Wednesday, December 29, 2021

Tip of the Week: Understanding Your 2FA Options

 Regardless of how airtight your organization’s password policies are, relying on passwords as your exclusive security measure just isn’t enough to resist some of today’s threats. This is why we—along with most other industry and security experts—recommend that two-factor authentication (2FA) be put into place. Let’s review some of the options available for your 2FA, and the added security it can introduce, for this week’s tip.


First of all, we should clarify something: any 2FA is better than relying on a password alone. There are three ways for a password to be undermined, after all. It could be stolen, guessed, or cracked through software. Boosting your security with an additional confirmation of your identity gives those who would attack one of your accounts an extra hurdle to clear, which is why you should embrace every opportunity to use it… especially in the professional setting.

What Kinds of 2FA Are There?

There are a few different varieties of 2FA you can choose from.

SMS

Basically, when you try to login into an account, a secondary code is sent to your mobile device for you to provide. Not only is this a convenient and user-friendly option, but it is also accessible thanks to how often people will have their mobile device in the vicinity (if not on their person). While not the most secure option available thanks to phishing attacks, using text-based 2FA is still a safer option than foregoing 2FA altogether.

Apps

Authentication applications function by kicking out a refreshed code every minute or so that must be input into the requested field before the time expires. As a result, the mobile device serves as an extra key that the person accessing a resource needs in order to open it. Again banking on the near-symbiotic relationship many people develop with their mobile devices, the tradeoff here is that the device needs to be powered on and ideally present… so forgetting the phone at home could seriously hinder productivity.

Hardware

You know that key analogy we made with the authentication apps? Modern hardware authentication solutions are the more literal interpretation of this concept. Requiring the user to plug a token or a USB dongle into their hardware or press a button on the device, this method has surged in popularity with phishing and other scams being so commonly used. While these keys have a price, it is comparatively small to what a data breach could result in.

Biometrics

We’ve all seen the spy films, where an authority figure accesses a super-secret lair or lab by having their iris scanned, their handprint analyzed, and other similar tests. Biometric authentication is the practical application of that and is now found on devices as common as a smartphone. While useful, its convenience can be tempered by some solutions being less accurate than others.

The Best Option for You is the One You’ll Use

It’s really as simple as that. While the above options aren’t all as secure as the others, they each are undoubtedly better when the alternative is protecting your precious data with a crackable password.

Wednesday, December 22, 2021

The FCC is Using an App to Fix Internet Inequality

 Connectivity to high-speed, broadband Internet has quickly transitioned from a convenient luxury to a practical need for personal life and business alike. Considering this, it seems amazing that Internet access isn’t nearly as equally distributed as the need for it is. However, the Federal Communications Commission is calling on the public to help them change that by downloading an application that they first released in 2013: FCC Speed Test.


Is Broadband Accessibility So Important?

Look at it this way: how much do you do every day that requires some form of Internet connectivity? Between shopping, consuming entertainment, keeping in touch with people, and (as we tend to focus on) working remotely, it’s becoming rare that something doesn’t involve Internet access nowadays.

However, while this is the reality for many, just as many don’t have the opportunity to take advantage of the Internet for much at all, simply due to the lack of broadband connectivity in their region. To try and correct this, the FCC has taken action, reinvigorating their Speed Test application and campaigning for people to install it.

What Does FCC Speed Test Do?

Assuming that enough people put the application to use, the FCC can use the app to collect data specifically concerning the quality of Internet services in different areas. Once this data is compiled, it will help inform them where the most pressing investments need to be made and their available funds divided up accordingly.

By analyzing a Wi-Fi or mobile network’s baselines, including its upload speeds, download speeds, and latency, the app helps collect reliable data directly from the source: the networks being evaluated. While these evaluations run once every 24 hours by default, their schedule and data usage can be adjusted to fit your needs.

The app will also test connection speeds, giving users a visual representation of where they stood at different times and in different locations. While FCC Speed Test does collect some data (including location, IP address, device type, operating system, and ISP) none of it is personally identifiable to the user.

Android users and those running iOS alike can use the app. If you’d like to learn more, we encourage you to visit the FCC’s FAQ page about it.

Hopefully, these kinds of actions will bring a more accessible Internet to those areas lacking it, helping businesses and individual users alike. What do you think about these efforts? Is this an app you’d be willing to download? Share your thoughts in the comments!

Wednesday, December 15, 2021

Cyberattacks are Happening Faster with Less Time for Early Detection

 In what sounds like a positive shift, cybersecurity experts have announced their research has found that cyberattacks are spending less time on the networks they infiltrate. Unfortunately, this isn’t such a clear-cut positive. Today, we’ll discuss “dwell time” and how less of it is a problem. 


What Is Dwell Time?

Dwell time is a term that’s used a lot in technology. Typically, it is used to measure how long a user stays on a particular webpage, but in this context it is the duration a threat comes in contact with the network’s filter before it is detected by the software or a technician. You may be surprised to learn that in the latter context, the median dwell time for malicious code is 24 days. This may seem like an eternity, but just 10 years ago the median dwell time of a threat was well over a year at 416 days.

It’s reasonable to assume that since people are more cognizant of web-based threats and therefore are investing more time and money into cybersecurity initiatives, that the number would shrink rapidly. It stands to reason that the shorter the dwell time is, the more apt a program designed to catch cybersecurity threats would be able to quarantine and eliminate the threat, right? Unfortunately, it’s not so simple. 

New Threats Complicate Things

Many of the attacks we see today are far more sophisticated than they were a decade ago. Threats like ransomware, for instance, are now used more today, and dwell time isn’t as big of an issue. In fact, while your average attack method has a dwell time of 45 days, ransomware’s average is just five before it is deployed and causes you to be locked out of your files or systems. Ransomware doesn’t sit on the network, it is deployed and devastates quickly.

Ransomware Is More Sophisticated

Today more hackers are deploying more ransomware than ever and it’s a major point of emphasis that every network administrator should understand. Not only that, ransomware tactics are becoming more aggressive. Now there is a situation called a “multifaceted extortion” where ransomware is deployed and instead of deleting or stealing the data, they threaten to publish it publicly. Most organizations would do anything to keep their intellectual property and the sensitive information of their clients, vendors, and workers confidential.

It’s Not Just Ransomware

Network administrators need to be aware that it’s not just ransomware they have to be on the lookout for. Unpatched software exploits have exponentially risen recently. In fact, over one-quarter of all hacks (29 percent) happen because hackers find an exploit in a business’ network. Phishing, which is often cited as the most dangerous hacking method only accounts for 23 percent. 

Prepare Your Business’ Network

With the threat landscape the way it is, it is important that you diligently patch your software, keep your tools updated and actively train your employees to help you keep threats off your network. At Net It On, we can help. Give us a call at (732) 360-2999 to learn more about how to ensure your business can navigate through the minefield that’s out there today.

Wednesday, December 8, 2021

YouTube Can Help Take Your Business Where You Want It to Go

 I think if you took a deep look at it that you are probably paying too much to train your employees. If you account for the cost of the resources and the time it takes to properly train someone, you are talking a substantial amount of money. There is a way to use YouTube to subsidize your training practices and get the information you need your new employees to see more cost-effectively. 


YouTube and Your Business

Let’s not take a lot of time telling you about YouTube. If you don’t know what YouTube is you are in for a rude awakening once you see it. YouTube has billions of videos and that is a good thing for people. You can learn how to fix your car, care for your houseplants, or format that screenplay that has been in your OneDrive for the past ten years. For this reason, it is a great resource for business, as well as something that you need to keep an eye on.

YouTube can end up costing your business quite a bit too.

Anyone that has been on YouTube knows that there are literally millions of hours of videos about any topic important to any human being. It’s a lot of content. In fact, according to Google, the parent company of YouTube, nearly five billion videos are watched on YouTube every day. This is why many organizations have chosen to block or limit the use of YouTube. 720,000 hours of new video content is updated every day, and a lot of it is video game and movie reviews.

So, How Can I Use YouTube to Improve My Business?

There are many ways to use YouTube to your business’ benefit, but we’re not going to get into marketing and content creation here. Really, all we want to impress on you is that no matter what your business does, there is a literal library of content out there that, if you use it properly, can be beneficial to your business. 

Using existing YouTube content can help you educate your staff about your type of business goals, your culture, your market, the services you provide your customers, customer relationships, physical and cybersecurity, and much more. To do this, you’ll have to learn how to make a playlist. 

How Do I Make a Playlist?

Just as you would if you were making a music playlist, YouTube provides the ability to put together a playlist of videos. By choosing videos that can help improve the knowledge base of your staff, you can get them to quickly learn what you need them to learn to do their jobs more proficiently. Here’s how to do it:

  1. You find a YouTube video you want to add.
  2. Directly under the video, you will click the Add to button.
  3. There will be a dropdown menu. Choose Create new playlist.
  4. Enter a name for the playlist.
  5. Choose any privacy settings you want to enact for the playlist. For businesses, we suggest unlisted.
  6. Click create.

That’s it. Then you can add to the playlist by clicking on the Add to button under a video and placing it on the corresponding playlist. You will quickly find that the hardest part about building a playlist is watching content. Once your playlist is finished, however, you will reap the benefits as your staff will become more knowledgeable and start asking the right questions about how to do their jobs better. 

Wednesday, December 1, 2021

The Lessons to Learn from Coca-Cola’s Insider Trade Secret Theft

 In today’s business, your data is your number one asset. For this reason it is important that you take steps to protect it. One case that accentuates this is the case of Xiaorong You, which is currently playing out in a Tennessee court. The accused is charged with stealing trade secrets and committing corporate espionage, as she is accused of allegedly stealing almost $120 million worth of BPA-free technologies from several companies, among them the Eastman Chemical Company and Coca-Cola.


Let’s take a look at how these two companies deployed their threat detection systems and the effect they had on the companies. 

You’s Story

Xiaorong “Shannon” You, a naturalized US citizen and Ph.D. in Polymer Science and Engineering, has worked at several companies since the early ‘90s. From December of 2012 to August of 2017, she worked for Coca-Cola as a principal engineer for global research, moving to the Eastman Chemical Company to work as a packaging application development manager from September of 2017 until June of 2018, when her employment was terminated.

During her tenure at both companies, You was given access to many trade secrets that only a handful of employees were privy to. In the indictment, You is charged with retaining these secrets (despite affirming that she hadn’t in writing) and then handing them over to the People’s Republic of China in an attempt to qualify for its The Thousand Talents program. This program has been used before to introduce advanced technologies to China, with the Department of Justice having prosecuted some cases similar to You’s.

Her modus operandi was that she retained this information by simply uploading data to her personal Google Drive account or captured especially sensitive information on her smartphone. Once she captured this data, You worked with a Chinese national named Xiangchen Liu to form a separate company in China that went ahead to use these trade secrets to begin revenue generation. They allegedly used an Italian BPA-free manufacturer to incorporate the stolen technologies onto their own products.

The theft of this information impacted several companies, including Coca-Cola and The Eastman Chemical Company, AkzoNobel, Dow Chemical, PPG, TSI, Sherwin Williams, and ToyoChem. This led to the charges she currently faces.

How You’s Employers Could Have Stopped Such Activities

There were stark differences between the way that Coca-Cola and The Eastman Chemical Company handled these issues. You left Coca-Cola in August of 2017, but her indictment states that the crimes she’s charged with didn’t happen until 2019. This means that Coca-Cola had no knowledge of the theft until after she had been exposed by her later employer. 

This fact is indicative of two reasonable hypotheses:

  1. Coca-Cola lacked the tools to detect such activities in real-time, making it far more difficult to prevent protected and sensitive data from successfully leaving the corporate environment.
  2. Coca-Cola also lacked the policies that could have prevented non-authorized devices from entering the workspace or otherwise being kept in proximity to sensitive company data or infrastructures. While old-fashioned, the concept of taking photographs of such information is no less effective for its age.

If you compare that to You’s sudden dismissal from the Eastman Chemical Company, you would have to consider that they had the data protection standards implemented to catch would-be thieves pretty rapidly.  If they hadn’t, the $120 million in trade secrets could have been substantially more. 

This just goes to show that any business can have the right idea about security, but not pay close enough attention to the details. Coca-Cola is a massive brand, but it couldn’t stop You from allegedly raking the company over the coals.