DeckerWright Corporation Blog

DeckerWright Corporation has been serving the Red Bank area since 1984, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Why Use Complex Passwords for Email

Email is ubiquitous. Everyone has at least one email address and many of us have four or more for different purposes. Each year a number of our clients have their email box stolen or compromised by criminals. This most often happens to public email accounts, but has also happened to the client’s business email account. Why do criminals want access to your email?

In the past, the most common reason was to send spam to everyone in your contacts list. By making an offer or a link appear to come from you, the criminals had a better chance of tricking the recipient into clicking. Other uses of the mailbox included relaying spam and holding the mailbox for ransom.

Today’s attacks on email are more targeted and sinister. Criminals use social media to discover email addresses that may be associated with a victim’s bank account or with another account that can be used for purchasing or for verifying an identity. Rather than hijacking the account outright once they gain access, the criminals quietly assess which financial accounts the email is connected to and wait for a transaction worth diverting. Recent documented thefts through email hijacking include theft of cell phone numbers, diversion of bank wire transfers, Bitcoin theft, and identity theft. In short, any email account associated with financial transactions, regardless of form, must be protected.

The best way to protect an email account is to use a long, randomly generated password or pass phrase. The National Institute of Standards and Technology (NIST) revised its password guidance in 2017 (Special Publication 800-63B) to favor length over forced complexity rules: a pass phrase of several unrelated words beats a short password with symbol requirements, and the longer the better. Most systems support passwords from 8 to 32 characters or more; use as much of that range as the system allows, because every additional character multiplies the number of guesses an attacker has to make. If multi-factor authentication is available for the mailbox, turn it on so that a stolen password alone is not enough to log in.

Check out this YouTube video link to see how easy it is to use social engineering to guess passwords.


Vulnerability Test Versus Penetration Test - What's the Difference?

Companies that must meet HIPAA, PCI DSS, PII protection requirements, or other contractual obligations are required to have their security tested periodically. The tests check security from outside the firewall to see what, if anything, is reachable from the Internet. Some tests also look at the inside of the network to determine what can be compromised if an attacker gains a foothold on an internal computer. Tests that satisfy these requirements fall into two buckets: vulnerability tests and penetration tests. Many companies in our industry use “penetration test” to describe what are actually vulnerability tests or port scans. What are the differences between the two?

A vulnerability test only examines what can be reached from the Internet. The first step is a port scan of the company’s public IP addresses to discover open ports; common ones include HTTP, HTTPS, FTP, RDP, and SMTP. Each open port is then probed to see whether a service answers in the protocol normally associated with that port. If it does, the scanner fingerprints the service and version from its response and compares that against a database of published vulnerabilities to report which well-known exploits might apply. It does not actually run those exploits, and because the match is usually based on the advertised version, backported patches can produce false positives and hidden version strings can produce false negatives. From the moment a vulnerability test is started to when it generates findings, the process is fully automated; there is no human intervention. PCI DSS requires external vulnerability scans at least quarterly (by an Approved Scanning Vendor) and after significant network changes; HIPAA’s Security Rule does not name a frequency, but its required periodic technical evaluation is normally evidenced with regular scans. Costs for vulnerability tests range from $100 to $250 per public IP address.
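The automated stage described above, as an added example that is not code from this post or from any scanning vendor: a port scan, a banner grab, a service fingerprint, and a version comparison against a policy floor. It deliberately stops short of exploitation, which is the manual work that separates a penetration test from a vulnerability test. So that it runs offline, it starts throwaway listeners on 127.0.0.1 that answer with constructed SSH and SMTP greetings; the version floors in ASSUMED_FLOORS are illustrative assumptions, not vulnerability data.

```python
"""Added example: the automated part of a vulnerability test (scan, banner
grab, fingerprint, version compare). Nothing here attempts exploitation.
Listeners on 127.0.0.1 with constructed banners stand in for real hosts."""
import re
import socket
import threading


def serve_banner(banner: bytes) -> int:
    """Stand-in for an Internet-facing service: listen on an ephemeral
    loopback port, send `banner` to each client, close. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """Reserve and release an ephemeral port so the scan has a known-closed target."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 2.0):
    """None if the port is closed or filtered; b"" if open but silent (HTTP
    waits for a request, so a pure read learns nothing); else the first bytes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


# Protocols where the server speaks first can be fingerprinted from the greeting.
BANNER_PATTERNS = [
    ("ssh", re.compile(rb"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_/ ](?P<version>[\d.]+)")),
    ("smtp", re.compile(rb"^220 \S+ ESMTP (?P<product>[A-Za-z]+)(?: (?P<version>[\d.]+))?")),
]


def fingerprint(banner: bytes):
    """Map a greeting to (service, product, version-or-None); None if unrecognized."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            version = m.group("version")
            return service, m.group("product").decode(), version.decode() if version else None
    return None


def version_tuple(version: str) -> tuple:
    return tuple(int(x) for x in re.findall(r"\d+", version))


def below_floor(product, version, floors):
    """True if the advertised version is older than the policy floor, False if
    not, None if there is nothing to compare (unknown product, hidden version).
    Caveat: distributions backport fixes without bumping the version string,
    so a version-only match is a lead for a human, not a confirmed hole."""
    if product not in floors or version is None:
        return None
    return version_tuple(version) < floors[product]


def scan(host: str, ports, floors) -> dict:
    """The fully automated sweep: {open_port: finding}. Closed ports are omitted."""
    findings = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        finding = {"banner": banner, "service": None, "product": None, "version": None}
        fp = fingerprint(banner)
        if fp:
            finding["service"], finding["product"], finding["version"] = fp
        stale = below_floor(finding["product"], finding["version"], floors)
        finding["verdict"] = "review" if stale is None else ("outdated" if stale else "ok")
        findings[port] = finding
    return findings


# Assumed policy floors for the demo; a real scanner reads a maintained vulnerability feed.
ASSUMED_FLOORS = {"OpenSSH": (8, 0), "Postfix": (3, 0)}

if __name__ == "__main__":
    targets = [
        serve_banner(b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"),
        serve_banner(b"220 mail.example.test ESMTP Postfix 3.4.13\r\n"),
        free_port(),
    ]
    for port, f in scan("127.0.0.1", targets, ASSUMED_FLOORS).items():
        print(port, f["service"], f["product"], f["version"], f["verdict"])
```

Note what the sweep cannot tell you: the SSH host is flagged “outdated” purely on its version string, even though the Debian suffix in the banner suggests security fixes were backported. Confirming or ruling that out is exactly the manual step a penetration tester performs and a scanner does not.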

Penetration tests are more intense. A penetration test normally looks at the inside of the network as well as what can be compromised from the Internet. The biggest difference is that a penetration test is actively conducted by a skilled ethical hacker. It starts with a vulnerability test; once those results are in, the tester manually attempts to gain access using current public exploit tooling and techniques, adapting to what is found rather than running a fixed checklist. If access is gained, the tester pivots from the compromised system to see what else can be reached. This discovery process may take many hours and can reveal that all of a company’s data is at risk. The tester documents the findings and repeats the process for each exposed service. Once the external exposure is tested and documented, the tester is given access to the internal network to identify weaknesses there. A full penetration test ranges from $8,000 to tens of thousands of dollars depending on the size of the company and the number of locations to be tested.

A common problem in our industry is “security” companies advertising a penetration test for $99. Be sure that the $99 test you are buying is really a penetration test; it is most likely only a vulnerability test.


Guard Your Cell Phones

A person’s cell phone is becoming a linchpin in technology security. Cell phones have taken on a major role in helping to verify an identity. Whether you are on the phone with a customer service person or logging into a computer system, the cell phone is often used as a method for verifying a person’s identity. As the cell phone becomes an increasingly popular tool for identity verification, criminals have a greater motivation to steal either your cell phone or your cell phone number.

Cell phone verification often starts when a new account is set up. Microsoft, for example, uses the cell phone number entered during account setup to verify a person’s identity during password resets and other administrative tasks. Many banks and credit card companies also text verification codes to cell phones. This SMS-based multi-factor authentication (MFA) is the form most commonly adopted by service providers, and, as described below, it is also the form most exposed to theft of the phone number itself.

Another way cell phones are used for MFA is through authenticator apps. Google Authenticator, Duo, and Symantec VIP all have phone apps that generate a new one-time code every 30 seconds from a secret stored on the device (some, like Duo, can instead push an approve-or-deny prompt to the phone). When logging into a system, the code shown on the device is entered in addition to the password. Because the code is computed on the phone rather than sent to it, this form of MFA is not defeated by taking over the phone number, and it makes breaking into a system a lot harder for criminals.

Since access to your money has been connected to your cell phone, criminals have devised many schemes to take it over. The most common are tricking the carrier into moving your number to a SIM they control (a “SIM swap” or port-out) and changing the phone number attached to an account. Phone number theft has become a widespread problem and is normally paired with a compromise of the victim’s email account: with the mailbox in hand, the criminals can have the carrier send verification information to the victim’s email address. Once they hold the number, they combine it with login credentials harvested earlier, for example by keylogging malware on the victim’s computer. With both the password and the verification codes, they can log in and clear out your bank account.

Here are some tips for safeguarding your cell phone:

  • Make sure you use either a random complex password or pass phrase on the email account associated with your cell phone.
  • Make sure you keep your computer fully patched and run current anti-virus software to guard against malware.
  • Check the mobile phone number associated with key accounts regularly to ensure your cell phone is attached to the accounts you expect.
  • Make sure the password you use on your cell phone account is complex or has a long pass phrase.
  • Practice good computer hygiene.


Looming Security Requirements for Personally Identifiable Information (PII)

For many years DeckerWright Corporation has worked with healthcare firms to help them protect patient information by meeting the security requirements of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was enacted in 1996 and introduced the concept of Protected Health Information (PHI). The Department of Health and Human Services (HHS) was tasked with writing the regulations defining PHI and how to protect it. An evolving body of regulation governs how healthcare firms must protect PHI from loss or theft and defines penalties if PHI is breached.

Fast forward to today. There is a lot of talk about Personally Identifiable Information (PII) and how to protect it. PII is any data that can be used to identify a person, such as first and last name, address, phone number, or Social Security number. From financial institutions to retail establishments subject to Payment Card Industry (PCI) data requirements, non-healthcare industries are rapidly adopting many of the key aspects of HIPAA. One of the takeaways from HIPAA is that security needs constant attention, since vulnerabilities and threats change over time. Putting in the latest security technology today does little to protect against the threats of tomorrow.

While there are plenty of technical requirements in many PII related guidelines, all of the guidelines require the adoption of policies and procedures meant to reinforce a culture of security and to provide the framework needed to respond to breaches when they happen. Each set of industry guidelines requires slightly different documents that describe the information technology environment, plan for disaster recovery, and provide for what to do during a breach. The guidelines normally include the need for regular vulnerability tests and an annual security risk assessment.

With the launch of the General Data Protection Regulation (GDPR) in the European Union, it will not be long before the United States adopts its own PII guidelines modeled on HIPAA regulations. Absent any lead from the federal government, industry trade groups will take charge of developing and disseminating security guidelines. The foremost group in this regard is the PCI Security Standards Council, since its rules can be enforced through fines and penalties tied to credit card acceptance. As PII security requirements begin to reach all industries, look for federal legislation to address the PII in the hands of tech companies that are not touched by HIPAA, PCI, or financial institution requirements, such as Google and Facebook. Since the body of security requirements has been evolving from HIPAA’s origins over 20 years ago, expect the coming federal guidelines to build on that well-understood body of work.


Using Online Marketing Tools - LinkedIn Sales Navigator

We have tried many online marketing tools over the years, ranging from simple broadcast email systems to sophisticated utilities that combine a selected list of prospects with workflows that send a sequence of emails over time. Last year, we upgraded our LinkedIn plan to include Sales Navigator. It is the only tool we are still using.

LinkedIn Sales Navigator is a powerful tool that allows the quick identification of possible leads and, more important, pulls information about the staff at the target company. That information enables us to target the right people in the organization. Have a client that is the perfect fit? Sales Navigator allows you to find clients with similar characteristics and add them to your marketing campaigns.

One of the main ways we use Sales Navigator is to help us find the right person in existing sales opportunities and to learn more about them to facilitate the sales process. Knowing their professional history and education gives us the opportunity to more quickly bond with a prospect and helps to establish credibility. Sales Navigator is now our first stop when we get a referral.

Sales Navigator can also monitor clients and prospects and report any changes in status. The reporting includes staff changes, posts, and news about the company. These alerts often lead to quality touches such as congratulating a prospect on an accomplishment. Sales Navigator is the best tool we have found to help our sales process.


Why We (Don't) Like Wireless

As a 21st century human, I love wireless. It’s one of the greatest technological innovations of the last several years. Eliminating the physical connection to the internet has given internet users unprecedented freedom and changed the way we retrieve and interact with information. I can now simultaneously order burritos from my computer, remind Alexa to add eggs to my shopping list, stream Netflix on my TV, and check Instagram on my phone without having to rearrange living room furniture in search of an empty wall jack.

As a 21st century I.T. guy, I hate wireless. No matter how many rabbits we pull out of our hat to make it work, wireless remains a source of complaint. Common issues include slow speeds and dropped connections. And don’t even get me started on wireless printing.

Wireless is perfect to binge watch Stranger Things from bed at home, but is it a good solution for business? Here are a few reasons why you should avoid ripping the wires out of your office:

  • Speed. Wireless is slower than wired. Though wireless speeds have increased considerably over the years, they still fall well short of the speeds afforded by wired connections. Gigabit wireless now exists, but so too do 10 gigabit wired connections.
  • Reliability. Wireless is less reliable than wired. Interference–caused by anything from air conditioning units to microwaves to nearby access points–can cause signals to drop and speeds to fluctuate wildly. It is for this reason that we do not recommend wireless printing for business use. For outdoor wireless, everything from rain to wind can affect signal quality. Wired connections are more stable, more reliable, and less prone to interference.
  • Density. Wireless performance depends on the number of users connected to an access point. Airtime on a channel is shared among every attached device, so the more devices there are, the less throughput each one gets. Have you ever tried using wireless at a crowded venue?
  • Construction. Wireless quality depends on building construction. Walls, whether they be sheet rock or cinder block, degrade signal quality. The more walls there are between you and the access point, the weaker your signal is going to be. Metal objects, like wall studs and ventilation ducts, can reflect wireless signals and wreak all sorts of wireless havoc.
  • Security. Wireless is an easier target for attackers because the signal is broadcast into the open: anyone within range can capture the traffic, and on an open network with no encryption they can read it or impersonate the access point. A business network should use WPA2 or WPA3 with a strong key and keep guests on a separate network. That’s why we do not recommend connecting to the free wireless at Starbuck’s.

The only reason to use wireless is for convenience. Wireless–especially wireless printing–is better suited for the home. In the office, wireless is best used for connecting smartphones or for creating a separate network for guests. A perfect example is a waiting room in a doctor’s office.

In today's fast-paced world of business, performance trumps convenience. Wires might not be sexy, but they work, and they'll keep your business from falling behind.


The Risks of Using Public Email Addresses for Business Email

As remarkable as it sounds, there are still many businesses and medical practices that use public email accounts as their primary email accounts. Public email includes services like Hotmail.com, msn.com, aol.com, gmail.com, me.com, yahoo.com and many others. What’s wrong with using public email accounts for business email purposes? The problems fall into three large buckets: marketing, legal, and security. 

Since most companies today have their own email domain (e.g., deckerwright.com), not having one sends up red flags about the sender. The first is that the sender does not invest in technology for their business since they are using a free email account. The second is that the sender is not technically savvy, which can influence a potential client’s view of the company. Finally, using a public email address for business signifies that the sender has no idea of the security risks they run from using a public email address. In all, when looking at a business relationship either as a vendor or as a client, if either party uses a public email address, it sends a message about the sender.

We have been involved in providing technical support to several clients involved in litigation. Email is always included in the legal discovery process from either the plaintiff or the defendant. Most often if a person uses a public email address for business, they are using the same email address for their private emails. Fulfilling discovery requests from public email is challenging and the requests most often wind up exposing more emails than the discovery scope requested, causing additional headaches. 

Lastly, using a public email account exposes the account to many additional security problems that can be easily handled with a private business email account. First among these problems is the loss of control of the email account. Hackers regularly try to log in to everyone’s public email account to take over the account. In the past, hackers tried to monetize the attack with ransom requests or by sending malware-infected emails to everyone in the victim’s contact list. Today’s threats are more serious. If a hacker gains access to an email account today, they scan the account to see if it is used for financial transactions. If they find that evidence, the hacker will monitor the account and look for a transaction they can divert to their own bank account. Once the compromise of a public email account is discovered, it is often time consuming and difficult to regain control of the account from the service provider.

One last threat to public email accounts is the inability to put a commercial spam-filtering gateway in front of the mailbox to catch malicious emails before they land in your inbox: you do not control the domain’s mail routing, so you are limited to whatever filtering the provider offers. With weaker filtering in front of the mailbox, the likelihood of a ransomware attachment or link reaching a user rises sharply. Other advanced email protection technologies, such as email encryption and data loss prevention, are also not available for public email addresses.

For those who are still using public email for business, pick up the phone and contact us today to assist you in setting up a business-class email solution.


Introducing URL Defense

For protecting our clients, we use a spam filtering service from Proofpoint. Proofpoint is generally considered a leader in email filtering and is used by many enterprises for email protection. Its filtering has many advanced features that protect our clients from ransomware attacks. Chief among them is URL Defense.

URL Defense rewrites each link in an inbound email so that it points at Proofpoint rather than directly at the original destination. When a user clicks, the request goes to Proofpoint first, where the original URL is inspected at click time to see whether it is valid or leads to a malicious website; if it looks suspicious, the user is blocked rather than redirected. Checking at click time rather than only at delivery matters because attackers often arm a link hours after the message has landed. This prevents users from reaching malware that could start a ransomware infection.
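The link-wrapping technique just described, as an added example that is not Proofpoint’s code: at delivery every link in the message body is rewritten to point at an inspection gateway, and at click time the gateway unwraps the link, checks that it really issued it, and applies policy to the true destination. The gateway hostname, the signing key, the blocklist and the click-time heuristics are all constructed assumptions for the example.

```python
"""Added example: URL rewriting at delivery plus click-time inspection.
Not Proofpoint's implementation. Gateway, key and blocklist are constructed."""
import base64
import hashlib
import hmac
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

GATEWAY = "https://urldefense.example.invalid/v1/url"      # assumed redirector
SIGNING_KEY = b"constructed-demo-key-rotate-in-production"  # assumed per-tenant secret
BLOCKLIST = {"badguy.com"}                                  # constructed verdict source


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(encoded_url: str) -> str:
    return _b64u(hmac.new(SIGNING_KEY, encoded_url.encode(), hashlib.sha256).digest())


def wrap_url(url: str) -> str:
    """Encode the original URL and bind it to an HMAC. Without the signature the
    gateway would be an open redirector that attackers could point anywhere."""
    encoded = _b64u(url.encode())
    return f"{GATEWAY}?{urlencode({'u': encoded, 's': _sign(encoded)})}"


def unwrap_url(wrapped: str):
    """The original URL, or None if the token is absent or was not signed by us."""
    query = parse_qs(urlparse(wrapped).query)
    encoded, sig = query.get("u", [None])[0], query.get("s", [None])[0]
    if not encoded or not sig or not hmac.compare_digest(_sign(encoded), sig):
        return None
    return _unb64u(encoded).decode()


class _LinkRewriter(HTMLParser):
    """Rewrites href on <a> tags at delivery time; text and other tags are re-emitted."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.pairs = [], []

    def handle_starttag(self, tag, attrs):
        rewritten = []
        for name, value in attrs:
            if tag == "a" and name == "href" and value and value.lower().startswith(("http://", "https://")):
                wrapped = wrap_url(value)
                self.pairs.append((value, wrapped))
                value = wrapped
            rewritten.append(f' {name}="{html.escape(value, quote=True)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(rewritten)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def rewrite_links(message_html: str):
    """Returns (rewritten HTML, [(original, wrapped), ...])."""
    parser = _LinkRewriter()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out), parser.pairs


def click_policy(wrapped: str) -> str:
    """Click-time decision: 'invalid' (forged token), 'block' or 'allow'.
    The heuristics are illustrative; a real service adds reputation and sandboxing."""
    target = unwrap_url(wrapped)
    if target is None:
        return "invalid"
    parts = urlparse(target)
    host = (parts.hostname or "").lower()
    if host in BLOCKLIST or any(host.endswith("." + bad) for bad in BLOCKLIST):
        return "block"
    if parts.username is not None or host.replace(".", "").isdigit() or host.startswith("xn--"):
        return "block"    # credentials in URL, raw IP literal, or punycode host
    return "allow"


if __name__ == "__main__":
    body, links = rewrite_links('<p>Pay <a href="https://badguy.com/x?a=1&amp;b=2">here</a></p>')
    for original, wrapped in links:
        print(original, "->", click_policy(wrapped))
```

Two details matter in practice. The signature is what keeps the redirector from becoming an open redirect that phishers could use to launder their own links through a trusted-looking domain. And because the verdict is computed when the user clicks, a URL that was clean at delivery but later points at a malware download is still caught, which a filter that checks only at delivery cannot do.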

URL Defense was recently upgraded to include attachment “sandboxing”. A “sandbox” is an isolated computer environment built to mimic a real user’s machine. Because it is isolated in its own security and network space, any malicious code launched in it can do no harm to users or systems, so a file can be opened there to see whether it misbehaves. With attachment sandboxing in Proofpoint, attachments on messages otherwise approved for delivery are opened in a sandbox at Proofpoint first. If an attachment behaves maliciously, the email is quarantined and never reaches the user; emails with clean attachments are delivered. One caveat: some malware checks whether it is running in a sandbox and stays quiet if so, so sandboxing reduces risk rather than eliminating it.

Since the vast majority of ransomware attacks are delivered through email, we recently upgraded all of our clients to include URL Defense. Other advanced features in Proofpoint include Data Loss Prevention, Email Encryption, and Email Archiving.

Why use Proofpoint and not the spam filtering bundled with Office 365? In our experience the Proofpoint engine catches more, and the baseline Exchange Online Protection filter included with Office 365 does not include link rewriting or attachment sandboxing; Microsoft sells those separately as Advanced Threat Protection (now Defender for Office 365), and its DLP depends on the license tier. Most people understand that companies specializing in anti-virus software make better anti-virus software than the basic software provided by Microsoft. The same argument applies to spam filters.


HIPAA Security Risk Assessment Misinformation

There are many misconceptions about the Security Risk Assessment requirement in the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulations are enforced by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). The Security Rule requires any entity that holds “Protected Health Information” (PHI) to conduct an accurate and thorough risk analysis; HHS treats this as an ongoing obligation, and the EHR incentive programs made it an annual attestation item, which is why it is commonly done yearly. A Security Risk Assessment requires the entity to work through a security checklist to:

  • Document the security safeguards in place.
  • Identify areas of deficiency.
  • Document risks.
  • Describe what the entity is doing to address the deficiencies.

The regulations are clear in that they allow entities the flexibility to determine how to address deficiencies and to defer addressing deficiencies if the cost for addressing the deficiency is prohibitive. 

From the HIPAA regulation view, PHI may be either electronic or physical. A patient’s folder sitting on a nurse’s desk contains HIPAA protected information, just like the Electronic Health Records system does. HIPAA makes no distinction between physical and electronic data, but does have specific regulations addressing both types. A Security Risk Assessment includes provisions that address both the physical and electronic worlds.

People in our industry have somehow come to believe that running specialized and expensive software on a client’s network will generate a report that meets the HIPAA Security Risk Assessment requirement. Unfortunately, those pushing this software have not read the regulations. Technology risk is one factor in the risk to a patient’s data, but it is not the only one the rule requires a Security Risk Assessment to review. Other risk factors include employee awareness and training, policy documentation, security governance, physical security, and document destruction. In short, the most intensive part of a HIPAA Security Risk Assessment is the consulting work: performing all of the non-technology security reviews, documenting the findings, assessing the risk, and determining options for correcting deficiencies.

A completed Security Risk Assessment addresses all of the required areas in the regulations and outlines areas of compliance and deficiency for protecting PHI. Any area of deficiency must have an action plan stating how the entity is going to address the deficiency. The plan may include steps to eliminate the risk or could provide a business justification for recognizing the risk and continuing to manage PHI with the risk. Part of a risk management program may include insurance that pays the entity if the vulnerability identified in the report is exploited and PHI is improperly accessed. 

DeckerWright Corporation is experienced in conducting Security Risk Assessments for our clients. Contact DeckerWright today for a free consultation on getting a Security Risk Assessment.


Social Engineering: "Spoofing"

“Spoofing” is one of our industry’s more technical terms. In a broad sense, spoofing means taking on the appearance or identity of something trusted. Common types include MAC address, caller ID, email sender address, email content (look-alike branding), and GPS spoofing. Each of these replaces the real identifying values of the criminal’s system with values the criminal believes will lead the victim to trust the message or call. Spoofing is possible because most communication starts with the sending system asserting its own identity to the receiver, and the protocols involved rarely verify that assertion, so the sender can simply claim to be someone else.

One of the more common spoofs reported to us is forgery of the sender address. The criminal mines leaked databases for valid email addresses and uses them as the From address on spam, because mail that appears to come from a real address gets past some filters. The carefully crafted email is sent with software that simply sets the sender to yourname@youraddress.com instead of criminal@badguy.com; the victim’s mailbox is never touched, which is why the victim cannot see or stop the sending itself. What the victim does see is the backscatter: thousands of bounce messages from recipients that did not exist, and we often get calls from clients whose inboxes are flooded this way. Modifying spam filter rules keeps the bounces out of the client’s mailbox, but the real defense is for the domain owner to publish SPF and DKIM records and a DMARC record with a reject (or at least quarantine) policy. That tells receiving mail servers to discard messages that claim the domain but were not sent through its authorized servers, cutting off both the forgery and the bounces from every receiver that honors DMARC. Email services have been getting better at enforcing these checks, but these attacks are still common.
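How a receiving mail server applies the DMARC check that stops this forgery, as an added example rather than text from the post: the From domain is extracted from the message, the SPF and DKIM results are checked for alignment with it under the policy’s strict or relaxed modes (RFC 7489), and the published policy decides what happens to a message that fails. Because real SPF and DKIM evaluation needs DNS lookups and signature verification, those two results are passed in as constructed inputs; the messages, domains and DMARC records below are constructed for the example, using the yourname@youraddress.com and criminal@badguy.com addresses from the paragraph above.

```python
"""Added example: DMARC alignment and policy evaluation at the receiver.
SPF and DKIM results are supplied as constructed inputs; all domains,
records and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'dmarc1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: the last two labels. Real
    receivers consult the Public Suffix List so that example.co.uk works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(raw_message: str, spf: tuple, dkim: list, dmarc_record: str) -> dict:
    """spf = (result, MAIL FROM domain); dkim = [(result, d= domain), ...];
    dmarc_record = the TXT record at _dmarc.<From domain>, or '' if none exists."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    tags = parse_tags(dmarc_record)
    spf_aligned = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                       for result, d in dkim)
    passed = spf_aligned or dkim_aligned
    # With no published record there is no policy to apply, so a forgery that
    # fails authentication is still delivered: publishing the record is the fix.
    policy = tags.get("p")
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "policy": policy,
        "disposition": "none" if passed or policy is None else policy,
    }


# Constructed messages. The forgery carries the victim's address but was sent
# from the criminal's infrastructure, the scenario described in the post.
FORGED = ("From: Your Name <yourname@youraddress.com>\r\n"
          "To: someone@example.net\r\n"
          "Subject: Overdue invoice\r\n\r\nPlease see attached.\r\n")
LEGIT = ("From: Your Name <yourname@youraddress.com>\r\n"
         "To: client@example.net\r\n"
         "Subject: Proposal\r\n\r\nAttached as promised.\r\n")
VICTIM_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@youraddress.com"

if __name__ == "__main__":
    # Criminal's server passes SPF and DKIM for badguy.com, but neither aligns with youraddress.com.
    print(dmarc_evaluate(FORGED, ("pass", "badguy.com"), [("pass", "badguy.com")], VICTIM_DMARC))
    print(dmarc_evaluate(LEGIT, ("pass", "bounce.youraddress.com"), [("pass", "youraddress.com")], VICTIM_DMARC))
```

The forged message can pass SPF and DKIM for badguy.com and still be rejected, because DMARC asks a different question: does the authenticated domain match the one in the From header the user sees? That alignment requirement is what makes the victim’s published policy effective against mail the victim never sent, and the rua= tag gives the domain owner aggregate reports showing how much forgery is being attempted.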

A more recent and annoying spoofing attack is against cell phones. The criminals spoof phone numbers and caller IDs to make it look like they are calling from a trusted location or source. The criminal uses this attack to trick the victim into answering the phone and then sharing sensitive personal information or installing software that gives the criminals access to their computer. This spoofing attack has become so widespread and common, I don’t answer calls with any caller ID that doesn’t authenticate in my contact list. If the criminals ever get my contact list, it will be time to stop answering the phone!

A recently reported spoof concerns GPS location information. A widely reported case came in 2017, when ships in the Black Sea saw GPS positions miles from their physical location and reported it to the US Maritime Administration; analysts traced the disparity to land-based transmitters broadcasting false GPS signals. Follow-up reports noted that GPS coordinates around the Kremlin change whenever Putin is in town. In a recent trip to Long Island, my GPS had some serious problems figuring out which road I was on. I wonder...

