National Cybersecurity Awareness Month: The Top Cyber Threats of 2022 and How CREG Systems Can Help

It’s October, so it is time for pumpkin patches, apple picking, cold weather, and more! October is also National Cybersecurity Awareness Month, launched in 2004 by the National Cyber Security Alliance and the U.S. Department of Homeland Security. 

What is National Cybersecurity Awareness Month?

When Cybersecurity Awareness Month began, the awareness efforts centered around advice like updating your antivirus software twice a year, mirroring the familiar reminder to change smoke alarm batteries when daylight saving time changes. Over the years, National Cybersecurity Awareness Month has evolved along with technology.

According to reports, the most common tactics hackers use to carry out ransomware attacks are email phishing campaigns, RDP vulnerabilities, and software vulnerabilities. CREG Systems is Northern New York's most trusted and experienced resource, prepared to help prevent ransomware attacks on your business.

What are the Top Cyber Threats of 2022?

We at CREG Systems seek to educate the public about how to maintain their network health. We do so by providing educational materials, like this article. We also assess your network and provide recommendations and services that will strengthen your security. Contact us today to protect your data. Meanwhile, here are some common threats that CREG Systems recommends you watch out for:

  • Ransomware
    • Ransomware has been a growing threat in recent years. Several high-profile attacks demonstrated to cybercriminals that ransomware was profitable, driving a rapid increase in cybercrime groups operating this malware. On average, ransomware claims a new victim every ten seconds worldwide, and ransomware cost businesses around $20 billion in 2020, an increase of 75% over the previous year.
  • Misconfigurations and Unpatched Systems
    • Security misconfigurations arise when security settings are not defined and implemented, or when default values are maintained. Usually, this means the configuration settings do not comply with the industry security standards such as CIS Benchmarks or OWASP Top 10. Misconfigurations are often seen as an easy target, as they can be easy for attackers to detect.
    • Misconfigurations can be much more than an accidental firewall rule. Some of the most common misconfigurations are unpatched systems, broken access control, sensitive data exposure, and vulnerable and outdated components. Attackers can purchase tools from deep web marketplaces to scan for these vulnerabilities, much like a penetration testing contractor could do for your organization.
  • Credential Stuffing
    • Credential stuffing happens when an attacker uses stolen credentials from one organization to access user accounts at another organization. These credentials are typically obtained in a breach or purchased on the dark web. You may have seen news stories about Disney Plus accounts getting hacked, yet Disney found no evidence of forced entry. This is because credential stuffing simply involves logging into a victim's account with their username and password.
  • Social Engineering
    • Social engineering isn’t the breach of a system, but rather the compromise of a person, which causes them to release confidential information unknowingly. This most commonly takes the form of an email phishing attack in which the individual is tricked into downloading malware or giving up their credentials. Typically, social engineering is the first step in a multistep cyberattack.
    • What’s more concerning is that over 70% of social engineering and phishing incidents are discovered by external parties. This means that when employees are falling for the bait, they usually don’t realize they’ve been hooked. On top of that, attackers are constantly coming up with new ways to evade automated security tools.

How can CREG Systems help?

CREG Systems ensures that the data you share and store is secure and protected, which supports efficient operation and credibility for your organization. Our certified and highly trained staff will meet your needs and plan a security system roll-out strategy that best fits your goals.

  • Hardware & Software
    • Keep your data safe by using the most up-to-date security software and hardware. Make sure you are secured through next-generation firewalls, use sandboxing for extra protection, and ensure you have a defense at the gate.
  • Multi-level Protection
    • From your desktop to the firewall, each device in your organization should have segmented and multi-layered protection. With this in place, you can usually stop a data breach before it reaches your vital information.
  • Insider threats
    • While many organizations have multi-layer security systems and data protection in place, there could still be other risks to consider. Former employees can be a threat to your cybersecurity. Be sure to remove any access they may still have, and recover their data, as soon as they leave the organization. Be sure to teach employees about the importance of security and conduct regular testing to ensure your data is secure.
  • Good Cyber Habits
    • Be sure to keep your information backed up, but never keep your backups online. Keep your systems updated and double-check apps to verify they are not corrupt. Limit access privileges and use two-factor authentication. Preventing cyber threats is better than curing them.

What Steps can you Take Now?

  • Enabling multi-factor authentication
    • Multi-factor authentication (MFA) is a cybersecurity measure for an account that requires anyone logging in to prove their identity in multiple ways. Typically, you will enter your username and password and then verify your identity by another method, like a fingerprint scan or responding to a security question.
  • Using strong passwords and a password manager
    • Password managers are software that often takes the form of an app or browser plugin, or that may be built into your browser or computer operating system. With a few clicks, you can generate new, secure passwords that are long, unique, and complex. These password managers automatically store your passwords and can autofill them when you arrive at the site.
  • Updating software
    • Always keep your software updated when updates become available, and don't delay. These updates fix general software problems and patch security holes where criminals might get in. You can be sure the bad guys are always looking for new ways to get to your data through software, so updating your software is an easy way to stay a step ahead.
  • Recognizing and reporting phishing
    • The signs can be subtle, but once you recognize a phishing attempt you can avoid falling for it. Before clicking any links or downloading attachments, take a few seconds (about 4 seconds) and make sure the email looks legitimate. Here are some quick tips on how to spot a phishing email:
      • Does it contain an offer that's too good to be true?
      • Does it include language that's urgent, alarming, or threatening?
      • Is the writing poorly crafted and riddled with misspellings and bad grammar?

Our staff are trained and certified as Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker, and Certified Wireless Network Administrator, and hold CompTIA A+, CompTIA Network+, CompTIA Security+, Windows Server, and Microsoft Exchange certificates. In conclusion, our staff is the best equipped to deliver you the best cybersecurity in the North Country.

NDAA and TAA Compliance: A Complete Guide

In 2019, the U.S. federal government implemented Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which prohibits the sale, purchase, and use of a wide range of security surveillance and telecommunications equipment manufactured by certain Chinese vendors and their subsidiaries in any type of government building or federally funded project.

Hikvision and Dahua Banned by US Government

On October 22, 2021, the United States House of Representatives passed a bill that will eventually ban Hikvision and Dahua manufactured devices from both being imported and sold. The bill was signed by the president shortly thereafter. According to the reasoning written into the bill, the ban comes due to the heightened national security risk of such devices. The ban also covers three additional Chinese companies: Huawei, ZTE, and Hytera. On top of the ban brought about by Section 889 compliance, companies that act as OEMs for any of the original Chinese manufacturers will be subject to new restrictions and scrutiny in relation to federal use.

Why are they banned in the United States?

According to the United States Government in the NDAA bill, companies like Dahua and Hikvision present an inherent risk to national security. After several discovered security breaches, those representing intelligence agencies and national security see the devices as an avenue for the Chinese government to infiltrate the US through cyber espionage. Furthermore, because companies like Hikvision have partnered with the Chinese military to develop more advanced military solutions, lawmakers see it as a safe assumption to take action against the manufacturer and companies similar to Dahua and Huawei. Ergo, Section 889 compliance will be enforced at the federal level. Both of the latter companies have also made similar commitments to the Communist Government. This has also given Congress ample reason to restrict contractors and government entities to a list of NDAA-compliant cameras.

What is NDAA?

Section 889 of the National Defense Authorization Act (NDAA), effective August 13, 2019, prohibits the use of certain video surveillance equipment and components manufactured by the following vendors:

  • Hikvision Digital Technology Company
  • Huawei Technologies Company
  • ZTE Corporation
  • Hytera Communications Corporation
  • Dahua Technology Company

What is TAA?

TAA refers to the Trade Agreements Act, whose purpose is to foster fair and open international trade. TAA requires that products are produced in, or undergo "substantial transformation" within, the United States or a designated country. Designated countries include:

  • Countries that have reciprocal trade agreements with the United States, including Canada, Mexico, and Australia
  • Countries that participate in the World Trade Organization's Government Procurement Agreement, including Japan and many European countries
  • Countries designated as "least developed," such as Afghanistan, Bangladesh, Laos, and Ethiopia

Why You Should Be TAA Compliant

The Trade Agreements Act (19 U.S.C. §§ 2501-2581) of 1979 was enacted to foster fair and open international trade, but more importantly, it implemented the requirement that the U.S. government may acquire only U.S.-made or designated-country end products. Specifically, this means that GSA must only accept U.S.-made and/or TAA-compliant products under the MAS program. This requirement has still left many GSA contract holders confused about its true meaning.

How Does This Affect Me?

For federal agencies and contractors, products manufactured by Dahua, Hikvision, Huawei, and the other banned companies, and by those that use them as original equipment manufacturers (OEM), must be removed from use immediately to be NDAA Section 889 compliant. In addition, federal contractors for the United States government will no longer be considered for business if such a measure is not taken internally. Furthermore, specific replacements may be more difficult to obtain precisely because the NDAA bill bans Hikvision and Dahua. However, CREG Systems has a massive catalog of security cameras, recorders, and more for you to choose from. In addition, our professionals are ready to help you find the best solution for your needs if you need to replace your device with a product under a different brand. We can still provide you with each of our presented products while fully following NDAA Section 889 compliance.

CREG Systems

At CREG Systems, we take pride in using only NDAA- and TAA-compliant equipment for your camera and surveillance needs. CREG Systems supports NDAA compliance across its product lines and has a full suite of trade-compliant devices, with many currently used in government, defense, and a range of commercial applications.

Kari’s Law and Ray Baum’s Act: What are they and how do they impact your business?

In February 2020, Kari's Law went into effect. As of January 2022, Ray Baum's Act started to be enforced. While both laws directly impact businesses across different industries, many do not know what they mean. It is important to know whether or not your business is in compliance with these laws.

Kari’s Law

This law was named in honor of Kari Hunt, who was attacked and killed by her estranged husband in a motel room in Marshall, Texas in 2013. Ms. Hunt's 9-year-old daughter tried to call 911 for help four times from the motel room phone, as her mother had taught her to do. Tragically, the call never went through because she did not know that the motel's phone system required dialing "9" for an outbound line before dialing 911. This law was signed on February 16, 2018, and officially went into effect on February 16, 2020. The new FCC rules require the implementation of direct 911 dialing and on-site notification capabilities in multi-line telephone systems (MLTS), which encompasses both circuit-switched and IP-based/cloud-serviced phone systems. This means that when a 911 call is placed on an MLTS, the system must be configured to notify a "central location" (on-site or off-site) where someone is likely to see or hear the notification. This law applies to manufacturers, sellers, lessors, and any business that installs, manages, or operates an MLTS.

Ray Baum’s Act

On March 23, 2018, the President signed the RAY BAUM'S Act into law. This act was named in honor of Ray Baum but is also an acronym that stands for Repack Airwaves Yielding Better Access for Users of Modern Services. This act requires that a dispatchable location is conveyed with a 911 call, regardless of the technological platform used, which includes calls from multi-line telephone systems (MLTS). The act defines "dispatchable location" as the street address of the calling party, plus additional information such as a room number, floor number, or similar information necessary to adequately identify the location of the calling party. This law did not go into effect until January 6, 2021, for all fixed MLTS, including fixed interconnected VoIP, fixed telephony, and fixed Telephone Relay Services. The act was passed in an effort to emphasize the importance of sharing precise location information with emergency services when someone dials 911. This in turn gives first responders valuable information so they can more accurately pinpoint the exact location where the emergency is occurring.

The National Suicide Prevention Hotline and 988

988 has been designated as the new three-digit dialing code that will route callers to the National Suicide Prevention Lifeline. While some areas may currently be able to connect to the Lifeline by dialing 988, this dialing code will be available to everyone across the United States starting on July 16, 2022. When people call, text, or chat 988, they will be connected to trained counselors who are part of the existing National Suicide Prevention Lifeline network. These trained counselors will listen, understand how their problems are affecting them, provide support, and connect them to resources if necessary. The current Lifeline phone number (1-800-273-8255) will always remain available to people in emotional distress or suicidal crisis, even after 988 is launched nationally.

How can CREG Systems Help?

CREG Systems takes pride in maintaining compliance. We provide emergency notification solutions for a wide variety of businesses, from federal, state, and local agencies to single-site businesses and healthcare organizations. We've helped many facilities move from traditional phone systems to more sophisticated communications that ensure accurate notification of critical information on the right communications device to assist in an emergency. Our emergency notification solutions can help your organization meet and exceed the requirements of Kari's Law and Section 506 of Ray Baum's Act.

World Backup Day: Why are Backups Important and How can CREG Systems Help?

March 31st is World Backup Day!

Have you backed up your data recently? Large amounts of valuable data are lost every day because people fail to follow one basic procedure: back up data. World Backup Day, March 31st, is set aside as a reminder to back up your files, even if it's only once a year. For those with backup technology in place, World Backup Day should be a reminder of the importance that digital information plays in our daily lives, and a prompt to check up on existing backups to make sure they are being properly made and that they can be easily restored. For those not currently backing up their data regularly, the day should bring data security into focus. Perhaps take the time to consider the impact losing your data forever would have, then take action.

What is a Backup?

A backup is a secondary copy of data. Backups may include things like company or client data, emails, text messages, or even family photos. Regardless of the type of data, a backup is a copy of the original which is used primarily as a safeguard against loss or destruction of the original copy.

Why Should I Backup my Data?

Making backups of collected data is critically important in data management. Backups protect against human error, hardware failure, virus attacks, power failure, and natural disasters. Backups can help save time and money if these failures occur. If you've ever deleted an important file, lost an important email, or found out the hard drive on your computer is broken, you can probably understand why having a backup is worthwhile. But thinking beyond just a broken hard drive, there are several important reasons to keep accurate and up-to-date information in a safe place. Consider the ever-growing number of ransomware cases popping up around the world, and particularly the threat that small business owners face when targeted by these attacks.

Benefits of Backups

Imagine you turn on your laptop for work on a Monday morning and the screen is blue. You turn it off and quickly restart your computer, but still, the screen is blue (commonly known as a BSOD, or Blue Screen of Death, among PC repair technicians). You have a sudden feeling of panic as you realize all of the presentations for current and potential customers are on this laptop. Sure, all the long-term records and important data are on a company server, but now you've lost dozens of hours of work and there's little chance you'll get it back. This very real scenario is just one pitfall of avoiding backups. Having backups allows you to work without fear that a document, database, or presentation will disappear. Backups also provide insurance against malicious acts by employees or outside actors, as well as accidental data destruction.

How to Backup Data

There are a wide variety of backup solutions available, from no-cost options to complex redundant servers placed in your physical workspace. Backup solutions come in a few major categories:

Cloud– Cloud backup refers to any data that is stored offsite from the original, and generally refers to using a third party with redundant data storage to keep the data. Cloud has amazing reliability (the data never goes away, as it is stored in multiple locations with an array of protections, as well as high availability). The data is accessible from anywhere and on any device. One example of cloud storage is Google Drive. Google Drive is an online storage folder that allows you to store data off of your hard drive and on a series of hard drives which are protected by world-class security and redundancy mechanisms.

Onsite Server– A much more traditional approach to backup is simply keeping a secondary device (a computer, an external hard drive, or an on-location network storage device, i.e. NAS, Network Attached Storage) in the same location as the original data. This approach is low cost and has the benefit of being managed by the data owner. The downside is that if something goes wrong in the original location (fire, flood, theft, blackout), the backup may be destroyed along with the original data. This option is low cost when applied using a flash drive, and data could easily (and cheaply) be backed up to multiple locations (several physical flash drives, stored in multiple places).

Managed Cloud– Think iCloud from Apple or Samsung Cloud. These services are frequently offered at no cost (or pay when you reach a data limit) and are built into the device. Under the settings for your device, search for iCloud or Samsung Cloud. You'll see what's currently being stored, what data limits you have, and options to expand those limits (for a cost), and you have the option to pick what is backed up.

Before You Begin: Keep in mind that backup solutions must take into account any and all data protection laws or regulations (such as CMMC, federal/state supply chain contracts, or HIPAA) that apply to your organization.

How can CREG Systems Help?

CREG Systems can automate backups on-site and in the cloud. As part of our managed backup service, we will copy and back up your data, creating a snapshot of your systems that can be used for recovery and restoration in the event that something goes awry.

For example, if malicious code found its way into your network and corrupted files before it could be removed, we can use our backups to restore your system to the way it was before. By backing up data daily and storing it on on-site servers, at a separate location, or in the cloud, we can provide you the peace of mind that comes from knowing your information is safe, even if the unexpected happens. Simply put, a data backup is just a copy of files from your computer or device. Keeping a backup of your important business files and data is essential for several important reasons.

For optimal protection, it is best to defend your data using what we at CREG Systems call the 3-2-1 rule. Put simply, the 3-2-1 rule states that you should:

  • Keep at least three copies of your data (so no single event will destroy all copies).
  • Store the data on at least two different types of media (e.g., disk, tape, or cloud).
  • Keep one copy offsite to protect against fire, flood, theft, and other physical disasters.

In honor of World Backup Day this year, make a pledge to ensure at least one backup exists of your most critical data. Start small if this is a new endeavor, such as using a flash drive to back up records. Or go for something more ambitious if you feel comfortable; for example, you can head to Microsoft OneDrive or Google today and sign up for a free account. Although the storage limits are low for free accounts, you can quickly get the hang of backing up your data. Good luck, and go back up those valuable files!