Why CISA’s Threat Advisory to MSPs Matters to You

The Cybersecurity & Infrastructure Security Agency (CISA) released an alert last week, May 11, advising MSPs “of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and [we] expect this trend to continue.” They also released guidance for MSPs and their customers to reduce the risk of falling victim to a cyber intrusion.

So what does all that mean for you? It simply means that the IT company you pay to manage your technology (like CBTech) is a target, and by extension so are you. Why? If the IT company is compromised, the attackers will most likely have full access to all the clients; that’s a lot easier than trying to infiltrate each client individually and is potentially a much bigger payoff (after all, money is usually the end goal).

What can/should you do? The best place to start is to have a conversation with your IT company. Understanding how your business operates can help the IT company recommend the right security measures. You also want to make sure the IT company has measures in place to protect themselves. Here are a few of the recommendations from CISA:

  • Prevent initial compromise
  • Enable/improve monitoring and logging processes
  • Enforce multifactor authentication (MFA)
  • Apply the principle of least privilege
  • Deprecate obsolete accounts and infrastructure
  • Apply updates
  • Develop and exercise incident response and recovery plans

For the complete list, along with explanations, you can read the CISA notice here: https://bit.ly/3yFSXV2.

Do you want to have a deeper discussion about this? You can contact us here: https://bit.ly/CBTech-contact.

Sign up for our monthly Timely Tech Tips: https://bit.ly/CBTech-Tips

For weekly tips like these, follow us on Facebook: http://bit.ly/2sCMb30 LinkedIn: http://bit.ly/375e6HB Twitter: http://bit.ly/3ajca0n

What is Multi-factor Authentication and why should I use it?

Wikipedia defines multi-factor authentication (also commonly referred to as MFA or 2FA) as a login method requiring two or more of the following kinds of evidence: knowledge (something only the user knows, like a username/password combination), possession (something only the user has, such as an app on their cell phone or a security token), inherence (something the user is, such as biometric identifiers), and geographics (somewhere the user is, such as only allowing the user to log in while located in the US).

Typical scenarios would be logging in to a bank’s website, where you enter your username and password and they text you a code you need to input before allowing access to your account; or going to the ATM, inserting your bank card in the machine and entering your PIN.

So now that you know what MFA is, why would you want to use it? The simple answer is that a password is no longer enough to keep your accounts secure. There are so many different accounts that we all have, coupled with the severity and frequency of data breaches that gather usernames and passwords from all those accounts and put them out in the open for anyone to grab, that it doesn’t take much effort to break into an account. This is where MFA comes in. Let’s say that a malicious actor has your username and password for your bank’s website: without MFA in place, they can log in and have full access to your account; however, if MFA is turned on they wouldn’t be able to log in without also having access to your cell phone to receive the text message code. Another example would be someone stealing your wallet with your bank card: they can go to the ATM and use your card, but without your PIN number they can’t access your account.

You can get really complex with the requirements too. For example, you can lock down a system so that you need to enter your username and password, along with allowing the login attempt through the mobile app on your phone, and then only allow the login attempt to be successful if you’re located in New Jersey. That may seem like overkill but may not be for a system that has extremely sensitive data.

The bottom line is this: if MFA is available, you should enable it to help secure your accounts.

April Fool’s Phishing

With April Fool’s fast approaching, it seems like a good time to review some phishing email tips so the joke isn’t on you.

Email is still the number one communication method, which makes it the perfect avenue for scammers and other malicious actors looking to get the highest return on their activities.

One of the simplest methods for checking an email is called “SLAM”:

  • Sender – look at the sender’s email address by hovering over the From: name. If the email address does not match the name, that is a red flag; also, are you expecting an email from this sender?
  • Links – look at any links in the email by hovering over them. Are they pointing to something different than what the text in the email says? That is another red flag.
  • Attachments – Are there any attachments, and if so, are you expecting this sender to send you a document or file?
  • Message – look at the wording of the message in the email. Does the wording make it seem like a consequence is imminent if you do not act? Is it asking you to do something and not tell anyone else? These are both red flags.

Keep in mind that world events and holidays are often good disguises for malicious actors to send out emails. That link to a funny April Fool’s prank may not be from your friend or coworker and the joke might be on you, so keep an eye out!

Tax Time Scams, and How to Avoid Them

It’s the beginning of another exciting tax season (though accountants might argue it never really ends). This is normally a time for an influx of tax-related scams, so here is some information on what to keep an eye out for as well as some resources from the IRS regarding tax-related scams.

Phishing email is still the biggest attack avenue, as it is cheap and easy. The usual rules of thumb apply to emails:

  1. Check the sender address
  2. Hover over any links to see if they match the text
  3. Be wary of attachments
  4. Check the body of the message. Red flags are a sense of urgency, consequences if something isn’t immediately done, or requests for payment in odd forms
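
The four checks above (the same ones the SLAM list in the April Fool’s post names) can be partly automated by a mail filter. The following is an added example, not part of the original post or any CBTech tooling; the sample message, its domains, the `KNOWN_SENDERS` allow-list and the urgency word list are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample and allow-list (not a real email); all names/domains are made up.
KNOWN_SENDERS = {"example bank support": "example-bank.test"}
SAMPLE = """\
From: "Example Bank Support" <alerts@examp1e-bank.test>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended immediately. Do not tell anyone.</p>
<a href="http://login.attacker.test/verify">https://www.example-bank.test/login</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.zip"

placeholder bytes
--b1--
"""
URGENCY = re.compile(r"\b(immediately|urgent|suspended|final notice|do not tell)\b", re.I)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self, html):
        super().__init__()
        self.links, self._href, self._text = [], None, []
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(value):  # accepts "https://host/path" or bare "host/path" link text
    return (urlparse(value if "//" in value else "//" + value).hostname or "").lower()

def slam_check(raw, known_senders):
    msg, flags = message_from_string(raw, policy=policy.default), []
    name, addr = parseaddr(str(msg["From"]))
    expected, domain = known_senders.get(name.lower()), addr.rpartition("@")[2].lower()
    if expected and domain != expected:                          # S: sender
        flags.append(f"sender: '{name}' normally uses {expected}, not {domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown in LinkCollector(text).links:                # L: links
        if URL_LIKE.match(shown) and host(shown) != host(href):
            flags.append(f"link: text shows {host(shown)} but points to {host(href)}")
    flags += [f"attachment: {p.get_filename()}" for p in msg.iter_attachments()]  # A
    for hit in sorted({m.lower() for m in URGENCY.findall(text)}):  # M: message
        flags.append(f"message: pressure wording '{hit}'")
    return flags
```

A flag here is a prompt for a human to look closer, not a verdict: an attachment from an expected sender is normal, and a lookalike domain only shows up if the real one is in the allow-list.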

The IRS compiles a list of its “Dirty Dozen” scams each year. It can be accessed here: https://www.irs.gov/newsroom/dirty-dozen. They also have a webpage dedicated to specific tax scams and consumer alerts: https://www.irs.gov/newsroom/tax-scams-consumer-alerts. It is a good place to And for the old school scams, here is a page dedicated to helping you determine if the IRS is really on the phone or at your door: https://www.irs.gov/newsroom/how-to-know-its-really-the-irs-calling-or-knocking-on-your-door.

And remember, the IRS will never:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.
  • Threaten to immediately bring in local police or other law-enforcement groups to have the taxpayer arrested for not paying.
  • Demand that taxes be paid without giving taxpayers the opportunity to question or appeal the amount owed.
  • Ask for credit or debit card numbers over the phone.
  • Call you about an unexpected refund.

(taken from their website: http://bit.ly/2AQf8cF)

Why You Should Implement Security Awareness Training

Security awareness training, usually done on a recurring basis, helps users understand different threats they might be exposed to during their personal and work lives, typically focusing on the digital realm. The goal of the training is to elevate users’ awareness of these threats so they can recognize them before falling victim to them.

So why should your company implement this training? In short, human nature. Without delving into the psychology, I’ll highlight a few key points:

  1. humans are creatures of habit
  2. we all have a natural tendency to want to help
  3. as humans we have a natural fear of the unknown or unexpected

A great example of why constant training is necessary: a user was selling something on Facebook Marketplace and started a texting conversation with a potential buyer. The potential buyer asked the user to provide a Google authentication code to verify the user was a “trusted account”. The user received a text message from Google with a 6-digit code and provided that code to the potential buyer. The buyer came back and said the code didn’t work and asked the user to provide the code again. At that point the user became suspicious and ended the conversation. Unfortunately, the user had unthinkingly bypassed the multi-factor authentication on their Google account by providing that code to the potential buyer.

Implementing a training program that regularly teaches users about threats, tests their knowledge, offers additional training when necessary, and is concise, will help your company avoid many common threats that technology alone cannot mitigate while not impacting users’ productivity. This article points out why the “human firewall” is more important than ever now: https://bit.ly/3FC4ch2.

If you have questions about implementing security awareness training in your company, contact us here: https://bit.ly/CBTech-contact

Planning for Next Year

Can you believe it’s the end of the year already?!?! In between getting ready for Thanksgiving and thinking about all the holiday shopping, have you thought about planning out the next year for your business? Now is a good time to start the planning process, even if it’s just jotting down some goals and targets for next year.

Now you might ask “why is a technology company writing about business planning?”. Great question. Business planning is an important part of the CBTech Support process. CBTech Support evaluates its clients’ environments on a regular basis and uses that information to help inform the business planning process. As part of the planning process, you’re looking at what you want to accomplish in your business next year, and technology will play a part in that. It’s important to know what areas of technology will have the biggest impact on your business, such as where there is a large security gap or a disconnect in your workflow, or even something as simple as when you want to replace some old computers. It’s also important to know what you want to achieve so that you can make sure your current technology can help you get there; and if not, what might be needed to make it happen.

The good news is you can start with small steps just to get the ball rolling. Feel free to reach out to us with any questions or if you would like an introduction to someone who can help with the business planning.

National Cybersecurity Awareness Month

October is National Cybersecurity Awareness Month. What is cybersecurity? Google defines cybersecurity as “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this”. The technology industry uses it as an umbrella term to cover anything from the anti-virus protection on your home computer to corporate policies that define how to respond to a data breach.

Cybersecurity Awareness Month was created by the Department of Homeland Security and the National Cyber Security Alliance in October of 2004. It was launched to help Americans to be safe on the rapidly growing Internet. Since its inception, the month has only grown more important as our lives become increasingly digitized.

So what can you do? Education is key. The most common way to be affected is through email-based scams called phishing attacks. Here are a few examples of these fake emails: http://bit.ly/2qkHAOU. You can also take advantage of a wealth of information available online such as:

  • the CBTech Support Blog (bit.ly/CBTech-blog)
  • KrebsOnSecurity (krebsonsecurity.com)
  • The Verge (theverge.com/cyber-security)
  • The National Cyber Security Alliance (staysafeonline.org)

Making sure you are backing up your data, and using multiple layers of security, like firewalls and anti-virus software, are other ways to minimize your risk. You should also make sure all your software is up to date; this includes Microsoft Windows, Microsoft Office, and any Adobe products.

Outlook Search Tips

Have you ever tried to find an email in Outlook only to see no search results, or not the ones you expected? We’ve got some advanced search tips and settings for you.

Outlook Caching: Outlook is configured to cache email locally to keep performance as high as possible. This means it downloads a copy of your mail to the local computer and searches this rather than going out over the internet each time. The size of the local cache impacts performance but can also limit search results. In recent years Microsoft has changed the default setting to cache one year’s worth of email. This means when you view folders or do a search you may see a notice at the bottom of the list of emails stating “There are more items in this folder on the server. Click here to view more on Microsoft Exchange”. The good news is that clicking the link will load additional emails/search results for you almost immediately (depending on the number of emails). You can change the local cache if you don’t want to click the message when looking for older emails, but keep in mind that the larger the local cache is, the slower Outlook will perform. The cache setting can be accessed by going to File, Account Settings, Account Settings, then double-clicking on your email address. It is a slider bar that can be set from All to 3 days.

Outlook Web: Many people don’t realize that Microsoft has a web version of Outlook. The advantage to using this version is that you are working directly on your email server, so there is no lag time or limit on the number of emails you see. While it is not yet as fully featured as the Outlook client you have on your computer, it is pretty close. You can access this version by going to portal[.]office[.]com and signing in. You’ll see all email available in your mailbox and your searches will be faster.

Advanced Search Criteria: Outlook has an Advanced Find feature that can be helpful when searching for email. Pressing the Ctrl, Shift, and “F” keys will bring up the Advanced Find window. On the Advanced tab you can use the Field drop down to select any field in Outlook as a search criterion, and you can layer multiple ones together. This could be useful if you’re looking for a specific email sent by someone between certain dates that you know included you as a BCC for example.

We hope you find these helpful. To get more tips like this to your Inbox, sign up for our monthly Timely Tech Tips: http://bit.ly/CBTech-Tips

Working from home permanently

By now most companies have decided to return to the office in some capacity, while others have decided they don’t need an office. Others are leaving it up to their employees to decide what they want to do. If you have that choice and want to stay working from home for the long run, we have some tips and suggestions for you.

The first place to start is with your desk. Do you want a sitting desk, a full standing desk, or a standing desk converter that simply moves the monitor, mouse, and keyboard? CNN and The New York Times both have articles with reviews on standing desks and converters: https://cnn.it/3y1ML69; https://nyti.ms/3sokDZn. The size of desk you pick will depend on what you’re working on from home (more on that later), so make sure you have enough space for your full setup.

After deciding on your desk, you’ll want to decide on your computer setup. What you get for a computer really depends on how you work. A laptop is great if you need to get up and go often, but if you’re not going to be bringing a laptop with you to appointments or meetings your best bet is still a desktop. If you choose a laptop, you’ll also want to look at docking stations. A docking station will let you connect monitors and accessories like a mouse and keyboard to your laptop with only one wire, which makes it easy to take the laptop on the go without having to unplug everything.

Now it’s time to think about monitors. The good news is you can use one or more monitors with either a laptop or a desktop. Decide what size monitor makes sense for the way you work and the space you’ll have. You can always run to Staples or Best Buy to get an idea of what size will work best for you. You’ll also need to make sure that the video connections on your desktop, laptop, or docking station match what the monitor has available; if they don’t there are converters available. Something else to think about with monitors is how they’ll fit on your desk. If you get a full standing desk or a regular sitting desk you can get monitor arms that will allow you to have the monitors off the desk surface, giving you more room and usually allowing flexibility in the placement of the monitors themselves.

Lastly, you’ll want to think about accessories that you might need, like mouse and keyboard, USB hubs, web cams, power ports, speakers, etc. If you’re getting a desktop, you should have enough USB ports for your accessories but if you’ve chosen a laptop, you’ll need to make sure you have enough (either on the laptop, using a hub, or on a docking station). Laptops have built-in web cams, but they may not be convenient for actual use on a desk; it’s best to get a separate web cam if you plan on doing any video meetings or recording. For a mouse and keyboard, you may want to get a wireless set to give you freedom of movement and eliminate some of the wires.

Happy shopping!
