Compliance Services

Direct iT provides full-service consulting for a range of regulatory compliance issues, with a focus on common-sense solutions that are affordable for small businesses while still providing enterprise-level security. We help clients meet a number of different regulatory and security standards, including:

  • Massachusetts 201 CMR 17
  • HIPAA
  • FACTA / FTC Red Flag Rules
  • SEC
  • Sarbanes-Oxley

Network Security Services for Compliance

  • Vulnerability Assessments: We examine your network, your software, and your procedures to help identify vulnerabilities.
  • Security Remediations: We implement a number of different technologies to help make sure your business meets security standards, including:
    • Encryption products for laptops and servers
    • SSL Certificates
    • Firewalls
    • Password policies
    • Ongoing security updates and patches
    • Post-incident forensics and remediations

Written Policies and Compliance Training

  • Written Information Security Policies (WISP) — templates and custom policies
  • Privacy Policies
  • Acceptable Use Policies (AUP)
  • Network Use Policies (NUP)
  • Third-party compliance contracts

Compliance Services Blog

5 Reasons To Stop Using Server 2003 When Microsoft Support Ends This July

On July 15th, Microsoft will officially end-of-life its popular Server 2003 operating system. Although this operating system is now 12 years old, some businesses are still using Server 2003. As of July 15th, security updates, bug fixes, and other support may no longer be available. Direct iT strongly recommends upgrading or replacing any Server 2003 (and Server 2003 R2) systems still in use.

5 Reasons Why Businesses Should Stop Using Server 2003

  • Hacking and Virus Risk — If criminals are able to take advantage of security holes in Server 2003, they may use that as the entry point from which to attack your business.
  • Compliance Issues — If your business is subject to any regulatory standards regarding data security (such as 201 CMR 17, HIPAA, PCI, Sarbanes-Oxley, FACTA, etc.), having Server 2003 systems in production will make it virtually impossible to meet these standards.
  • Additional Security Layers Are Expensive — Once Microsoft discontinues security updates, the only way to keep Server 2003 systems secure is to add numerous additional security layers, including Intrusion Detection Systems (IDS) and hardware/software firewalls.
  • Hardware and Software Incompatibility — New hardware and software (such as printers, scanners, antivirus, and business software) will be much less likely to continue supporting Server 2003.
  • Increased Support Costs — As systems get older and are no longer supported by Microsoft, continuing to back up, maintain, and monitor them becomes more expensive and time consuming.


Why Secure Email Breaks Spam And Virus Filters

It’s increasingly common for spam and virus emails to be sent using encrypted email, fax-over-email, or other special non-standard email formats. CryptoLocker, a particularly nasty virus that scrambles your data files and holds them for ransom, is usually transmitted in this manner. Unfortunately, most spam and virus filters are unable to do anything about it.

Common Email Types That Virus And Spam Filters Can’t Stop

  • Fax attachments
  • YouSendIt links
  • DropBox or Box.net files
  • Encrypted .zip (or other) attachments with passwords (the password you need will usually be in the email)
  • Emails from other secure encrypted email services

Why Do Security Scans Let These Viruses Through?

Essentially, virus and spam filtering only works on regular emails. In most of these cases the actual message (or the spam or virus) is transmitted some other way, via a special website or attachment. Many of these websites are entirely legitimate (like YouSendIt or DropBox), and there is no difference that the spam filter can see between a legitimate encrypted email and a spam or virus. Basically, the email filter is usually a box that sits “in the middle” and inspects the email as it travels to you, but the very idea of encrypted email is that it is scrambled (i.e. encrypted) so that anyone sitting “in the middle” of the connection trying to listen in can’t see the actual message.

How Can I Stop It?

Unfortunately, there’s no single easy solution for this, beyond a few common sense ones:

  • Don’t open faxes or secure email messages unless you know who they are from
  • When you do open email attachments, be wary of strange file formats
  • Confirm with the sender that they actually tried to send you something before opening
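As an added example (not code from the original post), here is a small Python check that a mail gateway could run to hold back the password-protected zip attachments described above for confirmation with the sender: it reads only the archive's headers for the encryption flag, so it never needs the password and never extracts anything. The message, sender address and archive are constructed inline for the demonstration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry has the encryption bit (bit 0 of the general-purpose
    flags) set. Only the central directory is read: no password, no extraction."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def risky_attachments(raw_message: bytes) -> list:
    """Names of attachments that are password-protected zip archives, which a
    gateway could quarantine until the recipient confirms them with the sender."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04") and zip_is_encrypted(payload):
            found.append(part.get_filename() or "(unnamed)")
    return found


def build_sample(encrypted: bool) -> bytes:
    """Constructed fixture (hypothetical sender, not a real capture): a 'fax'
    notice carrying a zip, with the password in the body as the post describes.
    zipfile cannot write encrypted archives, so the flag bit is set by hand in
    the local file header (offset 6) and the central directory header (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax.pdf.exe", b"not really a fax")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x01
    msg = EmailMessage()
    msg["From"] = "fax@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "New fax received"
    msg.set_content("Your fax is attached. The password is: fax1234")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="fax.zip")
    return msg.as_bytes()
```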

Top 5 Ways Hackers Are Breaking Into Local Businesses

We’ve compiled a short list of some of the most common ways hackers are breaking into businesses. Many businesses across the board are being hacked by organized crime rings, often based overseas in places such as China, Nigeria, or the former Soviet republics. Once they’ve broken into your network, these gangs may then try to use your systems and data for identity theft, spam, or targeted wire fraud (among other things). Here’s how they are getting in:

#1 Browser based vulnerabilities

Simply going to websites can make you vulnerable — especially social media, gaming, and online shopping sites. However, trusted websites such as banks, local newspapers, large corporations, or even government sites can also be a source of infections, because hackers _love_ to break into the web servers for sites like these and then hide a tiny piece of virus code inside an otherwise-legitimate site.

Adobe Flash, Adobe Reader, Java, and Internet Explorer are some of the most common sources of browser-based security holes; it’s a good idea to keep all of these updated. However, even if you keep completely up to date, you are still vulnerable to the next category of attack:

#2 Zero day exploits

“Zero day” is a computer security term that refers to the period of time between when a security hole is discovered and publicized and when that security hole is fixed, during which no patch exists to protect you. Even Microsoft sometimes takes days or weeks to patch security holes in the Windows operating system; other vendors can sometimes take much, much longer.

#3 Brute-force password worms

Brute-force worms are programs that scan the internet for services (such as webmail and remote desktop) and then start trying everything from a long list of common or randomly-generated usernames and passwords. Then, whenever a system is successfully infected, the infected system immediately begins helping to scan for and infect more systems. These are incredibly common; most internet-connected servers get login attempts from brute-force worms every single day.

Many services try to protect against this by putting a “speed limit” on login attempts: only 1 attempt per second is allowed, or only 5 attempts within 5 minutes, and so on. However, brute-force worms can get around this by trying to log in from multiple infected systems at once, and by simply never stopping — 10 infected machines trying 1 password per second each for a month would still add up to 25,920,000 password attempts, more than enough tries to guess that bob’s password is “password1”.
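As an added example, not from the original post, the following Python shows why a per-IP limit alone misses the distributed pattern described above and what does catch it: the same constructed failed-login log is viewed per source IP (each bot stays under the 5-per-5-minutes limit, so nothing is blocked) and per target account (bob takes 16 failures from 4 addresses in four minutes, which stands out). The log format, thresholds and addresses are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) Failed password for (?P<user>\S+) from (?P<ip>\S+)$")
WINDOW = timedelta(minutes=5)
PER_SOURCE_LIMIT = 5   # the post's "5 attempts within 5 minutes" per-IP limit
ACCOUNT_LIMIT = 10     # failures against one account, from any source, per WINDOW
MIN_SOURCES = 3        # distinct IPs needed before calling it distributed

def parse(lines):
    """Time-ordered (timestamp, user, ip) tuples from sshd-style log lines."""
    found = (LINE_RE.match(line) for line in lines)
    return sorted((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]) for m in found if m)

def worst_window(hits):
    """(count, distinct ips) of the busiest WINDOW in time-ordered (ts, ip) pairs."""
    best = (0, 0)
    for k, (start, _) in enumerate(hits):
        span = [ip for ts, ip in hits[k:] if ts - start <= WINDOW]
        best = max(best, (len(span), len(set(span))))
    return best

def per_source_blocked(events):
    """What a classic per-IP limiter sees: the IPs that exceed PER_SOURCE_LIMIT."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append((ts, ip))
    return {ip for ip, hits in by_ip.items() if worst_window(hits)[0] > PER_SOURCE_LIMIT}

def distributed_targets(events):
    """{user: (failures, distinct ips)} for accounts hit >= ACCOUNT_LIMIT times from >= MIN_SOURCES IPs in one WINDOW."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    windows = {user: worst_window(hits) for user, hits in by_user.items()}
    return {u: w for u, w in windows.items() if w[0] >= ACCOUNT_LIMIT and w[1] >= MIN_SOURCES}

def sample_log():
    """Constructed log (RFC 5737 test addresses): four bots each try 4 passwords against 'bob' over 4 minutes, under the per-IP limit; alice typos twice."""
    base = datetime(2014, 6, 1, 3, 0, 0)
    bots = ["203.0.113.5", "203.0.113.9", "198.51.100.7", "192.0.2.44"]
    lines = [f"{(base + timedelta(minutes=n, seconds=15 * i)).isoformat()} "
             f"Failed password for bob from {ip}" for n in range(4) for i, ip in enumerate(bots)]
    lines += [f"{(base + timedelta(minutes=n)).isoformat()} Failed password for alice from 192.0.2.10"
              for n in (1, 2)]
    return lines
```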

#4 Third party password breaches or vendor passwords

Users tend to use the same passwords for everything — this means that when you hear on the news that Adobe was breached and 3 million passwords were stolen, there is now a password list available on the black market that has a very good chance of containing one of _your_ passwords. There are many of these lists available on the internet.

Another common weakness is the vendor password — perhaps the copier guy set up a “copier” account so he could test printing, with a password like “copier” or “password”. Similarly, phone vendors, firewall or network service vendors, and even payroll or accounting companies may have used the same password for hundreds of different clients.

#5 Out of date systems

Keeping your systems updated might seem like a no-brainer, but in many cases even the most diligent companies may have some systems or services that end up being out of date. Sometimes systems are overlooked or forgotten — people may think a system doesn’t need updating because it is behind a firewall, or because it is “just part of the voicemail system” or “only used for accounting”; a wireless access point in a basement conference room could easily be overlooked and forgotten. It only takes one out-of-date system to give hackers a foothold into your network.

What To Do About It

  • Antivirus, corporate-grade firewalls, and keeping systems updated
  • We also highly recommend undergoing a security audit
  • Finally, training your employees is incredibly important — the most secure systems in the world can’t help if your employees aren’t trained properly

Antivirus is Still Vital – But All AV Is Having Trouble Protecting Against All Threats

As cyber crime grows, so must our defenses against it. Almost all businesses now find themselves faced with spammers, identity theft rings, botnets, brute-force password worms, ransomware, and constant browser-based infection attempts. The hackers have a global industry backed by secret internet marketplaces where stolen passwords and identities can be anonymously bought and sold with bitcoin.

Antivirus software increasingly ineffective against common hacker threats

However, many users are still depending primarily on the same old-fashioned PC-based antivirus software to keep their network safe. In a recent study, Lastline Labs tested common malware from the internet against all the major commercial antivirus packages; they found that some viruses were not stopped by any antivirus software, sometimes even when those viruses were a year old, while many other viruses infected PCs “in the wild” for weeks or months before antivirus software caught up.

Focus of security industry shifting to detecting, mitigating damage from hackers

Much of the cybersecurity industry is now trying to focus on systems that go beyond just antivirus, such as:

  • Intrusion Detection and Prevention Systems detect and stop hackers after they have already broken into your network
  • Vulnerability scanning examines your network looking for possible points of weakness
  • Data encryption can protect your data so that even if hackers get into your network, they can’t access your most important files
  • Penetration testing is where you hire a security expert to attempt to break into your network the same way a hacker would

Does my business still need antivirus software?

If your street was flooding, would you think your house didn’t need a roof anymore? Yes, you still need antivirus to protect your business – in fact, Massachusetts data security laws pretty much require it; you just might need to do more. A security audit is often a good place to start pinpointing where you are most vulnerable; then, many companies may want to consider a whole-business security approach that combines regular audits and training with technical solutions like security software.


Tech News – Massachusetts Data Breach Reports Continue To Rise in 2014

[Figure: Massachusetts data breach graph]

In January and February of 2014, there were 349 reported data breaches affecting the residents of Massachusetts — a 15% increase over last year’s pace. Since 2007, Massachusetts has required that data breaches involving personal information (such as bank account, credit card, or social security numbers) be reported to the Attorney General’s office. The Attorney General has been collecting statistics from these reports.


For 2012, the Attorney General released a comprehensive report on those data breaches, and they have since updated their numbers for 2013 and the first couple of months of 2014. The 2012 comprehensive report showed a lot of interesting trends in the data — including the fact that stolen laptops were the most common source of the most serious data breaches, and that executives were often involved in data breaches. Mobile device breaches were also a big trend for 2012, with stolen mobile devices being responsible for 26% of the total number of affected residents.

You can read the 2012 report here. Or, for older reports, see:

  • 2011 breach report
  • 2009 breach report


Call Direct iT Today!

781-996-4918

One of our IT specialists is waiting to talk to you.

About Direct iT

Direct iT, Inc. is a New England based IT services firm offering products and services for small businesses in Greater Boston, New Hampshire, Rhode Island, and the rest of New England. Cloud, compliance, and document management services are also available worldwide. Many of our customers are along the Route 128 technology corridor.

Direct iT, Inc. Main Offices

39 Emerson Rd. Suite 215
Waltham, MA 02451
Sales: 781-890-4400
Support: 781-890-1907
sales@directitcorp.com