Agency Checklists published the article below last fall as part of National Cybersecurity Awareness Month. One insurance company thought enough of it to ask to republish it in a newsletter to all their agents. With the ongoing attack by the ransomware WannaCry virus, that has disabled almost 250,000 computers around the world, we thought republishing this article on some simple computer security practices might be useful.
Ransomware in its latest, WannaCry, form, is malicious software that targets computers running the Windows operating system. Once the virus loads onto a Windows system by either human error or an unpatched vulnerability the virus encrypts the infected computer’s data files and demands a ransom paid in an untraceable digital currency, bitcoin. The infected computer only shows the lock screen to the right. In the WannaCry attack the ransom demanded is $300 worth of bitcoins. Upon receiving the ransom payment, the hackers promise to provide the digital key to unlock the disabled computer.
The WannaCry ransomware exploits a vulnerability in Microsoft’s Windows systems. Anyone who simply followed the advice in the article below: “Make sure your computers get automatic security updates” would have avoided any angst over this latest ransomware attack. Microsoft, in March 2017, almost two months before all these computers became infected, issued a patch to remove from any Windows systems the vulnerability that WannaCry exploits. Any systems that received Microsoft’s automatic security updates in March had no risk of WannaCry infection. All of the systems infected by WannaCry are systems where automatic security updates were either not turned on or were not applied for one reason or another.
While the only advice in the following republished article that works for the WannaCry virus is the automatic security updates, the rest of the suggestions have equally effectiveness for the other risks that dwell in the wide-open Internet of today.
Our own little contribution to National Cybersecurity Awareness Month
Agency Checklists hopes that this article on five simple free methods for enhancing the computer security in your agency contributes something to cybersecurity awareness for our readers. Many, and hopefully all, of our readers will find that they are already applying these five simple methods. If that is the case, we hope dear readers that you will pass this article on to friends or associates that may not be as assiduous in maintaining security in their operations as you are.
Five free basic steps to check on your agency’s computers.
The following five computer security related suggestions are simply safety plays that would ensure that your security has no inadvertent holes. We expect that this would take a few minutes of training or reading to implement as well as downloading some recognized cybersecurity software that’s free. The free software has been used by Agency Checklist principals with good results in the past. We make no recommendations one way or another to the software or methods discussed, but simply state that we have used these methods and software. As far as we are concerned, they have worked work well for us.
The five particular items relate to, “strong passwords,” “password managers,” “automatic security updates”, “anti-malware programs” and “firewall settings.”
Strong passwords = Stronger Security
The first line of defense for using computers to access business resources from an agency is the individual passwords that agency personnel use to access those resources. Experts advise everyone to use “strong passwords” but often do not elaborate on the details for creating the types of passwords that are difficult to crack.
First, what a “strong password” is not
Before considering the rules for strong passwords, you might wish to peruse the following chart with the “Worst Passwords of 2011- 2015,” published by SplashData, a provider of password management applications (See below).
You also may want to look at your agency’s password list, or circulate this chart, to see if anyone’s passwords should be changed.
The passwords on the chart come from hacked passwords that have appeared on the WEB. The rating as one of the worst passwords results from the frequency of the password’s use.
Most frequently used passwords
A long password is a strong password
The strength of a password is a function of length, complexity, and unpredictability. The difficulty in using a long password with symbol keys and random letters is that they become difficult to remember and use.
A simpler method of generating a password that has reasonable strength is to use longer expressions that you can remember. These type of passwords will have substantially greater length than any of the passwords on the above chart. Some expressions that make good passwords are those that mix numbers with upper case letters.
A good way to create these type of passwords is to use expressions or locations that have a special meaning to you. For example, an address from my past that I do not use as a password “1040 Columbus Ave” has numbers, capitals, and spaces to increase the complexity of the password somewhat.
According to a website for testing passwords run by Kapersky Labs, Secure Password Check, this password example could be cracked by a home computer in 329 centuries and by the world’s fastest computer in four days. Correspondingly, the most popular password in 2015, 123456, could be cracked by the same home computer in one second.
Employing this type of password protocol in your agency may offer some greater protection along with the advantage of being relatively easy to remember.
Another smart option: Use a password manager
Another solution to using strong passwords is to have only one master password that accesses a “Password Manager.”
Password managers store your passwords for logging into sites. They also store your login information and will automatically log you into the site when you click on the site in the password manager’s interface.
Password managers will also automatically generate random character passwords for more secure site logins.
Password managers are highly recommended. They offer excellent security, real convenience for loading and logging into sites, and most have free versions. LastPass, the password manager I use, is a web-based app that encrypts all passwords, credit card information, and usernames in the program but allows me to use the login information from any of my computers and from my smartphone.
A review of free versions of password managers can be found here: The Best Free Password Managers of 2016. The paid versions with additional features can be found here: The Best Password Managers of 2016.
Think about implementing Signon Once in your agency
Another option to consider for your agency is Signon Once. Created by the ID Federation, Signon Once was created with the sole benefit of helping agencies with the problems associated with multiple passwords.
Many in the industry agree that having multiple passwords in an agency leads to bad data security habits as well as a significant loss in productivity. According to Boston Software, the vast majority of its daily customer services calls with agencies concern passwords.
In a 2014 Spring Big “I” Insider article, the rising costs of password problems was noted with Vertafore’s senior vice president and ID Federation board member estimating that 10 to 30% of a carrier’s technology help desk costs relate to passwords, with the dollar value ranging from $51 to $111 per call. In addition, he noted that 39 percent of all data breaches stem from the negligence involved in password resets. That is because many data breaches stem from the fact that the more passwords an agent needs to use, the simpler these passwords become in order to be able to remember them all.
Other problems of multiple agent passwords become even more complicated if passwords expire automatically or if a producer leaves the agency and does not disclose or disable their prior logins and/or passwords.
Make sure your computers get automatic security updates
If your agency uses some version of Windows as its operating system, hacker vulnerabilities are a fact of life. Microsoft has over the years continuously responded with security patches to update the different flavors of Windows over the years. All of these patches and enhancements do little good if the operating systems on all of your agency’s computers are not being updated.
The continuously updated operating system is a secure system. However, some computers sometimes are not updated as regularly as they should be for maximum protection. Without updates, these computers and networks pose a security risk. For example, in 2014, Community Health Systems, which operates 206 hospitals across the United States, allowed hackers from China to steal 4.5 million patient records using malware that an operating system update, if timely installed, would have blocked.
To avoid this issue, Microsoft has made the updating of its latest operating system, Windows 10, automatic. Windows 10 checks for system patches and updates then downloads and installs them without the user being involved. While this system is probably a benefit to users with computers running on Windows 10, user with older versions of Windows such as Windows 7, 8, or 8.1 should make sure that they have automatic updates enabled on their machines.
For readers with Windows 7, or 8, or 8.1, the following Microsoft site explains how to turn on automatic updates: How to keep my computer up to date.
Use anti-malware programs in addition to virus checker programs
All computer viruses are malware. But not all malware are computer viruses. The antivirus software that you have in your agency, if up to date, likely has malware protection. Remember, however, that these programs are still not capable of catching all kinds of malicious software. For example, certain types of spyware, programs that gather information about a computer user without permission, may not be detected by some virus checkers.
Dedicated anti-malware programs are focused on types of malware other than viruses. These anti-malware programs are not substitute for a good virus checker or virus checker suite. They are, instead, a backup or second line of defense for your first line of defense, your antivirus software.
A Free Microsoft anti-malware removal program
If your agency uses Windows-based software, Microsoft offers a free anti-malware tool: “The Microsoft Malicious Software Removal Tool.”
The program is downloadable from Microsoft by clicking this link, Microsoft Malicious Software Removal Tool.
Once downloaded and installed this anti-malware utility will work on any computers running Windows 10, Windows 8 and Windows 8.1, Windows 7, Windows Vista, Windows Server 2012 R2 and Windows Server 2012, Windows Server 2008, and Windows Server 2003 for infections by specific, prevalent malicious software—and helps remove malware and any other infections found.
When the detection and malware removal process is complete, the tool displays a report describing the outcome, including which, if any, malware was detected and removed.
The software is updated by Microsoft on the second Tuesday of the month, if the computer on which it is installed has Windows Update set to automatic. The version of this tool delivered by Windows Update runs on your computer once a month, in the background. If an infection is found, the tool will display a status report the next time you start your computer
Real-time protection with other anti-malware programs
Since your best defense is to block the malware before it can infect your computer, the free Microsoft malware remover that runs once a month may not be best solution.
A number of vendors offer real-time protection where detected malware trying to attach to your computer is blocked and quarantined before it can do any damage. Agency Checklists uses a program called “Malwarebytes.” This program has a free and paid version for both Window and Apple computers. The paid version has the continuous protection. Some other similar programs are: “SplashId,” “Ad-Aware Personal Security,” “Symantec Endpoint Protection,” and “McAfee Endpoint Protection Essential for Small Businesses.”
Personal firewalls turned on and operating on all your computers
A personal firewall is software installed on an individual computer that controls communication to and from that computer when connected to a network or the internet. It provides a line of defense against someone who might try to access your computer from outside the firewall without your permission.
Windows operating systems have a built in firewall that works well for most users. The Windows firewall is turned on by default in all of the Windows operating system versions since Windows XP.
The safety check is to make sure that somehow the firewall has not been shut off inadvertently. The directions from Microsoft to check are: (1) Click the Start button, click Control Panel, clicking Security, and then clicking Windows Firewall. If the firewall is turned off, just click on and click “OK.”
There are free firewall programs such as Comodo Firewall and ZoneAlarm Firewall that offer more features than the basic Windows Firewall. Both these particular programs offer greater protection because they not only block malicious access from outside the firewall but will block malware from accessing the Internet. While these programs are effective they are not simple in application for many users.
Remember cybersecurity lapses can affect more than just your own agency
Cyber Security lapses can involve more than just unauthorized access to your agency’s own records. If your firm’s desktops, laptops, tablets, and smartphones do not have adequate security, hackers may gain access through your computer systems to other companies or agencies through direct or indirect means.
An October 19, 2015 report of the Commissioner of the Security and Exchange Commission, regarding “The Need for Greater Focus On The Cyber Security Challenges Facing Small And Mid‑Size Business,” quotes a then recent survey of 400 small firms. The study found that 27 percent of them have no Cyber Security protocols at all and that a similar number of firms have difficulty implementing the most rudimentary cyber defenses, such as routinely backing up their data.”
The same report noted that small and medium size businesses are the most targeted entities for cyber criminals. This targeting is not only to get personal data from small business or to access their bank accounts for fraud but also to use the small businesses as a conduit to even larger security breaches.
The risk of a small business having inadequate cybersecurity has already been a contributing cause in the largest data breach to date in the United States.
Data breach of 40 million customers’ personal data results from HVAC contractor’s system
In 2013, many of our readers may remember that Target stores had a major data breach. Eventually, Target discovered that the hackers had obtained their initial access to Target’s internal network through stolen access codes used by a Pennsylvania HVAC vendor for Target, Fazio Mechanical Services.
A Fazio employee opened an email with password-stealing malware. The malware from the email installed itself on Fazio’s computers and passed Fazio’s login credentials for Target to the hackers. Using the stolen login information, the hackers accessed Target’s internal network eventually compromised Target’s point-of-sale system.
The Target breach led to the theft of 40 million credit and debit card numbers as well as personal information from almost 100 million customers. The fallout to Target and Fazio was not pretty.
Disregarding Fazio’s potential civil liability to Target for the data breach, Fazio had to publish a statement to its customers that “Fazio Mechanical is not subject of federal investigation” and that it was “fully cooperating with the Secret Service and Target to identify the possible cause of the breach.”
The lesson? Perhaps, an anti-malware program as discussed above would have stopped the intrusion of the malware or would have reported the intrusion.
Happy National Cybersecurity Awareness Month.