Self Service Password Resets Save Time and Aggravation


You know the drill.  IT has implemented another security policy that requires you to change your password every 90 days.  The password must be complex: 12 or more characters, containing upper and lower case letters, at least one number and a symbol, a character like !@#$%&*.  Your password needs to be something like this, fU&s43jm#@l0, to be valid.  You are also not allowed to reuse a password you have used in the past year.  Will you remember it?  Hopefully.  Will you mistype it?  Almost certainly.  What will you do if you can’t remember it?  Call the Help Desk and have them reset your password.  It stresses you out, doesn’t it?

What if you could easily reset your password, right from your mobile phone, without having to call the Help Desk?  You can!  An innovative company named Passportal from Alberta, Canada has what may be the easiest and best solution to the password reset problem.  Their solution is available through partners like Internet & Telephone, LLC and can make the password management problem go away for you and all the computer users in your company.

Here’s how it works:

  1. You get the dreaded message that your password has expired and you need to set a new one.
  2. You create your new password; ih0p3!r3m3mber@.
  3. You return to the login screen and type it in, but it says it’s invalid.  DejaVu sets in and your blood pressure begins to rise.
  4. In the old days, you would call the Help Desk and ask them to reset your password for you.  You wait for the friendly and empathetic technician to login to your network, open your users account and reset your password.  Back to work you go.
  5. Instead of #4, what if this happened:
    1. You pick up your mobile phone and text a keyword to a pre-defined number you have saved as a contact.
    2. You immediately get a reply letting you know your password is about to be reset.
    3. Within 60 seconds, you receive another text with a new password.  Something like: 8Fx%$Gsjh3*7.
    4. You return to your login prompt and enter 8Fx%$Gsjh3*7 as your password.
    5. You are asked to set a new password that you will remember this time, right?

That’s how easy it could be to reset your password if you forget it, lock out your account or let it expire and mistype your new password.

This is also how easy it is to make password changes and resets less of a hassle for your users and quicker to complete.  The user has complete control and the ability to instantly help themselves through this efficient self service password reset system.

If you’re not using self service password reset now, you should be.  Your users will thank you.  So will your Help Desk team.

DocuSign Hacked, Exercise Caution


Last week DocuSign, one of the market leaders in online eSignatures and contract execution and management, announced that it had discovered a data breach.  The result?  A targeted phishing campaign, using social engineering informed by the breached data, that tricks people into executing a document that is not a real DocuSign document.

If you are not familiar with DocuSign, here is an excerpt from their About Us page on their website.  “DocuSign® is changing how business gets done by empowering more than 300,000 companies and 200 million users in 188 countries to sign, send and manage documents anytime, anywhere, on any device, with confidence.”

The phishing attack, which DocuSign acknowledges, targets those who have used DocuSign to sign and execute contracts in the past.  It is doing this using data obtained from the breach.  Through social engineering techniques, users are tricked into activating macro code in an attached Word document that loads malware onto the victim’s computer.

An important thing to note is that DocuSign never sends attachments and asks the recipient to open the attached file.  That should be an immediate red flag.  If you have used the system, you know that the document you are being asked to sign in the DocuSign system is presented within your web browser over a secure SSL session.  You “sign” the document online and are then presented the option to download a PDF copy of your signed document.  This should be an easy phish to spot, yet people are falling victim to it.
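The red flag described above (DocuSign presents the document in the browser and never asks you to open an attachment) can be turned into a simple mail-filter rule.  The following Python is an added example for this post, not code from DocuSign or KnowBe4; the message builder, the `docusign_red_flags` function and the sample messages it is run on are all constructed here for illustration, and the "docusign" keyword match on the From and Subject headers is an assumption about how such a rule would scope itself.

```python
import email
from email import policy
from email.message import EmailMessage

# Word formats that can carry macro code (the attack in the post), plus classic .doc.
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm")


def build_message(subject: str, sender: str, attachment: str = "") -> bytes:
    """Construct a minimal RFC 5322 message for testing (a constructed sample,
    not a real DocuSign mail and not a real phishing lure)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content("Placeholder body for the constructed sample.")
    if attachment:
        msg.add_attachment(
            b"constructed placeholder bytes",
            maintype="application",
            subtype="octet-stream",
            filename=attachment,
        )
    return msg.as_bytes()


def docusign_red_flags(raw: bytes) -> list[str]:
    """Return the reasons a DocuSign-branded message should be held for review.

    Encodes the post's observation: a message claiming to come from DocuSign
    that carries any attachment is suspect, and a macro-capable Word
    attachment more so.  Messages that do not mention DocuSign in the sender
    or subject are out of scope for this rule and return an empty list.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg["From"] or "").lower()
    subject = str(msg["Subject"] or "").lower()
    if "docusign" not in sender and "docusign" not in subject:
        return []
    flags = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_CAPABLE):
            flags.append(f"macro-capable Word attachment: {name}")
        else:
            flags.append(f"unexpected attachment: {name or part.get_content_type()}")
    return flags


if __name__ == "__main__":
    sample = build_message(
        "Please DocuSign: agreement", "DocuSign <noreply@example.test>", "agreement.docm"
    )
    print(docusign_red_flags(sample))
```

A real deployment would run this on the mail gateway or in the SIEM over the message as received, and would quarantine rather than merely log; the point of the rule is that a legitimate DocuSign notification has nothing to attach, so the attachment itself is the signal.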

Here is a recommendation that has been put out in collaboration with KnowBe4, our partner in helping to educate our clients about risks like this:

“Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and click to enable editing.

But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click.”

Simple, but important advice to always verify the source, especially when you are not expecting something that you have received.

DocuSign maintains a good site regarding their security posture at https://trust.docusign.com.  I recommend you keep watch on this site if you are a regular DocuSign user.

 

 

 

Reflections on Kaseya Connect 2017


As I’m sitting here in McCarran International Airport awaiting my jetBlue Red Eye back to Boston, I’ve been reflecting on my week here in Las Vegas at the Kaseya Connect conference.  Kaseya is one of several technology partners that we have at Internet & Telephone, LLC.  Specifically, we use the Kaseya Virtual System Administrator (VSA) IT management platform as well as AuthAnvil two-factor authentication.  Both are part of our stack of specialized tools that we use to manage our customer infrastructures.

This was my first time attending Kaseya Connect and I’m impressed with the company and their roadmap for the future.  What’s significant about this is that a few years ago, it looked like the company was moving in the wrong direction and was no longer going to be a good partner for us.  That is no longer the case, at all.

We started the week off in the Customer Success Council meeting on Monday.  During this invitation only meeting, Kaseya executives shared details on upcoming product developments and new initiatives, including recent and planned acquisitions.  Following this meeting, Kaseya hosted a focused security symposium.

During the symposium, some interesting statistics were shared from the 2017 Verizon Data Breach Investigation Report.  This report has become the annual standard bearer for the state of cybersecurity in the commercial market space.

Some highlights from the report:

  • 62% of breaches involved hacking.
  • 81% of hacks used stolen or weak passwords.
  • 51% of hacks used malware to steal passwords.
  • Over 1 billion credentials were stolen in 2016.
  • It is recommended to deploy two-factor authentication to all users when feasible.

When considering two-factor authentication, consider that it meets these requirements:

  • HIPAA for healthcare organizations.
  • FFIEC for small banks and credit unions.
  • CJIS for law enforcement agencies.
  • The latest revision of the legal professional code of conduct requires it for remote access.

Following are some updated stats about data breaches, in terms of impact:

  • Every record breached costs a company $158.00, on average.
  • The average number of records breached, per data breach, is 3,000.
  • This is an average cost of $475,000 per data breach.
  • Short term impacts of a data breach are downtime, lost data and business interruption.
  • Long term impacts of a data breach include damage to the company’s reputation, customer loss and lost revenue.

On Tuesday morning, Kaseya CEO Fred Voccola kicked off the event with an engaging keynote that shared interesting stats that you may read more about in my post from Wednesday titled Small and Medium Size Business Stats from Kaseya Connect.

Fred also provided a comprehensive review of what Kaseya calls its IT Complete stack.  This includes the core feature set of the VSA platform that we use to manage our customers as well as new or updated modules focusing on network management, identity and access management, backup and disaster recovery, Office 365 management and backup, and an impressive Cloud management module that will allow us to help our customers save money on their Cloud subscription costs.

I was also intrigued by some new initiatives around data analytics to help us manage our business better and deeper integration with our customer documentation system.

Kaseya did a very good job outlining the product roadmap and how we will be able to leverage these developments to help our technical team better manage our customers.

We have built our security offerings around the National Institute for Standards and Technology (NIST) Cybersecurity Framework.  I was very excited to see that Kaseya has built their security offerings around this same framework.  This will make aligning our security strategy with what Kaseya is and will be delivering to its partners a compelling benefit for our customers.

There was also a very interesting session on improving the user experience with IT.  Using something called persona modeling, it’s an intriguing model of better understanding the needs of IT users based on their role in the organization from an individual, departmental and overall company mission point of view.  I’m looking forward to testing this out to see what opportunities for improvement it may bring to the surface.

The conference wrapped up on Thursday with the entire Kaseya executive team sharing their thoughts on where the industry is moving, based on their individual areas of responsibility.  This touched on all aspects of the solutions that Kaseya brings to its partners.  I was particularly pleased to gain some insight into the company’s Internet of Things (IoT) strategy.  These are the myriad devices that now have an IP address and connect to the network.  As these devices become more prevalent and important to a company’s success, it is very important that they be managed like every other device on the network.  Right now there is no consistent model for accomplishing this, and organizations need to be careful about deploying unmanaged devices onto their corporate networks.  As we saw several times in 2016, these devices, left unprotected and unmanaged, can be taken over and used to carry out a data breach or attacks on other organizations.

We also had the opportunity to have a private meeting with several members of the senior team to discuss our business plans and the status of our partnership.  I was very pleased with the level of transparency and candor from everyone at this meeting and I am looking forward to working more closely with everyone at Kaseya to deepen our partnership for the benefit of our customers and our two companies.

What About Corporate Password Managers?


Following up on Wednesday’s post Why You Need a Password Manager, let’s talk about corporate password managers.  These are systems designed for use within a company, to manage the passwords across the enterprise.

Some of the password managers I mentioned in my Wednesday post also offer a business version, that allows you to share and manage passwords across groups of users.  Corporate password managers are a little bit different as they are typically geared more toward the IT user, not the average business user.

I divide corporate password managers into two categories: those for use within corporate IT departments and those for use by Managed Service Providers (MSPs).  These are organizations, like Internet & Telephone, LLC, who provide IT services to their customers.

The features are designed for these environments and include all the basics you would expect from a robust password manager.  When I evaluate products like this, I look for several key features, among them appropriate encryption, identity management, user assurance auditing, change tracking, secure deployment and discovery, compliance, access control, least privileged access, self-service password reset, automatic password rotation, automatic password injection and more.  It all depends on defining your requirements and finding the solution that meets your needs.

In terms of my business, the solution I prefer most is Passportal.  This was built from the ground up by an MSP who understood the requirements most other MSPs would have.  It also allows MSPs to offer the service to their customers.  I find the feature set of Passportal to stand above the competition.  Consider this list of features:


  • 1-Click Website Logins
  • Drag & Drop Data Imports
  • PSA Integrations
  • Multi-Factor Authentication
  • Personal Password Vaults
  • Role-based Permissions
  • Active Directory 2-Way Sync
  • Password Generator
  • Mobile Optimized Access
  • Password Data Analytics
  • Prebuilt Reports
  • Global Search
  • Co-Managed IT Password Collaboration
  • Password History Retention
  • Technician Disable Workflow
  • Password Rotation Management
  • Client and Password Access Requests
  • Windows Directory Services Control
  • Custom Security Groups
  • Temporary Access Rights
  • Scheduled Automated Data Exports
  • White Labelled / Rebrandable

Other worthy corporate solutions include BeyondTrust, ManageEngine Password Manager Pro and Thycotic to name just a few.

If you want to be absolutely, positively certain as to who accessed what password when, and who used what password when and where, a corporate password management solution is a must.  Otherwise, you are simply leaving it to chance and trusting that none of your employees will misuse a password, or worse.  In today’s world of nearly daily breaches and cyber security issues, I believe these systems are a must in order to keep your passwords safe and in control.

UPDATE: Google Docs Phishing Scam


UPDATED THURSDAY, MAY 4

While the news continues to talk about this scam, you may rest assured that Google has stated publicly that they have secured their systems against this attack.  I still recommend following the steps below, to be certain your account was not impacted.  I also recommend never clicking a link to open an online document of any form without first verifying with the sender that they actually sent it to you and that the document is legitimate.

May the 4th Secure You!

Today, many users are reporting receiving an email from a trusted sender that is asking them to click a link to open a Google doc online.  This is a scam and it is being widely reported.

The good news is that Google has implemented safeguards to stop the attack.  For those who may have already clicked the link, the bad news is that the hackers behind this now have access to your Google email and contacts.

Here’s how to check if you are at risk.

  1. Login to your Google account.
  2. Go to My Account.
  3. Click on Connected apps & sites.
  4. Review the list and if there is one called Google Docs, remove it, change your account password and be sure you have enabled two-step authentication.


Why You Need A Password Manager


Password managers are more critical now, than ever.  Over the past week, I have had a few conversations with different people that underscore this.  I still find logon passwords written on pieces of paper tucked under keyboards.

Worse, this weekend, I had someone tell me that they have so many passwords to remember that they keep a paper list in their wallet with all of their passwords.  Think about this…if this person’s wallet is stolen, their identity, credit, bank accounts, and every application and web site they log in to are compromised.  This person represents the Holy Grail of targets for a hacker.  In one simple move, they will have this person’s driver’s license, credit and debit cards, presumably their health insurance card and possibly even their social security number, if they also have that card in their wallet.  By the way, experts recommend never carrying your social security card in your wallet.  I remember when it was trendy to carry it.  Don’t.

I asked this person to immediately subscribe to a password manager and get rid of that list!  As in, do this immediately!  I’m glad to say that they did, as I was getting calls for help getting it configured later that day.  What password manager you use is far less important than using one.

So what does a password manager do?  Simply put, it secures all of your web site and application usernames and passwords in a secure wallet.  The key to this is that you create a single master password to access the wallet.  The security of this master password becomes the single most important thing, as it is the key to your security kingdom.  For this reason, I recommend that the master password actually be a passphrase: a sentence incorporating a phrase that you can easily remember, while incorporating upper and lower case letters, symbols and numbers to make it as secure from hacking as possible.  For example, this would be a passphrase as opposed to a simple password:

AP@$$w0rd1sM0r3s3CuretHanAp@$$w0Rd

This may seem intimidating at first, but it’s really not.  Before you know it, you will be able to type this out very quickly and efficiently.

Once you are logged in to your password manager, it will prompt you every time you login to a web site to save your login credentials.  This will build an encrypted database in your password manager of all your logins, so you don’t have to remember your username and password for every web site you login to.  Some password managers also do this for applications that you use as well.  Most are focused on doing this just for websites, but more functionality is being added all the time.

Another feature of most password managers is that they allow you to save secure notes and digital wallet information like credit card accounts and addresses.  Secure notes allow you to save any useful information that you need to securely keep track of.  These are typically free-form notes that you can use for any purpose you have.  The secure wallet information allows you to make online purchases more easily.  When you are on a shopping site and checking out, instead of having to type in your billing and shipping information, including your credit card, you can simply select what card you wish to use from your password manager and it will fill all of this in with one click of your mouse.  Could not be simpler or more secure.

Another great feature that many password managers are adding is a security check.  This will scan all of your logins and let you know which passwords are too weak and how many times you are reusing the same password, which is strongly discouraged.  You can use this analysis to quickly go to these accounts and set new, more secure passwords, where needed.

To make this all more effective, password managers include a password generator, so there is no excuse to not have a unique and complex password for every site you login to.  When setting up new logins or updating the password for an existing login, just open the password generator and have it create a long and complex password.  All you do is copy and paste the new password into the site and it will be saved to your password manager.
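The three pieces just described, a complexity policy like the one in the self service reset post at the top of this page (12 or more characters, upper and lower case, a number and a symbol), a generator that produces passwords meeting it, and a security check that flags weak and reused entries, fit together in a few dozen lines.  The Python below is an added example, not code from any of the password managers named in this post; the policy constants, the `SAMPLE_VAULT` entries and the function names are constructed here for illustration.

```python
import secrets
import string

# Policy assumed from the first post on this page: at least 12 characters,
# upper and lower case letters, at least one digit and one of these symbols.
SYMBOLS = "!@#$%&*"
MIN_LENGTH = 12


def meets_policy(password: str) -> bool:
    """Return True when the password satisfies every rule of the policy."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Produce a random password from the OS CSPRNG that passes meets_policy.

    Rejection sampling keeps each character uniformly distributed over the
    alphabet; a 16-character draw rarely fails the policy, so the loop is short.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def audit_vault(vault: list[tuple[str, str]]) -> dict[str, list]:
    """Flag weak and reused passwords in a list of (site, password) pairs.

    Mirrors the "security check" a password manager runs: 'weak' lists sites
    whose password fails the policy; 'reused' lists groups of sites that share
    one password.  The passwords themselves are never included in the report.
    """
    weak = [site for site, pw in vault if not meets_policy(pw)]
    sites_by_password: dict[str, list[str]] = {}
    for site, pw in vault:
        sites_by_password.setdefault(pw, []).append(site)
    reused = sorted(
        sorted(sites) for sites in sites_by_password.values() if len(sites) > 1
    )
    return {"weak": weak, "reused": reused}


# Constructed sample vault (not real accounts); two sites share a weak password
# and one entry lacks an upper case letter, so it fails the policy too.
SAMPLE_VAULT = [
    ("bank.example", "fU&s43jm#@l0"),
    ("mail.example", "summer2017"),
    ("shop.example", "summer2017"),
    ("forum.example", "ih0p3!r3m3mber@"),
]

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
    print(generate_password())
```

The generator uses `secrets` rather than `random` because the latter is not a cryptographic source; the audit reports site names only, so its output can be shown to a user or logged without exposing the vault contents.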

Password managers work on all platforms.  Whether you use Windows, Mac OS, iOS mobile devices or Android mobile devices, password managers work on them all and sync your changes from device to device, to ensure you always have the most up to date information no matter what device or platform you are working on.  Most also support two step authentication, where in addition to your amazing master password, you get prompted to enter a code that is texted to you or comes from an authenticator application.  With this level of security, you will have your best shot at deterring any hacker who may try to target you.  There will be far easier targets to hack than you.

Password managers are also very cost effective, typically in the range of $20 to $40 per year.  Many also offer longer term discounts if you subscribe for several years at a time.

In terms of recommendations, there are several password managers to consider.  They all offer a free version, so I would recommend testing one or two that look good to you, and see if one simply feels right for you.  Here are the password managers I would recommend considering:

  • Dashlane
  • LastPass
  • RoboForm
  • TrueKey

Watch the demos on each of the web sites and review the full feature list to help you decide which one to try.  Each have similar features and each have a feature or two that set it apart from the others.

There’s just no reason not to use a password manager and to have random, complex passwords for all of your logins.  This is perhaps the single, best step you can take to protect yourself online.

Those Fun Facebook Lists Could Pose Risk


Over the last week, I’m sure you have seen many of your Facebook friends posting the 10 concerts they have attended, asking you to guess which one is a lie and then post your own list.  I’ve seen them flying by fast and furiously on my timeline.

While these are fun exercises and more than likely innocent in intent, they can pose a security risk.  What is that risk?

If you have ever clicked a link to reset your password, or visited your bank’s web site from a new computer, you may have seen a security question presented to verify your identity.  You know the ones: What street did you grow up on?  What’s your mother’s maiden name?  Where were you born?  What’s the first concert you attended?  Get it?

Security researchers are rightly warning that it may be best to not play along with these lists.  The information you are freely providing may help a hacker guess the answer to a password recovery question, especially if you have done this for several different types of lists.  Over time, a hacker who is using social engineering against you may be able to put the pieces together to hack into an important account of yours.

Some recommend not providing factual answers to these questions when you are setting up online accounts.  In other words, for the question “What street did you grow up on?”, you could put in the response of “Huckleberry Circle”, knowing that’s not where you actually grew up.  Instead of your mother’s maiden name, you could answer McCringleBerry or some other random and bizarre name.  Hopefully you get the idea.

The point is to always think about what you post online.  While it may seem like fun and innocent enough, you may be making yourself easier to hack.

While we’re at it, those Facebook coupons for Bed Bath & Beyond, Lowes and others…not real and not worth the risk.