Small Businesses Do NOT Get Hacked!

Just Kidding…

If you are a small business owner, you may be thinking: “Why would we get hacked? We are not such a huge company and we could not possibly have anything that the hackers want. I don’t see how a hacker can do things against us when we are very good at managing our infrastructure.”

Maybe so, but then again, maybe not. Think again.

Cyber defense is not a minor concept that any business owner can just dismiss as this can post a grave threat even to the simplest business type. Let’s dig deeper and discuss in plain language what you may need to know with regards to your Cyber security.

Ask yourself these questions: Do you run computers in your business and have a domain that you maintain, or servers that are connected all the time to the Internet? Do you use computers to look-up websites or to generate more leads and to process online payments via credit cards for your customers?

 

In other words, if you are you using computers to perform business processes for standard uses in the delivery of marketing, sales or servicing your clients, — which of course, you most probably are, it is imperative that you must give time to review and protect your hard earned assets. As most businesses get more efficient by using computers and software that help facilitate the business, Cyber protection is also a must for your industrial infrastructure.

All these are quite basic, so why do I mention these? What is it then, that can happen to your computers without the proper cyber defense? Here are some truths below.

 

  • Malicious software may potentially insert itself into your computer and into your system causing: 
    • Slow computers
    • It could be that the hacker is now on your computer and is using it to attack others
    • It could be that the computer is now running bitcoin mining software that it may get the hacker money
    • A Computer that freezes
    • Reboots the computer
    • Ransomware encrypts all your files making your computer inoperable

 

  • Hacker software may get installed into your website causing:
    • Hackers collect info from everyone that visits your website (clients or potential) so they can send well crafted emails to snare your clients or your clients’ client
    • Installation of ads that can mount malware (malicious software) on anyone that visits your website
    • The software that is installed on your website can be invisible to the eye, yet it does its work for the hacker

 

  • Cloud environment has different threats:
    • Other cloud customers could see your information
    • Hacker software gets installed in the cloud that you use to steal or alter business information that can be silent until it’s too late

 

Risk management in the age of Cyberattacks.

 

The problem with constant threats of Cyberattack is that one has to work on the highest risk to counteract on first. Large scale companies (those of more than 1000 employees) have Cyber Security Departments who review specific security threats, depending on their environment, business portfolio or on their technological situations and hire accordingly.

To ensure that you have what you need to do in this day of higher risks and unknown attacks, it is always beneficial if you perform information security reviews or infrastructure checks more regularly, by a qualified technological individual.

 

You don’t need to go far to talk to a professional. Contact Us and we’ll help you identify your potential infrastructure hazards, vulnerable computers and potentially high technological risk situations.

Cybersecurity Attacks Never Strike Same Place Twice Right?

There is a myth that was busted(Lightning never strikes the same place twice) by the Mythbusters at stormhighway.com:

(image from youtube video)

As you see in the youtube video, lightning can strike the same place 50 times actually. This makes scientific sense actually, as the WVAH tv tower shows if a metal rod is the highest point during electrical(thunder) storms. And since it is the highest point the large amount of positive energy in the clouds will create electrical circuit for a brief instant to jump to the rod.

So in cybersecurity  do you think if you had a weakness in process 10 years ago and did not fix it,  unfortunately a cyber breach occurred.   Now that it occurred once would it occur again?

Or in another brain teaser – If your process is not good enough to prevent a cyber breach will you be breached  even though you were never breached before?   The entire Psychology of Security should be dumped in the trash can.

It is not wise for most of us to ignore or delay reviewing our cyber defenses for any reason (including cost). The cost of a cyber breach goes so high as to even result in destruction of the business.

 

This makes sense as if you have an incorrect defensive cyber process the breach may cause data loss in the form of Ransomware on your devices. As you may know if you have a cybersecurity vulnerability on your machines they are susceptible to Ransomware which result in your loss of data.

So what you say, I have a backup, so it will not effect me. That may be true, but have you tested your backup to make sure it will actually result in a seamless transition?  In other words, a test for you to see the restored data on a separate machine?

If you have not actually tested the restore then one is leaving the corporation on a risk of how well the backup was performed. So you may get a partial recovery, which may or may not be enough to keep you in business.

The answer to the question do Cyberattacks hit the same place twice, yes of course. Due to the hackers making large attacks looking for vulnerable machines. If 20-25% of machines are not patching their machines on a regular basis then millions of  machines are susceptible to attacks and will make more attacks themselves. So the exact opposite will happen, just like on the radio tower that is the highest point in an electrical storm, the weak computer machines will create more and more attacks, thus finding all the weak machines and infecting them.

So the maxim will be: If you have a weak machine then it will be attacked no matter if you have been breached before or not. And one of these days the attacks are going to be successful, which means you will lose your data to ransomware. And I hope you have tested your backups. the day of a catastrophe is not the time to test your restore process.

Contact us to test your processes

 

What is the Minimum Cybersecurity Defense?

We all heard about the Equifax computer breach.

Which was entirely preventable¹

The problem was a little known piece of software called Apache struts, which had a vulnerability and thus if attacked would be the entry into the webserver at Equifax.

So a software vulnerability within the web server caused a weakness, and the hackers used this weakness to break in. Once the hackers were on the webserver, they had to get additional access and reviewed the server information to find a database that could be useful to the hacker.

 

So what can a Company do to prevent these kinds of breaches?

First one has to know what software one has.

Then keep up with the latest patches and updates for all software.

Seems easy right? Well sometimes there are complications. But one has to try and make the updates as quick as possible. It is tough sometimes on big servers though. As the big servers may have to reboot after an update and there is always a chance something unknown happens. So the window of opportunity to make updates may be only Saturday at midnight. And then you might have to  be ready to restore and recover if more serious problems, thus means resources must be available to be down and recover for several hours on Saturday midnight until it is brought back up.(could be several hours).

 

So to recap one needs to update software and make changes to the server with possible significant downtime.

Second, must have anti-virus or malware software software that is updated and operational.

Third, educate your employees to not perform risky Cybersecurity actions (Social engineering tricks and phishing methods).

 

If it only takes these 3 steps

  1. Update and patch your software
  2. Have an updated Anti-virus software
  3. Employee education on social engineering and phishing.

So why doesn’t everyone do this?

 

Our mission at Oversitesentry (Fixvirus.com) is that everyone _should_ do this

We propose to small and medium business:

Tell your consumer that you have done the minimum Cyberdefense (and thus you will be around even after an attack)

 

We propose to the consumer:

Tell businesses where you spend money: get the shield (Oversitesentry approved) so they can stay in business even after a Cyber Attacks.

 

Contact Us to discuss.

 

 

  1.  (story by Wired) and by story David Krebs

Cyberjoke friday v1.992 Halloween edition

Yes it is time for another edition of Cyberjokes edition, might as well make it Halloween themed:

Q: When is it bad luck to meet a black cat?
A: When you are a mouse.
So we can make it cyber related(mine):
Q: When is it bad luck to meet a Hacker?
A: When your computer is named Murphyslaw
Halloween jokes from halloween.com
Q. What do you get when you cross a vampire with the internet?
A. blood-thirsty hacker baby
Q. What did the bird say on Halloween?
A. Trick or tweet!
1. If a test installation functions perfectly, all subsequent systems will malfunction
2. Not until a program has been in production for at least six months will the most harmful error be discovered
3. Job control cards that positively cannot be arranged in improper order will be
4. Interchangeable tapes won’t
5. If the input editor has ben designed to reject all bad inputan ingenious idiot will discover a method to get bad data past it.

How Do We As Consumers Get companies More Secure?

Every week there are more hacking incidences.

There is a serious problem – a significant number of people and companies are not doing what is necessary to prevent Cyberattacks. This is also a moral weakness, and is a function of misunderstanding Cybersecurity and human nature.

The problem we have is that everyone needs to be better at cybersecurity. So it is a colossal misunderstanding of the nature of Cybersecurity.  This is compounded by Hollywood’s portrayal of hackers and hacking events.

Kevin Mitnick was an early  hacker (before 2000) and got caught – convicted, now he is a consultant.

Hollywood makes hacking mysterious and easy for certain people, but this is a fantasy world. And of course there is no explanation as to how one can defend against hackers.

In my mind (as an ethical hacker and computer professional of 20 years) this state of Cybersecurity affairs will not get better until a paradigm shift.

It would be nice if everyone understood at least the basics, as I have many posts on this topic.

Let’s try and push the companies to do the right thing.

Why are Companies not protecting their computers the way they should?  Misunderstanding and psychology, but what can we do to change their minds?

(from an old post an infograph by Small Business trends)

As a small company if you do not do what it takes, then you may go out of business if you literally lose your data tomorrow. The reason for this is that backups are not what they seem.

Apparently the knowledge of potential failure in the future(due to bad decisions) is not enough for 22% or more ( in some surveys) of companies. This is a huge number and will keep the criminal hackers fed forever. So how can we change that?

All Cyber-consumers should demand Cybersecurity done right from all companies we do business with.  And since it is 2017(almost 2018) and we depend on computers and what the convenience does for us, we should all be interested in making sure only what we want to get done gets done.

So we have to ‘help’ the companies which we depend on to keep operating – like restaurants, banks, hotels, and many other seemingly innocent companies (let’s not discuss government and Equifax), as we are talking about all small businesses, the accountants, the lawyers, the plumbers, HVAC, everyone large and small. All except the public companies, as they _have_ to have somebody taking care of business. It is only the companies that do not “have” to do that don’t in sufficient numbers

What if you could “know” that at least a minimum of processes were done to at least prevent a catastrophe if something does happen? What is that worth to you?

Would you do business with someone if at any moment they can have a catastrophic event and then go out of business?

Sure it should be where we do not have to think about this Cybersecurity thing and thus it “Ought” not to cost anything, but it we do not live in fantasyland like Hollywood.  Do you know why it costs? Because ransomware has changed the game. It used to be when hackers were  just annoying, like spam. But now criminal hackers are making serious money and thus they will continue to do it until we stop them cold. As I have mentioned in the past this is an uphill struggle though since human nature is to ignore the problem and  this has been proven in the fact that 25% of people do not patch their computers.

So let’s repeat: If one does not patch your computer, your computer(or device) becomes vulnerable to malicious software, then it has a higher and higher chance of getting hacked every month it does not get patched.

So eventually it is a beacon for bad software to come in, and very soon (like a year or 2) ransomware will  test your cybersecurity defenses. This problem will get worse until we can peer pressure everyone into  getting Cybersecurity audits from CISA certified professionals.  Like us.

Contact us to help you get up to snuff, or to get a neighbor company up to snuff.

We are going to have an Oversitesentry seal of approval so that everyone that is doing the basics can at least sleep a bit better about their future.