Three Cyber-Security Challenges of the Internet of Things (IoT)

Three Cyber-Security Challenges of the Internet of Things (IoT)

The Internet of Things (IoT) is in every facet of our everyday existence, and they’re not going away anytime soon. It has become a revolutionary concept but also a security minefield. It is estimated that by 2020 there will be more than 50 billion web-connected devices all of which represent a portal to the network which can be hacked or compromised giving access to our most intimate moments and information. Many connected devices in any one system grants access to many points of entry for nefarious purposes. IoT comes with many benefits offering one integrated information system aimed at improving the quality of life and driving new business models. However, along with those benefits are also security challenges that IoT faces.

Here are three cybersecurity challenges of IoT.

Updates & Patches

Devices need to be updated regularly to remain up to date with cyber-threats. When the device is left unpatched the risk of a cyber-attack increase. Only 49% of companies offer remote updates for their smart “things.” Many of the people who develop low-end devices do not have the funds to give continuous device support. Leaving the consumer vulnerable to an unsupported device that is only as secure as the day purchased, containing security defects, and left fending for themselves against cyber threats. At the same time, the IoT vendors may not be technically savvy enough to develop such security updates.

Lack of Experience

Devices are more than often created by consumer goods manufacturers not PC hardware or software businesses. Many lack the experience of knowing how to properly secure devices and keep them safe from prying hackers. The main hindrance to designing secure IoT products is the fact that there is a shortage of experienced security experts who specialize in IoT.

Device Awareness

Being aware of all the IoT devices on the network especially a corporate network is the first step in applying the necessary cyber security measures. Many of these devices remain unmonitored within enterprise environments not seen as a threat to the network but the reality is that this opens a gateway for cyber-attacks. This leaves a hole in the network that needs to be secured becoming a vulnerability that can easily be exploited because these devices are the weakest link and are not secured.

Holiday Shopping: Best Practices for Shopping Safely Online

Holiday Shopping: Best Practices for Shopping Safely Online

Have you ever considered that you could be a target for a hacker? The holidays are around the corner meaning that this is the season for scammers to get to work. Identity theft and scam prevention services reports that approximately 15 million Americans have their identities used fraudulently each year with financial losses totaling upwards of $50 billion.

Here are four tips to help keep you safe while you shop.

Never click on links in an email

Clicking on the link instead of manually typing in the retailer’s website can redirect you to a scam site. Fake emails are designed to look like retailer’s in hopes you’ll give them your personal information. In fact, email phishing scams remain the most widespread method of stealing information. Although I am only referring to one form, it is important for you to be aware of the many other forms phishing presents itself as.

Best practices:

  • Check for odd spelling and bad English grammar
  • Beware of links
  • Be leery on too good to be true deals
  • Avoid redirected sites
  • Keep your security software up to date

Use Wi-Fi connections that you know

What is so wrong about using public Wi-Fi? Although public Wi-Fi can be convenient when you are at your favorite coffee shop browsing your news feed, public Wi-Fi is not secure even if it is password protected making it a major security risk. You are still an easy target for a hacker to eavesdrop on your online conversations, transactions, and personal information. Essentially, all that is really needed is for you and the hacker to be on the same Wi-Fi.

Best practices:

  • Always verify the SSID (service set identifier otherwise known as Wi-Fi name) with the business hosting
  • Use a VPN (virtual private network) if in a dire situation

Shop on secure sites only

Your browser is the door to the internet and the front line of defense against security threats. Securing the front line will keep hackers from walking right through your front door. How do you let the deals come in while keeping the hackers out? Keep a close eye on your address bar making sure it always shows an icon of a locked padlock. This ensures that the site is using SSL (secure socket layer) encryption HTTPS:// (instead of just HTTP://) adding an extra layer of protection by encrypting your data.

Best practices:

  • Shop from familiar websites that you trust
  • Research unfamiliar sellers to make sure they are legitimate
  • Always update your browser

Avoid Fake phone apps

As you scroll through your phone’s app store you find an app that claims to help you find the best deals, it shows a good score, and has the most popular brands. Up to 75-80% of the top free apps on Android or iPhones have malicious software known as malware, giving hackers easy access to not only steal your personal information but a gateway to your everyday life. They can now snoop on your conversations, steal passwords, track your location, credit card information, and even use your phone’s camera to spy on you. Worse of all, these apps continue to work while they do their magic profiting from your device without you even knowing.

Best practices:

  • Do your research before downloading apps
  • Delete apps that do not make sense
  • Read the reviews
  • Review app permissions
  • Do not download apps from third party sources
Axiom Cyber Solutions Wins Runner-Up for Launching Las Vegas Award

Axiom Cyber Solutions Wins Runner-Up for Launching Las Vegas Award

Dr. Samir Pancholi and the Launching Las Vegas Committee are proud to announce the winner of the third annual Launching Las Vegas award, Wedspire. Launching Las Vegas was created in 2015 to celebrate those who work hard to build up Vegas and support our community. The annual contest has awarded $2,500 to local businesses since its inception.

Hundreds of votes were cast as community members came out in full force to recognize their favorite of three nominated startup companies: Wedspire, Axiom Cyber Solutions, and Fuelixer. All companies were chosen for their dedication and contributions to the Las Vegas entrepreneurial community—and they epitomize the hard work and passion Las Vegans are known for.

Axiom Cyber Solutions was awarded second place and a $250 cash prize. Axiom Cyber Solutions is a Las Vegas cyber security company focused on providing holistic, enterprise-class cyber security solutions to small-to-medium businesses. They’re dedicated to protecting businesses most at-risk of attack by providing a firewall backed by the SecureAmerica Threat Defense Platform, antivirus, and Endpoint Detection and Response for a low monthly subscription cost.

“We are honored to have been selected as one of the Launching Las Vegas finalists,” responds Troy Wilkinson, CEO of Axiom Cyber Solutions. “We would like to thank Dr. Pancholi for establishing the award and recognizing the startup businesses of Las Vegas. Thank you to all of our supporters for their votes.”

About Dr. Pancholi & Launching Las Vegas: Dr. Samir Pancholi is a Las Vegas-based cosmetic surgeon and owner and director of a thriving practice. As a local business owner himself, Dr. Pancholi understands the challenges and rewards of starting your own company—and he created the annual Launching Las Vegas award in 2015 to celebrate, honor, and support fellow entrepreneurs and the Las Vegas business community as it expands. Visit drpancholi.com or call 702.363.0240 to learn more about Launching Las Vegas. Dr. Pancholi is available for interview upon request.

What is Firewall-as-a-Service?

What is Firewall-as-a-Service?

The firewall is one of the most important components of cybersecurity. The firewall sits at the edge of the internet connection filtering everything going into and out of the business.

One of the biggest gaps in any company’s cybersecurity strategy is constantly updating the firewall against the latest threat. Once a new threat or vulnerability is identified in the world, hackers have a new tool to break into your business. Your risk only increases until you patch your firewall against that threat. This is the cornerstone why Axiom was founded.

Not only do we provide proprietary Axiom technology that can process packets faster than other chipsets on the market, we fully configure the device for every business because no two businesses are the same. We then manage that device so that as new configurations become necessary, such as VPN tunnels or open ports, our experts can make those changes securely, so you don’t have to worry about accidentally leaving a backdoor open to hackers when changes are made.

The devices are monitored 24/7 by certified cybersecurity experts for indicators of compromise (IoC) as well as breach activity and attacks such as DDoS or ransomware. Our engineers monitor uptime and will reach out to the client if we see an outage, a major attack, or an advanced persistent threat.

Most importantly, our devices are updated more than 52,000 times per year. Because we fully manage the firewall, we can provide the most broad-spectrum updates in the industry. Behaviors, signatures, definitions, access control lists, heuristics, black lists, block lists, encryption algorithms and much more can be updated without the need to restart the device. Because of this advance in technology, we are able to reduce the amount of time from identification of a vulnerability to patching against it down to minutes rather than months.

Our updates originate from the SecureAmerica Threat Defense platform which is Axiom’s proprietary big data analytics engine that brings in multiple threat feeds from open and closed sources of vulnerability and hacker information. The platform then creates an update that is specific for our customers and pushes it out in real time. Our clients also become sources of threat intelligence. If their device sees a “Zero Day” attack, our firewall will send that to the platform and the update creation process begins. Within minutes of a client seeing a new threat, every Axiom customer is protected against it.

Axiom also provides real time feedback through our customer portal. This allows business owners and executives to get a real time look into what may be hitting their company. For IT administrators, there is a dashboard feature coming soon that will give full local visibility into logs, configurations, connections, and prevention statistics. Each month, the designated executive will receive summary reports so that you understand the tremendous value Axiom brings. When’s the last time your firewall emailed you to let you know it’s doing its job?

One of the benefits of Firewall as a Service is the need for less staff to manage it. Cybersecurity staff members can be costly and hard to find. Cybersecurity jobs are plentiful and employees to fill these roles are increasingly hard to find. Axiom can save businesses thousands of dollars in staff dollars alone. Another benefit is lower TCO or “total cost of ownership”. Because the hardware is included in the monthly subscription, there’s no large outlay of capital. Next generation firewalls can cost hundreds or thousands of dollars depending on throughput. With Axiom, you get the right device for your business at a low monthly subscription you can afford.

Another benefit is the unlimited change requests and support. Our engineers are here 24/7 to assist with whatever changes are needed and any tech support questions about our device or platform.

Call today to see if you qualify for a trial of the Axiom Firewall as a Service. Once you get your first monthly report of all the threats and attacks Axiom is able to prevent, we’re confident you’ll want to keep us in place.

What is a Botnet and Why Should I Care?

What is a Botnet and Why Should I Care?

If you’ve seen the news this week, you’ve no doubt seen articles about a botnet called “Reaper”, “IoT Reaper” or “IoTroop” that is enslaving vulnerable smart devices like wireless routers, security cameras, and DVRs. While botnets are interested to cyber-security professionals, I’m sure the news made many people think “what the heck is a botnet and why do I care about it?”

In a simple explanation, a botnet is an army of internet-connected devices or computers that have been infected by malware and are now under the control of hackers. The malware is designed to infect devices and create an army of devices that can be enlisted to create distributed denial of service (DDoS) attacks like the one last October that took much of the East Coast offline. Botnets also can be used to steal data, send spam emails, or just simply allow a hacker to access the device and the internet connection it uses.

You may also hear the term “zombie” in connection with a botnet and that is simply because the malware lives on the compromised device and often the owner of the device is unaware of the infection of that the device is being used in attacks.

So what is it about this particular “IoT Reaper” botnet that has created such a buzz in the cyber-security industry? The sheer number of devices that are vulnerable, over 378 million, that can be brought into the botnet that has many worried. The hackers behind “IoT Reaper” are currently exploiting at least nine different vulnerabilities across different device manufacturers and appear to be adding to the list of vulnerabilities as they are found. Plus, like the Mirai botnet, “IoT Reaper” is a worm that jumps from one infected device to the next to spread the infection.

So all of that sounds scary, is there anything that can be done to prevent getting your devices enlisted into a “zombie” botnet army? YES!

As always, make sure that you don’t keep default username/password combinations on your internet connected anything. Also, check to see if your smart device manufacturer has released any firmware or security patches to close the vulnerabilities that are being abused by the botnet. Another great way to protect your IoT network is to place firewall protection at your internet connection but it’s also important to make sure that you keep your firewall up-to-date as well because threats are always evolving!

Is Your Cannabis Business Safe from Hackers?

Is Your Cannabis Business Safe from Hackers?

If you’re in the cannabis industry, you would have heard about the cyber-attack earlier this year that brought down MJ Freeway, one of the largest cannabis compliance software systems in the industry.

This should have been a wake-up call for everyone that hackers are targeting the industry for a variety of reasons: profit, notoriety, or political statement.

Despite the seriousness of the MJ Freeway cyber-attack, today we’re still finding many businesses in cannabis are not taking cyber-security seriously, leaving themselves wide open to an attack that could bring their operations to a grinding halt.

If you’re not taking steps to ensure your cyber- and data-security is airtight, here are some real consequences your cannabis dispensary could be facing with a cyber-attack:

Patient and Customer Data

When you accept medical patients and clients, do you store their personal information on your servers or in the mythical, magical cloud?

If you do, then your data is at risk if you do not take steps to ensure your cyber-security and data security strategy is strong and impenetrable by hackers.

These talented hackers can target your systems to steal your customer information, and use it against you by holding it for ransom like they did for HBO or sell it on the Dark Web, or worse, delete it so you cannot recover the information.

There is no worse way to compromise your cannabis business’s integrity than having to tell your customers you’ve lost their data.

The recent Equifax hack demonstrated the value of personal information on the Dark Web. Hackers can relatively easily steal your data to sell to other unscrupulous individuals who will use the information for identity theft.

If you collect data that is regulated under the Health Insurance Portability and Accountability Act (HIPAA) and have a cyber-security breach, you’ll face serious finds from Health & Human Services.

Ransomware is the hot new cyber-crime trend that netted cyber-criminals hundreds of millions in ill-gained profits by encrypting business’ data and holding it for ransom, which puts businesses between a rock and a hard place: Do you pay the cyber-criminals to get your data back or do you start over from scratch?

Point of Sale (POS)

While credit card theft is not a large area of concern for many, there are still vulnerabilities within point-of-sale (POS) that need to be addressed.

POS systems are connected to the internet via servers and need to be protected and separated from the rest of the network to ensure that if a hacker gets into your back-office, they can’t move into your POS network.

There are plenty of examples of the theft of credit card data from POS systems infected by malware (Sonic, Whole Foods) but there also are verified cases where hackers have been able to change product prices for purchases after compromising a POS system. For example, instead of selling a product for $100, a hacker could change the price to $1 before checking out, costing you big money and allowing a hacker to take advantage of you big time.

Grow Operations

Grow Operations are increasingly sophisticated and use complicated internet-connected devices and HVAC systems.  Not taking the time to adequately secure you networks to ensure a hacker can gain access could allow them to gain access to your HVAC and change your room temperature and destroy your crop.

The sad and scary news is, your competitor may be the brains behind hacking your unsecured connections and data. Some companies are hiring hackers to destroy your business through a cyber attack and put you out of business.

The Target data breach was orchestrated when hackers jumped from the building’s unprotected HVAC systems into the company’s network and then into the point-of-sale system. This shows that not only are the HVAC systems vulnerable, but the HVAC system could be a your point of vulnerability that will allow a cyber-criminal access into your entire computer network.

Keep Asking Yourself This Question

Keep asking yourself this question for your cannabis retail operation: “What harm could a hacker do?”.

The answer is a lot and if any of these thoughts keep you up at night, contact Axiom Cyber Solutions or our partner, Hardcar Security, to discuss how you can achieve peace of mind and proper cyber-security protection for your cannabis business.

Axiom Cyber Solutions Nominated for Launching Las Vegas Award

Axiom Cyber Solutions Nominated for Launching Las Vegas Award

For the third year in a row, the Launching Las Vegas award is celebrating Vegas-based startup companies—and voting for the 2017 contest is officially open for public voting. Launching Las Vegas, was created to honor the hard work local startups and entrepreneurs devote to helping Vegas shine as a hub for business.

Axiom Cyber Solutions is honored to have been nominated along with two other Las Vegas start-ups for the third annual award.

“I’m proud to see Launching Las Vegas grow and evolve as our business community diversifies,” says Dr. Samir Pancholi, creator of the award. “I am continually inspired by our local entrepreneurs, and it has been an honor to spotlight and support these stellar businesses over the last few years.”

The winner of the 2017 Launching Las Vegas award will be chosen via an online voting system, Tuesday, October 17, 2017 through Thursday, November 2nd, 2017. Users will be able to vote for their favorite startup company once per day through the duration of the contest.

“Our voters will have a difficult time choosing from our talented group of nominees this year. I encourage everyone to spread the word, vote every day, and help support local business,” emphasizes Dr. Pancholi. “I wish our nominees the best of luck and look forward to continually finding new ways to support and elevate our incredible community.”

Another Day, Another Data Breach – Should We Just Get Used to It?

Another Day, Another Data Breach – Should We Just Get Used to It?

It seems like we can’t go a week without news of a data breach affecting a major company: Target, Home Depot, Yahoo (all 3 Billion account holders), HBO, Equifax (3 times), Deloitte, Sonic, Whole Foods. With the prevalence of personal information being exposed and stolen, people often wonder should we just get used to having our data breached? Should we get used to the fact that cat photos on Facebook are more secure than our social security number?

In short, no! We should never simply accept that the companies are not responsible for the security of the data they collect about us. We should be upset when our data is breached and demand action so that companies begin to take data security seriously. And one of the worst things about data breaches is that nearly all of them end up being far worse than initially reported.

The Equifax hack occurred because the company failed to install a patch for vulnerable systems for over six months after the patch was released. The Security & Exchange Commission (SEC) which ironically issues regulations telling other companies to clean up their technology infrastructure and can fine them for failing to take the necessary cyber-security measures suffered a data breach of its “Fort Knox” system called EDGAR which companies use to file all the important stuff about the business like quarterly earnings, merger & acquisition, IPOs, market news, and more. And Deloitte’s email administrator failed to secure his/her account with two-factor authentication and hackers were able to get in with privileged, unrestricted administrator access and steal millions of email records, many with sensitive information.

With the onslaught of lawsuits and regulatory inquires against Equifax will teach businesses anything, it is that our lawmakers and the people they represent are tired of having their data compromised and soon we can hope there will be real, tangible changes in how businesses consider data security. In its most recent shareholder packages for at least five years, Equifax did not mention data security once as a company priority. This must change and any business that collects personal information must be serious about the protection and should they fail, there must be repercussions because the theft of data can lead to real harm to individuals.

The news of the credit card data breach at Sonic has made many wonder, how are credit cards still getting hacked? The credit cards themselves are fairly secure but when the point-of-sale (POS) system used to process the credit card transaction is compromised, there is little the new chip technology can do to protect the consumer. USA Todayattributes part of the problem to the increase in the use of technology by businesses without the budget and skillset required to secure those new internet-connected POS systems. Companies need to ensure that they not only invest in the new systems but also hire the technical staff or find a trusted partner, like Axiom Cyber Solutions, to ensure that the POS systems are properly protected. Companies that take credit cards need to consider PCI requirements and ask the question, “If I get breached and lose the ability to take credit cards, can my company survive?”

Don’t get used to having your data breached. Demand that businesses protect your data and encourage your lawmakers to consider new legislation that would allow regulation of data security standards and penalties for data breaches.

Forget Everything You Knew about Safe Passwords

Forget Everything You Knew about Safe Passwords

Last month, the father of the 2003 NIST password guidelines said that he got it wrong and the way we are creating passwords to be a completely random string of characters and the frequency we change our passwords is making it harder on all of us but easier for cyber-criminals to crack.

The complexity of the old password guidance led to many bad password habits such as just replacing letters with the equivalent in numbers (‘o’ for zeros, e for threes, etc) and letters for characters (@ for a, $ for s) so that they could more easily be remembered. In fact, it was found that the standard eight-character password with special characters could be cracked faster than a 20-character password without special characters.

The old requirement to change passwords so often also led to many users simply reusing their passwords on multiple sites which again, made things easy for cyber-criminals when there was a breach. There has not been any evidence that your password becomes more hackable because it’s in use for more than 90-days. Plus, when we were forced to change our password too frequently, many times users would just shift one letter in the password which cyber-criminals quickly caught on to.

And believe it or not, a completely random password that does not use words are actually easier for hackers to crack than long, weird words or phrases that you can easily remember.

New guidelines throw everything we’ve been told to the wind like using a mix of upper & lower case letters, the use of special characters, and changing your password frequently. Now the password experts say that we should make our passwords long and memorable. Using a phrase that is unique to you, in conjunction of special characters if you are forced to use them (within the phrase, not within words), will make it harder for hackers and their cracking software to compromise your passwords.

Also, think about the system you are accessing and whether or not it needs a strong, unique password or is it ok to reuse a password for a site that just has your name, email, and password? For instance, do you really mind it if a hacker got access to your online recipe lists?

You might think that the password to your online bank is the most important password but you may be surprised to find that your email and social media passwords may be more sensitive because of the “Forgot Password” feature in systems that would allow a hacker that compromised your email account to reset your online banking access.

But passwords and one-time multi-factor authentication (like a SMS), are not bullet-proof protection as they can be hacked and hijacked. A recent, terrible example of account take-overs has been in the crypto-currency space where hackers are compromising email and mobile telephone accounts and emptying crypto-currency wallets. Users will need to continue to be vigilant and take every precaution to secure their most sensitive accounts.

What You Need to Know about the Equifax Breach

What You Need to Know about the Equifax Breach

Data breaches are bad but the Equifax data breach may be one of the worst. When hackers stole the data on potentially 143 million American consumers from the credit reporting bureau they took everything they needed to unlock the identities of 44% of the American population. And ironically, Equifax was one of the companies that other companies turned to when they were breached. As their website states: “You’ll feel safer with Equifax. We’re the leading provider of data breach services…”

Hackers reportedly used a website vulnerability to steal everything from social security numbers to credit card numbers from May until the breach was discovered on July 29thmeaning the hackers had access for at least two full months. No reason for the delay in informing the public has been given but in some recent large investigations law enforcement has requested companies to wait to disclose the information.

What makes this data breach one of the worst, even though the scale isn’t as large as say Yahoo’s 500 million, is that consumers did not have to directly give their information to Equifax, instead it was provided to them by nearly every bank, credit card, and loan company to make credit decisions. So if you have ever applied for a credit card, loan, or mortgage, your data may have been compromised.

As standard with breaches, Equifax has offered free credit monitoring services for a year if you sign up by November 21st whether your data was accessed or not. But wait, don’t leave and sign up right now! A caveat to signing up for Equifax’s offer of free credit monitoring service from TrustedID, which is also owned by Equifax, is that the terms of service of TrustedID states that if you sign up you cannot partake in any class action lawsuits against the company. And not wasting any time at all, two Oregon residents have filled a lawsuit against Equifax alleging negligence in securing the personal information of consumers.

While a nice gesture and possibly giving Equifax some legal relief as people scramble to sign up for credit monitoring, the data stolen from Equifax can be sold on the DarkWeb for years to come to steal identities. There is no expiration date on information like name, address, date of birth, and social security number… all of which the hackers took. Consumers will need to remain vigilant in checking bank account information and making sure their identities are not stolen for the near and far future. Signing up for a credit monitoring service is definitely a good idea, perhaps not with TrustedID, but as you look, try to find one that doesn’t just look for new account creation. Find a service that monitors open accounts for changes as well as new account creation. You can also look into identity protection insurance services, such as LifeLock, as an additional layer of protection.

As a notable side note: Questions have been raised about the sale of $1.8 Million in stock by three executives of Equifax following discovery of the breach before it was disclosed to the public. The company reports that none of them knew about the breach. That does make one question the cyber-security incident reporting policies of such a large organization.

(AP Photo/Mike Stewart)