We live in a world that revolves around and depends on the Internet. Our personal and professional lives depend on it. I wrote this article on a computer and delivered it to the editor electronically. Odds are you are reading it on some sort of electronic device connected to the Internet. Can you imagine how difficult it would have been to make this all happen without our connected world? Extremely inefficient. But, as wonderful as this all is, it comes with a price. By being “connected”, you expose yourself to individuals looking for opportunities to take advantage of you. Disconnecting yourself and your business from the rest of the world is not an option. So what is one to do? Turns out there are quite a few things you can do.
We spend a good chunk of our day browsing the Internet. It is therefore a good idea to follow some simple guidelines.
- SSL Sites. When visiting sites, make sure the site is protected by an SSL certificate. SSL certificates provide an encrypted, secure tunnel of communication between your browser and the site you are visiting. They also serve to authenticate the owner of the site. Depending on your browser, sites using SSL are identified by the letters “HTTPS” at the beginning of their URL as well as a “lock” symbol near the URL. If you can avoid sites not using SSL, do so.
- Passwords. You have heard this many times before. Do not use the same password across different sites. Criminals know this and take advantage of it. You would be surprised how easy it is for cyber criminals to obtain your password. The best passwords are very long and consist of upper and lowercase letters, numbers and symbols. But who can remember all those complicated passwords? Instead, use password vault services like LastPass. These services create very long, complex passwords for each of your sites, encrypt them for you and store them in your password vault. You only need to remember one highly secure password and LastPass will handle the rest.
- Be careful what you download. Do not download and install applications from sites that are not 100% trustworthy. Installing applications on your computer is the number one way to get infected with malware. If you are not 100% sure, stop and do not install. It is better to err on the side of caution here. Some malware can be downright nasty.
- Multi Factor Authentication. Multi factor authentication is a method used to identify you and grant you access to websites, such as a banking site. Although not 100% secure, multi factor authentication is more secure than single factor. One popular form of MFA involves your mobile device. The site requires you to type in a password as one form, and then requires you to type in a code that is delivered to your mobile device as a second form of authentication. Now the criminal would need more than just your password to access your account. Much more secure although certainly a bit inconvenient.
- Email. Electronic mail. Imagine our world without it. Our productivity levels would plummet. Every day, billions of emails are sent around the world. It is an extremely efficient and inexpensive method of communicating. Unfortunately, this huge volume of emails is a perfect opportunity for cyber criminals to strike. Three popular methods of security compromise are attachments, fake links and phishing scams.
- Attachments. Malware is often spread by means of attachments to emails. The safest thing is to never open an attachment. If you must, I would only do it from a known source (known sources are not always evident; viruses spread by sending emails from the infected person’s computer to recipients in their contact list). Having good anti-malware software and high security settings in your mail client also is helpful.
- Fake links. Another common trick is to include links in the email body that seem to point to a known, trusted location but actually take you to a different, malicious site. Do not ever click on these links. There are a couple things you can do here:
- Most mail clients will allow you to hover over the link to see the true destination. If the URL is to a different site, don’t click on it. Another common giveaway is the URL will point to a foreign country. Don’t click on it if you want to play it safe.
- The other thing to do is to view the email source. This process can seem a bit cryptic since you will be looking at HTML tags in the case of an HTML formatted email but it allows you to “look under the hood” of the email to see the truth.
- Phishing Emails. Phishing emails are typically fake emails that appear to come from legitimate sources (e.g., your bank, a service provider). These emails usually try to direct you to a spoofed website that attempts to obtain private information such as passwords and credit card info. Some common giveaways to phishing emails are:
- Poor grammar and misspellings. If you see this, delete it.
- Fake links. These emails tend to contain fake links as I described under “Fake links” above. Follow my suggestions.
- The domain of the email may look legitimate but it is not. For example, you may get an email from what seems to be Chase Bank using the email address Chase@securityonline.com. A little bit of research will show you that the domain name is fraudulent.
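The hover and view-source checks described under “Fake links”, automated as an added example (not from the original article): it parses an HTML email body and reports links whose visible text names one site while the underlying `href` points to another. The sample message and the `.example` hostnames are constructed, and the subdomain comparison is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname if value looks like a URL or bare domain, else None."""
    value = value.strip()
    if not re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+([/:?#]\S*)?$", value, re.I):
        return None
    host = urlsplit(value if "://" in value else "http://" + value).hostname or ""
    return host[4:] if host.startswith("www.") else host

def same_site(a, b):
    # Equal hosts, or one is a subdomain of the other (simplifying assumption).
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def suspicious_links(html_source):
    """Return (visible text, real host) where the text names a different host."""
    parser = LinkCollector()
    parser.feed(html_source)
    flagged = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and not same_site(shown, real):
            flagged.append((text, real))
    return flagged

# Constructed sample email body, not a real message.
SAMPLE = """<a href="http://chase.com.account-verify.example/login">https://www.chase.com</a>
<a href="https://secure.chase.com/help">www.chase.com</a>
<a href="https://newsletter.example/unsubscribe">Unsubscribe</a>"""
```

Links whose visible text is not itself an address (for example “Click here”) are not flagged by this check and still need the hover test.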
- Firewalls. Firewalls come in two flavors, software based firewalls and hardware based firewalls. Firewalls are an essential part of your arsenal against cyber criminals. Think of a firewall as the “Gate Keeper” to your computer infrastructure. It is designed as the first point of contact between the Internet and your computer systems. It decides what type of traffic to allow into your network and what kind of traffic to block from entering. It is critical that firewalls be properly configured. Doing so is a bit of an art. Hire the right IT company to do the work. Well worth the money.
- Virtual Private Networks (VPNs). Do you have a branch office or employees that work from home? If so, you may want to invest in VPNs. A VPN establishes a secure connection from one location to another over an unsecure line, such as the Internet. Think of it as having a secure, encrypted “communication” channel between your office and a remote location. Others can see the data being sent back and forth but they can’t understand it. The data is encrypted and private. Like firewalls, VPNs are also available in hardware and software form. Both have advantages and disadvantages. Talk to your IT professional for guidance.
- Anti-Virus/Anti-Malware Software. AV/AM software works by constantly scanning computer files and memory for patterns or “signatures” of known viruses/malware. The files identified as viruses are then quarantined and eventually deleted. There are many different types of AV software. Every IT person I know has their own favorite. Some are free and others are not. AV/AM software is another tool you can use to protect yourself but be aware that it is not 100% protection. You see, AV/AM software vendors are always playing “catchup” to new threats. Microsoft Windows 8 included Microsoft’s own malware protection software called Defender. It continues to be included in Windows 10. It is free and I recommend you use it. Keep it current and run a scan on a regular basis.
- Ransomware. This one is nasty. Ransomware is a form of malware that disables use of your computer or access to files. One flavor of ransomware locks you out of your PC. You can’t log in until you pay the ransom. The other common form of ransomware encrypts files on your system. I have seen the latter firsthand and it can be completely disabling. The malware finds files on your system and encrypts them so that you are no longer able to access them. These files can be Word documents, Excel spreadsheets, accounting data, or databases. The cyber criminals claim to hold the key to decrypt your data if you pay them. A few years ago a hospital was victim to ransomware and reportedly paid the ransom to get back their data.
How do you get infected? The same as any other malware. It could be an attachment to an email that you open, or an application you installed on your computer from a malicious website. Once you are infected, the malware begins the encryption process and leaves you helpless.
What do you do if you are the victim of ransomware? Well, you have two options. One, you pay the ransom. Problem here is that you have no guarantee that you will get the decryption key once you pay. Your second option is to not pay the ransom and instead restore your data from a non-infected backup. Which is a great segue to my next topic.
- Backup, backup, backup! One of the most important steps you can take to protect yourself from cyber-crime is to implement and maintain a strong backup procedure including good retention policies. Good backups will save you if you fall victim to ransomware. A good backup procedure must include onsite and offsite (aka “cloud”) backups.
- Onsite backup. This form of backup often involves backing up to magnetic media such as tape. Other forms involve backing up to hard disks in a network attached storage (NAS) device.
- Offsite/Cloud backup. In addition to your onsite backup, you should implement a method of backing up to an offsite location. There are several vendors that provide cloud backup. We have been customers of Barracuda Networks’ backup devices for over a decade now. Their device resides at our office; the local backups take place on it and are then offloaded to Barracuda’s cloud during non-office hours. Highly recommended.
- Stop Using Windows XP. In April 2014, Microsoft stopped supporting Windows XP. Windows XP was a great operating system but is very old and very dangerous to use. Microsoft no longer releases security updates for XP, leaving you dangerously vulnerable to numerous cyber-attacks. From Microsoft’s website:
What happens if I continue to use Windows XP?
If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses. Internet Explorer 8 is also no longer supported, so if your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows XP.
What should you do? Odds are a computer running Windows XP is very old. Recycle it and buy a new one running Windows 10.
- Stop using QuickTime for Windows. Chances are your computer has QuickTime installed. QuickTime is software used to play certain video formats. Apple, developers of QuickTime, stopped support for the product. This along with recent security flaws exposing your computer to remote code execution makes running QuickTime very dangerous. Unless you have essential software that requires QuickTime, uninstall it immediately. Refer to the Department of Homeland Security website for more information: https://www.us-cert.gov/ncas/alerts/TA16-105A.
- Built-in Security Features of The Mortgage Office (“TMO”). Many CMA members use our software on a daily basis to originate and service loans and mortgage pools. TMO provides several security features that will protect you and your data.
- User and Group Security. These security features are essential to limiting your liability and protect your data from fraudulent access.
- Set up groups. A user who is a member of one or more groups inherits the aggregate rights of each group, in addition to his own. Security groups also simplify the process of managing security and user rights across the entire organization. Use the Access tab to grant/revoke access to different parts/functions of TMO.
- Set up a user for each employee that will use TMO. Assign the users to the groups created above.
- Password restrictions. I have already expressed the importance of complex passwords as a requirement to protect your data. Use the Password tab to configure these password requirements. I strongly recommend that you use as many of these as you are comfortable with.
- Set up at least one user as a “supervisor”. Only supervisors are allowed to perform certain functions in TMO such as making changes to the User/Group Security.
- Positive Pay. TMO contains a fraud protection feature called “Positive Pay”. Positive Pay is a feature that generates a file containing a list of checks (check date, amount, check number, payee, etc.) that is then provided to your bank electronically. Your bank will only accept the checks included in the file. This feature eliminates potential check fraud.
My last bit of advice is one that you can apply to all aspects of your cyber life. Use some common sense. It will go a long way. In this connected world, if something you receive looks too good to be safe, stay away from it.
- LogMeIn, Inc. dba LastPass
- Microsoft and Windows are registered trademarks of Microsoft Corporation
As Published in Points of Interest Magazine in 2016