Security Concerns of Phishing Attacks

I am revisiting the security concerns of phishing attacks in this posting. Phishing remains the largest vector for delivering malicious software, such as ransomware. The reason it remains the preferred method of attack in many cases is that it works: people are still opening those phishing emails and clicking on those links.

Training employees to recognize phishing emails should be an ongoing process for all companies. Periodically reminding them of the dangers, and of what to look for, keeps the idea fresher in their minds, and hopefully they will be more alert to these dangerous attacks. Those conducting such attacks are also evolving and getting more sophisticated: their emails increasingly use targeted approaches, and it is less obvious that they are not legitimate.

Many use links to websites whose names are only a letter or so off from the legitimate site. If the legitimate site is a “.com”, for example, the nefarious site may be a “.co”. Or, if the site is something like “mybank.com”, the fake site might be “mybank-info.com”.
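As an added illustration (not code from the post), here is a small checker that applies the lookalike rules just described to the links in an email. The allowlist of legitimate domains and the sample message are constructed placeholders, and the two-label domain split is a simplification that does not understand suffixes such as co.uk.

```python
"""Lookalike-link check for email text (added example, not code from the post).
Assumes a constructed allowlist of legitimate domains and a constructed sample email.
Flags the tricks the post describes: a TLD one letter short ("mybank.co"), a
registered name one edit away, and an extended name ("mybank-info.com") that
embeds the real one."""

import re
from urllib.parse import urlparse

# Constructed allowlist; the domain names are placeholders, not real endpoints.
LEGIT_DOMAINS = ["mybank.com", "ccs.example"]
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def split_host(host):
    """Return (registered name, TLD) for a host such as 'login.mybank.com' (naive two-label split)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return 'legitimate', 'unknown', or a 'reason: detail' string for a lookalike."""
    host = urlparse(url).hostname or ""
    name, tld = split_host(host)
    for legit in LEGIT_DOMAINS:
        lname, ltld = split_host(legit)
        if (name, tld) == (lname, ltld):
            return "legitimate"          # exact domain or a subdomain of it
        if name == lname and tld != ltld:
            return f"tld-mismatch: {host} imitates {legit}"
        if tld == ltld and edit_distance(name, lname) <= 1:
            return f"near-miss: {host} is one edit from {legit}"
        if lname in name:
            return f"embedded-name: {host} contains {lname}"
    return "unknown"

def scan_text(text):
    """Extract http(s) links from message text and return {url: verdict}."""
    return {url: classify_link(url) for url in URL_RE.findall(text)}

# Constructed phishing-style message used for the demonstration.
SAMPLE_EMAIL = """Dear customer, your account is locked.
Verify at https://mybank.co/verify or https://mybank-info.com/login now.
Your statement is at https://login.mybank.com/statements as usual."""
```

Running `scan_text(SAMPLE_EMAIL)` flags the first two links and passes the third; a real deployment would feed the allowlist from the domains your organisation actually uses.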

By making data security an ongoing process, your employees will not only have it kept fresh in their minds, but they can also be trained on how to spot the increasingly sophisticated attack emails. The more likely they are to think before opening an email or clicking on a link, and the better they are at spotting emails that are just not quite right, the safer your data is. The bad guys are not taking it easy, so the rest of us have to constantly keep our guard up.

Dave.

Customizing the Counterpoint Data Filters in the Reports

One of the nice features of the Counterpoint software is the ability to customize the data filters in the reports. If you run the items report, for example, you will get the option to choose a range of item numbers, the primary vendor, a range of categories, and sub-categories.

If you want, you can change the filters further and select records based on any of the fields in the item table: profile fields, alternate units, dimensions, descriptions, and many others. The fields can be set to have values included, excluded, or even empty.

In order to change the filter properties, right-click the mouse button on the white background area of the filters, and select customize. The view will change to a list of the fields selected. At this point, you have the option of adding additional fields or changing the existing ones. To change a field, click on that field, and you will get a list of all of the available fields. Depending on which table or view is being used, the list can be quite long. The same field may be selected more than once.

To change the condition, such as the item number being a range, click on the condition, which in the case of a range will be “between”. You are then presented with a list of options, such as “is (exactly)”, “contains”, “more than”, “less than”, and many others. These are all fairly self-explanatory. Also, the “and” at the end of the line can be changed to an “or”.

So, if you wanted to run the report for two specific items, you would select “Item number” for the field on the first two lines. Then click on the condition, and select “is (exactly)” on both of those lines. Finally, you would click on the “and” on the first line, and change it to “or”. This gives the result of generating the report for both of the two item numbers entered on the first two lines.

To get the screen back to the friendlier view that you originally had, right-click on the white background again and select “simplify”. You will be back at the selection screen you are used to, with the ability to look up item numbers, and so on.

Dave.

Cryptojacking is on the rise again

After dropping off last year, the prevalence of cryptojacking is on the rise again. Cryptojacking is where the bad guys hijack your computer to mine cryptocurrency. That is, they use your computer hardware, and electricity, to mine cryptocurrency for their pockets.

While this is not as invasive, or devastating, as more malicious attacks such as ransomware, it still is taking money out of your pocket as well as impacting the use of your computer. By using the time that your CPU would normally be idle, the cryptojackers cause your system to use more power. That is in addition to slowing your system when you are actively using it.

In a simple form, your system could be hijacked by simply browsing a website running a cryptojacking JavaScript. In that case, while you are on that website, your computer will be participating in the mining scheme, and it will stop when you go to another site or close your browser. However, if the site can successfully infiltrate your system, it may load a persistent mining payload, and your system will then be mining until it is removed.

Of course, other avenues of attack, such as phishing emails, are common as well. So the usual warnings apply here, too: be very suspicious of any emails from people that you don’t know, keep your patches and anti-virus/anti-malware up to date, and so on.

If you are infected with a cryptojacker, the most likely thing that you will see is a general slowness using your computer. That is, until your electric bill arrives, which may be very much higher than you expected. Another indication, especially on a laptop, is that your cooling fan constantly runs at a higher rate than normal, indicating that your system is running hotter.

While cryptojacking software is typically not difficult to remove, it may be that other malicious software has also been loaded. Therefore, a good inspection of your system is in order.

Dave

Securing your Browser.

With the security issues involving your web browser these days, such as drive-by downloads, and other malicious attacks, it is important to do as much as you can to secure your browser. One thing that can be done, to help block a common avenue of attack, is to install a JavaScript blocker.

While it used to be that one could disable JavaScript, so many sites these days rely on it, that disabling it is no longer feasible. By using a blocker, one can selectively enable JavaScript only where needed. The methodology is to install the blocker, which normally disables JavaScript at all sites. Of course, you then start seeing sites that are not functioning properly due to JavaScript blocking. When that happens, you can enable JavaScript only for that site. Or, more to the point, only for the scripts on that site that are required. You will be surprised at the number of JavaScripts that many sites run, which are not directly related to what that site is doing.

A site may be running 10, 15, 20, or more, JavaScripts, of which only one or two may need to be enabled to get the site functioning. The rest are feeding your data to ad sites, and other data trackers, all without informing you.

Adding a JavaScript blocker to your browser varies by the browser you use. You may find it by looking at the available plugins for your specific web browser, or you may need to use a search engine to find one that works for your browser. It is worth it to spend a bit of time searching out, and implementing, a blocker. Once you get used to it, it only takes a few seconds to grant the needed functions on a web site, while leaving non-essential scripting blocked.

Dave.

Administrative access is often Overused.

Administrative access, root access in the Linux world, is often overused. For the most part, these super-user level logins should only be used for system setup and administration, and not for everyday use.

Most of the packages that allow remote access, at least in the Linux world, such as ssh and Samba, do not allow the root account to be used by default. While they can be configured to allow access for the root account, they require that it specifically be set up to do so. While it may be tempting to set them up, it should be considered whether or not it is needed. There are very few cases where such a need can be justified.

In the majority of cases, it is better to leave root access disabled. Of course, access for regular users should be thought out and implemented only where needed. When root access is needed in the Linux world, it can usually be handled with much finer control via such things as sudo. For example, the ability to do a system shutdown can be granted to specific users through sudo (sudo shutdown), without giving them access to other superuser level functions.

While the sudo approach takes a little time for planning and implementation, it is much more secure. Far better to spend a little time, than have to recover from a user mistake where they have unlimited access. Or, a malicious, disgruntled employee, which we all hope never happens.

Dave.

Social Media is used by Bad Actors also.

The rise of social media often means that you have to take part, to a degree, to help your business grow and prosper. Most businesses have at least some social media presence. It is another method to promote your business, by at least making others aware that it exists. Many of you, I am sure, take a more aggressive approach, using social media to promote your business actively.

One thing to keep in mind, however, is that social media is used by the bad actors, also. It is quite common, for them to try to “connect” with a business, often by sending “friend” requests. Accepting such requests should not be the automatic process that many use. By that, I mean that they accept any, and all, such requests.

There have been many cases where “friend” requests on sites such as Facebook and LinkedIn were not from people wishing to support your business, but were used for more nefarious purposes. They may be trying to use their status as your “friend” to get access to other information, such as who else is on your friends list.

There have been cases, also, of using those that have accepted friend requests to leverage their position. By that, I mean that they use those on their friend list, to bolster their position when contacting others, by claiming to have contact sources (or influence) with you or your business. Think of the implications of someone saying “As you can see, I know the CEO of XYZ company, and they said…”, and they can then claim whatever they want.

Like any other aspect of your business, your social media presence deserves a little time and thought.

Dave.

Counterpoint Performance Tuning

The performance of your Counterpoint system can usually be improved with some tuning of SQL Server. Among the items that can impact performance are memory allocation, file settings, indexing, and statistics.

When SQL Server is installed, memory is set to be dynamically allocated, and the upper limit is far beyond the amount of memory in your machine. Left this way, memory swapping can occur. At a minimum, the upper limit should be reduced to a realistic level. Ideally, the lower and upper values are the same, so that no dynamic allocation occurs, which reduces overhead.

The file growth setting can have a significant impact at times, particularly during posting in various places, when large numbers of records are being created. When file growth does need to occur, it is better to allocate a significant new amount than to continually add small amounts.

Finally, over time, as records are added and updated in a table, SQL Server will eventually stop using indexes and start doing large sequential reads. This greatly affects performance! Performance can be restored by rebuilding indexes and updating statistics.

We would be happy to help you adjust your SQL server settings, to get the best performance from your system.

Dave.

Securing Your Network

One of the things that you should do in securing your network, is to limit internet access to only the sites that a particular station needs. For example, a Point-Of-Sale workstation usually only needs to be able to access the internet in order to validate credit and debit transactions. When that is the case, then your firewall should be configured to only let those stations through to the sites they need for authorization.

By limiting the access of those stations to only the card processor site, it prevents users from randomly browsing web sites during slow times. Thus, they cannot be checking their personal email or checking out the latest funny videos. This is not to punish them, but rather to eliminate those common vectors of attack. It prevents those viruses and malware-bearing emails from being read, and their payload potentially being unleashed on your workstations. It also prevents those drive-by downloads from malicious sites, from doing the same.

Obviously, there will be stations that need to access additional sites. However, if those stations can reasonably be limited to just the sites that need to be accessed, they should similarly be limited. It may be possible to limit those stations to only your company email, vendor sites, your store web site, etc. Additionally, those stations should be restricted to use by only those users who need to access the sites the stations are allowed to reach. Those users should also be trained on what to be aware of when accessing outside sites. In particular, the user or users who access the company email should be trained on how to recognize potential phishing, or other malware-type, emails.
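As an added example (not code from the post), the per-station allowlist described above can be written down as a policy and checked against the firewall's own log, so that any outbound connection a station made outside its approved list stands out. The station names, destination hosts and log lines below are constructed placeholders, and the log format is a simplified one assumed for the demonstration.

```python
"""Egress allowlist audit for a per-station firewall policy (added example, not the post's code).
Assumes a constructed policy of which outbound hosts each station may reach and
constructed firewall log lines; it reports allowed connections that an egress rule
set built from the policy should have blocked."""

from collections import defaultdict

# Constructed policy: station -> outbound hosts it may reach. Host names are placeholders.
STATION_POLICY = {
    "POS-01": {"auth.cardprocessor.example"},
    "POS-02": {"auth.cardprocessor.example"},
    "OFFICE-01": {"mail.company.example", "vendor.example", "www.company.example"},
}

# Constructed firewall log in the assumed format "<timestamp> <station> <dest_host> <port> <action>".
FIREWALL_LOG = """\
2024-03-01T10:01:02 POS-01 auth.cardprocessor.example 443 ALLOW
2024-03-01T10:02:15 POS-01 www.videosite.example 443 ALLOW
2024-03-01T10:03:40 OFFICE-01 mail.company.example 993 ALLOW
2024-03-01T10:04:01 POS-02 webmail.provider.example 443 ALLOW
2024-03-01T10:05:22 OFFICE-01 cdn.adtracker.example 80 ALLOW
2024-03-01T10:06:09 POS-02 auth.cardprocessor.example 443 ALLOW
2024-03-01T10:07:30 KIOSK-09 www.company.example 443 ALLOW
"""

def parse_log(text):
    """Yield (station, dest_host, port, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, station, host, port, action = parts
        yield station, host.lower(), int(port), action

def audit(log_text, policy):
    """Return {station: sorted destination hosts} for ALLOW entries the policy does not permit.
    A station missing from the policy has no approved egress, so every host it reached
    is reported."""
    violations = defaultdict(set)
    for station, host, _port, action in parse_log(log_text):
        if action != "ALLOW":
            continue  # already blocked by the firewall; nothing escaped
        if host not in policy.get(station, set()):
            violations[station].add(host)
    return {s: sorted(h) for s, h in sorted(violations.items())}

if __name__ == "__main__":
    for station, hosts in audit(FIREWALL_LOG, STATION_POLICY).items():
        print(f"{station}: reached {', '.join(hosts)} outside its allowlist")
```

Each station that appears in the output either needs its firewall rule tightened or its policy entry reviewed; the POS entries in the sample are exactly the personal-browsing traffic the post says those stations should never be able to generate.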

Limiting the avenues that expose your network to outside contact can go a long way towards preventing the network from being compromised. Such limits are usually evaluated from the perspective of limiting outside access in; access restrictions from your network out should be evaluated and imposed as well.

Dave.

Granting Administrator Privileges to users

Granting administrator privileges to users is one thing that I often see, that is done much more than it should be. The reason given is this simplifies those occasions when software needs to be installed or updated. However, in general, this is a bad practice.

The simplification of installing legitimate software will be exploited if you are ever the victim of malware or viruses. Since the user that the infection uses already has administrator privileges, the malware does not need to find anything to exploit for it to have access to your entire system. The malware has already inherited the privilege from the user login and can wreak whatever havoc is in its payload.

On the other hand, if the user is given basic user privileges, and the malware is unable to find any way to exploit the system to increase its privileges, then the damage is contained to what the captured user can modify. While that is still upsetting, having to restore some documents, and change user settings is more desirable than having the entire computer system corrupted and compromised. Not to mention, the potential effect on other computers on your network, if administrator-level privileges can be leveraged against them.

With properly set permissions, users can do everything that they need without elevated privileges. It can take some extra time to set up the appropriate permissions, but not nearly the time that it takes to recover from a malware attack that could have been limited in scope by a simple restriction of administrator-level privileges.

Dave

Signs Your System Has Been Compromised

Users need to be on the alert for signs that your system has been compromised. Let us look at some of the signs. One that often occurs is that icons on the desktop have been moved, or new icons have appeared. If new icons have appeared, and no software has been installed, as far as is known, it is a red flag that the system has been compromised.

Hackers will often install new software when they gain access to a system, to give them further control, or the ability to gather additional information from the system. Most times, there is no obvious trace of this additional software, but many times they are sloppy, and those surprising new icons are an indication.

Icons being moved is often also an indication. This is often due to the hacker going through and clearing those new icons. However, those icons moved some of your old icons when they were installed, and the hacker does not know exactly where the old icons were on the desktop. Or, the icons were subsequently auto-arranged, and are thus not in the location on the desktop that users had moved them to.

Another big indicator is that your system suddenly slows down. The screen may lag when you are typing, or processes that used to take a second or two now take many seconds, or even minutes. This is due to the system having an increased load from the additional software that has been installed, and from what it is doing to steal information or use the computing power for other nefarious activity, such as cryptocurrency mining. Cryptocurrency mining uses computing power to unlock cyber currency, such as Bitcoin. This takes a great deal of computing power, so cybercriminals farm this activity out to compromised systems rather than using their own.

Basically, be alert to any change in the way that your system looks, or responds. While it may be due to legitimate changes, often it is a sign that unwanted people have gained access to your system.

CCS provides IDS products. Contact our Sales Department to discuss the right solution for your operations.

Dave.