations moving to Office 365, there are more and more people not optimising their environment or taking the next steps to protect themselves. When we consider the growth and staying power of remote work environments, it becomes an even higher priority.

A Case Study

In our years of experience, we've run into a few cases where a company adopts Office 365 out-of-the-box and experiences some form of cybercrime that they thought they were safe from. In one case, a malicious actor was automatically forwarding every email the employee received to their company's competition—including sensitive personal and financial information. Office 365 has a security feature that can alert the user and/or administrator if company emails are being forwarded outside of the network, or if there's other strange behaviour—but this feature is not enabled automatically. The victimised company in that case was being spied on for two weeks before they found out—not many companies come out of that with revenue and reputation intact. If they had looked into their cybersecurity options, and not assumed that Office 365 automatically secured everything, this could have been mitigated or avoided entirely.

Noteworthy Office 365 Security Features

Another form of security that Office 365 supports is “impossible travel detection”. In an impossible travel scenario, the system detects if logins are being attempted from different geographic locations in a timeframe that you couldn’t physically achieve. e.g. Login attempt in London, and after an hour it’s being attempted again from New York. This is impossible travel, and it’s a major indicator that someone is trying to hack your account. There are tools to detect those things and alert the proper individuals—but again, these are not automatically turned on. You need to set it up specifically.
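Both the risk-based protection steps in the password section above (blocking logins from locations you will never travel to) and the impossible travel scenario just described come down to the same check over sign-in events. The following Python is an added example and is not part of the original posts nor Office 365's own detection logic; it assumes each login has already been geolocated to a country code and coordinates (the sample sign-ins below are constructed) and treats any pair of logins that would require more than an assumed 1000 km/h as impossible.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List, Set

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling: no scheduled flight sustains much beyond ~900 km/h, so a
# pair of logins that would require more than this cannot be the same person.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime      # timezone-aware UTC timestamp from the sign-in log
    country: str        # ISO 3166-1 alpha-2 code from the geo-IP lookup
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    kind: str           # "unexpected_country" or "impossible_travel"
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to travel from prev to cur."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        # Same timestamp (or clock skew): any movement at all is implausible.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def scan_logins(logins: Iterable[Login], allowed_countries: Set[str],
                max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Finding]:
    """Flag logins from countries outside the allow-list, and consecutive
    logins of one user that imply impossible travel (processed in time order)."""
    findings: List[Finding] = []
    last_seen: Dict[str, Login] = {}
    for login in sorted(logins, key=lambda l: (l.user, l.when)):
        if login.country not in allowed_countries:
            findings.append(Finding(login.user, login.when, "unexpected_country",
                                    f"login from {login.country}, not in the allow-list"))
        prev = last_seen.get(login.user)
        if prev is not None:
            speed = required_speed_kmh(prev, login)
            if speed > max_speed_kmh:
                dist = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
                findings.append(Finding(login.user, login.when, "impossible_travel",
                                        f"{dist:.0f} km from previous login ({prev.country}) "
                                        f"would require {speed:.0f} km/h"))
        last_seen[login.user] = login
    return findings


def sample_findings() -> List[Finding]:
    """Run the scan over constructed sample sign-ins (not real log data)."""
    def t(hour: int, minute: int) -> datetime:
        return datetime(2021, 3, 1, hour, minute, tzinfo=timezone.utc)

    logins = [
        # alice: London at 09:00, then New York an hour later -> impossible travel
        Login("alice", t(9, 0), "GB", 51.5074, -0.1278),
        Login("alice", t(10, 0), "US", 40.7128, -74.0060),
        # bob: London, then Manchester two hours later -> plausible (~130 km/h)
        Login("bob", t(9, 0), "GB", 51.5074, -0.1278),
        Login("bob", t(11, 0), "GB", 53.4808, -2.2426),
        # carol: a single login from Sydney, a country this business never travels to
        Login("carol", t(9, 30), "AU", -33.8688, 151.2093),
    ]
    return scan_logins(logins, allowed_countries={"GB", "US"})


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.when:%H:%M} {f.user:6} {f.kind:18} {f.detail}")
```

Real deployments feed this from the identity provider's sign-in log and tune the speed ceiling and allow-list per organisation; the point is that neither check runs unless someone configures it.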

While those tools (and others like them) are less known or understood, there is one security feature that almost everyone is aware of—and it also isn't activated out-of-the-box: Multi-Factor Authentication (MFA). With MFA activated, users are required to validate their login attempt via another system—this could be a text message, a smartphone app, or a token. While yes, MFA adds another step to every login, it also adds an impossible step for any hacker or social engineer who manages to get hold of your password. If they don't have both your password and your smartphone, they can't get into your account to cause problems. Sensible recommends always implementing MFA.

Another major misconception and point of neglect with Office 365 is the assumption that data stored in OneDrive or other cloud-based solutions is backed up. Microsoft only supplies a short-term recycle bin. They do not supply backups at all: this is up to you to arrange. Just because you are working in the cloud does not mean your data is immune from accidental or intentional data loss or corruption.

So what can we do? Sensible is happy to work with you to improve your cloud defences and cybersecurity solutions, whether it involves an Office 365 subscription or not. We begin by discussing your current environment, and business, before auditing your company for security risks. Once we’ve audited your network and identified your weak points, we can work with you to improve. Whether there’s a certain cybersecurity benchmark you want to hit, or if you need to meet regulatory compliance criteria, we can help you get there.

If you’re interested, feel free to give us a call; we’re happy to lend our expertise to your organisation.

Businesses and organisations of all kinds are thinking about the eventual transition back into the office environment. This experience will be different for each organisation. Some have been running essential services during the COVID-19 outbreak, and haven’t really noticed much change in this. Their experience will differ greatly from the business that transitioned to an entirely remote workforce in response to the pandemic—their needs are going to be more costly and drastic. Whatever your experience has been, or what your situation currently is, it’s time to start planning for what comes next. Are you going to return to the office life, like before the pandemic? Are you going to stay entirely remote? The answer to both of these questions is likely “no.” Most organisations would benefit from adopting the Hybrid Working Model.

What is the Hybrid Working Model?

The Hybrid Working Model (HWM) is simply a simultaneous adoption of in-office and remote work environments. We’re expecting to see a significant number of workers continue to work from home after the social distancing and quarantine restrictions are lifted, and we expect that number to stay fairly consistent. There are also good reasons for returning to the office: face-to-face collaboration can be more effective than remote collaboration, it’s easier to stay focused without the trappings of home, and there are social benefits to working in the office with other people. With these things in mind, we need to look at what businesses and non-profit organisations need to do to prepare for this kind of HWM environment.

Security

Security is always important, but it’s even more important right now. Ransomware attacks have increased by 400% over the last three months as a result of the COVID-19 pandemic response. With businesses and organisations everywhere trying to function with a hastily-assembled remote work environment, hackers are taking advantage of the generally weakened cybersecurity. Your business needs to take steps now to solidify your cybersecurity solution and prepare for securing your HWM environment. We expect issues regarding file version control and virus corruption to spike as employees move back into the office, which can put company data at risk.

The quickest and most cost-efficient step you can take to shore up your security is to enable Multi-factor Authentication or Two-Factor Authentication across all of your accounts and devices. Requiring a secondary verification source (like a smartphone app or a text code) to access accounts and data adds a layer of defense that all but the most dedicated hackers and cybercriminals won’t be able to penetrate. Beyond that, Sensible is happy to work with you to refine and strengthen your cybersecurity offering.

Efficiency

When your team is split between the office and remote work, there are a few things that can make a positive impact. The first is establishing solid policies around transferring data between home and the office. The second is to learn and leverage the full functionality of your current tools. We very commonly see people using great tools like Microsoft Teams, but not using them effectively. For example, Teams has a chat function, a collaborative file sharing function, video conferencing, and task management, yet a lot of companies only use it for communication. Leverage your tools to the fullest extent, especially when on-site and remote workers are working together on one project.

We hope this article highlighted some helpful things for you, and gave you an idea of what you need to prepare for when implementing your Hybrid Working Model environment. If you’re interested in working with a trusted IT partner, Sensible is happy to help you figure out how to best meet your needs.

You have probably heard about the latest vulnerability that affects most modern wi-fi networks.

The possible exploit is called KRACK.

The vulnerability is related to a discovered flaw in the WPA and WPA2 encryption protocols used by most modern wi-fi access points.

WPA and WPA2 (Wi-Fi Protected Access II) are also currently used as a security layer so only authorised devices can connect to your wi-fi network.

In simple terms, an attacker can adopt a man-in-the-middle position on your Wi-Fi network. They could force access points and client devices to reinstall a different encryption key. The KRACK attack then allows an attacker to intercept wi-fi traffic.

A criminal could then not only decrypt network traffic from a victim's device on a WPA/2 network, but also hijack connections. In some cases, they could inject malware or ransomware into unencrypted websites you are trying to visit (those not using SSL). Users could also be redirected to malicious websites.

What does this mean for you?

  1. Don’t panic. No, you do not need to turn off your Wi-Fi network. There have been no known attacks taking advantage of this vulnerability - yet.
  2. An attack would have to be very sophisticated using special hardware on-site. This limits the potential for concern.
  3. Disable the 802.11r protocol on your access point as it currently has a particular sort of vulnerability.
  4. Implement Best Practices.
    1. Your IT Support provider should already be installing the right firmware updates from your vendors as they become available. You must update both sides of the wi-fi connection - your "client" device (smartphone, laptop, tv, etc.) and the Wi-Fi Access Point (AP) you are connecting to.
      1. Note that some clients, such as Android 6 and Linux devices, are more susceptible than others.
    2. Schedule a regular audit of your Wi-Fi network to ensure best practices are being applied.
    3. Enable Rogue Detection on your Access Points. This is a feature which detects and blocks devices pretending to be authorised.
    4. Separate your business wired network and your wireless network.
    5. Implement RADIUS technology for more robust security authentication on your corporate network.
  5. Finally, until you are updated, only use sites and services that use HTTPS as they encrypt data from your web browser to the server and back.


A glaring security mistake has been discovered in Apple’s most recent desktop operating system. It’s not the sort of vulnerability that requires complicated malware or IT knowledge; anyone can learn this exploit in a matter of minutes to steal your password. Here’s how to stop that from happening.

What is the bug?

The vulnerability pertains to sweeping changes in how macOS stores files. In the High Sierra update, the Apple File System (APFS) was introduced to make opening and saving files much faster. As an added bonus, APFS also added advanced features like drive encryption.

However, users who add a second encrypted APFS partition to their computer’s drive aren’t keeping their data safe from prying eyes.

Let’s imagine you want to create a separate storage partition for your work files. The data contains sensitive information so you encrypt the drive and add a password.

If in the course of setting the password you were to provide a password hint, High Sierra will display your password when anyone clicks Show Hint when accessing the drive. You can see how it’s done in this 45-second video.

When anyone can retrieve your password in a matter of seconds, encryption becomes completely pointless.

How to fix this vulnerability

Sadly, the update for encrypted APFS drives requires much more than installing a patch. As such, we do not recommend trying to fix this issue without professional help if your encrypted partition has irreplaceable data. It is a complicated process and could result in data loss.

Apple procedures for fixing the issue if you’ve already encrypted a drive include:

  1. Installing the most recent macOS update
  2. Backing up the encrypted drive
  3. “Unmounting” and erasing the original drive
  4. Creating a new encrypted APFS drive
  5. Entering a new password and password hint
  6. Restoring the backup from Step 2 to the updated partition

Apple’s macOS is a great operating system. It is reliable, secure, and user friendly -- but like any piece of software, it’s not perfect. Don’t make the mistake of assuming macOS is safe enough to protect your data without outside help. For help encrypting your drives or securing your Macs, call us today.

Published with permission from TechAdvisory.org. Source.

When it comes to security, it’s better to be safe than sorry. But as the Equifax leak case has taught us, once a security breach does happen, it’s best not to be sorry twice. Read on so your business doesn't experience the same fate as the giant, bumbling credit bureau.

What happened to Equifax?

Equifax, the huge American credit agency, announced in September 2017 that its database was hacked, resulting in a leak of tons of consumers' private data, including personally identifiable information of around 143 million US and UK citizens. It included names, social security numbers, addresses, birthdates, and credit card and driver’s license numbers.

Equifax responded by setting up a new site, www.equifaxsecurity2017.com, to help its customers determine whether they had been affected and to provide more information about the incident.

Soon after, Equifax’s official Twitter account tweeted a link that directed customers to www.securityequifax2017.com, which is actually a fake site.

Fortunately for Equifax’s customers, the fake phishing site was set up by a software engineer who wanted to use it for educational purposes and to expose flaws in Equifax’s incident response practice. So, no further harm was done to the already-damaged customers, and Equifax is left with even more embarrassment.

So what did Equifax do wrong?

One of the huge mistakes Equifax made in responding to its data breach was setting up a new website to give updated information to its consumers outside of its main domain, equifax.com.

Why? You first need to know that since the invention of phishing scams, organised criminals have been creating fake versions of big companies’ websites. That’s why so many major corporations buy domains that are the common misspellings of their real domains.

You should also know that phishers can’t create a web page on the company’s main domain, so if Equifax’s new site was hosted there, it’d be easy for customers to tell whether the new page was legitimate and not be fooled by a fake domain name.

What’s obvious from this embarrassing misstep is that Equifax had never planned for a data leak. And this is an unforgivable oversight by a company that handles the information of over 800 million consumers and more than 88 million businesses worldwide.

Don’t repeat Equifax’s mistake

Whether your business is a small startup or as big as Equifax, it needs to prepare for a data breach. Besides having a comprehensive network defence plan, you also need to have the right incident response plan in place. New Australian Data Privacy Laws which come into effect in February 2018 have stiff penalties and mandate that you must have a data breach system in place.

So what you should do is implement a system that makes you aware of leaks; then, once you’ve discovered a leak, first of all be upfront with your customers and notify them as soon as possible.

You also need to establish a message that includes the following information:

  • How the leak occurred
  • How the leak could affect your customers
  • How you will prevent future attacks
  • What your company will do to support affected customers

You should also create a web page to keep your customers up to date. But remember, the new web page should be under your company’s primary domain name.
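The two points above (that phishers cannot create pages on your real domain, and that any breach-update page must live under your primary domain) come down to one check you can run over every link before it goes into a customer email, tweet or web page. The following is an added example, not Equifax’s or Sensible’s own code; the primary domain is set to `equifax.com` purely to mirror the story, and the sample links are constructed. The check matches on a label boundary, so it rejects not only the look-alike `securityequifax2017.com` but also the subdomain trick `equifax.com.evil.example` and the prefix trick `notequifax.com`.

```python
"""
Added example (not from the original post): validate that links published in
breach communications stay under the company's primary registered domain.
"""
from urllib.parse import urlsplit

# Placeholder for the domain your company actually controls.
PRIMARY_DOMAIN = "equifax.com"


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if it has none).

    Links pasted into comms often lack a scheme ("www.example.com/help"),
    so a scheme is prepended before parsing; userinfo and ports are dropped
    by urlsplit().hostname.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def is_under_primary_domain(url: str, primary: str = PRIMARY_DOMAIN) -> bool:
    """True only if the host is the primary domain or a subdomain of it.

    Comparing on the '.' boundary is what makes the check sound: a plain
    substring test would accept 'notequifax.com' and 'equifax.com.evil.example'.
    """
    host = host_of(url)
    primary = primary.lower().lstrip(".")
    return host == primary or host.endswith("." + primary)


def looks_like_brand(url: str, primary: str = PRIMARY_DOMAIN) -> bool:
    """True if the host carries the brand label (e.g. 'equifax') but is not
    under the primary domain: the look-alike pattern used in phishing."""
    brand = primary.lower().split(".")[0]
    return brand in host_of(url) and not is_under_primary_domain(url, primary)


def review_links(urls, primary: str = PRIMARY_DOMAIN):
    """Classify each link as 'ok', 'look-alike' or 'external' so a comms
    draft can be checked before it is sent."""
    verdicts = []
    for url in urls:
        if is_under_primary_domain(url, primary):
            verdicts.append((url, "ok"))
        elif looks_like_brand(url, primary):
            verdicts.append((url, "look-alike"))
        else:
            verdicts.append((url, "external"))
    return verdicts


if __name__ == "__main__":
    # Constructed sample links, including the two domains from the story.
    draft_links = [
        "https://www.equifax.com/security-update",
        "https://www.equifaxsecurity2017.com",
        "www.securityequifax2017.com",
        "https://equifax.com.evil.example/",
        "https://notequifax.com",
    ]
    for link, verdict in review_links(draft_links):
        print(f"{verdict:10s} {link}")
```

Run it before publishing: anything other than `ok` should be replaced with a page hosted under your own domain, which is exactly the arrangement that lets customers distinguish your page from a fake one.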

As we’ve seen from Equifax, a robust incident response plan is a must. Feel free to talk to our experts about how you can come up with an effective one -- so you won’t have to repeat Equifax’s apologetic statement, since it doesn’t help the company redeem its reputation at all.

Sensible Business Solutions © 2022 All Right Reserved