Blog : Security

Protecting your computers and your future too

For 14 years we’ve worked harder than the competition to offer I.T. support that not only keeps all of your I.T. infrastructure working, and working well, but also offers the peace of mind that comes from knowing we’re on your side.

We build relationships that mean we both get the most out of working together. We can’t thrive as a business without our clients thriving as a business.

This is as important now as it ever has been, as more and more of our day-to-day business is done via computers and the internet, and convergent disruption is changing the business landscape beyond all recognition. Now more than ever, modern businesses need to trade on the internet as their primary platform, and those that don’t will get lost in the noise. We see a lot of businesses recognising that they need a platform on the internet but in actual fact just adding to the noise, with many switching potential buyers off.

They realise they need to have a presence on platforms like LinkedIn, Twitter, Instagram and Facebook but have no idea how to separate themselves from the pack, and so end up adding to the already crowded middle.

The key we have found is to offer great free advice; doing this without devaluing your time or giving away hard-earned trade secrets can be difficult.

But in truth the issue goes deeper than just getting a message out there that’s a little different to the rest. It’s creating that different message, creating a different service for your clients, and with that different service delivering different results: being different, and better than the competition, from start to finish.

We’ve done this for over 14 years and so are as well placed as anyone to work closely with you to make sure your technology delivers not only for you and your team but for your prospects and clients too. Whoever we work with, on whatever level, we deliver not only amazing I.T. support services but future results for your business. We look constantly to make sure the systems you use are creating the desired results for you and those you support with your products and services.

Our traditional I.T. support contracts offer system monitoring (among many other amazing business benefits), so each month we’ll look to see how improvements can be made to your systems, improving productivity and team efficiency and thereby creating amazing experiences for your clients and prospects.

And our Growth Partnership services provide a working platform for us to sit down once a month or every quarter, go through results with a fine-tooth comb, and produce better results after each meeting.

To find out more about either of these services please give us a call on 01937 586888 or click on the relevant link below.

I.T. Hardware and Infrastructure Support

Business Growth Partnership

The importance of Encrypting your data

Data breaches are on the increase; in fact, data breaches are the hackers’ new preferred way of making money, using the information they find to extort you. And to fan the flames, the Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.

Therefore it is worth seriously considering encrypting any sensitive data, to best protect yourself from 1. breaches of your data and 2. regulatory action from the ICO.

The basics

  • Encryption protects information stored on devices and in transmission.
  • It is a way of safeguarding against unauthorised or unlawful processing of data.
  • Organisations should consider encryption alongside other technical and organisational measures, such as Endpoint protection on all devices and servers.

What the Data Protection Act says

Principle 7 of the Data Protection Act states:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

What is encryption?

Encryption is a mathematical function using a secret value — the key — which encodes data so that only users with access to that key can read the information.
In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.

Example

An organisation issues laptops to employees for remote working together with secure storage lockers for use at home and locking devices for use outside the home. However there is still the risk of loss or theft of the devices (eg whilst being used outside of the office).

Therefore the data controller requires that all data stored on laptops is encrypted. This significantly reduces the chance of unauthorised or unlawful processing of the data in the event of loss or theft.

Encryption in practice

Information is encrypted and decrypted using a secret key (some algorithms use a different key for encryption and decryption). Without the key the information cannot be accessed and is therefore protected from unauthorised or unlawful processing.

Whilst it is possible to attempt decryption without the key (by trying every possible key in turn), in practical terms it will take such a long time to find the right key (ie many millions of years) that it becomes effectively impossible. However, as computing power increases, the length of time taken to try a large number of keys will reduce so it is important to keep algorithms and key sizes under consideration, normally by establishing a review period.

Encryption should be considered alongside a range of other technical and organisational security measures.

Organisations will need to ensure that use of encryption is effective against the risks they are trying to mitigate, as it cannot be used in every processing operation.

Organisations should consider the benefits that encryption will offer as well as the residual risks and whether there are other security measures that may be appropriate to put in place. A Privacy Impact Assessment will help document any decisions and the reasons for them. This can also ensure that the organisation is only using the minimum of personal data necessary for the purpose.

The importance of good key management should also not be underestimated. Organisations should ensure that they keep the keys secret in order for encryption to be effective.

Encryption can take many different forms. Whilst it is not the intention to review each of these in turn, it is important to recognise when and where encryption can provide protection to certain types of data processing activities.

Encryption is also governed by laws and regulations, which may differ by country. For example, in the UK data owners may be required to provide access to the key in the event they receive a court order to do so.

Not all processing activities can be completely protected from end to end using encryption. This is because at present information needs to exist in a plain text form whilst being ‘actively processed’. For example, data contained within a spreadsheet can be stored in an encrypted format but in order to be opened by the spreadsheet software and analysed by the user it must first be decrypted. The same is true for information sent over the internet – it can be encrypted whilst it is in transit but must be decrypted in order for the recipient to read the information.

When is encryption useful?

When processing data, there are a number of areas that can benefit from the use of encryption. The benefits and risks of using encryption at these different points in the lifecycle should be assessed separately. The two main purposes for which data controllers may wish to consider using encryption are data storage and data transfer. These two activities can also be referred to as data at rest and data in transit.

Recommendation

Data controllers should have a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it.

For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or within an attachment) should be sent encrypted or that all mobile devices should be encrypted and secured with a password complying with a specific format.

Data controllers should also be aware of any industry or sector specific guidelines that may recommend a minimum standard for encrypting personal data.

I.T. Hardware and Infrastructure Support

Article adapted from ICO

Apple’s macOS High Sierra allows root access with no password

Firstly, we’d like to point out that security experts warn the public not to try to test the issue locally or remotely, as there is a risk of increasing the attack surface.

It all started on Twitter, where a software developer claimed it was possible to obtain root access on Apple’s High Sierra without a password. A pretty strong claim if you understand exactly what root access to a system affords you.

Lemi Orhan Ergin, in his initial tweet, directed his findings directly to Apple.

The issue Lemi discovered in High Sierra is a serious one: root access to a system allows you to play God and gives every permission possible to make changes. At this point, it’s not clear if High Sierra is the only OS affected. That said, our in-house tests have failed to reproduce the error on any other version of Apple’s recent OS releases.

High Sierra users need to address this issue urgently, as the root password bug is exploitable remotely, including through applications such as VNC and Apple Remote Desktop.

However, for those wanting to test their own systems, proceed with caution: testing locally will open systems up to remote attack, especially via Screen Sharing.

“By testing this vulnerability on your own computer, you’ll end up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop,” explained Bugcrowd’s Keith Hoodlet, Trust and Security Engineer.

“By testing this vulnerability on your own system, you remove existing safeguards around the root (i.e. God-mode) user – enabling passwordless root access to your system. Given the level of access the root account has, it has many (and wide-ranging) potential security impacts, including remote access through various services. We have internally confirmed that it adversely affects the Screen Sharing service.”

Apple have today released an update to address this rather serious security hole in its software, and we would suggest you install it at your earliest convenience.

Apple has released Security Update 2017-001 to address what they call a “logic flaw” that allowed the abuse of the root user account locally and in some cases, remotely. All macOS users are encouraged to install the patch immediately.

After the patch is installed, if the root user is required (it shouldn’t be), the account will need to be re-enabled and have its password reset.

A pragmatist’s guide to Cyber Security

This week, as part of Leeds Business Week, we had 20 people booked on a free seminar we delivered at The Pit in Leeds City Centre.

It was a good bunch of people in attendance, and after the seminar we had a really good chat about cyber security, with some amazing questions about the future of cyber security and the best practices for protecting their businesses.

The reason we worked with Leeds Business Week to deliver this seminar was to increase awareness of where we find ourselves in the fight against hackers, viruses, malware and ransomware.

The truth is we are losing the fight: the hackers from countries such as China and Russia are out in front and we are trying to play catch-up. Traditional methods of protecting users are out the window, with modern techniques concentrating on remedy and pretty weak firewalls, and it doesn’t help when the NSA practically gift their ransomware tools to the general public.

Security applications now seem to be moving towards anticipating user behaviour in an effort to combat infections and security breaches. But even with all of this and the most sophisticated software in the world, the best strategy is to make sure that should you suffer a data breach it’s as small as possible and you can get back on your feet as soon as possible.

In a nutshell, this follows two paths:

  1. Backup
  2. Device Protection

In terms of backup, we suggest a method that achieves the following:

– Previous versions

If your data is somehow corrupted by an infection, or anything else for that matter, it’s important to have a backup that keeps previous versions. This is probably the most important part of keeping successful backups.

– Email reports

It’s one thing putting a backup in place and another keeping an eye on it to make sure it’s running properly. We’ve seen many a failed backup discovered only when it’s time to use the data, leaving the client with nothing. Email reports keep you in the loop and alert you to backup failures.

– Offsite copies

If something should happen to your offices, it’s important to have a copy of your data offsite to restore from: burst pipes, fire and theft happen to a business on average every 7 minutes, and ransomware attacks are successful every 40 seconds.
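The three requirements above (previous versions, a report that says whether the copies are actually good, and copies held away from the live data) are easy to state and easy to get wrong in practice. As an added example, not code from this post or from Aurora Tech Support, here is a small Python store that keeps every distinct version of a file, records a SHA-256 hash alongside each copy, and produces the kind of report the post recommends emailing: empty when every stored copy still verifies, one line per problem otherwise. The file name, its contents and the "encrypted by ransomware" version are constructed for the example, and the store is an in-memory dict so the example runs offline; a real one would write to separate, offsite media.

```python
"""Illustrative versioned backup store with integrity reporting (added example,
not from the post). Every distinct version of a file is kept immutably with its
SHA-256 hash, so a later corruption of the live file cannot overwrite the
history, and verify() re-hashes each stored copy the way a backup job's email
report should, instead of assuming the copy is good because the job ran."""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Version:
    created: float      # epoch seconds when this copy was taken
    sha256: str         # hash recorded at backup time
    data: bytes         # the stored copy (in memory for this example)


@dataclass
class VersionedBackup:
    _versions: Dict[str, List[Version]] = field(default_factory=dict)

    def backup(self, path: str, data: bytes) -> bool:
        """Store a new version of `path`. Returns False if the content is unchanged."""
        digest = hashlib.sha256(data).hexdigest()
        history = self._versions.setdefault(path, [])
        if history and history[-1].sha256 == digest:
            return False                      # nothing new to keep
        history.append(Version(time.time(), digest, bytes(data)))
        return True

    def restore(self, path: str, version: int = -1) -> Optional[bytes]:
        """Return a stored copy: -1 is the latest, -2 the one before, and so on."""
        history = self._versions.get(path, [])
        try:
            return history[version].data
        except IndexError:
            return None

    def verify(self) -> List[str]:
        """Re-hash every stored copy; one line per problem, empty list if healthy."""
        problems = []
        for path, history in self._versions.items():
            for i, v in enumerate(history):
                if hashlib.sha256(v.data).hexdigest() != v.sha256:
                    problems.append(f"{path} version {i}: stored copy no longer matches its hash")
        return problems

    def report(self) -> str:
        """Text suitable for the daily email: a clear OK, or the list of failures."""
        problems = self.verify()
        total = sum(len(h) for h in self._versions.values())
        if not problems:
            return f"Backup check OK: {len(self._versions)} files, {total} versions verified"
        return "Backup check FAILED:\n" + "\n".join(problems)


if __name__ == "__main__":
    store = VersionedBackup()
    store.backup("accounts.xlsx", b"Q1 figures: 1,234.56")        # constructed clean copy
    store.backup("accounts.xlsx", b"\x00\xff ransomware garbage")  # constructed corrupted copy
    print(store.report())
    print("latest copy:", store.restore("accounts.xlsx"))
    print("previous version:", store.restore("accounts.xlsx", -2))
```

The useful property is the combination: because the corrupted file is stored as a new version rather than replacing the old one, the clean copy is still there to restore, and because the report re-hashes what is stored rather than reporting that the job finished, a silently rotten copy shows up before the day you need it.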

Now we come to device protection, and you might not like this: as we mentioned before, the hackers are currently winning and the software and hardware protection available is somewhat lagging behind. But if you’re using free antivirus software you’re leaving yourself open to attack, literally.

These products are free for a reason, and while part of that reason is to sell you their more expensive product that actually offers a small amount of protection, they are far, far behind the leaders. You need to protect your offices with a robust Endpoint UTM solution. Don’t worry about what that means, just give us a call.

01937 586888

I.T. Hardware and Infrastructure Support

Yahoo! tripled its quota on what was already the largest data breach in history.

This week Yahoo announced that what was already the largest data breach in history was in fact 300% bigger, and that all of its 3 billion users had their data obtained, not the 1 billion it revealed late last year.

On Tuesday the company announced that the breach it previously disclosed in December was in fact much larger than originally expected. Yahoo claim that following its acquisition by Verizon in June, it obtained new intelligence while investigating the breach with help from outside forensic experts.

Yahoo believes the stolen customer information did not include passwords in clear text, payment card data or bank account information.

I have to say this seems to be the new normal. Hackers are looking for information, and poor security is the same as leaving the door open. We’re no doubt going to become a stuck record on this one, but as well as the amazing I.T. support we offer in the Leeds area, we work with over 150 companies to secure their data and protect their networks.

If you’d like a free, no-obligation chat to discuss your company’s security needs, please get in touch.

Free Consultation

The cost of Noncompliance to your Business

The cost of noncompliance with regulatory frameworks such as PCI DSS, HIPAA and SOX is fast becoming a very real concern for SMEs. Where previously it was assumed that only bigger organisations had to deal with the fallout of security breaches, data and security are now a very real concern for businesses of all sizes. The data we hold, and the growth in the data we hold, has meant that even the smallest companies can create very real and costly problems for their clients, financial institutions and governments.

These problems include both the obvious direct consequences and the less foreseeable indirect ones.

No matter how noncompliance is discovered, whether by an audit or as the result of a breach, the effect can be devastating for a business. When a breach occurs, its impact often extends well beyond the fines levied; it can include the cost of finding the root cause of the breach, remedying it, and notifying anyone affected.

The cost multiplies when legal expenditures, business-related expenses, and loss of revenues from damaged brand reputation are factored in.

If you think you might not be protecting your business and clients as well as you could or should, please give us a call.

01937 586888

GDPR and your Client Data

Ah, GDPR. Makes you want to go back to paper and pen. While a lot is being made of the impending doom of GDPR being enforced from May 2018 onwards, we might be freaking out a little.

Or we may not; only time will tell.

Yesterday morning, while meeting with my good friends and business associates at a weekly Business Breakfast I take part in, we got to discussing GDPR: its impact on businesses in terms of how they hold their data, the likelihood of penalties for SMEs, and the impact on marketing activities. To skip to the end: I decided to read up a little more on GDPR and how we could help companies make sure the data they hold is compliant with the rules.

It was clear there was a lot of uncertainty in the room regarding the changes, and unease at how people would ensure they don’t fall foul of them. In short, the guidance covers:

  1. holding data in a secure and lawful way.
  2. acquiring and processing that data in a lawful way.

So in terms of how we (Aurora Tech Support) can help your business: in our capacity as I.T. support and solutions provider, we can make sure that you and your business secure the data you hold and store within the law and the guidelines of GDPR.

If you’d like to discuss this further, please book a FREE consultation below.

https://auroratechsupport.co.uk/freeconsultation.php

Fines of up to £17m or 4% of turnover for Companies neglecting their security and leaving systems open to cyber attacks

The Government announced today that they will fine companies up to £17m or 4% of turnover for neglecting their security and leaving systems open to cyber attacks.

The Government will target the transport, health and energy sectors, the Department for Digital, Culture, Media and Sport (DCMS) has announced. The plans make sure that those providing essential services are taking strong enough measures to prevent downtime as a result of a cyber attack.

The Department for Digital, Culture, Media and Sport have announced that the minimum expected standards are monitoring for threats, processes to detect cyber attacks, staff training in cyber security, and measures for quick recovery of systems after an attack. All of which our Cyber Security protection covers (click here).

If a business was the victim of a cyber attack and was found by the Department for Digital, Culture, Media and Sport to have fallen short of the new standards, it could be fined under these new rules.

The Minister of State for Digital and Culture, Matt Hancock, has said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.”

Recent major cyber attacks include WannaCry, which crippled large parts of the NHS, and other major ransomware attacks that hit many of the world’s largest firms.

The Government have encouraged businesses and public providers to respond to the DCMS plans.

Another week another leak, Swedish Government suffers major Data Leak

Today Swedish Prime Minister Stefan Lofven confirmed at a press conference that his administration had likely exposed the personal information of millions of Sweden’s citizens.

Back in September 2015 the Swedish Transport Agency outsourced its database and IT service management to private companies in the Czech Republic and Serbia. What seems to have happened is that the Government started uploading its data to the private companies’ cloud servers, where it was accessible to individuals outside of Sweden without the relevant security clearance.

The data compromised consisted of the names, photos and home addresses of Swedish citizens held by the Swedish Transport Agency (STA). And as if that wasn’t bad enough, the data was also still available to STA IT workers back in Sweden just after they had been laid off, so any disgruntled ex-employees could download to their hearts’ content.

THEN….

In March 2016 this information was made available to marketing companies (no, I don’t know why this information should be sold off either); however, this time the information included those with protected identities, i.e. military personnel and people in witness protection. The Swedish Secret Service noticed the mistake and notified the STA.

ARE WE GETTING THERE? … NO, NO WE’RE NOT

The database admins emailed employees identifying all of the information that was supposed to be protected, and asked the vendors to simply remove it from their databases.

The moral of the story here is clearly that you need to be very careful who you instruct to secure your data.

Now don’t get me wrong, mistakes happen, but data should always be properly encrypted and clearance to use that data needs to be properly managed. Whatever your company’s needs, Aurora Tech Support can help.

Get in touch

I.T. Hardware and Infrastructure Support