Below are a list of questions that were submitted during CyberCon. If you would like us to elaborate on a question that you feel wasn't fully answered, send an email to firstname.lastname@example.org
1. Is it “really” safe to use a password manager like LastPass?
Nothing is truly safe 😊 – but we can make efforts to make it as safe as possible. Make sure a password manager’s main login is protected by using a complex password and at least one more form of authentication such as an authenticator app, hardware key, text, etc. That login is literally the key to the castle so it should be protected more than anything else you have. If the account is compromised then the hacker has access to everything in the account. Do not use that main password anywhere else and don’t have the MFA solution on the same device you are typing the password into. You never know, the device itself may be compromised so having both forms of authentication on the same device can give a hacker his entry point. There are many password managers available and they all have differing levels of security associated with them. Do a little research to determine which one might be best for you. It’s best practice to not store your passwords in your browser. Those are typically easy to extract and thus a primary target for hackers.
2. How do you keep that “one” password from LastPass from being compromised? Are all the passwords compromised if the “LastPass” password is compromised?
Great question! I hope I covered it in the answer it above.
1. How do you check the log for your failed Office 365 logins?
Login to the Office365 portal (https://portal.office.com) and click on the Account Manager button in the top right corner. Choose View Account. Scroll down and click on “My sign-ins”. A list of all recent sign in activity is shown for your account.
2. Secure Emails – For Patient DVCS address
There are many ways to securely encrypt emails and do so affordably. A good rule of thumb is to assume your email is not secure (especially free accounts like Yahoo, AOL, Spectrum, Gmail, etc.). Never send any passwords, health information or private info over open email unless you know it is fully encrypted.
3. Is it secure to login to work from home?
This is a very large question and it has many caveats. It is always best to assume you are never secure. That is the whole premise of Zero Trust we discussed at CyberCon. Use the free tips we provided, always be cautious and if possible use a Zero Trust strategy like Cyber Armor on all devices that touch your company data (including remote devices).
4. Are there Ipad security measures available?
Both Apple and Android both have built in security via their app stores that scan and verify applications on a daily basis to help ensure apps are as safe as possible. Bad apps are automatically removed from the app stores and blocked if found to be malicious. There are always exceptions of course. You can also edit the security settings on those devices to defeat that protection (which you certainly should not do). A good practice is to uninstall any old or unused apps. Do not install apps that are not useful for your business. Clutter does not help productivity and produces more attack points for the criminals.
5. How do you handle other forms of social engineering?
Social engineering takes many forms. Our ability to monitor that is limited which is why we rely on end user education via our included training to help keep that data safe. A good example is if someone puts their full name and full birthdate on FaceBook or other social media. We have no ability to stop them but that information is handy for criminals to have. They can scrape that info along with other info gained similarly to build a profile for a potential victim. By inadvertently providing information in this manner, the target is providing the hacker with everything they need to take out a car loan or fill out a credit card application in the victim’s name. Education on this subject is very important so users don’t put information out there for the public to see and use against them.
6. What about Hotel Wifi – with passwords? Are they safe to use?
One of the issues with any WiFi in hotels, Starbucks, etc. is making sure you are connecting to the right one. Always ask the front desk or cashier what the proper one is to connect to. As observed in the CyberCon video, do not install anything you may be prompted to by the new connection. That is a big red flag that you are on a bad WiFi connection. Once connected, using a VPN is a good practice since it encrypts your network traffic. There are many VPN services to choose from. Some are even free. If you are ever in doubt, use the hotspot all modern phones have built in.
7. How do you manage targeted phishing attacks?
Targeted phishing can be especially devious since the attacker is pinpointing possible weaknesses or interests of the target. Good cyber hygiene is the first step in management. Having good email filtering in place as well as strong passwords and using MFA are essential regardless of whether you are being targeted or not. Then it comes down to end user education. Teaching staff what a threat looks like so they can easily identify it is crucial in your defense. With all of those things in place, an attacker would have a very difficult time of successfully phishing your staff.
8. What is your level of risk you take?
We have spent the past two years designing and testing a system that hits all the main defense points needed for a business to have a good cyber security program. The result is called Cyber Armor. By using multiple layers of technology, filtering, monitoring, 24x7 response and end user education – we believe we have created an all-inclusive and very unique solution for protecting your business. The risk of being infected, hacked or exposed to ransomware is significantly lowered by using our solution. Nothing is 100% impenetrable but Cyber Armor is as close as you can get, while still keeping it affordable. If there is a breach, the damage should be minimized. Plus, we include cyber security insurance as one more layer of final protection.
9. What is the process for reporting personal attacks from scammers?
We don’t typically work with individuals on scammers and hacks since that isn’t our specialty. I did a little research and found this information Report Scams and Frauds | USAGov which I hope you find helpful.
1. Is Hosted Quickbooks safe to use?
In essence, yes the service itself is safe. However, if your machine has been compromised then no app or website on the device is “safe”. I’m sorry to repeat this over and over but it is imperative that all devices that touch your business data be protected and use the Zero Trust strategies. Your internal network may be totally secure but the moment you access QuickBooks Online from a compromised home machine then your security just fell apart.
2. Is Zell safe for Banking Transactions?
I’ll refer back to the answer asked above about whether QuickBooks Online is safe. The same answer applies here.
3. How are vendors protecting ACH/Bank Account Data? Is it “safe/how safe” is it to give your business account or personal account info to your vendors?
This is a very good question and can have a very long answer. I will try to keep it as short as possible. There are many laws in regard to PCI (Personal Credit Information) and how it is stored and used. I don’t pretend to be a lawyer so feel free to verify this as you see fit. It is my understanding that storing any PCI information (such as credit card or ACH info) requires a rigorous analysis of systems, security and processes. This is all controlled by the PCI compliance and associated credit card regulations. Companies that have went through the trouble to become PCI compliant have proven they have what it takes to be trusted with that data. For small companies, that is an awful lot of trouble to go through to store and protect that data. There is a good alternative and I can use ComTech as an example. We use a bank processor to store and process all of our transactions. That bank has the proper certifications and compliance to do so. The data is input via a secure portal by either us or the client directly and no account information is stored locally on paper or on any computer. We don’t even have access to it once it is stored so that puts all the responsibility on the bank processor. By using a system such as this, small companies can accept credit cards, ACH, etc. and still be PCI compliant. Obviously, some local responsibility is still involved. If you are required to not store data locally then you should not keep copies of the credit card numbers, etc. on hand. They should be immediately shredded after being input into the secure banking portal. If you have interest in learning more, I can arrange a joint call with our banking solution to go over the details. Feel free to reach out to your own sources as well. Considering how slow the USPS is, snail mail is a horrible way to make payments in a modern world so being able to securely accept credit cards or ACH for client payments is a no brainer.
4. Is it safer to pay vendors with a credit card or on ACH?
This ties in a bit with the previous question and also has a personal preference side to it. Personally, I like to pay for as much as I can with credit cards. They allow me to earn points and there is no direct link to my bank account. The latter is quite handy if there is ever an error or a dispute. However, many vendors do not accept credit cards for various reasons (including high fees) so ACH is there only option for online payments. Again, this is a personal preference I chose to make for my business. I setup a bank account that I use for ACH payments and keep enough cash in it for that purpose. My operating capital is kept in a different account. That way if there is a mistake or even a hack on the ACH account then the damage is limited. My main operating account has no ACH links of any sort so I never have little to worry about that number getting out into the wild and putting my operating capital at risk.
5. Are customer portals generally safe to use? What makes ComTech’s Portal safe for housing credit card or bank account data?
I will refer back to question # 3. We have partnered with a very large bank that provides a secure “vaulted” service for storing all the financial data. ComTech staff cannot see the account numbers once they have been entered into the secure portal. If provided to us on paper by a client, any documentation about those numbers is immediately shredded. The ComTech portal itself is also protected by SSL (Secure Socket Layer and Certificates) just like any bank would use to encrypt the connection in the browser.
6. Should our devices (computers) be shut down at the end of each day?
From a power perspective, it makes little difference. Modern computers are very efficient and most likely only save pennies in power savings. From a security standpoint, it is true most attacks happen on nights or weekends since the criminals are hoping less people will notice their actions. So if the computer is not going to be used overnight or on weekends then shutting them off is a consideration. Keep in mind that many maintenance routines, security updates, service packs, etc. are loaded overnight to minimize the workday impact. If you turn your machine off every night then you may miss some critical updates or maintenance. We leave our machines on 24x7 but make sure they are logged out or locked. That way they get the maintenance they need. If you do choose to turn your machines off after hours, choose at least one day a week to leave them on (but locked) overnight so they can update. The best days for this are Wed-Friday since Microsoft has an official “patch Tuesday” schedule. You want to make sure you get the latest patches as soon as possible since many of them include security updates. Patching on a Monday would mean you are always at least a full week behind.