4 Rules of Thumb Regarding Passwords and Authentication

Many people believe passwords are dumb. They store their credentials for easy login, or even leave the password blank if the app allows it. For IT managers, getting users to come up with strong, unique passwords is definitely not an easy task. Preferring convenience over security, many people fall back on familiar names and dates or simple phrases they can remember. Even when IT departments try to enforce best practices there is a constant struggle between honoring those standards and influencing user behavior.

Relaxed password standards allow users to set passwords that are as easy to guess as they are to remember, while very strict complexity requirements often result in users storing passwords in document files or on post-it notes stuck to the monitor. Setting password standards and managing the policy implementation requires a balance between usability and security, but more often than not the balance skews toward simplicity. Yet passwords aren’t going away any time soon, even as biometrics and multi-factor authentication grow in prominence.

It is most likely that new technologies and standards will be combined with passwords to protect critical data. A password alone is not the ultimate in security, but passwords remain a key element in nearly every security model, so for now they should be as strong and unguessable as possible. As technologies and standards rise to meet the demands of users and enterprises, the way passwords are used will change. Here are 4 rules of thumb to consider regarding passwords and where authentication technologies are going.

1. Your face might be your password.

Biometrics won’t fully replace passwords right away, but the use of biometric data for authentication is growing rapidly. Face recognition, fingerprint scanning and voice identification are all being employed as authentication mechanisms, and users are embracing them because they are easier than a remembered password. Smartphones and PCs have sensors for reading fingerprints, cameras for seeing faces and microphones for hearing your voice. Many systems can also combine geodata with the biometric data (matching person to place), making it harder to compromise an identity while being less disruptive to the user. The technology isn’t foolproof, and a biometric is an identifier rather than a secret: it cannot be changed if a stored template leaks, which is why well-designed implementations keep the template on the device and use a successful match to unlock a locally stored key rather than sending the biometric itself to a server. Even so, it represents a major step towards more secure systems without placing the responsibility strictly on the user.

2. Two pieces of ID are better than one.

The point of multi-factor authentication is that a user must present two or more independent pieces of evidence, drawn from different categories (something you know, something you have, something you are), in order to gain access. For example, a password may be the first piece of evidence, with a one-time code sent to, or generated on, a mobile device as the second. Even as biometric authentication grows in prominence, industry participants recognize that no single method covers all the bases all the time. Multi-factor authentication is gaining in prominence as users become more familiar with the methods and the implementations become less intrusive. AI may also influence how these systems are applied. As user behavior and transaction parameters are “learned”, systems can identify activities that fall outside of normal routines and additionally prompt users for single-use PINs or passwords sent to their mobile device.
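The one-time code described above is usually an HOTP/TOTP value (RFC 4226 and RFC 6238), which is what authenticator apps generate. The following is an added example, not code from the original post, showing both the generator and the server-side verifier; the sample key is the 20-byte test secret from the RFCs, and the `TotpVerifier` class, its replay check and the drift window are this example's own design choices.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' to a fixed number of decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter = floor(time / step)."""
    return hotp(key, unix_time // step, digits, algo)


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user shared secret (20 bytes = 160-bit, the SHA-1 block size
    the RFC test vectors use)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(key: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI as encoded in the QR code an authenticator app scans.
    The secret is base32 without padding, as apps expect."""
    b32 = base64.b32encode(key).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


class TotpVerifier:
    """Server side of the exchange. Tolerates +/- `window` steps of clock
    drift, compares in constant time, and remembers the highest counter it
    has accepted so a captured code cannot be replayed inside its window
    (the 'single-use' property the post relies on)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # already consumed: refuse replay
            expected = hotp(self.key, c, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
    rfc_key = b"12345678901234567890"
    print("HOTP counter 0:", hotp(rfc_key, 0))                 # 755224
    print("TOTP at t=59 (8 digits):", totp(rfc_key, 59, digits=8))  # 94287082

    # Simulated enrolment and login for a constructed user.
    key = new_secret()
    print(provisioning_uri(key, "jsmith@example.com", "ExampleCorp"))
    v = TotpVerifier(key)
    now = 1234567890
    code = totp(key, now)
    print("first use accepted:", v.verify(code, now))
    print("replay accepted:", v.verify(code, now + 5))
```

The verifier state (`last_counter`) has to live on the server next to the user's secret; the secret itself should be stored encrypted, since anyone who reads it can generate valid codes.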

3. Businesses should learn from past mistakes.

With news of hacking, ransomware and malware being daily fare, companies and their users are realizing that password security really is important and are stepping up their security efforts. The information needed to avoid repeating other organizations’ mistakes is readily available, with worst-case scenarios aplenty to learn from. Using default passwords, reusing passwords across work and personal accounts, using unsecured network connections, storing password information in unencrypted files and failing to patch or update systems and software are entirely preventable situations that put information at risk. Taking the breach reports seriously and identifying the mistakes to avoid is highly useful when designing security for the business.

4. There’s a growing ecosystem for authentication.

With the number and variety of systems requiring authentication, from industrial control systems to dating websites, there is a great and growing need for highly secure authentication methods that are actually usable. Even in the world of blockchain there is a need for “identity assurance” and confirmation when documents or biometrics are captured via smartphone. Fast IDentity Online (FIDO) is a set of specifications for strong, phishing-resistant authentication developed by the FIDO Alliance; it covers both passwordless and second-factor use, and relies on public-key credentials bound to the user’s device and to the relying party rather than on a shared secret that can be phished or leaked from a server. The FIDO Alliance includes members such as Google, Aetna, Amazon, Microsoft, Bank of America and Samsung, and developed the specifications as an initial basis for standardizing authentication across platforms and systems at the client and protocol layers.

Technology is changing rapidly and solutions once reserved for government and large enterprise are now entering mainstream consumer use. You’ve probably already noticed that banking and other apps are employing the use of fingerprint and other biometric data with increased frequency as users demand easier access to applications and features from their smartphones and other mobile devices.

These technologies sometimes replace traditional password entry as the primary means of authentication or augment password use in some manner. Even MasterCard has announced a component in its payment card solutions that allows users of next-gen payment cards to register their fingerprint data on their credit card.

The push is to allow users to interact with their tasks without putting up barriers to access.

The new standards combine usability with enhanced protection, and they are developing to address not just system security but identity verification for various purposes. Corporate information must be secured and so must personal identity information; simply read the news to understand what can happen when digital identity information gets compromised.

Whether the data is business or personal, keeping hackers and bad actors away from it isn’t easy, so strengthening the most basic first layer of protection – the password – is the best place to start.

Make Sense?

J

4 Rules of Thumb for Better Mobile Device Security

Security threats are everywhere, lurking in alley ways and around corners and even in your favorite coffee shop. Yet mobility is in demand, and people will use their smartphones and other mobile devices because it’s convenient, even if company policy suggests against it.

This is a big deal for IT and security professionals and CIOs, yet it took a while for IT to recognize that mobile device security has to be addressed rather than simply denying mobile device use. With data breaches, ransomware attacks, hacks and information leaks happening on an almost daily basis, businesses must find ways to protect their valuable applications and data from loss or misuse while at the same time enabling mobile device use.

The following 4 rules of thumb are not comprehensive, but they are essential guidance for business owners addressing mobility management and security within their organizations.

Rule 1: Make sure there are clear mobile device use policies and support them with ongoing administration and strict enforcement.

I can’t say enough about having good security and mobile device policies, keeping them modern and relevant, and actually enforcing them. Too many businesses say they have a “security and use” policy in place, yet it is outdated and doesn’t reflect the tools or processes actually in use. Even more frequently a business will develop a policy just to say it has one, but won’t train workers or enforce compliance.

Rule 2: Require and enforce strong passwords, manage access in real time, and change passwords whenever compromise is suspected.

It is essential that all user access to applications or data be controlled, at minimum, by password-protected logins to the device and to corporate resources. Users often prefer not to require passwords or other authentication for device access, but corporate policy should not only require them but also enforce their use. On forced password changes, note that current NIST guidance (SP 800-63B) recommends against arbitrary periodic rotation, which tends to push users toward predictable variations of the old password; change passwords promptly on any evidence of compromise instead, and put the effort into a sensible minimum length, screening new passwords against known-breached lists, and multi-factor authentication. Also, user access should be managed in real time: anything relating to access should be disabled or revoked immediately upon employee termination or reassignment. Too often these chores are left to after-the-fact IT administration, which leaves users with access to resources beyond their rightful boundaries.
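What “strong passwords” enforcement looks like in code, as an added example that is not from the original post: a policy check in the style of NIST SP 800-63B (length bounds, rejection of trivial runs and context-specific words, and a lookup against a breached-password set by SHA-1 hash). The breached set here is constructed inline from a few well-known weak passwords in place of a real breach corpus, and the `range_suffixes` helper mimics the k-anonymity pattern of querying by hash prefix so the full password hash never leaves the checking host; function and field names are this example’s own.

```python
import hashlib
import unicodedata

# Constructed stand-in for a breached-password corpus: SHA-1 (upper-case hex)
# of a handful of passwords that appear in essentially every breach list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "welcome1")
}


def range_suffixes(prefix5: str) -> set[str]:
    """Return the hash suffixes (chars 5..39) of every breached hash starting
    with the 5-hex-char prefix. This is the shape of a k-anonymity range query:
    the caller sends only the prefix and matches the suffix locally."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_suffixes(digest[:5])


def _is_trivial_run(s: str) -> bool:
    """True for 'aaaaaaaa', '12345678', 'zyxwvuts' and similar keyboard walks
    along a single code-point direction."""
    if len(s) < 2:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({0}, {1}, {-1})


def check_password(candidate: str, username: str = "",
                   context_words: tuple[str, ...] = (),
                   min_len: int = 8, max_len: int = 64) -> list[str]:
    """Return the list of reasons the candidate is rejected; empty means OK.
    Deliberately no composition rules (uppercase/digit/symbol quotas): length
    and a breached-list check do more than forced complexity does."""
    reasons = []
    pw = unicodedata.normalize("NFKC", candidate)  # stable comparison/hashing
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    lowered = pw.lower()
    for ctx in (username, *context_words):
        if ctx and ctx.lower() in lowered:
            reasons.append(f"contains context-specific word {ctx!r}")
    if _is_trivial_run(pw):
        reasons.append("repeated or sequential characters")
    if is_breached(pw):
        reasons.append("appears in breached-password list")
    return reasons


if __name__ == "__main__":
    # Constructed inputs for a user 'jsmith' at a company called 'ExampleCorp'.
    for pw in ("password", "12345678", "jsmith2024!", "correct horse battery staple"):
        verdict = check_password(pw, username="jsmith", context_words=("ExampleCorp",))
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The checker is the gate at password set time; the same `is_breached` call is also worth running on existing passwords when a new breach list arrives, which is the event that should trigger a forced change rather than the calendar.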

Rule 3:  Do something to contain the applications and data on the device.

Whether the approach is containers, cloud hosting, server-based computing or something else, it is really important to “contain” the applications and data accessed from the mobile device. Risk is created when users sync data directly to the device’s storage or install applications directly on the device to access corporate data. Passwords and other access controls prevent unauthorized logins, but applications, credentials or data stored directly on the mobile device can interact with everything else on that device, including any app the user has installed. Containers, hosting and server-based computing models keep the applications and data within secured spaces, often not storing essential items on the device at all but only accessing them through it. This gives users the access and functionality they need to do their jobs while reducing the exposure of applications and information assets.

Rule 4: Keep device software up to date and download fewer apps.

Keeping the mobile operating system at a current version and patch level is important to make sure the device has the latest security fixes and threat protection. Some mobile OSes also have capabilities that keep personal and work apps separated. Limiting the number of apps users can install on their devices should also be considered. Users randomly download and install applications with little regard for the quality or security of the app, and often accept terms of use and permission requests without really reading them. Consumer apps from app stores may pose risks to data and the device, so IT should check regularly for problematic apps on any device used to access the corporate network, applications or data.

Mobile and wireless are in demand

Just about every business has people who use their phones and tablets for some business purpose, and every one of those mobile devices and the apps running on them could open the door to a hacker, ransomware, data theft or compromise. While there are many benefits to be gained by enabling remote and mobile devices in the business workflow, unrestricted access only creates risk.

Keeping mobile devices secure for business use takes multiple approaches, as there is no single method or solution that works for every situation. Our 4 rules provide a basic foundation for business mobility management, offering a starting point for developing a more thorough and detailed plan.

Make sense?

J

Mobile IT for Contractors and Builders (for every business, actually)

The Trend Is Up For Single-Family Housing Market

Even as lot and labor shortages and other supply side constraints continue to impact builders, and while the cost of building materials continues to rise, the demand for housing continues to increase at a fairly consistent rate. “November’s builder confidence reading is close to a post-recession high...” NAHB Chairman Granger MacDonald said in a recent release.

Supported by rising homeownership rates and a reduced number of available homes for sale, the trend up is expected to continue.

Increased competition for new business opportunities in the building market requires that home builders and developers leverage available technologies and IT resources to improve operational performance and increase the profitability of every project. Applications for better estimating, project and cost management and accounting represent the foundations for information management and supporting the flow of work. Extending workflows to embrace mobile workers and remote offices is the next step to developing an efficient anytime/anywhere business. Ninety-two percent of U.S. construction executives believe that technology will fundamentally change their businesses and help them bridge the performance gap, according to KPMG’s Make it, or break it – Global Construction Survey 2017 report.

Collaborating while on the go and exchanging ideas and concepts quickly helps businesses be more agile and better-able to meet changing customer needs. Remote and mobile access provides businesses with mobile office options that allow users to get their jobs done no matter where they happen to be.

Business moves at a fast pace and working smarter means implementing the right IT to keep moving up with the demand and creating sustainability for leaner times.

Make Sense?

J

The nasty surprises hackers have in store for us in 2018

“Hackers are constantly finding new targets and refining the tools they use to break through cyberdefenses. The following are some significant threats to look out for this year.

More huge data breaches

The cyberattack on the Equifax credit reporting agency in 2017, which led to the theft of Social Security numbers, birth dates, and other data on almost half the U.S. population, was a stark reminder that hackers are thinking big when it comes to targets. ..

Ransomware in the cloud

… The biggest cloud operators, like Google, Amazon, and IBM, have hired some of the brightest minds in digital security, so they won’t be easy to crack. But smaller companies are likely to be more vulnerable, and even a modest breach could lead to a big payday for the hackers involved.

The weaponization of AI

This year will see the emergence of an AI-driven arms race. Security firms and researchers have been using machine-learning models, neural networks, and other AI technologies for a while to better anticipate attacks, and to spot ones already under way. It’s highly likely that hackers are adopting the same technology to strike back…”

Source: The nasty surprises hackers have in store for us in 2018

Business Data Storage in the Cloud – Accountex Report

The term “cloud” has been applied to all sorts of online or Internet-based application models, and there are a great many approaches to developing cloud-based services and solutions. What this translates to is a volume of options and possibilities for information storage, management, and access in the cloud. Understanding where information is stored, how it may be accessed, and how it might be transmitted to others becomes essential knowledge that business owners should have when they engage with any information technology (IT) solution or service. Yet the plethora of “simple, affordable, and instantly gratifying” services currently available on the web all but ensure that businesses will engage with one or more solutions that provide them with little or no information (much less control) over the placement and management of their data.

Source: Business Data Storage in the Cloud – Accountex Report

Read more about Compliance in the Cloud, and making sure your data doesn’t get lost or compromised, even when you use a hosting company…

MSP, IT, Telecom, Channel: Convergence and the Cloud

Small and growing businesses have always relied upon various service providers and vendors to deliver the solutions required which support the business operation. Often viewed as the critical infrastructure of the business, phone and computer systems are among the first acquisitions a new business makes.  Phones and voice service, wired and wireless networks and all forms of communications infrastructure are part of IT and represent a large portion of the business information systems.

Small businesses used to have a phone guy they could call for phone stuff. The phone guy was a person or company who got phone lines installed, ran cabling for phones, installed phone systems and set up voicemail. The phone guy could help get cheaper long distance calling rates and train users on how to use the paging system and transfer calls.  The phone guy interacted mostly with the office manager or receptionist – the person in the office most likely to be “in charge” of the phone system, influencing these purchasing decisions greatly.

The computer guy, on the other hand, made sure the workstations and server were working, defragged hard drives, installed software and set up printers. The computer guy was the person or company that sold and supported the IT in the business, and often consulted with the business owner or line manager when it came to addressing information system requirements.

Telephony and networking is now clearly in the realm of IT, which changes how services are selected and purchasing is influenced. Computing and communications infrastructure, networking and mobile is all part of business IT. The separation of services – voice versus data – is gone.  The phone vendors and the IT suppliers are now the same company, providing the critical infrastructure, the platforms and the application services that businesses are buying. These service providers understand that the foundations for delivering voice and data services are the same; the skills of their techs and the tools they use have converged to the point where there is little separation of duties.

Cloud services and outsourced solution providers offering hosted PBX and virtual applications infrastructure have revealed to business owners that there is often little difference in what the phone guy and the computer guy can provide. Business owners want converged solutions: voice and data when and where they need it to support business operations. Just a little research reveals that these anytime/anywhere models are widely available and that the cloud is the key.

IT services are critical to the business, but the server doesn’t have to be under the front desk or in a back closet in order to function. There is simply too much evidence in the market for business owners to ignore; shooting the server is now a viable option.

Every day more business owners are being inspired to [shoot their servers] seek out the services that will allow them to continue to benefit from innovations in technology while relieving them of the direct responsibilities of equipment purchasing, implementation, administration and lifecycle management.

Cloud services deliver this capability, and channel partners and Value Added Resellers should recognize their opportunity to get inspired as well, and to start offering cloud-based and hosted services to their customers and capture the “buying decision” opportunity that has [been] created.

Ready. Aim. Fire.

Source: Go Ahead and Shoot the Server: End of Microsoft Small Business Server Inspires Cloud Adoption with Small Businesses « Cooper Mann Consulting

Recognition of the convergence of voice and data services and channels hasn’t really hit home for a lot of resellers and channel partners, and this has understandably positioned providers on both sides of the equation as direct competitors. The phone guy thinks he is his customer’s “trusted advisor”, and that the loyal customer will certainly come to him if there is ever a need. The computer guy likewise believes that he is the trusted advisor, having the ear of the business owner and wielding enough influence to ensure a continued revenue-earning relationship.

In truth, both the phone guy and the computer guy probably have earned their business customer’s trust and were the go-to people when there was a new business need. The problem is that the customer may no longer call one or the other of their “go-to” guys because the forward-thinking guys are offering one-stop service that delivers everything the business needs.  The lines between phone and computer stuff are not so clearly drawn any longer; it is all cloud IT and full service providers are winning the customer business.

Channel resellers, agents and MSPs are all telling their SMB/SME customers the same things, and at a base level they’re selling the same things, too. Everyone is talking about lower up-front investments and improved business productivity... and what they’re all selling is cloud and virtual. “Businesses need cloud in order to compete; move CapEx to OpEx; mobile is the new office” and “remote workers and devices need a secure, quality network”.

Whether it relates to telephone systems with voicemail, automated attendants and a little intelligent voice response thrown in, or if the deal is for servers and workstations, software and network cabling, it is all business information technology and the trusted advisor is the guy who can provide it all. Convergence has clearly arrived.

Make Sense?

J