The What, The How, and The Why of Managed Threat Detection

Cybercriminals are getting more fearless by the day and their crimes are getting more and more sophisticated. Cybercrimes are costing businesses and organizations billions of dollars each year. This has spawned a new generation of cybercrime fighters who search for ways to end this threat once and for all. With each new attack, the crimes get more sophisticated. Hackers are learning from their mistakes and tweaking their methods to make them even more effective.

Managed Threat Detection

While most attempts to end hacking seem futile, it is an industry that will continue to require experts in managed threat detection. Stopping thieves before they can get into your database is the preferred method and this has now become possible. The latest technology can assess your network’s weaknesses and your IT professional can recommend various ways to shut down those weak areas.

Why the rise in popularity of managed threat detection?

Investments in technologies that prevent cybercrimes are currently on the rise. There are now a number of solutions that prevent intrusion into your computers. But many companies feel they just don’t have the money to install the latest threat detection equipment. Though there is an initial expense involved, business owners with these new threat detection systems do enjoy greater peace of mind. One cyber-attack is now estimated to cost approximately $1.3 million on average. In addition, customer trust is eroded once the public learns of the breach and overall sales can go down. The expenses for a breach can often linger for years.

What is Managed Detection and Response?

MDR is a combination of technologies and skills that provide global threat intelligence, deep threat analytics, and earlier incident mitigation. The most effective response to a breach requires a collaborative, far-reaching effort.

Managed Detection and Response works well because it is set up to function every minute of every day. It provides more thorough protection from the viruses, worms, ransomware, and malware that exist on the World Wide Web.

MDR is commonly used together with traditional managed security services (MSS) to ensure complete protection. These services can be provided by specialized vendors who focus mainly on threat management. They can also be provided by specialists who have MDR capabilities. Managed detection is chiefly distinguished by the fact that it works even in circumstances where the traditional methods of protection, which are focused on limited log collection and rules-based analysis, do not work.

How is MDR delivered?

Today, businesses will find a few cybersecurity experts who understand the ever-changing landscape in the world of cybercrime. Thieves utilize a number of methods that evolve with each new attack. The only truly effective response to these attacks is to develop a system of crushing cyber-attacks that also evolves with each new event.

New technology focuses on a series of effective approaches to threat detection and elimination. The initial step is known as threat anticipation, which measures the level of a company’s preparedness. This determines how high a company’s chances are of being targeted by cyber thieves. MDR also includes threat hunting. Instead of waiting for an event to occur, this technology actively hunts for threats and eliminates them.

Third, security monitoring is essential. This service is basically exactly what it says. A system is put in place that constantly monitors all hardware, software, and networking equipment, looking for loopholes that thieves might exploit. Security monitoring should include alert response, incident response, and breach management.

Why is Managed Detection and Response popular?

For most business owners, there just isn’t time each day to worry about cyber breaches and data leaks. Though the costs to address them can be enormous, a business person needs to focus on running his company. Your business can suffer if you must constantly be pulled away to address potential security threats. That’s the major reason why business owners are opting for a greater level of protection for all their computers and networking equipment.

Threat detection and prevention is a full-time job and most business people just don’t have the time or skills to deal with it. Your company needs the finest protection available so you can get back to work without the stress of knowing that a breach could occur at any moment.

MDR service providers are able to collect data from various sources on the threats that your organization may face. This enables them to know exactly which threats are more pronounced. Once an organization knows where their weaknesses lie, they are in a better position to respond, repair those flaws, and move forward with more confidence.

Of course, a good managed detection and response program should also include all the measures to respond should a breach occur. In spite of all the advances in technology, if just one of your employees clicks on a malicious link, they could download ransomware or other harmful malware into your system. You can mitigate the damage though, by knowing exactly what to do.

Final Thoughts

Managed Detection and Response (MDR) is designed to handle anything that cyber-thieves can throw at you. It initially seeks to find and close any weaknesses, but it also includes a sound response plan should a breach occur. It utilizes today’s best detection tools, threat intelligence, forensic investigation tools, and human analysts. It can give business owners the peace of mind they need to get back to running their companies without the constant worry of an expensive data breach.

Windows 10 Security Risks

Stop Taking Unnecessary Risks!

Follow These 3 Easy Steps To Stay Safe

If you’ve ever been a victim of identity theft or have been affected by a cybersecurity data breach, you remember the anger and frustration you felt at a violation you had no control over. Don’t feel defeated – arm yourself with the latest in cybersecurity protection protocols!

Cybersecurity is an intense word, but do you fully understand what it means? Maybe you think it’s not important to you, so you don’t pay attention…

“I don’t shop online…”
“I don’t use social media…”
“I don’t pay my bills online; I only write checks…”

Unfortunately, even if all of the above applies to you (though we sincerely doubt that!), you can still be affected by a cybersecurity breach, and trust us when we say it does matter. We’ll tell you why, and how to protect yourself.

You might think you can avoid cyberattackers – “hackers” – by avoiding the Internet as much as possible, but the reality is much more complex. Your name, your personal information, and your identity are each online in some form. Even individuals that only make telephone calls to their bank are prompted with questions to verify their identity, and that information is stored in the bank’s software. Paying an electric bill in person at a local Department of Utilities won’t prevent someone from needing protection, either, and for the same reason. Cybersecurity is an issue at the heart of every aspect of life – even medical records are migrating to digital format these days, simplifying the process by which medical professionals need to access patient history to expedite care.

Consider the other side of the coin on this, too – cybersecurity is critical for organizations that store this information. Consumers need to know their information is protected, and we have a right to privacy and protection. The more PII a company stores, the greater the risk for which they assume the burden of proof of protection.

Cloud data storage of personally identifiable information (PII) leaves consumers vulnerable to a cyberattack in all aspects of life, from global enterprises with which they do business to their local machine at home or work. Got a credit card with Citibank? Over 360,000 Citibank credit cardholders had their data stolen in a cybersecurity breach in 2011. In 2013, more than 40 million consumers with Target credit and debit card accounts were affected. More than seven million small businesses had sensitive information exposed in a data breach with JP Morgan Chase in 2014. In one of the worst cybersecurity breaches of all time, in terms of volume and data sensitivity, the records of 80 million Anthem patients and employees were accessed in 2015, including social security numbers. Major data breaches make news reports more often than we like, reminding us of the dangers presented by hacking and phishing, malware, identity theft, and much more. Once a hacker has obtained your name, address, and personal information, they can then use this data to represent you online and try to infiltrate your desktop system to access even more personal data, to plant a virus or ransomware, or even mine cryptocurrency.

Does all of this sound like a foreign language? You don’t need to be a technical whiz to be able to protect yourself. A few simple measures can go a long way toward increased cybersecurity. The great news is that you can do a few things on your machine, at home or work, that can increase security. Follow these tips for improved protection:

  • Use best practices for passwords.
    • Passwords should be unique
      • Create a different password for each computer and each website or web portal you access. If a hacker can determine one password and you use the same password for multiple accounts, the hacker now has access to more than one of your accounts and can cause that much more damage.
    • Passwords should be complex
      • Create passwords using a combination of capital and lowercase letters, numbers, and symbols like ?!@#$%.
    • Change your password regularly
      • Changing your password for each computer and website or web portal you access at least twice per year is wise. Even if a hacker can figure out your password for one machine or location, changing the password in a matter of days or weeks from that time can minimize the damage the hacker can cause.
  • Know your privacy settings.
    • Maintain a realistic perspective on your risk
      • Every major organization performs routine risk assessments. Why wouldn’t you have a realistic perspective on the risks you face and do whatever you can to protect yourself? Trust us when we say you can’t afford not to!
    • Verify your privacy settings
      • You can verify the privacy settings on your desktop or laptop by clicking on the “Start” menu in the lower left corner of your screen, “Settings”, and then reviewing the options shown. On the right side of this menu, you’ll also see suggestions for how to restrict privacy, and as you read this you’ll know we encourage the maximum privacy settings!
  • Take advantage of built-in security tools.
    • Updates!
      • Microsoft regularly releases application and security updates for its operating systems, and we strongly recommend regularly checking for these updates and installing the latest security packages.
    • Windows Defender
      • Windows 10 comes with a built-in tool called Windows Defender that helps protect your user experience against pop-up screens, slow performance and threats from spyware and viruses.
      • Microsoft’s default settings have Windows Defender automatically enabled for users.

It’s important to note that in professional environments, IT departments commonly establish guidelines for security and password protocols. While the above are best practices that you can follow to protect yourself, you should always follow the policies and procedures set forth by IT security teams.

  • These tips are catered for a Windows 10 system, but the basic rules apply to any operating system.

Don’t fall victim to a hacker this year – take the proper approach to cybersecurity and protect yourself from vulnerabilities. See more details by watching this short video and taking the proper steps today.

Make 2018 the year you have an ironclad cybersecurity program, for your home and your office!


Want To “WOW” Your Boss With Professional Diagrams And Flowcharts?

I Have Some Tips For You.

Microsoft Visio

I often get asked by my boss to take the data she accumulates and put it into easy-to-read diagrams and charts. I was using Excel until just recently, which is great, but I needed something with more functionality and design choices. Then I found Microsoft Visio. I think it’s one of the best options available today to create diagrams and flowcharts. I have access to so many great templates and shapes that give my work the professional look my boss requires.

I really didn’t know much about Visio until a colleague told me about it. And when I gave it a try, I was sold. Now my diagrams can be as simple or complicated as I want. Visio provides all the tools and functions I need and comes with a wide variety of built-in shapes, stencils, and objects. I can even create my own shapes and import them if I want.

Have you heard about Visio Online? Microsoft Visio 2016 Viewer lets you view Visio drawings inside your Microsoft Internet Explorer Web browser. It’s a web-based version of Visio. So, when I’m away from the office I can still use it to design, create, edit and share diagrams and flowcharts online. I just upload my Visio diagrams and flowcharts to either SharePoint or OneDrive for Business and edit them in my browser.

Now I can collaborate with my team to streamline projects and work with them on diagrams right from my web browser. And I don’t have to worry about security. The only people who have access to my charts are the ones I authorize. I can even review their comments and add my own directly from my browser. And here’s another plus!—I can store all my diagrams in our OneDrive cloud storage that has 2GB of space.

What my team and I like best about MS Visio is that it’s so easy to use. It’s simple to create top-notch diagrams with commonly-used diagram types and rich shape sets. It’s easy to collaborate with team members and stakeholders, view and add comments, and share the diagram with others. We can pull external information into Visio such as an Excel sheet, or Access database. Now when my boss sends tons of data to me, I pull up my Visio, Excel or Access and design fantastic diagrams in just an hour or so. (She thinks I work all weekend to get this done!)

In case you didn’t know, Visio 2016 was released in September 2015 along with Microsoft Office 2016. It has dozens of templates you can use for a multitude of industries and verticals.

A few new features were added such as the ability to connect to Excel data, information rights management for your Visio files, modern and detailed shapes for site plans and floor plans, IEEE-compliant electrical diagrams and home plans (architects, contractors, engineers, and designers will like these), and even 3D map diagrams. Plus, it comes with a bunch of new starter diagrams, themes, and built-in shapes–hundreds of them! All these shapes are categorized, so they’re easy to find and choose from.

Want to know some really helpful Visio tips? I’ll share them with you here. I now consider myself a Visio expert, and I know there are a lot of beginners out there who might appreciate them.

Text Editing

Sometimes you need to edit text when you’re putting everything together, and not all applications let you do this. However, it’s easy to do in Microsoft Visio: Just click on the shape next to your text and press the F2 button. That’s it. Now you can edit as you wish–Simple! When you’re finished just press “Esc” to get out of the text-edit mode.

Shortcuts

  • F1 – for Help
  • Tab – to switch between shapes
  • Ctrl+1 – for the “selector” cursor
  • Ctrl+2 – for the text tool
  • Ctrl+3 – for connector lines
  • Alt – for the main toolbar
  • F3 – for the Format Shape task pane
  • Ctrl+PageUp or PageDown – to move between sheets
  • Ctrl + scroll up or down with the mouse – to zoom in and out
  • Ctrl + click on and drag an object – to copy and paste it in another place

Draw Shapes

The Drawing Tool is next to the Pointer Tool on the Ribbon. Click on the arrow and select a shape from the drop-down menu. Then you can start drawing your shape. Try combining shapes with the Pencil Tool to make more complex or intricate shapes. You’ll be an expert before you know it.

Save Shapes

If you want to save a shape that you made, Visio lets you do this. Look on the left of the toolbar for “More Shapes” > “New Stencil” and drag and drop your shape into the blank space. Then right-click it and choose “Save As.” Now, just rename the shape and save it.

Add Files

With Visio, you can copy anything from other Microsoft Office apps and paste it into your diagram or flowchart. So, if you have an Excel table or diagram, just copy and paste it right into your Visio diagram or flowchart. This saves you from having to redraw it. You can now proceed with Visio’s editing tools.

Create Flow Charts Quickly in Visio Online.

  1. Choose the Basic Flowchart diagram.
  2. Choose a shape from the Shapes Panel and drag/drop it into your canvas.
  3. Hold your pointer over the shape until you see the Auto-connect arrows.
  4. Move the pointer to one of the Auto-connect arrows. You should see Quick Shapes where you can choose the shape you want to add.
  5. If you want to add some text, double-click the shape.
  6. You can add more shapes by dragging and dropping them from the Quick Shapes list.
  7. Use the smart guides to align your shapes the way you want.

Before long, you’ll be an expert in Microsoft Visio. I hope this helps, and you get the kudos from your boss that I did from mine!


Why I No Longer Charge My Mobile Phone Overnight and Why You Shouldn’t Either

I just read this warning: “Don’t overcharge your mobile phone. Make sure you unplug it from the charger after it reaches 100%. Don’t leave it charging overnight.”

Why is this?

It’s because your mobile phone charger doesn’t stop charging after your phone reaches 100% capacity. It keeps topping off the charge during the night. This is called a “trickle charge.”

Charging Mobile Phones

While you’re sleeping, and the phone is plugged in, it works to keep fully charged by compensating for the small amount of charge it loses by just being turned on. This is bad because the trickle charge causes your mobile phone to retain a higher ambient temperature than it should. This ultimately reduces the battery’s capacity.

I wondered why I couldn’t seem to keep my phone charged all day. It’s barely three-years-old, and I’m already having battery issues! Now I know why. I’ve been damaging the battery all this time by charging it at night while I sleep. I wish I had known this before!

Mobile phones contain a rechargeable lithium-ion (or Li-ion) battery that charges faster than traditional rechargeable batteries. So, when we plug our iPhone or Android into a charger, it can get fully charged in just about two hours.

By keeping our phones charged overnight we’re increasing the amount of time it spends on the charger, thereby degrading its battery capacity that much sooner.

Hatem Zeine, the founder of Ossia, a developer of wireless charging technology, tells us: “If you think about it, charging your phone while you’re sleeping results in the phone being on the charger for 3-4 months a year. So even though the manufacturers try their best to cover this scenario, this process inevitably lowers the capacity of your phone’s battery.”

Batteries decay from the moment you start using your new phone. This means they gradually lose their ability to hold a charge. By charging your phone overnight, you’re increasing the amount of time it spends with the charger. As a result, it degrades the capacity much sooner.

If you’re like me, you’re always on your phone checking text messages, emails, calling people, listening to music, watching videos, surfing the Web and more. It’s no wonder the battery runs down so quickly. However, if we’re careful about the way we recharge our phones, we can get much more life from the battery.

The people at Cadex Electronics that make lithium phone batteries say:

“Go ahead and charge to 100%. There’s no need to worry about overcharging as modern devices will terminate the charge correctly at the appropriate voltage…Modern smartphones are smart, meaning that they have built-in protection chips that will safeguard the phone from taking in more charge than what it should. Good quality chargers also have protection chips that prevent the charger from releasing more power than what’s needed. For example, when the battery reaches 100%, the protection hardware inside the phone will stop current from coming in, and the charger will turn off.”

However, they go on to say:

“Li-ion does not need to be fully charged as is the case with lead acid, nor is it desirable to do so. In fact, it is better not to fully charge because a high voltage stresses the battery.”

Don’t wait until your phone battery gets to 0% to charge it. A good time to charge it is when the battery reaches 35-45%. Doing this will help to preserve the battery life. If you do this religiously, then you should be able to keep your smartphone for longer than two years.

So essentially what I’ve learned is that rechargeable batteries are doomed to failure. They are constantly decaying from the moment you first turn on your brand-new phone and eventually lose their capacity to hold a charge. How depressing!

This is why my phone keeps losing its charge more quickly the longer I have it! I’ve owned my current iPhone 7 for over two years, and I’ve experienced a significant reduction in battery capacity.

Even worse, Apple tells us that constantly charging and recharging the iPhone battery isn’t good because the capacity of Li-ion batteries diminishes slightly with each charging cycle.

Most Android phones have a feature that allows for fast charging. They also have a chip with a Power Management IC (PMIC) that tells the charger when it’s receiving the higher-voltage fast charging to prevent it from overheating. Heat is a bad thing for all mobile phones. This is why you should never leave your phone in a hot car. The same goes for freezing temperatures.

So, what do the experts advise us to do? How should we charge our smartphones?

Here’s what the people at Cadex say to do:

“Don’t wait until your phone gets close to a 0% battery charge until you recharge it. Full discharges wear out the battery sooner than do partial discharges. Wait until your phone gets down to around a 35% or 40% charge and then plug it into a charger. That will help preserve the capacity of the battery. You should also keep your phone cool, as higher temperatures accelerate the loss of battery capacity.”

Another tip: Take off your phone’s case before you charge it so it won’t overheat.

Well, I guess this is the reason why I never seem to keep a phone longer than two years. This, coupled with the fact that Apple keeps coming out with cool new phones entices me to replace my old one. I know–This can be an expensive proposition. Maybe this is what the phone companies planned for all along–To keep us buying new phones! And with the pay-by-the-month plans that providers now offer, they make it even easier to swap out our not-so-old phones for a new one.

But for those of you who want to keep your phones for longer than two years, charge your phone during the day after it reaches 35 to 40 percent and unplug it when it reaches 100%. This might get you more longevity from your Li-ion battery so you can hang onto your phone for another year or so.


New Threat Alert From The FBI – Password Spraying

You probably use a number of personal identification numbers (PINs), passwords, and passphrases to get money from ATMs, to use your debit card when shopping, or to log in to your personal or business email. Hackers represent a real threat to both your personal and business password security and confidential information. Now, these criminals are using a technique called Password Spraying to steal your information.

Password Spraying

According to information derived from FBI investigations, malicious cyber actors are increasingly using password spraying against organizations in the United States and abroad. In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses. However, password spraying isn’t limited to this group. Other hackers are using it to gain access to both personal and business confidential information.

Manhattan U.S. Attorney Geoffrey S. Berman said: “Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code. As alleged, this massive and brazen cyber-assault on the computer systems of hundreds of universities in 22 countries, including the United States, and dozens of private sector companies and governmental organizations was conducted on behalf of Iran’s Islamic Revolutionary Guard. The hackers targeted innovations and intellectual property from our country’s greatest minds. These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest. The only way they will see the outside world is through their computer screens, but stripped of their greatest asset – anonymity.”

How Does Password Spraying Work?

Password spraying is a type of brute force attack that hackers use to gain access to your IT system. With traditional brute force attacks, the criminal uses one username with multiple passwords. Employing a lockout functionality, which locks the criminal out after a set number of login attempts, is an effective means of dealing with traditional brute force attacks.

However, with a password-spray attack (also known as the “low-and-slow” method), the malicious cyber actors use a single password against many accounts before moving on to another password. They continue this process until they find one that works. This strategy works for them because they can avoid account lockouts. It circumvents lockout functionality by using the most common passwords against multiple user accounts until they find one that works.

Password spraying targets single sign-on (SSO) and cloud-based applications using federated authentication. A federated authentication identity provides single access to multiple systems across different enterprises. Criminals target federated authentication protocols because doing so disguises their activities and ensures their anonymity.

Attackers use password spraying in environments that don’t use multi-factor authentication (MFA), rely on easy-to-guess passwords, or use SSO with a federated authentication method.

Your Email Is Also At Risk

Hackers also prey on email accounts that use inbox synchronization (which pulls emails from the Cloud to inboxes on remote devices). Malicious actors use inbox synchronization to obtain unauthorized access to your organization’s email directly from the Cloud. Then they download email to locally stored files, identify your company’s email address list, and secretly apply inbox rules to forward your sent and received messages to them.

The United States Computer Emergency Readiness Team (US-CERT) details how hackers use password spraying, what you should watch out for, who is at risk, and the impact this type of attack can have on your organization.

Your Technology Service Provider can explain this to you and your employees in plain language, and help you protect your organization against password spraying and other attacks.

Traditional Tactics, Techniques & Procedures

  • Using social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
  • Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
  • Leveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accounts
  • Using the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators That You’ve Been Attacked

  • A massive spike in attempted logins against the enterprise SSO portal or web-based application;
  • Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String).
  • Attacks have been seen to run for over two hours.
  • Employee logins from IP addresses resolving to locations inconsistent with their normal locations.
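The indicators above can be turned into a simple log check. The following is an added example, not code from the FBI or US-CERT notice: it groups sign-in events by source IP and User-Agent and separates a spray (few failures per account, many accounts) from a traditional brute force that lockout would catch. The log format, sample events, field names and thresholds are all assumptions made for illustration.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed SSO sign-in events (not real log data):
# timestamp, source IP, User-Agent, username, outcome
SAMPLE_LOG = """\
2018-03-27T02:00:01 203.0.113.7 python-requests/2.18.4 alice FAIL
2018-03-27T02:00:02 203.0.113.7 python-requests/2.18.4 bob FAIL
2018-03-27T02:00:03 203.0.113.7 python-requests/2.18.4 carol FAIL
2018-03-27T02:00:04 203.0.113.7 python-requests/2.18.4 dan FAIL
2018-03-27T02:00:05 203.0.113.7 python-requests/2.18.4 erin FAIL
2018-03-27T02:20:01 203.0.113.7 python-requests/2.18.4 alice FAIL
2018-03-27T02:20:02 203.0.113.7 python-requests/2.18.4 bob FAIL
2018-03-27T02:20:03 203.0.113.7 python-requests/2.18.4 carol OK
2018-03-27T02:20:04 203.0.113.7 python-requests/2.18.4 dan FAIL
2018-03-27T02:20:05 203.0.113.7 python-requests/2.18.4 erin FAIL
2018-03-27T09:10:00 198.51.100.9 curl/7.58.0 frank FAIL
2018-03-27T09:10:05 198.51.100.9 curl/7.58.0 frank FAIL
2018-03-27T09:10:10 198.51.100.9 curl/7.58.0 frank FAIL
2018-03-27T09:10:15 198.51.100.9 curl/7.58.0 frank FAIL
2018-03-27T09:10:20 198.51.100.9 curl/7.58.0 frank FAIL
2018-03-27T09:30:00 192.0.2.15 Mozilla/5.0 grace FAIL
2018-03-27T09:30:20 192.0.2.15 Mozilla/5.0 grace OK
"""

Event = namedtuple("Event", "time ip agent user outcome")


def parse(log_text):
    """Turn whitespace-separated log lines into time-ordered Event tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, agent, user, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, agent, user, outcome))
    return sorted(events)


def detect(events, window=timedelta(minutes=30), min_accounts=5,
           lockout_threshold=5):
    """Classify each (IP, User-Agent) source by its failed sign-ins.

    window, min_accounts and lockout_threshold are assumed values; set
    lockout_threshold to the lockout limit your identity provider enforces.
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[(ev.ip, ev.agent)].append(ev)

    findings = {}
    for source, evs in by_source.items():
        failures = [e for e in evs if e.outcome == "FAIL"]
        counts, start = Counter(), 0
        max_accounts = max_per_account = 0
        # Sliding window over this source's failures, oldest first.
        for ev in failures:
            counts[ev.user] += 1
            while ev.time - failures[start].time > window:
                old = failures[start].user
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            max_accounts = max(max_accounts, len(counts))
            max_per_account = max(max_per_account, max(counts.values()))

        if max_per_account >= lockout_threshold:
            verdict = "brute_force"      # one account hammered; lockout sees it
        elif max_accounts >= min_accounts:
            verdict = "password_spray"   # many accounts, each under the limit
        else:
            verdict = "normal"
        findings[source] = {
            "verdict": verdict,
            "accounts_targeted": max_accounts,
            "max_failures_per_account": max_per_account,
            # Successful sign-ins from a spraying source need urgent review.
            "succeeded": sorted({e.user for e in evs if e.outcome == "OK"}),
        }
    return findings


if __name__ == "__main__":
    for source, finding in detect(parse(SAMPLE_LOG)).items():
        print(source, finding)
```

In the sample, the spraying source never exceeds two failures per account, so no lockout fires, yet it touches five accounts and ends with a successful sign-in as `carol`.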

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics:

  • Use SSO or web-based applications with the federated authentication method
  • Lack multifactor authentication (MFA)
  • Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)
  • Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices
  • Allow email forwarding to be set up at the user level
  • Limited logging setup creating difficulty during post-event investigations

The Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption of regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

7 Steps You Can Take To Mitigate Password Spraying Attacks

  1. Enable MFA and review MFA settings to ensure coverage over all active, internet-facing protocols.
  2. Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords.
  3. Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align with company policy, creating an exploitable security gap.
  4. Many companies offer additional assistance and tools that can help detect and prevent password spray attacks, such as the
  5. Make sure your employees change their corporate passwords every 60 days.
  6. Establish a password policy that prohibits easy-to-guess passwords. Enable multi-factor authentication (MFA) for all web-based applications. If MFA practice is already in place, review current protocols thoroughly to ensure it is maintained well.
  7. Ask your Technology Solutions Provider to conduct Security Awareness Training for your employees at all levels.
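The passwords quoted in the alert (“Winter2018”, “Password123!”) pass a typical character-class complexity rule, which is why steps 2 and 6 call for a policy that screens out guessable passwords rather than one that only counts character types. The following added example, not part of the original notice, shows such a screen; the base-word list, the "three of four classes" rule, the eight-character minimum and the `examplecorp` context word are assumptions for illustration.

```python
import re

# Assumed starter list; a real deployment would also load a list of common
# and breached passwords plus organisation-specific terms.
GUESSABLE_BASES = {
    "password", "welcome", "letmein", "qwerty", "changeme", "admin",
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Undo common character substitutions before comparing with the list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(password):
    """Character-class rule (assumed): 8+ characters, 3 of 4 classes."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 8 and sum(classes) >= 3


def screen(password, context_words=()):
    """Return the reasons a password should be rejected (empty list = accept)."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    # Reduce "Winter2018" or "P@ssw0rd123!" to the word it is built on:
    # lowercase, drop the trailing digits/symbols, undo substitutions.
    base = re.sub(r"[\d\W_]+$", "", password.lower()).translate(LEET)
    blocked = GUESSABLE_BASES | {w.lower() for w in context_words}
    if base in blocked:
        reasons.append("built on guessable word '%s'" % base)
    return reasons


if __name__ == "__main__":
    for candidate in ("Winter2018", "Password123!", "P@ssw0rd123!",
                      "correct horse battery staple"):
        print(candidate, meets_complexity(candidate), screen(candidate))
```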

The FBI Reporting Notice

The FBI would like you to report any suspicious or criminal activity to your FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at [email protected].

Your report should include:

  • The date,
  • Time,
  • Location,
  • Type of activity,
  • Number of people affected,
  • Type of equipment used for the activity,
  • The name of your company or organization, and
  • A designated point of contact.
