Maintaining Data Security In Cloud Computing

Maintaining Data Security In Cloud Computing

With more and more businesses and companies moving to cloud computing solutions it’s important to understand the basics of maintaining data security in cloud computing.  Hackers aren’t looking for financial and credit card information as much as they used to—they are looking to obtain sensitive data that they can hold for ransom.  Much of the time these hackers can access this data through security holes in cloud data storage that have been overlooked.  It’s crucial that businesses take a hard look at how thorough their cloud security is and how employees are briefed on proper usage of cloud storage systems as well as virtual servers and software.

There’s a common misconception that cloud computing is less safe than traditional networks.  But this isn’t the case.  In most data breaches it’s an obvious oversight that leads to a breach in the first place.  The key is to ensure that you have all your bases covered when it comes to points of contact and the links you have within your network.

Examples Of Cloud Data Breaches

There are many examples of companies getting caught with less than stellar cloud security protocol.  Oftentimes it’s a small oversight that leads to big-time losses as cyber criminals are quite adept at sniffing out even the tiniest of holes in a security plan.

In April of 2018, cloud-based compliance resource company ComplyRight experienced a data breach affecting more than 76,000 customers which compromised names, social security numbers, dates of birth, phone numbers, addresses, and email addresses.  Although ComplyRight didn’t specify how the breach happened, security researcher and reporter Brian Krebs suspects that their tax filing website efile4biz.com was hacked and malicious code installed to capture information as it was entered into the website–before it could be passed on to any sort of encryption protocol.

Krebs goes on to write: “While ComplyRight hasn’t said exactly how this breach happened, the most likely explanation is that intruders managed to install malicious code on the efile4biz.com Web site — malware that recorded passwords entered into the site by employers using the service to prepare tax forms.  Translation: Assurances about the security of data in-transit to or from the company’s site do little to stop cyber thieves who have compromised the Web site itself, because there are countless tools bad guys can install on a hacked site that steals usernames, passwords and other sensitive data before the information is even encrypted and transmitted across the wire.”

Thus the obvious point: no matter how secure of an encryption protocol your company has on data in transfer, the data is only as safe as its weakest point of contact.

Cloud Data Protection Steps For Businesses

So is your data safe in the cloud?  The short answer is yes, with a caveat; you must ensure that no stone is left unturned when examining your network for security vulnerabilities.

Outsource Your IT Security

Since your data security is only as strong as your weakest link, it’s important to ensure that you are treating it as a top priority.  If your company’s in-house IT staff is too busy with tasks related to just keeping the servers online and systems running properly, then it might be too much to ask for them to also ensure that the IT security is properly tested and covered.  This is a common problem for small businesses as well as public organizations such as schools that have limited budgets.  This is where outsourcing your IT security could save you from a costly breach in the future.  Allowing professionals to take over security concerns can be more effective than having an already overburdened in-house IT staff try to do it.

Educate Employees

Oftentimes unsavvy employees can get tricked into falling for phishing schemes and other sophisticated email and phone attacks that can allow hackers access to vital information or logins.  Ensuring that your employees are cognizant of cloud security issues and threats is an excellent way to head them off before it becomes a problem.

Ensure Your Business Is Ready For Cloud Computing

Security protocols for in-house networks may not always be adequate for cloud-based infrastructure.  You’ll likely need to examine your current systems to ensure that they can handle cloud-based security standards.  In some cases, hardware or software must be upgraded in order to ensure that basic security levels are maintained.  This is especially true if you want to take advantage of server virtualization.

Vet Third-Party Vendors Carefully

When doing business with third parties you must do your due diligence in selecting only those that place security at a very high importance level.  In December of 2018, Baylor Scott & White Medical Center – Frisco reported that a security issue with a third-party credit card payment vendor had compromised the financial data of 47,000 patients.  In this case it was the security negligence of a third-party contractor that caused problems for the hospital.  This type of breach is a big problem for medical providers in particular due to the number of third-party vendors that they typically use.

Strengthen Your Cloud Security With An Outsourced IT Company

With threats becoming more numerous by the day it can be very hard to keep up with IT security standards and methods of prevention.  Letting a dedicated IT company manage your cloud security is an excellent way to ensure that a data breach will never be an issue.

If you’re a Southern California business or organization and need help moving to the cloud or ensuring that your current cloud-based systems are compliant and up to date with the latest in security protocol, give AMA Networks a call today.

Planning On Failing: The Importance Of Network Disaster Recovery Planning For Your Company

Planning On Failing: The Importance Of Network Disaster Recovery Planning For Your Company

Businesses and organizations both large and small rely on their data systems to function.  In the event that these systems are compromised it can be incredibly costly to conduct data recovery, and those companies who decide to put off setting up a disaster recovery plan can end up paying a huge price.  According to San Diego-based AMA Networks owner Amir Hadziosmanovic data loss due to malware, ransomware, and scams are currently the biggest threats to the IT security of companies.

“The biggest global threat to business cyber security today is malware or ransomware. Company data is their nucleus, and a malware/ransomware attack has the potential to take out even the most stable business in the world in matter of minutes–think Home Depot, Aetna, Target, etc,” says Hadziosmanovic.

Attacks Are Alarmingly Common

Although current data suggests that malware and ransomware attacks are increasingly and troublingly common, many of them are not even reported—suggesting the actual number of attacks is much larger.  “According to the IT community, MSP forums and general IT discussion, ransomware and malware attacks on business are more frequent and they will continue to be,” says Hadziosmanovic.  “So many incidents that we do not know about are not reported because the payout amount was below $500. Average ransomware request is between $500-$2,000 and 20% of them are over $5,000.”

And if you don’t pay the ransomware or your data is non-recoverable by normal means due to a fire or flood it can get incredibly costly.  “There was a study completed by Datto in 2016 that suggested downtime from malware and ransomware can cost a small business as much as $10,000. Some say it is $1,000 per hour if you hire some of the big recovery firms to help you. According to the FBI Internet Complaint Center there were nearly 2,500 complaints registered in 2015 resulting in about $1.6B in damages,” says Hadziosmanovic.

It’s important to weigh the cost of putting proper disaster recovery in place vs how much it would cost to lose everything.

You’re Never Too Small To Be A Target

Never think that you won’t be a target, whether it’s the size of your business or your industry.  “The old school mentality “I am too small” for the hackers is no longer acceptable,” says Hadziosmanovic.  “You are a business, you make money, therefore you are fair game. If hackers can hit up 10,000 small business and every one of them paid $1,000 ransom, that would equate to a very nice paycheck for the hacker of $10,000,000.”  And it’s true; hackers often spread their nets very wide in an attempt to target hundreds of thousands of businesses at once in an effort to get a few to bite.

What Is The Best Method For Disaster Recovery?

So how can a company take steps to prevent data loss, theft, and extortion?  Planning ahead is the biggest step.  Implementing a plan of action in case your business suffers a catastrophic loss is essential to preventing the loss of money, time, and customer trust.

Establishing a disaster recovery and backup plan is tempting to put off because it’s not technically necessary for a business to have in order to operate.  You can hum along just fine without one.  However, this can leave you high and dry in the event of an emergency.  You don’t want to join the throngs of people Googling “hard disk recovery”, “ransomware recovery”, or similar.  Setting up a plan of action is also cheaper than recovery.

Additionally, ensuring that security best practices are followed by your team can also help prevent “zero day” threats, or new threats that use phishing and scam tactics to gain access via human error.

Hire The Pros

Hiring a professional IT company to custom-tailor a BDR (Backup Disaster Recovery) solution fit to your needs and budget is the most cost-effective way to ensure that your business will be protected from both cyber threats as well as natural disasters such as earthquakes, fires, and floods.

Test, Test, Test

According to Hadziosmanovic, it’s important to ensure that these backup disaster plans are tested multiple times throughout the year to ensure that they are working properly.  At AMA Networks in San Diego, when BDR plans are set up for companies they are tested for redundancy multiple times throughout the year, and often they can have a company back up in a few hours or even minutes.

San Diego Data Recovery And Planning For Businesses And Organizations

If you are a Southern California or San Diego based business and you’re interested in hiring a professional IT company to handle your backup disaster recovery planning, AMA Networks is a great choice.  “AMA Networks has helped companies implement this solution across multiple vertices; construction companies, healthcare providers, government subcontractors, professional services, government agencies, and more,” says Hadziosmanovic.  “AMA Networks will test your BDR and BC solution 2-4 times a year and ensure proper testing and failover for both BDR and BC solutions.”  Contact AMA Networks today to get a free assessment!

AWS Security Best Practices

AWS Security Best Practices

With the advent of Amazon’s cloud technology, it has become very easy for businesses to be more flexible and enhance the sharing and usage of files and applications.  However, there are certain things that companies need to be aware of when it comes to the security of the cloud.  According to security expert and writer Brian Krebs, it’s increasingly common for hackers to steal files from unsecured AWS accounts and hold them for ransom.  And this is even when a company knows about the risks.

In order to prevent your business from falling victim to hacking or extortion it’s important to follow some important AWS security best practices.

Understand Security Responsibilities

Many Software As A Service providers (SaaS) will handle the security on their end – anything going on in their software will be secured as will the data going to and from.  However, certain cloud technology providers such as Amazon’s AWS leave the security and access controls of the storage up to the users in the “shared responsibility model”.  This means that companies and users are responsible to ensure that their ecosystem in AWS has the proper security setups in place to prevent data breaches.

In one example the company All American Entertainment, a public speaking contractor, had left thousands of speaking contracts in an unsecured Amazon S3 folder.  They were not technically “hacked” in the traditional sense, but the company was publicly exposed as having left secure files out in the open by a security researcher from NightLion Security.

Not all companies end up getting exposed by a “white hat” security researcher, and instead have their files seized and held for ransom by hackers.

Ensure That User Roles Are Defined

Defining user roles is very important for access control.  Taking advantage of temporary access roles in AWS is a great way to ensure that you don’t have to manage a large amount of user roles in the future.

Never share primary AWS access credentials; instead, use the Identity and Access Management (IAM) tools to create unique roles for users.  These various users are then easily managed by the Admin.

Take Advantage Of Multi-Factor Authentication

As a second layer of security it’s a good idea to set up two factor authentication for both the Admin AWS login and the IAM users in your AWS account.

Control S3 Buckets Via IAM Credentials

The default mode for Amazon S3 buckets for cloud storage is to only allow the creator access to them.  Do not make these buckets public, as that means that anyone on the internet can have access to the files. Use IAM credentials to ensure that only proper users have access. If you do need to make them public, ensure that your have a proper reason to do so and that there aren’t any other sensitive files in the bucket.

Make Use Of The AWS Trusted Advisor

The Trusted Advisor is a tool that can let you know of possible misconfigurations of security in your AWS environment. Another great tool that can be helpful is Netflix’s Security Monkey, which monitors AWS accounts for policy changes and can alerts admins of insecure configurations in their setup.

Hire An IT Security Team If You’re Unsure

If you’re not sure that your AWS setup meets proper security guidelines, contact your local IT services company and ask them for a review of your setup.  It’s better to be safe than sorry when it comes to handling sensitive data.  Security breaches can be very costly for companies in terms of both reputation and money.  All forms of hacking and extortion schemes such as tech support phone scams and phishing attempts are getting more and more sophisticated and difficult to detect.

If you’re a San Diego business or company unsure about any of the topics in this post or wondering if your AWS setup is secure, feel free to give AMA Networks a call for a free assessment and to see whether or not we can help you with your cloud security.

Tech Support Phone Scams Are Getting More Sophisticated

Tech Support Phone Scams Are Getting More Sophisticated

Think phone scams died off along with landlines?  Think again.  Phone scams are still alive and well, if not more so than in years past.  These scammers are now using specific knowledge acquired through hacking and weaving that personal information into their calls to seem more authentic to their victims.  And it’s working.  Phone scam calls are on the rise, and it can be increasingly difficult for unsavvy people to identify them.  These scammers target both individuals as well as businesses and companies.

In addition to the famous IRS phone scam that has been making the rounds in the past few years, there have been an increasing amount of fake “tech support” scams, with criminals posing as tech support agents from popular companies such as Dell and Microsoft.

Tech Support Scammers Use Your Personal Data To Seem Convincing

In one instance a scammer was able to tell their target the last time the target had called Dell customer support, what the issue had been about, and provided their Service Tag Number and Express Service Code.  Clearly that scammer was quite sophisticated.  The person on the receiving end, thankfully, was savvy enough to know that this was in fact a scam.  However, can you be sure that all the employees in your company have the know-how to spot these types of calls?

Scams are one aspect of IT security that can sometimes elude business owners because they’re not always that obvious or talked about.  Employee education of common scams and basic computer security practices is a simple but effective way of preventing not only phone scams but email phishing and other forms of intrusion that happens on an employee-enabled level.

Oftentimes business owners doing all their own IT themselves might fall victim to these sophisticated scams because they simply don’t know the ins and outs of computer security–and that’s ok!  One person can’t be good at everything, and not all business owners can be expected to be computer experts as well.  The same goes for your employees.  If you think that any of your employees might be the type to fall victim to phishing or phone scams, it might be a good idea to educate them.

Hire A Managed IT Service Provider To Avoid Scams

One way to remove yourself and employees from the IT security “chain of command” is to hire a managed IT services company to handle all your IT needs–including security.  That way you’ll know that any random calls or email solicitations received can be forwarded to the IT company.  You can let them handle it from there – a good IT security team can sniff out a scam in seconds.

A good IT security team can also ensure that your entire network is as secure as it can be, is following various AWS security best practices and other cloud security measures, and is up to compliance standards for the industry that your business is in.

Methods Phone Scammers Use

Malicious Computer Access:  Computer access is a big one for these sophisticated scams.  In the above story the “Dell” tech support agent requested the victim to access a website from the command prompt of his computer, which almost certainly would have resulted in some sort of malware intrusion.  If an employee allows one of these phone scammers access to a company computer it could lead to a huge data breach disaster which could be incredibly costly.

Asking You For Money For Phony Or Pirated Software:  Scammers may also pose as big brand tech support agents in order to sell you software, which in some cases may be pirated software or hacked software that does not have a legal license.  One commenter on the above-linked article indicated that he had been upsold thousands of dollars’ worth of Avast security software and other services such as insurance and Windows security.  Avast then contacted him and told him he was using illegal copies of the software.

Having You Enter Payment Information Into Phony Websites:  Scammers may also simply try to get you to enter payment information into fraudulent websites so they can capture and use this data later.

The Most Common Scams In 2017 and 2018

Here are a few of the most common scams currently making the rounds:

  1. “The IRS is filing a lawsuit against you” – This scam uses a computerized voice informing victims that the IRS is filing a lawsuit against them and that local law enforcement will arrest them unless they pay a fine. This one often tricks many immigrants and elderly people.
  2. The “Can you hear me?” or “Say Yes” phone scam – This scam is very, very tricky. The aim is to get the victim to say yes, and scammers will use the recording of that person saying yes to authorize purchases made in the victim’s name.
  3. The tech support or “your computer has a virus” scam – This scam is what much of this article has been about. Scammers inform a victim that there is a virus on their computer or that they are representing tech support from companies such as Dell or Microsoft.  Scammers attempt to gain access to a victim’s computer through directing the victim to malicious websites, or they attempt to acquire financial information.
  4. The “information verification” scam – Scammers will call a victim and pose as an agent from an insurance company, telling the victim that they simply want to verify information on file.

Tips To Avoid Becoming A Victim:

  • Do not trust unsolicited calls. If you need tech support, contact the company yourself.
  • If you receive an unsolicited call that asks you to click links or hand over personal information, hang up. Companies such as Microsoft do not make unsolicited calls to consumers asking for this type of information.
  • Obtain any software that you purchase directly from the vendor website.
  • Hire a managed IT company to help you ensure that all network and computer security is up to current standards and hand off any calls or information to them.

If you think hiring an IT company to manage your network security, AMA Networks might be a great option.  AMA Networks is an IT Security services provider in the San Diego area, helping dozens of businesses ensure that their IT systems are secure and compliant with national industry regulations.  Call for your free assessment today!