Posted on

How to Protect Data Storage from Hacking

Data protection is more important than ever, but also much harder to achieve. It used to be fairly simple to protect data storage from hacking when data was only saved on-prem and access to it was limited.

Today, data storage and access are more dispersed. Remote employees, cloud storage solutions, BYOD policies, and access via multiple devices from anywhere make data protection seem like an impossible goal.

It’s important to understand that a data breach is a business issue, not just an IT issue. 

To make sure your company and customer data are safe, you will have to protect data storage from hacking attempts. The following data storage safety practices will help you achieve a high level of data security and compliance. 

1. Use strong passwords 

The most common way data storage is hacked is through weak or shared passwords. Would you ever store thousands of dollars behind a simple “0000” or “12345” password? No.

The data you are trying to protect is worth even more than that, so make sure that anyone with access to it has a strong, complex, and unique password. 

Weak passwords are present in almost every organisation and can cost corporations millions in damages because of data breaches. 

  • To avoid hacking attempts, have a proper password protocol in place. All passwords that provide access to data should have a minimum of 12 characters and shouldn’t be complete words. 
  • Use a combination of upper- and lowercase letters, numbers, and symbols. The password should not have personal meaning – no names, addresses, dates, or anything that can be unearthed on social media.
  • Passwords should also be changed every 6 months.

2. Add Two-Factor Authentication 

Additional authentication protocols should be standard practice to protect data storage from hacking.

In case your first authentication layer – the usernames and passwords – ends up in the wrong hands after a successful phishing attack, a second layer in the form of two-factor (or multi-factor) authentication will keep data safe from outside access.

The authentication server will prompt the user to input another security code after authenticating their credentials. The code is usually delivered via SMS, or via a phone authenticator app. Some services will also offer the code via phone call if supported. 

3. Include Session Timeouts / Auto Disconnects 

To battle forgotten login sessions that could lead to a data breach because somebody else used the device, incorporate session timeout routines on your data storage servers.

These routines will automatically disconnect the user from all inactive sessions. 

For example, if the user accessed your data storage but has been idle for the last 15 minutes, they will be logged out. When they come back, they will be prompted to log back in again. 

This security measure is especially valuable if your staff has access to data storage from shared, remote (and potentially unsafe) locations.   
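
The idle-timeout routine described above, shown as an added Go example (not code from the original post or from TowerWatch). It assumes a hypothetical in-memory SessionStore with the 15-minute idle limit from the text; the session IDs, user names and timestamps are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// IdleTimeout is the inactivity limit after which a session is dropped.
// The 15-minute value mirrors the example in the text.
const IdleTimeout = 15 * time.Minute

// Session records who is logged in and when they were last active.
type Session struct {
	User         string
	LastActivity time.Time
}

// SessionStore keeps live sessions keyed by an opaque session ID.
type SessionStore struct {
	sessions map[string]*Session
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: make(map[string]*Session)}
}

// Login creates a session. The ID here is a constructed label; a real server
// would issue a long random token, never a guessable name.
func (s *SessionStore) Login(id, user string, now time.Time) {
	s.sessions[id] = &Session{User: user, LastActivity: now}
}

// Touch is called on every authenticated request. It returns false (and
// discards the session) when the idle limit has already been exceeded, so
// the caller must prompt for a fresh login instead of serving the request.
func (s *SessionStore) Touch(id string, now time.Time) bool {
	sess, ok := s.sessions[id]
	if !ok {
		return false
	}
	if now.Sub(sess.LastActivity) > IdleTimeout {
		delete(s.sessions, id)
		return false
	}
	sess.LastActivity = now
	return true
}

// Sweep removes every session idle past the limit, whether or not the user
// ever comes back; run it periodically on the server so abandoned sessions
// on shared machines do not stay valid until someone else finds them.
func (s *SessionStore) Sweep(now time.Time) int {
	removed := 0
	for id, sess := range s.sessions {
		if now.Sub(sess.LastActivity) > IdleTimeout {
			delete(s.sessions, id)
			removed++
		}
	}
	return removed
}

// Active reports how many sessions are currently held.
func (s *SessionStore) Active() int { return len(s.sessions) }

func main() {
	store := NewSessionStore()
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	store.Login("sess-a", "alice", t0)
	store.Login("sess-b", "bob", t0)
	fmt.Println(store.Touch("sess-a", t0.Add(10*time.Minute))) // true: alice still active
	fmt.Println(store.Sweep(t0.Add(16*time.Minute)))           // 1: bob idle for 16 minutes, dropped
	fmt.Println(store.Touch("sess-a", t0.Add(40*time.Minute))) // false: alice idle since 09:10, must log in again
}
```

Both paths matter: Touch handles the user who comes back after the limit (they are sent to the login page), while Sweep handles the user who never comes back at all.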

4. Use encryption for all documents and emails 

Encryption helps protect data storage from hacking because if the data ever falls into the wrong hands, whoever holds it won’t be able to read it.

When you encrypt data, it is translated into ciphertext that looks like a string of random characters. The only way to make it readable again is to turn it back into its original form with the right encryption key.

The larger the key size, the more computational power is needed to crack it. The rule of thumb is to use encryption services that offer at least 256-bit encryption protocols.  

In order to ensure you have encrypted all sensitive documents, you should use a data protection solution that covers data discovery and sharing. Microsoft’s Azure Information Protection is such a system, and can be used to discover all your data, apply labels that determine how sensitive data is, and then apply rules on data access. The system will find all locations where data is stored and help you migrate it to a safer, centralised location. 

Because such systems also include email encryption, they help you keep data safe in case of mishaps, too. For example, if somebody accidentally sends an email with sensitive data to the wrong recipient, the recipient won’t be able to read the data without first having proper authorisation.

5. Limit Access to Data Storage

In order to protect data storage from hacking, you have to limit access to data to inside actors too. 

The more people have access to sensitive and classified data, the higher the risk of data falling into the wrong hands. 

Your employees should have access only to data that’s essential to their role in the company. 

In case employees would need to access data occasionally, it’s better to have procedures in place that would authorise access to them temporarily rather than giving them unlimited access. 
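
The two rules above (role-based access to only what a job needs, and time-limited grants for occasional access instead of standing rights) as an added Go example, not code from the original post. The roles, datasets, users and clock are constructed; the AccessPolicy type is hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

// Grant is a time-boxed permission: one user, one dataset, lapsing at
// Expires, so nobody keeps a standing right they only needed once.
type Grant struct {
	User    string
	Dataset string
	Expires time.Time
}

// AccessPolicy holds the standing, role-based rights and any temporary grants.
type AccessPolicy struct {
	roleOf   map[string]string   // user -> role
	roleData map[string][]string // role -> datasets essential to that role
	grants   []Grant
}

func NewAccessPolicy() *AccessPolicy {
	return &AccessPolicy{roleOf: map[string]string{}, roleData: map[string][]string{}}
}

// AssignRole gives a user a role and defines the datasets that role needs.
func (p *AccessPolicy) AssignRole(user, role string, datasets ...string) {
	p.roleOf[user] = role
	p.roleData[role] = datasets
}

// GrantTemporary authorises one user for one dataset for a limited period.
func (p *AccessPolicy) GrantTemporary(user, dataset string, from time.Time, d time.Duration) {
	p.grants = append(p.grants, Grant{User: user, Dataset: dataset, Expires: from.Add(d)})
}

// Allowed answers "may user read dataset right now?" and returns the reason,
// which is what you want in the audit log either way.
func (p *AccessPolicy) Allowed(user, dataset string, now time.Time) (bool, string) {
	for _, d := range p.roleData[p.roleOf[user]] {
		if d == dataset {
			return true, "role " + p.roleOf[user]
		}
	}
	reason := "no access"
	for _, g := range p.grants {
		if g.User == user && g.Dataset == dataset {
			if now.Before(g.Expires) {
				return true, "temporary grant until " + g.Expires.UTC().Format(time.RFC3339)
			}
			reason = "temporary grant expired"
		}
	}
	return false, reason
}

func main() {
	policy := NewAccessPolicy()
	policy.AssignRole("alice", "finance", "invoices", "payroll")
	policy.AssignRole("bob", "support", "tickets")
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	policy.GrantTemporary("bob", "invoices", now, 2*time.Hour) // one-off task, lapses at 11:00
	for _, q := range []struct {
		user, dataset string
		at            time.Time
	}{
		{"alice", "invoices", now},
		{"bob", "invoices", now.Add(time.Hour)},
		{"bob", "invoices", now.Add(3 * time.Hour)},
		{"bob", "payroll", now},
	} {
		ok, why := policy.Allowed(q.user, q.dataset, q.at)
		fmt.Printf("%s -> %s at %s: %v (%s)\n", q.user, q.dataset, q.at.Format("15:04"), ok, why)
	}
}
```

The expiry is enforced at every access decision, not only when the grant is issued, so a forgotten grant cannot quietly turn into permanent access.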

6. Use Safe Cloud Storage Solutions 

Cloud storage solutions keep your data accessible at all times and are becoming the standard today. With so many employees working from remote locations and accessing data from multiple devices, it’s safe to say that there are many more vectors of attack.

To protect data storage from hacking but keep it accessible and online, try using a decentralised cloud.

Decentralised cloud storage uses blockchain technology to keep data safe: it is not controlled by a single entity, and data is not stored in one centralised location. Instead, data is spread in tiny fragments across a large global network. When you need to access it, it is assembled and decrypted as soon as you are authorised (either with an encryption key or a password).

7. Educate Employees

You can invest in the best firewall, anti-spam, and antivirus software, but if your employees don’t know how to spot a potential threat, your attempt to protect data storage from hacking will ultimately fail.  

Everyone in your company, be it the newest members of the team or senior executives, should go through regular education training. Ideally, they should learn about: 

  • The latest threats and risks, and vectors of attack – Suspicious email attachments, phishing attempts, how to stop a spoofed email address, and more. 
  • Best practices when it comes to data security – Teach them about BYOD policies, unsafe public networks, being safe while accessing data from remote locations, etc.
  • How to use new security software you implement – Get them on board with new software solutions and teach them how to use them to avoid slowdowns and disruptions.   

Your data security is only as strong as the weakest link. What’s your weakest link? 


Data Discovery as an Important First Step in Cyber Security Implementations


Data security is the staple of a successful business in this era, and most businesses invest in at least basic cyber security. After all, it’s much more affordable when compared to the aftermath of a data breach. Before you implement security measures that will keep your business and reputation safe, you should know what type of data you deal with, and you can do that with data discovery tools.

What’s Data Discovery and How Does It Help My Business?

The importance of data discovery in cyber security is growing rapidly because of stricter regulations like the General Data Protection Regulation (GDPR) that mandate that all businesses be well aware of what kind of data they collect and how they use it. But what is data discovery anyway?

Data discovery is a business process of collecting and analysing data to gain insight into trends and patterns. This insight helps businesses shape their critical business decisions.

And while most businesses today will happily collect data to make data-driven decisions, they will often fail to store and protect that data in a systematic and logical manner.

This causes two critical issues:

  1. When data is disorganised, it will impact data analysis and affect the end result, which can lead to bad business decisions.
  2. Disorganisation also increases the risk of data being accessed by unauthorised entities, either through a data breach or because it was accidentally disclosed by an employee.

Data discovery helps businesses not only collect and analyse data, but it also shows them where and how data is stored and who has access to it, which gives them a good idea of how safe that data really is.

Data Discovery in Cyber Security

Because data discovery provides quite a number of benefits to a business, it’s safe to assume it can help with cyber security too. So what’s the best way to use data discovery in cyber security, and what benefits will this bring?

It is the first step to becoming GDPR compliant. Businesses gather all kinds of data to gain insight into the latest trends and preferences, and for this purpose, they often store sensitive data from their users and customers.

  • GDPR requires that ALL businesses that deal with personally identifiable information (PII) from EU citizens disclose that they are using and storing this data.
  • In addition, they must have consent from the user/customer to store all that data, and keep records of consent too. If they don’t, they are not allowed to store it.
  • Any type of data that can lead to the identification of an individual falls into this category: name, address, online identifiers, ID numbers, IP addresses, even cookie identifiers.  

It helps you implement the right cybersecurity measures. It can be hard to choose which cybersecurity measures are the best option for your business.

  • Firewalls and secure networks are a good start, but without implementing data discovery in cybersecurity, you won’t have a structured overview of your data, or who has access to it.
  • Considering that human error is the most prevalent reason for a data breach, limiting access to data and keeping it on a “need to know” basis is a sound defense against such errors.
  • This also helps you implement data encryption that limits further data sharing and disclosing it to somebody without the right authentication.

It helps you identify security threats quickly. When you have a unified and structured overview of your data and can see who accesses it and in what way in real time, you can quickly respond to any type of threats.

  • Machine learning and AI solutions can help you automate this process and monitor users’ access and detect any anomalies.
  • For example, if there is a sudden surge in data access from a specific access point, you will get a warning to investigate. In case you determine there was indeed a breach, the scope of the breach will be very limited.
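
The access-surge warning in the list above, as an added Go example that is not part of the original post: it scans constructed access-log lines (timestamp, access point, user, dataset), counts accesses per access point in fixed windows, and flags a window that stands far above that access point's usual rate. The log format, the 5-minute window and the thresholds are assumptions; the point is the comparison against each access point's own baseline rather than a single global number.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed access-log lines: timestamp, access point, user, dataset.
// The branch-wifi access point goes from one read to eight within a few minutes.
const sampleLog = `2024-01-01T09:00:10Z office-vpn alice hr-records
2024-01-01T09:02:40Z office-vpn bob sales-db
2024-01-01T09:07:05Z office-vpn alice hr-records
2024-01-01T09:12:30Z branch-wifi carol sales-db
2024-01-01T09:13:00Z office-vpn bob sales-db
2024-01-01T09:20:01Z branch-wifi carol sales-db
2024-01-01T09:20:02Z branch-wifi carol hr-records
2024-01-01T09:20:03Z branch-wifi carol finance-db
2024-01-01T09:20:04Z branch-wifi carol hr-records
2024-01-01T09:20:05Z branch-wifi carol sales-db
2024-01-01T09:20:06Z branch-wifi carol finance-db
2024-01-01T09:21:00Z branch-wifi carol hr-records
2024-01-01T09:22:00Z branch-wifi carol finance-db
2024-01-01T09:24:00Z office-vpn alice hr-records`

// Alert names one access point whose count in one window stands out.
type Alert struct {
	Source string
	Window time.Time
	Count  int
}

// SurgeAlerts buckets accesses per access point into fixed windows and flags a
// window when its count reaches the floor and exceeds factor times that access
// point's average over its other windows. An access point seen in only one
// window has no history, so the floor alone decides for it.
func SurgeAlerts(log string, window time.Duration, floor int, factor float64) []Alert {
	counts := map[string]map[time.Time]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // malformed line: skip it rather than abort the whole scan
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		w := ts.Truncate(window)
		if counts[f[1]] == nil {
			counts[f[1]] = map[time.Time]int{}
		}
		counts[f[1]][w]++
	}
	var alerts []Alert
	for src, wins := range counts {
		total := 0
		for _, c := range wins {
			total += c
		}
		for w, c := range wins {
			baseline := 0.0
			if others := len(wins) - 1; others > 0 {
				baseline = float64(total-c) / float64(others)
			}
			if c >= floor && float64(c) > factor*baseline {
				alerts = append(alerts, Alert{Source: src, Window: w, Count: c})
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Window.Before(alerts[j].Window) })
	return alerts
}

func main() {
	for _, a := range SurgeAlerts(sampleLog, 5*time.Minute, 5, 3.0) {
		fmt.Printf("WARN: %d accesses from %s in the window starting %s, investigate\n",
			a.Count, a.Source, a.Window.Format(time.RFC3339))
	}
}
```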

Data Discovery Brings Your Cyber Security to a Whole New Level

With increasing volumes of data flowing through your on-prem or cloud data centres, you need solutions that will not only give you insights into trends but what type of data you have, where it’s stored, and how many of your employees have access to it. By structuring your data according to sensitivity levels and implementing solutions that limit access and keep a watchful eye on how it’s used, you will be able to thwart cyber security threats before they become a problem.

Learn more about data discovery by using Microsoft’s AIP scanner in our Udemy course now available at a discounted price.

Check out the TowerWatch Academy for more courses!


11+ Ways to Improve Your Email Security Today


Email accounts are used as the most common point of entry by hackers to get access to networks and either disrupt services, steal information, or spread malevolent software to more accounts. But, if you improve your email security, you can prevent this!

So, What Is Email Security?

Put simply, email security is a term that encompasses all the measures taken to secure access to an email account and contents of all emails of that account.

15 Ways to Improve Your Email Security

Email accounts are fairly easy to hack, simply because of the sheer number of email accounts there are. With everybody having at least one account, a simple error like clicking an infected link is often enough for them to gain access.

Coupled with a lack of knowledge, some people are easy targets, and can be the weak link for businesses or home offices to get a malware infection or lead to a security breach.

This is why it’s important to be up to date with email security measures and be able to spot hacking attempts.

Here are some of the ways you can improve your email security and help keep your personal and business data safe.

1. Use Strong Passwords

Weak passwords are one of the simplest ways to get access to an email account.

Often, people use simple passwords out of convenience, but this makes them more vulnerable. Most services won’t even let you have generic or weak passwords anymore and demand that passwords have at least eight characters, must include upper- and lowercase letters, at least one number, and one special character.

Our tips for strong passwords include:

  • Avoid using meaningful passwords – like the name of your spouse, children, or pets, birthdates, and similar. It’s best to use everyday items that don’t have much meaning. For example, look around your room or office and pick an item or two, then use them to make a password.
  • Change your password every 3-6 months. Set a reminder on your phone or work calendar to do so.
  • Avoid leaving all of your accounts logged in on multiple devices ALL of the time.
  • Don’t write your password down and stick it to your desktop screen! (it happens more often than you think!)

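An added Go example, not code from either post, covering the password rules in both “Use strong passwords” sections: the 12-character minimum, “no complete words” and “nothing personal” from the data storage post above, and the eight-character, mixed-class minimum quoted in this post. The word list and the per-user personal facts are constructed; a real deployment would check candidates against a breached-password list instead of a handful of words.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy captures the rules from both posts: a minimum length (12 in the
// data-storage post, 8 as the common service minimum), all four character
// classes, no complete dictionary word, and nothing personal.
type Policy struct {
	MinLength int
	Words     []string // constructed word list; real deployments use a breached-password list
	Personal  []string // constructed per-user facts: names, birth years, pet names
}

// DefaultPolicy builds a Policy with a small constructed word list.
func DefaultPolicy(minLen int, personal ...string) Policy {
	return Policy{
		MinLength: minLen,
		Words:     []string{"password", "welcome", "summer", "letmein", "qwerty", "dragon"},
		Personal:  personal,
	}
}

// Check returns every rule the candidate breaks; an empty result means it passes.
func (p Policy) Check(pw string) []string {
	var problems []string
	if len([]rune(pw)) < p.MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	if !(upper && lower && digit && symbol) {
		problems = append(problems, "must mix upper- and lowercase letters, digits and symbols")
	}
	// "Shouldn't be complete words": strip digits and symbols from both ends and
	// see whether a plain dictionary word is all that is left (Password1! -> password).
	lowered := strings.ToLower(pw)
	core := strings.TrimFunc(lowered, func(r rune) bool { return !unicode.IsLetter(r) })
	for _, w := range p.Words {
		if core == w {
			problems = append(problems, "is a dictionary word padded with digits or symbols")
			break
		}
	}
	// Nothing with personal meaning: names, dates or pets a social profile reveals.
	for _, fact := range p.Personal {
		if strings.Contains(lowered, strings.ToLower(fact)) {
			problems = append(problems, "contains personal information: "+fact)
		}
	}
	return problems
}

func main() {
	policy := DefaultPolicy(12, "alice", "1987", "rex") // constructed user facts
	for _, pw := range []string{"Password1!", "summer2020!!", "Rex-1987-Rocks!", "correct-horse-battery-9X"} {
		fmt.Printf("%-26s %v\n", pw, policy.Check(pw))
	}
}
```

Note that "Password1!" satisfies the eight-character, four-class rule yet still fails, which is why the dictionary and personal-information checks are worth more than the class count alone.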

2. Use Two-Factor Authentication (2FA)

This puts an extra layer of security in addition to a username and password. It makes it harder for attackers to gain access. With 2FA, the user, after putting in their username and password, also has to input additional information, such as an additional PIN or password, or a security token.
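
How the code from a phone authenticator app is checked, as an added Go example that is not from this post or the data storage post above (both describe the same second factor): it implements the standard time-based one-time password (TOTP, RFC 6238) on the server side, using only the standard library, and verifies a submitted code with one 30-second step of clock tolerance. The secret in main is the RFC's published test secret, not a real credential.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes an HOTP value (RFC 4226): HMAC-SHA1 over the big-endian
// counter, dynamic truncation to 31 bits, then the low `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter set to the number of 30-second steps since
// the Unix epoch (RFC 6238); the phone app and the server both compute it
// from the shared secret, so nothing has to be sent over SMS.
func TOTP(secret []byte, at time.Time, digits int) string {
	return hotp(secret, uint64(at.Unix())/30, digits)
}

// VerifyTOTP accepts a submitted code for the current step or one step either
// side (phone and server clocks drift), comparing in constant time so the
// check leaks nothing through timing.
func VerifyTOTP(secret []byte, submitted string, now time.Time, digits int) bool {
	step := uint64(now.Unix()) / 30
	for _, c := range []uint64{step - 1, step, step + 1} {
		if hmac.Equal([]byte(hotp(secret, c, digits)), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real credential
	fmt.Println(TOTP(secret, time.Unix(59, 0), 8))                 // 94287082, the RFC 6238 test vector
	fmt.Println(VerifyTOTP(secret, "287082", time.Unix(75, 0), 6)) // true: the previous step is tolerated
	fmt.Println(TOTP(secret, time.Now(), 6))                       // what an authenticator app shows right now
}
```

A real server additionally records the last step it accepted for each user and refuses to accept that step again, so a code captured by a phishing page cannot be replayed inside its window.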

3. Avoid Logging In to Free Wi-Fi and then Signing into an Email

While free Wi-Fi sounds great in theory, in practice, it’s chock-full of hazards. Using public Wi-Fi puts you at risk of being hacked, as hackers might be using the same network to gain access to other devices – if you log in to your email account, they can easily get access immediately.

If you truly need internet access out in the public, it’s best to use your phone and tether a connection instead (just make sure you use encryption while doing so).

4. Use Professional/Paid Services and Avoid the Free Ones

While free email services (for example, Gmail) are convenient, they don’t have all the features you might need if you’re a business. Always opt for professional and paid services (for example, G-Suite email services), as they have priority support and better security features.

5. Educate Yourself

One of the best ways to stay secure is to be aware of all the risks and ways hackers might try to get access to your email. It’s extremely important for businesses to train their staff as well, to minimise the risk of someone accidentally clicking an infected link.

6. Use Anti-Virus That Includes an Email Scanner

Anti-virus software will scan your device for malevolent activity, but it’s not a bad idea to get AV software that also includes an email scanner. Such scanners will actively scan all links and email attachments and alert you about infected items.

7. Don’t Click Links from Emails and Don’t Log In on Email Pop-Ups

If you are unsure about a link from an email, never click on it. The link might lead to a site that downloads and installs malevolent software to your device. Any pop-up window that requires you to log in to your email is likely a scam too. Always log in through the actual service.

8. Check the Original Sender

If you receive an email that seems a bit off, always check the sender. Often, the sender name is spoofed to make you believe the email comes from someone else. You can check by hovering over the “From” field to see the actual email address rather than just the display name.
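
The “look at the actual address, not the display name” check above, as an added Go example that is not from the original post: it parses a From header value with Go's net/mail package, the way a mail client does, and flags two mismatches between what the user sees and where the mail really comes from. The trusted-brand map and the sample header values are constructed.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// SenderCheck is what the user sees (DisplayName) set against where the mail
// really comes from (Address, Domain), plus the verdict.
type SenderCheck struct {
	DisplayName string
	Address     string
	Domain      string
	Suspicious  bool
	Reason      string
}

// InspectFrom parses a From header value and applies the check from the text:
// does the visible name agree with the real address? trusted maps a brand name
// the user expects to see (lower case) to the domain that brand genuinely uses.
func InspectFrom(header string, trusted map[string]string) (SenderCheck, error) {
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return SenderCheck{}, err
	}
	domain := strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
	sc := SenderCheck{DisplayName: addr.Name, Address: addr.Address, Domain: domain}
	name := strings.ToLower(addr.Name)

	// Sign 1: the display name is itself an e-mail address, but at a different
	// domain from the real sender ("alice@bank.example" <mailer@elsewhere.example>).
	if i := strings.LastIndex(name, "@"); i >= 0 {
		if nameDomain := name[i+1:]; nameDomain != domain {
			sc.Suspicious = true
			sc.Reason = "display name shows " + nameDomain + " but mail comes from " + domain
			return sc, nil
		}
	}
	// Sign 2: the display name claims a trusted brand while the real domain is
	// neither that brand's domain nor a subdomain of it.
	for brand, realDomain := range trusted {
		if strings.Contains(name, brand) && domain != realDomain && !strings.HasSuffix(domain, "."+realDomain) {
			sc.Suspicious = true
			sc.Reason = "display name mentions " + brand + " but mail comes from " + domain
			return sc, nil
		}
	}
	return sc, nil
}

func main() {
	trusted := map[string]string{"example bank": "example-bank.com"} // constructed
	for _, h := range []string{ // constructed From header values
		`Example Bank <alerts@example-bank-secure.net>`,
		`Example Bank <alerts@mail.example-bank.com>`,
		`"alice@example-bank.com" <mailer@mailer.example.net>`,
		`Alice <alice@example.com>`,
	} {
		sc, err := InspectFrom(h, trusted)
		if err != nil {
			fmt.Println("unparseable header:", h, err)
			continue
		}
		fmt.Printf("%-55s suspicious=%-5v %s\n", h, sc.Suspicious, sc.Reason)
	}
}
```

This is the same comparison a person makes by hovering over the sender; automating it in a mail gateway simply means nobody has to remember to hover.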

9. Help Your Provider

Every time you mark an email as spam or junk and report it, you help your provider filter emails better in the future. This way, harmful emails may never even reach the inbox.

10. Be Careful Signing Up for Things.

Using the same email for all services – from those you use regularly to some obscure mailing lists – is always a bad idea. Always have a “throwaway” or temporary email address for services or websites where you only need one-time access.

11. Check Who Has Your Email

Never share your email on just any websites or public places. Also, avoid posting to public forums with your main email address to make sure it’s not collected and ends up on spam lists.

12. Protect Sent Emails

Use encryption services to protect all sent email. Some services even make it possible to open the email only if the recipient has an authentication code, and let you revoke access at any time you see fit. We use Microsoft’s Azure Information Protection and recommend it to our clients for automatic email and file encryption.

13. Be Careful What You Share Online

Avoid sharing personal information that could give hackers an idea on what you are using as a password! And I’ll say it again, don’t use obvious personal information as your password!

14. Run Regular Backups

With so many ransomware attacks happening lately, make sure your data is backed up regularly, just in case!

15. Be Careful About Apps

Avoid installing apps from third-party sites on your computer, browser, or phone. They are often infected with malware. Instead, only download from trusted sources, and always regularly update them.

These are all ways to improve your email security, whether you’re a personal user, have a business account, or are looking for organisational email security! Just remember, the more measures implemented, the higher the security of an email account.  


Technical GDPR Staff Training Essentials


One of the challenges of implementing GDPR for businesses is the technical GDPR staff training.

But, you need to be prepared.

Your organisation’s compliance depends on having informed and well-trained staff, and the larger your business, the more difficult and vital this becomes.

We’ve dealt with many GDPR staff training sessions approached from a technical standpoint and often consult with organisations to ensure they are passing on their knowledge correctly.

As such, we’ve decided to put together this brief list of essentials for a technical GDPR staff training session to get you started.

Before Your GDPR Staff Training

Data protection should already be part of the company culture, meaning that your staff align with a privacy-first approach.

In practice: incorporating privacy and data protection into your core values ensures you adhere to the GDPR “data protection by design and by default” guideline – this means that your default settings should be privacy friendly, and all processes and operations, from sending GDPR-compliant emails to app development, include data protection measures at their core.

What To Include in GDPR Training Sessions

A well-rounded GDPR training should start with the basics and work towards the technical aspects of GDPR compliance like new policies and frameworks that you’ve adopted as an organisation. Key points to include are:

1. Consent

GDPR is all about consent, and about ‘legitimate interest’ cases when contacting others; this needs to be thoroughly understood and explained.

If not, any one of your employees could contact someone without permission and it could lead to a complaint to the ICO and fines. This is one of the most misunderstood points of GDPR currently, particularly for marketers and businesses that thrive from reaching out to potential customers. You and your staff need to understand where the line is, and how not to cross it. 

2. The Risk of Non-Compliance

Your staff should learn about all the principles of data protection and be aware of the financial risk of not being compliant, how it hurts reputation, and what disciplinary measures the business (and they) can face. When they can connect the risks and arguments on why GDPR is necessary, they will understand just how important it is.

3. Understanding Your Business’ Role

Ensure your employees understand where your business stands. Participants should learn the difference between data processors and collectors, which category the business falls into, and the category of any other third party they conduct data-related business with.

4. Knowing Regulations & Regulatory Bodies

For example, your staff should know the role of the ICO and relevancy of the Data Protection Act 2018 and Privacy and Electronic Communications Regulations.

5. Being Specific To Your Business

There’s no point in explaining the rationale behind GDPR and the fines without some context. Your employees need specific guidelines about data-related operations and processes they do daily.

For example, your GDPR email training might be highly technical, so make sure that everyone understands how new regulations affect their daily email communication and work in general, with a focus on how it makes it better.

6. New Company Policies

Your business’ policies should be at the core of the staff training. Ultimately, you’re the ones to police your own staff, and if a policy is enforced company-wide, it’s more likely to be adopted (and stuck to).

Every department should be aware of new company policies that ensure GDPR compliance and how they affect them – from developers working on a new app to the sales team dealing with customer data, to marketing staff sending out emails.

7. How To Spot Data Breaches

The staff should also learn how to recognise red flags – because a data breach has to be reported to the ICO within 72 hours, knowing how to spot one is crucial. They should also learn the correct procedure in case of a data breach, such as who to report it to in the company and whether additional measures are needed.

8. SAR Requests

Under GDPR, a company has to respect a subject access request (SAR) – a request for the data held about a person. SAR requests need to be handled within 24 hours of being received, so having a policy in place and making sure your staff know the correct way to respond is key, because the public and customers don’t always send requests to the right place straight away.

The Technical Side of GDPR Staff Training

Implementing new technologies and software solutions that ensure data safety is the next logical step for GDPR compliance. But the implementation itself can be difficult.

This means that you and your staff will have to learn about new encryption technologies and software you decide to integrate into your business operations.

Article 32 of GDPR states that this can be achieved through:

  • Pseudonymisation and encryption of personal data
  • Ensuring your processing systems and services are confidential and resilient
  • Being able to restore access to personal data quickly if there was a physical or technical issue that prevented access
  • Regular testing and evaluation of technical and organisational measures that were implemented to ensure data security

For example, your email communications should be secured through solutions like Azure Information Protection – which provides email and file encryption that protects data in such a way that it’s secure no matter where it goes. Deploying systems like Azure Information Protection across your organisation can be tricky if you don’t know what you’re doing, but training your staff to use AIP should be easy – from GDPR email training to sharing documents securely – to ensure the highest security and your ‘best effort’ towards GDPR.

Continuous GDPR Training Ensures Compliance

The last point to note is that reminders and refreshers are the way to really reiterate the importance of GDPR to your business and to your staff.

Hold refresher sessions after the initial GDPR staff training on a regular basis. Data protection should be ingrained into every single business process. Make sure new members understand this too – make GDPR training an integral part of the onboarding process and make sure it becomes part of your company culture.   

If you need help with implementing Azure Information Protection in your small business, check out our fully comprehensive and supported course here:

https://towerwatchacademy.thinkific.com/courses/get-file-and-email-encryption-for-small-businesses-microsoft-aip-course

The Different Tactics Hackers Use to Gain Access to Your Computer

We’d all like to think that hackers are spending weeks on end planning their every move to attack a business but the truth of it is nowhere near as exciting. Although this could happen to a big target, for most people it’s a lot more boring and they get ‘accidentally’ caught in the net as hackers looking to make a quick buck send out malware or ransomware hoping someone will fall into the trap.

That doesn’t make the effects any less devastating!

So, to make sure you can protect yourself, let’s look at the various different tactics hackers use to try and steal your business’ data.

1. Relying on Human Error

We’re sorry to say that lack of education in businesses and human error by employees account for a large portion of breaches in our experience. For example, employees attempting to access internal systems from unsafe locations, using personal (infected) devices on the network, or clicking malicious links in an email. Hackers cast their net far and wide, and the likelihood is someone will click something and open the door. And that’s all they need. 

Hackers also prey on the lack of oversight business owners have over their employees. According to Keeper Security’s State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, 59% of small businesses do not have insight into the types of passwords employees use. This means that although the company is liable for a breach, it is not enforcing, or even aware of, the security standards of the passwords in use.

2. Phishing

Phishing is one of the most common tactics hackers use. It usually takes the form of an email spoofed to look like it comes from another sender, such as your bank or ISP. It will urge you to act immediately or you might lose your account or money, or face penalties. Last year, 48% of hacks on companies were found to have resulted from phishing or social engineering.


3. Public/Free Wi-Fi

Public computers and Wi-Fi networks are notorious for being plagued with malicious software that “sniffs” for data packets while you are using them. You risk losing your account data as soon as you type in your password. 

4. Phone Calls

Surprisingly, these still work and are still one of the tactics hackers use! Hackers have been known to ring you claiming to be your bank or an organisation you’re affiliated with and ask you to confirm details over the phone – for example, banking PINs or passwords – or to chat about family information, like your mother’s maiden name, to get the ‘security question’ answers or take a stab at your password. If you feel a phone call is suspicious, never hand over your data; simply tell them now isn’t a good time and hang up.

5. Weak Passwords

Lazy, generic and consequently weak passwords are the easiest way for hackers to get access to your accounts. Although many small business owners have password strength policies, 68% admitted they do not enforce them. A generic or commonly used password like 12345 makes it easy for hackers to gain access to your email or computer.


6. An Out-of-Date OS

While nobody likes how long OS updates take, they exist for a reason: to address flaws within the code that can potentially be exploited. Without regular updates, you enable easy access to hackers who are aware of the weak points.

7. Infected Attachments

It’s not just the links in an email you should be wary of. Attachments masked to look like images or documents often carry viruses, malware, or spyware, like a keylogger that installs on your device and records your every keystroke to capture your passwords.

8. Dodgy Devices

Be wary of free devices handed out as “freebies”. In many cases, hackers load malware or keystroke loggers onto them so that, as soon as they are plugged into the computer, they infect it.

9. Pineapples – Spoofed Wi-Fi Points

A Wi-Fi pineapple is a fake Wi-Fi access point set up purely to steal your data while masquerading as public Wi-Fi. From the hacker’s point of view, they have multiple programs running to gain access; to the unsuspecting user, they just connect as usual and, voilà, the hacker has instant access to their data.

10. Unsuspecting Accessories

Your new smart lock, phone-controlled thermostat, network-enabled camera, card reader or any other online accessory all have access to your network. If they aren’t protected correctly, hackers can use them as easy points of entry to your network and get to your data that way!

Unfortunately, we’ve only just scratched the surface of the tactics hackers use to access your data and your files, and this is why we are firm advocates of using file protection as part of your cyber security strategy. That way, hackers can’t read the data in your files once you’ve been breached, which protects the data stored within them.

To get automatic file and email encryption for small businesses using Microsoft’s Azure Information Protection, take a look at our course on Udemy, currently available at half price.


How “At Risk” Small Businesses REALLY Are to Cyber Attacks


Running a small business comes with a very specific set of challenges, like having limited resources, and cyber security often falls to the bottom of the list. But the cost of a data breach, no matter the size of your organisation, can be huge, and the bad PR alone could be crippling, as small businesses have to rely on their reputation!

Why Would Anyone Target Small Businesses?

Many small business owners don’t understand why their company would be an appealing target for hackers. They are small, don’t have vast funds or sensitive secrets that anyone would care about. They believe they are not big enough to be a target, so they don’t invest as heavily in cyber security as larger businesses do.

Some hackers do not target small businesses specifically but try to infect as many devices as possible, and without protective measures, backups, or training in place, small businesses can very quickly become victims too.

The most common type of tactic that casts a wide net is the ransomware attack, and more recently, cyber-attacks are becoming more targeted and specific.

The top 3 reasons why small businesses are targeted specifically by hackers are:

  1. The lack of investment into security makes it too easy for those looking to make quick money by selling details. 
  2. Small businesses often work with larger enterprises and if they’re not careful can serve as a point of entry for a large data breach.
  3. A small business is more likely to meet the hacker’s demands, such as a ransom, to get their data back because without it, their business is at a standstill. 

Cyber-attacks against Small Businesses are on the Rise

According to Keeper Security’s State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, attacks against small and medium business owners are on the rise. A staggering 61% of small businesses that were interviewed reported they were affected by a cyber-attack. The most common type of attack was phishing or social engineering, with web-based attacks and general malware following closely behind.

What Small Businesses Should do to be Safe from Cyber Crime

A change of stance is the most crucial thing.

If small business owners keep believing they are not a worthwhile target and that they don’t matter to attackers, they will remain vulnerable. Small businesses should focus on the following areas:

  • New Technology and Software – Investing in current security tooling can give a small business the edge it needs to catch breach attempts early. Machine-learning based tools can flag anomalies in network traffic or card-fraud attempts, but they supplement attention rather than replace it: someone still has to look at the alerts. 
  • Employee Education – Teaching employees about cyber security lowers the risk considerably. Get them on board and teach them the password policy, what makes a strong password, why sharing passwords is risky, and the signs that indicate a possible breach. Check out the TowerWatch Academy for regular courses on educating staff and using protection software. 
  • Regular Updates and Patching – Keep every system up to date and patch promptly. A patch closes a flaw that, until it was applied, could have served as a point of entry, and attackers actively scan for systems that have not yet applied it. 
  • Use Encryption – Encryption limits the damage when a breach does happen. If attackers copy your data but not the keys, what they have is useless to them, so keep the keys separate from the data they protect. 
  • Physical Security – Have surveillance and access control in place in the areas where you keep sensitive data, to guard against malicious actions in the real world.
  • Two Factor Authentication – If an attacker obtains valid credentials, a second factor stops them at the login prompt. With alerting configured on failed or unexpected second-factor prompts, you also learn about the attempt, so you can lock the account down and change the password. 

If you need any help or support protecting yourself as a small business from cyber security attacks, join our free Facebook community for IT support for your small business.

Posted on

GDPR Email Terminology You Need to Know!

When it comes to GDPR and email, things can get confusing. You need to understand the GDPR email terminology that users, customers and businesses may use, so that you can act accordingly.

Although this is not an exhaustive list, here are the terms that will be most useful to understand. We’ve taken the list from our free GDPR Email Protection Course, which you can find here.

Consent – This means permission. GDPR’s aim is to give users more control over their data, and it is big on consent: if you don’t have it, you can’t use the data. There are situations where direct consent isn’t needed. For example, if someone makes a purchase from you, you may send them a relevant email about their order without asking, because that is necessary to fulfil the purchase. Another example is a business-specific address published on a company’s “Contact Us” page. Contacting it is acceptable as long as it is a business address rather than a personal one, e.g. [email protected] NOT [email protected]. Note that this still does not allow you to add the address to a mailing list; you may contact it about something of genuine business interest.

Data Breach – A security incident in which information has been accessed by unauthorised third parties. GDPR’s definition also covers accidental loss, alteration or destruction of personal data, not only unauthorised access. The term usually refers to confidential or sensitive information.

Data Controller – The ICO define a data controller as:

“A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed”

Data Portability – The right of the user to have their personal data moved to another business, including a competitor, and businesses have to comply. The data must be provided in a structured, commonly used and machine-readable format that the other party can accept. Portability does not by itself oblige the original business to delete the data; that is a separate erasure request, and data needed for legal or tax purposes may be retained in any case.

Data Processor – The ICO define a data processor as:

“In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.”

Data Processing – Any handling of information, physically or digitally, for any purpose: collecting it, feeding it into an automated algorithm, using it to segment a list, and so on.

Data Protection Authorities (DPA) – The supervisory authority each EU member state appoints to enforce and support the data protection law (the ICO in the UK).

Data Protection Officer (DPO) – An employee (or sometimes an external hire) appointed by a data controller to make sure data protection and lawful processing are understood and met throughout the organisation. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special-category data, and optional otherwise.

Data Subject – This is any person that the personal data is about.

Erasure – When an individual makes an erasure request, they are asking to have their personal data removed from your organisation and from the third-party organisations you use to manage that data. The right is not absolute (data you are legally obliged to keep can be retained), but failing to act on a valid request can leave you open to fines.

Encryption – A way of transforming data so that unauthorised people or systems cannot read or extract it without the key.

Pseudonymisation – A way to make personal data less identifiable to an outside party by replacing the direct identifiers (name, email address) with tokens, with the key or lookup table needed to reverse the substitution kept separately. Because it can be reversed by whoever holds that additional information, pseudonymised data is still personal data under GDPR, unlike anonymised data.
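The substitution described above, as an added example that is not code from the course or this page: direct identifiers are replaced by keyed-hash (HMAC-SHA256) tokens, the key and the token lookup table are held apart from the data set, and the same person always maps to the same token so the pseudonymised copy can still be analysed. The records, names and key below are constructed for illustration, and the sixteen-hex-character token length is an arbitrary choice.

```python
"""Pseudonymisation with a keyed hash: an added example, not code from the
course or the page. Direct identifiers are replaced by HMAC-SHA256 tokens; the
key and the token-to-value table are the 'additional information' that must be
kept separately, and whoever holds them can re-identify people, which is why
the output is still personal data. Records, names and the key are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people). Alice appears twice on purpose.
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Adams", "plan": "pro", "spend": 120},
    {"email": "bob@example.com", "name": "Bob Brown", "plan": "free", "spend": 0},
    {"email": "alice@example.com", "name": "Alice Adams", "plan": "pro", "spend": 80},
]
DIRECT_IDENTIFIERS = ("email", "name")   # fields that name a person directly


def pseudonym(key: bytes, value: str) -> str:
    """Deterministic token for one identifier value under `key`.
    The same input always gives the same token, so one person's records stay
    linkable; normalising case and whitespace stops 'Alice@Example.com ' from
    becoming a second person. A plain unkeyed hash would let anyone who can
    guess an email address confirm it, hence the secret key."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(key: bytes, records):
    """Return (pseudonymised copies of `records`, token -> original lookup).
    The lookup table must be stored apart from the data set, with the key,
    under tighter access control than the analytics copy."""
    lookup, out = {}, []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(key, rec[field])
            lookup[token] = rec[field]
            new[field] = token
        out.append(new)
    return out, lookup


def reidentify(lookup, rec):
    """Reverse one record, e.g. to answer a subject access or erasure request.
    Only whoever holds the lookup table can do this."""
    return {field: lookup.get(value, value) for field, value in rec.items()}


def spend_per_subject(pseudo_records):
    """Analysis that still works on the pseudonymised copy: spend per token."""
    totals = {}
    for rec in pseudo_records:
        totals[rec["email"]] = totals.get(rec["email"], 0) + rec["spend"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generate once, keep out of the analytics environment
    pseudo, lookup = pseudonymise(key, RECORDS)
    print(pseudo[0])
    print(spend_per_subject(pseudo))
    print(reidentify(lookup, pseudo[0]))
```

The design point is the separation: the analytics team gets the pseudonymised list and can still total spend per customer, while only the team holding the key and lookup table can turn a token back into a person for a subject access or erasure request. Losing the analytics copy alone is far less damaging than losing the originals, but it is still a personal-data breach.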

Recipient – The receiver of your email.

Subject Access Request (SAR) – Contrary to popular belief, this isn’t actually new. A SAR is a request, which a user can make by email, that entitles them to ask what information you hold about them. You may find the ICO’s “Subject Access Code of Practice” useful. Also known as a “Right of Access Request”.

For more information on email protection in the age of GDPR, check out our FREE COURSE HERE to guide you through it!

Posted on

The All-Too-Frequent Failure of Data Protection in the Field of DevOps and Developers

I decided to post this in response to an article I read, and the discussion that followed it, about servers being hacked through RDP.

At present I see several major trends in this field:

  1. The ongoing transition to DevOps is partly driven by the original systems people (I am proud to have been one once, among those who installed Windows 2000/2003 on physical servers) seeing demand for third-level support decline steadily as the cloud grows, and understanding the need to advance into the world of software.
  2. The transition is also happening quickly because software developers have begun to understand that it is not enough to simply “write code”. I remember when a programmer did not know how to install an OS; now I am delighted to see developers who understand that their familiar world of code must also become a world of deployment.
  3. The younger generation, who never installed a physical server, never configured a firewall from scratch and never dealt with assembler. These “children of the cloud” can build products much faster and deliver very effectively, albeit on top of pre-existing infrastructure.

I have been discussing DevOps with my colleagues lately; it can become a crucial field, as the community consists mostly of brilliant systems and software people who can work together in the cloud, in Sweet Harmony (those over 30 might remember the song).

I first encountered DevOps while building AWS infrastructure for an Israeli client. A software engineer I was helping to define the system told me he wanted to move into DevOps and was eager to learn the architecture and networking I had set up on AWS (quite a beautiful structure, with VPN clusters and about 200 VPCs in different regions).

Evolution of Cyber Threats

Alongside all this, the world of cyber threats is changing rapidly in several ways:

  1. Cyberattacks have become a fully-fledged business, run on a well-developed business model, even when the operators are criminal organisations or individuals. Some perpetrators previously served in the Russian or Chinese counterparts of the NSA, and in China attacks are also conducted by dedicated cyber units of the People’s Liberation Army.
  2. The leaks of government-grade tools (EternalBlue and others) have been a huge game-changer: variants of them still compromise systems that have not been patched to this day. The speed with which EternalBlue was turned into ransomware shows how quickly attackers adapt to changes in their environment, both technically and commercially.
  3. DDoS attacks have reached record size and frequency, and DDoS-for-hire can be ordered as easily as filling a shopping cart, as a simple search on the dark web will show. The IoT has become a petri dish for DDoS bots.
  4. Phishing has risen to a whole new level as a means of stealing sensitive data and intellectual property.
  5. Zero-day exploits are a new and rapidly growing threat, very hard to defend against while the vulnerability is still being discovered and no patch exists.

All this is very challenging, without a doubt.

In the world of the cloud everything is easier, more accessible and more impressive. What would have taken five or six days before the cloud, or was pure fantasy a few years ago, can now be done in five minutes.

One of these changes is deploying virtual machines in minutes and getting instant access. Microsoft has also adopted the AWS approach: rather than putting new machines behind NAT by default, the new VM gets a public address and, unless you change the default, port 3389 open to the internet for convenience.

Data Protection for DevOps

Now let us return to the headline: why is the DevOps world so slow to grasp the importance of data protection? From my experience as a consultant and system architect, DevOps people fail to grasp the severity of the cyber threat for some of the following reasons:

  1. Those who came from system administration and design know how to configure a server or a firewall, but they do not look at the application side. If they need to install an internet-facing IIS server, they do not bother configuring the necessary permissions and privileges, because that is “not really my business”.
  2. Those who were software developers tend to show more understanding of application risks (SQL injection, WAF issues and the like), but all too often I see them setting up dev machines with 3389 open to the internet and protected by ridiculously simple passwords (they think that because it is dev, it is not really that important).
  3. The younger cloud generation, used to direct cloud deployments, usually does have data protection awareness (a pleasant surprise!), but mostly relies on the provider’s ready-made solutions. When a system needs a custom solution of some sort, such as an on-prem connection, they cannot build it, and there is no effective data protection as a result.

What is to be done? Study and learn. I have dealt with the broad theme of data protection for many years, but my eyes were really opened when I attended the demanding Offensive Security penetration-testing course, which gave me hands-on experience of the attacker’s process. During the course you see how the attacker, who may be a systems or software expert, actually works: a creative and formidable foe.

Roughly, this is how it looks from the attacker’s point of view:

  1. Full scan and obtaining a complete system status and external structure
  2. Searching for weak spots
  3. Using existing tools to exploit the system weaknesses
  4. Building custom tools to exploit some of the weak spots
  5. Executing the exploit
  6. Your server is toast

This is a very concise summary, but enough to get a clear picture:

  1. When you install a server with 3389 open, it is identified within seconds by the scanners that sweep the internet continuously, without stopping. The attacker, usually running a script, gets an immediate notification of a new open 3389 host, and the operating system can then be deduced from the RDP version and features the service advertises.
  2. Within seconds the attacker’s tooling starts a brute-force or dictionary attack. A relatively simple password falls in minutes and your system is breached (yes, minutes: in my lectures I sometimes run a demo showing how easy it is to breach an AWS or Azure server protected by a simple or predictable password).
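The defender’s side of the sequence just described, as an added example that is not part of the original post: a sliding-window count of failed logons per source address over Windows Security log events (Event ID 4625 for a failed logon, 4624 for a successful one), raising one alert when a source crosses the failure threshold and a second, more urgent one when a successful RDP logon follows that burst. The events below are constructed to look like a dictionary attack that succeeds; the threshold, window and field names are assumptions to adjust for your own SIEM.

```python
"""RDP brute-force detection over Windows logon events: an added example, not
the page's code. Each event carries the fields a SIEM pulls from Security log
Event ID 4625 (failed logon) and 4624 (successful logon). The sample is
constructed: a dictionary attack from one address that ends in a successful
logon, plus benign noise. Addresses are documentation ranges, not real hosts."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                 # failed logons from one source within WINDOW
WINDOW = timedelta(minutes=5)


def _t(seconds: int) -> str:
    """Timestamp helper for the constructed sample."""
    return (datetime(2018, 3, 1, 2, 0, 0) + timedelta(seconds=seconds)).isoformat()


# LogonType 10 = RemoteInteractive (RDP). Failures under NLA are logged with
# LogonType 3, so both are counted as RDP failures here.
SAMPLE_EVENTS = [
    {"ts": _t(0),   "id": 4625, "user": "administrator", "ip": "198.51.100.7", "logon_type": 3},
    {"ts": _t(2),   "id": 4625, "user": "admin",         "ip": "198.51.100.7", "logon_type": 3},
    {"ts": _t(4),   "id": 4625, "user": "administrator", "ip": "198.51.100.7", "logon_type": 3},
    {"ts": _t(6),   "id": 4625, "user": "test",          "ip": "198.51.100.7", "logon_type": 3},
    {"ts": _t(8),   "id": 4625, "user": "administrator", "ip": "198.51.100.7", "logon_type": 3},
    {"ts": _t(10),  "id": 4625, "user": "administrator", "ip": "198.51.100.7", "logon_type": 3},
    {"ts": _t(12),  "id": 4624, "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    # an employee mistyping once from the office is not an attack
    {"ts": _t(30),  "id": 4625, "user": "jsmith",        "ip": "203.0.113.10", "logon_type": 3},
    {"ts": _t(35),  "id": 4624, "user": "jsmith",        "ip": "203.0.113.10", "logon_type": 10},
    # a slow scanner that stays under the threshold
    {"ts": _t(100), "id": 4625, "user": "admin",         "ip": "192.0.2.44",   "logon_type": 3},
    {"ts": _t(400), "id": 4625, "user": "admin",         "ip": "192.0.2.44",   "logon_type": 3},
]


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logons per source address.

    Emits one 'brute_force' alert per source when it reaches `threshold`
    failures inside `window` (with the usernames tried, so a spray across many
    accounts is visible), and a 'compromise' alert when a successful RDP logon
    follows at least `threshold` recent failures from the same source."""
    recent = defaultdict(deque)   # ip -> deque of (time, user) for recent failures
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        q = recent[e["ip"]]
        while q and t - q[0][0] > window:     # drop failures older than the window
            q.popleft()
        if e["id"] == 4625:
            q.append((t, e["user"]))
            if len(q) >= threshold and e["ip"] not in alerted:
                alerted.add(e["ip"])
                users = sorted({u for _, u in q})
                alerts.append({"kind": "brute_force", "ip": e["ip"], "failures": len(q),
                               "users": users, "spray": len(users) >= 3})
        elif e["id"] == 4624 and e["logon_type"] == 10 and len(q) >= threshold:
            alerts.append({"kind": "compromise", "ip": e["ip"], "failures": len(q),
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two things to note when adapting this: a real scanner rotates source addresses and paces attempts to stay under simple thresholds, so the window and threshold are a starting point rather than a rule, and the “compromise” alert is the one worth waking someone for, because a success after a burst of failures from the same address means the password has already fallen.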

Yes, an open 3389 configuration is a “disaster”, because it tells the attacker the following about you:

  1. I am not very careful: if I left 3389 open, I probably also neglected the other defences and security features.
  2. This is a newly installed server with little or no protection, so now is the perfect time to get in, plant the “package”, and wait to see what the server becomes (a domain controller, for example).
  3. My passwords will most probably be weak and predictable.

Data Protection on RDP

On the issue of RDP:

  1. A successful RDP logon gives the attacker an interactive desktop session on the server, so they can execute code directly, with no need to plant malware in advance.
  2. Even on a fully patched server, a weak password gives the attacker an opening to log in and plant the package within seconds, taking control of the server.

So here is what needs to be done:

  1. Do not open 3389 to the internet. Reach it through a VPN, or through an ACL that restricts access to specific source addresses.
  2. Passwords always (always!!!) need to be complex. Never use words that appear in a dictionary; use a password generator.
  3. Keep studying. Every DevOps/dev person needs to learn the existing and new off-the-shelf tools, such as Kali Linux and others, so they know what the attacker will run against them.
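Point 1 above, checked and enforced in code, as an added example that is not from the original post: the audit walks inbound rules in the shape of the IpPermissions that `aws ec2 describe-security-groups` returns, flags every source allowed to reach 3389 (including a protocol “-1” all-ports rule, which is easy to miss), and produces a corrected copy in which over-broad sources are replaced by a single VPN or office egress address. The groups, group IDs and addresses are constructed for illustration, and the /24 and /56 “specific enough” prefix limits are an assumed policy.

```python
"""Audit and repair of inbound rules that expose RDP: an added example, not the
page's own code. The groups below are constructed in the shape of the
IpPermissions returned by `aws ec2 describe-security-groups`; they are not real
groups, and the addresses are documentation ranges. The rule being checked is
the one in the text: 3389 is reachable only from a VPN range or an explicit,
specific source ACL."""
import copy
import ipaddress

RDP_PORT = 3389
# Anything broader than these prefixes is 'a continent', not 'a source' (assumed policy).
MIN_PREFIX = {4: 24, 6: 56}

WEAK_GROUP = {   # constructed: RDP from anywhere, as the portal wizard leaves it
    "GroupId": "sg-0weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
FIXED_GROUP = {  # constructed: RDP only from the office/VPN egress address
    "GroupId": "sg-0fixed",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
ALL_PORTS_GROUP = {   # constructed: protocol -1 is every port, so 3389 is included
    "GroupId": "sg-0allports",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if this permission entry lets `port` through."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def severity(cidr: str) -> str:
    """CRITICAL for the whole internet, WARN for a range too broad to be a
    single source, OK for a specific range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0
        return "CRITICAL"
    if net.prefixlen < MIN_PREFIX[net.version]:
        return "WARN"
    return "OK"


def audit_rdp(group: dict):
    """Return (severity, group id, source cidr) for every source allowed on 3389."""
    findings = []
    for perm in group["IpPermissions"]:
        if not rule_covers_port(perm, RDP_PORT):
            continue
        for r in perm.get("IpRanges", []):
            findings.append((severity(r["CidrIp"]), group["GroupId"], r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            findings.append((severity(r["CidrIpv6"]), group["GroupId"], r["CidrIpv6"]))
    return findings


def restrict_rdp(group: dict, allowed_cidr: str) -> dict:
    """Return a copy of `group` in which every over-broad source on a rule that
    reaches 3389 is replaced by `allowed_cidr`. For a protocol -1 rule this also
    narrows the other ports, which is the right outcome: all-ports-from-anywhere
    is never intended. Rules that do not reach 3389 are left alone."""
    fixed = copy.deepcopy(group)
    allowed = ipaddress.ip_network(allowed_cidr, strict=False)
    for perm in fixed["IpPermissions"]:
        if not rule_covers_port(perm, RDP_PORT):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if severity(r["CidrIp"]) == "OK"]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if severity(r["CidrIpv6"]) == "OK"]
        dropped = len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", [])) - len(v4) - len(v6)
        if dropped:
            if allowed.version == 4:
                v4.append({"CidrIp": allowed_cidr})
            else:
                v6.append({"CidrIpv6": allowed_cidr})
        perm["IpRanges"], perm["Ipv6Ranges"] = v4, v6
    return fixed


if __name__ == "__main__":
    for g in (WEAK_GROUP, FIXED_GROUP, ALL_PORTS_GROUP):
        print(audit_rdp(g))
    print(audit_rdp(restrict_rdp(WEAK_GROUP, "203.0.113.10/32")))
```

Run it as a periodic check rather than once: the portal wizard, a colleague “just for a minute”, or an infrastructure-as-code change can reopen the port long after the initial build, and the scanners the post describes will notice before you do.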

One more thing (DevOps guys, please don’t be angry with me about this): very few people can be true jacks-of-all-trades, which is why big tech companies employ dedicated DevOps teams that include systems people, software developers and cyber experts.

The biggest problem is usually seen in newly founded smaller companies and start-ups that lack the resources for proper planning and execution of data protection. The result can be intellectual property ending up with competitors, in China or elsewhere, from the first day the server is running.

Conclusion

To sum it all up:

  1. A 3389 port open to the internet is a really bad idea.
  2. Simple passwords, even on a small dev server, are very bad too.
  3. Learning basic data protection is a must across the whole range of DevOps positions.

Eli Migdal – TowerWatch Solutions – CEO

Posted on

12 Warning Signs Of A Phishing Email

Online security matters more than ever, and with criminals coming up with new and inventive ways to catch you out, we must remain vigilant. We have previously discussed how to defend yourself against phishing, but with tactics getting cleverer we thought we would highlight 12 ways to sniff out a potential threat and spot the signs of a phishing email.

As you probably already know, phishing is the act of misleading you into giving away sensitive information. From login details to credit card numbers, there is a wealth of data you don’t want falling into the wrong hands. Email is the most popular phishing channel, so we will look solely at that here, but remember that cyber thieves can masquerade in a variety of other ways too, so keep an eye out.

Here are the 12 signs of a phishing email that should throw up an immediate red flag.

  1. Email Address

Why is PayPal emailing you from [email protected]*? The correct answer is that they are not. If a reputable company is not writing from its own domain, or from an address you recognise, it is not them. If you are genuinely concerned, or are expecting a similar email, do not reply to this one: go to the company’s website, find an email address or phone number for someone you can talk to, and deal with the query directly. Contacting the real company also lets them know someone is using their name to steal data, so they can warn their customers through legitimate channels and stop anyone else being duped.

  2. Unexpected Urgency

If something were really happening with your account, chances are you would have heard about it some other way, rather than from a strange email out of the blue insisting you MUST ACT NOW. If you aren’t expecting an email, chances are it is false, and again, you can always contact the company and check. The same goes for unrealistic threats suddenly imposed in the email: stop and think about what this company is LEGALLY allowed to do. If the threat doesn’t line up, someone is using fear and intimidation to get you to click.

  3. Poor Language

Phishing emails often contain poor grammar or awkward language. This may be because they were thrown together quickly with minimal spellchecking, because machine translation was used to send the same lure to many countries at once, or because the writer was working in a second language. Businesses do make mistakes, but professional business emails are usually written by a native speaker, or at least spellchecked and proofread, so this can be a major giveaway.

  4. Asking For Money

Email marketing is important to many businesses and charities, and you may well receive newsletters and emails drawing your attention to the latest products or services. But when was the last time a company asked you to hand over a specific sum immediately? Even a genuine invoice usually arrives as an attachment with a reference number and contact details you can check independently. A direct demand for money is one of the telltale signs of a phishing email.

  5. Wrong Child Domains

A favourite trick is the lookalike child domain. In DNS the parent domain is on the RIGHT-hand side, so Information.Security.TowerWatchTech.com is a child domain of our own website, because TowerWatchTech.com sits at the right-hand end. A spoof version puts our name on the left: TowerWatchTech.com.phishing.com. The brand name is in the address, so you are fooled into thinking it is legitimate, but the domain actually in control is phishing.com. The best way to remember it is:

On the LEFT, I’m LOSING money

On the RIGHT, everything is all RIGHT

  6. It Asks You To Log In

Be wary of any email that asks you to log in to an account via a link in the email itself. Most companies will ask you to log in but will either not provide a link, or will provide a generic link to their own website that you recognise. A phishing link often leads to a copy of the real login page that records whatever you type! If you think the email really is from a reputable company, the easiest thing to do is to type the company’s address into your browser and log in the way you usually do. The extra minute this takes is far better than the hassle if you don’t.

  7. TGTBT

Too good to be true. At the end of the day, if someone you have never heard of wants to send you a million pounds, it is probably not your lucky day. Do you REALLY think that if you had come into that much money, they would contact you by email? No, they would use several points of contact or official channels (unlikely as the whole thing is anyway). If it sounds too good to be true, it probably is.

  8. Embedded Links

Linked text is useful in an email, but it is also an excellent way to hide a nefarious destination. Many people don’t realise that an embedded link can be checked by simply hovering over it on a desktop computer (on a phone, a long press usually shows the address) to see where it actually goes, without clicking. Ask yourself whether the destination matches the company you are expecting. If it doesn’t, DO NOT CLICK ON IT, and definitely don’t click “to see what it does”.

  9. Lack of Personal Info

This doesn’t always work, as some criminals are getting sneakier, but most of the time a legitimate brand or business that holds your email address will use at least your first name, if not your full name. “Valued customer”, “friend” or “client” are all ways of saying “I don’t know your name but I am going to pretend I do”, and should put you on your guard, particularly if the email asks you to share personal information.

  10. Naked Signature

A business, brand or professional will sign an email with more than just a name. Even a generic email will be signed “The Team” with contact details or a website address underneath, because the signature is a marketing tool: giving customers every way to contact you, and potentially turn into a sale, is good business practice. So be wary of any “business” that is unwilling to share that information; a name-only signature is a good sign that something is off.

  11. Header Name

The display name shown in the header is free text that the sender chooses, so ignore it and check the actual email address behind it (in most mail clients you click the little arrow or the name to reveal it). Do this first: it costs nothing and catches a great many phishing emails. Bear in mind that the address itself can also be forged unless the receiving mail server enforces SPF, DKIM and DMARC, so a plausible address is a good sign but not proof, and the other checks on this list still apply.

  12. Unexpected Attachments

Always double-check before you open an attachment, particularly one you aren’t expecting, that has a strange name, or that isn’t mentioned in the email itself. This tactic plays on curiosity to see what it is, and that is how they get you. Normally the sender will tell you what is attached, why, and how it is relevant to you, so that you know what you are looking at. The first warning sign of a phishing email is that they don’t; the second is that the attachment supposedly contains irrelevant information, or information they could simply have written in the email. If something seems suspicious, don’t open it.
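Several of the checks above (the sender’s address in 1, the child-domain rule in 5, the hover check in 8 and the header name in 11) can be automated on a raw email, and the following is an added example of doing so, not code from this article. It parses a constructed message with the standard library, extracts the display name and address from the From header, flags a brand keyword appearing in a host whose right-hand end is not the brand’s real domain, and compares the visible text of each link with where its href actually points. The brand list, the sample message and the tiny two-level suffix table (a stand-in for the full Public Suffix List) are all assumptions for illustration.

```python
"""Header and link checks for a suspicious email: an added example, not code
from the article. Standard library only. The message is constructed to show a
spoofed display name, a lookalike 'child domain' in the sender address and a
link whose visible text does not match its destination. The registrable-domain
logic uses a tiny built-in suffix list as a stand-in for the Public Suffix
List, which is an approximation for illustration only."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRANDS = {"towerwatchtech": "towerwatchtech.com"}        # keyword -> real domain
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}    # partial, assumed list

RAW_EMAIL = """\
From: TowerWatchTech Support <support@towerwatchtech.com.phishing.example>
To: victim@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer,</p>
<p>Log in now at <a href="http://towerwatchtech.com.phishing.example/login">https://towerwatchtech.com/login</a></p>
<p>Or read our <a href="https://information.security.towerwatchtech.com/guide">security guide</a>.</p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """The part that is actually under someone's control: the RIGHT-hand end.
    'information.security.towerwatchtech.com' -> 'towerwatchtech.com',
    'towerwatchtech.com.phishing.example' -> 'phishing.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike(host: str):
    """Return the real domain `host` impersonates when a brand keyword appears
    in it but the registrable domain is not that brand's; otherwise None."""
    reg = registrable_domain(host)
    for keyword, real in KNOWN_BRANDS.items():
        if keyword in host.lower() and reg != real:
            return real
    return None


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw: str):
    """Return (finding, detail, expected) tuples for the sender and every link."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg["From"])
    from_host = addr.rsplit("@", 1)[-1]
    real = lookalike(from_host)
    if real:
        findings.append(("from-lookalike", from_host, real))
    # The display name is free text; only the address domain means anything.
    for keyword, real in KNOWN_BRANDS.items():
        if keyword in name.lower().replace(" ", "") and registrable_domain(from_host) != real:
            findings.append(("display-name-mismatch", name, addr))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = _Links()
    parser.feed(body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        real = lookalike(href_host)
        if real:
            findings.append(("link-lookalike", href_host, real))
        # Text that looks like a URL but points somewhere else: the hover check.
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(("link-text-mismatch", text_host, href_host))
    return findings


if __name__ == "__main__":
    for finding in check_email(RAW_EMAIL):
        print(finding)
```

Note what the second link shows: information.security.towerwatchtech.com produces no finding, because its right-hand end is the real domain, exactly the “on the RIGHT, everything is all RIGHT” rule. A production filter would swap the suffix table for the real Public Suffix List and add SPF/DKIM/DMARC results, since without them the From address itself can be forged.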

Find out what to do if you accidentally click in our “Defend Yourself Against Phishing” article, or check out our information security services to see how we can help you protect your business’s data.