Atlantic Business Technologies, Inc.

Category: Cloud Security

  • Security and Me: My Takeaways from Thirst for Knowledge

    In just the second quarter of 2017, there were at least 62 million detections of malware on IT systems across the world. This was just the introduction to ABT’s Thirst for Knowledge event last Thursday. Thanks to our Research Manager Randy Earl, I also learned that the first line of defense against these kinds of cyberattacks is teaching employees like me how to be smart about security.

    This was the first time my company has held this kind of informational lesson before one of our Thirsty Thursday networking events, and it was a big success. I got to speak with both new and old friends from outside my company, and there were lots of good points in the presentation and an engaging discussion from the crowd. Here are my main takeaways from the presentation:

    How to Make a Good Password

    Randy alluded to this xkcd cartoon on making stronger passwords.

    Judging by the questions and comments from the presentation, it’s pretty clear that attendees take password security seriously. However, some had gotten bad advice about how often to change passwords and how to design a good one.

    Thankfully, Randy provided some helpful guidelines on how to design passwords that a computer wouldn’t easily guess (and that guys with mediocre memories could actually remember!). Long passwords (12–15 characters) built from a series of unrelated words are both difficult for a computer to guess and simpler to recall later. Randy taught us that having this kind of longer password in place was more important than requiring employees to change their passwords every 60 days.

    Randy also spent some time explaining the need for password managers and how helpful they can be in a larger organization. At Atlantic BT, we use Pass as our main tool to generate strong passwords and store them in a safe location. Naturally, it’s important to use a strong password to ACCESS Pass, otherwise your credentials for this password manager could be stolen.

    Mobile Security Takes Some Effort

    When will there be a good password manager for mobile devices? Touch ID has served as a good security measure, but for those with lots of logins and/or multiple devices, an easy-to-use mobile password manager would be helpful. As of now, Randy described mobile password managers as “tedious,” implying that their usability needs improvement.

    In the meantime, it’s good to see password managers are trying to keep up with mobile OS updates; LastPass announced AutoFill on the same day as Android announced their new Oreo OS. So it looks like we have the tools to secure our mobile devices (as long as we remember to lock our phones!) even if password managers are still working on usability.

    Do Individuals Need Offsite Backups?

    While Randy was explaining the importance of backing up critical data to guard against ransomware, one attendee made a big point of keeping data backed up OFFSITE in addition to offline. Randy agreed, since these offsite backups would protect a company if its office flooded, caught fire, or had some other environmental disaster.

    It might be easy for an individual to think their data is safe enough that they could get by without an offsite backup. I would disagree; offsite backups are as important for individuals as they are for large companies. We never know when disaster can hit us, so it’s vital for anyone with data they value (so, essentially everyone) to have an offsite and offline hard drive or thumb drive to back up important files. 

    That in mind, the point Randy made was clear: having a strong backup solution in place will save a business owner from a lot of anxiety—especially if they work in targeted industries like healthcare or finance.

    Next Thirst for Knowledge on September 21

    All in all, this Thirst for Knowledge event gave everyone a lot to think about and new practices to adopt in matters of security. I’m looking forward to the next Thirst for Knowledge event on September 21. Be sure to follow Atlantic BT via Twitter for updates on the subject and speaker for the next Thirst for Knowledge.

  • How to Protect Yourself from Ransomware like WannaCry

    The WannaCry Ransom Attack

    Earlier this month, hackers exploited a vulnerability in older Microsoft Windows servers to execute a global cyberattack using ransomware (malicious software that holds your computer’s files hostage for ransom) as well as EternalBlue, a hacking tool stolen from the U.S. National Security Agency (NSA). EternalBlue is a network tool that can automatically spread itself across the Internet, scanning for vulnerable systems as it goes. The attackers used this tool to primarily target older Windows systems (including XP, Win 8, Win Server 2003) which were no longer being supported with security patches, but many new Windows machines were also affected.

    This massive attack known as WannaCry completely locked victims out of their PCs. Victims then received ransom messages from the attackers that promised to restore each owner’s access if the owner paid $300 in the digital currency Bitcoin. If an owner refused to pay, the attackers threatened to destroy that owner’s files. The attack was reported to have infected more than 230,000 computers in over 150 countries, including 40 National Health Service trusts in the UK. While the initial attack has been contained, experts worry that the next wave of ransomware attacks could be even worse. Is your organization ready?

    In this post, I will lay out common sense steps that organizations should take to protect themselves, as well as strategic security principles to guide you going forward.

    What You Need to Do Right Now about WannaCry

    If the worst has happened, and you had your data stolen by WannaCry attackers, there are now free tools available to help you decrypt your locked data (such as the EaseUs tool found here). If you have not already taken action to secure your systems from the existing WannaCry cryptoworm, here are the specific steps you should take:

    1. Apply the Microsoft patch for the MS17-010 SMB vulnerability.
    2. Perform a detailed vulnerability scan of all systems on your network and apply missing patches immediately.
    3. Limit traffic from/to ports 139 and 445 to internal network only. Monitor traffic to these ports for unusual behavior.
    4. Enable strong spam filters to prevent phishing e-mails from reaching end users, and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
    5. Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching your end users.
    6. Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans. I recommend Norton and Sophos.
    7. Manage the use of privileged accounts. Implement the principle of least privilege—no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should only use them when necessary. Configure access controls (including file, directory, and network share permissions) with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
    8. Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
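Step 3 above can be checked against firewall or flow logs. The following is an added example, not code from the original post: it flags allowed SMB/NetBIOS connections (ports 139 and 445) that cross the network boundary and internal hosts that contact an unusual number of SMB peers. The six-field log format, the use of the RFC 1918 ranges as "internal", and the fan-out threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
# Assumption: "internal network" means the RFC 1918 ranges; substitute your own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: this many distinct SMB peers from one source counts as unusual behavior.
FANOUT_THRESHOLD = 5

# Constructed sample records: time src_ip src_port dst_ip dst_port action
SAMPLE_FLOWS = """\
2017-05-15T09:00:01 10.0.1.20 49152 10.0.1.5 445 ALLOW
2017-05-15T09:00:02 203.0.113.7 51000 10.0.1.5 445 ALLOW
2017-05-15T09:00:03 198.51.100.9 51001 10.0.1.5 445 DENY
2017-05-15T09:00:04 10.0.2.33 49200 203.0.113.50 445 ALLOW
2017-05-15T09:00:05 10.0.3.77 50001 10.0.3.1 445 ALLOW
2017-05-15T09:00:05 10.0.3.77 50002 10.0.3.2 445 ALLOW
2017-05-15T09:00:05 10.0.3.77 50003 10.0.3.3 445 ALLOW
2017-05-15T09:00:06 10.0.3.77 50004 10.0.3.4 445 ALLOW
2017-05-15T09:00:06 10.0.3.77 50005 10.0.3.5 139 ALLOW
2017-05-15T09:00:06 10.0.3.77 50006 10.0.3.6 445 ALLOW
2017-05-15T09:00:07 10.0.1.20 49153 10.0.1.5 443 ALLOW
"""


def is_internal(addr):
    """True if addr falls inside one of the internal prefixes (IPv6 counts as external)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Return (src, dst, dst_port, action) or None if the record is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, src, _sport, dst, dport, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, int(dport), action.upper()
    except ValueError:
        return None


def audit_smb(text, threshold=FANOUT_THRESHOLD):
    """Audit connection records whose destination port is 139 or 445."""
    boundary, blocked, unparsed = [], 0, []
    peers = defaultdict(set)  # internal source -> distinct internal SMB destinations
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if flow is None:
            unparsed.append(line)  # keep malformed records visible instead of dropping them
            continue
        src, dst, dport, action = flow
        if dport not in SMB_PORTS:
            continue
        src_in, dst_in = is_internal(src), is_internal(dst)
        if not (src_in and dst_in):
            if action == "ALLOW":
                # An allowed SMB connection with an external endpoint breaks step 3.
                direction = "inbound" if dst_in else "outbound" if src_in else "transit"
                boundary.append((direction, src, dst, dport))
            else:
                blocked += 1  # the boundary rule did its job
            continue
        if action == "ALLOW":
            peers[src].add(dst)
    # One host opening SMB sessions to many peers is the pattern a network worm produces.
    fanout = {s: len(d) for s, d in peers.items() if len(d) >= threshold}
    return {"boundary": boundary, "blocked": blocked,
            "fanout": fanout, "unparsed": unparsed}


if __name__ == "__main__":
    report = audit_smb(SAMPLE_FLOWS)
    for finding in report["boundary"]:
        print("SMB crossing the boundary:", finding)
    for host, count in report["fanout"].items():
        print(f"{host} contacted {count} SMB peers")
    print("blocked at boundary:", report["blocked"])
```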

    The Long-Term Implications of WannaCry and Ransomware

    While the aforementioned steps will help protect your systems from ransomware and other malware attacks, we do not know what the next major attack will look like. Even the latest patches and security products will only block old and known variants of malware like WannaCry—and new variants appear all the time. Making matters worse, some variants of ransomware can enter your systems via your RAM or firmware in order to avoid antivirus detection. This in mind, here are strategic best practices to keep your organization safe.

    Back Up Your Data

    Having reliable backups is essential for business continuity, especially if you work with PHI or other sensitive healthcare data. In some ransomware attacks, criminals will delete your files even if you pay their ransom. Reliable backups will also protect you from nonsecurity disruptions like unexpected damage to a data center.  

    As you back up your data, be sure to create frequent backups to several disconnected servers; this will protect you from malware that spreads across networks. It is also important to regularly test the integrity of your backup data to ensure it will meet your needs after you restore it. Finally, I recommend you set up an enterprise endpoint backup tool to protect individual user data on their laptops and workstations.

    Identify Sensitive Systems and Potential Vulnerabilities

    You might not be able to predict the next major attack, but you can prepare your systems by finding and protecting potential weak spots. For example, identify any of your users’ storage locations that are inherently vulnerable, such as file shares. It is also important to monitor the integrity of your module, as this has become a popular attack surface for cyber criminals.

    As you examine how data flows throughout your network, be sure to evaluate the potential business impact of that data being stolen or encrypted by a cyberattack. If certain data or systems are especially critical to your business, adjust your recovery point objectives to back up these systems more frequently.

    Have a Dedicated Security Team

    As your organization grows, the stakes of your information security will continue to elevate. The best way to stay ahead of cyberattacks is to create a dedicated security team ready to manage any crisis you face. Ideally, this team would include an applications expert, a network security engineer, and an analyst who can keep up with the latest data security trends.

    Once you have this team in place, it is also smart to align this information security team with your IT disaster recovery team and network team in order to develop a cross-department plan to respond to security incidents like the WannaCry attack. This cross-department plan should focus on making you resilient to attacks, not just preventing them altogether.

    Get Smart on Ransomware with the Latest Security Information

    Now that Verizon has released their yearly Data Breach Investigations Report, we have a host of new information about security breaches that could lead to your data being compromised. However, this lengthy report is only one part of the information security puzzle. In my upcoming webinar on July 12, I will discuss the long term implications of the WannaCry attack as well as best practices to help your organization protect itself from ransomware and other cyberattacks.

    Learning from WannaCry – The Long-Term Implications

    • Presenter: Ulf Mattsson, CTO Atlantic BT Security
    • Duration: 60 min
    • Date & Time: July 12 2017 12:00 pm EST

    UPDATE: Watch my other recorded webinar on Learning from Verizon 2017 Data Breach Investigations Report


  • The Magento Security Patch You Can’t Afford to Ignore

    If your online store is not secure, it doesn’t matter how much revenue it brings in—the right cyberattack could cripple your ability to run online transactions.

    This in mind, it’s critical for users of both Magento Enterprise and Community to install a critical security update called SUPEE-8788. In this blog post, I’ll go through the details of this patch and what my team at ABT learned from this process.

    Who Is Affected?

    If you use a version of Magento Enterprise older than 1.14.2.4 or a version of Magento Community older than 1.9.2.4, you need to apply this update.

    What Exactly Does This Update Do?

    SUPEE-8788 addresses 17 different APPSEC vulnerabilities in Magento, including ones found in the payments system, user sessions, the Flash-based media uploader, and within the Zend Framework itself (which Magento has assumed maintenance of since ZF1 passed end-of-life).

    In addition to the security updates in the SUPEE-8788, Magento versions 1.9.3 (CE) and 1.14.3 (EE) also provide several dozen other fixes and updates, including:

        • Tax calculation fixes
        • Shopping cart and checkout fixes
        • Catalog fixes
        • Price rule fixes
        • Configurable swatches fixes
        • Import/export fixes
        • Indexer fixes
        • Visual Merchandiser fixes (EE-only)

    How Do I Apply This Update?

    Visit Magento’s Security Patches page and follow the instructions to either update your version of Magento or download and install a patch alleviating these security issues. Because the patch can be applied quicker and with less complication than the version upgrade, we recommend installing the patch immediately if you don’t have the time or resources to perform a full Magento upgrade.

    Wait, Why Do I Need More Time to Perform This Magento Upgrade?

    Magento upgrades take a lot more than clicking a button and waiting a few minutes. Your developers will need to ensure the new version installs correctly and works with your existing design and customizations. We also recommend a thorough QA process across all areas of your online store when you install the upgrade. Making matters more complex, the new versions of Magento differ greatly in quality based on whether you’re using Community or Enterprise.

    How Should Magento Community and Enterprise Users Handle the Upgrade?

    Magento CE 1.9 users, especially those on 1.9.2, should review the fixes and features in the 1.9.3 upgrade to determine if it’s worth extra time to upgrade rather than install the patch. Spend some time reviewing the Magento forums, StackOverflow, and subreddit to see what kinds of issues people are reporting with the upgrade. This will help you anticipate and resolve any common issues or conflicts you’re likely to encounter with the upgrade.

    Magento Enterprise users should be more cautious regarding the upgrade. While it’s always preferable to be on the latest version whenever possible, we’ve been disappointed in the lack of quality control in this release. Our Magento developers have already identified multiple bugs in the EE-specific changes which required hotfixes. There’s also currently little public discussion around 1.14.3, so it’s difficult to find solutions by comparing notes with other users. While this update does fix some long-standing bugs and the aforementioned security issue, the update trades these problems for new ones without proven fixes. This makes it easier to just install the patch if you use Magento Enterprise.

    What If I Need Help or Have More Questions?

    Feel free to post any questions or thoughts in the comments section below. If you’re interested in getting Atlantic BT’s help in handling your upgrade, contact us today to get started.

  • Protect Your IT from a Dirty COW

    Imagine you lived in a luxury high-rise apartment. Chances are, you’d have things inside that home that are valuable to you (computers, TVs, jewelry, and the like)—not to mention your pets and family. Thankfully, your home is protected by an experienced doorman who never lets anyone in who doesn’t have your permission.

    Sounds secure—as long as an intruder couldn’t bypass the permission process. Unfortunately that’s exactly what’s happening with the Linux Dirty COW vulnerability. And to make matters worse, this risk has been present for more than nine years—so if you’re using any recent version of Linux or Android, you need to act now.

    What We Mean by Dirty COW

    Linux uses a Change on Write (or COW) approach to reduce unneeded duplication of memory objects. This works in conjunction with Linux’s Discretionary Access Controls to decide which users get read-only privileges or read-write privileges. However, this permissions framework can be bypassed if a cyber attacker manipulates the COW mechanism to alter read-only memory objects on the system.

    While this requires a payload to be installed and executed on the server, this COW exploit allows the attacker to modify and replace a secure command restricted to non-privileged users with a command that could provide root access to the entire system. Because the COW element is what’s been compromised, this attack is known as a Dirty COW. This vulnerability affects anyone using a version of Linux or Android released in the last decade—which includes millions of web servers.
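The guarantee the COW mechanism is supposed to give, and which Dirty COW bypassed, can be observed directly. The following is an added example, not code from the original post: a process holding only a read-only descriptor is refused a shared writable mapping, and writes through a private mapping land in a private copy and never reach the file. It assumes a Linux or other Unix system; the temporary file and its contents are constructed.

```python
import mmap
import os
import tempfile

ORIGINAL = b"read-only contents\n"  # constructed file contents


def cow_demo():
    """Write through a private mapping of a read-only file and report what changed."""
    fd_tmp, path = tempfile.mkstemp()
    try:
        os.write(fd_tmp, ORIGINAL)
        os.close(fd_tmp)
        os.chmod(path, 0o444)            # read-only for everyone
        fd = os.open(path, os.O_RDONLY)  # the process only ever holds read access
        try:
            # A shared writable mapping would write back to the file, so the
            # kernel must refuse it on a read-only descriptor.
            try:
                mmap.mmap(fd, len(ORIGINAL), flags=mmap.MAP_SHARED,
                          prot=mmap.PROT_READ | mmap.PROT_WRITE).close()
                shared_refused = False
            except PermissionError:
                shared_refused = True

            # A private writable mapping is allowed: the first write triggers
            # the copy, and the change stays in this process's own pages.
            with mmap.mmap(fd, len(ORIGINAL), flags=mmap.MAP_PRIVATE,
                           prot=mmap.PROT_READ | mmap.PROT_WRITE) as view:
                view[0:4] = b"EDIT"
                private_view = bytes(view[:])
        finally:
            os.close(fd)

        # Re-read the file through a fresh descriptor: it must be untouched.
        with open(path, "rb") as fh:
            on_disk = fh.read()
        return {"shared_refused": shared_refused,
                "private_view": private_view,
                "on_disk": on_disk}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = cow_demo()
    print("shared writable mapping refused:", result["shared_refused"])
    print("private view after write:", result["private_view"])
    print("file on disk:", result["on_disk"])
```

If `on_disk` ever differed from the original contents here, the read-only protection would have been bypassed, which is the class of failure the kernel patch closes.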

    Now for the good news: there is a fix available. This patch will likely require a full reboot of your system (unless you have a special live-patch solution in place), so it’s crucial your IT team has a plan in place based on security and continuity best practices. However (and this is a big however), this vulnerability represents a major wake-up call for any organization that depends on interconnected web based systems—it’s time to get serious about your security if you want your business to survive.

    Get Serious about Web Security

    As web systems become more complex and interconnected, it’s always safe to assume that new vulnerabilities will emerge. What’s noteworthy in this case is the Dirty COW vulnerability is baked into the Linux system as opposed to being a completely external attack. This suggests application developers should no longer trust the integrity of a host server or kernel; instead, they should work to develop applications that protect themselves from attacks on the kernel.

    This makes it even more important to know that your web developers and hosting team are experts in IT security. You need a comprehensive security strategy that keeps attackers as far away as possible from executing arbitrary code on your systems. Before any attackers get close, they should have to first defeat your network firewalls, your intrusion prevention systems, your web filters, and the RBAC protections around your daemons.

    In short, it’s time for you to get serious about web security. If you’d like advice from our security experts, feel free to reach out to us on our contact page.

  • Web Education: Preparing for GenZ

    Connected!

    I remember the first time an AOL CD-ROM appeared in my parents’ mailbox. It promised me thousands of minutes to connect with others through our computer. A computer that, up until that moment, had been used primarily for solitaire.

    I patiently waited for the program to load. Nothing happened. Where was my Internet? I didn’t realize I needed a phone line to connect. I “borrowed” a phone cord from my parents’ room and figured out how to connect the computer’s modem to the phone jack. For the first time, I heard the strange sound of dial-up, and the word “Connected!” appeared. I was online.

    Learning to use the web has changed slightly since then. While everything in the past had to be self-taught, we can now get degrees or go to bootcamps to learn all kinds of Internet technology. Indeed, staying abreast of the latest techniques is a must for developers to do their jobs. Learning more about the latest technology trends led me to attend ConvergeSE, where I heard a keynote that blew my mind—Pamela Pavliscak’s talk on Gen Z and the Future of Technology.

    As Pamela Pavliscak explained, GenZ is the first generation who are truly digital natives. They make up 25% of the population, representing how future technology users will navigate the web and expect applications and interfaces to work. By paying attention to how GenZ uses the Internet, we can both improve the quality of our own work and make future technology more accessible and useful going forward.

    The Future of Community

    The definition of community for GenZ is different from what I grew up with. My idea of a community was going to the park and seeing kids on the playground. Today, kids have fewer physical hangouts. Instead they hang out online in spaces like Twitch. These digital communities allow teens to have their own identities and play around with their social presence. Because GenZ uses the web to create a vast social community and develop real relationships online, their communities have the power to be both local and global.

    What does this mean for the future of technology? It means we can control the context. This means allowing and encouraging GenZ to participate in grown-up conversations through technology. We also need to know how to protect ourselves and GenZ from turning toward Dark Social–the social sharing of content that occurs outside of what can be measured or tracked by web analytics. Because everything in Dark Social is anonymous, it often leads to bad (even illegal) behavior. To combat this, we have to promote a digital culture of openness that shifts how we identify ourselves and others through the web.

    Communicate in All the Ways

    GenZ’s communication style favors immediate, diverse, and ever-changing connections. For GenZ, phones are no longer for talking. GenZ spends more time texting and talking to Siri than they do talking to real people. They do not email. Why would they? An email isn’t real time. Emails don’t offer instant gratification or connection like text messaging or Snapchat. GenZ wants to create a memory and experience something together. This means they want to re-frame, reshape, and re-experience the moment. For them, a memory isn’t something that is set in stone. It’s a moment in time that is captured and built on.

    The future of technology allows us to communicate in all the ways: to convey a mood, to show rather than describe how we feel, to constantly stay connected, even when we have nothing to say. We have to learn how to incorporate all kinds of technology into our communication, from voice to texting to video capture. GenZ communicates in bite sizes. They communicate in symbols. They speak in emoticons and emojis. The symbols provide context and create subtext for their private conversations. If we can understand what these symbols and shortcuts mean in our language, we can use the right visual and textual vocabulary in our technology and design.

    Default to Private

    GenZ often uses technology as a way to escape the everyday. This explains why they are usually the early adopters of new social networks. For them, new tech trends are like new wearables. For example, when I was a kid, everyone had slap bracelets. If you didn’t have one, you weren’t cool. For GenZ, being connected to the latest tech trend is their slap bracelet. They don’t want to be the only kid in school who isn’t on Twitch. GenZ is constantly online, but that doesn’t mean they want you to know everything about them—they understand how to hide and limit who can see their posts using privacy settings.

    What’s our lesson? Educating yourself on how to use privacy settings is imperative. We are stepping away from wanting everyone to know everything to only wanting to share with those that we know. This trend will lead to more social networks adopting stronger privacy settings. Besides affecting how we advertise and communicate on these networks, this also means we need to learn how to protect ourselves from what we share. As we continue to create our own social brands using technology, we need to know how to portray ourselves without losing our privacy. And when we design new communication technology, we should make user information private by default.

    Leave it Open

    Being creative and playing is about combining off-screen and on-screen. GenZ wants to be able to create. They want to see what they are creating on-screen. Zs want to do anything but read on a device. They want to tell stories and they are using their devices to do this, by creating art with their screens. They create short animations through different apps. They build entire movies out of photos. They do this, not for themselves, but for their family and friends.

    When designing for the future, we need to leave our platforms and technology open. GenZ doesn’t want the story to end. They want to make their own choices. If there is an ending, it doesn’t appeal to them. We need to design for GenZ’s short attention spans, allowing them to operate multiple screens at the same time.

    We also need to learn how to build for the worst case scenario. For example, GenZ cares less about having the latest technology than just being connected. Growing up, they typically inherited older devices from parents or siblings, so they became experts at connecting with slower tools. Our lesson? If you’re building for mobile, you need to develop apps that work well on older devices instead of focusing entirely on state-of-the-art smartphones.

    Understanding Our Future

    I thought back to my first online experience. No one showed me how to connect to the web. I was lucky to have a computer. I had to teach myself everything that I learned about technology.

    This is not the case for GenZ. They will never need to figure out a dial-up modem or wait to connect. They were born with online technology, and navigating it has become primary for them. And one day, GenZ will be the ones who provide us with our future web education. Zs will be our teachers and we will be their students. But before that happens, we can learn from how GenZ uses the web: making our technology more secure, more connective, and more open.

    What are your experiences with how GenZ uses the Internet or web-based technology? What are you learning from this new generation’s preferences and practices? Let me know in the comments below.

  • On Edge about Leaving Internet Explorer?

    Our Answers to Your Internet Explorer FAQs

    On January 12, 2016, Microsoft ended support for older versions of Internet Explorer (IE). For those of us in web development, this was cause for rejoicing—we now had fewer browsers to support.

    However, for the many organizations and businesses who have relied on older IE versions to run their applications and websites, this news left them feeling a bit on edge. At Atlantic BT, we’ve heard a lot of questions from our clients who depend on IE: Why is Microsoft ending support?  Which versions are affected?  What happens for applications that remain on IE? And (most importantly) what are next steps I should take?

    Though we don’t know why Microsoft made the decision to end support for older versions of IE, we can help with the other frequently-asked questions.

    What Does End of IE Support Mean?

    Companies like Microsoft announce the end of support when the company feels their product is at the end of useful ‘life’. This decision usually means the company intends to focus its resources on supporting and developing newer software rather than patching older versions.  

    For Internet Explorer, end of support means that Microsoft will:

    • Cease technical support
    • No longer provide downloads of the browsers
    • Stop security updates

    All of these changes are excellent reasons to transition your company away from older versions of Internet Explorer.

    Which Versions Are Affected?

    The end of support announcement affects several versions of IE. Specifically, Microsoft has decided to end support for IE 10 and all previous versions; while IE 11 will continue to receive security updates this year, Microsoft has announced IE 11 will be the last version of Internet Explorer.

    This makes it vital to transition away from Internet Explorer. If you’d prefer to stick with Microsoft’s browser, then you should begin using Edge, Microsoft’s new browser for Windows 10. Microsoft developed Edge to better compete with Chrome and Firefox, so it offers new features found in these browsers. In addition, Microsoft is offering free upgrades to Windows 10 for a limited time. Because only Microsoft knows how “limited” this time is, it’s important to upgrade sooner rather than later.

    What Happens to Applications Running on Unsupported Versions?

    Older versions of Internet Explorer will not be automatically uninstalled from computers. So applications running on unsupported versions can still run on old computer systems.  However, this is not recommended because of the risks involved, including:

    • The end to security updates. This risk opens the application or website up to vulnerabilities from malware or malicious attacks. This puts your business application and its data at risk.
    • Appearance issues. If a user attempts to open your application or website in newer browsers, there’s a strong chance your site will not look the way you intended. The user may experience broken images, misplaced buttons and text, and an interface that appears scrambled.

    What Are My Next Steps?

    Considering the answers to these questions, it’s important for your business to plan its transition away from older versions of Internet Explorer. As digital problem solvers, Atlantic BT can provide direction as your business moves to newer technology. We can help you:

    • Evaluate your current web applications and website to determine the most effective way to upgrade.
    • Redesign apps and webpages using cutting-edge technology that works across modern browsers such as Chrome, Safari, Edge, and Firefox; these web browsers provide faster and more secure access to websites and services.
    • Develop a solution that is mobile-friendly; this means being more accessible on tablets and mobile devices, unlocking another path for business growth and productivity.

    And once your application or website has been updated, we can help you to stay up-to-date. If you’re interested in learning more about how we can help your business transition away from Internet Explorer, please contact us.