Longleaf System & Network Specialists

Managed IT Service Provider

by

How Hackers Steal Your Data (Part 2 Of 2)

In Part 1 of our data hacking article, we explored two of the most common methods cybercriminals are using to attempt to access your data. In Part 2, we’ll look at three slightly more sophisticated attacks that you should be aware of to properly steel yourself against data breach attempts.

Social Engineering

A catch-all term that can include phishing (discussed in Part 1 of this article), social engineering uses your real-world instincts against you to get you to divulge information you usually would be hesitant to reveal. Typically speaking, hackers use technological vulnerabilities to exploit holes in your cybersecurity, but in social engineering attacks, hackers lean on your personal weaknesses.

Some examples of this might be:

  • A hacker calling and posing as a client who’s locked out of their account and needs you to give them access.
  • A hacker calling or emailing pretending to be a local charity asking for financial information to make a donation.
  • A hacker texting you posing as a friend, boss, or coworker who needs urgent help.

Relying on psychological manipulation, these examples illustrate the importance of slowing down, staying skeptical, and carefully reviewing any “urgent” issues before taking action. Be wary of links or downloads even if they seem to be from a trusted source, set your email spam filters to the highest setting, and always be wary of anyone asking for credentials in a text, email, or phone call if you want to avoid being misled by this form of emotional manipulation.

Man-In-The-Middle Attacks

In a man-in-the-middle (MITM) attack, an adept hacker will use IP, ARP, or DNS spoofing to position themselves in the middle of a conversation between you and an application to intercept user traffic. After they’ve intercepted this traffic, the attacker will decrypt it using HTTP spoofing or SSL hijacking to avoid detection. This allows them to then monitor and control the session and steal account details, log-in credentials, banking info, etc. A MITM attack is hard to detect, but can be prevented with due diligence. Avoiding the use of free Wi-Fi hotspots, closing out secure connections when they are not in use, and steering clear of unsecured websites are key preventative measures you should be taking to avoid this scenario. If you’re also a web administrator, you’ll want to be proactive with these types of attacks by making sure you’re using SSL/TLS to secure each page of your website and not just log-in pages.

IoT Attacks

The wave of the future, The Internet of Things (IoT) is a term used to describe the increasing array of interconnected devices that interact with each other across your network. The more devices become “smart” and connect and share information, however, the more entry points hackers have to gain access to your systems. It might seem far-fetched, but hackers can actually install viruses or hack into your wireless routers, printers, and any new device you introduce that may connect to your network regularly. If you are investing in IoT devices to stay current, only buy them from reputable vendors with track records for reliable security. Many businesses are also guilty of sticking with the factory preset passwords that come out-of-the-box with new devices. These factory passwords are often not strong enough, are easily found in product manuals, or have been made public on databases stored in the dark web. So, make sure you create a unique set of new credentials for each IoT device as soon as you introduce them to your network.

Although using the preventative measures detailed for these five types of attacks can dramatically decrease your chances of data theft, there are endless ways that cybercriminals can target you. Therefore, the true key to making sure you avoid a data breach is to have a plan. This is where an MSP like Longleaf can help. By helping you formulate a comprehensive, structured approach to cybersecurity, we can streamline the time-consuming tasks of learning about new threats, keeping your systems up-to-date, and educating your team. Contact Longleaf today to put your cybersecurity plan in motion.

by

How Hackers Steal Your Data (Part 1 Of 2)

It’s no secret that your data is a hot commodity. Each day sophisticated cybercriminals attempt to make money by stealing your private information to pose as you, blackmail you, or simply sell your information to someone else who will. If you want to stay in business, you’ll need to be able to thwart these attempts. But to do so, you must understand the increasingly advanced methods hackers use. In this two-part article, we’ll examine the techniques hackers are currently utilizing to try and gain access to your sensitive data.

Cracking Passwords

The fact that hackers might simply guess your passwords probably seems painfully obvious, but the hard truth is that many companies still lack proper password management. If your password is a series of common words, a dictionary attack can use algorithms to cycle through a word database and quickly discover your chosen phrase.

Simply adding some numbers won’t be enough either, as hackers can up the ante with a brute force attack which allows them, with some additional computing power, to cycle through alpha-numeric combinations until they strike gold.

Even when passwords are hashed, or turned into a different string of text to guard against hackers cracking all the passwords in a database, they can still be broken. The most determined and well-equipped hackers can use a form of attack that rebuilds the password, called a rainbow table attack, which can cause hashed passwords to become defenseless. In this type of attack, pre-computed tables are used to recover hashed passwords and reverse them to reduce guessing time and discover complex passwords.

To prevent these, you’ll need to create unique passwords that are more than ten characters long and have a mix of numbers, lowercase and uppercase letters, and symbols for each account. One popular trick for this is to think of a phrase and codify it. For example, “Cousin Greg lives in Seattle” becomes “C0u$iNGr3gLiV3SinS3ATtLE”.

Additionally, you should use multi-factor authentication (MFA) whenever possible. Many services such as Office 365, Facebook, and Google, offer MFA options in their settings. Simply navigating to the settings and opting for the MFA feature is the best way to make sure your password isn’t the only thing standing between an attacker and access to your accounts.

Phishing Schemes

One of the most common methods of data hacking, phishing scams are so effective, they’ve produced many high-profile data breaches including the hacking of Clinton campaign chairman John Podesta, who unknowingly gave up his Gmail password, and Snapchat, where an employee gave up payroll information that led to widespread identity theft.

In a phishing scheme, disguised e-mails are used to lure the recipient into a trap. Posing as a trusted source, such as someone you do business with, your bank, or your email provider, hackers trick you into providing them information directly, clicking a link that leads you to a fake site, or downloading an attachment that then allows them access to your system. One of the oldest tricks in the book, phishing is an evergreen technique that is continuously being re-invented in order to become harder to spot.

The best way to not get hooked in by a phishing scam is to study the way they are being used and stay vigilant. Make sure to check the spelling of URLs in email links and watch out for URL redirects , or being forwarded to a different URL than the one you clicked. Keep your browsers up-to-date to ensure you have the most recent security patches and install anti-phishing toolbars on your browser that can run checks on sites you visit and compare them to a database of known phishing sites. And, of course, never give out personal information over email.

These are two of the most popular ways attackers attempt to gain access to your system, and stay tuned for Part 2 of this article as we dive into three more sophisticated methods cyber attackers are currently using. Concerned you’re not as safe as you thought? Contact Longleaf immediately. Our cybersecurity professionals have the expertise to make sure you’re one step ahead of the latest tricks, scams, and hacks that could threaten your business.

by

Step Up Your Spring Cleaning with A Network Assessment (Part 1)

Spring has sprung, and you’re already busy clearing out all the clutter that accumulated during the winter months. But shiny floors and polished tennis trophies won’t keep you in business. A reliable and robust network will. When your network is a mess, employees waste time troubleshooting, customers disengage, and revenue is lost. To avoid this, in addition to busting out the broomsticks, it’s imperative that you set aside some time this spring to complete a full network assessment.

A network assessment is a thorough evaluation of your IT systems that gives you a comprehensive overview of every weakness and opportunity for improvement. In this two-part “spring cleaning” article, we’ll detail some of the simple steps you can take to get a better sense of where your network stands today.

Define and Prepare

Step one to assessing your network is preparing properly, so you save time and know what your goals are. Because if you don’t know what you’re looking for, how can you find it? Begin by defining the scope of your evaluation and decide how long it will take, who will take part, and what aspects you want to analyze. Next, make sure key members have the usernames and passwords needed to edit access rules accordingly so authorization issues won’t slow down the process. Once you’ve defined the scope of your inquiry and provided access to your chosen team, you’ll be ready to begin. For this article we’ll define our primary objectives as surveying these five key aspects of the network: inventory, infrastructure, performance, security, and management.

Assess Your Inventory

Like an old attic, your network is probably home to more than a few items you forgot existed. This is why it’s important to start digging through the clutter and make a detailed inventory of all of the devices, network appliances, software, and hardware that are currently in use (or not in use) across your network. The most effective way to do this is to create a simple spreadsheet with details such as:

  • Name
  • Type of Device
  • IP Address
  • Manufacturer
  • Make
  • Model/Model Number
  • Serial Number
  • Operating System
  • Physical Location

As tedious as it may seem, this is no time to slouch. You’ll want to get up on your feet, walk around, and take a look at everything in the office. Note every laptop, printer, server, router, etc. It’s time to get a clear picture of what you’re using and how it’s being utilized. This is also a good time to take some photos to file away so that if you ever need to file an insurance claim, you’ll have good documentation.

However, as a business owner, you may find that taking inventory of your all your office devices falls to the bottom of your priority list. In that case, partnering with an MSP might be a more practical option for your business. As an MSP, we provide Inventory Management, so you will never have to worry about every device your employees are using, or if they are updating their programs as often as they should. Instead of the tedious “spreadsheet” approach, our Inventory Management is automated through our Remote Monitoring and Management (RMM) tools, which automatically generates your inventory for you.

Test Your Infrastructure

Now that you’ve figured out what you own, it’s time to ask yourself: Do these devices work well together? Streamlining infrastructure is the crucial next step to achieving network efficiency. Similar to our inventory process we’ll want a dedicated document containing all our findings. A network map is the most useful tool for examining the overall design of network systems. If you’re particularly talented, a hand-drawn diagram can suffice, but a network mapping software solution like Visio might be more practical. MSPs often use Visio themselves to create clean network maps, but may also have monitoring software that automates this process for their clients. Longleaf, for example, routinely auto-discovers devices and creates live diagrams in real-time to make sure our clients get the most thorough sense of how their systems are working together to identify flaws and make improvements, as well as quickly identify and remove unauthorized devices that shouldn’t be on your network.

You’re halfway there! Stay tuned for part two where we’ll cover the best ways to assess network performance, strengthen your cybersecurity, and stay on top of these various aspects post-assessment. Already overwhelmed by the intricacies involved in a full network assessment? Consider contacting Longleaf. A top-of-the-line Managed Service Provider, Longleaf can expertly survey your entire system in a hurry to get your network in top shape.

by

Is It Time to Upgrade the Software on Your Office Devices?

Are you using an older version of Windows, Outlook, or Windows Server? If so, don’t panic, but Microsoft may be about to stop supporting those products.

Microsoft publishes the lifecycle of each product on their website, but it’s a big wall of text and tables, so we’re happy to decipher it for you. It can be inconvenient and costly to find yourself in need of tech support for an unsupported product, and it can take a while to do a company-wide update, so make sure you know ahead of time what you’ll need to replace, and by when.

Here’s what they’re telling us:

  • Windows 7: Microsoft will stop giving any support at all, including user support and security patches on Jan. 14, 2020. This is called “End of Life.” Until then, they’ll provide security updates and you can buy support if you need it.
  • Windows 8.1: They ended mainstream support (new features, free user support) on Jan. 9, 2018, but End of Life won’t happen until 2023.
  • Windows Server 2008/2008 R2: End of Life will occur Jan. 14, 2020.
  • Windows Server 2012: End of life will occur Oct. 10, 2023.

The ones we think will have the greatest impact will be the End of Life for Windows 7 and Windows Server 2008. Many people are still running Windows 7 because they love it, and many servers are still running 2008 because it really was a great product. They both will reach End of Life on Jan. 14, 2020, so that’s worth some attention.

You should also know that Microsoft has been moving toward a subscription-based model, encouraging clients and companies to move toward Office 365 subscriptions instead of the old model of buying software, loading Microsoft Office onto your device, and having a perpetual license for the product. Users who have a perpetual license, such as those on Office 2016, will need to upgrade by 2020 in order to use their product in conjunction with the suite of Office 365 products, like SharePoint and Exchange.

These end dates are important to track to keep all of your products working together. When you connect Office 365 products with “legacy” versions of Microsoft tools, you don’t benefit from the full range of the current product capabilities and certain features may not work properly.

If you act on nothing else, take the 12 months to ensure that your software and systems are up to date and well-thought-out. Ask your Managed Service Provider or dedicated IT staff to tell you what your business is running now, whether it’s up to date and supported, what actions you need to take to stay supported and compliant, and help you think through moving to a subscription-based product. If you have proprietary or industry-specific software that ties in, you’ll need some extra planning time.

If you’re a Longleaf client, we’re already doing this on your behalf, so please do ask us for more information. You also have the benefit of our virtual CIO services, to ensure that your current and future business needs are supported by your technology investments.

If you’re not yet a Longleaf client, and have a need for this sort of strategic IT planning and execution, we’re always glad to help. Please do reach out to us at sales@longleafsys.com for a full discovery and analysis of your IT infrastructure.

by

Is a Bring Your Own Device (BYOD) Policy Right for Your Business?

Technology is changing so quickly these days that your business environment can evolve right under your nose, before you’ve even noticed. One of the biggest changes that has happened in recent years is Bring Your Own Device, or BYOD, which is when employees use their own devices, either on company premises or to access company resources from home or the road. A decade ago, people with personal cell phones used them to just take work calls when needed. Now, practically everyone has a smartphone and/or tablet with email access, work-related apps, and download capabilities.

Some businesses saw it coming a mile away and addressed it with clear, deliberate strategies and well-considered policies. But more often than not, it’s been ad hoc, with employees casually setting up work email on their personal phones and laptops, or accessing business cloud storage platforms from their phones or tablets.

As a decision-maker, you’d be wise to actively decide how your business will handle it. Will you allow BYOD as long as employees follow a set policy, or will you insist on your team members using employer-provided devices?

First, you need to know what the pros and cons are. Is this even a problem that needs solving, or are companies just being paranoid?

The Clear Benefits of BYOD

There are plenty of reasons to allow employees to bring their own devices into their work environment. It provides more flexibility to employees, allowing them to work when they feel inspired, access files when an emergency comes up, and work with the devices they feel most confident and comfortable using, rather than adjusting to, for example, Windows products at work while using Apple devices at home.

Relying on the same device for work and personal use can also help alleviate small inconveniences, like going home for the weekend and realizing you forgot to send yourself an important file that is stored on the workplace desktop (although this can also be solved through cloud storage solutions).

Your employees may enjoy small perks like having the use of expensive workplace software on their personal devices while being part of your team. If bringing their own devices makes your team more productive, efficient, and happy, it may be worth considering.

Another benefit of BYOD is potential cost savings. Instead of buying new hardware when you onboard employees, through implementing BYOD you may only need to cover supplemental software costs that get them up and running, and avoid lost productivity as the employee will not have to adjust to a new, unfamiliar device.

Be aware, though, that there can be hidden real costs, and there are certainly inherent risks.

The Downside

In addition to those actual costs – such as surprise replacements if their own devices aren’t as reliable as your corporate-quality equipment – it can also open you up to other problems.

Users tend to be more lax in security protocols for their own devices, and your business can end up paying the price for innocent mistakes made by your employees. Without proper cybersecurity practices in place, BYOD can leave your business network infected by viruses or infiltrated by hackers.

When a team member leaves the company, they bring their device with them, and may forget to delete or turn over sensitive business information like passwords. You might end up with a legal issue if you are subject to privacy or data protection regulations, like HIPAA. And if your salesperson owns their own cell phone number, and they take it away with them, what number are your customers going to call when they want to place an order? Perhaps that salesperson’s cell phone, which they’re now using in their new job with your competition.

Finally, if their phone or PC needs technical support, who’s responsible for that cost? It’s possible that your IT company has expert knowledge in one type of device, but would be starting from scratch with a less common type and would have a learning curve. Or if an employee’s personal activities are the cause of their laptop’s meltdown, who’s going to pay for that support ticket? It can be confusing to sort through.

Best Practices

None of these risks are deal-breakers, but if you are going to allow BYOD, you need a set policy with guidelines for your team to follow. There is a good chance that your team is already using their own devices without realizing they could be putting your company at risk. It is time to take action.

Here are a few guidelines to get you started.

  • The same rules should apply to everyone. If the administrative assistant has to follow security protocols, so does the CEO. It’s fair, and it signals that the rules are to be taken seriously.
  • Use plain English in your policies, and make them ubiquitous. You’re going to have to explain it with every employee, probably multiple times as people cycle through devices over the years. They should go in the handbook, on your bulletin boards, and give reminders every so often.
  • Make security and data protection a priority. Whatever rules apply to corporate equipment should also apply to personal equipment. Passwords should be strong and changed often, backups should be automated, and care should be taken to limit theft opportunities.
  • Consider having your IT team check out each device to ensure it’s not arriving into the network already loaded with viruses, and to make sure the performance is adequate for the business need. Making it required to receive explicit approval before using personal devices can ensure that each one is reviewed for risks, and the policies explained again.
  • Spell out who pays for what. Include software and apps, support and repairs, and upgrades. The time to decide who pays is not after the laptop is dropped.
  • Finally, lay out the procedures when someone leaves the company. Be specific about what the company will require, and double-check that company data is removed from personal equipment whenever feasible.

Armed with this information, how do you move forward? Your first step is to call Longleaf. We will help you explore the pros and cons of BYOD and identify whether it makes sense for your unique business. If it does, we will help you find the right tools and software to stay safe, and work with you to build a policy for your team to follow. Contact Longleaf today to get started!

Contact

888-823-2939
336-870-9295

Follow Us

Locations

640 Main St.
Plantsville, CT 06479

245 E Friendly Ave. Top Floor
Greensboro, NC 27401