by Felicien | Nov 6, 2017 | Education
Equifax has been all over the news lately. Earlier this year, news of the massive hacking of the credit reporting agency has left the company scrambling to try and make sure client data is secured. However, the IRS has issued a recent warning to consumers that tax refund dollars face an increased chance of being stolen thanks to the recent Equifax breach.
The Equifax hack revealed the Social Security Numbers of approximately 143 million Americans, which, according to the IRS, makes them extremely vulnerable to being the victims of tax fraud in the upcoming tax season. This could result in Americans not getting their tax return check at all, with the average return amount cited as roughly $3120. Without a doubt, the cost of the hack will be astronomical.
What’s the Next Step? Beefing Up IRS Security to Reduce Chances of Tax Fraud
Tom Schatz, President of Citizens Against Government Waste recently wrote to the Treasury about the issue. He stressed the fact that the Equifax hacking scandal leaves millions of American’s hard earned dollars up for grabs. Additionally, he urged the IRS to strengthen their lines of defense to prevent fraud proactively.
“During the 2017 tax season, these individuals will be at an increased risk of having their tax returns stolen,” writes Schatz. “And the IRS’s outdated legacy IT systems will only heighten the threat.”
Citizens Against Government Waste is dedicated to driving technological innovation and heightened security within government institutions. The group is a key driver in urging administrations to stop wasting government dollars on outdated IT systems that do not adequately protect client data.
Schatz went on to cite that IRS technology spending needs a complete overhaul, noting that the current system missed 54,175 fraudulent returns totaling in a staggering $313 million American taxpayer dollars.
IRS Stirs the Pot: Announces Multi-Million Dollar Security Contract with Equifax
In early October, amidst warnings of tax fraud and calls for higher security, the IRS made a bold move. The agency announced a $7.25 million contract with Equifax for the sharing of personal information. That’s right, the US International Revenue Service struck a multi-million-dollar personal information sharing deal with the company at the center of the biggest breach of personal data in recent history.
In the contract, the IRS states that Equifax was the only company capable of providing what it deemed a “critical” service. The sharing of personal information between Equifax and the IRS would apparently help verify tax-payer identities to prevent fraud. The critical service contract apparently couldn’t wait and had to implement immediately, despite security concerns.
Government representatives from across the floor we’re quick to condemn the proposed contract.
“In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed,” said Senate Finance Chairman Orrin Hatch in a statement to POLITICO.
“The Finance Committee will be looking into why Equifax was the only company to apply for and be rewarded with this contract,” added Senator Ron Wyden. “I will continue to take every measure possible to prevent taxpayer data from being compromised as this arrangement moves forward.”
IRS Suspends Contract: Newest Equifax Breach Leaves IRS Backpedaling
As you might guess, it didn’t take long for the IRS to change their tune. Mere weeks after announcing this multi-million-dollar info-sharing contract with Equifax, the IRS had second thoughts. While the initial massive security breach might not have shaken their confidence, a second breach of the Equifax website in mid-October left the IRS with no choice but to can the contract.
After noticing that a third-party vendor was running malicious code on their webpage, Equifax quickly shut down the site. This most recent attack involved bogus pop-up windows on the Equifax web page that could trick visitors into installing software that automatically displays advertising material. Following this security concern, it didn’t take long for the IRS to put a hold on their plans to strike the $7.25 million deal with the credit reporting agency.
“The IRS notified us that they have issued a stop-work order under our Transaction Support for Identity Management contract,” an Equifax spokesperson said on Friday.
“We remain confident that we are the best party to perform the services required in this contract and we are engaging IRS officials to review the facts and clarify available options.”
The IRS was quick to explain the suspension as well:
“During this suspension, the IRS will continue its review of Equifax systems and security,” said a spokesperson for the IRS. “There was no indication that any of the IRS data shared with Equifax under the contract had been compromised.”
The contract suspension means that the IRS will temporarily be unable to create new accounts for taxpayers using its Secure Access portal, which supports applications including online accounts and transcripts. According to the IRS, users who already had Secure Access accounts established will not be affected.
What Now? Critics Rejoice and Prepare for Further Investigation
Critics of the $7.25 million contract with Equifax we’re pleased to learn that the IRS had finally decided to put the kibosh on the project.
“From its initial announcement, the timing and nature of this IRS-Equifax contract raised some serious red flags,” said Republican Representatives Greg Walden and Robert Latta in a joint statement. “We are pleased to see the IRS suspend its contract with Equifax. Our focus now remains on protecting consumers and getting answers for the millions of Americans impacted by the original and massive breach.”
For Equifax however, no celebration is in order. Government contracts in areas such as healthcare, law enforcement, social services, and tax and revenue, are major sources of revenue for Equifax. In fact, in 2016, government services made up 5 percent of Equifax’s overall $3.1 billion in revenue, accounting for 10 percent of its workforce solutions revenues, 3 percent of its U.S. information solutions revenues, and 7 percent of its international revenues, according to a regulatory financial filing.
Even worse? The Justice Department has opened a criminal investigation into three Equifax executives who sold almost $1.8 million of their company stock before the original breach was publicly disclosed, according to Bloomberg media.
What Can Taxpayers Do to Stay Protected?
So, as government officials cast shame upon the IRS and Equifax, many American tax payers are left wondering: if my data is unprotected, what can I do myself to make sure I don’t get robbed during tax season? There’s no fool-proof plan or cut and dry solution, but there are some things that consumers can do to stay alert.
Here are a few strategies for keeping a finger on the pulse of what’s happening:
Stay in the know
First and foremost, make sure you’re staying up-to-date on any news related to Equifax and IRS security. Knowledge is power, the more you know about what’s going on, the more strategically you can protect yourself.
File early but prepare to wait
In light of all these security concerns, the IRS will be navigating tax season very carefully. Get your tax documents organized ahead of time and file your claim as early as possible. However, keep in mind that because the IRS will be moving carefully, you’re likely to wait longer than usual for your return.
Get to know the limits of the credit freeze process
Many consumers have already taken action to protect their data and money by implementing credit freezes. However, consumers should be aware that credit freeze tools or other monitoring mechanisms are not fail-proof and even with these systems in place, tax fraud still happens.
Review your most recent tax returns
Take a look at last year’s tax return and study it closely. This will give you a frame of reference and an idea of what to expect this year. Knowing what your tax return usually looks like is a great tool for detecting fraud immediately.
Monitor tax records in real time
The IRS has an online portal that allows taxpayers to see the details of their tax return and other information at any time. However, make sure you remember that signing up for this portal is time intensive and requires handing over a lot of personal information. In light of recent security concerns, holding off on this strategy this year may be wise.
Consider getting a tax PIN
This strategy is only for individuals who have already been victims of tax fraud. However, it’s good to keep in mind in the case that you are impacted by a scam. The IRS offers and IP PIN service, and those who sign up for a PIN are required to use it every tax season moving forward.
Be wary of other scams
It may seem like you have enough security concerns to be thinking about, but consumers must keep in mind that cyber scams happen more frequently every day. Never assume that your data and money are completely safe, because unfortunately, that’s not the case. Be vigilant in detecting phone, email and direct mail scams that claim to come from the IRS. Always think twice before giving out any data.
If you’re looking for ways to better understand cybercrime and how the increased number of hacks and scams is putting your own data and money at risk, reach out to a local team of IT experts for a full run down. Wrapping your brain around cybersecurity can be a headache, but it’s critical in our tech-based world.
by Felicien | Nov 6, 2017 | Education
The latest strain of ransomware — GIBON — is making the rounds; make sure your business knows how to protect against it.
Ransomware is now a household name, and there’s no going back. Even though cybercriminals have been using ransomware for years now, it wasn’t until the global Wanna Cry attack earlier this year that awareness reached critical mass – but that was just the beginning.
A new ransomware strain known as “GIBON” was discovered last week as a part of otherwise conventional phishing campaigns. Hidden in emails, GIBON is distributed via macros that are downloaded and executed on the victim’s computer. Named for a particular user string that it uses when connecting to the target’s command-and-control server, GIBON targets and encrypts every file on the computer regardless of extension. Once complete, all files are left encrypted unless the victim pays the ransom.
Even more worrying, some suspect that this strain of ransomware may be Russian-made, given that its logo is based on that of a Russian television company, and that Russian email addresses are to be used to make the ransom payment. At the moment, it is not known how much the ransom is.
However, as with any strain of ransomware, there are a few key steps you and your employees can take to protect your business:
Be suspicious of emails and attachments from people or companies that you don’t do business with, as most ransomware infections arrive via infected word/xls/zip/exe files.
Backup your data on-site and off-site, and test your backups regularly.
Create a plan for getting infected, and regularly test your plan.
Consult with trusted cybersecurity and IT professionals.
Remember – you don’t have to do this alone. {company} will help you set up robust backup solutions, develop cybersecurity response strategies, and help you protect against threats like GIBON.
For more information about GIBON and how to protect against it, contact the {company} team at {phone} or {email}.
by Felicien | Nov 6, 2017 | Education
GIBON is a new type of ransomware that first emerged on the scene last week and has since been utilized in a wide range of cyber-attacks. The main way this GIBON-variant is spread is by malspam with an attached malicious document, which contain macros that will download and install the ransomware on a computer. This means that through phishing emails, users are tricked or induced into opening a file containing the ransomware, called GIBON after a phrase that appears several times in the code. If the user follows through and opens the attached file, the ransomware then takes over.
We are still working to discover all the details on how GIBON is distributed, we do know that when it is first started, it will connect to the Command and Control Server for the ransomware register a new victim by sending a base64 encoding string with the timestamp, the register string, the version of Windows. Basically, this means it is telling Command Central that your computer is a new victim and has not been infected before.
Once it has locked into your system, it begins to encrypt all your files, regardless of extension. Only the Windows folder is safe. For each file that is encrypted, it will make a READ_ME_NOW.txt file, providing instructions for what you should do and how to get your files back. It instructs the victim to send emails to bomboms123@mail.ru or subsidiary: yourfood20@mail.ru for instructions on payment.
The good news is that there is a decryptor available from BleepingComputer.com to counter this version of ransomware. You still want to be vigilant in protecting yourself and your data on a daily basis. Some things to remember are:
Backup that data. You can never backup too often.
If you don’t who is sending an attachment, don’t open it.
If it appears to be from someone you know, verify that they sent you one before opening.
Install Windows updates as soon as you see them available. They are there for a reason.
Make sure you are using passwords and don’t use the same password on multiple sites or more than once.
Unfortunately, no matter how strong the security solutions, attacks will continue to slip through the cracks. Therefore, MSPs and MSSPs who are looking to fully-protect their clients must implement a proper, reliable backup and disaster recovery (BDR) solution with online and offline backup solutions as the ultimate failsafe against successful attacks. Your data is important, don’t let some hacker take it away.
by Felicien | Nov 6, 2017 | Education
Becoming an A+ compliance manager may not be the most intuitive prospect, but with careful attention to what the role entails and the right IT help, you’ll get there.
While most people assign compliance to the same snooze-worthy category as watching paint dry, it’s actually a very important topic – and to you, the compliance manager, probably a very interesting one. (Much more so than paint drying, which isn’t even a real career.)
Becoming a stellar compliance manager – or compliance officer, depending on organization terminology – isn’t as simple as getting the job and striking off boldly into the sunset, though. Helping an organization remain in compliance requires ongoing, conscientious efforts to understand the compliance requirements of finance, operations, human resources, data security and more. It’s no small task.
The road to becoming an A+ compliance manager is paved with potential pitfalls, starting with misunderstandings about what compliance is or what the role entails, as well as how to carry it out without making enemies and continue to build skills over time. Even seasoned compliance officers may stumble here, so it’s good to take a periodic inventory of what the role entails and whether you’re on track for success.
What Is Compliance?
Compliance is the act of following federal, state and local rules and regulations governing financial institutions, healthcare organizations, insurance firms, and businesses in other industries. Breaking the law, even without intent, can have very serious consequences for a business, including lawsuits, bankruptcy or catastrophic failure. It is a compliance manager’s role to ensure this doesn’t happen, by keeping careful tabs on what goes on across the organization, assessing risks and responding to them appropriately.
Sad to say, compliance officers may also face the unpleasant duty of responding to intentional breaches. Money laundering and tax evasion happen all too frequently at the highest levels of corporations and aren’t uncommon even in small businesses. Ditto insider trading, conflicts of interest and Just Plain Ol’ Shenanigans. While whistle-blower isn’t the most appealing role, it is a necessary one for the health of the organization as a whole.
Given the potential for fines, sanctions, PR nightmares and shuttered businesses, compliance is crucial – and therefore, so are compliance managers.
The Compliance Manager’s Role
A compliance officer’s role is to work with other managers and department heads to identify and manage the risk associated with laws and regulations – more specifically, associated with breaking them, whether by accident or design. The rules are often very specific, allowing for no loopholes or creative explanations (“I didn’t inhale” is very unlikely to fly here, people).
However, this isn’t the only aspect of the role. Compliance managers are also responsible for making sure everyone else in the organization understands the possible risks and can spot potential issues as they crop up – and before they become firestorms of epic proportion. Because around here, we only like firestorms of medium proportion.
Just kidding. All firestorms = very not good. And as a compliance officer, you have a huge role in preventing them entirely. Your role may comprise many different responsibilities, which will differ depending on the type of organization you work for, but as a general rule, you will be expected to:
Identify risks and advise on courses to reduce or eliminate them
Design and implement controls that will manage these risks
Monitor the controls
Draw up regular reports on how well those controls are working, and present them to the C-Suite, shareholders and other stakeholders
Resolve compliance issues as they crop up
Help perform internal audits and hire outside help in performing periodic audits
Update your compliance and auditing procedures routinely
Teach others
Oversee the compliance department, which will vary in size in accordance with the size of your organization
Dual Levels of Responsibility
Before we go further, it’s crucial to understand the two levels compliance managers will have to address:
Level 1: This is compliance with external rules, and may include auditing, paperwork, licensing and so on for the organization
Level 2: This is a system of internal compliance systems that ensure the organization is always within compliance with external requirements
It’s possible that a compliance manager may only be responsible for one of these levels, but whether or not it is officially in the job description, an A+ compliance manager will always have a bead on both levels. That way, if any potential violations crop up anywhere in the organization, you can react immediately.
Transmitting Necessary Information … Without Making Enemies
Let’s call a spade a spade: Compliance managers aren’t likely to be voted Most Popular Employee anytime soon. That’s because they spend a lot of the day saying things such as “This isn’t safe enough,” “This violates XYZ and needs to be updated immediately” and “Oh, you know that system we just spent thousands on? It no longer works according to the new laws. Change it.”
Compliance officers are the messengers that everyone else wants to kill. Or at least, to deny donuts. And let’s be honest, that might be worse.
A good compliance officer’s role is to detect risks, then transmit the information about fixing them to the relevant departments, without causing a lot of friction. Unfortunately, oversight often does just that: cause friction. When you’re responsible for monitoring communication, checking that disclosures are present in all documentation, photocopying or scanning and retaining documentation for the future, reviewing transactions and other managerial tasks, it’s easy to ruffle feathers.
As compliance manager, it’s important you develop routines to automate these tasks so you aren’t always breathing down everyone’s neck. It’s also important to point out failures in compliance in a polite, respectful and gentle manner.
Building the Skills of an A+ Compliance Manager
As the above section should indicate, considerate communication is one of the most important skills in a compliance officer’s toolkit. Others include:
The ability to decipher confusing laws and regulations, and communicate them cogently
Maintaining high ethics
Maintaining impartiality and distance; keeping communication impersonal
The ability to learn constantly
The ability to act without a lot of direction from above
Leadership
Simplifying Compliance in the Short and Long Term
One of the most common slip-ups organizations make is to amass a large number of different services on a range of different platforms. Sure, it makes sense that over time you build up numerous relationships and that those different vendors use different infrastructures to provide their products and services.
The downside for you? That’s dozens of platforms to monitor, hoping no data leaks through the cracks. Dozens of platforms to ensure are in compliance at all times. Dozens of platforms on which something could go terribly wrong before you can stop it – and bring down the entire organization in a minute.
We’ve taken great pains to create a one-stop-shop infrastructure that meets all your IT needs without sacrificing security. Now you can do away with the vendor-du-jour model, and start taking compliance seriously by running all your products and services through a single platform. Say goodbye to compliance nightmares, and hello to A+ compliance manager-hood.
Sure, “Most Popular” might still elude you, but when you work with us, you’ll get the peace of mind that you’re fulfilling your role the best way you can. And that’s worth as much as any popularity contest.
… almost, anyway.
by Felicien | Nov 3, 2017 | Education
The Windows 10 Creators update is in full swing and business owners have been soaking in the benefits. The update has been available since April and so far, it is living up to the hype. The update carries on the Window’s 10 mission to make IT more secure and productive for businesses. As professionals become more connected and continue to take advantage of powerful new devices, the Windows 10 Creators update helps business owners keep up pace with digital transformation.
Heightened Security: Windows 10 Creators Update Offers Enterprise-Grade Security Intelligence Across Devices, Networks, and the Cloud
It’s no secret that the modern cybercrime landscape requires an ongoing and relentless focus on security – especially for business owners. The Windows 10 Creators Update continues to bring new security capabilities to IT administrators to better protect, defend and respond to threats on their networks and devices.
First, there’s the new Windows Security Center that serves as a centralized portal for monitoring, tracking and responding to cybersecurity issues. The Windows Security center allows for one view of all Windows 10 security events making it easier than ever for businesses to keep an eye on network happenings. The Windows Security Center was first released in the Anniversary Update, and links to Office 365 Advanced Threat Protection, via the Microsoft Intelligent Security Graph. This allows IT administrators to easily follow an attack across endpoints and email in a seamless and integrated way.
Next, the Creators Update also adds a variety of new actions and insights in Windows Defender Advanced Threat Protection (ATP). These enhancements help administrators to investigate and respond to network attacks, including sensors in memory, enriched intelligence, and new remediation actions.
Here are some the key improvements to the Windows Defender Advanced Protection system:
Enriched Detection
In the modern cybercrime climate, it’s no secret that the methods and means attackers use are increasingly varied, complex and well-funded. Having reliable and powerful threat sensors to monitor network traffic is critical.
Because cyber threats won’t stop, Microsoft isn’t stopping either. The Creators Update introduces enhanced Windows Defender ATP sensors to detect threats that persist only in memory or kernel level exploits. This will enable IT administrators to better monitor networks and detect threats before they become disastrous.
Enriched Intelligence
Recent Windows developments have already enhanced Microsoft Threat Intelligence (TI), including a recent partnership with FireEye iSIGHT Threat Intelligence. In the Creators Update, IT administrators are given the ability to feed their own intelligence into the Windows Security Center for alerts on activities based on their own indicators of compromise. This added level of insight will enrich machine learning and memory to identify and block malware more quickly and better protect the unique environment of each business.
Enhanced Remediation
The Creators Update also brings new remediation actions in Windows Defender ATP that will give IT administrators the tools to isolate machines, collect forensics, kill and clean running processes and quarantine or block files with a single click in the Windows Security Center, which further reduces response time.
Mobile Application Management: Windows 10 Creators Update Makes On-the-Go and Remote Business Easier
Modern business is defined by anytime, anywhere access. Some businesses have remote employees who work at home or outside the main office. Other businesses have employees who are constantly on the road and still need access to critical network data. Regardless, making sure all team members have access to all the company resources they need is crucial in today’s fast-paced business environment.
One of the most important features of the Windows 10 Creators update is the capacity for dynamic mobile application management. The new feature will help professionals protect data on personal devices without requiring the device to be enrolled in an external Mobile Device Management solution.
Furthermore, in our device-obsessed world, employees use their own devices at work more and more. The Creators Update provides IT administrators with oversight to apply productivity policies to the applications employees use. This helps keep corporate data more secure and keeps employees focused without taking on the added responsibility of managing each employee’s personal devices.
Streamlining Powerhouse: How the Creators Update Allows Businesses to Work Smarter Not Harder
The Windows 10 Creators update implements best-in-class, modern IT tools to streamline business operations and management. While it may be a very exciting time to be in IT, for many business organizations the digital transformation can be overwhelming. For that reason, the Windows 10 Creators Update harnesses the power of the Cloud to bring the very best streamlining tech tools to everyday businesses.
Windows 10 alone has already resulted in a 15% improvement in IT management time for IT administrators. The Creators Update further organizes and optimizes resources and moves tasks to the cloud, allowing users to acquire, provision, support, and secure devices more easily than ever.
Some of the key productivity powerhouses in the Creators Update include:
Cloud-based insights with Windows Analytics.
Recently released Windows Upgrade Analytics were introduced to help users move to Windows 10 more quickly by analyzing their environment to identify app compatibility, device and driver readiness. With the Creators Update, Microsoft delivers additional resources to the Windows Analytics dashboard that will help IT administrators better manage and support Windows 10 devices. The additions to the dashboard will enable organizations to use their own telemetry to provide new insights and ensure compliance on the upgrade, update and device health processes within their organizations.
In-place UEFI conversion
For some time, Windows Users have expressed the concern that they want to take advantage of new Windows 10 security investments like Device Guard on their existing modern hardware, but many of these new features require UEFI-enabled devices. With the Creators Update, Microsoft has introduced a simple conversion tool that automates previously manual conversion and connection methods. Even better? This conversion tool can be integrated with management tools such as the System Center Configuration Manager.
Continued improvements for Windows as a Service
Finally, though consistent Windows updates are beneficial, many enterprise customers have complained about managing the sheer size of the update download. Big updates on an entire network of devices can take up valuable business minutes or hours.
Since the Creators Update, Windows 10 updates will now be differentiated for both mobile and PC devices. Additionally, any updates after the Creators Update will only include the changes that have been made since the last update, decreasing the download size by approximately 35%. Microsoft is also working to improve the System Center Configuration Manager express updates to help reduce the monthly update size by up to 90%.
No matter the shape, size or industry of your business, the Windows 10 Creators Update offers tools for optimizing digital transformation for professionals. Whether you’re looking to tighten security, better manage your employee devices or streamline operations, the Windows 10 Creators Update has features to make your life easier.
Whatever you do, don’t get in the habit of avoiding updates or hitting the “Remind Me Later” button. Staying on top of tech transformations and software updates is critical to maintaining a productive and competitive professional edge.
If you’re wondering how to best implement the benefits from the Windows 10 Creators Update, get in touch with a local technology firm for consultation and guidance. Taking control of your company’s technology is easier than you think.
