Wish You Were Here: Why You Should Let Your IT Team Know When You’re Going Out of the Country

The Importance of Keeping Your Conditional Access Policies Current 

When planning a trip abroad, your to-do list is long: personal tasks like lining up a cat-sitter and packing, and work-related ones like arranging cover for key responsibilities and setting your out-of-office email autoreply.

Here’s another important item you may not have known about: Letting your IT team know where you’re going and when you’ll be back.

It’s not so we can live vicariously through you as you traverse a sunny beach in Bali. It’s so we can adjust your conditional access policies and keep your account as secure as possible!

Understanding Conditional Access

Conditional access is a security measure that uses criteria to limit login access to company resources. Josh Farlow, our Director of Cloud Services, explains, “These access policies are often applied to Microsoft applications. Your conditional access policy sets the conditions for who can access, and which authentication methods are required for logging in to your Microsoft 365 environment.”

One important condition is location. Josh adds, “Our default policy blocks authentication attempts outside the USA and Canada. For some companies, we include exceptions like Mexico if needed.”

Conditional Access: Location Restrictions

In this case, we’re focusing on the location parameter. Your IT team should have set approved locations as part of your access policy. For example, if you typically log in to your Microsoft 365 account from Central California, that would be the approved location from which your account can be signed in to. If there is an attempted login with your credentials from anywhere outside that area, the policy flags it and blocks it. This stops a bad actor in, say, Uzbekistan from using stolen credentials to get into your account.

However, if you’re going to be visiting family in Uzbekistan and need to log in to send a quick email while you’re there, your conditional access policy would prevent that. Notifying your IT team ahead of time lets them adjust the policy for smooth sailing while you’re away.

Think of it like back in the day when you had to call your credit card provider and let them know where you were traveling so your card would work in those countries without being blocked. Same idea!
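To make the mechanics concrete, here is an added example (not CIO Solutions’ own configuration) of what a country-based block policy and a time-boxed travel exception look like as Microsoft Graph request bodies, the same JSON the Entra portal and the Graph PowerShell SDK send to /identity/conditionalAccess. The named-location IDs, user IDs and bearer token are placeholders. The small `would_block` helper mimics how Entra evaluates the two policies, so you can see why the travel exception has to be a separate policy rather than an “allow” rule:

```python
"""Country-based Conditional Access with a scoped travel exception (added example)."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"


def country_location(name: str, countries: list[str]) -> dict:
    """Named-location body: the sign-in IP is geolocated to one of the ISO 3166-1 alpha-2 codes."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": countries,
        "countryLookupMethod": "clientIpAddress",
        "includeUnknownCountriesAndRegions": False,   # unknown geolocation counts as "outside"
    }


def block_outside_policy(name: str, allowed_location_ids: list[str], include_users: list[str],
                         exclude_users: list[str], report_only: bool) -> dict:
    """Block sign-in from every location except the allowed named locations, for the scoped users.
    Every matching policy must pass, so a block can never be undone by another policy; exceptions
    are therefore modelled by excluding a user here and giving them a narrower copy."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": include_users, "excludeUsers": exclude_users},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": allowed_location_ids},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def travel_exception(baseline: dict, traveler_id: str, allowed_location_ids: list[str],
                     travel_location_id: str, return_date: str) -> tuple[dict, dict]:
    """Return (updated baseline, exception policy) for one traveling user: the baseline gains the
    traveler in excludeUsers, and the exception re-applies the same block to that user only, with
    the destination added to the allowed (excluded) locations. The return date goes in the name."""
    updated = json.loads(json.dumps(baseline))   # deep copy; the caller's object stays untouched
    excluded = updated["conditions"]["users"]["excludeUsers"]
    if traveler_id not in excluded:
        excluded.append(traveler_id)
    exception = block_outside_policy(
        name=f"{baseline['displayName']} - TRAVEL {traveler_id} until {return_date}",
        allowed_location_ids=allowed_location_ids + [travel_location_id],
        include_users=[traveler_id], exclude_users=[], report_only=False)
    return updated, exception


def would_block(policy: dict, user_id: str, location_id: str) -> bool:
    """Simplified evaluation of the policies built above: does this user at this named location
    hit the block? Any location id not listed in excludeLocations counts as 'anywhere else'."""
    users = policy["conditions"]["users"]
    in_scope = ("All" in users["includeUsers"] or user_id in users["includeUsers"]) \
        and user_id not in users.get("excludeUsers", [])
    loc = policy["conditions"]["locations"]
    at_blocked_location = "All" in loc["includeLocations"] and location_id not in loc["excludeLocations"]
    enforced = policy["state"] == "enabled"
    return in_scope and at_blocked_location and enforced and "block" in policy["grantControls"]["builtInControls"]


def graph_post(path: str, body: dict, token: str) -> dict:
    """POST a body to Graph (namedLocations or policies). Not exercised offline; token is an
    assumed bearer token carrying Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(f"{GRAPH}/{path}", data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs (assumptions); in practice each comes back as graph_post(...)["id"].
    ALLOWED, TRAVEL, BREAK_GLASS, TRAVELER = "loc-us-ca", "loc-uz", "user-breakglass", "user-jdoe"
    baseline = block_outside_policy("CA01 Block sign-in outside US/CA", [ALLOWED], ["All"],
                                    [BREAK_GLASS], report_only=False)
    baseline, exc = travel_exception(baseline, TRAVELER, [ALLOWED], TRAVEL, "2024-06-30")
    for who, where in [(TRAVELER, TRAVEL), (TRAVELER, "loc-other"),
                       ("user-other", TRAVEL), (BREAK_GLASS, "loc-other")]:
        blocked = any(would_block(p, who, where) for p in (baseline, exc))
        print(f"{who:16} from {where:10} -> {'BLOCK' if blocked else 'allow'}")
```

Two practitioner notes. Country named locations geolocate the sign-in IP, so a user on a corporate VPN or cloud proxy appears wherever that service exits, and addresses with no known geolocation count as outside the allowed set. Roll the baseline out with report_only=True and read the sign-in log before enforcing, keep the emergency-access account excluded, and on the return date delete the exception policy and take the traveler back out of the baseline’s excludeUsers.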

Why Your IT Team Needs to Know About Travel Plans

Notifying your IT team of your international travel plans will enable them to adjust the conditional access policy appropriately for your temporary change of location. Not only will this prevent headaches and ensure smooth operations for you while you’re traveling, but it will also improve your security.

This information about your whereabouts empowers your IT provider to properly:

  • Maintain security protocols during your absence
  • Adjust conditional access settings so that your sign-ins are permitted while unauthorized ones stay blocked
  • Proactively monitor and respond to suspicious activity

How to Notify Your IT Team

Before your trip abroad, give your IT team a call to let them know where and when you’re traveling. Once they verify your identity, they can adjust your policy temporarily to allow access from those locations should you need it.

If you’re a client of CIO Solutions, simply call into Support and let us know:

  • Where: the primary locations you’ll be traveling to
  • When: the dates you’ll be in those location(s) and when you’re returning

You can keep the “why” and “how” to yourself unless you really want to share the exciting trip you have coming up. Once we verify your identity, we’ll take it from there and you’re free to continue the rest of your trip preparations!

Adding this simple step of notifying your IT team when you’re going abroad means more security for your business and streamlined access for you. A win-win!


Are you a current client of CIO Solutions? Please feel free to reach out with any questions!

Not a client yet, but curious about maturing your IT solutions? Let’s talk!

Staying Frosty: How to Keep Calm and Stay Alert Against Spoofing and Phishing

By Micah Ulrick, vCIO

We’ve said it before, but I’ll say it again: cybersecurity is more critical than ever. As a vCIO, I advise my clients on cybersecurity daily. While ransomware, DoS (Denial of Service), and brute-force attacks are still very much with us, phishing and spoofing remain two of the most common and dangerous threats today, and in our experience they are the starting point of most compromises.

The problem is there’s no magic bullet that will 100% protect you from these attacks. So, understanding these threats and how to identify them can make all the difference in protecting both you and your organization from significant harm.

Every time you venture into your inbox or out onto the web, remember these tips to stay frosty (a.k.a. cool and alert) against the dangers of phishing and spoofing.

Understanding Spoofing & Phishing: What You Need to Know

Spoofing is when a threat actor masquerades as a trustworthy company or contact by faking their email, caller ID number, or website. Spoofing is effective because it manipulates your confidence in well-known companies or acquaintances and relies on the human habit of quickly scanning messages and missing signs that it’s a fake.

Spoofing is typically used in phishing, a technique used by cybercriminals to trick you into willingly handing over sensitive information, such as passwords, credit card and banking information, or personal and corporate data. These attacks often come in the form of emails or texts that appear to be from legitimate sources, such as banks, vendors, or even colleagues.

In simple terms: spoofing fakes “who” you’re talking to, and phishing is “how” they get you to take action. Like actual fishing, they’re trying to hook you with deceptive bait so they can reel you in.

How to Spot Spoofing and Phishing Red Flags

Identifying Spoofs

Email Spoofing

Signs of Spoof: Inconsistencies like slight misspellings in email addresses, domain names, and display names, or emails that come from a different domain name than usual.

  • Always scrutinize email addresses, domain names, and display names.
  • Talk to your IT provider about adding an “external” banner to flag emails coming from outside your organization to enhance awareness.

Caller ID and Text Spoofing

Signs of Spoof: Unexpected calls or texts from both familiar and unfamiliar numbers claiming to be someone you know. Scammers can manipulate caller ID information to make calls or texts appear as though they are coming from a trusted contact or organization.  

  • Look out for links in text messages (don’t click them) 
  • Be wary of abnormal requests. 
  • If you receive an unexpected call or text from a colleague, stop engaging and re-initiate contact in person or using a verified number or communication source you can trust.

Website Spoofing

Signs of Spoof: Spoofed websites may look identical to legitimate ones but have different URLs. A site that is missing “HTTPS” in the URL, or the padlock symbol in the browser’s address bar, is a warning sign. Be aware that the reverse isn’t true: certificates are free and easy to obtain, so many spoofed sites show a valid padlock too. The padlock only means the connection is encrypted, not that the site is who it claims to be.

  • Always double-check the URL spelling, paying most attention to the host name between “https://” and the next “/”. The site is identified by the end of that name, so “login.microsoft.com.attacker.example” belongs to attacker.example, not Microsoft.
  • Check the name for familiarity. For example, “https://your-company.com” versus “https://yourcompany.com”.
  • Look for HTTPS and the padlock symbol in the address bar. If these are missing it’s not a good sign, but their presence isn’t proof of legitimacy.

Avoid Falling for Phishing

  • Scrutinize Sender Addresses: Always check the sender’s email address. Phishing emails are often spoofed and come from legitimate-sounding addresses. Look for those slight alterations in the domain name, display name, and sender address. For instance, an email from “support@closolutions.com” instead of “support@ciosolutions.com”. Did you catch the difference at first glance? That’s how subtle they are. Look closely!
  • Beware Generic Greetings: Be cautious of emails with generic greetings like “Dear Customer” instead of your name. This is usually an indication that it’s a mass email blasted to many recipients and is a warning sign that something’s not right.
  • Resist Being Rushed: Look out for “account closure” notices, “unauthorized transaction” warnings, “password update needed”, or phrases like “Your account will be locked in 24 hours” or “Immediate action required”. Phishing emails often try to rush you into a mistake by creating a sense of urgency. Take a breath, and if you’re concerned, log into the questionable account as usual (not from any links in the email) to make sure everything is as it should be.
  • Note Unusual Requests: If an email is requesting information such as passwords, social security numbers, or credit card details via email, especially out of the blue, it’s likely a phishing attempt. Remember that legitimate organizations will never ask for sensitive information like this via email. Put your antennae up for these and note the strangeness of the request.
  • Don’t Click That Link or Attachment: Hover your cursor over the link text to see the actual embedded URL destination before clicking. Opening your email on a phone? Avoid the risk altogether and go directly to the website instead of clicking on a link. Phishing links often present themselves as one thing but really lead to malicious URLs. Similarly, be wary of attachments, especially if you weren’t expecting them. When in doubt: Don’t. Click.
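Here is an added example, not from the original article, of the kind of check a mail gateway or a triage script can run to catch the look-alike senders described above: the closolutions.com versus ciosolutions.com case, an internationalized (IDN) homograph of a trusted domain, and a trusted brand in the display name over an unrelated domain. The trusted-domain list and the sample addresses are constructed for the example, and the confusable-character map is deliberately small:

```python
"""Flag From: addresses whose domain imitates a trusted one (added example)."""
import unicodedata
from email.utils import parseaddr

# Constructed allowlist for the example; a real deployment loads the org's own domains.
TRUSTED_DOMAINS = {"ciosolutions.com", "microsoft.com"}

# Single characters attackers commonly swap for visually similar ones (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})
# Two-character sequences that read as one letter at a glance.
PAIR_SWAPS = [("rn", "m"), ("vv", "w")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete or substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Comparison form of a domain: lowercase, accents stripped, confusables collapsed."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(CONFUSABLES)
    for src, dst in PAIR_SWAPS:
        d = d.replace(src, dst)
    return d


def sender_domain(header_from: str) -> str:
    """Domain part of a From: header value such as 'CIO Support <support@example.com>'."""
    _, addr = parseaddr(header_from)
    return addr.rpartition("@")[2].strip().lower()


def assess_sender(header_from: str, max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, reason); verdict is one of trusted, lookalike, unknown."""
    display, _ = parseaddr(header_from)
    domain = sender_domain(header_from)
    if not domain:
        return "unknown", "no parseable address"
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{domain} is on the allowlist"
    # Non-ASCII domains become xn-- labels on the wire; note that for the reason text.
    try:
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return "lookalike", f"{domain!r} cannot be IDNA-encoded"
    is_idn = any(label.startswith("xn--") for label in ascii_form.split("."))
    folded = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        dist = levenshtein(folded, skeleton(trusted))
        if dist <= max_distance:
            how = "an IDN homograph of" if is_idn else f"within edit distance {dist} of"
            return "lookalike", f"{domain} is {how} {trusted}"
    # Brand name in the display name over an unrelated domain: the classic display-name spoof.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower():
            return "lookalike", f"display name mentions {brand!r} but the domain is {domain}"
    return "unknown", f"{domain} is not on the allowlist"


if __name__ == "__main__":
    for sample in ["CIO Support <support@ciosolutions.com>",
                   "CIO Support <support@closolutions.com>",
                   "Billing <billing@rnicrosoft.com>",
                   "Microsoft Account Team <alerts@somerandomhost.example>",
                   "IT Helpdesk <helpdesk@mail-delivery.example>"]:
        print(f"{assess_sender(sample)[0]:<9} {sample}  ({assess_sender(sample)[1]})")
```

The edit-distance threshold is relative to the whole domain, so keep it small (1 or 2) or very short trusted domains will over-match. In a gateway the “lookalike” verdict is a good trigger for the external-sender banner mentioned above plus a quarantine, while “unknown” just means the allowlist has nothing to say.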

Advanced Threats to Be Aware Of

Now that we’ve covered the basics of phishing and spoofing, there are several advanced threats that pose significant risks. Understanding these can further enhance your cybersecurity posture.

Whale-Phishing Attacks: Watch Out, C-Suite

Whale-phishing, or whaling, targets high-profile C-Suite individuals such as CEOs or CFOs. These attacks are highly personalized and sophisticated, aiming to steal sensitive corporate information or execute fraudulent transactions. Because the stakes are high, whaling emails often appear very legitimate: they may reference actual company projects or executives by name, or ask for a change in payroll accounts. Bad actors gather this detail from public sources and, often, by first compromising lower-level employees with the phishing and spoofing tactics above.

Spear-Phishing Attacks: We Know You. No Really.

Unlike regular phishing, which is sent to a broad audience, spear-phishing emails are targeted and customized to the recipient, making them harder to detect. Bad actors often use information gathered from social media (LinkedIn, Facebook, etc.) and other online sources to spoof effectively and build convincing requests. These typically flow from the top down. For example, a threat actor may gather information about a CEO and will impersonate them to request a wire transfer from someone on the Finance team at their company.

Man-in-the-Middle (MITM) Attacks: You’ve Got Company

In an MITM attack, a cybercriminal positions themselves between two parties so they can read and alter their communication, for example between an Accounts Receivable rep at one company and an Accounts Payable rep at another. Once in place, they “lie in wait” and eavesdrop to steal data, then inject themselves into the thread at the right moment to ask for a change in bank routing and account information or payroll details and divert the money.

In business email this is usually done by compromising someone’s mailbox (often called business email compromise), which lets the attacker read and send from a genuine account, so no spoofing is even needed. Unsecured Wi-Fi networks are the classic network-level version, letting an attacker intercept data between your device and the network; HTTPS and a VPN limit what they can read there, but neither helps against a compromised mailbox.

Remember These Best Practices

  • Be Skeptical: Always question unsolicited emails and calls. If something seems off, it probably is.
  • Slow Down: Don’t rush to respond, and don’t impulsively click on unknown links or attachments.
  • Keep Learning (and pass it on): Cybercriminals constantly evolve their strategies, so staying up-to-date and informed is crucial. Share this information with colleagues and loved ones to create a network of aware and cautious individuals.
  • Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it harder for attackers to gain access to your accounts. This typically involves a second form of verification in addition to your password, such as a code sent to your phone or an authenticator application. Enable this whenever possible!
  • Keep Software Updated: Regular updates patch known security vulnerabilities, making it harder for cybercriminals to exploit your systems. This includes operating systems, browsers, and any other software applications you use (even your phone and its apps).
  • Report Suspicious Activity: If you receive a suspicious email or call or think you may have clicked on a sketchy link, report it to your IT department or service provider. Prompt reporting can prevent widespread damage and help authorities track and stop cybercriminals.

It’s up to everyone to stay informed and vigilant. The most important things you can take with you when you venture online every day are patience and suspicion. Don’t be trigger-happy with your clicks and responses, and take the time to look at emails, texts, and websites a bit closer. Trust little and verify when possible.

Stay safe, stay aware, and stay frosty out there.

 

An Additional Note For Business Leaders:

With compromises on the rise, Cyber Liability Insurance has become an essential part of protecting your business in the event of an attack. All companies, big and small, can benefit from Cyber Liability Insurance and we highly recommend acquiring it.


Did you know that CIO Solutions offers automated phishing awareness training and simulated user phishing campaigns? Reach out to your vCIO or Customer Success Manager to learn more about including KnowBe4 in your monthly service agreement at no additional cost!

Not a client yet? Contact us today to talk through your options for enhancing your IT management and security.

Email Authentication Protocols to Protect Your Business

By Peter Summers, vCIO

Email is an essential tool for businesses and individuals alike, making it a prime target for cybercriminals. Protecting your business against email-based attacks goes beyond having the latest threat detection tools and educating your users not to click on suspicious links.

Here are a few more technical email security measures, including DKIM, DMARC, and SPF, that organizations need to implement to cover their foundational bases.

Email Authentication Protocols: DKIM, DMARC, and SPF

DKIM, or DomainKeys Identified Mail

This is a protocol that lets email recipients verify that a message was signed by a server authorized by the signing domain and that it hasn’t been tampered with or modified in transit. DKIM works by adding a digital signature to the header of an email message when it’s sent; the signature covers selected headers and the body. The receiving mail server then verifies that signature using a public key published in the DNS (Domain Name System) records for the signing domain, under a selector name carried in the signature. If the signature checks out, the signed parts of the message are unchanged and were signed with a key the domain owner published. On its own, DKIM doesn’t guarantee that the visible From address matches the signing domain; that alignment check is DMARC’s job.

SPF, or Sender Policy Framework

SPF is an email authentication protocol that enables domain owners to specify which mail servers (by IP address or hostname) are authorized to send email on their behalf.

For this protocol, the domain owner publishes the list of authorized senders in a TXT record in the DNS records for the domain. Receiving mail servers check the sending server’s IP address against that list. Note that the domain checked is the one in the message’s envelope sender (the Return-Path), not the From header the user sees, which is why SPF alone doesn’t stop a spoofed From address. The record is also limited to 10 DNS-querying mechanisms (such as include:); exceed that and the check fails with a permanent error.

DMARC, or Domain-Based Message Authentication, Reporting, and Conformance

This protocol builds on DKIM and SPF by providing a way for domain owners to declare their email authentication policies and receive reports on how their email is being handled by mail providers. A DMARC record tells receivers what to do with messages that fail (p=none to only monitor, p=quarantine to send them to spam, p=reject to refuse them) and requires that the domain which passed SPF or DKIM lines up with the From address the recipient sees. Giving domain owners this ability to keep an eye on their email traffic and detect unauthorized use of their domains can be incredibly useful for helping to prevent phishing and other kinds of email-based attacks.

A Dynamic Trio

DKIM, DMARC, and SPF work together behind the scenes to provide a more powerful defense against email-based attacks. Increasing the ability of email recipients to verify the authenticity of incoming email messages alone is a huge security improvement. Pair that with the ability for domain owners to specify the use of their domain name, monitor their email traffic, and detect and block unauthorized use of their domain name, and these protocols can help prevent phishing, spoofing, and other types of email fraud.
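As an added illustration (not part of the original post), the following script audits the three record types from their raw TXT values and reports the weak settings a vCIO would look for first: an SPF record that blows the lookup budget or ends in +all, a DMARC policy left at p=none or applied to only a fraction of mail, and a DKIM selector with a revoked, undersized or test-mode key. The sample records are constructed for the example and the DKIM key is a placeholder of the right length rather than a real public key; in practice the values come from TXT lookups of example.com, _dmarc.example.com and <selector>._domainkey.example.com:

```python
"""Audit SPF, DKIM and DMARC from their raw TXT record values (added example; no DNS calls)."""
import base64
import binascii

# Constructed sample records, shaped like the TXT values a resolver would return.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.example.net ip4:203.0.113.0/24 -all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"
# Placeholder bytes the size of a 2048-bit RSA SubjectPublicKeyInfo (294 bytes); not a real key.
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 294).decode()

# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Parse 'tag=value; tag=value' records (DMARC and DKIM) into a dict with lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record: str) -> list[str]:
    """Findings for an SPF record: lookup budget and the strength of the terminal 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    lookups = 0
    for term in terms[1:]:
        # strip the qualifier (+ - ~ ?) and any argument to get the bare mechanism name
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceeds the limit of 10 (evaluates to permerror)")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: ends with +all, which authorizes every sender on the internet")
    elif last == "?all":
        findings.append("SPF: ends with ?all (neutral), so unlisted senders are not penalized")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("SPF: no terminating all term; unlisted senders default to neutral")
    return findings


def audit_dmarc(record: str) -> list[str]:
    """Findings for a DMARC record: policy strength, coverage and reporting."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings


def audit_dkim(record: str) -> list[str]:
    """Findings for a DKIM selector record: key present, decodable, not undersized, not in test mode."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":      # v= is optional, but must be DKIM1 if present
        findings.append("DKIM: v tag present but not DKIM1")
    if "p" not in tags:
        return findings + ["DKIM: no p= tag, so there is no public key to verify with"]
    if tags["p"] == "":
        return findings + ["DKIM: empty p= means the key is revoked"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return findings + ["DKIM: p= is not valid base64"]
    # Size heuristic: a 2048-bit RSA SubjectPublicKeyInfo is 294 DER bytes, a 1024-bit one 162.
    if tags.get("k", "rsa").lower() == "rsa" and len(der) < 270:
        findings.append(f"DKIM: RSA key is about {len(der)} DER bytes, i.e. shorter than 2048 bits")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("DKIM: t=y flags the domain as testing, so verifiers may discount failures")
    return findings


def audit_domain(spf: str, dmarc: str, dkim: str) -> dict:
    """Run all three audits; an empty list for a record means nothing was flagged."""
    return {"spf": audit_spf(spf), "dmarc": audit_dmarc(dmarc), "dkim": audit_dkim(dkim)}


if __name__ == "__main__":
    for record, findings in audit_domain(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_DKIM).items():
        print(record.upper(), "->", findings or "ok")
```

On the sample records the only finding is the DMARC p=none, which is exactly the state many domains sit in for years: reports arrive, but a spoofed message that fails both checks is still delivered. Moving to p=quarantine and then p=reject, once the aggregate reports show all legitimate senders passing, is what turns the trio into an enforcement control.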

These protocols are more on the complex technical side, and they require careful planning and configuration. Be sure to work with experienced email security experts to set them up correctly and get your organization more protected against email-based security threats.


Already a client of CIO Solutions? Reach out to your vCIO to discuss DKIM, DMARC, and SPF and where it fits in your email security plan!

Not a client yet, but curious about learning how to boost your organization’s security posture? Let’s talk about your options!

A Hands-On Deep Dive Into CrowdStrike Identity Protection

By Eric Egolf, CEO

As system administrators navigating the intricate web of cybersecurity solutions, we often uncover hidden gems that revolutionize our approach to managing digital security. One such treasure within the CrowdStrike suite is the Identity Protection Module (IDP).

As we began exploring this module, we recognized the possibilities it offered, but finding detailed guidance was a challenge. That’s why we created this “CrowdStrike Identity Protection Overview” for other system administrators seeking insights. Our aim? To offer a guide, complete with step-by-step screenshots and real-life examples showcasing how this tool transformed our daily workflows.

Throughout this overview, we’ll weave through practical scenarios, complemented by illustrative screenshots, showing how seamlessly the IDP module integrates into everyday administrative duties. By recounting our experiences and tangible gains, our goal is to demystify this tool and reveal its true potential, equipping fellow administrators with a thorough grasp of its capabilities.

An Administrator’s Need for CrowdStrike IDP

As system admins ourselves, we understand the quest for tools that promise value and truly deliver it consistently amid the daily grind of managing systems. The IDP module is often overlooked but holds incredible power. The implementation of this module into our suite of services has transformed our workflows, mitigated risks, and augmented our ability to maintain a secure digital environment for ourselves and our clients in this ever-evolving security landscape. It has provided proactive detection capabilities beyond what even the EDR platform can provide. As we move further into access being controlled by user identities, this tool will only become more essential.

Exploring CrowdStrike IDP Features: A Closer Look

Let’s dive right into it.

You’ll find the Identity Protection tab beneath the Endpoint Security tab in the CrowdStrike Falcon portal.

Domain Security Tab AKA “Risks”

The next part of the portal is what I call “the risks” section. It is referred to as the Monitor section. The first link in this section is to your “Domain Security Overview”.

This area is where you’ll find highlights of all the currently flagged risks. As you expand each risk, you will see an option to “show related entities”. Clicking on this will provide a full list of all the objects with that particular risk.

Compromised Passwords

In the example below, we have a list of compromised passwords, or what I refer to as “solved passwords”. These are users whose password hashes match entries in publicly circulating lists of breached and previously cracked passwords. They pose a risk because an attacker who obtains the hash can recover the password instantly, and the passwords themselves are prime candidates for password-spraying and credential-stuffing attempts.

The domain security overview, or risk section, shows you things (presumably) under your control that you can configure (change password, change GPO settings, change machine settings, etc.) to reduce your attack surface.

Privileged Accounts

The next link is super cool and shows you all the risks for Privileged accounts. Obviously, these represent a greater risk than other accounts because they have some level of administrative privileges in your environment.

One of the awesome capabilities this tool allows you is the ability to identify privileged accounts with “stealthy privileges”. That includes stale accounts, ones with compromised passwords, etc.

One cool thing I wasn’t aware of until we dove deeper was the honeytoken concept. This involves creating a deceptive account designed to lure potential attackers, labeling it as a “honeytoken account”. If it is ever accessed, it triggers an alert, so you know that you have a potential compromise on your hands.

CrowdStrike IDP provides this same view for all users, with ways to customize the widgets. It makes it easy to look at top user account lockouts, password changes, top password failures, and more; all with the same cool widget summarization seen above. It also offers links for risk analysis and event analysis (we don’t use these much ourselves, but they are powerful when needed).

Identity-Based Incidents Tab AKA “Detections”

Moving on from the risk section, we delve into the concept of detections. In CrowdStrike IDP this is called the Identity-Based Incidents tab. In the screenshot below you can see 3 detections (with names redacted).

Clicking on each gives you the expanded details (see below).

This gives us a summary of the accounts involved in the identity-based incident. In this case, it lets me know that a single account was involved and the alert was triggered because it logged into multiple servers.

Threat Hunter

From there, I can move to the Threat Hunter section, prefiltered with this user (see below). In this example, we can see all the systems this user accessed and with which protocols. This gives us a more complete picture and helps us determine if further investigation is necessary.

The Threat Hunter is, in my experience, the best tool for quickly looking through authentication logs. This allows you to quickly filter based on event types, identities, source, and destination endpoints. A highlight here is that the event types are nicely enumerated for you. This means you don’t have to spend time trying to translate Windows event IDs. Everything is spelled out neatly in the search itself making it far more convenient than sifting through Windows event logs or creating custom parsers.

This tool simplifies understanding authentication and timelines, offering straightforward and intuitive filters that streamline the process significantly.

“Enforce” Module

CrowdStrike IDP features an enforce module, and although we’re still exploring its capabilities, the most impactful use case we’ve witnessed involves implementing MFA enforcement for all privileged accounts using the RDP protocol. Anyone in the system admin space knows how hard this normally is.

With CrowdStrike IDP, it’s as straightforward as crafting a policy and ensuring the machines have the standard Falcon agent installed. Just like that, you can enable RDP MFA (using options like Microsoft Authenticator or any number of the other authenticators provided by CrowdStrike IDP) for all privileged accounts.

Programmatic Accounts

Additionally, you can block RDP access for all “programmatic accounts”, a concept tracked within CS IDP.

Hackers often exploit credentials from service accounts (known as “Programmatic Accounts” in CS IDP) which makes it amazingly powerful to have policies that prevent these accounts from using RDP with a simple, singular policy enforcement definition.

Regarding programmatic or service accounts, another noteworthy feature is the account profiling tool. For example, a service account usually runs on a single machine or has a very specific use pattern. Once that is profiled (after 60 days), if CrowdStrike detects a login to a system outside of this established profile, it triggers an alert. This gives you a new layer of detection capabilities that EDR and other systems would miss.

The ability of CS IDP to profile the login patterns of every account (including stale accounts) and alert you to anomalies in their usage relative to the normal pattern is extremely powerful.

Connectors

Finally, we have the connectors. In the example below, there’s a connector to Azure AD which is another identity provider outside of AD. CrowdStrike IDP pulls in this other Identity Provider data, giving you detections on this dataset just like the normal Active Directory detections discussed above. Setting this up is straightforward—simply create an enterprise app in Azure AD and connect it.

Currently, at the time of this writing, it can use Azure AD and Okta as external identity providers for monitoring and detection purposes.

In Conclusion: CrowdStrike IDP is Powerful

The key takeaway here is that CrowdStrike IDP stands as an extremely powerful tool. Hopefully, this brief dive into some of the uses and settings gives you the confidence to try enabling it and exploring the functionality in your CrowdStrike Portal. We believe it’s one of the best security investments you can make!

Enhancing Cybersecurity with CrowdStrike Identity Protection

By Eric Egolf, CEO

In the realm of cybersecurity, staying ahead of threats is crucial. Organizations require comprehensive solutions that not only detect but also preemptively prevent potential breaches. CrowdStrike, recognized for its top-tier Endpoint Detection and Response (EDR), goes above and beyond by offering additional value-added modules. Among these is the CrowdStrike Identity Protection Module which stands out as a game-changer in the evolving landscape of digital risks.

Unveiling the Power of CrowdStrike Identity Protection

The allure of CrowdStrike isn’t merely its best-in-class EDR; it’s the supplementary capabilities like the Identity Protection Module that truly elevate its effect. This module is a force multiplier, offering functionalities akin to a Security Information and Event Management (SIEM) system at a fraction of the cost, especially when integrated with sources like Active Directory (AD).

Exposing Hidden Threats through Identity

This module broadens an organization’s detection capabilities, unveiling identity-related risks and abuse that traditional EDR systems overlook. For instance, it can identify anomalies like simultaneous logins from multiple locations using the same user account, a telltale indication of a high-security risk. With over 80 other detection capabilities, it ensures comprehensive coverage of identity-related threats.

Seamless Integration and Enhanced Visibility

CrowdStrike’s Identity Protection Module seamlessly integrates with common identity sources such as Azure AD and Active Directory, boosting detection capabilities and giving enhanced visibility into user account activity. This integration enables rapid identification of the accounts and systems involved once a detection fires.

Leveraging Machine Learning for Proactive Defense

Another standout feature is the profiling function—facilitated by cutting-edge machine learning technology. Over a 60-day period, the module constructs user behavior profiles and promptly alerts administrators when any deviations are detected. This proactive approach enables swift response to potential breaches or unauthorized activities.

Combatting Dormant Threats and Unforeseen Usage

Additionally, the module can flag dormant or ‘stale’ accounts, like legacy service accounts, that suddenly attempt to log in. This is invaluable. Being alerted to these types of potential risks ensures your organization can take a proactive stance against unauthorized access attempts.

Empowering IT Departments with Cost-Effective Defense

CrowdStrike’s Identity Protection Module is more than a supplement to a powerful cybersecurity tool; it’s a necessity. It equips IT departments with an additional layer of detection and prevention capabilities, previously unattainable without traditional, more expensive SIEM solutions. Building on the CrowdStrike EDR platform, the Identity Protection module’s robust design, powerful features, and cost-effectiveness make it an indispensable choice for any organization seeking comprehensive cybersecurity solutions.

Strengthening Cyber Defenses with CrowdStrike Identity Protection

In the ongoing battle against cyber threats, CrowdStrike’s Identity Protection Module emerges as a force multiplier, empowering organizations to fortify their defenses, mitigate risks, and safeguard their digital landscapes efficiently and economically.


Are you a current client of CIO Solutions? Talk to your vCIO to continue the conversation!

Not a client yet, but wondering how to improve your business’s cybersecurity? Let’s talk!

Safeguarding Your Business Beyond Device Security: The Rising Importance of Identity Protection

By Eric Egolf, CEO

In today’s digital landscape, IT security is a hot topic of discussion, and for good reason. Security is a constantly changing and complex field, and while the message may seem repetitive, as we rely on technology and digital interactions for more of our core business operations, companies have more to lose when their security posture is lacking. Staying ahead of the curve and paying attention to emerging trends in IT security is now vital to keeping your business safe.

In terms of priorities, securing individual endpoints (computers, laptops, servers, etc.) should be the initial step. If your organization hasn’t addressed this yet, that should be first and foremost. If you have this covered (maybe you have already implemented a solution such as CrowdStrike EDR), we can start to look ahead toward the next important concept on the rise: securing corporate user identities.  

User Identity- Who’s Who & What They Can Access 

A “user identity” is the digital version of who you are online. It includes things like your credentials (username and password), and other personal information that you use to access and control what you do on different websites and systems.

For our purposes, we will focus specifically on the corporate user identity (the usernames and passwords used to access your corporate data and applications) and how to secure it. Note that this does not include consumer user identity i.e., the credentials that employees use for personal online activity. 

Devastating credential abuse happens every day when a user’s credentials are stolen and the devices they unlock have no security software. If your endpoints have strong prevention, detection, and response capabilities, the impact of a stolen credential won’t be as disastrous as it would be on endpoints that aren’t secured.

But considering how much power is associated with corporate user identities, it only makes sense that now, in addition to securing the endpoints, the next important security technology on the rise is identity protection- securing and detecting anomalies in the user identities accessing your business’s data.   

In the coming years, we see Identity Protection tools becoming equally as important as Endpoint Protection ones.  

On The Rise: Identity Protection Solutions 

Identity protection needs to be considered separately from securing a workstation. Endpoint security is done via software that is installed on the individual device or workstation (such as antivirus (AV) and Endpoint Detection Response (EDR) solutions).  

User Identity, on the other hand, is secured by monitoring databases of the corporate identities that access your business data. Identity Protection solutions catch risks in configuration and detect anomalies in credential usage.  

Some examples include: 

  • Someone logging in with a stale user account (a user account that hasn't been used in 90 days). 
  • Using a user account from a machine that doesn't normally use it, which differs from the baseline behavior.
  • Using an account from two geographically distant locations, such as Northern and Southern California, in the same hour.  
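As an added example (not CIO Solutions' or CrowdStrike's code), the three anomalies in the list above can be written as rules over sign-in records. The 90-day stale threshold comes from the list; the users, hosts, coordinates, the 900 km/h "impossible travel" speed limit and the 100 km minimum distance are constructed assumptions for this example.

```python
"""Toy identity-protection rules over sign-in events (added example).

Not CIO Solutions' or CrowdStrike's code. The three rules mirror the list
above: stale account (90 days, from the text), sign-in from a host outside
the account's baseline, and impossible travel between two sign-ins.
Users, hosts, coordinates and the speed/distance thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

STALE_DAYS = 90          # threshold named on the page
MAX_SPEED_KMH = 900.0    # assumption: faster than an airliner means impossible travel
MIN_DISTANCE_KM = 100.0  # assumption: ignore small jumps caused by geolocation noise


@dataclass
class SignIn:
    user: str
    host: str
    lat: float
    lon: float
    ts: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_anomalies(events, baseline_hosts, last_seen):
    """Return (user, rule, detail) tuples.

    events:         list of SignIn (any order)
    baseline_hosts: {user: set of hosts seen in the learning period}
    last_seen:      {user: datetime of the last successful sign-in before this
                    batch}; updated in place as events are processed
    """
    findings = []
    previous = {}                     # user -> most recent SignIn in this batch
    for e in sorted(events, key=lambda s: s.ts):
        seen = last_seen.get(e.user)
        # Rule 1: an account dormant longer than STALE_DAYS is suddenly used
        if seen is not None and e.ts - seen > timedelta(days=STALE_DAYS):
            findings.append((e.user, "stale_account", f"dormant {(e.ts - seen).days} days"))
        last_seen[e.user] = e.ts
        # Rule 2: host never seen for this account in the baseline period
        if e.host not in baseline_hosts.get(e.user, set()):
            findings.append((e.user, "new_host", e.host))
        # Rule 3: two sign-ins too far apart for the time elapsed between them
        p = previous.get(e.user)
        if p is not None:
            dist = haversine_km(p.lat, p.lon, e.lat, e.lon)
            hours = max((e.ts - p.ts).total_seconds() / 3600.0, 1.0 / 3600.0)
            if dist > MIN_DISTANCE_KM and dist / hours > MAX_SPEED_KMH:
                findings.append((e.user, "impossible_travel",
                                 f"{dist:.0f} km in {hours * 60:.0f} min"))
        previous[e.user] = e
    return findings


def run_demo():
    """Constructed sample batch: one trigger per rule plus a clean user."""
    t0 = datetime(2024, 3, 4, 9, 0)
    baseline = {"alice": {"alice-laptop"}, "bob": {"bob-desktop"},
                "carol": {"carol-laptop"}, "dave": {"dave-laptop"}}
    last_seen = {"alice": t0 - timedelta(days=1), "bob": t0 - timedelta(days=2),
                 "carol": t0 - timedelta(days=120), "dave": t0 - timedelta(days=3)}
    events = [
        SignIn("alice", "alice-laptop", 36.74, -119.79, t0),                          # Fresno
        SignIn("alice", "alice-laptop", 32.72, -117.16, t0 + timedelta(minutes=15)),  # San Diego
        SignIn("bob", "kiosk-07", 36.74, -119.79, t0 + timedelta(minutes=5)),
        SignIn("carol", "carol-laptop", 36.74, -119.79, t0 + timedelta(minutes=8)),
        SignIn("dave", "dave-laptop", 36.74, -119.79, t0 + timedelta(minutes=9)),
    ]
    return find_anomalies(events, baseline, last_seen)


if __name__ == "__main__":
    for user, rule, detail in run_demo():
        print(f"{user:6} {rule:18} {detail}")
```

Running it reports alice for impossible travel (roughly 500 km in 15 minutes), bob for a host outside his baseline, and carol for a 120-day-dormant account, while dave produces nothing. A real identity-protection product learns the baseline and thresholds from history rather than hard-coding them, but the rule shapes are the same.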

Identity Protection tools are an emerging technology that show incredible potential for increasing a business’s ability to detect and prevent user identity (specifically credential) abuse that they would have otherwise been blind to. 

At CIO Solutions, we offer CrowdStrike’s best-of-breed solutions including EDR and CrowdStrike’s latest module: Identity Protection. These solutions combine the power of modern Artificial Intelligence, a flexible cloud-native design, and now the power of Identity Protection logs to increase your organization’s security capabilities. 


Are you a current client of CIO Solutions? Talk to your vCIO to continue the conversation!

Not a client yet, but wondering how to improve your IT security? Let’s talk!

Neglecting MFA: The Scary Reality of Your Business Risk

IT security is more important than ever. Cyber-attacks and data breaches are a daily occurrence, they just don’t all make headlines. Businesses that fail to take proactive security measures put not only themselves at risk, but their customers too.

One of today’s foundational security measures is multi-factor authentication (MFA). But here’s the scary part: many businesses still aren’t using MFA, which means they’re at risk of some serious consequences.


MFA Explained 

MFA is a security feature that requires users to provide a combination of two or more authentication factors to gain access to a system or application. This is typically something the user knows (like a password) and something the user has (like a phone or security token). These are used to verify the user’s identity. Unlike solely relying on a password for access, requiring more than one authentication method adds an extra layer of security. If the user’s password is stolen, the second authentication factor helps to prevent unauthorized access to sensitive information and systems.  

Business Consequences of Not Implementing MFA 

MFA is a relatively simple solution that can significantly increase your preventative security posture. In today’s world, it’s only a matter of time before a user’s credentials are compromised. Without a second verification method, that’s all it takes for a bad actor to get into your systems. The fallout of that can be severe.

Here are some examples of what can happen if your business doesn’t use MFA on critical business applications: 

  1. Data Breaches

    Without MFA, hackers can easily gain access to business accounts or systems by stealing or guessing a user’s password. No one’s password policy is good enough to prevent this. Once inside, your sensitive data including customer information, intellectual property, and financial records are at risk. 

  2. Financial Losses

    Along the same lines, without MFA, stolen credentials can give bad actors all the access they need to transfer funds, make unauthorized purchases, or steal sensitive financial information. This can result in significant financial losses, legal fees, and regulatory fines. 

  3. Reputational Damage

    A breach can damage a business’s reputation quickly which is difficult to recover from. Customers may lose trust in your business and look elsewhere. Depending on the severity of the breach, it can cause prospects to think twice about choosing your company. Reputations take a long time to build, can be damaged in an instant, and may take years to recover. 

  4. Compliance Violations

    If your business has cyber-liability insurance (something all businesses should have these days), MFA is a requirement. Failing to adhere to this could risk your insurance coverage. Additionally, many industries, such as healthcare and finance, are subject to strict compliance regulations that require the use of MFA. Failing to comply with these regulations can result in legal penalties, fines, and even license revocation.

  5. Operational Disruption

    The day-to-day impact of a breach resulting from the failure to implement MFA can be damaging on its own. Bad actors who gain access to your business systems can disrupt your operations or even shut down your systems. This results in downtime, lost productivity, lost revenue, and negative customer experiences.

The scary truth is businesses that avoid implementing multi-factor authentication (MFA) put themselves at significant risk for avoidable incidents. Cybercriminals are always looking for easy targets, and the absence of MFA makes your business just that. 

It’s true that implementing MFA won’t solve all security problems; it’s just one part of a robust security posture. But failing to take this foundational prevention step can lead to catastrophic events. The consequences for your business can range from uncomfortable to completely disastrous. 

It’s crucial that businesses take proactive measures to protect themselves and their customers. Implementing MFA on your key business applications is a simple yet effective way to increase security and mitigate risks. As the old saying goes, “an ounce of prevention is worth a pound of cure.”



Email Safety | 5 Ways to Spot a “Phishy” Email

Quick Tips & Best Practices

We rely on email for many functions of business today. This makes it an excellent tool for bad actors to exploit. Email is one of the quickest and easiest opportunities threat actors have at their disposal.

Threat actors have gotten good at using our busy days and frequent use of email to trick users into providing information, making mistakes, or taking actions. That may look like tricking an Accounts Payable employee into wiring payments to a different account number or getting a user to enter login credentials by pretending to be a well-known company and sending a fake “response required”, “unusual activity”, or “update account details” email.

In the busy day-to-day, here are a couple of tips to keep in mind for practicing email safety both in your work and personal life so you don’t fall victim to these manipulation tactics.

5 Signs an Email Is Suspicious

Bad actors find success when their targets are busy, hurried, and accept things at face value. When you get a suspicious email, PAUSE and check to see if any of these signs are present:

  • P – Passwords or sensitive info requested: Pay attention to what the email is asking you to provide (passwords, social security numbers, account information, credit card info, etc.). This information shouldn't be shared via email.
  • A – Attachments you weren't expecting: Don't trust attachments you didn't ask for, and avoid opening invoices, Word docs, and any other attachments that you didn't request or weren't expecting.
  • U – Urgency or intensity in the tone: Notice the tone. Is the sender requesting secrecy, stating something is past due or urgent, and generally trying to make you react quickly?
  • S – Sender name & domain don't match: Check whether the sender's display name and email address don't match (the name shows as John Smith, but the email is ra4azeu526@gmail.com) or whether the email address domain is unfamiliar (usually from @company.com, but this email is coming from @business.com).
  • E – Errors in spelling & grammar: Pay attention to spelling and grammar mistakes, particularly from reputable, large companies.

Best practices if you think an email is suspicious:

  • HOVER, don’t click
    • Don’t blindly trust the display text, use your cursor to hover over links. This will display what the embedded link address is and give you more information. When in doubt, don’t click.
  • DELETE, don’t engage
    • Err on the side of caution and delete the email from your inbox rather than unsubscribing or engaging with it at all.
  • VERIFY, use a different method of communication to verify the source
    • Don’t respond to the email. Call, text, or chat with colleagues/vendors/executives to verify that email requests are from them.
  • LEAVE, go directly to vendor websites instead of through the email
    • Open your browser and go directly to the company’s website to log in to any accounts, change passwords, etc. Don’t go from any links in the email to reset passwords.
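As an added example (not CIO Solutions' code), the sender, urgency and attachment signs from the PAUSE list and the "hover, don't click" check above can be expressed as a few heuristics run over one e-mail. The message, its addresses and the reserved .example domains are constructed placeholders, and the urgency word list is an assumption of this example.

```python
"""Checks for the PAUSE signs and the hover advice above (added example).

Not CIO Solutions' code. Four heuristics run over one constructed message:
S (display name is an address that differs from the real sender; unfamiliar
sending domain), U (urgency words), A (attachment present) and the hover
check (visible link text names one host, the href points to another).
All addresses and domains are made-up placeholders.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "past due", "suspended", "within 24 hours")

# Constructed sample: "the bank" writes from an unrelated mailbox, pushes urgency,
# shows a bank URL as link text that really points elsewhere, and adds a macro doc.
SAMPLE = b"""From: "accounts@examplebank.example" <ra4azeu526@mail-host.example>
To: jane@company.example
Subject: URGENT: unusual activity on your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Verify immediately:</p>
<a href="http://examplebank.login-verify.example/reset">https://www.examplebank.example/login</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice_4471.docm"

AAAA
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased (what hovering would reveal)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw: bytes, expected_domains) -> list:
    """Return (rule, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    name = sender.display_name if sender else ""
    addr = sender.addr_spec if sender else ""
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # S: the display name is itself an address, but not the one the mail came from
    if "@" in name and name.lower() != addr.lower():
        findings.append(("sender_mismatch", f"shows {name}, sent from {addr}"))
    if domain and domain not in {d.lower() for d in expected_domains}:
        findings.append(("unfamiliar_domain", domain))
    text, html = "", ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append(("attachment", part.get_filename() or "(unnamed)"))  # A
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    # U: urgency or pressure anywhere in subject or body
    haystack = " ".join([str(msg.get("Subject", "")), text, html]).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    # HOVER: visible link text names one host while the href goes to another
    collector = LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        if "." in shown and " " not in shown and host_of(shown) != host_of(href):
            findings.append(("link_mismatch", f"shows {shown}, goes to {href}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE, {"company.example", "examplebank.example"}):
        print(f"{rule:18} {detail}")
```

The `expected_domains` set stands in for the domains a user normally corresponds with; in a mail gateway it would be learned from history or configured per organization. The link check is exactly what hovering shows a human: the text says one place, the destination is another.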

When it comes to email safety, be extremely skeptical.

This is an area in which it’s good to be hesitant, exercise extreme caution, and be wary. Email is quick and convenient, but now more than ever it’s important to slow down, stay vigilant, verify often, and change up communication methods.  

 



Reframing Your Approach to IT Security Decisions

By Sean Gill, vCIO 

The IT security landscape has continued to shift rapidly over the past couple of years. Threat actors leverage creative social engineering techniques, phishing and spoofing threats are continuously rising, zero-day vulnerabilities are exploited, and ransomware is at large. Businesses are more reliant on technology than ever before, and the industry continues to move toward SaaS (software as a service) solutions like Microsoft 365, shifting company data online and increasing the importance of adopting security best practices.

With rising threats and more at risk reputationally, financially, and operationally, it’s important that businesses adapt the way they think about security to meet these changing times. Taking an attitude of “if it ain’t broke, don’t fix it” or choosing to delay making changes “until it becomes a problem” can be devastating to a business.

Unfortunately, many companies still think that IT security breaches are a problem that only hits those unlucky few. But the reality is, the frequency and variety of threats turn the unlucky "few" into the unlucky "many". Everyone knows a business that has experienced a compromise. We want to help you avoid becoming one of them.

Modernizing how we think about security 

Business owners and decision-makers now find themselves more involved in the nuances of IT security decisions in ways that they didn’t used to be. If this is true for your business, you’ll know that one of the frustrating challenges is figuring out how to keep up with security and associated IT jargon, especially when your core focus is, appropriately, on running the business and servicing your clients.

As the nature of threats and risks to businesses continues to change, how you think about security should as well. In this article, we will give you a simple framework that aims to help you conceptualize IT security and serve as an outline for making decisions.

IT Security Framework: Prevention, Detection, Response 

There are three key pillars to a thorough IT security framework: Prevention, Detection, and Response. Keeping these in mind when assessing IT security strategy can help ensure that in the budgeting and planning process, your organization doesn’t overload on one area and neglect another.

Prevention Pillar 

Historically, this category is where IT security spending primarily occurred. These solutions were the first (and often primary) line of security against threats. It is still an important focus, but no longer to the exclusion of the others.

Think of your business like a house. This would be like ensuring your locks work and installing a strong gate. These tools are there to prevent a break-in.

Technologies and practices that fall under this pillar of “Prevention” include: 

  • Firewalls – Perimeter security that blocks access to internal networks 
  • Antivirus – Software that recognizes and stops malware and viruses before they take hold and spread 
  • Password Policies – The practices of changing passwords frequently to prevent lost or stolen passwords from being used to access corporate resources 

All these are examples of Prevention security and are still valid and necessary today. But now, in addition to these, it’s important to consider additional ways of preventing malicious actors from getting in and gaining a foothold. Multi-factor authentication (MFA) and leveraging Artificial Intelligence (via Endpoint Detection and Response or EDR) are among the new technologies to improve the stack.

Multi-factor authentication is an essential component in your security foundation, and for good reason. As the name suggests, MFA requires a user to authenticate themselves more than once when trying to access company resources like your Microsoft 365 ecosystem. In contrast to simply providing a password (which could be compromised) to log in, MFA also requires that the user supply more verification in the form of something they know, something they have, and, in some cases, something they are.  

In practice this is some combination of a traditional username and password (something known), a digital token or code sent to a user's mobile phone (something they have), and, since most mobile phones now incorporate some form of biometrics such as a fingerprint reader or facial recognition, a biometric check (something they are). 
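The "something they have" code described above, and in the "MFA Explained" section earlier on this page, is usually a time-based one-time password (TOTP). The following is an added example, not CIO Solutions' code, of how the server side verifies such a code: HMAC-SHA1 over a time counter as in RFC 4226/6238, a one-step tolerance for clock skew, and a record of accepted counters so a code that was phished or seen over a shoulder cannot be replayed. The secret is the RFC test-vector secret, not a real key; the window and replay set are design choices of this example.

```python
"""RFC 6238 TOTP verification, the "something you have" factor (added example).

Not CIO Solutions' code. hotp/totp follow RFC 4226 / RFC 6238 with HMAC-SHA1,
30-second steps and 6 digits, which is what common authenticator apps use.
The secret below is the RFC test-vector secret, not a real one; the replay
set and the +/-1 step window are design choices of this example.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
                 | mac[offset + 2] << 8 | mac[offset + 3])
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, now: float, used_counters: set,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept a code for the current step or its neighbours (clock skew),
    compare in constant time, and refuse a counter that was already accepted
    so a captured code cannot be replayed inside its validity window."""
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if c in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            used_counters.add(c)
            return True
    return False


RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret, not a real key


if __name__ == "__main__":
    used = set()
    code = totp(RFC_SECRET, time.time())
    print("current code:", code)
    print("first use accepted:", verify_totp(RFC_SECRET, code, time.time(), used))
    print("replay accepted:", verify_totp(RFC_SECRET, code, time.time(), used))
```

Two points matter for defenders: the comparison is constant-time, and a code is good once. The first prevents timing leaks; the second is why an attacker who tricks a user into reading out a code still has only a 30-second, single-use window, which is also why push-based or FIDO2 factors are preferred where phishing of codes is a concern.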

If your business requires users to utilize MFA for access, hackers will be prevented from accessing systems even if they come to possess a user’s password. This tool has given businesses of all sizes an additional layer of prevention capabilities in today’s landscape and has shifted from being nice to have, to a security standard across the industry.

Likewise, the use of Artificial Intelligence via Endpoint Detection and Response (EDR) has revolutionized traditional antivirus software. Traditionally, antivirus solutions were binary and merely reported on whether malware was or was not present – usually based on a set of definitions or some light heuristics. EDR moves beyond that. Instead of simply preventing known malware and viruses, in an EDR system, the antivirus feeds into and informs a more sophisticated detection and response platform. The use of Endpoint Detection and Response is continuing to become a requirement. In fact, most insurance companies require an EDR solution to purchase a cybersecurity insurance policy.

Detection Pillar

While everyone hopes that their Prevention stack is sufficient to keep out all the bad guys, the threat landscape has evolved to the point where this is simply no longer the case. Even with a good prevention stack, bad actors still find creative new ways in and will spend time in your environment observing patterns and trends, waiting for the right moment to make a move: exfiltration of data, ransomware, or account takeovers. The period between the initial intrusion and that move is known as "dwell time". Because of this, the Detection Pillar of the security framework is arguably the next most important.

A traditional antivirus solution won't tell you whether a system remains compromised after the initial intrusion. If the bad actor is leaving traces of activity, that trail will not be easy to find without a detection tool like EDR.

EDR keeps track of everything that has happened, from how a bad actor got in, to which systems or files were accessed, to newly spawned processes. This log of events is referred to as the "kill chain." The kill chain provides an in-depth understanding of exactly which processes ran or files were touched. This ability to detect and understand all activities, in turn, allows for more certainty when remediating any exploit. From this information, it's possible to determine whether a threat has been fully cleansed, and it shows exactly which systems should be reviewed for compromise.

Let’s go back to the analogy of your business as a home. Advanced detection tools like EDR are like installing a security camera system. You can detect suspicious activity early, be alerted to it, and if there is a break-in, have clear records of what occurred. 

Response Pillar 

Responding appropriately to any given event is essential; this applies to all areas of life, including our IT Security Framework. This pillar includes the tools and resources you would employ should a breach occur. The response can range from small (a plan for cleaning out all traces of a malicious actor) to large (hiring a forensics team, communicating with clients, and filing an insurance claim).

An effective Response Pillar includes creating playbooks for how to respond in different scenarios. Does your Security team or IT Steering Committee need to meet? Are there any reporting requirements for clients? Does a Cybersecurity insurance claim need to be opened? Do Business Continuity or Disaster Recovery plans need to be implemented? These reactions can, and should, be thought about before they are needed. Table-top exercises with the Executive Team can be a great way to brainstorm about various scenarios and how the organization should act if they were to arise.

To continue the home security analogy, our locks and gate (Antivirus and MFA) attempted to prevent the break-in. But when that didn’t deter the invader, our security system detected that something was wrong, and the camera (EDR) recorded everything. After reviewing the footage (EDR data) and assessing what happened (was anything taken, was anyone hurt, is the intruder still there?), we can respond and take appropriate action.

Was the alarm triggered by suspicious activity (antivirus quarantined a malicious file) and no actual break-in occurred? Or was the incident serious (a Zero-Day exploit that allowed bad actors inside the network) and do we need to call for help? 

We can see how the previous pillars of the security framework support our abilities in the Response Pillar, particularly the detection tools: without EDR data, analyzing risk and deciding on appropriate action becomes very difficult. Without this kind of clear insight, the organization may take actions disproportionate to what is needed, either by overreacting and spending unnecessary time and resources or by underreacting and opening themselves up to more risk.

IT Planning 

We all know that protecting our companies’ infrastructure is critical to the success of the business. The foundational requirements for securing your business have shifted to meet the demands of today’s current security landscape, and they will continue to change over time. If your business is part of an industry with inherently high-security compliance demands (like legal or medical businesses), it’s likely you’ve already been implementing modern tools to maintain the highest level of compliance. On the other hand, if your industry has less stringent security compliance regulations, your business may have historically viewed advanced security tools as “nice to have” but not necessary. Unfortunately, the reality of the world today makes that mindset a luxury that no business can afford.

The best place to start is by evaluating your current solutions with these three pillars in mind. With a better understanding of this framework, how does your security stack up? Has your organization implemented modern prevention tools such as MFA? Do you have an EDR solution in place to bolster your prevention and detection abilities? Have you mapped out a response plan? If not, the first step is discussing your security with your IT expert!


ABOUT THE AUTHOR

Sean has been shaping the IT strategies of businesses across a wide range of industries and sizes for over 10 years. As a vCIO at CIO Solutions, he works with business leaders every day to create a clear IT vision, mature technology solutions, and ultimately, enhance business productivity and security through technology.

He and the rest of the Strategic Client Services team at CIO Solutions are constantly evaluating important trends in the industry and advising clients on best practices and long-term IT strategies for success.



Understanding The Enemy + Why Your Antivirus Isn’t Enough

By Russ Levanway

You probably saw a dominant story in the news a couple of months ago about a major fuel shortage across the eastern seaboard. The pipeline that provides almost half the oil to the northeast and south came under a cyber-attack. Gas pumps ran dry in Tennessee, Georgia, and other states. This happened fast on the heels of other major exploits. Then in the last 2 weeks, tech news has been dominated by a serious vulnerability in management software called Kaseya, with over a million computers encrypted with ransomware as a result.

Ransomware attacks are getting to the point where they are becoming existential threats to organizations and can disrupt entire industries and supply chains. If it wasn't serious before, it is now. Furthermore, hackers are increasingly sophisticated and daring. They're often backed by foreign governments bent on destabilizing, stealing intellectual property, or just plain old making money via extortion.

The risks of a confidential data leak are higher than they’ve ever been before. It is critical that businesses not only understand how these adversaries operate but also rethink their own approach to security.

How cyber extortion works

Hackers’ typical MO is:

    1. Acquire your passwords or exploit some vulnerability
    2. Log into your device and/or network automatically or manually
    3. Steal a copy of your valuable data (credit card numbers, bank account numbers, social security numbers, intellectual property)
    4. Encrypt everything
    5. Hold it for ransom

If they don't get what they came for (because you restore the data and can't, or won't, pay the ransom), the hackers leak your data all over the internet, selling it to the highest bidder.

Doesn’t my antivirus software protect me?

As someone in the IT field, one of the questions I often get asked is "what about antivirus software? Doesn't that protect me?" This is an understandable question. I preach the benefits of installing and maintaining antivirus software all the time. If it's so important to have this tool installed, shouldn't that be enough protection?

Unfortunately, no. The truth is, antivirus software stops 95 percent of attacks, so we always have it deployed as a security baseline, bar none. But what is it stopping exactly? Antivirus is preventing known viruses, known threats. When we talk about extortion and data infiltration, we’re not talking about viruses — we’re often talking about other tactics.

Flying under the radar

Threat actors often use phishing techniques to trick you into giving them your password (if they haven’t stolen it elsewhere). Often, a cyber-attack like this begins with an email from “your bank” that asks you to log in to your account to validate information. If you aren’t well versed in how to identify a counterfeit or deceptive email like this, you’ll fall for it and click the link. (No need to be embarrassed by your gullibility: you are in very good company. According to some estimates, a staggering 30 percent of people open phishing emails and 12 percent click on malicious links and/or attachments.) That fateful click leads to a counterfeit of your bank’s website. You put in the username and password, and you’re led to a blank page. You’ve been phished. Now the hackers have your credentials for the bank. All of this is done without using a virus of some kind, mind you.

Alternatively, threat actors may identify a vulnerability in your system. Once this vulnerability is identified, they exploit it by running what may appear to be legitimate software that goes undetected. Again, hacking you and your systems without the use of a virus.

These tactics leverage legitimate credentials and exploit existing vulnerabilities, which is how they "fly under the radar". Standard antivirus software can't prevent this; it can only help stop code it knows to be malicious.

Adjusting your expectations

I talk about hacking all the time; I must seem like a broken record. But cyber-attacks keep happening, both in extreme cases like what we see in the news and for our clients, large and small. I keep hoping that if nothing else, a major event like the fuel shortage can help people understand how prevalent and destructive they really are.

Arming yourself with an understanding of how these threat actors operate is the first step. The second step is realizing that effective cybersecurity isn’t a question of simply having current antivirus installed. As we’ve seen, this tool can only do so much. That’s why the approach needs to shift. Cybersecurity is not one-dimensional and antivirus is not a catchall. In today’s world, antivirus is only one part of what must be a much broader cybersecurity toolset. It’s important that the expectation is adjusted to match the reality.
