Tag Archive for Password

| September 18, 2014
Comments Off on 10 Policies to Minimize BYOD Risk

10 Policies to Minimize BYOD Risk

Mandatory Authorization ProcessThe challenge for employers offering BYOD, according to schnaderworks, a labor and employment blog from Schnader Harrison Segal & Lewis LLP, is finding the right cost/benefit balance for their businesses. In developing an effectivebring your own device” (BYOD) policy, employers must first identify which employees will be eligible for the program according to the blog.

Onc10 Policies to Minimize BYOD Riske the basic parameters are set, the lawyers stress a written policy is essential to set up ground rules and permit enforcement to protect the company’s data and other interests. They suggest the following steps are key to establishing an effective BYOD policy:

1. Establish a Mandatory Authorization Process:  The lawyers say this should be completed before an employee can use company data and systems on a personal mobile device.

Require Password Protection2. Require Password Protection:  Each authorized device should have the same password protection as an employer-issued device.  According to the article, such protections include limiting the number of password entry attempts, setting the device to time out after a period of inactivity, and requiring new passwords at regular intervals.

3. Clarify Data Ownership:  A BYOD policy should specifically address who owns the data stored on the authorized device. It should be clear that company data belongs to the employer and that all company data will be remotely wiped from the device if the employee violates the BYOD policy, terminates employment, or switches to a new device. The policy should also alert employees that it is their responsibility to backup any personal data stored on the authorized device states the article.

Spell Out Procedures In Case of Loss4. Control the Use of Risky Applications and Third Party Storage:  Schnader Harrison Segal & Lewis recommends employers may want to ban the use of applications that present known data security risks, such as the use of “jailbroken” or “rooted” devices and cloud storage.

5. Limit Employee Privacy Expectations The BYOD policy should clearly disclose the extent to which the employer will have access to an employee’s personal data stored on an authorized device and state whether such personal data is stored on the company’s backup systems. The article recommends minimizing the co-mingling of company and personal data. Employers may want to install software that permits the “segmenting” of authorized devices.  However, no matter what measures the company takes to preserve employee privacy, the policy must emphasize that the company does not guarantee employee privacy if an employee opts in to the BYOD program.

Control the Use of Risky Applications6. Address Any Business-Specific Privacy Issues:  Certain businesses are subject to legal requirements about the storage of private personal information (such as social security numbers, drivers’ license numbers, and credit and debit card numbers, etc.) which may need to be addressed in a BYOD policy.  The blog points out that HIPAA requires native encryption on any device that holds data subject to the act. An employer may need to put in place processes prohibiting or limiting remote access for certain categories of sensitive data.

7. Consider Wage and Hour Issues:  Permitting employees to use an authorized device for work purposes outside of the employee’s regular work hours may trigger wage and hour claims. The lawyers suggest the BYOD policy should set forth the employer’s expectations about after-hours use  (such as a requirement that non-exempt employees must refrain from checking or responding to work emails, voice mail, and texts after hours) (rb- Yeah).

BYOD policy8. Ensure Compliance with Company Confidentiality Policies.  The author says a BYOD policy should reiterate that an employee using an authorized device must comply with all company policies on confidentiality and the “acceptable use” of company information.

9. Spell Out Procedures In Case of Loss or Theft:  The employer should set up a specific protocol to be followed in the event an authorized device is lost or stolen. The blog says the process should include the prompt reporting of a lost or stolen device and the remote wiping of the device.

Insure Compliance with Company Confidentiality Policies10. Document Employee Consent:  Finally the law firm, in good lawyer form, suggests the employer should get an employee’s written consent to all terms and conditions of the BYOD policy.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| August 12, 2014
Comments Off on Who Needs Two-Factor Authentication

Who Needs Two-Factor Authentication

Who Needs Two-Factor AuthenticationThe recent epidemic of online security breaches has shown the folly of passwords as the sole protector of your online data. As I have covered several times, most users depend on the same passwords. So what are we to do? One solution is Two-Factor Authentication.

John Shier at SophosNaked Security blog provided a primer on multi-factor authentication. Two-Factor Authentication is a subset of Multi-factor authentication (MFA).  MFA is an authentication process where two of three recognized factors are used to identify a user:

  • Sommulti-factor authenticationething you know – usually a password, passphrase, or PIN.
  • Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits
  • Something you are – fingerprints, iris patterns, voiceprints, or similar

How two-factor authentication works

Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website. So if someone manages to get hold of your password (something you know), the article says they still will not be able to get access to your account unless they can provide one of the other two factors (something you have or something you are).

Data breachThe author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems via a VPN session. Users need to give a username, a password, and the six-digit code from the secure token appended to a PIN. Home users can use a sort of two-factor authentication using SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

The availability of mobile network service and the unreliable nature of SMS can make SMS 2FA difficult. However, some services allow you to use an authenticator app in addition to your password which presents you with a different numeric one-time password (OTP) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective stores.

Authenticator apps can be great for signing into sites like Google, Facebook, and Twitter even when your phone does not have service (mobile or otherwise).

Two-factor authentication makes it harder

SPAM emailParker Higgins at the EFF, says normal password logins, which use single-factor authentication, just check whether you know a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, like a PIN, something you know, with your ATM card, something you have, makes it harder to impersonate you. You need to both have a card and know its PIN to make a withdrawal.

Online two-factor authentication brings the same concept to your services and devices by using your phone—which means that even if your password is compromised by a keylogger in an Internet café, or through a company’s security breach, your account is safer according to the EFF.

That’s important because phishing, which is one of the most common ways in which accounts are compromised, only gets information about passwords. By adding a different factor, phishing attacks become much more complicated and much less effective according to Mr. Higgins.

APhishings two-factor authentication systems become more popular, they have gotten increasingly user-friendly; the EFF believes it doesn’t have to be a difficult trade-off of convenience for security. Major services like Twitter, Google (GOOG), LinkedIn (LNKD), Facebook (FB), Dropbox, Apple (AAPL), Microsoft (MSFT). GitHub, Evernote, WordPressYahoo (YHOO) Mail and Amazon (AMZN) Web Services have enabled two-factor authentication.

rb-

Users should get used to two-factor authentication. 2FA is not available everywhere but many of the most popular sites and services on the internet use the technology.  Hopefully, this will compel the rest to follow suit. There is Android malware in the wild that is specifically designed to steal SMS verification codes trying to thwart 2FA so you still need anti-malware on your mobile devices.

In the wake of recent POS attacks (which I covered here), DHS has recommended 2FA for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need Two-Factor-Authentication Authentication.

Related articles
  • Fending off automated attacks with two-factor authentication (cloudentr.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , ,
| July 17, 2014
Comments Off on Can Former Staff Still Access Secure Info?

Can Former Staff Still Access Secure Info?

Can Former Staff Still Access Secure Info?InfoSecurity Magazine recently published an article that blames cavalier attitudes about password management for a new era of data breaches. The article says that a fundamental lack of IT security awareness in enterprises, particularly in the arena of controlling privileged logins, is potentially paving the way for a further wave of data breaches.

The author cites a survey from Lieberman Software of IT security professionals. In the survey, 13% of IT security pro’s interviewed at the RSA Conference 2014 in San Francisco admit to being able to access previous employers’ systems using their old credentials.

access previous employers’ systems using their old credentialPerhaps even more alarming is that of those able to get access to previous employers’ systems nearly 23% can get into their previous two employers’ systems using old credentials. And, shockingly, more than 16% admit to still having access to systems at all previous employers Lieberman reports. Philip Lieberman, CEO and president of the company, told InfoSecurity in an interview that he blames executives who are satisfied with only meeting minimum security requirements.

Investments in security for technology, people, and processes have been meager, at best, in most organizations for many years … many C-level executives have been strongly discouraged from implementing anything other than the minimum security required by law.

don't have, a policy to make sure that former employers can no longer access systemsThe survey also showed a communications breakdown between the IT Pros and management. Nearly one in five respondents admit that they do not have, or don’t know if they have, a policy to make sure that former employers and contractors can no longer access systems after leaving the organization according to the article.

The survey also found that current employees are also a concern. The InfoSecurity article says that almost 25% of employees surveyed said that they work in organizations that do not change their service and process account passwords within the 90-day time frame commonly cited as best practice by most regulatory compliance mandates. Lieberman pointed out that users who run with elevated privileges can introduce all sorts of IT headaches by downloading and installing applications, and changing their system configuration settings. CEO Lieberman warned that an organization would be wise to strictly control and monitor the privileged actions of its users by:

  1. Get control over privileged accounts. Start by generating unique and complex passwords for every individual account on the network – and changing these passwords often (no more shared or static passwords).
  2. Make sure you’re securely storing current passwords and making them available only to delegated staff, for audited use, for a limited time (no more anonymous and unlimited privileged access – for anyone).
  3. Automate the entire process with an enterprise-level privileged identity management approach. Mr. Lieberman argues, “when users exhibit poor behavior while logged into their powerful privileged accounts, you can be immediately alerted and respond to the threat.

half-life mentality of opening the pocketbook for security investments immediately after a data breachMr. Lieberman told InfoSecurity that In the wake of the Edward Snowden / NSA scandal and the Target breach, one would think that corporations would feel that minimizing the insider threat and the attempts of sophisticated criminal hackers to groom those with privileged accounts would be of tantamount importance. But, Lieberman cited a “half-life mentality of opening the pocketbook for security investments immediately after a data breach occurs, but then diminishing back to basic security after a few months.

rb-

When an employee leaves the company, it’s imperative to ensure that he or she is not taking the password secrets that can gain access to highly sensitive systems.

To back this up, Verizon’s 2013 annual Data Breach Investigations Report says that more than three-quarters (76%) of network intrusions relied on weak or stolen credentials – a risk that Verizon describes as “easily preventable”.

Creating Privileged Accounts:

  • Never issue direct access to Administrator or Root, create a unique alias.
  • Require password complexity, history and expiration.

Disabling Privileged Accounts:

  • Get the termination notice in writing from someone up the food chain before acting, then disable the account ASAP.
  • Disable the account, Lock the account, Change the password.
  • Don’t change the user name or delete the account until you are sure. Prematurely removing an Admin Account could break some applications or connectors.
  • Don’t forget about other accounts, email, VPN, wipe mobile devices, access control PINs.
Related articles
  • Protecting Against the Insider Threat (duosecurity.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| January 21, 2014
Comments Off on A History of Encryption

A History of Encryption

A History of EncryptionYour personal information is under attack from the Feds, Target, Neiman Marcus, and who knows else. One of the keys to keeping your personal information personal are secure passwords. But what makes a password secure? America Online (AOL), (rb- Yes they are still around) explains the concept of encryption (converting information into code) is not new.

In fact, as you can see below, encryption started with the Spartans in 500 B.C.  Yhey would rearrange the position of letters within a text. Through the years, this process has become more sophisticated, which brings us to Advanced Encryption Standard, or AES, which is what we use today. This standard is based on computing bits, basic units of information. The bits in passwords are what help to keep your data secure. Check out the infographic to see how encryption has evolved from 500 B.C. to the present day and their tips for keeping your passwords safe.

 

A history of encryption Infographic

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| February 16, 2013
Comments Off on UP EAS Warns of Zombie Attack

UP EAS Warns of Zombie Attack

UP EAS Warns of Zombie AttackEmergency Alert Systems at northern Michigan television stations sent out a fake emergency alert warnings. The alters warned the UP of a zombie attack after being hacked. The fake broadcast warned that bodies were rising from the grave and alerted people to avoid contacting the walking dead.

MLive Zombiereports the message went on Monday about 8:30 p.m.. The zombie attack warning interrupted “The Bachelor” on WBUP, ABC 10 and “The Carrie Diaries,” a prequel to “Sex and The City,” on CW. The same person got into Northern Michigan University’s public television station WNMU-TV 13. That message interrupted “Barney and Friends” at about 4 p.m., reports NMUstation manager Eric Smith.

People panicked and it was crazy and we didn’t know how to stop it,”  Cynthia Thompson, station manager and news director at ABC 10 and CW 5 in Marquette, MI said. The suspected hacker has been caught, according to MLive, Ms. Thompson could not release any further details on the suspect.

Attacks around the nation

Security leakSimilar attacks were reported at Great Falls, MT station KRTV and KNME/KNDM in Albuquerque, NM. The security breach’s occurred at stations that didn’t have their login names or passwords reset from factory default settings, said Ed Czarnecki, senior director for strategy and regulatory affairs for Monroe Electronics Inc., a Lyndonville, NY based manufacturer of EAS equipment. “We are very aggressively working with authorities … to ensure that all broadcasters have updated their passwords on their critical equipment,” he said.

Michigan Association of Broadcasters CEO Karole White said the MAB is taking the issue very seriously and working with the Michigan State Police and Federal Communications Commission on the case. “Though this was kind of a pranksters joke, they could have used a different code that could have caused people to be very concerned and possibly even panic,” CEO White said.

HackerInfoSecurity says the problem goes beyond just passwords. Mike Davis, a security expert with IOActive, submitted a report to US-CERT detailing flaws in the equipment used by the EAS system a month before the incident. “Changing passwords is insufficient to prevent unauthorized remote login. There are still multiple undisclosed authentication bypasses,” he told Reuters via email. “I would recommend disconnecting them from the network until a fix is available.

Really, really, terrible software

According to Kaspersky’s ThreatPost, the flaws Mr. Davis unearthed allowed him to do exactly what Monday’s hacker did. “There is some really, really, terrible software on the other side of that box,” Davis said. “There are some known issues like authentication bypasses and what I would call back doors, although I don’t know if they were meant that way. While I can’t provide authenticated messages [from the EAS system itself], I can log into all of them and insert authenticated messages.

The problems that Davis found,” warns ThreatPost, “represent a serious weakness in the EAS system. Some of the ENDECs (encoder-decoder) are networked together in a way that enables them to relay messages to one another, so an attacker who could compromise one could conceivably cause problems on others, as well.

 rb-

Umm Networking 101, change your default passwords.

Haven’t the dead been roaming the halls of Congress for years? Brain dead anyway!?

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow him at LinkedInFacebook and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
« Older Entries   Recent Entries »