Author: Stuart Crawford

When you think of cybersecurity, protecting credit card numbers or government files might come to mind, but your students’ PII (Personally Identifying Information) is a target for hackers, too.

Young people make great targets because they’re a clean slate. They’re not using their identities to get a mortgage or credit card or anything, so no one is checking up on them. They also have a tremendous amount of personal information being shared – including medical, mental health, contact information, and performance evaluations in academia and sports or the arts – and it’s being saved in various, often poorly secured, locations. And finally, but perhaps of the highest utility to hackers, children are great targets because people will do ANYTHING to protect them.

It CAN Happen Here

If you’re thinking to yourself that you live in a quiet small town with no crime, no draw for a terrorist plot, think again. Yours might be the ideal spot to stage a crime like this. Look to a small Montana school district Columbia Falls in Flathead County. Home to nearly 16,000 students, the district’s parents and administrators received text messages and a seven-page letter containing threats, repeated references to Sandy Hook, creepy quotes, and claiming that the FBI could not help anyone.

Hackers generally don’t target specific cities, but instead are constantly searching for vulnerabilities wherever they may occur, security experts said. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” said Christopher Krebs, a senior official at the Department of Homeland Security, at a recent mayors’ conference in Boston. “You’re not special.” Source: WSJ

This came seemingly from nowhere, but as the extortionists explained, the choice was deliberate: the district had vulnerabilities that made it easy to gain access to confidential files. With all of the other concerns that educators have, it can be easy to overlook securing digital information properly. You may not even understand the threats that exist, and it’s hard to find qualified Information Technology professionals willing to stick it out for the comparatively low salaries school districts offer.

2017 Cyber Terrorism Attacks

A recent FBI briefing regarding attacks across the country at multiple school districts describes a terrifying ordeal: people all over the district awoke to find text messages informing them that their students’ information was up for ransom. Hackers had taken advantage of vulnerabilities in web-facing district servers to extract student PII (Personally Identifying Information). Victims received physical threats, were told that this information would be used for bad ends unless the district paid a ransom.

The extracted Information included:

• Parent, guardian, and student phone numbers
• Education plans
• Homework assignments
• Medical records
• Counselor reports
• Grades or other testing records

The hackers also demanded their ransoms in cryptocurrency, making it hard for local authorities to follow the trail (for now).

How Is PII Being Used?

PII can be used to forge false online identities, to launder money or get bad actors into the country. And once the information is out there, how do you safely get the genie back into the bottle? A child’s entire future (financial, academic) or even their physical safety is under threat if their identifying information ends up sold to bad actors. When you hold transcripts, grades, and achievements for ransom, you’re waving the flag at a future that’s quickly disappearing into the distance. Prevention is best. So where are your areas of vulnerability, and how can you shore them up?

Common Vulnerabilities

Phishing Scams

These are communications from supposedly friendly senders meant to entice you to open an email, text message, or oother messages or to click on a link. A “social engineering” hack, phishing attacks are meant to gather confidential or personal information. Make sure graphics look normal, hover over links to read their description, and check for any suspicious formatting or wording.

Phishing attacks can also come by phone. Do not give confidential information over the phone to someone who has called you first. Instead, agree to call the company back from the number that you have in your records. Don’t just click “ok” on an unexpected pop-up.

Non-school devices – your network should be configured to recognize new devices.

• Educational apps that store student identifying information
• Carefully read through privacy and security information from new software or EdTech websites.
• Improperly shared or stored PII
• Make sure everything is encrypted and password-protected.
• Ignorant or non-compliant personnel – not updating software, not checking edtech vendors out, not understanding what looks or is suspicious, not reporting suspicious activities.

Below is a list of cybersecurity measures you can take:

• Research privacy acts like FERPA, COPPA, and the PPRA as well as any state laws regarding privacy and educate staff and faculty so that everyone understands what is expected of educators and vendors of EdTech services.
• Do a survey of teachers, librarians and IT staff to see what software is being used in the school, and what information is being collected. It might be helpful to see all in one reports on how much information is being collected, and how many different services are collecting it.
  • Bonus: if anything happens, you know where leaks may have come from.
    • If parents want more specific information about these services, you’ll be able to tell them what services or websites their child’s teachers use.
• Review the privacy policies of EdTech companies that are being used in your district.
• Check for vulnerabilities in your data storage procedures.
  • Are you updating software when you’re supposed to?
    • Does everyone have their own passwords to get into high-value/confidential data storage locations?
    • Do you have a plan for how to react to a breach?
• Research school-related cyber breaches.
• Back up important data.

If you have evidence your child’s data may have been compromised, or if you have experienced any of the Internet crimes described in this PSA, please file a complaint with the Internet Crime Complaint Center at www.ic3.gov.

Federal regulations are usually complex and can have unintended consequences. If you are a lawyer, they are a goldmine both for prosecutors and consultants for clients. When it comes to the Health Insurance Portability and Accountability Act (HIPAA), there are, however, just a few (relatively) simple steps you can take to avoid violations, fines, and bad publicity for your healthcare organization. HIPAA is not a paper tiger. Healthcare organizations have been fined millions of dollars for breaches and violations so far.

Download a very informative infographic here.

What Is A Violation? What Is A Breach?

For once, there’s a nice, simple distinction which does not require a legal mind to understand. The definition of a violation is:

“A failure to do what HIPAA requires to keep protected health information (PHI) secure.”

Basically, PHI is data that HIPAA requires be protected by following the steps suggested below. There are a few simple steps one can take to avoid violations. These are things that you should be doing already to protect data in general. All HIPAA does is specify them. They are:

• Records must be secured. This means limiting access to the data that employees and providers need to do their jobs. Records can be secured by passwords, biometric identifiers, swipe cards, fingerprint readers, etc. PHI must be encrypted. Enough said. While you’re at it, what rationale do you have for not encrypting all data?
• PHI must be encrypted against hacking and breaches. This means that if there is a breach and encrypted records are stolen, you are still liable. Encryption can be broken, and every method of securing data, except for quantum encryption, which is not generally available, has vulnerabilities.
• Devices must be secured. This generally means that portable devices, such as smartphones and laptops that could be lost or stolen must be secured via encryption and passwords or have other limitations on access. The theft of a device should not enable the one who stole it (or finds it) to access PHI. If the chief of surgery leaves his or her smartphone in a cab, there must be a way to remotely erase all data on it.
• Finally, employees must be trained, not only on the importance of security, but also on the organization’s specific methods of maintaining PHI.

A breach is disclosure of PHI to parties that are not authorized by HIPAA to access it. A breach has occurred if PHI is accessed by an unauthorized party, even if that data is actually stolen.

How Do I Prevent A Breach?

• Train employees on why security is important and how to minimize risks.
• Maintain possession and control security on mobile devices.
• Enable firewalls and encryption.
• Ensure that files are encrypted and stored correctly.
• Move towards a paperless operation and properly dispose of paper files.

How Do I Plan Ahead?

HIPAA regulations require that a healthcare organization regularly audit its security and have a risk mitigation action plan. If you take the following steps, you will have gone a long way towards ensuring that your organization can pass audits and show that you have already taken steps toward risk mitigation:

• Encrypt PHI both in storage and transmission.
• Use secure access controls including strong passwords, access limited to job functions, auto timeouts, and screen locking.
• Use firewalls and antivirus software on all desktops and mobile devices.
• Keep track of incoming, as well as outgoing, data. Know where data comes from.
• Keep your risk mitigation plan updated to deal with new threats. The “threat surface” is constantly changing.
• Keep software and firmware updated. Many new attacks are aimed at hardware as well as software vulnerabilities.
• Keep employee training up-to-date.

How Can My Organization Respond to Breaches?

Your organization should have a written post-breach action plan that is regularly updated. It is foolish to assume that a breach will never occur. The plan should be updated and reviewed at least annually. What is most important is transparency. HHS needs to be notified. Those whose data has been exposed have to be notified. Your legal staff should be notified. And anything resembling a cover-up should be avoided.

Concealment of a breach is a violation of the law and regulations, and can be guaranteed not to work. Breaches will eventually be exposed, and the delay in reporting them or attempts at concealment will only make the organization look worse than would otherwise be the case.

Any breach – or even detection of an attack – should be used as a lesson for future security efforts. The first task is to figure out what went wrong. Where did your security measures fail? Once that is known, you need to determine the root cause. The root cause is usually a bit of a surprise.

In one case, the organization’s own security efforts were perfect. But it used a cloud vendor whose security practices were much laxer. Data was encrypted and communications between the organization and the cloud vendor were secure and encrypted. But the cloud vendor stored decrypted data on one of its own servers that were not even protected by a password and exposed to the public internet. The lesson here is that security audits should cover both your own organization and all of your vendors.

From its inception, Microsoft has been defining and redefining business. According to History, Microsoft was founded by Bill Gates and Paul Allen in April of 1975. The company introduced the Windows operating system in 1985. In 1995, it released its web-browser, Internet Explorer. Prior to the Microsoft Ignite 2018 conference for IT developers and professionals, the company announced the expansion of its Dynamics 365 portfolio.

According to Microsoft, the original Dynamics 365 is a “collection of intelligent business applications.” It included a line of customer relationship management (CRM) applications, which were later referred to as a customer engagement plan. It also has an enterprise resource planning (ERP) capability, which is basically a finance and business line.

Dynamics 365 is available in two editions. One is designed for small to medium-sized offices and businesses. The other is more appropriate for medium to large-sized law practices.

What Are the New Additions to Dynamics 365?

Dynamics 365 already offered assistance with accounting and financial management, customer service, field service, operations, and sales, etc. These applications work together seamlessly. Now, however, they can be combined with the following artificial intelligence and mixed reality additions.

• Dynamics 365 AI for Customer Service
• Dynamics 365 AI for Market Insights
• Dynamics 365 AI for Sales
• Dynamics 365 Layout
• Dynamics 365 Remote Assist

The Dynamics 365 Layout and Dynamics 365 Remote Assist are both mixed reality applications. They are not only new, but they are also the first of their kind. The company refers to them as “a whole new kind of business application.”

What Is Artificial Intelligence?

Artificial intelligence (AI) is essentially machines that have to use intelligence, such as when computing or analyzing, to perform tasks a human would normally carry out. They also collect data in order to adapt and learn how to do things better. Based on algorithms, statistics, and trends, AI is used to solve problems faster and more accurately than the average person would.

Common, contemporary examples of AI include the following abilities:

• Alexa by Amazon
• Facial recognition on smartphones
• John Paul—the luxury concierge company
• Netflix’s predictive user-preferences feature
• Pandora’s ability to pick user preferences based on 400 musical characteristics
• Siri by Apple
• Tesla’s self-driving feature

This is merely a handful of the many ways that people use AI on a daily basis. Oftentimes, they are completely unaware.

How Are the New Additions to Dynamics 365 Using AI?

Dynamics 365 AI for Customer Service provides firms with Virtual Agents to do some of the typical day-to-day interactions with clients. It also helps collect automated insights from clients to improve future services.

Dynamics 365 AI for Market Insights uses the actionable web and social insights to improve relationships with clients. It detects trends in marketing and social media to assist legal SEO teams to engage in meaningful actions and respond to current dynamics.

Dynamics 365 AI for Sales is used to improve an office’s bottom line by helping associates focus on high-priority endeavors. It provides detailed analysis and answers to frequently asked questions regarding outreach and income.

What Is Meant by Mixed Reality?

Considered the evolution in computer, environment, and human interaction, mixed reality blends the digital world with the physical one. With advances in computer vision, display technology, graphical processing power, and input systems, both holographic and immersive devices are possible.

Holographic devices are those with the ability to virtually place digital content into the real world like it were actually there. Immersive devices, however, are characterized by the ability to create a sense of “reality.” They replace the physical world with a completely digital experience.

How Are the New Additions to Dynamics 365 Using MR?

The two additions to Dynamics 365 that use mixed reality are the Layout and Remote Assist applications. Both are made possible with the use of Microsoft’s HoloLens. This wearable device allows people to interact with content by using gestures, vocal commands, and even their gaze. It provides the immersive experience required for Layout and Remote Assist.

The Dynamics 365 Layout allows users to visualize or even walk through physical space layouts in real-world scale. Potentially, this would be beneficial during a courtroom situation to provide jurors with an accurate depiction of a crime scene for example. It could also be used to assist clients with investment opportunities, etc.

Dynamics 365 Remote Assist is an immersive tool that helps first-line workers trouble-shoot problems in a “hands-free” environment. First-line employees are the ones to engage with clients, such as receptionists and legal support staff, etc. The Remote Assist application allows them to address situations and improve efficiency.

In Conclusion

In a virtual news briefing, Microsoft corporate Vice President Alysa Taylor stated, “We continue to expand our category with AI and mixed reality. We’re taking another step forward on our journey to help empower every organization on the planet to achieve more through the acceleration of business applications.” That they have.

Limited wireless networks are just what they sound like: small networks with limited range that cannot handle the demands of, say, the entire population of a large high school full of students, faculty, and staff all carrying one to three personal devices. Small networks cannot handle the bandwidth demand from multiple classrooms of students streaming videos at approximately the same time while all classrooms report their attendance at the top of the hour and district emails regarding cybersecurity threats go out.

Potential Small Wireless Network Areas:

1. Administrative Offices
2. Small Administrative Office, Small Multimedia Lab/Library, Mobile Computer Lab
3. Any staff that needs to be (literally) mobile/wears multiple hats
4. Very small elementary school. Teachers who are using iPads or something to take attendance. Small schools might make it with a few high-powered wired PCs and Printers, plus a wireless network for the other stuff.
5. Annexed community (e.g. a construction module office or library)

Small networks range from a small administration office with a skeleton staff to several offices, connected printers and copiers, and a couple of dozen devices spread across a tiny school (and that’s stretching it to its limits). Anything more than that and a larger network is necessary.

What is a wireless network?

Wireless networks, or Wi-Fi networks, are networked radio signals that relay information (data) from the internet to devices (laptops, desktops, mobile phones, tablets, etc.). Over the years they have improved to the point that they are as secure, reliable, and fast as most wired networks.

Advantages Of A Small Network

Small schools or contained school communities can benefit by having a faster connection on the limited space. It costs less to install and maintain a small network as well, and its general exclusivity makes it a more secure method to share and receive data.

Certain types of information or use are better on a wired connection. So one of the advantages of using a limited, small wireless network is that in an office with equipment better left on a wired connection, such as a dedicated printer or copier, wireless can be for everyone else, or for other appropriate devices as you see fit.

Where To Start

Like with any project, you must determine the scope, budget, and overall goals. What is this network supposed to be able to do? How many devices should it be able to support, and at what bandwidth? You need to know what your goals are, what the scope of the project is, and the budgeting limitations.

You’ll want your main office, the library, and maybe a small computer lab or mobile lab (cart with laptops) to have Wi-Fi. Any other computers would need to be wired or else you’d have to get a much larger system.

This small Wi-Fi network can be a separate network from the rest of the school, to separate

one network from the other for security or speed purposes, or it can be used in a smaller school, or only by a select group of people.

What Should The Small Network Be Able To Handle?

Think about the demands that each individual might put onto the network. Employees, teachers, students , and guests may be on the network if that’s what your school decides, and they will each have their own needs. In an elementary school, very few students will have their own personal devices on them at all times, and even fewer will be using internet access on those devices. This is why the small network might be all right for a small elementary school but not appropriate for a secondary school, where students often have two-three devices.

Account for at least two devices per employee on the network. They will likely have personal devices such as laptops, smartphones, or tablets that they may want to use in addition to work-provided devices.

Once you have the scope down, you can move on to the next phase: choosing your equipment.

You’ll need:

• Router(s)
• Antenna
• Extender
• Ethernet Cables
• Access Points

In Conclusion

If you have a small school or limited wireless needs to think about, go for the smaller wireless network. It offers convenient connectivity and could also be a way to test the waters on a wireless set-up. Further, elementary schools with fewer unknown devices being brought in could benefit from not wasting money on a monster system too large for the needs of the school. No matter what you decide, make sure that you properly measure the resources that you will need.

Four hospitals – Boston Medical Center, Brigham and Women’s Hospital, Massachusetts General (both teaching hospitals affiliated with the Harvard Medical School), and New York Presbyterian – have been fined by HHS’ Office of Civil Rights (OCR) for breaches of patient privacy. The takeaway here is that under HIPAA, protected health information extends to photos and films of patients, and permission has to be sought to obtain and make use of either of them.

What, Exactly, Was The Violation?

The violation in each case was allowing film crews from TV shows to film patients and their treatment without first obtaining permission. The total of fines for the four hospitals was $3, 199,000, an average of $799,750 per incident. That’s a chunk of change for even a major teaching hospital.

The first three hospitals listed above said that allowing the filming was not a violation of protected health information (PHI) and that patient consent had been obtained and that they were not liable for any fine. The OCR disagreed and decided that films and photos of patient treatment were, in fact, PHI and that the same HIPAA laws and regulations that cover data breaches applied here. This establishes a precedent that OCR can follow in the future.

Of course, healthcare organizations are proud of the services they provide, and the knee-jerk response of the public relations department will, of course, be to invite the media in when there is something to celebrate. Photos of treatment, films of procedures, and interviews with patients naturally follow. The lesson from the OCR decisions in the cases of these four hospitals is that it’s perfectly okay to do this, provided appropriate patient consent is obtained first.

OCR does not provide a standard form for permission to film or photograph. That will have to be developed by the hospital’s legal department, which should craft the consent, not only with HIPAA in mind but also any applicable state laws covering health care or privacy.

What About Digital Media?

The situation gets more complex if the films or photos are taken or stored using digital media, and that will very often be the case. Once this is done, all of the regulations and laws covering PHI in digital form apply. This gives OCR an opening to expand the fines to cover a double violation, even if the violation(s) stems from the same single incident.

It is worth noting that three of the four hospitals involved made the defense that they had, in fact, obtained patient consent. OCR apparently found that whatever form was used did not meet the HIPAA standards for consent. It should also be noted that under HIPAA, there is a difference between “authorization” and “consent.”

What Is Consent? What’s Authorization?

Authorization is more formal and must involve a signed document. The advice from the legal department is likely to be that there are ambiguities surrounding consent that are not present in the definition of authorization, and that obtaining authorization is always the safer course.

Just as providers have the motto that “if it’s not in the chart, it didn’t happen,” the posture of health care organizations should be “if we don’t have a signed form, consent was not given.” In particular, mere verbal consent is never a sufficient defense—it’s not worth the paper it isn’t printed on. The Privacy Rights Clearinghouse provides a good summary of consent versus authorization at How Can Covered Entities Use and Disclose PHI. Remember, in three of the cases discussed above, whatever the hospitals thought was consent was a violation in the eyes of the OCR.

“Health care operations” are generally, but not exclusively, exempt from HIPAA. “Health care operations” is somewhat ambiguous. Generally, the term refers to the activities that healthcare providers regularly engage in to keep the organization in operation – credentialing, billing, accounting, data operations (except handling of PHI) are generally HIPAA exempt.

But there are no necessary parallels between HIPAA and state laws, and “healthcare operations” that are perfectly exempt from HIPAA. Plus, these may be covered by privacy rights under state laws. Again, your legal department is the best authority on this, and if state laws differ from HIPAA, it makes sense for one form to cover both the required federal and state consents. A complete list of the activities covered by the term may be found at 45 Code of Federal Regulations 164.50.

What’s The Takeaway?

The chief takeaway from these four incidents is that common sense, or what appears to be common sense, does not govern here; the law and regulations do. Having good legal advice in any case where there is ambiguity is a good idea. If you are uncertain about what “covered activity” means, then consult your lawyers. You’re paying good money for legal counsel so make use of them.

Are You REALLY Secure? Follow This Checklist To Know For Sure

 

When everything is going well, the last thing you want to do is think about what will happen when something goes wrong.

It can be easy to think that just because you’ve recently bought some new hardware, or updated your security software, or simply the fact that it’s been a while since you had to deal with a major issue.

Don’t let that give you false confidence.

We don’t have to dwell on the potential for disaster though – you and I know that it’s a possibility, so let’s just leave it at that. What’s important about this is that you know to cover your bases. No need to assume the worst – just plan for it, so you know you’re covered.

What Are The Main 3 Areas Of Cybersecurity That You Need To Verify?

As important as cybersecurity is, it doesn’t have to be complicated. Follow this checklist to ensure you have all your bases covered:

• Do you have the necessary range of cybersecurity solutions?
  This is easy – do you have a firewall? Do you have antivirus software? Do you have a spam filter for your email?By investing in these solutions, you can eliminate a vast majority of common cybersecurity threats.
  
• Does your staff follow cybersecurity best practices?

The next step is to make sure your staff is contributing to your cybersecurity, not hurting it. Especially when it comes to their email practices.

Cybercriminals often use email as a way to transmit viruses, ransomware, and other malicious software. Give your staff the following list and have them walk through it when they’re unsure about an email:

• • Do I know the sender of this email?
  • Does it make sense that it was sent to me?
  • Can I verify that the attached link or PDF is safe?
  • Does the email threaten to close my accounts or cancel my cards if I don’t provide information?
  • Is this email really from someone I trust or does it just look like someone I trust? What can I do to verify?
  • Does anything seem “off” about this email, its contents or sender?
    
    
• Do you have an effective backup plan in place?

While these other two points are preventative, in this case, you’re ensuring you have a viable response to when something breaks through your cybersecurity.

In the event that your data is stolen, compromised or encrypted and held at ransom, a recent and regular backup will keep you protected.

And that’s it! Does that sound like a bit too much to handle? The good news is that you don’t have to deal with IT security on your own.

As vital as each one of those tasks is for your security, there is still the problem of making sure they are all done on a regular basis. That’s where a trusted partner in IT support can be so helpful.

By having an expert team of IT security professionals assess your network and manage its many aspects, you can ensure that your technology is secure, without having to see to it yourself.

Be sure to partner with a reliable IT support provider like {company} to make sure all your bases are covered when it comes to your cybersecurity.

There’s a new Gift Card scam going around that has already cost consumers lots of money, frustration, and headaches. Here’s how it works.

You’ll get an email from a friend or relative asking you to go buy them a gift card. The email will say that your friend or relative has been busy or sick and unable to get to the store. Once you get the card for them, they’ll ask you to take a quick photo of the gift card code on the back and send it to them. Once you do this, they can cash out the gift card and you lose your money. It happens just that quickly.

Can You Help Out a Friend?

This scam has been working well for several reasons. Usually, the email comes from someone you know, maybe a sibling, parent, or aunt. Of course, you want to help them out, right? But one thing many consumers don’t realize is just how simple it is to hijack an email account. This is easy work for any hacker worth his salt.

For some reason, people just believe that the email is legit and never take that extra step of calling their friend or relative and just asking them, “Hey, did you send me an email about buying you a gift card?” That’s all it would take to avoid being a victim here.

Instead, most people will run down to Walmart or Target, buy the gift card, take the photo of the code on the back and think they’re doing a great favor for someone.

After you send the pic of the code back to the hacker, they will move very quickly to cash out the gift card and you’ll lose all your money. Later, of course, you’ll learn that your friend did not make such a request and now you feel silly for not double checking. After all, we should we savvier than that as consumers, right?

New Apps Make Scamming Much Easier

Unfortunately, these types of scams have been working well for many years. Plus, new apps like Raise make it easy to turn unused gift card balances into money.

Though victims do sometimes reach out to local police for help, this is actually not a crime. I know that most people are stunned by that news, but it’s true. Because you were a willing participant and you initiated the action with intent, no fraud was committed. So now you’re out the cost of the gift card and there’s really nothing you can do about it.

Just In Time For the Holidays

Authorities are warning consumers that this scam will be prolific all throughout the holidays. That’s why it’s so important to spread the word. Let your friends and family know that if they get a request like this from you or anyone, be sure to stop and call the person. Ask them if they really sent the email asking for a gift card. It only takes a couple of minutes to do this and it can save you $50 or $100 bucks.

Other Scams to Watch Out for During the Holidays

Hackers infamously took over the Rio Summer Olympics a few years back using social engineering to exploit the event. Though some were shocked, social engineering has been around awhile and is used every day to trick business owners. This scam costs Americans millions of dollars each year and hackers find new ways to make their tricks even more effective.

Phishing Scams

Used more frequently than any other, phishing scams have become so widespread that it’s difficult to get accurate results of the losses incurred.

PhishMe is reporting that these scams are growing by at least 65% per year.

Kaspersky Labs claims that during the first quarter of 2018, its anti-phishing system prevented more than 107 million attempts to connect users to malicious websites.

A Barkly reports shows that 85% of companies have fallen victim to this scheme.

How It Works

Phishing scams work relatively easily. It’s not rocket science, as they say. You get a legitimate sounding email that seems to be from your bank or credit card company. These emails often use fear and urgency to make victims take action before double checking the legitimacy of the email.

Below is an example. This scammer claims to be contacting you from Apple. If you check out the “From” address, you can quickly see that it’s not a legitimate Apple email account.

Another big clue is that words are misspelled and the grammar is very poor. You can tell that this email was written by someone (probably from Eastern Europe) who has very bad English skills.

NEVER click the link in a suspicious email like this one. Once you do, the cyber thieves can download malware or ransomware to your computer. They may also redirect you to a site where they steal your banking and credit card information. At the very least, they will steal your log-in information for your Apple account and then hijack it.

Final Tips

In order for consumers to avoid being a victim during the holidays, it’s important to watch out for these types of fraudulent activities. Never click a link in a suspicious email. Instead, open a new browser page and navigate to the website the way you ordinarily would. If there’s something wrong with your Apple account, a bank account or a credit card account, you’ll have a letter in your Inbox explaining what happened and what you need to do.

By using a little common sense and double checking when something feels suspicious to you, we can all avoid being victims this holiday season.

 

The Internet Crime Complaint Center (IC3) released a public service announcement at the end of September 2018, alerting companies about the risks of allowing RDP endpoints to be exposed online. The IC3, a division of The US Federal Bureau of Investigations (FBI), is sending out the alarm to U.S. businesses about their concerns that millions of RDP endpoints are visible online and susceptible to manipulation.

What is RDP?

RDP (Remote Desktop Protocol) is a Microsoft registered technology created in the 90s that permits a user to log into a remote computer and interact with its OS through a visual interface that gives the remote user access to its mouse and keyboard input. The remote desktop was designed for a computer technician to be able to help a customer who had limited or remote access.

RDP access is hardly ever enabled on home computers, but sometimes it is turned on for workplaces in enterprise networks or for computers situated in distant locations. RDP conveniently allows system administrators to access the computer, without physically having the computer in front of them.

Why is IC3 Concerned?

In its September press release, the FBI states that the number of computers with an RDP connection left open on the Internet has gone up dramatically since 2016. IC3 is observing numbers and trends by cyber-security firms in the past few years that are alarming.

ZDNet reported that Rapid7, a multi-product analytics and automation company, has seen nine million devices with port 3389 (RDP) opened on the Internet in early 2016, and then suddenly rose to over 11 million by the end of 2017.

Also, IC3 is seeing a steady stream of incident reports where hackers have acquired initial traction into victims’ networks through the computers with an open RDP connection.

The Rise of Ransomware Attacks

Over the past three years, a cluster of ransomware families were particularly designed to access a network by hackers who jumped in through an open RDP server.

Ransomware particularly designed to be infiltrated via RDP involves strains such as LockCrypt, Horsuke, CryptON, SynAck, Scarabey, Bit Paymer, Xpan, RSAUtil , Crysis, Samas (SamSam), Globe, DMA Locker, Apocalypse, LowLevel, Bucbi, Aura/BandarChor, Smrss32 and ACCDFISA.

How Do Companies Secure Themselves Before It’s Too Late?

IC3 has collaborated with the Department of Homeland Security (DHS) and published a report for companies to use to ensure RDP security.

Six Ways to Improve the Security of Network Infrastructure Devices

The National Cybersecurity and Communications Integration Center (NCCIC) has published six security measures for companies to ensure safety for their network.

• Segment and Segregate Networks and Functions

Security engineers should study the overall layout of their framework, which includes both segregation and segmentation. A successful security tool for accurate network segmentation is to stop a hacker from spreading abuses or the ability to laterally move through an internal network. If the network is inadequately segmented, intruders can easily spread their control of analytical devices as well as obtain entrance into sensitive data. A securely segregated network can restrict malicious incidences and reduce the effect that intruders can have if they gain a foothold inside the network.

• Limit Unnecessary Lateral Communications

Permitting unprotected communications between colleagues involving a workstation-to-workstation situation sets up grave weaknesses. This can permit a network hacker easy access to spread their attack to multiple systems. Once penetrated, the attacker can create backdoor manipulation throughout the network. When a hacker has backdoor access, they have an easier time of maintaining their presence inside the network and keeping users from removing the intruder.

• Harden Network Devices

A basic way to boost a company’s network infrastructure security is to protect networking devices with secure designs. The best practice for a company is to implement the recommendations that government agencies, organizations, and vendors resource. Their guidance allows a business to be safe and stay within site security policies, and industry practices.

• Secure Access to Infrastructure Devices

A company can give administrative freedom to allow specific users access to data and resources that are not broadly obtainable by the general public or all employees. Limiting these administrative privileges for infrastructure tools is vital for security because hackers will infiltrate administrative privileges that are inadequately approved.

Ways to secure access for infrastructure devices include having a multi-factor authentication process to confirm a user’s identity and closely monitor and manage the user’s access.

• Perform Out-of-Band Management

Out-of-Band (OoB) management incorporates different contact paths that remotely manage your network infrastructure devices. These devoted communication paths can differ in configuration to involve areas such as physical separation and virtual tunneling. In applying for OoB access, it will strengthen your security by restricting access and dividing user traffic from the network management traffic.

• Validate The Integrity of Hardware and Software

Products purchased and downloaded through unauthorized channels are more than likely a reproduction or inferior in their use. Several media outlets have reported the use of grey market hardware and software in the workplace. Unlawful hardware and software cause the users’ information to be at risk. Because they have not been carefully tested to meet superior standards, grey market products can present risks to the network. These risks can lead to breaches in the supply chain and allow opportunities for malicious software and hardware to be installed unbeknownst to the user. Compromised hardware and software can affect the network and give away the confidential and valuable information. Companies should regularly check the integrity of software.

 

As technology continues to become more widely used in the legal sector, it is apparent that even the most traditional offices should adapt. Technological advances, however, are occurring quickly. Not all attorneys and legal support staff are equally prepared to manage these new systems themselves. They do not, necessarily, require an entire IT department. This is where the right managed services provider (MSP) can be instrumental.

Managed service providers are companies that manage their clients’ IT infrastructure remotely. These are generally set up as a subscription per-device, per-user, or all-inclusive plan. Since providers have access to sensitive information, it is vital that the decision regarding which to choose is made carefully. Consider the following before searching for the right provider.

Why Would a Law Office Benefit from Having a Managed Services Provider?

Outsourcing IT management would reduce the stress and effort of maintaining the devices and network required to run a law office. Along with streamlining the day to day operations, a managed service provider will increase efficiency. For example, it would provide the following:

• Adaptability to technological innovations
• Access to advice, knowledge, and skills
• Better business continuity and service
• Better operations
• Improved regulatory compliance
• Increased efficiency
• Increased IT security infrastructure
• Reduced costly, technology-related risks
• Streamlined operations

Although initially, it will add to the operating expenses, with the increase in efficiency it will reduce expenses over time.

Why Should Law Offices Choose an MSP with Industry Experience?

As with any service or product, the number of years it has existed indicates how well it can be expected to perform. Therefore, a more experienced provider is likely to have been tried and tested. Mistakes have already been made and solutions discovered. They have become seasoned professionals. Seeking a managed services company that has been around for a while reduces the chances that they are still figuring things out.

Be choosy. A qualified managed services provider may be capable of handling a new business with expertise. An industry-specific provider will handle it better. The legal profession is a highly-specialized vocation. It has a precise nomenclature and failure to use the correct word or phrase could result in big trouble.

An IT with legal experience is better suited to managing the services of a law office than an IT with a more general history. Choosing a provider with legal experience ensures they are able to anticipate potential issues, as well as understand the practice’s operational needs.

Why Should You Select a Provider with an In-House Network Operations Center?

Many managed service providers decrease the cost of their overhead by outsourcing their Network Operations Center (NOC). Although this may be fine for many companies, it could present problems for a heavily-regulated business like a law office. With the strict regulatory mandates, it is necessary to ensure that not only does the service provider adhere to them, but that their third-party NOC does, as well.

What Is Meant by Quality of Service When Comparing Managed Service Providers?

Determine whether potential providers outsource or handle service aspects in-house. If they handle in-house, inquire into their staffing levels. Do they have established procedures for various tasks? Do they have enough personnel to troubleshoot problems for clients?

A high-quality managed services company should also be able to have reasonable response times. They should offer accurate estimates for how long it takes for them to fix various problems that may arise in the future.

What Is the Importance of Innovation and Scalability?

Choosing a provider that adopts the most recent technology and offers the newest services ensures the office remains contemporary. An innovative IT managed services provider is able to use the latest strategies to address daily operations, as well as any potential problems that arise. This provides an edge over other, less modern law practices.

Additionally, when comparing MSPs, it is a good idea to address scalability. Like any company, a law practice is liable to grow and change. The right service provider should be able to accommodate this expansion. They should have enough experience that they can answer how they would handle these issues based on how they have in the past.

In Conclusion

Whether it’s a new practice or a well-established partnership, most law offices could benefit from hiring a managed service provider for their Information Technology. By following these suggestions, savvy lawyers can select the right provider for their needs. Along with the many other perks, it helps ensure attorneys and office support staff have more time to focus on other, more important aspects of their jobs.