Five Tips to Protect Yourself from Social Engineering

What is social engineering?

With social engineering, someone attempts to gain access to passwords and other sensitive information not through technical savvy, but by using various psychological tricks to gain your confidence and fool you into granting unwarranted privileges or access to protected data.

For example, an individual may pose as a customer service representative for a software company or as IT personnel; they then talk their way into obtaining your data and exposing you to further attacks. Other tactics include impersonating a colleague or potential associate via email or social media. In other situations, they may start out as strangers and then befriend you, gaining enough of your trust to get you to click on a malicious link in an email and download malware to your system. They may also try to find out enough about you to guess your password or your responses to password recovery questions in order to gain access to your accounts.

How can you prevent social engineering scams?

These types of scams often come as a surprise. They exploit people's ready tendency to extend trust and accept explanations at face value. However, there are ways to reduce your chances of getting taken in by social engineering. The following are five tips:

- Raise awareness among your employees. If employees are aware of the risks and get introduced to the tactics commonly used in social engineering, they're more likely to remain cautious even when approached by charismatic, confident, and seemingly trustworthy individuals. It's less likely that they'll accept information at face value. Offer training programs, and demonstrate to employees how sensible preventive measures can better protect them from scams in their personal lives, not only at work. Stress how important it is to pause and think instead of automatically clicking on links or disclosing sensitive information.

- Devise and enforce a comprehensive security policy. For example, you can institute rules about the kinds of files employees are allowed to download on company devices, and the kinds of information they're allowed to disclose on social media or in person (or even just leave out in the open on their desks). Be sure to check up on whether or not they're taking these policies seriously. Turn lapses into opportunities to once again discuss the consequences of poor security and the importance of caution.

- Adopt layers of protection. You should have in place a series of checks for confirming identity and detecting impostors. For example, if someone shows up at your office claiming to be a computer technician, your employees should check for appropriate identification and call up the company the technician allegedly works for. Another strategy is to share information or suspicions about hacked accounts; for instance, if one of your employees thinks their email account has been compromised, they should notify everyone else.

- Pay especially close attention to new employees. Because new employees are less familiar with your company and the people you employ on the outside, they're more susceptible to getting tricked.

- Model secure behavior. As a leader within your company, your employees will look to you for examples of safe practices and cautious behavior. If you pick security questions that are easily guessed or get lax about access to your network and servers, your employees won't take your cyber security initiatives seriously. Remember that there's […]

Tip of the Week: Add a PIN to Windows 10 Login to Improve Security

One way to do this is by using Windows 10's built-in PIN system. Here's how you can set up a PIN, including how you can change or reset it if need be.

Why Use a PIN?

Using a PIN offers a few unique benefits over the traditional password. For example, Windows 10 uses the same password as your Microsoft account, which means that if this password is stolen or compromised by a hacker, they can access other services tied to your Microsoft account. If you're using a PIN to access your PC, the PIN is unique to your Windows 10 device, meaning that a hacker would have to enter the PIN locally, which makes it a much less risky gambit than using a password.

Add a PIN

First, click on the search bar at the bottom of the screen and type Settings. Then, select Sign-in options in the left column. Scroll down to the PIN section in the right column, and click Add. You'll then be prompted to verify your password. Once you've done so, click OK. Next, you'll be taken to the Set up a PIN page. All you need to do is type your desired PIN in the provided fields. The only requirement for a PIN is that it needs to be between four and nine characters long, but you need to make sure that it's not something that can easily be guessed. Be sure to keep these pointers in mind:

- The longer the PIN, the better the security: You've heard all about how using a complex password is a best practice, and the same can be said for your PIN. Make it as long as possible; this makes it more difficult for hackers to guess.

- Refrain from using PINs from other accounts: Everyone has credit cards that they use a PIN for, but these numbers shouldn't be used for every single account you have. You should have individual PINs for each of your different accounts. Otherwise, one compromise could lead to multiple breaches.

- Use as many different numbers as possible: In much the same way that a password should contain a variety of letters, you want to stay away from short PINs made up largely of the same digit.

Change or Reset Your PIN

Windows 10 makes it easy to change your PIN. Navigate back through Settings > Accounts > Sign-in options, and click Change underneath PIN. You'll then be taken to the Change your PIN screen. If you need to reset your PIN, click I forgot my PIN next to the Change button. This will let you reset your PIN. Keep in mind that you'll need to use your current account password to do so.

For more great tips, be sure to subscribe to White Mountain IT Services's blog.
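To turn the three pointers above into a check you can actually run, here is an added Python example (not White Mountain IT's code and not part of Windows) that tests a candidate PIN against the post's rules: the four-to-nine-character length limit, preferring longer PINs, not reusing a PIN from another account, and using as many distinct digits as possible. It also flags straight runs such as 1234 as guessable, which goes slightly beyond the post's wording. The sample PINs, the RECOMMENDED_LEN target of 8, and the function names are assumptions made for this example.

```python
"""PIN strength checker for the guidance above (added example, not the blog's code).

Rules implemented:
  1. length must be 4-9 digits (the Windows 10 bound stated in the post); longer is better
  2. do not reuse a PIN from another account
  3. use as many different digits as possible
Plus one extra: straight runs (1234, 9876) are flagged as trivially guessable.
Every sample PIN below is constructed for illustration only.
"""

MIN_LEN, MAX_LEN = 4, 9   # PIN bounds as stated in the post
RECOMMENDED_LEN = 8        # assumption: a target well above the bare minimum


def is_straight_run(pin: str) -> bool:
    """True if every digit moves by exactly +1 or exactly -1 from the previous one."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def check_pin(pin: str, other_pins=()) -> list:
    """Return the list of problems with `pin`; an empty list means it passes every rule."""
    if not pin.isdigit():
        # Bail out early so the digit arithmetic below never sees a non-digit.
        return ["numeric PIN expected (digits only)"]

    problems = []
    if not MIN_LEN <= len(pin) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN}")
    elif len(pin) < RECOMMENDED_LEN:
        problems.append(f"shorter than the recommended {RECOMMENDED_LEN} digits")

    if pin in set(other_pins):
        problems.append("reused from another account")

    # Rule 3: half or more of the positions repeating the same digit is too little variety.
    distinct = len(set(pin))
    if distinct <= max(1, len(pin) // 2):
        problems.append(f"only {distinct} distinct digit(s); use more variety")

    if len(pin) >= 3 and is_straight_run(pin):
        problems.append("sequential run is trivially guessable")
    return problems


if __name__ == "__main__":
    # Constructed sample: a PIN already used for a (fictional) bank card.
    known_elsewhere = {"2580"}
    for candidate in ("1111", "1234", "2580", "8351", "83519047", "12a4"):
        verdict = check_pin(candidate, known_elsewhere) or ["OK"]
        print(f"{candidate:>9}: {'; '.join(verdict)}")
```

Run it as a script to see each constructed sample judged, or import `check_pin` and feed it the list of PINs you already use elsewhere as `other_pins` to enforce the "don't reuse" rule.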

Security Awareness: Could Your Employees Constitute an Inside Threat?

Talk to Your Employees

It's not just a question of having your personnel read and sign a document regarding your organization's IT policies. What you need to do is to also communicate the likelihood of a cyber attack and stress the potential negative impact on the functioning of the organization. Get your employees involved by explaining that they have obligations to the company in this respect.

Involve the Whole Company

It's important to include executives and top management. Cyber "pirates" can aim their malfeasance at traveling executives using free hotel Wi-Fi without encryption. Keep in mind that potential damage and financial rewards can be much larger for cyber criminals if top level management is targeted.

Hold Regular Training Sessions

Training in cyber security should be mandatory for all new employees, and refresher courses should be conducted for everyone. Training needs to happen before there's a problem. Specific rules should be put in place with respect to Web browsing, e-mails, file transfers, application downloads, mobile devices and social networks. Employees should be made aware of suspicious links from unknown sources. They also should be trained to recognize suspicious contacts from individuals posing as co-workers and asking seemingly innocuous questions; what these persons are really doing is gathering information about the company and its operations. Give your attendees regular quizzes to test their cyber security knowledge; make it relevant, fun, and rewarding with incentives for good responses.

Collect Feedback

Encourage your employees to make it known if they find some procedures too difficult to comply with. For example, if you make it mandatory for everyone to change their passwords on a weekly basis, be aware that they will find less secure workarounds such as writing them down in their personal on-line documents or on post-it notes in their cubicles.

Don't Discourage Your Employees from Reporting an Incident

Even if it transpires that it's a false alarm, never disapprove of or make a joke out of an employee who puts up a red flag. If you do, all you will accomplish is to make the individual think twice before speaking up again. If you think that there are too many false alarms, take a look at your training methodology.

Alert Your Workforce Promptly to a Problem

If you do have an incident, communicate this to your employees as soon as possible. A delay in getting this information out may significantly increase the adverse impact of the situation.

Establish Plans

One plan should contain step-by-step instructions about what employees should do if they believe they have encountered a cyber incident. Another plan should provide internal communications and public relations strategies to ensure a prompt and calm response to a cyber attack.

Conclusion

You need to defend your business against cyber crime and malware. However, you don't have to try to do this alone; we have the expertise to help you. Please get in touch with us to learn how you can significantly reduce your organization's security-related risks from inside and outside sources.

Baseball Executive Found Guilty of "Performance Enhancing Hack Attack"

On January 9, 2016, the former scouting director of the St. Louis Cardinals pleaded guilty to five counts of unauthorized access to a private computer for using a former employee's credentials to hack into a rival team's scouting database, opening up the threats to data security to all competitive sports franchises.

Christopher Correa, a longtime member of St. Louis' front office, was charged with taking liberties with his former boss's login credentials. That former boss, listed in the indictment as "Victim A" and widely believed to be current Houston Astros General Manager Jeff Luhnow, apparently used the same login credentials he had used as a member of the Cardinals' front office. Correa used this information to hack into Houston's scouting database several times around the MLB First-Year Player Draft last June. The government has subsequently valued the information Correa gained as a result of the hack at $1.7 million.

Correa had also accessed employee emails and 188 separate pages of confidential information by using "Victim A's" credentials. Since "Victim A" had universal clearance within his organization's databases, it gave Correa some useful information on who St. Louis was scouting. Correa has subsequently admitted his crime and was quoted as telling the presiding judge, Lynn Hughes, that it was a "stupid" thing to do. Sentencing will commence on April 11, 2016.

Luhnow recognized the security problem and changed his credentials, which resulted in Correa hacking into the Astros' email server and obtaining the credentials of two more of the organization's employees. Although Luhnow had taken the GM job in Houston in 2011, his lack of password protection put his whole organization's data infrastructure at risk. He made the following statement shortly after Correa's plea:

"I absolutely know about password hygiene and best practices. I'm certainly aware of how important passwords are, as well as the importance of keeping them updated. A lot of my job in baseball, as it was in high tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard."

Despite his comments, it took a rival hacking into his organization's database for him to follow industry best practices and change his login credentials. This situation presents a poignant example of how network security is an end-to-end initiative. It's just as important for people to follow the best practices of password management as it is to have integrated intrusion security and access control solutions for your network. You don't get three strikes to secure your network against malicious entities that may want to get in.

To get more information about the best practices for comprehensive network security, or to speak with our certified technicians about remote monitoring and management or other comprehensive network security solutions, call us today at (603) 889-0800.