My Internship with Axiom Cyber Solutions

My Internship with Axiom Cyber Solutions

Axiom Cyber Solutions is a Las Vegas-based managed cybersecurity company that aims to provide simple solutions to major problems for small to medium sized businesses and beyond to help them fight back against cyber-criminals. At least, this is what they’ll tell you when you first meet Troy, Shannon, or anyone else on the Axiom team—but this is only part of their story. Yes, Axiom is a company that provides high quality cybersecurity to those who need it most—small businesses—but I’ve learned over the duration of my internship that they are so much more than that. The best way for me to explain is to tell you about all of the people who impact and are impacted by Axiom:

The Employees

The saying goes “A company is only as good as its people”—if this is true, then Axiom is golden. Though there are only a few of them, the Axiom staff is comprised of some of the hardest working, dedicated people you’d ever hope to meet. Working for a start-up has its challenges, but you’d never know that looking at the faces of these employees. From talking to Jade upon your arrival at our offices, to discussing the intricacies of the technology with Adam, Axiom team members are friendly people who only want to help you.

A lot of young professionals seek a company with a distinct, welcoming culture to start their careers, and you’ll find exactly that at Axiom Cyber Solutions. Though we all have our own space in our own offices, everyone’s door is always open for questions or advice. Something I’ve really enjoyed is being able to collaborate with so many different minds on various projects, and the team atmosphere is extremely strong within Axiom.

The Customers

A company may only be as good as its people, but companies would be obsolete without their customers. From a local indoor playground run by an awesome couple (just like Troy and Shannon) to exciting casinos in downtown Las Vegas, Axiom has a wide range of customers whom they work diligently to keep happy and protect. These customers are people who recognize the growing threats of cyber-crimes like ransomware and DDoS and know that they want high quality, cutting edge protection from them—for a price that fits their budgets.

The Community

In my ten weeks in Las Vegas working as an intern for Axiom, I probably encountered most of the local, small business owners and professionals from the numerous networking events I experienced. Something that I really admire about Axiom is their commitment to being involved in the local Las-Vegas community as well as communities across the country. Not only have they helped several companies do things like pay their ransom for ransomware attacks, replaced hacked PBX systems with secure ones, and mitigate DDoS attacks on a company’s opening day, but you can tell that they genuinely care about the people they help protect by the ways they interact with their clients. Axiom cares about people’s data and protecting the community that surrounds them is their superpower.

The Families

Axiom is not only a family of employees and customers, but we are a part of each other’s families as well. Troy and Shannon Wilkinson are the CEO and President of Axiom Cyber Solutions, but they are also the proud parents of three sweet girls—Mackenzie (5), Kayleigh (3), and Abigail (2). Both Troy and Shannon’s mothers come into the office regularly to talk with the employees and even sit in on a meeting or two while the girls will come and draw pictures on office windows to brighten everyone’s day. It is clear that the Wilkinsons eat, sleep, and breathe Axiom.

But Axiom is not just about the Wilkinson family—they care about other employees’ families as well. Be it going to birthdays, barbecues, or baptisms, you can see that Axiom is a family of families.

Me

I have learned so much from the two months I’ve been an intern here. From having to google what the heck ransomware was on my first day to being able to explain different variants of it to friends and family, I’ve come a long way in my knowledge of cybersecurity. But I’ve learned more than just what different cyber-threats are or how to program a firewall—I’ve learned things like how to network, what it means to be a part of a team, what it feels like to be proud of your finished product, and how you’ll never know something unless you ask. Of course, there is so much more for me to learn, but I am happy that I started my professional career with Axiom Cyber Solutions. This is a place that, to me, will always feel like home.

 

Hailey Carlson, Axiom Cyber Solutions 7/22/2016

Phone System Security: What to do When Hackers Come Calling

Phone System Security: What to do When Hackers Come Calling

Most everyone is aware that hackers are trying relentlessly every day to get into your company’s private network so they can steal your and your customers’ important data that would be harmful to your company if it were to fall into the wrong hands. But something most people are not aware of is the fact that phone systems are incredibly vulnerable to attack—and they can be a hacker’s fastest link into your private network.

PBXs, or private branch exchanges, are phone systems that allow for communication out of and across a large number of phones in a single organization. Companies have made a turn toward digital IP PBXs over traditional Analog systems because it is easier for them to have everything—computers and telephones—connected in one network. Analog PBXs only provide telephone services, requiring the company to find their own provider to deliver a separate connection to the internet; however, with IP PBXs both internet and phone are connected and come into the company from the same provider via one wire—making things more connected and easier to use for the company.

Unified Messaging

Along with the increased connectivity between telephone and private networks, there are some additional advantages to choosing an IP PBX including lower costs both upfront and for traditionally expensive calls, as well as increased ease-of-use and accessibility for employees via unified messaging. Unified messaging, or unified communication, simplifies and connects all forms of communication—text, voicemail, email, video conference, fax, etc.—and allows them to be handled in a single mailbox that the user can access from anywhere. This can be via an app that allows you to check your voicemail remotely, or via an email attachment with a soundbite of the voicemail. This allows users to be connected to their office telephones from anywhere.

However, with all of this network connectivity, there are some potential drawbacks as PBXs are among some of the most vulnerable office equipment out there.

Threats to your PBX

Many people are unware of the vulnerabilities that their phone systems pose to their company and consequently, these people leave their phones unprotected—and hackers are well aware of this knowledge deficit. Criminals can ring up a huge phone bill by making unapproved domestic and international calls, costing your business big bucks if gone undetected—and that’s just the minor threat PBX hacking can pose!

With the vulnerabilities of unprotected IP PBX phone systems, it raises the question—if my private network and my phone network are connected, wouldn’t it be easy for hackers to get into a private network via the connected, weakly-protected phone system? The short and simple answer is yes.

The greatest and most dangerous threat to your company is when hackers use your vulnerable phone system to hack into your private network—where you store your customer, employee, and financial data, among other vital things. This is the information computer hackers long to take from every company that they can, and weakly protected phone systems are the best direct channels to getting that information from your business.

Protecting your PBX

Though the revelation of yet another point of entry for hackers into your business might be pretty disconcerting, there are some simple defenses you can put in place in order to better protect your company’s PBX system and consequently all of your sensitive data.

  • Use strong authorization codes or passwords. Each phone and/or user should have their own individualized login and password in order to strengthen the security of the PBX. Many providers of PBX systems leave user passwords at their default settings or simply make them something easy to guess like the user’s birth date or extension number, thus leaving the door wide open for hackers to easily guess and check in order to infiltrate the system. Use of complex, hard to guess authentication codes/passwords is a simple step that allows for less risk to threaten your phone system security.
  • Delete or deactivate unused accounts. Say an employee leaves your company for whatever reason, her phone’s inactive voicemail box is now an unmonitored entry point for hackers to sneak into your company through your phone system. Deleting extra passageways for hackers takes little time to accomplish and can be a major benefit to your company’s cybersecurity.
  • Frequently check your outgoing voicemail to ensure that it is in fact your voicemail message. One way hackers ring up your phone bill is by changing your outgoing voicemail message to something like “Yes, I will accept the charges,” then the hacker collect calls this compromised number, charging it on the company’s dime. By not only checking, but changing your voicemail regularly, you can prevent this type of threat to your company. Though this is more of a minor threat, you could save your business thousands of dollars in phone bills by checking something as simple as your outgoing message.
  • Restrict or monitor certain types of phone calls made to/by your phones. Consider restricting international or long distance calling destinations if your company does not require contact with them regularly. You can set this up either directly into your phone system, or by having your provider notify you of attempts of this kind.
  • Use Firewalls to protect your data. By having your phone system shielded by a strong firewall, you are providing your company’s phone system with the best possible defense. Intrusion detection will notify you of any attempts or breaches to your phone system and is a key feature this firewall should have; a next-generation firewall will be the toughest one for a hacker to attack.
    • Axiom provides a PBX system that has a built-in firewall and we encourage our users to put an additional Axiom SecureAmerica® Next-Generation Firewall in front of that in order to protect your phone system two-fold. Learn more about Axiom’s PBX from our CEO, Troy Wilkinson, here.

Though an unexpected route for hackers to take, securing your phone system is not only key to keeping calls and other means of communication safe from attack, but your private networks and all of the dignified information they store as well.

If you’d like to find out more about securing your phone system or private network, give us a call at (800) 519-5070 or visit our website at https://axiomcyber.com/ to speak with one of our IT experts.

Hailey R. Carlson, Marketing Inter, Axiom Cyber Solutions 7/21/2016

Image Source

Cybersecurity in Gaming: DDoS & Hacking Threats

Cybersecurity in Gaming: DDoS & Hacking Threats

Cyber-threats plague our society today in every area of our lives that involves technology. Be it work, school, or play, we are always surrounded by technology that could potentially be hacked or attacked at any moment, leaving us vulnerable. One of the industries where protecting against these cyber-threats has been an issue for many years is gaming—and with Pokémon Go all over the news this week, there is no better time to address cybersecurity in the gaming world.

Smartphone threats, ‘Gotta catch em all’

Pokémon Go is all people have been able to talk about recently—with over 7.5 million downloads in the U.S. alone within its first week of launch, the game is wildly successful and obviously entertaining. But with its emergence as one of the first augmented reality games for your smartphone, it has exposed users to a herd of cyber threats because of the full level of permissions it has been asking of users who sign up with their Google accounts. Not only that, but with “Pokémon Masters” sharing their location in order to play with and battle other users, this is the biggest database of people’s current locations created from a game. Thankfully, Pokémon has released a patch in an app update to lessen the amount of permissions they can access to just your Google user ID and email address. However, prior to this fix, they were privy to all of the information listed in Figure 1 below.

 

PokemonGoPermissionsAccess_viaInverse

Figure 1: Pokémon Go Permissions before 7/12/16 patch via Inverse

Though the company may have had no intentions of using this information in a malicious way, had a hacker gotten into the app on your phone or through the Pokémon Go servers, they could have used all of this information to their advantage. This is one of the issues with gaming on smartphones—you must be careful of the permissions you allow otherwise you could be a victim without even knowing it.

Online and Console Gaming, A DDoS minefield

Cyber-threats are not only prevalent in the smartphone gaming world, but they are also rampant in online and console gaming as well. While these segments face many threats, but two of the biggest threats are DDoS and hacking. DDoS, or distributed-denial-of-service, attacks occur when massive numbers of corrupted systems attack a single target. These malicious sources flood the target with bad traffic, preventing (or denying) service to the site for genuine, honest users. DDoS can also include denying service via wiping out entire databases full of user information or attempting to change a user’s password too many times, thus locking him or her out. The primary way it affects video games is by overloading the servers with malicious traffic, thus bringing them down, making them inoperable. As you can see below in Figure 2, in the first quarter of 2016, the overwhelming majority of DDoS attacks across the internet were targeted at the gaming industry.

gaming in ddos info Q1_2016

Figure 2: First Quarter 2016 DDoS Report by Industry via Statista

 

While these are shocking numbers, this is nothing new for the gaming world. Online and console games have been the primary targets for gaming DDoS attacks for years.

Earlier this year, well-known DDoS attack group, Lizard Squad, launched an attack on World of Warcraft and Diablo III online game provider, Blizzard. Servers were down for several hours leaving players restless and angry. DDoS is a cyber-crime that is easy to commit and difficult to combat, so getting their servers up and running again took much time and effort on Blizzard’s end.

Lizard Squad also led DDoS attacks on Christmas two years ago that affected both Microsoft and Sony, providers for Xbox and Play Station consoles respectively. Lizard Squad warned of the attack in the months leading up to the holiday—tauntingly asking how ‘Live’ and ‘PSN’ (the games’ online networks) were doing. It is difficult to fight these kinds of attacks because having traffic come from so many locations, especially with people the massive amounts of people who received the consoles as gifts for Christmas all logging on around the same time as the attackers, to weed out the good traffic from the bad.

Hackers: threatening your phone, laptop, and console

In addition to DDoS attacks, all platforms of gaming are threatened daily by hackers. Late last year, Steam, one of the world’s most powerful online gaming companies, admitted that 77,000 of its players’ accounts were hacked every month.

One of the scariest aspects of hacking is the information that hackers are able to take. PII is readily available because these users provide so much personal information just to sign up and play; so when game systems are attacked, users’ data is vulnerable to being stolen and possibly even sold on the internet. These players include people of all ages, so parents of young gamers should talk with their children about the amount of information they provide when registering for different games they play.

Many games ask for sensitive information such as a birth date, home address, and credit card information. Unless the game is specified for a specific age level (i.e. “Rated M for mature”) then they should not need your birthday information. Having access to your home address could lead malicious cyber-criminals to your right to your front door, exposing you to some serious physical trouble in the real world. And the only reason a credit card number should be needed is if you’re paying to play that game—though some ask for it even though they’re “not going to bill you anything.” This information should not be given out carelessly because, should it fall into the wrong hands, it could be detrimental to your personal cybersecurity—possibly even leading to hackers using this information to steal your identity.

Gaming Cybersecurity, Be careful where you download

Nobody who loves gaming will stop just because there are threats to the industry; however, by taking steps to personally protect yourself as well as being aware of what dangers are out there, you can better enhance your own personal cybersecurity.

Though all aspects of cybersecurity require layers of protection, many of the threats that gamers face are caused by the gaming platforms they use, and there is little they can do personally to defend against attack. The best way for players to protect themselves is by only downloading legitimate games from trusted sources. If you are unsure about the security and validity of a game, you should not download it. Downloading mobile games form third party providers can leave your smartphone vulnerable to attack and the same goes for computer downloads negatively affecting your laptop. While it is slightly more difficult to download games freely on consoles like Play Station and Xbox, it is still possible. The best way to prevent a malicious game from infecting your device is by only downloading legitimate, verified games.

Hailey Carlson, Marketing Intern, Axiom Cyber Solutions 7/15/2016

Image Source

Beware: Pokémon Security Vulnerability Allows Access to User’s Entire Google Account

LAS VEGAS— With over 7.5 million downloads since launch on July 6, 2016, Pokémon Go is a wildly popular game but Axiom Cyber Solutions wants to warn users of the security risks of the app connected to user’s Google accounts.

Currently, the app offers the option to connect with a Pokémon Trainer Club account or a Google Account. A large percentage of users are choosing to connect with their Google account, not knowing that they are giving the app permission to their entire Google account including documents and photos to email messages and search history, and even items stored in the cloud. A patch is being worked on by the app developers to restrict the app permissions to only basic Google information and the developers insist that so far the app has only accessed basic information, there is still a risk to users.


Ahead of the patch, users can restrict access to their Google account information through their Google Account. To change the app permissions, go to “My Account” on Google (https://myaccount.google.com/) and navigate to “Connected Apps and Sites”. Select “Manage Apps” and then on the Pokémon Go app, and select “Remove Access”.


Android users must also be wary of third-party download sites that are offering malware-infected versions of the app. Security research firm Proofpoint has found a version available from a third-party site that was packaged with a remote-access Trojan (RAT) which would give a hacker full control over the phone once activated.

Image Source

What Would Happen if We Didn’t Think of It as Data…?

What Would Happen if We Didn’t Think of It as Data…?

What level of “digital trust” is there in your company?  To put it another way, how confident are your customers, employees and partners that your business will safeguard what THEY have entrusted to YOU?

As the battle intensifies to protect the confidentiality, integrity and accessibility of digital information, one thing is clear: companies large and small who do not make digital trust a priority will not be around in the future. In today’s world, cybersecurity is not only an expectation, but a demand from those who make your company possible.

Time for a Commercial Break

Take 60 seconds and watch this commercial from Acura:

https://www.youtube.com/watch?v=DfvpF4RRGAE

 

It is not a commercial about the elegance, comfort, or price of Acura’s luxury line of cars. It is a commercial aimed at increasing their customers’ trust by focusing on the safety and security of what is most important to them. They drive this home with their tagline “When you don’t think of them as dummies, something amazing happens.”  And it’s a great way to publicize that they are “The first luxury brand to be awarded top safety ratings across its entire model line.”

In short, what they are saying is this:

“You can trust us because we’ve made the security of what’s important to you a priority to our business and we’ve got the awards to prove it.”

What if We Didn’t Think of It as Data?

Companies that aren’t seriously investing in cybersecurity technology and training are still looking at their data like a car company might look at a crash test dummy – just something to be used for making business decisions – instead of information they have been entrusted with from other parties (be it customers, employees, or business partners) to protect.

In March 2016, HfS Research and Accenture surveyed 208 enterprise security professionals across a range of geographies and vertical industry sectors.  Their results were just released in the report “The State of Cybersecurity and Digital Trust 2016.”

The key objective of this survey was to learn how cybersecurity threats are perceived and countered within the enterprise, with a goal of understanding the state of cybersecurity and the steps the enterprise should take to foster digital trust throughout the extended enterprise.

One of their notable findings was that “While 54 percent of respondents agree or strongly agree that cybersecurity is an enabler of digital trust for consumers, 36 percent believe their executive management considers cybersecurity an unnecessary cost.”

Question: “Would you feel confident in entrusting what is important to you with the companies of those 36% who don’t believe their executive management make the security of it a priority?”

If enough answer “No” to this question, what will inevitably happen to that business?

The Threat Grows Bigger But The Budget Grows Smaller

These security professionals were also asked about their concern for the future of cybersecurity threats. See their response to the following question:

How concerned were you during the prior 12 months of the following threats and how concerned are you moving into the coming 12 to 18 months? (responses citing Major or Critical Threats only)

Note that they saw all threats as increasing. Compare this outlook, however, to how well positioned they find themselves to handle threats:

How prepared are you [your staff] to handle each of the following?

Question: “With whom would you rather entrust your business?”

One last telling response from this survey was to this question:

Which of the following are the biggest inhibitors to your organization’s security provision? (single biggest inhibitor)

Of course, budget is always going to be a limiting factor for any business initiative. However, that, along with the lack of the Corporate/ Executive Level making it a priority, doesn’t bode well for those companies in the face of an increasing cybersecurity threat.

Businesses Need to Change Their Thinking

The problem in business (and cybersecurity) is that we use the impersonal word “data” to describe something of personal value. Just look at how the word “data” is defined:

data

1:  factual information (as measurements or statistics) used as a basis for reasoning, discussion, or calculation

2:  information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful

3:  information in numerical form that can be digitally transmitted or processed

                                                                Source: Meriam-Webster.com

 

It’s no wonder that when executive management considers protecting “data” – andbudgeting for cybersecurity – they see it as just another expense (and for some, an unnecessary one) rather than protecting something they’ve been entrusted with to protect.

Consider for a moment how a cybercriminal sees data.  To him/her it is simply a commodity with no concern for whom it belongs or how they are affected by what he/she does with it. The table below gives more of an idea about this.

The cybercriminal is only concerned with “Why it’s done.”

In order to build digital trust, businesses must be concerned about “Who is impacted” – to stop looking at “data” as an impersonal commodity and more as an asset that beenentrusted to them by someone.

In addition, businesses need to look at cybersecurity as a way of strengthening their company’s position in the market (just as Acura has done).

Instead of “just another expense,” the security of the information you’ve been entrusted with needs to be one of your core business initiatives.

As the Accenture/HfS Research report states, “State-of-the-art in cybersecurity is anapproach, a mindset—not an implementation or technological end-state.  It evolves and adapts as the value of assets shift and the type or level of threat changes.”

If a company is to remain viable and competitive in the near future, executive management needs to “quit looking at it as data” and see their digital information as a valuable asset whose loss or destruction impacts others. If your company cannot be trusted to keep it safe, it will be given to one that can be.

Smartphone Security—Who’s watching you while you’re taking selfies?

Smartphone Security—Who’s watching you while you’re taking selfies?

A man told me the other day that he had a “near-death” experience—was it a close call at a red light, a bit of rougher-than-usual turbulence on an airplane, or even swimming in shark-infested waters? Nope. He forgot his phone in a meeting right before the business closed for the day.

While the statement is a bit melodramatic on the surface, the sentiment is probably true for the greater majority of us—we can’t live without our smartphones. They give us information on breaking news and the weather, provide us with entertainment, and allow us to stay in contact with loved ones from anywhere. Smartphones are great.

But with the wealth of information we store on these little pocket-sized computers, they are perfect targets for hackers looking to find out any information about us. Between logging into emails, bank accounts, and even having your card information stored via a virtual wallet app, if hackers got their hands on your smartphone, they’d have access into your entire world with the ability to wreak havoc as they pleased.

Recently, smartphones have become the new target for hackers over PCs which have less personal information stored on them. This is bad news for the 68+% of US adults who own smartphones—not to mention the massive amount of children and teenagers under the age of 18 who use these devices as well.

When your phone falls into the wrong hands, it can mean the end of your personal cybersecurity, and with innovations in technology, hackers are not only able to hack into phones in their physical possession, but they can also get into them remotely without you even knowing it. They can even hold your phone and everything on it hostage. With such dauntingly increasing threats to your phone, it is important to educate yourself on the threats facing yourself and other smartphone users today.

Hacking

The top two smartphone producers today are Apple and Android. Android is credited for having an open and adaptable operating system where users can easily create and add their own applications—but with such an open OS, this leaves them severely vulnerable to hackers even with their rigorous app regulations and checks.

One student was able to include a 1-pixel x 1-pixel preview screen in his Google Play store app that allowed him to have access to the camera on a smartphone without the user’s knowledge, even when the screen was turned off. He did this to prove just how easy it is for hackers to be able to get into your smartphone undetected. Were he a malicious person, he could have hacked into any user’s camera on a phone that had this app, and taken intrusive snapshots of them throughout their daily lives. The creator of this app said that the fact that his app worked so well and the camera was operational without notifying the user was “scary” and “inexcusable.”

Though only the Android users might be worried up to this point, iPhone users, don’t be fooled—though Android phones have been the most vulnerable in the past, new malwares such as XCodeGhost are increasing at terrifying rates, making you just as vulnerable as your Android-loving friends.

Ransomware

Many people are worried about hackers looking at them through their phones, but something just as scary has been on the rise in cyber-crimes targeting smartphones. Ransomware, the cybercrime poster child of 2016, has increased in smartphone attacks 400% over the past year.

Hackers get into your phone via malicious apps or fictitious pop-ups and lock you out from your phone entirely until you pay up. Sometimes even when you do pay, these cyber-criminals still won’t allow you to regain access to your phone. Four major groups—Small, Fusob, Pletor, and Svpeng—made up 90% of these ransomware attacks in one year, and it is terrifying that there are so many people being affected—4 million US Android users last year alone—by such a small number of hackers.

What you can do to protect yourself

Between hacking into your phone to undetectably control your camera and taking your smartphone hostage, it is safe to say that we all need to start taking action to protect our phones and the sensitive information we store on them. Here are a few ways to strengthen your smartphone security:

  • Only download apps from the Google Play or iOS App StoresWhen you stray from legitimate, well-checked applications, you leave your phone vulnerable to attack and downloading seedy or unreliable apps is one of the quickest ways to make your phone a target from cyber-criminals.
  • Be wary of what permissions apps request access to on your phone—Especially if you do stray from the approved app stores for whatever reason, be careful of which permissions different applications are asking your approval. For example, a legitimate weather app probably doesn’t need access to your microphone or camera and could be a red flag.
  • Download a smartphone antivirus—Taking multiple steps in your personal cybersecurity is key to staying protected. When you have an antivirus on your phone as well as on all computers and other devices you connect your phone to, you are further strengthening the security of your important information.
  • Educate yourself and others on the importance of personal cybersecurity and current threats—When you learn of some new ransomware or malicious application, tell someone—tell everyone for that matter. The majority of us have smartphones, so it is likely that you can help not only yourself but your friends and family members as well. Staying up to date on what the hackers are trying to do to steal your information is the best way to stay ahead of them.

Smartphone cybersecurity is one of the newest security challenges we are facing today. Smartphones are still evolving and being developed to centralize our data and make life easier for us—but because this can also make it easier for hackers to get into your phone and steal your information, it is important to get and stay protected.

Hailey Carlson, Marketing Intern, Axiom Cyber Solutions 7/6/2016

Image Source