What To Do When You’ve Been Hacked?

It’s a moment that can make your stomach drop faster than the word “audit”—the moment when you realize that your network system has been hacked.  Unfortunately, with the way the current world of cybercrimes is going, the odds of experiencing such a hack are becoming more likely.  With this in mind, it is imperative that you know exactly how to deal with a hack attack on your system.  Having a plan in place ahead of time will prevent fumbling and confusion in the event that a hack does take place.

  • The first major step is to bring together all of the members of the IT department to determine exactly what has happened.  It may be necessary to hire an outside company to do an analysis of your network system to determine the cause of the breach.   Whether you work in house or with a cyber security expert , it is absolutely necessary to get an idea of what has happened so you can determine how to proceed.
  • Once the breach has been assessed, determine if there has been an actual loss to the company (either data or monetary losses).  If this is the case, then you need to alert the proper authorities so that the appropriate legal action can be taken.
  • Next up, you need to repair whatever hole in your security allowed the hacker to gain access to your network.  If other issues are revealed as you go, fix them as well, but definitely make sure that the original point of entry is closed so that a similar hack can never happen gain.
  • After you have fixed the holes in your system, take care of a few maintenance issues.  Change all of the system passwords as those will have probably been compromised.  If data has been lost or corrupted, restore these from the most recent system backup.
  • Once you have updated your passwords and data, sit down with the IT department to take stock of what has happened.  Discuss ways that this can be fixed so that it never happens again.  Also, discuss other possible areas of vulnerability in the network that may need to be addressed.  The idea here is to not lay blame on any one individual, but instead to think outside of the box and look at multiple possible solutions to ensure the safety of the network.
  • If customer data, such as individual passwords or credit card numbers, were compromised in the breach, it will also be necessary to communicate this aspect with your clients to alert them of what has been done and what they should do to prevent monetary losses or identity theft.
  • Finally, run a full scan of your network to ensure that the new security measures you have put in place are working.  Make sure that everything is going smoothly and that any problem areas can be taken care of now before another attack occurs (because again, unfortunately, the chances are high that there will be another attempt to attack your system).

Getting hacked may feel like a disaster equivalent to the end of the world, but it doesn’t have to be.  Simply follow these guidelines and you will ensure that you can take care of the damage done and prevent any future attacks from occurring.

Posted in Cyber security, Hacking, IT and Computer Security, Uncategorized | Tagged , , | Leave a comment

Hackers and Tax Scams

It’s tax season again and as millions of Americans rush to their computers to get those last-minute returns in, hackers around the world are looking to cash in as well.  Those who are too hasty in trying to get those final returns in can find themselves easy prey of these cyber-criminals if they are not careful.  The key is to be diligent, observant and keep these tips in mind:

  • This first tip should be a complete given, even when it’s not tax time, but hold on to your social security number like it is your life.  Do not give this information out except to a trusted source like the Internal Revenue Service and only then when you see that the website you are on begins https instead of http.  This add “-s” indicates that the site is secure.  Once a hacker gets a hold on your social security number, you can be the victim of identity theft.  Your number can be sold to dozens of other people, some of whom could try using the number to file tax returns.  And if that’s the case, don’t be surprised if you hear from the IRS about an audit coming up.
  • If your information is compromised, report it immediately and then do everything necessary to make sure you are not the victim of identity theft.  Even the IRS is not infallible, as shown last year when the computers of the South Carolina branch were hacked.  The government quickly provided those affected with assistance to prevent their identities from being bought and sold on the open market.
  • Be wary of web sites that aren’t from reputable companies.  If you aren’t sure if a company is to be trusted, use a search engine to look for reviews.  If they are legitimate, you should be able to find multiple sources confirming this.  But, unfortunately, many web sites are set up promising quick returns and guarantees of big refunds when in fact they are designed by hackers to get your personal information including your bank account.
  • If it’s not a fake website, you also have to worry about fake software.  Installing it may install a Trojan virus that then gives the hackers backdoor access into your computer, your bank account, and your life.  That is why it is so important to keep all of your virus software up-to-date.
  • We’ve said it before and we have to say it again.  Don’t click on strange emails.  If that email comes in saying it is from the IRS with information about your refund, ignore it.  The IRS doesn’t work that way.  Clicking on one could wind up installing a dangerous Trojan virus such as Zeus, a nasty little program which will lie in wait until you go to your bank website to do some online banking and then hijack all of your financial information.

The bottom line is, even when it is tax season, not much changes about online security.  Computer users should simply be more diligent about how they conduct their business and be more careful about avoiding viruses and other criminal traps and tricks.  If you do receive one of these emails, the important thing to do is report it as soon as possible to the IRS so that they can shut them down.

Posted in Uncategorized | Leave a comment

Is Bringing Your Device to Work a Good Idea?

A decade ago, the lines between work and home began to blur substantially when telecommuting became the latest trend.  Employees were able to “dial in” from home and work at their computer from the comfort of their living room.  Now the lines are being blurred even more as many companies are allowing employees to bring in and use their own electronic devices in the workplace.  Personal laptops, smart-phones, and tablets are becoming quite common in corporate America, making for headaches for IT departments who have to contend with new issues that would have been unheard of before.  Here are some issues that must be addressed as companies examine developing a BYOD (BringYour Own Device) policy.

  • Access/Connectivity Issues—One of the first issues that an IT department will have to contend with is whether or not an employee will even be able to access the company’s server using their own personal device.  Because of malware brought in on these devices, the company’s data can be at risk, so this isn’t just a technical issue; it can also be a matter of finances if the company suffers a cyberattack and loses data and/or personal information of client’s and customers.  In fact, many hackers have already figured out this back door to corporate servers and are looking to exploit this particular problem.  Also, if you are allowing your employees to connect to your server to do work, are you liable if their device malfunctions?  Will your IT department have to use their own time and resources to fix a personal device so that they can work?  These issues must be discussed and addressed early on.
  • Privacy Issues—Privacy issues on work computers have already been addressed some time ago and numerous court rulings have upheld that, for instance, employers have the right to read employees emails when sent on a work computer.  The same goes for Internet usage on a work computer.  But what happens when the work computer is also the employee’s personal computer that goes home every night and was bought and paid for with the employee’s money?  There we enter a decidedly grey area.  It is completely unclear what expectations of privacy a worker and the employer have when it comes to personal device usage in the workplace.  A company needs to protect itself with an iron-clad user agreement which outlines these details up front before personal computer usage is allowed.
  • Productivity Issues—A final issue that has to be addressed goes to the reason that you are at work in the first place—to do a job.  If personal devices are allowed, employers have every right to worry that productivity will decrease as employees goof off playing Temple Run or checking their friend’s Facebook status every five minutes.  These are less IT issues and more personnel issues that should also be addressed before a company moves forward with a plan.

All three of these areas should give you some food for thought when it comes to the new trend of bringing your device to work with you.  Obviously, something so new leaves many murky areas that still have to be explored before final decisions can be made.  And certainly, just as these are addressed, new ones will arise.  Technology grows and with it grows the challenges that companies are face with.

Posted in Cyber security, IT and Computer Security, Smart Phone Hacking, Uncategorized | Tagged , , , | Leave a comment

IT Security Jobs — High Demand, Low Supply

Every year, a new study is released revealing the top jobs currently trending worldwide and, particularly, where the technology job markets are headed.  Unfortunately, in the past couple of years, one alarming trend has emerged from all of this.  Currently, there is a huge demand for IT security experts to fill jobs on a global scale.  However, there are not enough of these experts to fill the void.

One recent study found that cybersecurity jobs are growing 3.5 times as fast as other similar tech jobs and over 12 times faster than other non-tech related jobs.  This is the current growth industry of the cyber-world field.  Although increases in defense spending accounted for some of the growth in certain areas, this has not been the case for all as many companies are bringing in security experts to protect their companies and interests from cyber-criminals.

One of the reasons for such a growth in this area has been the recent spate of high profile hacks from cyber-criminals.  Attacks on the Department of Revenue in South Carolina, Nissan, Zappos, Coke, and Wal-mart are just a few of the big cases in the last year alone.  Even when customer security or information is not compromised, the company can still be at risk.  A great case in point is the recent hacking of Burger King’s Twitter account which was hacked to appear as if they were giving up and admitting defeat to rival fast food chain McDonalds.  This type of occurrence may not lose data or credit card numbers, but it still represents a public relations nightmare for the company.

So what exactly is behind the shortage in IT security experts?  One of the major problems is that many schools in the United States are not properly training computer analysts in this field.  Instead, they are having to seek training from outside sources.  This means going to certification companies to gain the training and expertise necessary to develop “white hat hacking skills” which will benefit them in reverse engineering attacks on their company’s websites.

As with any popularity explosion in a job field, there are upsides and downsides.  On the one hand, many of those in the field find themselves working longer hours to overcome the demand placed on them by the dearth of trained experts.  Those who are already trained have to compensate for this shortage.  However, on the other hand, salaries have grown steadily in this field, outpacing many similar technology-based jobs with an average annual salary of almost $100,000 annually.  (That’s more than $12,000 than other comparable jobs in computer related fields.)  With this in mind, it is easy to see why cyber-security analysts are, for the foreseeable future, the job of choice in the computer industry.

Posted in Cyber security, Ethical Hacking, IT and Computer Security, Security Certification, Training and Education, Uncategorized | Tagged , , , , | Leave a comment

Tips for Finding Qualified Penetration Testers for Your Website

It’s a nightmare that has been faced by many business owners.  They spend an exorbitant amount of time and money putting together a specialized webpage to showcase their product, only to have that page ruined by a hacker who gets kicks from ruining other people’s hard work.  Many websites out there offer “automated penetration tests” which will see if your website is “hacker-proof.”  But the reality is that none of these can compare to hiring a good, qualified penetration tester to check over your website and see if it can be hacked and, if so, where the problems lie.  Here are some tips for finding this type of white hat hacker.

As with any skilled job, one of the first things you would want to look at is recommendations.  Check local colleges or computer companies to see if they offer certification classes for penetration testers.  Many groups offer regular, very popular courses in this subject and would be happy to either refer some of their experienced instructors or some of their more promising certification graduates.  Be sure to look for these type of credentials when hiring a penetration tester.

Another thing to look for with a white hat hacker is the ability to think creatively.  Too often, many people in the computer industry follow the step-by-step guidelines that they have always followed in their job.  This linear thinking is not going to be helpful with penetration testing.  Today’s hackers are creative, looking at your website as a potential puzzle the way some people approach a crossword or a Rubik’s Cube.  You need someone who can think just as creatively, looking not just at the likely avenues of attack but also at all of the potential areas that a hacker might try to compromise in taking down your website.

Unfortunately, perhaps one of the hardest areas to find with a good penetration tester is the ability to communicate the situation as simply as possible.  Many hackers have great skills when it comes to penetration testing, but when it comes time to explain what needs to be done they can’t communicate this to you or your website designer.  Asking them to sit down and explain a complex problem in the interview process will tell you if they can communicate this type of information.

Regardless of who you choose as your tester for your website, it is a very wise choice to find someone before you go live.  Taking the time to look over the site from top to bottom before putting it out there will prevent embarrassing situations from arising when you want your customers to be able to access your site.  Just remember what to look for in finding your white hat hacker.

Posted in Cyber security, Ethical Hacking, Hacking, IT and Computer Security, Security Certification, Uncategorized | Tagged , , | Leave a comment

How Cyber Security Training Can Protect Your Business From Hackers

Nowadays, almost every business needs a corporate website to function. When your business depends on a network to run, it is also exposing itself to a lot of risks. Network security breach is one such risk. When information about your customers or your financial documents is leaked to an unauthorized third party, severe damages could be the result. Many businesses have lose millions of dollars due to security breach. If you don’t want to face with the same situation, it is time to consider Cyber security training for your employees now.

When everyone in your company knows how to detect security holes and protect your network, keeping your network safe becomes a much easier task.

Employees Could Spot Intruders Much Faster

When your employees are trained on cyber security, they could spot intruders and security breaches much faster than a hired network security specialist. Hackers usually leave traces and clues about where they have been and how they entered the network. With the help of your employees, tracking down a hacker becomes much faster and easier.

Protect Your Company Communication Network

Unprotected conversations could be monitored by intruders. That’s why most companies and corporations set up a cyber security program to protect their IM and email systems.

Track Your Employees’ Activities

To maintain work efficiency and prevent unscrupulous employees from leaking important and sensitive information to an outside source, companies should set up some form of security measurement. You could give each employee a unique ID number to access the company network, so that you could keep track of each employee’s activities easily.

Above are some steps you could take to protect your company network. If you need professional assistance, contact us today!

Posted in Cyber security, IT and Computer Security | Tagged , , , | Leave a comment

Top Ethical Hacking Books

Today, cyber security is of utmost importance.  Even the Department of Homeland Security has recently issued a warning of a potentially imminent cyberattack which could rival 9/11 in its devastation.  And one of the surest ways to deal with a potential cyber attack is to think like a hacker.  Cyber security experts must know how to hack computers so that they can learn where the potential holes in a network’s security are to be found.  But how does a security specialist learn the tricks of hackers?  Fortunately, there are several books available which provide guidance on how to be a “white hat hacker” so as to secure your own computer network.

  • Secrets and Lies:  Digital Security in a Network World (Bruce Schneier)—Bruce Schneier is a computer security expert who has written a practical guide to securing computer networks.  One of the best things that this book provides is a way of disproving many of the misconceptions of computer security, particularly when it comes to cryptography.
  • Cyber War:  The Next Threat to National Security and What to Do About It (Richard A. Clarke and Robert Knake)—What better reference about the potential for cyberthreats on a global scale than a book written by a former national security advisor?  Richard Clarke has worked with Presidents Clinton and Bush and in this book he discusses the how attacks to computer networks can cripple governments as has already been seen in the covert computer wars that have gone on for the past half decade in the Middle East.
  • Inside Network Security Assessment:  Guarding Your IT Infrastructure (Michael Gregg and David Kim)—This book, written by two experts in the IT field with

    connections to the International Information Systems Security Certification Consortium, is a step-by-step practical guide on how to secure your network with utilities and templates that are very practical.

  • Security Engineering:  A Guide to Building Dependable Distributed Systems (Ross J. Anderson)—This hefty tome (over 1000 pages) covers everything from security basics such as cryptography to types of attacks such as card fraud and hacking among others.  It is an invaluable guide for anyone interested in the topic of ethical hacking.

These four books are just the tip of the iceberg when it comes to the world of ethical hacking.  But those who are interested in the topic would do well to check these out first before branching out to others in the field.

Posted in Cyber security, Ethical Hacking, Hacking, IT and Computer Security, Security Certification, Training and Education, Uncategorized | Leave a comment

Do Movies Make Hacking Seem Glamorous?

If you were a computer geek like me, growing up in the late 1970s and early 1980s, then I am sure that weekend movies were a ritual for you and an opportunity to escape for two hours into a dark cinematic fantasy-world.  In 1983, courtesy of Matthew Broderick and director John Badham, many were introduced to the realm of computer hacking and

wardialing in the movie Wargames.  Many of us remember that idea of possibility when Broderick, as high school computer nerd, David, changed his report card grade.  And, come to think of it, Broderick also hacked his school’s computer three years later in Ferris Bueller’s Day Off to change his absence record.   Even movies like the Matrix have featured a hacking theme, where Nmap is used to search for a SSH vulnerability.  So the question is, do movies sensationalize the world of hacking?

While we have previously blogged about CISSP movie concepts, the fact is that many of the depictions of hackers in film tend to go towards extremes:  either slick sociopaths such as the laughably bad Sandra Bullock film The Net or, more often than not, the typical stereotype of the repressed loner with poor hygiene and even worse interpersonal skills who lurk in basements like a troll (take your pick…there are really too many to list).  What you actually usually see in films is either a black hat hacker, white hat hacker, or maybe a hacktivist who engages in hacking as a means of “sticking it to the man” or taking on the powers that be.

Take for example Sneakers (1992) and The Girl with the Dragon Tattoo (both the 2009 original and the 2011 remake).  In Sneakers, a security specialist team of white hat hackers (headed by Robert Redford) are hired to steal a chip which will be able to decrypt any computer on the planet.  Ridiculous plot from a computer standpoint, but it’s well done, by Hollywood standards, right down to the showdown with the evil mastermind of Ben Kingsley who is trying to steal it for criminal use.  The Girl with the Dragon Tattoo, based on the best-selling series of novels by Stieg Larsson, features Lisbeth Salander, as a hacker who breaks many of the stereotypes for computer geeks—she’s a woman, she’s independent, she’s a punk rocker, and, although she is socially awkward, she isn’t one dimensional as she has Asperger’s Syndrome which explains many of her personality traits.  In the course of the film, she is able to use her hacking, lockpicking, and coding talents as a means of tracking down and bringing to justice a serial killer.  Even at the end when she uses her hacking to embezzle millions of dollars, the audience is left feeling like it is excusable because the man she stole it from is a corrupt billionaire guilty of multiple crimes.

Hollywood’s depiction of hackers is, typically, skewed to better serve film narratives.  Most audiences would find the real work of hackers, spending hours scanning IP addresses, looking for vulnerabilities, writing computer code, launching SQL injection attacks, and compiling scripts much less dramatic than Jeff Goldblum uploading the virus that destroys the mother ship in Independence Day and, ultimately, saves the world.  Who would have thought that aliens would be running an old version of Apple’s OS?

Posted in Hacking, IT and Computer Security, Uncategorized | Tagged , , , , , | Leave a comment

Businesses Must Be Proactive With Cyber Security Policies

Security breaches and intrusions have been in the spotlight as businesses across several sectors have reported damaging intrusions into their networks. Many of these have resulted in the theft of consumer personal data, or even worse, sensitive government information. Unfortunately, many companies continue to turn the other cheek when it comes to effective cyber security policies.

In fact, business firm, Deloitte reports that an astounding 88 percent of companies surveyed believed that they were not vulnerable to external cyber threats. Out of those, however, 59 percent stated that they had experienced some type of security incident in the past year.

The main reason for the lack of closer attention to cybersecurity was budget constraints. However, most believed that failure in employee awareness of security threats was a major obstacle as well. Bring your own device (BYOD) policies were also a major concern with 74 percent believing this made the workplace that much more vulnerable to security threats. As James Alexander, lead partner for TMT security at Deloitte states, “….each employee holds the keys to the castle and must understand that responsibility.”

Small to medium-sized businesses are just as, if not more vulnerable since they tend to not be as technologically equipped to handle cyber intrusions. Unfortunately, many don’t even think they will be targets. However, the truth is that a neighborhood community bank or credit union has an equal chance of being hacked as a larger financial institution does, potentially resulting in catastrophic results.

So what measures can be taken to educate businesses about the vulnerabilities of their networks? The solution is an independent assessment by security engineers and ethical hackers with penetration testing. This can expose holes in their current security policies and provide solutions that could effectively prevent an attack.

Superior Solutions offers an independent audit of your network to expose vulnerabilities that could lead to costly damages. Contact us for more information on our data security consulting services and training programs for your business.

Posted in Cyber security, Ethical Hacking, Training and Education | Tagged , , , | Leave a comment

Increase your chances of earning that Big Customer’s business with an assessment from a cyber-security expert at Superior Solutions

It’s a dubious honor at times to be the owner of a SMB: the operational concerns remain top-of-the-mind 24/7.

No surprise, then, that hackers continue to focus their cybercrime on the ‘low hanging’ fruit offered by the softly-defended likes of small organizations—all the more reason you need a systems analysis by a Cyber security expert at Superior Solutions.

Stepping Up SMB Security,” an article by Ericka Chickowski, on the DarkReadng/Security website reveals the uptick in hacker attacks keyed to the small business organization with less than 250 employees.

In fact, those blistering forays into the network actually more than doubled in 2012.

That means the prospects for a company looking to break into new markets, such as “certain classes of B2B clients” simply can’t turn away from “security anymore;” same is true if new markets are on the horizon, but will require new security mandates company wide.

Does your vendor offer…

It should be a commonplace: Your vendor should make available a “formal documented risk program.”

Such evidence is critical as SMB’s reach for more market share, and is a powerful notch on your readiness program that your potential Big Customer will likely accept in your bid start conducting business with them.

Don’t reinvent the document wheel…

As you implement new security strategies and showcase your growing capabilities to business prospects, document the process along the way.

Such a “master list” will provide an all-important guide of the “best practices important to your (new business) partners.”

Put our ‘best practices’ to work in your firm or organization; contact us to discover how our full complement of Computer Security and Cyber Security programs can help you reach that next level of customer contact…safely and profitably.

Posted in Cyber security, Ethical Hacking | Tagged , , , , , | Comments Off on Increase your chances of earning that Big Customer’s business with an assessment from a cyber-security expert at Superior Solutions