Top Cloud Security Threats Include Misconfiguration

The shared, on-demand nature of cloud computing raises concerns not only about data security but also about often forgotten areas such as misconfiguration.

Best Practices Begin with a Solid Cloud Adoption Strategy

The Cloud Security Alliance (CSA) identifies misconfiguration as a very real component of security threats. The Alliance is a leading global organization that not only sets “standards, certifications as well as best practices,” but also publishes an annual list of top threats to cloud security. The biggest risks to today’s cloud strategy stem from an overall poor cloud adoption strategy.

Overlooking any of these areas can torpedo a company’s risk-management game plan. Generally, these areas include data breaches, of course, but also:

  • Misconfiguration and improper change control
  • Overlooking the importance of cloud security architecture/strategy
  • Faulty permissions strategy and credentials
  • Threats from inside the company
  • Accounts ‘stolen’ by a hacker
  • Vulnerable APIs and interfaces
  • Vulnerable routing protocols (control plane)

Secure Your Single and Multiple Cloud Networks

According to CSA, these calls to action should be a high priority for SMB decision-makers seeking to secure their single- or multi-cloud strategies.

“The complexity of the cloud can be the perfect place for attackers to hide, offering concealment as a launchpad for further harm. Unawareness of the threats, risks, and vulnerabilities makes it more challenging to protect organizations from data loss. The security issues outlined….are a call to action for developing and enhancing cloud security awareness, configuration, and identity management,” said John Yeoh, Global Vice President/Research for CSA.

Contact us to discover how you can partner with a proven, managed service provider (MSP) to achieve your security goals. Our expertise can not only help you deploy your programs and apps to the cloud but provide all the necessary security backups in a timely manner—and with minimal disruption to your network.

Warning – The Most Effective Social Engineering Attacks

Although it may seem as if hackers, criminals, and thieves prefer the challenge of attacking only seemingly impenetrable computer systems, this is not necessarily the case. While it is true that companies do need effective security measures in place to handle these types of impersonal attacks, hackers still frequently turn to more traditional methods of cyber attacks for one good reason.

As IT security methods continue to become more sophisticated, hackers sometimes find it more lucrative (and easier) to perform social engineering attacks that allow them to manipulate human behavior. Unfortunately, this is because staff members are either poorly trained (if at all) to spot hacking attempts or, unlike a machine, they sometimes let their guard slip. Of course, hackers understand all too well that a busy or unsuspecting employee may eventually provide them with an opportunity to slip their way into a corporate system — they just need patience.

Top Social Engineering Attacks 

  • Phishing – All it takes is a credible-looking email with either a link or an attachment to click on, and an employee may either give away sensitive information or allow a virus to enter their corporate computer system.
  • Spear Phishing – This is similar to traditional phishing attempts, except that hackers target a specific person in a company. Often the targets are in positions related to lucrative financial aspects of the company.
  • Whaling – Rather than targeting one individual, whaling attempts involve attacking an entire level of higher management. This could be in companies or government agencies. Some of the attacks require a significant amount of research and are quite sophisticated in nature.
  • Vishing – Vishing involves using a phone rather than email in order to impersonate a business. The hackers pretend to be a legitimate company simply making a business call. Their goal is to find unsuspecting employees who will provide them with sensitive corporate information, often banking details.
  • Pretexting – This type of attack also involves impersonation. A hacker may phone an employee and pretend to be the company’s IT vendor, claiming to be investigating a hacking attempt and therefore needing passwords and other sensitive information for specific computer systems.
  • Baiting – A hacker may leave a memory stick somewhere in or outside of a company they want access to. An unsuspecting employee discovers the memory stick and plugs it into a company computer to determine what it contains. Unfortunately, the memory stick is loaded with a virus or other malicious software.
  • Tailgating – This is another type of hacking attempt that involves the physical presence of the hacker. In this scenario, a hacker pretends to be a delivery driver, company visitor, or facilities manager in order to gain access to unauthorized areas.

Summary  

It’s difficult, if not impossible, for companies to stay up to date on all the latest technology pitfalls. Many hackers are very sophisticated, methodical, and patient. It takes a professional IT vendor who makes it their business to stay on top of all the latest technology security issues to develop an effective security training program for their clients. If you would like more information on security training for all of your staff members, please contact us.

Proactively Addressing Mobile Threats

More and more employees are using their smartphones and other portable devices in order to work on off-site projects, at home, or simply on the go. While this has greatly increased productivity in many respects, there are inherent dangers in essentially allowing access to corporate systems to go out the office door with very little to safeguard that access. Any organization that allows staff members to use their own mobile devices for work-related activities, and/or issues mobile devices to staff for external use, should ensure it has an all-inclusive policy covering usage and security practices. This will help protect individuals and companies from mobile threats.

External Threats

So what are some of the issues that can arise from the use of mobile devices for corporate activities? Regardless of whether an employee is using their own device or a corporate one, it is very easy for any of the following to occur:

  • a device is lost or stolen,
  • downloading of questionable 3rd party apps,
  • sharing of devices with unauthorized people,
  • and/or using unprotected Wi-Fi sources.

If any of these situations occurs without protective measures already in place, corporate data can easily fall into the wrong hands. In addition to the expenses incurred from cleaning up a data breach, there are other costs such as loss of client trust, potential litigation from clients, and loss of public reputation as a trustworthy source of products and/or services.

Policy Solutions

A good mobile device policy will cover two key areas, and both must be addressed proactively, rather than after the fact.  The first part of the policy is put into place by IT administrators.  Their responsibilities include:

  • remotely locking lost or stolen devices,
  • creating and enforcing proper password and encryption policies,
  • discovering and restricting tampered devices,
  • and ensuring corporate data is removed from personal devices upon employee termination.

The second part of the policy pertains to instructing employees on the proper use of their mobile devices.  Employees need to follow certain protocols including:

  • reporting lost or stolen devices immediately,
  • following their employer’s policy on downloading 3rd party apps,
  • following password and Wi-Fi policies,
  • and not sharing their devices with family members or other external parties.

By creating a proactive and comprehensive mobile device policy, employees will thoroughly understand what their employer expects of them and IT administrators will be able to quickly resolve issues if they arise.  Using this two-pronged approach maximizes the ability of any business to properly secure both corporate and client data.  Please contact us if you would like more information on how to properly institute a mobile device security policy to protect your organization’s essential data.

The Importance of Network Vulnerability and Penetration Tests

A company’s network system is of paramount importance to its ability to conduct daily business operations.  If a network goes down, whether from a security breach or for another reason, the cost to individual organizations can be significant.  This is just one of the reasons why it is important to select an IT organization that can provide proactive support in order to prevent problems before they even occur.  In this post, we will define what network penetration and vulnerability tests are, the differences between the two, and why both are essential.

Network Vulnerability Tests

A network vulnerability test scans an entire network, looking for vulnerabilities across the whole system. This type of automated test should be conducted on a regular basis, typically every quarter and whenever new equipment is added to the network. A baseline report for each new piece of equipment should be included as part of the vulnerability test, and any subsequent changes, such as added services or open ports, should be investigated, because either could mean unauthorized changes occurred on the network.
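The baseline comparison described above, as an added example that is not the MSP's own tooling: two constructed scan summaries (a simplified "host port/proto service" line format, not real scanner output) are diffed, and any service or host that is present now but absent from the baseline is flagged for investigation.

```python
"""Compare a baseline scan summary against a newer one and flag added
open ports, services or hosts. Added example; the line format is a
constructed simplification of a scanner report, not a real tool's output."""

from collections import namedtuple

Service = namedtuple("Service", "host port proto service")

# Constructed sample data: one open port per line, "host port/proto service".
BASELINE = """\
10.0.0.5 22/tcp ssh
10.0.0.5 443/tcp https
10.0.0.7 3389/tcp ms-wbt-server
"""

CURRENT = """\
10.0.0.5 22/tcp ssh
10.0.0.5 443/tcp https
10.0.0.5 8080/tcp http-proxy
10.0.0.7 3389/tcp ms-wbt-server
10.0.0.9 445/tcp microsoft-ds
"""


def parse_scan(text):
    """Parse the simplified scan format into a set of Service tuples."""
    services = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, portproto, service = line.split()
        port, proto = portproto.split("/")
        services.add(Service(host, int(port), proto, service))
    return services


def diff_scans(baseline_text, current_text):
    """Return (added, removed) relative to the baseline. Everything in
    `added` is an unexplained change that must be investigated."""
    baseline = parse_scan(baseline_text)
    current = parse_scan(current_text)
    return sorted(current - baseline), sorted(baseline - current)


def new_hosts(baseline_text, current_text):
    """Hosts that answer now but were not in the baseline at all."""
    known = {s.host for s in parse_scan(baseline_text)}
    return sorted({s.host for s in parse_scan(current_text)} - known)


if __name__ == "__main__":
    added, removed = diff_scans(BASELINE, CURRENT)
    for s in added:
        print(f"NEW  {s.host} {s.port}/{s.proto} {s.service}")
    for s in removed:
        print(f"GONE {s.host} {s.port}/{s.proto} {s.service}")
    print("new hosts:", new_hosts(BASELINE, CURRENT))
```

In practice the baseline is the report taken when the equipment was first added, and the comparison runs after every scheduled scan.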

Network Penetration Tests

A network penetration test, also known as a pen-test, is more specialized than a vulnerability test. A vulnerability test is designed to alert network administrators to any and all weaknesses, whereas a penetration test reports on the severity of the weaknesses found in vulnerability testing. Unlike an automated vulnerability test, a penetration test is conducted by a tester looking for specific ways to exploit a network. In short, they act as if they were a real hacker.

Some industries are mandated by government regulations as to how often their network should be pen-tested.  For others, at a minimum, a professional network support team will recommend their clients have penetration testing when any of the following occurs:

  • changes in end-user policies,
  • new office location(s),
  • significant upgrades,
  • application or infrastructure modifications or additions,
  • and the application of security patches.

If you would like to know more about network vulnerabilities, network testing, or our professional support services, please contact us.

IT Tips For Your Fort Lauderdale Business

Everyone loves technology, right? This is especially true when it is working the way it is supposed to. It does not matter how advanced your company’s equipment is; there is still a chance that it can be breached. Computers are constantly being hacked, someone can steal a cell phone, and data can be changed. As the technological equipment gets smarter, the thieves also get smarter. Here are some IT tips for your Fort Lauderdale business.

Fort Lauderdale Business

Data thieves are not the only issues you need to think about when you are using computers. You can lose critical information during unexpected events, including the following:

  • Computer failure
  • Corruption of hard drives
  • Accidentally unplugging a device
  • Forgetting to save an important file

As the owner of a business, you will be held responsible for customer data and employee data. You cannot afford to lose any of this data. Fortunately, there are ways for you to always keep that information safe and secure.

  • Always remember to back up your data
  • Invest your money in equipment that will allow you to improve the overall operations of your business, while protecting employee and customer data
  • Utilize the services of an IT support company, even if you do have an incredible IT support employee on your payroll
  • Before you make any big upgrades to your equipment, weigh all your options so you can determine which computer systems and other equipment will be a perfect fit for your company
  • Introduce a policy that includes internet safety tips that your employees should know

You want to make sure your data is safe at all times. If you can keep customer and employee data safe, they will have a significant amount of trust in your business. If you would like more information on small business safety tips, or if you would like more information on our services, contact us today.