A Leadership Role in Rome

NYSTEC strives to take a leadership role for economic growth and social development in our communities. Our CFO and Director of Economic Development and Outreach Michele Salisbury is a prime example of this commitment to community leadership: she is the Chairwoman of the Chamber of Commerce for Rome, NY.

“Rome is such a great place to live, work, and raise a family,” she says. “I just wanted to find ways to support our community personally and professionally.”

The Chamber’s goal is to foster a stronger and more engaged community to support the sustainment, growth, and recruitment of Rome businesses.

After serving as a Board member for the Rome Chamber for three years, Michele assumed the Chair in June 2016. One of her chief objectives is to sustain a strong volunteer base for the 600-member Rome Chamber. Her energy and enthusiasm for Chamber activities have encouraged other NYSTEC employees to volunteer at Chamber events.

“All of the Chamber’s initiatives are meant to promote business and community pride—two components essential for a vibrant community,” she says. “We rely heavily on volunteers to achieve our goals. I can attest that collaborating with your neighbors to improve your community is rewarding on many, many levels.”

Info Security: You’re Doing It Wrong

This month’s episode: Too Many Toolbars

CUSTOMER: The Internet is too slow.

HELP DESK: Can I see how you have your browser set up?

[Image: “Too Many Toolbars” by Abraham Williams. Copyright 2010. Creative Commons License.]

If your toolbars are taking up most of your browser screen, you’ve got too many toolbars. Really.

Too Many Toolbars = BAD

Sure, it’s convenient having lots of things in your browser toolbar, and you may like the personalization.  But you’re going to hate how slow all those toolbars make your Internet connection.  And we hate how many of these add-ons can (and do) steal your private data.

(Want to remove those extra toolbars?  Ask your info security team for help.)

So stop with all the toolbars already.  Your system—and your info security team—will thank you.

Disclaimer: The link to this content is provided because it has information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the link and neither endorses nor intends to promote the advertising of the resources listed therein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.

A Business Continuity and Disaster Recovery Checklist

As business processes and their supporting Information Technology (IT) systems become more important to public and private entities, the requirements for an effective Business Continuity/Disaster Recovery (BC/DR) program are becoming more critical. There are many factors to consider when developing an effective BC/DR program. The checklist below can help you get started.

First, high-level definitions:

Business Continuity and Disaster Recovery Program: The overall package; includes everything from the governing policy to periodic testing

Business Continuity Plan: A formalized set of steps that define how an organization’s business processes will be sustained during and after a significant incident

IT Disaster Recovery Plan: A written plan with detailed steps for recovering critical business applications in the event of a major hardware or software failure or the unavailability of facilities

Cold Site: An alternate site that has the necessary electrical and physical components of a computer and/or business facility but does not have the computer equipment or other business requirements in place; to facilitate a cold site, contracts with third-party suppliers would need to be in place for rapid delivery (typical recovery timeline: three to five days)

Warm Site: An alternate site that has the necessary electrical and physical components of a computer facility and is partially equipped with IT and telecommunications equipment to support relocated IT and business operations in the event of a significant incident (typical recovery timeline: two to three days)

Hot Site: An alternate site that is fully operational and equipped with hardware, software, replicated data, and/or business equipment to be used in the event of a disaster (typical recovery timeline: within hours)

So why should you implement a BC/DR program? Three key reasons:

  • A major incident or outage of a system could have a massive impact on the business if there’s no BC/DR program in place.
  • When a disaster occurs, a BC/DR program with a formal process helps you avoid business failure.
  • Effective backup and recovery strategies will mitigate the impact of disruptive events.

Plus there are numerous business outcomes from an effective BC/DR program. You can:

  • Build a partnership between business units and IT to develop a set of plans and procedures that will maximize the potential of an effective and timely resumption of disrupted critical business processes.
  • Coordinate BC planning and IT recovery planning programs on an ongoing basis.
  • Minimize potential disruptions.
  • Mitigate financial and operational impacts to the business if a major incident occurs at an occupied facility.
  • Effectively utilize all available resources for recovery—including facilities, personnel, communications, equipment, and supplies.

The BC/DR Checklist

For a BC/DR program to be effective, it should include the following:

  • Business Impact Analysis (BIA) and IT Risk Assessment (R/A). The BIAs and R/As are required to identify and prioritize critical business processes, supporting IT systems, and other components. The BIA and R/A are crucial steps to ensure that efforts are being spent on truly critical business areas.
  • Continuity and Recovery Policy Statement and Standards. A formal policy provides the governance, guidance, and requirements necessary to manage an effective BC/DR program. Formal recovery standards define the minimum required for items such as tape backup, hard copy backup, crisis management, application development, and training.
  • Preventive Measures. Actions taken in advance to reduce the effects of incidents can also increase system availability and reduce BC/DR lifecycle costs.
  • Business Continuity Plan. The business continuity plan describes the steps the business will follow to recover quickly and effectively following an incident.
  • IT Disaster Recovery Plan. The IT disaster recovery plan contains detailed steps and procedures for recovering damaged or unavailable IT systems.
  • Application Recovery Procedures. The application recovery procedures should be detailed enough that any experienced IT person can recover the business applications. This reduces the need for the on-site support of application programmers, database managers, etc., for recovery. It also allows for the use of third-party providers to recover for you, with minimal knowledge of your systems.
  • Plan Maintenance. All plans should be thought of as “living documents” and, as such, should be updated and recertified regularly to remain current with facility and system enhancements.
  • Plan Testing and Training Exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall preparedness.

If you take the time and effort to implement a BC/DR program, you will be better situated to either head off or respond to major incidents that impact your ability to sustain your business.

The Internet of Everything: What Are the Risks?

I recently attended a training class where, during the break, one of the instructors told me how excited he was about the new refrigerator he’d just bought, which was going to be part of the Internet of Everything (IoE). From his smart phone, he said, he would be able to inventory the items in his refrigerator and know when he ran low on key items such as milk, eggs, and, of course, beer.

I said he might want to rethink putting beer in the new refrigerator, because he might not be the only one with deep insight into his dietary purchases. His health insurance company could have access and observe his sugar, fat, and sodium intake by monitoring his purchases—and even potentially raise his health insurance rates based on that data.

The instructor replied, “I never thought about that. I’ll have to keep my old refrigerator for my beer and junk food.”

What is the IoE? Is it something great, or should we be worried? The answer is likely a little of both.

The IoE essentially is the growing trend of connecting everyday objects to the Internet. These devices include everything from mobile phones, wearable devices, thermostats, and home entertainment systems, to coffee machines, refrigerators, and automobiles.

While there are many benefits to having items connected to the Internet, such as being able to inventory your refrigerator before you leave work or turn on the oven before you get home, there are privacy and security concerns that consumers must consider. It is important to understand that when items in your house are connected to the Internet, they are potentially accessible to the entire world of Internet-connected users—and the data they collect on you becomes valuable.

Read that privacy agreement on your new refrigerator carefully!

Cameras and Microphones

Think about all of the products in your house that may have a camera and/or microphone: TVs, videogame consoles, toys, and, of course, computers and smart phones. It is important to be aware that your private, in-home conversations may not be so private. Unfortunately, sophisticated attackers next door, or on the other side of the world, may be able to hack into your home network. If that happens, they could access your connected devices and compromise your data.

How can you protect yourself? If you do not have cyber forensic tools at your disposal, or don’t know how to use them, there are still some simple, cost-effective techniques to protect your privacy:

  • Secure your home router and wireless network. Don’t just look for the quickest and easiest way to get a home router working; instead, take the time to enable security such as strong passwords, firewall rules, and the use of encryption.
  • Unplug or turn off the device, or disable the microphone when you are having private conversations.
  • Cover or turn the camera away when you do not want to be seen.

Home Appliances

Others on the Internet may be able to access personal devices that are connected to your home network, or any wireless network in range. Hopefully, new IoT devices will be manufactured with basic security controls in place to restrict access. However, we can’t assume there will be built-in security. That’s because IoT devices, including home appliances, will have the same—if not more—bandwidth and energy constraints that all devices and applications face, which limits the amount of security that can be built in. Software is inherently insecure (new malware variants are being created at the alarming rate of nearly 1 million per day), so it’s well within reason to expect that home appliances connected to the Internet will be at least as vulnerable to cyberattacks as computers already are today.

It will also be more difficult to patch these devices, as they often run embedded firmware that is not easy to update or maintain.

Automobiles

Cars connected to the Internet may seem like a terrific way to help you be safe—your car could detect the sudden appearance of, say, a child’s ball rolling into your path and apply the brakes before you see the child running into the street. But as this article reveals, it’s possible for the manual controls in a car to be overridden by someone miles away from the driver. Among other things that could be done remotely: turn on the radio and air conditioning, even control the steering.

Along with this sobering news, remember that as auto manufacturers test driverless car features, hackers may see new opportunities for stealing and controlling cars from a remote location.

Medical Devices

There are countless lives saved every day by Internet-connected technologies that enable early detection of heart conditions and other maladies. That being said, proper security needs to be designed into these medical devices, which may be vulnerable to malware and other cyberattacks.

_________

In every decision, there is a cost-benefit analysis to be made. When it comes to the IoE, it is important for consumers to fully understand the risks before they make a purchase. The well-funded marketing teams of large corporations producing Internet-connected devices will understandably emphasize the benefits of the devices they sell. It’s up to consumers to look into the risks—and know how to manage them.

It may be worthwhile to stay off the bleeding edge of technology and wait until IoE devices are thoroughly tested.

Caveat emptor!

How to Spot Poisoned Links

You’re looking for information on a particular topic, so you do a web search using your favorite browser.  The results page displays the first batch of links, and the first one looks especially promising — from the title and link description, it seems a perfect match.  But how safe is that link you’re about to click?

Whether you are using Google, Bing, Yahoo, or another search engine, chances are you trust the results page.  Cybercriminals are counting on that.  They use automation tools to build fake webpages stuffed with popular search terms (or keywords), tricking search engines into placing those fake sites higher on their results pages.  The higher the rank (i.e., the closer to the beginning of the search results), the more likely it is that you’ll click one of those “poisoned” links—and when you do, you’ll open a page that’s loaded with malicious software intended to damage your computer or steal your information.

Getting Clicks at Your Expense

Search engine poisoning isn’t new.  “Spamdexing” — a combination of spamming and indexing — became a big issue in the late 1990s as the Internet rose to prominence and people looked to monetize websites by driving traffic to their pages from search engines.  Spamdexing is a form of unethical search engine optimization (SEO), a “black hat” technique that deliberately modifies HTML (the standard markup language to create web pages) to include irrelevant or even erroneous information — so spamdexers get clicks at the expense of search engine users.  Spamdexing had all but compromised search engines.

And then Google developed a page ranking system that discounted spam sites.  Ever since, Google has been updating the algorithms that sniff out and remove black hat sites, and other search engines have followed suit.

Attackers, in return, are constantly updating their methods.  Aggressive marketers are working to improve their ranking in search engine results pages artificially.  Spammers are looking to make a quick commission based on the number of links clicked, and cybercriminals are hunting easy prey.

A particularly effective form of search poisoning fools Google’s algorithms and presents a completely different search result to unsuspecting users.  This technique, called “cloaking,” tells Google’s search engine one thing but shows something completely different to the user.  You think you’re clicking a legitimate link displayed on the results page but are instead tricked into downloading malicious content — compromising your system and effectively handing over your personal information to the attacker.

[Illustration: Updated OHIP MARS poison search]

This illustration shows the results of a Google search for a program under the Office of Health Insurance Programs (OHIP).  The red arrow points to the first search result, which is labeled as a petition for OHIP, but the URL points to a treatment for macular degeneration.

Poison Control

You can protect yourself from search poisoning and keep both your computer and your personal information safe from attackers.  Along with making sure that your browser and antivirus software are up to date, you should follow these key steps:

  1. Stop and look. When you perform a search through your preferred browser, don’t just click on the first link result.  Take a few moments to examine the URLs and the displayed links to make sure they are legitimate.
  2. Hover.  When you hover your cursor over the link — without clicking — you will see the full hyperlinked web address.  Check it carefully.  If anything looks wrong — misspelled, jumbled, nonsensical — don’t click.
  3. Check the format. It’s not only fake webpages that can be cloaked — fake PDF links can trick the algorithms and take you to a promoted website or to a page riddled with malware.  If you didn’t specifically request a PDF document in your search, don’t click a PDF link.

Remember, all an attacker can do is lead you to poisoned links.  No one can make you click.

Stop Using SSL 3.0!

Did you know that an obsolete security protocol developed waaaay back in 1996 is still in use today, and that it can make your data vulnerable to a cyberattack?

In this Q&A article, you’ll learn why the original cryptographic protocol used in Netscape back in 1996 still matters today, how a design flaw can put your current data at risk, and what you can do to help keep your information secure.

What is SSL?

Security protocols are used every day on the Internet to make sure your data is secure (confidential, unmodified, and trustworthy). Secure Sockets Layer (SSL) is the first secure protocol used in the original web browser: Netscape. The purpose of SSL is to provide a mechanism by which a user can access a webpage and be sure that the communication is both trusted and confidential. Version 3.0 was created in 1996.

However, there were some problems with SSL. It evolved into a new protocol, called Transport Layer Security (TLS), in 1999. TLS provides a way for web servers to support older web browsers by changing (or downgrading) the security protocol from the newer TLS to the older SSL protocol. Since SSL evolved into TLS, we often use one term to describe the other. The evolution of the SSL/TLS protocol looks like this:

SSL 2.0 → SSL 3.0 → TLS 1.0 → TLS 1.1 → TLS 1.2

Why is SSL 3.0 bad?

On October 14, 2014, two Google researchers discovered a new way to defeat the protection provided by SSL (https://www.openssl.org/~bodo/ssl-poodle.pdf). They called this vulnerability POODLE.

Can I patch this vulnerability?

No, there is no patch. The protocol has a design flaw, and the only fix is to stop using SSL 3.0 on browsers and web servers.

There is an optional protocol extension called TLS_FALLBACK_SCSV, but both the client and server must use it. Additionally, not all browsers support this extension; therefore, even if you configure your server to use it, there is no guarantee that the browser will support it. You cannot depend on this extension.

How bad is this problem?

The attack requires the attacker to both intercept your traffic and inject new traffic. This requires either malware on your computer or an untrusted network connection (such as a public WiFi connection). Although difficult, skilled hackers can do this, and for around $100, an unskilled hacker can buy a commercial device that makes this attack easier to perform.

When an attack is successful, your “secure” communication is no longer secure. It can be intercepted and modified. If you were to connect to your bank, your account information, passwords, etc., could all be seen and modified.

But my browser normally supports TLS.  Won’t this protect me?

No.  Normally the TLS protocol will check to see if both parties can agree to use TLS instead of SSL, but an attacker can intercept and modify the communication (this type of attack is called Man in the Middle, or MITM) and claim that SSL must be used. Once the two computers “agree” to downgrade (i.e., choose to use a weaker, older protocol) to SSL3, the POODLE attack can be used to intercept and modify all secure communications.

As long as both the server and your browser support SSL, you cannot assume that your connection is secure.
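To make the downgrade and the TLS_FALLBACK_SCSV point concrete, here is an added simulation (not code from the original post) of the browser fallback dance: a man-in-the-middle drops every handshake above SSL 3.0, and the outcome depends on whether the client sends the SCSV, whether the server honors it, and whether SSL 3.0 is enabled at all. The Client and Server classes, the scenario names and the simplified version negotiation are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol versions, weakest first (the evolution line shown in the article)
VERSIONS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]


def rank(version: str) -> int:
    return VERSIONS.index(version)


@dataclass
class Server:
    supported: List[str]   # versions the server will accept
    honors_scsv: bool      # implements the TLS_FALLBACK_SCSV extension

    def handshake(self, client_version: str, scsv_present: bool) -> Tuple[str, Optional[str]]:
        """Answer one ClientHello: ('ok', version) or (alert name, None)."""
        if client_version not in self.supported:
            return ("handshake_failure", None)
        best = max(self.supported, key=rank)
        # A client that marks the hello as a fallback while offering less than the
        # server's best version is being downgraded: refuse instead of accepting.
        if scsv_present and self.honors_scsv and rank(client_version) < rank(best):
            return ("inappropriate_fallback", None)
        return ("ok", client_version)


@dataclass
class Client:
    supported: List[str]
    sends_scsv: bool       # browser adds TLS_FALLBACK_SCSV to its retry handshakes


def negotiate(client: Client, server: Server, mitm_max: Optional[str] = None) -> Optional[str]:
    """Simulate the browser's downgrade dance.

    mitm_max: if set, a man-in-the-middle drops every handshake offering a version
    stronger than mitm_max, so the client sees a network error and retries lower.
    Returns the agreed version, or None if no connection is established.
    """
    attempts = sorted(client.supported, key=rank, reverse=True)
    for i, version in enumerate(attempts):
        if mitm_max is not None and rank(version) > rank(mitm_max):
            continue  # dropped by the attacker; the browser treats it as a flaky network
        scsv = client.sends_scsv and i > 0  # only retries carry the SCSV marker
        status, agreed = server.handshake(version, scsv)
        if status == "ok":
            return agreed
        if status == "inappropriate_fallback":
            return None  # downgrade detected: the browser aborts rather than talk SSL3
        # handshake_failure: the server does not speak this version, try the next lower one
    return None


# Constructed endpoints for the scenarios discussed in the article
LEGACY_SERVER = Server(VERSIONS, honors_scsv=False)
SCSV_SERVER = Server(VERSIONS, honors_scsv=True)
HARDENED_SERVER = Server(["TLS1.0", "TLS1.1", "TLS1.2"], honors_scsv=False)  # SSL 3.0 disabled
OLD_BROWSER = Client(VERSIONS, sends_scsv=False)
NEW_BROWSER = Client(VERSIONS, sends_scsv=True)


def scenarios() -> dict:
    """Agreed protocol per scenario; 'SSL3' means the POODLE attack is now possible."""
    return {
        "no attacker": negotiate(OLD_BROWSER, LEGACY_SERVER),
        "mitm, no scsv anywhere": negotiate(OLD_BROWSER, LEGACY_SERVER, mitm_max="SSL3"),
        "mitm, scsv on client only": negotiate(NEW_BROWSER, LEGACY_SERVER, mitm_max="SSL3"),
        "mitm, scsv on both": negotiate(NEW_BROWSER, SCSV_SERVER, mitm_max="SSL3"),
        "mitm, ssl3 disabled on server": negotiate(OLD_BROWSER, HARDENED_SERVER, mitm_max="SSL3"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32s} -> {outcome or 'connection refused (no downgrade)'}")
```

Only the last two scenarios deny the attacker SSL 3.0, and only disabling SSL 3.0 on the server works regardless of what the client supports, which is the article's recommendation.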

What should I do?

To protect yourself, you should configure your browser to stop using SSL.  

If you have a server, you can protect your clients by disabling SSL. For instructions on how to do that, this link (http://disablessl3.com/) provides a nice guide.

What will break if I have a web server and I disable SSL?

You should not notice any problems. Nearly all browsers support TLS.

The only people who will be affected are those who use Internet Explorer (IE) version 6, or Opera version 4.0. These are the only browsers that do not support TLS. According to this page, the percentage of people who use IE6 is less than 0.3% (http://www.w3schools.com/browsers/browsers_explorer.asp).

The only users who must use IE6 are those running Windows XP, which received its last service pack in 2008. It is no longer maintained, unless you purchased an extended support contract for obsolete software from Microsoft. In other words, it is highly unlikely (0.3%) that your customers will notice any problem if you disable SSL 3.0 on your servers.

Does this affect only web servers and web browsers?

Sadly, no. Many companies allow clients to connect to their systems using a VPN (Virtual Private Network). This VPN creates a secure connection over the Internet from the client’s machine to the customer’s network. Some of these VPN servers use SSL/TLS. And that means the “secure” VPN connection is vulnerable to security attacks.

I’m still not sure I should disable SSL3.

If you do nothing at all, SSL3 will stop working. That’s because vendors are removing support for SSL3 from their products. Some examples include:

So TLS 1.0 is okay?

Well, that’s another problem. In December 2014, it was discovered that TLS 1.0 was also vulnerable to the POODLE attack (https://www.imperialviolet.org/2014/12/08/poodleagain.html). This was an implementation error that browsers could be patched to address, but TLS 1.0 is still vulnerable to attacks from skilled hackers.

Ideally, the latest and greatest version of TLS should be used, but this cannot be done until every one of your clients’ browsers has upgraded to support TLS 1.1 and 1.2.

As of February 2013, contemporary browsers (Chrome v20+, IE v8+, Opera v10+, and Safari v5+) support TLS 1.1 and TLS 1.2. However, Windows 7 and 8 users who use IE version 10 or lower do not have TLS 1.1 and TLS 1.2 by default. Therefore, we do not recommend at this time that TLS 1.0 be disabled on a server, unless you know that your users’ browsers will not be affected.

——

In short, a surprising number of web servers still use SSL 3.0. Stop using SSL 3.0! It’s not secure, and it’s not needed.

Links in this article are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.

Planning for a System Security Plan

Many organizations today are involved with collecting and processing Personal Identifying Information (PII) or Personal Health Information (PHI). Because it’s crucial that such data is protected and handled properly, regulating agencies are requiring System Security Plans (SSPs) to be completed.

For example, the SSP template provided by the Centers for Medicare & Medicaid Services (CMS) is described as “the current level of existing security controls within the System that protect the confidentiality, integrity and availability (CIA) of the system and its information.” The resulting SSP contains many other documents that address policy and procedure, and also provide evidence of implementation for more than a dozen groups, or “families,” of related security controls.

It would be one thing if responding to SSP requests was a “one and done” process. However, an SSP requires periodic review and adjustment to changes in hardware, applications, staffing and other factors, as well as fresh evidence of implementation. In addition, if your organization is involved in healthcare, insurance, or analytics, it’s highly likely that you will be required to respond more than once to requests from multiple agencies.

In other words, your SSP is an ongoing process — one with many pieces, including dozens of documents, data files, and screen shots. And this process can be a burden.

But it doesn’t have to be — not if you plan for your System Security Plan. Once you assemble an SSP team, deciding to do some extra work up front will make it easier on the team in the long run.

Here are four steps you should take when planning for your System Security Plan.

  1. Share it. Store the SSP electronically and securely. Make it available to staff as appropriate — not just to the team collaborating to complete the SSP but also to those who will be using it to determine the supporting documentation that will be required. For ease of sharing, put your SSP on a trusted intranet site, such as a file server.
  2. Store your sources. A good SSP requires documentation of the assertions indicating compliance with controls from NIST, HIPAA, or some other regulation, law or requirement. For example, an assertion may indicate that an audit log extract shows proper configuration to capture events as required. In this case, store the log extract with the SSP on an intranet site. Make it clear which control or step the log extract is used with, and write instructions on how to create another such extract, including the systems and programs needed (e.g., text editor) for the next time.
  3. Commit to staying current. It’s not enough to create policy documents, which are almost always required with an SSP. You also need to show that these documents are reviewed and revised on a schedule (quarterly, annually, etc.). This clearly indicates that your organization is committed to keeping your security policies up to date.
  4. Take (and keep) notes. When using interviews of staff or management as evidence of compliance, keep notes of the conversations, making it clear what questions were asked and how they were answered. Put the notes in an electronic format and store them with the SSP on an intranet site. This will save time when you respond to your next SSP request — instead of starting from scratch, review the previous notes, identify changes, and make any necessary updates. In addition, making the effort to produce and retain this documentation will demonstrate a real commitment to properly securing PII and PHI.

Thinking about a System Security Plan as an ongoing process will greatly improve the SSP and provide a way to address and improve areas where changes or updates are needed.