Joe Sent Me. Multi-Factor Authentication for the Roaring 2020s.

Posted by Grant Mongardi on Thu, Dec 08, 2016 @ 10:31 AM

Tags: AD, Centrify, Security, cloud security

JoeSentMe02.jpg

In the days of Prohibition getting your Appletini was much more difficult than it ever should be. Foremost was the fact that they didn't exist. Other than that you would need to know where a speakeasy was, have the password ("Joe sent me"), and not be a copper (the law enforcement kind, not the British penny). In fact this was Multi-factor Authentication: something you know, something you have, and something you are (or are-not in this case). NAPC can help you revisit these roaring 20's but for the 2020s, and perhaps help you cut down on your Appletini consumption in the process.

Multi-factor Authentication or "MFA" is one of the buzz-words of 2016. Everyone is saying it but many people don't quite understand what the mechanism means to their security. It doesn't just mean that it protects against the brute-force attacks we've now had in our system logs for years, it also means more elaborate exploits can be mitigated

Take this years huge growth in spear-phishing attacks. Some of the largest, most security-concious corporations and government entities fell prey to spear-phishing attacks that involved advanced social engineering combined with compromised email accounts. For the attacker access to the victims email account means that they first analyze the communications in the victims inbox and craft an email interaction masquerading as someone the victim knows and convince them to do something that they wouldn't otherwise do, such as wiring money or sending proprietary information.

Add multi-factor to Windows logins

There are many things you can do to help avoid such a scenario, however MFA is probably the most effective. If all of your internal and privileged resources are protected by MFA then you've short-circuited the attacker at the outset. If the attacker doesn't have the 2nd factor for your email account login then they can't even get started. It doesn't matter if they have password, the 2nd factor prevents them from ever using it.

But attacks  aren't just limited to email. Cloud services are effected as well. Whether it's your office suite, your CRM suite, or even your accountiing solution, you really must protect all of your corporate services. Any little bit of information about your company or internal processes can give a smart attacker a leg-up on how to convince your employees into doing something that they probably wouldn't normally do.

Lastly there is what's inside your firewall: people. People have flaws, and mitigating those flaws can make your work an endless nightmare. Many of the things that an employee might do to ruin your weekend aren't necessarily intentional, but nonetheless can make you wish you could crush their skull with a rock. Ok, perhaps that's a bit extreme but the sentiment is similar. Preventing users from being their own worst enemy can extend inside your firewall as well. Adding MFA to servers, desktops, even network hardware will ensure that nobody inadvertantly has access to something that they shouldn't. Also, sharing their account information "for convenience" becomes useless. Also by adding MFA to a tunable privilege escalation mechanism you ensure that they are both the actual person that they say they are and are allowed to do what they are doing, and for everytime they do it. 

Contact NAPC today and we can help you navigate all of these issues and address any concerns you might have with reliable, secure solutions from Centrify. NAPC has the expertise in all of these technologies and experience in addressing all of your issues. Whether you have an audit pending or have had an "event" that you need kept confidential, NAPC can help.

Learn More about securing your Enterprise with MFA 

Zero is HUGE!!!!

Posted by Grant Mongardi on Wed, Nov 11, 2015 @ 02:00 PM

Tags: Security, AD, IT, cloud security

Zero Sign-On for Zero hassles. Simple solution to everyday frustration.

Wait? What did I just say?
Yes, it sounds like I've gone completely crazy, but the kind of zero I'm talking about is huge. For everyone!

I'm talking about Zero Sign-On. You might be saying "I've heard of Single Sign-On (SSO) Grant, but what the heck is Zero Sign-On?". Zero Sign-On is the idea that if you can identify the device being used to connect then you can assume that device belongs to and is controlled by someone you know, and as such can let them connect without actually having to type a password. It's physical security, much like a door key or pass-card is. If I know that your mobile phone or tablet is owned and controlled by you, then I should have no problem using that device as the unique identifier indicating that you are the one trying to connect. Better yet, if I know the device is controlled by both you and me, I can be very comfortable in asserting to anyone that I can control access of both the device and the end-user.

"So Grant, how does all of this work?". In short, by uniquely identifying and then "tagging" that device, be it a phone, tablet or even a netbook, then you can use that as a pass-key to getting into protected resources without having to type a password. The device uniquely identifies you as you, rather than a user/password combination. Not only can it not be "hacked" without the actual device, but it can't be easily "shared" like a user/password can.

"Yeah Grant, but what if someone steals it?". Well, with a proper service like Centrify's IaaS Cloud service for this then all of that should be taken care of. Centrify's offering lets the user register their own devices under their user account. In addition to using it for Zero Sign-On and changing forgotten passwords, it also lets them find the device on a map, lock it remotely, wipe it remotely, and even see what the battery charge level is. But more importantly it lets you, the IT or Security Administrator do important things like apply group policy to the device (like encrypting storage, screen-lock time, passcode length/complexity, etc), unenroll the device and disable Zero Sign-On, and lock or wipe the device.

Centrify Cloud lets you find your lost device, lock it, and even wipe it!

Finally, it let's you see and report on the device's activity and even see if it's been jail-broken and is being backed-up to the Cloud!

"So what about the user's laptop?". Well, if that user has a laptop capable of IWA then the user can use that for Single Sign-On, allowing them to access their services without typing their password again. Centrify DirectControl for Macs will enable IWA on Apple Macs and it's built into Windows, so they just login to the laptop and they're done.

So a few of the best "Zero"s are: Zero support, Zero audit findings, and Zero shared credentials. And that all translates into infinitely better security and tighter controls over your valuable corporate resources.

For more information on Centrify Identity Service or other great products from Centrify just contact us at TheExperts@napc.com and we'll be happy to give you a full demo. We'll also be having a Webinar on Elegant 6 SAML and Centrify's Cloud service on November 19th, 2015 at 2:00 PM EST. Register here to join us for an hour!

 

Password Performance That Isn’t A Compromise

Posted by Grant Mongardi on Wed, Nov 04, 2015 @ 09:12 AM

Tags: Security, AD, cloud security, Password, SSO

So the question often arises of how can I have a secure password that I can remember and that meets the criteria of my policy? It comes up all of the time. Most systems place criteria on setting a new password to something like this:

  • must be at least 8 characters
  • must contain uppercase & lowercase characters
  • must contain a number
  • must contain a symbol

and often:

  • cannot contain the username
  • cannot contain consecutive duplicate character

Although there is some dissention as to whether or not all of these criteria are necessary, it certainly does help. It means you can't only have your dog's name or your daughter's birthdate as your password. But most people have a problem even creating passwords that meet the criteria, never mind remembering them.

I suggest thinking of the password differently. If you think of your password as a "pass-phrase" rather than a single word then you are much more likely to both remember it and to create one that is very secure. First you can think of a subject that you're connected with. For example let's say that you're a huge fan of computer games. Perhaps you might create a password like this:

It's a-me, Mari0! 

    or 

It's super effect1ve!

So those certainly meets our criteria, assuming your name isn't Mario. And hopefully you can remember it. What if you're a SciFi movie buff? How about these:

Han sh0t first.

I'll b3 back.

We're all standing n0w!

I'm afra1d, Dave.

I'm my 0wn best friend!

In any case, the idea is that you create passwords based upon a phrase that you can remember. You should utilize punctuation just as you would because that helps meet the requirement of special characters. And finally you replace a part or a character with a number or symbol until you've met the criteria required.  

Mind you, this isn't the perfect solution but it meets the criteria and is far more secure than an 8-character password that you can never remember (and then can't reuse). Using a password like this for 60 days far exceeds the security of a random string of 8 characters. A desktop PC utilizing a couple of GPUs can crack 3750 8-character passwords in the about the same time it takes to crack a single 10-character password. Add more characters and those numbers get even better. Most of the passwords above would take years to crack, if not decades.

Contact The Experts <theexperts@napc.com> for options to ensure better security with less work and better compliance across all of your services & websites! Single Sign-On and ZERO Sign-On for all of your corporate web services!

How to tell if it's Active Directory Integration or just seasonal allergies

Posted by NAPC Marketing on Wed, Jun 04, 2014 @ 10:32 AM

Tags: Active Directory, Centrify, authentication, single sign-on, remote access, file-sharing, monitoring, cloud security

Screen_Shot_2015-04-02_at_2.01.03_PM

To those of you with runny noses and watery eyes, it will come as no big surprise that it’s allergy season. And, lucky you, if you do have allergies you most likely have more than one. No problem, just take that one big dose (or shot, or drop) that covers them all, right? Sadly, wrong. Treatment for dust mites won’t help for ragweed. Trees and dogs occupy different categories.

Kind of like all those people with their different devices. In this BYOD world we work in, it’s an IT nightmare of different passwords, user names, authentication and security needs. Enough to make eyes water and throats itch. One solution can’t possibly cover all these bases, right? Happily, wrong.

Using Centrify as an “immunity” boost for our existing, familiar Active Directory, our users (PC and MAC) can access a variety of websites from both their desktops and their mobile devices simply by using their existing AD credentials. Centrify also gives them useful tools that allows them to reset their passwords as needed, track the location of their mobile devices, and remote-lock and remote-wipe their mobile devices. One password does it all!

Granting access to these services, while still being able to maintain our privacy (and our customer's privacy) is game changing, but still requires that we keep a vigilant watch on how our internal services interact with our external services. Salesforce,

Google, Office365, WebEX, Box, DropBox, Zendesk and many more already support Centrify directly so it's simple to configure them to work with our Active Directory logins. And we don't even need to open ports on our firewall to do it.

Happy users, less-stressed IT people; it’s a beautiful balance that bring tears to my eyes…or it could be allergies.

Rid yourself of bothersome AD integration symptoms! click here.