Uh oh! Halloween is over, but are you too afraid to take our pop quiz? Find out what IT security topics cause fear in your life by taking our short pop quiz and reflecting on where you need to improve. The questions for this quiz can be found throughout the Sulzer Security Newsletters, beginning in November of 2017. Good luck!!
If you took a pop quiz about information security, how do you think you would do?
Well, we hope you have been catching up on the Sulzer Security Newsletters each month, because you could be tested in the near future! Our Junior Cyber Security Consultant, Matthew McCaffrey put together a fun pop quiz covering topics in the monthly newsletters. The answers to this possible exam can be found in previous newsletters, listed in sequence by month. For example – question #1 will be taken from his first ever newsletter back in November 2017! Better get your reading caps on!
So when can you expect this pop quiz?? We will have it available on the Sulzer US blog early next week, so keep an eye out for it and let us know how you score! But don’t worry if you do not do well – there may be other exams in the future.
The new “standard” regarding verification in IT security has become two-factor authentication. This is a process that can use a wide array of authenticators to allow a user access to an account. An example scenario of two-factor authentication could be: a user downloads a new application and enters their email address and corresponding password to create a new account (first factor). After this, a prompt appears to ask for a mobile phone number to send a 4-8-character pin, which is then entered in the prompt (second factor), authenticating the user. This is just one example of how two-factor authentication works. But, is this truly enough?
There are many conflicting opinions regarding two-factor authentications. Many security professionals believe that it is in fact not enough, while businesses believe that it is. A 2016 Secureauth survey recorded that 99% of IT decision makers thought that two-factor authentication was the best way to secure identity and access.  The reality is that hackers are adapting and figuring out ways to intercept messages, breaching two-factor authentication methods.
So, what’s on the horizon for advanced authentication? Three factor authentications? Four factor authentications? Well…. yeah. Businesses are evolving to advanced authentications (several factor authentication). But is there a limit on the number of authenticators? Probably. At this point in time businesses are moving to systems that require additional levels of verification based on the sensitivity of the data. This can almost be thought of as a pyramid. The higher you get (or deeper into the data) the more complex it is to reach, meaning you need more authenticators.
So… what can a user do to ensure that their two-factor authentication is secure in the meantime? Use an authenticator (the google authenticator application is great) instead of an SMS password. SMS passwords are becoming more and more vulnerable as hackers are becoming proficient in sim card attacks. Defined below:
“A SIM swap attack, also known as a SIM intercept attack, is a form of identity theft in which an attacker convinces a cell phone carrier into switching a victim’s phone number to a new device to gain access to bank accounts, credit card numbers and other sensitive information.” 
Another measure to ensure that your two-factor authentication is “more secure” is to implement Yubikeys. Defined below:
The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance (FIDO U2F). … The 4th generation YubiKey launched on November 16, 2015.
To summarize: a Yubikey is a piece of hardware that plugs into the USB port of your computer. This Yubikey works in conjunction with a username and password. If the username and password is compromised, but the Yubikey is not plugged into the USB port access will be denied.
Realistically, two-factor authentications should be a standard at this point. As time goes on things will change (as they always do in IT security) and, two-factor will become obsolete. In the meantime, making sure your business is at least up to par, and using two-factor authentication could help, and even add legitimacy to your businesses reputation.
By, Matthew McCaffrey
Did you know that the global cost of cybercrime is expected to reach $2 Trillion by the year 2019? It is no secret that criminals are infatuated by cash. In the year 2018, cyber fraud alone eclipsed $1.4 Billion. Not only is cyber fraud growing, but the types of cyber fraud are as well. In August’s Sulzer Security Newsletter, I will be shedding some light on the types of cyber fraud, specifically identity theft (cyber related), job scams, and greeting card scams. There will also be some useful tips on how to prevent and protect yourself, your business, and loved ones from a terrible experience.
Cyber fraud defined: cyber fraud is the use of internet services or software with internet access to defraud victims or to otherwise take advantage of them.
Identity theft related to cybercrime is extremely broad. Think of the information you share online….. now think about who can see it…now think about a malicious administrator who can also see the information. This information is all over, but also sensitive. If you have put two and two together by now, you understand why identity theft is so common. And if you have not: email, first name, last name, social security number, credit card information, bank account number, messages containing sensitive data, just to name a few. Cyber identity theft can occur for several reasons. Some of these might be out of your control, for example a business getting breached, sketchy administrators, lack of user awareness by an employee leading to a compromise of sensitive data. There may also be some aspects that you can control – ask yourself: “Do I know how to spot, and stop phishing emails?”, “Are my passwords strong?”, “Am I getting credit cards that I don’t qualify for sent to me in the mail?”
Preventing Identity Theft:
Strong security software like Webroot, or Norton, and other services of that nature are a great hands-free preventive measure. As mentioned above, learning to spot phishing emails can be an immense help. Did you know that 95% of all cyber-attacks on enterprise networks occur from spear phishing in some capacity?  Training yourself to spot phishing emails can be done simply by watching a short YouTube video. 
Job scams are when an alleged, “headhunter” (cybercriminal in disguise) reaches out with a dream “opportunity”…because it is. Often, the “recruiter” will ask you to make a pre-payment to get the on-boarding process started. Some “headhunters” will even ask for a resume in a word document (which is not secure for those of you in Human Resources) to use the template for personal gain, such as to sell “personalized resumes.”
Preventing Job Scams:
Job scams are avoidable by asking yourself a few key questions. Some of these questions could be “Is the recruiter’s profile legitimate looking?”, “Is this too good to be true?”, “why would I pay an employer before I start?” Most legitimate companies will ask you to send your resume as a PDF, which is usually an instruction from the company’s information security team.
Greeting card scams typically come in the from a spoofed email, injected with a trojan horse (type of malware). The trojan horse is typically embedded within a card that celebrates a milestone. These attacks often come from someone who would typically send you something like this (ex. Human Resources, Grandma, Dad, etc.). Attackers can achieve this by using social engineering. Defined below:
“(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes” 
Preventing Greeting Card Scams:
Greeting card scams are a type of identity theft. That YouTube video we recommended earlier, in conjunction with a security software could help you. For example, say it is the holiday season and you receive a card from your Grandma, who just got a new computer and is excited to test it out (so you think) and you open an electronic card infested with a trojan horse, an anti-virus software could help protect you from things you cannot anticipate.
Cyber fraud will evolve as technology does, like most information security trends. The best way to prevent yourself from a tough situation is by staying aware and questioning the information you receive. As articulated by Abraham Lincoln “You can fool some of the people all the time, and all the people some of the time, but you cannot fool all of the people all of the time.” Don’t be fooled.
By: Matthew McCaffrey
“In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. Almost four years later, agreement was reached on what that involved and how it will be enforced.” The result: The General Data Protection Regulation, otherwise known as GDPR. At its core, it is a new law that gives European Union citizens more control over their personal data, which requires users to be notified when companies use any form of general personal data such as photos, names, address, or credit card numbers. It also extends to IP addresses, genetic data, and biometric data.
In this month’s Security Newsletter, we will take a look at some of the positive outcomes of the new law, and some of the new challenges facing the information security world.
First, the positive.
Improves Customer Trust
When customers feel that their information is protected, they stay loyal to a business. Picture Company A and Company B who sell similar products. Company A complies with GDPR and therefore has never been breached. Company B has no security standards and is more susceptible to breaches. In a world where technology effects our everyday lives, customers are more aware of the security standards held by their product owners. Think of the GDPR as a competitive edge to your business.
Complying by the GDPR means that your company is required to report a known breach within 72 hours, which is a giant step in a positive direction for customers. In a recent Yahoo breach, 500 million users had usernames, email addresses, dates of birth and passwords stolen. Yahoo did not report this for over two years and left users in the dark in order to protect the company’s reputation. The GDPR will now require businesses to be transparent by notifying users of breaches within the appropriate time period.
And now, the challenges.
A consumer may not be affected by this challenge, but as a business this is a major concern. Fines for not complying to the GDPR regulations can become extremely detrimental. Google and Facebook faced up to $9.3 billion in fines within the first effective day of the GDPR. More detail on the fine parameters can be found within the following link https://www.gdpreu.org/compliance/fines-and-penalties/ (1)
If you are an international business owner with a third-party cloud service located in the UK for example, you are now also required to comply with the GDPR. “The GDPR won’t just affect companies based in the EU, despite the fact it concerns the data of EU citizens. Any business handling the data of EU citizens – whether customers, employees or other stakeholders – must comply, no matter where the business is located.” This is a new challenge for global businesses who may need to restructure their policies in other locations.
It is important for businesses and consumers to understand that the GDPR is not just another regulatory obligation, but a means for aligning business and technology. Now that data and technology are becoming the leaders of our digital world, businesses and consumers alike must consider a comprehensive approach to information and data management policies within their companies.
Don’t live in the EU but want to know more? Check out this video.
By, Matthew McCaffrey
Data breaches in 2017 reached an all-time high. “On December 20th, the Identity Theft Resource Center (ITRC) reported that there were 1,293 total data breaches, compromising more than 174 million records. That’s 45% more breaches than 2016.”1 Your company may think they’re doing all they can to prevent a breach, but hackers are taking advantage of something you might not be thinking of: a simple password.
Password breaches are one of the most common ways to break into a company and steal its information. So, the next time you roll your eyes at that password creation box that requires a password with crazy letters and symbols, you should trust that it’s for your own protection.
There are three types of password attacks used by hackers to break your passwords, but here are some steps you can take to improve your security.
A Brute Force Attack is when a hacker uses a program such as Metasploit, the worlds most used penetration testing framework, to attempt to crack a password by cycling through various combinations. There are several penetration testing tools such as Netsparker, Acunetix, Wireshark, and w3af. This type of attack is the most common because it focuses on the complexity of the password, so the shorter the password the easier it is to breach.
Resolution: One of the most effective and simple ways to prevent a Brute Force Attack is to implement an account lockout policy. When a user enters an incorrect password more than a specified number of times, the account will be locked- requiring an administrator to take action. Therefore, the hacker will not be able to cycle through enough combinations to reach the correct password with such a system in place.
In this type of attack, a hacker uses a special program to record all of the user’s keystrokes. It is a more complex tactic because it requires malware to be downloaded and is the reason why RSA secure ID tokens have become more common among businesses. RSA Secure ID tokens are hardware tokens used in conjunction with a rotating pin, and used to add a second factor of authentication when accessing confidential information.
Resolution: It is recommended to install anti-spyware and antivirus software, such TotalAV, ScanGuard, and PCProtect because they act as the first line of defense and can be the most effective with the least amount of effort from your business’ IT Administration.
This is when a hacker uses a script to cycle through simple words. Dictionary attacks are usually successful because most users tend to pick short, common passwords like Password123. Dictionary attacks differ from brute force because there are no special characters involved in the passwords. Brute force attacks are typically used against the encryption algorithm itself, whereas the dictionary attack focuses on the keys, or real words.
Resolution: The easiest way is to strengthen the password parameters. Most sites require that your password is 8-12 characters and must include one upper case letter, one lower case letter, a number, and a special character, such as @#$%!. Even if the site does not require this, we recommend following these guidelines, anyway.
Now that you’re more aware of the different types of password attacks, you can understand the importance of how having a unique password can prevent a major breach in your company’s information.
We understand the difficulty of tracking all the usernames and passwords that you create for all the sites you use on a regular basis, so we recommend using a password protection program, such as LastPass, which safely stores your credentials in its “vault.” But don’t forget, give that program a strong password, too!
By, Matthew McCaffrey
Spring has sprung and now it’s time for the dreaded, but ultimately satisfying, spring cleaning. Most chores are often put off or forgotten, but we’re here to help. Wash windows? Check. Dust shelves? Check. Clear data and reset passwords? Oh, good idea! Refreshing the well-being of your data could help prevent major headaches down the road, simply by following these steps:
“Before you delete the software, clean out and close your account with the company so it retains the smallest amount of data possible about you.”1 Be sure to review the app’s Terms of Service regarding data handling procedures. When you close an account, some of your basic data may still remain, but taking these steps will keep the account from staying active and potentially continuing to collect data.
Check browser settings and clear out old data such as cleared passwords and auto filed information. Also delete any unused browsers, and clear the cookies of your primary browser.
“Anything that has the ability to store information can retain that information even after you have deleted it, including ones that aren’t obvious, such as phones, wearables, networking equipment, copiers, printers and fax machines.”2 These devices should be handled as if they were credit cards. You can easily find links on the internet about how to securely get rid of your device. YouTube is a great resource for things of this nature.
There are electronic recycling events in several communities where you can bring your old devices and recycle or donate them. For Bergen County, NJ residents, the link below shows what devices are accepted and the locations for recycling.
Reset all of your passwords and have a “password purge” in order to avoid using the same one for years on an account that does not prompt you to change it after a fixed amount of time. Also avoid using the same password for multiple accounts. If you use one password for everything and someone gets a hold of it, they can gain access to everything else, too.
These four steps are easy to do and beneficial to the security of your information and devices. So, as you dust off your desk for spring cleaning, dust off your data, too!
By: Matthew McCaffrey
As the sun stays out later and the snow melts away, people are breaking out of hibernation. We no longer act as shut-ins on the weekends, hiding from the blistering cold of winter. Instead, we celebrate by shutting down the laptops and TVs, and going outside! Since everyone can’t stay away from being connected and sharing their “Rosé all day” social media posts and pictures with friends at a BBQ, we take our phones with us; after all, they’re called mobile phones! The convenience of mobile phones is great, but, just like computers, they can be extremely dangerous to the integrity of your data. If you’re out of the house and you urgently need to connect to the internet (and maybe you’re running out of your monthly data), you are more likely to connect to a suspicious Wi-Fi network. Phones are still essentially computers, which means that they are also vulnerable to things such as network spoofing, spyware, and phishing. Fun fact: today’s smartphones have more computing power than the computers NASA used to send Neil Armstrong to the moon. Crazy!
Here are some tips to protect your mobile data:
Luckily, iPhones have encryption built into the operating system (OS) if the user takes advantage of the password feature (which we highly recommend). Other mobile devices have built-in encryption methods that are commonly demonstrated via YouTube videos1 if the user struggles to take advantage of the feature.
A lot of people don’t even know their smartphones can update. Apple’s updates are usually very upfront about update notifications, with a prompt asking you to update several times a day until you complete it. Other companies are a little more relaxed, which is not ideal for security. Look up the current software version for your mobile device and make sure your phone has that version to remain secure.
Would you download apps from a website that you have never heard of on your computer at work? We would hope not. So, would you do this on your personal, mobile computer, AKA your smartphone? We hope you wouldn’t. Think twice and do research before downloading applications to prevent downloading malicious software.
By: Matthew McCaffrey
As the year moves on, cybercrime continues to grow as predicted. Last month, CNN reported that United States authorities revealed 36 cyber criminals who were responsible for more than $530 million dollars in cyber-related crimes cumulatively.1 Even though action is taken to deter this, the industry is projected to reach $2 trillion by 2019, according to Forbes.2 Not only is cybercrime demanding more dollars, cryptocurrency is continuing to grow as well.
Though the value of cryptocurrency has decreased in recent weeks, the potential for another upward burst in value is still looming. With that in mind, there has been a steady increase in the demand for cybercrime as a service. “Things like malware-as-a-service, ransomware-as-a-service, distributed denial of service-as-a-service and phishing-as-a-service are becoming commonplace items that can be purchased or rented online. Technology that steals passwords is just a couple of clicks away for a wannabe hacker. Not only are they available, they’re updated regularly and supported. There’s an entire ecosystem built around these products, much as you’d see around conventional software that you’d run on your laptop.” 3
As cybercrime-as-a-service is beginning to gain more traction, we notice that they are targeting small to mid-size business. The biggest reason for this is the inability to pay for proper cyber protection due to budget restrictions. Cybercriminals are aware of this and are always attempting to find innovative ways to obtain information. Therefore, having weak protective measures makes these businesses more vulnerable. If they can’t afford the protection, they are encouraged to find other ways to protect themselves to prevent an attack from cybercriminals. ITWeb provides some cost-effective suggestions to achieve this: