IT Security

Let’s start with IT security because it’s undeniably important if you want to maintain not just IT regulatory compliance, but business on your own terms. IT security, like the act of complying with regulations, is an act of risk mitigation. In the case of IT security, the risks are many and complex. You have the risk of operational issues like downtime. You have the risk of system corruption from hackers and other outside entities who are trying to break through (or in) and get access to your assets. There is also internal risk to physical systems, central computing infrastructure, and every endpoint on the network.  

In IT security, the amount of risk often dictates what kind of action is necessary, since reacting to the problems themselves isn’t a viable option. Thus, when protecting your network from threats, you will likely have to be much more comprehensive about your attention to detail as you would even under the most strictest compliance standards.

IT Compliance

Compliance also is all about minimizing risk, but to stay compliant, it’s more about focusing on following set-in-stone rules than it is about keeping systems secure. Most of the regulations that have been passed down by a government entity, third-party security framework, or customer contract have very specific requirements. This gives network administrators a punch-list of tasks that need to happen to keep their organization’s IT compliant with their various IT mandates. 

Insofar as it works to maintain digital asset security, many regulations are created to ensure that risky behavior is not introduced, while others are very specific about what data needs to be protected, and what systems need protection. In fact, some regulations barely touch the IT infrastructure, only dictating that the business purchase regulation-compliant hardware. 

Where Your Company Stands

Compliance standards typically depend on which vertical market your business does business in, or more specifically, how it uses sensitive information in the course of doing business. That doesn’t speak to your organization’s complete IT security strategy. In order to keep all of your digital (and physical) assets secure, there needs to be a dedicated plan to do it. After all, today the user is the most common breach point. 

With that truth it is important for the business that operates under the watchful eyes of a regulatory body to understand that you may be compliant, but still be at risk. It’s important that aside from meeting all the compliance standards set forth by your industry’s regulatory mandates, you need to put together a cybersecurity strategy that prioritizes the ongoing training of your endpoint operators. 

At Coleman Technologies, our technicians are experts in modern compliance standards and cybersecurity. Our team can work to simultaneously build an IT infrastructure, the policies to govern that infrastructure, and the endpoint monitoring and protection solution that will keep your business secure from threats, while also being compliant to any mandated regulations your business is under. Call us today at (604) 513-9428 to learn more.

Some of the best cybersecurity methods are practices developed over the past few years. This is because social engineering, specifically phishing, has become a major problem. There are billions of phishing emails sent each year, and some of those are so convincing that even people who have had some basic cybersecurity training fall victim to them. To fight this, security firms have started to look to tomorrow’s technologies to help them mitigate risk today. 

Artificial Intelligence - The Future of Cybersecurity 

One of the most effective ways of combating this rise in hacking is to use the most dynamic technology you have access to and make a tool that will help you mitigate the massive risks. One way is to reduce the effectiveness of these hacks. In this case the technology is artificial intelligence.

When we talk about artificial intelligence, we are talking about having a machine that learns as it is continually exposed to threats. This will work to solve common issues at first, but as these systems advance, and are exposed to user behaviors, they will be able to replace access management systems. Since the AI will be constantly monitoring systems, as well as user behaviors, workplace roles, and common actions, it will be able to recognize a person without, the need for password-protected accounts and creating ubiquitously secure endpoints. If the system recognized any deviations, an additional form of authentication such as biometrics would grant or deny access. 

Cost will initially be a factor for businesses, especially small and medium-sized businesses, but as large companies begin to truly trust these platforms, they will have viable endpoint-protection systems for small businesses. 

Cybercrime Accelerates with 5G

5G and beyond will bring a lot of changes to the user experience, of course, but it will also make huge changes to cybersecurity. Before long, the AI systems that are being developed to thwart today’s cyberthreats will become essential systems for the sustainability of mobile computing. Just think about how much cyberthreats have multiplied over the past decade after the jump from 3G to 4G. The jump to 5G isn’t going to any less dramatic.

It will be crucial for cybersecurity professionals to be able to leverage systems that are both ubiquitously available to search through large streams of data while also being capable of learning on the fly in order to ascertain what data is potentially malicious and what data is less so.

Luckily there are still years before these types of systems will be needed. Unfortunately, there are enough threats out there to be a major problem going forward. The IT professionals at Coleman Technologies can help you protect your hardware and data. Give us a call at (604) 513-9428 today!

The URL

Before we get into the manipulation of the URL, let’s define its parts. 

The first part of the URL is called the protocol, which tells the computing network which language is being used to communicate on said network. Most of the time, the URL will use the protocol “HTTP”. The HyperText Transfer Protocol makes it possible to exchange web pages. Other protocols that are used include File Transfer Protocol, News, and Mailto. 

The second part of the URL is the ID and password, which makes it possible to access secure servers on the network. This part is typically removed because the password will be visible and transfer unencrypted over the computer network.

The third part of the URL is the server name. It allows users to access information stored on specific servers whether through a domain or the IP address associated with the server. 

The fourth part of the URL is the port number. This number is associated with a service and tells the server what type of resources are being requested. The default port is port 80, which can be left off the URL as long as the information that is being requested is associated with port 80.

Finally, the fifth, and last, part of the URL is the path. The path gives direct access to the resources found tied to the IP (or domain).

Manipulating the URL

By manipulating parts of the URL, a hacker can gain access to web pages found on servers that they wouldn’t normally have access to. Most users will visit a website and then use the links provided by the website. This will get them to where they need to go without much problem, but it creates their own perimeters.

When a hacker wants to test the site for vulnerabilities, he’ll start by manually modifying the parameters to try different values. If the web designer hasn’t anticipated this behavior, a hacker could potentially obtain access to a typically-protected part of the website. This trial and error method, where a hacker tests directories and file extensions randomly to find important information can be automated, allowing hackers to get through whole websites in seconds. 

With this method they can try searching for directories that make it possible to control the site, scripts that reveal information about the site, or for hidden files. 

Directory traversal attacks, also known as path traversal attacks, are also popular. This is where the hacker will modify the tree structure path in a URL to force a server to access unauthorized parts of the website. On vulnerable servers, hackers will be able to move through directories simply.

What You Can Do?

Securing your server against URL attacks is important. You need to ensure that all of your software is updated with the latest threat definitions, and keeping a detailed configuration will keep users in their lanes, even those who know all the tricks. 

The IT experts at Coleman Technologies can help you keep your business’ IT infrastructure from working against you. Call us today at (604) 513-9428 for more information about how to maintain your organization’s network security.

Let’s start with where we are now. History is best told on a timeline, so let’s start from the present. Cybercrime today is profiting over $1.5 trillion each year, and that figure continues to climb. Some have predicted that this figure will nearly quadruple by 2021. Security breaches are up by 67 percent over just the past five years.  

How is this figure climbing so quickly? Well, let’s examine the most popular form of cybercrime: phishing. The method that cybercriminals are using are able to deploy all types of malware, yet also has data-stealing abilities. Whether that data is your sensitive personal information, or login credentials to your bank account, phishing gives a cybercriminal direct access. The worst part for people who have fallen victim, is until something dramatic happens, they are clueless that they have even become a victim. Phishing attacks have led to billions of records being exposed, stolen, or corrupted each year.

Cybercrime has become a real concern for all business owners. So how did all of this start?

The Beginning 

This information Coleman Technologies is about to reveal may be hard to believe, but cybercrime was Bob’s fault. This trillion-dollar criminal trend is the result of a research project held by a man named Bob Thomas. Bob Thomas made the observation that a program is able to move across a computer network, leaving a trail behind. He then proceeded to write a code that was named “Creeper”. This code resulted in a program that was designed to travel between Tenex terminals on the ARPANET. The message that came across? “I’M THE CREEPER : CATCH ME IF YOU CAN”. 

The research project sparked the attention of email inventor Ray Tomlinson. Tomlinson altered this program into a self-replicating one. This resulted in the first computer worm. Immediately after this discovery, he wrote an additional code which was titled “Reaper”. This chased down the Creeper code, and deleted it; which resulted in what was effectively the first antivirus software. 

So how did Bob’s experiment start all of this? Well, in the 1980s Soviet hackers considered the applications of this experiment. Academics designed applications that could be used to infiltrate other networks. This ideology quickly spread, and in 1986 German hacker Marcus Hess hacked into an internet gateway which was hosted at the University of California at Berkeley. This hacked connection was then used to piggyback onto the ARPANET. He hacked into a total of 400 computers, including mainframes hosted at the pentagon. 

How did this turn into such a profitable “business”? Hess planned on selling the secrets found on these computers to the Soviet KGB. Before he was able to do so, he was caught by the group effort put forth by the FBI and the West German government. His conviction was the first of its kind -- cybercriminal activity sentencing. The abnormality of the case resulted in a 20-month suspended sentence. 

At the same time as this was occurring, computer viruses started to become a serious threat. With the exponential growth of the internet, there were more connections that viruses could infect. The virus started to become a real problem.

The Middle

In 1988, Robert Morris woke up and decided he wanted to see just how big the internet had become. Morris, a software engineering student at Cornell University, wrote a program designed to spread across various networks, work themselves into Unix terminals, and begin replicating. The software replicated so quickly that it actually slowed down the early Internet, which caused major carnage. This carnage become known as “the Morris Worm”. Morris’ worm resulted in the formation of the Computer Emergency Response Team, known as US-CERT today. Morris was the first person convicted under the Computer Fraud and Abuse Act (CFAA). This act was introduced with the intentions to protect against unauthorized access. 

After Morris’ worm was handled, viruses began being developed at an absurd rate. The antivirus industry, which started in 1987, began to grow as a result. By the time the Internet was an accessible user-product in the 1990s, dozens of solutions were available to prevent devices from being infected. These solutions scanned the binaries on a computer, and tested them against a database of known virus-code. There were major problems with this protection method, such as the abundance of false positives. They also had a tendency to use a lot of the systems’ resources to scan for these viruses. Remember how slow dial-up used to feel? Your anti-virus could have been the culprit. 

The mid-90’s to late-2000’s were a prospering time for the world of viruses. While the figure was estimated to be a few thousand known viruses in the mid 90’s, that figure was estimated to be around five million by 2007. These different malware strains were either worms, viruses, trojan horses, or other forms. By 2014, 500,000 different types of strains were being created daily. This time truly was the malware boom. 

Who was stopping this boom? Well, nobody. Cybersecurity professionals needed to make an effort. Antivirus solutions simply couldn’t keep up, and while they might detect malware, they had a hard time preventing it. Innovations in cybersecurity developed quickly. First, endpoint protection platforms (EPP) that didn’t just scan for known code, they also scanned for code similarities. This meant that unknown viruses could be detected.

The End?

With advanced malware defeating endpoint protection regularly, it was time to further innovate cybersecurity measures. The timeline innovators had was cut short with the deployment of WannaCry. WannaCry was, at this point, the most devastating piece of malware that existed. WannaCry even shook the world of the most capable security professionals. It encrypted the data on a computer and forced the computer owner to pay in Bitcoin to regain access to these files. This deployment sparked an explosive increase in the cybersecurity industry. It was time for cybersecurity to surpass the capabilities of cybercriminals, instead of being constantly behind.

The only way anyone was able to determine if they were being infiltrated was to have a transparent network. Administrators began using endpoint threat detection and response (EDR) services to monitor their networks. This solution is still cutting edge by today’s standards. While this isn’t the end for cybersecurity, EDR services are extremely capable of keeping malware out of your network. 

If you would like to learn more about cybersecurity, or are interested in keeping your business’ data safe, call Coleman Technologies today. Our professionals can be reached by calling (604) 513-9428.

Leverage Authentication Measures

One of the first steps to securing your network against threats is to create strong authentication procedures. Most of the devices with permission to access your network will already have an authentication system in place, based on a password. If the passwords used are strong enough, this can actually mitigate most threats - but you still have to worry about the ones that this doesn’t discourage. Leveraging something called multi-factor, or two-factor, authentication can help minimize the chance of something slipping past your security.

Two-factor authentication works in a relatively straightforward way. As with most login systems, a username and password are entered - but instead of being granted access, the user is asked for another credential. This is usually a randomly-generated code that a specialized authentication app will generate. Mobile devices are popular to use with 2FA, as their convenient nature makes them more likely to be available when needed. In order for a user to leverage their mobile device, the 2FA system administrator has to authorize it.

Tip: Make sure that you don’t let your password best practices slip, even if leveraging 2FA. Your passwords still need to be sufficiently complex. If you are one of those who find remembering different passwords difficult, consider using a password management system in conjunction with your 2FA. 

Protecting Your Business’ Computing Environment

Whether you use a Local Area Network or a Wide Area Network, the security practices that you need to deploy are fairly predictable. Once you’ve seen to your authentication needs, you need to combine three approaches to security into one all-encompassing strategy: your software-based security, your physical security measures, and your security awareness and best practice training.

Software-Based Security

There are many examples of how software can help keep your business’ network secure. From firewalls to content filtering to antivirus to spam detection, each of these tools protect your business data from a different kind of threat. You may even want to consider adding encryption to your email solution to make it a lot less likely that the contents of your messages will be intercepted.

Tip: If you aren’t sure which solutions are the right ones to implement, think about how your data moves about your business. The more insight you have into how your data operates, the more effectively you will be able to plan its protections.

Physical Security Measures

Somewhat ironically, we seem to have become so focused on our digital security that it can sometimes seem like we forget that there are very real reasons to protect our physical locations and infrastructure, as well. Consider the damage a bitter ex-employee could do in moments, should they manage to get into your server room. It has become fashionable to leverage biometric authorization measures to protect your server room - and there’s a lot to be said about a good, old-fashioned surveillance system, complete with alarms and cameras (as well as some updates to make this system considerably less old-fashioned).

Tip: Bring in a consulting professional to help you determine your physical security needs. Not only does this save you time by eliminating work you would otherwise have to do for yourself, it ensures that your system will be designed by an experienced professional that knows what will work best in different situations.

Security Awareness and Best Practice Training

Would you be surprised to hear that your employees are likely your biggest vulnerability? Of all of the pieces that make up your network security, the people who use your technology are the leading cause of security issues. With the number of ways that your business could be attacked, your staff needs to be educated on how to identify them and avoid them.

Tip: Both businesses and individuals have experienced difficulties with phishing and it adversely affecting them, so it makes sense to begin your training there. Not only is it a common issue, it is conceptually very simple to grasp, so it is a good starting point before moving on to increasingly complex concerns. The more your staff knows about how they can resist attacks, the more likely they’ll be able to do so if the needs arises.

Remote Solutions Via the Cloud

Modern organizations need to contend with potential threats to their network infrastructures, as businesses always have in some form. The difference is that issues can now come in on the mobile devices owned by their staff, and company resources can be routinely accessed from outside the business’ area network.

This has helped contribute greatly to the growth of cloud computing technologies - although the relative cost savings don’t hurt either. Using the cloud, your staff can access their work data and applications from a remote location, while the resources stored in the cloud are kept secure by the platform’s baked-in security and privacy.

Mobile devices have also been a disruptor to business-as-usual, which means that businesses need to plan on leveraging them if they don’t want them becoming a distraction. Designing a Bring Your Own Device policy and enforcing it through mobile device management solutions is an effective and secure way of reaching a compromise and minimizing the time wasted by mobile devices in the workplace.

Tip: Remember that cloud services are inherently scalable, so you don’t need to worry about overreaching your capabilities. However, you also don’t want to waste capital that doesn’t need to be spent. Auditing your resources is an effective way to identify and eliminate redundant costs leeching from your budget.

Network security can be complicated, but it is an absolutely crucial element to your technology strategy if you want to have any success. Coleman Technologies can help take care of the technical side of things for you, and help teach better habits to your staff. To learn more, keep reading our tips, and reach out to us at (604) 513-9428.

May

May 2, 2019 - Citrix

Conferencing and digital workplace software company, Citrix, revealed that hackers gained access to the company’s network between October 2018 and March 2019. Data stolen included Social Security numbers, financial information, and data of current and former employees.

May 3, 2019 - AMC Networks

1.6 million users of AMC Network’s Sundance Now and Shudder streaming services had their data left exposed through a database that was left unsecured. Names, email addresses, subscription details were compromised. 

May 9, 2019 - Freedom Mobile

Freedom Mobile, a Canadian mobile provider had an estimated 1.5 million customers’ personal and financial information left exposed on a third-party server. The types of data left exposed included names, email addresses, mailing addresses, dates of birth, and credit card information.

May 13, 2019 - Indiana Pacers

The legal team behind the National Basketball Association’s Indiana Pacers was the victim of a major phishing attack. Employee and customer names, addresses, dates of birth, Social Security numbers, passport numbers, driver’s license numbers, medical insurance information, card numbers, digital signatures and login information. No number of affected individuals has been given by the team.

May 14, 2019 - WhatsApp

WhatsApp has experienced a security flaw that provided access to an Israeli government surveillance agency, NSO Group. NSO Group had limited access to the microphone, camera, and WhatsApp message text of the app’s 1.5 billion users. 

May 20, 2019 - Instagram

Facebook-owned Instagram, fell victim to a data breach that exposed more than 49 million Instagram influencers, celebrities, and brands’ Instagram information when an Indian-based social media marketing company left it exposed. 

May 24, 2019 - Canva

The 139 million users of Canva, a cloud-based graphic design tool, had their names, usernames, and email addresses exposed when hackers infiltrated their server. 

May 24, 2019 - First American Financial Corporation

First American Financial Corp., a leading title insurer for the U.S. real estate market, had 885 million customers’ Social Security numbers, bank account numbers, mortgage and tax records, wire transaction receipts, and driver’s license images compromised for all customers as far as back as 2003.

Other May breaches: Inmediata Health Group, Uniqlo, Wyzant, Flipboard, Checkers (the fast food chain).

June

June 3, 2019 - Quest Diagnostics

Almost 12 million patient records have been compromised when hackers took control of the payments page of AMCA, a major payment vendor for Quest Diagnostics. Data such as financial account data, Social Security numbers, and health information (ePHI) were left exposed.

June 4, 2019 - LabCorp

In the same hack, LabCorp announced that 7.7 million of its customers were impacted. 

June 6, 2019 - Opko Health

In the same attack, Opko Health had 422.600 customer and patient records compromised. 

June 10, 2019 - Emuparadise

The gaming website Emuparadise had their users’ IP addresses, usernames, and passwords exposed in a data breach. 

June 11, 2019 - Evite

More than 100 million users of the Evite event planning app have had their information put up for sale on the dark web. Information that was stolen included names, email addresses, IP addresses, and cleartext passwords. Some even had their dates of birth, phone number, or postal address exposed.

June 11, 2019 - Total Registration

Kentucky-based Total Registration, a facilitator of scholastic test registrations had their entire service compromised. Victims, who were mainly students who had registered for PSAT and Advanced Placement tests, had their names, dates of birth, grade level, gender, and Social Security number exposed. 

June 12, 2019 - Evernote

A security vulnerability in Evernote’s Web Clipper Chrome extension gave hackers access to the online data of over 4.5 million users. Exposed data includes authentication, financial, all private communications, and more.

June 20, 2019 - Desjardins

Over 2.7 million individuals and 173,000 businesses had their data stolen by a single Desjardins employee. Canada’s largest credit union, the hack resulted in the exposure of names, dates of birth, social insurance numbers, addresses, phone numbers, and email addresses of customers

Other June breaches: Oregon Department of Human Services, U.S. Customs and Border Protection, EatStreet, Dominion National

July

July 17, 2019 - Clinical Pathology Laboratories

Due to the AMCA breach that affected Quest Diagnostics, Opko Health, and Labcorp, Clinical Pathology Laboratories had 2.2 million patients’ personal and medical information exposed with an additional 34,500 patients’ credit card or banking information breached. 

July 18, 2019 - Sprint 

A still unknown number of Sprint customer accounts were hacked through Samsung.com’s “add a line” website. Some exposed information included names, billing addresses, phone numbers, device types, device IDs, monthly recurring charges, account numbers, and more. 

Other July breaches: Maryland Department of Labor, Los Angeles County Department of Health Service, Essentia Health, Fieldwork Software, Los Angeles Personnel Department

August

August 5, 2019 - Poshmark 

The online marketplace, Poshmark, has announced that they’ve been hacked. Usernames and email addresses of an unreported amount of clients have been exposed in the breach. Poshmark has nearly 50 million users.

August 5, 2019 - Stock X

The online fashion-trading platform had its over 6.8 million user accounts exposed. Data that was out there included customer names, email addresses, usernames and passwords, shipping addresses, and purchase histories. 

August 9, 2019 - CafePress

A data breach at CafePress, a custom t-shirt and merchandise company, exposed the names, email addresses, physical addresses, phone numbers, and passwords of over 23.2 million customers. 

August 15, 2019 - Choice Hotels

Hackers left over 700,000 guest records exposed in a coordinated extortion attempt on the Choice Hotel chain. Stolen information included names, addresses, and phone numbers. 

August 16, 2019 - Biostar 2

VPNMentor and independent security researchers uncovered a data breach containing over a million individuals’ facial recognition information as well as the unencrypted passwords and usernames of 27.8 million individuals exposed from Biostar 2, a biometric security platform. 

August 27, 2019 - Hostinger

Hostinger, a web hosting company sent out an email to their 14 million clients who had their information hacked through an API server. As a result, first names, usernames, email addresses, IP addresses and hashed passwords were exposed.

Other August breaches: Presbyterian Healthcare Services, State Farm, MoviePass

Before your business has its network breached, data stolen, and reputation irreparably harmed, call the security professionals at Coleman Technologies to do a full security assessment. We can help you keep your data and reputation intact. Call us today at (604) 513-9428 to learn more. 

Fortunately, there is: password management systems.

What Are Password Management Systems?

A password manager is effectively what it says on the box: it’s a program that keeps track of your passwords for you. While these are available for individual users, we are more concerned with those that are meant for businesses to leverage.

These solutions have a reputation for being complicated and time-intensive to set up. However, this no longer has to be the case, and it is now more important that you find a solution that offers the features that every business needs to prioritize.

What to Look for from a Password Manager

During your search, you will want to make sure your chosen password management system offers the following features:

Security

While this may seem obvious, not all of your password management options will necessarily offer the same protections or follow the same practices. For instance, standalone password managers are inherently more secure than those tied to another solution, like a built-in one in your browser of choice.

These separate solutions usually have additional features to assist your security as you use them. Good password managers will remind you of best practices if too many saved passwords are the same or too weak and will require multi-factor authentication to be accessed in the first place. It also wouldn’t hurt to find one that also notifies you when you’re due to update some of the passwords you have saved.

It should also never save one password: the master password used to access the solution itself. That is still the user’s responsibility.

As far as behind-the-scenes security is concerned, you should find a password manager that is itself protected by a variety of security features, like encryption, role-based access, and secure cloud storage.

Storage Considerations

Determining where your credentials are kept by the password manager is another important detail to keep in mind, largely as an extension of your security considerations. Does your password manager save your passwords to the cloud, or are they kept natively on the device? Either approach has its pros and cons.

If the cloud is leveraged, your credentials will be available to you on any of your devices… but this does put your credentials in the crosshairs if that cloud solution was ever breached. If you keep your credentials stored locally, you won’t risk losing them in a cloud storage breach, but they are still vulnerable. For instance, if that device fails, there go your passwords.

Generally, this won’t have much impact on the solution you choose, as most enable either option, if not a combination of both.

User Friendliness

As difficult as your password manager should make things for cybercriminals, it should make simple for your legitimate users - starting with adding and removing them to the business’ accounts. They should find it easy to change their password as needed, and your password manager should automatically log a user into a website or application. If it senses that there are not currently credentials for that site, it should offer to save them.

Coleman Technologies has plenty of experience dealing with password security, which means we’re familiar with password managers and maintaining them. If you’d like assistance with selecting, implementing, and utilizing one in your business, let us know! We’re just a call to (604) 513-9428 away.

Give Me the Short Answer - What’s Phishing?

Phishing is where you get an email that looks like an actual legit email. The goal that a cybercriminal has is to trick you into giving them a password or access to an account (like to PayPal, Facebook, or your bank) or to get you to download malware.

The problem with phishing emails is how real they can seem. A phishing attempt for your PayPal information can look just like an everyday email from PayPal.

Even worse, often phishing emails try to sound urgent. They make you feel like you have to take action quickly, or that a bill is overdue, or that your password has been stolen. This can lower the user’s guard, and force them into a sticky situation.

How to Spot a Phishing Attack

Like I said, it’s not always going to be obvious when you get phished. Even careful, security-minded, technical people can fall victim because phishing is just as much of a psychological attack as it is a technical one.

Still, there are some practices you and your staff should use:

Always Use Strong, Unique Passwords

This can solve a lot of problems from the get-go. If your PayPal account gets hacked, and it uses the same password as your email or your bank account, then you may as well assume that your email and bank account are infiltrated too. Never use the same password across multiple sites.

Check the From Email Address in the Header

You’d expect emails from Facebook to come from This email address is being protected from spambots. You need JavaScript enabled to view it., right? Well, if you get an email about your password or telling you to log into your account and it’s from This email address is being protected from spambots. You need JavaScript enabled to view it., you’ll know something is up.

Cybercriminals will try to make it subtle. Amazon emails might come from This email address is being protected from spambots. You need JavaScript enabled to view it. or emails from PayPal might come from This email address is being protected from spambots. You need JavaScript enabled to view it.. It’s going to pay off to be skeptical, especially if the email is trying to get you to go somewhere and sign in, or submit sensitive information.

Don’t Just Open Attachments

This is nothing new, but most malware found on business networks still comes from email attachments, so it’s still a huge problem. If you didn’t request or expect an email attachment, don’t click on it. Scrutinize the email, or even reach out to the recipient to confirm that it is safe. I know it sounds silly, but being security-minded might build security-mindfulness habits in others too, so you could inadvertently save them from an issue if they follow your lead!

Look Before You Click

If the email has a link in it, hover your mouse over it to see where it is leading. Don’t click on it right away.

For example, if the email is about your PayPal account, check the domain for any obvious signs of danger. Here are some examples:

• Paypal.com - This is safe. That’s PayPal’s domain name.
• Paypal.com/activatecard - This is safe. It’s just a subpage on PayPal’s site.
• Business.paypal.com - This is safe. A website can put letters and numbers before a dot in their domain name to lead to a specific area of their site. This is called a subdomain.
• Business.paypal.com/retail - This is safe. This is a subpage on PayPal’s subdomain.
• Paypal.com.activecard.net - Uh oh, this is sketchy. Notice the dot after the .com in PayPal’s domain? That means this domain is actually activecard.net, and it has the subdomain paypal.com. They are trying to trick you.
• Paypal.com.activecardsecure.net/secure - This is still sketchy. The domain name is activecardsecure.net, and like the above example, they are trying to trick you because they made a subdomain called paypal.com. They are just driving you to a subpage that they called secure. This is pretty suspicious.
• Paypal.com/activatecard.tinyurl.com/retail - This is really tricky! The hacker is using a URL shortening service called TinyURL. Notice how there is a .com later in the URL after PayPal’s domain? That means it’s not PayPal. Tread carefully!

Keep in mind, everyone handles their domains a little differently, but you can use this as a general rule of thumb. Don’t trust dots after the domain that you expect the link to be.

Training and Testing Go a Long Way!

Want help teaching your staff how to spot phishing emails? Be sure to reach out to the IT security experts at Coleman Technologies. We can help equip your company with solutions to mitigate and decrease phishing attempts, and help educate and test your employees to prepare them for when they are threatened by cybercriminals.

“Unknown Hack”

On May 8, 2019, almost a year to the day after the first transaction was made, an Amazon spokesperson claimed that the company had completed investigating the compromised accounts, and had been the victim of an “extensive” fraud. The extent of the fraud was large enough where two banking companies, Barclays and Prepay Technologies (who is a partial subsidiary of Mastercard) are caught up in the crime.

Ultimately, Amazon neglected to disclose the true scope of the hack, but a report by Bloomberg indicated that over one billion dollars were dispersed to merchants in 2018 via Amazon Capital Services U.K. While there is currently no figure provided by the company, if large portions of that money was subverted, it could rank as one of the largest hacks in the history of online commerce, and certainly the biggest fraud that has involved Amazon. 

Amazon, which has a business model built to be largely automated, has done a remarkable job of keeping personally identifiable information from being hacked over the years, but in today’s threat-persistent culture, even the most secure companies can have situations happen to them that jeopardize their ability to complete financial and information transactions, regardless of how much they invest in cybersecurity.

Phishing Attacks

Just because this article mentions a major fraud involving the world’s largest online retailer in no way means that hackers have moved on from trying to hack small businesses. Small businesses face the majority of hacking attacks, mainly because they have the least amount of security to thwart. In fact, if Amazon can fall victim to phishing attacks, it’s not a stretch to believe that your company is susceptible. With millions of phishing messages sent every day, many of which target small businesses, having a strategy to educate your staff is extremely important.

The best way to go about doing that is to be proactive. Getting your staff to understand that they are on the front lines of a never-ending cyberwar and what they need to learn in order to keep themselves, and your organization free from the serious risks that come from falling victim of phishing attacks. Some things you can prioritize:

• Annual education and training - Have a comprehensive plan in place to educate new and current staff that is updated and required annually.
• Having strong passwords - Since phishing is a form of social engineering, the hackers on the other end of the phishing attack are simply looking for access. Having strong passwords will keep them out much longer than weak ones. 
• Avoid shadow IT - Make it clear that all software has to pass through IT first, before it is downloaded onto a workstation. It may seem inefficient at first, but the company will be better off vetting a software solution before it gains access to your organization’s network.
• Provide cloud storage - When people are constantly on the move and have a lot of responsibilities, they will often upload their work into their personal cloud-based file storage. This can be risky behavior, even if the employee’s motives are solid. Keep your company’s data hosted on its own infrastructure.

With these four tips you can go a long way toward protecting your business, and your staff, from the detrimental characteristics of a phishing attack.

If you need help with your organization’s cybersecurity, or if you simply want some help outlining a strategy to use, contact the IT professionals at Coleman Technologies today at (604) 513-9428.

Support for these two titles ends on January 14, 2020. If your business has neglected to upgrade away from the technology after Microsoft ended mainstream support in 2015, time is finally running out in which to do so. It is important to have a strategy to move to a more up-to-date operating system. By not completing a full migration away from these titles your business will not have the protection it needs to keep your company’s data secure. Vulnerabilities will begin to present themselves pretty quickly and you will see your ability to maintain data security wane. Let’s take a look at these titles, and what needs to happen to successfully remain secure.

Windows 7

Windows 7 is one of Microsoft’s most popular operating systems of all time, and is still used by millions of people from all over the world. In fact, it wasn’t until last December that Windows 10, Micrsosoft’s latest OS, passed Windows 7 in number of users. The software giant has started a major ad campaign to inform people of how to upgrade away from Windows 7 as soon as possible.

The most obvious option is to upgrade your business’ workstations to Windows 10. Windows 10 is constantly supported, offers many features that Windows 7 is incapable of, and features a profile that isn’t significantly heavier so most systems that you have will run Windows 10 effectively.  If you are in a position where you need to move over a lot of workstations, our consultants can help you calculate the best route forward. 

Another option Microsoft provides is called Microsoft 365. This cloud-based service deliberately targets the millions of Windows 7 users as it doesn’t require huge capital costs to move to Windows 10. At Coleman Technologies, we can help you determine the pricing of a migration either to new onsite infrastructure or a hosted solution. Either way, your business will need to have upgraded before January 14, 2020.

Windows Server 2008 R2

In addition to Windows 7, in January 2020, Microsoft will be retiring the entire Windows Server 2008 R2 suite. If your business utilizes Windows Server 2008 R2 for data and application hosting, you will need to have a plan in place to upgrade prior to the end of support date. Just like Windows 7, Microsoft will stop delivering security patches to Windows Server 2008 R2, meaning that there is a very real possibility that your organization could go without security updates if you fail to upgrade.

Microsoft has since released two new versions of the Windows Server software, as well as implemented a cloud-based option in Azure. It might be able to help you save money with cloud-based server management, but you won’t know for sure if it’s the right call to make without talking to the IT professionals at Coleman Technologies. Call us today to find out more at (604) 513-9428.

Let’s explore some of the risks that the IoT can present.

The Security Issues of the IoT

The Internet of Things has added utility to many devices, expanding their potential in ways that would otherwise be impossible. This has only been further augmented by the access to personal devices that many employees enjoy through Bring Your Own Device policies.

However, these benefits have come with an assortment of considerable risks alongside them. Devices that are a part of the IoT are notoriously vulnerable to many cyberattacks, which means that they could potentially be used as a point of access to your business’ network. From there, a cybercriminal has plenty of opportunities to create issues - whether that’s by stealing your data, hijacking your devices to be used in a botnet, or whatever their goal may be.

This problem is only exacerbated by the tendency for IoT devices to go without updates, whether through the negligence of the manufacturer or of the consumer. Without these updates, security flaws go unresolved, and the devices are thereby left vulnerable.

Consider how many devices are now manufactured that connect to the Internet. Smart watches and other wearables, smart speakers and televisions - really, almost anything with the word “smart” in its name - we have more or less surrounded ourselves with the Internet of Things. This includes the time we spend in the workplace, despite many of these devices not being visible on the network to IT. As a result, it has become almost impossible to track all the devices that attach to a network, which has developed into a new issue for businesses.

Shadow IoT

Thanks to the public demand for convenience and advanced functionality, more and more IoT devices are being manufactured all the time. If any of these devices makes its way into your office without the knowledge and approval of IT, you have a shadow IoT problem.

If you do, you aren’t alone.

In 2017, 100 percent of organizations surveyed by an IoT security firm were found to have consumer IoT devices on the network that qualified as shadow IoT. Another report, from 2018, stated that one-third of United States, United Kingdom, and German companies have over 1,000 shadow IT devices on their networks every day. Combine this with the security shortcomings discussed above, and you have a recipe for a cybersecurity disaster.

You may remember the Mirai botnet, which struck back in 2016. This botnet was built up of over 600,000 devices at its peak and focused primarily on IoT devices. Once these devices were identified by Mirai, they would be attacked and infected, adding more computing power to the botnet. Mirai is far from the only example, too… cybercriminals have been known to hack into IoT devices to gain network access, spy and listen in on conversations, and otherwise prove themselves to be a nuisance.

How to Minimize Shadow IoT

Clearly, shadow IoT isn’t a good thing for any organization. There are a few things you can do to help protect your business from the security issues that shadow IoT can cause.

• Accept IoT devices in the workplace. If your employees really want to use one of their devices at work, they’re going to. Instead of shooting down requests to bring in these devices, make it easier for your employees to do so through the proper channels - and make sure your employees are aware of these channels. Openness and cooperation can be effective tools as you try to get your team on the same page you’re on.
• Keep IoT devices separate. To better protect your network, you will want to consider utilizing a dedicated Wi-Fi network for IoT devices, configured to allow them to transmit the information they generate while blocking any incoming calls to them. This will help prevent threats from being transmitted to IoT devices.
• Seek out potential threats. Not all shadow IoT necessarily can be found on an organization’s network, as over 80 percent of the IoT is wireless. This means that you need to be monitoring your wireless signals for shadow IoT devices and networks.

Your business’ security is important - too important to be undermined by an insecure consumer device that was brought in without your knowledge. You need to get out ahead of shadow IoT, as well as the other threats that could do your business harm.

Coleman Technologies can help. Our professionals are well-versed in cybersecurity best practices and how to use them to your benefit. To find out more about what we can do for your business, reach out to us at (604) 513-9428.

Outdated software is an issue that all businesses have to deal with. The fact that so many organizations don’t routinely update their software solutions is pretty telling. For one, many businesses simply don’t have the resources at their disposal to make sure maintenance is performed on a regular basis. Granted, unless a business has taken substantial steps toward upgrading away from software that has reached its end of support date, they will have to suffer the consequences.

What Does “End of Life” Mean?

End of Life, also known as End of Support, is a term that is used to identify software that is not updated or patched after a specific period of time has passed. Certain Microsoft products can utilize the Extended Security Update, but only for a maximum of three years, meaning it’s more efficient and cost-effective to upgrade away from your old systems before they reach the end of support date.

What You Need to Do

How would your business be affected by a potential security breach? Since you won’t be receiving security patches or updates, you’ll need to consider this possibility. Following a major security breach, you’ll be forced to upgrade your systems anyway, so not only will you have those costs, but you’ll have to deal with the fallout of a data breach. It’s never too early to start taking preventative measures and think about the future of your infrastructure, as well as who will be responsible for the management, maintenance, and upgrading of your business technology.

Before Windows SQL Server 2008’s End of Support date arrives, consult this list of upcoming end of support dates and take the necessary steps to upgrade your technology. It’s better to do so now than wait until it’s too late.

We Can Help

Worrying about your business’s IT infrastructure is something that you simply don’t have time for. A managed service provider like Coleman Technologies can help you achieve affordable and accessible technology support, including the updates and patches needed to maintain network security. We can even help monitor your infrastructure for potential End of Support software that will soon be outdated. To learn more, reach out to us at (604) 513-9428.

Profitable Types of Data

Believe it or not, even a small business with a handful of clients has data worth stealing. You’re in business to make money, and by virtue of this fact, you likely collect and store financial information. In fact, you collect a ton of valuable data. The type of data that hackers are looking for.

In addition to all of the financial details you collect, there is also all of the contact information regarding leads, clients, and customers. With so many emails and phone numbers stored on your infrastructure, hackers can have a field day. They will have all the information they need to steal funds, distribute malware, and create unpleasant situations for your business.

The Unpredictability Factor

Not all hackers have any specific goal in mind when they hack you. Sometimes all they want to do is make your life miserable. The unpredictability associated with hackers is one of the most dangerous parts of them, as they can take advantage of any overlooked vulnerabilities to create a problematic situation for you.

The Impact of Security Negligence

If your business falls victim to a hacker, it’s certain to affect your business' operations. In some cases, it could be subject to compliance fines that could break your budget and put your business at greater risk. Furthermore, you could lose access to important data that makes your business work, threatening its future and all but guaranteeing that recovery can never happen. Therefore, the importance of protecting your network can never be overstated.

Coleman Technologies can help your business implement the security solutions needed to maximize protection from threats. To learn more about what we can do for your organization, reach out to us at (604) 513-9428.

Unfortunately, most attacks still come in through email, and can slip by your users. Even the most complex cybersecurity platforms used by massive corporations and governments can be foiled by a simple phishing attack, and your end-users are your last line of defense.

How Can an Employee Fall Victim?

Phishing attacks are designed to look real. An email might come in looking like a valid message from Paypal, a bank, a vendor, or even from another employee or client. Hackers use several tricks to make the email look real, such as spoofing the address or designing the content of the email to look legitimate.

Unfortunately, if the user clicks on the link in the email or downloads the attachment, they could open themselves and your company up to whatever threats contained within.

Commonly, this leads to stolen sensitive information, or installs malware on the device, or grants the hacker the ability to log into the user’s bank account.

While having strong IT security can reduce the amount of these phishing attacks that come in, a percentage can be tricky enough to bypass your firewalls and content filters, exposing your staff to situations that could your whole endeavor in

Educate Your Employees

It’s important to teach employees how to catch a phishing attack. We recommend sharing the following steps with your staff, or even printing them out and posting them around the office:

1. Carefully hover (don’t click!) over links and see if they go to a legitimate URL. If the email is from Paypal, a link should lead back to paypal.com or accounts.paypal.com. If there is anything strange between ‘paypal’ and the ‘.com’ then something is suspicious. There should also be a forward slash (/) after the .com.   If the URL was something like paypal.com.mailru382.co/something, then you are being spoofed. Everyone handles their domains a little differently, but use this as a general rule of thumb:
   1. paypal.com - Safe
   2. paypal.com/activatecard - Safe
   3. business.paypal.com - Safe
   4. business.paypal.com/retail - Safe
   5. paypal.com.activatecard.net - Suspicious! (notice the dot immediately after Paypal’s domain name)
   6. paypal.com.activatecard.net/secure - Suspicious!
   7. paypal.com/activatecard/tinyurl.com/retail - Suspicious! Don’t trust dots after the domain!
2. Check the email in the header. An email from Amazon wouldn’t come in as This email address is being protected from spambots. You need JavaScript enabled to view it.. Do a quick Google search for the email address to see if it is legitimate.
3. Always be careful opening attachments. If there is an attachment or link on the email, be extra cautious.
4. Be skeptical of password alerts. If the email mentions passwords, such as “your password has been stolen,” be suspicious.

Phishing Simulation

Another great tactic is to have regular phishing simulations. This is where we create a series of fake phishing emails (don’t worry, it’s safe), and randomly send it to your staff. When someone falls for the attack, we send them educational information to help them prevent being tricked by a real one.

We’ve found this to be very effective, without taking a lot of time out of an employees already busy day.

Are you interested in helping to protect your staff from falling victim to phishing attacks? Give us a call at (604) 513-9428.

How Blockchain Has Been Shown to Be Vulnerable

Let’s face it… blockchain technology is a human invention, which means that there are going to be some flaws.

Admittedly, the concept behind the blockchain makes this hard to believe: every transaction made through the blockchain, financial or data-based, is given a permanent, designated “block” in the chain. Before the transaction is completed, the rest of the network needs to approve this new block’s validity. The block is then added to the chain, where it cannot be altered and provides an unchangeable record of the transaction - to undo it, a new block would be created. It is only then that the transaction is completed.

While this method may seem foolproof, even “unhackable”, this just isn’t the case. In March of 2014, cybercriminals managed to steal $450,000,000 worth of Bitcoin through a transaction mutability vulnerability, and in June of 2016, cybercriminals managed to steal approximately $60,000,000 by leveraging a recursive calling vulnerability.

Additional Blockchain Vulnerabilities

Again, as a human creation, there are going to be some flaws in blockchain platforms. One investigation revealed that some blockchain and cryptocurrency platforms had over 40 vulnerabilities.

51% Vulnerabilities

Many of blockchain’s vulnerabilities have more to do with the nature of the platform as well. One such vulnerability is known as a 51% vulnerability, and is associated with mining cryptocurrencies. Let’s assume you are a cryptocurrency miner. If you manage to accumulate hashing power that exceeds more than half of what the blockchain contains, you could leverage a 51% attack to manipulate the blockchain to your own advantage.

Naturally, more popular blockchains, like Bitcoin, are far too expensive to be practical targets, but smaller coins are much more affordable to attack and can be lucrative for hackers. In 2018, 51% attacks were leveraged against less popular cryptocurrencies, netting the attackers approximately $20 million.

Security of Private Keys

Using a blockchain requires a user to have a private key. Naturally, if this key were to be stolen, those cybercriminals who stole it would be able to access and tamper with that user’s blockchain. What’s worse, because the blockchain is decentralized, these kinds of actions are difficult to track and even harder to undo.

Breach Examples

As you might imagine, most breaches involving a blockchain are in some way tied to an end user. In 2017, a fraudulent cryptocurrency wallet service was left up for months as the cybercriminal responsible allowed people to funnel their cryptocurrencies into it before stealing $4,000,000 - out of a reported total of $2 billion being stolen since 2017 began. In January 2018, it was disclosed that hackers stole private keys with malware, taking over $500,000,000 in NEM coins (a now-effectively-worthless cryptocurrency established by a nonprofit).

If hackers are able to steal from a purportedly “unhackable” technology, what’s to stop them from stealing from your business?

Cybersecurity solutions from Coleman Technologies, that’s what. We can set up the security solutions your business needs to protect its data, and monitor your systems to detect breaches preemptively, preventing a security issue from happening. To learn more about what we can do, reach out to us at (604) 513-9428.

What Makes Spear Phishing Different?

As a rule, spear phishing is a much more precise and personalized process. To keep to the “fishing” analogy, a generalized phishing campaign casts a wide net, trying to snare as many victims as possible with their scam. Utilizing vague and generic language, the ‘typical’ phishing attack is made to appear to come from a large organization, informing the user of some need for the user to take action, resulting in the hacker gaining access to the user’s information. This methodology makes the typical phishing attack fairly effective against many people, while simultaneously easier to spot if one knows the warning signs.

By comparison, spear phishing is far more precise. Instead of trying to find value in the quantity of targets snared in a trap, spear phishing takes the opposite tack. Using a highly targeted approach, spear phishing attacks are directed toward a specific individual within an organization.

This specified approach means that the generic messages that many phishing attempts leverage simply won’t be enough to fool the intended target. Instead, the hacker has to play investigator, seeking out as much information as they can about their intended target. Where do they work? What is their position in the company? Who do they frequently communicate with? Once the hacker has collected enough information to create a convincing message, they will typically spoof an email to their target. This email will usually contain some reference to a known contact or some in-progress project to make it more convincing and will request that the recipient download a file via a provided link.

However, while the link will direct to what appears to be a Google Drive or Dropbox login page, it is just another layer to the deception. Entering credentials into this page will give them right to the hacker for their use, breaching the user’s security and putting the entire business at risk in one fell swoop.

What Methods Do Spear Phishers Use?

Due to how spear phishing works, the messages sent by hackers need to be as convincing as possible. Combining extensive research with some practical psychology, a hacker has more ammunition to power their attacks.

As mentioned above, spear phishing is far less generic than the average phishing attempt. By referencing specific people, things, and events that mean something to the target, or appearing to come from an internal authority (a manager, perhaps, or even the CEO), the hacker can create a message that is less likely to be questioned. If the hacker writes their messages without any spelling or grammatical errors, as many spear phishers do, it only becomes more convincing.

These hackers are so reliant upon their target being fooled; many will purchase domains that strongly resemble an official one. For instance, let’s say you owned the domain website-dot-com. If a hacker decided to pose as you to launch a spear phishing attack, they might purchase the domain vvebsite-dot-com. Without close inspection, the switch may not be noticed - especially if the hacker creates a good enough lookalike website.

Am I A Target?

Of course, the research that a hacker has to do to successfully pull off a spear phishing attack is extensive - not only do they have to identify their target, they also have to figure out the best way to scam this target. Generally speaking, a hacker seeking to leverage spear phishing will focus their efforts on anyone in an organization who could potentially access the information that the hacker wants but isn’t high up enough in the organization to question an assignment from above.

Or, in more certain terms, a business’ end users.

In order to minimize the chances that a spear phishing attack will be successful against your company, you need to make sure that everyone subscribes to a few best practices. For example:

• Pay attention to the finer details of an email. Is the message actually from This email address is being protected from spambots. You need JavaScript enabled to view it., or does the email address actually read This email address is being protected from spambots. You need JavaScript enabled to view it.? Did Christine/Kristine include any attachments? As these can be used to spread malware via email, you should avoid clicking on them unless you are certain the message is legitimate.
  
  
• Is the message written to sound overly urgent? Many phishing messages, especially spear phishing messages, will try to push an action by making it seem as though inaction will lead to a critical issue. Another warning sign to look out for: any deviation from standard operating procedures. Don’t be afraid to question a sudden switch from Google Drive to Dropbox - it may just be the question that stops a spear phishing attack.
  
  
• Speaking of questioning things, don’t hesitate to make sure that any messages you suspect may be spear phishing aren’t actually legitimate through some other means of communication. A quick phone call to the alleged sender will be well worth avoiding a data breach.
  
  

While spear phishing is a considerable threat to your business, it is far from the only thing you need to worry about. Coleman Technologies can help your business secure its IT solutions and optimize them for your use. To learn more, subscribe to our blog, and give us a call at (604) 513-9428.

Today, many of the largest and most lucrative companies in the world, Google, Apple, AT&T, Amazon, Verizon, Facebook and Microsoft are all, more than manufacturers of computer-based goods and services, data brokers. These data brokers create services that they then sell to advertisers that allow them to target you based on the information these companies have of you, which can accurately tell how and what to sell you.

Since nearly everyone has a near-ubiquitously-connected experience there is a lot of data collected, bought, and sold every year and it’s big business. Facebook, a company whose main revenue stream is from selling advertising, made a net profit of nearly $16 billion in 2017. This tells us that if you have people’s data, you have people’s hopes, fears, and dreams, which means you can pretty easily get someone to pay you for access to that information.

For small businesses it’s much less lucrative. In fact, all the data your organization needs to keep, is probably necessary to simply do business, not to sell to advertisers. Facebook voluntarily gets a lot of personal information from every one of their users, as where the typical small business often has to strategize to just get a name and a phone number. The information that is sensitive (mostly customer information that you collect) has a lot of value to the people looking to steal it. So while you aren’t making billions of dollars selling consumer profiles, it is still a mightily important part of doing business, and needs to be secured.

Is Data a Commodity?
Technically speaking, it isn’t. Since a commodity’s value is based namely on its scarcity and the amount of capital that needs to be put up to create it, in both resources and labor, the data that is being purchased isn’t really a commodity. In lieu of the dissolution of the U.S. Net Neutrality laws, this has created the argument in the U.S. that since now it’s up to the telecommunication companies how they want to manage (or more accurately bill) data consumption, that they would throttle and tier service, something that isn’t possible with a true commodity, where there are laws prohibiting those types of practices.

On the other hand, Internet access is something that a majority of the commerce requires, and delivering data is in itself an expensive endeavor (infrastructure spending, development, utility costs, etc.) so telecoms, who are seeing their would-be profits syphoned by over-the-top content providers, and publicly demonized as a result of a very public lobbying effort to gain control of the ability to implement some sort of prioritization strategy, have to find a strategy to sustain their ability to get a workable return on their investments.

Securing Your Organization’s Data
Regardless of what your view of data is, it’s an important resource for your organization, and as mentioned above, it needs to be secured. For one of your company’s most important resources, data can be lost relatively easily, so there needs to be a concerted effort to keep your network and infrastructure free from the threats that could put your data at risk. At Coleman Technologies, that’s what we do. We ensure organizations like yours get the professional IT expertise you need to work efficiently, effectively, and securely in what is the most turbulent time in computing history. With the litany of threats your business faces everyday, you need experts that have your back. We offer:

• Backup and disaster recovery: With a comprehensive backup and disaster recovery system in place, all of your organization’s data is safe, redundant, and able to be restored on demand.
• Proactive monitoring and management: By keeping a dedicated eye on your network and infrastructure, our technicians can be proactive.
• Patch management: By keeping all of your organization’s software up to date with the latest threat definitions, you can ensure that your software isn’t going to be a problem.
• Access control and threat detection: By having full control over who can access what, and a complete view of the entire network, we can keep people who aren’t supposed to see certain information from accessing it.
• Training: Most times, your own staff is responsible for data breaches and malware. We can train you all on what to look for to ensure that you are doing your best to keep your network and infrastructure free from threats.
• Around the clock support: If three out of every four businesses deal with phishing emails, and over 95 percent of all phishing emails deliver ransomware, chances are that if a mistake were to be made, you will need immediate IT support. Our support and help desk can remediate a lot of your security issues to keep downtime to a minimum.

With data such a major part of doing business today, ensuring you have the right solutions and support in place to be confident that any situation you face will be managed before it becomes a problem is in itself a benefit. Call Coleman Technologies at (604) 513-9428 for more information.

As we begin, it is important that we acknowledge that the Android operating system has been granted FIDO2 certification. In other words, the FIDO (Fast IDentity Online) Alliance has given the Android OS their seal of approval in regard to the authentication standards that the Alliance has set.

What Does This Mean?

In very simple terms, any Android device running 7.0 or higher with the latest Google Chrome update installed can be used as part of a two-factor authentication strategy - more specifically, as a security key. This includes the support that FIDO2 offers for onboard fingerprint scanners as a means of identity authentication. Currently, this authentication standard is only supported by Android, with no indication of Apple devices incorporating it.

In no uncertain terms, this all means that passwords may soon be phased out.

Abandoning Passwords

Passwords have been the standardized form of authenticating one’s identity for quite some time, despite the potential issues that are present with them. How often have we seen just how many ways a determined cybercriminal has to obtain a password? Between insecure databases filled with credentials and unfortunately successful phishing schemes, millions of accounts have been exposed - and that isn’t even taking all the times an insecure password was guessed into account.

The biggest weakness that any password has is the fact that it can be shared at all, that someone other than the owner can use it. Over any other reason, this is why FIDO2 is likely to become as popular as it is expected to be. When was the last time you successfully shared a thumbprint with someone, after all? Furthermore, FIDO2 keeps all of the information that is pulled from its biometrics onboard the device, keeping it safe from being stolen on the Internet.

As an added bonus, FIDO2 won’t allow the user to input their fingerprint’s biometric data into websites that don’t have sufficient security measures in place.

How to Use Your Android Device as a FIDO2 Security Key

In order to leverage your Android device as a security key, you need to make sure that it meets a few benchmarks. First and foremost, you’ll need to be running at least Android 7.0, with the latest version of Chrome installed. You will also need to have Bluetooth activated, and a Google account with two-step verification enabled.

This is somewhat simple to do. Logging into your Google account, access the Security section. Here, you’ll find the option to activate 2-Step Verification. After a short process, your smartphone will work as a security key.

Authenticating Google Sign-Ins with Your Phone

As long as you have enabled both Bluetooth and Location on your mobile device, any Google service you try to access will prompt you to confirm the sign-in attempt via your phone. This process is exceptionally simple - all you have to do is press Yes on your phone and wait. Once you’ve done so, you can confidently access your Google account, securely. As more developers adopt FIDO2, this enhanced security will only appear more often.

What do you think of this new authentication method? Share your impressions in the comments! While you’re there, let us know if there are any other tips you’d like us to cover!

The GDPR (In a Nutshell)

Under the GDPR - which came into effect on May 25, 2018 - any companies that have collected data on a resident of the European Union are then responsible for protecting that data. Furthermore, the GDPR grants these residents a far higher level of access and control over the data that organizations possess.

How United States Citizens Have Reacted

According to a poll, data privacy has become a bigger priority for 73 percent of respondents, 64 percent stating that they felt the security of their data was worse than it has been in the past. 80 percent want the ability to learn who has purchased their data, while 83 percent want the ability to veto an organization’s ability to sell their data in the first place. 64 percent also stated that they want the ability to have this data deleted.

How the Government Has Reacted

Governing bodies at different levels have had different reactions to these demands. For instance, the state of California has already passed the Consumer Privacy Act (CCPA) - a piece of legislation that the House of Representatives' Consumer Protection and Commerce Subcommittee isn’t too fond of, as its position is that there needs to be a singular piece of legislation at the federal level to protect data. As of right now, data privacy is addressed in a combination of state laws and some proposed federal laws.

One of these proposed laws, the Data Care Act, spells out that (in addition to promptly alerting end users to security breaches) a service provider cannot legally share a user’s data without the receiving party also being beholden to the same confidentiality standards. Others include the Information Transparency and Personal Data Control Act, which requires transparency and personal control over data, the Consumer Data Protection Act, which could throw executives in prison for abusing data, and the American Data Dissemination Act, which sets a deadline for the government to enact privacy requirements upon businesses.

However, when the Consumer Protection and Commerce subcommittee met to discuss the prospect of a federal privacy law (which it was agreed was necessary), there weren’t any representatives for the average consumer - the ones whose data is really at stake. This reflects the hearings held last year by the Senate, also without consumer representation. Instead, technology companies were invited to participate during both sessions.

Small Business Concerns

That being said, there is very little support among the committee for any regulations that are at all similar to the GDPR. One reason for this: the fear that small businesses will not find themselves able to afford the added cost of compliance.

For instance, there are a variety of potential burdens that such a measure could potentially impose upon small and medium-sized businesses. These burdens include:

• All-encompassing overhauls that would result in lost business
• Business failure due to inadequate budgets to make the demanded changes
• Impeded growth after regulations are put in place
• Prerequisites becoming too great to start a business in the first place
• Costs passed down to SMBs from larger companies for technology services

It is worth noting that if your organization does business with people from the EU, you are responsible to adopt the privacy rules of the GDPR.

What do you think? Are laws like these necessary, especially given the cost they could put on small businesses? Have you had any data privacy concerns in the past? Share your thoughts in the comments.

Birth of the Internet

The first Internet was born on college campuses. It was built by intellectuals, for academics, without the massive list of considerations that now accompany software development. It spread quickly, of course, and somewhere, pretty early on, it was decided that by being able to support commerce, the Internet could become one of the west’s greatest inventions.

This came to fruition in 1984 when the first catalogue was launched on the Internet. This was followed by the first e-store (at books.com) in 1992, and the first software to be sold online (Ipswitch IMail Server) in 1994. Amazon and eBay launched the following year and the Internet has never been the same.

By then, the academic uses for the Internet had multiplied, as well. By the time Amazon launched, many colleges and universities were offering students access to the Internet as an important part of their continuing education. Boy, was it ever.

Today, you’ll be hard pressed to find a classroom (outside of the poorest school districts in the country) where every classroom isn’t Internet-ready.

College Internet Needs and Cybersecurity

This stands true in university and college circles, as well. Campuses today are almost completely connected. You’ll be hard pressed to find a place on a modern campus that, as long as you have security credentials to do so, you can’t gain access to an Internet connection. In a lot of ways, it is the demand for access that makes network security a major pain point for the modern college. Firstly, having to protect computing networks from a continuously variable amount of mobile devices is difficult. Secondly, the same attacks that plague businesses, are also hindering IT administrator efforts at colleges.

Colleges themselves aren’t doing anyone any favors. According to a 2018 report, none of the top 10 computer science degrees in the United States require a cybersecurity course to graduate. Of the top 50 computer science programs listed by Business Insider only three require some type of cybersecurity course. Moreover, only one school out of 122 reviewed by Business Insider requires the completion of three or more cybersecurity courses, the University of Alabama. Regardless of the metric, it’s clear that learning cybersecurity is not a priority for any school.

Are There Cybersecurity Problems Specific to Colleges?

The short answer is no. That’s why it's so important to get people thinking about cybersecurity any way they can. No industry can afford to have the skills gap between people that hack and the people looking to stop them grow any wider. This is why, no matter what you do (or plan on doing) for a living it’s important to understand what your responsibilities are and how to get them into a place that can help your organization ward off these threats from outside (and sometimes inside) your network.

Many colleges have turned to companies like Cyber Degrees to help them not only educate the people utilizing the college’s networks to why cybersecurity awareness is important, but also help people understand that with the rise of cybercrime and hacking-induced malware, that cybersecurity has become a major growth industry with many facets. In 2015, the Bureau of Labor Statistics found there were more than 200,000 unfilled cybersecurity jobs in the U.S. With curriculums not prioritizing cybersecurity, and with threats growing rapidly, imagine how many are unfilled today. As demand rises for competent individuals to fill a multitude of jobs in the computer-security industry, colleges need to do a better job prioritizing cybersecurity training.

For the business looking into protecting itself, look no further than the cybersecurity professionals at Coleman Technologies. Our knowledgeable technicians work with today’s business technology day-in and day-out and know all the industry’s best practices on how to keep you and your staff working productively, while limiting your exposure to risk. Call us today at (604) 513-9428 to learn more.