Mortgage Software Solutions Blog

Can Your Mortgage Business Use BitLocker Without TPM?

The theft of a computer can be bad news for your mortgage business. It's not just the cost of replacing it; insurance should cover that. It's the prospect of letting confidential information into the hands of thieves. Confidentiality is vital to the mortgage business. Even computers sitting on desktops can be stolen.

Encrypting the entire disk drive helps to protect against data theft. As long as a user isn't logged in and active, thieves won't be able to read anything on the drive. It just needs to be set up once and after that, it's transparent. A logged-in user sees files just as if they weren't encrypted.

BitLocker for Full Disk Encryption

On Windows, there are several ways to do this. Windows 10 Professional and some older versions include a tool called BitLocker. An open-source alternative called TrueCrypt used to be available, but it's no longer supported and may have uncorrected problems.

There's a limitation on BitLocker, though. By default, it requires a hardware device called the TPM, or Trusted Platform Module. The TPM provides an extra layer of security by storing passwords and keys in a secure form. Not all computers come with one, but some machines let you add one. It's logically tied to one computer and won't disclose its information if moved to another one. Windows 10 requires a version 1.2 TPM.

The way the encryption works may need a little explaining. You access the encrypted disk by logging in, but your password isn't the encryption key. The actual key is a long string of characters, and the TPM is needed to get it.

BitLocker Without TPM

It's not clear whether a TPM really makes BitLocker much more secure. If someone steals a computer, they're usually stealing the motherboard, disk drive, and TPM all at the same time. If your computer doesn't have one, it's still possible to use BitLocker, though it takes extra work.

The TPM provides other security benefits, though, so it is worth having. It checks if a drive or the boot loader has been tampered with. It lets the user store passwords and other credentials safely. Some older computers, however, don't support it.

Security Options

You can set up BitLocker to write a USB key, or you can have it require an additional password. If you use the USB key, you'll have to insert it each time you boot the computer. This approach may provide better security, since it requires an external device or piece of information. You can also use one or both of these options, if you do have a TPM, for the highest possible security.

BitLocker, even without a TPM, provides a reasonable level of security, but only if the user is careful. Don't carry the USB key around in the same bag as the computer (or permanently plugged into the computer). That defeats the whole point of having it. At the same time, don't lose the key.

If you're worried about losing the USB key, you can set up your Microsoft account so that you can get a recovery key if you ever need to. This creates an additional risk at the same time, since someone could conceivably steal it from the account. If this is a concern, you can print out the key, put it in a locked box, and delete it from the server. (Don't store a written copy of either your recovery key or your Microsoft password with your computer!)

Keep it Safe

Whichever approach you prefer, having an encrypted drive is significantly safer than having an unencrypted drive. If someone steals a laptop computer with customer information, it's better if the thief gets only the hardware. Requiring BitLocker on all Windows computers that your business uses gives security a strong boost. Even if not all of them have TPM hardware, they still benefit from encryption. Just make sure employees don't take shortcuts that undercut the benefits.
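One way to check that each machine actually follows the advice above, as an added example that is not part of the original post: the function below takes objects shaped like the output of the Get-BitLockerVolume cmdlet and flags drives with protection off, no-TPM machines lacking a password or USB startup key, and drives with no recovery password. The function names, the three sample volumes and the computer names are constructed for illustration.

```powershell
# Added example, not from the original post. Works on objects shaped like the
# output of Get-BitLockerVolume; the sample volumes further down are constructed.

function Get-BitLockerFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Volume,
        [bool] $TpmPresent = $false
    )
    process {
        # Protector types on this volume, e.g. Tpm, Password, ExternalKey, RecoveryPassword
        $types = @($Volume.KeyProtector | Where-Object { $_ } |
                   ForEach-Object { [string]$_.KeyProtectorType })
        $issues = @()
        $advice = @()

        if ([string]$Volume.ProtectionStatus -ne 'On') {
            $issues += 'Protection is off: a thief can read the drive'
        }
        # Without a TPM, the key must come from a startup password or a USB startup key.
        if (-not $TpmPresent -and
            -not ($types -contains 'Password' -or $types -contains 'ExternalKey')) {
            $issues += 'No TPM and no password or USB startup key protector'
        }
        # A recovery password is the fallback when the USB key or password is lost.
        if ($types -notcontains 'RecoveryPassword') {
            $issues += 'No recovery password: a lost USB key or password means lost data'
        }
        # TPM alone unlocks at boot with nothing from the user; a PIN or USB key adds a factor.
        if ($TpmPresent -and $types -contains 'Tpm' -and @($types -like 'Tpm?*').Count -eq 0) {
            $advice += 'TPM-only unlock: consider adding a PIN or startup key'
        }

        [pscustomobject]@{
            Computer   = $Volume.ComputerName
            MountPoint = $Volume.MountPoint
            Protectors = $types -join ', '
            Compliant  = ($issues.Count -eq 0)
            Issues     = $issues -join '; '
            Advice     = $advice -join '; '
        }
    }
}

# Constructed sample data standing in for three no-TPM laptops.
function New-SampleVolume($Computer, $Status, [string[]]$Protector) {
    [pscustomobject]@{
        ComputerName     = $Computer
        MountPoint       = 'C:'
        ProtectionStatus = $Status
        KeyProtector     = @($Protector | ForEach-Object {
                                 [pscustomobject]@{ KeyProtectorType = $_ } })
    }
}

$fleet = @(
    New-SampleVolume 'LOAN-01' 'On'  'ExternalKey', 'RecoveryPassword'   # USB key plus recovery
    New-SampleVolume 'LOAN-02' 'On'  'Password'                          # no recovery fallback
    New-SampleVolume 'LOAN-03' 'Off' @()                                 # never enabled
)

$fleet | Get-BitLockerFinding -TpmPresent $false | Format-List

# On a real machine, from an elevated prompt:
# Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' |
#     Get-BitLockerFinding -TpmPresent (Get-Tpm).TpmPresent
```

The check cannot see where the USB key or the printed recovery key is physically kept, so the handling rules above still have to be enforced by people.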

Access Business Technologies provides secure cloud hosting services for the mortgage industry. Our state-of-the-art vulnerability management solutions, like DeviceGuardian™ and DocumentGuardian™, help provide you with the added security you need against mortgage cyber-attackers. This type of added security can be especially crucial when used with computer equipment utilized in mortgage operations. For more information, please contact us.


Topics: encryption bitlocker

6 Reasons You Need MortgageWorkSpace® With Business Intelligence

With all the changes going on in the world of technology today, it's apparent to us that mortgage companies need more (and better) data to drive their business and security decisions. With MortgageWorkSpace® now featuring Business Intelligence, mortgage companies can easily obtain, organize, and act on that information from the cloud-based platform they know and love.

Business Intelligence gives you insights into your business, unlike any you’ve had before. Collecting huge amounts of data is a good thing, but it is only useful if you can interpret both structured and unstructured data. Understanding the data you collect allows you to analyze your business and use the insights from that analysis to create and take advantage of new business opportunities.

Here are six reasons why Business Intelligence is the perfect tool to help you maximize the advantages of Big Data.

1. Business Intelligence can create new business opportunities.

Business Intelligence can provide you with reports and process analytics that you mine from your online presence. It helps you manage how your business performs and make adjustments to your business strategies, such as product placement and pricing.

Predictive and prescriptive analytics are two of the common uses of Business Intelligence. These tools can help you increase your knowledge of your customer base, learning what types of incentives would help retain customers and who your strongest brand promoters may be.

2. You can gather Business Intelligence from data collected from sources outside and inside your business.

The most compelling Business Intelligence combines external data from your particular market segment with data mined from your own internal departments, like financial data and operations information. Combined Business Intelligence can suggest new markets, analyze how your services might appeal to certain market segments, and gauge the effectiveness of your current and proposed marketing plans.

3. Business Intelligence can provide relevant facts and figures.

Business Intelligence provides relevant facts and figures but in a meaningful and useful way. In addition, powerful software programs can present your Business Intelligence information to you in rich graphics, with features that allow you to organize the collected information in the way that makes the most sense to your business.

4. If you have been looking for Business Intelligence software, specifically designed for mortgage companies, you can relax.

MortgageWorkSpace® is the only software specifically designed for mortgage companies. And, in a very exciting development, software giant Microsoft partnered with MortgageWorkSpace® to feature their Power BI software inside the MortgageWorkSpace® portal.

5. MortgageWorkSpace® helps you use your Business Intelligence while you manage your mortgage business.

MortgageWorkSpace® is a portal that helps you manage your devices, your users, the software you use to run your mortgage business, and the data that your business collects. It allows you to do everything you need from one location. You can deploy and manage your loan origination software to all your branches and by department. And now, you can access Microsoft's best-in-class software, Power BI, from inside the portal.

6. Power BI is the tool set for a mortgage company.

Power BI is Microsoft's suite of tools that helps you analyze data from finance, sales, operations, and other areas of your business and your market. Most significantly, Power BI is a cloud-based platform that includes powerful dashboards that now give you data in real-time. Through Access Business Technologies’ cloud hosting providers, you will have everything you need to interact with your customers anywhere.

Appropriately enough, Microsoft named them Real-Time Dashboards. The talk is that the Real-Time Dashboards are so powerful and fast that you will be able to receive customer perceptions while they are still in your office (or, presumably, online). Best of all, Power BI users do not need special technical expertise to create useful graphics that help them visualize their business's data. The new power of this Microsoft tool is taking MortgageWorkSpace® to a whole new level.

If you want to learn more about the latest changes to Microsoft's Power BI, read CMSWire’s article by David Roe from August 12, 2016, entitled "Microsoft Power BI Dashboards Deliver Real-Time Data."

If you are looking for a way to stop mortgage cyber-attackers and boost your vulnerability management solutions, we can help. To talk more about Power BI or the other tools available to your mortgage business, please contact us.


Topics: ABT MortgageWorkSpace Business Intelligence

7 Common Questions About Multi-Factor Authentication (MFA)

As data security professionals, it's clear to us why mortgage companies should be using multi-factor authentication (MFA) in their businesses. Yet many mortgage firms are still resistant to adopting this technology for fear that it will only complicate processes and slow productivity. However, the benefits of this added security far outweigh the additional effort it requires.

Here are answers to seven of the most commonly asked questions about MFA that you should consider before ruling out multi-factor authentication for your mortgage business.

1. What is MFA?

Multi-factor authentication (MFA) combines two or more independent authentication factors. For example, suppose your website required your clients to enter something only they would know upon login (password), something they have (like a one-time smartphone authentication token provided by special software), and a biometric identifier (like a thumbprint). It is pretty hard for a mortgage cyber-attacker to have all three of those items, especially the biometric identifier.

2. That seems like overkill. What is the point of all that security?

The goal of MFA security systems is to create layers of authentication that defend against hackers trying to breach your system's defenses. If a hacker breaches one authentication layer, there are one or two more still holding the line. MFA makes breaches more complicated and time-consuming for hackers.

When you consider that a breach of your security system exposes your mortgage clients to identity theft and fraud, protecting them with a layered system of security only makes sense. Old-fashioned security measures are no match for today's cyber criminals.

3. Are there typical multi-factor authentication systems I should consider?

Yes. Some systems require swiping a card at login and entering a PIN. Others require the username/password and then an additional one-time password that the system generates and sends to the client's phone. This system is popular with banking websites, and using such a system would benefit mortgage companies as well. Other authentication systems require the user ID, the user's fingerprint, and the answer to a security question. Still others require users to first download a virtual private network (VPN) that has a valid certificate and then log in to the VPN in order to access the network.

It’s best to discuss your unique situation and security needs with an IT professional to determine exactly what type of multi-factor authentication will work best for you.

4. So, mortgage companies are vulnerable to such full-scale hacker attacks?

Absolutely. As computer processing speeds have increased, the scale of attacks on financial institutions and other businesses has increased. In addition, there are new hacker tools that can crack password codes more easily than ever before.

The GPGPU, for example, is a general purpose graphics processing unit. GPGPUs can conduct calculations that would normally be done on a CPU at a higher rate: 500,000,000 passwords per second!

Another tool, known as rainbow tables, can crack 14-character passwords (even those with alphanumeric characters) in less than three minutes. It is not hard to see that one-layer password protection and even two-layer protection are no longer good enough.

5. I still don't get it. How does MFA work?

Multi-factor authentication throws a few roadblocks in the hacker's pathway. Location factors are one way for a security system to identify a person's identity. For example, work schedules and location can determine whether a user is who he says he is. Time is another example of a security layer. If a person uses his phone at a job in the US, it is physically impossible for him to use it again from Europe 15 minutes later. These are especially helpful in online bank fraud and, by extension, mortgage company fraud.
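The time-and-location check described above, sketched as an added example that is not part of the original post or of any product it names: it compares consecutive sign-ins per user and flags pairs that would need faster-than-airliner travel. The sign-in records are constructed, and the 900 km/h ceiling and 50 km same-area tolerance are assumptions.

```powershell
# Added example. The sign-in records are constructed; the thresholds are assumptions.

function Get-DistanceKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine great-circle distance on a sphere of radius 6371 km
    $rad  = [Math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $rad
    $dLon = ($Lon2 - $Lon1) * $rad
    $a = [Math]::Pow([Math]::Sin($dLat / 2), 2) +
         [Math]::Cos($Lat1 * $rad) * [Math]::Cos($Lat2 * $rad) *
         [Math]::Pow([Math]::Sin($dLon / 2), 2)
    2 * 6371 * [Math]::Asin([Math]::Sqrt([Math]::Min(1.0, $a)))
}

function Find-ImpossibleTravel {
    param(
        [object[]] $SignIn,
        [double]   $MaxKmPerHour = 900,   # assumed ceiling: roughly airliner speed
        [double]   $SameAreaKm   = 50     # assumed tolerance for imprecise geolocation
    )
    foreach ($group in ($SignIn | Group-Object -Property User)) {
        $events = @($group.Group | Sort-Object -Property Time)
        for ($i = 1; $i -lt $events.Count; $i++) {
            $prev = $events[$i - 1]
            $cur  = $events[$i]
            $km = Get-DistanceKm -Lat1 $prev.Lat -Lon1 $prev.Lon -Lat2 $cur.Lat -Lon2 $cur.Lon
            if ($km -lt $SameAreaKm) { continue }

            $hours = ($cur.Time - $prev.Time).TotalHours
            # Two distant sign-ins at the same instant count as infinitely fast travel.
            $speed = if ($hours -gt 0) { $km / $hours } else { [double]::PositiveInfinity }

            if ($speed -gt $MaxKmPerHour) {
                [pscustomobject]@{
                    User    = $cur.User
                    From    = $prev.City
                    To      = $cur.City
                    Minutes = [Math]::Round($hours * 60)
                    Km      = [Math]::Round($km)
                    Action  = 'Challenge with another factor or block'
                }
            }
        }
    }
}

# Constructed sign-in records (user, UTC time, approximate city coordinates).
$signIns = @(
    [pscustomobject]@{ User='alice'; Time=[datetime]'2016-09-01T09:00:00Z'; City='Denver';    Lat=39.74; Lon=-104.99 }
    [pscustomobject]@{ User='alice'; Time=[datetime]'2016-09-01T09:15:00Z'; City='Frankfurt'; Lat=50.11; Lon=8.68 }
    [pscustomobject]@{ User='bob';   Time=[datetime]'2016-09-01T09:00:00Z'; City='Denver';    Lat=39.74; Lon=-104.99 }
    [pscustomobject]@{ User='bob';   Time=[datetime]'2016-09-01T09:20:00Z'; City='Denver';    Lat=39.75; Lon=-104.98 }
    [pscustomobject]@{ User='carol'; Time=[datetime]'2016-09-01T08:00:00Z'; City='New York';  Lat=40.71; Lon=-74.01 }
    [pscustomobject]@{ User='carol'; Time=[datetime]'2016-09-01T11:00:00Z'; City='Chicago';   Lat=41.88; Lon=-87.63 }
)

Find-ImpossibleTravel -SignIn $signIns | Format-Table -AutoSize
```

IP-based geolocation is approximate and VPN exits can move a user's apparent location, so a hit is a reason to ask for another factor, not proof of compromise.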

6. Sounds like something the mortgage industry should consider. Are there any legal or legislative considerations?

Yes. The Federal Financial Institutions Examination Council (FFIEC) issued a directive for multi-factor authentication in the banking sector. We believe that the mortgage industry and the regulators are moving toward a place where mortgage companies will be subject to the same information security standard as the banking industry, meaning mortgage companies will need to implement this technology to maintain security compliance.

7. How do I know what MFA layers would be good for my mortgage business?

You can read more about MFA. For instance, read this buyer's guide for MFA products.

If you want to talk more about MFA, or any other vulnerability management solutions, please contact us. MortgageWorkSpace®’s cloud interface is a convenient entry point to your company that will help you manage your secure information. This secure portal provides you access to your team (by group, branch office, and/or department), their security, their devices, and data. You can control and manage your entire workforce from one web-accessible point with rich features like single sign-on, multi-factor authentication, and user application logs. This way, you can be sure you are keeping track of every aspect of your security.

We look forward to helping you protect your clients' and your network's information security.


Topics: MortgageWorkSpace multi-factor authentication

Cerber Ransomware Poses a Huge Risk for Mortgage Companies

International criminals are cyber-attacking American companies at unprecedented rates. Worse, many victims don't even announce they paid money to these gangsters, so the FBI doesn't actually know the precise numbers. However, the threat undoubtedly continues to grow.

Mortgage companies need to protect themselves now, before these criminal hackers use the latest sophisticated software program, called Cerber Ransomware, together with NSA-level, unbreakable encryption, to hold your company's data for ransom. This includes personal financial information on your customers.

How many of your customers would be upset to discover you allowed foreign cyber criminals into your firm's database?

Don’t let your mortgage company be another victim of ransomware. Here’s what you need to know about Cerber ransomware and the risks it poses to your business.

What is Cerber Ransomware?

Ransomware is a form of software virus that infects your computers and networks. It encrypts all your data files, then tells you they will remain encrypted until you pay the hacker in bitcoins. Cerber is the latest version.

What’s Different About Cerber?

First, Cerber talks to its victims. After it has completed encrypting all of your documents, pictures, videos, archives, audio files, and backups with a strong AES 256 algorithm that, so far, cannot be decrypted, it changes the original file extensions to .cerber. It also encrypts the file's name.

Then, it puts three files on your desktop: a .txt file, an .html file, and a Visual Basic Scripting file. They contain the same basic message, telling you about how to send the bitcoin ransom they demand in return for a decryption key. The VBS file actually speaks the message. If you fail to pay the original amount demanded in seven days, the ransom doubles. The program includes a timer in case you lose track of the time.

Secondly, Cerber comes from a website in Russia where it's sold as Ransomware as a Service. That means the criminals don't even program their own viruses. They just rent it from the real programmers, who receive a percentage of the money it brings in.

Thirdly, at the bottom of the message, it adds in Latin, "Quod me non necat me fortiorem facit," which is a famous quote from the German philosopher Friedrich Nietzsche. In English, it translates to "That which does not kill me makes me stronger." Who knew Russian cybercriminals were so interested in motivational quotes?

Ways to Defend Yourself Against Cerber

This article offers a variety of technical ways to set up your network to defend yourself against Cerber and other ransomware. Note what the fourth expert says: Cerber spreads through macro-enabled Microsoft Word documents attached to email.

Businesses should require their employees to use only the default macro setting. That is, the user must actively allow the macro to run. If the user refuses to allow the macro to run, the macro cannot install Cerber. And, of course, nobody should open any file attached to an email if they don't know the email's sender.

Bleeping Computer has a lot more technical information about Cerber in this article, but unfortunately, there is still no way to decrypt files without paying the ransom.

One of the commenters at the end of the article said they got infected with Cerber through Craigslist. They received an email from someone replying to their post about a job.

Also beware of peer-to-peer networks such as Torrent. Be certain any software you download is only from trusted sites, and do not click on links in spam emails.

Ransomware is becoming a greater threat than ever, according to Computerworld. Many companies pay up, then shut up to avoid the embarrassment and bad publicity. Therefore, their incidents don't show up in the FBI statistics.

Access Business Technologies Can Help

Cerber ransomware is a threat to everybody, and it's especially serious to mortgage companies. They have access to money, but don't have the IT staff and equipment to protect themselves from ransomware and other data breaches major banks can afford.

However, DeviceGuardian™ from ABT protects and secures your data and ensures your mobile security at the device level. It makes all the hardware that accesses your network compliant with Consumer Financial Protection Bureau regulations. ABT provides 1Tb of backup data per user. This is important because having a backup that Cerber ransomware cannot reach is an essential part of your defense.

Access Business Technologies’ mortgage company security services provide full virus and malware protection, as well as mobile management software, to protect businesses and their customers and ensure complete security compliance. Contact us today to learn how to protect your company from the huge security threat Cerber ransomware poses.


Topics: DeviceGuardian ransomware

Why Hard Drive Encryption is Important for Mortgage Companies

Is your mortgage company encrypting the hard drives of the devices it uses to conduct daily business? Here’s a better question: Could your mortgage company withstand the potentially catastrophic fallout that would occur if a computer containing confidential client information was stolen and fell into the wrong hands? What about the regulatory repercussions and lack of customer confidence that such an event would cause?

Implementing hard drive encryption today could save you from potential disaster tomorrow.

The Importance of Protecting Your Data

Securing your computers with passwords or behind locked doors is not enough. Passwords may stop an unauthorized person from logging into one of your computers, but it will not stop them from stealing the entire computer. Once they have the computer, accessing any file on your hard drive is easy. Anyone with the right knowledge or tools can bypass the operating system security and access the files directly.

Consider for a moment what kind of confidential information your mortgage company gathers on its clients: social security numbers, birth dates, addresses, employment history, and credit history. Now, imagine if all that confidential data was stolen. In the right hands, this data could lead to hundreds of thousands of dollars in financial losses to your customers, and to your company.

Identity theft is serious business, and keeping your client data safe from theft is a serious part of your business. This is why mortgage industry regulators strongly recommend that mortgage companies encrypt the hard drives on all computers used to handle client data.

How Much Encryption is Enough?

Encrypting specific files or types of files is a good start. Unfortunately, due to the way in which computers access and handle data, anything short of full drive encryption is simply not enough.

Encrypted files on an otherwise unencrypted drive must be unencrypted on the fly by the operating system. These files, or pieces of them, are then stored in an area of the hard drive known as the swap file for easy access and editing once they are opened. For example, if you have ever used the undo function in Microsoft Word or Excel, it is the swap file that makes this possible.

Files and pieces of files in this area of the disk may linger for a considerable amount of time, leaving them vulnerable to access by anyone who can get to the unencrypted part of the file.

The unencrypted part of a partially encrypted drive can also be used as a sort of “back door” to access and circumvent the encryption. This vulnerability can be easily exploited by a fairly inexperienced person with the right software tools.

It is for these reasons that mortgage industry regulations now require businesses to use full disk encryption of all data on laptops and other devices. As such, full drive encryption is the only real option to both protect your confidential data and maintain full regulatory compliance.

Drawbacks of Encryption

Unfortunately, this level of security does come at a cost and with considerable risk.

There are a number of ways you can permanently lose access to the data on your computer or effectively ‘brick’ your computer during or after encrypting the drive. For instance, if you suffer a power outage or system failure while encrypting a drive, you will almost certainly lose the data on that drive. If you lose or forget the password that you used to encrypt your drive, you will be effectively locked out of your drive. If the encrypted drive becomes damaged or the data becomes corrupted, you can also permanently lose access to your data.

We Can Help

ABT can help you avoid those potential pitfalls while assuring your customers—and regulators—that client data at your mortgage company is being protected by a state-of-the-art security solution.

Our DeviceGuardian™ PC and Device Protection technology will ensure mobile device management for all of your computers and mobile devices. We make sure you are fully compliant with Consumer Financial Protection Bureau (CFPB) regulations by providing cutting-edge enterprise security and data encryption to protect your sensitive client data.

ABT is your one-stop IT provider with the specialized services and 24/7 support you need to take your mortgage company to the next level.

Contact us today to discuss the many ways we can manage your specialized IT needs.


Topics: DeviceGuardian encryption