Everything You Know About Passwords is a Lie

Written by Joe Kozlowicz on Thursday, August 10th 2017 — Categories: Security

Well, maybe not quite everything.

You still need a strong — and long — password. And you still want unique passwords for each of your credentials.

But you don’t need to add any special characters or numbers, at least if you don’t want to. And you don’t need to change your password every month, or every week, or every day (even if it feels like the IT department is making you change it that often).

Here’s why experts are no longer recommending passwords like k1TTyc@7z or @ppl3Be3s — and what they say you should be using instead.

Continue Reading...


Should You Allow Windows Users to Have Administrative Rights?

Written by Joe Kozlowicz on Thursday, July 6th 2017 — Categories: Security

Allowing your users administrative rights under their Windows desktop certainly makes their life easier, but it can cause significant headaches for your sysadmins — and it also opens up a wide variety of vulnerabilities.

A recent study from security vendor Avecto found that 94% of critical vulnerabilities announced by Microsoft could be mitigated by simply removing administrative rights. These vulnerabilities range from phishing attacks that can hijack the system via applications like Microsoft Word to packets that are specially crafted to hit Windows Server. In most cases, they can be leveraged to remotely execute code and take control of the PC, potentially accessing sensitive data and applications deeper within the network.

Many modern workplaces allow users more leeway over the configuration of their workstations, as computer-savvy employees are often more productive when they have applications set up the way they want. But with shutting down admin rights proving to be a relatively easy and strong method of eliminating vulnerabilities, should you risk enabling them?

The answer is probably not...with some caveats.

Continue Reading...


2017 Changes to SSAE and SOC Accreditations for Data Centers and Cloud Providers

Written by Art Salazar on Thursday, June 29th 2017 — Categories: Cloud Hosting, Security

Two of the most common audit standards for data center and cloud service providers are SOC 1 and SOC 2, with the SSAE 16 Type II control containing both of them. These standards are created by the Auditing Standards Board (ASB) of the American Institute of CPAs in order to assure the customers of service providers that controls around services are operating securely and effectively.

Every so often, ASB revises these standards. In 2017, the SSAE 16 (which stands for Statement on Standards for Attestation Engagements — yes, these audits are frequently a mouthful) has been replaced by SSAE 18 for all audits dated May 1st and later.

Let’s take a look at why data centers and cloud providers certify under SOC 1, SOC 2, and SSAE — and see how the SSAE 18 changes might impact them in 2017.

Continue Reading...


The Ten Zones of Enterprise Cloud Security

Written by Joe Kozlowicz on Thursday, June 15th 2017 — Categories: Cloud Hosting, Security

Juggling security in the cloud can seem like an insurmountable task, especially when hybrid cloud and multicloud environments come into play. While your cloud service provider (CSP) can help manage some layers of cloud security, you’ll still be left with management of at least your users and data, if not your application layer.

One way to help keep track of all the security vectors within your organization is to divide them into these ten zones of enterprise cloud security. Any cloud security policy should cover each of these areas. You can also assign a single engineer or administrator to have ownership over each zone.

Continue Reading...


Security and Compliance Are Different Areas of Risk Mitigation

Written by Joe Kozlowicz on Monday, April 10th 2017 — Categories: HIPAA Compliance, Security

While many organizations combine Security and Compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing risk mitigation under a single umbrella, the fact is that compliance and security measures are two overlapping but inherently different practices of information security.

Compliance standards often change quickly and require quite a bit of work to ensure enforcement across an entire organization. Audit trails, regulator inspections, minimum mandates…they have to be tracked and adhered to 24/7. But meeting compliance standards often puts blinders on a security administrator.

Simply meeting a compliance measure — or even four or five — does not mean that your infrastructure is up to snuff with security best practices. Nor does following industry standards of security guarantee that you’ll meet your next compliance audit.

Continue Reading...


Don’t Take the Bait! Avoid Phishing Scams with Tips from the GSC

Written by Andrew Long on Tuesday, March 28th 2017 — Categories: Security

Have you ever received an email from Amazon, PayPal, Blizzard, or another trusted organization saying they need you to verify your information? What about emails from a Nigerian Prince? Or maybe you’ve been the lucky winner of an iPad and you just have to send them your name, date of birth, Credit Card number, social security number, mother’s maiden name, and the blood of your firstborn child.

These phishing scams are an ever increasing and (to those who know what they are looking for) blatantly obvious attempt to steal your Personally Identifiable information (PII). The scary part is that according to Google, they are effective 45% of the time.

Read on to learn how to avoid phishing scams.

Continue Reading...


Does Your Organization Need Cyberinsurance?

Written by Joe Kozlowicz on Thursday, March 2nd 2017 — Categories: Cloud Hosting, Colocation, Disaster Recovery, Security

In the past decade, alongside the increased importance of digital tools for business, a new category of insurance has sprung up to cover digital data breaches and liability. With the average total cost of data breaches reaching $4 million dollars and the average cost of each lost or stolen digital record increasing to $158, it is clear that experiencing a data breach is an expensive affair.

While dedicated security response teams and encryption do decrease these costs, and IPS/IDS systems and other security measures can help reduce the risk, many organizations will still experience a data breach at some point.

Cyberinsurance can help mitigate the cost of a data breach by reimbursing your company for legal fees, helping with the cost of crisis management and investigation, notification costs, extortion liability fees, and third party damages relating to network or system outages. But does every organization need cyberinsurance?

Continue Reading...


To Maintain IT Security, You Might Need to Annoy Your Users

Written by Joe Kozlowicz on Friday, February 17th 2017 — Categories: Security

We've posted quite a bit about best user practices to maintain the integrity of your IT infrastructure, especially strong password hygiene, the use of antivirus/antimalware, and the importance of backups in the case something goes awry. With user negligence causing up to 68% of breaches, according to a Ponemon Research study, these practices are essential. But how can you make sure your employees adhere to them?

But a recent article covering the Clinton presidential campaign staff methods to encourage information security reveals one secret to IT security: being kind of annoying.

Continue Reading...


Legal Battles Over Local Data: Why Your Cloud Location Matters

Written by Joe Kozlowicz on Wednesday, February 15th 2017 — Categories: Cloud Hosting, Cloud Storage, Security

Placing data in the cloud comes with a set of concerns — accessibility (will my information always be available if the cloud has technical problems?) and security (how safe is my data when I can’t control the security measures?) chief among them. Of these, security has long been the primary concern for technology decision makers considering the cloud.

Recent surveys reveal that while security remains top of mind, the location of data is rising in prominence as a barrier or concern for cloud adoption. These concerns stem in part from the difficulty of visibility into data transit and storage. Customers might want to know where exactly their data is residing so they can retrieve it quickly — and also for legal implications.

Two recent court cases between Google, Microsoft, and the Federal Government highlight the legal entanglements that could come with storing information in the cloud. Read on to learn why the location of your cloud data is vital.

Continue Reading...


Avoid Virtual Machine Performance Problems from Antivirus Tools

Written by Joe Kozlowicz on Monday, January 9th 2017 — Categories: Cloud Hosting, Hybrid Cloud, Cloud Hosting, Security, VMware

You’re probably familiar with the kind of performance issues inherent in antivirus/antimalware tools. Anyone who has used a PC when the antivirus scan boots up can attest to sluggish performance. The same issues rear their head when using antivirus in a virtual environment – but virtual machines come with their own set of wrinkles.

Antivirus software can be installed either on the VM itself or on the host. Depending on your approach, you’ll want to consider these key factors to maximize performance.

Continue Reading...

Chat Now