Following is a list of our current baseline cybersecurity recommendations.
Your organization may need additional protection depending on your industry’s regulations, such as HIPAA, PCI-DSS, SOX, GLBA, or ITAR. Initial consultation is complimentary.
Asset Accountability
All digital devices and services in your organization should be inventoried and assigned to a responsible staff member or contractor. Never assume accountability; always verify it.
Aggressive Password Protocols
Weak passwords are among the most frequently exploited attack vectors. We recommend implementing enforceable, server-based password policies tailored to your company’s operations and compliance requirements.
Colorado Breach Notification Laws
We recommend staying apprised of breach reporting laws in your state. Colorado revised statutes for breach notification can be found here:
Colorado Attorney General FAQ page:
Computers Left On and Awake Overnight
Computers must be left on and awake (not in sleep mode) overnight so that they receive the latest security updates. Computers that miss updates remain exposed to known vulnerabilities and can be compromised, leading to a breach in your organization.
Cyber Security Awareness Training
An employee clicking on a phishing e-mail or downloading an infected file or malicious application is the number one way cybercriminals gain access to systems. Continuous training of your employees, including phishing simulations, is one of the most important protections you can put in place.
Dark Web Monitoring
Small and medium-sized businesses are just as vulnerable to cybercrime as large companies. We recommend monitoring cybercrime web sites and data dumps for your organization’s specific credentials (e-mail addresses, passwords, etc.). Once your information is detected, you will be notified so you can change the affected password(s).
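Credential monitoring raises an obvious question: how do you check whether a password has appeared in a breach dump without handing the password itself to a third party? The following is an added example, not part of these recommendations, showing the k-anonymity pattern in Python. It assumes the range-query format used by the Have I Been Pwned "Pwned Passwords" API, in which the client sends only the first 5 hex characters of the password's SHA-1 hash and the service returns every matching 35-character suffix with a breach count. The network call is replaced by a fetcher built from a small constructed corpus, so the script runs offline; `CONSTRUCTED_LEAKS`, `constructed_fetch_range` and the sample accounts are all made up for the example.

```python
"""Check whether a password appears in a breach corpus without ever sending
the password, or its full hash, off-site (k-anonymity range query).

Added example, not part of the original recommendations. The corpus and the
fetcher below are constructed stand-ins for a real range-query service.
"""
import hashlib

# Constructed "leaked" corpus for the example: password -> times seen in breaches.
CONSTRUCTED_LEAKS = {"letmein": 98, "Summer2023!": 12}


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex (the service's canonical form)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): only the 5-character prefix leaves the organization."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def constructed_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS range query, answering from the constructed corpus.

    Like the real service it receives only a 5-character prefix, so it cannot
    learn which password is being checked.
    """
    assert len(prefix) == 5, "a range query carries only the 5-character hash prefix"
    lines = []
    for pwd, count in CONSTRUCTED_LEAKS.items():
        digest = sha1_hex_upper(pwd)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Real responses also contain unrelated suffixes; add one constructed filler line.
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines) + "\r\n"


def breach_count(password: str, fetch_range=constructed_fetch_range) -> int:
    """Number of times the password was seen in breaches; 0 if it is not listed."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def flag_weak_credentials(credentials: dict[str, str],
                          fetch_range=constructed_fetch_range) -> dict[str, int]:
    """Map each account whose password is known-breached to its breach count."""
    return {user: n for user, pwd in credentials.items()
            if (n := breach_count(pwd, fetch_range)) > 0}


if __name__ == "__main__":
    sample = {"alice": "letmein", "bob": "correct-horse-battery-staple-42"}  # constructed
    print(flag_weak_credentials(sample))  # {'alice': 98}
```

To use this against a live service, replace `constructed_fetch_range` with a function that performs the HTTPS request for the prefix and returns the response body; the rest of the logic, including the guarantee that only five hex characters leave your network, stays the same.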
Data Breach and Cyber Attack Response Plan
Even the most methodical plans for preventing security incidents can fail. We recommend the creation and maintenance of a cyber response plan customized for your organization with the goal of minimizing the damages, downtime, and financial losses for your organization.
Disaster Recovery Plan
If your office, along with computers and data, were to be seriously damaged or destroyed, how much downtime could your company tolerate? What about the disappearance of data stored in the cloud? We recommend the creation and maintenance of a disaster recovery plan for your company which is in line with your recovery time objectives.
DNS Hijacking Protection
DNS hijacking is a compromise in which attackers tamper with DNS resolution so that requests for legitimate web sites are redirected to servers they control. Your internal DNS servers must be hardened against such tampering.
Domain Squatting Protection
Domain squatting, also known as cybersquatting, is registering and using an Internet domain in bad faith with intent to profit from an established trade name belonging to someone else. Technical Framework leverages tools to search for rogue domains similar to yours or that incorporate your trade name. We then work with the proper authorities to shut down the rogue domains.
Email DNS Security
We recommend that the domain which handles your email be configured with both DMARC and SPF.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that is designed to give email domain owners the ability to protect their domain from unauthorized use (known as email spoofing). The purpose of implementing DMARC is to protect a domain from being exploited in business email compromise attacks, phishing emails, email scams, and other cyber threat activities.
Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of an email. The SPF record specifies which mail servers are allowed to send email from your domain. It helps ensure that someone cannot set up an email server and send mail as your domain unless you have authorized them to do so in your DNS records.
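Publishing SPF and DMARC records is only half the job; a record with a permissive "all" qualifier or a DMARC policy of `p=none` leaves the domain just as spoofable. The following is an added example, not part of these recommendations, of a small Python linter that parses both record types and reports the weak settings a practitioner would look for. The domains and records in `SAMPLE_RECORDS` are constructed for the example; in practice you would look up the TXT record for your domain (SPF) and for `_dmarc.<your domain>` (DMARC) and pass them in.

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example, not part of the original recommendations. The records below
are constructed; real checks read the TXT records from DNS.
"""

# Constructed sample records keyed by made-up domain names: (SPF, DMARC).
SAMPLE_RECORDS = {
    "weak.example": (
        "v=spf1 a mx include:_spf.mailer.example ?all",
        "v=DMARC1; p=none",
    ),
    "hardened.example": (
        "v=spf1 include:_spf.mailer.example -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@hardened.example; adkim=s; aspf=s",
    ),
    "unprotected.example": ("", ""),  # no records published at all
}

# SPF terms that each cost a DNS lookup; RFC 7208 section 4.6.4 limits these to 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt: str) -> dict:
    """Return {'valid', 'all', 'lookups'}; 'all' is the qualifier (+ - ~ ?) or None."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "lookups": 0}
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip any ':' argument, '=' modifier value, or '/' CIDR length.
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"valid": True, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(txt: str) -> list[str]:
    parsed = parse_spf(txt)
    if not parsed["valid"]:
        return ["SPF: no record, or record does not start with v=spf1"]
    findings = []
    if parsed["all"] is None:
        findings.append("SPF: no 'all' term, so unlisted senders get a neutral result")
    elif parsed["all"] == "+":
        findings.append("SPF: '+all' authorizes every host on the Internet to send as this domain")
    elif parsed["all"] == "?":
        findings.append("SPF: '?all' is neutral and gives receivers no reason to reject forgeries")
    if parsed["lookups"] > 10:
        findings.append(f"SPF: {parsed['lookups']} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def dmarc_findings(txt: str) -> list[str]:
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no record, or record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p=' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings


def check_domain(spf_txt: str, dmarc_txt: str) -> list[str]:
    """All findings for a domain; an empty list means nothing to fix."""
    return spf_findings(spf_txt) + dmarc_findings(dmarc_txt)


if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(domain, check_domain(spf, dmarc) or ["OK"])
```

The hardened record in the sample is the shape to aim for: an SPF record ending in `-all`, and a DMARC record with `p=reject` and an `rua=` address so you actually see who is sending as your domain. Moving from `p=none` to `p=reject` is normally done in stages after reviewing the aggregate reports.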
E-mail Security and Confidentiality
Your employees have access to a wide variety of confidential and important electronic information. Phishing e-mail messages are often used to trick recipients into sharing sensitive information – senders often pose as a legitimate business or trusted contacts. We recommend filtering links and attachments in inbound email and using encrypted email for the transfer of sensitive information.
Full Disk Encryption
Thousands of computers are lost or stolen in the USA every week. Without full disk encryption, the thief can easily access the data on your drive by bypassing your Windows or Mac login prompt at startup. We recommend full disk encryption for all PCs and Macs, especially laptops.
Geo IP Filtering
Geo IP filtering, a.k.a. geo fencing or geo blocking, is a firewall setting that blocks traffic from selected countries based on the IP address of origin. Determined attackers can circumvent it, but it nonetheless blocks a significant number of “casual” hacking attempts.
IoT Security
IoT, short for “Internet of Things”, is the global network of connected smart devices such as cameras and smart TVs. IoT security is concerned with protecting such devices, as each one is a potential vulnerability and entry point into the network. Technical Framework provides IoT device discovery and security services.
Least Privilege
Always use and assign accounts with the least privilege required to accomplish the task. Never log in as an administrative-level or root-level user unless your work requires it.
Mobile Device Security Policy
Mobile devices should be backed up regularly, encrypted, and be equipped with remote wipe capabilities in case of device loss or theft. It is also vital that your organization has an acceptable device use policy, especially if you allow BYOD (Bring Your Own Device).
Multi-Factor Authentication
Multi-factor authentication (MFA) is an authentication process in which a user must present two or more independent factors, such as a password plus a one-time code from a phone app or hardware token, before being granted access to a secure environment. We insist that our clients use two-factor authentication for their e-mail and other sensitive services.
Network Firewall
The absence of a well-maintained, continuously updated network firewall is analogous to leaving the front door of your office wide open, not to mention allowing your end-users to roam any website on the Internet with impunity. We recommend the implementation and maintenance of a business-class firewall appliance as part of your overall cybersecurity strategy.
Password Manager & Digital Vault
We recommend storing all sensitive information such as Social Security numbers, credit card numbers, passwords, etc., in a password manager rather than in standard applications such as spreadsheets or notes.
Proactive Monitoring, Advanced Endpoint Security, Patching
An endpoint can be a desktop PC/Mac, server, laptop, smartphone, tablet, thin client, or other specialized hardware such as POS terminals and smart meters. We recommend actively monitoring such devices for security risks and keeping their malware protection and security patches up to date.
Quarterly Technology Reviews
Information Technology progresses at breakneck speeds. Quarterly reviews of system status, budgets, necessary adjustments, and emerging technologies are necessary to keep pace.
Gapped Backups
One of the reasons the WannaCry ransomware was so devastating is that it was designed to locate, corrupt, and lock backup files. This is why we recommend that our clients use properly gapped backups. A gapped backup is one that is disconnected from your network and thus cannot be reached by ransomware running on it.
Removal of Personal Information from Data Brokers
Data brokers sell your personal data on the Internet, which can lead to a compromise that spreads throughout your organization. Use services such as Optery to discover and remove your personal data from data brokering websites.
Role-Based Access Control
Role-based access control (RBAC) is the practice of assigning system access to users based on their roles within an organization. We recommend creating and assigning only the minimum privileges required for each of your team members in order to minimize both accidental and malicious actions.
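The least-privilege and role-based access recommendations above come down to two checks: an authorization decision that denies anything a user's roles do not explicitly grant, and a periodic audit that finds accounts holding standing privileges no role justifies (typically left over from an earlier job). The following is an added example in Python, not part of these recommendations; the roles, permissions and accounts in `ROLE_PERMISSIONS` and `SAMPLE_ACCOUNTS` are constructed for the example, and in practice the role table is your written policy while the observed grants come from an export of your directory or application permissions.

```python
"""Least-privilege checks for role-based access: deny by default, and flag
standing grants that no assigned role justifies.

Added example, not part of the original recommendations. Roles, permissions
and accounts are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed policy: each role carries only what its duties require.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "accounting": {"invoice:read", "invoice:write", "payroll:read"},
    "it_admin": {"ticket:read", "ticket:write", "user:reset_password",
                 "user:create", "server:admin"},
}


@dataclass
class Account:
    name: str
    roles: set[str]
    # What the system currently allows this account, taken from a permissions export.
    observed_grants: set[str] = field(default_factory=set)


def role_permissions(roles: set[str]) -> set[str]:
    """Union of the permissions the policy assigns to these roles; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def is_allowed(account: Account, permission: str) -> bool:
    """Authorization decision: allowed only if some assigned role carries the permission."""
    return permission in role_permissions(account.roles)


def excess_grants(account: Account) -> set[str]:
    """Grants the account actually holds that none of its roles justify."""
    return account.observed_grants - role_permissions(account.roles)


def unknown_roles(account: Account) -> set[str]:
    """Roles assigned to the account that the policy does not define (a data-quality flag)."""
    return {r for r in account.roles if r not in ROLE_PERMISSIONS}


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Accounts holding privilege beyond their roles, mapped to the sorted excess grants."""
    report = {}
    for acct in accounts:
        excess = excess_grants(acct)
        if excess:
            report[acct.name] = sorted(excess)
    return report


# Constructed accounts; "dana" kept a server:admin grant from a previous role.
SAMPLE_ACCOUNTS = [
    Account("ana", {"helpdesk"}, {"ticket:read", "ticket:write", "user:reset_password"}),
    Account("dana", {"accounting"}, {"invoice:read", "invoice:write", "payroll:read", "server:admin"}),
    Account("sam", {"it_admin"}, {"server:admin", "user:create"}),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNTS))  # {'dana': ['server:admin']}
```

Running the audit on a schedule, and removing whatever it reports, is what keeps "minimum privileges" true over time rather than only on the day an account is created.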
Secure Hardware Disposal
Recycling equipment with stored data can result in a cybersecurity disaster. We recommend a process by which all data storage components such as hard drives, data cards, flash storage, etc., are uninstalled and either physically or electronically shredded prior to recycling equipment.
Secure Remote Access
Remote access to the workplace should be allowed only by way of an encrypted VPN (virtual private network). IPsec and SSL VPN technologies are common and are included in gateway security devices from top vendors such as SonicWall, Fortinet, Sophos, and WatchGuard.
Security Risk Assessments
We recommend conducting an IT risk assessment annually or more frequently if needed. The result of the assessment should be a list of security risks prioritized according to severity. Mitigation of the vulnerabilities should be scheduled according to the availability of financial and human resources.
Secure Work-From-Home computing
Your home Wi-Fi should be segmented into trusted and guest networks, with no ability for devices on one to communicate with the other. All IoT and personal devices should be connected to the guest network, and critical corporate devices should be connected to the trusted network. All home devices should be updated with the latest firmware or software frequently. PCs, Macs, tablets, phones, and home servers should have strong virus protection. Disconnect devices from the Internet if they are used only occasionally. Implement security lockdown for digital assistants.
VPN (Virtual Private Networking)
Virtual private network technology protects communication when accessing the Internet over public networks and Wi-Fi, such as in airports and cafes. Among the top providers of VPN services are NordVPN, ExpressVPN, and ProtonVPN. We recommend the use of a VPN on all devices which exchange traffic with the Internet, including for web browsing, email, and document exchange.
Vulnerability Scans & Penetration Testing
A vulnerability scan identifies potential security weaknesses in your IT infrastructure. Penetration testing simulates a cyber attack to confirm or rule out the findings of a vulnerability scan.
Zero-Knowledge Cloud File Sharing Services
With regard to public cloud file sharing, Technical Framework recommends using only reputable, zero-knowledge services. Zero-knowledge means the provider of the file sharing service knows nothing about what you store and cannot read your data. A list of file sharing services which are zero-knowledge by default can be found at https://www.cloudwards.net/best-zero-knowledge-cloud-services/
Google Drive, Dropbox and OneDrive/Sharepoint are not zero-knowledge services by default. However, third-party products such as Boxcryptor can be incorporated to encrypt files before they are uploaded, thereby achieving zero-knowledge security.
Web Content Filtering
Adult content, online gaming, gambling, and file-sharing sites for movies and music are among the top online searches and are “clickbait” hunting grounds for hackers. These are web sites you do NOT want your employees visiting during work hours on company-owned devices. If your employees visit infected web sites, they not only expose you to viruses and hackers but can also expose you to legal hassles.
Windows 7/2008 and PC/Server Upgrade Advisory
Microsoft will cease to provide security updates for Windows 7 on January 14, 2020. As soon as Microsoft stops supporting Windows 7, any computers with the operating system still installed will no longer receive protection from cyberattacks. Of course, if you use your computers for business, you’ll be an even greater target for hackers.
Extended Support Licensing
Extended Support Licensing will allow Windows 7 computers to receive updates for three additional years. If it is impossible for you to upgrade or replace your Windows 7 computers with Windows 10, you will need to purchase Windows 7 Extended Security Updates (ESUs), which, according to Microsoft, cost $50/PC/year for the Windows 7 Professional edition. This price is subject to change and the licenses are subject to availability. Licensing costs will increase annually. Technical Framework will assess a procurement labor cost on the licensing purchase based on time spent.
Should I replace or upgrade?
If your computer is close to, or more than, four years old, we recommend replacing the PC. Note that if upgrading a Windows 7 PC to Windows 10 fails or becomes problematic due to age or hardware health, resulting in replacement of the PC, your cost will include the time incurred for the failed upgrade plus the replacement labor. When making a Windows 7 upgrade request, please advise whether you would like an upgrade attempt on the existing PC or a replacement.