Multi-Factor Authentication: Strengthening Online Security

Turn On Your Multi-factor Authentication Article by Mark Niemi – Threat Analyst at Lasco Development Corporation [10/16/2023]This week for Cybersecurity awareness month the focus is MFA and turning it on. While this is somewhat the beating of a dead horse, MFA, or Multi factor Authentication, should be enforced and turned on wherever possible to layer security on top of our authentication processes. MFA is said to stop 80-90% of identity-based attacks, a number that has declined over the past few years. It was once thought to block 99% of identity-based attacks involving the use of a compromised password. The reason for the change is that not all MFA is completely secure, and some forms are stronger than others. Below are some tips to help you select the right options for your organization. Know the Weaknesses During the MFA setup phase, when we’re given an option like email to setup MFA for an account, many of us may not choose the strongest method available. We may be naïve in thinking each option has the same level of security. Options like an Email or SMS make it easier for users to gain access to a code and to copy and paste it in, but we may not realize that these methods can be phished simply by gaining access to a phone’s SMS messages, the phone’s lock screen, or having access to the very same email account that is already compromised. A few attack types based on weaknesses: Sim-swapping – Attacks like sim-swapping give an attacker direct access to a phones SMS message by cloning the devices sim card through 3rd party compromise attacks like social engineering the phone carrier. Push fatigue – MFA Bombing or Push fatigue where an attacker will spam MFA push notifications to the phone in hopes of the victim getting irritated and accepting or allowing access to get the notifications to stop clearing.  Business Email compromise – This is an area of concern since email attacks can be damaging for the account owner and all their contacts and other services with identity dependencies. If an attacker has access to an email address, any service that has been setup with that email address can be reset, also giving attackers access to any MFA codes that are generated for email-based MFA. Pick a Secure Option As SMS and Email are most common methods for MFA setup, a more secure option,  like an authenticator app, will use the device’s current date/time and unique seed to generate a 30-60 second cycled MFA code that does not require internet access. Other options like FIDO or FIDO2- compliant MFA and hardware-based tokens take away the convenience of being able to simply copy and paste tokens, but they become phishing-resistant in a way that would require an attacker to have the device the code is generated from or get the original seed code during setup. As most attacks are remotely administered, the hardware dependent aspect makes it extremely challenging for an attacker to gain access to the codes without being in the physical location or retrieving the seed. More Secure options: Authenticator App – Google, Microsoft and many more make authenticator apps. Choose a well-known one and don’t fall for fake ones in the app stores. They are out there! Hardware Appliance/Dongle – This will be based on the MFA software and will vary. Biometrics with FIDO compliance – This is an area where passwordless authentication is growing. Using a biometric token like a fingerprint or facial recognition offer a uniquely generated token which can be nearly impossible to phish or replicate. The Lesser of Evils Sometimes we don’t have a choice for a more secure option and are at the mercy of whatever we do have access to due to vendor/manufacturer restrictions. In this case, picking the lesser of evils must happen, as having any MFA is still better than having no MFA at all.  In this case, SMS or push notifications can be the best options as they are tied to a mobile device that is harder to replicate or gain access to. Even though SMS is a weaker option there are some protections that can be done to help make your MFA strong. Keep your software updated! – This is a critical step that can apply in all situations but it’s even more important to protect the device. Use a passcode/passphrase – Protect your phone data and access to it by having a passcode. Be Mindful of notification/banners – Some data can be given away on the lock screen or actions can be taken from the lock screen. Keep your banners/notifications away from prying eyes or shoulder surfers. Request a Consult Know when something is wrong – Mobile devices get slow, and batteries weaken, but excessive battery drain, and slowness are also signs of malware. Get in the habit of rebooting your devices and removing unnecessary software to help keep them clean. Additionally, if your phone service stops working, this can be a sign of a sim-swapping attack where your SIM card has been deactivated and the attacker has taken over your cell phone number. More Information https://www.cisa.gov/secure-our-world/turn-mfa https://fidoalliance.org/fido2/

Lasco Partners with Central Savings Bank for Security Training Event

Lasco and Central Savings Bank Speaks to the Community on Security and Fraud Prevention Andrew Gale, V.P. of Technology Services at Lasco presenting to local organization leaders. [Sault Saint Marie, 10/13/2023] – In a collaborative effort to enhance the safety and security of the community at large, Lasco and Central Savings Bank hosted a dynamic evening event. This event brought together business leaders and individuals from the community to delve into the critical topics of cybersecurity and fraud prevention.Andrew, V.P. of Technology Services at Lasco, led the audience through an engaging presentation of a wide range of cybersecurity topics, shedding light on the fundamentals of cybersecurity, the alarming rise of business compromise, and the importance of adopting a strong security culture. He also emphasized the significance of key policies and procedures that organizations should adopt to safeguard their digital assets. “With the growing reliance on technology in today’s business landscape, an understanding of cybersecurity is essential. We want to empower our community with knowledge to protect themselves and their organizations against digital threats,” said Andrew. In a complementary presentation, Andrea from Central Savings Bank shared invaluable insights into fraud prevention and awareness. Her presentation included a mix of tools and techniques that can be applied to organizations of all sizes. She emphasized the need for vigilance, proactive measures, and continuous education to thwart fraud attempts. The event, held at City Hall in Sault Saint Marie, Michigan, was broadcast on Spectrum 189 and streamed on City Hall’s Youtube page. If your organization is looking to partner with Lasco for a similar event or would like to schedule personal training for your employees or board members, check out Lasco’s event page or contact (800) 800-6197.

Paint the Peninsula Pink

Team LASCO showing support for Breast Cancer research and Superior Health Foundation. (Left to Right: Corey, Deborah, Sam, Bob, Mark, Random, Ben, and Leigh) October is Breast Cancer awareness month, and that means it’s time to Paint the Peninsula PINK! The Superior Health Foundation (SHF) uses the month of October to run their month-long Paint the Peninsula  Pink fundraiser, presented by the M.E. Davenport Foundation. Lasco is a proud supporter of Paint the Peninsula Pink! The money raised during Paint the Peninsula Pink goes directly to the SHF Breast Health Fund which provides funding to both men and women in the Upper Peninsula to help with out-of-pocket breast health expenses. There is a need in our community for this funding. In 2022 alone, SHF provided funding to 10 or more people across the U.P. faced with challenging out-of-pocket breast health expenses. Thus far in 2023, more than $5,000 in funding has been awarded to seven people. Everyone should have access to life-saving care! Please support the SHF and help Paint the Peninsula Pink! For more information, please visit Paint the Peninsula Pink – Superior Health Foundation.

Preventing Ransomware in Your Organization

Preventing Ransomware at the Workplace Ransomware attacks continue to be a significant threat to businesses of all sizes. These malicious attacks can disrupt operations, compromise sensitive data, and result in significant financial losses. This week, during the month of October’s Cybersecurity Awareness Month, we’ll explore the importance of taking preventative measures against ransomware, with a particular focus on Multi-Factor Authentication (MFA). Understanding the Ransomware Threat Ransomware is malicious software that encrypts (or locks away) an organization’s data, rendering it inaccessible until a ransom is paid to the threat actors. These attacks have been on the rise in recent years due to the increasing ease of exploiting all sizes of organizations, from small businesses to large enterprises. The costs associated with ransomware attacks extend far beyond the ransom itself. Organizations may incur expenses related to data recovery, legal fees, reputational damage, and lost productivity. Last week we read about building a security culture in your organization; that is the beginning of helping prevent ransomware threats. The Role of Multi-Factor Authentication (MFA) Multi-Factor Authentication, or MFA, is an additional step in securing your organization against multiple threats. MFA requires users to provide two or more authentication factors  before granting access to an account or system. These factors can include something the user knows (e.g., a password), something the user has (e.g., a mobile device or authentication token), or something the user is (e.g., biometric data like fingerprints). MFA plays a pivotal role in enhancing security by adding an additional layer of protection beyond traditional password-based authentication and acts as a formidable deterrent against ransomware attacks. Threat actors often rely on stolen or weak passwords to gain unauthorized access to systems. With MFA in place, even if an attacker manages to obtain a user’s password, they will be unable to proceed without the secondary authentication factor. Real-world examples have demonstrated how MFA has thwarted ransomware attacks, saving organizations from potential data breaches and costly ransom payments. From a cost perspective, the investment in MFA often proves to be significantly more cost-effective than dealing with the aftermath of a ransomware incident. Going Beyond MFA While MFA is a robust defense, it should be complemented by other preventative measures. Regular data backups are crucial, enabling organizations to restore their systems in case of an attack. Security awareness training for employees helps them recognize phishing attempts and other social engineering tactics commonly used by ransomware attackers. Keeping software up-to-date is also essential, as vulnerabilities in outdated software can be exploited by cybercriminals. Ransomware threats are real and pervasive, but organizations can take a proactive approach to safeguard their valuable data and maintain business continuity. Following best practices, like adopting MFA, businesses can significantly reduce their vulnerability to ransomware attacks. Remember, in the digital world, staying secure means staying vigilant. Request a Consult If you or your organization is looking to start a discussion or need help establishing MFA or other best practices, request a consult with an expert and get secure today!

Subsistence and Security in Dickinson County

Food and Fun with the community in Dickinson County Lasco, in conjunction with the Dickinson Area Chamber of Commerce, hosted a Lunch & Learn at the Pine Mountain Resort on Thursday, October 5 for business organizations in the Dickinson Area. Photo showing Ben Chaney with Lasco sharing insight on adapting security into your organization. 10/6/2023 | In a bid to fortify the digital defenses of local businesses, Lasco recently hosted an enlightening seminar on fostering cybersecurity culture in the workplace. The event, held at the Pine Mountain Resort in Iron Mountain, provided to be an educational and gastronomic treat for all attendees. The seminar highlighted key aspects of building a cybersecurity-conscious workforce, with emphasis on a number of core components: Leadership Engagement: Lasco stressed the pivotal role of leadership in setting the tone for cybersecurity. Security Awareness Training: REcognizing that cybersecurity is a collective responsibility, Lasco advocated for comprehensive security training for all employees.  Assessments and Policy Creation: Lasco also delved into the importance of regular security assessments to identify vulnerabilities and the subsequent creation of effective security policies. Apart from the insights gained, attendees also had the pleasure of indulging in cuisine provided by Pine Mountain Resort, making the event a true feast for both the mind and palate. Lasco Remains committed to safeguarding local businesses and communities from the ever-evolving cyber threatscape. With events like these, they continue to empower organizations with the knowledge and tools needed to stay one step ahead in the digital age. Looking to get an event like this hosted for you or your organization? Connect with Lasco to find out how today.

Evolving Your Security Culture

Evolving and Adapting Workplace Security Culture In today’s rapidly evolving digital landscape, the importance of a strong security culture cannot be overstated. As cyber threats continue to advance in complexity, organizations (big and small) must adapt their security practices accordingly. This post is all about exploring the evolving security culture, with a way we can make a positive change today. The Changing Face of Cybersecurity The days of using “password123” as a go-to password are long gone. Cybercriminals have become more sophisticated, employing a variety of tactics to compromise digital assets. As a result, the need for strong and unique passwords is more critical than ever. The Power of Strong Passwords A strong password is the first line of defense against unauthorized access to your accounts. Here are some key elements of strong passwords: Length Matters A longer password is generally more secure. Aim for at least 12 characters or more. For high profile accounts, such as administrators, will want something even longer, such as 16 – 21 characters in today’s standards. Complexity Counts Use a mix of uppercase and lowercase letters, numbers, and special characters to make your password harder to crack. From the NIST Special Publication (800-63B) they report that “the current ability of attackers to compute many billions of hashes per second with no rate limiting requires passwords intended to resist such attacks to be orders of magnitude more complex than those that are expected to resist only online attacks.” Avoid Common Words Steer clear of easily guessable words, such as “password,” “admin,” or your name. Your organization can also implement a word list associated with known breached passwords that prevent any words on the list to be used as a user login. Uniqueness Is Key Never reuse passwords across multiple accounts. Each password should be unique and not contain phrases or sections of previously used passwords. Regular Updates When in doubt, change it out! Change your password periodically, even if you haven’t experienced a security breach. From the 2023 IMB Breach Report, we can learn that “it took nearly 11 months (328 days) to identify and contain data breaches resulting from stolen or compromised credentials, on average, and about 10 months (308 days) to resolve breaches that were initiated by a malicious insider.” Enter the Password Manager Remembering complex passwords for every online account can be a daunting task. This is where password managers come to the rescue. Password managers are powerful tools that securely store and generate complex passwords, making it easy for users to maintain strong security. Key Benefits of Password Managers Enhanced Security: Password managers generate and store strong, unique passwords for each of your accounts, reducing the risk of a security breach due to password-related issues. Convenience: You don’t have to remember all your passwords; the manager does it for you. All you need is a single master password to access your vault. Cross-Platform Compatibility: Many password managers work seamlessly across various devices and platforms, ensuring consistent security. Two-Factor Authentication (2FA) Integration: Most modern password managers support 2FA, adding an extra layer of security to all accounts. Implementing a Password Manager While every organization is different, implementing a password manager across your organization can be a huge benefit and help reduce security risks. Here is a simple guide to getting started with a password manager: Choose a Reliable Password Manager: Research and select a manager that works best for your organization and security requirements. Cloud based password managers are quick and easy to setup, while on-prem keeps all of your data under your own lock-and-key. Install and Set Up: When configuring your password manager, each setup is unique. Some key points are ensuring a strong and unique master password for each user, and enforcing MFA/2FA for all users for login access. REQUEST A CONSULT Importing Existing Passwords: Most managers allow you to import existing passwords from your browser or other tools (or even spreadsheets!) Generate Strong Passwords: When creating new accounts or updating existing ones, let the password manager generate strong, unique passwords for you. Cloud-based password managers sometimes have password lists and watchguards in place to prevent password reuse and using passwords that have previously been involved in a data breach. Enable MFA: Whenever possible, enable multi-factor or two-factor authentication for an additional layer of security. Conclusion In the ever-connected world, the security culture is evolving to combat increasingly sophisticated cyber threats. Strong passwords and password managers are pivotal components of this evolution. By implementing these practices, individuals and organizations can significantly enhance their cybersecurity posture, safeguarding sensitive data and digital identities from malicious actors. Remember, it’s not just about passwords; it’s about a commitment to a safer digital future. If you would like to learn more about other tools and resources your organization can use to amp up your cybersecurity posture, connect with a specialist today!

New Security Training and Dark Web Monitoring Resources

Lasco has adopted new tools to provide additional Security Training and Dark Web Scanning Resources for all of their customers. Lasco is proud to announce the availability of our brand-new security awareness training resource and dark web scanning capabilities. The new resources are the central hub for organizations and their employees to manage their ongoing human security training program and offers a new way for both large and small businesses to engage in an interactive program that will help protect their business from cyber-risks, along with being proactive in monitoring for PII on the dark web. “We are excited to push out a new tool for our current customers and prospective clients to be more proactive about their security posture. The new portal allows an easily accessible interface for management, along with a fun gamification of the security training to help engage end users. l,” says Ben, IT Support Manager. “am looking forward to seeing how we can also implement these new resources internally for our employees and smash some high scores for the training programs.” Features and benefits of the new training resources include: Fresh new look with a familiar-feeling modern interface style Simplified navigation improves user experience Top-notch security upgrades to enhance account protection Updated backend performance makes portal speed and usability second to none Active Dark Web monitoring and reporting The new services are now available. For more information on the how you can enroll in a security awareness training program or dark web scanning, visit our Security offerings page or click here.

Lasco and PFN Form Strategic Partnership

Lasco Development Corporation and Peninsula Fiber Network Join Forces to Deliver Enhanced Network Services [Marquette, MI] – Lasco Development Corporation, a leading provider of innovative tools, applications, and services for financial institutions, is delighted to announce a strategic partnership with Peninsula Fiber Network (PFN) to offer comprehensive network services to Lasco’s valued customers and partners. Lasco Development Corporation specializes in delivering cutting-edge solutions tailored to meet the unique needs of financial institutions and other commercial businesses. With a focus on cyber security, reliability, and customer satisfaction, Lasco has earned a stellar reputation as a trusted technology partner. By combining their extensive expertise and resources, Lasco and PFN are poised to provide an unparalleled level of network services to clients. Peninsula Fiber Network is widely recognized for its high-level services in supporting the state of Michigan’s 911 network. As a leading provider of fiber optic infrastructure and network connectivity, PFN ensures robust and secure communication channels critical for businesses, institutions and emergency response systems. With their vast experience in delivering mission-critical solutions, PFN brings exceptional reliability and performance to the partnership. This strategic alliance between Lasco and PFN will enable Lasco’s customers and partners to leverage PFN’s state-of-the-art network infrastructure and services. The collaboration aims to enhance network connectivity, cyber security, and performance, empowering Lasco’s clients to stay ahead in an increasingly competitive digital landscape. “We are thrilled to join forces with Peninsula Fiber Network,” said Robert Baer, Lasco President. “PFN’s expertise in delivering high-quality network services aligns perfectly with our commitment to providing exceptional solutions to our valued customers. Together, we can elevate the standard of network services available to financial institutions and other partners, fostering growth, efficiency, and innovation.” As part of the partnership, Lasco and PFN will collaborate closely to develop customized network solutions that cater to the unique requirements of Lasco’s clients. The joint offerings will encompass advanced network design, installation, monitoring, and maintenance services, backed by PFN’s state-of-the-art infrastructure and Lasco’s deep industry knowledge. “This partnership represents a significant milestone for both Lasco Development Corporation and Peninsula Fiber Network,” stated Scott Randall, General Manager of Peninsula Fiber Network. “By combining our expertise, we can deliver a comprehensive suite of network services that empower Lasco’s clients to drive digital transformation and achieve their business goals. Together, we are well-positioned to provide the highest level of performance, security, and reliability for their critical communication needs.”   The partnership between Lasco Development Corporation and Peninsula Fiber Network underscores a shared commitment to excellence and customer-centricity. This collaboration will enable Lasco’s clients to unlock new opportunities, streamline operations, and propel growth through cutting-edge network solutions. About Lasco Development Corporation: Lasco has been providing I.T. Services for over 55 years in Michigan and Wisconsin. Focusing primarily on financial institutions and commercial businesses, Lasco performs I.T. Managed Services with a strong focus on Cyber Security. Lasco performs end user support, network management, disaster recovery, cyber services, communications, equipment replacement and consulting.  With these services, Lasco can partner with you to assist you in gaining efficiencies, ensuring your network is secured from cyber events and save you time and resources from managing your network on your own. To learn more, visit www.lascoinc.com. About Peninsula Fiber Network: Peninsula Fiber Network (PFN) is a leading provider of fiber optic-based telecommunications and Next Generation 911 services throughout Michigan, Wisconsin, and parts of Minnesota. PFN delivers robust and secure fiber optic infrastructure, ensuring reliable communication channels for commercial enterprises and critical emergency response systems. To discover more, visit www.pfnllc.net. Lasco Development Corp. | 205 N Lakeshore Blvd, Ste 1A, Marquette, MI 49855

The time to upgrade to the cloud is now.

Is your communications system holding you back? As workforces become more fragmented and dispersed, businesses areseeing an ever-increasing need for more meeting spaces, video, andseamless collaboration to keep teams connected—no matter where theywork from. Upgrading to a cloud-based PBX system offers numerous benefits:* Unify all of your business communications* Easily manage multiple locations* Meet all of your security and compliance needs* And more! Interested in learning more? As a trusted partner of RingCentral, Lasco can get you started on the right foot with your digital transformation.