Why It’s Important to Lock Your Computer and Phone


Network security is not always about implementing new encryption protocols and using state-of-the-art tools to protect your business. Sometimes, it’s the small things that can make a massive difference. So, if your collective staff can implement this one easy trick, you might be surprised by how beneficial it can be for your network’s security. This practice? Locking your computer and phone.

What Is Locking Your Phone and Computer?

Essentially, your phone and computer can go into a sort of sleep mode when they’re not being used. You do this every time you close the screen on your phone. When your phone “wakes up” to be used, there should be a password required to get back into your phone. Otherwise, anyone can swipe the screen and start reading.

Locking your phone is second nature, and many people have complex passkeys or fingerprints required to do so. Computers are a different matter. Most office workers will stand up and leave their desks without locking their PC. The better practice is to lock your PC, either by performing the lock sequence that will prompt the next user for a password or putting it into a sleep mode that requires a password upon your return.

Let’s take a quick look at the benefits you get from locking your phone and computer.

Keeping Private Documents Out of Sight

The chances that corporate espionage is going to take place at a medium-sized landscaping company might be small compared to a large media conglomerate. Nevertheless, private documents on phones and computers often hide passwords and personal information.

Allowing those resources to be compromised can harm your reputation and leave you open to a litany of problems, including lawsuits.

Your Work Phone and Computer Are Vectors for Malware

Hundreds of people can come and go from a large workplace daily, and it’s not like you can keep track of them all. Unfortunately, it only takes one person with bad intent to find a computer or work phone that is connected to your company’s network and upload malware.

The most common vector for malware these days is email, and many of your company’s resources are geared towards stopping that threat as long as it’s from an external source. However, if someone sends an internal email from a trusted worker’s account and CCs everyone in the building, then it’s safe to say most people would let down their guard enough to open that email.

All it takes is a single terminal left unlocked and someone can wreak havoc on your business. Locking your computer and work phone can deter this threat, or at least delay an intruder long enough for them to be caught.

The benefits of locking your phone and computer at work go beyond malware and corporate espionage, though. It stops workers from learning about promotions, pay rates, and internal investigations. Locking your computer can also prevent data from being altered on a project without your knowledge.

Implementing this change is simple, and it does not require a lot of time. Get your team together, teach them how to lock their computers and phones, and test them once in a while to make sure they’re compliant. Not only will this increase security, but it will make your workers feel more like true stakeholders in the well-being of your business.

Check out our blog posts here for weekly content on business, technology, best practices, and more!

Phishing Attacks in 2021 Trending Due To Pandemic


Hackers have made some nefarious choices over the past several months, many of which involve using the COVID-19 pandemic to spread their influence and steal data through the use of phishing attacks. Let’s explore how these cybercriminals have leveraged a global disaster to their benefit and some ways that you can keep your business secure.

According to SecureList, spam and phishing trends in Q1 of 2021 were heavily influenced by the COVID-19 pandemic, and not in a good way. Here are a few examples of the major threats that surfaced during this time.

Stimulus Payment Scandals

Early 2021 saw many initiatives by government agencies to suppress the financial burden placed on individuals and businesses through the use of economic impact payments and business bailouts. Hackers, of course, wanted to capitalize on this and began using phishing messages to trick people. Targets received messaging that was often specific to their bank and utilized similar branding to official websites. These efforts were all elaborate tricks to convince users to hand over their credentials. Users would unsuspectingly enter their credentials into forms on these fake websites and put their sensitive information at risk.

The Vaccine Race

Back when the COVID-19 vaccine was in short supply or the supply itself was limited to specific groups of people, there was a bit of a race to get to it. This rush created an opportunity for hackers to capitalize on people’s desire for security and safety, and they leveraged phishing schemes that used the vaccine to their advantage. They would use the language and branding of official health organizations to convince users to click on links in emails, which would then redirect users to fake websites for harvesting credentials or banking information. Even those who got the vaccine received surveys offering free goods in exchange for information.

What You Can Do

It’s no surprise that cybercriminals are using these tricks to subvert security measures. These types of attacks are just more of a string of phishing attacks that must be kept up with in order to maintain network security. Here are a couple of ways that you can make this happen.

  • Utilize Spam Protection: While they aren’t 100 percent effective all the time, spam filters are great for keeping threats out of your inbox. The most advanced phishing attacks could still make their way into your inbox, which is why we recommend taking multiple measures of network security.
  • Train Your Employees: If messages do make it past your spam filter, you will want those who are reading the messages—your employees—to be able to identify the threat and avoid it at all costs. This is where training comes in.
  • Implement Unified Threat Management: Unfortunately, even the best employees will make mistakes, so you will want to have a contingency plan in place for when accidents happen. A UTM gives you just that with a single all-in-one security solution for your network security.

4Corner IT can help your business approach network security in a responsible manner, implementing the best solutions and constantly testing your employees’ awareness of important security practices. To learn more about how we can help you protect your business, reach out to us at (954) 474-2204.

These New Password Best Practices from the NIST Are Not What You Think


When a hacker tries to access one of your accounts, the first challenge they must overcome is the password. This is why industry professionals always encourage you to create them with security in mind. The latest guidelines issued by the National Institute of Standards and Technology, or NIST, are not quite conventional or traditional, but they do give valuable insights into how to create more secure passwords.

What is the NIST?

The NIST is the authority on all things password-creation, and they are no strangers to issuing various best practices. While these practices do shift over time, due to the unfortunate side-effect of threats adapting to security standards, their advice is trusted and should absolutely be considered by all. Please see below for the recent update on password best practices.

The New Guidelines

Many organizations and Federal agencies have adopted these guidelines. Here are the latest steps to take when building a secure password.

Length Over Complexity

Most security professionals have advocated for password complexity over the past several years, but the guidelines issued by NIST disagree. NIST suggests that the longer the password, the harder it is to crack, and they even go so far as to say that complex passwords with numbers, symbols, and upper- and lower-case letters make passwords even less secure.

The reasoning for this is that the user might make passwords too complicated, leading them to forget them entirely, so when it comes time to replace the password, they will add a “1” or an exclamation point at the end. This makes them easier to predict should the original password be stolen. Users might also be tempted to use the same password for multiple accounts, which is a whole other issue that certainly does not aid in security.

No More Password Resets

Many organizations require their staff to periodically change their passwords, mostly every month or every few months. The idea here is to preemptively change passwords on the off chance that the old passwords have been compromised. Trying to use the same old password multiple times would then lock the hacker out of the account, as the password has since been changed. While this has been an accepted best practice for some time, NIST recommends that this practice be put to the wayside, as it is actually counterproductive to account security.

The reasoning behind this determination is that people will not be as careful with the password creation process if they are always making new ones. Plus, when people do change their passwords, they will use the same pattern to remember them. This means that passwords could potentially be compromised even if they have been changed, as a hacker could recognize the pattern and use it against the user.

Make Passwords Easy to Use

Some network administrators worry that the removal of certain quality-of-life features such as showing a password while the user types it, or allowing for copy/paste, will make the password more likely to be compromised. The truth is the opposite; ease of use does not compromise security, as people are more likely to stick to established password protocol if you make it easier for them to do so.

Don’t Give Out Password Hints

At the same time, you don’t want to make things too easy for your employees, either. One way that administrators help out employees who easily forget passwords is by providing password hints. The system itself is flawed, especially in today’s society of oversharing information across social media and the Internet in general. If Sally makes her password based around the name of her dog, for example, the hacker might be able to find that information on her social media page, then can try variations of that name until the code is cracked. So, in the interest of network security, it’s better to just forego these hints. There are other ways to make your password system easier to deal with that don’t compromise security.

Limit Password Attempts

When you place a limit on password attempts for your business, what you are essentially doing is giving hackers a limited number of chances to get lucky. NIST suggests that most employees will fall into one of two categories in regard to password remembrance; either they will remember it, or they will keep it stored somewhere (hopefully in a password management system). Thus, if an employee is likely to do one or the other, a limit on password attempts will not necessarily impact them but will make all the difference against security threats.
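The two guidelines above, length over complexity and a cap on failed attempts, are easy to turn into code. The following is an added example written for this page, not code from the article or from WheelHouse IT; the minimum length of 12, the lockout after 5 failures, and the "too similar to the old password" rule (which catches the old password with a "1" or "!" tacked on, as described earlier) are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Policy values are assumptions for this example, not figures from the article.
MIN_LENGTH = 12                        # a length floor instead of character-class rules
MAX_ATTEMPTS = 5                       # failed logins allowed before the account locks
TRAILING_FILLER = "0123456789!?.#$*"   # characters people tack onto an old password


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate password is rejected (empty list = accepted).

    Deliberately no composition rules: a long passphrase of lowercase words passes,
    a short string full of digits and symbols does not.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if old is not None:
        # Reject "the old one with a 1 or ! on the end" and other one- or two-key tweaks.
        if edit_distance(new.lower(), old.lower()) <= 2:
            problems.append("differs from the previous password by two characters or fewer")
        elif new.lower().rstrip(TRAILING_FILLER) == old.lower().rstrip(TRAILING_FILLER):
            problems.append("previous password with different trailing digits or symbols")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 digest, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False

    @classmethod
    def create(cls, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(salt, _hash(password, salt))


def attempt_login(account: Account, candidate: str) -> str:
    """Return 'ok', 'denied' or 'locked'; a locked account rejects even the right password."""
    if account.locked:
        return "locked"
    if hmac.compare_digest(_hash(candidate, account.salt), account.digest):
        account.failures = 0
        return "ok"
    account.failures += 1
    if account.failures >= MAX_ATTEMPTS:
        account.locked = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    print(check_new_password("Tr0ub4dor&3"))                       # complex but short: rejected
    print(check_new_password("correct horse battery staple"))      # long and plain: accepted
    acc = Account.create("correct horse battery staple")
    for _ in range(MAX_ATTEMPTS):
        print(attempt_login(acc, "wrong guess"))                   # denied ... then locked
```

The lockout counter and the similarity check both run on the server side; a legitimate user who types the right password on the first try never notices either one, which is the point made above about limits not affecting people who remember or store their passwords.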

Implement Multi-Factor Authentication

We recommend that your business implement multi-factor authentication or two-factor authentication whenever possible. NIST recommends that users demonstrate at least two of the following methods of authentication before they can access an account:

  1. “Something you know” (like a password)
  2. “Something you have” (like a mobile device)
  3. “Something you are” (like a face or a fingerprint)

If two of the above are met, then there is sufficient evidence to suggest that the user is supposed to be accessing that account. Consider how much more difficult this makes things for a hacker. Even if they have a password, it is unlikely that they also have physical access to a mobile device, a face, or a fingerprint.
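To show what "something you know" plus "something you have" looks like in practice, here is an added example, not code from the article or from WheelHouse IT. It assumes the "something you have" factor is a time-based one-time code from an authenticator app on the user's phone (RFC 6238 TOTP, an assumption; the article only lists the factor types), and uses the RFC's published 20-byte test key as a constructed demo secret. A login succeeds only when both the password and the current code check out, and the response does not reveal which factor failed.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the RFC 6238 test key "12345678901234567890",
# base32-encoded the way an authenticator app stores it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side (phone clock skew), constant-time compare."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, at + k * step, step), code):
            return True
    return False


def make_user(password: str, totp_secret_b32: str) -> dict:
    """Enrolment record: salted PBKDF2 digest of the password plus the shared TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_digest": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret_b32,
    }


def login(user: dict, password: str, code: str, at: float) -> str:
    """Both factors are always evaluated; the caller learns only 'ok' or 'denied'."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000),
        user["pw_digest"],
    )
    code_ok = verify_totp(user["totp_secret"], code, at)
    return "ok" if (pw_ok and code_ok) else "denied"


if __name__ == "__main__":
    user = make_user("correct horse battery staple", DEMO_SECRET_B32)
    now = 59  # RFC 6238 test time; use time.time() in a real deployment
    print(login(user, "correct horse battery staple", totp(DEMO_SECRET_B32, now), now))  # ok
    print(login(user, "correct horse battery staple", "000000", now))                    # denied
```

The skew window of one step means a code stays valid for up to 90 seconds, so a server should also record the last counter it accepted and refuse a reuse of the same code; that replay check is left out here to keep the example focused on the two-factor decision.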

Make password security a priority for your organization now so that you don’t have to worry about data breaches later on down the road. WheelHouse IT can help you set up a password manager that makes adhering to these best practices easier. To learn more, reach out to us at (877) 771-2384.

3 Cyber Security Issues Businesses Should Prepare For


Cyber security should be a top priority for all businesses, regardless of size. The unfortunate reality is that many business owners do not take the necessary steps to secure their data, which could lead to significant problems further down the line.  

As technology becomes more advanced and hackers become more sophisticated, it is important to stay on top of these issues so that your company doesn’t fall victim. In this article, we will highlight three cyber security issues that you need to address before it’s too late! 

Mobile Malware 

Increased dependence on mobile devices has led to increased mobile cyber-attacks. Cybercriminals are taking advantage of the fact that people have become increasingly reliant on their mobile devices. 

In 2020, it is estimated that there were two trillion text messages sent. These texts could contain “phishing” attempts whereby malicious actors could attempt to access sensitive information such as passwords, usernames, and account numbers. 

Bank apps and other apps with sensitive information are also at risk. Consumers typically download new apps without doing any research on the company, so it’s critical to do your homework, before adding these apps to your device.  

Check if other users have downloaded and installed the app before you install it yourself. Read the reviews, and conduct a search on Google or one of the other search engines to cover as many bases as possible.  

Compliance Fatigue 

The list of compliance standards grows each day with technology updates and new threats. Compliance fatigue is a real risk for businesses, and it can lead to costly mistakes and wasted time. However, it’s more cost effective to keep up to date now than to face the inevitable repercussions of not doing so later.

Lack Of Awareness and Education About Cyber Security 

Many people have no idea that phishing and other cyber scams are a problem. Any security is only as strong as its weakest point. Employees are a network’s biggest weakness, so education about cyber security dangers is one way to make them aware of the risks they face with every click on their computer or mobile device.

When it comes to cyber security, you need to take precautions at every level: from your on-site systems and data storage, all the way up through the different layers of technology that connect with various parts of your business. Engaging with a trusted MSP like 4Corner IT can help mitigate cyber security risks. 

The Android Botnet that Victimized Consumers and Advertisers


“If it sounds too good to be true, it probably is.” Unfortunately, over 65,000 users neglected to observe this time-honored adage and proceeded to download a “free” app that came with the promise of, among other things, a free pair of tennis shoes. Before it was all over, the online criminals had spoofed over 5,000 Android apps that, in turn, downloaded an ad fraud botnet onto over 65,000 devices. The botnet was also responsible for more than 2 billion bid requests. Yes, that’s billion, not million.

When Did It All Start?

The attack, now codenamed TERRACOTTA, began in late 2019 when a family of apps listed on the Google Play Store offered users an opportunity to download an app in exchange for a free pair of tennis shoes, or in some cases, items such as event tickets, coupons, or even expensive dental treatments. For those who opted for the tennis shoes as their free gift, all they had to do was fill in their name along with their address details and select the shoes they wanted, and in 14 days’ time the shoes would be mailed to their front door. Incredibly, there were no strings attached.

Since initially many users gave the apps a glowing 5-star review, others were likely encouraged by such positive feedback and eager to download an app and then part with their personal information. As time passed and not a single user claimed they received free tennis shoes, the 5-star reviews understandably turned negative. 

How Did They Do It?

The ad fraud botnet used in all the apps silently loaded ads in the background. This is what set this family of apps apart from other apps that have used somewhat similar tactics: those bombarded users with unwanted but obvious ads.

The entire family of apps used in the exploit were not reported to the Google Play Store as being supported by ads. Since no users ever reported seeing any unwanted ads, the apps were able to do their work under the radar. Further analysis showed no monetization mechanism and the analysis confirmed that no ads were ever shown to users. Using these clever ploys, the apps were able to deceive users on Google Play Store until the final week in June 2020.

Exploiting Advertisers

In addition to defrauding the average user, the apps also contained malware that deceived advertisers. Beyond the 14-day window of shoe delivery that of course never occurred, the apps acted as a delivery platform for other functionality that initially remained dormant.  

Eventually it was discovered the other functionality consisted of a customized Android browser that was packaged beside a control module written in the popular React Native framework. After being loaded on the phone, the customized Android browser was used to create deceitful ad impressions. These were then purchased by advertisers who bought them in the digital advertising ecosystem. 

Expert Exploitation

Those committing the fraud made use of several techniques that allowed their malware to remain undetected for quite some time. The clever 14-day “waiting period” let them leave an app with no real functionality on countless phones for an extended period of time. By waiting a lengthy period rather than immediately exhibiting bad behavior, they made it much more difficult for users to connect downloading the malware-loaded app with unwanted behavior that occurred much later. The lengthy waiting period also hampered cybersecurity analysis, since the apps had to be observed for an extended period of time before the exploitive behavior could finally be detected. Those in the anti-virus community simply were not prepared for malware that remained dormant for such a long period of time.

A Cautionary Tale

The clever exploitation described above should be a cautionary tale for companies who may not be well-versed in how to effectively train their employees to spot such deceitful malware. If you would like more information on how to protect your company’s portable devices and other hardware and software from exploitation, please contact us.