What is a pen test?

By | Blog

A pen test, short for penetration testing, is a simulated cyber-attack on a company’s network performed to identify any potential vulnerabilities and exploit them. It is performed manually by a highly skilled security professional using various tools, techniques and processes to simulate the extent of what could happen under a real attack.

To explain it differently, think about checking whether your house’s front door is locked. If it isn’t, you enter and rummage around to see what you can take and how much damage you can cause. In finding the front door unlocked you have identified a vulnerability, and by entering to find personal assets and sensitive information you have exploited it. This is in essence what a pen test does, except that the front door is the access to your company’s network and what is at risk is your data and customer information.

Why have a pen test performed?

Most company networks are designed, built, and maintained by employees who have little to no professional experience in security. Having a pen test performed provides you with a report highlighting points of weakness, the extent of damage that could be caused, and a roadmap for security remediation. This report gives you the opportunity to address any issues before they are exploited by a criminal, and peace of mind knowing your “front door” is secure.

Beyond peace of mind, if your business is required to comply with standards, for example HIPAA for healthcare or PCI-DSS for credit card processing, you may have a requirement for a risk analysis to be conducted periodically. A great way to perform this risk analysis is through a combination of a vulnerability scan and pen testing.

Things to consider

  • Pen testing is best conducted by a third-party vendor rather than your internal staff to provide an objective review of the network environment and avoid any conflicts of interest.
  • Pen testing is costly compared to a vulnerability scan for a few reasons. One main factor is a vulnerability scan is automated while a pen test is performed manually by an experienced security professional.
  • To keep costs down, don’t spend a lot of money testing low-risk assets that may take several days to exploit.
  • Unlike a vulnerability scan, which is run routinely, a pen test is typically recommended once or twice a year.

Next up: What is Mobile Device Management (MDM)

Previous post: “What is a vulnerability scan”

Here are some items you should discuss when talking about performing a pen test. No need to read further unless you are seriously considering taking

  • What computer assets are in scope for the test?
  • Does it include all computers, just a certain application or service, certain OS platforms, or mobile devices and cloud services?
  • Does the scope include just a certain type of computer asset, such as web servers, SQL servers, all computers at a host OS level, and are network devices included?
  • Can the pen testing include automated vulnerability scanning?
  • Is social engineering allowed, and if so, what methods?
  • What dates will pen testing be allowed on?
  • Are there any days or hours when penetration testing should not be tried (to avoid any unintentional outages or service interruptions)?
  • Should testers try their best to avoid causing service interruptions or is causing any sort of problem a real attacker can do, including service interruptions, a crucial part of the test?
  • Will the penetration testing be black box (meaning the pen tester has little to no internal details of the involved systems or applications) or white box (meaning they have internal knowledge of the attacked systems, possibly up to and including relevant source code)?
  • Will computer security defenders be told about the pen test or will part of the test be to see if the defenders notice?
  • Should the professional attackers try to break in without being detected by the defenders, or should they use the normal methods that real intruders might use, to see whether these set off existing detection and prevention defenses?

What is a Vulnerability Scan?


The word cyberattack has virtually become a household term, thanks in part to high-profile attacks in recent years. Mention a company name like Equifax or Ashley Madison and it will likely conjure up very different thoughts than it would have just a few short years ago. These types of attacks have impacted millions of consumers and businesses, forcing the need (and responsibility) to protect your important data.

A vulnerability scan is a technique used to identify security weaknesses in a computer system. Security weaknesses are what cybercriminals look for to gain unauthorized access to a network, resulting in… you guessed it, a cyberattack. I could get all technical and start talking about ports, patches, and the Heartbleed bug, but as in my other blogs my intention is to bring awareness to these terms in a non-technical way.

A vulnerability scan is performed using software which, upon completion, produces a report that lists the vulnerabilities found and (depending on the software) gives an indication of the severity of each vulnerability and basic remediation steps. Performing these scans routinely is a widely recognized security best practice among large corporations; however, small and medium-sized businesses often believe they don’t have the resources or the budget for this security technology. You should know there are free scanners available, as well as free trial software, which can be used to test your network. Although there are free options, it is relatively inexpensive to pay a professional to perform one for you.

I’ll leave you with this final thought. Since there is free software available to scan for vulnerabilities, what do you think “the bad guys” are doing with it? You guessed it, using it to find companies who have obvious vulnerabilities they can exploit. This brings to mind a well-known saying: “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you”. You don’t need to have the best security, just don’t have the worst.

Next up: What is pen testing?

Previous post: “What is a Hosted PBX?”

What is the Cloud and is it Safe?


A question you might be thinking, but apprehensive to ask. Let’s face it, the term “cloud” is used so frequently it’s difficult to understand what it really is.

I will share information and helpful resources I come across which I hope will demystify the cloud. So let’s start with the basics: What is the Cloud?

The cloud is not a physical thing, it is a network of servers, and each server has a different function. Imagine putting all your files, documents and other information in a cloud in the sky. Wherever you go, you can see and access this cloud. You can store more files, use/edit documents, or delete stored info from anywhere as long as you have a computer, laptop, mobile phone or any other internet-enabled gadget. This is how the cloud works. Storage, hosting of files (such as music, photos, applications, videos, etc.), and other services are outsourced to web-based cloud hosting service providers.

So there you have it, the cloud demystified. Your files are placed on servers that are “hosted” by other companies, all linked together by the Internet and labeled the cloud. A good example is Dropbox, a common file storage and sharing service that I use to store digital pictures. I had the privilege of spending a week in Scotland golfing and I took a million pictures on my cell phone. I only keep a few of my favorite pics on my phone and “uploaded” the rest to my Dropbox account. Now my pictures are securely stored in the cloud. But are they secure? How do I know that someone isn’t going to be able to access my pictures and laugh at me in a bunker?

The short answer is yes, it’s probably more secure than conventional data storage. Why? Well, visit our blogs frequently, as we will share facts and fictions about the cloud and its security.

Next Up: Cloud Security – Phishing

Cloud Security – Phishing


Cloud security is comprised of two different areas, each of equal importance. First is the security of your cloud provider (the company who provides the service that stores your information in the cloud) and second is your own security practices.

It is wise to have hardened security practices for your business, regardless of where your data resides. A lot of the issues around security are no longer technology issues, they are human issues. Jasmine W. Gordon, contributor to Tektonika, shares the following in her security post:

“Snapchat. Home Depot. The City of Calgary. What do these three entities (and countless other organizations) have in common? Data security breaches from human error, unfortunately. Each one of them faced expensive incidents as the result of simple employee mistakes.”

Don’t think for a minute “I am too small to be attacked”, because it happens to individuals and companies regardless of size, location(s) or revenue. One way to protect your company from human error is understanding and preventing phishing.

Phishing, pronounced “fishing”, is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. For example, I receive emails from my bank letting me know my account password needs to be reset, providing a link to log in and reset it. The email looks like it comes from my bank; however, the link it directs me to is not my bank. Odds are, if I click the link I will be directed to a site that also looks like my bank’s web site and allows me to log in. Simple enough: now someone has my bank login credentials.

Tips: Hover your mouse over a link and verify that the actual URL is the same as what the email shows. Be cautious: the link may look the same but be off by a few letters. Another tip for businesses is to consider a phishing simulation. This is an effective way to test your employees’ security awareness and susceptibility to phishing tactics.
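As an added illustration of the hover-and-check tip (this is not code from the original post), the Python script below does what the tip describes: it compares each link’s visible text with its real destination and flags destinations that are only a letter or two away from a trusted domain. The sample email and the domain example-bank.com are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the "reset your password" email described above: two
# links show the bank's address as text but point elsewhere, and the last one
# points at a domain that is one letter off from the real one.
SAMPLE_EMAIL_HTML = """
<p>Your account password must be reset.</p>
<a href="https://login.examp1e-bank.com/reset">https://www.example-bank.com/reset</a>
<a href="https://www.example-bank.com/help">Help centre</a>
<a href="http://bit.ly/xyz123">https://www.example-bank.com/secure</a>
<a href="https://example-bamk.com/login">Sign in</a>
"""
TRUSTED_DOMAINS = {"example-bank.com"}  # assumption: stands in for the bank's real domain

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(text):
    """Last two host labels of a URL or bare domain in text, '' if it is not one.
    Simplification: ignores two-level public suffixes such as .co.uk."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance: how many letters one domain is 'off by' from another."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html, trusted):
    """Return (href, text, reason) for each link that fails the hover check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_dom, text_dom = domain_of(href), domain_of(text)
        if text_dom and text_dom != href_dom:
            findings.append((href, text, "link text and destination differ"))
        elif href_dom not in trusted and any(edit_distance(href_dom, t) <= 2 for t in trusted):
            findings.append((href, text, "look-alike of a trusted domain"))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS)` reports the two links whose text and destination disagree and the one look-alike domain, while the genuine help-centre link passes.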

Next Up: Security questions you should ask your cloud provider.

Previous post: “What is the Cloud and is it Safe?”

Security Questions You Should Ask Your Cloud Provider


Cloud security is an important topic for many reasons, not least because it is one of the primary reasons businesses delay moving to the cloud. In a Gartner “Is the cloud secure?” report republished in March of 2018, Jay Heiser, Gartner research vice president, offers insight into the subject. In part, Jay notes:

“The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user — not the cloud provider — who fails to manage the controls used to protect an organization’s data.”

This made me think, what questions should I ask my cloud provider? Here are my top 5:

  1. What measures do you take to destroy data after it is released by customers?
  2. What physical security measures, processes, and monitoring capabilities do you have in place to prevent unauthorized access to your data centers?
  3. How do you screen your employees and contractors?
  4. What security certifications do you possess?
  5. Do you encrypt data in transit and at rest?

You should expect your provider to be able to answer these questions and the answers should give you the warm and fuzzy.

Up next: What the heck is the difference between a public, private and hybrid cloud?

Previous post: “Cloud Security – Phishing”

What the heck is the difference between a public, private and hybrid cloud?


As if the cloud itself wasn’t enough we had to go ahead and complicate it by adding private, public and hybrid. While the term “the cloud” is certainly appropriate as a general term, the evolution of cloud computing has introduced different models and therefore the need for additional terminology. There are three general cloud deployment models: public, private, and hybrid.

In this post we offer a basic explanation of each cloud model. By basic we mean, if you were at a cocktail party and were to be asked which model you like best, you would not be clueless. Okay, let’s be real, I know it’s not likely to be the topic of conversation at a cocktail party, but a little knowledge never hurt anyone, right?

The word “server” is used in the explanations below; when you hear it, think of a computer at the office that stores software programs, or that “H” drive where everyone goes to find shared files (Word, Excel, PowerPoint, etc.).

Public Cloud – A public cloud is where an independent, third-party provider owns and maintains the servers that customers can access over the internet. In a public cloud, server resources are shared by multiple companies, a model known as a multi-tenant environment. This is a cost-effective model since the expense of the servers is shared by more than one company.

Private Cloud – For me this was the most difficult cloud model to wrap my head around, due in large part to differing opinions as to what constitutes a private cloud. Some would say the servers sitting on-premises in your datacenter are a private cloud, while others argue that simply isn’t enough. In a private cloud model, the servers are owned by and dedicated to you; they can be located in your own datacenter or computer room, but they can also be hosted in a service provider’s datacenter. A private cloud can be managed by you, by the hosting provider, or by a third party.

Hybrid Cloud – While understanding the benefits and challenges of a hybrid cloud may not be that simple, explaining it is. A hybrid cloud is the use of both a public and a private cloud, allowing an organization to benefit from both models. To illustrate, imagine your company uses a software program for your annual employee review. Most of the year the program is used infrequently; however, when it’s that time of year, individuals are logging in and out of the program multiple times, adding and removing information. The server needs to have sufficient resources to manage the increased activity (we all know the frustration of a slow program). Rather than purchasing a server that sits idle most of the year, you may elect to put this program in a public cloud. You then pay for the necessary servers and their resources only when they are needed and used. The rest of your software programs, however, are kept on-premises in a private cloud, with the two clouds connected together.

Up next: Security awareness training, do we really need it?

Previous post: “Security Questions You Should Ask Your Cloud Provider”

IoT or The Internet of Things


The “Internet of Things,” or the IoT, is best described as a physical network of connected “things.” So, what exactly is this connection of things?

One of the most highly visible and popular pieces of Internet of Things technology is the Nest, a smart thermostat that’s connected to the internet. This Wi-Fi-connected thermostat allows you to remotely adjust the temperature via your mobile device and also learns your behavioral patterns to create a temperature-setting schedule. According to Gartner, the IoT is the network of inanimate objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment. Here are some other everyday examples of IoT devices you may be familiar with:

  • Smart plugs, used to turn electrical devices on and off on a set schedule or when you hit a button on your smartphone.
  • Smart locks, which automatically unlock when you get home and lock behind you when you close the door.
  • Smart security systems, combining video, audio, motion detection, night vision, a siren, and air quality, temperature, and humidity sensors into a single device that you can control from your phone.
  • Smart toothbrushes, which connect to your smartphone and encourage good brushing habits for both kids and adults by turning brushing into a game and saving data about your brushing habits on your phone.

Other examples include smart pet feeders, health monitors, emergency response systems, automatic car tracking adapters, and more. Companies of all sizes are getting in and staking their claims. For large organizations that have already invested in IoT, the focus has been on internal operational improvements. The primary business case for IoT includes improved efficiencies, improved data management, cost savings, and enhanced asset utilization. They also hope to create new revenue streams through new products and services. Having the right data management strategy in place to support these efforts, however, remains key.

Without such a strategy, companies may miss out on making key business decisions.

Security awareness training, do we really need it?


I could fill this post with countless studies, statistics, and articles that should make the answer to this question obvious. However, I suspect most readers already know the answer, so I will spare those details. Rather, the question I would like to focus on in this post is: Why is security awareness training absent from so many companies’ priorities?

While there are many reasons, the most common are the belief that a business is too small to be attacked, not knowing where to even start, and simply not being willing to allocate funds towards it. Again, I could fill the rest of this post with information to dispel the belief that a company is too small to be a target. If you are curious, do a quick Internet search for “Is my business too small for a cyberattack?”. Happy reading!

For the remainder of this post I will focus on the other two reasons, getting started and funding.

Get started by making cybersecurity a topic of conversation at the highest level of your organization. Start by talking about the tips provided by the National Institute of Standards and Technology: use strong passwords, back up your important information, use virus protection software, do not keep computers online when not in use, do not open email attachments from strangers, and use a firewall. Something is better than nothing.

While spending money to protect your business is wise, there are free resources available to you. First, phishingbox.com has a free phishing simulation, which can be found at https://www.phishingbox.com/phishing-iq-test. This is a good way to test how well you do at identifying phishing attacks. Second, I recommend taking the Cybersecurity Challenge developed by the Michigan Small Business Development Center. It offers eight well-constructed tutorials covering various components of cybersecurity: https://smallbusinessbigthreat.com/cyber101/

Next up: What is a Hosted PBX?

Previous post: “What the heck is the difference between a public, private and hybrid cloud?”

What is a Hosted PBX?


Let’s start with understanding what a PBX is. A Private Branch Exchange, which is what the acronym PBX stands for, is more commonly known as your business telephone system. That desk phone at your workplace and the equipment it communicates with, combined, are your telephone system or PBX. It is the intelligence that provides your work voicemail, allows the buttons on your phone to do what they do, routes callers to your extension, and provides many other features. It is also the equipment that connects your phone with your phone service provider, enabling you to make and take calls over the public switched telephone network (PSTN). This is obviously a condensed explanation, but sufficient to serve the purpose of this post.

A Hosted PBX simply means the PBX functionality, or the brains of your PBX, is hosted in the cloud by a service provider. Rather than your desk phone communicating with the PBX in your office, it communicates with a PBX in the cloud via an IP network (such as an internet connection, although there are other options). A hosted PBX is often referred to by different names, including VoIP PBX, Virtual PBX, Cloud PBX, Hosted VoIP, and many other variations.

While it is heavily debated whether a hosted PBX is less expensive than a traditional premises-based PBX, the benefits are not debatable. The most popular benefits include outsourced system maintenance and upgrades, scaling up and down with ease, improved business continuity and disaster recovery, rich features that boost productivity, and eliminating the need and expense of having a datacenter-like environment at the office.

Lastly, the success of Hosted PBX has introduced countless service providers offering uniquely packaged and priced solutions tailored to their target demographics. Having options benefits consumers; however, it does require some vetting of service providers to determine which is best for your office environment. One size does not fit all.

Next up: What is a vulnerability scan?

Previous post: “Security awareness training, do we really need it?”