New York DFS Unveils Final Cyber Security Regulations

The final cybersecurity regulation (23 NYCRR Part 500) unveiled by Gov. Andrew Cuomo and the New York Department of Financial Services (DFS) went into effect on March 1, 2017.

In a nutshell, financial services companies regulated by DFS must maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of their information systems and to detect and respond to cybersecurity events. They must also maintain risk-based minimum standards for their technology systems.

The new rules stipulate that companies must enact:

  • Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.
  • Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing.
  • Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events.
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

Many banks and insurers already have cybersecurity programs in place, but the regulation now makes them mandatory.

If you already have a cyber security program, congratulations! If your organization needs assistance getting a strategy in place, Neovera can help. With our vast cyber security services portfolio and expertise, we can ensure you meet each regulation and help your company increase its security posture with an affordable solution.


How to Prepare for a Ransomware Attack

By now you’ve surely heard of ransomware: malware that, once it runs on a computer, encrypts every file it can reach (local drives and, often, any mapped network shares) and demands a ransom for the decryption key. Paying is no guarantee of recovery, since the criminals may never deliver a working key.

So how do you prepare for a ransomware attack?

Planning, planning, planning. You must have a plan and assume the worst can and will happen. According to the Herjavec Group, victims paid out $209 million in ransoms in the first three months of 2016 alone; at that rate, the report suggests, ransomware will cost $1 billion for all of 2016.

Here are some quick tips:

  • Build a comprehensive backup solution, back up often, and test the restore. Keep at least one copy somewhere the infected machine cannot write to: an offline or removable drive, or cloud storage that is not mounted or continuously synced from the production network, because ransomware encrypts any backup it can reach just like any other file. The bottom line is that if your files get encrypted, you restore them instead of paying the ransom. Most businesses back up, but many have never tested whether those backups can actually be restored in an emergency.
  • Have a disaster recovery plan. If creating the backups is the beginning of the plan, write down the steps that follow. Who is responsible for removing the malware and rebuilding the file system? Someone in your IT department, a contractor, a third party? Always know which steps to take; this keeps things running smoothly and, most importantly, avoids panic in a tough situation.
  • Use a layered security approach: protect every endpoint, and filter at the mail server and gateway as well. If you can stop malicious attachments and links from ever reaching an end user’s mailbox, you’re ahead of the game.
  • Educate your employees. One of the most popular delivery vehicles for ransomware is a phishing email telling the user they have an invoice that requires payment. Employees who recognize such emails will know not to open the attachment or click the link, and will report the message to the information security team instead.
  • Run risk analyses and patch vulnerabilities promptly, especially in browsers, browser plugins and operating systems, since exploit kits target exactly those. Information security teams should also run penetration tests and vulnerability scans regularly to find weaknesses before an attacker does.
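The backup tip above ends on the point most organizations skip: proving the restore works. The following is an added example, not Neovera’s tooling, written to show what a minimal restore drill looks like. It records a hash manifest at backup time, simulates an encryptor scrambling and renaming the live files (a constructed stand-in, not real ransomware), restores from the backup into a fresh directory and verifies the restore against the manifest. Everything runs in a temporary directory with constructed sample files; a real drill points the same checks at a real backup target and a scratch restore host.

```python
"""Backup restore drill for the ransomware scenario above.

Added example (not Neovera's tooling), standard library only. The live tree,
the 'ransomware' and the backup location are all constructed in a temp
directory so the drill runs offline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every file under root (posix separators)."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(live: Path, backup: Path) -> Path:
    """Copy the live tree to the backup location and write a hash manifest
    beside it. The manifest is the ground truth later restores are checked
    against, so it lives with the backup, not on the live host."""
    if backup.exists():
        shutil.rmtree(backup)
    shutil.copytree(live, backup)
    manifest_path = backup.parent / (backup.name + ".manifest.json")
    manifest_path.write_text(json.dumps(build_manifest(live), indent=1))
    return manifest_path


def verify_tree(root: Path, manifest: dict) -> dict:
    """Diff a tree against the manifest: all three lists empty means a
    faithful copy. 'modified' catches encryption in place; 'missing' and
    'unexpected' catch files renamed with a ransom extension."""
    actual = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "modified": sorted(p for p in manifest
                           if p in actual and actual[p] != manifest[p]),
    }


def simulate_ransomware(live: Path) -> None:
    """Constructed stand-in for an encryptor: scramble every file, rename it
    with a .locked extension and drop a ransom note. XOR with a constant is
    enough to change every hash; real ransomware uses real crypto."""
    for p in list(live.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
            p.rename(p.with_name(p.name + ".locked"))
    (live / "README_DECRYPT.txt").write_text("pay up\n")


def restore_test() -> dict:
    """End-to-end drill: back up, 'infect' the live copy, restore from backup
    into a fresh directory, and verify the restore against the manifest."""
    work = Path(tempfile.mkdtemp())
    live, backup, restored = work / "live", work / "backup", work / "restored"
    (live / "finance").mkdir(parents=True)
    (live / "finance" / "ledger.csv").write_text("2016-03-01,invoice 1001,450.00\n")
    (live / "notes.txt").write_text("quarterly planning\n")

    manifest = json.loads(take_backup(live, backup).read_text())
    simulate_ransomware(live)
    live_result = verify_tree(live, manifest)        # shows the damage

    shutil.copytree(backup, restored)                # the actual restore step
    restored_result = verify_tree(restored, manifest)
    shutil.rmtree(work)
    return {"live": live_result, "restored": restored_result,
            "restore_ok": not any(restored_result.values())}


if __name__ == "__main__":
    print(json.dumps(restore_test(), indent=1))
```

The design point is that the manifest is written at backup time and stored with the backup: a restore that merely "completes" proves nothing, while a restore whose every file hashes to the value recorded before the incident does. Run the drill on a schedule, not once.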

Planning and taking quick action are the best ways to avoid a serious problem from ransomware. If your organization is not sure where to start, a cyber security provider like Neovera can easily help you create a cyber security strategy that will increase your cyber security posture and protect your business from the consequential costs and reputation damage caused by ransomware and other cyber attacks. So plan accordingly and take action now to make sure you’re in the clear when disaster tries to strike.

Neovera Launches Secure Performance Hub Solution in Collaboration with Equinix

Securely Accelerates Cloud, Network & Application Performance for the Enterprise

RESTON, Va.–(BUSINESS WIRE)–Neovera, Inc., a leading provider of cyber security services and enterprise cloud solutions, today announced the launch of its Secure Performance Hub solution in collaboration with Equinix, the leading data center and interconnection company. The solution provides secure high-speed, high-capacity direct connections to any public cloud provider. With Neovera Secure Performance Hub, enterprises can easily create hybrid environments between their internal data center(s) and public cloud environments to ensure optimal application and workload performance across global network environments.
“Enterprises looking for a secure, end-to-end fully managed Performance Hub solution can take advantage of the numerous benefits Neovera offers without deployment hurdles or incurring a CAPEX burden on their budget,” said Ryan Child, President at Neovera. “We’ve bundled co-location, power, cross connects and servers into one simple offering, and deliver it with 24×7 continuous support provided by Neovera’s Joint Security Operations Center (JSOC) located in the LEED & SSAE16 SOC-1 Type II Equinix Data Center in Ashburn, VA.”

Neovera’s Secure Performance Hub empowers enterprises to deploy business critical applications in multiple public cloud infrastructures, with industry-leading security, availability, and performance that today’s businesses demand. As a result, Secure Performance Hub provides globally consistent network security and quality of experience to users—all while potentially lowering Total Cost of Ownership.

“As more and more enterprise customers look to incorporate cloud deployments in their overall IT infrastructure, it’s crucial that they have a secure and high-performance solution with direct access to multiple cloud providers,” said Greg Adgate, vice president of global technology partners and alliances. “Equinix is pleased to be working with Neovera to provide solutions that enable enterprises to solve real-world challenges and advance their IT initiatives in a cost-effective manner.”

About Neovera

Neovera is a trusted provider of complex hosting solutions, leveraging over 15 years of unmatched technical expertise in enterprise cloud solutions, cyber security, and infrastructure management services. Headquartered in Reston, Virginia, Neovera’s clients range from start-up and non-profit organizations, to global media, healthcare, education, and financial institutions. Our goal? To help our clients achieve the highest return on their IT investment, ensuring convenience, superior support, and security of their mission critical systems and data. Learn more at www.neovera.com.

Read full press release here.

Neovera Joins F5 Networks UNITY Partner Program

Neovera’s Secure Performance Hub solution creates strong foundation for F5 partnership, empowering enterprises to deploy business critical applications in multiple public cloud infrastructures.

RESTON, Va. – Neovera, Inc., a leading provider of cyber security services and enterprise cloud solutions, today announced it has joined the F5 Networks UNITY™ Partner Program. In joining F5’s Partner Program, Neovera has gained access to the sales and marketing tools—as well as the training and services—necessary to provide the best possible service and support to its customers.

“Through the Neovera Secure Performance Hub solution, customers are able to meet the ever-increasing bandwidth and implementation demands expected in today’s enterprise market,” said Ryan Child, President at Neovera. “Our customers value our commitment to providing best-of-breed solutions, so we view the addition of the F5 product line as a wise investment of our time and resources.”

In partnership with F5, Neovera’s Secure Performance Hub empowers enterprises to deploy business critical applications in multiple public cloud infrastructures, with industry-leading security, availability, and performance that today’s businesses demand. As the only managed services and cyber security provider that can assemble, design, deliver and manage Equinix Performance Hub and F5 application delivery and security products as one simple, highly secure, and affordable solution, Neovera is able to lower costs for their users by pushing applications, data and processing closer to the edge of their enterprise network.

“F5 is pleased that Neovera has joined our UNITY Partner Program,” said Aldo Dossola, VP, North America Channels at F5 Networks. “Neovera’s innovative solutions create new experiences that enable customers to achieve maximum return on their investment. This new partnership is equally beneficial for both F5 and Neovera as it allows for mutual expansion of our markets.”

About Neovera

Neovera is a trusted provider of complex hosting solutions, leveraging over 15 years of unmatched technical expertise in enterprise cloud solutions, cyber security, and infrastructure management services. Headquartered in Reston, Virginia, Neovera’s clients range from start-up and non-profit organizations, to global media, healthcare, education, and financial institutions. Our goal? To help our clients achieve the highest return on their IT investment, ensuring convenience, superior support, and security of their mission critical systems. Learn more at www.neovera.com.

F5 and UNITY are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries. All other product and company names herein may be trademarks of their respective owners. The use of the words “partner,” “partnership,” or “joint” does not imply a legal partnership relationship between F5 Networks and any other company.

Read the full press release here.

Snapchat Spectacles: A Brewing Security Storm

Snapchat Spectacles have been making waves recently, and it’s not just due to their unique delivery system. With any innovative device there comes a series of questions and concerns from the purchasing community at large. Now, Snapchat Spectacles have turned the wearables model on its head and, while receiving praise for the product’s design and overall vision, the company is dealing with a number of potential security issues affecting consumers and unsuspecting passers-by.

Snapchat Spectacles work as follows: the glasses record 10-second video clips that transfer wirelessly to the wearer’s Snapchat account. Simple enough, but while early adopters across the country shoot and post their clips, many fail to realize that a privacy issue is in play. Uploaded clips carry metadata such as location, and the footage itself is raw material for facial and voice recognition, captured by a device that the people in frame may not even notice. Snapchat’s privacy policy for the app applies equally to the Spectacles, but using an app on a phone is not the same as wearing a pair of camera glasses; sooner or later additional, device-specific controls will be needed. Until then, a lot of personal data, the wearer’s and bystanders’ alike, is exposed.

This isn’t the industry’s first foray into wearables; the obvious comparison is with the now-defunct Google Glass. The idea was simple: a pair of glasses that could capture images and video while letting the wearer view media on the lens itself. Glass was meant to revolutionize, but it fell flat in a big way. One significant difference is that Snapchat has an audience willing to be early adopters: in the US alone around 41% of 18-34 year olds use Snapchat. Another is price: Google Glass cost a whopping $1,500, while Spectacles are marked at a much more reasonable $130.

Snapchat Spectacles are very much in their infancy but are already posing pressing security questions for the company and users alike. Until those questions are answered, understanding the security implications of new and innovative products is a major step toward cyber security awareness at both the user and the business level.

Financial Services Sector: Defend Your Cyber Security

As an entity in the financial services sector, are you doing enough to protect your data and hard-earned money from cyber crime? Whatever your role in the sector (small bank, credit union, money manager, investment adviser), the status of your cyber security plan is paramount to sustaining growth while still meeting regulatory compliance standards. The SEC oversees the securities side of the industry, but its cyber security requirements are limited. Congress eventually joined the fight, passing the Cybersecurity Information Sharing Act of 2015, which sets out how government and industry share threat information, and the White House followed with the Cybersecurity National Action Plan, allocating more money toward fighting cyber crime.

So, what can be done in order to decrease the cyber attack risk for financial services firms? Below are key points from PwC’s article “Turnaround and transformation in cybersecurity: Financial services”:

  • Know the security standards of your third-party vendors and hold them accountable: whether a vendor handles your HVAC or your physical security system, if its equipment connects into your network, its cyber security practices are the difference between continued growth and stopping short due to a surprise breach.
  • Keep up with rapidly evolving, sophisticated and complex technology: cyber security cannot be one firewall or one anti-virus program; a layered, internally and externally facing, managed and monitored system is the answer, for now.
  • Understand that increased mobile device usage means a broader cyber security plan: over 30% of users have been attacked through their mobile devices. The assumption that cyber attacks only occur on desktops is a thing of the past.
  • Track, understand and protect against threats from outside the country: state-sponsored attackers and criminals outside US jurisdiction use their location to their advantage, since prosecution rarely reaches them. Be vigilant in your protection protocols and stop them before they start.

This isn’t rocket science: the financial services sector has an obligation to its clients to provide every available security measure when protecting the assets entrusted to it. The points above involve employee education and pre-planned disaster recovery options; that is a lot for any company to take on in-house, especially one that doesn’t know where to start. Having a cyber security management and monitoring firm such as Neovera provide 24x7x365 support and protection for your vulnerable data is the difference between a proactive and a reactive organization. Be proactive about cyber security protection; your clients will thank you.

The Trouble Behind a Secured User Experience

User experience and security: not the most harmonious of relationships. Few companies have truly married the two; most organizations battle it out, sacrificing security for look and feel, or pushing new products to the wayside because there isn’t a compatible security plan. News continues to break in the wake of the recent Yahoo! data breach, most notably reports of Marissa Mayer’s conscious decision to prioritize streamlined design and new product development over security. This is an extreme case, in which hundreds of millions of accounts were exposed, but it points to the constant battle between the two factions. At what point do you risk user experience for a more robust security protocol, or put the accounts under your protection at risk to give those same users an unforgettable online experience?

Though there are two distinct camps in the user experience versus security discussion, there is a telling real-life event involving Google and Yahoo! in 2010. According to the New York Times’ account, Chinese military hackers breached computer systems and online accounts at a number of US technology giants. Google dove headfirst into ensuring an attack of this magnitude would never succeed again: co-founder Sergey Brin made security a top priority, hiring hundreds of security engineers and investing in security infrastructure, which shows that user experience and security can peacefully coexist. Yahoo!, however, was slower to adopt the needed changes, and Marissa Mayer’s arrival did little to help. After she took over Yahoo! in 2012, new product development became the sole focus despite looming security problems that had not been fixed since the initial attack. Though Yahoo!’s internal security team pushed for changes, their suggestions met extreme pushback and, more often than not, were overridden in favor of a streamlined user experience.

How a company responds to an attack or breach, and how quickly, says a great deal about its backbone. User experience is important, granted, but there is a strong argument that security is part of the user experience. With one in five small businesses experiencing an attack, and 60% of those reportedly going out of business because of the blow, the time to improve the relationship between user experience and security is now. With 24x7x365 management and monitoring solutions customized to every business’s needs, Neovera will ensure the safety and security of your data without impeding future business goals.

Yahoo! Data Breach Impacts Millions

Yahoo! has most recently been in the news for the $4.83 billion price Verizon agreed to pay for it. The deal would be a boon for both companies, and, frankly, given the news of late, Yahoo! needs all the help it can get. That help certainly didn’t come from the hackers who, in 2014, stole account details for at least 500 million users in the largest breach of its kind disclosed to date. Yahoo! did not confirm the breach until last week, after reports surfaced of the stolen data being offered for sale online. Not only is this a major problem for the hundreds of millions of affected users, it raises questions about the purchase and, frankly, whether it will even happen.

When the breach happened, Yahoo! issued no statement of any kind to its users or the media. Now blaming a state-sponsored actor for the intrusion, the company is working with law enforcement to get to the bottom of it. Meanwhile, the stolen information ranges from names and email addresses to hashed passwords and security questions and answers. Yahoo! maintains that the passwords were hashed, the vast majority with bcrypt (a slow, salted hash designed to resist offline cracking), but other reports state that some may have been stored or released in a weaker form.

Yahoo! is keeping a tight lid on most details: it hasn’t said which state-sponsored actor it believes is responsible, or whether there are any leads. And while it has invalidated the unencrypted security questions and answers on affected accounts, it is only suggesting that people change their passwords. To be clear: changing your password should be the first step for anyone with a Yahoo! account, or any account touched by a data breach, and the same password should be changed anywhere else it was reused. Even if the stored hash was bcrypt, changing a password takes seconds out of your day and will save you a great deal of potential headaches later. Protecting your cyber security position should be top-of-mind with each click of the mouse and every IoT interaction. But mistakes happen; let Neovera take care of those missteps with 24x7x365 cyber security monitoring and management services based on your company’s unique needs and requirements.

Email Scam Targets the IRS & Healthcare

To reiterate from past coverage: the IRS does not initiate contact by email, text message or social media; its first contact is a letter through the US Postal Service. A new email scam is catching more and more users with messages that appear to come from the IRS about an unpaid medical coverage fee. Looking further into this latest farce reveals that many users keep making the same choices that ultimately hurt their cyber security standing and expose sensitive data.

Now, here are the red flags to watch out for in this IRS/healthcare email scam:

  • You received an email from the IRS: the IRS does not initiate communication by email. It will always be through the Post Office. Because they’re old.
  • You received an attachment called a “CP2000 notice”: same as above. A real CP2000 notice tells a filer that the income on the return doesn’t match what a third party reported, and it arrives by mail, never as an email attachment.
  • The email includes an address where the payment should be sent, along with a payment link: the IRS does not solicit payments to a P.O. Box, and more importantly it would never include a payment link in an email, because it doesn’t communicate by email to begin with. Hover over the link before clicking anything; the destination will not be an irs.gov address.
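The three red flags above are mechanical enough to check automatically, which is what the mail-gateway filtering recommended in the ransomware post amounts to. The following is an added example, not Neovera’s tooling: a small scanner that parses a message with Python’s standard `email` module and reports which of the listed flags it trips (an IRS display name in front of a non-irs.gov address, an attachment posing as a CP2000 notice, a payment demand with a link or a P.O. Box). Both sample messages, including the sender domain `irs-refund-center.example`, are constructed for the example and are not real samples.

```python
"""Red-flag scanner for the IRS/CP2000 phishing pattern described above,
the kind of check a mail gateway can apply before a message reaches an inbox.

Added example, not Neovera's tooling. The rules encode the red flags listed
in the post; both sample messages are constructed, not real samples."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

IRS_NAME = re.compile(r"\birs\b|internal revenue", re.I)
NOTICE_NAME = re.compile(r"cp\s?2000|notice", re.I)
PAYMENT = re.compile(r"\b(pay(ment)?|remit|balance due|amount owed)\b", re.I)
PO_BOX = re.compile(r"\bP\.?\s?O\.?\s+Box\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def red_flags(raw: bytes) -> List[str]:
    """Return the red flags a raw RFC 5322 message trips; empty means none."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()

    # Flag 1: it claims to come from the IRS at all (the IRS does not
    # initiate contact by email), plus the usual spoof on top: an IRS
    # display name in front of an address that is not irs.gov.
    if IRS_NAME.search(display) or IRS_NAME.search(msg.get("Subject", "")):
        flags.append("claims to be from the IRS")
    if IRS_NAME.search(display) and not domain.endswith("irs.gov"):
        flags.append(f"display name says IRS but sender domain is {domain}")

    # Flag 2: an attachment dressed up as a tax notice.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if NOTICE_NAME.search(name):
            flags.append(f"attachment posing as a tax notice: {name}")

    # Flag 3: a payment demand with a link, or a P.O. Box to mail a check to.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = URL.findall(text)
    if urls and PAYMENT.search(text):
        flags.append("payment demand with link(s): " + ", ".join(urls))
    if PO_BOX.search(text) and PAYMENT.search(text):
        flags.append("asks for payment to a P.O. Box")
    return flags


def build_sample(spoofed: bool) -> bytes:
    """Constructed test messages: the scam, and a benign control."""
    m = EmailMessage()
    if spoofed:
        m["From"] = "IRS Collections <notices@irs-refund-center.example>"
        m["To"] = "taxpayer@company.example"
        m["Subject"] = "Notice CP2000: unpaid health coverage fee"
        m.set_content(
            "Our records show income that does not match your return.\n"
            "Pay the balance due within 10 days at\n"
            "http://irs-refund-center.example/pay\n"
            "or mail a check to P.O. Box 1234, Austin, TX.\n")
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                         subtype="pdf", filename="CP2000_Notice.pdf")
    else:
        m["From"] = "Dana Smith <dana@company.example>"
        m["To"] = "team@company.example"
        m["Subject"] = "Lunch Thursday"
        m.set_content("Team lunch at noon; see the calendar invite.\n")
    return m.as_bytes()


if __name__ == "__main__":
    for label, spoofed in (("scam", True), ("control", False)):
        print(label, red_flags(build_sample(spoofed)))
```

Note that the first flag fires on the claim alone, before any domain check: because the IRS never initiates contact by email, a message that merely says it is from the IRS is already suspect, and the domain mismatch is confirmation rather than the primary test.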

All of these red flags have obvious responses, so potential victims need not fall prey to this latest attack. User education, especially within a company, is a core part of any cyber security protection solution. Not only will Neovera, as your chosen managed and monitored cyber security protection service, provide 24x7x365 coverage of your vital networks and data, but you will have the extra security of arming your employees with the knowledge to stop a cyber attack in its tracks.

Data Breach Affects 68 Million Dropbox Users

Another day, another data breach. This time Dropbox, the popular cloud storage giant, confirmed that over 68 million user email addresses and password hashes were dumped on the Internet. What’s interesting is that the data comes from a previous attack in 2012, at which time Dropbox reported only that email addresses had been stolen. Whether it did not know the password hashes had been taken, or simply didn’t disclose it, remains to be seen.

The Dropbox breach is connected to two earlier incidents: the 2012 attack on Dropbox itself, and the LinkedIn breach discussed at length on this site. As mentioned, the 2012 attack was thought to have exposed only email addresses; this week’s release shows that it also included password hashes. The way the attackers got in is instructive. It involved no novel exploit, no physical access, nothing of the sort. All they needed was one employee’s password, which that employee had used for both LinkedIn and Dropbox. Remember the recent LinkedIn data breach? Exactly: with the password from that dump they logged in as the employee and took what they wanted from the user database at their leisure.

So, how is Dropbox handling the situation? Besides urging users to change passwords if they haven’t already (use these stories as incentive), Dropbox is taking steps to make a future breach less likely. Its security standing was, and is, reasonably strong: the stolen passwords were salted and hashed, and Dropbox was partway through migrating from SHA-1 to bcrypt, a deliberately slow hash that makes offline cracking far more expensive. This breach shows that even the stronger technology companies are vulnerable to cyber attacks. Stronger protection on both the user and the business side is key: strong, unique passwords and multi-factor authentication. Unfortunately one Dropbox employee failed to heed the everyman’s warning that passwords should never be reused.
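The Yahoo! and Dropbox posts above both turn on the same two facts: an unsalted fast hash such as SHA-1 makes a stolen dump cheap to crack and makes password reuse visible across dumps, while a salted, slow hash such as bcrypt forces the attacker to pay per user and per guess. The following is an added example, not Dropbox’s or Yahoo!’s code, that shows both effects on a constructed scenario (the usernames, passwords and “dumps” are invented). bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256, which is also salted and deliberately slow, stands in for it; the default of 200,000 rounds is an assumption for illustration, and the demo lowers it so the run stays quick.

```python
"""Why 'SHA-1 store plus a reused password' was enough to get into Dropbox,
and what a slow, salted hash such as bcrypt changes.

Added example, not Dropbox's or Yahoo!'s code. bcrypt is not in the Python
standard library, so PBKDF2-HMAC-SHA256 stands in for it. Every username,
password and 'dump' below is constructed."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# A tiny constructed wordlist; real cracking runs use billions of guesses.
WORDLIST = ["123456", "password", "linkedin", "Summer2012!", "letmein"]


def sha1_store(password: str) -> str:
    """Legacy store: fast and unsalted, so equal passwords give equal hashes
    for every user and across every site that does the same."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_store(password: str, salt: Optional[bytes] = None,
               rounds: int = 200_000) -> Tuple[bytes, bytes]:
    """bcrypt-style store: a random per-user salt plus a tunable work factor.
    Returns (salt, digest); both are stored, neither is secret."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def reuse_across_dumps(dump_a: Dict[str, str], dump_b: Dict[str, str]) -> List[str]:
    """With unsalted hashes, reuse is visible without cracking anything: the
    same digest under the same username in two dumps means the same password
    on both services. This is all the Dropbox attacker needed."""
    return sorted(u for u in dump_a if u in dump_b and dump_a[u] == dump_b[u])


def crack_sha1(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """One hash per candidate word cracks every user who chose that word."""
    table = {sha1_store(w): w for w in wordlist}      # len(wordlist) hashes, total
    return {u: table[h] for u, h in dump.items() if h in table}


def crack_slow(dump: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
               rounds: int) -> Tuple[Dict[str, str], int]:
    """Salted: every (user, word) pair is a fresh derivation, and each one
    costs `rounds` iterations. Returns (cracked, derivations performed)."""
    cracked, work = {}, 0
    for user, (salt, digest) in dump.items():
        for w in wordlist:
            work += 1
            if slow_store(w, salt, rounds)[1] == digest:
                cracked[user] = w
                break
    return cracked, work


def demo(rounds: int = 2_000) -> dict:
    """Constructed scenario: d.jones reused one password on LinkedIn and on
    Dropbox's legacy (SHA-1) store; the same accounts after migration."""
    linkedin = {"d.jones": sha1_store("Summer2012!"), "a.lee": sha1_store("123456")}
    dropbox_legacy = {"d.jones": sha1_store("Summer2012!"),
                      "m.chen": sha1_store("Tr0ub4dor&3")}
    dropbox_migrated = {"d.jones": slow_store("Summer2012!", rounds=rounds),
                        "m.chen": slow_store("Tr0ub4dor&3", rounds=rounds)}
    slow_cracked, work = crack_slow(dropbox_migrated, WORDLIST, rounds)
    return {
        "reused": reuse_across_dumps(linkedin, dropbox_legacy),
        "sha1_cracked": crack_sha1(dropbox_legacy, WORDLIST),
        "sha1_work": len(WORDLIST),
        "slow_cracked": slow_cracked,
        "slow_work": work,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to notice in the output. The reused password is identified by comparing the two dumps alone, with no cracking at all, which is why a breach at one site becomes a break-in at another. And the slow store does not stop a weak password from being guessed; it only makes each guess cost a full derivation per user, so the wordlist has to be run separately against every salt instead of once against the whole dump. Unique passwords and a second factor remain the controls that actually close the reuse path.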