Ulistic Projects Blog

On May 17, 2019, security firm Tenable announced that one of its researchers, David Wells, had discovered a Slack bug affecting Slack’s Windows desktop client. The bug affects version 3.3.7 of the Slack desktop app, which was just last week the most current version. Read on to learn more about this bug: how it was discovered, what it can do, and how to protect yourself.

Discovery and Reporting

Wells discovered the Slack vulnerability and reported it via HackerOne’s bug bounty program. This program allows white hat hackers to receive financial compensation for disclosing previously unknown vulnerabilities so that companies can address them before serious damage is done.

Under the terms of this program, the bug was not disclosed publicly until Slack had the opportunity to release a fix. Slack has since released that fix, but the segment of its 10 million active users that haven’t yet updated may remain vulnerable.

What the Bug Can Do

Wells discovered that slack’s protocol handler, “slack://”, can do quite a bit. It even has the ability to modify sensitive application settings. Attackers could abuse this protocol by creating a “slack://” link that reroutes the user’s download location. The powerful “slack://” protocol even allowed rerouting to an attacker-owned location.

The result of that action would be that files downloaded from Slack would actually be saved to the attacker’s server. The attacker would even be able to modify those files before the reviewer had a chance to open them.

The attack can also be hidden fairly well. Slack’s “Attachment” feature allows users to change the text that displays with a hyperlink, meaning the malicious link could be disguised as “Account Report 004.docx” or any number of realistic-looking files.

Lastly, an attacker with sufficient skill could inject malware into an Office file (like a Word document or Excel spreadsheet) using this exploit. This is a real danger, because Office files are tossed around as attachments all the time. Office warns users that downloaded files can be unsafe, but users will nearly always ignore this warning when they think they’ve downloaded a document from a trusted colleague.

The Danger Level

A bad actor gaining access to all downloaded documents isn’t good, of course, but how dangerous is this bug, actually? Tenable reports that it has scores 5.5 on the CVSSv2 scale, which is a medium score. We see two reasons the bug doesn’t score higher.

One, exploiting this vulnerability requires user involvement. If you don’t click the link, the attacker gets nothing.

Two, exploiting this vulnerability in a convincing way requires compromising the credentials of a Slack group member. It’s difficult if not impossible to send a message to just anyone using Slack. You have to first be a member of the same channel. This means that this exploit is more or less limited to disgruntled channel members and attackers who’ve hacked or stolen a channel member’s credentials.

How to Protect Yourself

The good news on this vulnerability is that Slack has already patched it. All you need to do to protect yourself and your organization is ensure that anyone using Slack for Windows has updated to version 3.4.0 or later. You can check yours by looking at the “About” window in the program. If you don’t have the access needed to update your application, contact IT right away.

IT Administrators looking to update a Microsoft Install deployment should check out these instructions provided by the Slack team.

More Good News: No Real-World Impact, Yet

There’s more good news about this bug and associated exploit. Because Tenable reported the bug to Slack through HackerOne, Slack was able to address the vulnerability before it became publicly known. According to the company’s reporting on its own research, they find no evidence that the vulnerability has been exploited in the real world yet.

Conclusion

Exploits like these are discovered every day. Are you protected? If you’re not sure, give us a call. We stay up to date and we keep our clients safe.

With the adoption of technology in the personal and commercial spheres ramping up to breakneck speed, the need for clear objectives for key business personnel like CMOs has never been greater. CMOs need to know what their responsibilities are. It may seem like a question with an obvious answer, but the reality of tech and business has made the answer much less clear than it once was. It can be argued that the role of the CMO has changed dramatically in recent years, far more than it has changed at any time since CMOs first came into existence. Marketing and tech are now inextricably interwoven and are unlikely to separate anytime in the foreseeable future.

Given the importance of tech in marketing and the necessity to make marketing efforts successful for the growth and maintenance of business, CMOs must be included in the decision-making process related to digital technology. When it comes to anything to do with marketing and customer engagement, including tech decisions, the CMO needs to be consulted. What tech a business uses, how it uses it and what changes need to be made—all of these choices should be made with the input of the CMO in today’s modern business.

Marketing and Tech—Ways Businesses are Investing in Technology

Saying that spending on marketing-related technology is increasing is an understatement at this point in time. In fact, the 1% of business spending that is common for marketing technology in the past few years is expected to grow to 10% by 2025. That is a huge increase, one that gives a clear indication of why key marketing decision makers, CMOs to be specific, are going to be much more involved in making tech decisions in the coming years. Some of the areas that are primary focuses for business spending today include:

CRM

CRM or customer relationship management software is drawing heavy investment from a wide range of industries because it offers an efficient way to manage and analyze the data produced from customer interactions. A single interaction might not tell a business too much about its overall market, but a thousand interactions do begin to paint a picture. When so many interactions are added up over the years, the potential for gaining important insights into how customers behave and react to the activities of a business is huge. CRM is an area where CMOs and CIOs can come together to learn an incredible amount of information about their market.

Digital Marketing

Marketing used to fall under the category of creative work much more than it did technical work, but modern tech has greatly blurred those boundaries. Marketing teams are engaging with consumers through a variety of digital platforms—with more and more platforms popping up regularly. Keeping up with the digital marketing options and what tools are effective at any given moment is a significant task, one that requires ongoing investment from businesses. Digital marketing is only expected to take a bigger piece of the marketing budget pie in the coming years. CMOs are the leaders of marketing for their perspective businesses. They certainly need the help of CIOs to implement their ideas, but in the end, it is the CMOs who are best equipped to choose a path forward in the marketing arena for businesses.

Marketing Automation

All the digital marketing opportunities available quickly create situations where human marketing teams cannot keep up with all the tasks on their plate. Marketing automation offers tools to automate many of the basic tasks that are required for businesses to keep their customers engaged and satisfied with their experiences. Automation can reach out to share new offerings from businesses, as well as react to actions performed by customers as they reach out to companies. Automated chat options on company websites are one example of how automation has grown increasingly prevalent and essentially required for businesses that want to stay on top of all the expectations that consumers have.

CMO Responsibilities for Digital Tech Decisions

Once it becomes clear how much marketing and technology are combined in today’s business environment, it becomes obvious that the role of the CMO must include participating in tech decisions. CMOs do not necessarily always have to be the leader in the decisions a company makes regarding its technology, but in most instances, they should be included in the decision-making process.

There are a few ways to determine if a tech decision requires the CMO, including:

• Does it involve marketing? If the technology decision in question has anything to do with company branding, consumer interaction, or other marketing focus, the CMO most definitely needs to be involved.
• Does it involve customer interaction? The marketing team specializes in creating and developing customer relationships. If the technology involves customer relationship management, the CMO needs to be involved.

There are technology decisions that may not need the input of the CMO, or at least they do not require the CMO to lead the way. For example, deciding which servers are best for the company does not involve marketing. It is clearly a hard tech decision, which is more appropriate for the CIO.

Ideally, CMOs and CIOs should be working together to make tech decisions for the company. The more they can work together and contribute their expertise, the better the company will be able to navigate the complex future of businesses and technology.

How to build an effective Hurricane Survival Plan

Now is the time to double check your supply inventories, invest in protective measures for your business, and make sure you have an actionable Hurricane Survival Plan in place.

The 2019 hurricane season is almost here – are you ready for it?

According to Moody’s Analytics, the 2018 hurricane season caused up to $50 billion in damages. Can you afford to be a part of however large that number becomes this year?

All of this is to say – we know when the hurricane season begins, and we can take steps to protect ourselves, our families, our homes and our businesses.

Without effective hurricane preparedness planning, your business can suffer devastating consequences during an emergency. Property damage and data loss can affect your resources, continuity and more, leading to loss of business, and lower return on investment in these resources.

What does effective planning for a hurricane really look like?

Key aspects of a Hurricane Survival Plan include:

Developing a Plan

As with most endeavors, the first step is to create a workable plan. Your business’ hurricane plan should be carefully constructed and written down for reference and review.

Remember, many companies are required to maintain an Emergency Action Plan by OSHA so this can be considered part of that process.

Your plan should put forth policies and procedures regarding employee safety, business continuity, and contingencies that can be activated if your business’ facilities are damaged.

There are three steps to an effective Hurricane Preparedness Plan:

Protect your property.
While so much of disaster recovery these days is focused on data continuity, it’s important to remember that your facilities are a resource as well, and they should be protected.

• Make sure your windows have proper shutters or are boarded up with plywood to keep them safe from airborne debris.
• Inspect your roof prior to each hurricane season to make sure it’s in good shape.
• Assess whether there are any aging branches or trees that could fall and cause damage during a storm. If you’re unsure, have an arborist check it out for you.
• Bring sandbags to areas that could be affected by flooding.
• Secure heavier objects, including bookcases, shelves, filing cabinets, computers, etc.
• Secure utilities, and raise them off the ground if necessary to avoid flood damage. Prior to the hurricane reaching your area, make sure they’re all turned off.
• Relocate any fragile or valuable items to less dangerous areas, if possible.

Protect your documents.

Once all your physical assets are taken care of, don’t forget about your business documentation.

• Make sure you have a backup of info on important business contacts.
• Backup documents that are not easy to reproduce or acquire in the event of water damage – insurance and legal contracts, tax files, etc.
• Keep as much of your documentation as possible in waterproof containers.

Maintain a checklist of survival resources.
Lastly, you’ll want to make sure you have an inventory of all the hurricane-specific resources you’ll need.

These are the types of items you won’t be using otherwise year-round, and so, when you do require them, you don’t want to realize you’ve forgotten something.

• • Independently powered radio/TV
  • Three-day supply of non-perishable food for as many employees as you have onsite (including 1 gallon of water per person per day)
  • Blankets, pillows, cots, and chairs
  • First Aid supplies
  • Flashlights (and additional batteries)
  • Toolkit
  • Whistles and/or signal flares
  • Tarps, plastic bags, and duct tape
  • Cleaning supplies
  • Smoke alarms and fire extinguishers
  • Electric generator
  • A backup supply of gas and additional jerry cans
  • Cash, credit cards and ID
  • Emergency contact info

Defining Procedures and Assigning Roles

Determine the critical staff that will need to be on-site or on-call during an emergency. It’s important to define who will be needed to keep your business running, and who should be responsible for any emergency response tasks. Remember that safety comes first and that your plan must focus on keeping your employees out of danger.

Coordination

A comprehensive plan should prepare your business to coordinate with others during an emergency. How are nearby businesses going to operate during a hurricane? How will police, fire, and medical response be affected? These questions are best answered before the storm hits.

Briefing Your Employees

Your hurricane plan should not be written and then left on a shelf. Every employee should be familiar with your procedures and plans to handle any future emergencies. Hold a meeting where your plan is reviewed, roles are assigned, and your staff can ask questions.

Reviewing and Updating Your Plans Annually

Changes in your business or the community in which you operate can have a major effect on your disaster plan. Be sure to review your plan at least once a year and make any necessary revisions to keep it current and effective.

What’s the bottom line of Hurricane Preparedness?

Effective hurricane preparedness keeps you safe and protects your assets, simple as that.

In addition to protecting yourself and your employees, proper business continuity planning should assess your individual requirements by estimating your current data retention needs and expected growth. You can then determine what systems are critical to your business and assess what recovery mechanisms are currently in place.

Based on this comprehensive analysis, you’re then able to build a hurricane preparedness plan that works best for your organization.

Remember – without comprehensive disaster recovery planning, you’re left vulnerable to any and all emergency situations, whether it’s a major meteorological event like a hurricane, or common — and still unpredictable — power outages. Consequences include:

• Permanent data loss as onsite copies of your data are destroyed
• Severe downtime as your business scrambles to replace hardware and get up and running again
• Major financial damages, from the cost of lost business to the cost of replacement hardware and more.

So, the question is: will you wait until after you get hit with a hurricane to start thinking about how you’ll recover?

Or will you do what’s right for your business, and start planning for the worst-case scenario today?

Organizational structure is something that is hotly debated at businesses around the world, but one of the biggest mysteries is where it makes sense to have the technology teams. IT has both a strategic thread as well as a day-to-day operational focus, making it a solid fit for the office of the CEO or the COO — yet IT often lands with the CFO, especially if there isn’t a CIO in existence. Businesses tend to organize around the functional strengths of their leaders and their business operations. If you are researching where IT makes sense in the structure of your business, see why organizations around the world continue to closely align IT with the finance department.

“We’ve Always Done It That Way”

Historically, IT has been aligned with finance due to the original reason technology was introduced to businesses: to aid in digitizing accounting functions. The highly detailed work that is performed by both finance and technology teams worked in lockstep, as finance executives leaned on IT for financial computing initiatives that would help make the organization more efficient and effective in their financial interactions. Over time, the original need for digitizing accounting morphed — yet the reporting structure still made sense. CFOs needed to have a tight handle on the burgeoning budgets that the technology teams needed to support the needs of the business. Many businesses find themselves locked into this aging structure for one of the worst reasons of all: “We’ve always done it this way”.

Aligning Departments Around Business Functions

At first blush, IT may seem to have more in common with operations than with finance. There are plenty of moving parts in both operations and technology, but that is where the parallels break down. Maintaining the daily execution of tasks is quite operational in nature, but the far-reaching strategic nature of IT is where the power truly lies for the organization. Hiding IT within the office of the COO could reduce the overall effectiveness of IT and may also lead to the team being a target when there is a need for budget cuts. Without a strong seat at the table for technology as it relates to the future of the business, both finance and operations Chiefs may reduce spending without seeing the longer-term impact of their decision.

Shifting Business Strategy

As more CEOs consider IT initiatives as strategic imperatives, the structure of organizations will continue to shift. CIOs — although they are “Chiefs” — have not always had a place reporting directly to the CEO of the organization as other chief officers do. Instead, they are relegated to second-string status by reporting to the CFO or COO, especially if there is a perception that the CIO is not comfortable enough working through complex business problems as well as providing technology solutions. The shifting business strategies that are caused by exceptional levels of innovation and competition in terms of technology make it more likely than ever that CIOs will be raised to the level of the CMO and CFO in terms of organizational structure.

There are no perfect or “right” structures for your organization. As technology leaders continue to expand their knowledge outside the scope of the technical realm, they are less likely to be reporting to the CFO and COO and more likely to be able to earn representation at the highest levels of the organization. This evolution of IT may feel uncomfortable for some organizations, but will ultimately help boost the visibility of technology projects that are often core to the success of the business.

Are You One Of Many Affected By The Quest Diagnostics Breach?

Financial & Medical Information of 12 Million Exposed

Quest Diagnostics reports that almost 12 million people could have been affected by a data breach.

On Monday, June 3, 2019, Quest Diagnostics said that American Medical Collection Agency (AMCA), a billing collections provider they work with, informed them that an unauthorized user had managed to obtain access to AMCA systems.

Quest Diagnostics is one of the largest blood-testing providers in the U.S.

Anyone who has ever been a patient at a Quest Diagnostics medical lab could be affected by the breach.

AMCA provides billing collection services to Optum360, which is a Quest contractor. AMCA first notified Quest about the breach on May 14th. Quest reports said that they are no longer using AMCA and that they are notifying affected patients about the data exposure.

The information included in the breached system includes:

• Bank account information
• Medical information
• Credit card information
• Social Security Numbers
• Other personal information

In its filing, Quest reported:

“Quest Diagnostics takes this matter very seriously and is committed to the privacy and security of patients’ personal, medical and financial information.”

What Should You Do?

Anyone who was affected by the data leak should freeze their credit report to prevent criminals from opening credit card accounts in their name. They should also be concerned that their Social Security numbers were exposed.

If you believe that your information has been leaked, you can contact Quest Diagnostics’ customer service at 1 (866) 697-8378 or on their contact page.

Here’s an honest truth: managed IT services cost money. With any business expenditure, it’s a good idea to understand the value that the expenditure will bring to the organization. We believe businesses can improve on many fronts by implementing managed IT services. One of the biggest areas of benefit is financial. Here are 6 ways that implementing managed IT services helps your bottom line.

Increase Productivity

Equipment downtime can be a huge detriment in any business setting. In the “break it fix it” model, businesses operate normally until something breaks, then work stops. If it’s IT equipment, the in-house IT team descends and attempts to fix. If, after some amount of time has passed, IT decides the problem is beyond them, they call in outside help. Then they wait. And wait. And wait some more. Work isn’t getting done while that piece of equipment is down. Waiting for an outside specialist can cost your company in a big way.

With managed IT, your managed service provider (MSP) is the outside specialist. As soon as something goes down, the MSP is on it, bringing their skills and specialties to bear on the problem. Use managed IT to get your business back up and running faster than the traditional model can.

Stabilize Monthly Spending

With the “break it fix it” model, your IT spend can spike wildly from time to time. When a high-value piece of your IT infrastructure goes down or even just needs replacing due to age, your costs soar. Companies self-managing their IT services also face sudden spikes in software upgrade costs.

Managed IT can stabilize your monthly IT spend. In this model, you pay a stable monthly rate for service regardless of how much or how little help you need in a given month. Software upgrades (or, more likely, subscription and licenses) are rolled into this monthly fee as well, removing those software spikes from your budget. Your finance team will appreciate this predictable expense.

Lower Your Initial Investment

Along the same lines, you can lower your initial IT infrastructure investment through managed IT. Depending on the terms of your agreement, some amount of your equipment may be owned by the MSP. The less equipment you have to purchase yourself, the lower your initial IT infrastructure investment.

Every MSP agreement is different, customized to the needs of the client business. If up-front costs are an obstacle for your business, be sure to craft a service agreement that lowers these costs.

Lower Overall IT Infrastructure Costs

Even if your MSP isn’t providing all your hardware as part of your plan, you’ll still lower your overall IT infrastructure costs in many MSP arrangements. For example, if hosting, storage, and backup are part of your MSP agreement, you eliminate some of your need for on-site servers. You’ll save money on hardware, power, and even real estate — since you won’t need space to house those servers.

The same principle applies to a number of other functions, including network monitoring and security. You won’t need to devote systems and system resources to functions that you offload to a managed IT provider.

Free Your IT Staff

Partnering with a managed IT services firm frees your IT staff to do what matters most. Contrary to what many assume, the goal of implementing managed IT isn’t necessarily reducing staffing levels. Sure, some larger businesses may benefit from reducing a bloated, inefficient in-house team, but the real value in managed IT service is freeing up your in-house team.

Your existing IT staff adds value to your company by wholeheartedly pursuing whatever high-value IT interests your business has—or, at least, it should. Many times, though, IT employees are too busy troubleshooting PCs and malfunctioning equipment to focus on the IT elements that are truly core to your business. Enlist a good MSP to handle the day-to-day IT troubles (among other things), and you’ll enable your IT staff to focus in and add value in the areas that are truly critical to your business.

Scale Your Business

It’s great to be a part of a growing business, but the growing pains are real. Scaling your business can cause IT headaches: new equipment is needed for each new employee, not to mention all the behind-the-scenes tech infrastructure, like server space, bandwidth, and software licensing.

Managed IT is the solution here, too. Your MSP has far more capacity than you need, so they can handle scaling issues during periods of growth or reduction.

Conclusion

By now it’s clear: that managed IT can help your bottom line. If you’re ready to begin the conversation about how we can help you, contact us today.

One of the major advantages of newer technologies is their ability to connect employees working remotely. Connections to colleagues, data and files help make doing business more productive, effective and accurate, no matter where employees and their teams are.

That’s why more companies are establishing bring-your-own-device (BYOD) policies. Such guidelines allow companies to save on the costs of providing employees with their own mobile devices or paying for their maintenance and replacement.

Adopting such policies requires companies to set clear guidelines for the use of such devices and what obligations employers and employees have.

What Are the Advantages to BYOD Policies?

Along with the cost reduction, there are several other advantages for companies that choose to use BYOD rules:

• Increased employee satisfaction. Employees who can bring their own devices are more satisfied in the workplace, don’t have to manage multiple devices and can use their own device for work-related tasks.
• More productivity. Employees with access to workplace apps on their own devices can respond faster to inquiries, gain needed information and address issues quickly.
• Flexibility. Make it easier for employees to work from home, remotely or while traveling with ready access to communication and apps that let them do their work effectively.
• Reduces uncertainty. For companies that pay for voice and data services for employee devices, switching to a BYOD policy saves not only on contract costs but also on data and voice overage charges.

“Employees who are willing to spend their own money to procure their own devices can be a boom for their bottom line. In some ways, this is a perfect arrangement. Employees get to use their chosen device, which can improve productivity and morale while saving companies money,” notes a recent article.

What Are the Primary Disadvantages to BYOD Policies?

The primary concern for many companies considering adopting a BYOD policy is security. Consider that for every device you add to your network, that’s one more device that has access to sensitive, proprietary or protected information. A company-owned device provides far more control of what websites are accessible, when devices are updated and how usage is monitored. Companies can control what anti-virus, anti-malware and anti-phishing tools are installed and how frequently they’re updated. Control means a greater understanding of what’s protected and how.

Another concern to BYOD workplaces is compatibility and support. Your employees are likely using multiple devices with multiple operating systems and capabilities. Your IT team will likely be responsible for some aspects of device management, including installation and updating of apps, security processes such as VPN and other protections, and ensuring security patches are applied. Having more devices in play means more expertise is required of your IT employees.

When employees leave, there need to be clear procedures and auditing rules about ensuring that all access to company files, apps and data is removed immediately.

Scalability is another concern. As the number of employees grows, with some of them using multiple personal devices, the staff demand for management and updating grows accordingly. Company network infrastructure also needs to be expansive enough to accommodate all the new devices.

For employees, the main concern is privacy. Employees may wonder how much of their personal activity and device usage is accessible to their employers.

Are There Other Options Besides Company-Provided and BYOD?

Some companies choose one of two alternative policies that reduce the risk:

• COPE. Corporate-Owned, Personally Enabled devices are those employees can use as their own but are purchased by and owned by the company. However, employee privacy concerns can make such an approach unpopular.
• CYOD. A choose-your-own-device approach requires employees to select from a limited number of devices for use with employer applications and access. While this helps minimize the amount of support required, it may require employees to spend more on new equipment.

How Can Employers Maintain Security with BYOD?

Clear and consistent policies are key to effective BYOD workplaces. Here are a few of the considerations you should use when implementing BYOD policies:

• Determine what operating systems and devices your company is willing to support
• Create device enrollment practices, requiring devices to be registered and authenticated before they are connected to your company network
• Require strong password or passphrase guidelines, including length, complexity, change frequency and failed-attempt blocking
• Create automatic lockouts on devices after a period of inactivity
• Require employees to immediately report lost or stolen equipment
• Mandate that personal devices can be disabled or wiped in the event of a loss or theft
• Install required anti-virus, anti-malware and anti-spam software on all BYOD smartphones, tablets and laptops
• Automate regular backups of company applications and data from personal devices
• Keep devices and applications up to date using automated patching and updating tools
• Encrypt all BYODs, ideally with full device encryption. If that’s not possible, require all sensitive data to be stored in encrypted folders on the devices
• Determine if BYOD users will be allowed to print, copy, save or email information pulled from your servers
• Require employees to sign an agreement stating they understand all the policies, procedures, regulations and consequences for noncompliance
• Detail the consequences of not adhering to company policies

When companies pay attention to the policies and guidelines necessary to ensure secure and proper use, BYOD policies can be an advantage to employers and employees alike.