October 2016
Cybersecurity is the protection of information systems from theft or damage to the hardware, software, and information on them, as well as from disruption or misdirection of services they provide.
Advantage Futures IT Department dedicates significant time and resources to implement cybersecurity practices. The team’s vital tools include sophisticated firewalls, network design (VLAN vs. VRP), high speed switches, Wi-Fi and passwords to protect clients. Advantage’s cybersecurity protocols create safe and secure network and perimeter.
Advantage IT support from 17 full-time staff provides second and third shift 24/6 coverage. This team of experts includes network engineers as well as server, front-end and iSeries specialists with decades of experience in security and network infrastructure.
Chief Technology Officer Tom Guinan, Senior Vice Presidents Pinkesh Patel and Patrick Mead, Senior Network Engineer Chase LaPlaca and IT Specialist Sandip Patel discuss cybersecurity:
Q: WHAT IS A FIREWALL AND HOW HAS IT EVOLVED?
CHASE: Firewalls historically act as the first defense against unwanted internet traffic. Today’s devices play a larger role in comprehensive cybersecurity. This foundational instrument remains an important tool to block unwanted traffic and threats.
Firewall also involves the Virtual Private Network (VPN) connections encrypting data in transit ensuring neither your server nor your home computer become exposed. All data traversing the VPN tunnel is encrypted.
Stateful inspection is a protection mechanism used within our firewalls. Data entering our firewall must establish connection to a server or it will be blocked or discarded. For example, if you trade through the internet and not via a server through a recognized port, the firewall will automatically discard the data as a function of real-time protection for Advantage.
TOM: The ACL, or access list, is another important firewall function. The ACL limits access to the internet from certain devices. If someone tries to visit an unfamiliar website, the firewall will block it by default. If you are going to a website not previously cleared, IT requires notification to list the site as safe. Occasionally, some websites must be re-added to the list after network upgrades or equipment replacements. This prevents access to and more importantly from unwanted sites.
CHASE: Firewall software monitors all visited websites. If a client on our network receives notice Advantage has blocked this site, the site is deemed malicious. Filters continuously operate on our firewalls to protect against outgoing and incoming hazards.
Our firewalls run application filters to authenticate files downloaded from the internet by confirming with third party websites or vendors the file is safe. Wildfire, the current gold standard in firewalls, searches for customized malware within header, attachments or anything similar and sends it or blocks it while notifying you of the block. Its goal is to block malware before it enters our network. Advantage is reviewing this new generation of firewall service.
TOM: Technology advances attempt to keep pace with bad actors and their malicious intent. Advantage goes to great lengths to prevent hackers who disrupt businesses without financial gain. Patrick Mead and Chase LaPlaca spend considerable time researching, analyzing and setting security protocol at Advantage.
Q: WHY EMPLOY LOGICAL SEPARATION ON THE ADVANTAGE NETWORK?
PATRICK: A VLAN is a form of logical network separation similar to having a group of computers in the same room. These machines can talk to everyone in their room. It is sometimes necessary for a system to talk to a machine in another VLAN or other room. A VRF effectively cuts the network into pieces and prevents access to its resident systems from outside the VLAN. This is done without the overhead of a firewall. It appears as if each client has their own network. Clients who choose this level of separation benefit from security and network anonymity.
TOM: Logical separation limits the opportunity for viruses to spread. Malicious viruses infect anything connected to a corrupted device. VRFs restrict the scope of a problem so it cannot affect the entire network. Advantage has a multi-tenant environment with numerous clients and employee users. VRFs add high levels of protection and permit problems to be isolated and contained.
Q: TELL US ABOUT THE ARCHITECTURE OF THE EDGE ROUTERS ADVANTAGE MAINTAINS. HOW FAST ARE THEY COMPARED TO COMPETITORS?
CHASE: The edge switches Advantage deploys are Cisco Nexus 3548. Our research confirms it to be one of the fastest layer three switches on the market. We continually perform gear refreshing to make traffic faster and try to remain on the cutting edge. We constantly seek new ways to improve performance.
PATRICK: We confer with vendors about Cisco Nexus 3548 and remain confident it stands in a class of its own. Cisco built the switch for our industry; it remains the premier piece of equipment.
TOM: There does not have to be a trade-off between security and speed. Advantage wants the best of both worlds, so we isolate trading traffic from non-trading traffic.
Q: WHAT IS THE DIFFERENCE BETWEEN PASSWORDS, PASSCODES AND PASSPHRASES? WHY IS IT MORE SECURE TO USE A PASSPHRASE?
SANDIP: Passwords can be simple and are typically under ten characters. Passphrases are more complicated to crack because they are longer and contain spaces between words. Passphrases should be something personal—a favorite lyric or movie name. Most cracking software will not piece together the same string of words, i.e. “Sky Full of Stars Avengers.”
TOM: Passwords used to be limited to 4-12 characters. Many sites now allow 32 characters with spaces for more secure passcodes. Using numerals where possible (i.e. “2” in place of “to”) between words and inserting spaces instantly makes it more secure. Making passwords/passcodes more complicated is important in the cybersecurity chain.
Q: THE FBI AND OTHER CYBERSECURITY EXPERTS SAY THE HUMAN ELEMENT IS THE WEAKEST LINK. WHAT STEPS CAN BE TAKEN AT HOME OR WORK TO BE MORE CYBER SECURE?
TOM: Articles about cyber fraud or cybersecurity say the end user is the biggest vulnerability. Advantage focuses significant time to create a secure architecture and perimeter. The IT Department educates firm employees and network users about effective cyber practices. The FBI recently conducted a seminar on cybersecurity breaches for Advantage employees. Everyone is a link in the cybersecurity chain and must be alert and suspicious of anything unexpected or unusual.
PINKESH: Be cautious emailing or surfing the internet. Do not click on links or open attachments from anyone you do not know. Fraudulent phishing emails often appear to come from large organizations, use generic greetings, request personal information (credit card, bank account, password, PIN, username or security questions) or instruct you to click on a link. There is often an urgent nature requesting immediate response. Organizations such as the IRS, banks or payroll vendors never request personal information in an email. With your personal information, scammers can access your accounts, lock you out of your network and change your passwords and security questions. Best practice is to delete the email and report it to the institution (IRS, bank, credit card company, etc.).
To minimize risk of viruses and malware on your home or office setup, use the following guidelines:
Maintain a dedicated workstation for online banking and payments. Do not use a shared workstation and avoid logging in to public workstations. Do not have your workstation save your password.
Keep anti-virus software up to date at all times.
Install anti-virus and anti-spyware programs from reputable sources.
Do not download a file or attachment or click on a link in response to a warning received from an unknown program you did not install. This could be a dormant virus or malware collecting and sending information to a hacker.
Always keep software and applications on your computer up to date. This includes Microsoft Office software and Operating System’s security updates. Criminals are constantly trying to exploit vulnerabilities from installed software (browsers, office editing applications and web apps like Java and Flash).
Enable pop-up blockers on your internet browser.
Never disable your firewall. It is the protective layer between your workstation and the internet.
Do not open a link or attachment from someone you do not know. Be sure you can verify the source before opening attachments or clicking links in an email, instant message or social media post.
Keep your system up to date by manually updating or setting automatic system updates.
If you purchased previously used equipment, wipe the hard drive clean and only acquire software from reputable vendors. Used software and hardware may be infected with a virus or malware.
Q: WHAT ABOUT WI-FI SECURITY?
PINKESH: Best practice is to change default passwords on hardware. These devices usually have default admin login/passwords to help with installation and change configuration. If the manufacturer of the equipment is known, a person could potentially sign in and access your network. The default login can be obtained by a simple search on any search engine and could be as common as “Admin/Admin.” Change the default logins and default network name (SSID). Enable strong encryption on the SSID like WPA2 (WPA2-PSK) with AES encryption. You can also hide the SSID, apply MAC ID filtering, utilize static IP over DHCP or have guest logins. Some measures depend on equipment features.
Do not leave your Wi-Fi open. There was a case where an individual left their Wi-Fi open and a neighbor logged into the network and committed illegal activities. Police arrested the Wi-Fi owner. Eventually, authorities inspected the router and realized the criminal workstation was owned by the neighbor accessing the unsecured Wi-Fi. Without password protecting the network, the criminal neighbor gained Wi-Fi access.
Q: ANY OTHER TIPS ON WI-FI SAFETY?
PINKESH: Avoid using free Wi-Fi in public locations or be sure to verify the network with staff. If you need to use Wi-Fi, turn off file printing and file sharing. VPN is another option. If you are not setup with a company VPN, you can get a third party vendor. Always keep your system patches and security upgrades current. Use two-factor/dual authentications for emails on public Wi-Fi and erase the network when finished.
Q: ANY OTHER SUGGESTIONS TO REDUCE EXPOSURE OR IMPROVE CYBERSECURITY PRACTICES?
PATRICK: Good tools exist to help manage your security. I use and recommend Dashlane. This application tracks, changes and updates passwords and notifies you when the same password is used for different sites. You only need to remember one master password.
Q: CAN THESE TOOLS BE HACKED?
PATRICK: The browser saves passwords locally on your machine and sometimes in clear text. Dashlane encrypts passwords and stores them on a website on a Dashlane server. Access is portable so you can login from your iPad or smartphone. It is far more secure and a better mechanism for storing passwords.
TOM: Law enforcement will tell you it is safer to use these services for password management than trying to remember simple passwords. While it is not a perfect science, it is a better choice. Passwords stored with a service are encrypted at the site and are much more secure than using something local. In this day and age, no one should be writing their passwords on sticky notes.
Q: HOW OFTEN DO YOU RECOMMEND CHANGING YOUR PASSWORD?
TOM: Advantage policy is to change passwords every ninety days. Law enforcement recommends as often as every thirty days. If you use a more secure password, you can change it less frequently. More complex passwords require less frequent updates.
SANDIP: Never save passwords or credit card information on web browsers. For example, Google Chrome will ask if you want to save your password or your credit card information. While this may help you log in or check out faster, it is safer to decline and enter your information every time. The convenience is not worth the associated risks.
PATRICK: Take note, browsers save passwords in clear text.
TOM: Do not perform confidential tasks on Wi-Fi over an unsecured network. If you do your banking from the Advantage office, you are on a protected network behind a firewall. If you do banking from home, make certain it is password protected and keep a secure Wi-Fi password. You are vulnerable to hackers and thieves when you use public Wi-Fi.
CHASE: Advantage’s Wi-Fi is physically separate from our production network to protect users.
TOM: Be wary of social media. Law enforcement agencies warn about unknown people friending you on social media platforms. You may create a link to a bad actor if you allow unknowns to join your social network. If you do not know the person, think twice about accepting an invitation.
SANDIP: On LinkedIn, for example, you may receive a request to link up with an unfamiliar person. If you accept the request, this person can see your level of employment and executives at your company. They can then obtain their contact information to use for possible malicious purposes. You should also keep your Facebook profile private so people outside your network cannot view personal information or know your current location.
PINKESH: Be careful with the apps you download on your phone or devices—many request access to your Wi-Fi, contacts and personal data. For example, keyboard applications record everything you type, from “hi” to bank account or credit card numbers. You do not know what information is collected and how it is used. Perform research before installing an app.
SANDIP: You are better off downloading and using a Google certified keyboard versus a free third party application software not certified by a trusted company.
TOM: We try to enforce locking your computer before leaving it unattended. Set your computer to automatically lock after five or ten minutes. If you are leaving long term, log out completely.
