Breaking Down Multi-factor Authentication

There are the three factors that you have to choose from when protecting your systems and data.   Those factors are:

Traditionally, we all have been using just the something you know factor with our usernames and passwords that we use day-in and day-out.  The problem with only using this method in various situations such as using a VPN, is that passwords can be guessed or easily compromised especially if you do not have diligent password rules in place.

The something you are factor can be effective but it has been proven repeatedly, that face-recognition, retina scanning and even fingerprint access comes with its own set of issues.  This is also the highest cost solution and the most unreliable as well.

The last factor is something you have.  This can come in the form of a key fob that gives you a timed code to input after your traditional password or a smartphone app that will give you a temporary code so you can gain access to critical systems securely.

Multi-factor authentication is picking two of three options listed above.  Usually, the first factor will be the something you know factor in the form of a username and password.  I highly recommend your second factor to be something you have.  Why?  It is a low-cost and effective solution helping protect the pathway into your entire environment.

The other major benefit in multi-factor authentication is the one that people typically do not notice right way.  It makes your organization more efficient by ensuring that systems/applications are not compromised.

Contact me today at (585) 292-5070 x278 if you are interested in raising your security posture by going to a two-factor authentication solution for your critical data and applications.

Contact Jim Nelson Today!  Learn more about our Information Security Services

Getting You on the Correct Path with Cybersecurity Policies and Procedures

By now, I imagine you’ve been facing pressure from either an auditor, regulatory body, or even a customer saying that you need to have a ‘Cybersecurity Policy’ in place.  There is very little to counter that argument.

Square, meet Round Hole

There will always be common aspects of a security policy that are necessary to include, but every policy should be customized to your environment.  Here are some simple questions that you need to answer:

  • Is your business regulated (HIPAA, Dept. of Financial Services, FERPA, etc.)?
  • Who is your audience?
  • What kind of sensitive data do you deal with and what kind of format is it in (Paper, electronic, both)?
  • Do you have systems that need to be updated on a regular basis?

If you don’t know all the answers to the above questions, a Risk Assessment will draw all of this out for you and help you craft a custom policy to your business.  There are also occasions when you need to quickly put a policy or procedure in place, but keep in mind you should never implement a policy for the sake of checking a box.

If it is not measurable, it does not exist

The goal of security policies is to define the main security objectives and the security framework for an organization.  The existence of current and accurate policies along with a formal process for ensuring they are communicated, reviewed, and updated regularly is crucial to protecting sensitive and regulated information.

Below is a process for implementing policies:

  • How are policies and procedures monitored for effectiveness and how frequently?
  • How are policies and procedures measured in terms of the results they achieve?
  • How are policies and procedures disseminated to all faculty and staff?
  • How often are the policies and procedures revised and updated?
  • How will important and relevant content be included?

Finally, relax

Overwhelmed yet?  Don’t worry, we are here to help.  Innovative Solutions can help you determine what policies you should have in place, help you create them, and give you an implementation plan that makes sense for your business.  Call 585.292.5070 x278 and speak directly to our Chief Information Security Officers to start the conversation.


Why You Need A Risk Assessment and Where You Should Start

A common question that I am always asked is “Why do I need to have a risk assessment?”  The answer will forever and always be the same: Because you don’t know what you don’t know.

Now, risk assessments can be an intimidating process and sometimes even feel over-whelming.  You just have to remember that the goal is to find out where you can mitigate potential issues in your business.

If you are not sure where to start, consider having a Vulnerability Assessment performed on your network.  Also, have your Policies and Procedures looked at for gaps, and if you don’t have any currently in place, get recommendations on which ones your type of business needs.  Maybe even, start with a social engineering test, such as a Phishing Campaign, to see if you need to build up your Security Awareness Program.

We recommend every client engage us periodically for this comprehensive review, in which we evaluate your organization’s most pressing cybersecurity considerations. We’ll look at your current state, what safeguards you already have in place, and make recommendations about how to make your organization more secure from cyber threats.

Your Information Security Risk Assessment includes:

Don’t fall victim to a cyber attack.  Call 585.292.5070 x278 and speak directly to our Chief Information Security Officers to start the conversation.

Unlock the answers to Information Security.

Contact us today!

Is email phishing just an I.T. Issue?

Look at any news source today and you are bound to see yet another article on how Phishing is affecting businesses of all sizes in the U.S. and overseas.  With the amount of money that is being spent on protecting networks and end points, why is phishing such an easy way to disrupt operations or even worse, steal and corrupt your data.  The answer is easy, people are the weak point.  

Did you know that…

  • 1 in 131 emails contained malware, the highest rate in 5 years *
  • Ransomware damages are up 15X in the last 2 years, expected to worsen **
  • Business Email Compromise scams, relying on spear-phishing emails, targeted over 400 businesses every day *

How do you stay protected?

The solution to phishing is also easy, Test and Train your employees consistently.  Have a Phishing Campaign performed on all the e-mail users of the company.  See who would be willing to click that link or even supply credentials.  The next part is training those same employees on how to spot a phishing e-mail because as we all know, e-mail filters will not stop all of them from reaching us.  It’s all about raising Information Security Awareness consistently and often.

Innovative Solutions can help your business test employees with a Phishing Campaign and with training materials to help raise consistent awareness.

Learn More about Phishing Campaign services    Contact us today!

Statistic Sources:
* Symantec
** Cybersecurity Ventures

Everything You Need To Know About The WannaCry Ransomware Attacks

On Friday, May 12, a ransomware variant titled “WannaCry” infiltrated several UK-based National Health Service locations. Since then, it has spread across 200 countries and infected more than 200,000 endpoints.

Three WannaCry Facts You Should Know

Fact 1

WannaCry is a ransomware variant that leverages a known Microsoft SMB vulnerability (EternalBlue).

Targeting unpatched Windows operating systems (Windows XP, 8, Vista, 7, 2012, 10, and Server 2003). Infected users experience file encryption in exchange for a $300 bitcoin ransom. The malware has been documented propagating laterally, rapidly infecting affiliated endpoints.

Fact 2

Microsoft has since released a patch to fix legacy operating systems (Windows XP and onward).

While a patch to remove the underlying vulnerability (Windows Vista and onward) had been issued on March 14, delays in applying security updates, and lack of support by Microsoft for legacy Windows versions have left users vulnerable.

Fact 3

A short-term “kill-switch” was identified that prevented the infection of additional systems.

Since then, new variants of the malware, which lack the kill-switch, have been reported. As of May 15, 2017, the threat is still prevalent and at large.


WannaCry Details and Misconceptions

Important information is getting lost amongst the online clutter – take the time to eliminate all WannaCry misconceptions.

  • The most common WannaCry variant uses IPC$ shares and SMB resources to propagate.
  • WannaCry leverages the exploit EternalBlue – the vulnerability drops an executable onto the targeted system and conducts a beacon check for the kill-switch domain. If it doesn’t receive a response, then the malware executes the ransomware routines.
  • WannaCry installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (Source: Malwarebytes)
  • On the LAN, it scans for all enumerated addresses within its LAN with an open port 445 & 139 (i.e. the SMB port).
  • On the internet, it scans for random IP addresses to see if it has an open port 445. If it finds one with an open port, it scans all devices in the same /24 IP range (i.e. IP addresses that share the first three octets) as the found address.
  • WannaCry kills SQL Server, Exchange, MySQL and installs TOR on the endpoint.
  • When the ransom demand-time elapses, the malware writes up to 1GB of free space on host-disk and then deletes the file.
  • A variant of WannaCry has been previously documented before this instance.


A Cost-benefit Analysis Can Help When It Comes To Ransomware

We live in the real world and often we work for companies looking to maximize their profits. It is practical for them to perform a risk-based cost benefit analysis to determine whether to pay or not. To pay or not should be a business decision based on which option is most cost effective. Consider these variables: 

Question 1

What will happen if you lose your data?

Is the data or system critical in nature? What is the potential impact to the information system, the business process, or the organization? Are there adequate backups and a recovery process to minimize operational interruptions?

Question 2

What is the relative cost associated with paying?

Most ransom demands are meant to be reasonable to incite you to pay.

Question 3

What is the probability that your data will be decrypted?

An “unethical” extortionist could receive payment and choose not to decrypt your data.

Question 4

What are the chances this will happen again?

An attacker could leave malware on your systems in the form of a backdoor, which they could use to compromise you for additional ransom. An attacker could also spread the knowledge that you are willing to pay, inciting other cybercriminals to attack you.


A Good Strategy Is the Key

WannaCry is a good reminder that security threats are often unknown and unpredictable. The only way to maintain effective defense is through a comprehensive and flexible security program.


Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.


There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.


Raw data without interpretation cannot improve security, and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but provides visibility into your threat landscape.


Organizations can’t rely on an ad-hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.


Not sure where you should start? We can help…

Call us at 585.292.5070 to speak directly with one of our information security experts.  If you don’t want to call, you can always contact us via email.


Cyber security: How to thwart 2017’s biggest threats

Each year, hackers and thieves find devious new ways to compromise your information technology. Innovative Solutions has been on the case for years, and we’ve helped dozens of clients guard against increasingly sophisticated cyber attacks. Often, a business knows they need to take decisive action, but they’re not sure where to start. So this year, we’ve organized our cyber security services into three main programs to sync up with your needs.

Program I
Cyber Security and Information Assurance Consulting

Services to assess your current state and deliver a detailed recommendation of any gaps we find. We hit every base, from staff training to disaster recovery.


Program II
Cyber Security Technical Assessment and Analysis

A series of a tests to see what happens when we attempt to break into your system. If you think you’re secure, you may be right. Or you may be surprised. Either way, with this offering, you’ll know. And you can take action.


Program III
Cyber Security Industry-specific programs

A series of services that tackle issues unique to different sectors, from banking to healthcare.

It can be rough out there—we can help you be fully prepared.

In a world where the threat is real, make sure your information is as secure as possible. These three cyber security programs will make it easier for you to get started on a path to peace of mind.

LEARN more about each program

 Contact us TODAY to get started  

Higher Ed Information Security 101

A byte-sized course in data protection for college administrators

It’s a long-held mystique: colleges and universities are often seen as secure, self-contained worlds free from the kinds of risks facing other sectors, like corporate America and government agencies. But when it comes to information security, campuses everywhere have extraordinary challenges. From compliance with regulations like HIPAA to faculty and staff training on safe digital habits, there are dozens of considerations higher-ed administrators should get a handle on.

At the heart of information security: Data.

What types? Where and how to store it? How to dispose of it? Here are four vital steps to take to secure your data.

1. Define what qualifies as “sensitive data”
Be clear and specific in laying out what constitutes “sensitive” for personnel. Create a data classification system (such as Public, Confidential, Sensitive) with clear definitions, and describe how each classification should be handled.

2. Determine where to store data—and show everyone how to comply
Some campus administrators might not explain to faculty and staff where they should safely store sensitive information. Even if they have a secure way to store data, they don’t enforce it. Often, without clear direction, personnel will choose storage locations of their own. The Cloud. Their local hard drive. A shared server. They may think they’re using a secure location, but they’re exposing your school to a possible breach. Set up a storage system with safeguards, and communicate the policy campuswide.

3. Store only what must be preserved
School records sometimes are sometimes perceived as sacred artifacts. But that’s not necessarily true. If your institution isn’t required to keep certain records, dispose of them safely. Sure, it can be time-consuming. But the less data you have on hand, the better. Follow your local laws and statutes to determine what you have to keep. And implement a procedure for safely destroying what you don’t need.

4. Hold the keys to information closely
Access to information can become sloppy over time. A staffer transfers to a different department but still has access to data from a former role. A professor leaves your school but continues to have access to record systems. Or, some employees may have access to student information because job descriptions and data access aren’t well aligned. Develop a policy that defines who should have access to which data, and monitor access as people change positions—or leave the school.

Fully protect your institution. Find out more.

Data policy is a critical consideration in cybersecurity for the Higher Ed sector. But that’s just the tip of the iceberg. Are faculty and staff regularly trained on digital habits to avoid? Is your administration up to speed on current regulations and laws governing privacy? Does your protection cover each of the seven layers of security vital to network security? Get answers to these questions and more.

Contact Us Today


  • This field is for validation purposes and should be left unchanged.