
August 2020

Security issues you need to be aware of before considering VoIP
By Jim Carroll

Times used to be simpler when phone lines were just that, but today there are more and more companies moving to the more complicated VoIP (Voice over Internet Protocol) system for their phone lines. This is in part due to advances in technology, but also partly enforced by telecoms companies like Spark suggesting they won’t support the legacy phone lines in future.

While VoIP can work well in the right circumstances due to potential cost, flexibility and number portability advantages – you do need good IT support. In circumstances which aren’t optimal it can end up being more expensive, more complicated and come with a range of security issues which need to be well thought out. Let’s take a look at the four main security issues below.

Denial of Service (DoS)

Hackers can use automatic phone dialler software which rapidly calls you and then hangs up. This is called a DoS attack, and it keeps your line busy so you cannot accept or make calls. Attacks like this can severely impact any business's ability to communicate and can be extremely difficult to stop.

A very recent example is the attack on the New Zealand Exchange (NZX) which shows how vulnerable businesses can be. One way to help protect your communication infrastructure is by using Session Border Controllers (SBCs) which act like a VoIP firewall. This protects your network by using a secure connection between you and your service provider and gives you more control over your VoIP calls and voice traffic.

The man-in-the-middle attack (MitM)

This is where someone can easily listen, divert or even hijack selected VoIP calls by putting themselves “in the middle” of the VoIP signalling path. This can happen when weak or no encryption mechanism is used on wireless access points, allowing unwanted users to join your network just by being nearby.

This can be one of the most serious threats, especially for those in industries where discussing private information is of the utmost importance, such as in legal or health sectors. Encryption and authentication protocols such as the TLS (Transport Layer Security) protocol can help with this.

Poor security protocols and passwords

Without good security protocols and strong passwords, system and user credentials are vulnerable to theft – making it easy to hack into online VoIP systems or phone hardware. This can lead to many issues, two of which include:

• Phreaking – a type of hack which steals a service from a service provider while passing the cost along to another person. Commonly this is when your VoIP account is hacked and someone uses it to make calls which you pay for.
• Vishing – where a legitimate number is hacked and then used by a party to call you, pretending to be from a trustworthy organisation such as your bank and asking for confidential or critical information.

To prevent this, make sure you use two-factor authentication where possible to access your online systems, never use your VoIP phone number or extension as the voicemail password (common defaults), and always change the default admin passwords on web-based phone hardware.

Caller ID Spoofing

Most VoIP providers will only allow you to use the caller ID of the lines you own, but some allow any number to be presented on their network, which can cause problems. It is most commonly used where a business doesn’t present their main number but might instead present a toll-free number or their main number for customer callbacks.

However, this means it can also be used to emulate another party or business with the intent to defraud, cause harm or wrongfully obtain something of value. This makes it important to have a mechanism in place which only displays numbers which have been authenticated.

Final Word

VoIP can be great in the right circumstances but people often jump in without considering the extra complications and security issues which don’t exist with a traditional phone line.

It’s best to go into VoIP with your eyes open and be aware of the risks, then you can use it effectively for your needs. If you’d like help setting up VoIP or improving the security of your existing setup then contact your nearest IT Alliance member.

June 2020

The simple why and how of passwords for Kiwi SMEs.

Small to medium-sized kiwi businesses are increasingly being targeted by unscrupulous hackers and cyber-criminals, which often leads to the loss of confidential data and intellectual property and can result in considerable business disruption. Poor password security is one of the key methods these cyber-criminals use to gain access to your systems. We want to highlight some of the fundamental threats you’re facing and guide you through implementing a strong password policy for your business.

Why kiwi SMEs are vulnerable

According to the 2020 Data Breach Investigations Report, over 80% of breaches within hacking involve brute force or the use of lost or stolen credentials. You can see the full report here. The problem is the vast number of people still using weak or compromised passwords, leaving kiwi SMEs vulnerable.

Why are smaller organisations being targeted these days? Cyber-criminals are not just after big corporations with substantial funds. They are looking for the easiest hack which means focusing on smaller, easier targets is often the strategy. Sometimes smaller enterprises can be identified as not having strict policies in place across all aspects of the business. Larger corporations have entire teams working on policy and procedure or dedicated IT teams consistently managing potential threats. As a Managed Service Provider, we want to help make sure you’re just as covered as these larger businesses. We suggest you establish and implement a strong password policy that employees can refer to.

Password checklist

So, we all know we’re supposed to use “strong” passwords, but what does that mean? We’ve come up with the simple acronym ‘CLOUDS’ to help you remember the most important things to think about when creating passwords:

Characters – Use at least one of each of: lower case, upper case, number and a symbol (e.g. #) or a space.
Length – A minimum of 8 characters and ideally 10.
Obvious – Ensure your password is NOT obvious like a birthday or your family and pet names. Hackers can find these details through things like social media.
Unique – Think of something new each time. Do not use a slightly altered version of old passwords. Your old passwords may have been hacked from a website and sold on the dark web.
Different – make sure you use different passwords for different accounts.
Set – The most basic rule; set your own passwords. Leaving the default set up by your IT support is unsafe. You’d be surprised at the huge number of passwords that are simply not set at all.
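
As an added illustration (not part of the original article), the checklist can be turned into a small Python check that runs locally at the moment a password is chosen. The function name, the 0.7 similarity cut-off for "slightly altered" and all sample values are assumptions made for this example.

```python
import difflib
import re

MIN_LENGTH = 8          # "Length": the checklist minimum
SIMILARITY_LIMIT = 0.7  # assumed cut-off for "slightly altered" (not from the article)
_LEET = str.maketrans("@0134$5!7", "aoieassit")  # common look-alike substitutions


def _normalise(text):
    """Lower-case and undo look-alike swaps so 'R3x' is compared as 'rex'."""
    return text.lower().translate(_LEET)


def clouds_check(candidate, personal_details=(), old_passwords=(),
                 other_account_passwords=(), known_defaults=()):
    """Return the CLOUDS items the candidate fails; an empty list is a pass."""
    failures = []
    norm = _normalise(candidate)

    # Characters: lower case, upper case, number, and a symbol or a space.
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, candidate) for c in classes):
        failures.append("Characters")
    # Length: at least the checklist minimum.
    if len(candidate) < MIN_LENGTH:
        failures.append("Length")
    # Obvious: contains a birthday, family or pet name, even when disguised.
    if any(len(d) >= 3 and _normalise(d) in norm for d in personal_details):
        failures.append("Obvious")
    # Unique: not a lightly edited version of an old password.
    if any(difflib.SequenceMatcher(None, norm, _normalise(old)).ratio()
           >= SIMILARITY_LIMIT for old in old_passwords):
        failures.append("Unique")
    # Different: not already in use on another account.
    if candidate in other_account_passwords:
        failures.append("Different")
    # Set: not blank and not a default handed out at setup.
    if not candidate or candidate in known_defaults:
        failures.append("Set")
    return failures


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(clouds_check("Summer2020!", old_passwords=["Summer2019!"]))
    print(clouds_check("R3x!isGreat9", personal_details=["Rex"]))
```

The old and other-account passwords are compared in memory only; a check like this belongs in the tool where the password is created, not in a stored list of plain-text passwords.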

Remembering your new passwords

Your intentions are good when coming up with the most uncrackable of passwords but now you find yourself continuously hitting the ‘forgot my password’ button and going through the tedious and time-consuming process of a reset. It sounds all too familiar doesn’t it?

We’re moving towards a world where thumb prints and facial recognition technology will alleviate the need to remember a collection of passwords but until we reach that point, we need a reliable solution to remember our passwords. Considering a password manager program is a good option. This gives you the option to store all your passwords in one place and when you’re signed in, they can quickly populate your details when logging into various platforms. There are numerous safe and reliable password managers so ask your local ITA member which one they suggest to suit your needs.

Alternatively, some people use encrypted documents, for example, password-protected Excel or Word documents, while others use the ‘remember password’ facility of their web browser. If you use your web browser, make sure it encrypts the passwords and remember you need to log off if you share computers or leave it unattended. All of these are good options and can help you move away from physically writing down passwords, which can be risky and affect business continuity if you lose access to the physical copy.

Is it necessary to regularly change my passwords?

Most experts no longer recommend changing your password every six months, as it hasn’t been shown to improve security. However, we do suggest that if you have old passwords you bring them up to date and change these every couple of years. Furthermore, always change your passwords immediately if there are any indications they may have been compromised.

Protecting kiwi SMEs

The best thing you can do is implement a strong password policy for your employees. Have them use the ‘CLOUDS’ checklist when creating passwords and encourage using a password manager. Make it part of your policy that passwords are updated when an employee moves on to ensure your systems remain secure.

The trick to having strong passwords that pass the ‘CLOUDS’ test is NOT having to remember them. Use one of the techniques above to do the heavy-duty remembering for you. Copy and paste as required. Just remember your login password and your password manager password – don’t write those down anywhere!

Recent growth in remote work locally here in Central Otago, as well as across New Zealand and around the world, has seen an increase in the number of these cyber-attacks and has left businesses vulnerable. Across the ITA we continue to see heightened targeting of clients, which is why it’s critical to review or implement your password policy immediately. If you have any concerns in this area or want to find out more about keeping your business protected and secure, contact us or your local ITA member.

IT Centre is a founding member of the NZ-wide IT Alliance – www.ita.co.nz


May 2020

Why back up your Microsoft 365 data

It’s fair to say that within the Central Otago business community, COVID-19 has really pushed our business into the cloud. Whilst Microsoft provides powerful services within Microsoft 365, it is important to note that comprehensive backup of your Microsoft 365 data is not one of them. Of over 1,000 IT Pros surveyed, 81% experienced data loss.[i] This can be from simple user error to major data security threats like ransomware. The misconception that Microsoft fully backs up your data on your behalf is common and could result in damaging repercussions which is why it’s important to know what areas you are responsible for.

Don’t assume your data is backed up

Have you thought about how your Microsoft data is backed up? “The scary reality is that even though sensitive cloud data is stored in Office documents, an estimated 76% is not being backed up[ii]. In fact, IDC states that 6 out of every 10 organisations still don’t have any form of Office 365 data protection[iii].” Microsoft’s core focus is on infrastructure and maintaining uptime to users but when it comes to data protection, this lies with you.

How might this hurt Central Otago business?

Users accidentally deleting files is all too common. If a file or email is accidentally deleted, Microsoft makes this recoverable for a short period of time. If you go looking for something a few months down the track and realise it may have been accidentally deleted, you’re unlikely to recover this. If you do not have your own automatic backup and the recoverable period has passed, your file will be permanently deleted.

An even greater threat is that, if you are made vulnerable by hackers or viruses, your data is again at risk of being lost. Malware and viruses can do serious damage to your business. Not only is your company reputation at risk, but the privacy and security of internal and customer data as well. External threats can find their way in through emails and attachments and you can’t control users accidentally opening these. Having a reliable antivirus is essential, but having a backup is critical in the case of a serious breach. Regular or automated backups will help ensure a separate copy of your data is uninfected and that you can recover documents or emails quickly with limited downtime.

What does shared responsibility really mean?

Microsoft runs under a shared responsibility model. But what does that really mean? Microsoft data backup will protect you from events such as natural disasters that affect their data centres, hardware or software failures on their part, power outages, operating system errors, etc. Their key focus is on availability and uptime, not your data. This means you are responsible for your Microsoft 365 data including email, OneDrive and SharePoint. It is your responsibility to ensure your data is protected from human error, malicious activity, misconfigured workflows, hackers, and viruses. Basically, Microsoft will ensure availability and access but your job is to protect your data with reliable backup systems and multifactor authentication.

A simple solution to protect you

The solution really can be so simple, cost-effective and provide you with ultimate peace of mind. You’ll need to set up a backup solution via a third-party system. With more company data being stored in cloud platforms like OneDrive and SharePoint, this data is no longer covered by a business’s local backup systems as it was when data was located on a file server. It is essential when moving to cloud-based storage systems, and when investing considerable amounts in the cloud system setup, to have an automated backup.

Having a backup of your Microsoft 365 data mitigates the risk of losing access to important emails, documents and files for all your users. It is critical and will fill the gap between long-term retention and data protection. We can help in getting this set up for you. You can send us a quick email here or you can give us a ring. We would be more than happy to chat this through with you in plain English.


References:
[i] Veeam customer survey, September 2019 3 IDC: Why a Backup Strategy for Microsoft Office 365 is Essential, 2019
[ii] Veeam customer survey, September 2019 3 IDC: Why a Backup Strategy for Microsoft Office 365 is Essential, 2019
[iii] Veeam customer survey, September 2019 3 IDC: Why a Backup Strategy for Microsoft Office 365 is Essential, 2019