12 Days of Christmas Challenge


Not long to go until Christmas, and as part of our festive celebrations, we have created a special rendition of the “12 days of Christmas” to help educate and build awareness about cyber security!

The twelve days start on the 1st of December. Each day we’ll be posting our version of that day’s verse, with cyber security questions for you to answer. We will select a winner from the correct answers each day, who will win £10 of Amazon vouchers. At the end of the 12 days, we will put all the winners into a prize draw to win a further £120 worth of vouchers!

The first verse will be posted on the 1st of December and every working day until the 16th of December with the announcement of the grand draw on the 17th of December.

Check back here each day for new questions and join in the fun!

It is time to announce the winner of our grand prize! Drum roll, please!

🎉 The winner of our grand prize of £120 worth of Amazon vouchers is… Drw Cannon!

Congratulations to Drw Cannon! We will be in touch shortly about your prize.

Thanks again to all who participated. We hope you enjoyed the challenge as much as we did, and also learnt a bit more about cyber security. Look out for our other competitions in the new year.

Have a fab Christmas and we wish you all a prosperous 2022!

What is Password Spraying & Why You Should Care


Passwords have been with us for a very long time; in fact, the computer password recently celebrated its 60th birthday, having begun life in an MIT lab in the fall of 1961.

As we approach 2022, it is estimated that there are well over 300 billion passwords in use worldwide and almost everyone knows the basics of good password security – right?

Well, maybe, maybe not. The evidence would say not: the statistics remain shocking.

Here’s just one example: did you know that more than 23,000,000 account holders in the UK alone use the password “123456”?

What is Password Spraying

I picked that statistic, not only because it clearly highlights how big an issue bad password security remains, but also because Forbes recently reported on a rapidly rising cyberattack type that very much relates to that statistic specifically.

That attack type is Password Spraying. So, what exactly is it?

The easiest way to explain password spraying is to compare it to a much better-known password attack type, the “Brute Force” attack.

A “brute force” attack targets a small number of accounts with a substantial volume of ‘password guesses’ and is the reason why a longer password is a stronger password – it takes much (much, much) longer to cycle through every password combination for 12 characters than it does for 6 characters.

“Password Spraying” though flips this on its head and targets a huge number of accounts with a small number of “password guesses” – and as you might expect, those “guesses” are the passwords that are most used – such as our friend “123456”.
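The difference between the two patterns is exactly what a defender looks for in authentication logs: a brute-force source produces many failures against one account, while a spraying source produces one or two failures against each of many accounts. The following is an added example, not code from the original post, that classifies sources in a constructed sample log (the `auth_failure`/`auth_success` key=value line format, the addresses and the usernames are all invented here); it also escalates a spraying source that eventually records a success, which is the event worth paging on.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (invented format and values, not real data).
# 203.0.113.7 tries one guess against many accounts and eventually gets in (spray pattern);
# 198.51.100.23 hammers a single account (brute-force pattern);
# 192.0.2.5 is a user mistyping their own password twice (normal behaviour).
SPRAY_LINES = [
    f"2021-12-01T09:00:{i:02d}Z auth_failure user={u} src=203.0.113.7"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + ["2021-12-01T09:00:07Z auth_success user=frank src=203.0.113.7"]
BRUTE_LINES = [
    f"2021-12-01T09:01:{i:02d}Z auth_failure user=admin src=198.51.100.23"
    for i in range(12)
]
NORMAL_LINES = [
    "2021-12-01T09:02:00Z auth_failure user=alice src=192.0.2.5",
    "2021-12-01T09:02:05Z auth_failure user=alice src=192.0.2.5",
    "2021-12-01T09:02:10Z auth_success user=alice src=192.0.2.5",
]
SAMPLE_LOG = "\n".join(SPRAY_LINES + BRUTE_LINES + NORMAL_LINES)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth_(?P<result>failure|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, spray_min_users=5, spray_max_per_user=3, brute_min_attempts=10):
    """Label each source address by the shape of its failed logins.

    spray:       failures spread over at least spray_min_users accounts, averaging
                 no more than spray_max_per_user attempts each
    brute_force: few accounts but at least brute_min_attempts failures in total
    The thresholds are illustrative; tune them to your own baseline.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    successes = defaultdict(set)                      # src -> users that logged in
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])

    verdicts = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        distinct = len(per_user)
        if distinct >= spray_min_users and total / distinct <= spray_max_per_user:
            # A spray that also produced a success means a guess landed: highest priority.
            verdicts[src] = "password_spray_with_success" if successes[src] else "password_spray"
        elif distinct < spray_min_users and total >= brute_min_attempts:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts


def sprayed_accounts(events, src):
    """Accounts a given source touched; these are the ones to alert on or force a reset for."""
    return sorted({e["user"] for e in events if e["src"] == src})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for src, verdict in classify_sources(evts).items():
        print(src, verdict, sprayed_accounts(evts, src))
```

Two caveats for real use: a production detector buckets events into a time window (a spray is typically slow on purpose, a few guesses per account per day, so a 24-hour window catches more than a 5-minute one), and it should aggregate by more than source address, because sprays are commonly distributed across many addresses to stay under per-IP lockout thresholds.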

Protect yourself from Password Spraying attacks

This is a simple one – avoid those commonly used, simple passwords that are the punchlines in a million cyber security memes.

Here’s a list of the 10 most used passwords in 2021 – seriously, if you have an account anywhere that uses one of these – change it now!

  • 123456
  • 123456789
  • qwerty
  • password
  • 12345
  • qwerty123
  • 1q2w3e
  • 12345678
  • 111111
  • 1234567890

It really is that simple.

So, if “123456” is out, what should I use instead?

Password spraying is not the only reason to use “strong” passwords – but it is a good one all the same.

To create a “strong” password, simply follow this simple guide.

  • Longer = stronger: Make your passwords at least 8 characters long, preferably even longer.
  • Complexity: your passwords should contain at least one uppercase letter, one lowercase letter, one number and one special character.

There are other tricks, such as using a passphrase, but as long as you follow these 2 simple steps your passwords will be drastically more difficult to crack and won’t typically be included in the “guesses” used in Password Spraying type attacks.
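A password check that enforces the two rules above and rejects the top-10 list from this post, as an added example rather than code from the original post. It goes one step beyond the text: a password such as “Password1!” satisfies length and all four character classes, yet its base word is still “password”, so the check also strips digits and symbols and compares what is left against the common list (that extra rule and the problem labels are this example’s own choices).

```python
import re
import string

# The ten most used passwords of 2021, as listed in the post above.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345",
    "qwerty123", "1q2w3e", "12345678", "111111", "1234567890",
}
MIN_LENGTH = 8  # "at least 8 characters long, preferably even longer"


def password_problems(pw):
    """Return a list of rule violations for pw; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on_common_list")
    else:
        # Added rule: "Password1!" is still "password" once digits/symbols are removed.
        base = re.sub(r"[^a-z]", "", lowered)
        if base and base in COMMON_PASSWORDS:
            problems.append("common_word_with_decoration")
    if len(pw) < MIN_LENGTH:
        problems.append("shorter_than_8")
    if not any(c.isupper() for c in pw):
        problems.append("no_uppercase")
    if not any(c.islower() for c in pw):
        problems.append("no_lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no_special")
    return problems


def is_acceptable(pw):
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "Qwerty123", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'OK'}")
```

In practice the common list should be far longer than ten entries (the NCSC publishes a list of breached passwords for exactly this purpose), and the check belongs at the point where a password is set, so a weak choice is refused before it ever reaches the directory.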

Even better, where possible, secure your important passwords with further authentication methods, such as 2-factor authentication or biometrics, such as facial recognition, fingerprint scanning, or retinal scanning.

While much of this information may seem obvious to many, the statistics year-on-year show that it’s still as relevant as it ever was.

Ready to take the first steps toward better cybersecurity?

If you would like to know more about IT managed services that can drastically reduce your cybersecurity risk, get in touch with us.

About the author…

Julian has over 20 years of experience as a technical salesperson for IT Managed Service Providers (MSPs) and likes nothing more than a cup of coffee and a chat about how to cure your IT headaches.

The Top Cyber Security Threats & Tips On How To Defend Against Them


The Top Cybersecurity Threats for Businesses in 2021

1. Phishing

Phishing is a hacking scheme that, in its most common form, appears to be a regular email from a legitimate source, using legitimate-looking links, attachments, business names, and logos. The email aims to persuade the recipient to perform an action, usually clicking a link or downloading an attachment.

Some email-based variations include “whale phishing” that are more targeted and primarily directed at company executives, and “spear phishing” that are targeted against a specific person.

Phishing attacks can also take non-email forms. “Smishing”, for instance, uses SMS messages to garner clicks to dangerous links, while “vishing” uses fraudulent phone calls and voice messages that pose as legitimate companies to the same end.

A more recent form of phishing attack is “search engine phishing”, where hackers create fake websites and get them ranked in search engine results in order to steal users’ information.

In a recent study 86% of organisations reported having at least one user connect to a phishing site.

2. Malware

Malware, also known as malicious software, hacks devices by either slowing them down significantly or stopping them from working entirely. It destroys computer systems through software agents such as trojan malware, spyware, viruses, ransomware, adware, and worms.

Malware can be released into a computer by clicking an infected link, downloading a file or material from an unknown source, clicking a pop-up ad, or downloading an email attachment from an unknown sender.

Once malware is released into a computer system, hackers can gain access to your company’s network where they will usually target passwords, credit card numbers, banking data, personnel files, and other potentially valuable information.

Worryingly, over the last year, 35% of the malware attacks reported by businesses in the UK used previously unseen malware or methods of infection.

3. Ransomware

Ransomware is a specific form of malware that encrypts a user’s computer systems. Once a ransomware attack has been implemented, users can no longer access their systems or files. For users to re-access their systems, they’re required to pay a ransom fee to the cybercriminals.

Ransom transactions are often made through cryptocurrencies, such as Bitcoin, though cybercriminals may also request other methods of payment, such as Amazon gift cards. The ransom costs can range tremendously, depending on the target. However, many organisations that make the ransom payments still don’t regain access to their systems, and even if they do, they have no guarantee that the attackers haven’t left other exploits in place to attack again later.

Ransomware is often spread through a malicious download, often starting with a phishing email and, as such, an attack can be targeted to either individual employees or entire organisations.

Throughout the pandemic, over a third of UK companies reported being targeted by a ransomware attack.

4. Breaches

A data breach occurs when sensitive data is stolen from a system without authorization from the system owner. Confidential user information can include but isn’t limited to credit card numbers, social security numbers, names, home addresses, email addresses, usernames, and passwords.

Breaches may be implemented through point-of-sale (POS) systems or a network attack. A network attack is likely to occur when cybercriminals identify a weakness in a company’s online security system and use the weakness to invade the system. Social attacks are also prevalent, where hackers fool employees into granting access to an organisation’s network. For instance, they may be tricked into downloading a harmful attachment or accidentally giving out login credentials.

Once a data breach occurs, businesses must take immediate action to contain the breach and resolve the issue. Failing to do so may result in a tarnished reputation and regulatory fines.

5. Compromised passwords

Compromised passwords most often occur when a user enters their login credentials unknowingly on a fake website. Common username and password combinations also leave accounts more vulnerable to attacks. Password reuse across multiple platforms can make your systems even more susceptible to hackers, leaving multiple accounts at high risk.

When creating passwords for company accounts you should always ensure that you use unique, hard-to-guess passwords.

However, 51% of people surveyed recently said that they use the same passwords for both their work and personal accounts.

3 Tips to Combat Cybersecurity Threats

1. Acquire the skills

Many organisations, particularly small- and medium-sized businesses, may struggle with staffing the right team to ensure an organisation is protected from the latest cyber threats and able to combat an attack.

Hiring a qualified security engineer or IT security manager can be expensive, so many businesses choose to find a 3rd party cybersecurity provider instead, often combining the outsourcing of IT support and cyber security services to the same provider.

Two advantages of working with an outside organisation are that they can provide 24/7 monitoring for attacks that can occur at any time, and they are experts that stay up to date on the ever-evolving landscape of cyberattacks.

2. Educate your team

Some best cybersecurity practices may seem obvious to most, but it’s important to educate your entire team and ensure everyone is on the same page.

Talk to employees about the importance of strong passwords, how to safely use a shared network, what your internet use guidelines are, and how to handle and protect customer data.

Train your team to recognize phishing attacks by looking for URLs or email addresses that are close but not exact, identifying language with misspellings or that feels a bit “off,” and being extra-cautious of requests for passwords or other personal information.
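The “close but not exact” check can be automated at the mail gateway as well as taught to people. The following is an added example, not code from the original post, that compares a sender’s domain against a list of trusted domains (the trusted list and the sample addresses are constructed for the example): it flags single-character look-alikes by edit distance, a few classic homoglyph swaps such as “rn” for “m” and “1” for “l”, and the trick of embedding a trusted name inside a longer domain.

```python
import unicodedata

# Constructed trusted list; in production this would be your own and your partners' domains.
TRUSTED_DOMAINS = ["example.com", "example.org"]

# A few visually confusable substitutions. Both sides are normalised the same way,
# so a genuine domain that happens to contain "rn" is flagged for review rather than missed.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalise(domain):
    d = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain) for the domain part of an e-mail address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for t in trusted:
        if domain.endswith("." + t):
            return ("trusted_subdomain", t)
    if not domain.isascii():
        # Full IDN homograph detection needs a confusables table; here we just surface it.
        return ("non_ascii_domain", domain)
    norm = normalise(domain)
    for t in trusted:
        if norm == normalise(t):
            return ("homoglyph_lookalike", t)
        if levenshtein(norm, normalise(t)) <= max_distance:
            return ("near_match", t)
    for t in trusted:
        # "example.com.evil.test" or "secure-example.com": trusted name buried in another domain
        if t in domain or t.split(".")[0] in domain:
            return ("trusted_name_embedded", t)
    return ("unknown", domain)


if __name__ == "__main__":
    for addr in ["it@example.com", "alerts@examp1e.com", "hr@exarnple.com",
                 "help@example.co", "pay@example.com.evil.test", "news@unrelated.test"]:
        print(addr, "->", classify_sender(addr))
```

Anything other than `trusted` or `trusted_subdomain` is a candidate for a visible banner on the message or for quarantine, depending on how much noise your user base can tolerate; `near_match` and `homoglyph_lookalike` are the ones that warrant a block.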

Even savvy security teams can fall prey to a cyberattack. Giving employees things to look for can help catch an attack quickly.

Cyber Awareness Training services, such as KnowBe4, can be a cost-effective and non-disruptive method to train your staff, using a combination of simulated attacks and targeted training direct to the users.

3. Have a cybersecurity policy

Your cybersecurity policy should be a living document that is updated as attacks evolve. However, the basics of a policy should include guidelines on protecting devices (including up-to-date operating systems, browsers, firewalls, and encryption), multi-factor authentication (not just strong passwords, but secondary methods of authentication), and data protection (including how to handle customer data and what is appropriate to send via email).

Your policies should be readily available to your employees and reviewed frequently to ensure the entire organisation understands and abides by the proper protocol.

Having a cybersecurity plan is more important than ever. With the number of cyberattacks always increasing, and more and more companies now employing some element of remote workforce, it is paramount that all companies — regardless of size — understand current cyber threats and what to do to prevent and combat them.

Having a plan that is executed thoroughly and reviewed regularly is the best first step to keeping company and customer information safe. Whether you build up in-house expertise or find a trusted outside partner, cybersecurity can no longer be a project set on the back burner. Understanding the latest threats and what to do to prevent them from impacting your organisation is key to protecting your business.


3 Strategies Schools Can Apply To Protect Their Data


Cyber-attacks on our nation’s schools have been increasing over the past few years and have spiked significantly over the past 12 months, with more than a third of primary schools (36%), over half of secondary schools (58%) and three-quarters of further education colleges (75%) reported to have suffered a cyber breach in the past year, according to recent National Cyber Security Centre (NCSC) figures.

In June of this year, the NCSC reported that recent attacks had “led to the loss of student coursework, school financial records, and data relating to COVID-19 testing.”

With the shift to online and hybrid learning, schools have found themselves more exposed than ever and with limited resources to defend their IT infrastructures, most schools are unequipped for the risk posed by today’s ever-evolving threat landscape.

Budget constraints are an ever-present obstacle to maintaining or improving security, and IT administrators also struggle with persuading students and staff to take security seriously.

Let’s look at some strategies schools can employ to make the cybersecurity grade.

Make endpoint security a priority

“Endpoints” refers to devices that users access directly, such as servers, laptops and desktop PCs, tablets, phones, etc., so called because each one is a literal endpoint on a network.

Endpoint protection has always been a fundamental security practice, but as the network perimeter expands to include home networks, it’s now more crucial than ever. Unfortunately, due to budget constraints, school systems have struggled in this area.

To address this, administrators should consider prioritising high-risk systems and assets, such as data stores or servers, and apply threat detection to alert them of potential threats. If a violation of the school’s security policies is detected, automated actions can quickly contain threats before sensitive data is compromised. Essential mitigations should include a good antivirus solution, spam-filtering (for email accounts) and web-content filtering. You may also consider newer mitigations such as a ransomware protection solution, for example.

If budget remains an issue, schools can also leverage existing technology investments, such as the in-built security capabilities in Windows, Chromebooks and Microsoft365 to enhance protection across lower-risk assets. This is especially useful where IT administrators may not have complete “authority” over remote devices – such as a home user’s own PC – but can require that remote users have their in-built security options activated.

Awareness is key

An often-overlooked fact of cyber-security is that, even when you have all the critical policy and technology mitigations in place, the most important defence is the awareness of those who use your systems on a day-to-day basis.

Educational institutions must work on building their security culture to ensure students, staff and administrators are “cyber aware”: knowing how to identify and report a phishing email, practising password hygiene and not sharing passwords – which has, unfortunately, become a common practice as the use of collaboration and cloud software has proliferated in recent months.

The fact is cyber-awareness training (CAT) need not be time consuming, disruptive, or expensive. Managed CAT services, incorporating simulated attacks, targeted training and auditing/reporting can be delivered on-going for very low cost – as an example, here at Supreme Systems we’re currently quoting just £2.99 per Teacher/Faculty member per month, and this service includes access to a wealth of resources that can be used for Student education sessions also.

Alternatively, you could take a more DIY approach and take advantage of free resources made available by the NCSC. Take a look here for links to NCSC practical resources to help schools improve cyber security, or here for cyber security training for school staff. While not as effective as an on-going service at maintaining awareness, and requiring some investment of time, this approach won’t impact already tight budgets.

The importance of good Access Management

With the rise in remote and technology-focused learning, schools must set up strict network access control policies, limiting data access to the people who need it, when they need it.

The statement that non-IT administrators should not have administrative rights on their devices or networks may sound obvious (because it is obvious) but in practice this is all too often not the case.

IT Administrators should have 2 accounts set-up – one with administrator rights to be used only when these rights are needed and their other account to be used at all other times, for everyday activities.

“Starter” & “leaver” processes are another important component to have in place, ensuring old accounts are removed and any passwords that a leaver may have been privy to are changed quickly.

With these policies in place, administrators are in a much stronger position and will mitigate against the risk of frequent turnover of students and staff. When a student graduates or a teacher leaves a position, their access rights can be quickly revoked to minimize the risk of their identity credentials falling into the wrong hands.

Where possible, you should also utilise 2-factor-authentication (also known as 2FA, multi-factor-authentication or MFA), especially for systems that access sensitive information.

Last words

Even before the pandemic, hackers discovered that schools are easy prey and a lucrative source of data and as students have returned to the classroom, the cybersecurity threat has not diminished in the slightest.

Establishing cybersecurity strategies like those above can help schools enhance their cybersecurity maturity and protect students, teachers, staff, and networks.

While many of these may seem obvious, they all require time and management, and some require financial investment too, which can result in them not being implemented at all or, just as bad, “worked around” – this is exactly what the cyber-criminals are banking on.


Supreme Systems are holding a cyber-security seminar for Schools & Further Education and have 30 free seats available on a first come, first served basis. Featuring keynote speakers from CyberSecure.School, Cyber Smart & KnowBe4, the event is scheduled for October 20th; please see here for more information and registration.
