Posts

What Are The Compliance Standards That Cloud Vendors Should Follow?

Cloud services are part of all our lives today on our computers and mobile devices.  Everything from music, taxes filings, mail, photographs, phone calls, server backups applications and documents can be hosted by a cloud provider.  The security and privacy practices of cloud venders should always be considered when evaluating hosted services.   Here is an overview for two of the most common security compliance standards and regulations as it relates to the cloud. 

ISO/IEC 27001:2005

ISO/IEC 27001 is one of the top security benchmarks available in the world. ISO/IEC 27001:2005 is part of the family of ISO/IEC 27001 standards and specifies requirements for the implementation of security controls customized to the needs of an organization. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and appropriate security controls that protect information assets. ISO/IEC27001:2005 formally specifies a management system that is intended to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). 

In addition, this is used by vendors to provide information on security policies,  software updates, physical security, malware protection, cyber threat protection and other privacy adoptions.  

ISO/IEC 27001 requires that management:
• Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
• Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

An ISMS may be certified compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide. Certification against any of the recognized national variants of ISO/IEC 27001 by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself.  A certified cloud services provided must be able to to demonstrate formulate security requirements and objectives, implementing planned measures, inspecting and modifying activities based on changing conditions to meet those objectives.

SSAE16 / SOC2 

SSAE16 / SOC2 are a series of accounting standards that measure the control of financial information for a service organization. The SOC 2 reporting focuses on a vendors non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality and privacy. SSAE16/SOC2 reporting follows the Trust Services Principles established by the American Institute of CPAs (AICPA).  SOC 2 provides a standard benchmark by which data center audit reports can be compared and the customer can be assured that the same set of criteria was used to evaluate each site. (SOC 1 is a report on the internal controls over financial reporting)

SSAE 16 Definition:  Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, for which a service organization's controls are likely to be relevant to a user entities internal control over financial reporting (ICFR).

The Trust Service Principles which SOC 2 is based upon are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each of the principles have defined criteria which must be met to demonstrate adherence to the principles and produce an unqualified opinion. The engagement for SOC 2 reports must be done so in accordance with AT Section 101. 

These are two of the primary standards that most cloud vendors should follow.  Again, they provide a standard for security benchmarks and non-financial reporting. Depending on the industry they serve, cloud providers may also comply with Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), U.S.–EU Safe Harbor framework, Family Educational Rights and Privacy Act (FERPA), Gramm–Leach–Bliley Act (GLBA) and Financial Industry Regulatory Authority (FINRA). 

Finally, there are several new cloud compliance standards that are on the way of being completed and adopted. Wide acceptance and agreement from NIST, Cloud Security Alliance and IEEE are involved, but will only gain ground when the major cloud vendors join in.  More on this topic over the next few months.

Many firms are recognizing the value of cloud services.  To learn more about how cloud services can cut costs and improve your firm’s security check out the benefits of our Ease Cloud Workspace™ or call us today at (301) 854-0010.

    

Free Webinar - Apple Update 2014 for iOS 8 and OS X Yosemite

iOS 8Apple has just released iOS 8 for the iPad and iPhone.  About to be released is OS X Yosemite for the Macintosh in mid-October.  These two upgrades offer many significant enhancements with hundreds of new features. Some of these new capabilities are closely coupled between devices, which make them even more powerful.

Ease Technologies will be offering a free lunch time webinar that will cover the major highlights of these upgrades.  We will demonstrate how you can get quickly started by using key productivity, messaging, sharing and security features.  The online webinar will cover iOS 8, OS X  Yosemite and shared features between the two operating systems.

Sign up today for this free Lunch and Learn webinar!  During registration you can include questions you want to hear more about during the webinar.  

Some of the topics covered during the webinar will include:
• iOS 8 Upgrade for the iPhone and iPad
• OS X Yosemite for the Macintosh
• Messaging
• iCloud and iCloud Drive 
• Notifications and Widgets
• Security enhancements
• Handoff
• Key apps and application updates
• Apple Pay
• Numerous tips 
• Q and A

Date: November 5, 2015 
Time: 12pm- 1:pm
Location: Online Webinar
Registration: Online Here

Presenters:
Dave Kile - Vice President

Dave Kile is a co-founder of Ease Technologies and a former Apple employee
with over 25 years experience in the IT industry. He provides an invaluable expertise working with clients in all aspects of IT support.
Dave has lead teams implementing projects ranging from healthcare patient portals, the creation of public safety IT help desks to the relocation of financial trading firms. Additionally, he is actively involved providing education seminars, webinars and blogs sharing ways that businesses can improve security, productivity and reducing costs.

Matt Schmidt – Director, Managed Accounts 
Matt has been with Ease Technologies for over a decade and currently manages the Help Desk Teams at various institutions.  Matt brings a wealth of experience to his role focused primarily on technology in education, which he has successfully honed for over a dozen years.  Matt also helps lead and manage the company’s infrastructure consulting business and plays an active role in leading the firm’s Managed Services segment.  During his tenure with Ease, Matt has directed and participated in many high profile technology projects throughout the region and has successfully shared his knowledge and real world experiences assisting many key education institutions both locally and nationwide.

Don't wait and get started with latest upgrades by attending the online webinar!

    

Protecting Your Personal Information From Identity Theft

Identity theft and personal information compromises have been uncovered at an alarming rate. We seem to be hearing news of major companies almost weekly being hacked and millions of users personal data at risk. Hackers use this data for financial heists on your credit cards and identity fraud.  

Identity TheftThe credit card companies are generally pretty easy to work with and willing to quickly solve credit card fraud.  

Identity theft can be a more complicated process involving time working through remediation with different organizations fixing this damaging financial situation. Identity theft is often centered around your personal information being stolen that includes your social security number.  Once the cyber thieves have this type of very personal data they can obtain loans, make significant purchases and file for tax refunds in your name.  Again, a much more complicated recovery.

Cyber thieves use a variety of techniques to obtain your personal information.  Some of it can be obtained from major businesses on-line, but often they target individuals through phishing attacks. 

Hacking and Phishing Techniques

Hacking takes patience, know-how, and an understanding of how websites and computers work. Hackers can choose from several types of attacks when they plan to steal your personal data. Many of these include malware, a malicious software code, that unseen by you gives cyber thieves the personal information they seek.

Phishing is one of the most common ways hackers gain access to personal information. Fraudulent yet official seeming emails are sent to a recipient. These emails generally urge the recipient to enter their user name and password in the hopes the recipient will be tricked. Afterwards, the hacker uses this information to compromise their account or identity.

A type of malware called a keyloggers are another type of common attack. These small programs run hidden in the background on a computer, completely invisible to the user. Keyloggers systematically record every keystroke made by the user and send the information to the hacker. Hackers then filter through the keystrokes and extract login credentials and personal information. Again these can be installed through a phishing attack.

Be wary of unsolicited phone calls that are anxious to fix your computer or encourage you to hand over personal information.  Just last week I had a solicitor from the "Windows Company" offer to provide a free fix to my computer.  All I had to do was go to a web site and log in with some information.  They would have ultimately injected my computer with some sort of type of malware. 

How You Can Protect Yourself

In this day and age, protecting yourself is more about mitigating the damage from a compromised account rather than preventing any given attack.

One of your best defenses is to create unique passwords for each site. You can't control if a website is going to be compromised. However, you can prevent the information gained from being used to access additional accounts. Using a unique password for each online account prevents an attacker from compromising all your accounts with a single attack.  Create and use complicated passwords that include upper letters, lower case, numbers, special characters and are at least eight characters long. 

It's especially important to use a unique password for your email. If a hacker learns your email password they can easily reset the passwords on any of your linked accounts, possibly even gaining access to your financial accounts.

To defend against malware keyloggers, install an anti-spyware application. While not 100% effective, many of these applications can detect and quarantine software-based keyloggers. Then, they'll disable or purge them.

Take advantage of a free annual credit report from Central Source LLC, which is a joint venture created by the three credit reporting agencies – Experian, Equifax and TransUnion that operates Annualcreditreport.com.  "You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring." - Brian Krebs, Security News and Investigative Reporter 

Get a shredder for all your personal information you toss out at home.  Old credit cards, bank statements, tax documents and other personal information can be pieced together from a simple dumpster dive of your trash if not properly disposed.

Finally, be cautious of any emails with red flags such as those that request you to login and verify your information, or reset your password. Even if the email "from address" looks correct, and the link or URL appears legitimate, you cannot be sure. Contact the company directly to ask them about the email.

Call Ease Technologies today at (301)854-0010 and learn how Managed IT Services can help secure your business and reduce your IT costs in Baltimore, Washington or Fairfax.


    

Enhancing Your Security in Microsoft Office 365 with Multi-Factor Authentication

Microsoft Office 365 is a popular cloud-based version of Microsoft Office. In addition to the standard features, this new version of Office now offers online conferencing, file sharing, business-level email, shared calendars, and website creation. Unfortunately, since Office 365 is cloud-based, there are new security concerns that should be considered when using it.

cloud servicesPlacing data in the cloud introduces risks such as data breaches, data loss, account hijacking, and more. Microsoft acknowledges these issues, and has started to put measures in place to help you protect your data. Multi-factor authentication (MFA) is one such measure. Multi-factor authentication is sometimes referred to as Two-step authentication as well.

Multi-factor Authentication

Under normal circumstances, authentication relies on a username and password. If a hacker were to steal that password, they could easily access your account. Multi-factor authentication, on the other hand, requires two pieces of information: something you know and something you have. An example of MFA in everyday life would be ATM access. In order to access your bank account through an ATM, you need something you know (your PIN) and something you have (your card). Similarly, accessing an MFA-enabled account on Office 365 requires interaction with a mobile app, phone call, or text message, in addition to entering a password.

How to Set Up Multi-Factor Authentication

To set up MFA in Office 365, follow these steps:
Sign in to the Office 365 portal, and go to the "Office 365 admin center."
Select "Users and groups." On the right, you will see a list of options. Click on "Set up" next to the "Set multi-factor authentication requirements" line.
Find the user that you want to set up with MFA, and check the box next to their name. You will then see two options on the right: "Enable" and "Manage user settings." Click on "Enable."

If you enabled MFA for another user, be sure to contact them and explain how it will affect the way they use apps like Outlook and Lync.

Call Ease Technologies today at (301)854-0010 and learn how Managed IT Services can help secure your business and reduce your IT costs in Baltimore, Washington or Fairfax.
    

CryptoWall: The Latest in Ransomware and Cyber Crime

Over the last year, authorities have been fighting a series of ransomware viruses — first CryptoLocker, then CryptoDefense, and now Cryptowall. CryptoLocker infected over 500,000 computers and although only 1.3% of the victims paid the ransom, the criminals are believed to have made over $3 million dollars.

In June 2014, the US Justice Department began a multinational campaign to eradicate CryptoLocker. Department officials then announced that they had managed to neutralize it. Unfortunately, their efforts may have been a case of too little, too late as two new versions appeared: CryptoDefense and the malware's newest iteration, CryptoWall.

CryptoWall appears to have been derived from CryptoDefense, a shortlived and unsuccessful version. Unlike CryptoDefense, CryptoWall infected around 625,000 systems in six months according to an August 2014 report from Dell researchers. The report revealed CryptoWall encrypted 5.25 billion files and netted criminals over $1.1 million from March to August. CryptoWall's reach is expected to grow. The analysts described it as the largest, most devastating ransomware threat on the Internet.

CryptoWall's Plan of Attack

The ransomware typically enters a system by masquerading as a legitimate program update. Usually these programs are well-known, such as Java, Flash Player, or Adobe Reader. CryptoWall can also infiltrate a system through an infected email attachment.

Cyber security professionals have also warned about the criminals using exploit kits. This term refers to web pages with pre-packaged methods for sending malware. This means that in some cases, an ill-advised download is not necessary in order to spread CryptoWall. Victims can instead become infected just by visiting a website with a hidden exploit kit.

Once the system is infected, CryptoWall will begin encrypting its files. These protocols use twin encryption keys. The public key locks the files and the private one unlocks it. While this method may sound simple, it has been touted as nearly uncrackable.

Digital criminals have also developed offshoots of the basic CryptoWall virus. These new versions can infect mobile devices as well as personal computers.

After CryptoWall encrypts the system's data, the ransomware will display a warning. This tells victims that their files have been "irrevocably changed," and that they will not be able to work with them or even see them.

The ransom note demands that people pay several hundred dollars in order to free their files. Victims are directed to the Tor network, where payment can be received anonymously. They also face a ticking clock, since the criminals generally threaten to double the ransom if they do not pay within a few days.

Authorities' Ongoing War Against Ransomware

As part of law enforcement's crackdown on ransomware, the FBI in June 2014 put Evgeniy Mikhailovich Bogachev on its list of most wanted criminals. The authorities have accused him of committing bank fraud, wire fraud, computer fraud, money laundering, and aggravated identity theft. Bogachev is believed to be the man behind CryptoWall's predecessor, CryptoLocker.

While the US government was shutting down his criminal network, a group of private cyber security professionals was hard at work on recovering the stolen data. In August, they announced that they had uncovered the encryption keys used to hijack people's data. They also created a website where victims can receive the key needed to unlock their files.

While these efforts crippled CryptoLocker, they left CryptoWall unaffected. As of this publication, the ransomware is still at large and IT experts have yet to find a remedy for it. Thankfully, there are a number of ways that users can protect themselves.

Defense and Prevention

First and foremost, users should have current anti-virus software on their computers. In general, all software programs should be kept up-to-date with the latest security enhancements.

Suspicious websites should be avoided at all costs. Users should never open emails that appear suspect or were sent by entities that they don't trust. Similarly, users should never download attachments that they're not expecting. These statements may seem intuitive, but the spread of ransomware is driven almost entirely by the behavior of careless and unsuspecting victims.

Additionally, files should be regularly backed up. Ideally, one backup copy should be stored through a cloud-based service that backs up daily and provides for access from anywhere. The second backup should be on an external hard drive. Users should update this copy on a weekly or monthly basis.

Once a computer has been infected, users should also be concerned about their networked devices. CryptoWall victims have found that the malware can infect connected drives through the network. Users should carefully examine these devices to see if they have been compromised as well.

Threats like CryptoWall pose serious challenges to businesses across the globe. Being aware of these issues is the first step in combating them. For assistance with the prevention of CryptoWall, or possible recovery, contact us today at 301-854-0010 or here.
    

Sign up here for monthly newsletter

Upcoming Events

Calendar Icon

Upcoming Events

Blog Archive

Archive by Years