Beware the Coronavirus Email Scams

COVID-19 is not the only virus associated with the global outbreak. As predictably as night follows day, cybercriminals are using the epidemic as the moment to attack.

While phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems have been a top cybersecurity challenge for years now, the increasing number of coronavirus-based phishing emails is especially nefarious because these emails prey on the health concerns of the public.

The Attacker Mentality

Most companies are in some degree of chaos due to the pandemic, from disaster recovery efforts to struggles with business continuity—the perfect setting for cybercriminals to sneak in. With the majority of enabled workforces moving remote, network traffic is coming from all over the map and IT teams are swamped with making the work-from-home transition possible. What better time to hide attacks than in this varied onslaught of “new” traffic?

In addition, it is only human for individuals to want the latest information on the coronavirus, making them all the more likely to click on the attacker’s bait. What better place to put an attack than under the guise of “Pandemic Details”?

Cybercriminals aren’t under quarantine and are actively taking these unprecedented times as opportunities to strike.

New Risks from Multiple Angles

Warnings have been sent regarding phishing emails that mention the coronavirus or COVID-19 outbreak and falsely claim to originate from business partners or public health institutions, but as we saw above, many normal cautionary measures are being ignored in the search for more information regarding the outbreak. Phishing emails appearing to be related to remote work or emergency planning are also becoming a popular method to collect employee usernames and passwords. Fake Centers for Disease Control and Prevention (CDC) emails or other “official” communications are an especially malicious method to tempt users into opening them and infecting their IT systems.

Phishing and social-engineering campaigns using COVID-19 as a lure have greatly increased. According to a recent report, more than 16,000 new coronavirus-related domains have been registered since January. More than 2,200 of them are suspicious and another 93 are being used to serve malware.

Other activities targeting coronavirus fears include fraudulent or spoofed purchase orders for hand sanitizer or other protective equipment that can lead to payments or wire transfers to fraudulent accounts.

Feeding off the public’s ever-growing, legitimate concern over COVID-19, cybercriminals are taking advantage of every avenue for attack, making protecting data and systems a multi-faceted effort.

Your First Defense: Be Aware

Protecting businesses and individuals from potential attacks hiding in plain sight starts with awareness of the heightened risks in their varied forms.

Be careful and take your time to check for phishing attempts in email before opening or clicking. Look closely at who the sender is, scrutinize the subject lines and email content for red flags (example: is it an outlandish claim or obvious scare tactic?), hover over and review links before you click, double-check links or URLs, and use trusted sources.

Keep confidential information confidential. This means credentials, credit card information, or sensitive data – yours, your company’s, and your clients’. If you receive a request for a username and password, always be sure to check with your IT lead.

When shopping online, use the same method you would use to check for phishing emails to vet any potential fraud—double check sellers and product claims, find trusted sources and verifiable reviews, and read all the fine print before handing over any personal information.

Even the best defense tools and systems still require a diligent human eye to stay on top of the latest threats, as cybercriminals will continue to find new, inventive ways to strike as the crisis continues.

Stronger Security from the Inside Out

Remember, “reasonable security” is still the rule of the day, but enacting and following stricter protocols is important as the pandemic wears on. Being aware of the recommended practices and security measures is the first step towards better security. See our full list of critical cybersecurity tips for working remote through the coronavirus here.

Stay vigilant—cybersecurity is not immune to the remote work risks from COVID-19.

Committing to your business’s IT security shouldn’t only be a priority during an unprecedented event, like the COVID-19 pandemic. Making sure your infrastructure, mission-critical applications, data, and employees are protected is a 24/7/365 job—and managed security partners like Ntirety can help take that burden off your internal IT team and give your entire company peace of mind.

We’re here to help win this fight together. Find out how Ntirety’s IT and Security teams can help enhance your cybersecurity posture by scheduling a Security Vulnerability Assessment today.

COVID-19: Managing Cyber Security Risks of Remote Work

With cases of the Novel Coronavirus (COVID-19) emerging in every state, many businesses are taking swift action in an effort to curb its spread.

Teleworking, “remote working,” or simply “working from home,” is a centerpiece of those efforts. While remote working arrangements may be effective to slow the community spread of COVID-19 from person to person, they present cybersecurity challenges that can be different from those of on-premises work.

If your business is new to these remote work situations, it is crucial to evaluate and ensure your infrastructure, applications, and data are protected—starting with the policies your company already has in place for cybersecurity and business continuity.

Evaluate Current IT Policies

Review your current IT security and similar IT policies to determine if there are any established security guidelines for remote work, especially remote access to company information systems. Some organizations may have policies specifically geared for remote work, while others may provide for contingencies in disaster recovery plans, BYOD (bring your own device) policies, and other similar plans and policies.

It is important to identify where gaps in your security policies may be hiding and cover any vulnerabilities early.

Below is a list of considerations and tips to help guide your business through the new cybersecurity challenges it may be facing with a new remote workforce.

Remote Work Cybersecurity Tips

  • Educating every company employee on security measures (pre-existing or new for remote work) is critical to safeguarding access to information and mission-critical systems. This can often include confidential information, protected intellectual property, proprietary product information, customer information, employee files, and other personal data.
  • Do not allow sharing of work computers and other devices. When employees bring work devices home, those devices should not be shared with or used by anyone else in the home. This reduces the risk of unauthorized or inadvertent access to protected company information.
  • Company information should never be downloaded or saved to employees’ personal devices or cloud services, including employees’ own computers, thumb drives, or personal Google Drive or Dropbox accounts.
  • Be sure all employees reboot their computers to ensure that all versions of software are up to date with all necessary patches.
  • Be on the lookout for phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems. There is an increasing number of Coronavirus-based phishing emails going around, preying on the health concerns of the public, with a variety of COVID-19-related topics such as general financial relief, airline carrier refunds, fake cures and vaccines, fake testing kits, and/or claims to be related to a government or charitable organization. With the approval of the economic stabilization package, you must be especially wary of any emails asking you to verify your personal information to receive funds from the government as well.
  • Sensitive information, such as certain types of personal data (e.g., personnel records, medical records, financial records), that is stored on or sent to or from remote devices should be encrypted in transit and at rest on the device and on removable media used by the device.
  • A key to cybersecurity when working remotely is coordinated visibility of IT systems. Using tools and processes like log review, attack detection, incident response and recovery gives businesses a proactive stance when it comes to protecting data. For companies that don’t have these measures already in place before shifting to a remote workforce, engaging with cybersecurity partners to provide managed services can relieve internal teams already stretched thin from the pandemic. Ntirety’s Security Operations Center (SOC) provides this peace of mind through trusted services to monitor and mitigate any issues that may arise.
  • Implementing Multi-Factor Authentication (MFA), sometimes referred to as Two-Factor Authentication (2FA), adds multiple layers of access security by going beyond simply asking for a username and password. Users must provide additional credentials, such as a code from the user’s smartphone, the answer to a security question, a fingerprint, or even facial recognition. MFA is also often a requirement to meet compliance standards, which companies must continue to uphold through remote work situations.
  • Virtual Private Networks (VPNs) ensure that internet traffic is encrypted, especially if connected to a public Wi-Fi network. If your organization already uses VPN, make sure it covers all departments and all employees. If your company does not use VPN, it is crucial to the security of your business IT to implement this remote work tool. Learn more about VPN and other IT solutions that make remote work more secure and streamlined here.
  • Additional security measures, such as email filtering, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and User Behavioral Analytics, just to name a few, can bolster a cybersecurity team by automating some of the necessary monitoring and defense responses. Once up and running, these tools and processes can give time and focus back to internal IT teams to help their company manage the new remote workforce reality COVID-19 has brought upon us all.

Following Best Practices is the Best Defense

Whether working remote or in-office, following and integrating these cybersecurity tips into company-wide IT policies will help protect your business’s data while helping employees protect themselves from coronavirus through social distancing.

Above all–stay vigilant. Cybersecurity is not immune to the remote work risks from COVID-19.

Learn more about ways your business can boost your IT security for the remote workforce and beyond. Contact Ntirety’s IT experts to start building a stronger cybersecurity policy today.

Ransomware Response – The Confluence of Security and Disaster Recovery

If at least one major threat could be taken off the table of the cyber-threat landscape, the world would be a better place.

Eradicating ransomware is a wish list item that the technology industry pushes hard to achieve. Despite valiant efforts, the prevalence of ransomware continues its rise. Even the best technologies, combined with awareness campaigns, can only stem the tide of this threat. It is extremely difficult to prevent these incidents from happening, but we can prevent ransomware from mattering through a focused recovery strategy.

Growing Attack Numbers, Growing Risk

Many have become immune to the shock of these attack stories, but the recovery costs remain staggering for this digital plague. Reports indicate that the total estimated cost of US ransomware attacks for 2019 was over $7 billion, with an average recovery cost of $1.4 million per attack for an individual organization.

Even industry giants are vulnerable—manufacturer Visser Precision reported in early March 2020 that it was hit by ransomware DoppelPaymer, which began publishing breached data online from Visser customers including Tesla, SpaceX, Boeing and Lockheed Martin. Their case is still ongoing.

Ransomware is a common doctrine for cybercriminals and state-sponsored parties because mobilizing a cyber-offensive army is one of the cheapest threats to leverage and develop. A rogue nation or criminal operation does not need to buy tanks, airplanes, or organize the logistics that come along with an offensive operation—these operations can inflict maximum damage with digital currencies, credit cards, and an internet connection. Cyberwarfare and ransomware attacks have become a great equalizer against enterprise security on the battlefront for global power and influence.

Shifting Definition of “Disaster”

In many ways, the definition of a “disaster” has changed in the IT landscape. At one time, the concept of disaster recovery incorporated absorbable risks, a calculation that IT could put together and plan around. For example, there’s a probability that can be determined of a hurricane affecting a Florida datacenter, a tornado-alley storm knocking out power to a corporate IT center, “Billy-Backhoe” cutting a non-redundant fiber route during nearby construction…

These are disasters that businesses can envision, establish recovery plans for and have a general sense of when they are most likely to occur. Even with the current global COVID-19 pandemic, organizations can take proactive measures through cloud-based tools and business continuity plans to combat the potential risks to customers, employees, and the company as a whole before disaster truly strikes.

But Ransomware differs in that it can come any time, from anywhere, and once an attack hits, an outage can effectively shut a business down for days, even weeks on end. The ransomware threat is virtual and therefore mobile, and its timing is less easily predicted, yet its impact could be as great as, if not greater than, that of the physical disasters people have long contemplated. Fortunately, some of the same recovery tactics we have long considered can be perfect tools for a speedy recovery – not involving ransom.

Standard Disaster Recovery Services, when offered in an indexed manner, can enable restoration to a prior version of an application or environment replicated before infection by Ransomware. In usual Business Continuity planning you strive for the lowest tolerable RPO (Recovery Point Objective) and RTO (Recovery Time Objective), whereas in a Ransomware situation a company may accept a longer RPO to lower the RTO. Basically, one would sacrifice some data aggregated between when the Ransomware was placed and when it was triggered. While there would no doubt be data loss, the functional recovery of the system(s) could be much quicker—and with no ransom paid. Such disaster recovery planning involves increased storage of version snapshots and may drive up some costs. However, the ever-decreasing cost of storage and the ever-increasing frequency of Ransomware “disasters” will drive a confluence of Security and Disaster Recovery considerations henceforth.
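The trade-off described above, worked through on a snapshot index. This is an added example, not Ntirety's tooling: the function names, the daily snapshot schedule, the retention periods and all dates are constructed assumptions, and the placement time is assumed to come from a forensic estimate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class RecoveryPlan:
    nominal_point: Optional[datetime]   # newest snapshot before the outage
    clean_point: Optional[datetime]     # newest snapshot before placement
    nominal_rpo: Optional[timedelta]    # data lost if infection is ignored
    accepted_rpo: Optional[timedelta]   # data lost restoring the clean point


def newest_before(snapshots: List[datetime], cutoff: datetime) -> Optional[datetime]:
    """Newest snapshot taken strictly before `cutoff`, or None."""
    earlier = [s for s in snapshots if s < cutoff]
    return max(earlier) if earlier else None


def plan_recovery(snapshots, placed_at, triggered_at) -> RecoveryPlan:
    """Compare the usual lowest-RPO restore point with the pre-infection one."""
    if placed_at > triggered_at:
        raise ValueError("placement must precede the trigger")
    # Usual DR choice: the newest copy. It already contains the dormant
    # ransomware, so restoring it brings the infection back.
    nominal = newest_before(snapshots, triggered_at)
    # Ransomware choice: step back past the placement time and accept the
    # larger data-loss window in exchange for a system that can run at once.
    clean = newest_before(snapshots, placed_at)
    return RecoveryPlan(
        nominal, clean,
        triggered_at - nominal if nominal else None,
        triggered_at - clean if clean else None,
    )


def retention_needed(dwell: timedelta, interval: timedelta) -> timedelta:
    """Minimum snapshot age to keep so a pre-placement copy exists at trigger time."""
    return dwell + interval


def retained_index(first, interval, retention, now) -> List[datetime]:
    """Constructed snapshot index: one copy per `interval`, pruned to `retention`."""
    index, taken = [], first
    while taken <= now:
        if now - taken <= retention:
            index.append(taken)
        taken += interval
    return index


# Constructed scenario: daily 02:00 snapshots, ransomware placed 9 March,
# triggered 20 March.
FIRST = datetime(2020, 3, 1, 2, 0)
DAILY = timedelta(days=1)
PLACED = datetime(2020, 3, 9, 14, 0)
TRIGGERED = datetime(2020, 3, 20, 9, 0)

if __name__ == "__main__":
    print("retention needed:", retention_needed(TRIGGERED - PLACED, DAILY))
    for days in (7, 14):
        index = retained_index(FIRST, DAILY, timedelta(days=days), TRIGGERED)
        plan = plan_recovery(index, PLACED, TRIGGERED)
        print(f"{days}-day retention: clean point {plan.clean_point}, "
              f"accepted RPO {plan.accepted_rpo}, nominal RPO {plan.nominal_rpo}")
```

With seven days of retention no pre-infection copy survives, which is the storage cost the paragraph refers to: the index has to reach back further than the time the ransomware sat dormant.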

Being thoroughly prepared for any disaster can be outside the bandwidth of an internal IT team, which ideally should be focused on more business value driving tasks and initiatives. Even with plans in place, threats at the forefront of the latest IT innovation are often one step ahead of traditional disaster recovery and business continuity strategies.

Working with an IT partner solely focused on formulating and ensuring the most up-to-date DR plans takes the burden off internal teams. Ntirety alleviates this stress through a tried-and-true process, from an in-depth assessment, to testing and implementing end-to-end recovery tactics, all the way through 24x7x365 support in case of any issues that may arise. From platform management to continuous data protection and architecture design, Ntirety’s Recovery Services empower you to provide continuous and first-rate service to your customers and stakeholders. Overall, Ntirety aims to deliver true peace of mind.

Ready to make the threat of ransomware one less thing your IT team has to worry about? Start your business on the path to IT resiliency and schedule a Ntirety Vulnerability Assessment today. 

Ntirety Achieves Major Compliance Attestations in First Audit After Merger

Continuing Compliance Excellence

Ntirety is pleased to announce successfully achieving 2019 compliance attestation for PCI, SOC 1, 2, & 3, and HIPAA. With the start of the new year, Ntirety continues to uphold high compliance standards after the merger.

See the official press release here»

Beyond Ntirety as an enterprise demonstrating compliance with PCI DSS, this attestation includes certification of our services so clients electing to use these managed services can rely on Ntirety’s AOC to meet specific controls for their PCI requirements.

  • Antivirus/Anti-spyware Service
  • Backup Service
  • File Integrity Monitoring
  • Multi-Factor Authentication
  • Threat Management
  • Vulnerability Scanning Service
  • Web Application Firewall
  • Availability & Capacity Monitoring
  • Patching Service
  • Database Management
  • Vulnerability Management
  • Logging Service
  • IDS/ Service
  • Encryption Service

Meeting all regulations for PCI, SOC 1, 2, & 3 and HIPAA was an opportunity to showcase our people, process and technology. Throughout the assessment cycle, our tireless team stood front and center working with our assessors, Online Business Systems and Linford and Company LLP.

Ntirety’s Hardworking Experts Make Compliance Achievable

Our teams displayed layers of expertise as more than 50 of our SMEs presented our processes and technologies to the assessors, all while their Ntirety peers supported through various efforts over the 4-month period.

This achievement is a great example of the continuing excellence Ntirety brings to the managed IT solutions market. With the focused efforts and support of our cross-functional teams, we forge ahead with other ongoing compliance assessments and continue to deliver exemplary—and compliant—services to reduce risk and increase agility for modern enterprises.

Learn more about Ntirety’s Compliance-as-a-Service solutions.

Ready to get the support and guidance your enterprise needs to meet compliance? Schedule a consultation today.

Security Threats are Changing…Has Your Protection?

Introducing the New Managed Security Service from Ntirety

In today’s enterprise business world, if a company hasn’t gone through or started a digital transformation yet, it’s clear the organization is falling behind. As the enterprise market sprints towards the next iteration of IT, the hurdles ahead are becoming more apparent—but companies may already be stumbling without the proper security to keep up with evolutionary challenges.

To bridge this growing gap between same-old security and what companies need today, Ntirety has created the next generation of protection with our new Managed Security Service. Designed to meet the critical needs of enterprise IT teams, this new offering comes from our extensive research into where the most detrimental gaps arise, the tools needed to fill them, and how this next generation of security is vital for data and infrastructure protection.

Innovation, Infiltration, Exploitation

Artificial intelligence and machine learning are now more accessible as enterprise tools and are creating equally accessible avenues for attacks. Other emerging threats like cryptojacking, cross-site scripting, and compromised IoT devices present critical dangers that previous IT security measures never had to consider. This opens the door for malicious intruders to hack their way in over time. For example, it was recently discovered that a cryptojacking attack targeting a water utility company in Europe was responsible for malware discovered in the background of the company’s industrial control system, quietly disabling the system’s defense tools and taking control of its applications. Opportunities to attack are cropping up in new places—from personal devices to enterprise infrastructures—and the risks are often hard to spot until it’s too late.

Internal security concerns are also on the rise, whether businesses realize it or not. From unscrupulous employee hacking to unwittingly relaxed practices regarding sensitive information, security risks are spilling from the inside out. Even third-party providers, who have access to other organizations’ internal systems, are vulnerable to their own breaches, which cause a ripple effect for hacker access and have led to several big-name brands becoming the subject of some shocking data breach headlines. From internal risks to access issues, lack of adequate security opens the door to many different avenues for attack.

With the push to adopt new technologies, the focus is often on implementation, but the question remains: is properly securing infrastructure and data becoming an afterthought during these transitions?

More In-Depth Reporting is No Longer a Nice-to-Have—It’s Essential

IT security has come a long way from reactive defenses to proactive detection, but not every Managed Security Service Provider (MSSP) can meet the skyrocketing demands and more advanced standards for effective data protection.

To truly learn from the information captured through log data, companies are craving more context from MSSPs. While quantity of collected logs, alerts, and escalations once met security expectations, staying ahead of future threats now requires quality insights and inferences to make a difference for organizations. Understanding the threat intelligence associated with the events—including potential attribution, motivation, and even next steps of an adversary—is a critical component to security and has become an insight that few MSSPs can provide. The greater understanding of threats and of an organization’s systems that security programs can provide will in turn reduce the waves of arbitrary alerts and notifications. More actionable alerts with fewer unnecessary interruptions give companies more focus on their business goals, rather than on sorting out which notifications need to be taken seriously. Reducing the risk while increasing business agility is the formula enterprise companies need to stay ahead.

How Ntirety Managed Security Services Meets This Need: With this new service, enterprise companies gain access to full, real-time reporting of incidents directly from analysts at dedicated Security Operation Centers (SOCs), in-depth explanations of alerts/risks, and recommendations on how to mitigate attacks as they are detected. This expeditious service and accompanying insights are possible in part due to Ntirety’s dedication to understanding each client’s individual needs and challenges. From networks to human bandwidth, Managed Security Services are tailored through close collaborations between dedicated teams. Ntirety truly becomes the reliable, proactive partner enterprises need for comprehensive, customized protection.

Slow, Inefficient Communication Leads to Chaotic Escalations

From big-picture perspectives and proactive measures to the tactical practices necessary to tackle today’s threats, most MSSPs can only cover some of what’s truly needed. Longtime MSSP clients know that most incident response workflows used to start with an email, then included a ticket and the occasional phone call when necessary—a cumbersome system that slowed responses against increasingly insidious infiltrations. But automation, remediation, and chat capabilities have revamped the escalation process to create real-time collaborative war rooms during critical events.

How Ntirety Managed Security Services Meets This Need: To prevent issues before they even arise, our next-generation security offering provides managed detection and automated reactions for rapid responses. This Deep Packet Inspection service—coupled with advanced application policy configuration—keeps networks free from unwanted traffic. Defending networks from edge to endpoint, Ntirety’s modern firewall services amplify the firewall itself, taking IT security to the next level.

See how standard security practices compare to Ntirety’s Managed Security Services

Stay Ahead of Threats–and the Competition–with GLAs

It has become abundantly clear that the threat environment and what companies expect from MSSPs are only expanding. Enterprise organizations require more than just an average Service Level Agreement (SLA): they need not only to protect systems from all threats but also to consistently gather insights and adjust course for better security as technology risks evolve.

How Ntirety Managed Security Services Meets This Need: Only Ntirety offers an industry exclusive Guidance Level Agreement (GLA). Paired with Ntirety’s Monitoring Insights service, Managed Security builds the next-level layer of protection that simultaneously helps companies achieve better business outcomes. Ntirety’s solutions enable the transformation from a reactive organization into a future-ready, agile enterprise.

An industry first, Ntirety’s GLAs provide:

  • Three actionable recommendations provided on a quarterly basis (or as dictated by your SOW) to reach desired business results
  • Trusted commitment to availability, performance, security, and cost
  • Business insights reviews on a business-specific basis
  • Commitment to a defined, measurable level of quality, availability, or responsiveness

Ntirety Managed Security Services with the included GLA give enterprise organizations consistent and iterative improvement and optimization over time with the assurance of stability and—most importantly—unmatched security.

Next-Level Threats Demand Next Generation Security

With new risks appearing every day, from internal oversights to malicious hacking, businesses can’t afford to leave IT security as an afterthought. The more advanced technology becomes, the more sophisticated attackers become, leaving enterprises overwhelmed with the complexities of modern IT security. Protection is possible, and detection and insights make prevention achievable with the right proactive partner.

Want to stay ahead of security threats and protect your data? Schedule a Ntirety Vulnerability Assessment today.

Stricter Data Privacy Regulations Start January 2020. Is Your Business Ready for CCPA?

Cybersecurity and data protection are top priorities for the modern enterprise, and the concern is growing for today’s consumers as well. Beyond best practices and self-imposed processes, certain governing bodies can require organizations to meet even higher security standards through different compliance initiatives, such as HIPAA, FERPA, or GDPR. Starting in 2020, California companies will be adding the California Consumer Privacy Act (CCPA) to their list of regulatory requirements—and the rest of the country may not be far behind in adopting this new consumer privacy bill.

Recognizing the Need for New Compliance Standards

The need for these new compliance measures is outlined within the bill’s text, stating that “California law has not kept pace with [technology] developments and the personal privacy implications surrounding the collection, use, and protection of personal information.” Sparked by the “devastating effects for individuals” through the “misuse” of data by Cambridge Analytica and other data breaches, CCPA intends to enable California consumers to “exercise control over their personal information” with “safeguards against misuse of their personal information.”

Protecting and empowering consumers is a key component of building trust and long-lasting relationships with customers, but is your organization ready to comply with CCPA requirements?

What is CCPA?

Passed on September 13, 2018 and effective on January 1, 2020, the California Consumer Privacy Act, or AB 375, will require organizations to focus on user data and provide transparency in how they’re collecting, sharing and using such data. This new privacy law grants any California consumer the right to:

  • Know what personal data is being collected about them
  • Know whether their personal data is sold or disclosed and to whom
  • Say no to the sale of personal data
  • Access their personal data
  • Request a business delete any personal information about a consumer collected from that consumer
  • Not be discriminated against for exercising their privacy rights

Like GDPR and other compliance measures, CCPA is designed to advocate and support individual consumers in this ever-evolving IT environment.

Does Your Business Have to Comply with CCPA?

Any for-profit organization doing business in California that collects consumers’ personal data and meets the following qualifiers must comply with CCPA:

  • Has annual gross revenues in excess of $25 million
  • Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

While the current compliance requirements are limited to California, this new privacy law could signal the beginning of a nationwide change, similar to GDPR regulations in Europe.

What are CCPA Requirements?

For businesses that must adhere to CCPA law, compliance breaks down into 5 main requirements:

  1. Data inventory and mapping of in-scope personal data and instances of “selling” data
  2. New individual rights to data access and erasure
  3. New individual right to opt-out of data selling
  4. Updating service-level agreements with third-party data processors
  5. Remediation of information security gaps and system vulnerabilities

Companies already following GDPR guidelines will have a bit of a leg up becoming CCPA-compliant with the two privacy measures overlapping in certain areas. But meeting all the requirements for the new CCPA standards will still take diligence even for those already compliant in other areas—and they will face new consequences for any gaps.

CCPA Penalties and How to Avoid Them

As with any compliance enforcement, violating the CCPA comes with a price tag. Under Section 17206 of the California Business and Professions Code, penalties are $2,500 for an unintentional violation and $7,500 for intentional violations. Yet, the real potential impact for organizations to get hit under CCPA comes from consumers’ ability to sue companies if CCPA guidelines are violated, even without any evidence of actual damage. The new privacy law will allow individuals to recover between $100 and $750 per incident—or greater if there’s solid evidence that damages exceed $750.

Preparing for CCPA—and mitigating the risk of penalties—is possible through steps like data mapping, third-party assessments, revamping internal privacy policies, and studiously monitoring for compliance updates. Designating a risk or compliance lead within organizations to initiate modifications to meet and maintain the CCPA standards is the ideal way to stay on top of not only CCPA but all other necessary compliance guidelines.

But, understandably, not all enterprises can assign new responsibilities or roles to meet the upcoming CCPA compliance mandates. Partnering with trusted cybersecurity and compliance experts can lift the new burden of assessments, adjustments, and ongoing maintenance required for California’s privacy bill. Even businesses outside the Golden State must start evaluating their own plans to tackle heavier compliance measures. Engaging with managed IT compliance partners today will save you from scrambling to understand new policies and procedures later.

Ntirety Delivers Leading Compliance-as-a-Service Solutions

As a leading HIPAA-compliant, HITRUST- and PCI-certified service provider with 20 years of industry experience, Ntirety is a trusted partner and knowledgeable resource positioned to guide enterprises through the next wave of compliance requirements with CCPA.

Through our unique Compliance-as-a-Service (CaaS) offering, organizations can take advantage of Ntirety’s compliance experts in a number of different ways depending on each individual company’s level of resources, budget, and assistance needed. Ntirety’s CaaS provides guidance from the very beginning, interpreting the often complex and frequently changing compliance requirements and identifying the gaps in current policies and procedures that could lead to failing an audit. In-depth advisements help further prepare companies for risk assessments and compliance audits—and free an organization’s valuable time and resources to focus on business goals beyond complying with requirements.

Dedicated to keeping businesses secure and compliant, Ntirety provides a proven track record to help companies avoid penalties, reduce risk, optimize IT costs and enable the future-ready, agile enterprise.

Ready to find your compliance officer? Schedule an assessment to find out what Ntirety can do for your business.


Security Gap Gives Hacker Access to 100 Million Bank Customers’ Personal Information

Capital One is the Latest Enterprise to Hit the Headlines Over a Data Breach

On Monday, July 29, 2019, Capital One Financial Corp. announced that more than 100 million of its credit card customers and card applicants in the U.S. and Canada had their personal information hacked in one of the largest data breaches ever.

Paige Thompson, a software engineer in Seattle, is accused of breaking into a Capital One server and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information. The Justice Department released a statement Monday confirming that Thompson has been arrested and charged with computer fraud and abuse.

As the CISO of a global IT solutions provider, I am always hesitant to comment on these situations because if it can happen to one of the biggest players in the industry, then everyone is at risk. Bad actors have unlimited time, resources and motivations—that’s why advancing a cybersecurity program is critical to every organization’s maturity process. We, the cybersecurity community, must do better collectively.

While the Capital One data breach is staggering with more than 100 million affected, this is just another event in a long list of massive data incidents during recent years, including Equifax, Marriott, Home Depot, Uber, and Target. Adding to the list of compromised information, “improper access or collection of user’s data” like Cambridge Analytica or WhatsApp have also made recent unsettling headlines.

Don’t Wait for Hackers to Find the Vulnerabilities from Within

Court filings in the Capital One case report that a “misconfigured web application firewall” enabled the hacker to gain access to the data. As infrastructures, support structures, and data flows become more complex, the need for security and visibility increases exponentially. Fundamentals like asset management, patching, and role-based user access are critical and cannot be overlooked.

These pillars of protection are achievable with the help of experienced partners, like the managed security experts at Ntirety, focused on finding and filling any gap in existing infrastructure and applications.

Learn more about how Ntirety’s Managed Security services can be the better shield for your data against hackers.

Take Charge on a Personal Level by Using a Passphrase

Even with all the internal work and effort businesses put towards protecting data, consumers should still take precautions and be proactive protecting their identity. Never give personal information out over the phone—even if the caller appears to be from a reputable organization like Capital One. Phishing scams through calls, emails, and text messages are only increasing. Even offers for IT protection from unvetted parties can be attempts to gather or “fill in” additional information for malicious purposes.

One of the quickest ways to boost protection of your personal information is to change your password to a passphrase. Create a great passphrase in three easy steps:

  • Use personally *meaningless* passphrases
  • A pseudo-random mixed 15-character password
  • Pick a minimum of 4 words—RANDOMLY

Simply combining random words (like DECIDE OVAL AND MERRY = Decide0val&andmerry) can build a new passphrase far more secure than “12345” or “password1”.
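The three steps above can be turned into a small generator. The following is an added example, not part of the original article: it picks words with a cryptographically secure random source, enforces the four-word and 15-character minimums, and shows how the strength of the result depends on the size of the word list. The word list and function names are constructed for illustration.

```python
import math
import secrets

# Constructed sample list for the demo only. A real deployment would load a
# large published word list (several thousand entries).
SAMPLE_WORDS = [
    "anchor", "basil", "cactus", "decide", "ember", "fable", "garnet", "harbor",
    "igloo", "jungle", "kettle", "lantern", "merry", "nectar", "oval", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zipper", "bramble", "cobalt", "drizzle", "feather", "glacier", "hammock", "marble",
]


def entropy_bits(list_size: int, word_count: int) -> float:
    """Bits of entropy when each word is drawn uniformly at random."""
    return word_count * math.log2(list_size)


def generate_passphrase(words, count=4, min_length=15, sep="-"):
    """Pick `count` words with a CSPRNG; add words until `min_length` is met."""
    if count < 4:
        raise ValueError("use at least 4 randomly chosen words")
    pool = sorted({w.strip().lower() for w in words if w.strip()})
    if len(pool) < 2:
        raise ValueError("word list is too small")
    # secrets.choice draws from the OS CSPRNG; random.choice is not suitable here.
    picks = [secrets.choice(pool) for _ in range(count)]
    # Appending words keeps every pick uniform; rejecting short results would not.
    while len(sep.join(picks)) < min_length:
        picks.append(secrets.choice(pool))
    return sep.join(picks)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    # The strength comes from the list size and the number of random picks.
    print(f"sample list, 4 words: {entropy_bits(len(set(SAMPLE_WORDS)), 4):.1f} bits")
    print(f"7776-word list, 4 words: {entropy_bits(7776, 4):.1f} bits")
```

With the 32-word sample list, four words give only 20 bits, which is why a list of thousands of words matters as much as the random selection.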

Let Partners Provide You Peace of Mind Against Security Threats

While every individual should be an active participant in protecting their identity and personal data, enterprise companies can’t ignore the devastating regularity of these hacks and breaches. IT security is a crucial component for any modern business, and equally important is the constant vigilance to keep those security measures validated and updated. Vulnerabilities emerge with every new technological advance, making an experienced partner to keep a steadfast watch necessary to allow organizations’ own IT teams to focus on innovation and business goals.

Ntirety’s Managed Security services bridge the gaps every company faces as systems, tools, and data grow rapidly. Expert monitoring and risk reduction and mitigation from trusted IT partners empower internal teams to focus on pushing business forward. Don’t trust that your basic security is enough to keep your company out of the hacker headlines—get real peace of mind with cybersecurity experts like Ntirety watching your backend systems, infrastructure, and applications.

Schedule a consultation with Ntirety today to proactively protect your data from hacker threats and data breaches.

Top 4 Hybrid Cloud Use Cases

For today’s enterprise business, a wholesale migration to the cloud likely isn’t the right solution. From firsthand experience since the early days of the cloud, we witnessed how a lift-and-shift migration of traditional workloads to cloud services didn’t deliver the expected benefits – whether those were reduced cost, better resiliency, or increased performance. Sometimes, a hybrid deployment could improve the outcome where public cloud alone couldn’t deliver. We thought this might be a transitional state while cloud technologies matured.

Since the early days, public cloud functionality has grown by leaps and bounds – features and functionality have improved at near exponential rates. Even still, public cloud doesn’t often deliver all the benefits companies need or expect. And keeping your IT workloads where they run today certainly isn’t going to improve things either. Instead, a hybrid approach to cloud adoption has proven to be the winning strategy across a variety of workloads and use cases—and that’s why hybrid cloud has become the new normal.

Let’s explore several use cases to highlight some of the benefits that hybrid cloud can provide.

You’re Looking to Optimize Costs

The rise of cloud adoption has proven that all cloud options are not created—or billed—equally.

The public cloud adopted a pricing model similar to a pay-per-use taxi, making it convenient and relatively low maintenance. Although a taxi is logical for short trips, it isn’t cost effective for long term transportation. For traditional workloads that run all the time, the public cloud functions like a taxi with its meter running all the time, unable to turn off. After experiencing the cost of the constantly-running meter with no off switch, more enterprise businesses are exiting the public cloud in search of something more economical.

Leveraging the public cloud to optimize costs requires a bit more work. Applications need to be rearchitected to leverage cloud-native concepts, such as auto-scaling groups, microservices, and application self-healing. This work can’t be ignored, but often the cost of a complete application rewrite is prohibitive, either in time or with lack of know-how. A hybrid approach can allow a more gradual upgrade path by allowing you to thoughtfully choose application components you’d like to migrate to the cloud piece by piece while maintaining more complex or hard-to-rebuild components in their current state. By taking this hybrid approach rather than forklifting all of your applications at once, you can see the benefits of cloud-based services, including a more optimized price tag.

Hybrid environments can also give organizations more control with a custom blend of cloud solutions and dedicated infrastructure. For enterprise businesses, the hybrid cloud often makes better financial sense.

You’re Still Using Legacy Application Components

Well-established enterprise organizations are often overladen with legacy systems and applications but look hopefully to the cloud to help. Unfortunately, the public cloud cannot be their cure-all in many scenarios, such as when a massive amount of data is too expensive to move, locked in too extensively to existing solutions, or demands specific requirements, such as compliant systems. Although a full lift-and-shift may seem appealing, the hybrid cloud is often the better solution for supporting legacy applications on dedicated systems and supplementing with cloud solutions to leverage advanced functionality and services, like machine learning.

However, before making the hybrid cloud shift, companies must dig deeper into current infrastructure to understand the costs and risks of moving elements to the cloud versus simply exposing these applications to cloud services to leverage new functionality. A strategy for each application that considers benefits and risks at this level will prepare a company much better for success in their digital transformation.

Even companies already in the public cloud—especially those that might be questioning if they moved too fast—can take a similar step back to evaluate their strategy and find ways in which hybrid cloud solutions can save IT costs and gain better efficiency. Evaluating legacy applications and future IT goals with the guidance and insights of cloud solutions experts is key to making an optimal transformation.

You Need to Support Peak Traffic

The scalability and flexibility the hybrid cloud offers make it ideal for managing the fluctuating traffic levels enterprise companies experience, from high-peak usage to periods of steady plateaus. The holiday shopping season, sales promotions, or other events can cause rapid demand spikes, which may subside just as quickly once the event is over. Traditional solutions required companies to maintain extra resources to accommodate these peak times, which is an extremely costly option. Remember—the public cloud works like a taxi with the meter always running, but hybrid cloud solutions support these bursts while also supporting the baseline more efficiently.

While some components of your application may need to run all the time, others don’t. Let’s look at an example: Databases function best when they are always operational. Web servers or web services may be much easier to scale out as demand spikes. A hybrid approach to this example application (where the database would remain on a dedicated machine while web services can be rapidly added on demand in the public cloud) represents an approach that provides the right match of platform to application function. Pay-per-use spend on public cloud is optimized based on on-demand usage and can scale rapidly to follow demand spikes (both up and down), while database operations benefit from the stability and reliability of dedicated hardware.

While peak traffic can be predictable for some industries, enterprise organizations should use insights and analytics to best architect their hybrid cloud solutions. Along with upfront research, consistent testing and evaluation of traffic patterns and demand signals are critical for companies to take full advantage of the hybrid cloud.

You Want More Economical Options

A disaster recovery plan is crucial for every enterprise organization but implementing and maintaining one is easier said than done. Traditional disaster recovery plans require you to move entire applications to a dedicated backup environment—an expensive and tedious process. With such a financial burden attached to traditional methods, it isn’t that shocking that 30% of businesses don’t have any disaster recovery plan in place at all.

But building better IT resilience can be more affordable with a hybrid cloud approach. Providing businesses with scalable and more agile options to meet their specific disaster recovery needs, the hybrid cloud presents economic options not available through traditional offerings. For example, taking a traditional workload and creating a failover environment in the cloud can save significant costs. Rather than maintaining the failover environment in a running state, it can be built in the cloud, then snapshotted to storage. With proper scripting to ensure rapid re-provisioning of the environment, costs of maintaining the cloud DR site can be limited to storage costs, saving significantly over the costs of maintaining a full duplicate environment that is always running.

Yet just like traditional strategies, the hybrid cloud still requires detailed planning that takes time and expertise. Although some disaster recovery service providers may not be current with best practices in the cloud, finding a capable managed cloud provider is often the key to a more economical disaster recovery plan in the hybrid cloud.

Working Better Together

The hybrid cloud brings multiple platforms together to solve problems—reducing IT costs, optimizing legacy systems, maintaining reliable performance, ensuring resiliency—and working with experienced managed cloud experts allows your business to harness the power of hybrid.

Start exploring how the hybrid cloud can transform your business with a free consultation today.

A Cautionary Tale: Sungard Files for Chapter 11


A Complete Failure for the Disaster Recovery Services Provider

Sungard Availability Services (“Sungard AS”), an IT services provider with more than 40 years’ experience specializing in disaster recovery, announced on April 1, 2019 that it would file for Chapter 11 in early May. With an annual revenue of approximately $1.4 billion, the company serves customers around the globe with tailored recovery services but will now file for bankruptcy in an effort to reduce nearly $1.3 billion of accumulated debt. Although Sungard often promoted their ability to help customers “adapt quickly and build resiliency,” it appears as though they were unable to employ those skills for their own business. The recent headlines surrounding the DR services provider can be viewed as a cautionary tale for other well-established IT service providers lagging to adopt new technologies—and their customers.

But what really went wrong? A long-standing company recognized in the industry announces prepackaged Chapter 11 with creditors in agreement—this is all a signal of a significant flaw at Sungard.

Changing the Definition of Value in a New IT Environment

Forty years ago, the value or success of a service varied dramatically from what businesses and individuals seek today, and that’s true across industries. As most organizations that were around 40 years ago can tell you, disaster recovery services were often costly, difficult to maintain, reliant on colocation, and complex to execute internally. For over four decades, Sungard provided answers to these DR challenges with expertise and hardware, giving customers a valuable and needed service.

Yet as technology trends took a swift turn, traditional DR services no longer held the same value, and the Sungard business model wasn’t adapting fast enough. Sungard’s own Chief Executive Officer Andrew Stern pointed to the company’s inability to keep up with technology as a main driver of the announcement, stating, “The approach the company had taken to disaster recovery really hadn’t changed in 20 years—and the world had moved on…We had been slow in recognizing the business had to change.”

While Sungard continued to provide the brick-and-mortar infrastructure once necessary for tenable DR services, the introduction of the public cloud offered better control and accessibility for DR plans with significantly less cost. The public cloud brought greater scalability and options to DR services and shifted customers’ perception of value, just as many other industries and providers experienced during their own technology transformations.

“With the advent of cloud-based DRaaS solutions that offered customers more economical and more agile options than legacy approaches, a company like Sungard AS that applied a more traditional model was bound to be challenged,” said Amy DeCarlo, GlobalData’s principal analyst of security and data center service. “For Sungard AS to make real progress, the company will need to revisit its core solution set and go-to-market model.” Although outside the organization, DeCarlo surmises that “the company has struggled mightily in recent years” and been increasingly challenged by their own design.

Sungard’s diminished traditional service value combined with more economical public cloud offerings may have resulted in the decision to file Chapter 11, but how the company moves forward after bankruptcy will certainly shape its future viability.

The Best Defense for Businesses and Service Providers

The Sungard story serves as a warning to both service providers and businesses:

  • Service providers should be prepared and invest early to meet customer needs and expectations as they change at the same rapid pace as technology
  • Customers should be aware of how well service providers are actively meeting and anticipating business needs and market trends

Both must continually evaluate how to measure value and proactively adapt to the shifting needs of the industry. To become a laggard in IT, for either customer or service provider, is to plant seeds for new challenges.

Outlooks After Disaster

Although their traditional business model may have been the key driver leading to bankruptcy, Stern stated in the press release, “Our creditors recognize the value in what we’ve built.”

While creditors convey confidence, customers may be asking how Sungard’s Chapter 11 plans will affect them. For IT services dedicated to disaster recovery, any lapse could be catastrophic. Although bankruptcy will restructure the well-established service portfolio familiar to customers, Sungard spokeswoman Karen Wentworth assured, “There will be no interruption to business.”

Maintaining support for current customers is a common pledge from companies after filing Chapter 11, but it can still leave analysts and customers skeptical about what to expect as the process progresses or is unsuccessful—increased costs, disorganized service sets, or even collapse?

An Open-Ended Outcome

Sungard’s story shows that, with the widespread adoption of cloud-based solutions, service providers that cannot keep up with technology evolution are at real risk of becoming extinct. While there is no one-size-fits-all for disaster recovery or IT infrastructure, hybrid cloud solutions can address the technology changes rapidly unfolding for businesses across industry. The right hybrid cloud solutions can facilitate the goals of a modern DR strategy to reduce risk, optimize IT spend, and increase business agility. Proactive flexibility and scalability that can change alongside a business’ evolving cloud adoption can be realized most effectively with a hybrid cloud approach.

Worried about your own disaster recovery plan? Start with a free consultation to see what disaster you could be preventing today.

Updated on May 20, 2019

One month from the April 1 announcement that the tenured disaster recovery service provider would file for Chapter 11 bankruptcy, Sungard emerged with a new CEO at the helm, former Broadview Networks leader Michael K. Robinson. Restructuring for the IT company reduced its debt by $800 million and provided $100 million in new liquidity from its creditors.

Only time will tell if new leadership and a dramatic restructuring will allow Sungard to reestablish itself as a name to be trusted for disaster recovery.

IoT Privacy Threats and the 7 Best Ways to Avoid Them   

Things are getting smarter. From manufacturing to healthcare to the everyday devices in houses and cars, nearly every industry is looking for more ways to integrate the IoT’s remote monitoring and tracking capabilities into their everyday operations. For organizations that haven’t adopted IoT protocols yet, it’s only a matter of time until they do. A recent study projected that more than 24 billion internet-connected devices will be installed worldwide in the next two years. That equates to more than four IoT devices for every human on the planet, prompting new concerns about security and privacy—and rightfully so, because with more connectivity and an increasing amount of data being transferred comes more vulnerability.

What does this mean for end-users and organizations?

Without the right protections in place, a hacker could easily gain access to the network-connected devices that surround you every day, changing the temperature in your house or controlling your car stereo. There’s even the potential for these privacy and safety breaches to go beyond mere annoyances, turning the issues into one of life or death. Imagine, for instance, if criminals could use IoT-enabled home devices to track a family’s comings and goings, or if they found a way to hack into an IoT-enabled insulin pump or pacemaker, taking their victim’s health hostage in the process.

Developers must take these risks into consideration as they build products and software that are IoT enabled. Further, CIOs and CTOs should take note—your risk profile has changed. Any deception—whether executed deliberately or by mistake—will likely be perceived as your fault. All of this means that for society to accept your IoT-enabled devices and software, or for companies to accept IoT-enabled devices into their organizations, you must make privacy and safety your first priority—no exceptions.

What are the most common types of privacy concerns?

This is an experiment, and end-users are part of it. 

Much to the delight of those who want to mine data from consumers for advertising or other more nefarious purposes, the IoT is a jackpot of personal data. Every day, consumers are becoming the subjects of behavioral experiments that they didn’t sign up for. Recently, for example, it was discovered that Roomba was sharing information on its customers’ home dimensions with advertisers without asking permission to do so. And much of the United States was infuriated when it was discovered that Facebook data once thought to be private was sold to a political firm in an effort to influence their behavior.

All of this begs the question—if we can’t socialize with our friends online or vacuum the floor without being tracked, what does this mean for the devices in our lives that keep us healthy or safe? Could the biometrics pulled from your fitness tracker be used to determine your fear level, propensity to be intimidated, anxieties related to finances, or more? End-users want to know that when they interact with IoT devices, they won’t become a guinea pig.

More endpoints, more problems. 

To the delight of clever cybercriminals, the IoT also offers more endpoints to attack. If a person hacked into a computer or smartphone that controlled other devices, they may also be able to gain control of those secondary devices. In other words, they can attack an entire network of devices by gaining access to just one.

IoT vulnerabilities are already showing. 

Just after its release, a Google Mini was found to be recording everything it heard, and an Amazon Alexa recently recorded and sent a family’s private conversation to a random contact without permission. Not long ago, Google Home and Chromecast found that some of their users’ locations could be tracked within minutes of clicking on an innocent-looking link they received from phishing scammers. Although all of these issues have since been fixed, we know that they are only a few of the many issues out there—what will be next?

Devices are building more public profiles for their users—and planting the seeds for discrimination.

As users interact with IoT devices, the data gathered from each one is compiled into a profile. If that profile goes public for any reason, the user is then at risk of facing discrimination from employers, insurance companies, and other agencies. While there are laws in place to avoid discrimination against protected classes of people, some experts believe that government agencies aren’t prepared to handle IoT-based discrimination.

This is especially true when you consider how hard it can be to detect and prosecute the most traditional forms of discrimination. It was recently revealed, for example, that roughly 60% of jobs eliminated by IBM in the 1980s were those held by employees ages 40 and over. As IoT-enabled devices become more prominent, there is a fear that this sort of discrimination will go beyond age, race, and sexual orientation to include buying habits, physical activity, and much more. The possibilities for abuse are limitless.

What about compliance?  

Although government agencies are keeping a close watch on IoT technologies and the potential security concerns they pose, most compliance standards for IoT data security and privacy haven’t caught up entirely yet. The European Union now has GDPR, a set of legal regulations that includes guidelines for data collection and personal information processing. Developers should be aware of the ways these new regulations could extend to the IoT. Additional rollouts of more GDPR regulations are expected to come.

Medical devices could be one of the more frightening prospects to consider when it comes to data privacy compliance. Just one IoT breach could involve multiple HIPAA violations. A recent report on penetration and security risks classified the healthcare sector as one of the worst performing sectors when it comes to system security. The FDA has already issued recommendations on how healthcare facilities can ensure their devices stay protected, yet the complexity of monitoring all that data on so many devices is beyond the reach of many individuals and organizations. That’s why protecting user and data privacy is a must for any IoT system to be truly secure and fully accepted.

So, how can developers help protect the privacy of end-users?

1. Build your apps with security in mind.

CTOs and Application Developers must take a deliberate approach to building data privacy and security into every layer of their app. To best protect data across the board, IoT applications should align to the principles of:

•  Data privacy: A stored data record must not expose undesired properties, such as the identity of a person. This one area is a huge challenge for IoT—and IT in general. It was hard before, and now it’s harder.

•  Anonymity: The property of a single person should not be identifiable as the source of data or an action.

•  Pseudonymity: Link the actions of each person with a pseudonym, or random identifier, rather than an identity. This trades off anonymity with accountability.

•  Unlinkability: This qualifies pseudonymity in the sense that specific actions of the same person must not be linked together, effectively protecting against profiling.
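The difference between pseudonymity and unlinkability is easier to see in code. The following is an added example, not part of the original article: it compares a plain hash of a user ID, which links the same person across datasets, with keyed pseudonyms derived per data context, which cannot be joined across contexts without the key. The class, function, and dataset names are hypothetical, and the user IDs are constructed.

```python
import hashlib
import hmac
import secrets


def naive_pseudonym(user_id: str) -> str:
    # Unkeyed hash: the same ID always maps to the same value everywhere, and
    # anyone can test guesses by hashing candidate IDs.
    return hashlib.sha256(user_id.encode()).hexdigest()[:32]


class Pseudonymizer:
    """Keyed, per-context pseudonyms (hypothetical design for illustration)."""

    def __init__(self, master_key: bytes):
        if len(master_key) < 32:
            raise ValueError("master key must be at least 32 bytes")
        self._master_key = master_key

    def _context_key(self, context: str) -> bytes:
        # A separate key per data context ("thermostat", "fitness", ...).
        # A narrower context (per day, per session) gives stronger unlinkability.
        return hmac.new(self._master_key, b"ctx:" + context.encode(),
                        hashlib.sha256).digest()

    def pseudonym(self, user_id: str, context: str) -> str:
        tag = hmac.new(self._context_key(context), user_id.encode(), hashlib.sha256)
        return tag.hexdigest()[:32]

    def resolve(self, pseudonym: str, context: str, candidates):
        # Accountability: only the key holder can map a pseudonym back to a user.
        for user_id in candidates:
            if hmac.compare_digest(self.pseudonym(user_id, context), pseudonym):
                return user_id
        return None


def demo():
    """Constructed data: one user appears in two device datasets."""
    thermostat_users = ["alice@example.com", "bob@example.com"]
    fitness_users = ["alice@example.com", "carol@example.com"]
    p = Pseudonymizer(secrets.token_bytes(32))

    naive_a = {naive_pseudonym(u) for u in thermostat_users}
    naive_b = {naive_pseudonym(u) for u in fitness_users}
    keyed_a = {p.pseudonym(u, "thermostat") for u in thermostat_users}
    keyed_b = {p.pseudonym(u, "fitness") for u in fitness_users}

    # Joining the two datasets on the pseudonym column:
    return {
        "naive_linked": len(naive_a & naive_b),   # profile can be built
        "keyed_linked": len(keyed_a & keyed_b),   # nothing to join on
    }


if __name__ == "__main__":
    print(demo())
```

Within a single context the pseudonym is stable, so actions there can still be linked; how narrow to make the context is the trade-off between profiling resistance and accountability.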

2. Encrypt everything.

Use strong encryption across all of your devices and network, and never allow users to export data beyond its native application unless they’re entitled to do so. Your encryption should include:

•  AES-256 symmetric encryption for data stored to disks or archived

•  Bcrypt for one-way hashing of passphrases as needed

•  Mediated access to data classes via capability grants at the user/role level

3. Use role-based authentication and authorization.

User roles should always be defined by capabilities rather than via a structure built on Super Users. Each user in the structure should be anonymized so they are only traceable through event streams with privileged knowledge.

4. Set up multiple access layers, then carefully secure and monitor your data.

Every data store should have mandatory access controls, and those for interfaces and web application services should have discretionary access controls. You should also set up:

•  Firewalls and webs to protect your environment from known threats

•  Logins and permissions for presentation level code

•  SSL and SSH to protect your network

•  Multifaceted passwords or dual authentication where applicable

5. Log everything.

The security applications you use should log all security events within the platform in one centralized place, and you should always have access to an audit trail that provides a reconstruction of events. Audit trails should include:

•  Timestamps

•  Processes and process interactions

•  Operations attempted and executed

•  Success and failure elements in events
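Steps 3 and 5 fit together in one place: the authorization check. The following is an added example, not part of the original article: roles are plain sets of capabilities with no super user, and every attempt, granted or denied, is written to a central audit log with the fields listed above. Chaining each entry to the previous one by hash goes beyond the article and is included so that edits to the trail are detectable. All role, process, and actor names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical roles: each one is only a set of (data_class, operation)
# capabilities. There is no role that implicitly allows everything.
ROLES = {
    "nurse": {("vitals", "read"), ("vitals", "write")},
    "billing": {("invoices", "read")},
    "device-admin": {("firmware", "write")},
}


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(fields, prev=prev)
        self.entries.append(dict(body, hash=_digest(body)))

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(log, actor, roles, process, data_class, operation, action=None):
    """Check the capability, run `action` if granted, and log the attempt."""
    granted = any((data_class, operation) in ROLES.get(r, set()) for r in roles)
    executed, outcome = False, "denied: no capability"
    if granted:
        try:
            if action is not None:
                action()
            executed, outcome = True, "success"
        except Exception as exc:
            outcome = f"failure: {type(exc).__name__}"
    log.append(
        timestamp=datetime.now(timezone.utc).isoformat(),
        actor=actor,                      # a pseudonym, not a real identity
        process=process,
        attempted=f"{operation}:{data_class}",
        executed=executed,
        outcome=outcome,
    )
    return executed


if __name__ == "__main__":
    log = AuditLog()
    authorize(log, "u-7f3a", ["nurse"], "vitals-api", "vitals", "read")
    authorize(log, "u-7f3a", ["nurse"], "ota-updater", "firmware", "write")
    for entry in log.entries:
        print(entry["timestamp"], entry["actor"], entry["attempted"], entry["outcome"])
    print("chain intact:", log.verify())
```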

6. Be mindful of dependencies.

This is especially important when you are leveraging open source. Don’t rely on other people’s code to be secure unless you are absolutely sure those individuals can be trusted and you have layered security to protect your organization—and your reputation.

7. Use trusted vendors.

From the collaboration tools your organization uses to the infrastructure your products and services are built on, it’s important to partner with vendors that are compliant and put safety first.  Healthcare organizations that work with HIPAA-compliant and HITRUST-certified vendors, for instance, can expect to be exposed to fewer risks due to the rigorous and standardized methods of securing protected health information that these vendors must endure.

Ensuring IoT privacy and security can be a big undertaking, especially for smaller companies with limited IT resources that are already spread thin. That’s why many successful organizations are partnering with managed hosting providers. These expert teams can help keep business data private and secure without having to add costly resources, and allow organizations to transfer some of that risk to a trusted partner and expert.

To learn more about how we can help you protect your customer or patient data with simple, streamlined, and fully-managed hosted solutions, schedule a consultation today.