Ransomware Response Procedures

Ransomware is a type of malicious software that encrypts your files and demands a ransom to restore them. It can cause serious damage to your data, your privacy and your finances. If you discover that your computer has ransomware, you need to act quickly and follow these 10 steps:

  1. Disconnect your computer from the internet and any other devices. This will prevent the ransomware from spreading to other machines or contacting its command-and-control server.
  2. Identify the type and variant of ransomware that infected your computer. You can use online tools such as ID Ransomware or other reputable sites to upload a ransom note or an encrypted file and get information about the ransomware.
  3. Check if there is a decryption tool available for the ransomware that infected your computer. Some security researchers and companies have created free tools that can decrypt some types of ransomware. You can find a list of such tools on various security-related websites, like Avast, Emsisoft, Kaspersky, McAfee, Trend Micro, or other solutions.
  4. If there is no decryption tool available, try not to pay the ransom. It may not be possible to recover the encrypted files, so you may feel the need to pay the ransom. Paying the ransom does not guarantee that you will get your files back, and it may encourage the attackers to target you again. Moreover, you may be breaking the law by funding criminal activity.
  5. Remove the ransomware from your computer. You can use an antivirus or anti-malware program to scan your computer and remove any traces of the ransomware. You may need to boot your computer in safe mode or use a bootable USB drive to run the scan.
  6. Restore your files from a backup, if you have one. The best way to recover from a ransomware attack is to have a backup of your important files that are stored offline or on a separate device. If you have such a backup, you can quickly restore your files after removing the ransomware from your computer.
  7. Change your passwords and enable multi-factor authentication. The ransomware may have stolen your credentials or installed a keylogger on your computer, so you should change your passwords for all your online accounts and enable multi-factor authentication where possible.
  8. Update your operating system and applications. The ransomware may have exploited a vulnerability in your software to infect your computer, so you should update your operating system and applications to the latest versions and apply any security patches.
  9. Educate yourself and others about ransomware prevention. The best way to avoid ransomware is to prevent it from infecting your computer in the first place. You should learn how to recognize phishing emails, avoid clicking on suspicious links or attachments, and use reputable security software.
  10. Report the incident to the authorities and seek professional help if needed. You should report the ransomware attack to the relevant authorities in your country or region, as they may be able to assist you or investigate the attackers. You should also seek professional help from a trusted IT expert or a security company if you need assistance with removing the ransomware or recovering your files.

Disabling or Uninstalling Unnecessary Services and Apps in Windows 10

Windows 10 is a powerful and versatile operating system that offers many features and functionalities. However, not all of them are necessary or useful for every user. In fact, some of the services and apps that come preinstalled or run in the background can pose security risks or slow down your system performance.

In this blog post, we will describe which unnecessary services and apps you should disable or remove from Windows 10 for security reasons. We will also explain how to do it safely and easily.

What Are Windows Services?

Windows services are programs that run in the background and provide essential functions for the operating system, such as networking, security, printing, etc. They usually start automatically when you boot up your computer and run until you shut it down.

What Are Windows Apps?

Windows apps are applications that you can install from the Microsoft Store or other sources. They are designed to work with the modern user interface of Windows 10 and offer various functionalities, such as games, productivity tools, social media, etc.

Why Should You Disable or Remove Unnecessary Services and Apps?

There are several reasons why you may want to disable or remove unnecessary services and apps from Windows 10:

  • Security – Some services and apps may have vulnerabilities that can be exploited by hackers or malware. For example, the Remote Desktop service can allow remote access to your computer if it is not configured properly. The Bluetooth service can expose your device to wireless attacks if you don’t use it. Some apps may also collect your personal data or display unwanted ads.
  • Performance – Some services and apps may consume a lot of system resources, such as CPU, RAM, disk space, etc. This can affect your system speed and responsiveness, especially if you have a low-end device or multiple programs running at the same time.
  • Privacy – Some services and apps may send your data to Microsoft or other third-party servers for various purposes, such as diagnostics, feedback, advertising, etc. This can compromise your privacy and expose your online activities to others.
  • Storage – Some services and apps may take up a lot of disk space on your device, especially if they are rarely used or updated. This can limit your available storage space for other files and programs.

Which Services and Apps Should You Disable or Remove?

Continue reading “Disabling or Uninstalling Unnecessary Services and Apps in Windows 10”

10 Steps to Securely Configuring Windows 10

Windows 10 is the most popular operating system in the world, but it also comes with some security risks. If you want to protect your data and privacy, you need to configure Windows 10 for security. Here are 10 steps you can follow to make your Windows 10 more secure.

  1. Update Windows 10 regularly – Windows 10 updates often include security patches and bug fixes that can prevent hackers from exploiting vulnerabilities in your system. To check for updates, go to Settings > Update & Security > Windows Update and click on Check for updates. If there are any available updates, install them as soon as possible.
  2. Use a strong password and a PIN – A strong password is one that is long, complex, and unique. It should include a mix of uppercase and lowercase letters, numbers, and symbols. A PIN is a four-digit code that you can use to unlock your device instead of typing your password. To set up a password and a PIN, go to Settings > Accounts > Sign-in options and choose Password and PIN. Make sure you don’t use the same password or PIN for other accounts or devices.
  3. Enable BitLocker encryption – BitLocker is a feature that encrypts your hard drive, making it unreadable to anyone who doesn’t have the right key. This can protect your data in case your device is lost, stolen, or hacked. To enable BitLocker, go to Settings > System > About and click on Device encryption. If your device supports BitLocker, you will see a Turn on button. Click on it and follow the instructions.
  4. Use Windows Defender Firewall and antivirus – Windows Defender Firewall is a feature that blocks unauthorized network connections, preventing hackers from accessing your device or data. Windows Defender antivirus is a feature that scans your device for malware and removes any threats. To use Windows Defender Firewall and antivirus, go to Settings > Update & Security > Windows Security and click on Firewall & network protection and Virus & threat protection. Make sure they are both turned on and up to date.
  5. Enable two-factor authentication – Two-factor authentication is a feature that adds an extra layer of security to your online accounts. It requires you to enter a code or use an app on your phone after entering your password, verifying your identity. To enable two-factor authentication, go to Settings > Accounts > Sign-in options and click on Security key or Windows Hello. Follow the instructions to set up your preferred method of two-factor authentication.
  6. Use a VPN service – A VPN service is a feature that encrypts your internet traffic, hiding your IP address and location from prying eyes. This can protect your privacy and security when you use public Wi-Fi or access geo-restricted content. To use a VPN service, you need to download and install a VPN app from the Microsoft Store or a trusted website. Then, launch the app and connect to a server of your choice.
  7. Disable unnecessary services and apps – Some services and apps that come with Windows 10 may not be essential for your needs, but they can consume resources and pose security risks. To disable unnecessary services and apps, go to Settings > Apps > Apps & features and click on the service or app you want to uninstall or modify. You can also go to Settings > Privacy and review the permissions that each app has access to.
  8. Use a secure browser and extensions – A secure browser is one that protects your online activity from trackers, ads, and malicious websites. A secure extension is one that enhances the functionality of your browser without compromising your security or privacy. To use a secure browser and extensions, you can choose one of the following options:
    • Use Microsoft Edge, which is the default browser for Windows 10. It has features like SmartScreen, Tracking Prevention, InPrivate mode, and Password Monitor that can improve your security and privacy.
    • Use Google Chrome, which is the most popular browser in the world. It has features like Safe Browsing, Incognito mode, Password Checkup, and Sync that can improve your security and privacy.
    • Use Mozilla Firefox, which is the most privacy-focused browser in the world. It has features like Enhanced Tracking Protection, Private Browsing mode, Lockwise, and Monitor that can improve your security and privacy.
  9. Backup your data regularly – Backing up your data is a feature that copies your files to another location, such as an external hard drive or a cloud service. This can protect your data from accidental deletion, corruption, or ransomware attacks. To protect your data regularly, go to Settings > Update & Security > Backup and click on Add a drive or Backup options. Choose where you want to store your backup files and how often you want to backup.
  10. Educate yourself on cyber threats and best practices – The most important feature for securing your Windows 10 is your own knowledge and awareness. You need to learn how to recognize and avoid common cyber threats, such as phishing, malware, or social engineering. You also need to follow best practices, such as using strong passwords, updating your software, and locking your device when not in use. You can find more information and tips on how to secure your Windows 10 on the Microsoft website or other reputable sources.

How to Report Smishing to Your Cell Phone Service Provider

Smishing is a type of phishing scam that targets your cell phone through text messages. The goal of smishing is to trick you into clicking on a malicious link, downloading a harmful attachment, or revealing your personal or financial information.

Smishing can be very dangerous and costly, as it can expose you to identity theft, fraud, malware, or unwanted charges on your phone bill. It is important to know how to report smishing to your cell phone service provider if you receive a suspicious text message.

Here are the step-by-step instructions for reporting smishing to your cell phone service provider:

Continue reading “How to Report Smishing to Your Cell Phone Service Provider”

Understanding the NIST Cybersecurity Framework


The Cybersecurity Framework Set was an optional standard created by the National Institute of Standards and Technology under the United States Commerce Department. This set of guidelines for private sector companies is intended to help them be  better prepared in identifying, detecting, and responding to cyber-attacks. It also includes some guidelines on how to prevent and recover from a cyberattack.

The NIST Cybersecurity Framework is intended to address the lack of standards when it comes to cybersecurity. As with almost everything else that deals with technology, there are currently major differences in the way companies are using technology to detect and remediate attacks from hackers, malicious users, and ransomware.

With the complexity and frequency of cyberattacks growing each day, the task of detecting and preventing cyberattacks has gotten too difficult and complex to be left to chance, and a lack of a strategy among most organizations only makes this effort more difficult.

Continue reading “Understanding the NIST Cybersecurity Framework”

Cloud Security Best Practice

There are several things you can do to improve the security of your online cloud environment. Protect your business assets by enabling specific controls when available.

  1. Access Control – Enable Multi-Factor Authentication (MFA) and Conditional Access when possible. This means requiring not just usernames and passwords to access your critical cloud-based systems, but also requiring multi-factor authentication. Instead of allowing user access with just something you know (password), also require a user to prove their identity with something they have (cellphone) or something they are (fingerprint). You may also be able to enable conditional access, which allows an administrator to add additional requirements to your login process, like only allowing you to log into the cloud environment using an authorized laptop, from a specific location, etc.
  2. Improve Security Posture – Use the tools available from your cloud provider to improve your overall security posture. Microsoft Azure offers a secure score rating, showing you recommended actions and comparing your security profile to other tenants. This can drive security changes that you may not even know are possible and provide instructions specific to your environment.
  3. Secure Your Applications – Train your developers in security best practices such as Security Development Lifecycle (SDL) and test for common development issues using OWASP as a guide. Encrypt everything possible, including all internal and external connections. All data that is stored or processed should also be encrypted. Your backups should be encrypted and stored in a secure location away from the production data. Review your relationships with all vendors to make sure it is crystal clear who is responsible for all aspects of your security. You are responsible for everything unless it is specifically stated otherwise in your vendor contract.
  4. Understand and Mitigate Risks – Use best practice guidelines to identify threats and build processes to protect all your systems from known threats, detect any attacks that malicious groups may use in an attack in your environment, and respond to threats and attacks before your systems can be compromised. You should utilize a security information and event management (SIEM) system to collect the logs from all systems. Once the logs are in a central location you can build alerts when specific events occur, as well as identify risky behavior before the systems can be compromised.
  5. Maintain Network Security – Even through the cloud moves systems outside of your on-premise environment, the proper configuration of your firewall is still very important. Controls still need to be in place to protect the perimeter, detect hostile activity, and respond to all possible threats. A web application firewall (WAF) protects web apps from common exploits like SQL injection and cross-site scripting. Using concepts like virtual networking and subnet provisioning, you can micro-segment your network to provide additional security as you work toward zero trust networking. Enable your endpoint firewall, like Windows firewall, to properly protect the endpoints as they move outside your protected on-premise network.

While protecting your company assets from a constantly evolving threat landscape can seem an impossible (and expensive) task, some basic security processes can start you down the path towards a best-practice security environment. Don’t try to do everything at once. Start simple with the goal of constant improvement.

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Gain access through any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications to the compromised device, usually though a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attackers command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 Steps to a reducing a lateral movement attack:

Continue reading “10 Steps to Stopping Lateral Movement Attacks”

Online Risks for Children

Children face tremendous risks while they are accessing the internet. Parents are often worried about their children while they access online services and social media, without really understanding the risks or what they can do to mitigate the risks. Many parents feel that some online interactions are safer than others, without really thinking through the risks.

Let’s discuss some of the risks and what you can do to help protect your children.

  • Cyber Bullying – This is a fairly common problem, where children bully other children using various social media platforms, like Twitter and Facebook. This can seem fairly trivial to an adult, but children are more focused on social media and it can be devastating for a small child to be constantly receiving messages about themselves being different or not worthy of friendship or interaction. This can lead to social isolation, depression, and even suicidal thoughts.
    • The best action for a parent is to monitor their children’s social media messages and help filter the incoming messages to make sure you have an opportunity to filter out the harmful messages so they can be deleted, reported, or explained.
    • It is also important to monitor your child’s outgoing messages to make sure your child is not the source of problems for other children and their parents.
    • Explain to your child what cyber bullying is and why it is important to speak with you if they see messages that upset them or make them feel uncomfortable.
    • Don’t trivialize these events. Just because they seem unimportant to you doesn’t mean they don’t seem important to a young mind just starting to understand social interactions and online communication.
  • Radicalization – As you may have heard recently with news stories about a child or young adult that was convinced to join an extremist group or terrorist organization, it is possible to convince someone to commit violent attacks by inundating them with social media content and targeted messages to convince them a specific group or organization must be physically attacked.
    • Young minds are much more susceptible to this type of online radicalization than older people, so it may not sound like a real risk. It happens all the time and can start with altering their political alignment, which seems minor, all the way up to instigating a physical attack on a minority or other groups while they are at a school or other function.
    • Once the child is convinced their extreme political, social, or religious views are accepted by the online community, it can be very difficult to convince them to reject those views.  That is why it is important to monitor the online forums and content your child is exposed to, so you can help explain why those views are extreme or incorrect. You need to provide guidance to them about where to get moderate content and an accurate education to prevent a path to extremism.
    • If you feel the content is potentially criminal or dangerous, you can report the content to the police.
  • Identity Theft – While most children don’t have access to credit cards or cash, they are still the target of criminals. Children have identities, and those identities can be stolen and sold on the black market for people looking for new identities used to commit crimes like applying for credit cards, jobs, government benefits, etc.
    • Some studies have shown children are much more likely to have their identities stolen than adults. Children are not as savvy as adults in determining when someone is lying to them, and they are more likely to do what an adult tells them to do, so it can be easier to steal from children.
    • Talk to your children about what types of information to not share with strangers, including their last names, addresses, telephone numbers, birth days, etc. Explain the best ways to communicate online, and monitor communications to help identify issues before it leads to a crime.
  • Inappropriate Content – The internet is full of uncensored content tahat is considered dangerous to young children.  You can find shocking, violent, and pornographic material with a few simple internet searches, and you know what terms can get you to that content. A child may search for seemingly innocent terms that could result in a traumatic result. You don’t want them to stumble across violent acts that could include death, torture, or other despicable acts of violence.
    • Use the content filters. Many browsers include a “Kids” mode that helps block this type of content, so check your browser settings. Many search engines allow for a “Safe” mode to limit objectionable content. While no filter will be 100% effective, it can be helpful to make it much harder to be exposed to inappropriate content.
    • Being present when your child is conducting an internet search can be very helpful. This is your opportunity to help them learn how to correctly use a browser and search engine while also helping them with their search terms to quickly find the correct content.
  • Scams – Young children will often believe everything you tell them, and cyber-criminals have a lot of experience telling outlandish stories to scam people. It can be easy to dupe a child into telling them sensitive information or convincing them to send money to their online account using mom’s credit card or Venmo account.
    • Scams targeting children are often related to events in their world, like gaming scams where an online “friend” asks your child to buy them online gold in their favorite game and their “friend” will then send them extra lives.
    • An online message offering them a free Xbox if they just provide their address and phone number to enter an online contest seems like a sensible offer to a child, but an adult might ask a few questions before they give away information. A child will provide any information that is requested because they just want to win.
    • Discuss these types of requests with your child and make sure they know they should always come to you before engaging in these types of conversations.
  • Grooming – Children can be lured into some serious and dangerous situations in the physical world, so we are careful to teach our children not to talk to strangers, get into cars with strangers, take candy from strangers, etc. Then we allow our children to access the internet where millions of strangers have access to them. While we like to think that most people are good and don’t have malicious intentions with your children, you have to accept there are thousands of people online that see your child as an opportunity to groom your child to get what they want.
    • Grooming is just convincing someone to change their views and accept what they are being told is the better path, which is often specific to sexual activity. This can include convincing your child to ignore what mom told you and send nude pictures to them. It could escalate to having the child secretly meet with them, which could lead to sexual assault.
    • Children don’t have fully formed minds and can be convinced to do things that seem obviously bad or truly dangerous to an adult. Talk with your child and make sure they understand what conduct is allowed, and what is not allowed. You never want your child exposed to sexual content.
    • Children should be educated about what types of behavior is strictly prohibited and when they should come to you for help. If they report someone is asking for unusual or dangerous content, you should take that information seriously and do what is required to block their access to your child. You should also consider reporting the activity to the police.

There is a theme here: Spend some time with your children and make sure they know you are available to them as a resource to help them safely use the internet. You were not born with the knowledge of how to safely use the internet or communicate with strangers, and neither were our children. Make sure you provide an education and provide basic guidelines on how to use social media, how to interact with people on the internet, and what online activity is acceptable.

Tips for Parents

  • Limit Access – Don’t allow online activity 24×7, make sure there are well established expectations around offline and outdoor activities. This can mean turning off Wi-Fi or unplugging network cables to promote compliance.
  • Use Parental Filters – These programs can be installed on your child’s computer and only activities and content you allow are enabled on the computer. These filters aren’t 100% effective, but they can provide a baseline to help guide acceptable behaviors and report on attempts to bypass the filter.
  • Regularly review browser history – Your child’s computer will log all internet access so you can review what content was accessed by your child. This log will not always expose exactly what was done or discussed while on that site, but can be a good conversation starter with your child.
  • Find child-friendly solutions – There are child-friendly websites for many online activities, like email, social media, video sharing, educational content, etc. Check with other parents or teachers to see what they recommend or use to help decide if it will work for your family.
  • Communicate – Make sure your children know you are available to them when they want to discuss what they are experiencing online, both good and bad stuff. Find the time to ask them about what activities they are performing online, from gaming, homework, and talking to their friends. Don’t be afraid to listen to how they communicate with friends, teachers, remote family members, and strangers. Offer guidance to improve communication or celebrate with them when they make the correct choices.

Windows Security Checklist for Home Systems

While your IT Department may have a handle on enterprise security, not everyone is technical enough to feel confident that their home computer systems are secure from attack. Many people wonder where is the best place to start, what steps they can take that will make the most impact, and which systems are most likely to need attention.

While there are literally hundreds of settings you can alter and fine tune to adjust your specific system settings, we are going to focus on general security actions you can look into, each helping build a general security mindset that will hopefully get you started without feeling overwhelmed. As you begin with general security changes, you will become more confident in your abilities and less worried that you are breaking anything.

General Considerations

  1. Router – All the devices on your home network communicate with the router. This is the device usually supplied by your internet provider, that allows your home computers to access the internet. This is the access point where most attacks are going to come from, so you want to start here to make sure you have a secure connection to the internet.
    • The router has an administrator-level account, and you must change the default password so that an attacker can’t access your router and disable any security settings.
    • You’ll also want to check if the router is updated with the latest firmware. As vulnerabilities are discovered, the router vendor will provide updated software and you want to make sure your router is patched. This can usually be configured so the router will automatically install new patches, but sometimes this must be manually performed. You’ll want to make sure you investigate these settings and configure them appropriately.
    • You should also disable remote administrator access to your router. This will prevent an attacker from logging into your router unless they are directly connected to the router from your home network. If you need help from your internet provider, they will contact you anyway, so you can grant them access if you need their remote help.
    • You can search the internet with the specific make and model of your router to get the user’s manual or recommended settings.
  2. Wi-Fi Security Settings – Many routers include Wi-Fi, which allows your home computers to connect to the router wirelessly so you can easily access the internet. You’ll need to check the security on your wireless network to enable the basic security features.
    • In Security Settings, create a name for the Wi-Fi network (SSID) and a complex password, and then select a type of encryption, like WAP2. Do not name your Wi-Fi network something that can easily be associated with you, such as your last name or address.
    • When possible, you’ll want to use AES on top of WPA2. Advanced Encryption Standard is a newer encryption standard that should be available on routers built after 2006.
    • Wi-Fi Protected Setup (WPS) was created with the intention of making the user experience easier and quicker when connecting new devices to the network. It works on the idea that you press a button on the router and a button on the device. This makes both devices attempt to pair automatically. You’ll want to disable this feature, if possible, because it has a history of security issues.
    • You can also sometimes create a separate guest Wi-Fi network, if supported by your router. A separate guest network has some advantages, like not having access between the two networks. It not only provides your guests with a unique SSID and password, but it also restricts guests from accessing your primary network where your connected devices live. You never have to disclose your main Wi-Fi network password to guests or visitors since they only need to know the guest Wi-Fi password. You can easily change the guest Wi-Fi password when your guest leaves without having to log all your other devices back into the network.
    • You might also want to consider the Wi-Fi signal power. If people can detect your Wi-Fi from across the street or in a nearby home, there is a risk that they will also attempt to log into your network. You can sometimes adjust the router signal strength or physical placement of the hardware to reduce that risk.
  3. System Update – Now that you have a relatively secure network, you can start looking at the devices connected to that network. It used to be a network used from a laptop or desktop computer, but today you can have a multitude of devices that are connected for internet access. You can have a smart thermostat, doorbell camara, video game console, cellphone, coffeemaker, etc.
    • For each system involved, you’ll need to log into the device and make sure you understand how to check for firmware and operating system updates and attempt to configure the device to automatically check for and apply vendor updates, if possible.
    • For each system involved, review the available security and privacy settings to make sure the device meets recommended settings. Vendor websites are a good resource to help you complete this step.
    • This might also be a good time to determine if the device really needs internet access. If the device is using internet access just to allow you to remotely access the device from the internet, for example, you need to ask yourself if you ever plan on using this feature. If you don’t need the feature, you may be able to disconnect the device from your network and reduce your overall risk profile.
  4. Security Suite – For your major devices like laptops and desktops, you should install and properly configure anti-malware and anti-virus software. There are various free versions available, so research a few vendors and find a solution that meets your needs. Make sure you use a vendor that you can trust.
    • Installing an anti-virus solution with default settings is rarely enough to really protect your computer. You’ll want to look at the available settings and properly configure the solution to provide the security you are expecting. Many vendors will guide you to using the best settings.
  5. Installed Programs – Review each program installed on the computers on your network and determine if those programs are still needed.
    • Maybe you installed a game a few years ago and haven’t used it since that one boring weekend. Now is a good time to uninstall or delete all the unneeded programs that are not essential.
    • If the program doesn’t look like something you need, and an internet search doesn’t answer the question around why it is installed, now is a good time to remove the program. It can be difficult to research something you don’t recognize, but a good internet search should answer your questions.
    • Now that you know what should be installed, a periodic check would help you quickly recognize when something new and unauthorized has been installed. If you do a periodic visual scan of installed applications every couple of months, this will be an easy security check to keep the device as clean and secure as possible.
  6. Program Updates – On your computer, you probably have several programs installed that you may not use very frequently. This could include word processing or spreadsheet suites, but it might also include specialized utilities or even games. All of these need to be patched because vendors periodically update their software to add new features and remove security vulnerabilities.
    • Check each application to see if patching can be automated. There should be a way to manually check for updates, but an automated check will make this process much easier.
    • If the program is older or doesn’t support regular updates, you should consider uninstalling or deleting the application. Each situation is unique, but you need to evaluate the risk if that one old program were compromised and allowed remote access to your computer.
  7. Password Hygiene – Now is also a good time to determine if you need to change your passwords. Easy to remember passwords are usually easy to guess passwords. You should really think about what makes a good password and make sure you change all your passwords to meet current best practice guidelines.
    • You can read more about selecting a better password here. You’ll want to select a really good and unique password for every account. You may need a password manager to store all your passwords, which can encourage longer and more random password selection.
    • Never use the same password for two different accounts. If you are using the same password for LinkedIn as you use for Netflix, if one account is compromised the attacker can use that same password to log into potentially sensitive information from a different account.
    • If you haven’t changed the password recently (within the last 90 days) then change the password now. That will make sure that starting today you are following best practice with your password selection.
    • If you hear one of your online accounts may have been compromised, don’t wait for the service to contact you with the bad news. It takes only a couple of minutes to change a password.
    • If you no longer use the online service, see if the online account allows you to delete or disable the account to reduce your online risk profile.
  8. Firewall Rules – Each computer you use probably has a firewall installed. The Windows Firewall is rarely used and it can be a great tool for limiting online access to your computer. You can essentially use the Windows Firewall to block remote access to your computer using specific ports and protocols, which can make a remote attack very difficult. It can be a little technical on how to configure the Windows Firewall correctly, so make sure you do your research and take notes on any changes you make so you can undo the changes if you find something has stopped working.
    • You can read more about how to get started with the Windows Firewall here. Don’t be afraid to do some internet searches to find some recommended settings.
  9. File Backup – So you have your home network secured, and the devices on that network are also more secure, and the accounts used to log into those devices are more secure. That is all great news, and you can continue to improve on that security as you learn more and have more technical confidence. But you are not completely safe, because a determined attacker is probably more technical than you and knows more tricks to successfully attack your systems. All is not lost, because you can create a fail-safe plan for recovery even if your files are deleted, scrambled, or encrypted to prevent your immediate access.
    • Backup your important files to a safe location. You can manually backup your files to an external disk drive or thumb drive. While not perfect, it can be a cheap and effective way to keep an external copy of important files where an attacker can’t find them. Just be sure to remove the external drive every time you finish the manual backup. Some people store the external drive in a fireproof safe.
    • An online backup service can make automated backups to a secure folder on the internet fast, easy, and low cost. While the amount of space available and cost can vary widely, a little shopping around can allow your entire family to back up their computers for about $100 a year. That is an inexpensive insurance policy if things go sideways.
  10. New Devices – While all the about steps will take some time and energy, you have to remember that this isn’t a one-time effort. As you add new devices to your home network, you have to review these steps again to make sure the new device isn’t the weakest link in your home network.

Protecting your family starts with taking responsibility for your home security, and that includes your home network. If you perform all these steps, you are well on your way to a safer and more reliable home network.

5 Reasons to Consider Insider Threats

If you look at studies about how businesses really operate, you’ll find statistics that indicate many users share their passwords with friends and coworkers and that about a 1/3 of terminated employees still have access to their former accounts.

That should concern your company leadership team as well as IT management. Organizations spend a lot of time and money implementing security controls in an effort to manage user permissions, and they still don’t always get them correct.

Another statistic that should worry you is the growing instances of insider incidents in the past couple of years. The rate of attacks attributed to internal employees has risen sharply, with some statistics showing a 44% increase in these types of difficult to detect and highly effective kinds of attacks. If this can happen in your organization, what about your business partners, suppliers, and consulting companies?

Facts to Consider:

  1. The cloud doesn’t make detection easier – Most technology professionals will tell you that cloud-based applications make it even harder to detect malicious activity. Insiders with malicious intent can gain temporary or permanent access to your most critical applications in a cloud environment (IaaS, SaaS, PaaS) and cause havoc.
  2. Trusted Access Means Easier Attacks – Just because your key employees might need elevated permissions to perform their daily functions doesn’t mean they should be doing whatever they want whenever they want. Management needs to build structure to normal daily activity and structure alerts and reporting around abnormal behavior. This allows management to ask questions and detect fraud before major damage can happen.
  3. Guard Sensitive Data – Sensitive data (employee data, employee data, credit card data, corporate secrets, etc.) is usually the target of malicious attackers, even insiders. They may want to collect and sell the information to competitors, foreign governments, protesters, or to other hackers to help them with their future attacks. They could just want the data for blackmail, thinking they can never be fired if they hold copies of all your sensitive data.
  4. Breaches Happen Slowly – Data breaches rarely happen in one night, with a hacker breaking into your network and stealing your data while you sleep. Data stolen by insiders usually happens over weeks, months, or even years. You also probably won’t detect that data has been copied or deleted overnight. It can take many organizations months or years to even detect that something is wrong.
  5. Insider Threats are Huge – If a trusted and valuable employee turns rogue, just think of all the systems, file shares, data, and files they have access to each day. If they decided to start stealing your files and data, how long might it take for you to detect their activity, or even if you did detect something was wrong, how long would it take before you suspected that valued employee?

How to identify an insider threat: Continue reading “5 Reasons to Consider Insider Threats”

Disaster Recovery Planning

In your business, you are probably the only one tasked with understanding what types of disasters can strike your business and the task of planning to prevent those disasters from bringing down the business. As Alan Lakein said many years ago, “Failure to plan is planning to fail”. As an information technology professional, one of your many tasks is to understand the risks to your business systems and plan to prevent or overcome those risks from impacting your business.

About 40% of businesses do not re-open after a disaster and another 25% fail within one year according to the Federal Emergency Management Agency (FEMA). Similar statistics from the United States Small Business Administration indicate that over 90% of businesses fail within two years after a disaster.

Continue reading “Disaster Recovery Planning”

Cybersecurity Tips for Your Family

You often see cybersecurity tips and techniques for corporate environments, but what about tips for your friends and family? What are the basic ways your family can stay safe while online? Share these tips with you friends and family, including your older family members.

The important thing to remember is the internet is a collection of people from all over the world, including criminals. They will prey on the weak and uninformed to steal everything from them, and a little awareness can prevent someone you care about from being a victim of crime.

  • Think Before Clicking – While using the internet on your personal computer, tablet, or cellphone always think before you click that link in an email or text message. Do you know where that link with take you, and does it contain potential malware? Links in mails and text messages that claim to be password recovery solutions or links to online bank statements are among the most popular methods used by hackers to trick you and gain your personal information. When in doubt, don’t click suspicious links.
  • Use Strong Passwords – People have a tendency to underestimate the importance of passwords and will often select weak passwords. Your password is much like the deadbolt used to secure your home. That security feature is something you need to use in order to keep criminals out of your house. Your password is the deadbolt to your online accounts. You should select a long and complex password for your online accounts, and each account should have a unique password. Don’t use weak passwords or the same password on two or more accounts. A strong password is one that is really hard for someone to guess and is at least 10 characters long, with lots of numbers, letters, and symbols.
  • Use a Password Manager – A password manager is a program that saves all your passwords in one place, and those passwords are secured with encryption. You can access them with one long password. This makes it easy to create very long complex passwords for every online account, and you don’t have to worry about remembering them or writing them down. For those people that are technology averse, you can get a password book at the local bookstore to jot down their passwords. While not as easy as one on your device, it may be a suitable alternative for some people.
  • Set up Multi-factor Authentication (MFA) – If I can guess someone’s password, there is nothing that keeps me from logging into your account as you, but just setting up MFA makes that type of attack really hard. When possible, enable MFA on all your online accounts. It is a simple way to prevent unauthorized access to your accounts. MFA is usually a message or code copied from your cellphone as a second method of authenticating you to a website. It sounds much harder to use than it really is, and it can save your private data from being stolen.
  • Apply Updates – When a vendor is notified that there is a security issue with their software, they will usually issue a patch within a few weeks to block those types of future attacks. You should frequently check for patches for your devices and apply them as soon as you can because this will help keep the bad guys out of your laptop, tablet, or cellphone.
  • Use Anti-Virus Software – You can do everything correctly and you still might get malware onto your laptop. A good anti-virus program can be your last line of defense to block the execution of the malware and save your data. While not 100% effective, it is a layer of defense that can save you at the very last second when you really need help.
  • Avoid Debit Cards for Online Payments – When paying online, avoid using a debit card. If the debit card number is stolen, a fraudulent charge can empty your checking account, causing other payments to fail. Yes, you can work with your bank to have the fraudulent charges reversed, but this can take several days. During this time, you may not have access to other sources of cash, leading to major headaches.
  • Social Media is Dangerous – Reading and posting on social media sites can be educational and informative. It can also be very dangerous. People often aren’t who they say they are, and they will attempt to commit fraud. They will lie to you to steal your money, identity, or personal data. Limit what you say on social media. Avoid sharing personal details, like your home or work address, birthdays, information about your children, sensitive photographs, or images of identifying documents like airline tickets or driver’s licenses. Even a picture of your house key can invite an unwanted visitor to your home.
  • Backup Your Data – If it is important to you, you should have a copy of the data somewhere safe. All those pictures on your cellphone could be deleted by malware in seconds. Tax documents could be encrypted and you might have to pay thousands to get them back. By making a copy of the data, usually by copying the data to the cloud, you can avoid those concerns and feel safer in the process.

Just having a brief conversation about these topics with someone you care about can help them avoid a major issue down the road. Wouldn’t you rather answer a few questions about how to avoid phishing emails than a few questions about how to get their deleted files back?

How To: Blur You Home on Google Street View

Google Maps is a very helpful tool for navigating and finding your destinations around most of the world today, but some people want to live a life without strangers keeping tabs on what you are doing while at home. Does the world need to see what your home looks like or who might be visiting your home? Traditionally, people could just drive or walk past your home and take a look for themselves, but now anyone on the planet can easily visit your home, so why give away your privacy? This brief post will provide simple instructions on how to blur your house on Google Maps.

People used to consider their home a private place, but is it really private anymore if anyone in the world can search your address and take a look whenever they please? Google, and other map services, make this easy.

This is the camera pointed at your home.

There is an easy solution. Just ask Google to blur your home in Google Street view. Here’s what you need to do:

  1. Go to Google Maps and enter your home address.
  2. Go to street mode by dragging the small yellow human-shaped icon, found in the lower right-hand corner of your screen, onto the map in front of your home address.
  3. With your house in the viewfinder, click on “Report A Problem” found in the lower right-hand corner of the screen.
  4. Center the red box on your home, and select “My Home” in the request for blurring field.
  5. Fill in the required field for the reason for the request (For example, you could cite privacy concerns).
  6. Enter your email address and “submit”. They use a reCAPTCHA verification service, so click “I am not a robot” before submission.
  7. Check back to see when your request has been completed.

It can take months for Google to respond, which you can assume they are using this time to verify your connection to this address (they know enough about you that they should be able to confirm your address is about 2 seconds). They could respond back with a request for more information, forcing you to start all over, but they normally respect your request and immediately blur the selected site in Street View.

You can make similar requests to other mapping applications.


  1. You must have a connection to the address before the map service blurs the images. You can’t start blurring the entire planet.
  2. The blur applied to the pictures is only the street-level images. Satellite and other images will not have a blur applied, which is fine because they have limited privacy concerns.
  3. The blur is permanent. There is currently no way to have the blur removed, even if you buy a house at a currently blurred site.

Effective Disaster Recovery Planning

In your business, you might be the only one tasked with understanding what types of disasters can strike your business and assigned the responsibility of planning to prevent those disasters from bringing down the business. As Alan Lakein said many years ago, “Failure to plan is planning to fail”. As an information technology professional, one of your many tasks is to understand the risks to your business systems and plan to prevent or overcome those risks from impacting your business.

About 40% of businesses do not re-open after a disaster and another 25% fail within one year according to the Federal Emergency Management Agency (FEMA). Similar statistics from the United States Small Business Administration indicate that over 90% of businesses fail within two years after a disaster.

Understand The Risk

Do you fully understand the risks to your business? Have you looked at the systems your business uses and depends on each day and thought about what would happen if those systems were unavailable? Have you thought about the common risks for the area? These risks could include tornadoes, earth quakes, hurricanes, floods, etc.

Maybe there are man-made risks unique to your location, like frequent power outages, dangerous break-ins, poor building construction, etc. Each of these unique threats can be just as dangerous as natural disasters. You don’t want someone stealing your servers or hard drives in the middle of the night, or cracks in the walls leading to mice chewing through your network or power cables.

Written Plan

You need to think about each of the risk scenarios, and write down your plan for how you and your team would address each scenario to keep the business up and running with minimal down time. You may have to adjust the plan to address concerns about cost and time, and there may be periodic changes as systems and risks change.

  1. List of Employees (what they do, when they do it, why they do it, etc.)
  2. Inventory Systems (office equipment, servers, laptops, etc.)
  3. Office Space Requirements (you will need space to restore your systems, but can everything be done remotely, or will the users need office space to access restored systems)
  4. Insurance and Budget Concerns (who will provide money during an actual recovery)
  5. Share The Plan (make sure you aren’t the only one with a copy of the plan, and make sure the plan can survive the disaster)


Just like database backups aren’t useful if you can’t restore them, a Disaster Recovery Plan is worthless if you can’t implement the plan. You should conduct a formal test at least once each calendar year, testing if the plan will work for one or more of the scenarios you are planning against. The test should be a realistic as possible, and make sure you have a method of measuring the level of success.

There will be issues, like a system that wasn’t included in the written plan or a technical issue that you didn’t know existed. An issue could be something a simple as unknown system passwords or a missing software installation key. But that is what a test is all about. You have to test to find those little things that were forgotten or unknown, and then update the written plan to make sure it isn’t an issue during the next test. Eventually you will have everything you need addressed in the plan, and the next test will go smoothly. That means in the event of an actual disaster, when your team is confused and under an elevated level of stress, you are more likely to get these core production systems up and running quickly.

Don’t allow your business to fail because of an interruption you could have resolved with the proper planning and some simple testing.

Hacking Attack Prevention Tips

The volume and sophistication of cyber attacks has increased in the last several years, and you should be worried if you have done enough to protect your personal and business assets from attacks by hackers on the internet. Companies of all sizes, including even small government agencies, have all been the target of malicious hackers lately.  With increased publicity comes increased awareness by the general public about how dangerous data breaches can be so there has also been increased interest in preventing hacker attacks.

Just to be clear, any device with internet access is subject to attack. This includes your cellphone, tablet, and laptop. With the increase in small devices with internet access, like thermostats, toasters, video cameras, etc. the huge numbers of devices subject to attack has made securing all devices from all attacks a huge undertaking.

There are a few things that you can constantly do to minimize your risk of an attack from a random attacker looking for an easy target.

  1. Apply Updates – No system is immune from flaws in the software and firmware used by your device. Flaws are found every day, sometimes in systems that have been working correctly for many years. When these flaws are found, patches are released to remove the vulnerability and make the system safer. Once a vulnerability is found and made public, many hackers start looking for system specifically missing the vendor patch so they can successfully attack the vulnerable system and gain entry into the system so they can collect your money.  The easiest way to prevent these easy attacks is to apply vendor updates as soon as they are available.
  2. Password Security – Passwords are the key to access into your systems. The more complex the key, the harder it is to bypass the lock. Use complex passwords (at least 10 characters long, include uppercase, lowercase, numbers, and at least one special character), don’t use the same password on more than one site or application, and change your passwords often. If possible, enable multi-factor authentication. This allows you to use a username and password (something you know) with a special code sent to your cellphone (something you have). If a hacker steals or guesses your password, he still has the extra hurdle of getting the code from your cellphone. While not foolproof, it will slow down casual attacks.
  3.  Email Phishing Awareness- Everyone knows email is the easy entry point for malware into your business and personal systems.  We all have email accounts, and we often read and respond to email without really spending time to verify the email was sent from the person we think it was sent from before we open the attachments or click on embedded links. Hackers know this and target you with fake emails intended to get users to allow malware into their systems or to provide credentials that can be stolen before we realize what happened. Training on how to spot and delete phony emails is important.
  4. Anti-Virus Software – A good anti-virus program will help protect your system from virus programs, malware, phishing attacks, drive-by downloads, malicious attachments, and ransomware. You should use anti-virus software on all systems, including servers, laptops, desktops, and even MacOS and Linux systems. While no tool will make you 100% safe from malware and other attacks, they will stop most automated attacks with little or no work required from the user.
  5. Network Segmentation – When a hacker attacks an exposed endpoint, that endpoint is rarely the intended final target. The target is the entire network, with your laptop as the entry point so they can move from your laptop to any other endpoint, including servers and databases that contain company assets, customer data, bank accounts, credit cards, etc. Network segmentation is attempting to build virtual walls around groups of systems to prevent uncontrolled access between laptops and servers, and to better protect those systems that contain sensitive data. This is work normally done by a trained IT staff.
  6. File Backups – While you may still be a victim of a successful attack even if you make just one mistake, the impact of that attack will be much smaller if you have consistent backups of your important data. A ransomware attack can encrypt all the files on your laptop and cost you thousands of dollars to recover them from the hacker. With a simple backup of your files, if you are attacked with ransomware, you can format the drive and reinstall your operating system, then recover your files from the backup without paying the hacker any money.
  7. Detection and Alerting – Building systems into your network that will alert you when an abnormal condition exists is important to alerting you as an attack is happening. Having a system that collects and analyzes system logs (SIEM) and can alert you in real-time as malicious activity is occurring is essential to reacting to an attack before they have compromised your network. Most social media sites will also alert you to abnormal or suspicious activities, so don’t ignore those messages.

While you will never be 100% protected from cyber-attacks as long as you use the internet, it is important that you learn how to protect yourself to reduce the risk of a successful attack.

Windows Sandbox in Windows 10

Added to Windows 10 version 1903 (May 2019 Update), Microsoft introduced the Windows Sandbox feature. Windows Sandbox feature helps you run programs in isolation without affecting your Windows 10 host. The Sandbox feature is designed to allow you to test unknown or suspicious programs in an environment that cannot make changes to the Windows 10 host or the data on that host machine.

Using the Sandbox

Step 1: Launch typing “Windows Sandbox” in the Start/Taskbar search field and then hitting the Enter key.

Step 2: After the Sandbox is launched, copy and paste the program setup file that you want to run into Sandbox. You can also use the Edge browser in the Sandbox to download the program you want to test.

Step 3: Run the setup file and install any program. Use the Start menu in the Sandbox to launch any program. Use any program like you would do in the regular desktop environment.

Step 4: Once you are done testing the program, just close the Sandbox to delete any program installed in the Sandbox. This will also delete any data from the Sandbox. Any program or file that you downloaded during the Sandbox session will be removed permanently.

Note: If you cannot find the Windows Sandbox, it’s likely because the feature is turned off or you don’t have a version of Windows 10 that includes this feature.

Don’t be Stupid

Are you a man in IT that thinks a women can’t do your job? Do you think that what you do (writing software code, creating database objects, or managing a project) is just too hard for a woman? Yes, there are still people who believe this and they are also stupid and sexist. This interesting article explains why this outdated thinking is stupid, and where this type of thinking it still exists today.

This is “Amazing” Grace Hopper. She took leave from Vassar to join the Navy, where she invented or helped invent the entirety of all modern computer science, including nearly every wimpy-ass tool your wimpy ass laughingly refers to as “coding.” Compared to her, you’re nothing but a little kid playing with Tinker toys. Tinker toys she invented, by the way.

You want to see hardcore programming? I’ll show you hardcore programming:

This is what real hardcore coders do. No compilers, no syntax checkers, just a teletype machine and a bunch of fucking switches that change the computer’s memory and registers directly.

And you know what? For her, that was luxury. She and all the other early computer programmers–almost all of whom were women, by the way–started out programming by plugging patch cords into plugboards, because that’s how they rolled.

Women have a long and important history with technology, and your time would be better spent on improving technology instead of wasting time thinking men are better than women.

How to Be More Productive

Wake Up With More Energy

Many people feel tired in the morning not because they didn’t sleep enough but because they have low blood sugar. Stabilize you blood sugar and get more/better sleep. Right away, a lot of people will go from feeling groggy to feeling alert when they wake up.

Double Your Reading Speed in Five Minutes

Write down a sentence, any sentence that has eight to 12 words and fills a single line on a page or screen. If you read it by starting your fixation on the first word of the line and ending on the last word, you’re wasting about 50 percent of your peripheral vision on margins. Instead, simply make your starting point two or three words in from the left side and your ending point two or three words in from the right side; you will double your reading speed. You can try this by underlining that portion of the sentence as a guide. You still see the edges of the text, but you’ve eliminated the margins. Continue reading “How to Be More Productive”

8 Small Business Cybersecurity Tips

There are about 80 million businesses worldwide who meet the “small or medium business” (SMB) definition. Businesses with less than 300 employees can’t always afford someone to tell them what they can do to develop a more mature security posture or how to educate employees to be smarter about their cybersecurity practices. Most of the successful cybersecurity attacks are with small businesses and small government entities. Since the average cyberattack will cost them about $200k and a ransomware attack can force them out of business, we should talk about the basics of cybersecurity defense.

  1. Make sure you require complex passwords for every system. This means changing any vendor default passwords, not allowing simple or common passwords, and teaching your employees how to select a good password.
  2. Configure Multi-Factor Authentication (MFA) on all accounts. Just by requiring MFA to access business accounts you can prevent about 99% of all online attacks. The hackers might steal or guess your password, but it is much harder to access something like your cellphone.
  3. Use a separate account for performing administrative tasks for all your on-premise and cloud business accounts. Use this new account to only perform administrative actions, not to browse the internet or check email, and your risk of account compromise is significantly reduced.
  4. Install, properly configure, and use an antivirus solution that accesses the cloud to better protect your systems from the internet threats. This includes all your user computers and all servers.
  5. Backup your important files to the cloud. Using an automated solution to automatically backup your files to the cloud can prevent a successful ransomware attack from locking you out of your critical files.
  6. Don’t allow your users to configure email auto-forwarding rules in O365. If your account is hacked, one of the first things the attacker will do is configure auto-forwarding rules to exfiltrate your data to their systems across the internet. If you prevent this activity, it will slow down the attack and allow you more time to react. With alerts configured, you will get an email when the attacker attempts to create a new rule, giving you notice that an attack is underway.
  7. Use your available online tools to get tips and suggestions. Things like the Microsoft O365 Secure Score can be a really helpful source of useful tips and techniques for leveraging many more security settings to improve your overall security, and these tips are free just for having an O365 account.
  8. Educate your users about the threats on the internet. Billions of users have internet access, and not all of them have your best interests in mind. Warn users about sharing too much personal information on social media, discuss how to identify phishing emails, and provide guidance on who they need to contact if they aren’t sure about clicking on a link.

You need to think about how you use the services and systems that you have access to each day and determine what data you share has value, what processes are at a high risk, and how a malicious user might monetize your activity. A little work today can pay big dividends during an attack.

Follow these simple tips to start getting some confidence around your security posture, and build on each item as threats and systems change.

Responding to Ransomware Attacks

In the event that your personal computer or even the computers on your corporate network fall victim to a successful ransomware attack, an effective response plan determine the difference between disaster and successful recovery. If you are impacted by a company-wide malware infection that takes down multiple endpoints, it could mean a permanent business closure if you are unable to recover critical data.

We will discuss  how you might respond in the beginning of an attack to help remediate any issues before you make some wrong decisions.

How to respond to a ransomware attack

If preventative measures fail, like hardening your systems from Mimikatz attacks (links here and here), making users more cybersecurity aware with Security Awareness Training tips, and all the Windows 10 hardening tips didn’t work, then your organization should take the following actions immediately after identifying a successful ransomware infection.

If you have an Incident Recovery Plan, execute the notification process and get all the teams required started communicating and remediating the systems impacted by the attack.

1. Quarantine Infected Systems

The majority of ransomware attacks will include a function to scan the target network, identifying other systems on the same network that can also be targeted for attack, and then encrypting all the files stored on network shares or other computers as the attackers movers laterally across the network. To help contain any  infection and to prevent the ransomware from spreading to all infected systems the infected systems must be removed from the network as soon as possible. This will significantly slow the spread and buy you time for analysis and troubleshooting before everything is rendered useless.

Note: This includes blocking them from wired and wireless network access.

This will also help prevent infected system from access resources like internal email, backup systems, employee record systems, critical databases, etc.

2. Block Internet Access

Every system on the network may already have the malware copied to the system and it just might not have started the encryption process yet because it hasn’t been able to access the command and control server on the internet. Disconnect all systems from the internet. Those that are still working will not start encrypting the drives, and those already encrypting have been removed from their ability to communicate to the safe systems by the step listed above.

Note: This includes blocking internet access from wired and wireless networks.

Now you have known bad systems (they are actively encrypting the user files or have already encrypted all the user files) isolated from the network (can’t see other systems on your network) and are blocked from the internet (can’t see other systems on the internet). You also have suspected good systems that are blocked from accessing the internet and are disconnected from the bad systems. You can now verify those clean looking systems are definitely clean and return them to normal as you are sure they are not infected. More about that in Step  5 below.

3. Identify Ransomware

Identify the “brand” of ransomware that has infected your systems. While this might seem strange, there are many types of ransomware from many different malware groups. Knowing which one has infected your systems could help you better identify the methods used in the attack, how to stop the spread, and how you might be able to get your data back without paying a ransom.

There have been instances of law enforcement agencies shutting down a  ransomware authors “business” and releasing the decryption keys. Also older  ransomware from groups that no longer are actively infecting new systems have sometimes released their decryption keys.

You can visit a  website like this to help identify which malware has infected your systems so you can get help stopping, removing, and decrypting your locked files. To get a better understanding of the volume of internet threats that exist today, a visual threat map can be helpful. This threat map from Fortinet helps visualize the threats in a more “real-time” visual presentation.

4. Disable Scheduled Tasks

You  should immediately disable any automated or system-scheduled maintenance tasks such as user or system clean-up routines, log deletion tasks,  deleting old backup files, etc. because these automated tasks can remove files you might wish you had later, might be something  your forensic teams might need, or you might perform an action that could prevent a successful remediation from the ransomware attack.

5. Remove Ransomware from Infected Systems

You can use available antivirus tools to identify and successfully remove the ransomware from your computer. If you are already using anti-virus and it didn’t stop the infection, this is probably a good time to investigate your current configuration issues or get a better solution. Once you have scanned and cleaned the system, it is ready to restore your files.

Once you find the right software to scan and detect the malware, run the scanner on all your systems, not just the infected systems. You might think you know which systems are infected, but the scanner can help you determine which systems are actually infected.  You want to do the clean-up and remediation just one time, so do it right the first time.

6. Don’t Pay the Ransom

Note: Only restore your files to systems that you know are clean.

I realize you may not have an option if your critical business files are encrypted, you don’t have good backups you can recover, and you can’t find a free decryption tool. If backups are unavailable or damaged and there is no free decryption tool available, you will be tempted to pay the ransom and recover your files. Just remember you may pay the ransom and still not get your files back. These people are criminals looking for easy money, they are not in the business of being your friend.

While paying the ransom may seem like an easy answer, only consider paying the ransom if all other options have been exhausted and the loss of data will likely result in your company going out of business. Paying the ransom might also get you into trouble with the law, so be very careful and consult an attorney.

7. Restore Your Backups

Note: Only restore your files to systems that you know are clean.

Hopefully you were able to jump right past Step 6 (Don’t Pay the Ransom) because you know not to pay a ransom to a criminal because it only encourages them and finances their next attack. You don’t need to pay the ransom because you either don’t need the files that were encrypted, you were able to find a free decryption tool, or you had good backups ready for you to use.

Restoring backups can take a long time, be difficult to perform, and you still might lose some data. If you have been verifying your backups, practicing the restore process at least once a year, and have a well documented process the effort will be less likely to fail.

If your user files are also backed up to the cloud using a tool like OneDrive, this might also be useful and a quick way to restore a user’s personal files including documents, music, and pictures.

8. Restore Network

Now that you know which systems are clean, the cleaned machine can have access to the internet and other network resources. The infected machines can be cleaned one at a time, files can be restored, then the systems can be returned to the proper network.

Don’t forget to restore internet access for the clean systems. Once you have verified your backup files won’t be over-written, the log files are intact, and what files are required for the audit and forensics teams are saved, you can re-enable scheduled tasks that you have reviewed and know are safe to enable.

9. Change Passwords

Now that you know someone has had access to your systems, you can’t be sure they did not steal your user and system passwords. Have all users reset their passwords. Reset the passwords for all service accounts, accounts used to run scheduled tasks, the KRBTGT account (used by Active Directory), and any enabled accounts used by your systems. Make sure all administrator-level users also change their passwords. Do a full inventory of accounts, looking at the last time the password was changed, and either change the password or disable the account.

10. Investigate Intrusion

Things are now back to normal. Users are back onto their computers, the files are all back where they should be, and users are back to work and not on the telephone with you. That doesn’t mean you are done.

You have to look at what happened so you can make sure it doesn’t happen again.

  • How was the ransomware able to get past your computer controls and be easily installed onto a user’s computer without being detected? Was it a user bypassing a control (authorized or unauthorized), or did the ransomware just not get stopped by any existing security control?
  • Are there changes required to your anti-virus software to make it a stronger defense against ransomware? Is it time to remove the existing solution and replace it with something more powerful or can you just change the configuration of the solution you already own to make it work better?
  • Do you need to make changes to the hardening of your Windows 10 devices to make it harder to bypass your security controls and encrypt the users files?
  • Do you need to alter or improve your corporate firewall controls? What about the security of your remote users and they way they connect to the Virtual Private Network (VPN)?
  • Do you need to make changes to your network to make it harder for software running on the user’s computer to get access to systems like Domain Controllers, Database Servers, File Servers, Web Servers, etc.?
  • Do you need to change the way you perform (or don’t perform) backups of user and system files? How about changes to the way you restore files? Do you have adequate documentation of the procedures used for backing up and restoring files?
  • Do user accounts have the correct level of authorization? Maybe now is a good time to remove elevated permissions from normal users, limit who has elevated permissions, and lock down the use of all admin-level accounts?


If you need help, now is the time to really get some help figuring out the changes that can help prevent a repeat of the security event. A ransomware incident can stop a company from normal business for days, weeks, or forever.  It can chase away customers, compromise business critical data, and cost you a lot of money to remediate.

Looking at the steps required now can help you practice and plan for a future incident. Careful planning, remediation of security gaps, and technical training can help prevent a successful ransomware attack, shorten the remediation timeline, and help promote confidence in your Information Technology team.

Helping Prevent Mimikatz Attacks

Mimikatz is a hacking tool that can be used to attack your endpoint in an attempt to “steal” any passwords that may exist on your Windows device. It can also play a role in internal penetration testing or red team exercises to test an attack on your network devices. Mimikatz is very effective and in a lot of cases it can lead to lateral movement and eventual escalation to domain control.

You should also consider that Mimikatz can only dump credentials and password hashes if it is executed as a privilege user like the built-in local administrator account. If you are logged into your Windows device as a local administrator, Mimikatz can be run and it probably will disclose your password.

Once of the things Mimikatz requires to run successfully is the debug privilege. The “Debug Privilege” is a permission that determines which users can attach a debugger to any process or to the kernel. By default this privilege is given to Local Administrators, but it is highly unlikely that a Local Administrator will need this privilege unless you are a programmer or have a specific reason to need this permission.

To help prevent Mimikatz from running successfully, just remove this “Debug Privilege” permission from all users. Mimikatz requires this privilege as it interacts with processes such as LSASS. It is important to set this privilege only to the specific group of people that will need this permission and remove it from the Local Administrators. The SeDebugPrivilege can be disabled by defining the policy to contain no users or groups.

Continue reading “Helping Prevent Mimikatz Attacks”

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Gain access through any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications to the compromised device, usually though a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attackers command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 Steps to a reducing a lateral movement attack:

Continue reading “10 Steps to Stopping Lateral Movement Attacks”

Cloud Comparison: AWS vs. Azure vs. GCP

Three vendors, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP),  dominate the public cloud computing market. When it comes to infrastructure as a service (IaaS) and platform as a service (PaaS), these three huge vendors have a significant lead on other contenders in the field. Lets talk about the services provided and compare the major features offered by each vendor.

Many IT experts recommend that enterprise teams evaluate their public cloud needs to match specific applications and workloads with the vendor that offers the best fit for their needs. Each vendor has particular strengths and weaknesses that make them a good choice for certain projects.


Compute is described as the processing power that the cloud service offers to support your business workloads. In general, the more compute power offered the better is can be for your business. Since more compute can cost more money, the price also plays a significant role in understanding the offered compute power.

Startups can find the cloud-based compute model most beneficial because this approach allows them to order extra compute power anytime they want without worrying about long-term installation, maintenance, and hardware costs. You can start small and move to more compute power as required to keep compute costs as small as possible.

AWS – Elastic Compute Cloud: Amazon’s flagship compute service is Elastic Compute Cloud, or EC2. Amazon describes EC2 as “a web service that provides secure, resizable compute capacity in the cloud.” EC2 offers a wide variety of options, including a huge assortment of instances, support for both Windows and Linux, bare metal instances (currently a preview), GPU instances, high-performance computing, auto scaling and more. AWS offers a free tier for EC2 that includes 750 hours per month of t2.micro instances for up to twelve months.

Azure – Virtual Machines: Microsoft’s primary compute service is simply known as Virtual Machines. Azure supports Linux, Windows Server, SQL Server, Oracle, IBM, and SAP. Like AWS, Azure has an extremely large catalog of available instances, including GPU and high-performance computing options. Azure has also added instances optimized for artificial intelligence and machine learning. Azure has a free tier with 750 hours per month of Windows or Linux B1S virtual machines for a year.

GCPCompute Engine: Google’s catalog of compute services is somewhat shorter than AWS or Azure. Their primary service is called Compute Engine, which includes both custom and predefined machine types, per-second billing, Linux and Windows support, automatic discounts, and carbon-neutral infrastructure that uses half the energy of typical data centers. GCP offers a free tier that includes one f1-micro instance per month for up to 12 months.

Continue reading “Cloud Comparison: AWS vs. Azure vs. GCP”

Defending Against Mimikatz in Windows 10

A offensive security tool developed by Benjamin Delpy in 2011 is named Mimikatz.  Mimikatz is a free tool that tries to scrape the memory of the target computer looking for the process responsible for Windows authentication(LSASS) to reveal cleartext passwords and NTLM hashes that the attacker can then use to attack other computers on the same network. The attacker can then escalate their account privilege either by authenticating with the clear text credentials they just stole or by simply passing the stolen hash.

Mimikatz has been used by nation-state attackers, the first known case being the 2011 hack of the now-defunct Dutch certificate authority DigiNotar.  The attackers issued bogus certificates for Google and used them to spy on the Gmail accounts of several hundred thousand Iranian users. Mimikatz has since been used by many malware creators to automate the spread of their worms, including the NotPetya attack and the 2017 BadRabbit ransomware outbreak. Mimikatz will likely remain an effective offensive security tool on Windows platforms for many years to come.

Mimikatz exploits Windows single sign-on (SSO) functionality to harvest credentials. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but also loads the secret key to decrypt them. WDigest has been a useful feature for authenticating large numbers of users on an enterprise or government network, but also let Mimikatz exploit this feature by dumping memory and extracting the passwords.


Microsoft has reacted (somewhat slowly) to Mimikatz by publishing changes to address the security vulnerabilities identified, but you must apply the patches and recommendations below to address this security issue.

Continue reading “Defending Against Mimikatz in Windows 10”

Deciding on Microsoft Intune


Many companies are trying to figure out how to handle their mobile device management at their business. Many will buy a product that performs some or all of the functions they need, or at least they think they need. As their needs mature or as requirements change, they may need to change the solution to a different product. I think the full-featured product that many companies need is Microsoft Endpoint Management, also known as Microsoft Intune. Intune is Microsoft’s answer to mobile-device management for Windows centric companies, and it is so very simple to use.

Intune will allow you to enroll all your Windows 10, macOS, iPadOS, and Android devices. Once a device is enrolled, it can be configured, applications can be installed, and devices can be wiped when they no longer need to be managed.

As you can imagine, effective configuration and application management across all business devices, including advanced security settings on multiple operating systems, using one powerful and easy-to-use interface will make support and training much easier, and your business will save money and time.

It is a popular and cost effective cloud-based tool that gives all employees access to corporate applications on their assigned endpoint,  along with conditional access to corporate data, and is simplifies the deployment of those settings, applications, and access to sensitive data to easily support hundreds or even thousands of employees with very little hands-on work by your technology team.

If you have your technology team buying and manually building laptops as you hire new employees you already know how difficult, time consuming, and manual that process can be, even if you have automated some of those steps. You need to deploy a new application to all employees? Simple, just send someone to all your users and they can install the software from a network share or flash drive. Maybe you have automated some of these steps and you deploy the new software via GPO? How long does it take for your remote workforce to finally make a VPN connection to the corporate network to get the new software? How easy is it to determine who is still missing the new software package or has installation errors?

  • How easy would it be to implement 10-20 new security settings to all your users laptops overnight?
  • How easy will it be to remove software they aren’t supposed to have installed, even if you can detect it exists on their laptop?
  • Do you have an accurate and up-to-date asset inventory of user laptops and what software is actually installed?
  • Are you able to detect missing patches to the OS and all the installed software for every user?
  • Can you make sure users are even trying to install patches on their laptops?

Remote workers that never connect to the corporate network make this management process even more difficult.

Do you have a solution to this issue? I think Microsoft Intune may be the solution to your problem, and it may already be included in your O365 licensing.

Let’s talk about some of the reasons I like Microsoft Intune.

Continue reading “Deciding on Microsoft Intune”

%d bloggers like this: