
Following is a list of our current baseline cybersecurity recommendations.

Your organization may need additional protection depending on your industry’s regulations, such as HIPAA, PCI-DSS, SOX, GLBA, or ITAR. Initial consultation is complimentary.

Accountability
All digital devices and services in your organization should be accounted for and managed by a staff member or contractor. Never assume and always verify accountability.
Aggressive Password Protocols
Weak passwords are among the most attacked vectors. We recommend the implementation of enforceable, server-based password policies tailored to your company’s operations and compliance requirements.


Colorado Breach Notification Laws
We recommend staying apprised of breach reporting laws in your state. Colorado revised statutes for breach notification can be found here:

https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716.html

Colorado Attorney General FAQ page:

https://coag.gov/resources/data-protection-laws/

Computers Left On and Awake Overnight
Computers must be left on and awake (not in sleep mode) overnight to obtain the latest security updates. Failure to do so may cause them to be compromised and therefore your organization to suffer a breach.
Cyber Insurance
Also known as cybersecurity insurance. Your policy should be comprehensive. Below are some of the questions on a typical cyber insurance application:

  • Revenue (expected over the 12 months)
  • Does the organization assign a person responsible for information security?
  • Does the organization hold mandatory cybersecurity training with all employees at least annually?
  • Does the organization encrypt all external communications containing sensitive information?
  • Does the organization encrypt sensitive information stored on the cloud?
  • How often does the organization perform backups of business-critical data?
  • How often does the organization apply updates to critical IT-systems and applications (“security patching”)?
  • Do you enforce Multi-Factor Authentication (MFA) for all employees, contractors, and partners on the following?
  • Does the organization have an incident response plan – tested and in effect – setting forth specific action items and responsibilities for relevant parties in the event of a cyber incident or data breach matter?
  • Has the organization filed any claims due to a cyber event in the last five years? If yes, attach loss detail herewith.
  • Has the organization ever been a party to any of the following:
    1. Civil or criminal action or administrative proceeding alleging violation of any federal, state, local or common law?
    2. Is there currently any pending litigation, administrative proceeding or claim against the named applicant, organization and/or any of the prospective insureds?
  • During the last three years, has the organization suffered loss of business income as a result of unscheduled system downtime?
  • During the last three years, has the organization suffered a security breach requiring customer or third-party notification according to state or federal regulations?
  • Does the organization verify vendor/supplier bank accounts before adding to their accounts payable systems?
  • Does the organization authenticate funds transfer requests (e.g. by calling a customer to verify the request at a predetermined phone number)?
  • Does the organization prevent unauthorized employees from initiating wire transfers?
  • Are all internet-accessible systems (e.g. web-, email-servers) segregated from the organization’s trusted network (e.g. within a demilitarized zone (DMZ) or at a third-party service provider)?
  • Do agreements with third-party service providers require levels of security commensurate with the organization’s information security standard?

Cybersecurity Essential Control Checklist:

  • Firewall:
    • Perimeter and internal required
  • Antivirus
  • Backups:
    • Must be encrypted
    • Must have a backup/copy stored off network
    • Periodic testing to restore from backups required (at least annually)
  • Encryption:
    • Encryption at rest for laptops/desktops/mobile devices required
  • Multi-Factor Authentication:
    • Required for:
      • All remote access
      • All privileged access
      • Desktop/laptop login
  • Incident Response Plan:
    • Must be tested
    • Must contemplate response to vendor/3rd party outage, data breach, and/or cyber-attack where applicable
  • Vendor/3rd Party Management:
    • Vendor/3rd party vetting process which contemplates the following:
      • Cyber security maturity of vendors against an accepted applicable cyber security standard (e.g. ISO 27001/2, NIST CSF, HIPAA, etc.)
      • Criticality of systems, products, and services provided by the vendor/3rd party to operations
    • Vendor/3rd party incident response planning which contemplates the following:
      • Vendor’s RTO (recovery time objective) for provided systems, products, and services the insured relies on for operation following a cyber security incident
      • Communication and notification timeframes, responsibilities, and process in the event of vendor/3rd party outage, data breach, and/or cyber-attack where applicable
  • Training:
    • Must have cyber security training for employees at least annually
    • For applicable employees, must have data privacy training at least annually
  • Vulnerability Scanning & Patch Management:
    • Mean Time to Patch (MTTP) for critical patches of at most 30 days required
  • If SCADA/OT in use:
    • SCADA/OT systems and applications must be segmented from systems and applications unrelated to those operations (i.e. segment the network by business function)
    • SCADA/OT systems and applications reliant on EOL (end-of-life) or legacy hardware/software must be segmented from non-EOL/legacy systems and applications
  • If software/application provider/developer:
    • Must have a process to track use of 3rd party components in software which contemplates response to vulnerabilities/bugs in those components
    • Must have a product incident response process in place to respond to vulnerabilities and/or security issues discovered in their products both during the development process and after production release
    • Vetting process for tools used in the development lifecycle
    • Must perform product security testing, which may include:
      • Penetration testing of products
      • Static Analysis Security Testing
      • Dynamic Analysis Security Testing

Cyber Security Awareness Training
Employees accidentally clicking on a phishing e-mail or downloading an infected file or malicious application is the number one method by which cybercriminals attack systems. Training your employees continuously with phishing simulation is one of the most important protections you can put in place.


Dark Web Monitoring
Small and medium-sized businesses are just as vulnerable to cybercrime as large companies. We recommend monitoring cybercrime web sites and data for your specific credentials (email addresses, passwords, etc.). Once the presence of your personal information is detected, you will be notified so you can change your password(s).


Data Breach and Cyber Attack Response Plan
Even the most methodical plans for preventing security incidents can fail. We recommend the creation and maintenance of a cyber response plan customized for your organization with the goal of minimizing the damages, downtime, and financial losses for your organization.


Disaster Recovery Plan
If your office, along with computers and data, were to be seriously damaged or destroyed, how much downtime could your company tolerate? What about the disappearance of data stored in the cloud? We recommend the creation and maintenance of a disaster recovery plan for your company which is in line with your recovery time objectives.


DNS Security
DNS hijacking is a compromise in which attackers redirect your web requests to servers they control. Your internal DNS servers must be devoid of such a vulnerability.
Domain Squatting Protection
Domain squatting, also known as cybersquatting, is registering and using an Internet domain in bad faith with intent to profit from an established trade name belonging to someone else. Technical Framework leverages tools to search for rogue domains similar to yours or those that incorporate your trade name. We then work with the proper authorities to shut down the rogue domains.
Email DNS Security
We recommend that the domain which handles your email be configured with DMARC and SPF records.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that is designed to give email domain owners the ability to protect their domain from unauthorized use (known as email spoofing). The purpose of implementing DMARC is to protect a domain from being exploited in business email compromise attacks, phishing emails, email scams, and other cyber threat activities.

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of an email. It specifies which mail servers are allowed to send email for your domain, so that someone cannot set up an email server and send as your domain unless you have authorized them to do so in your DNS records.
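To show what a weak versus an enforcing SPF/DMARC configuration looks like in practice, here is an added example (not Technical Framework's code) that parses both record types and reports the settings that leave a domain open to spoofing. The record strings and domain names are constructed for illustration; a real check would read the domain's TXT record and the TXT record at _dmarc.<domain>.

```python
# Added example: parse SPF and DMARC TXT records and flag weak settings.
# Record strings are constructed; a real check would fetch the domain's
# TXT record and the _dmarc.<domain> TXT record via DNS.

# Constructed sample records for hypothetical domains
SPF_WEAK = "v=spf1 include:_spf.mailhost.test +all"
SPF_OK = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.test -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"

# SPF terms that each cost a DNS lookup (RFC 7208 allows at most 10)
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record):
    """Return a list of findings for an SPF TXT record ('' if none published)."""
    findings = []
    if not record.startswith("v=spf1"):
        return ["no SPF record: any server may send mail as this domain"]
    terms = record.split()[1:]
    # Strip the qualifier (+ - ~ ?) and any argument to get the mechanism name
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0] in LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    last = terms[-1] if terms else ""
    if last in ("+all", "all"):  # bare 'all' defaults to the '+' qualifier
        findings.append("'+all' authorizes every sender: SPF gives no protection")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("no terminating -all/~all: unlisted senders are treated as neutral")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC TXT record ('' if none published)."""
    findings = []
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record: receivers will not enforce SPF/DKIM alignment"]
    tags = {}
    for part in record.split(";"):  # DMARC tags are 'key=value' separated by ';'
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag: record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    print("SPF:", check_spf(SPF_WEAK), check_spf(SPF_OK))
    print("DMARC:", check_dmarc(DMARC_WEAK), check_dmarc(DMARC_OK))
```

Only SPF_OK and DMARC_OK come back with no findings; the weak records report the `+all` and `p=none` problems respectively.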

E-mail Security and Confidentiality
Your employees have access to a wide variety of confidential and important electronic information. Phishing e-mail messages are often used to trick recipients into sharing sensitive information – senders often pose as a legitimate business or trusted contacts. We recommend filtering links and attachments in inbound email and using encrypted email for the transfer of sensitive information.


Full Disk Encryption
Thousands of computers are lost or stolen in the USA every week. Without full disk encryption, the thief can easily access the data on your drive by bypassing your Windows or Mac login prompt at startup. We recommend full disk encryption for all PCs and Macs, especially laptops.

Geo-Filtering
Geo IP filtering, a.k.a. geo fencing or geo blocking, is a setting which blocks certain countries according to the IP address of origin. This method can be circumvented by determined hackers but nonetheless blocks a significant number of “casual” hacking attempts.
IoT Security
IoT, short for “Internet of Things”, is a global network of connected smart devices such as cameras and smart TVs. IoT security is concerned with protecting such devices, as each one is a potential vulnerability and entry point to the network. Technical Framework provides IoT device discovery and security services.


Least Privilege
Always use and assign accounts with the least privilege required to accomplish the task. Never log in as an administrative-level or root-level user unless your work requires it.
Mobile Device Security Policy
Mobile devices should be backed up regularly, encrypted, and equipped with remote wipe capabilities in case of device loss or theft. It is also vital that your organization has an acceptable device use policy, especially if you allow BYOD (Bring Your Own Device).


Multi-Factor Authentication
Multi-factor authentication (MFA) is a security authentication process in which an individual computer user’s credentials are verified using more than one factor before access to a secure environment is granted. We insist that our clients use two-factor authentication for their e-mail and other sensitive services.


Network Firewall
Absence of a well-maintained, continuously updated network firewall is analogous to leaving the front door of your office wide open, not to mention allowing your end-users to roam any website on the Internet with impunity. We recommend the implementation and maintenance of a business-class firewall appliance as a part of your overall cybersecurity strategy.


Password Manager & Digital Vault
We recommend storing all sensitive info such as SSNs, credit card numbers, passwords, etc., in a password manager as opposed to standard applications.
Proactive Monitoring, Advanced Endpoint Security, Patching
An endpoint can be a desktop PC/Mac, server, laptop, smartphone, tablet, thin client, or other specialized hardware such as POS terminals and smart meters. We recommend actively monitoring such devices for security risks, and updating malware protection and security patches as necessary.


Quarterly Technology Reviews
Information Technology progresses at breakneck speeds. Quarterly reviews of system status, budgets, necessary adjustments, and emerging technologies are necessary to keep pace.
Ransomware-protected Backup
One of the reasons the WannaCry virus was so devastating is that it was designed to locate, corrupt, and lock backup files. This is why we recommend our clients use properly gapped backups. A gapped backup is one that is disconnected from your network and thus cannot be impacted by ransomware.


Removal of Personal Information from Data Brokers
Data brokers sell your personal data on the Internet, which can lead to a compromise that spreads throughout your organization. Use services such as Optery to discover and remove your personal data from data brokering websites.
Role-Based Access
Role-Based Access Control (RBAC) is the practice of assigning system access to users based on their roles within an organization. We recommend creating and assigning only the minimum privileges required for each of your team members in order to minimize both accidental and malicious actions.
Secure Hardware Disposal
Recycling equipment with stored data can result in a cybersecurity disaster. We recommend a process by which all data storage components such as hard drives, data cards, flash storage, etc., are uninstalled and either physically or electronically shredded prior to recycling equipment.


Secure Remote Access
Remote access to the workplace should be allowed only by way of an encrypted VPN (virtual private network). IPsec and SSL VPN technologies are common and included in gateway security devices by top vendors such as Sonicwall, Fortinet, Sophos, and Watchguard.


Security Risk Assessments
We recommend conducting an IT risk assessment annually, or more frequently if needed. The result of the assessment should be a list of security risks prioritized according to severity. Mitigation of the vulnerabilities should be scheduled according to the availability of financial and human resources.


Secure Work-From-Home Computing
Your home Wi-Fi should be segmented into trusted and guest networks, with no ability for devices on one to communicate with the other. All IoT and personal devices should be connected to the guest network, and critical corporate devices should be connected to the trusted network. All home devices should be updated with the latest firmware or software frequently. PCs, Macs, tablets, phones, and home servers should have strong virus protection. Disconnect devices from the Internet if they are used only occasionally. Implement security lockdown for digital assistants.
VPN (Virtual Private Networking)
Virtual private network technology protects communication when accessing the Internet using public networks and Wi-Fi such as in airports and cafes. Among top providers for VPN services are NordVPN, ExpressVPN, and ProtonVPN. We recommend the use of a VPN on all devices which exchange traffic with the Internet, including web browsing, email, and document exchange.
Vulnerability Scans & Penetration Testing
A vulnerability scan exposes potential security weaknesses in your IT infrastructure. Penetration testing simulates a cyber attack to confirm or reject the findings of a vulnerability scan.
Zero-Knowledge Cloud File Sharing Services
With regard to public cloud file sharing, Technical Framework recommends using only reputable, zero-knowledge services. Zero-knowledge means the provider of the file sharing service knows nothing about what you store and cannot read your data. A list of file sharing services which are zero-knowledge by default can be found at https://www.cloudwards.net/best-zero-knowledge-cloud-services/

Google Drive, Dropbox and OneDrive/SharePoint are not zero-knowledge services by default. However, third-party products such as Boxcryptor can be incorporated to encrypt files before they are uploaded, thereby achieving zero-knowledge security.

Web-Filtering
Adult content, online gaming, gambling, and file-sharing sites for movies and music are among the top online searches and are “clickbait” hunting grounds for hackers. These are web sites you do NOT want your employees visiting during work hours on company-owned devices. If your employees are visiting infected web sites, they can not only expose you to viruses and hackers but also expose you to legal hassles.


Windows 7/2008 and PC/Server Upgrade Advisory
Microsoft will cease to provide security updates for Windows 7 on January 14, 2020. As soon as Microsoft stops supporting Windows 7, any computers with the operating system still installed will no longer receive protection from cyberattacks. Of course, if you use your computers for business, you’ll be an even greater target for hackers.

Extended Support Licensing

Extended Support Licensing will allow Windows 7 computers to receive updates for three additional years. If it is impossible for you to upgrade or replace your Windows 7 computers with Windows 10, you will need to purchase Windows 7 Extended Security Updates (ESUs), which, according to Microsoft, cost $50/PC/yr for Windows 7 Professional edition. This price is subject to change and the licenses are subject to availability. Licensing costs will increase annually. Technical Framework will assess a procurement labor cost to the licensing purchase based on time spent.

Should I replace or upgrade?

If your computer is close to, or more than, four years old, we recommend replacing the PC. Note that if upgrading a Windows 7 PC fails or becomes problematic due to age or hardware health, resulting in replacement of the PC, your cost will include time incurred for the failed upgrade and the replacement labor. When making a Windows 7 upgrade request, please advise as to whether you would like an upgrade attempt on the existing PC or a replacement.

For time-sensitive issues, please call our main number.
Main: 970.372.4940
Quotes: quotes@techframework.com
Tech Support: help@TechFramework.com