Everything You Know About Passwords is a Lie

Written by Joe Kozlowicz on Thursday, August 10th 2017 — Categories: Security

Well, maybe not quite everything.

You still need a strong — and long — password. And you still want unique passwords for each of your credentials.

But you don’t need to add any special characters or numbers, at least if you don’t want to. And you don’t need to change your password every month, or every week, or every day (even if it feels like the IT department is making you change it that often).

Here’s why experts are no longer recommending passwords like k1TTyc@7z or @ppl3Be3s — and what they say you should be using instead.

Continue Reading...


Should You Allow Windows Users to Have Administrative Rights?

Written by Joe Kozlowicz on Thursday, July 6th 2017 — Categories: Enterprise Applications, IT Operations, Microsoft, Security

Allowing your users administrative rights under their Windows desktop certainly makes their life easier, but it can cause significant headaches for your sysadmins — and it also opens up a wide variety of vulnerabilities.

A recent study from security vendor Avecto found that 94% of critical vulnerabilities announced by Microsoft could be mitigated by simply removing administrative rights. These vulnerabilities range from phishing attacks that can hijack the system via applications like Microsoft Word to packets that are specially crafted to hit Windows Server. In most cases, they can be leveraged to remotely execute code and take control of the PC, potentially accessing sensitive data and applications deeper within the network.

Many modern workplaces allow users more leeway over the configuration of their workstations, as computer-savvy employees are often more productive when they have applications set up the way they want. But with shutting down admin rights proving to be a relatively easy and strong method of eliminating vulnerabilities, should you risk enabling them?

The answer is probably not...with some caveats.

Continue Reading...


2017 Changes to SSAE and SOC Accreditations for Data Centers and Cloud Providers

Written by Art Salazar on Thursday, June 29th 2017 — Categories: Cloud Hosting, Security

Two of the most common audit standards for data center and cloud service providers are SOC 1 and SOC 2, with the SSAE 16 Type II control containing both of them. These standards are created by the Auditing Standards Board (ASB) of the American Institute of CPAs in order to assure the customers of service providers that controls around services are operating securely and effectively.

Every so often, ASB revises these standards. In 2017, the SSAE 16 (which stands for Statement on Standards for Attestation Engagements — yes, these audits are frequently a mouthful) has been replaced by SSAE 18 for all audits dated May 1st and later.

Let’s take a look at why data centers and cloud providers certify under SOC 1, SOC 2, and SSAE — and see how the SSAE 18 changes might impact them in 2017.

Continue Reading...


The Ten Zones of Enterprise Cloud Security

Written by Joe Kozlowicz on Thursday, June 15th 2017 — Categories: Cloud Hosting, Security

Juggling security in the cloud can seem like an insurmountable task, especially when hybrid cloud and multicloud environments come into play. While your cloud service provider (CSP) can help manage some layers of cloud security, you’ll still be left with management of at least your users and data, if not your application layer.

One way to help keep track of all the security vectors within your organization is to divide them into these ten zones of enterprise cloud security. Any cloud security policy should cover each of these areas. You can also assign a single engineer or administrator to have ownership over each zone.

Continue Reading...


Be Prepared for a Breach with a Cloud Forensics Protocol

Written by Joe Kozlowicz on Friday, May 26th 2017 — Categories: Cloud Hosting, IT Operations, Security

While the goal of most infosec professionals is ostensibly to prevent data breaches and security incidents, the daily headlines about major hacks prove that no one is completely safe. If — or perhaps we should say “when” — you are breached, one of the first steps is to perform digital forensics to help locate the attack vector, identify compromised systems, and tag any stolen data.

Cloud environments further complicate the digital forensics process, especially in an increasingly multi-cloud world, where multi-tenant hosting environments and hybrid IT infrastructure is more and more common.

Preparing a cloud forensics protocol can help your organization reduce the overall cost of a security investigation and disclosure, quickly figure out how the attacker gained access, restore system operations faster, and even garner discounts on any cyberinsurance you may have.

Continue Reading...


Keep Exchange Secure: A Checklist

Written by Joe Kozlowicz on Monday, May 8th 2017 — Categories: Enterprise Applications, Security

It’s impossible to imagine modern business without e-mail. While your users may scoff at the idea of a fax or hard line phone, in the background your IT department is working to make sure the e-mail systems your business relies upon continue to function smoothly, both in the moment of sending and receiving and for long term archive and retrieval.

A key element of a functional Exchange server is security. E-mail is an easy route for phishing, social engineering, and malware to enter your environment. It’s also a great way to access confidential information.

To maintain Exchange server security and the integrity of your business e-mail, follow this security checklist.

Continue Reading...


Security and Compliance Are Different Areas of Risk Mitigation

Written by Joe Kozlowicz on Monday, April 10th 2017 — Categories: HIPAA Compliance, IT Operations, Security

While many organizations combine Security and Compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing risk mitigation under a single umbrella, the fact is that compliance and security measures are two overlapping but inherently different practices of information security.

Compliance standards often change quickly and require quite a bit of work to ensure enforcement across an entire organization. Audit trails, regulator inspections, minimum mandates…they have to be tracked and adhered to 24/7. But meeting compliance standards often puts blinders on a security administrator.

Simply meeting a compliance measure — or even four or five — does not mean that your infrastructure is up to snuff with security best practices. Nor does following industry standards of security guarantee that you’ll meet your next compliance audit.

Continue Reading...


Don’t Take the Bait! Avoid Phishing Scams with Tips from the GSC

Written by Andrew Long on Tuesday, March 28th 2017 — Categories: Security

Have you ever received an email from Amazon, PayPal, Blizzard, or another trusted organization saying they need you to verify your information? What about emails from a Nigerian Prince? Or maybe you’ve been the lucky winner of an iPad and you just have to send them your name, date of birth, Credit Card number, social security number, mother’s maiden name, and the blood of your firstborn child.

These phishing scams are an ever increasing and (to those who know what they are looking for) blatantly obvious attempt to steal your Personally Identifiable information (PII). The scary part is that according to Google, they are effective 45% of the time.

Read on to learn how to avoid phishing scams.

Continue Reading...


Does Your Organization Need Cyberinsurance?

Written by Joe Kozlowicz on Thursday, March 2nd 2017 — Categories: Cloud Hosting, Colocation, Disaster Recovery, IT Operations, Security

In the past decade, alongside the increased importance of digital tools for business, a new category of insurance has sprung up to cover digital data breaches and liability. With the average total cost of data breaches reaching $4 million dollars and the average cost of each lost or stolen digital record increasing to $158, it is clear that experiencing a data breach is an expensive affair.

While dedicated security response teams and encryption do decrease these costs, and IPS/IDS systems and other security measures can help reduce the risk, many organizations will still experience a data breach at some point.

Cyberinsurance can help mitigate the cost of a data breach by reimbursing your company for legal fees, helping with the cost of crisis management and investigation, notification costs, extortion liability fees, and third party damages relating to network or system outages. But does every organization need cyberinsurance?

Continue Reading...


To Maintain IT Security, You Might Need to Annoy Your Users

Written by Joe Kozlowicz on Friday, February 17th 2017 — Categories: Security

We've posted quite a bit about best user practices to maintain the integrity of your IT infrastructure, especially strong password hygiene, the use of antivirus/antimalware, and the importance of backups in the case something goes awry. With user negligence causing up to 68% of breaches, according to a Ponemon Research study, these practices are essential. But how can you make sure your employees adhere to them?

But a recent article covering the Clinton presidential campaign staff methods to encourage information security reveals one secret to IT security: being kind of annoying.

Continue Reading...

Chat Now