United States Considers Making Revenge Hacking Legal

For companies in the midst of a high-profile data breach, hacking back is probably low on the list of priorities. Hacking as an activity isn’t inherently illegal, but there are limits on what is and isn’t permissible. If you forget the password to your own laptop and exploit a vulnerability to get back into it, that is fine. If you do the same to your boss’s laptop and take information from it, that is a crime. Large companies might hire white hat hackers to test their networks and monitor for unusual activity, but those hackers have been tightly limited in what they can legally do. That may be about to change.

Under the proposed legislation, victims of hacking would be legally allowed to take action against those who breached their systems. That could include hacking back into the attacker’s systems, identifying the attacker and even destroying stolen data. The rules would also allow victim companies to deploy beaconing technology to establish the geographical location of the attacker, which would help law enforcement bring those individuals to justice.

The bill has limitations, and companies that choose to hack back would not be free of liability. Most importantly, counter-attacks would only be allowed against computers in the US, which already limits the reach: many cybercriminals route their attacks through compromised systems around the world, which would shield them from a counter-attack and means the machine you hack back may belong to an innocent third party. Companies would also have to notify the FBI’s National Cyber Investigative Joint Task Force before acting, which is intended to ensure national boundaries are respected and that the activity does not interfere with an ongoing investigation. The legislation also comes with a time limit: it would expire after two years, and the United States Department of Justice would have to report to Congress on how it had been used.

Liability is also a key issue. If a counter-attack damaged a third-party system, the company behind it would be liable, provided there is a trail leading back to that company. It is not yet clear how transparent companies’ hacking teams will need to be about their activities.

In the UK, there are currently no plans to work revenge hacking into law, but with ransomware and security breaches on the rise, MPs are under pressure to find a satisfactory solution that will protect businesses, infrastructure and public services from cybercriminals.

9 steps to protect against Ransomware

Security Best Practices

Ransomware attacks start in two main ways: a booby-trapped email with a malicious attachment, or a compromised website that delivers the malware to visitors. Either way, the infection then works its way through to your endpoints and servers. To stop these attacks it’s critical to have protection technology in place at each stage of the attack chain, combined with good user security practices.

Nine best security practices to apply now

Good IT security practices, including regular training for employees, are essential components of every security setup. Make sure you’re following these nine best practices:

Patch early, patch often

The sooner you patch, the fewer holes there are for ransomware to exploit.

Backup regularly and keep a recent backup copy off-line and off-site

Offline and off-site means ransomware running on your network can’t reach the backup to encrypt or delete it. With recent backups, data loss is minimised.

Enable file extensions

Windows hides known file extensions by default, so a file named ‘invoice.pdf.js’ is displayed as ‘invoice.pdf’. Showing extensions makes it much easier to spot file types that wouldn’t commonly be sent to you and your users, such as JavaScript (.js).

Open JavaScript (.JS) files in Notepad

By default Windows runs a double-clicked .js file through the Windows Script Host. Changing the default program for .js files to Notepad means an accidental double-click shows the script’s contents instead of running it, and lets you examine what the file would have done.

Don’t enable macros in document attachments received via email

A lot of infections rely on persuading you to turn macros on, so don’t do it!

Be cautious about unsolicited attachments

If you aren’t sure – don’t open it. Check with the sender if possible.

Don’t have more login power than you need

Admin rights could mean a local infection becomes a network disaster, because ransomware runs with the rights of the user who opened it. Use a standard account for day-to-day work and a separate administrator account only when it is actually needed.

Stay up-to-date with new security features in your business applications

For example, Office 2016 includes a Group Policy setting called “Block macros from running in Office files from the Internet”, which blocks macros in documents that were downloaded or received from the internet without affecting documents created inside your organisation.

Patch early, patch often!

Staying on top of patching is so important that we’ve called it out twice. Don’t let ransomware exploit a vulnerability the vendor has already patched.
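The following script is an added example and is not part of the original article. It applies the Windows-side steps above (show file extensions, open .js files in Notepad, block internet-sourced Office macros) on a single workstation and lists who holds local administrator rights. It assumes an elevated Windows PowerShell 5.1 or later session; the registry paths are the standard Windows and Office locations, and the Office versions 15.0 (2013) and 16.0 (2016) are an assumption about which versions are installed.

```powershell
# Added example, not from the original article. Run from an elevated
# PowerShell session. Office versions 15.0/16.0 are an assumption.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Set-RegistryValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][object]$Value,
        [string]$Type = 'DWord'
    )
    # Create the key if it does not exist yet, then set (or overwrite) the value.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
    Write-Host "[set] $Path\$Name = $Value"
}

# Enable file extensions: Explorer then shows 'invoice.pdf.js' rather than 'invoice.pdf'.
Set-RegistryValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                  -Name 'HideFileExt' -Value 0

# Open JavaScript files in Notepad: a double-clicked .js/.jse file is shown,
# not executed by the Windows Script Host (wscript.exe).
foreach ($progId in 'JSFile', 'JSEFile') {
    Set-RegistryValue -Path "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command" `
                      -Name '(Default)' -Value 'notepad.exe "%1"' -Type 'String'
}

# Block macros in Office files from the internet: this writes the per-user
# policy value behind the 'Block macros from running in Office files from the
# Internet' Group Policy setting for Word, Excel and PowerPoint.
foreach ($version in '15.0', '16.0') {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        Set-RegistryValue -Path "HKCU:\Software\Policies\Microsoft\Office\$version\$app\Security" `
                          -Name 'BlockContentExecutionFromInternet' -Value 1
    }
}

# Don't have more login power than you need: list the local Administrators
# group so accounts used for daily work can be removed from it.
$admins = Get-LocalGroupMember -Group 'Administrators' |
          Select-Object -ExpandProperty Name
Write-Host "Members of local Administrators: $($admins -join ', ')"
Write-Host 'Remove any account that is used for daily work from that list.'
```

Two caveats when using this. The HKCU values apply only to the account the script runs as, so for a fleet push the same values out through Group Policy rather than running the script per machine. The .js association written under HKLM is also overridden by any per-user choice a user has already made for .js in Explorer (the UserChoice entry under the user's FileExts key), so check that too on machines where a user has previously picked a program for script files.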


If you’d like to learn more about how to protect your business against ransomware or any other malware, phishing or cyber-threat, get in touch with us today.

Connected Printers Could Pose Internet Security Risk

Almost every office environment will have a connected printer. While this might bring increased productivity and efficiency to the workplace, it also presents a serious security risk. Hackers are increasingly exploiting the vulnerabilities of the humble office printer in order to launch attacks on businesses. Printers handle so much sensitive data on a daily basis. Think about the things that your company will print day-to-day. From sensitive customer information to financial statements – most of us will hit print without a second thought.

For the past year, security experts have been warning about the dangers posed by the Internet of Things. Letting our devices quietly chatter away to each other in the background might seem like a great idea if you want to automate things like heating and lighting, but left unchecked, these devices can provide a backdoor into your sensitive information. This is something that hackers and security experts are all too aware of.

While many businesses take steps to ensure their network is secure, according to one survey only 25% of businesses surveyed confirmed that printer network security was a priority. Fortunately, printer manufacturers are stepping in to help raise awareness and stop the problem at the root. HP’s latest generation of enterprise printers, for example, is embedded with a range of security options: the printers can detect tampering with their firmware and self-heal, so they keep running without downtime to deal with an attack. Whatever the make, the basics still apply: change the default administrator password, disable services you don’t use (such as Telnet and FTP), keep the firmware current, and keep printers off the internet and ideally on their own network segment away from user workstations.

The threats facing businesses are continually evolving, which is why it’s important to stay one step ahead of those who would seek to damage your business. Regular and comprehensive security assessments should be a key priority in any business. Small businesses are often guilty of assuming they are too small to be a target, but it is weak security, not the size of an organisation, that makes a target. In the UK, the average cost of a security breach is £3,000, which can be crippling for a small company.

If your company is in need of some IT security advice, why not get in touch with the team here at BCN. We can talk you through our services in plain English and help you make a decision that is right for you and your business.


Best Practice for Creating and Enforcing a Password Policy

No matter how complex and thorough your company IT security is, human users will always find a way to work around protections. If you don’t have a password policy in place, it’s difficult to ensure that your employees are making smart choices. One of the biggest problems is password strength, with the majority of employees choosing easy-to-guess passwords and using the same password for everything. Equifax recently hit the headlines when it was revealed that a database could be accessed using the username and password ‘admin’. Although it’s easy to joke about such cases, they are no different from an employee using their first name followed by the year and assuming that is sufficient. If you want to keep your company secure, creating a password policy and enforcing it is essential.

Creating and Enforcing Password Policy

Decide what is secure

Although the conventional wisdom is that passwords need to be more than 8 characters and include a mixture of lowercase, uppercase, numbers and special characters, this often leads users into the trap of thinking ‘Pa$$word123’ is a strong password. It isn’t: it is a dictionary word with predictable character substitutions and a predictable numeric suffix, and password-cracking tools try exactly those patterns first. Before creating a company-wide password policy, make sure you know what a secure password looks like. You can try this quiz to test your knowledge of password strength.

Update passwords frequently

In addition to guidelines on password length, your password policy may set a limit on how long employees can keep the same password. Changing passwords too frequently can be just as problematic as never changing them: employees will be tempted to make a trivial change or switch back and forth between two passwords just to satisfy the policy. Current NIST guidance (SP 800-63B) goes further and recommends not forcing routine changes at all, instead requiring a change when there is evidence the password has been compromised. If you do set an expiry, keep it long and pair it with a check against lists of known-breached passwords.

Decide if password managers are allowed

Some companies swear by password managers as the best way to enforce a password policy. There are many benefits, but there is also the risk that every system an employee uses could be compromised if their password manager is breached. If you do allow password managers, insist that the master password is long and unique, that multi-factor authentication is enabled on the manager, and that the master password is changed immediately if there is any suspicion it has been exposed.

Don’t write passwords down

If your password policy is leading employees to write down long and complicated passwords, it’s time to re-think. Employees need to understand that writing down their passwords breaches the policy. Passwords should be long, but they should also be memorable. For example, a passphrase built from a sentence, such as ‘y3sterd4yicl!mb3dATr33’, is both very strong (its strength comes mostly from its length) and far more memorable than a random string of letters, numbers and punctuation.
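The following script is an added example and is not part of the original article. It shows how to turn the guidance above (reject ‘Pa$$word123’-style passwords and name-plus-year passwords, favour long passphrases) into an automated check of the kind you might run when onboarding users or reviewing a password reset. It normalises common character substitutions, strips a trailing year or number, and compares the result against a banned-word list and the user’s own name. The banned-word list and the user names are constructed for this example; in practice the list should be a file of known-breached passwords.

```powershell
# Added example, not from the original article. Banned words and user names
# below are constructed for the demonstration.
Set-StrictMode -Version Latest

# Substitutions people use to "strengthen" a dictionary word.
$script:Leet = @{
    '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i'; '|' = 'l'
    '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't'; '+' = 't'
}

# Constructed stand-in for a breached-password list.
$script:BannedWords = @('password', 'welcome', 'letmein', 'qwerty', 'admin', 'summer', 'winter')

function ConvertTo-BaseWord {
    # Lower-case, drop a trailing run of digits/punctuation, undo leet
    # substitutions, then drop trailing digits again: "Pa$$word123!" -> "password".
    param([Parameter(Mandatory)][string]$Password)
    $trimmed = $Password.ToLowerInvariant() -replace '[\d\W_]+$', ''
    $chars = $trimmed.ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($script:Leet.ContainsKey($c)) { $script:Leet[$c] } else { $c }
    }
    return ((-join $chars) -replace '[\d\W_]+$', '')
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',
        [int]$MinimumLength = 14   # passphrase-length minimum; an assumption for this example
    )
    $problems = @()
    if ($Password.Length -lt $MinimumLength) {
        $problems += "shorter than $MinimumLength characters"
    }
    $base = ConvertTo-BaseWord -Password $Password
    foreach ($word in $script:BannedWords) {
        if ($base -eq $word) {
            $problems += "is the banned word '$word' with substitutions"
        } elseif ($base.StartsWith($word)) {
            $problems += "starts with the banned word '$word'"
        }
    }
    if ($UserName -and ($base -like "*$($UserName.ToLowerInvariant())*")) {
        $problems += 'contains the user name'
    }
    if ($Password -match '(19|20)\d{2}$') {
        $problems += 'ends with a year'
    }
    [pscustomobject]@{
        Password = $Password
        Accepted = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Demonstration on constructed inputs: the first two are rejected, the
# passphrase from the article is accepted.
foreach ($case in @(
    @{ Password = 'Pa$$word123';            UserName = 'jsmith' },
    @{ Password = 'James2017';              UserName = 'james'  },
    @{ Password = 'y3sterd4yicl!mb3dATr33'; UserName = 'jsmith' }
)) {
    $r = Test-PasswordPolicy @case
    $status = if ($r.Accepted) { 'OK    ' } else { 'REJECT' }
    Write-Host "$status $($r.Password): $($r.Problems -join '; ')"
}
```

The normalisation step is the point of the example: a policy that only counts character classes accepts ‘Pa$$word123’, while this check sees through the substitutions and rejects it, and it accepts the long passphrase even though that passphrase also uses substitutions, because its strength comes from its length rather than from disguising a banned word.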

If you need help with your IT security, get in touch with our team today on 0345 095 7000 to discuss your needs.